12 Days of HaXmas: Metasploit End of Year Wrapup

Published at 2015-12-31 22:14:31

This is the seventh post in the series, "The 12 Days of HaXmas."

It's the last day of the year, which means that it's time to take a moment to reflect on the ongoing development of the Metasploit Framework, that de facto standard in penetration testing, and my favorite open source project around. While the acquisition of Metasploit way back in 2009 was met with some healthy skepticism, I think this year, it's easy to say that Rapid7's involvement with Metasploit has been an enormously positive experience for the project, regardless of whether you happen to work on or use Rapid7 products. 2015 marks another year of our (and your!) commitment to both the principles of open source and the day-to-day care and feeding of this beast.

New Modules!

Checking out today's development branch banner and comparing to last year, it looks like Metasploit Framework saw the addition of 136 new exploits, 98 new auxiliary modules, 34 new post modules, and 81 new payloads, for a grand total of 349 new modules for the calendar year -- just a shade under one a day. Compared to last year, the new payload count is particularly impressive; that count represents the work being done around refreshing and updating Meterpreter and expanding what it means to regain shells.

Commits and Authors

2015 saw 7099 commits, 5519 of which were non-merge commits. Once again, this is an incredible effort from a contributor pool of 176 distinct committers, the vast majority of whom weren't employed by Rapid7. Most open source projects are really only worked on by a handful of people; the thing that makes Metasploit one of the top ten Ruby projects hosted on GitHub (not to mention the second-most starred security project) is the support, effort, and criticism of our developer community.

And speaking of our developer community, the top 25 most prolific committers (by non-merge count) for 2015 are:

Name/Alias        Commit Count
jvazquez-r7       1112
wchen-r7          757
jhart-r7          336
hdm               256
wvu-r7            252
bcook-r7          235
oj                231
Meatballs1        199
todb-r7           145
jlee-r7           126
espreto           120
FireFart          96
dmaloney-r7       87
benpturner        84
JT                80
stufus            68
zeroSteiner       66
KronicDeth        64
void-in           59
joevennix         58
Matthew Hall      54
brandonprry       45
rastating         43
techpeace         36
Pedro Ribeiro     35

We have some new names on that list, which is great! I'm super excited to see what these newly prolific security devs will be up to in 2016. And, as was the case last year, just about half (12 of 25) of these committers weren't financially connected to Metasploit products as employees or contractors; they're among the hard-working volunteers that are responsible for pushing security research forward.

Finally, here's the alphabetized list of everyone who committed at least one chunk of content to the Metasploit Framework in 2015:

0xFFFFFF, aakerblom, aczire, Adam Ziaja, agix, Alex Watt, Alexander Salmin, Anant Shrivastava, Andrew Smith, andygoblins, aos, aushack, Balazs Bucsay, Bazin Danil, BAZIN-HSC, bcoles, bcook-r7, Ben Lincoln, Ben Turner, benpturner, bigendian smalls, Bigendian Smalls, Borja Merino, Boumediene Kaddour, brandonprry, brent morris, bturner-r7, C-P, cdoughty-r7, Christian Sanders, claudijd, cldrn, crcatala, Daniel Jensen, Darius Freamon, Dave Hardy, David Barksdale, David Lanner, Denis Kolegov, dheiland-r7, Dillon Korman, dmaloney-r7, dmohanty-r7, dmooray, dnkolegov, Donny Maasland, Donny Maasland (Fox-IT), Elia Schito, EricGershman, erwanlr, espreto, Ewerson Guimaraes (Crash), eyalgr, Fabien, farias-r7, Fatih Ozavci, Felix Wehnert, Ferenc Spala, FireFart, fraf0, g0tmi1k, Gabor Seljan, gmikeska-r7, Guillaume Delacour, h00die, Hans-Martin Münch (h0ng10), hdm, headlesszeke, IMcPwn, jabra, Jack64, jaguasch, Jake Yamaki, Jakob Lell, jakxx, Jay Smith, jduck, jhart-r7, jlee-r7, joevennix, John Lightsey, John Sherwood, Jon Cave, jstnkndy, JT, juanvazquez, Julian Vilas, julianvilas, jvicente, jvoisin, jww519, kaospunk, karllll, kernelsmith, kn0, KronicDeth, lanjelot, Lluis Mora, lsanchez-r7, lsato-r7, Lutzy, m-1-k-3, m0t, m7x, Manuel Mancera, Marc-Andre Meloche, Mark Judice, Matthew Hall, Matthias Ganz, Meatballs1, Mike, Mo Sadek, mubix, Muhamad Fadzil Ramli, Nanomebia, Nate Power, Nicholas Starke, Nikita Oleksov, nixawk, nstarke, nullbind, oj, pdeardorff-r7, Pedro Ribeiro, peregrino, Peregrino Gris, PsychoMario, pyllyukko, radekk, RageLtMan, Ramon de C Valle, rastating, rcnunez, Ricardo Almeida, root, Rory McNamara, rwhitcroft, Sam H, Sam Handelman, Sam Roth, sammbertram, samvartaka, scriptjunkie, Sean Verity, sekritskwurl, sgabe, sgonzalez-r7, shuckins-r7, Sigurd Jervelund Hansen, somename11111, stufus, Sven Vetsch, Tab Assassin, techpeace, Th3R3p0, Thomas Ring, timwr, todb-r7, Tom Spencer, TomSellers, trevrosen, void-in, vulp1n3, wchen-r7, wez3, wvu-r7, xistence, Zach Grace, zeroSteiner

We really couldn't have made Metasploit without everyone listed there, so thanks again for sharing our commitment to open source security research and development. May your buffers always be overflowing.

Ponies!

Of course, the most beloved change to Metasploit in 2015 wasn't the great Regemification, the souped up Android payloads (or any of the other astonishing work on the Metasploit and Meterpreter payload systems in general), the integrated Omnibus installers, or any of those boring technical advancements that push the boundaries of penetration testing. It was the April Fool's Pony Banner Update, made possible by the ponysay project run by Erkin Batu Altunbaş. So, here you go:

Happy New Year, everyone!

Source: rapid7.com
