A Visit from the Spirits of HaXmas Past
One balmy Texas winter’s eve, having closed the pull request tab for the night, I lie in bed poking at my computer, pondering the next thing to do. As the clock strikes midnight, I see a popup in my notifications: “Tonight, you will be visited by three spirits: the ghosts of HaXmas past!” A chill runs down my spine. Recharging in my fading battery and memory, I brace for the coming trip through the memories, past promises, and eternal optimism that HaXmas brings out this time of year.
‘12 Days of HaXmas: Does It Blend Like a Duck?’ (2014)
First to visit, “12 Days of HaXmas: Does It Blend Like a Duck?” rattled its chains out of the blog archives and onto my screen. At the time of writing in 2014, I had only been with Rapid7 for a couple of weeks, and obviously I didn’t know what I was doing! So in sticking with what I did know, I just described general experiences making a cryptography library work on various operating systems. Along the way, I made a prediction that we would incorporate it into Meterpreter someday as well:
“My eventual goal is to incorporate this work into Meterpreter, updating the aging, yet nicely Heartbleed-free, OpenSSL 0.9.8 that it currently uses.”
Fast-forward a few years later, and what really happened? For a while, I looked at incorporating the new code, but it was really a lot larger than desired, and the features were overkill. It turned out to be a lot easier to add native obfuscation and encryption into Meterpreter itself, removing the need to embed an SSL library entirely. This also reduced the size of the Windows Meterpreter to one-fifth of its original size, allowing OJ to use that extra space to add other neat features like named pipes and pivot support. While the spirit of Meterpreter future didn’t come true, it was actually better than anyone had originally imagined.
‘Maxing Meterpreter’s Mettle’ (2015)
Second to drift by, with “Maxing Meterpreter’s Mettle,” I made yet another set of lofty predictions about Meterpreter someday working on a lot of new targets, while making the whole software enterprise intimately testable as well. Tod Beardsley remarked at the time that it was pretty gutsy to put out a personal roadmap in a public blog post after only a few weeks on the job, but after all:
There is nothing like a fresh new year to get one’s optimism at its highest.
Reflecting on that post a few years later, a lot of what it predicted did come true, eventually. The Mettle payload for Metasploit made its way into the master tree, working on a ton of targets, like mainframes, phones, routers, IoT, and more! It could eventually run Metasploit modules and even reflectively load other programs as well. The foreshadowed testing framework eventually morphed into the “Sanity Tests” feature now seen on every Metasploit pull request, as well as the Geppetto test orchestration framework and the Metasploit Baseline Builder projects. Unfortunately, the bug that I was so proud of fixing literally took another two years to fix in the end! Well, you can’t win ’em all!
‘Advice for the Lazy Family Sysadmin’ (2018)
Last but not least, “[Advice for the Lazy Family Sysadmin](https://blog.rapid7.com/2018/12/30/advice-for-the-lazy-family-sysadmin/)” drifted out of the server closet. Did the prophecies of optimizing the home network for minimal familial strife come to pass? While bad for Intel and AMD, the desire of relatives to have working PCs continues to be replaced with the desire for upgraded smartphones and how to cut the cable. With major complications such as fixing OS updates being replaced with discussions of which antenna or streaming service to use, the lazy sysadmin will continue to have less to do. Now, about all the broken IoT devices that can no longer contact their bankrupt motherships. Hey, Vector!
As dawn breaks, and having apparently survived all of the spirits of HaXmas past, a little wiser and a lot more humble, I close my laptop and ponder making a closing prediction: May you have a happy holiday season and healthy new year! Metasploit 6, anyone?