Metasploit
Metasploit Wrapup
It has been an intense couple of weeks in infosec since the last Wrapup and
we've got some cool things for you in the latest update.
Hacking like No Such Agency
I'll admit I was wrong. For several years, I've been saying we'll never see
another bug like MS08-067
[https://www.rapid7.com/db/modules/exploit/windows/smb/ms08_067_netapi], a full
remote hole in a default Windows service. While I'm not yet convinced that
MS17-010 will reach the same scale as MS08-067 did, EternalBlue
[https://www.rapi
Metasploit
Metasploit Wrapup
Faster, Meterpreter, KILL! KILL!
You can now search for and kill processes by name in Meterpreter with the new
pgrep and pkill commands. They both have flags similar to the older ps command,
allowing you to filter by architecture (-a), user (-u), or to show only child
processes of the current session's process (-c). We've also added a -x flag to
find processes with an exact match instead of a regex, if you're into that.
Fun with radiation
Craig Smith has been killing it lately with all his h
Metasploit
Metasploit, Google Summer of Code, and You!
Spend the summer with Metasploit
I'm proud to announce that the Metasploit Project has been accepted as a mentor
organization in the Google Summer of Code! For those unfamiliar with the
program, their about page [https://summerofcode.withgoogle.com/about/] sums it
up nicely:
> Google Summer of Code is a global program focused on introducing students to
open source software development. Students work on a 3 month programming project
with an open source organization during their break from univer
Android
Weekly Metasploit Wrapup
Welcome back to the Metasploit Weekly Wrapup! It's been a while since the last
one, so quite a bit has happened in that time including 75 Pull Requests.
Stageless mettle
The rewrite of meterpreter for POSIX systems, mettle, now supports a stageless
mode. You can now build standalone static executables for almost a dozen
architectures and run them on everything from small home routers to cell phones
to servers and mainframes. It can also take its configuration from the command
line, so you don't
Metasploit Weekly Wrapup
Weekly Metasploit Wrapup
Taking Care of Universal Business: the Handler's Tale
With a few exceptions, payloads have to have a handler. That's the guy who waits
with the car while your exploit runs into the liquor store.
To run an exploit module, we have to select and configure a payload first. In
some cases, Metasploit can do this for you automatically, by just guessing that
you probably wanted the best payload for the target platform and architecture.
Once the payload is set up, we have to have a way to talk to it --
Metasploit
Metasploit Wrapup
Finding stuff
For a very long time, msfconsole's search command has used a union of the
results of all search terms. This means that if you do something like search
linux firefox, you'll get a list of all modules that mention linux, regardless
of the application they target, and all modules that mention firefox, regardless
of their platform. Most people are probably expecting the intersection, i.e. you
probably wanted to see only the modules that target Firefox on Linux. So now
that's what happe
Metasploit
Metasploit Weekly Wrapup
Terminal velocity
The terminal/shell interface has been around for decades and has a rich and
storied history. Readline is the main library for shells like msfconsole to deal
with that interface, but it's also possible for commandline tools to print ANSI
escape sequences that the terminal treats specially.
When a shell like msfconsole has asynchronous output going to the terminal at
unpredictable times, such as when a new session connects, that output can
clobber the current prompt. That makes
Metasploit
Metasploit Wrapup
Everything old is new again
As you probably already know, hardware manufacturers are not always great at
security. Today we'll be picking on Netgear, who produce a WiFi router called
the WNR2200
[http://www.netgear.com/home/products/networking/wifi-routers/wnr2200.aspx].
This cute little device, brand new out of the box on store shelves today, runs
Linux 2.6.15 with Samba 3.0.24. For those of you keeping score at home, those
versions were released in 2007. Way back in 2007, Samba had a pre-auth
Metasploit Weekly Wrapup
Weekly Metasploit Wrapup
What time is it?
If you want to run some scheduled task, either with schtasks or cron, you have
to decide when to run that task. In both cases, the schedule is based on what
time it is according to the victim system, so when you make that decision, it's
super helpful to know what the victim thinks the current time is.
As of #7435 [https://github.com/rapid7/metasploit-framework/pull/7435],
Meterpreter has a localtime command that gives you that information and then
it's peanut butter jelly time.
AWS
Weekly Metasploit Wrapup
Silence is golden
Taking screenshots of compromised systems can give you a lot of information that
might otherwise not be readily available. Screenshots can also add a bit of
extra spice to what might be an otherwise dry report. For better or worse,
showing people that you have a shell on their system often doesn't have much
impact. Showing people screenshots of their desktop can evoke a visceral
reaction that can't be ignored. Plus, it's always hilarious seeing Microsoft
Outlook open to the phi
Metasploit Weekly Wrapup
Weekly Metasploit Wrapup
Extra Usability
Commandline tools in general are powerful, but come with a learning curve. When
you've been using a tool for a long time, that curve becomes a status quo that
embeds itself in your fingers. That isn't always a good thing because it tends
to make you blind to how things can be better and it takes an effort of
introspection to notice inefficiencies. Even then, you weigh those
inefficiencies against the effort required to improve.
An example of that is msfconsole's route command, w
Metasploit Weekly Wrapup
Weekly Metasploit Wrapup
Security is hard
I usually focus exclusively on the Metasploit Framework here on these wrapups,
but this week is a little special. This week the Metasploit commercial products
(Pro, Express, and Community) come with a fix for a couple of vulnerabilities.
You heard that right, remotely exploitable vulns in Metasploit. Our lovely
engineering manager, Brent Cook, helpfully wrote up the details
[/2016/09/15/important-security-fixes-in-metasploit-4120-2016091401] yesterday.
TL;DR - Three bugs, two o
Metasploit Weekly Wrapup
Weekly Metasploit Wrapup
PHP Shells Rising from the Flames
Phoenix Exploit Kit is your standard run-of-the-mill crimeware system, written
in PHP, whose creator apparently got popped by the FSB earlier this year
[http://krebsonsecurity.com/tag/phoenix-exploit-kit/]. Like many exploit kits,
it has a back door, this one allowing you to eval whatever PHP code you like by
sending it in a GET parameter (subtly named 'bdr'). Of course running arbitrary
PHP allows us control of the underlying operating system to various degrees
Metasploit Weekly Wrapup
Weekly Metasploit Wrapup
Windows Privilege Escalation
In the long long ago, Windows users pretty much universally had local
Administrator accounts. While that's still true in less mature environments, I
think we have done a pretty good job as an industry of convincing folks to
reduce users' privileges. Back in those days, privilege escalation exploits
weren't all that useful because every exploit, executable, and Word macro
already gave you the highest privileges. Today that's less true.
Even worse for the enterprising
Metasploit
Weekly Metasploit Wrapup
House keeping
Since the last Wrapup, we've been continuing our long-running project of
breaking up some of the old cobweb-encrusted parts of the framework codebase
into smaller pieces that are easier to deal with. A few things, lib/sshkey and
lib/bit-struct in particular, that for historical reasons were just slightly
modified copies of a gem, have been pulled out entirely in favor of the upstream
release. A bunch of other things have been pulled out into their own
repositories, making the whole