WEBVTT 00:00:00.000 --> 00:00:07.600 JACK: Did you know that in 1982, a robot was arrested by the police? [MUSIC] Yeah, get this; 00:00:07.600 --> 00:00:12.640 it was standing on North Beverly Drive in Los Angeles, and it was there handing out business 00:00:12.640 --> 00:00:17.520 cards to people. It could talk, too, and it was telling people random robot things. Well, 00:00:17.520 --> 00:00:21.880 it was causing a commotion. People were just standing around it, staring. Traffic jams, 00:00:21.880 --> 00:00:27.640 honking; it was making a scene. The police wanted to put a stop to it. They looked around and in 00:00:27.640 --> 00:00:31.840 the robot to try to find who was controlling it, but they couldn’t figure it out, so they started 00:00:31.840 --> 00:00:36.720 dragging it off, and the robot started screaming ‘help, they’re trying to take me apart.’ The 00:00:36.720 --> 00:00:41.720 officer disconnected the power source and took the robot into custody. They put it in the cop 00:00:41.720 --> 00:00:46.880 car and drove it down to the Beverly Hills Police Station. It turned out, it was two teenage boys 00:00:46.880 --> 00:00:52.680 that were remotely controlling it. They borrowed their father’s robot to pass out his robot factory 00:00:52.680 --> 00:00:58.960 business cards. [INTRO MUSIC] It’s funny how time changes our interest in things. If a robot stood 00:00:58.960 --> 00:01:05.240 on the same corner today handing out business cards, it would hardly be noticed. But in 1982, 00:01:05.240 --> 00:01:12.920 that was quite the scene. Sometimes it just take us a while to get accustomed to the future. 00:01:12.920 --> 00:01:17.600 (INTRO): These are true stories from the dark side 00:01:17.600 --> 00:01:35.560 of the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS] 00:01:35.560 --> 00:01:44.140 JACK: You ready to get into it? You have your sixth cup of coffee today? 00:01:44.140 --> 00:01:46.420 HD: I did, yeah. I finished the whole pot. 00:01:46.420 --> 00:01:52.200 JACK: You feel…you sound like a guy who’s just really turned on to like, 11. 00:01:52.200 --> 00:01:53.520 HD: I just devolved, I think. 00:01:53.520 --> 00:01:59.120 JACK: You talk fast, you’ve built things quickly; 00:01:59.120 --> 00:02:06.760 it’s just moving all the time for you. Okay, so, what’s your name? 00:02:06.760 --> 00:02:08.840 HD: HD Moore. 00:02:08.840 --> 00:02:12.520 JACK: How did you…what was some of the early stuff that you were doing 00:02:12.520 --> 00:02:14.760 security or hacking wise when you were a teenager? 00:02:14.760 --> 00:02:20.560 HD: I was the internet hoodlum. Got my start on the old BBS days, 00:02:20.560 --> 00:02:24.720 go to hang out with a friend of mine; he’d fall asleep early, leave his Mac there with 00:02:24.720 --> 00:02:29.960 his various BBS accounts, and start dialing around, figure out what we could get to, 00:02:29.960 --> 00:02:35.400 download the zines, figure out how to dial into all the fun UNIX machines in town. 00:02:35.400 --> 00:02:42.040 JACK: How to dial into all the fun UNIX machines in town? See, back in the 90s, there weren’t a lot 00:02:42.040 --> 00:02:46.240 of websites that you could just spend your time endlessly scrolling through, [MUSIC] but there 00:02:46.240 --> 00:02:52.520 were a bunch of computers configured to accept connections from outsiders. The way to connect 00:02:52.520 --> 00:02:57.920 to these computers wasn’t over the internet, but simply to dial up that phone number directly and 00:02:57.920 --> 00:03:03.320 see if a computer picked up. If a computer picks up, now it’s time to figure out what 00:03:03.320 --> 00:03:08.160 even is this machine, and why is it listening to people dialing into it? You could find some 00:03:08.160 --> 00:03:13.560 weird stuff listening for inbound connections, stuff you probably shouldn’t be getting into, 00:03:13.560 --> 00:03:18.880 but the system just was not configured to stop anyone. HD lived in Austin, Texas, 00:03:18.880 --> 00:03:23.920 and was curious to find if any computers were listening for connections in his town. So, 00:03:23.920 --> 00:03:29.080 he started dialing random numbers to see if any would be picked up by a computer. 00:03:29.080 --> 00:03:33.360 HD: At one point, my mother was working as a medical transcriptionist, and the great thing 00:03:33.360 --> 00:03:37.560 in the early days of the internet is that to do that, we had to have a whole lot of 00:03:37.560 --> 00:03:42.320 phone lines going to the house. We had two or three regular POTS lines, we had an ISDN line, 00:03:42.320 --> 00:03:46.840 and two computers. She went to bed pretty early, so as soon as she was down, I was up, 00:03:46.840 --> 00:03:53.280 and I was running ToneLoc across the entire 512 area code pretty much every night for years. 00:03:53.280 --> 00:03:55.920 Then whenever you find something interesting, you try to figure out what it is and what you can do 00:03:55.920 --> 00:04:00.800 with it. Some of the fun highlights from back then are like, turning the HVAC on and off at 00:04:00.800 --> 00:04:06.760 the various department stores, dialing into radio transmission towers and playing with that stuff. 00:04:06.760 --> 00:04:13.520 This is obviously well before I was eighteen and was too concerned about the consequences, but just 00:04:13.520 --> 00:04:18.860 that whole process really got me into security, security research, and eventually the internet. 00:04:18.860 --> 00:04:25.640 JACK: This was really fun for HD, poking around in the dark, trying to find something interesting, 00:04:25.640 --> 00:04:31.440 and then getting lost in that system for a while. He was fascinated by it all. Eventually, 00:04:31.440 --> 00:04:35.720 the internet started forming a little more, and IRC picked up in popularity. 00:04:35.720 --> 00:04:41.320 This was just a chat room, and HD was spending a lot of time in the Phrack chat channel. Now, 00:04:41.320 --> 00:04:46.720 Phrack is the longest-running hacker magazine. The first issue was published in 1985, and by the 90s, 00:04:46.720 --> 00:04:51.800 they had quite a trove of information. If you wanted to learn how to hack or break computers, 00:04:51.800 --> 00:04:55.480 start by reading every issue of Phrack, and by the time you’re done, 00:04:55.480 --> 00:05:00.840 you’ll be pretty knowledgeable of hacking. So, the Phrack chat channel felt like home to HD, 00:05:00.840 --> 00:05:03.220 and he loved hanging out there, learning about hacking. 00:05:03.220 --> 00:05:07.720 HD: We’re all using our silly aliases and playing with exploits and generally causing havoc between 00:05:07.720 --> 00:05:12.080 each other. Out of the blue, I get a message from somebody saying hey, you looking for a 00:05:12.080 --> 00:05:16.520 job? I’m like yeah, actually I am. He’s like well, you’re not too far; how far are you from 00:05:16.520 --> 00:05:20.680 San Antonio? I’m like well, I could drive there. So, he set me up with a interview with Computer 00:05:20.680 --> 00:05:25.000 Sciences Corporation, which is now just called CSC, and they were doing work for – I think at 00:05:25.000 --> 00:05:30.000 the time it was called AFIC, or – it eventually became AIA. But the Air Intelligence Agency, 00:05:30.000 --> 00:05:35.640 so the US Air Force’s Intelligence wing, and they were basically building tools for 00:05:35.640 --> 00:05:38.400 various red teams inside the Air Force. I was like, that sounds like a lot of fun, 00:05:38.400 --> 00:05:43.280 writing exploits for the military. I’m all about that. So, I was a really terrible programmer and 00:05:43.280 --> 00:05:49.000 I’m not much of a better one these days, but it was a fun first job to go down there and get these 00:05:49.000 --> 00:05:54.280 somewhat vague briefs about – we need a tool that listens on the network for packets and does these 00:05:54.280 --> 00:05:59.280 things with them, or scans the network looking for open registry keys and does this other stuff, 00:05:59.280 --> 00:06:02.880 so that was my first kinda professional experience of building offensive tooling. 00:06:02.880 --> 00:06:08.240 JACK: I think it’s kinda weird that a recruiter for a DoD contractor was looking in the Phrack 00:06:08.240 --> 00:06:13.680 chat room to find people to come build hacker tools in order to test the defenses of the Air 00:06:13.680 --> 00:06:19.760 Force, but that’s what happened. HD was now using his hacking skills for good, 00:06:19.760 --> 00:06:24.680 and while he was in high school, even. At some point while working for this contractor, 00:06:24.680 --> 00:06:28.600 they asked him to see if he can hack into a local business. That business 00:06:28.600 --> 00:06:32.800 had actually paid for a security assessment and wanted to see if they were vulnerable. 00:06:32.800 --> 00:06:36.320 HD: It was a lot of fun. We basically just walked in and owned everything. It was great; outside, 00:06:36.320 --> 00:06:42.280 inside, their HP 3000 servers, everything between, had a blast doing it. We went back to CSC and said 00:06:42.280 --> 00:06:45.440 hey, we’d like to start doing more commercial pen tests, and they came back and said nope, we’re 00:06:45.440 --> 00:06:50.820 federal; that’s it. So, we took the whole team and started a startup. That was Digital Defense. 00:06:50.820 --> 00:06:56.000 JACK: HD loved doing security assessments for customers, and this is a penetration 00:06:56.000 --> 00:07:00.240 test. Customers would hire them to see if their computers were vulnerable, 00:07:00.240 --> 00:07:04.680 and they did other things too, like monitoring for security events, and helped secure the 00:07:04.680 --> 00:07:10.360 network better. [MUSIC] But there was a problem, a big one, if you ask me. Back in the late 90s, 00:07:10.360 --> 00:07:16.720 exploits were hard to come by. See, let me walk you through how a typical pen test works. First, 00:07:16.720 --> 00:07:20.280 you typically want to start out with a vulnerability scanner. This will tell 00:07:20.280 --> 00:07:24.480 you what computers are on the network, what services are running, what apps are running, 00:07:24.480 --> 00:07:29.400 and maybe even give you an idea of what versions that software is running, too, because sometimes 00:07:29.400 --> 00:07:33.360 when you connect to that computer, it’ll tell you what version of software it’s running. Now, 00:07:33.360 --> 00:07:38.000 as a pen tester, once you know the version of an application that a computer is running, 00:07:38.000 --> 00:07:43.160 you can go look up to see if there’s any known vulnerabilities. Maybe that’s an old version that 00:07:43.160 --> 00:07:49.360 they’re running. Here’s where the problem lies; suppose that yes, you did find a system that was 00:07:49.360 --> 00:07:55.080 not updated and was running an old version of software that has a known vulnerability. It’s 00:07:55.080 --> 00:08:01.080 simply not enough to tell the client that their server is not patched and needs to be updated. 00:08:01.080 --> 00:08:06.520 The client might push back and say well, what’s really the risk for not updating? So, 00:08:06.520 --> 00:08:12.760 that’s why a pen tester has to actually exploit the system to prove what could go wrong if they 00:08:12.760 --> 00:08:20.200 don’t update. They need to act like an adversary would. But to get that exploit so that you can 00:08:20.200 --> 00:08:25.120 demonstrate to the client that this machine is vulnerable, that’s the hard part. At least, 00:08:25.120 --> 00:08:31.160 it was in the 90s. Some hacker websites would have exploits that you could download. Those were often 00:08:31.160 --> 00:08:35.840 pretty old and out of date. So, then you might start feeling around in chat rooms, trying to 00:08:35.840 --> 00:08:42.480 see who’s got the goods. If you’re lucky, you get pointed to an FTP server to download some 00:08:42.480 --> 00:08:49.080 exploits, but it has no documentation, and who knows what this exploit does? It could be an 00:08:49.080 --> 00:08:54.240 actual virus. As a professional penetration tester, you really can’t just download some 00:08:54.240 --> 00:09:00.040 random exploit from the internet and launch it on your customer’s network; no way. Who knows what 00:09:00.040 --> 00:09:05.960 that thing does? It could infect the whole network with some nasty virus or create some backdoor that 00:09:05.960 --> 00:09:12.480 other hackers can get into. So, back then, there just wasn’t a place to get good exploits from, 00:09:12.480 --> 00:09:15.920 and especially, there wasn’t a place to get the latest and greatest ones. 00:09:15.920 --> 00:09:19.400 HD: As you start rolling into the 2000s, what happened is all the folks who previously were 00:09:19.400 --> 00:09:25.360 sharing their exploits with the researchers, with kinda the community, they obviously started either 00:09:25.360 --> 00:09:29.360 just getting real jobs and stopped sharing their tools or they thought there was ethical issues 00:09:29.360 --> 00:09:33.400 with that. But basically, it all dried up. It turned into some commercial firms. Like, 00:09:33.400 --> 00:09:36.160 Core Impact was targeted around the same time to commercialize exploit 00:09:36.160 --> 00:09:41.120 tooling. Other folk just decided they weren’t doing it anymore or they got in trouble. So, 00:09:41.120 --> 00:09:43.840 if you were a security firm trying to do pen tests for your customers, 00:09:43.840 --> 00:09:46.560 it was really difficult to get exploits back then and really difficult to know whether 00:09:46.560 --> 00:09:50.640 they were safe or not without rewriting every byte of shell code from scratch. So, 00:09:50.640 --> 00:09:54.880 the challenge of getting the right tools and exploits, you had to build a lot of it in-house. 00:09:54.880 --> 00:10:00.560 JACK: Well, this company that he was working for didn’t really have the ability or expertise or 00:10:00.560 --> 00:10:08.040 resources to develop their own exploit toolkit. But HD, being someone who’s fiercely driven and 00:10:08.040 --> 00:10:13.360 part of this hacker culture, was acquiring quite a bit of exploits and learning how they worked, 00:10:13.360 --> 00:10:19.040 and was able to code some of his own. But these exploits were unorganized; they were scattered 00:10:19.040 --> 00:10:23.240 all over his computer, the documentation wasn’t there, it was hard to share it with some of his 00:10:23.240 --> 00:10:31.840 teammates, and that’s why HD Moore decided to make Metasploit. [MUSIC] Metasploit is an 00:10:31.840 --> 00:10:37.680 exploit toolkit, which basically means it’s a single application that has loads of exploits 00:10:37.680 --> 00:10:43.760 built into it. So, once you load it up, you can pick which exploit to use, input some parameters, 00:10:43.760 --> 00:10:48.560 and launch it on the target. It was not so great, but it was a basic collection 00:10:48.560 --> 00:10:53.200 of vulnerabilities that HD knew and could trust that weren’t filled with viruses. This 00:10:53.200 --> 00:10:59.800 little tool he built was helping him do security assessments, and now that he’s made a framework, 00:10:59.800 --> 00:11:04.960 he can continually add new vulnerabilities to make it better. But there are new vulnerabilities 00:11:04.960 --> 00:11:10.620 being discovered all the time, so it was an endless job to keep adding stuff to Metasploit. 00:11:10.620 --> 00:11:15.400 HD: Yeah, I mean, it’s a combination of finding vulnerabilities myself, sharing with your friends, 00:11:15.400 --> 00:11:19.280 reporting some of them, not reporting others at the time, and then just me and my friend 00:11:19.280 --> 00:11:23.280 sharing exploits all day long. I wrote some; they weren’t very good, but I’d write stuff all the 00:11:23.280 --> 00:11:27.880 time. Then you get access to one of the really interesting ones or really high-profile ones, 00:11:27.880 --> 00:11:31.440 and play with it a little bit and see what you can do with it. What ended up being the first 00:11:31.440 --> 00:11:35.680 version of Metasploit was very menu-based, very terminal-based. We kinda picked the exploit, 00:11:35.680 --> 00:11:38.960 picks – picked the NOP encoder, the exploit encoder, and the payload, 00:11:38.960 --> 00:11:43.200 and put them all together, and then send it. By the time we got to Metasploit 2, we threw all that 00:11:43.200 --> 00:11:47.000 out the window and came up with – the idea was that you can assemble an exploit like Legos. So, 00:11:47.000 --> 00:11:51.780 it wasn’t – prior to this, most exploits had maybe one payload, maybe two payloads. 00:11:51.780 --> 00:11:58.120 JACK: Oh yeah, a payload. A payload is what you want your computer to do after a vulnerability 00:11:58.120 --> 00:12:04.560 gets exploited. Imagine a needle and syringe; the needle is the exploit. It gets you past 00:12:04.560 --> 00:12:11.000 the defenses and into the system, but an empty syringe does nothing. The payload is whatever’s 00:12:11.000 --> 00:12:17.040 in the syringe, the thing that gets injected into the computer after it’s penetrated. So, 00:12:17.040 --> 00:12:23.360 what is a typical payload? Well, it could be to open the door and give you command line access, 00:12:23.360 --> 00:12:28.280 or it could be to upload a file and execute it on that computer you just got into, or it could be to 00:12:28.280 --> 00:12:34.840 reboot the computer. The exploit is the way in, and the payload is the action taken once you get 00:12:34.840 --> 00:12:40.320 in. Yeah, the exploits that you would get your hands on back then, then had built-in payloads. 00:12:40.320 --> 00:12:45.720 Changing the payload wasn’t always even an option unless you had access to the source code of the 00:12:45.720 --> 00:12:50.440 exploit and could build your own payload. Even if you did that, what happens the next time when 00:12:50.440 --> 00:12:54.320 you want to use that exploit with a different payload? You’d have to recompile the whole thing 00:12:54.320 --> 00:12:59.320 with something new and then fiddle with it to get it to actually work. Of course, you don’t want to 00:12:59.320 --> 00:13:05.280 run some payload that someone else made on one of your customer’s computers unless you can examine 00:13:05.280 --> 00:13:11.920 the source code and see what it does. HD saw this was a problem and modularized how you build an 00:13:11.920 --> 00:13:17.440 attack. He made this easy, with Metasploit, giving you the option to pick the exploit, 00:13:17.440 --> 00:13:23.340 pick the payload, and then choose your target. It made hacking a thousand times easier. 00:13:23.340 --> 00:13:27.160 HD: So, instead of being stuck with one payload or one exploit, you could take any payload, 00:13:27.160 --> 00:13:32.640 any exploit, any encoder, any NOP generator and stuck – stick them all together into a chain. 00:13:32.640 --> 00:13:36.480 It was great for a bunch of reasons; a lot more flexibility during pen tests, you could experiment 00:13:36.480 --> 00:13:40.320 with really interesting types of payloads that were non-standard, and because everything 00:13:40.320 --> 00:13:44.080 was randomized all the time, a lot of the network-based detection tools couldn’t keep up. 00:13:44.080 --> 00:13:49.040 JACK: Because everything was randomized? This is actually a really clever thing he 00:13:49.040 --> 00:13:53.600 added to the tool. So, if you put yourself in a defender’s shoes, they obviously don’t want 00:13:53.600 --> 00:13:58.560 exploits being run in the network, and they want to identify them and not let those programs run, 00:13:58.560 --> 00:14:03.280 right? A defender might even make a rule in the antivirus program that says hey, if there’s a 00:14:03.280 --> 00:14:07.760 program that is this size and has this many bytes and is this long and is called this, 00:14:07.760 --> 00:14:14.160 then it’s a known virus. Do not let this program run. Well, what Metasploit did was randomize all 00:14:14.160 --> 00:14:19.360 these parts. They’d give it a random name and a random size and all kinds of random characters, 00:14:19.360 --> 00:14:24.880 simply so that antivirus tools would have a hard time detecting it. It makes sense for Metasploit 00:14:24.880 --> 00:14:30.240 to try to evade antivirus, because securing your network should be multilayered. The first 00:14:30.240 --> 00:14:34.600 layer would be to make sure the computers in your network are up to date and on the latest patch. 00:14:34.600 --> 00:14:39.600 Then the next layer should be to have them configured correctly. If both of those fail, 00:14:39.600 --> 00:14:44.440 then antivirus can inspect what’s happening and try to stop an attack in progress. But 00:14:44.440 --> 00:14:50.400 if antivirus is blocking it, it hasn’t even tested whether that system is secure or not. So, 00:14:50.400 --> 00:14:56.000 it needs to go around antivirus tools to actually test the server, and a good pen 00:14:56.000 --> 00:15:01.180 tester will test multiple layers to make sure each layer of defense is actually working. 00:15:01.180 --> 00:15:04.986 HD: So, by definition, Metasploit was evasive by default. 00:15:04.986 --> 00:15:09.440 JACK: [MUSIC] Now, at the time, HD was using this tool to conduct penetration tests on people who 00:15:09.440 --> 00:15:14.320 wanted to see if their network was hackable. HD was one of the initial people to join this 00:15:14.320 --> 00:15:20.560 company, but he wasn’t in any sort of leadership role or a manager or anything. So, imagine for a 00:15:20.560 --> 00:15:28.040 moment you’re HD’s boss, and HD shows you this home brew exploit toolkit which is programmed 00:15:28.040 --> 00:15:34.760 to seek out and exploit known vulnerabilities in computers and payloads built into it. Now, 00:15:34.760 --> 00:15:40.400 clearly, in the right hands, this is a weapon. It’s an attacker’s dream come true. Some of 00:15:40.400 --> 00:15:45.360 the vulnerabilities in it are high-quality and make them very dangerous, giving you access to 00:15:45.360 --> 00:15:52.120 pretty much anything at the time. Him bringing in Metasploit to work was like bringing in a bucket 00:15:52.120 --> 00:15:57.280 of hypodermic syringes with their safety caps off, and some of these were picked up off shady, 00:15:57.280 --> 00:16:02.480 underground places. Some of them were DIY homemade, and with syringes, you typically see 00:16:02.480 --> 00:16:06.800 them in the hands of highly-skilled professionals like doctors or people who need beneficial 00:16:06.800 --> 00:16:14.600 medicine, or drug addicts. So, a bucket of syringes can be extremely dangerous or extremely 00:16:14.600 --> 00:16:21.720 beneficial. There’s no real middle ground. It was the same with Metasploit; it was a bucket of some 00:16:21.720 --> 00:16:28.160 pretty scary exploits that if you let loose in the office would be a pretty big problem. So, 00:16:28.160 --> 00:16:34.000 bringing in a toolkit like this to work, well, HD’s employer was not supportive of this tool. 00:16:34.000 --> 00:16:36.400 HD: I guess more accurately, they were terrified of it. They did not 00:16:36.400 --> 00:16:39.920 want to be associated with anything I was working on. But at the same time, 00:16:39.920 --> 00:16:42.540 they were kinda stuck with me because I was running most pen test operations. 00:16:42.540 --> 00:16:44.540 JACK: Why were they terrified of it? 00:16:44.540 --> 00:16:48.040 HD: There was a lot of fear of exploits and liability. The worry was that if we 00:16:48.040 --> 00:16:52.720 released an exploit and something – someone bad used it to hack into somebody else, 00:16:52.720 --> 00:16:56.160 somehow my company would become liable. So, they wanted to stay as far away from it as they 00:16:56.160 --> 00:17:00.600 possibly could. It didn’t help that our primary client base were credit unions, which were kinda 00:17:00.600 --> 00:17:05.120 naturally conservative and probably still are. They didn’t want to know that the people they 00:17:05.120 --> 00:17:09.620 hired for security assessments were also releasing and open-sourcing exploit tools on the internet. 00:17:09.620 --> 00:17:15.040 JACK: This is an interesting dichotomy, isn’t it? On one hand, if you’re gonna be testing if a 00:17:15.040 --> 00:17:20.520 company is hackable, you need these attack tools, these weapons. But nobody ever asks a pen tester, 00:17:20.520 --> 00:17:24.200 where are you gonna get your weapons from? They just assume, since you’re a hacker, 00:17:24.200 --> 00:17:28.600 you know how to do it. But it’s not like you can just type a few commands to get around some 00:17:28.600 --> 00:17:33.600 security measures. That’s like reinventing the wheel every time you want to do an assessment. You 00:17:33.600 --> 00:17:39.720 need tools for the job, a set of attacks that you know work well and you can trust that won’t put 00:17:39.720 --> 00:17:45.640 malware on your customer’s network or cause harm. But that’s a lot of work to make sure of, and if 00:17:45.640 --> 00:17:51.080 you make a hacking tool like this for yourself and maybe put it out there for someone else to use, 00:17:51.080 --> 00:17:56.280 that does sound like it could come back and bite you. If someone uses it to actually commit a crime 00:17:56.280 --> 00:18:02.320 with, how much are you liable for that? So, he had to make a decision on what to do with this 00:18:02.320 --> 00:18:09.548 Metasploit tool. If his work wasn’t going to help him with it, what should he do with it? 00:18:09.548 --> 00:18:12.760 HD: [MUSIC] Well, it’s one of those things where on one hand, they wouldn’t support it; other hand, 00:18:12.760 --> 00:18:17.280 we desperately needed this tool to do our job. It became a nights and weekends thing. So, 00:18:17.280 --> 00:18:21.360 I’d clock out of work and I’d go spend the rest of the night not sleeping, working on exploits, 00:18:21.360 --> 00:18:24.840 working on a shell code, and – not particularly good exploits, but I got better eventually, 00:18:24.840 --> 00:18:28.080 and finally got to the point that we had something that was worth using all on its 00:18:28.080 --> 00:18:32.160 own that wasn’t just a crappy script kiddie tool or a rewrite of a bunch of new exploits; 00:18:32.160 --> 00:18:38.320 it was actually something that had some legs to it. That led to – I think my first trip was to 00:18:38.320 --> 00:18:43.960 Hack the Box, Malaysia, to talk about it. It was a great experience to really get feedback about 00:18:43.960 --> 00:18:47.440 how different it was from what other people were doing at the time. That really kind of helped give 00:18:47.440 --> 00:18:51.240 me motivation to keep working on it. It also helped me find people to work on it with. So, 00:18:51.240 --> 00:18:55.840 Annette, Spoonm shortly after, I met Matt Miller or Skape right after that. They joined 00:18:55.840 --> 00:19:00.220 the team and we just kinda kept it going as this side project for the next few years. 00:19:00.220 --> 00:19:05.600 JACK: So, in 2002 is when he first shared Metasploit with others, which immediately 00:19:05.600 --> 00:19:10.680 got a few people so interested in it, they wanted to help make it. With a few people helping him, 00:19:10.680 --> 00:19:16.840 in 2003, he decided to release Metasploit publicly for others to download and use. 00:19:16.840 --> 00:19:20.720 After all, it was providing him a lot of value to do his job better, 00:19:20.720 --> 00:19:24.960 so it would probably make it easier for other penetration testers to do their job, 00:19:24.960 --> 00:19:30.760 too. He also decided to give it away free, and importantly, he made it open-source, 00:19:30.760 --> 00:19:35.940 so anyone could inspect the code to verify there’s nothing too bad going on in there. 00:19:35.940 --> 00:19:40.360 HD: So, metasploit.com was created, and that was where we first started posting some interesting 00:19:40.360 --> 00:19:43.400 variants of Windows shell code that we came up with that were much smaller that was available 00:19:43.400 --> 00:19:46.480 otherwise. Then eventually, it became where we shared the Metasploit framework code. The 00:19:46.480 --> 00:19:51.880 downside, of course, is it gave everyone else a target to go after. So, as soon as we started 00:19:51.880 --> 00:19:56.000 posting versions of Metasploit framework to metasploit.com, we started getting DDoS attacks, 00:19:56.000 --> 00:20:01.320 exploit attempts. It got so bad that one guy actually couldn’t hack our server, 00:20:01.320 --> 00:20:06.080 so he hacked our ISP, ARP-spoofed the gateway by hacking the ISP’s infrastructure, and then used 00:20:06.080 --> 00:20:09.920 that to redirect our web page to his own web server. So, he couldn’t hack our web server or 00:20:09.920 --> 00:20:13.560 deface it, but he’d just redirect the entire ISP’s traffic just to be able to deface metasploit.com. 00:20:13.560 --> 00:20:17.945 JACK: Wait, the Metasploit website was getting attacked? By who? 00:20:17.945 --> 00:20:21.840 HD: [MUSIC] In the early days, everyone hated Metasploit. My employer hated Metasploit, 00:20:21.840 --> 00:20:25.720 our customers hated Metasploit. They thought it was dangerous. All the black hats, all the 00:20:25.720 --> 00:20:29.160 folks who were trading exploits underground, they absolutely hated it because we’re taking 00:20:29.160 --> 00:20:33.520 what they thought was theirs and making it available to everybody else. So, it’s one of 00:20:33.520 --> 00:20:36.440 those things where the professionals in the space hated it because they thought it was a 00:20:36.440 --> 00:20:40.040 script kitty tool. The black hats hated it ‘cause they thought we’re taking away from what they had, 00:20:40.040 --> 00:20:44.960 and all the professional folks and employers and customers thought it was sketchy to start with, 00:20:44.960 --> 00:20:49.120 so it took a long time to get past that. But in the meantime, we were getting DDoS attacks, 00:20:49.120 --> 00:20:54.840 we’re having people try to deface the website, we’re having folks spoof my identity and spoof 00:20:54.840 --> 00:20:58.120 all kinds of terrible things on the internet under my name, you name it. 00:20:58.120 --> 00:21:02.240 JACK: Someone decided to attack HD for publishing exploits. They couldn’t figure 00:21:02.240 --> 00:21:07.240 out a good attack on him, so they spent time figuring out where he worked and decided to 00:21:07.240 --> 00:21:13.600 attack his employer. They scanned the websites that his employer had, and found a demo site. It 00:21:13.600 --> 00:21:17.960 wasn’t the employer’s main site; it was a tool to demonstrate how to crack passwords. Well, 00:21:17.960 --> 00:21:22.640 this demo site was running the Samba service, but it was fully patched, so there shouldn’t be a way 00:21:22.640 --> 00:21:27.440 to hack into this through the Samba service. HD even tried attacking it with Metasploit, 00:21:27.440 --> 00:21:32.640 but couldn’t figure out a way in. But there was someone who did know of a Samba vulnerability. 00:21:32.640 --> 00:21:38.840 They developed their own exploit and attacked HD’s employer’s website and tried to get 00:21:38.840 --> 00:21:43.080 inside the system. But their payload didn’t work that well, and it crashed the server. 00:21:43.080 --> 00:21:45.800 HD: So, I got this alert saying the machine was basically shut down, 00:21:45.800 --> 00:21:50.120 it crashed. We’re capturing all the traffic going in in that machine just fine to start with, 00:21:50.120 --> 00:21:53.320 but by doing that, we were able to carve out the initial exploit. 00:21:53.320 --> 00:21:58.840 JACK: Wow, this is fascinating. Because HD was capturing all traffic going into and out of that 00:21:58.840 --> 00:22:04.320 machine, he was able to find the exact code that was used to exploit the Samba service, 00:22:04.320 --> 00:22:06.840 which is incredible. I mean, it’s like finding a needle in 00:22:06.840 --> 00:22:11.520 a haystack. But then as he examined this code that was used to exploit the system, 00:22:11.520 --> 00:22:15.800 he realized this was a completely unknown vulnerability to everyone, 00:22:15.800 --> 00:22:21.672 which is called a zero-day exploit. HD was able to analyze this and learn how to use it himself. 00:22:21.672 --> 00:22:24.640 HD: Did some analysis on it, contacted the Samba team saying hey, 00:22:24.640 --> 00:22:29.760 there’s a really awful remote 0-day in Samba. So, we wrote our own version of the exploit, 00:22:29.760 --> 00:22:34.560 put it on metasploit.com, and that was kind of the beginning of a long, 00:22:34.560 --> 00:22:38.600 long war with – I don’t even know which group it was, but they spent the next two weeks DDossing 00:22:38.600 --> 00:22:42.780 our website for leaking their exploit. Not only leaking it, but writing a better version. 00:22:42.780 --> 00:22:47.760 JACK: That’s brilliant. Because someone didn’t like that HD created Metasploit, 00:22:47.760 --> 00:22:53.000 they attacked his employer, which made him discover their exploit, which he then reported 00:22:53.000 --> 00:22:58.400 to the Samba team to get it fixed, and then he added it into his tool, Metasploit. This 00:22:58.400 --> 00:23:03.880 made his attacker so much more mad at him, and he continued to get attacked like this all the time. 00:23:03.880 --> 00:23:08.830 HD: Folks like emailing my boss telling them to fire me, things like that. We’ve had some… 00:23:08.830 --> 00:23:11.160 JACK: But yeah, why are people wanting you to be fired? 00:23:11.160 --> 00:23:15.120 HD: They felt that publishing exploits was irresponsible and I was a liability to the 00:23:15.120 --> 00:23:19.700 company, and they didn’t want me to have a job because of what I was doing in my spare time. 00:23:19.700 --> 00:23:23.840 JACK: Huh. Did they have a point? Did you feel it with them? 00:23:23.840 --> 00:23:27.880 HD: It was good motivation to try harder. 00:23:27.880 --> 00:23:37.360 JACK: Okay, so, the idea that somebody’s going to be upset with a side project you’re 00:23:37.360 --> 00:23:43.160 working on on the weekends to the point where they’re gonna say, I need to get this guy HD; 00:23:43.160 --> 00:23:48.520 I’m gonna ruin him, I’m gonna e-mail his boss and tell his boss to fire him, 00:23:48.520 --> 00:23:53.160 that sounds like cancel culture to me before they even had the term ‘cancel culture’. 00:23:53.160 --> 00:23:58.200 HD: I guess it’s not that different. I feel like maybe it was the equivalent of a moral, 00:23:58.200 --> 00:24:01.360 ethical dilemma for them at the time. They thought somehow I was doing something that 00:24:01.360 --> 00:24:05.000 was morally wrong and therefore needed to be punished. But yeah, there’s definitely a lot 00:24:05.000 --> 00:24:10.440 of that. There is pressure not just from black hat researchers and from customers 00:24:10.440 --> 00:24:14.080 who didn’t like what I was doing, but also from other security vendors saying well, if you want 00:24:14.080 --> 00:24:18.706 business with us, then you have to bury this vulnerability. You can’t talk about this one. 00:24:18.706 --> 00:24:22.320 JACK: [MUSIC] Whoa, so when he would find a vulnerability in one of the companies 00:24:22.320 --> 00:24:28.840 that were a business partner of his employer, that company was absolutely not happy when HD published 00:24:28.840 --> 00:24:35.360 the exploit and added it into Metasploit. Because remember, Metasploit makes hacking so much easier, 00:24:35.360 --> 00:24:40.440 which means if it’s in the tool, it’s now easy to exploit that company’s products. So, 00:24:40.440 --> 00:24:45.040 they’d get mad at him, ask him to take down the blog posts that talk about this vulnerability, 00:24:45.040 --> 00:24:49.960 and remove it from the tool. They would even threaten to take away the partner status that 00:24:49.960 --> 00:24:56.520 they had with his employer if he didn’t comply. Things were getting pretty ugly, and his employer 00:24:56.520 --> 00:25:02.720 was growing increasingly unhappy with HD. He was frequently finding himself in the crosshairs of 00:25:02.720 --> 00:25:11.160 many attacks, but this is his territory; hacking, attacks, defending. That’s what he does during 00:25:11.160 --> 00:25:16.280 the day as his day job, but it’s also what he does at night for fun, and he even dreams about 00:25:16.280 --> 00:25:22.720 this kind of stuff. So, if someone attacks HD Moore, you know he’s gonna have fun with that. 00:25:22.720 --> 00:25:26.720 HD: What happened is some vulnerability we published was being actively exploited 00:25:26.720 --> 00:25:30.480 by some black hats who were building a botnet, and they were so mad about it, they 00:25:30.480 --> 00:25:34.480 decided they were gonna use that botnet to DDoS metasploit.com. What they didn’t realize, though, 00:25:34.480 --> 00:25:38.080 was Metasploit wasn’t a company. Metasploit was just a side project I was running in my 00:25:38.080 --> 00:25:41.000 spare time, and I thought the whole thing was hilarious that they were spending all this time 00:25:41.000 --> 00:25:44.440 DDossing it. But I didn’t like the fact they were DDossing an ISP that I liked working with. 00:25:44.440 --> 00:25:49.040 JACK: So, this botnet was flooding both of his DNS names, metasploit.com and 00:25:49.040 --> 00:25:55.280 www.metasploit.com. It was sending so much traffic that the site was unusable by anyone 00:25:55.280 --> 00:26:01.040 and was essentially down. HD investigated this botnet a bit and discovered where the botnet 00:26:01.040 --> 00:26:06.360 was being controlled from. He found their command and control server, or C2 server. 00:26:06.360 --> 00:26:09.080 HD: They just happened to also have two command and control servers. So, 00:26:09.080 --> 00:26:13.680 a light bulb goes off. It’s like, well, let’s point www.metasploit.com to one of their C2s and 00:26:13.680 --> 00:26:17.120 their domain name to the other one and just sit back and wait a couple weeks, see what happens, 00:26:17.120 --> 00:26:21.080 right? So, what happened is because those are the control servers for the botnet and a botnet was 00:26:21.080 --> 00:26:25.720 DDossing its control servers, they got locked out of their botnet until we changed the DNS 00:26:25.720 --> 00:26:29.400 settings. So, we essentially hijacked their own botnet to basically flood their own C2 00:26:29.400 --> 00:26:33.060 indefinitely until they finally e-mailed us a week later saying please can we have it back? 00:26:33.060 --> 00:26:35.280 JACK: Wait, what? They e-mailed you? 00:26:35.280 --> 00:26:38.160 HD: Yeah, ‘cause they didn’t know how else to get ahold of us. So, 00:26:38.160 --> 00:26:44.080 they basically lost their botnet. We said okay, well, don’t DDoS us again. They went okay, 00:26:44.080 --> 00:26:46.820 we won’t, and that was the end of that. We never got DDossed again. 00:26:46.820 --> 00:26:50.880 JACK: We’re gonna take a quick ad break here, but stay with us because HD’s just 00:26:50.880 --> 00:26:57.840 getting started with the stories that he has. Who do you associate yourself with? 00:26:57.840 --> 00:27:02.640 Because I’m feeling like you’ve got three legs in three different buckets, here. On one leg, 00:27:02.640 --> 00:27:09.320 you’re standing in the Phrack IRC channel, which is black hat hackers, 00:27:09.320 --> 00:27:14.600 typically, at the time, right? These are the people who may be either just, I don’t know, 00:27:14.600 --> 00:27:21.000 hacktivists or cyber criminals proper. Then you’ve got your relationship with the DoD, 00:27:21.000 --> 00:27:25.920 and then you’ve got your professional relationship where you’re trying to show yourself, like look, 00:27:25.920 --> 00:27:30.960 I’ve got some real chops here; I can do this kind of penetration work for a fee. I’m a professional, 00:27:30.960 --> 00:27:34.600 this kind of thing, and I’ve got actually a tool that I’m developing that can be 00:27:34.600 --> 00:27:41.540 used for professionals. So, how – where in this scenario do you feel like you’re most at home? 00:27:41.540 --> 00:27:46.440 HD: Good question. I definitely felt like an outsider in all those groups. The Phrack channel 00:27:46.440 --> 00:27:51.920 went through a big change right around 2000 or so, where it used to be some pretty well-respected 00:27:51.920 --> 00:27:55.640 hacker researcher types, and got taken over by a group of trolls that called themselves 00:27:55.640 --> 00:28:01.040 Phrack High Council, and those folks and I did not get along. That led to this multi-year constant 00:28:01.040 --> 00:28:04.760 trolling and chaos and things like that. Even professionally though, I didn’t really have 00:28:04.760 --> 00:28:08.200 anyone I could really hang out with besides my coworkers, and I had some good friends there, 00:28:08.200 --> 00:28:14.220 but there wasn’t – I almost kinda felt like an outsider in all three of those camps, I guess. 00:28:14.220 --> 00:28:20.680 JACK: Yeah, because I know about this sort of infighting in the hacker communities. 00:28:20.680 --> 00:28:24.840 When a hacker thinks they’re hot stuff, they post something, they make a website, 00:28:24.840 --> 00:28:28.400 whatever. Other hackers will try to dox them and attack their website, 00:28:28.400 --> 00:28:33.280 and it’s just constantly doing that. Did you feel like that’s kinda what this was, 00:28:33.280 --> 00:28:38.560 was just hacker versus hacker? Like look, I’m a smarter hacker than you are? Or did 00:28:38.560 --> 00:28:43.760 it feel like no, you’re not one of us; get the hell out of here kind of attack? 00:28:43.760 --> 00:28:48.160 HD: It definitely wasn’t friendly. Some friends and I would always go after each other’s stuff 00:28:48.160 --> 00:28:51.520 and it wasn’t a big deal. You say hey, look, check your home directory; there’s a file there, 00:28:51.520 --> 00:28:55.040 or whatever it is, right? These are folks who – they would steal your mail spool, 00:28:55.040 --> 00:28:58.200 they’d publish it on the internet, they would forge stuff in your name, they’d try to get you 00:28:58.200 --> 00:29:01.440 fired, they’d try to get you arrested. They do everything – this is prior to swatting, 00:29:01.440 --> 00:29:05.160 of course, but this is pretty much everything they could do to ruin your life. This was no holds 00:29:05.160 --> 00:29:12.480 barred; we’re ruining you and good luck fighting back. So, this is definitely not the fun kind. 00:29:12.480 --> 00:29:18.200 JACK: Now, by this point, HD and the team working on Metasploit have found lots of new 00:29:18.200 --> 00:29:22.600 unknown vulnerabilities themselves, stuff that the software maker has no idea is 00:29:22.600 --> 00:29:27.960 even a problem. They do this by scanning the internet, attacking their own test servers, 00:29:27.960 --> 00:29:32.640 and trying to break their own computers. But what do you do when you find an unknown vulnerability 00:29:32.640 --> 00:29:37.840 in some software? Well, the best avenue is to find a good way to report it to the vendor, 00:29:37.840 --> 00:29:42.960 right? But HD has had a bit of a history with reporting bugs to vendors. 00:29:42.960 --> 00:29:47.040 HD: When I was in teenage years and still kind of in high school, I was working on 00:29:47.040 --> 00:29:52.480 a bunch of the NT4 exploits for fun, like the old HGR buffer overflow and things like that. 00:29:52.480 --> 00:29:56.200 While I was putting around one day, I found a way to bypass their country validation for 00:29:56.200 --> 00:30:00.400 downloading – I think it was NTs, Service Pack 4 for Microsoft. So, instead of it looking at 00:30:00.400 --> 00:30:04.320 your IP address doing geolocation, it’d look at a parameter you put in the URL instead, 00:30:04.320 --> 00:30:09.640 and you can basically download the high encryption version of NT SP6 from Russia or wherever else, 00:30:09.640 --> 00:30:12.760 which was not a good thing at the time because of all the expert controls. So, 00:30:12.760 --> 00:30:16.280 I contact the Microsoft security team which was pretty nascent back then, and said hey, 00:30:16.280 --> 00:30:19.480 you can bypass all your expert controls; this is probably not good. They were like well, 00:30:19.480 --> 00:30:25.160 what do you want? I’m like, I don’t want anything, but what do you got? They said well, what are 00:30:25.160 --> 00:30:29.480 you looking for? I’m like, can I have an MSDN license? That’d be awesome. That was the beginning 00:30:29.480 --> 00:30:34.114 of a long series of really weird interactions with the security team there. Fast forward to… 00:30:34.114 --> 00:30:36.440 JACK: I’m trying to remember what a MSDN license was. 00:30:36.440 --> 00:30:40.720 HD: MSDN was the license that gave you access to all the operating system CDs 00:30:40.720 --> 00:30:44.080 and media for everything Microsoft made. So, if you had an MSDN license, 00:30:44.080 --> 00:30:47.360 you basically have a – you can install any version of Windows you want, any version of 00:30:47.360 --> 00:30:50.800 Exchange Server, all that stuff. So, as a hacker or someone doing security research, 00:30:50.800 --> 00:30:54.480 it was a gold mine ‘cause you have all the bulk installers and data all in one place. 00:30:54.480 --> 00:30:55.680 JACK: Got it. Okay. 00:30:55.680 --> 00:31:00.440 HD: So, fast forward to my first startup and finding vulnerabilities in Microsoft products and 00:31:00.440 --> 00:31:05.800 doing a lot of work on asp.net and configurations and other stuff we run into during pen testing, 00:31:05.800 --> 00:31:09.640 and Microsoft did not like having vulnerabilities reported. They do anything they can to shut you 00:31:09.640 --> 00:31:13.800 up. They did not like having someone ex – releasing exploits for vulnerabilities on 00:31:13.800 --> 00:31:19.720 their platform. The first startup I worked at was a Microsoft partner, so we had a discount 00:31:19.720 --> 00:31:25.000 for MSDN and things like that for internal licenses, and a gentleman at Microsoft kept 00:31:25.000 --> 00:31:29.040 calling our [MUSIC] RCO saying hey, you need to stop letting this guy publish stuff. You need 00:31:29.040 --> 00:31:33.320 to fire this person or we’re going to take away your partnership license. So, they kept putting 00:31:33.320 --> 00:31:38.760 pressure on my coworkers and my boss and the CEO to get rid of me, basically, because of the work 00:31:38.760 --> 00:31:43.280 I was doing to publish vulnerabilities. That just made me angry; I had got a chip on my shoulder 00:31:43.280 --> 00:31:48.760 pretty early on about that, and by the time I got to the Hack the Box contest in Malaysia to 00:31:48.760 --> 00:31:54.760 announce Metasploit, they had a Windows 2000…what was it? Windows 2003 server, I think it was being 00:31:54.760 --> 00:31:58.900 announced at that time, and they had a CTF for it. I was like great, I’ll do this CTF. 00:31:58.900 --> 00:32:03.000 JACK: So, CTF stands for Capture the Flag. It’s a challenge that a lot of these hack 00:32:03.000 --> 00:32:08.240 conferences have, where they put a computer in the middle of the room and see who can hack into it. 00:32:08.240 --> 00:32:12.880 In this case, it was a fully-patched Windows computer, and HD was curious if he could find 00:32:12.880 --> 00:32:18.960 a vulnerability to get into it. So, he creates some tools to send it random commands and inputs, 00:32:18.960 --> 00:32:23.320 anything that he could send to it to try to cause it to malfunction. Sure enough, 00:32:23.320 --> 00:32:29.520 he did get a fully-patched Windows computer to malfunction. So, he examined the data that he sent 00:32:29.520 --> 00:32:36.400 to this computer to cause it to malfunction, and he was able to use that to create an exploit which 00:32:36.400 --> 00:32:43.240 got him remote access to the system. Now, since this was an unknown bug to Microsoft and Microsoft 00:32:43.240 --> 00:32:49.260 was there at this hacker conference sponsoring the thing, he went up to them and told them about it. 00:32:49.260 --> 00:32:53.720 HD: They were like great, report it to us. I’m like no, it’s mine. Am I gonna get a reward for 00:32:53.720 --> 00:32:56.600 it? What are you gonna do with it? I found this vulnerability. It’s mine to do what I want to with 00:32:56.600 --> 00:33:00.400 it. So, I reported it to the Hack the Box where I was like hey, Microsoft’s trying to pressure 00:33:00.400 --> 00:33:05.360 me to not disclose this thing that I found. That’s not the point, right? The point is yeah, 00:33:05.360 --> 00:33:07.920 I found a bug in your server; now I’m gonna talk about it. I’m gonna share it with you, 00:33:07.920 --> 00:33:11.960 but the idea is to go publish it afterwards. They shut the whole thing down. [MUSIC] So, 00:33:11.960 --> 00:33:17.160 I heard secondhand that Microsoft threatened to pull sponsorship of the Hack the Box conference 00:33:17.160 --> 00:33:20.700 if they let that vulnerability get published. So, the whole thing got swept under the rug. 00:33:20.700 --> 00:33:25.640 JACK: See, at the time, Microsoft didn’t take their security as seriously as they should. They 00:33:25.640 --> 00:33:29.800 weren’t publishing all the bugs that they were finding or rewarding people for the bugs they 00:33:29.800 --> 00:33:35.480 found. As HD tells it, they were asking people to not publish bugs publicly. They thought it 00:33:35.480 --> 00:33:40.240 was just better to hide some of these attacks so that nobody knows about it. But around this time, 00:33:40.240 --> 00:33:47.440 in 2002, Bill Gates sent a famous memo to everyone at Microsoft which said security is now a priority 00:33:47.440 --> 00:33:52.520 of the business, and they started a new initiative called the Trustworthy Computing Group. Well, 00:33:52.520 --> 00:33:57.800 HD saw that this bug he found was causing problems with the conference and he liked the conference 00:33:57.800 --> 00:34:03.040 and didn’t want them to lose their biggest sponsor, so he agreed to just sit on this bug and 00:34:03.040 --> 00:34:08.040 do nothing with it. Six months later, someone else found the same bug and reported it to Microsoft, 00:34:08.040 --> 00:34:13.060 and they were able to fix it. It was only then that HD published his version of it. 00:34:13.060 --> 00:34:16.560 HD: So, the short version is, I’m more than happy to tell the vendors about it, 00:34:16.560 --> 00:34:20.640 but I also want to make it public at some point. These are vendors that, at the time, 00:34:20.640 --> 00:34:24.120 were sitting on vulnerabilities more than a year, two years, maybe never disclosing 00:34:24.120 --> 00:34:28.720 it. They had no motivation to ever disclose a vulnerability reported to them, and they would 00:34:28.720 --> 00:34:33.440 do anything they could to pressure you not to. Microsoft was probably the – one of the biggest 00:34:33.440 --> 00:34:38.720 offenders at the time of pressuring researchers into not disclosing vulnerabilities they found. 00:34:38.720 --> 00:34:41.160 JACK: Do you know if there was a – even a 00:34:41.160 --> 00:34:44.240 vulnerability list that they had published at the – at that time? 00:34:44.240 --> 00:34:48.720 HD: I think Microsoft – there were CVEs at the time and Microsoft had their security advisories, 00:34:48.720 --> 00:34:52.200 but the security advisors were just the tip of an iceberg. There was so much stuff being reported to 00:34:52.200 --> 00:34:56.560 them that they would just shut down. The challenge with keeping these secret whether it’s because 00:34:56.560 --> 00:34:59.800 you’re the vendor and don’t want people to know about it and it’s bad marketing or whether you’re 00:34:59.800 --> 00:35:03.520 a black hat and trying to use it to break into systems is that nobody else out there can protect 00:35:03.520 --> 00:35:06.760 themselves. They can’t test themselves. They don’t know whether they’re actually vulnerable, 00:35:06.760 --> 00:35:10.800 whether the security product they bought to prevent exploitation is actually working, 00:35:10.800 --> 00:35:15.480 right? So, one of the great things about having a publicly available exploit for a recently 00:35:15.480 --> 00:35:19.160 disclosed vulnerability is you can make sure that all your mitigations, all your control, all your 00:35:19.160 --> 00:35:23.380 detection, are actually working the way they’re supposed to. Everybody else did not want that. 00:35:23.380 --> 00:35:28.040 JACK: At the time, Microsoft’s browser was Internet Explorer. 00:35:28.040 --> 00:35:31.760 With the chip on his shoulder from dealing with Microsoft in the past, 00:35:31.760 --> 00:35:38.108 HD decided to see how many vulnerabilities he could find in Internet Explorer. 00:35:38.108 --> 00:35:42.360 HD: [MUSIC] Basically were myself, a couple friends; we put together some browser fuzzers. We 00:35:42.360 --> 00:35:47.840 used the browser’s own JavaScript engine to just find hundreds and hundreds of vulnerabilities. We 00:35:47.840 --> 00:35:52.640 tested every single ActiveX control across Windows and just found bugs in all of them at once. So, 00:35:52.640 --> 00:35:55.920 we basically created this mass vulnerability generator, and we’re sitting on probably like, 00:35:55.920 --> 00:35:59.900 600, 700 vulnerabilities at the time, and the vendors were just not moving on it. 00:35:59.900 --> 00:36:06.520 JACK: He kept reporting bug after bug to Microsoft, but from his perspective, 00:36:06.520 --> 00:36:11.800 nothing was getting done. So now, what do you do when you’ve told the vendor 00:36:11.800 --> 00:36:17.720 about a bunch of bugs and they didn’t act on it, and you have hundreds more? 00:36:17.720 --> 00:36:20.520 HD: It got to the point that we just gave up. We said you know what? We’re gonna 00:36:20.520 --> 00:36:23.880 do an entire month; we’re gonna just drop an 0-day every single day for a month straight, 00:36:23.880 --> 00:36:27.880 and we’ll still have hundreds left over afterwards. It was that particular 00:36:27.880 --> 00:36:32.560 sequence and that particular event that I think finally killed ActiveX and Internet Explorer. 00:36:32.560 --> 00:36:34.840 JACK: Why? Why do you think that? 00:36:34.840 --> 00:36:38.200 HD: Well, after the thirty or fortieth ActiveX vulnerability reported, 00:36:38.200 --> 00:36:41.840 then we’re like, hey guys, we have 200 or 300 more. We can keep – we can go – keep 00:36:41.840 --> 00:36:45.760 going all year at this point. It was a good indication that they realized 00:36:45.760 --> 00:36:49.240 there was no safe way to implement ActiveX control and Internet Explorer. 00:36:49.240 --> 00:36:53.480 JACK: Microsoft was realizing the security in their products wasn’t 00:36:53.480 --> 00:36:58.240 cutting it. They needed to do better, and they were working on that. In fact, 00:36:58.240 --> 00:37:02.260 what they started doing was offering jobs to people who were reporting bugs to them. 00:37:02.260 --> 00:37:04.360 HD: So, if you were someone who was previously reporting a bunch 00:37:04.360 --> 00:37:08.600 of vulnerabilities to Microsoft, all of a sudden you got a job offer instead. I mean, 00:37:08.600 --> 00:37:13.480 there’s a amazing security research group called LSD out of Poland, 00:37:13.480 --> 00:37:19.160 and three of the four folks that were part of this group joined Microsoft during this time. 00:37:19.160 --> 00:37:22.120 JACK: Well, did they contact you? 00:37:22.120 --> 00:37:27.160 HD: We’re friends. I met them in Malaysia and I see them at conferences and stuff like that. 00:37:27.160 --> 00:37:32.560 I definitely got a few offers from Microsoft early on, but I kinda pushed back with ridiculous terms, 00:37:32.560 --> 00:37:37.680 like no way in hell, essentially, mostly because I felt like they didn’t really 00:37:37.680 --> 00:37:40.440 have the best interest of the community at heart. They definitely – they would shut down 00:37:40.440 --> 00:37:45.440 anything I was working on. For the most part, it was true; folks who took a job at Microsoft 00:37:45.440 --> 00:37:49.950 after doing vulnerability research before, you never heard a peep out of them again. 00:37:49.950 --> 00:37:54.960 JACK: Hm, can you imagine if that happened? If HD got hired by Microsoft? They might have tried 00:37:54.960 --> 00:38:00.760 to close down Metasploit altogether, and what a loss that would have been. Because, 00:38:00.760 --> 00:38:06.600 Metasploit was starting to pick up some traction, and while it was hated by many, it was being used 00:38:06.600 --> 00:38:12.160 by many more. Pen testers all over were beginning to use it as one of their primary tools to test 00:38:12.160 --> 00:38:17.760 the security of a network. It was shaping up to be a vital and amazing tool as a pen tester, 00:38:17.760 --> 00:38:21.920 because it made their job so much easier than before. As the need for pen testers rose, 00:38:21.920 --> 00:38:26.840 the need for better pen tester tools rose, too. Of course, the whole time, Metasploit was free and 00:38:26.840 --> 00:38:30.880 open-source, so the community could just look at the source code and verify there wasn’t anything 00:38:30.880 --> 00:38:35.960 malicious getting installed on someone’s computer once you hack into it. The security community was 00:38:35.960 --> 00:38:41.840 slowly adopting it and liking it more and more every day. Well, as time went on, Microsoft really 00:38:41.840 --> 00:38:47.120 did step up their game on handling bugs found by researchers. They were patching things much 00:38:47.120 --> 00:38:53.160 quicker and were learning that they cannot control the bugs that outside researchers discover. 00:38:53.160 --> 00:38:58.520 That’s kind of a hard thing even for companies to understand today. If someone finds a bug in your 00:38:58.520 --> 00:39:04.040 product, you can’t control what that person does with that bug. You can try to offer a bug bounty 00:39:04.040 --> 00:39:09.760 reward to them, but that doesn’t mean researchers will take it. They might sell it to someone else 00:39:09.760 --> 00:39:15.640 or publish it publicly for everyone to see. Software vendors cannot control what people do 00:39:15.640 --> 00:39:21.400 with the bugs they find, and people like HD, who was just publishing vulnerabilities all the time, 00:39:21.400 --> 00:39:26.880 were making that point crystal clear. [MUSIC] Microsoft has an internal conference that’s 00:39:26.880 --> 00:39:30.720 just for Microsoft employees. It’s called BlueHat, and at some point, 00:39:30.720 --> 00:39:36.920 they started inviting security researchers from outside Microsoft to come talk at it. HD knew one 00:39:36.920 --> 00:39:42.160 of the researchers who was giving a talk, and was invited to come co-present at BlueHat. So, 00:39:42.160 --> 00:39:47.760 HD got to go to this exclusive Microsoft conference and present to their developers. 00:39:47.760 --> 00:39:54.960 I just imagine your talk is just like, here are the 400 things wrong with Microsoft. 00:39:54.960 --> 00:40:00.960 HD: Yeah, it was a lot of that. It was like, one good example is back in – what was it? 2005 or so, 00:40:00.960 --> 00:40:05.160 I was on the flight over to BlueHat and I was playing with a toolkit that I was 00:40:05.160 --> 00:40:10.360 calling KarMetasploit at the time or Karma meets Metasploit. Karma was a way to convince wireless 00:40:10.360 --> 00:40:13.920 clients to join your fake access point and then immediately start talking to you and 00:40:13.920 --> 00:40:17.120 try to authenticate to you like you’re a file sharer or printer. So, essentially, 00:40:17.120 --> 00:40:21.200 if you had your Wi-Fi card enabled, let’s say on an airplane, and someone was writing this tool 00:40:21.200 --> 00:40:24.960 on a different laptop in the same airplane, they would then join your fake access point, 00:40:24.960 --> 00:40:30.000 try to access company resources automatically, give you their password both times, and then 00:40:30.000 --> 00:40:33.360 provide a lot of exploitable scenarios where you can actually take over their machine. So, we 00:40:33.360 --> 00:40:38.120 thought it’d be fun to run this tool on the actual airplane as we were flying to BlueHat, and lo and 00:40:38.120 --> 00:40:41.560 behold, we end up collecting a bunch of password hashes from Microsoft employees in the process. 00:40:41.560 --> 00:40:43.160 JACK: You little stinker. 00:40:43.160 --> 00:40:45.240 HD: It was fun times. 00:40:45.240 --> 00:40:48.400 JACK: Where are you on this whole responsible disclosure thing? Do 00:40:48.400 --> 00:40:56.400 you want to get this stuff fixed ASAP or are you more – where do you – what 00:40:56.400 --> 00:40:59.220 do you think you should do with a vulnerability if you find it? 00:40:59.220 --> 00:41:03.280 HD: After going down that path a few hundred times, the fastest way to get a vulnerability 00:41:03.280 --> 00:41:08.520 fixed is to publish it on the internet that day. Whether it’s responsible or not, it’s effective. 00:41:08.520 --> 00:41:14.760 JACK: Well, he has a point. It’s true; if you find a bug and want it fixed as fast as possible, 00:41:14.760 --> 00:41:20.320 make it known to the world in the biggest and loudest way, and it will get fixed fast. But 00:41:20.320 --> 00:41:26.320 even though that’s the fastest path to getting a bug fixed, it’s not the responsible way to do it, 00:41:26.320 --> 00:41:30.800 because doing that exposes a lot of people who can’t do anything to stop that attack. 00:41:30.800 --> 00:41:34.960 It means criminals can use it before it’s fixed, and this puts a lot of people at risk, 00:41:34.960 --> 00:41:39.400 which means you’re probably doing more damage than helping. It’s better to privately tell the 00:41:39.400 --> 00:41:45.840 software maker and give them time to fix it. But then when they aren’t fixing it and you’ve given 00:41:45.840 --> 00:41:51.960 them plenty of time, then they might need a little fire under them to get them moving on 00:41:51.960 --> 00:41:57.500 it. Sometimes to get a company motivated, you’ve got to give them a little bad PR. 00:41:57.500 --> 00:42:01.560 HD: Definitely depends on the vulnerability. These days, I’ve been leaning towards kind of a 00:42:01.560 --> 00:42:05.480 98 disclosure policy, where you tell the vendor about it for forty-five days, then you tell 00:42:05.480 --> 00:42:09.400 somebody else about it is a dead man’s switch. If the vendor sits on it and it leaks, the other 00:42:09.400 --> 00:42:13.640 person’s gonna publish it no matter what. I’ve been using that strategy by working with US-CERT 00:42:13.640 --> 00:42:18.000 for the last few years, where whenever you publish a vulnerability to a vendor, they get forty-five 00:42:18.000 --> 00:42:23.200 days of only them having access to it, and then forty-five days later, it goes to US-CERT, or 00:42:23.200 --> 00:42:27.560 sorry, CERT CC, and they can – they’re basically guaranteed to publish it after forty-five days. 00:42:27.560 --> 00:42:31.000 So, the great thing about that model is you’re kinda splitting the responsibility; 00:42:31.000 --> 00:42:35.640 you’re in – you’re making sure that the vendor takes it seriously and gets the patch out in time, 00:42:35.640 --> 00:42:40.800 but you’re also not having to publish it directly on the internet. So, having a third party like 00:42:40.800 --> 00:42:45.400 that really reduces the ability of the vendor to pressure any individual researcher from not 00:42:45.400 --> 00:42:48.360 disclosing, because it’s already in the hands of another party at that point. 00:42:48.360 --> 00:42:53.040 JACK: There are a few groups that have adopted this same model. Trend Micro has the Zero Day 00:42:53.040 --> 00:42:58.160 Initiative, and Google has Project Zero. Both of these groups look for vulnerabilities and report 00:42:58.160 --> 00:43:02.440 them to the vendor, and then give the vendor ninety days to fix it. Then they’re gonna publish 00:43:02.440 --> 00:43:07.440 it publicly. So, the vendor knows if they get a bug report from any of these groups, they have 00:43:07.440 --> 00:43:13.280 to act quick and get it fixed before it becomes public, because that would be a PR nightmare. It’s 00:43:13.280 --> 00:43:21.120 wild to see major tech firms like Google playing this sort of hardball game with software makers. 00:43:21.120 --> 00:43:39.313 But this has been working pretty well. Because now we see things like Trend Micro publishing some 00:43:39.313 --> 00:43:42.600 zero days on big companies like HP. Because HP wasn’t fixing their vulnerabilities fast enough. 00:43:42.600 --> 00:43:45.720 HD: Yeah, it’s great. I think it’s effective; sometimes you have to. 00:43:45.720 --> 00:43:48.640 The folks that you chatted with at HP about, they’re like yep, that’s the only way that 00:43:48.640 --> 00:43:53.266 team’s gonna get the resource needed to fix the product, is if we publish it a zero-day. 00:43:53.266 --> 00:43:56.660 JACK: [MUSIC] At some point, Metasploit got a new feature called Meterpreter. 00:43:56.660 --> 00:44:01.840 HD: Meterpreter was the brainchild of Matthew Miller, Skape, and a lot 00:44:01.840 --> 00:44:04.300 of other folks worked on it, but he was really the architect behind it. 00:44:04.300 --> 00:44:09.480 JACK: Meterpreter is a payload. Remember, the payload is the action you want to happen after 00:44:09.480 --> 00:44:15.120 your exploit opens the door for you. But the Meterpreter payload is kind of like the ultimate 00:44:15.120 --> 00:44:20.840 payload. It lets you do so much on the target system that you just hacked into; you can look 00:44:20.840 --> 00:44:26.080 at what processes are running, you can upload a file to that system or download a file. It helps 00:44:26.080 --> 00:44:30.320 you elevate your privileges or grab the hash file where the passwords are stored. I mean, 00:44:30.320 --> 00:44:34.160 think about that for a second. Let’s say you use Metasploit to get into a computer, 00:44:34.160 --> 00:44:39.840 and with one command, hashdump, it knows exactly where the password file is on that computer and 00:44:39.840 --> 00:44:44.560 it just goes and grabs it and downloads it to your computer so you can just start cracking passwords 00:44:44.560 --> 00:44:49.720 locally if you want. You don’t need to know where the password files are stored on that computer; 00:44:49.720 --> 00:44:54.040 Meterpreter knows that for you. You just need to know the one command, hashdump, 00:44:54.040 --> 00:44:58.600 and you got them. But Meterpreter does so much more than this; it lets you turn the mic on and 00:44:58.600 --> 00:45:02.200 listen to anything the mic is picking up. It lets you turn the webcam on and see what that 00:45:02.200 --> 00:45:06.800 computer can see. It lets you take screenshots of what the user is doing right now. It lets you 00:45:06.800 --> 00:45:13.080 install a keylogger if you want to see what keys the user is pushing. Meterpreter is incredible, 00:45:13.080 --> 00:45:20.400 but with a payload like this, it makes Metasploit so much more dangerous. I mean, 00:45:20.400 --> 00:45:27.420 all these features can be easily abused by the wrong person and can cause lots of damage. 00:45:27.420 --> 00:45:33.400 HD: On the vendor side, it was scary for them because instead of exploits being these really 00:45:33.400 --> 00:45:38.760 simple payloads that they would drop, they could easily detect. Now exploits could drop anything. 00:45:38.760 --> 00:45:44.960 They could drop TLS-encrypted connect packs. They could drop basically mini-malwares instead that 00:45:44.960 --> 00:45:49.480 are able to automatically dump password hashes and communicate back over any protocol you want. So, 00:45:49.480 --> 00:45:54.600 we made the payload side of the exploitation process incredibly more complicated and way more 00:45:54.600 --> 00:46:01.120 powerful. This is kinda one of those points where some of the features of Metasploit, 00:46:01.120 --> 00:46:04.860 especially around Meterpreter, started getting really close to the malware world. 00:46:04.860 --> 00:46:11.200 JACK: Right, and I think that’s where I want to head, but you’re not just doing a proof of concept 00:46:11.200 --> 00:46:19.960 of okay, look, I can get into your machine and I – here’s who am I or something and what process ID 00:46:19.960 --> 00:46:26.760 I’m running as. You’re building this – Meterpreter gives you full access to that computer, which 00:46:26.760 --> 00:46:35.360 allows you to screenshot, do keyboard sniffing, whatever, all these things that are a lot more 00:46:35.360 --> 00:46:43.600 thumb-in-your-eye kinda thing, and I don’t know if that’s taking it too far. That’s what I’m – 00:46:43.600 --> 00:46:50.040 it’s not just a proof of concept; it’s – we can completely destroy this machine if we wanted, 00:46:50.040 --> 00:46:56.160 which I guess you have to kind of prove that in order to show the voracity of this vulnerability, 00:46:56.160 --> 00:46:59.720 but it just – it’s almost going too far for me. What do you think? 00:46:59.720 --> 00:47:03.320 HD: Well, one of my favorite things with Meterpreter is we had a way to load the VNC 00:47:03.320 --> 00:47:09.720 desktop-sharing service in memory as part of the payload itself. We had it wired up in Metasploit, 00:47:09.720 --> 00:47:13.680 so you literally run the Metasploit exploit and you’d be – immediately get a desktop 00:47:13.680 --> 00:47:16.720 on your screen, be able to move the mouse cursor, be able to type on their keyboard. 00:47:16.720 --> 00:47:21.280 It was immediate remote, gooey access to a machine over the exploit channel itself, 00:47:21.280 --> 00:47:24.920 which is just mind-blowing at the time for payloads, ‘cause it didn’t depend on RDP or 00:47:24.920 --> 00:47:27.400 anything like that. It didn’t depend on the firewall being open ‘cause they do 00:47:27.400 --> 00:47:32.120 a connect back to you and then proxies it. It was just amazing delivery. That specific 00:47:32.120 --> 00:47:37.480 payload blew so many minds that it was really easy for us to show the impact of an exploit. 00:47:37.480 --> 00:47:41.440 If you’re trying to show an executive after doing a pen test, hey, we got into your server; 00:47:41.440 --> 00:47:45.480 here’s a command prompt of us doing a directory listing, that’s one thing. But if you’re showing 00:47:45.480 --> 00:47:49.200 that you literally take over their server and you’re moving the mouse on their desktop within 00:47:49.200 --> 00:47:52.720 two seconds of connecting to the network, that is an entirely different level of impact that 00:47:52.720 --> 00:47:57.200 you can show. It also let us build a lot of other really complex, really interesting use 00:47:57.200 --> 00:48:01.320 cases where it really shows what the impact of the exploit is. It isn’t just like oh, 00:48:01.320 --> 00:48:04.160 you’ve got a bug and you didn’t patch it and now I’ve got a command shell. It’s like no, 00:48:04.160 --> 00:48:07.360 no; I have all this access to your system, whatever it happens to be. 00:48:07.360 --> 00:48:11.800 JACK: Yeah, I guess that’s kinda what drew me to Metasploit as well, is like, oh my gosh, 00:48:11.800 --> 00:48:17.360 it’s not just a exploit, it’s what you do with the exploit after you get in. But as you were saying, 00:48:17.360 --> 00:48:24.270 the Meterpreter started getting close to being its own malware. Explain what you mean by that. 00:48:24.270 --> 00:48:28.480 HD: Well, a lot of the malware payloads even today are written in C and they’ve got all these 00:48:28.480 --> 00:48:34.080 advanced communication channels and C2 contact mechanisms and all this boiler plate stuff that 00:48:34.080 --> 00:48:39.320 they do, like providing the ability to chainload payloads, download more stuff, talk to back ends, 00:48:39.320 --> 00:48:42.880 bounce between different back ends. We got Meterpreter to the point that it actually 00:48:42.880 --> 00:48:46.880 had the same capabilities as some of the more advanced malware that are out there, 00:48:46.880 --> 00:48:49.520 and that’s when it started getting a little swiffy for me, ‘cause it’s like, 00:48:49.520 --> 00:48:53.040 we don’t want to be in the malware business. We’re here to show the impact of exploits and 00:48:53.040 --> 00:48:58.080 let people test their systems and to generally demonstrate the security impact of a failed 00:48:58.080 --> 00:49:02.040 security control or a missing patch. But we’re not here to persistently infect machines, 00:49:02.040 --> 00:49:05.200 and Meterpreter got very, very close to that line. The thing that really separated 00:49:05.200 --> 00:49:11.062 it from actual malware is the fact it was always memory-based only. It was never on disk at all. 00:49:11.062 --> 00:49:16.480 JACK: [MUSIC] Hm, this is a strange territory to be in. Metasploit is a tool that’s sole 00:49:16.480 --> 00:49:20.840 job is to hack into computers. Whether you have permission to do that or not, 00:49:20.840 --> 00:49:26.680 that’s the purpose of it. But it seems to be the intent of the person using it that tells 00:49:26.680 --> 00:49:34.640 us whether Metasploit is malware or a useful tool. So, the Metasploit team had to be very 00:49:34.640 --> 00:49:42.480 careful on how far they took this tool. Now, this is a multi-open-source, multi-developer 00:49:42.480 --> 00:49:47.280 project. Did you have some sort of manifesto that said – or a meeting that said okay guys, 00:49:47.280 --> 00:49:53.960 here’s – we’re gonna push this all the way it goes, except no persistence. Was there a 00:49:53.960 --> 00:49:58.560 manifesto of like…? Like you just said, you don’t want to leave your customers weaker. 00:49:58.560 --> 00:50:03.800 This is a secure – this is a professional tool; it’s something written out there. 00:50:03.800 --> 00:50:08.200 HD: It was never a written manifesto, but it wasn’t a ethical boundary; 00:50:08.200 --> 00:50:12.280 it was just a practical boundary. You’re not gonna use Metasploit for a pen test if it leaves garbage 00:50:12.280 --> 00:50:16.160 all over your machine afterwards or backdoors it in a way that’s difficult to fix. Some exploits 00:50:16.160 --> 00:50:20.880 require temporarily creating a backdoor user account or otherwise creating something that 00:50:20.880 --> 00:50:24.880 would otherwise create more exposure, and we’re always really careful to document what the 00:50:24.880 --> 00:50:29.520 after-exploit scenario looks like. Okay, after you run this thing, you need to do this other thing, 00:50:29.520 --> 00:50:34.360 so we created these post-cleanup modules that would remove the trace of whatever the thing was. 00:50:34.360 --> 00:50:39.040 But that was something that I also agonized over, ‘cause I really hated having to create any kind of 00:50:39.040 --> 00:50:43.240 – like, have to lower the security of the system as part of the exploitation process. Also, that 00:50:43.240 --> 00:50:46.780 was counterintuitive; that was kinda going against what we’re trying to do in the first place. 00:50:46.780 --> 00:50:52.400 JACK: Yeah, I know. I mean, I’m not explaining it well, but it just seems like you’re putting 00:50:52.400 --> 00:50:57.920 your thumb right in the customer’s eye and you’re like well, we don’t want to hurt you. 00:50:57.920 --> 00:51:00.880 HD: Well, that’s the thing; you’re trying to be a professional adversary. So, 00:51:00.880 --> 00:51:06.560 you have to have the most possible brutal, malicious approach to the problem in the sense 00:51:06.560 --> 00:51:10.240 that you’re gonna use the same technique someone else would. But then you need to draw the line 00:51:10.240 --> 00:51:15.266 about where you leave the customer afterwards and what the actual impact of the attack is. 00:51:15.266 --> 00:51:19.080 JACK: [MUSIC] Okay, so we heard HD has many adversaries, right? Cyber criminals don’t 00:51:19.080 --> 00:51:23.080 like him publishing their weapons and making them ineffective, old school hackers don’t 00:51:23.080 --> 00:51:27.200 like that he’s making hacking so easy that a script kitty can do some amazing stuff, 00:51:27.200 --> 00:51:31.000 and vendors don’t like that he’s publishing their bugs. He’s getting hit on all sides by 00:51:31.000 --> 00:51:36.840 these people. But there’s one more group that’s also not happy about Metasploit; 00:51:36.840 --> 00:51:40.920 law enforcement. There were crimes committed with Metasploit. 00:51:40.920 --> 00:51:45.160 HD: That’s my first experience writing Windows shell code. The first Windows shell code ever 00:51:45.160 --> 00:51:48.560 published by Metasploit ended up in the Blaster worm almost immediately afterwards. 00:51:48.560 --> 00:51:53.360 JACK: See what I mean? There was a massive worm that was using information that he published to 00:51:53.360 --> 00:51:59.000 do dirty work out there. I just read an article today that said in 2020, there were over 1,000 00:51:59.000 --> 00:52:05.080 malware campaigns that used Metasploit. So, what happens in this situation when you’re making tools 00:52:05.080 --> 00:52:10.520 that criminals are using? Well, let’s go back and look at a few other cases. I did an episode on 00:52:10.520 --> 00:52:15.440 the Mariposa botnet. The people who launched this botnet all got arrested, but they weren’t the ones 00:52:15.440 --> 00:52:21.520 who developed the botnet. The Butterfly botnet was created by a guy named Iserdo, but this Iserdo 00:52:21.520 --> 00:52:26.160 guy, all he did was develop the tool and put it out there. He never used it to attack anyone, 00:52:26.160 --> 00:52:32.720 but he was arrested and sentenced to jail just for developing the tool. What the court proved was 00:52:32.720 --> 00:52:38.960 that he was knowingly giving it to criminals to commit crimes. Or let’s look at Marcus Hutchins; 00:52:38.960 --> 00:52:43.800 he developed malware which became known as Kronos, but he only developed it. He never launched it on 00:52:43.800 --> 00:52:49.120 anyone. But it was because he was giving it to someone who did use it to go and attack banks 00:52:49.120 --> 00:52:54.720 is why Marcus was arrested by the FBI. In both of these cases, what it came down to was whether 00:52:54.720 --> 00:53:01.320 or not the software maker was knowingly giving these hacking tools to someone who had intent on 00:53:01.320 --> 00:53:07.120 breaking the law with it. But HD claims he has no responsibility with what people do with his tool. 00:53:07.120 --> 00:53:09.680 HD: I don’t know, if you bake a bunch of cookies and put them on the sheet – in 00:53:09.680 --> 00:53:12.880 the street and say free cookies, are we responsible if a criminal eats a cookie? 00:53:12.880 --> 00:53:16.320 I don’t know. I feel like it’s different. It’s open-source, it’s community-based, 00:53:16.320 --> 00:53:21.040 it’s open domain. Everyone’s on the same playing field. I feel like it’s one of those things where 00:53:21.040 --> 00:53:25.320 if you’re only providing those exploits, those weapons, to someone in the criminal 00:53:25.320 --> 00:53:29.720 community and charging for them, that’s one thing. But if you’re creating a project for 00:53:29.720 --> 00:53:33.560 the purpose of helping everyone else understand how things work and to test their own systems, 00:53:33.560 --> 00:53:38.020 and a bad actor happens to pick it up and use it too, that seems like a – something very different. 00:53:38.020 --> 00:53:43.360 JACK: But I get worried for HD because he takes Metasploit to hacker conferences 00:53:43.360 --> 00:53:48.000 and hacker meetups to demo it and teach it to other people there. 00:53:48.000 --> 00:53:51.480 Everyone knows there are criminals who attend these things. I mean, 00:53:51.480 --> 00:53:54.840 just sharing it with the hacker chat rooms that he was part of, like Phrack; 00:53:54.840 --> 00:53:59.680 how could he have gone all this time without once seeing that the person that he just taught this 00:53:59.680 --> 00:54:05.660 to or gave it to was a known criminal? Did you have any lawyers helping you on this project? 00:54:05.660 --> 00:54:07.880 HD: No. Once in a while I’d have to reach out for help, 00:54:07.880 --> 00:54:11.840 but it usually wasn’t from a lawyer that would – I had hired myself. Usually it was just people 00:54:11.840 --> 00:54:14.200 I knew that happened to be lawyers who would give me advice on stuff. 00:54:14.200 --> 00:54:16.480 JACK: But that’s why I’m asking about a lawyer, 00:54:16.480 --> 00:54:22.720 is whether or not you had some sort of fine line on what the point of Metasploit was and 00:54:22.720 --> 00:54:26.480 maybe some of the language involved with the terms of use. Like, maybe there was 00:54:26.480 --> 00:54:32.120 something there that said you cannot use this for criminal behavior, or something. Where was 00:54:32.120 --> 00:54:35.640 this to keep you out of trouble? What did you to do to stay out of trouble in this sense? 00:54:35.640 --> 00:54:41.600 HD: I think early on, the solution was my spouse had a get-out-jail-fund, had a lawyer fund sitting 00:54:41.600 --> 00:54:45.680 aside, so if I got dragged out in the middle of the night, she had cash that was not tied to my 00:54:45.680 --> 00:54:50.880 personal accounts or our shared accounts to find a lawyer and give me bail money, basically. So, that 00:54:50.880 --> 00:54:55.280 was the case for about six, seven years, where I was pretty concerned about getting arrested for 00:54:55.280 --> 00:54:58.280 almost anything I was working on at the time, ‘cause it was all pretty close to the line, 00:54:58.280 --> 00:55:03.240 whether it’s internet scanning, whether it was the Metasploit stuff. It really comes down to 00:55:03.240 --> 00:55:07.160 whether you think a prosecutor’s gonna make a case, whether you think – they think they 00:55:07.160 --> 00:55:12.280 can make a case. Prosecutors don’t want to lose a case, so they’re not gonna bring a charge against 00:55:12.280 --> 00:55:16.880 you unless they’re very certain that they’re gonna win. That’s why the conviction rates are so high. 00:55:16.880 --> 00:55:20.920 So, it’s one of those things where intent matters, but what really matters is whether the prosecutor 00:55:20.920 --> 00:55:24.560 really wants to go after you or not, and if you convince them that hey, I’m not actually 00:55:24.560 --> 00:55:28.920 a bad actor and I’m not doing this stuff, I’m not driving this economic activity that’s related to 00:55:28.920 --> 00:55:34.867 criminals, then that’s helpful. But that’s one of the things I really don’t like about US law, 00:55:34.867 --> 00:55:39.480 is the CFA doesn’t care about intent, for example. There’s nothing about our Computer Fraud and Abuse 00:55:39.480 --> 00:55:45.320 Act that cares whether you were doing it for good or not. A lot of our laws are problematic like 00:55:45.320 --> 00:55:50.040 that. It isn’t just the standard section that’s quoted; it’s also Section 1120. There’s a couple 00:55:50.040 --> 00:55:54.360 other parts of the US criminal code that are just really dangerous when they’re taken out of context 00:55:54.360 --> 00:55:59.880 or used to make a case for something that really shouldn’t have been prosecuted in the first place. 00:55:59.880 --> 00:56:05.320 So unfortunately, a lot of the US prosecutions really just come down to whether someone wants 00:56:05.320 --> 00:56:12.760 to go after you or not, and all you can do is do your best to stay above the law when you can, 00:56:12.760 --> 00:56:17.500 and when the law is really vague, do your best to not be a tempting target. 00:56:17.500 --> 00:56:23.400 JACK: Yeah, but I am surprised that when I load up some software, 00:56:23.400 --> 00:56:31.480 even look at some how-to’s and videos on how to hack, there is a disclaimer at the beginning; 00:56:31.480 --> 00:56:35.400 do not use this for illegitimate purposes. Do not break the law with 00:56:35.400 --> 00:56:41.320 this information. When I load Metasploit, it doesn’t say for pen testing only, 00:56:41.320 --> 00:56:46.340 only use on systems you have permission to, and I’m wondering why would you keep that off there? 00:56:46.340 --> 00:56:50.680 HD: I don’t think it ever occurred to us to add a warning, honestly. We figured if you’re 00:56:50.680 --> 00:56:53.400 downloading Metasploit, you know what you’re getting into. You’re know you’re downloading 00:56:53.400 --> 00:56:59.560 a security tool to do security testing. We’re not there to tell you you shouldn’t 00:56:59.560 --> 00:57:05.400 jaywalk or you shouldn’t firebomb your neighbor’s house. We assume people have 00:57:05.400 --> 00:57:08.280 reasonable reasons why they’re using the software in the first place, and we don’t 00:57:08.280 --> 00:57:11.580 feel like we’re enticing you to commit a crime because we’re providing them a tool. 00:57:11.580 --> 00:57:18.440 JACK: Got it. However, in the real world, you might be pressured because law enforcement 00:57:18.440 --> 00:57:22.280 says look, man, we keep finding criminals that are using your tool. You need to do 00:57:22.280 --> 00:57:26.200 something more. You need to put a terms of use up. A lawyer might have – like, 00:57:26.200 --> 00:57:29.320 you might have had to get a lawyer to say hey, what do we need to do so that 00:57:29.320 --> 00:57:35.120 we don’t get in trouble? I’m surprised none of that just hit you in the face. The law – so, 00:57:35.120 --> 00:57:39.600 black hats are mad at you, vendors are mad at you, but the law wasn’t mad at you? I’m surprised. 00:57:39.600 --> 00:57:44.400 HD: I mean, stuff came up for sure, but mostly I was able to talk my way out of it one way or 00:57:44.400 --> 00:57:49.920 another. I think a lot of it is – just the way to win in that space and to not go to jail was to be 00:57:49.920 --> 00:57:55.720 as loud and as blatant and as above-board as you possibly can. So, doing a Metasploit talk at every 00:57:55.720 --> 00:58:00.880 conference, having tens of thousands of Metasploit users early on, having 200 different developers 00:58:00.880 --> 00:58:05.280 involved with the project; the bigger, the wider, the more noisy you can make the project, the less 00:58:05.280 --> 00:58:09.200 likely someone was gonna say this is a tool for just criminals and we’re gonna go after it. 00:58:09.200 --> 00:58:20.480 JACK: You just have such a surprising – an adventurous life. [MUSIC] There’s a big difference 00:58:20.480 --> 00:58:26.600 between your typical pen tester and HD Moore. The typical pen tester today learns how to use 00:58:26.600 --> 00:58:33.240 Metasploit, which is the tool that HD created. HD is the one learning how the exploits work, 00:58:33.240 --> 00:58:38.120 writing the shell code to make them work, and actively trying to find new exploits all 00:58:38.120 --> 00:58:44.640 the time. On top of that, he’s fielding a nonstop barrage of attacks himself from creating the tool, 00:58:44.640 --> 00:58:50.520 so he’s well-versed at defending and attacking systems. The experience he has in this space 00:58:50.520 --> 00:58:56.600 is almost unparalleled, but it was because of how much passion he has about security that got 00:58:56.600 --> 00:59:01.640 him to this point. I just want to say to any up-and-coming pen testers out there, getting 00:59:01.640 --> 00:59:07.280 your hands on working exploits and contributing to open-source projects is a fantastic way to 00:59:07.280 --> 00:59:13.160 become fluent in this field. There are a ton of open-source hacker tools out there on GitHub, 00:59:13.160 --> 00:59:17.520 and it’s a great experience to download the source code and see how they work, and try to 00:59:17.520 --> 00:59:21.960 improve upon them. Even if you’re just a beginner, there’s probably something you can do to help, 00:59:21.960 --> 00:59:26.920 whether it’s writing better documentation or improving the Help menu. Being part of a project 00:59:26.920 --> 00:59:33.880 like that can launch your career. HD even helped many of his contributors get jobs. Learning to 00:59:33.880 --> 00:59:40.380 find and develop exploits would really pay off for HD, but it was a tough ride for him to hold on to. 00:59:40.380 --> 00:59:44.560 HD: Yeah, I think it took about three or four years before we really turned the point from 00:59:44.560 --> 00:59:49.520 ‘that’s stupid’ and ‘that’s crappy’ to ‘that’s a script kitty tool’ to ‘that was a piece of crap 00:59:49.520 --> 00:59:54.640 and I don’t like it’ to ‘okay, fine, I’ll use it to – hey, now everyone’s using it’. 00:59:54.640 --> 01:00:00.200 JACK: Metasploit grew up to be one of the de facto tools used by security professionals 01:00:00.200 --> 01:00:05.200 all over. Eventually, schools started teaching students how to use it. I mean, 01:00:05.200 --> 01:00:09.840 can you imagine a hacking tool becoming part of the course curriculum in school? But even more 01:00:09.840 --> 01:00:15.040 than that, it became necessary to know how to use Metasploit to pass certain exams and get certified 01:00:15.040 --> 01:00:22.200 in security. Despite the hard start and hate it received, Metasploit grew to become an invaluable 01:00:22.200 --> 01:00:28.480 tool for the pen test community to use, and it became mass-adopted by security teams everywhere. 01:00:28.480 --> 01:00:35.080 HD: By 2008, both Skape and Spoonm had moved on to other things. Skape’s company got acquired by 01:00:35.080 --> 01:00:39.520 Microsoft and he went and worked there, and that was the end of his contributions to Metasploit. 01:00:39.520 --> 01:00:43.280 Spoonm went to school and kinda disappeared doing his thing for a while. So, it was kinda just me 01:00:43.280 --> 01:00:48.920 running the project again by 2008, and I’ve been working with a guy named Egypt for a long time, 01:00:48.920 --> 01:00:52.320 contributing exploits to the project and chatting about stuff. I invited him to come and be one 01:00:52.320 --> 01:00:57.880 of the core members. He joined the team and we started working towards the 3.0 release, 01:00:57.880 --> 01:01:03.120 I believe, at the time. During all that stuff, as you get closer to 2009, I was working out of the 01:01:03.120 --> 01:01:07.200 startup, not particularly happy with life. I was pretty broke. The startup wasn’t paying me that 01:01:07.200 --> 01:01:13.600 much, I had a bunch of credit card debt, had a pretty hefty mortgage on the house, 01:01:13.600 --> 01:01:18.840 was doing Metasploit training at the conferences to kinda pay the bills and keep things going, 01:01:18.840 --> 01:01:23.320 but I was also working all day for a startup and all night on Metasploit, and every weekend, 01:01:23.320 --> 01:01:28.000 every night for years straight at that point. Super stressed out, had a baby on the way, 01:01:28.000 --> 01:01:33.440 and when I was basically gone for paternal leave, I got an offer to acquire Metasploit by Rapid7. 01:01:33.440 --> 01:01:39.080 JACK: [MUSIC] Whoa, an offer to acquire Metasploit by the company Rapid7? That’s 01:01:39.080 --> 01:01:43.800 amazing. At the time, Rapid7’s product was a vulnerability scanner, and the typical 01:01:43.800 --> 01:01:48.200 pen test scenario is to start by running a vulnerability scanner, then use Metasploit 01:01:48.200 --> 01:01:53.120 to try to get into the vulnerable systems you found. It’s a beautiful combination of tools, 01:01:53.120 --> 01:01:59.240 so it made sense for why Rapid7 would want to acquire the tool. But Metasploit was open-source 01:01:59.240 --> 01:02:04.880 and a not a product that made any money, so HD was a bit skeptical to give his tool 01:02:04.880 --> 01:02:10.800 to a corporation. But they asked him at the right time, because he was all stressed out, 01:02:10.800 --> 01:02:16.480 low on cash, and about to have his first kid. He sorta needed a big break. 01:02:16.480 --> 01:02:19.000 HD: So, yeah, when the offer came in to do something different, 01:02:19.000 --> 01:02:22.240 it was definitely tempting and spent quite a lot of time chatting with the Rapid7 team, 01:02:22.240 --> 01:02:25.280 getting a sense for what it’d look like, and eventually said okay, let’s give it a try. 01:02:25.280 --> 01:02:29.360 JACK: Yeah, did you give them a heads up? Like, hold on a second, 01:02:29.360 --> 01:02:35.480 if you take the responsibility for this, you’re gonna be taking some bullets. Just so you know, 01:02:35.480 --> 01:02:41.100 this is kind of the heat I’m getting here and somebody might call up to try to get you fired. 01:02:41.100 --> 01:02:45.160 HD: Yeah, put it this way; they brought me on to run the Metasploit team and to build 01:02:45.160 --> 01:02:49.520 a product line, but they also brought me on as their head of security at the same time. So, I 01:02:49.520 --> 01:02:53.680 got to take most of those bullets in the first few years. Metasploit had a pretty strong following, 01:02:53.680 --> 01:02:57.160 but only about 33,000 active users at the time or something like that based on our download 01:02:57.160 --> 01:03:03.600 logs. So, it was a really good opportunity to commercialize an open-source tool but keep it 01:03:03.600 --> 01:03:08.040 open-source, and then all the commercialization really happened by building a pro version of the 01:03:08.040 --> 01:03:12.400 tool and selling that instead. So, our team was able to – basically built a new office here in 01:03:12.400 --> 01:03:18.240 Austin, hired the team, got the first commercial product out the door in about six or seven months. 01:03:18.240 --> 01:03:22.120 I think our team was paying their own bills within twelve months by selling our pro version 01:03:22.120 --> 01:03:27.360 of the product. So, ended up working out pretty well. Even now, there’s a whole team at Rapid7 01:03:27.360 --> 01:03:32.800 working on Metasploit full time. It wasn’t just the development side; they also were an amazing 01:03:32.800 --> 01:03:37.120 corporate shield for all the drama I was dealing with, all the law enforcement inquiries, all the 01:03:37.120 --> 01:03:41.040 random threats, all the other stuff. They stood up and took it. They hired lawyers on my behalf, 01:03:41.040 --> 01:03:45.360 they hired lobbyists on my behalf. They did everything they could to make sure that Metasploit 01:03:45.360 --> 01:03:49.440 and exploit development and vulnerability research could stay a thing that you could 01:03:49.440 --> 01:03:53.600 count on, that you could rely on, and they did their best to protect the legal front. So, outside 01:03:53.600 --> 01:03:59.520 of all the commercial terms and product stuff and all that, I give them a lot of credit for helping 01:03:59.520 --> 01:04:03.980 vulnerability research and exploit disclosure and exploit sharing be what it is today. 01:04:03.980 --> 01:04:08.280 JACK: Yeah, so you said lobbyists; why would they hire lobbyists? 01:04:08.280 --> 01:04:12.080 HD: Well, a lot of them – making sure that vulnerability research and disclosure and 01:04:12.080 --> 01:04:15.640 all that stuff stays legal, is educating people. It’s like saying hey, this is like a real, 01:04:15.640 --> 01:04:18.840 legitimate reason why people need access to information. This is why you don’t want to 01:04:18.840 --> 01:04:22.080 regulate vulnerability disclosure. This is why you don’t want to create a law making 01:04:22.080 --> 01:04:26.960 exploit disclosure illegal. I mean, on the face of it, if someone says hey, we’re gonna prevent 01:04:26.960 --> 01:04:31.480 you from sharing tools that allow people to attack each other, you’re like yeah, 01:04:31.480 --> 01:04:34.560 that sounds like a good thing. You don’t want people sharing evil tools with each other, 01:04:34.560 --> 01:04:38.920 right? Make that illegal. It isn’t ‘til you dig a little bit deeper and realize that you really 01:04:38.920 --> 01:04:42.440 don’t want to criminalize that because that’s how your defenders are learning. That’s how your 01:04:42.440 --> 01:04:47.640 actual defenders are testing their own systems. If you don’t have those tools available in turn, you 01:04:47.640 --> 01:04:52.880 have no idea how effective any of your defenses are. It was just one of those things where, 01:04:52.880 --> 01:04:57.280 at a very surface level, it was hard to defend, and – but once you started educating people about 01:04:57.280 --> 01:05:03.160 what the benefits were and once you got more people to be aware of what you take away by 01:05:03.160 --> 01:05:07.880 criminalizing this type of work, then you try to build that support. So, lobbyist efforts 01:05:07.880 --> 01:05:13.600 at Rapid7 were instrumental in not only splitting Metasploit framework from the Wassenaar Agreement, 01:05:13.600 --> 01:05:19.180 at least the way the US interpreted it, but protecting vulnerability research in general. 01:05:19.180 --> 01:05:22.880 JACK: Yeah. Can you explain the Wassenaar Agreement? 01:05:22.880 --> 01:05:25.760 HD: Oh, sure thing. I don’t have – it’s been a while, so I don’t – I’m probably gonna get 01:05:25.760 --> 01:05:30.080 details wrong, but the Wassenaar Agreement was an international arms treaty by a bunch of countries 01:05:30.080 --> 01:05:35.680 saying here’s the things that we will or will not export to other countries without having approvals 01:05:35.680 --> 01:05:40.360 and things like that. Amendment – I think either an amendment to it or an interpretation of the 01:05:40.360 --> 01:05:46.200 agreement started to classify cyber security tools as weapons at one point. The goal there is to 01:05:46.200 --> 01:05:51.080 prevent the NSO-group style attacks, right, where you’re shipping a toolkit, a software 01:05:51.080 --> 01:05:54.920 toolkit or a hardware toolkit that’s designed to break into other people’s machines, and it’s 01:05:54.920 --> 01:06:00.480 really designed for the most nefarious – either surveillance use case or for actual cyber-war type 01:06:00.480 --> 01:06:07.240 use cases. However, the language caught up a lot of other unrelated tools. All the tools that are 01:06:07.240 --> 01:06:11.920 used for professional security testing would – if you squint at them, right, would also be 01:06:11.920 --> 01:06:18.520 classified as weapons by the armunitions, by the Wassenaar Agreement. The company Rapid7 spent a 01:06:18.520 --> 01:06:22.000 lot of time working with lobbyists, trying to help folks understand the difference between 01:06:22.000 --> 01:06:27.960 an open-source tool like Metasploit and something that’s more targeted, malicious, and weaponized. 01:06:27.960 --> 01:06:33.280 JACK: The thing that I don’t understand about the Rapid7 acquisition is how do 01:06:33.280 --> 01:06:39.260 you buy a free, open-source tool? Why didn’t they just fork it and rename it? 01:06:39.260 --> 01:06:42.800 HD: Well, someone tried that, actually. It didn’t go very well. Actually, 01:06:42.800 --> 01:06:48.720 a few people did. Prior to Metasploit 3 coming out, when we rewrote the whole thing in Ruby, 01:06:48.720 --> 01:06:53.520 Metasploit was written in Perl. There was a company called SAINT that released a 01:06:53.520 --> 01:06:56.880 product called SAINTexploit, which was also written in Perl. We’re like ah, 01:06:56.880 --> 01:07:01.080 that’s suspicious. At some point, someone shared a copy of SAINTexploit with us and we’re like, 01:07:01.080 --> 01:07:05.160 you know what? Half this shell code is ours and half these exploits really look 01:07:05.160 --> 01:07:10.000 really like the code that we wrote. There were a lot of similarities between the SAINTexploit 01:07:10.000 --> 01:07:13.800 product and Metasploit framework, too. So, we got a little bit mad about it. We’re like, 01:07:13.800 --> 01:07:18.520 this is kinda bullshit. We feel like, if you’re gonna use our code, that’s great, but collaborate. 01:07:18.520 --> 01:07:21.800 Don’t pretend it’s yours. Don’t say hey, I made this. Like, no, no; 01:07:21.800 --> 01:07:25.560 this is open-source. Contribute to it, share it. So, we changed it. We literally changed 01:07:25.560 --> 01:07:29.040 the commercial – the license of Metasploit to be a commercial-only license briefly, 01:07:29.040 --> 01:07:35.160 for about a year or so. Between the 2.0 Perl rewrite and the 3.0, 01:07:35.160 --> 01:07:41.240 the brand-new 3.0 code was under a non-open-source license briefly just because of how we felt about 01:07:41.240 --> 01:07:48.600 SAINT and SAINTexploit. Finally, when Egypt got – joined the project and we’re looking 01:07:48.600 --> 01:07:53.160 prior to the Rapid7 commercialization or Rapid7 acquisition, we ended up changing the license 01:07:53.160 --> 01:07:56.960 back to BSD because we felt like that was the right thing to do to really grow the 01:07:56.960 --> 01:08:01.560 project. But there definitely was a knee-jerk reaction to close the license after that. 01:08:01.560 --> 01:08:06.280 JACK: So, Metasploit continued to be open-source and free under Rapid7, 01:08:06.280 --> 01:08:12.040 with HD and a guy named Egypt coming on board and working hard on making it even better. One 01:08:12.040 --> 01:08:16.280 thing that was a neverending job was getting more exploits into the tool. 01:08:16.280 --> 01:08:20.600 HD: When I was working at Rapid7, every time a Patch Tuesday came out, our very first thing was 01:08:20.600 --> 01:08:23.960 how do we get exploits out as fast as possible for everything that was covered, and how do we figure 01:08:23.960 --> 01:08:28.880 out what they are? It’s a lot of work though; taking a binary patch and trying to figure out the 01:08:28.880 --> 01:08:32.760 bug can take a week or two just on its own, and that just gets you the bug. That doesn’t get you 01:08:32.760 --> 01:08:35.920 the exploit. Getting the exploit to work, getting it triggered, getting it reliable, figuring out 01:08:35.920 --> 01:08:40.080 how to manage the memory correctly, figuring out the payload, threading problems with payloads, 01:08:40.080 --> 01:08:44.120 I mean, there’s a ton of work that goes into it. I think one of the things that – one of the reasons 01:08:44.120 --> 01:08:49.640 why I probably don’t work on exploits as much anymore is they’ve gotten a lot more complicated. 01:08:49.640 --> 01:08:54.400 You need a much deeper set of skills to be able to work on fiddly heap exploits. You 01:08:54.400 --> 01:08:57.360 need to basically have this huge background of knowledge just to be able to get the heap in the 01:08:57.360 --> 01:09:02.880 right state to build a exploit in the first place. I’m not really that great of a programmer. I’m not 01:09:02.880 --> 01:09:05.680 really that great of an exploit developer; I just spent a lot of time on stuff. So, I felt 01:09:05.680 --> 01:09:09.240 like that was well beyond my ability to keep up at that point. So, I really love logic flaws, 01:09:09.240 --> 01:09:15.680 I really love the old school stack overflows and SCH overflows and things like that. But 01:09:15.680 --> 01:09:20.920 I feel like modern exploits, especially on ARM platforms like mobile – holy cow, 01:09:20.920 --> 01:09:23.720 there’s a lot of effort that has to go into it just to get one working exploit. 01:09:23.720 --> 01:09:29.400 JACK: Now, I’m scared that you say that because a second ago I was calling you the patron saint 01:09:29.400 --> 01:09:34.440 of exploit development and penetration testing, and now you’re like ah, it’s too complicated for 01:09:34.440 --> 01:09:40.520 me at this point. Good luck whoever’s doing it now. Who can do it now if it’s beyond your skill? 01:09:40.520 --> 01:09:45.080 HD: It’s gotta be super-specialized. If you look at some of the Project Zero posts, I don’t 01:09:45.080 --> 01:09:49.560 want – particular names in fear of getting them wrong, but there’s some amazing folks out there, 01:09:49.560 --> 01:09:54.080 and where you see really good exploits being written is when someone has spent months and 01:09:54.080 --> 01:09:58.360 maybe years looking into the software stack around that before the exploit’s worked on. 01:09:58.360 --> 01:10:03.160 When you’re looking into how IOS parses messages or how the heap of this particular OS or the Linux 01:10:03.160 --> 01:10:06.920 kernel is being groomed in a particular way, you need to build up this super-deep, 01:10:06.920 --> 01:10:10.600 super-specialized knowledge to be able to even start working exploits in that particular 01:10:10.600 --> 01:10:14.800 space. It’s not like before where once you know how to exploit one platform, one OS, 01:10:14.800 --> 01:10:19.000 the rest is all pretty straightforward. It used to be like, okay, I know how to exploit Spark; 01:10:19.000 --> 01:10:23.120 I can exploit most other NIPS with a little bit of work here and there. Now every OS is so different, 01:10:23.120 --> 01:10:26.500 so deep, and so complicated these days that you really have to specialize. 01:10:26.500 --> 01:10:35.160 JACK: Yeah, but I feel like you really enjoy playing in the dark, and I mean, 01:10:35.160 --> 01:10:40.960 you want to be outside the known world of knowledge, okay? So, there’s a circle 01:10:40.960 --> 01:10:45.680 that this is the stuff we know in the world; I’m going outside that circle and I’m gonna 01:10:45.680 --> 01:10:52.480 discover things that the world does not know and bring it into the world of known. That is a very 01:10:52.480 --> 01:10:56.680 difficult place to be in. That’s a scary place. You don’t know where to go, which direction to go, 01:10:56.680 --> 01:11:00.640 where to point your finger. You’re hitting your face on the wall over and over and over, and 01:11:00.640 --> 01:11:05.080 that’s the difficulty of finding vulnerabilities and zero-days and this kind of thing. Even if 01:11:05.080 --> 01:11:09.440 you know that there’s a vulnerability right there, it still can be hard to find that. 01:11:09.440 --> 01:11:13.600 HD: That’s probably – especially with patch reversing; you’re so frustrated because you 01:11:13.600 --> 01:11:17.320 know it’s there. You know it’s patched. You know it’s in front of you. You know it’s probably one 01:11:17.320 --> 01:11:21.120 line away from where you’re looking, and you can’t see it. So, these days I spend my time 01:11:21.120 --> 01:11:24.160 on network protocols and fingerprinting techniques and that type of research, 01:11:24.160 --> 01:11:28.000 where you’re going really deep on the protocol stack looking for behavioral differences and how 01:11:28.000 --> 01:11:32.080 a network respond – how a device responds in the network. It’s a similar challenge; 01:11:32.080 --> 01:11:35.640 you have to go find these really fiddly, really hard-to-find things and then extrapolate all this 01:11:35.640 --> 01:11:39.040 value from it, saying okay, now that I know that it responds this way and this responds that way, 01:11:39.040 --> 01:11:43.040 it must be an IOS device or these people are a kernel version or this particular 01:11:43.040 --> 01:11:47.440 update applied to it. So, I love doing that type of work, but it is working in the dark, 01:11:47.440 --> 01:11:51.380 like you mentioned. But it’s nowhere near as complicated as doing modern heap exploits. 01:11:51.380 --> 01:11:57.040 JACK: I find this particular skill to be one of the most important skills when dealing with 01:11:57.040 --> 01:12:03.520 technology, which is being comfortable doing things in the dark, in areas that you have 01:12:03.520 --> 01:12:10.480 no knowledge of or visibility into, because when working in IT, you are constantly faced with new 01:12:10.480 --> 01:12:16.120 challenges or problems that you have no idea how to solve. The problem might even be so weird that 01:12:16.120 --> 01:12:21.320 you don’t even know what to Google, and so being able to venture out into unknown territories, even 01:12:21.320 --> 01:12:28.000 if it’s just unknown to you, you’ve got to learn to be comfortable in these dark areas. It’s scary 01:12:28.000 --> 01:12:34.360 and frustrating to try things that you know you’re going to fail at and even look stupid doing, 01:12:34.360 --> 01:12:41.120 but the more comfortable you get in that space of working with the world of unknowns, the better 01:12:41.120 --> 01:12:47.360 you’ll be next time you face the darkness, which is like, all the time. Are you still at Rapid7? 01:12:47.360 --> 01:12:53.440 HD: Oh, no, no. I started my own company about three and a half years ago doing 01:12:53.440 --> 01:12:57.800 network discovery stuff. So, Rumble; we help companies find every single 01:12:57.800 --> 01:13:01.160 thing possibly connected to their network environment or their Cloud. 01:13:01.160 --> 01:13:04.740 JACK: Yeah, explain more. Get a good pitch for it. 01:13:04.740 --> 01:13:09.400 HD: Sure thing. So, I spent twenty-seven years now doing pen testing and security work and building 01:13:09.400 --> 01:13:12.320 products, and the very first thing you do, whether it’s a pen test and you’re trying to break into 01:13:12.320 --> 01:13:15.360 someone’s network or you’re building a product that does something on the network like a vuln 01:13:15.360 --> 01:13:18.640 scanner or a pen test tool, is you gotta figure what’s out there. You gotta scan the network. You 01:13:18.640 --> 01:13:24.240 gotta find targets, assets, IP addresses, things. So, we came up with a really cool scan engine that 01:13:24.240 --> 01:13:29.120 can tell you amazing stuff about everything on the network really quickly. At this point, 01:13:29.120 --> 01:13:32.080 the product Rumble Network Discovery can now find all your networks. So, 01:13:32.080 --> 01:13:34.760 starting with zero knowledge about your environment, they’ll do a sampling sweep 01:13:34.760 --> 01:13:39.480 across every possible routable private IP in your organization, they’ll find every populated subnet, 01:13:39.480 --> 01:13:43.400 every single device, classify every device, tell you what hardware it’s running on, 01:13:43.400 --> 01:13:46.920 and identify things like multi-owned systems that are breaching different networks. It does 01:13:46.920 --> 01:13:53.360 it all unauthenticated, quickly, with really no interaction and no real network impact. 01:13:53.360 --> 01:13:57.840 JACK: [MUSIC] What I find fascinating about HD is the struggle that he went through to 01:13:57.840 --> 01:14:02.600 make Metasploit. I mean, the sheer skill it takes just to write exploits and payloads is 01:14:02.600 --> 01:14:07.800 already impressive, and he had to continually write new exploits as new stuff came out. But 01:14:07.800 --> 01:14:14.160 the resolve and determination to face a constant barrage of attacks for publishing exploits and to 01:14:14.160 --> 01:14:20.440 continue publishing more is incredible. I think I would have given in and gave up working on it 01:14:20.440 --> 01:14:26.400 if vendors are calling my boss, asking them to fire me, or if law enforcement keeps bugging me, 01:14:26.400 --> 01:14:33.280 but not HD. He persisted through it all, because he had a vision and a belief that what he was 01:14:33.280 --> 01:14:39.400 doing was right and the whole world was wrong. I think it turned out in his favor. I think he was 01:14:39.400 --> 01:14:47.360 right and the world was wrong, because we saw the world slowly change and eventually agree with HD. 01:14:47.360 --> 01:14:53.000 Microsoft drastically changed how they handle bugs now, and their security is much better than it was 01:14:53.000 --> 01:14:58.000 before. Google puts a similar kind of pressure on companies that HD does, saying you better 01:14:58.000 --> 01:15:02.840 fix this vulnerability we found, or we’re gonna tell the world. When stuff doesn’t get fixed, 01:15:02.840 --> 01:15:09.160 they do publish it, and for governments, changing the way they view open-source tools. 01:15:09.160 --> 01:15:23.184 What a wild ride it’s been to get some decent hacker tools out there for everyone to use. 01:15:23.184 --> 01:15:28.040 (OUTRO): [OUTRO MUSIC] A big thank-you to HD Moore, a true legend in the security space. 01:15:28.040 --> 01:15:33.720 You can learn more about what he’s working on now by visiting rumble.run. This show is made by me, 01:15:33.720 --> 01:15:38.960 the NOP-sledding Jack Rhysider, and editing help this episode by the zero-trust Damienne. 01:15:38.960 --> 01:15:43.360 This episode was assembled by Tristan Ledger and mixed by Proximity Sound. 01:15:43.360 --> 01:15:48.760 Our theme music is by the encoded Breakmaster Cylinder. Hey, HD, one last question for you. 01:15:48.760 --> 01:15:49.200 HD: Yeah. 01:15:49.200 --> 01:15:53.720 JACK: When you’re reviewing someone’s code, can you tell me what bad code looks like? 01:15:53.720 --> 01:15:55.300 HD: No comment. 01:15:55.300 --> 01:16:03.920 JACK: This is Darknet Diaries.