Did you know that in 1982, a robot was arrested by the police? Yeah, get this. It was standing on North Beverly Drive in Los Angeles, and it was there handing out business cards to people. It could talk, too, and it was telling people random robot things. Well, it was causing a commotion.
People were just standing around it staring. Traffic jams, honking. It was making a scene. The police wanted to put a stop to it. They looked around and in the robot to try to find who was controlling it.
But they couldn't figure it out. So they started dragging it off and the robot started screaming, Help! They are trying to take me apart! The officer disconnected the power source and took the robot into custody. They put it in the cop car and drove it down to the Beverly Hills Police Station.
It turned out it was two teenage boys that were remotely controlling it. They borrowed their father's robot to pass out his robot factory business cards. It's funny how time changes our interest in things.
If a robot stood on the same corner today, handing out business cards, it would hardly be noticed. But in 1982, that was quite the scene. Sometimes it just takes us a while to get accustomed to the future.
These are true stories from the dark side of the internet. I'm Jack Rhysider. This is Darknet Diaries.
You ready to get into it? Do you have your sixth cup of coffee today? I did, yeah, I just... full pot. You feel... you sound like a guy who's just really turned on to, like, you know, 11. Like, you talk fast, you build things quickly. I mean, it's just moving all the time for you. Okay.
So what's your name? H.D. Moore.
And how did you, what was some of the early stuff that you were doing security or hacking-wise when you were a teenager? I was an internet hoodlum. Got my start on the old, you know, BBS days. You know, go to hang out with a friend of mine. Fall asleep early, leave his Mac there with his various BBS accounts and start dialing around, figure out what you can get to.
Download the zines, figure out how to dial into all the fun Unix machines in town. How to dial into all the fun Unix machines in town? See, back in the 90s, there weren't a lot of websites that you could just spend your time endlessly scrolling through. But there were a bunch of computers configured to accept connections from outsiders.
And the way to connect to these computers wasn't over the internet, but simply to dial up that phone number directly and see if a computer picked up. And if a computer picks up, now it's time to figure out what even is this machine and why is it listening to people dialing into it? And you could find some weird stuff listening for inbound connections, stuff you probably shouldn't be getting into, but the system just was not configured to stop anyone.
HD lived in Austin, Texas, and was curious to find if any computers were listening for connections in his town. So he started dialing random numbers to see if any would be picked up by a computer. At one point, my mother was working as a medical transcriptionist.
And the great thing in the early days of the internet is that to do that, we'd have a whole lot of phone lines going to the house. We had two or three regular POTS lines, we had an ISDN line, and two computers. And she went to bed pretty early. So as soon as she was down, I was up, and I was running ToneLoc across the entire 512 area code pretty much every night for years.
And then when you find something interesting, you try to figure out what it is and what you can do with it. Some of the fun highlights from back then are like turning the HVAC on and off at the various department stores, dialing into some of the radio transmission towers and playing with that stuff. You know, this is obviously well before I was like 18 and was too concerned about the consequences. But just that whole process really got me into security, security research, and eventually, you know, the internet. This was really fun for HD. Poking around in the dark, trying to find something interesting, and then getting lost in that system for a while.
He was fascinated by it all. Eventually, the internet started forming a little more, and IRC picked up in popularity. This was just a chat room, and HD was spending a lot of time in the Phrack chat channel. Now, Phrack is the longest-running hacker magazine. The first issue was published in 1985, and by the 90s, they had quite a trove of information.
If you wanted to learn how to hack or break computers, start by reading every issue of Phrack, and by the time you're done, you'll be pretty knowledgeable of hacking. So the Phrack chat channel felt like home to HD, and he loved hanging out there, learning about hacking. We're all using our silly aliases and playing with exploits and generally causing havoc between each other. And out of the blue, I get a message from somebody saying, hey, you're looking for a job.
I'm like, yeah, I actually am. And he's like, well, you're not too far. How far are you from San Antonio?
I'm like, well, I could drive there. So he sent me an interview with Computer Sciences Corporation, which is now just called CSC. And they were doing work for... I think at the time it was called AFIWC, or eventually became AIA, the Air Intelligence Agency. So the U.S. Air Force's intelligence wing. And they were basically building tools for various red teams inside the Air Force. And I was like, that sounds like a lot of fun, running exploits in the military.
I'm all about that. So I was a really terrible programmer, and I'm not much of a better one these days. But it was a fun first job to go down there and get these somewhat vague briefs about, we need a tool that listens on the network for packets and does these things with them, or scans the network looking for open registry keys and does this other stuff. So that was my first kind of professional experience of building offensive tooling. I think it's kind of weird that a recruiter for a DoD contractor was looking in the Phrack chat room to find people to come build hacker tools in order to test the defenses of the Air Force.
But that's what happened. HD was now using his hacking skills for good. And while he was in high school, even. At some point while working for this contractor, they asked him to see if he can hack into a local business.
That business had actually paid for a security assessment and wanted to see if they were vulnerable. And it was a lot of fun. We basically just walked in and owned everything. It was great. Outside, inside, you know, their HP 3000 servers, everything in between.
Had a blast doing it. And we went back to CSC and said, hey, we'd like to start doing more commercial pen tests. And they came back and said, nope, we're federal. That's it. So we took the whole team and started a startup.
That was Digital Defense. HD loved doing security assessments for customers, and this is a penetration test. Customers would hire them to see if their computers were vulnerable, and they did other things too, like monitoring for security events and help secure the network better.
But there was a problem, a big one if you ask me. Back in the late 90s, exploits were hard to come by. See, let me walk you through how a typical pen test works. First, you typically want to start out with a vulnerability scanner.
This will tell you what computers are on the network, what services are running, what apps are running, and maybe even give you an idea of what versions that software is running too. Because sometimes when you connect to that computer, it'll tell you what version of software it's running. Now, as a pen tester, once you know the version of an application that a computer is running, you can go look up to see if there's any known vulnerabilities. Maybe that's an old version that they're running.
And here's where the problem lies. Suppose that, yes, you did find a system that was not updated and was running an old version of software that has a known vulnerability.
It's simply not enough to tell the client that their server is not patched and needs to be updated. The client might push back and say, well, what's really the risk for not updating? And so that's why a pen tester has to actually exploit the system to prove what could go wrong if they don't update. They need to act like an adversary would. But to get that exploit, so that you can demonstrate to the client that this machine is vulnerable, that's the hard part.
At least it was in the 90s. Some hacker websites would have exploits that you could download, but those were often pretty old and out of date. So then you might start feeling around in chat rooms, trying to see who's got the goods. And if you're lucky, you get pointed to an FTP server to download some exploits. But it has no documentation.
And who knows what this exploit does? It could be an actual virus. And as a professional penetration tester, you really can't just download some random exploit from the internet and launch it on your customer's network.
No way. Who knows what that thing does? It could infect a whole network with some nasty virus or create some backdoor that other hackers can get into. So back then, there just wasn't a place to get good exploits from.
And especially, there wasn't a place to get the latest and greatest ones. As you start rolling into the 2000s, what happened is all the folks who previously were sharing their exploits, you know, with the researchers, with kind of the community, they obviously started either just getting real jobs and stopped sharing their tools, or they thought there was ethical issues with that. But basically, it all dried up. It turned into some commercial firms like Core Impact was started around the same time to commercialize exploit tooling.
Other folks just decided they weren't doing it anymore or they got in trouble. And so if you're a security firm trying to do pentests for your customers, it was really difficult to get exploits back then. Really difficult to know whether they're safe or not without rewriting every byte of shellcode from scratch.
And so the challenge of just getting the right tools and exploits, you had to build a lot of it in-house. Well, this company that he was working for, didn't really have the ability or expertise or resources to develop their own exploit toolkit. But HD, being someone who's fiercely driven and part of this hacker culture, was acquiring quite a bit of exploits and learning how they worked and was able to code some of his own. But these exploits were unorganized.
They were scattered all over his computers. The documentation wasn't there. It was hard to share it with some of his teammates. And that's why HD Moore decided to make Metasploit. Metasploit is an exploit toolkit, which basically means it's a single application that has loads of exploits built into it.
So once you load it up, you can pick which exploit to use, input some parameters, and launch it on the target. It was not so great, but it was a basic collection of vulnerabilities that HD knew and could trust that weren't filled with viruses. This little tool he built was helping him do security assessments.
And now that he's made a framework, he can continually add new vulnerabilities to make it better. But there are new vulnerabilities being discovered all the time. So it was an endless job to keep adding stuff to Metasploit. Yeah, I mean, it's a combination of like finding vulnerabilities myself, sharing with friends, reporting some of them, not reporting others at the time.
And then just me and my friends sharing exploits all day long. And I wrote some that weren't very good, but I'd write stuff all the time. And then you get access to one of the really interesting ones or really high profile ones and play with it a little bit and see what you can do with it.
What ended up being the first version of Metasploit was very menu based, very terminal based. We kind of picked, you know, picked the exploit, picked the NOP encoder, the exploit encoder and the payload, and put them all together and then sent it. By the time we got to Metasploit 2, we threw all that out the window and came up with the idea that you can assemble an exploit like Legos.
So it wasn't, you know, prior to this, most exploits had maybe one payload, maybe two payloads. Yeah, a payload. A payload is what you want your computer to do after a vulnerability gets exploited.
Imagine a needle and syringe. The needle is the exploit. It gets you past the defenses and into the system. But an empty syringe does nothing. The payload is whatever's in the syringe, the thing that gets injected into the computer after it's penetrated.
So what is a typical payload? Well, it could be to open the door and give you command line access. Or it could be to upload a file and execute it on that computer you just got into. Or it could be to reboot the computer.
The exploit is the way in, and the payload is the action taken once you get in. And yeah, the exploits that you would get your hands on back then, they had like built-in payloads. Changing the payload wasn't always even an option, unless you had access to the source code of the exploit and could build your own payload. And even if you did that, what happens the next time when you want to use that exploit with a different payload? Right.
You'd have to recompile the whole thing with something new and then fiddle with it to get it to actually work. And of course, you don't want to run some payload that someone else made on one of your customer's computers unless you can examine the source code and see what it does. HD saw this was a problem and modularized how you build an attack. He made this easy with Metasploit, giving you the option to pick the exploit, pick the payload, and then choose your target. It made hacking a thousand times easier. So instead of being stuck with one payload to one exploit, you could take any payload, any exploit, any encoder, any NOP generator and stick them all together into a chain. And it was great for a bunch of reasons. A lot more flexibility during pen tests.
You could experiment with really interesting types of payloads that were non-standard. And because everything was randomized all the time, a lot of the network-based detection tools couldn't keep up. Because everything was randomized? This is actually a really clever thing he added to the tool.
So if you put yourself in a defender's shoes, they obviously don't want exploits being run in the network. And they want to identify them and not let those programs run, right? And a defender might even make a rule in the antivirus program that says, hey, if there's a program that is this size and has this many bytes and is this long and is called this, then it's a known virus.
Do not let this program run. Well, what Metasploit did was randomize all these parts. They'd give it a random name and a random size and all kinds of random characters.
simply so that antivirus tools would have a hard time detecting it. And it makes sense for Metasploit to try to evade antivirus, because securing your network should be multi-layered. The first layer would be to make sure the computers in your network are up to date and on the latest patch.
And then the next layer should be to have them configured correctly. If both of those fail, then antivirus can inspect what's happening and try to stop an attack in progress. But if antivirus is blocking it, It hasn't even tested whether that system is secure or not.
So it needs to go around antivirus tools to actually test the server. And a good pen tester will test multiple layers to make sure each layer of defense is actually working. So by definition, Metasploit was evasive by default.
Now, at the time, HD was using this tool to conduct penetration tests on people who wanted to see if their network was hackable. HD was one of the initial people to join this company, but he wasn't in any sort of leadership role or a manager or anything. So imagine for a moment, you're HD's boss, and HD shows you this homebrew exploit toolkit, which is programmed to seek out and exploit known vulnerabilities in computers, and payloads built into it.
Now clearly, in the right hands, this is a weapon. It's an attacker's dream come true. Some of the vulnerabilities in it are high quality, and make them very dangerous, giving you access to pretty much anything at the time. Him bringing in Metasploit to work was like bringing in a bucket of hypodermic syringes with their safety caps off.
And some of these were picked up off shady underground places. Some of them were DIY homemade. And with syringes, you typically see them in the hands of highly skilled professionals like doctors or people who need beneficial medicine or drug addicts.
So a bucket of syringes can be extremely dangerous or extremely beneficial. There's no real middle ground. And it was the same with Metasploit. It was a bucket of some pretty scary exploits that if you let loose in the office would be a pretty big problem. So bringing in a toolkit like this to work, well, HD's employer was not supportive of this tool.
I guess more accurately, they were terrified of it. They did not want to be associated with anything I was working on. And at the same time, they were kind of stuck with me because I was running most of the test operations. Why were they terrified of it? There's a lot of fear of exploits and liability.
The worry was that if we released an exploit and someone bad used it to hack in somebody else, somehow my company would become liable. So they wanted to stay as far away from it as they possibly could. It didn't help that our primary client base were credit unions, which were kind of naturally conservative and probably still are. They didn't want to know that the people that they hired for security assessments were also releasing and open sourcing exploit tools on the internet. This is an interesting dichotomy, isn't it?
On one hand, if you're going to be testing if a company is hackable, you need these attack tools, these weapons. But nobody ever asks a pen tester, where are you going to get your weapons from? They just assume, since you're a hacker, you know how to do it. But it's not like you can just type a few commands to get around some security measures.
That's like reinventing the wheel every time you want to do an assessment. You need tools for the job, a set of attacks that you know work well and you can trust that won't put malware on your customer's network or cause harm. But that's a lot of work to make sure of.
And if you make a hacking tool like this for yourself and maybe put it out there for someone else to use, well, that does sound like it could come back and bite you. If someone uses it to actually commit a crime with, how much are you liable for that? So he had to make a decision on what to do with this Metasploit tool.
If his work wasn't going to help him with it, what should he do with it? Well, it's one of those things where on one hand, they wouldn't support it. On the other hand, we desperately needed this tool to do our job. And it became a night to weekend thing. So I'd clock out of work and I'd go spend the rest of the night not sleeping, working on exploits, working on shellcode and not particularly good exploits, but I got better eventually.
And finally got to the point that we had something that was like worth using all on its own. It wasn't just a crappy script equal or like a rewrite of a bunch of known exploits. It's actually something that adds some legs to it.
And, you know, that led to... I think my first trip was to Hack in the Box Malaysia to talk about it. It was a great experience to really get feedback about how different it was from what other people were doing at the time. That really kind of helped give me motivation to keep working on it. It also helped me find people to work on it with.
So I met spoonm shortly after. I met Matt Miller, skape, right after that. They joined the team and we just kind of kept it going as this kind of side project for the next few years.
So 2002 is when he first shared Metasploit with others, which immediately got a few people so interested in it, they wanted to help make it. And with a few people helping him, in 2003, he decided to release Metasploit publicly for others to download and use. After all, it was providing him a lot of value to do his job better, so it would probably make it easier for other penetration testers to do their job too.
He also decided to give it away free. And importantly, he made it open source, so anyone could inspect the code to verify there's nothing too bad going on in there.
So Metasploit.com was created. And that was where we first started posting some interesting variants of Windows shell code that we came up with that were much smaller than what was available otherwise. Then eventually it became where we shared the Metasploit framework code.
The downside, of course, is it gave everyone else a target to go after. So as soon as we started posting versions of Metasploit Framework to Metasploit.com, we started getting DDoS attacks, exploit attempts. It got so bad that one guy actually... They couldn't hack our server, so they hacked our ISP, ARP spoofed the gateway by hacking the ISP's infrastructure, and then used that to redirect our webpage to their own web server. So they couldn't hack our web server to deface it, but they could just redirect the entire ISP's traffic just to deface metasploit.com. Wait, the Metasploit website was getting attacked?
By who? In the early days, everyone hated Metasploit. My employer hated Metasploit.
Our customers hated Metasploit. They thought it was dangerous. All the black hats, all the folks who were trading exploits underground, they absolutely hated it because we're taking what they thought was theirs and making it available to everybody else. So it's one of those things where the professionals in the space hated it because they thought it was a script-kiddie tool. The black hats hated it because they thought we're taking away from what they had. And all the professional folks and employers and customers thought it was sketchy to start with.
So it took a long time to get past that. But in the meantime, we're getting DDoS attacks. We're having people try to deface the website. We're having folks spoof my identity and spoof all kinds of terrible things on the internet under my name.
You name it. Someone decided to attack HD for publishing exploits. They couldn't figure out a good attack on him, so they spent time figuring out where he worked and decided to attack his employer. They scanned the websites that his employer had and found a demo site.
It wasn't the employer's main site. It was a tool to demonstrate how to crack passwords. Well, this demo site was running the Samba service, but it was fully patched, so there shouldn't be a way to hack into this through the Samba service.
HD even tried attacking it with Metasploit, but couldn't figure out a way in. But there was someone who did know of a Samba vulnerability. They developed their own exploit and attacked HD's employer's website and tried to get inside the system. But their payload didn't work that well, and it crashed the server. So I got this alert saying the machine was basically shut down and crashed.
We're capturing all the traffic going in and out of the machine, just for fun to start with. But by doing that, we were able to carve out the initial exploit. Wow, this is fascinating.
Because HD was capturing all traffic going into and out of that machine, he was able to find the exact code that was used to exploit the Samba service, which is incredible. I mean, it's like finding a needle in a haystack. But then as he examined this code that was used to exploit the system, he realized this was a completely unknown vulnerability to everyone, which is called a zero-day exploit.
HD was able to analyze this and learn how to use it himself. Did some analysis on it, contacted the Samba team saying, hey, there's a really awful remote 0-day in Samba.
And so we wrote our own version of that exploit, put it on Metasploit.com. And that was kind of the beginning of a long, long war with, I don't even know which group it was, but they spent the next two weeks DDoSing our website for leaking their exploit. And not only leaking it, but running a better version. That's brilliant.
Because someone didn't like the HD-created Metasploit, they attacked his employer, which made him discover their exploit. And he reported that exploit to the Samba team so they could fix it. And then he added it into his tool, Metasploit.
This made his attacker so much more mad at him. And he continued to get attacked like this all the time. Folks like, you know, my boss telling them to fire me, things like that.
Why are people wanting you to be fired? They felt that publishing exploits was irresponsible and I was a liability to the company. And they didn't want me to have a job because of what I was doing in my spare time.
Huh. Did they have a point? Did you feel it with them?
It was good motivation to try harder. Okay, so the idea that somebody's going to be upset with a side project you're working on on the weekends to the point where they're going to say, I need to get this guy HD, I'm going to ruin him. I'm going to email his boss and tell his boss to fire him.
That sounds like cancel culture to me, before they even had the term cancel culture. I guess it's not that different.
I feel like maybe it was equivalent of a moral ethical dilemma for them at the time. They thought somehow it was doing something that was morally wrong and therefore need to be punished. But yeah, there's definitely a lot of that. There's pressure not just from black hat researchers and from customers who didn't like what I was doing, but also from other security vendors saying, well, if you want business with us, then you have to bury this vulnerability.
You can't talk about this one. Whoa. So when he would find a vulnerability in one of the companies that were a business partner of his employer, that company was absolutely not happy when HD published the exploit and added it into Metasploit.
Because remember, Metasploit makes hacking so much easier. Which means if it's in the tool, it's now easy to exploit that company's products. So they'd get mad at him and ask him to take down the blog posts that talk about this vulnerability and remove it from the tool.
And they would even threaten to take away the partner status that they had with his employer if he didn't comply. Things were getting pretty ugly. And his employer was growing increasingly unhappy with HD.
He was frequently finding himself in the crosshairs of many attacks. But this is his territory.
Hacking, attacks, defending. That's what he does during the day as his day job. But it's also what he does at night for fun.
And he even dreams about this kind of stuff. So if someone attacks HD more, you know he's going to have fun with that. What happened is some vulnerability we published was being actively exploited by some black hats who were building a botnet.
And they were so mad about it, they decided they were going to use that botnet to do all this. What they didn't realize, though, was like, Metasploit wasn't a company. Metasploit was just like a side project I was running in my spare time. And I thought the whole thing was hilarious that they're spending all this time DDoSing it. But I didn't like the fact they're DDoSing an ISP that I like working with.
So this botnet was flooding both of his DNS names, metasploit.com and www.metasploit.com. It was sending so much traffic that this site was unusable by anyone and was essentially down. HD investigated this botnet a bit and discovered where the botnet was being controlled from.
He found their command and control server, or C2 server. And they just happened to also have two command and control servers. So, you know, light bulb goes off and it's like, well, let's point www.metasploit.com to one of their C2s and their domain name to the other one and just sit back and wait a couple weeks, see what happens, right? So what happened is, because those control servers were the botnet and the botnet was DDoSing its control servers, they got locked out of their botnet until we changed the DNS settings.
So we essentially hijacked their own botnet to basically flood their own C2 indefinitely. And so they finally emailed us a week later saying, please, can we have it back? Wait, what? They emailed you?
Yeah, because they didn't know how else to get a hold of us. So they basically lost their botnet. And we said, okay, well, don't DDoS us again.
They went, okay, we won't. And that was the end of that. And we never got DDoSed again.
We're going to take a quick ad break here, but stay with us, because HD is just getting started with the stories that he has. Who do you associate yourself with? I'm feeling like you've got like three legs in three different buckets here. And one leg, you're standing in the Phrack, you know, IRC channel, which is black hat hackers typically at the time, right? And these are the people who may be either just, I don't know, hacktivists or cyber criminals proper.
And then you've got, you know, your relationship with the DoD. And then you've got your professional relationship where you're trying to show yourself, like, look, I've got some real chops here.
I can do this kind of penetration work for a fee. I'm a professional, this kind of thing. And I've got actually a tool that I'm developing that can be used for professionals.
So where in this scenario do you feel like you're most at home? Good question. I definitely felt like an outsider in all those groups.
The Phrack channel went through a big change right around 2000 or so, where it used to be some pretty well-respected hacker researcher types, and got taken over by a group of trolls that called themselves Phrack High Council.
And those folks and I did not get along, and that led to this multi-year constant trolling and chaos and things like that. Even professionally, though, I didn't really have anyone I could really hang out with besides my coworkers and have some good friends there. I almost kind of felt like an outsider in all three of those camps, I guess.
Yeah, because I know about this sort of infighting in the hacker communities when a hacker thinks they... They're hot stuff, they post something, they make a website, whatever. Other hackers will try to dox them and attack their website. It's just constantly doing that. Did you feel like that's kind of what this was, was just hacker versus hacker?
Like, look, I'm a smarter hacker than you are? Or did it feel like, no, you're not one of us, get the hell out of here, kind of attack? It definitely wasn't friendly. Some friends and I would always go after each other's stuff. It wasn't a big deal.
You say, hey, look, check your home directory. There's a file there or whatever it is, right? But these are folks who, they would steal your mail spool. They'd publish it on the internet. They would forge stuff on your name.
They'd try to get you fired. They'd try to get you arrested. They'd do everything.
This is prior to swatting, of course. This was pretty much everything they could do to ruin your life. This was no holds barred.
We're ruining you, good luck fighting back. So this is definitely not the fun kind. Now, by this point, HD and the team working on Metasploit have found lots of new unknown vulnerabilities themselves, stuff that the software maker has no idea is even a problem.
And they do this by scanning the internet, attacking their own test servers, and trying to break their own computers. But what do you do when you find an unknown vulnerability in some software? Well, the best avenue is to find a good way to report it to the vendor, right?
But HD has had a bit of a history with reporting bugs to vendors. When I was in my teenage years and still kind of in high school, I was working on a bunch of the NT4 exploits for fun, like the old HTR buffer overflow and things like that. And while I was puttering around one day, I found a way to bypass their country validation for downloading, I think it was, like, an NT4 service pack from Microsoft. So instead of looking at your IP address and doing geolocation, it'd look at a parameter you put in the URL instead.
And you can basically download the high encryption version of NT4 SP6 from Russia or wherever else, which was not a good thing at the time because of all the export controls. So I contacted the Microsoft security team, which was pretty nascent back then, and said, hey, you can bypass all your export controls.
This is probably not good. And they're like, well, what do you want? I'm like, I don't really want anything, but what do you got?
And they said, well, what are you looking for? I'm like, can I have an MSDN license? That'd be awesome. And that was kind of the beginning of a long series of just really weird interactions with the security team there.
I'm trying to remember what an MSDN license was. MSDN was the license that gave you access to all the operating system CDs and media for everything Microsoft made. So if you had an MSDN license, you can install any version of Windows you want, any version of Exchange Server, all that stuff.
So as a hacker or someone doing security research, it was a goldmine because you have all the bulk installers and data all in one place. So fast forward to my first startup and finding vulnerabilities in Microsoft products and doing a lot of work on ASP.NET and skin configurations and other stuff we went into during pen testing. And... Microsoft did not like having vulnerabilities reported. They'd do anything they can to shut you up.
They did not like having someone releasing exploits for vulnerabilities in their platform. The first startup I worked at was a Microsoft partner. So we had a discount for MSDN and things like that for internal licenses. And a gentleman at Microsoft kept calling our CEO saying, hey, you need to stop letting this guy publish stuff. You need to fire this person or we're going to take away your partnership license.
And so they kept putting pressure on my coworkers, on my boss, on the CEO to get rid of me, basically, because of the work I was doing to publish vulnerabilities. And that just made me angry, right? Like, I got a chip on my shoulder pretty early on about that. And by the time I got to the Hack in the Box contest in Malaysia to announce Metasploit, they had a Windows 2000, was it Windows 2003 server? I think it was being announced at that time.
And they had a CTF for it. I was like, great, I'll do the CTF. So CTF stands for capture the flag.
It's a challenge that a lot of these hacker conferences have where they put a computer in the middle of the room and see who can hack into it. In this case, it was a fully patched Windows computer and HD was curious if he could find a vulnerability to get into it. So he created some tools to send it random commands and inputs, anything that he could send to it to try to cause it to malfunction.
And sure enough, he did get a fully patched Windows computer to malfunction. So he examined the data that he sent to this computer to cause it to malfunction. And he was able to use that to create an exploit, which got him remote access to the system.
Now, since this was an unknown bug to Microsoft, and Microsoft was there at this hacker conference sponsoring the thing, he went up to them and told them about it. They're like, great, report it to us. I'm like, no, it's mine. Like, am I going to get a reward for it?
What are you gonna do with it? Like, I found this vulnerability. It's mine. Do what I want to with it. And so I reported it to Hack in the Box, where it's like, hey, Microsoft's trying to pressure me to not disclose this thing that I found.
That's not the point, right? The point is, yeah, I found a bug in your server, and I'm going to talk about it, and I'm going to share it with you, but the idea is to go publish it afterwards. And they shut the whole thing down. So I heard secondhand that Microsoft threatened to pull sponsorship of the Hack in the Box conference if they let that vulnerability get published. So the whole thing got swept under the rug.
See, at the time, Microsoft didn't take their security as seriously as they should. They weren't publishing all the bugs that they were finding or rewarding people for the bugs they found. And as HD tells it, they were asking people to not publish bugs publicly. They thought it was just better to hide some of these attacks so that nobody knows about it. But around this time, in 2002, Bill Gates sent a famous memo to everyone at Microsoft which said, security is now a priority of the business.
And they started a new initiative called the Trustworthy Computing Group. Well, HD saw that this bug he found was causing problems with the conference, and he liked the conference and didn't want them to lose their biggest sponsor. So he agreed to just sit on this bug and do nothing with it.
Six months later, someone else found the same bug and reported it to Microsoft, and they were able to fix it. And it was only then that HD published his version of it. So the short version is I'm more than happy to tell the vendors about it, but I'd also want to make it public at some point.
These are vendors that at the time were sitting on vulnerabilities for more than a year or two years, maybe never disclosing it. They had no motivation to ever disclose a vulnerability reported to them, and they would do anything they could to pressure you not to. Microsoft was probably one of the biggest offenders at the time of pressuring researchers to not disclose any vulnerabilities they found. Do you know if there was even a vulnerability list that they had published at that time?
I think Microsoft, I mean, there were CVEs at the time and Microsoft had their security advisories. But the security advisories were just the tip of the iceberg. There was so much stuff being reported to them that they would just shut down.
The challenge with keeping these secret, whether it's because you're the vendor and don't want people to know about it and it's bad marketing, or whether you're a black hat and trying to use it to break into systems, is that nobody else out there can protect themselves. They can't test themselves. They don't know whether... they're actually vulnerable, whether the security product they bought to prevent exploitation is actually working.
So one of the great things about having a publicly available exploit for a recently disclosed vulnerability is you can make sure that all your mitigations, all your controls, all your detection are actually working the way they're supposed to. And everybody else did not want that. At the time, Microsoft's browser was Internet Explorer. And with the chip on his shoulder from dealing with Microsoft in the past, HD decided to see how many vulnerabilities he could find.
in Internet Explorer. Basically, myself and a couple of friends, we put together some browser fuzzers. We used the browser's own JavaScript engine to just find hundreds and hundreds of vulnerabilities.
We tested every single ActiveX control across Windows and just found bugs in all of them at once. So we basically created this mass vulnerability generator, and we're sitting on probably like 600, 700 vulnerabilities at the time, and the vendors were just not moving on it. He kept reporting bug after bug to Microsoft. But from his perspective, nothing was getting done.
And so now, what do you do when you've told the vendor about a bunch of bugs and they didn't act on it and you have hundreds more? And it got to the point that we just gave up. We said, you know what, we're going to do an entire month.
We're going to drop 0day every single day for a month straight and we'll still have hundreds left over afterwards. And it was that particular sequence and that particular event that I think finally killed ActiveX and Internet Explorer. Why?
Why do you think that? Well, after the 30th or 40th ActiveX vulnerability report of them, we're like, hey guys, we have 200 or 300 more. We can keep going all year at this point. And it was a good indication that they realized there was no safe way to implement ActiveX control load in Internet Explorer.
Microsoft was realizing the security in their products wasn't cutting it. They needed to do better. And they were working on that. In fact, what they started doing was offering jobs to people who were reporting bugs to them.
So if you were someone who was previously reporting a bunch of vulnerabilities to Microsoft, all of a sudden you got a job offer instead. I mean, there's an amazing security research group called Last Stage of Delirium out of Poland. And three of the four folks that were part of this group joined Microsoft during this time. Well, did they contact you? We're friends.
I met them in Malaysia and I'd see them at conferences and stuff like that. I definitely got a few offers from Microsoft early on. But, you know.
I kind of pushed back with ridiculous terms like, you know, no way in hell, essentially. Mostly because I felt like they didn't really have the best interest of the community at heart. They definitely, they would shut down anything I was working on. And for the most part, it was true.
Folks who took a job at Microsoft after doing vulnerability research before, you never heard a peep out of them again. Can you imagine if that happened if HD got hired by Microsoft? They might have tried to close down Metasploit altogether. What a loss that would have been. Because Metasploit was starting to pick up some traction.
And while it was hated by many, it was being used by many more. Pen testers all over were beginning to use it as one of their primary tools to test the security of a network. It was shaping up to be a vital and amazing tool as a pen tester. Because it made their job so much easier than before.
As the need for pen testers rose, the need for better pen tester tools rose too. And of course, the whole time, Metasploit was free and open source. So the community could just look at the source code and verify there wasn't anything malicious getting installed on someone's computer once you hack into it.
The security community was slowly adopting it and liking it more and more every day. Well, as time went on, Microsoft really did step up their game on handling bugs found by researchers. They were patching things much quicker and were learning that they cannot control the bugs that outside researchers discover. And that's kind of a hard thing even for companies to understand today.
If someone finds a bug in your product, you can't control what that person does with that bug. You can try to offer a bug bounty reward to them, but that doesn't mean researchers will take it.
They might sell it to someone else or publish it publicly for everyone to see. Software vendors cannot control what people do with the bugs they find. And people like HD, who was just publishing vulnerabilities all the time, were making that point crystal clear.
Microsoft has an internal conference that's just for Microsoft employees. It's called Blue Hat. And at some point, they started inviting security researchers from outside Microsoft to come talk at it. HD knew one of the researchers who was giving a talk and was invited to come co-present at Blue Hat.
So HD got to go to this exclusive Microsoft conference and present to their developers. I just imagine like your talk is just like, here are the 400 things wrong with Microsoft. Yeah, there's a lot of that.
It was like, you know, one of the good examples back in, was it 2005 or so? I was on the flight over to Blue Hat and I was playing with a toolkit that was called, like, Karmetasploit at the time, or Karma meets Metasploit.
Karma was a way to convince wireless clients to join your fake access point and then immediately start talking to you and try to authenticate to you like you're a file share or a printer. So essentially, if you had your Wi-Fi card enabled, let's say on an airplane, and someone was running this tool on a different laptop in the same airplane, they would then join your fake access point, try to access company resources automatically, give you their password most times, and then provide a lot of exploitable scenarios where you can actually take over the machine. So we thought it'd be fun to run this tool on the actual airplane as we're flying to Blue Hat. And lo and behold, we end up collecting a bunch of password hashes from Microsoft employees in the process. You little stinker.
It was fun times. Where are you on this whole responsible disclosure thing? Do you want to get this stuff fixed ASAP? Or are you more like, what do you think you should do with a vulnerability if you find it? After going down that path a few hundred times, the fastest way to get a vulnerability fixed is to publish it on the internet that day. Whether that's responsible or not, it's effective. Well, he has a point. It's true. If you find a bug and want it fixed as fast as possible, make it known to the world in the biggest and loudest way, and it will get fixed fast.
But even though that's the fastest path to getting a bug fixed, it's not the responsible way to do it. Because doing that exposes a lot of people who can't do anything to stop that attack. It means criminals can use it before it's fixed.
And this puts a lot of people at risk, which means you're probably doing more damage than helping. It's better to privately tell the software maker and give them time to fix it. But then when they aren't fixing it, and you've given them plenty of time, then they might need a little fire under them to get them moving on it.
Sometimes to get a company motivated, you've got to give them a little bad PR. Definitely depends on the vulnerability. These days, I've been leaning towards a 90-day disclosure policy where you tell the vendor about it for 45 days, then you tell somebody else about it as a dead man's switch. And if the vendor sits on it and it leaks, the other person is going to publish it no matter what.
I've been using that strategy by working with US-CERT for the last few years, where whenever I publish a vulnerability to a vendor, they get 45 days of only them having access to it. And then 45 days later, it goes to US-CERT, or sorry, CERT/CC. And they're basically guaranteed to publish after 45 days.
The great thing about that model is you're kind of splitting the responsibility. You're making sure that the vendor takes it seriously and gets the patch out in time. But you're also not having to publish it directly on the internet. So having a third party like that really reduces the ability of the vendor to pressure any individual researcher from not disclosing because it's already in the hands of another party at that point.
There are a few groups that have adopted this same model. Trend Micro has the Zero Day Initiative and Google has Project Zero. Both of these groups look for vulnerabilities and report them to the vendor and then give the vendor 90 days to fix it, and then they're going to publish it publicly. So the vendor knows if they get a bug report from any of these groups, they have to act quick and get it fixed before it becomes public because that would be a PR nightmare. And it's wild to see major tech firms like Google playing this sort of hardball game with software makers.
But this has been working pretty well. It's also interesting to note that HP bought Trend Micro and a few times the Zero Day Initiative has found vulnerabilities in HP products, which didn't get fixed in that 90-day window. And so the Zero Day Initiative published HP vulnerabilities publicly. It was wild and refreshing to see them even treat their parent company the same way as everyone else. Yeah, it's great.
I mean, I think it's effective. Sometimes you have to. I mean, the folks I chatted with at HP about it, they're like, yep, that's the only way that team's going to get the resources they need to fix the product is if we publish it as zero day. At some point Metasploit got a new feature called Meterpreter.
Meterpreter was the brainchild of Matthew Miller, skape, and, you know, a lot of other folks worked on it, but he was really the architect behind it. Meterpreter is a payload. Remember the payload is the action you want to happen after your exploit opens the door for you. But the Meterpreter payload is kind of like the ultimate payload.
It lets you do so much on the target system that you just hacked into. You can look at what processes are running. You can upload a file to that system or download a file.
It helps you elevate your privileges or grab the hash file where the passwords are stored. I mean, think about that for a second. Let's say you use Metasploit to get into a computer and with one command, hashdump, it knows exactly where the password file is on that computer and it just goes and grabs it and downloads it to your computer so you can just start cracking passwords locally if you want.
You don't need to know where the password files are stored on that computer. Meterpreter knows that for you. You just need to know the one command, hashdump, and you've got them.
But Meterpreter does so much more than this. It lets you turn the mic on and listen to anything the mic is picking up. It lets you turn the webcam on and see what that computer can see.
It lets you take screenshots of what the user is doing right now. It lets you install a key logger if you want to see what keys the user is pushing. Meterpreter is incredible. But a payload like this makes Metasploit so much more dangerous.
I mean, all these features can be easily abused by the wrong person and can cause lots of damage. On the vendor side, it was scary for them because instead of exploits being these really simple payloads that they would drop, they could easily detect. Now exploits could drop anything.
They could drop TLS-encrypted connectbacks. They could drop basically mini-malwares instead, that are able to automatically dump password hashes and communicate back over any protocol you want. So we made the payload side of the exploitation process incredibly more complicated and way more powerful. This is kind of one of those points where some of the features of Metasploit, especially around Meterpreter, start getting really close to the malware world.
Right. And I think that's where I want to head. But you're not just doing a proof of concept of, okay, look, I can get into your machine. And here is who am I or something and what process ID I'm running as.
You're building this tool. Meterpreter gives you full access to that computer, which allows you to screenshot, do keyboard sniffing, whatever. All these things that are a lot more like thumb in your eye kind of thing. And I don't know if that's taking it too far. Like, that's what I'm...
It's not just a proof of concept. We can completely destroy this machine if we wanted. Which I guess you have to kind of prove that in order to show the veracity of this vulnerability. But it's almost going too far for me. What do you think?
Well, one of my favorite things with Meterpreter is we had a way to load the VNC desktop sharing service in memory as part of the payload itself. And we had it wired up in Metasploit. So you literally run the Metasploit exploit and you'd immediately get a desktop on your screen, be able to move the mouse cursor, be able to type on their keyboard. It was immediate remote GUI access to a machine over the exploit channel itself, which is just mind-blowing at the time for payloads because it didn't depend on RDP or anything like that.
It didn't depend on the firewall being open because it would connect back to you and then proxies it. It was just amazing delivery. That specific payload blew so many minds that it was really easy for us to show the impact of an exploit.
If you're trying to show an executive after doing a pen test, hey, we got into your server, here's a command prompt of us doing a directory listing. That's one thing. But if you're showing that you literally take over their server and you're moving the mouse on their desktop within two seconds of connecting to the network, that is an entirely different level of impact that you can show. It also let us build a lot of other really complex, really interesting use cases where it really shows what the impact of the exploit is. It isn't just like, oh, you've got a bug and you didn't patch it, and now I've got a command shell.
It's like, no, no, I have all this access to your system, whatever it happens to be. Yeah, I guess that's kind of what drew me to Metasploit as well. It's like, oh my gosh, it's not just the exploit, it's what you do with the exploit after you get in. But as you were saying, Meterpreter started getting close to being its own malware. Explain what you mean by that. A lot of the malware payloads even today are written in C.
And they've got these kind of advanced communication channels and C2 contact mechanisms and all this kind of boilerplate stuff that they do, like providing the ability to chain load payloads, download more stuff, talk to backends, balance between different backends. We got mature to the point that it actually had the same capabilities as some of the more advanced malware that are out there. And that's when it started getting a little swifty for me because it's like, we don't want to be in the malware business. We're here to show the impact of exploits.
to let people test our systems, and to generally demonstrate the security impact of a failed security control or missing patch. But we're not here to persistently infect machines. And Meterpreter got very, very close to that line. The thing that really separated it from actual malware is the fact that it was always memory-based only. It was never on disk at all.
Hmm, this is a strange territory to be in. Metasploit is a tool that's sole job is to hack into computers. Whether you have permission to do that or not, that's the purpose of it. But it seems to be the intent of the person using it that tells us whether Metasploit is malware or a useful tool.
So the Metasploit team had to be very careful on how far they took this tool. Now, this is a multi-open source, multi-developer project. Did you have some sort of manifesto that said, or a meeting that said, okay, guys, we're going to push this all the way it goes, except no persistence. Was there a manifesto of like, like you just said, you don't want to leave your customers weaker. This is a professional tool.
It's something written out there. It was never a written manifesto. It wasn't like an ethical boundary.
It was just a practical boundary. You're not going to use Metasploit for a pen test if it leaves garbage all over your machine afterwards or backdoors it in a way that's difficult to fix. Some exploits require temporarily creating a backdoor user account.
Or otherwise creating something that would create more exposure. And we're always really careful to document what the after-exploit scenario looks like. Okay, after you run this thing, you need to do this other thing.
So we created these like post cleanup module that would remove the trace of whatever the thing was. But that was something that I always agonized over because I really hated having to create any kind of like have to lower the security of the system as part of the exploitation process. I also felt like that was counterintuitive. I was kind of going against what we're trying to do in the first place.
Yeah, I know. And I'm not explaining it well, but it just seems like you're putting your thumb right in the customer's eye. And then you're like, but we don't want to hurt you.
That's when you're trying to be a professional adversary. And so you have to have the most possible, brutal, malicious approach to the problem in a sense that you're going to use the same technique someone else would. But then you need to draw the line about where you leave the customer afterwards and what the actual impact of the attack is.
Okay, so we heard HD has many adversaries, right? Cyber criminals don't like him publishing their weapons and making them ineffective. Old school hackers don't like that he's making hacking so easy that a script kiddie can do some amazing stuff.
And vendors don't like that he's publishing their bugs. He's getting hit on all sides by these people. But there's one more group that's also not happy about Metasploit.
Law enforcement. There were crimes committed with Metasploit. Yeah, that's my first experience writing Windows shellcode. And the first Windows shellcode ever published by Metasploit ended up in the blaster worm almost immediately afterwards. See what I mean?
There was a massive worm that was using the information that he published to do dirty work out there. And I just read an article today that said in 2020, there were over 1,000 malware campaigns that used Metasploit. And so what happens in this situation when you're making tools that criminals are using?
Well, let's go back and look at a few other cases. I did an episode on the Mariposa botnet. The people who launched this botnet.
all got arrested, but they weren't the ones who developed the botnet. The Butterfly botnet was created by a guy named Iserdo. But this Iserdo guy, all he did was develop the tool and put it out there. He never used it to attack anyone, but he was arrested and sentenced to jail just for developing the tool. What the court proved was that he was knowingly giving it to criminals to commit crimes.
Or let's look at Marcus Hutchins. He developed malware, which became known as Kronos, but he only developed it. He never launched it on anyone.
But it was because he was giving it to someone who did use it to go and attack banks is why Marcus was arrested by the FBI. In both of these cases, what it came down to was whether or not the software maker was knowingly giving these hacking tools to someone who had intent on breaking the law with it. But HD claims he has no responsibility with what people do with his tool. I don't know.
If you bake a bunch of cookies and put them on a sheet in the street and say, free cookies, are you responsible if a criminal eats a cookie? I don't know. I feel like it's different. It's open source.
It's community based. It's an open domain. Everyone's on the same playing field. I feel like it's one of those things where if you're only providing...
those exploits, those weapons to someone in the criminal community and charging for them. That's one thing. But if you're creating a project for the purpose of helping everyone else understand how things work and to test their own systems and a bad actor happens to pick it up and use it too, that seems like something very different.
But I get worried for HD because he takes Metasploit to hacker conferences and hacker meetups to demo it and teach it to other people there. And everyone knows there are criminals who attend these things. I mean, just sharing it with the hacker chat rooms that he was part of. Like, frack, how could he have gone all this time without once seeing that the person that he just taught this to or gave it to was a known criminal?
Did you have any lawyers helping you on this project? No, once in a while I'd have to reach out for help, but it usually wasn't from a lawyer that hired myself. It was usually just people I knew that happened to be lawyers who gave me advice on stuff. But that's why I'm asking about a lawyer, is whether or not you had some sort of fine line on... what the point of Metasploit was and maybe some of the language involved with the terms of use.
Like maybe there was something there that said, you cannot use this for criminal behavior or something. Where was this to keep you out of trouble? What did you do to stay out of trouble in this sense? I mean, I think early on the solution was my spouse had a get-out-of-jail fund, had a lawyer fund sitting aside. So if I got dragged off in the middle of the night, she had cash that was not tied to my personal accounts or our shared accounts to find a lawyer and give me bail money basically.
So that was the case for about six, seven years where I was pretty concerned about getting arrested for almost anything I was working at the time because it was all pretty close to the line, whether it's internet scanning, whether it was the Metasploit stuff. You know, it really comes down to whether you think, you know, a prosecutor is going to make a case, whether you think they think they can make a case. Like prosecutors don't want to lose a case.
So they're not going to bring a charge against you unless they're very certain that they're going to win. That's why the conviction rates are so high. So it's one of those things where intent matters, but.
what really matters is whether the prosecutor really wants to go after you or not. And if you convince them that, you know, hey, I'm not actually a bad actor and I'm not doing this stuff and I'm not driving this economic activity that's related to criminals, then that's helpful. But that's one of the things I really don't like about U.S. law is, you know, the CFAA doesn't care about intent, for example.
There's nothing about our Computer Fraud and Abuse Act that cares whether you're doing it for good or not. And a lot of our laws are problematic like that. It isn't just, like, the standard section that's quoted.
It's also section like 1120. There's a couple other parts of the U.S. criminal code that are just really dangerous when they're taken out of context or used to make a case for something that really shouldn't have been prosecuted in the first place. So unfortunately, like a lot of U.S. prosecutions really just come down to whether someone wants to go after you or not. And all you can do is do your best to stay above the law when you can. And when the law is really vague, do your best to not be a tempting target.
Yeah, but I am surprised that when I load up some software, or even look at some how-tos and videos on how to hack, there is a disclaimer at the beginning. Do not use this for illegitimate purposes. Do not break the law with this information. And when I load Metasploit, it doesn't say, for pen testing only, only use on systems you have permission to.
And I'm wondering why would you keep that off there? I don't think it ever occurred to us to add a warning, honestly. We figured if you're downloading Metasploit, you know what you're getting into. You know you're downloading a security tool to do security testing.
And we're not there to tell you you shouldn't jaywalk or you shouldn't firebomb your neighbor's house. We assume people have reasonable reasons why they're using the software in the first place. And we don't feel like we're enticing them to commit a crime because we're providing them a tool.
Got it. However, in the real world, you might be pressured because law enforcement says, look, man, we keep finding criminals that are using your tool. You need to do something more.
You need to put a terms of use up. You might have had to get a lawyer to say, hey, what do we need to do so that we don't get in trouble? And I'm surprised none of that just hit you in the face.
So black hats are mad at you, vendors are mad at you, but the law wasn't mad at you? I'm surprised. I mean, stuff came up for sure, but mostly I was able to talk my way out of it one way or another. I think a lot of it is just the way to win in that space and to not go to jail, which is to be as loud and as blatant and as above board as you possibly can. So, you know, doing a Metasploit talk at every conference, having, you know, tens of thousands of Metasploit users early on, having 200 different developers involved with the project, the bigger, the wider, the more noisy you can make the project, the less likely someone was going to say, this is the tool for just criminals, we're going to go after it.
You just have such a surprising, like an adventurous life. There's a big difference between your typical pen tester and H.D. Moore.
The typical pen tester today learns how to use Metasploit, which is the tool that H.D. created. And H.D. is the one learning how the exploits work, writing the shellcode to make them work, and actively trying to find new exploits all the time. On top of that, he's fielding a non-stop barrage of attacks himself from creating the tool, so he's well-versed at defending and attacking systems.
The experience he has in this space is almost unparalleled, but it was because of how much passion he has about security that got him to this point. And I just want to say to any up-and-coming pen testers out there, getting your hands on working exploits and contributing to open-source projects is a fantastic way to become fluent in this field. There are a ton of open source hacker tools out there on GitHub, and it's a great experience to download the source code and see how they work and try to improve upon them.
And even if you're just a beginner, there's probably something you can do to help, whether it's writing better documentation or improving the help menu. Being part of a project like that can launch your career. And HD even helped many of his contributors get jobs.
Learning to find and develop exploits would really pay off for HD. But it was a tough ride for him to hold on to. Yeah, I think it took about three or four years before we really turned the point from that's stupid and that's crappy to that's a script-kiddie tool to that's a piece of crap and I don't like it to, okay, fine, we'll use it to, you know, hey, now everyone's using it. Metasploit grew up to be one of the de facto tools used by security professionals all over.
Eventually, schools started teaching students how to use it. And I mean, can you imagine a hacking tool becoming part of the course curriculum in school? But even more than that, it became necessary to know how to use Metasploit to pass certain exams and get certified in security. Despite the hard start and hate it received, Metasploit grew to become an invaluable tool for the pen test community to use.
And it became mass adopted by security teams everywhere. By 2008, both Scape and Spoon M had moved on to other things. Scape's company got acquired by Microsoft, and he went and worked there. And that was one of his contributions to Metasploit.
Spoon M went to school and kind of disappeared doing his thing for a while. And so it was kind of just me running the project again by 2008. And I'd been working with a guy named Egypt for a long time, contributing exploits to the project and chatting about stuff. And I invited him to kind of be one of the core members. He joined the team, and we started working towards the 3.0 release, I believe, at the time. And during all that stuff, you know, as it gets closer to 2009, I was working at another startup, not particularly happy with life. You know, I was pretty broke. I mean, the startup wasn't paying me that much.
I had a bunch of credit card debt, you know, had a pretty hefty mortgage on the house. Was, you know, doing Metasploit training at the conferences to kind of pay the bills and keep things going. But I was also working, you know, all day for a startup and all night on Metasploit.
And every weekend, every night for years straight at that point. Super stressed out, had a baby on the way. And when I was basically gone on paternity leave, I got an offer to acquire Metasploit from Rapid7. Whoa, an offer to acquire Metasploit by the company Rapid7? That's amazing.
At the time, Rapid7's product was a vulnerability scanner. And the typical pen test scenario is to start by running a vulnerability scanner, then use Metasploit to try to get into the vulnerable systems you found. It's a beautiful combination of tools.
So it made sense for why Rapid7 would want to acquire the tool. But Metasploit was open source, and not a product that made any money. So HD was a bit skeptical to give his tool to a corporation. But they asked him at the right time because he was all stressed out, low on cash and about to have his first kid.
He sort of needed a big break. So, you know, when the offer came in to do something different, it was definitely tempting and spent quite a lot of time chatting with Rapid7, getting a sense for what it looked like. And eventually he said, OK, let's give it a try. Did you give him a heads up?
Like, hold on a second, if you take the responsibility for this, you're going to be taking some bullets. Um, just so you know, this is kind of the heat I'm getting here, and somebody might call up to try to get you fired. Yeah, put it this way: they brought me on to run the Metasploit team and to build the product line, but they also brought me on as their head of security at the same time. So I got to take most of those bullets in the first few years. Metasploit had a pretty strong following, but only about 33,000 active users at the time or something like that, based on our download logs. So it was a really good opportunity to, you know, commercialize an open source tool, but keep it open source.
And then all the commercialization really happened by building a pro version of the tool and selling that instead. So our team was able to, you know, basically build a new office here in Austin, hire the team, get the first commercial product out the door in about six or seven months. And I think our team was paying our own bills in 12 months by selling our pro version of the product. So it ended up working out pretty well. We, you know, even now there's a whole team that's been working on it at Rapid7, working on Metasploit full-time. And it wasn't just the development side. They also were an amazing corporate shield for all the drama I was dealing with, all the law enforcement inquiries, all the random threats, all the other stuff.
They stood up and took it. They hired lawyers on my behalf. They hired lobbyists on my behalf. They did everything they could to make sure that Metasploit and exploit development and vulnerability research could stay a thing that you could count on, that you could rely on. And they did their best to protect the legal front.
So outside of all the commercial terms and product stuff and all that, I give them a lot of credit for helping vulnerability research and exploit disclosure and exploit sharing be what it is today. Yeah. So you said lobbyists, why would they hire lobbyists?
Well, a lot of making sure that vulnerability research and disclosure and all that stuff stays legal is educating people. It's like saying, hey, this is like a real legitimate reason why people need access to information. This is why you don't want to regulate vulnerability disclosure. This is why you don't want to create a law making exploit disclosure illegal. I mean, on the face of it, if someone says, hey, we're going to prevent people from sharing tools that allow people to attack each other, he's like, yeah, that sounds like a good thing. You don't want people sharing evil tools with each other, right? Make that illegal. It isn't until you dig in a little bit deeper and realize that you really don't want to criminalize that because that's how your defenders are learning.
That's how your actual defenders are testing their own systems. And if you don't have those tools available internally, you have no idea how effective any of your defenses are. And it was just one of those things where, at a very surface level, it was hard to defend. But once you started educating people about what the benefits were, and once you got kind of, you know, more people to be aware of what you take away by criminalizing this type of work, then you start to build that support. So lobbyist efforts at Rapid7 were instrumental in not only excluding Metasploit framework from the Wassenaar Arrangement, at least the way the US interpreted it, but protecting vulnerability research in general.
Yeah. Can you explain the Wassenaar Arrangement? Oh, sure thing. It's been a while, so I'm probably going to get details wrong.
But the Wassenaar Arrangement was an international arms treaty by a bunch of countries saying, here's the things that we will or will not export to other countries without having approvals and things like that. And amendment, I think either an amendment to it or an interpretation of the agreement, started to classify cybersecurity tools as weapons at one point. And the goal there was to prevent kind of NSO group style attacks, right?
Where you're shipping a toolkit, a software toolkit or a hardware toolkit that's designed to break other people's machines. And it's really designed for the most nefarious, either surveillance use case or for actual cyber war type use cases.
However, the language caught up a lot of other unrelated tools. All the tools that are used for professional security testing, if you squint at them right, would also be classified as weapons or munitions by the Wassenaar Arrangement. And the companies, Rapid7, spent a lot of time working with lobbyists, trying to help folks understand the difference between an open source tool like Metasploit and something that's more targeted, malicious, and weaponized. The thing that I don't understand about the Rapid7 acquisition is how do you buy a free open source tool?
Why didn't they just fork it and rename it? Well, someone tried that, actually. It didn't go very well. Actually, a few people did.
Prior to Metasploit 3 coming out, when we rewrote the whole thing in Ruby, Metasploit was written in Perl. And there was a company called Saint that released a product called Saint Exploit, which was also written in Perl.
And we're like, ah, that's suspicious. At some point, someone shared a copy of the Saint Exploit with us. We're like, you know what? Half this shellcode is ours. And half these exploits really look like the code that we wrote.
And there were a lot of similarities between the Saint Exploit product and Metasploit framework too. So we got a little bit mad about it. We're like, this is kind of bullshit. Like, we feel like if you're going to use our code, that's great.
But like, collaborate. You know, don't pretend it's yours. Don't like, don't say, hey, I made this. Like, no, no, this is open source.
Contribute to it, share it. So we changed it. We literally changed the license of Metasploit to be a commercial-only license briefly for about a year or so.
Between the 2.0 Perl rewrite into 3.0, the brand new 3.0 code was under a non-open source license briefly just because of how we felt about Saint and Saint Exploit. Finally, when Egypt joined the project and we're looking prior to the Rapid7 commercialization or Rapid7 acquisition, we ended up changing the license back to BSD because we felt like that was the right thing to do to really grow the project. But there definitely was like a knee-jerk reaction to close the license after that.
So Metasploit continued to be open source and free under Rapid7, with HD and a guy named Egypt coming on board and working hard on making it even better. But one thing that was a never-ending job was getting more exploits into the tool. When I was working on Rapid7, every time a patch Tuesday came out, our very first thing was how do we get exploits out as fast as possible for everything that was covered? And how do we figure out what they are? It's a lot of work, though.
Taking a binary patch and trying to figure out the bug can take a week or two just on its own. And that just gets you the bug. That doesn't get you the exploit.
Getting the exploit to work, getting it triggered, getting it reliable, figuring out how to manage the memory correctly, figuring out the payload, threading problems with payloads. I mean, there's a ton of work that goes into it. I think one of the reasons why I probably don't work on exploits as much anymore as they've gotten a lot more complicated. Like you need a much deeper set of skills to be able to work on, you know, fiddly heap exploits. You need to basically have this huge background or knowledge just to be able to get the heap in the right state to be able to exploit in the first place.
And that's, you know, I'm not really that great of a programmer. I'm not really that great of an exploit developer. I just spend a lot of time on stuff. So I feel like that was well beyond my ability to keep up at that point.
So I really love logic flaws. I really love the old school, like, you know, stack overflows and SEH overflows, things like that. But I feel like modern exploits, especially on hardened platforms like mobile, holy cow, there's a lot of effort that has to go into it just to get one working exploit. No, I'm scared that you say that because a second ago I was calling you the patron saint of exploit development and penetration testing and now you're like, it's too complicated for me at this point. Good luck whoever's doing it now.
Who can do it now if it's beyond your skill? It's got to be super specialized. If you look at some of the Project Zero posts, I don't want to mention particular names for fear of getting them wrong, but there's some amazing folks out there.
And where you see really good exploits being written is when someone has spent months and maybe years looking into the software stack around that before the exploits worked on. When you're looking into how iOS parses messages or how the heap of this particular OS or Linux kernel is being groomed in a particular way, you need to build up this super deep, super specialized knowledge to be able to even start working on exploits in that particular space. It's not like before where once you know how to exploit one platform, one OS, the rest is all pretty straightforward.
It used to be like, okay, I know how to exploit SPARC. I can exploit most other MIPS, a little bit of work here and there. Now, like, every OS is so different, so deep, and so complicated these days that you really have to specialize. Yeah, but I feel like you really enjoy playing in the dark.
And I mean, like, you want to be outside the known world of knowledge, okay? So there's this circle that this is the stuff we know in the world. I'm going outside that circle and I'm going to discover things that the world does not know and bring it into the world of known. And that is a very difficult place to be in. That's a scary place.
You don't know where to go, which direction to go, where to point your finger. You're hitting your face on the wall over and over and over. And that's the difficulty of finding vulnerabilities and zero days and this kind of thing.
Even if you know that there's a vulnerability right there, it still can be hard to find that. That's funny, especially with patch reversing, you're so frustrated because you know it's there.
You know it's patched. You know it's in front of you. You know it's probably one line away from where you're looking. You can't see it. So these days I spend my time on network protocols and fingerprinting techniques and that type of research where you're going really deep down the protocol stack looking for behavioral differences and how a device responds to the network.
And it's a similar challenge. You have to go find these really fiddly, really hard to find things and then extrapolate all this value from it: okay, now that I know the response this way and this response that way, it must be an iOS device with this particular kernel version or this particular update applied to it.
So I love doing that type of work because it is working in the dark, like you mentioned, but it's nowhere near as complicated as doing modern heap exploits. I find this particular skill to be one of the most important skills when dealing with technology, which is being comfortable doing things in the dark, in areas that you have no knowledge of or visibility into. Because when working in IT, you are constantly faced with new challenges or problems that you have no idea how to solve. The problem might even be so weird that you don't even know what to Google.
And so being able to venture out into unknown territories, even if it's just unknown to you, you've got to learn to be comfortable in these dark areas. It's scary and frustrating to try things that you know you're going to fail at and even look stupid doing. But the more comfortable you get in that space of working with a world of unknowns, the better you'll be next time you face the darkness, which is like all the time. Are you still at Rapid7? Oh, no, no. I started my own company about three and a half years ago doing network discovery stuff. So Rumble, we help companies find every single thing possibly connected to their network environment or their cloud.
Yeah, explain more. Get a good pitch for it. Sure thing.
So I spent like 27 years now doing pen testing and security work and building products. And the very first thing you do, whether it's a pen test, you're trying to break into someone's network or you're building a product that does something on the network like a vuln scanner or a pen test tool, is you got to figure out what's out there. You got to scan the network.
You got to find targets, assets, IP addresses, things. So we came up with a really cool scan engine that can tell you amazing stuff about everything on the network really quickly.
And at this point, the product Rumble Network Discovery can now find all your networks. So starting with zero knowledge about your environment, it'll do a sampling sweep across every possible routable private IP in your organization. It'll find every populated subnet, every single device, classify every device, tell you what hardware it's running on, and identify things like multi-homed systems that are bridging different networks. And it does it all unauthenticated quickly with, like, really no interaction and no real network impact.
What I find fascinating about HD is the struggle that he went through to make Metasploit. I mean, the sheer skill it takes just to write exploits and payloads is already impressive, and he had to continually write new exploits as new stuff came out. But the resolve and determination to face a constant barrage of attacks for publishing exploits and to continue publishing more is incredible. I think I would have given in and gave up working on it if vendors are calling my boss, asking them to fire me, or if law enforcement keeps bugging me.
But not HD. He persisted through it all because he had a vision and a belief that what he was doing was right and the whole world was wrong. And I think it turned out in his favor. I think he was right and the world was wrong because we saw the world slowly change and eventually agree with HD.
Microsoft drastically changed how they handle bugs now, and their security is much better than it was before. Google puts a similar kind of pressure on companies that HD does, saying, you better fix this vulnerability we found, or we're going to tell the world. And when stuff doesn't get fixed, they do publish it.
And for governments changing the way they view open source tools. What a wild ride it's been to get some decent hacker tools out there for everyone to use. A big thank you to H.D.
Moore, a true legend in this security space. You can learn more about what he's working on now by visiting rumble.run. This show is made by me, the Knops Letting, Jack Rhysider, and editing help this episode by the Zero Trust, Damien. This episode was assembled by Tristan Ledger and mixed by Proximity Sound.
Our theme music is by the encoded Breakmaster Cylinder. Hey, HD, one last question for you. Yeah.
When you're reviewing someone's code, can you tell me what bad code looks like? No comment. This is Darknet Diaries.