HD Moore (https://twitter.com/hdmoore) invented a hacking tool called Metasploit. He crammed it with tons of exploits and payloads that can be used to hack into computers. What could possibly go wrong? Learn more about what HD does today by visiting rumble.run/.
Support for this show comes from Quorum Cyber. They exist to defend organisations against cyber security breaches and attacks. That’s it. No noise. No hard sell. If you’re looking for a partner to help you reduce risk and defend against the threats that are targeting your business — and specially if you are interested in Microsoft Security - reach out to www.quorumcyber.com.
Support for this show comes from Snyk. Snyk is a developer security platform that helps you secure your applications from the start. It automatically scans your code, dependencies, containers, and cloud infrastructure configs — finding and fixing vulnerabilities in real time. And Snyk does it all right from the existing tools and workflows you already use. IDEs, CLI, repos, pipelines, Docker Hub, and more — so your work isn’t interrupted. Create your free account at snyk.co/darknet.
Darknet Diaries is created by Jack Rhysider.
Episode artwork by odibagas.
Audio cleanup by Proximity Sound.
Recording equipment used this episode was the Shure SM7B, Zoom Podtrak P4, Sony MDR7506 headphones, and Hindenburg audio editor.
Add this episode of Darknet Diaries to your own website with the following embed code:
<iframe frameborder="0" height="200" scrolling="no" src="https://playlist.megaphone.fm?e=ADV5343057961" width="100%"></iframe>
[START OF RECORDING]
JACK: Did you know that in 1982, a robot was arrested by the police? [MUSIC] Yeah, get this; it was standing on North Beverly Drive in Los Angeles, and it was there handing out business cards to people. It could talk, too, and it was telling people random robot things. Well, it was causing a commotion. People were just standing around it, staring. Traffic jams, honking; it was making a scene. The police wanted to put a stop to it. They looked around and in the robot to try to find who was controlling it, but they couldn’t figure it out, so they started dragging it off, and the robot started screaming ‘help, they’re trying to take me apart.’ The officer disconnected the power source and took the robot into custody. They put it in the cop car and drove it down to the Beverly Hills Police Station. It turned out, it was two teenage boys that were remotely controlling it. They borrowed their father’s robot to pass out his robot factory business cards. [INTRO MUSIC] It’s funny how time changes our interest in things. If a robot stood on the same corner today handing out business cards, it would hardly be noticed. But in 1982, that was quite the scene. Sometimes it just take us a while to get accustomed to the future.
(INTRO): These are true stories from the dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]
JACK: You ready to get into it? You have your sixth cup of coffee today?
HD: I did, yeah. I finished the whole pot.
JACK: You feel…you sound like a guy who’s just really turned on to like, 11.
HD: I just devolved, I think.
JACK: You talk fast, you’ve built things quickly; it’s just moving all the time for you. Okay, so, what’s your name?
HD: HD Moore.
JACK: How did you…what was some of the early stuff that you were doing security or hacking wise when you were a teenager?
HD: I was the internet hoodlum. Got my start on the old BBS days, go to hang out with a friend of mine; he’d fall asleep early, leave his Mac there with his various BBS accounts, and start dialing around, figure out what we could get to, download the zines, figure out how to dial into all the fun UNIX machines in town.
JACK: How to dial into all the fun UNIX machines in town? See, back in the 90s, there weren’t a lot of websites that you could just spend your time endlessly scrolling through, [MUSIC] but there were a bunch of computers configured to accept connections from outsiders. The way to connect to these computers wasn’t over the internet, but simply to dial up that phone number directly and see if a computer picked up. If a computer picks up, now it’s time to figure out what even is this machine, and why is it listening to people dialing into it? You could find some weird stuff listening for inbound connections, stuff you probably shouldn’t be getting into, but the system just was not configured to stop anyone. HD lived in Austin, Texas, and was curious to find if any computers were listening for connections in his town. So, he started dialing random numbers to see if any would be picked up by a computer.
HD: At one point, my mother was working as a medical transcriptionist, and the great thing in the early days of the internet is that to do that, we had to have a whole lot of phone lines going to the house. We had two or three regular POTS lines, we had an ISDN line, and two computers. She went to bed pretty early, so as soon as she was down, I was up, and I was running ToneLoc across the entire 512 area code pretty much every night for years. Then whenever you find something interesting, you try to figure out what it is and what you can do with it. Some of the fun highlights from back then are like, turning the HVAC on and off at the various department stores, dialing into radio transmission towers and playing with that stuff. This is obviously well before I was eighteen and was too concerned about the consequences, but just that whole process really got me into security, security research, and eventually the internet.
JACK: This was really fun for HD, poking around in the dark, trying to find something interesting, and then getting lost in that system for a while. He was fascinated by it all. Eventually, the internet started forming a little more, and IRC picked up in popularity. This was just a chat room, and HD was spending a lot of time in the Phrack chat channel. Now, Phrack is the longest-running hacker magazine. The first issue was published in 1985, and by the 90s, they had quite a trove of information. If you wanted to learn how to hack or break computers, start by reading every issue of Phrack, and by the time you’re done, you’ll be pretty knowledgeable of hacking. So, the Phrack chat channel felt like home to HD, and he loved hanging out there, learning about hacking.
HD: We’re all using our silly aliases and playing with exploits and generally causing havoc between each other. Out of the blue, I get a message from somebody saying hey, you looking for a job? I’m like yeah, actually I am. He’s like well, you’re not too far; how far are you from San Antonio? I’m like well, I could drive there. So, he set me up with a interview with Computer Sciences Corporation, which is now just called CSC, and they were doing work for – I think at the time it was called AFIC, or – it eventually became AIA. But the Air Intelligence Agency, so the US Air Force’s Intelligence wing, and they were basically building tools for various red teams inside the Air Force. I was like, that sounds like a lot of fun, writing exploits for the military. I’m all about that. So, I was a really terrible programmer and I’m not much of a better one these days, but it was a fun first job to go down there and get these somewhat vague briefs about – we need a tool that listens on the network for packets and does these things with them, or scans the network looking for open registry keys and does this other stuff, so that was my first kinda professional experience of building offensive tooling.
JACK: I think it’s kinda weird that a recruiter for a DoD contractor was looking in the Phrack chat room to find people to come build hacker tools in order to test the defenses of the Air Force, but that’s what happened. HD was now using his hacking skills for good, and while he was in high school, even. At some point while working for this contractor, they asked him to see if he can hack into a local business. That business had actually paid for a security assessment and wanted to see if they were vulnerable.
HD: It was a lot of fun. We basically just walked in and owned everything. It was great; outside, inside, their HP 3000 servers, everything between, had a blast doing it. We went back to CSC and said hey, we’d like to start doing more commercial pen tests, and they came back and said nope, we’re federal; that’s it. So, we took the whole team and started a startup. That was Digital Defense.
JACK: HD loved doing security assessments for customers, and this is a penetration test. Customers would hire them to see if their computers were vulnerable, and they did other things too, like monitoring for security events, and helped secure the network better. [MUSIC] But there was a problem, a big one, if you ask me. Back in the late 90s, exploits were hard to come by. See, let me walk you through how a typical pen test works. First, you typically want to start out with a vulnerability scanner. This will tell you what computers are on the network, what services are running, what apps are running, and maybe even give you an idea of what versions that software is running, too, because sometimes when you connect to that computer, it’ll tell you what version of software it’s running. Now, as a pen tester, once you know the version of an application that a computer is running, you can go look up to see if there’s any known vulnerabilities. Maybe that’s an old version that they’re running. Here’s where the problem lies; suppose that yes, you did find a system that was not updated and was running an old version of software that has a known vulnerability. It’s simply not enough to tell the client that their server is not patched and needs to be updated.
The client might push back and say well, what’s really the risk for not updating? So, that’s why a pen tester has to actually exploit the system to prove what could go wrong if they don’t update. They need to act like an adversary would. But to get that exploit so that you can demonstrate to the client that this machine is vulnerable, that’s the hard part. At least, it was in the 90s. Some hacker websites would have exploits that you could download. Those were often pretty old and out of date. So, then you might start feeling around in chat rooms, trying to see who’s got the goods. If you’re lucky, you get pointed to an FTP server to download some exploits, but it has no documentation, and who knows what this exploit does? It could be an actual virus. As a professional penetration tester, you really can’t just download some random exploit from the internet and launch it on your customer’s network; no way. Who knows what that thing does? It could infect the whole network with some nasty virus or create some backdoor that other hackers can get into. So, back then, there just wasn’t a place to get good exploits from, and especially, there wasn’t a place to get the latest and greatest ones.
HD: As you start rolling into the 2000s, what happened is all the folks who previously were sharing their exploits with the researchers, with kinda the community, they obviously started either just getting real jobs and stopped sharing their tools or they thought there was ethical issues with that. But basically, it all dried up. It turned into some commercial firms. Like, Core Impact was targeted around the same time to commercialize exploit tooling. Other folk just decided they weren’t doing it anymore or they got in trouble. So, if you were a security firm trying to do pen tests for your customers, it was really difficult to get exploits back then and really difficult to know whether they were safe or not without rewriting every byte of shell code from scratch. So, the challenge of getting the right tools and exploits, you had to build a lot of it in-house.
JACK: Well, this company that he was working for didn’t really have the ability or expertise or resources to develop their own exploit toolkit. But HD, being someone who’s fiercely driven and part of this hacker culture, was acquiring quite a bit of exploits and learning how they worked, and was able to code some of his own. But these exploits were unorganized; they were scattered all over his computer, the documentation wasn’t there, it was hard to share it with some of his teammates, and that’s why HD Moore decided to make Metasploit. [MUSIC] Metasploit is an exploit toolkit, which basically means it’s a single application that has loads of exploits built into it. So, once you load it up, you can pick which exploit to use, input some parameters, and launch it on the target. It was not so great, but it was a basic collection of vulnerabilities that HD knew and could trust that weren’t filled with viruses. This little tool he built was helping him do security assessments, and now that he’s made a framework, he can continually add new vulnerabilities to make it better. But there are new vulnerabilities being discovered all the time, so it was an endless job to keep adding stuff to Metasploit.
HD: Yeah, I mean, it’s a combination of finding vulnerabilities myself, sharing with your friends, reporting some of them, not reporting others at the time, and then just me and my friend sharing exploits all day long. I wrote some; they weren’t very good, but I’d write stuff all the time. Then you get access to one of the really interesting ones or really high-profile ones, and play with it a little bit and see what you can do with it. What ended up being the first version of Metasploit was very menu-based, very terminal-based. We kinda picked the exploit, picks – picked the NOP encoder, the exploit encoder, and the payload, and put them all together, and then send it. By the time we got to Metasploit 2, we threw all that out the window and came up with – the idea was that you can assemble an exploit like Legos. So, it wasn’t – prior to this, most exploits had maybe one payload, maybe two payloads.
JACK: Oh yeah, a payload. A payload is what you want your computer to do after a vulnerability gets exploited. Imagine a needle and syringe; the needle is the exploit. It gets you past the defenses and into the system, but an empty syringe does nothing. The payload is whatever’s in the syringe, the thing that gets injected into the computer after it’s penetrated. So, what is a typical payload? Well, it could be to open the door and give you command line access, or it could be to upload a file and execute it on that computer you just got into, or it could be to reboot the computer. The exploit is the way in, and the payload is the action taken once you get in. Yeah, the exploits that you would get your hands on back then, then had built-in payloads.
Changing the payload wasn’t always even an option unless you had access to the source code of the exploit and could build your own payload. Even if you did that, what happens the next time when you want to use that exploit with a different payload? You’d have to recompile the whole thing with something new and then fiddle with it to get it to actually work. Of course, you don’t want to run some payload that someone else made on one of your customer’s computers unless you can examine the source code and see what it does. HD saw this was a problem and modularized how you build an attack. He made this easy, with Metasploit, giving you the option to pick the exploit, pick the payload, and then choose your target. It made hacking a thousand times easier.
HD: So, instead of being stuck with one payload or one exploit, you could take any payload, any exploit, any encoder, any NOP generator and stuck – stick them all together into a chain. It was great for a bunch of reasons; a lot more flexibility during pen tests, you could experiment with really interesting types of payloads that were non-standard, and because everything was randomized all the time, a lot of the network-based detection tools couldn’t keep up.
JACK: Because everything was randomized? This is actually a really clever thing he added to the tool. So, if you put yourself in a defender’s shoes, they obviously don’t want exploits being run in the network, and they want to identify them and not let those programs run, right? A defender might even make a rule in the antivirus program that says hey, if there’s a program that is this size and has this many bytes and is this long and is called this, then it’s a known virus. Do not let this program run. Well, what Metasploit did was randomize all these parts. They’d give it a random name and a random size and all kinds of random characters, simply so that antivirus tools would have a hard time detecting it. It makes sense for Metasploit to try to evade antivirus, because securing your network should be multilayered. The first layer would be to make sure the computers in your network are up to date and on the latest patch. Then the next layer should be to have them configured correctly. If both of those fail, then antivirus can inspect what’s happening and try to stop an attack in progress. But if antivirus is blocking it, it hasn’t even tested whether that system is secure or not. So, it needs to go around antivirus tools to actually test the server, and a good pen tester will test multiple layers to make sure each layer of defense is actually working.
HD: So, by definition, Metasploit was evasive by default.
JACK: [MUSIC] Now, at the time, HD was using this tool to conduct penetration tests on people who wanted to see if their network was hackable. HD was one of the initial people to join this company, but he wasn’t in any sort of leadership role or a manager or anything. So, imagine for a moment you’re HD’s boss, and HD shows you this home brew exploit toolkit which is programmed to seek out and exploit known vulnerabilities in computers and payloads built into it. Now, clearly, in the right hands, this is a weapon. It’s an attacker’s dream come true. Some of the vulnerabilities in it are high-quality and make them very dangerous, giving you access to pretty much anything at the time. Him bringing in Metasploit to work was like bringing in a bucket of hypodermic syringes with their safety caps off, and some of these were picked up off shady, underground places. Some of them were DIY homemade, and with syringes, you typically see them in the hands of highly-skilled professionals like doctors or people who need beneficial medicine, or drug addicts. So, a bucket of syringes can be extremely dangerous or extremely beneficial. There’s no real middle ground. It was the same with Metasploit; it was a bucket of some pretty scary exploits that if you let loose in the office would be a pretty big problem. So, bringing in a toolkit like this to work, well, HD’s employer was not supportive of this tool.
HD: I guess more accurately, they were terrified of it. They did not want to be associated with anything I was working on. But at the same time, they were kinda stuck with me because I was running most pen test operations.
JACK: Why were they terrified of it?
HD: There was a lot of fear of exploits and liability. The worry was that if we released an exploit and something – someone bad used it to hack into somebody else, somehow my company would become liable. So, they wanted to stay as far away from it as they possibly could. It didn’t help that our primary client base were credit unions, which were kinda naturally conservative and probably still are. They didn’t want to know that the people they hired for security assessments were also releasing and open-sourcing exploit tools on the internet.
JACK: This is an interesting dichotomy, isn’t it? On one hand, if you’re gonna be testing if a company is hackable, you need these attack tools, these weapons. But nobody ever asks a pen tester, where are you gonna get your weapons from? They just assume, since you’re a hacker, you know how to do it. But it’s not like you can just type a few commands to get around some security measures. That’s like reinventing the wheel every time you want to do an assessment. You need tools for the job, a set of attacks that you know work well and you can trust that won’t put malware on your customer’s network or cause harm. But that’s a lot of work to make sure of, and if you make a hacking tool like this for yourself and maybe put it out there for someone else to use, that does sound like it could come back and bite you. If someone uses it to actually commit a crime with, how much are you liable for that? So, he had to make a decision on what to do with this Metasploit tool. If his work wasn’t going to help him with it, what should he do with it?
HD: [MUSIC] Well, it’s one of those things where on one hand, they wouldn’t support it; other hand, we desperately needed this tool to do our job. It became a nights and weekends thing. So, I’d clock out of work and I’d go spend the rest of the night not sleeping, working on exploits, working on a shell code, and – not particularly good exploits, but I got better eventually, and finally got to the point that we had something that was worth using all on its own that wasn’t just a crappy script kiddie tool or a rewrite of a bunch of new exploits; it was actually something that had some legs to it. That led to – I think my first trip was to Hack the Box, Malaysia, to talk about it. It was a great experience to really get feedback about how different it was from what other people were doing at the time. That really kind of helped give me motivation to keep working on it. It also helped me find people to work on it with. So, Annette, Spoonm shortly after, I met Matt Miller or Skape right after that. They joined the team and we just kinda kept it going as this side project for the next few years.
JACK: So, in 2002 is when he first shared Metasploit with others, which immediately got a few people so interested in it, they wanted to help make it. With a few people helping him, in 2003, he decided to release Metasploit publicly for others to download and use. After all, it was providing him a lot of value to do his job better, so it would probably make it easier for other penetration testers to do their job, too. He also decided to give it away free, and importantly, he made it open-source, so anyone could inspect the code to verify there’s nothing too bad going on in there.
HD: So, metasploit.com was created, and that was where we first started posting some interesting variants of Windows shell code that we came up with that were much smaller that was available otherwise. Then eventually, it became where we shared the Metasploit framework code. The downside, of course, is it gave everyone else a target to go after. So, as soon as we started posting versions of Metasploit framework to metasploit.com, we started getting DDoS attacks, exploit attempts. It got so bad that one guy actually couldn’t hack our server, so he hacked our ISP, ARP-spoofed the gateway by hacking the ISP’s infrastructure, and then used that to redirect our web page to his own web server. So, he couldn’t hack our web server or deface it, but he’d just redirect the entire ISP’s traffic just to be able to deface metasploit.com.
JACK: Wait, the Metasploit website was getting attacked? By who?
HD: [MUSIC] In the early days, everyone hated Metasploit. My employer hated Metasploit, our customers hated Metasploit. They thought it was dangerous. All the black hats, all the folks who were trading exploits underground, they absolutely hated it because we’re taking what they thought was theirs and making it available to everybody else. So, it’s one of those things where the professionals in the space hated it because they thought it was a script kitty tool. The black hats hated it ‘cause they thought we’re taking away from what they had, and all the professional folks and employers and customers thought it was sketchy to start with, so it took a long time to get past that. But in the meantime, we were getting DDoS attacks, we’re having people try to deface the website, we’re having folks spoof my identity and spoof all kinds of terrible things on the internet under my name, you name it.
JACK: Someone decided to attack HD for publishing exploits. They couldn’t figure out a good attack on him, so they spent time figuring out where he worked and decided to attack his employer. They scanned the websites that his employer had, and found a demo site. It wasn’t the employer’s main site; it was a tool to demonstrate how to crack passwords. Well, this demo site was running the Samba service, but it was fully patched, so there shouldn’t be a way to hack into this through the Samba service. HD even tried attacking it with Metasploit, but couldn’t figure out a way in. But there was someone who did know of a Samba vulnerability. They developed their own exploit and attacked HD’s employer’s website and tried to get inside the system. But their payload didn’t work that well, and it crashed the server.
HD: So, I got this alert saying the machine was basically shut down, it crashed. We’re capturing all the traffic going in in that machine just fine to start with, but by doing that, we were able to carve out the initial exploit.
JACK: Wow, this is fascinating. Because HD was capturing all traffic going into and out of that machine, he was able to find the exact code that was used to exploit the Samba service, which is incredible. I mean, it’s like finding a needle in a haystack. But then as he examined this code that was used to exploit the system, he realized this was a completely unknown vulnerability to everyone, which is called a zero-day exploit. HD was able to analyze this and learn how to use it himself.
HD: Did some analysis on it, contacted the Samba team saying hey, there’s a really awful remote 0-day in Samba. So, we wrote our own version of the exploit, put it on metasploit.com, and that was kind of the beginning of a long, long war with – I don’t even know which group it was, but they spent the next two weeks DDossing our website for leaking their exploit. Not only leaking it, but writing a better version.
JACK: That’s brilliant. Because someone didn’t like that HD created Metasploit, they attacked his employer, which made him discover their exploit, which he then reported to the Samba team to get it fixed, and then he added it into his tool, Metasploit. This made his attacker so much more mad at him, and he continued to get attacked like this all the time.
HD: Folks like emailing my boss telling them to fire me, things like that. We’ve had some…
JACK: But yeah, why are people wanting you to be fired?
HD: They felt that publishing exploits was irresponsible and I was a liability to the company, and they didn’t want me to have a job because of what I was doing in my spare time.
JACK: Huh. Did they have a point? Did you feel it with them?
HD: It was good motivation to try harder.
JACK: Okay, so, the idea that somebody’s going to be upset with a side project you’re working on on the weekends to the point where they’re gonna say, I need to get this guy HD; I’m gonna ruin him, I’m gonna e-mail his boss and tell his boss to fire him, that sounds like cancel culture to me before they even had the term ‘cancel culture’.
HD: I guess it’s not that different. I feel like maybe it was the equivalent of a moral, ethical dilemma for them at the time. They thought somehow I was doing something that was morally wrong and therefore needed to be punished. But yeah, there’s definitely a lot of that. There is pressure not just from black hat researchers and from customers who didn’t like what I was doing, but also from other security vendors saying well, if you want business with us, then you have to bury this vulnerability. You can’t talk about this one.
JACK: [MUSIC] Whoa, so when he would find a vulnerability in one of the companies that were a business partner of his employer, that company was absolutely not happy when HD published the exploit and added it into Metasploit. Because remember, Metasploit makes hacking so much easier, which means if it’s in the tool, it’s now easy to exploit that company’s products. So, they’d get mad at him, ask him to take down the blog posts that talk about this vulnerability, and remove it from the tool. They would even threaten to take away the partner status that they had with his employer if he didn’t comply. Things were getting pretty ugly, and his employer was growing increasingly unhappy with HD. He was frequently finding himself in the crosshairs of many attacks, but this is his territory; hacking, attacks, defending. That’s what he does during the day as his day job, but it’s also what he does at night for fun, and he even dreams about this kind of stuff. So, if someone attacks HD Moore, you know he’s gonna have fun with that.
HD: What happened is some vulnerability we published was being actively exploited by some black hats who were building a botnet, and they were so mad about it, they decided they were gonna use that botnet to DDoS metasploit.com. What they didn’t realize, though, was Metasploit wasn’t a company. Metasploit was just a side project I was running in my spare time, and I thought the whole thing was hilarious that they were spending all this time DDossing it. But I didn’t like the fact they were DDossing an ISP that I liked working with.
JACK: So, this botnet was flooding both of his DNS names, metasploit.com and www.metasploit.com. It was sending so much traffic that the site was unusable by anyone and was essentially down. HD investigated this botnet a bit and discovered where the botnet was being controlled from. He found their command and control server, or C2 server.
HD: They just happened to also have two command and control servers. So, a light bulb goes off. It’s like, well, let’s point www.metasploit.com to one of their C2s and their domain name to the other one and just sit back and wait a couple weeks, see what happens, right? So, what happened is because those are the control servers for the botnet and a botnet was DDossing its control servers, they got locked out of their botnet until we changed the DNS settings. So, we essentially hijacked their own botnet to basically flood their own C2 indefinitely until they finally e-mailed us a week later saying please can we have it back?
JACK: Wait, what? They e-mailed you?
HD: Yeah, ‘cause they didn’t know how else to get ahold of us. So, they basically lost their botnet. We said okay, well, don’t DDoS us again. They went okay, we won’t, and that was the end of that. We never got DDossed again.
JACK: We’re gonna take a quick ad break here, but stay with us because HD’s just getting started with the stories that he has. Who do you associate yourself with? Because I’m feeling like you’ve got three legs in three different buckets, here. On one leg, you’re standing in the Phrack IRC channel, which is black hat hackers, typically, at the time, right? These are the people who may be either just, I don’t know, hacktivists or cyber criminals proper. Then you’ve got your relationship with the DoD, and then you’ve got your professional relationship where you’re trying to show yourself, like look, I’ve got some real chops here; I can do this kind of penetration work for a fee. I’m a professional, this kind of thing, and I’ve got actually a tool that I’m developing that can be used for professionals. So, how – where in this scenario do you feel like you’re most at home?
HD: Good question. I definitely felt like an outsider in all those groups. The Phrack channel went through a big change right around 2000 or so, where it used to be some pretty well-respected hacker researcher types, and got taken over by a group of trolls that called themselves Phrack High Council, and those folks and I did not get along. That led to this multi-year constant trolling and chaos and things like that. Even professionally though, I didn’t really have anyone I could really hang out with besides my coworkers, and I had some good friends there, but there wasn’t – I almost kinda felt like an outsider in all three of those camps, I guess.
JACK: Yeah, because I know about this sort of infighting in the hacker communities. When a hacker thinks they’re hot stuff, they post something, they make a website, whatever. Other hackers will try to dox them and attack their website, and it’s just constantly doing that. Did you feel like that’s kinda what this was, was just hacker versus hacker? Like look, I’m a smarter hacker than you are? Or did it feel like no, you’re not one of us; get the hell out of here kind of attack?
HD: It definitely wasn’t friendly. Some friends and I would always go after each other’s stuff and it wasn’t a big deal. You say hey, look, check your home directory; there’s a file there, or whatever it is, right? These are folks who – they would steal your mail spool, they’d publish it on the internet, they would forge stuff in your name, they’d try to get you fired, they’d try to get you arrested. They do everything – this is prior to swatting, of course, but this is pretty much everything they could do to ruin your life. This was no holds barred; we’re ruining you and good luck fighting back. So, this is definitely not the fun kind.
JACK: Now, by this point, HD and the team working on Metasploit have found lots of new unknown vulnerabilities themselves, stuff that the software maker has no idea is even a problem. They do this by scanning the internet, attacking their own test servers, and trying to break their own computers. But what do you do when you find an unknown vulnerability in some software? Well, the best avenue is to find a good way to report it to the vendor, right? But HD has had a bit of a history with reporting bugs to vendors.
HD: When I was in teenage years and still kind of in high school, I was working on a bunch of the NT4 exploits for fun, like the old HGR buffer overflow and things like that. While I was putting around one day, I found a way to bypass their country validation for downloading – I think it was NTs, Service Pack 4 for Microsoft. So, instead of it looking at your IP address doing geolocation, it’d look at a parameter you put in the URL instead, and you can basically download the high encryption version of NT SP6 from Russia or wherever else, which was not a good thing at the time because of all the expert controls. So, I contact the Microsoft security team which was pretty nascent back then, and said hey, you can bypass all your expert controls; this is probably not good. They were like well, what do you want? I’m like, I don’t want anything, but what do you got? They said well, what are you looking for? I’m like, can I have an MSDN license? That’d be awesome. That was the beginning of a long series of really weird interactions with the security team there. Fast forward to…
JACK: I’m trying to remember what a MSDN license was.
HD: MSDN was the license that gave you access to all the operating system CDs and media for everything Microsoft made. So, if you had an MSDN license, you basically have a – you can install any version of Windows you want, any version of Exchange Server, all that stuff. So, as a hacker or someone doing security research, it was a gold mine ‘cause you have all the bulk installers and data all in one place.
JACK: Got it. Okay.
HD: So, fast forward to my first startup and finding vulnerabilities in Microsoft products and doing a lot of work on asp.net and configurations and other stuff we run into during pen testing, and Microsoft did not like having vulnerabilities reported. They do anything they can to shut you up. They did not like having someone ex – releasing exploits for vulnerabilities on their platform. The first startup I worked at was a Microsoft partner, so we had a discount for MSDN and things like that for internal licenses, and a gentleman at Microsoft kept calling our [MUSIC] RCO saying hey, you need to stop letting this guy publish stuff. You need to fire this person or we’re going to take away your partnership license. So, they kept putting pressure on my coworkers and my boss and the CEO to get rid of me, basically, because of the work I was doing to publish vulnerabilities. That just made me angry; I had got a chip on my shoulder pretty early on about that, and by the time I got to the Hack the Box contest in Malaysia to announce Metasploit, they had a Windows 2000…what was it? Windows 2003 server, I think it was being announced at that time, and they had a CTF for it. I was like great, I’ll do this CTF.
JACK: So, CTF stands for Capture the Flag. It’s a challenge that a lot of these hack conferences have, where they put a computer in the middle of the room and see who can hack into it. In this case, it was a fully-patched Windows computer, and HD was curious if he could find a vulnerability to get into it. So, he creates some tools to send it random commands and inputs, anything that he could send to it to try to cause it to malfunction. Sure enough, he did get a fully-patched Windows computer to malfunction. So, he examined the data that he sent to this computer to cause it to malfunction, and he was able to use that to create an exploit which got him remote access to the system. Now, since this was an unknown bug to Microsoft and Microsoft was there at this hacker conference sponsoring the thing, he went up to them and told them about it.
HD: They were like great, report it to us. I’m like no, it’s mine. Am I gonna get a reward for it? What are you gonna do with it? I found this vulnerability. It’s mine to do what I want to with it. So, I reported it to the Hack the Box where I was like hey, Microsoft’s trying to pressure me to not disclose this thing that I found. That’s not the point, right? The point is yeah, I found a bug in your server; now I’m gonna talk about it. I’m gonna share it with you, but the idea is to go publish it afterwards. They shut the whole thing down. [MUSIC] So, I heard secondhand that Microsoft threatened to pull sponsorship of the Hack the Box conference if they let that vulnerability get published. So, the whole thing got swept under the rug.
JACK: See, at the time, Microsoft didn’t take their security as seriously as they should. They weren’t publishing all the bugs that they were finding or rewarding people for the bugs they found. As HD tells it, they were asking people to not publish bugs publicly. They thought it was just better to hide some of these attacks so that nobody knows about it. But around this time, in 2002, Bill Gates sent a famous memo to everyone at Microsoft which said security is now a priority of the business, and they started a new initiative called the Trustworthy Computing Group. Well, HD saw that this bug he found was causing problems with the conference and he liked the conference and didn’t want them to lose their biggest sponsor, so he agreed to just sit on this bug and do nothing with it. Six months later, someone else found the same bug and reported it to Microsoft, and they were able to fix it. It was only then that HD published his version of it.
HD: So, the short version is, I’m more than happy to tell the vendors about it, but I also want to make it public at some point. These are vendors that, at the time, were sitting on vulnerabilities more than a year, two years, maybe never disclosing it. They had no motivation to ever disclose a vulnerability reported to them, and they would do anything they could to pressure you not to. Microsoft was probably the – one of the biggest offenders at the time of pressuring researchers into not disclosing vulnerabilities they found.
JACK: Do you know if there was a – even a vulnerability list that they had published at the – at that time?
HD: I think Microsoft – there were CVEs at the time and Microsoft had their security advisories, but the security advisors were just the tip of an iceberg. There was so much stuff being reported to them that they would just shut down. The challenge with keeping these secret whether it’s because you’re the vendor and don’t want people to know about it and it’s bad marketing or whether you’re a black hat and trying to use it to break into systems is that nobody else out there can protect themselves. They can’t test themselves. They don’t know whether they’re actually vulnerable, whether the security product they bought to prevent exploitation is actually working, right? So, one of the great things about having a publicly available exploit for a recently disclosed vulnerability is you can make sure that all your mitigations, all your control, all your detection, are actually working the way they’re supposed to. Everybody else did not want that.
JACK: At the time, Microsoft’s browser was Internet Explorer. With the chip on his shoulder from dealing with Microsoft in the past, HD decided to see how many vulnerabilities he could find in Internet Explorer.
JACK: He kept reporting bug after bug to Microsoft, but from his perspective, nothing was getting done. So now, what do you do when you’ve told the vendor about a bunch of bugs and they didn’t act on it, and you have hundreds more?
HD: It got to the point that we just gave up. We said you know what? We’re gonna do an entire month; we’re gonna just drop an 0-day every single day for a month straight, and we’ll still have hundreds left over afterwards. It was that particular sequence and that particular event that I think finally killed ActiveX and Internet Explorer.
JACK: Why? Why do you think that?
HD: Well, after the thirty or fortieth ActiveX vulnerability reported, then we’re like, hey guys, we have 200 or 300 more. We can keep – we can go – keep going all year at this point. It was a good indication that they realized there was no safe way to implement ActiveX control and Internet Explorer.
JACK: Microsoft was realizing the security in their products wasn’t cutting it. They needed to do better, and they were working on that. In fact, what they started doing was offering jobs to people who were reporting bugs to them.
HD: So, if you were someone who was previously reporting a bunch of vulnerabilities to Microsoft, all of a sudden you got a job offer instead. I mean, there’s a amazing security research group called LSD out of Poland, and three of the four folks that were part of this group joined Microsoft during this time.
JACK: Well, did they contact you?
HD: We’re friends. I met them in Malaysia and I see them at conferences and stuff like that. I definitely got a few offers from Microsoft early on, but I kinda pushed back with ridiculous terms, like no way in hell, essentially, mostly because I felt like they didn’t really have the best interest of the community at heart. They definitely – they would shut down anything I was working on. For the most part, it was true; folks who took a job at Microsoft after doing vulnerability research before, you never heard a peep out of them again.
JACK: Hm, can you imagine if that happened? If HD got hired by Microsoft? They might have tried to close down Metasploit altogether, and what a loss that would have been. Because, Metasploit was starting to pick up some traction, and while it was hated by many, it was being used by many more. Pen testers all over were beginning to use it as one of their primary tools to test the security of a network. It was shaping up to be a vital and amazing tool as a pen tester, because it made their job so much easier than before. As the need for pen testers rose, the need for better pen tester tools rose, too. Of course, the whole time, Metasploit was free and open-source, so the community could just look at the source code and verify there wasn’t anything malicious getting installed on someone’s computer once you hack into it. The security community was slowly adopting it and liking it more and more every day. Well, as time went on, Microsoft really did step up their game on handling bugs found by researchers. They were patching things much quicker and were learning that they cannot control the bugs that outside researchers discover.
That’s kind of a hard thing even for companies to understand today. If someone finds a bug in your product, you can’t control what that person does with that bug. You can try to offer a bug bounty reward to them, but that doesn’t mean researchers will take it. They might sell it to someone else or publish it publicly for everyone to see. Software vendors cannot control what people do with the bugs they find, and people like HD, who was just publishing vulnerabilities all the time, were making that point crystal clear. [MUSIC] Microsoft has an internal conference that’s just for Microsoft employees. It’s called BlueHat, and at some point, they started inviting security researchers from outside Microsoft to come talk at it. HD knew one of the researchers who was giving a talk, and was invited to come co-present at BlueHat. So, HD got to go to this exclusive Microsoft conference and present to their developers. I just imagine your talk is just like, here are the 400 things wrong with Microsoft.
HD: Yeah, it was a lot of that. It was like, one good example is back in – what was it? 2005 or so, I was on the flight over to BlueHat and I was playing with a toolkit that I was calling KarMetasploit at the time or Karma meets Metasploit. Karma was a way to convince wireless clients to join your fake access point and then immediately start talking to you and try to authenticate to you like you’re a file sharer or printer. So, essentially, if you had your Wi-Fi card enabled, let’s say on an airplane, and someone was writing this tool on a different laptop in the same airplane, they would then join your fake access point, try to access company resources automatically, give you their password both times, and then provide a lot of exploitable scenarios where you can actually take over their machine. So, we thought it’d be fun to run this tool on the actual airplane as we were flying to BlueHat, and lo and behold, we end up collecting a bunch of password hashes from Microsoft employees in the process.
JACK: You little stinker.
HD: It was fun times.
JACK: Where are you on this whole responsible disclosure thing? Do you want to get this stuff fixed ASAP or are you more – where do you – what do you think you should do with a vulnerability if you find it?
HD: After going down that path a few hundred times, the fastest way to get a vulnerability fixed is to publish it on the internet that day. Whether it’s responsible or not, it’s effective.
JACK: Well, he has a point. It’s true; if you find a bug and want it fixed as fast as possible, make it known to the world in the biggest and loudest way, and it will get fixed fast. But even though that’s the fastest path to getting a bug fixed, it’s not the responsible way to do it, because doing that exposes a lot of people who can’t do anything to stop that attack. It means criminals can use it before it’s fixed, and this puts a lot of people at risk, which means you’re probably doing more damage than helping. It’s better to privately tell the software maker and give them time to fix it. But then when they aren’t fixing it and you’ve given them plenty of time, then they might need a little fire under them to get them moving on it. Sometimes to get a company motivated, you’ve got to give them a little bad PR.
HD: Definitely depends on the vulnerability. These days, I’ve been leaning towards kind of a 98 disclosure policy, where you tell the vendor about it for forty-five days, then you tell somebody else about it is a dead man’s switch. If the vendor sits on it and it leaks, the other person’s gonna publish it no matter what. I’ve been using that strategy by working with US-CERT for the last few years, where whenever you publish a vulnerability to a vendor, they get forty-five days of only them having access to it, and then forty-five days later, it goes to US-CERT, or sorry, CERT CC, and they can – they’re basically guaranteed to publish it after forty-five days. So, the great thing about that model is you’re kinda splitting the responsibility; you’re in – you’re making sure that the vendor takes it seriously and gets the patch out in time, but you’re also not having to publish it directly on the internet. So, having a third party like that really reduces the ability of the vendor to pressure any individual researcher from not disclosing, because it’s already in the hands of another party at that point.
JACK: There are a few groups that have adopted this same model. Trend Micro has the Zero Day Initiative, and Google has Project Zero. Both of these groups look for vulnerabilities and report them to the vendor, and then give the vendor ninety days to fix it. Then they’re gonna publish it publicly. So, the vendor knows if they get a bug report from any of these groups, they have to act quick and get it fixed before it becomes public, because that would be a PR nightmare. It’s wild to see major tech firms like Google playing this sort of hardball game with software makers. But this has been working pretty well. Because now we see things like Trend Micro publishing some zero days on big companies like HP. Because HP wasn’t fixing their vulnerabilities fast enough.
HD: Yeah, it’s great. I think it’s effective; sometimes you have to. The folks that you chatted with at HP about, they’re like yep, that’s the only way that team’s gonna get the resource needed to fix the product, is if we publish it a zero-day.
JACK: [MUSIC] At some point, Metasploit got a new feature called Meterpreter.
HD: Meterpreter was the brainchild of Matthew Miller, Skape, and a lot of other folks worked on it, but he was really the architect behind it.
JACK: Meterpreter is a payload. Remember, the payload is the action you want to happen after your exploit opens the door for you. But the Meterpreter payload is kind of like the ultimate payload. It lets you do so much on the target system that you just hacked into; you can look at what processes are running, you can upload a file to that system or download a file. It helps you elevate your privileges or grab the hash file where the passwords are stored. I mean, think about that for a second. Let’s say you use Metasploit to get into a computer, and with one command, hashdump, it knows exactly where the password file is on that computer and it just goes and grabs it and downloads it to your computer so you can just start cracking passwords locally if you want. You don’t need to know where the password files are stored on that computer; Meterpreter knows that for you. You just need to know the one command, hashdump, and you got them. But Meterpreter does so much more than this; it lets you turn the mic on and listen to anything the mic is picking up. It lets you turn the webcam on and see what that computer can see. It lets you take screenshots of what the user is doing right now. It lets you install a keylogger if you want to see what keys the user is pushing. Meterpreter is incredible, but with a payload like this, it makes Metasploit so much more dangerous. I mean, all these features can be easily abused by the wrong person and can cause lots of damage.
HD: On the vendor side, it was scary for them because instead of exploits being these really simple payloads that they would drop, they could easily detect. Now exploits could drop anything. They could drop TLS-encrypted connect packs. They could drop basically mini-malwares instead that are able to automatically dump password hashes and communicate back over any protocol you want. So, we made the payload side of the exploitation process incredibly more complicated and way more powerful. This is kinda one of those points where some of the features of Metasploit, especially around Meterpreter, started getting really close to the malware world.
JACK: Right, and I think that’s where I want to head, but you’re not just doing a proof of concept of okay, look, I can get into your machine and I – here’s who am I or something and what process ID I’m running as. You’re building this – Meterpreter gives you full access to that computer, which allows you to screenshot, do keyboard sniffing, whatever, all these things that are a lot more thumb-in-your-eye kinda thing, and I don’t know if that’s taking it too far. That’s what I’m – it’s not just a proof of concept; it’s – we can completely destroy this machine if we wanted, which I guess you have to kind of prove that in order to show the voracity of this vulnerability, but it just – it’s almost going too far for me. What do you think?
HD: Well, one of my favorite things with Meterpreter is we had a way to load the VNC desktop-sharing service in memory as part of the payload itself. We had it wired up in Metasploit, so you literally run the Metasploit exploit and you’d be – immediately get a desktop on your screen, be able to move the mouse cursor, be able to type on their keyboard. It was immediate remote, gooey access to a machine over the exploit channel itself, which is just mind-blowing at the time for payloads, ‘cause it didn’t depend on RDP or anything like that. It didn’t depend on the firewall being open ‘cause they do a connect back to you and then proxies it. It was just amazing delivery. That specific payload blew so many minds that it was really easy for us to show the impact of an exploit.
If you’re trying to show an executive after doing a pen test, hey, we got into your server; here’s a command prompt of us doing a directory listing, that’s one thing. But if you’re showing that you literally take over their server and you’re moving the mouse on their desktop within two seconds of connecting to the network, that is an entirely different level of impact that you can show. It also let us build a lot of other really complex, really interesting use cases where it really shows what the impact of the exploit is. It isn’t just like oh, you’ve got a bug and you didn’t patch it and now I’ve got a command shell. It’s like no, no; I have all this access to your system, whatever it happens to be.
JACK: Yeah, I guess that’s kinda what drew me to Metasploit as well, is like, oh my gosh, it’s not just a exploit, it’s what you do with the exploit after you get in. But as you were saying, the Meterpreter started getting close to being its own malware. Explain what you mean by that.
HD: Well, a lot of the malware payloads even today are written in C and they’ve got all these advanced communication channels and C2 contact mechanisms and all this boiler plate stuff that they do, like providing the ability to chainload payloads, download more stuff, talk to back ends, bounce between different back ends. We got Meterpreter to the point that it actually had the same capabilities as some of the more advanced malware that are out there, and that’s when it started getting a little swiffy for me, ‘cause it’s like, we don’t want to be in the malware business. We’re here to show the impact of exploits and let people test their systems and to generally demonstrate the security impact of a failed security control or a missing patch. But we’re not here to persistently infect machines, and Meterpreter got very, very close to that line. The thing that really separated it from actual malware is the fact it was always memory-based only. It was never on disk at all.
JACK: [MUSIC] Hm, this is a strange territory to be in. Metasploit is a tool that’s sole job is to hack into computers. Whether you have permission to do that or not, that’s the purpose of it. But it seems to be the intent of the person using it that tells us whether Metasploit is malware or a useful tool. So, the Metasploit team had to be very careful on how far they took this tool. Now, this is a multi-open-source, multi-developer project. Did you have some sort of manifesto that said – or a meeting that said okay guys, here’s – we’re gonna push this all the way it goes, except no persistence. Was there a manifesto of like…? Like you just said, you don’t want to leave your customers weaker. This is a secure – this is a professional tool; it’s something written out there.
HD: It was never a written manifesto, but it wasn’t a ethical boundary; it was just a practical boundary. You’re not gonna use Metasploit for a pen test if it leaves garbage all over your machine afterwards or backdoors it in a way that’s difficult to fix. Some exploits require temporarily creating a backdoor user account or otherwise creating something that would otherwise create more exposure, and we’re always really careful to document what the after-exploit scenario looks like. Okay, after you run this thing, you need to do this other thing, so we created these post-cleanup modules that would remove the trace of whatever the thing was. But that was something that I also agonized over, ‘cause I really hated having to create any kind of – like, have to lower the security of the system as part of the exploitation process. Also, that was counterintuitive; that was kinda going against what we’re trying to do in the first place.
JACK: Yeah, I know. I mean, I’m not explaining it well, but it just seems like you’re putting your thumb right in the customer’s eye and you’re like well, we don’t want to hurt you.
HD: Well, that’s the thing; you’re trying to be a professional adversary. So, you have to have the most possible brutal, malicious approach to the problem in the sense that you’re gonna use the same technique someone else would. But then you need to draw the line about where you leave the customer afterwards and what the actual impact of the attack is.
JACK: [MUSIC] Okay, so we heard HD has many adversaries, right? Cyber criminals don’t like him publishing their weapons and making them ineffective, old school hackers don’t like that he’s making hacking so easy that a script kitty can do some amazing stuff, and vendors don’t like that he’s publishing their bugs. He’s getting hit on all sides by these people. But there’s one more group that’s also not happy about Metasploit; law enforcement. There were crimes committed with Metasploit.
HD: That’s my first experience writing Windows shell code. The first Windows shell code ever published by Metasploit ended up in the Blaster worm almost immediately afterwards.
JACK: See what I mean? There was a massive worm that was using information that he published to do dirty work out there. I just read an article today that said in 2020, there were over 1,000 malware campaigns that used Metasploit. So, what happens in this situation when you’re making tools that criminals are using? Well, let’s go back and look at a few other cases. I did an episode on the Mariposa botnet. The people who launched this botnet all got arrested, but they weren’t the ones who developed the botnet. The Butterfly botnet was created by a guy named Iserdo, but this Iserdo guy, all he did was develop the tool and put it out there. He never used it to attack anyone, but he was arrested and sentenced to jail just for developing the tool. What the court proved was that he was knowingly giving it to criminals to commit crimes. Or let’s look at Marcus Hutchins; he developed malware which became known as Kronos, but he only developed it. He never launched it on anyone. But it was because he was giving it to someone who did use it to go and attack banks is why Marcus was arrested by the FBI. In both of these cases, what it came down to was whether or not the software maker was knowingly giving these hacking tools to someone who had intent on breaking the law with it. But HD claims he has no responsibility with what people do with his tool.
HD: I don’t know, if you bake a bunch of cookies and put them on the sheet – in the street and say free cookies, are we responsible if a criminal eats a cookie? I don’t know. I feel like it’s different. It’s open-source, it’s community-based, it’s open domain. Everyone’s on the same playing field. I feel like it’s one of those things where if you’re only providing those exploits, those weapons, to someone in the criminal community and charging for them, that’s one thing. But if you’re creating a project for the purpose of helping everyone else understand how things work and to test their own systems, and a bad actor happens to pick it up and use it too, that seems like a – something very different.
JACK: But I get worried for HD because he takes Metasploit to hacker conferences and hacker meetups to demo it and teach it to other people there. Everyone knows there are criminals who attend these things. I mean, just sharing it with the hacker chat rooms that he was part of, like Phrack; how could he have gone all this time without once seeing that the person that he just taught this to or gave it to was a known criminal? Did you have any lawyers helping you on this project?
HD: No. Once in a while I’d have to reach out for help, but it usually wasn’t from a lawyer that would – I had hired myself. Usually it was just people I knew that happened to be lawyers who would give me advice on stuff.
HD: I think early on, the solution was my spouse had a get-out-jail-fund, had a lawyer fund sitting aside, so if I got dragged out in the middle of the night, she had cash that was not tied to my personal accounts or our shared accounts to find a lawyer and give me bail money, basically. So, that was the case for about six, seven years, where I was pretty concerned about getting arrested for almost anything I was working on at the time, ‘cause it was all pretty close to the line, whether it’s internet scanning, whether it was the Metasploit stuff. It really comes down to whether you think a prosecutor’s gonna make a case, whether you think – they think they can make a case. Prosecutors don’t want to lose a case, so they’re not gonna bring a charge against you unless they’re very certain that they’re gonna win. That’s why the conviction rates are so high.
So, it’s one of those things where intent matters, but what really matters is whether the prosecutor really wants to go after you or not, and if you convince them that hey, I’m not actually a bad actor and I’m not doing this stuff, I’m not driving this economic activity that’s related to criminals, then that’s helpful. But that’s one of the things I really don’t like about US law, is the CFA doesn’t care about intent, for example. There’s nothing about our Computer Fraud and Abuse Act that cares whether you were doing it for good or not. A lot of our laws are problematic like that. It isn’t just the standard section that’s quoted; it’s also Section 1120. There’s a couple other parts of the US criminal code that are just really dangerous when they’re taken out of context or used to make a case for something that really shouldn’t have been prosecuted in the first place. So unfortunately, a lot of the US prosecutions really just come down to whether someone wants to go after you or not, and all you can do is do your best to stay above the law when you can, and when the law is really vague, do your best to not be a tempting target.
JACK: Yeah, but I am surprised that when I load up some software, even look at some how-to’s and videos on how to hack, there is a disclaimer at the beginning; do not use this for illegitimate purposes. Do not break the law with this information. When I load Metasploit, it doesn’t say for pen testing only, only use on systems you have permission to, and I’m wondering why would you keep that off there?
HD: I don’t think it ever occurred to us to add a warning, honestly. We figured if you’re downloading Metasploit, you know what you’re getting into. You’re know you’re downloading a security tool to do security testing. We’re not there to tell you you shouldn’t jaywalk or you shouldn’t firebomb your neighbor’s house. We assume people have reasonable reasons why they’re using the software in the first place, and we don’t feel like we’re enticing you to commit a crime because we’re providing them a tool.
HD: I mean, stuff came up for sure, but mostly I was able to talk my way out of it one way or another. I think a lot of it is – just the way to win in that space and to not go to jail was to be as loud and as blatant and as above-board as you possibly can. So, doing a Metasploit talk at every conference, having tens of thousands of Metasploit users early on, having 200 different developers involved with the project; the bigger, the wider, the more noisy you can make the project, the less likely someone was gonna say this is a tool for just criminals and we’re gonna go after it.
JACK: You just have such a surprising – an adventurous life. [MUSIC] There’s a big difference between your typical pen tester and HD Moore. The typical pen tester today learns how to use Metasploit, which is the tool that HD created. HD is the one learning how the exploits work, writing the shell code to make them work, and actively trying to find new exploits all the time. On top of that, he’s fielding a nonstop barrage of attacks himself from creating the tool, so he’s well-versed at defending and attacking systems. The experience he has in this space is almost unparalleled, but it was because of how much passion he has about security that got him to this point. I just want to say to any up-and-coming pen testers out there, getting your hands on working exploits and contributing to open-source projects is a fantastic way to become fluent in this field. There are a ton of open-source hacker tools out there on GitHub, and it’s a great experience to download the source code and see how they work, and try to improve upon them. Even if you’re just a beginner, there’s probably something you can do to help, whether it’s writing better documentation or improving the Help menu. Being part of a project like that can launch your career. HD even helped many of his contributors get jobs. Learning to find and develop exploits would really pay off for HD, but it was a tough ride for him to hold on to.
HD: Yeah, I think it took about three or four years before we really turned the point from ‘that’s stupid’ and ‘that’s crappy’ to ‘that’s a script kitty tool’ to ‘that was a piece of crap and I don’t like it’ to ‘okay, fine, I’ll use it to – hey, now everyone’s using it’.
JACK: Metasploit grew up to be one of the de facto tools used by security professionals all over. Eventually, schools started teaching students how to use it. I mean, can you imagine a hacking tool becoming part of the course curriculum in school? But even more than that, it became necessary to know how to use Metasploit to pass certain exams and get certified in security. Despite the hard start and hate it received, Metasploit grew to become an invaluable tool for the pen test community to use, and it became mass-adopted by security teams everywhere.
HD: By 2008, both Skape and Spoonm had moved on to other things. Skape’s company got acquired by Microsoft and he went and worked there, and that was the end of his contributions to Metasploit. Spoonm went to school and kinda disappeared doing his thing for a while. So, it was kinda just me running the project again by 2008, and I’ve been working with a guy named Egypt for a long time, contributing exploits to the project and chatting about stuff. I invited him to come and be one of the core members. He joined the team and we started working towards the 3.0 release, I believe, at the time. During all that stuff, as you get closer to 2009, I was working out of the startup, not particularly happy with life. I was pretty broke. The startup wasn’t paying me that much, I had a bunch of credit card debt, had a pretty hefty mortgage on the house, was doing Metasploit training at the conferences to kinda pay the bills and keep things going, but I was also working all day for a startup and all night on Metasploit, and every weekend, every night for years straight at that point. Super stressed out, had a baby on the way, and when I was basically gone for paternal leave, I got an offer to acquire Metasploit by Rapid7.
JACK: [MUSIC] Whoa, an offer to acquire Metasploit by the company Rapid7? That’s amazing. At the time, Rapid7’s product was a vulnerability scanner, and the typical pen test scenario is to start by running a vulnerability scanner, then use Metasploit to try to get into the vulnerable systems you found. It’s a beautiful combination of tools, so it made sense for why Rapid7 would want to acquire the tool. But Metasploit was open-source and a not a product that made any money, so HD was a bit skeptical to give his tool to a corporation. But they asked him at the right time, because he was all stressed out, low on cash, and about to have his first kid. He sorta needed a big break.
HD: So, yeah, when the offer came in to do something different, it was definitely tempting and spent quite a lot of time chatting with the Rapid7 team, getting a sense for what it’d look like, and eventually said okay, let’s give it a try.
JACK: Yeah, did you give them a heads up? Like, hold on a second, if you take the responsibility for this, you’re gonna be taking some bullets. Just so you know, this is kind of the heat I’m getting here and somebody might call up to try to get you fired.
HD: Yeah, put it this way; they brought me on to run the Metasploit team and to build a product line, but they also brought me on as their head of security at the same time. So, I got to take most of those bullets in the first few years. Metasploit had a pretty strong following, but only about 33,000 active users at the time or something like that based on our download logs. So, it was a really good opportunity to commercialize an open-source tool but keep it open-source, and then all the commercialization really happened by building a pro version of the tool and selling that instead. So, our team was able to – basically built a new office here in Austin, hired the team, got the first commercial product out the door in about six or seven months.
I think our team was paying their own bills within twelve months by selling our pro version of the product. So, ended up working out pretty well. Even now, there’s a whole team at Rapid7 working on Metasploit full time. It wasn’t just the development side; they also were an amazing corporate shield for all the drama I was dealing with, all the law enforcement inquiries, all the random threats, all the other stuff. They stood up and took it. They hired lawyers on my behalf, they hired lobbyists on my behalf. They did everything they could to make sure that Metasploit and exploit development and vulnerability research could stay a thing that you could count on, that you could rely on, and they did their best to protect the legal front. So, outside of all the commercial terms and product stuff and all that, I give them a lot of credit for helping vulnerability research and exploit disclosure and exploit sharing be what it is today.
JACK: Yeah, so you said lobbyists; why would they hire lobbyists?
HD: Well, a lot of them – making sure that vulnerability research and disclosure and all that stuff stays legal, is educating people. It’s like saying hey, this is like a real, legitimate reason why people need access to information. This is why you don’t want to regulate vulnerability disclosure. This is why you don’t want to create a law making exploit disclosure illegal. I mean, on the face of it, if someone says hey, we’re gonna prevent you from sharing tools that allow people to attack each other, you’re like yeah, that sounds like a good thing. You don’t want people sharing evil tools with each other, right? Make that illegal. It isn’t ‘til you dig a little bit deeper and realize that you really don’t want to criminalize that because that’s how your defenders are learning. That’s how your actual defenders are testing their own systems. If you don’t have those tools available in turn, you have no idea how effective any of your defenses are. It was just one of those things where, at a very surface level, it was hard to defend, and – but once you started educating people about what the benefits were and once you got more people to be aware of what you take away by criminalizing this type of work, then you try to build that support. So, lobbyist efforts at Rapid7 were instrumental in not only splitting Metasploit framework from the Wassenaar Agreement, at least the way the US interpreted it, but protecting vulnerability research in general.
JACK: Yeah. Can you explain the Wassenaar Agreement?
HD: Oh, sure thing. I don’t have – it’s been a while, so I don’t – I’m probably gonna get details wrong, but the Wassenaar Agreement was an international arms treaty by a bunch of countries saying here’s the things that we will or will not export to other countries without having approvals and things like that. Amendment – I think either an amendment to it or an interpretation of the agreement started to classify cyber security tools as weapons at one point. The goal there is to prevent the NSO-group style attacks, right, where you’re shipping a toolkit, a software toolkit or a hardware toolkit that’s designed to break into other people’s machines, and it’s really designed for the most nefarious – either surveillance use case or for actual cyber-war type use cases. However, the language caught up a lot of other unrelated tools. All the tools that are used for professional security testing would – if you squint at them, right, would also be classified as weapons by the armunitions, by the Wassenaar Agreement. The company Rapid7 spent a lot of time working with lobbyists, trying to help folks understand the difference between an open-source tool like Metasploit and something that’s more targeted, malicious, and weaponized.
JACK: The thing that I don’t understand about the Rapid7 acquisition is how do you buy a free, open-source tool? Why didn’t they just fork it and rename it?
HD: Well, someone tried that, actually. It didn’t go very well. Actually, a few people did. Prior to Metasploit 3 coming out, when we rewrote the whole thing in Ruby, Metasploit was written in Perl. There was a company called SAINT that released a product called SAINTexploit, which was also written in Perl. We’re like ah, that’s suspicious. At some point, someone shared a copy of SAINTexploit with us and we’re like, you know what? Half this shell code is ours and half these exploits really look really like the code that we wrote. There were a lot of similarities between the SAINTexploit product and Metasploit framework, too. So, we got a little bit mad about it. We’re like, this is kinda bullshit. We feel like, if you’re gonna use our code, that’s great, but collaborate.
Don’t pretend it’s yours. Don’t say hey, I made this. Like, no, no; this is open-source. Contribute to it, share it. So, we changed it. We literally changed the commercial – the license of Metasploit to be a commercial-only license briefly, for about a year or so. Between the 2.0 Perl rewrite and the 3.0, the brand-new 3.0 code was under a non-open-source license briefly just because of how we felt about SAINT and SAINTexploit. Finally, when Egypt got – joined the project and we’re looking prior to the Rapid7 commercialization or Rapid7 acquisition, we ended up changing the license back to BSD because we felt like that was the right thing to do to really grow the project. But there definitely was a knee-jerk reaction to close the license after that.
JACK: So, Metasploit continued to be open-source and free under Rapid7, with HD and a guy named Egypt coming on board and working hard on making it even better. One thing that was a neverending job was getting more exploits into the tool.
HD: When I was working at Rapid7, every time a Patch Tuesday came out, our very first thing was how do we get exploits out as fast as possible for everything that was covered, and how do we figure out what they are? It’s a lot of work though; taking a binary patch and trying to figure out the bug can take a week or two just on its own, and that just gets you the bug. That doesn’t get you the exploit. Getting the exploit to work, getting it triggered, getting it reliable, figuring out how to manage the memory correctly, figuring out the payload, threading problems with payloads, I mean, there’s a ton of work that goes into it. I think one of the things that – one of the reasons why I probably don’t work on exploits as much anymore is they’ve gotten a lot more complicated.
You need a much deeper set of skills to be able to work on fiddly heap exploits. You need to basically have this huge background of knowledge just to be able to get the heap in the right state to build a exploit in the first place. I’m not really that great of a programmer. I’m not really that great of an exploit developer; I just spent a lot of time on stuff. So, I felt like that was well beyond my ability to keep up at that point. So, I really love logic flaws, I really love the old school stack overflows and SCH overflows and things like that. But I feel like modern exploits, especially on ARM platforms like mobile – holy cow, there’s a lot of effort that has to go into it just to get one working exploit.
JACK: Now, I’m scared that you say that because a second ago I was calling you the patron saint of exploit development and penetration testing, and now you’re like ah, it’s too complicated for me at this point. Good luck whoever’s doing it now. Who can do it now if it’s beyond your skill?
HD: It’s gotta be super-specialized. If you look at some of the Project Zero posts, I don’t want – particular names in fear of getting them wrong, but there’s some amazing folks out there, and where you see really good exploits being written is when someone has spent months and maybe years looking into the software stack around that before the exploit’s worked on. When you’re looking into how IOS parses messages or how the heap of this particular OS or the Linux kernel is being groomed in a particular way, you need to build up this super-deep, super-specialized knowledge to be able to even start working exploits in that particular space. It’s not like before where once you know how to exploit one platform, one OS, the rest is all pretty straightforward. It used to be like, okay, I know how to exploit Spark; I can exploit most other NIPS with a little bit of work here and there. Now every OS is so different, so deep, and so complicated these days that you really have to specialize.
JACK: Yeah, but I feel like you really enjoy playing in the dark, and I mean, you want to be outside the known world of knowledge, okay? So, there’s a circle that this is the stuff we know in the world; I’m going outside that circle and I’m gonna discover things that the world does not know and bring it into the world of known. That is a very difficult place to be in. That’s a scary place. You don’t know where to go, which direction to go, where to point your finger. You’re hitting your face on the wall over and over and over, and that’s the difficulty of finding vulnerabilities and zero-days and this kind of thing. Even if you know that there’s a vulnerability right there, it still can be hard to find that.
HD: That’s probably – especially with patch reversing; you’re so frustrated because you know it’s there. You know it’s patched. You know it’s in front of you. You know it’s probably one line away from where you’re looking, and you can’t see it. So, these days I spend my time on network protocols and fingerprinting techniques and that type of research, where you’re going really deep on the protocol stack looking for behavioral differences and how a network respond – how a device responds in the network. It’s a similar challenge; you have to go find these really fiddly, really hard-to-find things and then extrapolate all this value from it, saying okay, now that I know that it responds this way and this responds that way, it must be an IOS device or these people are a kernel version or this particular update applied to it. So, I love doing that type of work, but it is working in the dark, like you mentioned. But it’s nowhere near as complicated as doing modern heap exploits.
JACK: I find this particular skill to be one of the most important skills when dealing with technology, which is being comfortable doing things in the dark, in areas that you have no knowledge of or visibility into, because when working in IT, you are constantly faced with new challenges or problems that you have no idea how to solve. The problem might even be so weird that you don’t even know what to Google, and so being able to venture out into unknown territories, even if it’s just unknown to you, you’ve got to learn to be comfortable in these dark areas. It’s scary and frustrating to try things that you know you’re going to fail at and even look stupid doing, but the more comfortable you get in that space of working with the world of unknowns, the better you’ll be next time you face the darkness, which is like, all the time. Are you still at Rapid7?
HD: Oh, no, no. I started my own company about three and a half years ago doing network discovery stuff. So, Rumble; we help companies find every single thing possibly connected to their network environment or their Cloud.
JACK: Yeah, explain more. Get a good pitch for it.
HD: Sure thing. So, I spent twenty-seven years now doing pen testing and security work and building products, and the very first thing you do, whether it’s a pen test and you’re trying to break into someone’s network or you’re building a product that does something on the network like a vuln scanner or a pen test tool, is you gotta figure what’s out there. You gotta scan the network. You gotta find targets, assets, IP addresses, things. So, we came up with a really cool scan engine that can tell you amazing stuff about everything on the network really quickly. At this point, the product Rumble Network Discovery can now find all your networks. So, starting with zero knowledge about your environment, they’ll do a sampling sweep across every possible routable private IP in your organization, they’ll find every populated subnet, every single device, classify every device, tell you what hardware it’s running on, and identify things like multi-owned systems that are breaching different networks. It does it all unauthenticated, quickly, with really no interaction and no real network impact.
JACK: [MUSIC] What I find fascinating about HD is the struggle that he went through to make Metasploit. I mean, the sheer skill it takes just to write exploits and payloads is already impressive, and he had to continually write new exploits as new stuff came out. But the resolve and determination to face a constant barrage of attacks for publishing exploits and to continue publishing more is incredible. I think I would have given in and gave up working on it if vendors are calling my boss, asking them to fire me, or if law enforcement keeps bugging me, but not HD. He persisted through it all, because he had a vision and a belief that what he was doing was right and the whole world was wrong. I think it turned out in his favor. I think he was right and the world was wrong, because we saw the world slowly change and eventually agree with HD. Microsoft drastically changed how they handle bugs now, and their security is much better than it was before. Google puts a similar kind of pressure on companies that HD does, saying you better fix this vulnerability we found, or we’re gonna tell the world. When stuff doesn’t get fixed, they do publish it, and for governments, changing the way they view open-source tools. What a wild ride it’s been to get some decent hacker tools out there for everyone to use.
(OUTRO): [OUTRO MUSIC] A big thank-you to HD Moore, a true legend in the security space. You can learn more about what he’s working on now by visiting rumble.run. This show is made by me, the NOP-sledding Jack Rhysider, and editing help this episode by the zero-trust Damienne. This episode was assembled by Tristan Ledger and mixed by Proximity Sound. Our theme music is by the encoded Breakmaster Cylinder. Hey, HD, one last question for you.
JACK: When you’re reviewing someone’s code, can you tell me what bad code looks like?
HD: No comment.
JACK: This is Darknet Diaries.
[END OF RECORDING]