I want to preface this with the fact that I have great respect for HDM and his colleagues, both for their technical achievements and for creating this framework in the open, with an enthusiastic community around it. However… 🙂
Some time ago I played around a little with Metasploit for the latest Ethical Hacker Challenge and found it incredibly frustrating. My main gripes are:
It is incredibly slow. Just to give you an idea: to generate a small executable (a couple of hundred bytes long), it takes well over a minute! I assume that this is mostly because it is written in Ruby, a decision which I can’t understand. Version 2.x was written in Perl, and for some reason (most probably because someone thought that this was the “next big thing” and wanted to play around with it) they rewrote the whole thing in Ruby, more than doubling the line count by their own admission.
Now I’m the first to admit that LOC is not a very useful measure, however abandoning an existing codebase running on a mature interpreter with some very useful tools is a questionable decision, to put it mildly.
The utter lack of documentation. Their “user manual” is 30 pages of uselessness. All the materials that I could find out there were videos, which (a) waste my time, because I can’t scan them rapidly to find the important information, (b) waste bandwidth and (c) are not properly indexable by the current search engines. Also, a lot of the documentation is outdated. For example, almost none of the documentation I found seems to mention that msfpayload can now produce Windows executables directly, without going through msfencode:
./msfpayload windows/meterpreter/bind_tcp X > runme.exe
This is somewhat faster but still sloooooow. Did I mention that the documentation is lacking? Starting msfpayload only tells you that there is an X option, but it doesn’t tell you what it does!
The structure of the program is a mess and lacks any apparent logic. Just take a look at the steps you have to perform to connect to a meterpreter deployed with an executable:
- Create the executable as shown previously and run it on the target.
- Use the “exploit/multi/handler”, which isn’t an exploit per-se and we don’t want to handle multiple connections!
- Specify the payload “windows/meterpreter/bind_tcp”. Never mind the fact that we specified this when we created the executable!
- Specify the host and the port.
- “Launch” the exploit (in fact, connect to the running executable or wait for the incoming connection).
Easy and logical, isn’t it ;-)? Especially when you don’t have any written tutorials telling you about it.