We are two hackers who run development on the Metasploit Framework and Aircrack-NG. Ask us anything about open source security development!
We (Thomas d'Otreppe and Tod Beardsley) are the primary maintainers of Aircrack-NG, a suite of wireless network auditing tools, and the Metasploit Framework, a penetration testing tool set. Working on security software in public has some unique technical and ethical aspects not often found in other projects, and we're going to be at BSidesLV later this month to talk about the trials, tribulations, rewards, and challenges of producing security software in public. As these projects are open source, anyone can use and contribute to them.
Proof: https://gist.github.com/todb-r7/5954729
We'd like to talk with the Reddit community (which itself is powered by open source software) about open source security -- think of this as a sneak preview of our material.
Ask us Anything!
Edit: Mister_X is /u/mister_x_aircrack-ng and I'm /u/todbatx in case that wasn't glaringly obvious.
Edit: I'll peek in on this for a couple more days to answer anything else exciting... but it looks like 4 hours is about as long as this'll go. Thanks everyone! If you're in the security scene, we'll see you in Vegas!
Edit: Answered a bunch of day two questions, thanks a ton everyone!
todbatx99 karma
Security Programming
- Like you said, Metasploit Unleashed
- ReL1k's book, Metasploit: The Penetration Tester's Guide. Still relevant! If you can't use Metasploit, you're going to have a hard time dev'ing on it.
- Art of Exploitation, still probably the best getting started book on "hacking."
- Anything from Corelan
- /r/netsec - pretty great way to keep up on the news, since security is always changing fast.
There are a zillion other good to great resources, I'm sure others can chime in.
Best way to get experience
Contribute to open source. I know that's a self-serving answer, but even before I was involved in Metasploit directly, if I saw someone had Metasploit commits on their resume, it was easily 50 bonus points, out of the gate.
CanadianVelociraptor8 karma
Thanks for the great response! I'll look into those materials and keep an eye out for open-source projects to contribute to, possibly even Metasploit in the near future.
todbatx14 karma
Maybe start here? https://github.com/search?q=security&ref=cmdform
Whittle down to your language of choice. Every open source security project on Earth could use more help.
mens-rea25 karma
I am a just-graduated computer scientist interested in security and I would also love to hear from some more experienced people. However, here's the advice I can give you, for college at least. Be ready for a wall of text:
- Take systems, networks, and other low-level classes. This is all VERY relevant to security.
- Get to know your security professors. If your school has any sort of CTF team, join it. If not, look for one in your area.
- CCDC can be a good source of learning too, but take it with a grain of salt (it is more admin-type stuff and focuses on defense)
- DON'T BE AFRAID TO ASK QUESTIONS. DON'T BE WORRIED ABOUT YOUR LACK OF EXPERIENCE. We all start somewhere. I had next to zero experience when I got involved with this stuff. Everyone was super-helpful and as a result I've learned a lot and I've gotten better at a lot of things.
Don't be afraid to get your hands dirty too. The easiest way to legally break things is to set up your own systems to break. Damn Vulnerable Linux or an old XP machine is a good place to start (since you mention Metasploit I assume you know about Backtrack/Kali).
If you're interested in physical security too, just go for it:
- Buy some lockpicks (if they are legal in your state) and buy some cheap padlocks.
- Play around with other mechanisms and take any chance you can to (legally) practice. Forgot the combo to your luggage? Don't try to remember it. Hack it! (yes, this happened to me recently)
Most importantly, learn to get into a security mindset. That means thinking about security as much as you can. Examine new products, buildings, etc. Almost every time I go to the bank, I'm considering how I would rob it. My point is, just think about everything from a security standpoint. Be paranoid (to a healthy extent). And keep looking for answers, whether by learning, asking questions, or playing around with things.
Take opportunities to network whenever you can with security professionals. Go to DEFCON, etc.
Some great resources:
- Exploit-Exercises - probably some of the best security exercises out there. Highly recommended by security professionals.
- HackThisSite - also very good practice, but for web security
- Matasano Crypto Challenges - excellent crypto practice
- (http://www.amanhardikar.com/mindmaps/Practice.html) - I haven't had a chance to check out most of this but it seems like a good collection of security exercises
- CTFs
- DEFCON talks (YouTube)
I can guarantee you I've missed a TON of things, but this should be a good start I think. I hope at least some of it is helpful.
Arlybeiter7 karma
I'm kind of surprised that vehicle security isn't often talked about. I'm sure they have their own circles and conventions, but I'd expect some overlap with the hacking community.
todbatx5 karma
The professional locksmith community is pretty closed, from what I've seen. There's a very vibrant lockpicking scene, though -- most hacker and maker conferences have a "Lockpicking Village." However, even these guys tend to not talk about popping vehicle locks. To get that kind of training, you tend to have to be part of a professional locksmith shop or hang around car thieves.
T_at42 karma
What sort of relationship (if any) do you have with the big name security vendors (McAfee, Kaspersky, Symantec, etc.) - any of them particularly good / bad?
mylogic23 karma
I'm a contractor working with the government on a zero-day defense pilot utilizing FireEye's MPS suite and Palo Alto's WildFire. We've enjoyed working with both vendors. What are your thoughts on the black market buying and selling of zero-days? What do you foresee changing in the signature-based industry now that behavior-based analysis is becoming more of an ideal solution (perhaps why those previously mentioned vendors are a little more tight-lipped)? I ask these questions with the recent news that certain power-house software companies (notably Microsoft) are identifying these zero-days and offering them to the government before creating/supplying consumers with a security patch. Thanks so much for everything you two have contributed! HACK ON!
todbatx15 karma
This is the question I've been waiting for! Thanks mylogic!
What are your thoughts on the black market buying and selling of zero-days?
My opinion on the private trading of zero-days is pretty well represented by the EFF Article from 2012 on the subject. If people are buying 0day in order to fix the vulnerabilities rapidly, that's totally legit. The bounty programs from Facebook, Google, and Microsoft seem to be in this category, most of the time.
If organizations are buying 0day in order to bury them, or to exploit them as part of a SIGINT program... I feel like that's on the other side of an ethical line I wouldn't want to cross. That activity removes the democratization power of exploit research, it empowers the already powerful, and it's paying to make the Internet a less reliable communications mechanism.
changing in the signature-based industry
If you can get away with signatures, you have no reason to stop that. It's low-hanging fruit, after all. But the dichotomy is false, and it's not really an either/or proposition. Signatures can be fast and reliable, while behavior-driven is necessarily slower (you need to see the behavior unfold first). They augment each other.
certain power-house software companies (notably Microsoft) are identifying these zero-days and offering them to the government before creating/supplying consumers with a security patch
I don't know how true that is. While Microsoft does offer advance notice to large customers (various governments and corps), I'm under the impression that that intelligence is largely for defense. If Microsoft is playing arms dealer, that's another story, but so far, the data doesn't appear to show that.
the_angry_angel33 karma
First off thanks for your work on both metasploit and aircrack-ng and keeping it all open. It's a great learning resource.
- What area do you feel doesn't get enough attention in the metasploit code base?
- What new tech terrifies you the most?
todbatx30 karma
Post modules. There's a million things you can do on a machine once it's already compromised. Post modules are totally fun and pretty easy to write -- no offset alignments required.
Patent Trolls. Also, let's hope this never gets wide use: http://www.google.com/patents/US20130133036
tea-earl-grey-hot32 karma
Do you think every system can be broken given enough time and effort?
What operating system and server software have you found to be hardest to exploit? What has been the easiest, buggiest, OS/software throughout the years?
todbatx40 karma
Do you think every system can be broken given enough time and effort?
Philosophically, sure. Heck, there's always rubber-hose cryptanalysis. Realistically, systems have a tendency to get more complex, and complexity is the enemy of security. We've been at this compiled C game for like 30 years, yet people still write buffer overflow vulnerabilities in new stuff.
What operating system is the hardest or easiest to exploit? (paraphrased)
Well, everything's easy once you know how to do it. Generally speaking, software from mature software vendors is hard to break in novel ways, because they've already taken their lumps. Software from non-software-centric organizations tends to have more low-hanging fruit.
todbatx52 karma
linksys
EDIT: If it's not that, it's almost certainly a variation of one of these.
andrew_balls22 karma
Tod,
What limitations, if any, have you run into with the Metasploit Framework being written in Ruby? If the Framework weren't gi-fucking-gantic would you consider rewriting it in another language?
How do you feel about commercial exploitation frameworks like Core Impact that allow users to "natively" run Metasploit modules?
WHAT WAS HD THINKING WHEN HE REMOVED AUTOPWN?!!? HOW AM I SUPPOSED TO CONTINUE MY CAREER AS A PENTESTER?
Thomas,
- One of my favorite features of Aircrack was the airtun-ng utility that allows me to passively decrypt WEP traffic from a monitor mode interface. One of the things that I think is missing from Aircrack is the ability to do that, but with WPA(2) traffic as well. Are there any plans for this feature? How difficult would it be considering the fundamental differences in WEP and WPA?
Keep up the awesome work!
--Andrew
todbatx16 karma
Ruby can be a little... pokey. Also, the packaged versions of Ruby all kind of sucked (this is largely no problem any more thanks to rvm ). Python would have been a reasonable choice, because you get more direct access to more IT and academic types who already know Python. But really, I'm a pretty huge Ruby fanboy. I like it a lot.
I wish they would contribute back to the open source community more regularly (or at all). I'm wishing as hard as I can.
Exactly. I'm kind of growing weary of browser_autopwn, too. It often doesn't do what you expect it ought to do, just like autopwn. Turns out, that "throw everything at the target" approach still needs a bunch of smarts behind it to work well.
whendrik22 karma
Did your team ever encounter a security flaw you feel you couldn't make public for any reason?
todbatx32 karma
No, never. I cannot imagine a case where we discover some uber-awesome vulnerability and it's not already known by someone else, either in the past or very near in the future.
Ultimately, public disclosure is in the interest of the Internet. If I keep secret a vulnerability, I'm just enabling bad guys to continue to use that vuln.
I'm totally fine with limited secrecy, but my expectation is to pretty much always disclose once people have had a chance to chew it over in a reasonable amount of time.
todbatx30 karma
It's completely dependent on the vendor. Some of them are really mature, have good processes, and keep us in the loop on fixes and invite us to test the fixes before they go out. Some are black boxes: vulns go in and patches come out. Some are adversarial.
I like the first kind.
Enzonoty19 karma
What programming languages do you recommend learning first for overall hacking, like RATs and keyloggers and network hacking, and also, how long have you been programming for?
todbatx38 karma
Either Python or Ruby. They both have really mature network libraries in the standard lib and are both easy to pick up. For RATs and keyloggers, C.
I've been writing code in one form or another for... a while. 20+ years, and doing more code than ops for a little over ten.
jmp-118 karma
Why do you choose the licenses that you do? Aircrack is GPL and Metasploit is BSD. How do you deal with commercialization of your code? Why does your particular license help with that?
todbatx30 karma
For Metasploit, we like BSD because it affords pretty maximal freedom of use. As far as commercialization, go nuts. If you're going to write secret 0days for your customers using Metasploit, maybe someday you'll find your heart and contribute back to open source. Making Metasploit better helps everyone, and many people in that everyone group need to collect a paycheck at some point, so I'm not going to try to restrict Metasploit use and development to just penniless hippies. :)
Edit: See Mister X's response
mubix17 karma
Ethical aspects were mentioned in the summary; what are the 2 hardest ethical aspects of running an open source project?
todbatx34 karma
For security in particular, disclosing vulnerabilities to vendors is rarely an easy process, and this is especially true when the vendors aren't particularly savvy about security, don't already know how to have secure communications, or are more interested in arguing about whether a security problem is a real bug or not. It's always way easier to just drop exploits on their heads and tell them to deal with it, but the easy way is rarely the right way. We practice "Reasonable Disclosure" as described here, which is essentially a quiet period; we give them and CERT/CC a heads up, and then after 60 days, we disclose publicly.
For open source in general, there's always difficulty telling people their babies are ugly. For many people, the horrible PoS software they just wrote is the first time they've contributed to open source -- and it's the 1000th time we've seen the same kind of horrible code. It's hard to be firm but fair, and the easy path is to either be a jerk and just close it out without comment, or to compromise code quality by allowing substandard work in, or to sacrifice time better spent on other things by performing too much hand-holding.
That second one is my biggest challenge right now, honestly -- balancing that all out while trying to be fair to other contributors, my employer, my employees, and especially my family.
mister_x_aircrack-ng17 karma
I agree with Tod on both points. However, ethics is not the hardest aspect of open source.
Here are a few hard things:
Keeping working on it (events in your life are unpredictable) and sometimes even starting the project. Aircrack-ng is more than 7 years old. In my case, I was still a student and depending on my parents who discouraged me from doing it. They thought I was gonna get in trouble because of it. I didn't listen ;)
Finding team members can become pretty hard and keeping them too. Events in their life sometimes force them to stop contributing.
Maintaining servers with constant updates. It's consuming a LOT of my time unfortunately. And finding someone you can trust to take care of it is even harder.
Raising money to pay for hosting/domains and hardware. Right now everything comes from my pocket. However, a friend of mine gave me a server for hosting. On the other hand, the nice thing about it is that I'm independent from any company and I can decide what direction the project goes.
todbatx9 karma
You should get acquired :) Lots of those problems go away (to be replaced with other problems)
todbatx14 karma
Touching base with folks I haven't seen in a while, to be honest. For the talks, Let's Screw With Nmap touches on a whole lot of stuff that I have a lot of interest in (I'm a packet dork at heart). I'm curious if/how Gregory deals with performance with something like that.
RogueInteger16 karma
Props to keeping Metasploit free. The acquisition by R7 a few years ago had a lot of people pretty nervous about it.
mafiasecurity16 karma
How can someone contribute to Open Source Security Development who is not a programmer and does not have any intentions to be one?
todbatx25 karma
Many, many do. In fact, I'd say most security software contributors are not formally-trained software engineers; they're penetration testers, security consultants, curious IT guys, and fall anywhere from hobbyist to full time professional.
It's one of the reasons Metasploit is written in Ruby -- it's pretty accessible to anyone with basic "how to computers" knowledge.
ComradeCookie9 karma
I'm a noob that's trying to make my way into network security. What are some tips, advice, or places to turn to learn the tricks and tools of the trade and help the community grow (and grow myself in the process)?
todbatx14 karma
I think this question covers the basic material. Also, didn't mention there, Freenode IRC. We hang out in #metasploit and #aircrack-ng pretty much all the time.
techpeace7 karma
Hi Tod! Just sent a bunch of MakerSquare students here to pelt you with questions. :)
pwnies7 karma
Have you guys had any issues at borders or with governments in general due to the nature of your work?
BigCat90006 karma
What would it take to have my student loans erased? Is such a thing possible?
todbatx20 karma
Student loans aren't even forgivable with bankruptcy. You have to pay them, or die (and the latter isn't a guarantee).
You could do what I did -- don't go to school for too long, or if you do, don't enroll. It's amazing what you could learn by just hanging around the right computer labs.
Bat_turd6 karma
Is it wrong for people to say that there is no money in writing open source software? Why?
todbatx7 karma
Monetization of open source is a rich (haha) topic. I'm not an expert, but you can certainly go the acquisition route that Metasploit did. Writing open source software that people actually use also can get you consulting jobs, speaking engagements, etc. It's not so much the software itself, but the fact that you become an expert in a few different fields through the process.
todbatx6 karma
+1. It's the best one around. It's from Alfa. Cheap, decent power, plays nice with VMs.
Os_agnostic5 karma
What are your thoughts on Moxie's comments about tools being used by repressive regimes/organizations against citizens? I fully understand the need for these tools, just wondering what your thoughts are when working on these exploitation tools and how they can be used for good/evil.
"the insecurity of the internet is now more predominantly leveraged by people that I dislike against people that I like. More often than not, that’s by governments against people." Moxie Marlinspike - http://www.thoughtcrime.org/blog/saudi-surveillance/
todbatx18 karma
That's one of the reasons why I'm really passionate about open source security tools. Everyone has access; it's democratizing. If some government is using a technology for repression, I hope that the repressed (or their advocates) are using something equally as liberating.
I don't think open source tools lend themselves well to police states and criminal organizations. I think open source tools like ours tend to favor the individual.
tinkers_5 karma
Do you perform any statistics on the most common attack vectors?
Do you have any plans on doing an 'official' port to Android? I've tried dSploit; having the full power of Metasploit on a mobile device would be most awesome.
Thanks for doing the AMA!
todbatx8 karma
Turns out, by watching the commit counts for the Metasploit modules, we can infer pretty well what people are using all the time. See the blog post about that.
As for Android as a platform... while it would be fun and funny, there hasn't been a whole lot of serious pursuit of that. People have gotten it to work (all you really need is a decent Ruby interpreter), but it's pretty s-l-o-w....
_osik5 karma
Have you received any cease-and-desist letter for just poking vendors about holes in their stuff?
todbatx9 karma
I wish I had a really cool story about that, but no. Most vendors I ever deal with are pretty sane. A couple complain, but it hasn't gotten to a C&D level as far as I know.
FuckieMcFuckerson4 karma
What is currently running(OS and/or software wise) in your pen test lab?
todbatx7 karma
"currently" is hard to pin down -- we have tons and tons of VMs, running pretty much everything.
Managing all that is a huge hassle, btw. We're hiring in QA for someone to mind all the warez.
chidokage4 karma
Do you guys feel responsible when your tools get used for evil??
You shouldn't.
todbatx21 karma
Real bad guys tend to have much more expensive tools. I don't know if they're any better....
mister_x_aircrack-ng9 karma
I don't, but to be honest, I don't really like it. We have rules for IRC and the forum stating you cannot hack your neighbor and stuff (no matter what your country's laws say) but I still see people asking that. They never get any support as soon as we spot it.
You can use any tool for good or evil. Think about a hammer.
todbatx8 karma
Ya, ditto. We once had these Brazilian would-be bank robbers pestering us on the mailing list for advice on how to rob banks. It was really silly.
todbatx6 karma
I helped some on the BaliWicked implementation. That was a pretty fun and weird bug.
xe4l3 karma
Would love to hear your thoughts on two key comparisons.
Metasploit Framework vs Metasploit Pro. Pro obviously has some features that can save a lot of time and effort; however, adept users build their own automation. Last I used Pro, however, its typically undetectable meterpreter payloads were getting caught by HIPS and we reverted to packing our own.
and
Aircrack-ng's 3rd party customizations, eg: airmon-zc.
Thanks for doing the AMA!
todbatx19 karma
Rapid7, my delightful employer, makes this commercial product, Metasploit Pro. That thing pays my salary so I can continue pursuing open source. So, obviously, any answer I give you is going to either be a sales pitch or self-defeating. Metasploit Pro is great and you should totally buy 6 licenses.
That said, we like to keep some separation here -- Metasploit Pro is State, and Metasploit Framework is Church. My main, day to day concern is the health of the open source software and the community that both builds it and uses it. I am paradoxically paid to not care too much about Metasploit Pro sales numbers.
On the gripping hand, Metasploit Pro will of course dry up without a solid Framework foundation, and we can't sell software unless we keep that open source thing going strong.
So... it's all very schizophrenic, really. It's a commercial-vs-free balancing act, for sure.
rewqrewqrewqrewqrewq3 karma
When will Metasploit and Aircrack-NG be rewritten in C#?
How do you feel about competitors who charge money for their products using your open-source frameworks and applications?
But who was phone?
todbatx10 karma
How do you feel about competitors who charge money
I'm excited for them. Embiggening the Metasploit user base tends to embiggen the researcher and developer base as well.
burlyscudd3 karma
Tod: do you try to direct/encourage contributions for exploits in certain areas or for certain apps/stacks? If so, how do you go about it?
todbatx8 karma
I try to for sure, but the wisdom of crowds is much stronger than the wisdom of me -- if there's some hotness that needs an exploit out there, someone's pretty much already on it. Between our staff exploit writers (hdm, juan.vazquez, sinn3r, and egypt) and the amazing open source community that's coalesced around Metasploit (see kind of a list here and here), we pretty much stay abreast of the new hotness.
So, once in a while I can convince and cajole someone to pursue a research effort, but open source is very much a put-up-or-shut-up meritocracy; if we want to get more exploits for UPnP, for example, we need to start by churning out some kind of UPnP exploitation framework for people to work in. Asking nicely doesn't really cut it.
So, the TL;DR is, the best way to get what you want in open source security is to start collaborating on it in code. Otherwise, it's kind of vapor.
le_reddit_bacon_XD2 karma
Hi I have a question: what do any of the words in your post mean?
FuckieMcFuckerson2 karma
Thanks for taking the time to do an AMA!
This is more of a background question, but what sparked your interest in security?
todbatx3 karma
I was a phone hacker as a kid -- the San Francisco Bay Area was a good place to be for that. Oh, and I saw War Games in the theater and hung around with srs bsns anarchists, both at impressionable ages, so that all probably helped.
I've always been interested in how things (and people) work, and how people assume things work, and how a person, if he was so inclined, could subvert and exploit the gap between the two.
throwaway36iscool2 karma
What do you guys think of your tools being used for blackhat activities? Btw, you guys are awesome!
emarkay1922 karma
Tod, with a name like Beardsley, please tell me you have a perfectly crafted beard of a lumberjack. I'm imagining that's where you keep your USB drives with the latest builds of Metasploit/Aircrack.
ftfsi1 karma
Tod, I see you went to college in R-town. Did you go to high school there also?
CanadianVelociraptor57 karma
Cool, thank you for doing an AMA! I'm currently a Computer Science major (starting this fall!) and have always been interested in a career in computer security. Some questions come to mind:
What resources would you suggest for learning about security programming? Any go-to tutorials or must-read books? (Besides Metasploit Unleashed) ;)
What's the best way to gain experience in the field of security? A lot of the things seem to be legal grey-areas unless you are working for a security research company or similar. What sort of things can an individual do to learn the ropes?