Nov 4, 2014

Progress of the Viproy pull requests for the Metasploit Framework

I saw a few challenges to submit Viproy modules to the Metasploit Framework;

Firstly, I'm not a developer, but a pen-tester and a researcher. this means, I prepared this code during an engagement or in a testing environment. 400+ features/skills are implemented in the SIP/Skinny libraries and modules, some skills/features require special systems which I have no access now. Because of this, I cannot provide a lab environment to test all the features/options, maybe during the Kiwicon 2015 training. That's why the source code is pretty dirty, but works in many cases, especially in VoIP pen-test engagement.

Moreover, I'm the only one who improves these modules during actual VoIP penetration tests, limited feedback and no code support. This prevents me to detect/fix errors of the software, only the Metasploit Framework team submitted code modifications on them. Thanks for all the commits and suggestions.

Finally, I have some timing issues before January 2015. "rspec" modifications and full review of the features are really hard tasks, and require a working test lab with all components. I'm not sure I can provide this time to major changes, but I will try.

I believe that Viproy should have a community support, that's why it is developed with the Metasploit Framework, not as a standalone software. These commits and comments show that it still has too much errors to fix and too much features to demonstrate. Also they show that community support is very useful, the Viproy's source code is improved by a team, not the author anymore. Basically this process does work.

Thanks for all support.

Now, we have two ways to decide;

  • It may be slow, but I can support/update these pull requests with you to make Viproy a part of the Metasploit Framework, as soon as I can.
  • or, preparing a good plan and waiting for 2015 Q1 for the major Viproy source improvements for the full Metasploit Framework integration.
Please think about it as a team, and suggest a way to do that. Remember, the code is licensed as the Metasploit License, you're free to fix/improve all features. I'm comfortable for the both options, the problem is only my schedule before Jan 2015.

Original post link at Github : https://github.com/rapid7/metasploit-framework/pull/4066#issuecomment-61608013

/cc @todb-r7 @jhart-r7 @jvazquez-r7 @hmoore-r7