rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

[Idea / Suggestion] "Hardening" done via metasploit on different computers / operating systems #17095

Open rubyFeedback opened 1 year ago

rubyFeedback commented 1 year ago

Summary

I would like to propose that metasploit adds the ability / feature to showcase what vulnerabilities or exploits may exist on the LOCAL computer system. (Yes, local only.)

Basic example

API: I think you guys can think of a good API name here; I don't know metasploit well enough to understand which API method names may fit. Perhaps ".hardening" or ".query_local_system" or ".investigate_local" or anything like that, to distinguish it from other features. The name will probably be easy to add anyway, so I think it is more important to talk about pro/con yes/no about the idea/suggestion itself. The name will be easy to pick if the code has been added (provided that it is agreed that this may be a useful functionality for different users).

Motivation

So, I think this is the key part of the suggestion here.

I am typically compiling from source on Linux here. I can build LFS/BLFS, recompile glibc, compile the kernel and so forth.

However, I manage the whole system on my own, which can be tedious. I may have to switch to a "real" distribution due to my lack of time. On my laptop, for instance, I am now using fedora and I do not want to change it anymore, simply because I need my laptop to work at all times (since I carry it with me as I transport/move).

For my home setup, though, I still experiment a LOT.

So in this context I'd love if metasploit could also be used as a "test-framework" for showcasing what could be improved on the LOCAL computer system, e.g. hardening or making it better. Ideally you guys could generate some kind of report, a bit similar to how rubocop checks on a system and tells you of syntax errors, style errors and so forth. So something similar to rubocop in metasploit would be nice to have in this regard.

As for the format: commandline output may suffice but a .html page or something like this would be neat. This could then also be shown to other people who could possibly help give suggestions. But if this is too much work, commandline suffices.

IF this does not fit to metasploit as such, perhaps it could be some add-on (although from past experiences add-ons tend to be more volatile and disappear, so making it a core functionality, in the report-specific parts of metasploit, would be nice).

bcoles commented 1 year ago

> So in this context I'd love if metasploit could also be used as a "test-framework" for showcasing what could be improved on the LOCAL computer system, e.g. hardening or making it better. Ideally you guys could generate some kind of report, a bit similar to how rubocop checks on a system and tells you of syntax errors, style errors and so forth. So something similar to rubocop in metasploit would be nice to have in this regard.

Rubocop (and msftidy) are linting tools used to streamline the development process.

> IF this does not fit to metasploit as such

This doesn't really fit with Metasploit use cases.

There are many system auditing tools. Here's a janky script I wrote which wraps a bunch of them:

Support for LinPEAS is currently broken since they moved it. Also, I would advise against running this on production systems.

You'll notice that these tools are frequently updated as the Linux kernel and associated ecosystem evolve. These tools require constant maintenance. Implementing the same functionality in Metasploit would add additional maintenance burden for non-core functionality outside of the intended use case.

If something like this were to be added, it would make more sense to develop a module (or plugin) which performs system hardening checks on a session host, rather than the local host. This would be a closer fit with Metasploit use cases. You could always get a session on your local host should you wish to run the checks locally.

Similarly, you could try getting a Metasploit session on your local system. You can use the Local Exploit Suggester module to search for vulnerabilities for which there is an associated exploit.

adfoster-r7 commented 1 year ago

I think Metasploit offers a lot of the primitives here, i.e. the local exploit suggester etc.

There's also Metasploit Pro as a commercial offering, which can run automated scans and generate reports etc.