Source: Rapid7 blog
Metasploit 5.0 offers a new data service, introduces fresh evasion capabilities, supports multiple languages, and builds upon the Framework’s ever-growing repository of world-class offensive security content. We’re able to continue innovating and expanding in no small part thanks to the many open source users and developers who make it a priority to share their knowledge with the community. You have our gratitude.
We are happy to announce the release of Metasploit 5.0, the culmination of work by the Metasploit team over the past year. As the first major Metasploit release since 2011, Metasploit 5.0 brings many new features, as well as a fresh release cadence. Metasploit’s new database and automation APIs, evasion modules and libraries, expanded language support, improved performance, and ease-of-use lay the groundwork for better teamwork capabilities, tool integration, and exploitation at scale.
Database and automation APIs
Metasploit 5.0 is the first step in modernizing how Metasploit interacts with data and other tools. On top of the existing PostgreSQL database backend from 4.x, Metasploit 5.0 adds the ability to run the database by itself as a RESTful service, with which multiple Metasploit consoles and even external tools can then interact. The change also offloads some bulk operations to the database service, which improves performance by allowing parallel processing of the database and regular
Metasploit’s new JSON-RPC API will be a welcome addition for users who want to integrate Metasploit with new tools and languages. Metasploit has long supported automation via its own unique network protocol, but being unique also meant that it was more difficult to test or debug using standard tools like ‘curl’. Metasploit 5.0 also adds a common web service framework to expose both the database and the automation APIs; this framework supports advanced authentication and concurrent operations and paves the way for future services.
For backward compatibility, Metasploit 5.0 still supports running with just a local database, or with no database at all. It still supports the original MessagePack-based RPC protocol as well. You can read more about how to set up and run these new services here.
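As an added example (not Framework code), this is what a client has to put on the wire to talk to the new JSON-RPC service: a JSON-RPC 2.0 envelope inside an authenticated HTTP POST, plus the response check a caller should always do. The endpoint URL and port, the core.version method name and the token are assumptions or placeholders, not values from this post.

```ruby
require 'json'
require 'net/http'
require 'uri'

# Added illustration of talking to Metasploit 5.0's JSON-RPC service; not
# Framework code. The endpoint path, port and method name are assumptions
# based on the conventional JSON-RPC 2.0 layout, not values from this post.
JSON_RPC_URL = 'https://localhost:8081/api/v1/json-rpc'.freeze

# Build a JSON-RPC 2.0 request envelope (the same body a plain curl call sends).
def build_rpc_request(method, params = [], id = 1)
  { 'jsonrpc' => '2.0', 'method' => method, 'params' => params, 'id' => id }
end

# Wrap the envelope in an HTTP POST carrying the bearer token the web
# service authenticates with; the token value is a placeholder.
def build_http_request(url, token, rpc)
  uri = URI(url)
  req = Net::HTTP::Post.new(uri.path)
  req['Authorization'] = "Bearer #{token}"
  req['Content-Type']  = 'application/json'
  req.body = JSON.generate(rpc)
  req
end

# Validate a JSON-RPC 2.0 reply: the id must match the request we sent, and
# an `error` member means the call failed regardless of the HTTP status.
def parse_rpc_response(body, expected_id)
  reply = JSON.parse(body)
  raise "unexpected id #{reply['id'].inspect}" unless reply['id'] == expected_id
  if reply.key?('error')
    err = reply['error']
    raise "RPC error #{err['code']}: #{err['message']}"
  end
  reply.fetch('result')
end

# Send the request over TLS and return the parsed result. Not exercised
# offline; assumes the service certificate is trusted by this host.
def call_rpc(url, token, method, params = [])
  rpc = build_rpc_request(method, params)
  uri = URI(url)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = uri.scheme == 'https'
  res = http.request(build_http_request(url, token, rpc))
  parse_rpc_response(res.body, rpc['id'])
end
```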
Evasion modules and libraries
Earlier in 2018, we announced the new evasion module type in Metasploit along with a couple of example modules. These modules allow users to easily develop their own evasions, and they add a set of convenient libraries that developers can use to add new on-the-fly mutations to payloads; a recent module takes advantage of these evasion libraries to generate unique persistent services on the fly. Writing shellcode in C is definitely more fun than assembler, and with Metasploit 5.0’s generation libraries, you can do that as well. You can read more about evasion modules, libraries, and how to create your own evasive content here.
Usability improvements and exploitation at scale
A long-requested feature for Metasploit is the ability to execute an exploit module against more than one target at a time. While Metasploit has supported the concept of scanners that can target a subnet or network range, using an exploit module was limited to only one host at a time. This meant that any attempt at mass exploitation required writing a script or manual interaction. With Metasploit 5.0, any module can now target multiple hosts in the same way by setting RHOSTS to a range of IPs or referencing a hosts file with the file:// option. You can still use the old method of setting RHOST by itself, since Metasploit now treats RHOST and RHOSTS as identical options.
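To make the target notations above concrete, here is an added stand-alone parser (not Metasploit's own range walker) that expands an RHOSTS-style value into a host list: a single address, a CIDR block, a dotted or short-form range, a comma-separated list, or a file:// hosts file whose lines are themselves expanded. The `reader` parameter is an assumption introduced so the file case can be exercised without touching disk; only IPv4 is handled.

```ruby
require 'ipaddr'

# Added illustration of the target notations this post describes for RHOSTS
# (single host, CIDR block, dotted range, comma list, or a file:// hosts
# file). A stand-alone toy, not Metasploit's own range walker; IPv4 only.

# Expand one "start-end" range: either two full addresses or a short form
# where the end is just the last octet ("10.0.0.1-3").
def expand_dash_range(spec)
  first, last = spec.split('-', 2)
  last = first.sub(/\d+\z/, last) unless last.include?('.')
  (IPAddr.new(first)..IPAddr.new(last)).map(&:to_s)
end

# Turn one RHOSTS-style term into a list of host addresses.
def expand_term(term, reader = ->(path) { File.readlines(path, chomp: true) })
  term = term.strip
  return [] if term.empty? || term.start_with?('#')
  if term.start_with?('file://')
    # Hosts file: one term per line, each expanded recursively.
    path = term.delete_prefix('file://')
    return reader.call(path).flat_map { |line| expand_term(line, reader) }
  end
  return IPAddr.new(term).to_range.map(&:to_s) if term.include?('/')
  return expand_dash_range(term) if term.include?('-')
  [IPAddr.new(term).to_s] # raises IPAddr::InvalidAddressError on junk
end

# Expand a whole RHOSTS value (comma- or whitespace-separated terms),
# dropping duplicates so a host is attempted once even if listed twice.
def expand_rhosts(value, reader = ->(path) { File.readlines(path, chomp: true) })
  value.split(/[\s,]+/).flat_map { |t| expand_term(t, reader) }.uniq
end
```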
Features you never knew you had!
Not everything that we built for Metasploit 5.0 stayed there. In several cases, a feature we added turned out to be useful for 4.x users as well, and letting it bake in the unstable branch allowed us to work out the bugs before backporting.
Have you previously been stymied by Metasploit’s ‘slow search’ message when looking for modules? Among other improvements, Metasploit now starts much faster out of the box, thanks to an improved search mechanism that doesn’t rely on the database to work. This means that searching for modules is always fast, regardless of how you use Metasploit. In addition, modules have gained a lot of new metadata capabilities. Wondering which modules have side effects and leave artifacts on disk? You can now search for that!
Have you ever wanted to interact with a shell session but been frustrated by its capabilities? Metasploit’s new metashell feature, which is available automatically in all shell sessions, allows users to background sessions with the background command, upload/download files, or even run resource scripts, all without needing to upgrade to a Meterpreter session first. Meterpreter still reigns supreme in terms of overall capability and versatility, but metashell kicks shell sessions up a notch by making them easier and more interactive.
Have you ever wanted to add something to Metasploit, but Ruby got in the way? Maybe there was a library that would be hard to port to run within Metasploit without a lot of work. To ameliorate this, Metasploit 5.0 includes support for three different module languages: Go, Python, and Ruby. We have talked about external modules in the past (e.g., here and here), but they continue to improve in Metasploit, offering a handy way to expand Metasploit’s capabilities while also bringing better performance.
New release cycle
For the past year we have split Metasploit development into two branches: a 4.x stable branch that underpins Metasploit Pro and open-source projects like Kali Linux, ParrotSec Linux, and Rapid7’s own open-source Metasploit Framework installer; and an unstable branch where core development is done. If you have checked out Metasploit from GitHub over the past year, you have probably used the latter, whose default prompt was
Before, a feature might sit in a pull request for months and still cause bugs we couldn’t see before shipping straight to Kali Linux or another distribution. With an unstable branch for Metasploit development, the team was able to iterate on features more quickly and thoroughly, making it easier to get real feedback on them before graduating them to a Metasploit stable release. Some features even got merged into the 4.x branch early because they were deemed stable before Metasploit 5.0 shipped. Other features took longer to stabilize and are represented in the final Metasploit 5.0 release.
The takeaway is that Metasploit now has a more mature development process that we hope to continue leveraging in the future to enable even bigger improvements to the code base.
Get it (and improve it)
As of today, you can get MSF 5 by checking out the 5.0.0 tag in the Metasploit GitHub project. We’re in the process of reaching out to third-party software developers to let them know that Metasploit 5 is stable and ready to ship; for information on when MSF 5 will be packaged and integrated into your favorite distribution, keep an eye on threads like this one. As always, if you find a bug, you can report it to us on GitHub. Friendly reminder: your issue is a lot more likely to get attention from us and the rest of the community if you include all the information we ask for in the issue form.
Contributions from the open source community are the soul of Metasploit. Want to join the many hackers, researchers, bug hunters, and docs writers who have helped make Metasploit awesome over the years? Start here. Not into Ruby development? Help us add to our Python or Go module counts.
A beginning set of release notes for Metasploit 5.0 is here. We’ll be adding to these over the next few months. As always, community PRs are welcome! Need a primer on Framework architecture and usage? Take a look at our wiki here, and feel free to reach out to the broader community on Slack. There are also myriad public and user-generated resources on Metasploit tips, tricks, and content, so if you can’t find something you want in our wiki, ask Google or the community what they recommend.
See all the ways to stay informed and get involved at https://metasploit.com.