Windows LNK and Linux persistence
This week, happybear-21 introduced four new modules that abuse Windows Shell Link (LNK) files. Three of them are designed to trigger an authentication attempt to a remote server, allowing NTLM authentication credentials to be harvested; the fourth allows arbitrary commands to be executed. Also, h00die added a new Linux persistence module, which establishes persistence on the target by creating an override.conf file for a systemd service that then launches the payload.
New module content (5)
Fileformat NTLM leak & LNK padding modules
Author: Nafiez
Type: Auxiliary
Pull request: #20518 contributed by happybear-21
Reference: ZDI-25-148
Description: This adds multiple auxiliary modules that generate LNK files for NTLM credential leakage, plus an LNK padding module:
- Right-Click Execution - Windows LNK File Special UNC Path NTLM Leak (Path: fileformat/environment_variable_datablock_leak)
- IconEnvironmentDataBlock - Windows LNK File Special UNC Path NTLM Leak (Path: fileformat/icon_environment_datablock_leak)
- SpecialFolderDatablock - Windows LNK File Special UNC Path NTLM Leak (Path: fileformat/specialfolder_leak)
- Windows Shortcut (LNK) Padding (Path: fileformat/datablock_padding_lnk)
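From the defender's side, the interesting question is how to spot shortcut files whose EnvironmentVariableDataBlock or IconEnvironmentDataBlock points at a UNC path, since that is what makes a target host reach out and authenticate. The following is an added example, not code from the modules above or from the post: a small Python scanner that walks the Shell Link ExtraData section following the MS-SHLLINK layout and reports UNC paths in those two blocks, and (going slightly beyond the modules) in the StringData fields as well. Block signatures and offsets come from the MS-SHLLINK specification; the sample .lnk bytes are constructed inline for the demo and the host name in them is a placeholder.

```python
import struct
import sys

# ShellLinkHeader layout and ExtraData block signatures per MS-SHLLINK.
HEADER_SIZE = 0x4C
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
IS_UNICODE = 0x80
# StringData fields appear in this order, each gated by its LinkFlags bit.
STRING_DATA_FIELDS = ((0x04, "NAME_STRING"), (0x08, "RELATIVE_PATH"),
                      (0x10, "WORKING_DIR"), (0x20, "COMMAND_LINE_ARGUMENTS"),
                      (0x40, "ICON_LOCATION"))
ENVIRONMENT_VARIABLE_BLOCK = 0xA0000001
ICON_ENVIRONMENT_BLOCK = 0xA0000007
BLOCK_NAMES = {ENVIRONMENT_VARIABLE_BLOCK: "EnvironmentVariableDataBlock",
               ICON_ENVIRONMENT_BLOCK: "IconEnvironmentDataBlock"}


def _is_unc(value):
    """A UNC path starts with two backslashes (\\\\host\\share...)."""
    return value.startswith("\\\\")


def _read_string_data(data, pos, is_unicode):
    """StringData item: 2-byte CountCharacters followed by the characters (no terminator)."""
    count = struct.unpack_from("<H", data, pos)[0]
    pos += 2
    if is_unicode:
        raw = data[pos:pos + count * 2]
        return raw.decode("utf-16-le", errors="replace"), pos + count * 2
    return data[pos:pos + count].decode("latin-1"), pos + count


def scan_lnk(data):
    """Return a list of (location, value) for every UNC path found in a .lnk byte string."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link file: bad HeaderSize")
    flags = struct.unpack_from("<I", data, 20)[0]   # LinkFlags sits after HeaderSize + LinkCLSID
    pos = HEADER_SIZE
    findings = []
    if flags & HAS_LINK_TARGET_ID_LIST:               # skip LinkTargetIDList (IDListSize excludes itself)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                         # skip LinkInfo (LinkInfoSize includes itself)
        pos += struct.unpack_from("<I", data, pos)[0]
    for bit, name in STRING_DATA_FIELDS:
        if flags & bit:
            value, pos = _read_string_data(data, pos, bool(flags & IS_UNICODE))
            if _is_unc(value):
                findings.append((name, value))
    # ExtraData: sequence of blocks (BlockSize, BlockSignature, body) ended by a TerminalBlock (< 4).
    while pos + 4 <= len(data):
        block_size = struct.unpack_from("<I", data, pos)[0]
        if block_size < 4:
            break
        signature = struct.unpack_from("<I", data, pos + 4)[0]
        body = data[pos + 8:pos + block_size]
        if signature in BLOCK_NAMES and len(body) >= 780:
            # Both blocks carry TargetAnsi (260 bytes) then TargetUnicode (520 bytes).
            ansi = body[:260].split(b"\0", 1)[0].decode("latin-1")
            wide = body[260:780].decode("utf-16-le", errors="replace").split("\0", 1)[0]
            for value in dict.fromkeys((ansi, wide)):   # de-duplicate when both agree
                if _is_unc(value):
                    findings.append((BLOCK_NAMES[signature], value))
        pos += block_size
    return findings


def _env_block(signature, target):
    """Constructed helper: build a 0x314-byte environment-style block for the demo."""
    body = target.encode("ascii").ljust(260, b"\0") + target.encode("utf-16-le").ljust(520, b"\0")
    return struct.pack("<II", 8 + len(body), signature) + body


def build_sample_lnk(icon_target, env_target):
    """Constructed test fixture: header with no IDList/LinkInfo/StringData, two blocks, terminator."""
    header = struct.pack("<I", HEADER_SIZE) + bytes(16) + struct.pack("<I", 0) + bytes(HEADER_SIZE - 24)
    return (header + _env_block(ENVIRONMENT_VARIABLE_BLOCK, env_target)
            + _env_block(ICON_ENVIRONMENT_BLOCK, icon_target) + struct.pack("<I", 0))


if __name__ == "__main__":
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, scan_lnk(fh.read()))
    else:  # demo on the constructed sample; EXAMPLE-HOST is a placeholder
        print(scan_lnk(build_sample_lnk("\\\\EXAMPLE-HOST\\share\\icon.ico", "C:\\Windows\\notepad.exe")))
```

Run it over a directory of .lnk files pulled from mail attachments or a share; any hit in IconEnvironmentDataBlock is worth a look, because Explorer resolves that path merely to draw the icon. The scanner does not parse LinkInfo, which can also hold a network path, so treat it as a first-pass triage rather than a complete check.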
Service SystemD override.conf Persistence
Author: h00die
Type: Exploit
Pull request: #20538 contributed by h00die
Path: linux/persistence/init_systemd_override
Description: Introducing a new persistence module, which abuses systemd's service override mechanism. The module creates an override.conf drop-in under /etc for a specific systemd service. Once the service is restarted, it runs the payload configured in override.conf. Note that the module requires root access.
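Because the drop-in lives in a well-known place, a defender can audit for it. The following is an added example, not the module's own code or anything from the post: a Python checker that parses systemd drop-in files, reports Exec* directives in the [Service] section, notes when a drop-in clears the packaged command list (the `ExecStart=` reset line) and rates the finding higher when the executable or its arguments reference a world-writable or home directory. The parser is a minimal unit-file reader written for this example, the suspicious-directory list is a heuristic I chose, and the sample drop-in text is constructed.

```python
import os

EXEC_KEYS = ("ExecStartPre", "ExecStart", "ExecStartPost", "ExecReload", "ExecStop", "ExecStopPost")
# Heuristic (assumed here): locations a packaged service should not launch anything from.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")

# Constructed sample drop-in, as it would appear at /etc/systemd/system/example.service.d/override.conf
SAMPLE_OVERRIDE = """\
[Service]
ExecStart=
ExecStart=/usr/sbin/example-daemon --foreground
ExecStartPre=-/tmp/.example-hook
"""


def parse_unit(text):
    """Minimal unit-file parser: {section: [(key, value), ...]} keeping order and repeated keys."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections


def audit_dropin(text):
    """Return findings for one drop-in as (severity, key, value) tuples."""
    findings = []
    for key, value in parse_unit(text).get("Service", []):
        if key not in EXEC_KEYS:
            continue
        if value == "":
            # An empty assignment resets the list; a drop-in needs this to replace ExecStart=.
            findings.append(("info", key, "<reset: clears the packaged command list>"))
            continue
        # Exec values may carry prefix characters (-, @, :, +, !) before the executable path.
        tokens = value.lstrip("-@:+!").split()
        executable = tokens[0] if tokens else ""
        suspicious = executable.startswith(SUSPICIOUS_DIRS) or any(d in value for d in SUSPICIOUS_DIRS)
        findings.append(("high" if suspicious else "medium", key, value))
    return findings


def find_dropins(root="/etc/systemd/system"):
    """Yield (path, findings) for every *.conf inside a *.d drop-in directory under root."""
    for dirpath, _dirs, files in os.walk(root):
        if not dirpath.endswith(".d"):
            continue
        for name in sorted(files):
            if not name.endswith(".conf"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = audit_dropin(fh.read())
            if findings:
                yield path, findings


if __name__ == "__main__":
    print("sample:", audit_dropin(SAMPLE_OVERRIDE))
    for path, findings in find_dropins():
        for severity, key, value in findings:
            print(f"{severity:6} {path}: {key}={value}")
```

On a live host, `systemd-delta --type=extended` lists every unit that has drop-ins, and `systemctl cat <unit>` prints the unit together with its overrides, so either can confirm what this script flags. A medium finding is often legitimate (administrators do override ExecStart), which is why the drop-in's mtime and the package ownership of the executable are the next things to check.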
Enhancements and features (4)
- #20412 from bwatters-r7 - This updates powershell/exec_powershell and swaps the existing powershell execution logic with a psh_exec call.
- #20517 from cgranleese-r7 - This adds SSL support to the PostgreSQL login scanner (brute force) module. It enables users to target servers that require an SSL connection.
- #20565 from h00die - Moves the image exec module into the persistence category and expands its capabilities by using the persistence mixin.
- #20566 from jheysel-r7 - This updates the esc_update_ldap module to account for situations where shadow credentials are not required. The module now uses shadow credentials only when it has to.
Documentation added (1)
- #20456 from RakRakGaming - This adds documentation for the auxiliary/scanner/http/wordpress_cp_calendar_sqli auxiliary module.
You can always find more documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.