Last updated at Fri, 25 Mar 2022 19:26:24 GMT
Capturing credentials is a critical and early phase in the playbook of many offensive security testers. Metasploit has facilitated this for years with protocol-specific modules all under the auxiliary/server/capture. Users can start and configure each of these modules individually, but now the capture plugin can streamline the process. The capture plugin can easily start 13 different services (17 including SSL enabled versions) on the same listening IP address including remote interfaces via Meterpreter. A configuration file can be used to select individual services to start and once finished, all services can easily be stopped using a single command.
To use the plugin, it must first be loaded. That will provide the
captureg command (for Capture-Global) which then offers
stop subcommands. In the following example, the plugin is loaded, and then all default services are started on the 192.168.159.128 interface.
msf6 > load capture [*] Successfully loaded plugin: Credential Capture msf6 > captureg start --ip 192.168.159.128 Logging results to /home/smcintyre/.msf4/logs/captures/capture_local_20220325104416_589275.txt Hash results stored in /home/smcintyre/.msf4/loot/captures/capture_local_20220325104416_612808 [+] Authentication Capture: DRDA (DB2, Informix, Derby) started [+] Authentication Capture: FTP started [+] HTTP Client MS Credential Catcher started [+] HTTP Client MS Credential Catcher started [+] Authentication Capture: IMAP started [+] Authentication Capture: MSSQL started [+] Authentication Capture: MySQL started [+] Authentication Capture: POP3 started [+] Authentication Capture: PostgreSQL started [+] Printjob Capture Service started [+] Authentication Capture: SIP started [+] Authentication Capture: SMB started [+] Authentication Capture: SMTP started [+] Authentication Capture: Telnet started [+] Authentication Capture: VNC started [+] Authentication Capture: FTP started [+] Authentication Capture: IMAP started [+] Authentication Capture: POP3 started [+] Authentication Capture: SMTP started [+] NetBIOS Name Service Spoofer started [+] LLMNR Spoofer started [+] mDNS Spoofer started [+] Started capture jobs msf6 >
This week Metasploit added features to libraries that provide listening services like HTTP, FTP, LDAP, etc. that allow them to be bound to an explicit IP address and port combination that is independent of what is typically the SRVHOST option. This is particularly useful for modules to be used in scenarios where the target needs to connect to Metasploit through either a NAT or port-forward configuration. The use of this feature mimics the existing functionality that’s provided by the reverse_tcp and reverse_http(s) payload stagers.
When a user needs the target to connect to 10.2.3.4, the Metasploit user would set that as the SRVHOST. If, however, that IP address is the external interface of a router with a port forward, Metasploit won’t be able to bind to it. To fix that, users can now set the ListernBindAddress option to one that Metasploit can listen on. In this case, the IP address that the router will forward the incoming connection to.
For example, with the network configuration:
Private IP: 172.31.21.26 (where Metasploit can bind to)
External IP: 10.2.3.4 (where the target connects to Metasploit)
The Metasploit module commands would be:
set srvhost 10.2.3.4 set ListenerBindAddress 172.31.21.26 set lhost 10.2.3.4 set ReverseListenerBindAddress 172.31.21.26
Enhancements and features (4)
- #16249 from gwillcox-r7 - This expands on the work done in https://github.com/rapid7/metasploit-framework/pull/16164 and adds in a new library named Msf::Exploit::Remote::HTTP::Exchange which will allow for future Exchange library functions.
- #16250 from zeroSteiner - Adds new
ListenerBindAddressoptions on modules which expose services such as HTTP, SMB, LDAP, FTP, etc. This allows users to specify a separate IP/Port to bind to, in addition to providing
SRVPORTvalues. These additional options are useful if Metasploit is running in a network behind a NAT, or when pivoting through a compromised target. The naming convention is similar to the payload options
- #16298 from smashery - This adds the new "capture" plugin which can be used to easily start and stop credential-capturing services.
- #16352 from adfoster-r7 - The
discussiontag has been added to allow for more long term discussions. This will replace the existing Discussions tab, and issues marked as such will not be automatically closed.
Bugs fixed (12)
- #16207 from h00die - The VNC libraries and associated modules have been updated to support more modern versions of VNC and to fix a few bugs so that they will work correctly with new VNC versions.
- #16309 from HynekPetrak - This fixes an issue where the ssh_login module would crash when the channel used to execute the commands to gather the platform information reported that they failed.
- #16317 from smashery - This fixes an issue with multiple modules that listen on UDP sockets where the modules were not closing and freeing the socket when their respective services were stopped.
- #16325 from sjanusz-r7 - This PR replaces
File.binread, in scenarios where it's obvious that we're reading from binaries, to prevent an issue where not all of the file has been read correctly due to an additional EOL<->CRLF conversion that happens on Windows.
- #16340 from bcoles - This fixes the APK injection behavior to use aapt2 if msfvenom is unable to rebuild the APK with apktool, allows more APKs to be compatible with msfvenom, and fixes a bug.
- #16341 from h00die - This fixes a bug where the
auxiliary/server/capture/vncmodule would not output hashes in a format compatible with John The Ripper and a bug that was causing crashes due to assuming hashes always had an associated username. Additionally, support has been added for exporting VNC hashes into a JTR compatible format for later cracking and the
hash_identifyfunction has been updated to properly identify VNC hashes allowing for better hash detection.
- #16353 from jmartin-r7 - A bug has been fixed in the Anemone library and in the HTTP crawler libraries and related module to allow pulling and setting of
ssl_versionfrom standardized options. This permits fine-grained user control and avoids issues related to missing or depreciated SSL versions in newer Ruby versions, which were at times preventing Metasploit from making successful connections to targets.
- #16358 from bcoles - This change fixes a bug in the msfvenom APK injection code, where in some situations a suitable hook point could not be found.
- #16367 from zeroSteiner - A bug was found in the way character escaping was done in
apache_apisix_api_default_token_rcewhich has now been fixed. In addition, several updates have been made to better handle error cases that may occur when sending HTTP requests to the target.
- #16368 from zeroSteiner - This improves response time when a cache miss occurs for commands not provided by
- #16369 from sjanusz-r7 - This change fixes shell_to_meterpreter module to allow upgrading (or duplicating) Meterpreter sessions.
- #16371 from AlanFoster - This fixes a crash in the WebSocket library used by the Kubernetes modules that would occur when a socket method was being called that's only provided by the Rex version.
- #16361 from bcoles - Thisadds docs for the
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a
git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).