Last updated at Fri, 17 Jun 2022 17:35:47 GMT
vCenter Secret Extracter
Expanding on the work of the
vcenter_forge_saml_token auxiliary module, community contributor npm-cesium137-io has added a new module for extracting the vmdir/vmafd certificates, the IdP keypair, the VMCA root cert, and anything from vmafd that has a private key associated, from an offline copy of the services database. This information can then be used with the
vcenter_forge_saml_token module to gain a session cookie that grants access to the SSO domain as a vSphere administrator.
Great work by npm-cesium137-io to complete this exploit chain and provide users a full end to end solution to get administrative level privileges on a vCenter/vSphere server given an offline copy of the services database!
Named Pipe Pivoting Documentation Updates
Historically speaking named pipe pivoting has been an area of much confusion among users. We have taken note of this and thanks to some help from adfoster-r7 and bwatters-r7, we have added in some documentation for using named pipe pivoting with Windows Meterpreter.
You can find this documentation online on our documentation site at https://docs.metasploit.com/docs/using-metasploit/intermediate/pivoting-in-metasploit.html. Note that since with Metasploit 6.2 our documentation now lives inside of the Metasploit codebase, which you can find at docs/metasploit-framework.wiki/Pivoting-In-Metasploit.md.
Service Library Improvements
Community contributor kalidor noticed that whilst testing a few modules that the Windows Services library we maintain was in need of some updates and was erroring out for him in a number of cases. This turned out to be due to some inappropriately thrown exceptions. After further consultation it was decided a rewrite of the code was needed which not only solved the original issue but also aligned the Windows Services library to more closely align with existing design patterns, ensuring it will be easier to maintain long term.
New module content (1)
- VMware vCenter Extract Secrets from vmdir / vmafd DB File by npm - This module extracts the vmdir / vmafd certificates from an offline copy of the service database (i.e. a vCenter backup). Right now it will pull the IdP keypair, the VMCA root cert, and anything from vmafd that has a private key associated.
Enhancements and features (1)
- #16654 from adfoster-r7 - This PR adds documentation for using named pipe pivoting with Windows Meterpreter.
Bugs fixed (3)
- #16602 from kalidor - If a user restarted a service using
lib/msf/core/post/windows/services.rban exception would be thrown as a integer instead of as a string, which would cause an error to occur. This has been fixed by rewriting the code for the
service_restartto use more appropriate logic. Additionally, the documentation has been updated for
lib/msf/core/post/windows/services.rbto note which functions may throw exceptions.
- #16627 from bwatters-r7 - The
tools/modules/update_payload_cached_sizes.rbscript has been updated to contain additional exception handling to appropriately handle any exceptions that may be thrown during runs, and then print out a list of those exceptions at the end of the run.
- #16665 from adfoster-r7 - A missing import has been fixed in
/tools/exploit/random_compile_c.rb, allowing it to now compile C files as expected.
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
If you are a
git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).