New Metasploit 4.9 Helps Evade Anti-Virus Solutions, Test Network Segmentation, and Increase Productivity for Penetration Testers

Last updated at Wed, 30 Aug 2017 02:29:07 GMT

Metasploit 4.9 helps penetration testers evade anti-virus solutions, generate payloads, test network segmentation, and generally increase productivity through updated automation and reporting features. Since version 4.8, Metasploit has added 67 new exploits and 51 auxiliary and post-exploitation modules to both its commercial and open source editions, bringing our total module count up to 1,974. The new version is available immediately.

Generate AV-evading Dynamic Payloads

Malicious attackers use custom payloads to evade anti-virus solutions. Because traditional Metasploit Framework payloads are open source and well known to AV vendors, they are often quarantined by AV solutions when conducting a penetration test, significantly delaying an engagement or even stopping a successful intrusion, giving the organization a false sense of security. Penetration testers must therefore have the ability to evade AV solutions to simulate realistic attacks.

The new Metasploit Pro 4.9 generates Dynamic Payloads that evade detection in more than 90% of cases and has the ability to evade all ten leading anti-virus solutions by creating a unique payload for each engagement that does not demonstrate the typical behavior flagged by heuristic algorithms. Dynamic Payloads significantly increase productivity of a penetration tester by saving many hours of creating custom payloads as well as trial and error to evade detection through encoding and ensure that organizations do not fall prey to a false sense of security.

With Dynamic Payloads, you'll have these advantages:

• Evade all leading anti-virus vendors: Dynamic Payloads evade the top 10 AV solutions in more than 90% of cases. No AV vendor detects all MSP payload options!
• More stable sessions: Dynamic Payloads use error corrections to make sessions more stable than regular MSF sessions
• IPS Evasion through stage encoding: Stager will encode the traffic when downloading the payload, which can help evade IPS

Dynamic payloads are exclusive to Metasploit Pro. To test the new AV evasion, get your free Metasploit Pro trial now.

Free Webcast: Evading Anti-Virus Solutions with Dynamic Payloads in Metasploit Pro

If you would like to learn more about how Dynamic Payloads are used to evade anti-virus solutions, join us on the free webcast "Evading Anti-Virus Solutions with Dynamic Payloads in Metasploit Pro" with Metasploit engineer David Maloney.

• Register for Americas time zone & on-demand
• Register for European time zone

Easily generate stand-alone payloads with the Payload Generator

Penetration testers sometimes need a stand-alone payload to install on a machine they have compromised and want to control. Generating stand-alone payloads with msfvenom in Metasploit Framework is very cumbersome even for the most experienced Framework user. The new Payload Generator makes it very easy to generate Classic Payloads for any platform, architecture, stager, stage, encoding and output format.

The Payload Generator with Classic Payloads is available in the free Metasploit Community Edition as well as the commercial editions Metasploit Express and Metasploit Pro. Dynamic Payloads can also be downloaded as stand-alone executables and are exclusive to Metasploit Pro. To test the new payload generator, get your free Metasploit Community license or free Metasploit Pro trial now.

Test whether your network segmentation is operational and effective

Network segmentation is a security best practice that can help contain a breach to one part of the network by act of splitting a computer network into subnetworks, the so-called segments.

While network segmentation is not required by PCI DSS, it is often used to limit the scope the networking falling under PCI compliance. This can drastically limit the effort and cost of PCI compliance.

However, there is plenty of room for error in setting up network segmentation, and many companies learned this the hard way. In an interview with SearchSecurity, Try Leach, CTO of the PCI Security Standards Council said: "In the past, we've seen compromises where organizations thought they were doing the right thing, adequately segmenting off what they deemed to be their CDEs, only to find [the security controls were] never tested appropriately."

As a result, PCI version 3.0 added requirement 11.3.4, that requires that you conduct a penetration test to verify that your network segmentation is operational and effective. You need to be compliant by June 30, 2015.

Metasploit Pro 4.9 adds a new MetaModule for testing whether network segmentation is operational and effective. The MetaModule requires a target server, e.g. on a laptop, in the target network so that Metasploit Pro can test for open ports between the Metasploit Pro instance and the testing server.

This and other MetaModules are exclusive to Metasploit Pro. To test your network segmentation, get the free Metasploit Pro trial now.

Boost your productivity with new and improved Task Chains

Security assessments contain many repetitive and tedious tasks, and long waiting times in between. This is not only frustrating for you as a penetration tester but also increases the cost of engagements to a level where it's not feasible to test on a regular basis.

In a recent survey with more than 2,000 Metasploit users, Metasploit Pro users said that they save 45% of time compared to using Metasploit Framework. With Metasploit Pro 4.9, we're increasing your productivity even further.

Using the new Task Chains' drag & drop interface, you can create custom workflows, either for running on-demand or on a one-time or repeated schedule. For example, you could schedule a network discovery scan, followed by a single pass of MS08-067 exploitation, looting of credentials and screenshots, and an iterative login with known credentials and looting more credentials to come back to an owned network the next morning. Or you could watch it run while focusing on other tasks.

What would you do with the extra time you've gained from added productivity? You could conduct more assessments, focus your efforts on tasks that really require your expertise, clean up your inbox, or just get home earlier in the day.

Task chains are exclusive to Metasploit Pro. To start creating your custom workflows, get the free Metasploit Pro trial now.

This and other MetaModules are exclusive to Metasploit Pro. To test your network segmentation, get the free Metasploit Pro trial now.

Enjoy a more powerful Meterpreter payload

Since the 4.8 release, we have greatly improved Meterpreter's capabilities and reliability. While we were at it, we overhauled the Windows and POSIX Meterpreter development environment to make it easier to set up for researchers and open source contributors.

Exciting new Meterpreter functions include:

• Monitor clipboards: automatically download contents of the target's clipboard, continously for the life of the session
• Have a two-way video chat with your victim: have a heart-to-heart with your compromised client system, in real time
• Query ADSI and WMI: enables hardcore Windows Domain hackers to rifle through Active Directory records
• Access cleartext credentials: snarf in-memory passwords on 32-bit and 64-bit platforms with improved Mimikatz
• Impersonate in-memory tokens: with the new and improved Incognito extension

Test your network with 118 new exploits, auxiliary and post-exploitation modules

Metasploit is constantly updating its arsenal of exploits, auxiliary and post-exploitation modules to ensure that you're testing your network against the latest threats. We believe that sharing vulnerabilities and exploits broadly with the community increases security for everyone, which is why we also make all of our modules available in our free editions Metasploit Framework and Metasploit Community.

We're adding new exploits at a rate of 1.2 per day, and here's what we've added since version 4.8:

Exploit modules

• Android Browser and WebView addJavascriptInterface Code Execution by joev and jduck
• Firefox Exec Shellcode from Privileged Javascript Shell by joev
• Red Hat CloudForms Management Engine 5.1 agent/linuxpkgs Path Traversal by Ramon de C Valle exploits CVE-2013-2068
• Kloxo SQL Injection and Remote Code Execution by juan vazquez and Unknown
• NETGEAR ReadyNAS Perl Code Evaluation by juan vazquez, hdm, and Craig Young exploits CVE-2013-2751
• Pandora FMS Remote Code Execution by xistence
• Supermicro Onboard IPMI close_window.cgi Buffer Overflow by juan vazquez and hdm exploits CVE-2013-3623
• Synology DiskStation Manager SLICEUPLOAD Remote Command Execution by Markus Wulftange exploits CVE-2013-6955
• SerComm Device Remote Code Execution by Eloi Vanderbeken and Matt "hostess" Andreko exploits OSVDB-101653
• Loadbalancer.org Enterprise VA SSH Private Key Exposure by xistence
• Quantum DXi V1000 SSH Private Key Exposure by xistence
• Quantum vmPRO Backdoor Command by xistence
• Firefox 5.0 - 15.0.1 __exposedProps__ XCS Code Execution by joev, Mariusz Mlynski, and moz_bug_r_a4 exploits CVE-2013-1710
• Apache Roller OGNL Injection by juan vazquez and Unknown exploits CVE-2013-4212
• Cisco Prime Data Center Network Manager Arbitrary File Upload by juan vazquez and rgod exploits ZDI-13-254
• Adobe ColdFusion 9 Administrative Login Bypass by Mekanismen and Scott Buckel exploits CVE-2013-0632
• Dexter (CasinoLoader) SQL Injection by bwall (Brian Wallace)
• HP SiteScope issueSiebelCmd Remote Code Execution by juan vazquez and rgod exploits ZDI-13-263
• MediaWiki Thumb.php Remote Command Execution by Ben Campbell, Ben Harris, Brandon Perry, and Netanel Rubin exploits CVE-2014-1610
• Oracle Forms and Reports Remote Code Execution by Mekanismen and miss_sudo exploits CVE-2012-3153
• Apache Struts 2 Developer Mode OGNL Execution by juan vazquez, Alvaro, Andreas Nusser, and Johannes Dahse exploits CVE-2012-0394
• Apache Tomcat Manager Authenticated Upload Code Execution by rangercha exploits ZDI-10-214
• Up.Time Monitoring Station post2file.php Arbitrary File Upload by Denis Andzakovic exploits OSVDB-100423
• vTiger CRM SOAP AddEmailAttachment Arbitrary File Upload by juan vazquez and Egidio Romano exploits CVE-2013-3215
• Safari User-Assisted Download and Run Attack by joev
• Array Networks vAPV and vxAG Private Key Privilege Escalation Code Execution by xistence exploits OSVDB-104654
• FreePBX config.php Remote Code Execution by 0x00string, i-Hmx, and xistence exploits CVE-2014-1903
• Horde Framework Unserialize PHP Code Execution by juan vazquez and EgiX exploits CVE-2014-1691
• Kimai v0.9.2 'db_restore.php' SQL Injection by Brendan Coles and drone exploits OSVDB-93547
• OpenSIS 'modname' PHP Code Execution by Brendan Coles and EgiX exploits CVE-2013-1349
• WordPress OptimizePress Theme File Upload Vulnerability by Mekanismen and United of Muslim Cyber Army
• Simple E-Document Arbitrary File Upload by Brendan Coles and vinicius777
• SkyBlueCanvas CMS Remote Code Execution by Scott Parish and xistence exploits CVE-2014-1683
• vBulletin index.php/ajax/api/reputation/vote nodeid Parameter SQL Injection by juan vazquez and Orestis Kourides exploits CVE-2013-3522
• Zimbra Collaboration Server LFI by Mekanismen and rubina119 exploits CVE-2013-7091
• Symantec Endpoint Protection Manager Remote Command Execution by Chris Graham, Stefan Viehbock, and xistence exploits CVE-2013-5015
• Adobe Reader ToolButton Use After Free by sinn3r, juan vazquez, Soroush Dalili, and Unknown exploits ZDI-13-212
• MS12-022 Microsoft Silverlight ScriptObject Unsafe Memory Access by juan vazquez, James Forshaw, and Vitaliy Toropov exploits CVE-2013-3896
• MS13-090 CardSpaceClaimCollection ActiveX Integer Underflow by juan vazquez and Unknown exploits CVE-2013-3918
• MS14-012 Internet Explorer TextRange Use-After-Free by sinn3r and Jason Kratzer exploits CVE-2014-0307
• KingScada kxClientDownload.ocx ActiveX Remote Code Execution by juan vazquez and Andrea Micalizzi exploits ZDI-14-011
• Adobe Reader ToolButton Use After Free by sinn3r, juan vazquez, Soroush Dalili, and Unknown exploits ZDI-13-212
• ALLPlayer M3U Buffer Overflow by Gabor Seljan, Mike Czumak, and metacom exploits OSVDB-98283
• Audiotran PLS File Stack Buffer Overflow by Philip OKeefe
• Easy CD-DA Recorder PLS Buffer Overflow by juan vazquez, Gabor Seljan, and chap0 exploits CVE-2010-2343
• IBM Forms Viewer Unicode Buffer Overflow by juan vazquez and rgod exploits ZDI-13-274
• IcoFX Stack Buffer Overflow by juan vazquez and Marcos Accossatto exploits CVE-2013-4988
• MPlayer Lite M3U Buffer Overflow by C4SS!0 and h1ch4m and Gabor Seljan exploits BID-46926
• MS13-096 Microsoft Tagged Image File Format (TIFF) Integer Overflow by sinn3r and Unknown exploits CVE-2013-3906
• RealNetworks RealPlayer Version Attribute Buffer Overflow by Gabor Seljan exploits CVE-2013-7260
• Total Video Player 1.3.1 (Settings.ini) - SEH Buffer Overflow by Fr330wn4g3 and Mike Czumak exploits OSVDB-100619
• DesktopCentral AgentLogUpload Arbitrary File Upload by Thomas Hibbert
• HP LoadRunner EmulationAdmin Web Service Directory Traversal by juan vazquez and rgod exploits ZDI-13-259
• Kaseya uploadImage Arbitrary File Upload by Thomas Hibbert exploits OSVDB-99984
• Windows Escalate UAC Protection Bypass (In Memory Injection) by Ben Campbell, David Kennedy "ReL1K", mitnick, and mubix
• Windows SYSTEM Escalation via KiTrap0D by HD Moore, OJ Reeves, Pusscat, and Tavis Ormandy exploits CVE-2010-0232
• Windows TrackPopupMenuEx Win32k NULL Page by Dan Zentner, Matias Soler, Seth Gibson, and Spencer McIntyre exploits CVE-2013-3881
• Microsoft Windows ndproxy.sys Local Privilege Escalation by juan vazquez, Shahin Ramezany, Unknown, and ryujin exploits CVE-2013-5065
• Nvidia (nvsvc) Display Driver Service Local Privilege Escalation by Ben Campbell and Peter Wintersmith exploits CVE-2013-0109
• Windows Command Shell Upgrade (Powershell) by Ben Campbell
• HP Data Protector Backup Client Service Remote Code Execution by juan vazquez and Aniway.Anyway exploits ZDI-14-008
• HP Data Protector Backup Client Service Directory Traversal by juan vazquez and Brian Gorenc exploits ZDI-14-003
• SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write by Brendan Coles and Mohamed Shetta exploits OSVDB-103671
• ABB MicroSCADA wserver.exe Remote Code Execution by juan vazquez and Brian Gorenc exploits ZDI-13-270
• GE Proficy CIMPLICITY gefebt.exe Remote Code Execution by juan vazquez, Z0mb1E, and amisto0x07 exploits ZDI-14-015
• Yokogawa CENTUM CS 3000 BKBCopyD.exe Buffer Overflow by juan vazquez and Redsadic
• Yokogawa CENTUM CS 3000 BKHOdeq.exe Buffer Overflow by juan vazquez and Redsadic

Auxiliary and post modules

• Red Hat CloudForms Management Engine 5.1 miq_policy/explorer SQL Injection by Ramon de C Valle exploits CVE-2013-2050
• Linksys WRT120N tmUnblock Stack Buffer Overflow by Craig Heffner and Michael Messner exploits OSVDB-103521
• ZyXEL GS1510-16 Password Extractor by Daniel Manser and Sven Vetsch
• SerComm Device Configuration Dump by Eloi Vanderbeken and Matt "hostess" Andreko exploits OSVDB-101653
• Apache Commons FileUpload and Apache Tomcat DoS by Unknown and ribeirux exploits CVE-2014-0050
• Gzip Memory Bomb Denial Of Service by joev and info
• Ruby on Rails Action View MIME Memory Exhaustion by joev, sinn3r, and Toby Hsieh exploits CVE-2013-6414
• Ruby on Rails JSON Processor Floating Point Heap Overflow DoS by joev, todb, and Charlie Somerville exploits CVE-2013-4164
• IBM Lotus Sametime WebPlayer DoS by Chris John Riley and kicks4kittens exploits CVE-2013-3986
• Yokogawa CENTUM CS 3000 BKCLogSvr.exe Heap Buffer Overflow by juan vazquez and Redsadic
• DNS Non-Recursive Record Scraper by Brandon McCann "zeknox" and Rob Dixon "304geek"
• DoliWamp 'jqueryFileTree.php' Traversal Gather Credentials by Brendan Coles
• Drupal OpenID External Entity Injection by juan vazquez and Reginaldo Silva exploits CVE-2012-4554
• IBM Lotus Notes Sametime User Enumeration by kicks4kittens
• IBM Lotus Notes Sametime Room Name Bruteforce by kicks4kittens
• IBM Lotus Sametime Version Enumeration by kicks4kittens
• Joomla weblinks-categories Unauthenticated SQL Injection Arbitrary File Read by Brandon Perry
• MantisBT Admin SQL Injection Arbitrary File Read by Brandon Perry and Jakub Galczyk exploits CVE-2014-2238
• vBulletin Password Collector via nodeid SQL Injection by sinn3r, juan vazquez, and Orestis Kourides exploits CVE-2013-3522
• Chargen Probe Utility by Matteo Cantoni exploits CVE-1999-0103
• A10 Networks AX Loadbalancer Directory Traversal by xistence exploits OSVDB-102657
• Cisco ASA ASDM Bruteforce Login Utility by Jonathan Claudius
• OpenMind Message-OS Portal Login Brute Force Utility by Karn Ganeshen
• Oracle ILO Manager Login Brute Force Utility by Karn Ganeshen
• ManageEngine Support Center Plus Directory Traversal by xistence exploits OSVDB-102656
• Typo3 Login Bruteforcer by Christian Mehlmauer
• Wordpress Scanner by Christian Mehlmauer
• Poison Ivy Command and Control Scanner by SeawolfRN
• SerComm Network Device Backdoor Detection by Eloi Vanderbeken and Matt "hostess" Andreko exploits OSVDB-101653
• Printer File Download Scanner by wvu, sinn3r, MC, Matteo Cantoni, and Myo Soe
• Printer Environment Variables Scanner by wvu, sinn3r, MC, Matteo Cantoni, and Myo Soe
• Printer Directory Listing Scanner by wvu, sinn3r, MC, Matteo Cantoni, and Myo Soe
• Printer Volume Listing Scanner by wvu, sinn3r, MC, Matteo Cantoni, and Myo Soe
• Printer Ready Message Scanner by wvu, sinn3r, MC, Matteo Cantoni, and Myo Soe
• Printer Version Information Scanner by wvu, sinn3r, MC, Matteo Cantoni, and Myo Soe
• MS08-067 Scanner by wvu, hdm, Brett Moore, frank2, jduck, and sho-luv exploits CVE-2008-4250
• Firefox XSS by joev
• Multi Gather Malware Verifier by sinn3r
• Multi Manage YouTube Broadcast by sinn3r
• OSX Screen Capture by Peter Toth
• OSX Gather Autologin Password as Root by joev
• OSX Gather Safari LastSession.plist by sinn3r
• OSX Network Share Mounter by joev and Peter Toth
• OSX VPN Manager by Peter Toth
• Windows Gather SmarterMail Password Extraction by sinn3r, Brendan Coles, and Joe Giron
• Windows Gather Active Directory Service Principal Names by Ben Campbell and Scott Sutherland
• Windows Gather Active Directory User Comments by Ben Campbell
• Windows Gather Skype, Firefox, and Chrome Artifacts by Joshua Harper
• Windows Enumerate LSA Secrets by Rob Bathurst
• Windows Manage Driver Loader by Borja Merino
• Windows Manage Proxy PAC File by Borja Merino

Please also note the release notes from this release versus the last weekly update.

Get your free Metasploit download or trial on the Rapid7 website now!