This blog is the fifth post in our annual 12 Days of HaXmas series.
Happy HaXmas, friends. Metasploit turned 15 this year, and by all accounts, 2018 was pretty epic. We finished development on a major version of Framework, released research that culminated in a brand-new module type, welcomed dozens of new contributors to the project, and grew our content repository by more than 230 modules. In between, the team updated Metasploit’s data model, added our first Impacket and Go modules, and put on a CTF for a few thousand hackers.
Here are some of the highlights of the goodness that’s landed in Framework this past year—from module hotness and contributor excellence to big backend projects and new functionality you may have missed.
ICYMI: Under the covers
- We got more REST: The Metasploit data model got a refresh this year; the team added a REST API to the Framework database, plus a bonus JSON-RPC interface for Metasploit automation. We also made significant improvements to module metadata caching, which makes module search lightning-fast, whether you’re running a database or not.
- SMBlock party: Thanks to the many community members over in the ruby_smb gem who worked diligently to add SMBv2 support to Framework, module authors can opt to support and extend it moving forward. We’ve also updated a few key modules and payloads to support SMBv2 connections with RubySMB.
- Automate your target practice: Because of our awesome community, we have lots of payloads and lots of modules; this makes for tons of testing and even more learning. In the past year, we made strides to simplify all this learning and testing with the addition of a quick-start setup option for Metasploitable3, thanks to pre-built Vagrant boxes for VMware and Virtualbox. We also extended the metasploit-baseline-builder to include more targets. Hacking at home has never been easier!
Metalingual: Multi-language support
We’ve spoken a few times over the past year and a half on our work to add Framework support for languages beyond Ruby. Back in April 2017 (because that was a totally chill month for the security world), we added the ability to run modules as separate processes, which eliminated the need to start
msfconsole and expanded our language potential—since any language that can talk JSON over stdin/stdout and make connections through a SOCKS5 proxy is able to take advantage of this interface. If you haven’t read the team’s write-ups on the topic, start with Adam’s explanation here. In the meantime, here are some highlights from our growing treasure trove of external modules:
- Impacket secretsdump by zerosteiner
- Impacket wmiexec, which supports SMBv3, by zerosteiner
- Impacket dcomexec by zerosteiner
- Error-based user enumeration for Office 365 integrated email addresses and Exchange identification scanner by Nick Powers, poptart, jlarose, Vincent Yiu, grimhacker, Nate Power, and clee-r7.
- Teradata ODMC login and SQL modules by actuated
For a full list of external module-related PRs, watch the corresponding label on Github. If you’re particularly moved by snakes and gophers, there’s a primer on writing external Python modules for Metasploit here, and one on Go development for Metasploit here.
In our new Austin office, the Metasploit team sits within easy shouting distance of Rapid7’s pen testing crew. Because of this proximity, we’re able to cross-pollinate on which Metasploit modules and enhancements are important for them, and which types of output and data are interesting to us. One of 2018’s utility constants has been Metasploit’s EternalBlue capabilities. MS17-010 is more than EternalBlue, and contributor zerosum0x0 started the year with a new exploit module
ms17_010_psexec that uses additional MS17-010 vulnerabilities to target Windows 2000 through Windows 10. Later, MS17-010 modules were enhanced to support arbitrary processes for injection, add sleepya's new Windows 8/10 focused PoC, and support additional platforms like ARM/WinRT and embedded targets.
One of the biggest reveals of 2018 was a brand-new module type in MSF 5, courtesy of lead researcher and exploit dev Wei Chen, who spent big chunks of the past year experimenting with ways to evade common antivirus products. The
evasion module class allows Framework users to generate evasive payloads without having to install or rely on external tools; because detect-and-evade is an ever-progressing game of cat and mouse, developers can build their own evasion modules in addition to testing and modifying the two we released at DerbyCon in October. You can read the full research paper here.
Local exploitation: Privilege is a state of mind
Metasploit gained a lot in the way of local exploitation modules, as well as local exploitation APIs for Unix and Unix-like targets, thanks to research by bcoles, h00die, timwr, and others; local exploitation modules cover VMware, macOS, Linux kernel, glibc, Solaris, and more. It’s now far easier to write local exploits on these platforms; thanks to improved mixins, much less custom code per module is required than before. The new ‘metashell’ also makes managing your privilege escalation sessions easier than ever.
Content and community
Ah, yes, two of our favorite things. Before we extol all the killer content that landed recently, we must acknowledge the community behind a huge portion of it. Metasploit averaged more than 90 contributors a month in 2018; of the 230 (and counting) modules that landed in Framework this year, more than 75% of them were community-driven—meaning initially contributed by non-Metasploit staff, even if the landing process was a robust collaboration. You can always keep an eye on top contributors on metasploit.com. We appreciate you all!
Payload updates and pivot opportunities
- In a world of shells, the Meterpreter session is king: We landed long-awaited support for SOCKS5 proxying earlier this year; this addition allows Metasploit users to redirect network traffic through a Meterpreter session, making attacks look like they’re coming from the target.
- Extend your privilege: @thealpiste’s peinjector Meterpreter extension allows a user to inject a payload into a binary file; when the binary file is launched, the payload is executed with the same privileges as the original binary's process (more details here).
- One man’s hash is a Metasploit hacker’s treasure: Want to use Metasploit to remotely dump all the hashes in a target DC using DCsync? Now you can, thanks to OJ, who added the ability to dcsync and hashdump via PowerShell.
- Psst, over here: Google Summer of Code student Eliott Teissonniere added a Mettle extension that lets an attacker play sounds on the victim host once they’ve gained a session on a POSIX system.
Notable 2018 aux and post modules
Exploits tend to get a lot of the glory, but some of the most underrated modules in Framework fall into the aux and post categories. Here are a few gems we’ve incorporated since Auld Lang Syne rang out last:
- Windows Manage RID hijacking by Sebastian Castro
- OSX High Sierra APFS volume password disclosure by Sarah Edwards and cbrnrd
- wvu-r7 and busterb updated ssh_enumusers to include coverage for CVE-2018-15473, which enables pen testers to test credentials without logging in.
- Memcached stats amplification scanner by Marek Majkowski, xistence, and jhart-r7. You may remember the “memcrashed” DDoS attack that targeted
memcachedover UDP last March; if not, there’s a good story and some neat data viz from Rapid7 Labs on the amplification attack.
Notable 2018 exploits
From Hadoop to osCommerce and Apache to Alpaca (“ALPC” is less fun to say than “alpaca”, even if it’s more accurate), we collected shells all year long. If you’ve got a favorite exploit that didn’t make our list, let us know. This year’s highlights include:
- Drupalgeddon 2 Forms API property injection by Jasper Mattsson, a2u, Nixawk, FireFart, and wvu-r7 (for Metasploit’s exploit development notes, see the middle section of this blog. wvu also created a Drupal mixin for Framework that should help future module developers targeting the platform.
- Ghostscript failed restore command execution by taviso and wvu-r7, which exploits CVE-2018-16509
- Microsoft Windows ALPC Task Scheduler LPE, by SandboxEscaper, bwatters-r7, asoto-r7, and Jacob Robles, which exploits CVE-2018-8440
- Apache Struts 2 Namespace Redirect OGNL Injection by Man Yue Mo, asoto-r7, wvu, and hook-s3c, which exploits CVE-2018-11776
- Hadoop YARN ResourceManager unauthenticated command execution by Green-m and cbmixx
- osCommerce Installer unauthenticated code execution by DanielRTeixeira and Simon Scannell
Stuff in our attic
A few weeks ago, we added a new Github label called
attic. In the spirit of other open-source attics, this label is for stuff the Metasploit crew thinks is cool and belongs in the Framework, but that we or the original developers couldn’t quite get in merge-able shape. This list is a good place to start if you’re looking for a little 2019 inspiration on offensive content or features.
For those seeking stickers or craving human contact, we popped up at a few IRL events this year, too. Aaron put together a sweet five-minute hacking challenge for BSidesLV attendees, the whole team took turns selling Metasploit 0xf shirts at Rapid7’s DEF CON booth, and we kept it casual for Metasploit’s fourth annual Open Source Security Meetup (OSSM) in the lobby at Caesars Palace. (FWIW, if we get a chance to hold OSSM again next year, we’ll probably move back to somewhere a little quieter and more conducive to conversation; constructive feedback was that while a bar meetup was fun for those who already knew us and wanted to stop by briefly to say hi, a slightly less raucous environment would be more welcoming for new folks.)
We capped off the 2018 Metasploit IRL Tour with our fourth Derbycon Town Hall in Louisville, where Brent, Cody, Adam, and Aaron got to demo evasion modules, talk about potential future integrations they’d like to see, and offer themselves up to the crowd for feature requests and general heckling. Check out the full Derbycon Town Hall video here, courtesy of IronGeek.
That’s it for 2018—or at least what we could fit before the blog editing team yanked us offstage with one of those big cane-things. Feeling nostalgic? See Brent’s 2017 wrap-up here, or stroll through Metasploit weekly wrap-ups from seasons past. Happy HaXmas to all! See you next year.