This post is the seventh in a series, 12 Days of HaXmas, where we take a look at some of the more notable advancements and events in the Metasploit Framework over the course of 2014.

Since today happens to be the last day of the year, let's take a moment to reflect on another year of amazing Metasploit exploit development, and see what we've all been up to over the course of 2014. Of course, when I say "we," I really do mean all of us -- if you're reading this blog, more likely than not, you're part of the Metasploit open source community. Thanks so much for your continued commitment to the principles of openness and disclosure that make Metasploit such a powerful force for Internet security today. It's a humbling and massively rewarding experience to be a part of this.

Loads of new modules

Judging by last year's screenshot, Metasploit Framework picked up 135 new exploits, 99 new auxiliary modules, 25 new post modules, and 32 new payloads, for a total of 291 new modules landed to the framework. If you haven't used Metasploit in a while, you might want to check in on your favorite software packages over at the Rapid7 Vulnerability Database to see if you're running anything that's at risk.

Loads of commits in general

We also saw 7,627 commits across the entire code base for the year, which is a stupendous show of effort for the two hundred or so contributors that landed at least one commit that made it into the Metasploit Framework master branch. In fact, the top 25 committers of 2014, by non-merge commit count, were:

Name/Alias       Commit Count
jvazquez-r7      1095
limhoff-r7       481
wchen-r7         374
Meatballs1       373
dmaloney-r7      343
todb-r7          297
joev-r7          272
jhart-r7         236
wvu-r7           223
jlee-r7          219
hmoore-r7        134
zeroSteiner      121
FireFart         100
OJ               78
brandonprry      73
m-1-k-3          57
kernelsmith      52
TomSellers       51
lsanchez-r7      45
Pedro Ribeiro    42
David Bloom      40
xistence         32
us3r777          29
trosen-r7        29
shuckins-r7      27

While it's fairly expected that the people who are paid by Rapid7 will tend to have quite a few commits, you'll notice that just about half of the top 25'ers here don't work at Rapid7. (Yes, OJ did work on Meterpreter full time for a little while in 2014, so let's count him for both.) Exceedingly few open source projects get the kind of support we enjoy, so please take a moment to thank (or blame) these people:

0a2940, agix, Ahmed Elhady Mohamed, Alton Johnson, Andrew Morris, AnwarMohamed, Arnaud SOULLIE, attackdebris, b00stfr3ak, bcoles, bcook-r7, bmerinofe, Borja Merino, brandonprry, Bruno Morisson, bturner-r7, bwall, byt3bl33d3r, cdoughty-r7, Cenk Kalpakoglu, Chris Hebert, Christopher Truncer, coma, cx, Daniel Miller, David Bloom, David Chan, David Maciejak, dheiland-r7, dmaloney-r7, DrDinosaur, dukeBarman, dummys, EgiX, Emilio Pinna, Ethan Robish, Etienne Stalmans, Fabian Bräunlein, farias-r7, Fatih Ozavci, Fernando Munoz, FireFart, Florian Gaultier, floyd, Fr330wn4g3, g0tmi1k, Gabor Seljan, Gary Blosser, gigstorm, grimmlin, HackSys Team, hmoore-r7, ikkini, inkrypto, inokii, Iquaba, j0hnf, Jakob Lell, Jakub Nawalaniec, jakxx, Jay Smith, Jeff Jarmoc, jgor, jhart-r7, jiuweigui, jlee-r7, joe, joev-r7, John Sawyer, Jonas Vestberg, Jonathan Claudius, Jon Cave, JoseMi, Josh Abraham, Jovany Leandro G.C, Juan Escobar, julianvilas, Julian Vilas, Julio Auto, jvazquez-r7, kaospunk, Karmanovskii, Karn Ganeshen, kenkeiras, Ken Smith, kernelsmith, kicks4kittens, kn0, Kurt Grutzmacher, kyuzo, limhoff-r7, linuxchuck, lsanchez-r7, Lutz Wolf, m-1-k-3, Marc Wickenden, Mark Judice, Martin Vigo, Matias P. Brutti, Matt Andreko, Matteo Cantoni, Matthew Kienow, mbuck-r7, Meatballs1, Mekanismen, mercd, mfadzilr, midnitesnake, Miroslav Stampar, mschloesser-r7, mubix, mvdevnull, navs, Nicholas Nam, Niel Nielsen, Nikita, nnam, nodeofgithub, nstarke, nullbind, oj, parzamendi-r7, Pedro Laguna, Pedro Ribeiro, peregrino, Peregrino Gris, Peter Marszalik, Philip OKeefe, pyoor, RageLtMan, Ramon de C Valle, RangerCha, Rasta Mouse, ribeirux, Rich Lundeen, Rich Whitcroft, Rick Farina (Zero_Chaos), Roberto Soares Espreto, root, Royce Davis, rsmudge, Russell Sim, Sagi Shahar, Sam, Samuel, sappirate, Sascha Schirra, schierlm, scriptjunkie, Sean Verity, Sebastiano Di Paola, sgabe, shellster, sho-luv, shuckins-r7, silascutler, Silas Cutler, singe, spdfire, staaldraad, tate, TecR0c, Thanat0s, Thomas Ring, Tiago Sintra, Timothy Swartz, timwr, todb-r7, TomSellers, Tonimir Kisasondi, Trenton Ivey, trosen-r7, us3r777, Victor, Vincent Herbulot, wchen-r7, wez3, Wiesław Kielas, wvu-r7, xard4s, xistence, Your Name, zeroSteiner, and Zinterax

Outstanding work, all!

Weekly Wrapup

Oh, and since this post doubles as the weekly wrap-up, here are the new modules landed to Framework since the last release (commit 067bda4). Metasploit community contributor Borja Merino is clearly up to no good with the combination of his freshly-landed Windows outbound firewall rules checking post module and his port-knocking enabling shellcode. Port knocking is one of those super fun things to do to be extra-stealthy with your listening shells so they don't get picked up by network scanners like Project Sonar. Thanks Borja!

Exploit modules

Auxiliary and post modules