Posts tagged Metasploit

Metasploit Weekly Wrap-Up: Dec. 15, 2023

Continuing the 12th Labor of Metasploit
Metasploit continues its Herculean task of expanding our toolset to tame Kerberos by adding support for AS_REP Roasting, which retrieves the password hashes of users whose accounts have the "Do not require Kerberos preauthentication" option set on the domain controller. The setting is disabled by default, but it is enabled in some environments. Attackers can request the hash for any user with that option enabled, and worse (or better?), you can query the DC to determine

Metasploit Wrap-Up 12/8/2023

New this week: An OwnCloud gather module and a Docker cgroups container escape. Plus, an early feature that allows users to search module actions, targets, and aliases.

Metasploit Weekly Wrap-Up: Dec. 1, 2023

Customizable DNS resolution
Contributor smashery [https://github.com/smashery] added a new dns command to the Metasploit console, which allows the user to customize the behavior of DNS resolution. As with the route command, it is now possible to specify where DNS requests should be sent in order to avoid information leaks. Before these changes, the Framework used the default local system configuration. Now, it is possible to specify which DNS server should be queried based on rules that match sp

Metasploit Wrap-Up: Nov. 23, 2023

Metasploit 6.3.44 released with stability improvements and module fixes

Metasploit Weekly Wrap-Up: Nov. 17, 2023

Possible Web Service Removal
Metasploit supports running with a local database, or from a remote web service which can be initialized with msfdb init --component webservice. Future versions of Metasploit Framework may remove the msfdb remote web service. Users who rely on this functionality are invited to comment on an issue currently open on GitHub [https://github.com/rapid7/metasploit-framework/issues/18439] to let the maintainers know that the feature is in use.

New module content (1)
ZoneMind

Metasploit Weekly Wrap-Up 11/10/23

Apache MQ and Three Cisco Modules in a Trenchcoat
This week’s release has a lot of new content and features modules targeting two major recent vulnerabilities that received a great deal of attention: CVE-2023-46604 targeting Apache MQ [https://www.rapid7.com/blog/post/2023/11/01/etr-suspected-exploitation-of-apache-activemq-cve-2023-46604/], which resulted in ransomware deployment, and CVE-2023-20198 targeting Cisco IOS XE OS [https://www.rapid7.com/blog/post/2023/10/17/etr-cve-2023-20198-active-exploitati

Metasploit Weekly Wrap-Up: Nov. 3, 2023

PTT for DCSync
This week, community member smashery [https://github.com/smashery] improved the windows_secrets_dump module so that it can dump domain hashes using the DCSync method after authenticating with a Kerberos ticket. Now, if a user has a valid Kerberos ticket for a privileged account, they can run the windows_secrets_dump module with the DOMAIN action and obtain the desired information. No password required. This is particularly useful in workflows involving the exp

Metasploit Weekly Wrap-Up: Oct. 27, 2023

New module content (4)
Atlassian Confluence Data Center and Server Authentication Bypass via Broken Access Control
Authors: Emir Polat and Unknown
Type: Auxiliary
Pull request: #18447 [https://github.com/rapid7/metasploit-framework/pull/18447] contributed by emirpolatt [https://github.com/emirpolatt]
Path: admin/http/atlassian_confluence_auth_bypass
AttackerKB reference: CVE-2023-22515 [https://attackerkb.com/topics/Q5f0ItSzw5/cve-2023-22515?referrer=blog]
Description: This adds an exploit for

Metasploit Weekly Wrap-Up: Oct. 19, 2023

That Privilege Escalation Escalated Quickly
This release features a module leveraging CVE-2023-22515 [https://www.rapid7.com/blog/post/2023/10/04/etr-cve-2023-22515-zero-day-privilege-escalation-in-confluence-server-and-data-center/], a vulnerability in Atlassian’s on-premises Confluence Server that was first listed as a privilege escalation but quickly recategorized as “broken access control” with a CVSS score of 10. The exploit itself is very simple and easy to use, so there was little surprise when

Metasploit Weekly Wrap-Up: Oct. 13, 2023

Pollution in Kibana
This week, contributor h00die [https://github.com/h00die] added a module that leverages a prototype pollution bug in Kibana prior to version 7.6.3. Specifically, the issue lies in the Upgrade Assistant and enables an attacker to execute arbitrary code. The vulnerability can be triggered by sending queries that set a new constructor.prototype.sourceURL directly to Elastic, or by using Kibana to submit the same queries. Note that Kibana needs to be restarted or wait for c

Metasploit Weekly Wrap-Up: Oct. 6, 2023

New module content (3)
LDAP Login Scanner
Author: Dean Welch
Type: Auxiliary
Pull request: #18197 [https://github.com/rapid7/metasploit-framework/pull/18197] contributed by dwelch-r7 [https://github.com/dwelch-r7]
Path: scanner/ldap/ldap_login
Description: This PR adds a new login scanner module for LDAP. Login scanners are the classes that provide functionality for testing authentication against various protocols and mechanisms. This LDAP login scanner supports multiple types of aut

Metasploit Weekly Wrap-Up: Sep. 29, 2023

TeamCity authentication bypass and remote code execution
This week’s Metasploit release includes a new module for a critical authentication bypass in JetBrains TeamCity CI/CD Server. All versions of TeamCity prior to version 2023.05.4 are vulnerable to this issue. The vulnerability was originally discovered by SonarSource, and the Metasploit module was developed by Rapid7’s Principal Security Researcher Stephen Fewer, who also published a technical analysis on AttackerKB for CVE-2023-4279

Metasploit Weekly Wrap-Up: Sep. 22, 2023

Improved Ticket Forging
Metasploit’s admin/kerberos/forge_ticket module has been updated to work with Windows Server 2022. In Windows Server 2022, Microsoft started requiring additional PAC elements to be present: the PAC requestor and PAC attributes. Newly forged tickets will have the necessary elements added automatically, based on the user-provided domain SID and user RID. For example:

msf6 auxiliary(admin/kerberos/forge_ticket) > run aes_key=4a52b73cf37ba06cf693c40f352e2f4d2002ef61f6031f649

Metasploit Weekly Wrap-Up: Sep. 15, 2023

Flask Cookies
This week includes two modules related to Flask cookie signatures. One is specific to Apache Superset, where session cookies can be re-signed, allowing an attacker to elevate their privileges and dump the database connection strings. While adding this functionality, community member h00die [https://github.com/h00die] also added a module for generically working with the default session cookies used by Flask. This generic module, auxiliary/gather/python_flask_cookie_signer [https://git

Metasploit Weekly Wrap-Up: Sep. 8, 2023

New module content (4)
Roundcube TimeZone Authenticated File Disclosure
Authors: joel, stonepresto, and thomascube
Type: Auxiliary
Pull request: #18286 [https://github.com/rapid7/metasploit-framework/pull/18286] contributed by cudalac [https://github.com/cudalac]
Path: auxiliary/gather/roundcube_auth_file_read
AttackerKB reference: CVE-2017-16651 [https://attackerkb.com/topics/He57FR8fB4/cve-2017-16651?referrer=blog]
Description: This PR adds a module to retrieve an arbitrary file on hosts run