Halfway through

Tabish Imran
Jul 28, 2017 · 5 min read

A mid GSoC report about my work with metasploit.

Roughly two months after I started working on adding file system sessions to the metasploit framework, I decided to write this article detailing my experience with GSoC so far, and explaining everything I’ve done.

Init

About a month before GSoC started, being a complete newbie to metasploit development, I started by asking for advice on how to familiarize myself with the framework on the #metasploit IRC channel. Based on the suggestions I got from the community, I started by going through the following resources.

After I had a general idea of what I’m supposed to be doing, I (with help from #metasploit) started to list the things that I would need to learn to implement the project. The description of the project on the Project Ideas page divides the project into 4 parts which would be needed to make the whole thing work.

A screenshot from the project Ideas page

Understanding FTP

Since we were going to be focusing on FTP initially, I decided to learn more about how it works internally. I started by going through RFC 765. I then decided to spend some time messing around with my local installation of vsftpd using netcat. I tried out basic commands to list files, change directories, and upload/download files. Using netcat to do this helped me in understanding how FTP functions under the hood, what the server status codes mean, etc.

The first month

Initially, as the coding period started, there was a bit of confusion about how to implement the project as there were two possible approaches that could be taken.

  • The first was the one detailed in the original project plan: creating the session interface, modifying the existing FTP login scanner, and using it to create the session whenever it found a valid set of credentials.
  • The other approach was to create an exploit module instead of a new FTP login scanner, which worked with just one IP/credential and got us a single FTP session. To run it against multiple hosts the user could write a simple 4-line RC script. This also involved using a ‘fake’ payload, which wasn’t really a payload, but just created the session.

After discussing this further with egypt and mubix, we decided to go with the first approach because it seemed more straightforward.

I started with the session interface file. I knew that the framework had FTP client mixins, and the plan was to use the mixin to create functions corresponding to the primitive functions (ls, cd, pwd, upload, download). I created an auxiliary module to test out the functions which I wrote using the mixins. But after discussing this a bit more with my mentors, I realized that the mixins could not be used to create the sessions; I needed a standalone class.

On egypt’s suggestion, I started to work on implementing an FTP client class under /lib/rex/proto which would make things much easier for the project. I then used the functions from the ftp mixin and the functions from the test auxiliary module I wrote to put together an FTP client implementation.

I also spent a fair amount of time during my first month of GSoC messing around with rspec. I was familiar with TDD but hadn’t really used rspec before, and my mentors told me that it would be better if I’m able to write tests for my code. I found the learning curve to be fairly steep (I’m still learning).

The Second Month

Since the ftp protocol part was now done, I finished working on the session interface. The idea is that the ftp client object (or other file system based client object) will be initialized and passed to the session interface. All the session interface has to do is to execute the client object’s functions as needed.
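To make the two pieces above concrete, the FTP control channel as seen through netcat and the session layer that just calls into a client object, here is an added example; it is not the author’s GSoC code nor anything from the Metasploit framework. It assumes a socket-like object with `gets` and `write`, and `FakeFtpServer` is a constructed stand-in for vsftpd so the code runs offline.

```ruby
# Added example, not the author's GSoC code: a minimal FTP control-channel
# client with RFC 959 reply parsing, plus a session wrapper that only delegates
# to the client object it is handed, as the post's design describes.
class MiniFtpClient
  def initialize(io) # io: anything with #gets and #write (a TCPSocket in practice)
    @io = io
  end
  # A multi-line reply opens with "ddd-" and ends at the line that starts with
  # the same code followed by a space (RFC 959, section 4.2).
  def read_reply
    line = @io.gets or raise EOFError, 'connection closed'
    code, lines = line[0, 3], [line.chomp]
    until line[3] != '-' || lines.last.start_with?("#{code} ")
      nxt = @io.gets or raise EOFError, 'connection closed'
      lines << nxt.chomp
    end
    [code.to_i, lines.join("\n")]
  end
  def command(cmd)
    @io.write("#{cmd}\r\n")
    read_reply
  end
  def login(user, pass) # 331 = send password, 230 = logged in
    code, _text = command("USER #{user}")
    code, _text = command("PASS #{pass}") if code == 331
    code == 230
  end
  def pwd # a 257 reply carries the directory as a quoted string
    code, text = command('PWD')
    raise "PWD failed: #{text}" unless code == 257
    text[/"([^"]*)"/, 1]
  end
  def cd(dir)
    command("CWD #{dir}").first == 250
  end
end

# The session knows only the primitive names; the client object does the work.
class FsSession
  def initialize(client); @client = client; end
  def pwd; @client.pwd; end
  def cd(dir); @client.cd(dir); end
end

# Constructed stand-in for a server: scripted replies; records commands sent.
FakeFtpServer = Struct.new(:replies, :sent) do
  def write(s); sent << s; end
  def gets; replies.shift; end
end
```

Swapping `FakeFtpServer` for a `TCPSocket` to port 21 gives the same exchange you see by hand in netcat, with the multi-line banner handled correctly.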

I had a setback of about 8–10 days halfway through the month thanks to the flu. I did plan a buffer period of about 2 weeks in my original time distribution, though, so hopefully I’ll be able to catch up in the next week.

The next thing on the list was the command dispatcher, which is supposed to handle user input when the session is created. There’s not a lot of documentation out there about command dispatchers, so I started by studying the existing command dispatchers.

I still wasn’t too clear about how everything works together. I thought that a good way to understand how everything works is by tracing everything that happens since we start msfconsole, on paper. That took some time but I think I have a clearer understanding of what I’m doing now. Right now I’m working on completing the command dispatcher.

After the session is created

That leaves the final part, the FTP login scanner. The FTP login scanner I’m supposed to create would be a modified version of the existing ftp_login.rb scanner, which upon finding valid FTP credentials for an IP address, will create one of these sessions.

What I’ve learned so far

  • After working on metasploit for two months, I have a much better understanding of how metasploit is structured and how the namespaces are organized and used.
  • I learned a lot about how the FTP protocol functions during the first month, by spending some time messing around with my local installation of vsftpd using netcat.
  • I also found RSpec and behavior-driven development in general to be pretty interesting.

What’s next

  • Complete the command dispatcher and the ftp login scanner module before the month ends.
  • Clean up all the code I’ve written and PR it to rapid7/metasploit-framework.
  • (I hope I’m not being too ambitious here) Try to add another file system based protocol to the framework if time permits.
