[framework] Metasploit on Windows

[Daniel Guido]

Ok two things:

1.  The Windows release is valuable.

To an outsider like me, it appears to be one of Metasploit's goals to
bring professional pentesting tools to the masses, not just bring them
to professional pentesters and security professionals.  More people
than just security-professionals-who-wouldn't-be-caught-dead-using-Windows
use Metasploit, and if you drop the Windows binaries you're losing a
lot of InfoSec teams at random US Company X's.

On the other hand, supporting Cygwin is a big pain in the ass and you
really want to be done with it.  So get rid of it.  No one else likes
Cygwin either.  Switch to the native ruby interpreter, broken
libreadline and all, just call it beta and let them use msfweb*
instead of msfconsole.  I'd be willing to gamble that enough people
use MSF on Windows that the libreadline issue will fix itself in a
short time.  You needed to make the switch sometime right?

2.  If you're running low on bandwidth due to distributing the
framework, can you set up a torrent server to host the full installs?
Or upload each release to code.google.com or another hosting service?
'Files Forever' from Dreamhost also comes to mind.

*assuming msfweb doesn't depend on msfconsole to work

On 1/18/07, Rodrigo Dutra Salvalagio <rsalvalagio at timbrasil.com.br> wrote:
> My vote goes to *nix boxes!
> I believe this directed effort will be appreciated in the pen-test
> community.
> (I only use Windows to play Call of Duty)
> Thanks
>
> -----Original Message-----
> From: H D Moore [mailto:hdm at metasploit.com]
> Sent: quarta-feira, 17 de janeiro de 2007 20:23
> To: framework at metasploit.com
> Subject: [framework] Metasploit on Windows
>
> Hi everyone,
>
> We have been struggling to properly support Windows since the early days
>
> of 2.0. Cygwin has done a decent job so far, but software
> incompatibilities and Cygwin version mismatches have caused a ton of
> problems for some of our users. The Cygwin installer requires a ton of
> disk space and is a huge drain our bandwidth (+100Gb/mo).
>
> With Metasploit 3, we wanted to provide a native Windows version of the
> Framework. There has been little progress on this front, due to the main
>
> user interface (msfconsole) depending on libreadline and libreadline
> being a broken mess on Windows.
>
> In the last year, there have been a number of free virtualization
> environments available to the public. VMWare has released VMWare Player
> and VMWare Server, Microsoft is giving away copies of VirtualPC, Xen is
> becoming more popular, and VirtualBox has released their source as GPL.
> Both Intel and AMD have virtualization features built into their latest
> processors and the new version of Windows Server will support native
> virtualization. On the distribution side, BackTrack (from
> remote-exploit.org) is really kicking ass and provides a ready-to-run
> environment for both version of the Framework.
>
> So, given the stability issues with the Metasploit Cygwin release, and
> the
> wide availability of free virtualization software and OS images, would
> anyone mind if we drop support for the pre-packed Windows installer of
> the Metasploit Framework?
>
> If we go this route, we will still support Metasploit running on top of
> Cygwin, but we will not support Cygwin itself or offer a pre-packaged
> Cygwin environment. We may offer custom live CDs or virtual machine
> images for download, but these would not be immediately available. Our
> current documentation (hah!) for using the Windows version will become a
>
> list of methods for loading up Metasploit in a virtualized environment.
>
> If you think this is a horrible idea, keep in mind that the technically
> adept can still install Metasploit into their own Cygwin environment,
> and
> that the less adept will be able to download ready-to-run virtual
> machine
> images sometime in the future.
>
> Please reply with your opinion on this (good or bad), we realize quite a
>
> few people depend on the Windows installer.
>
> Thanks!
>
> -HD
>
> PS. Yes, we still plan on releasing 3.0 "soon" :-) With any luck we can
> have the final release completed  in February.
>
>


-- 
Dan Guido