October 30, 2008

Portrait: Metasploit godfather H.D. Moore

Author: Tina Gasperson

The Metasploit Project develops a set of security tools to create and execute exploit code on remote computers. Some people say Metasploit makes the job easier for black hat hackers who attack networks looking for vulnerabilities to take advantage of; others say the tool helps network security administrators do a better job of finding and repairing weaknesses before the bad guys get to them. H.D. Moore, the 20-something creator of the Metasploit Project, says it all depends on your perspective.


"If you ask a system administrator what side they see me on, a large portion would consider me more useful for the attackers than for the defenders. At the same time, if you ask nearly anyone who provides penetration tests, they would argue the exact opposite. Personally, I believe that making security information, tools, and exploits available to everyone will always benefit the defenders in the long term. By raising the bar for the defenders, you are also locking out the attackers who depend on those vulnerabilities not being fixed."

Even back in school, Moore enjoyed taking things apart and "generally making a mess." He visited garage sales to find "interesting gadgets," and "always had more fun deconstructing things than trying to build anything. My family did not have much in the way of disposable income, so I was still playing with older electronics even when the newer ones were out." Necessity became the mother of Moore's hacking ability.

He fixed an old Atari 7800 video game system he found at one of the garage sales. "The controllers were broken, so I had to wire up my own using a block of wood and a few nails. I ran each wire from the controller to one of the nails, and played the system by connecting the nails together with a fork. As absurd as it sounds, it actually worked."

After learning to program in BASIC on one of the school's Apple IIe computers, Moore began writing "all sorts" of utilities in junior high and high school. "In the case of AOL, I wrote a tool called Switchboard, which was designed to proxy the AOL protocol and provide better access to the network. At the time, there were few security checks on the protocol AOL used, so by manipulating the packets and injecting new requests, it was possible to access more of the AOL back end directly through the resource identifiers. These identifiers were sequential and could be brute-forced. The combination of the Switchboard application and a resource scanner discovered dozens of development and testing areas within the AOL service."

With that success, Moore created other AOL "tools," including one to bridge AOL's chats with IRC channels, which Moore was interested in because of his growing involvement in the "warez scene. Normally, the AOL interface restricts the user to one open chat, but this limit could be bypassed using the Switchboard (it would scrub the close chat command from the packets). The result was the ability to proxy conversations between multiple Efnet channels and AOL chats, which was really useful for certain methods of software distribution."

It wasn't long before Moore was writing SMB share scanners, DoS tools, IRC extensions, and Eggdrop scripts. "I worked on one of the earlier remote access Trojan tools for Windows, which worked really well, even if the code was a horrible mess. Back then, even the hackers didn't pay much attention to Windows security, and the thought of someone having remote control of their 'toy' Windows 95 machine was just silly. Obviously, once Back Orifice, NetBus, and SubSeven came out, that view changed."

Moore had a hard time staying out of trouble in school. "I ran with a crowd that attracted trouble, and after my sophomore year, the amount of drama, violence, and legal repercussions got to the point that public school wasn't really an option." He dropped out, focusing instead on the things that were to lead to his success -- "computer skills, programming, and exploring the Internet." Later, a local high school offered to let him take classes at his own pace and schedule. "I signed up, burned through all the classes I could, and graduated at the same time I would have normally."

While at the new high school, Moore helped out with network administration, showing the IT department how to do security assessments and lock down desktops. "Having a big network of malicious users, a.k.a. students, was a great way to cut my teeth on the defensive side of security."

An open source education

Moore first learned about the concept of open source software in 1996, when he discovered the Cheap Bytes mail-order Linux CD service. "You could purchase any of the common distributions for under $5. This was important, because at the time CD burners were still extremely expensive, download speeds over dialup were terrible, and nearly all of the cutting-edge security tools required a Unix-like system to run. As someone interested in security, not having access to a legitimate root shell on a networked Unix system significantly restricted what tools I could use.

"Once my SuSE 4.2 CDs arrived, I spent a month dual-booting between Linux and Windows, until I could use Linux for my day-to-day work. I have been using it as my primary system for more than 12 years now."

Moore says that his talent for creating exploit tools made for an uneasy relationship with early employers. "There was definitely a sense of mistrust. I blame this more on the lack of awareness about computer security at the time than any particular character trait. If you represent a bank and are hiring someone to test your defenses, some part of your brain is going to equate the people doing the work with the real threat of someone actually breaking in and stealing money. Over time, public views have shifted, and security professionals are now just another part of IT. The fear of 'hackers' has been used to drive the sales of a wide variety of products and services. To this day, antivirus vendors are producing TV commercials that feature shadowy 'hacker' figures. This type of negative marketing contributes to lingering mistrust of security professionals."

Yet Moore says the computer industry can thank the warez scene for its incredible growth. "The industry would not have made it where it is today without pirated software. The people who had the interest and more importantly the free time to learn how to use commercial software rarely had the money to afford it. This left aspiring artists, system administrators, and programmers no choice but to pirate the tools that they now use in their jobs."

The growth of the open source software industry, he says, has happened for the same reason. "The free software movement and the open source development model managed to grab market share from the same group of folks who would otherwise have had to steal commercial software. The increase of open source adoption and the rate of new open source projects is being driven by the entry-level folks who can't afford a multi-thousand-dollar toolkit. Once these folks have those skills, they bring their experience and that software into the organizations they work for, where it has increasingly become part of the core infrastructure. In both of my last two companies, the number of Linux and BSD systems on the network greatly outnumbered Windows and OS X. These days, there is a trend for developers to move from Linux to Mac OS X -- oooh, shiny -- but only because of the same free software available on the OS X platform."

Metasploit futures

The latest version of Metasploit will be released with a new BSD-style license, something Moore calls a big change from the previous "EULA-like" license. The first two versions of Metasploit were GPL, but Moore says that "commercial entities" were taking advantage of the liberal nature of the license.

On the Metasploit blog, Moore wrote, "In one case, a product vendor was selling laptops containing Metasploit 2 for the sole purpose of demonstrating how their product could detect it. The original license allowed for this, but we do want people who use the software to contribute back, and we want to make sure that any 'demo' use is based on the original version of the software and not one that a vendor has modified. We never saw a bug fix, patch, or suggestion from the group within that vendor which was using it for this purpose. We want the Metasploit name to be consistent with a certain level of quality, which we could not guarantee when a vendor was using a possibly modified version to demonstrate their product's detection capabilities."

Now that the project has matured, Moore says that a move back to a more open license is in order. "The new license will lead to commercial abuse, but I believe that the project is now strong enough to succeed even with competition from commercial entities that are using our source code. The key to our success is the Metasploit community and our dedication to sharing security information (and code) in a timely fashion. Metasploit is great at destroying FUD, whether the source is an incompetent product vendor or a media-happy security company."

Regardless of whether you see Moore as good or not so good, it's clear that he is enjoying himself. "I don't think I have been bored any time in the last 10 years, at least if I have a computer and a network connection."

Our Portraits series seeks to profile individuals who are doing interesting things with free and open source software. If you know of someone you'd like to read about, please let us know.

Categories:

  • Security
  • Community