In 2017, we published our first open roadmap for Metasploit development. How did we do? For achievements:
The Metasploit data model backend: we did a lot of design work on this, and got a couple of initial Proof-of-Concept project built. You can see a video of it here: https://www.youtube.com/watch?v=hvuy6A-ie1g. In the mean time, we started merging parts of the main development branch
The first pass of external session handling landed with the metasploit-proxy project.
Independent modules that run in isolation did land, along with a hand full of new modules demonstrating the advantages of the design, including multi-language support.
The ruby_smb project made a lot of progress, with support incorporated into several existing modules. Full client-side support is also available for testing now.
Native iOS and macOS support landed, along with many new IoT and router exploits.
Meterpreter shrank almost 4x thanks to the new cryptTLV packet obfuscation support, and the removal of OpenSSL.
Things we didn’t quite finish:
Metasploit’s RESTful interface was not complete in 2017, so we will continue it into 2018.
Session handling as a separate process was implemented with the https://github.com/rapid7/metasploit-aggregator project, but more work needs to be done to improve scalability and usability.
Asynchronous session support remains on the drawing board.
SOCKS5 support did not land, but Metasploit did gain a lot more support for running modules externally as separate processes, and gained initial support for running modules in Python.
Modernized payload generation with new tools continues to be researched.