Posts by Spencer McIntyre

3 min Metasploit

Metasploit Wrap-Up 05/17/2024

LDAP Authentication Improvements This week, in Metasploit v6.4.9, the team has added multiple improvements for LDAP related attacks. Two improvements relating to authentication is the new support for Signing [] and Channel Binding []. Microsoft has been making changes [

4 min Metasploit

Metasploit Weekly Wrap-Up 04/26/24

Rancher Modules This week, Metasploit community member h00die [] added the second of two modules targeting Rancher instances. These modules each leak sensitive information from vulnerable instances of the application which is intended to manage Kubernetes clusters. These are a great addition to Metasploit’s coverage for testing Kubernetes environments []. PAN-OS RCE Metasploit also released an e

12 min Metasploit

Metasploit Framework 6.4 Released

Today, Metasploit is pleased to announce the release of Metasploit Framework 6.4. It has been just over a year since the release of version 6.3 [] and the team has added many new features and improvements since then. For news reporters, please reach out to Kerberos Improvements Metasploit 6.3 included initial support for Kerberos authentication within Metasploit and was one of the larger features i

5 min Metasploit

Metasploit Weekly Wrap-Up 02/16/2024

New Fetch Payload It has been almost a year since Metasploit released the new fetch payloads [] and since then, 43 of the 79 exploit modules have had support for fetch payloads. The original payloads supported transferring the second stage over HTTP, HTTPS and FTP. This week, Metasploit has expanded that protocol support to include SMB, allowing payloads to be run using rundll3

8 min Metasploit

Metasploit 2023 Annual Wrap-Up: Dec. 29, 2023

As 2023 winds down, we’re taking another look back at all the changes and improvements to the Metasploit Framework. This year marked the 20th anniversary since Metasploit version 1.0 was committed and the project is still actively maintained and improved thanks to a thriving community. Version 6.3 Early this year in January, Metasploit version 6.3 [] was released with a number of improvements for targeting Active Dir

1 min Metasploit Weekly Wrapup

Metasploit Weekly Wrap-Up: Nov. 17, 2023

Possible Web Service Removal Metasploit has support for running with a local database, or from a remote web service which can be initialized with msfdb init --component webservice. Future versions of Metasploit Framework may remove the msfdb remote webservice. Users that leverage this functionality are invited to react on an issue currently on GitHub [] to inform the maintainers that the feature is used. New module content (1) ZoneMind

4 min Metasploit

Metasploit Weekly Wrap-Up: Sep. 22, 2023

Improved Ticket Forging Metasploit’s admin/kerberos/forge_ticket module has been updated to work with Server 2022. In Windows Server 2022, Microsoft started requiring additional new PAC elements to be present - the PAC requestor and PAC attributes. The newly forged tickets will have the necessary elements added automatically based on the user provided domain SID and user RID. For example: msf6 auxiliary(admin/kerberos/forge_ticket) > run aes_key=4a52b73cf37ba06cf693c40f352e2f4d2002ef61f6031f649

4 min Metasploit

Metasploit Weekly Wrap-Up: Sep. 15, 2023

Flask Cookies This week includes two modules related to Flask cookie signatures. One is specific to Apache Superset where session cookies can be resigned, allowing an attacker to elevate their privileges and dump the database connection strings. While adding this functionality, community member h00die [] also added a module for generically working with the default session cookies used by Flask. This generic module auxiliary/gather/python_flask_cookie_signer [https://git

2 min Metasploit

Metasploit Weekly Wrap-Up: Aug. 18, 2023

Meterpreter Testing This week’s release adds new payload tests to our automated test suite. This is intended to help the team and community members identify issues and behavior discrepancies before changes are made. Payloads run on a variety of different platforms including Windows, Linux, and OS X each of which has multiple Meterpreter implementations available that are now tested to help ensure consistency. This should improve payload stability and make testing easier for community members tha

2 min Metasploit

Metasploit Wrap-Up: 2/24/23

Basic discover script improvements This week two improvements were made to the script/resource/basic_discovery.rc resource script. The first update from community member samsepi0x0 [] allowed commas in the RHOSTS value, making it easier to target multiple hosts. Additionally, adfoster-r7 [] improved the script by adding better handling for error output. This continues our trend of trying to provide more useful diagnostic information to

5 min Haxmas

2022 Annual Metasploit Wrap-Up

It's been another gangbusters year for Metasploit, and the holidays are a time to give thanks to all the people that help make our load a little bit lighter. So, while this end-of-year wrap-up is a highlight reel of the headline features and extensions that landed in Metasploit-land in 2022, we also want to express our gratitude and appreciation for our stellar community of contributors, maintainers, and users. The Metasploit team merged 824 pull requests across Metasploit-related projects in 20

2 min Metasploit

Metasploit Weekly Wrap-Up: 11/18/22

Pre-authenticated Remote Code Execution in VMware NSX Manager using XStream (CVE-2021-39144) There’s nothing quite like a pre-authenticated remote code execution vulnerability in a piece of enterprise software. This week, community contributor h00die-gr3y [] added a module [] that targets VMware NSX Manager using XStream. Due to an unauthenticated endpoint that leverages XStream for input serialization in VMwa

3 min Metasploit

Metasploit Weekly Wrap-Up: 10/21/22

Zimbra with Postfix LPE (CVE-2022-3569) This week rbowes [] added an LPE exploit for Zimbra with Postfix. The exploit leverages a vulnerability whereby the Zimbra user can run postfix as root which in turn is capable of executing arbitrary shellscripts. This can be abused for reliable privilege escalation from the context of the zimbra service account to root. As of this time, this vulnerability remains unpatched. Zimbra RCE (CVE-2022-41352) rbowes [

5 min Vulnerability Disclosure

CVE-2022-31660 and CVE-2022-31661 (FIXED): VMware Workspace ONE Access, Identity Manager, and vRealize Automation LPE

The VMware Workspace ONE Access, Identity Manager, and vRealize Automation products contain a locally exploitable privilege escalation vulnerability.

4 min Metasploit

Metasploit Weekly Wrap-Up: Jul. 29, 2022

Roxy-WI Unauthenticated RCE This week, community member Nuri Çilengir [] added an unauthenticated RCE for Roxy-WI. Roxy-WI is an interface for managing HAProxy, Nginx and Keepalived servers. The vulnerability can be triggered by a specially crafted POST request to a Python script where the ipbackend parameter is vulnerable to OS command injection. The result is reliable code execution within the context of the web application user. Fewer Meterpreter Scripts Community