By Charles Joseph | Cybersecurity Advocate
H. D. Moore is one of the world’s foremost cybersecurity researchers, but even if you don’t know his name, you’ve probably been saved multiple times by his work.
He created Metasploit, widely considered the best open-source penetration testing software suite, and discovered countless bugs in everything from local business networks to Windows to the U.S. Air Force’s computer systems.
But Moore’s proclivity for finding vulnerabilities hasn’t always been warmly received by the tech industry.
H. D. Moore at a Glance
- Austin-based misfit H. D. Moore eschewed traditional schooling for self-taught computer prowess, landing a job as a cybersecurity consultant for the Department of Defense at just 17.
- Frustrated by the increasingly closed-off world of penetration testing, he created the free and open source pen testing suite Metasploit in 2002.
- Metasploit was designed to be more versatile and comprehensive than similar software, allowing for unlimited combinations of exploits, methods and payloads.
- While developing Metasploit, Moore uncovered critical bugs in many popular programs and OSes, drawing the ire of various tech companies.
- Moore started the “Month of Bugs” trend, in which a new vulnerability is published every day, to bring attention to unfixed bugs.
- In 2009, Metasploit was bought by Rapid7, which kept the core software free and open source while licensing a more advanced version to businesses for a fee.
- Moore left Rapid7 in 2016, but continues to hunt for bugs and develop cybersecurity software to this day.
The Life of H. D. Moore
H. D. Moore’s Early Life
Born in Honolulu in 1981, H. D. Moore spent his early childhood moving around the country with his family. The Moores lived in 13 different states throughout the ’80s before settling in Austin, Texas, in the early ’90s.
Moore’s new elementary school had a computer lab outfitted with Apple IIs, and he fell in love at first click. He began waking up before dawn to arrive at school several hours early, sneak into the computer lab, and play around with the beguiling machines.
But he was far from a model student: he found his classes unchallenging and often skipped them to hang out with friends or read computer books. He was kicked out of multiple schools and, at age 15, dropped out on his own.
Unencumbered by school responsibilities, Moore devoted himself to computers. He would drive around Austin searching for computer parts in dumpsters, eventually assembling a full machine from salvaged components.
Hacking held a particular appeal for Moore: he loved fiddling with his dial-up connection to find new computers to connect to, then pulling pranks on them. He would connect to radio towers, department stores and random devices, then mess with their lights, HVAC units and power systems.
Moore (Sort of) Joins the Air Force
At age 17, after being out of school for two years, Moore enrolled at Gonzalo Garza Independence High School, an alternative school for kids who couldn’t attend traditional public school. There he met math and computer teacher Christopher Walker, who instantly recognized Moore’s technical talents and recruited him to help run the school’s IT department.
After school, Moore would go home and chat with other hackers in the Phrack IRC channel, the official community space for the Phrack hacker magazine. One day, he received a message from a fellow user asking whether Moore lived near San Antonio and, if so, whether he would be interested in a job.
Intrigued, Moore agreed to an interview with Computer Sciences Corporation (CSC), a tech contractor. CSC was under contract with the U.S. Department of Defense at the time and was specifically looking for someone to create cybersecurity tools for the Air Force.
Moore was given brief descriptions of software to write — a program to monitor network traffic, a program to search for computers with various vulnerabilities — and could produce them as he saw fit. He was also tasked with penetration testing systems for the Air Force Intelligence Command, the intelligence and surveillance unit of the Air Force.
“Breaking in” to these systems and hunting for vulnerabilities was challenging and rewarding, and he soon started doing pen testing for local businesses.
The Creation of Metasploit
In 2002, when Moore was 21, various aspects of the cybersecurity world were beginning to get on his nerves.
The community had previously been very open and collaborative, with hackers sharing new vulnerabilities as they were discovered. And exploits — hacker-created software that could take advantage of said vulnerabilities — were also freely distributed.
That was no longer the case: large companies were poaching hackers from the open source community and keeping their work for themselves.
There was also the issue of the exploits themselves, which were cumbersome and not particularly versatile. They were coded to act in very specific ways and deliver very specific payloads (end results).
But professional pen testing required more flexibility — all possible combinations of tools, tactics and payloads needed to be tested, not just one predefined set.
Moore wanted to solve these problems by creating a free, open source pen testing framework that allowed users to quickly develop and test new exploits. By putting this power back in the hands of the people, he reasoned, software as a whole would become more secure and maybe even return to its former collaborative nature.
The result of his quest was Metasploit, released to the public in 2003, just a few days before Moore’s 23rd birthday.
Making Metasploit Better
Moore considers the initial version of Metasploit relatively unsophisticated: he admits that the exploits he wrote weren’t very elegant, and the framework was more rigid than he had envisioned.
His employer wasn’t a fan, either. When Moore showed Metasploit to his boss and proposed using it for his pen testing work, the boss wanted nothing to do with it, expressing concern over putting so much power in the public’s hands.
This wasn’t an uncommon opinion: detractors had already begun contacting Moore’s employer, demanding that he be fired for releasing his code so recklessly. And it was true that, because Metasploit was open source, bad actors could potentially use it to enhance their hacking.
But Moore reasoned that hackers already used similar tools and would continue their activities with or without Metasploit. The good guys, on the other hand, lacked the tools to protect themselves — and Metasploit could fill that void, evening out the power imbalance between hacker and victim.
So Moore worked on Metasploit on nights and weekends, continuing to refine his exploits and create useful new ones. He presented his work at the 2003 Hack-in-the-Box conference in Malaysia, where he received a good deal of encouraging, constructive feedback and met fellow programmers who helped him write the next version of Metasploit.
Metasploit 2 made waves as the first truly modular pen testing suite. Moore likened the new framework to Legos: users could customize each stage of the pen testing process, swapping out exploits and payloads at will to test all kinds of combinations.
The software was a hit with security researchers, cybersecurity students and hobbyists alike. Moore spent much of the next several years traveling around the world, giving Metasploit presentations at conferences like Defcon and Black Hat.
The Month of Bugs
Moore’s work on Metasploit led him to discover vulnerabilities in some of the most widely used software, including Windows and other Microsoft products. He reported each new bug to the appropriate developers, but they were rarely receptive, and the bugs often went unfixed.
Frustrated, Moore declared July 2006 the “Month of Browser Bugs”, announcing that he would publish a new browser vulnerability every day of the month. Most of the bugs affected Internet Explorer, but Moore also found them in Safari and Firefox.
The “Month of Bugs” trend took hold in the cybersecurity community, inspiring other hackers to publish their own vulnerabilities and push developers to fix their security. But it also drew the ire of Microsoft, with several employees publicly condemning Moore and his tactics.
Moore Moves Beyond Metasploit
In 2009, Metasploit was bought by Rapid7, a company that specialized in vulnerability management. Though the community initially worried that Metasploit was going corporate, Moore remained as head of the project and promised that the software would always be free and open source.
Instead of locking Metasploit down, Rapid7 created a more advanced version, Metasploit Pro, that it offered to enterprise customers for a yearly license fee.
The acquisition gave Moore more time to work on other projects. In 2012, he created Critical.io, a tool that scanned the entire internet for computers with new vulnerabilities.
Critical.io quickly uncovered one of the worst vulnerabilities in history: a bug in Universal Plug and Play (UPnP), a widespread protocol that enabled devices like printers, routers and game consoles to connect over networks. As many as 50 million devices were affected by the bug, which allowed a hacker to easily and remotely execute malicious code.
Moore published the bug, and before long law enforcement was knocking on his door. Though he was explicit about his altruistic motivations behind the discovery, authorities repeatedly questioned him and accused him of malicious intent.
Moore was never arrested, but the experience shook him, and he stepped back from his cybersecurity work for several years.
H. D. Moore Today
In 2016, Moore left Rapid7. He spent the next three years flying solo, then started a new company called Rumble in 2019.
Rumble produced a network discovery tool, which allowed IT departments to quickly detect and identify new or suspicious devices on their networks. It was a quick success, amassing $5 million in venture capital, and was renamed runZero in 2022.
H. D. Moore: A Pen Testing Pioneer
Depending on who you’re talking to, the name H. D. Moore may elicit either groans of disapproval or gushing praise.
A hacker whose payday was ruined by a pen tester using Metasploit may curse the framework’s creator, and a Microsoft security analyst’s stomach may sink when Moore publishes yet another critical Windows vulnerability for the world to see.
But self-taught ethical hackers, freelance security consultants, and fans of free and open source software can credit him for the software, science and philosophy that make their lives more secure.