Link Search Menu Expand Document

Metasploit’s 2017 Roadmap Review

In 2017, we published our first open roadmap for Metasploit development. How did we do? For achievements:

  • The Metasploit data model backend: we did a lot of design work on this, and got a couple of initial Proof-of-Concept project built. You can see a video of it here: In the mean time, we started merging parts of the main development branch

  • The first pass of external session handling landed with the metasploit-proxy project.

  • Independent modules that run in isolation did land, along with a hand full of new modules demonstrating the advantages of the design, including multi-language support.

  • The ruby_smb project made a lot of progress, with support incorporated into several existing modules. Full client-side support is also available for testing now.

  • Native iOS and macOS support landed, along with many new IoT and router exploits.

  • Meterpreter shrank almost 4x thanks to the new cryptTLV packet obfuscation support, and the removal of OpenSSL.

Things we didn’t quite finish:

  • Metasploit’s RESTful interface was not complete in 2017, so we will continue it into 2018.

  • Session handling as a separate process was implemented with the project, but more work needs to be done to improve scalability and usability.

  • Asynchronous session support remains on the drawing board.

  • SOCKS5 support did not land, but Metasploit did gain a lot more support for running modules externally as separate processes, and gained initial support for running modules in Python.

  • Modernized payload generation with new tools continues to be researched.