Last updated at Mon, 10 Sep 2018 22:35:50 GMT
The following is a guest blog by one of Metasploit's 2018 Google Summer of Code students.
Hi, my name is Eliott Teissonniere (I go by DeveloppSoft on GitHub), and I was selected as a Google Summer of Code (GSoC) student for Metasploit this summer! Today, I am excited to tell you more about what we did and what’s next.
#include
When submitting my proposal, I decided to focus on improving post-exploit and Meterpreter functionality for POSIX-compliant platforms such as Mac OS and Linux systems. I chose this approach because I was more comfortable with these platforms than Windows and I already had some ideas I wanted to bring to the project.
I work as a blockchain consultant, but way before I even heard the word "blockchain," I was playing around with security stuff. I have long enjoyed experimenting with advanced threat modeling and coming up with rather exotic ways to gain a foothold (and keep it!) on a potential target system. This is why Metasploit was a natural choice for my first GSoC. When I first interacted with the project before submitting my proposal (strategy, strategy!), I just felt in place, and my choice was made.
int main(void)
My project idea was basically to have some fun playing around with Metasploit and adding new features to its POSIX-specific implant, Mettle. My proposal included:
- Before GSoC started, I would play around with `mettle` by building an extension to execute Lua code in memory. I chose Lua because it was designed to have a small runtime and be embedded in other codebases.
- For the first two weeks of GSoC, I would play around with the sounds feature that exists on Windows and (partially) on Mac OS. This feature does not exist on Linux, so I would implement a feature to play a sound file from memory and another one to listen to the microphone (did anybody say, "stalker?").
- In June, I would improve and document my previous code, and also experiment with the screensaver on Linux systems.
- In July, I would add two new things: a keylogger and new improvements to Mettle for more persistence on target systems. Again, the keylogger existed on Mac and Windows but not Linux—this part was more complex than I had expected.
- In August, I would have a lot of fun implementing a completely new module: a way to play with the proxy settings of the victim so you could redirect its traffic to your system.
My plan was met with support and encouragement from the team, and during the summer, we sometimes discussed new ideas to explore when the GSoC period ended—in many ways, it was more fun and friendlier than I had expected.
goto end
Now that the summer is over, here is what Metasploit Framework users can enjoy as a result of my project (and what they should be able to enjoy soon!):
- In a Mettle session, you can now use the `play` command to, well, play an audio file!
- In a Mettle session on Linux, you can now play around with the microphone. Try it: `mic_start -d 10`.
- Thanks to `post/linux/manage/xdg_open`, you can now open files on the victim's desktop (probably more fun than useful!).
- Using `post/linux/manage/xdg_screensaver`, you can lock the current session, launch the screensaver, and wake the screen back up.
- Using `post/linux/gather/keylogger`, you will soon be able to run a keylogger on a Linux target (currently limited to QWERTY keyboards). What's cool about this is that you can even log `root` keystrokes (yeah … check out the pull request!).
- Using `exploit/linux/local/autostart_persistence`, you can persist on the victim's session. Whenever the user logs on, you will get a Mettle session!
- Using `exploit/linux/local/rc_local_persistence`, you are able to patch the `/etc/rc.local` file to launch a session whenever the computer starts (needs `root` privileges).
- Using `post/multi/manage/local_mitm`, you will be able to modify your victim's proxy settings (works even on Windows). Use with care. Here's the pull request.
I'm still working on giving Metasploit users the ability to execute Lua scripts for Metasploit. I still have to debug at the time of writing.
return 0
During these past three months, I really enjoyed diving into the code of the project, but what made the whole period so amazing was the human aspect of the program. I have been able to share ideas and interact with various members of the community. I wasn't isolated while pushing my PRs. Instead, I was always supported and encouraged, I met new people, and I discovered new ways of working. Thanks, guys.
Developing something is not just about pushing code; it is also about human interaction and discussions.
In the future, I would like to continue my work on the Lua extension, and I also have a few crazy ideas to implement. Stay tuned, and see you in the ether!
Special shoutout to my awesome mentors, @mkienow-r7 and @busterb. You guys rock.
And also a special shoutout to @timwr. Even if you were not listed as my mentor, you always stayed available and supported me, just like a third mentor.
➜ ~ echo $?
0
➜ ~ logout