Skip navigation
All Places > Metasploit > Blog
1 2 3 Previous Next

Metasploit

691 posts

This week's release of Metasploit includes a scanner and exploit module for the EternalBlue vulnerability, which made headlines a couple of weeks ago when hacking group, the Shadow Brokers, disclosed a trove of alleged NSA exploits. Included among them, EternalBlue, exploits MS17-010, a Windows SMB vulnerability. This week, EternalBlue has been big news again due to attackers using it to devastating effect in a highly widespread ransomware attack, WannaCry. Unless you've been vacationing on a remote island, you probably already know about this; however, if you have somehow managed to miss it, check out Rapid7's resources on it, including guidance on how to scan for MS17-010 with Rapid7 InsightVM or Rapid7 Nexpose.

 

The Metasploit module - developed by contributors zerosum0x0 and JennaMagius - is designed specifically to enable security professionals to test their organization's vulnerability and susceptibility to attack via EternalBlue. It does not include ransomware like WannaCry does and it won't be worming its merry way around the internet.

 

Metasploit is built on the premise that security professionals need to have the same tools that attackers do in order to understand what they're up against and how best to defend themselves. The community believes in this, and we have always supported it. This philosophy drove the amazing Metasploit contributor community to take on the challenge of reverse engineering and recreating the EternalBlue exploit as quickly and reliably as possible, so they could arm defenders with the info they need. We want to say a big thanks to JennaMagius and zerosum0x0 for their work on this.

 

From a vulnerability management perspective, there are a lot things that security practitioners can do to understand their exposure, however, with Metasploit you can go beyond theoretical risk and show the impact of compromise. Access to systems is more concrete evidence of the problem. Metasploit effectively allows security practitioners to test their own systems and dispel the hype and speculation of headlines with facts.

 

From a penetration testing perspective, research shows that over two thirds of engagements had exploitable vulnerabilities leading to compromise. Metasploit modules such as EternalBlue enable security practitioners to communicate the real impact of not patching to the business.

 

UPDATE – May 19, 2017: Security researcher, Krypt3ia, wrote a blog post highlighting a possible connection between the process that zerosum0x0 and JennaMagius went through in reversing the EternalBlue exploit, and the WannaCry attack.

 

Zerosum0x0 and JennaMagius both work at as security researchers at RiskSense, a provider of pro-active cyber risk management solutions. In response to Krypt3ia’s blog, RiskSense provided this clarification of the situation:

 

The module was developed to enable security professionals to test their organization's vulnerability and susceptibility to attack via EternalBlue. As part of their research, the researchers created a recording of the network traffic that occurs when the Fuzzbunch EternalBlue exploit is run. The purpose of this recording was to help educate other security professionals, and get feedback as they worked through the process. This kind of approach is fairly common in both the security researcher and open source contributor communities, where transparent collaboration enables individuals to pool their expertise and achieve greater results. It’s possible that data from this analysis was copied and rewritten by individuals with malicious intent; we cannot confirm if this is the case or not. Unfortunately, this is a risk that is taken whenever technical information and techniques are shared publicly. None-the-less, we believe the educational and collaborative benefits generally outweigh the risk. To our knowledge, no code from the Metasploit module was ever used in the WannaCry attacks, and once Krypt3ia’s blog pointed out the possibility that some of the information may have been used by the attackers, we removed the recording from the Github repository to ensure no other bad actors would be able to do likewise to create variants of the malware.

 

Here’s a summary of context and the technical details:

 

    • Recording the replay and playing it back works against freshly booted boxes because the Tree Connect AndX response will assign TreeID 2048 on the first few connections, after which it will move on to other tree IDs. This is the same for the user login request. The replay would then fail because the rest of the replay is using "2048" for the tree and user IDs, and the server has no idea what the client is talking about.

 

 

    • Zerosum0x0x’s research supplemented these findings by outlining that __USERID__PLACEHOLDER__ and __TREEID__PLACEHOLDER__ strings were also present in the malware.

 

Replaying ANY recording of EternalBlue will produce the same result, so the attackers may have chosen to use that particular recording to throw investigators off track. It is important to note that to our knowledge no code from the Metasploit module was ever used in the WannaCry attacks.

 

To be successful, the attackers independently implemented sending the network traffic in C; constructed additional code to interact with DoublePulsar (which is a significantly harder undertaking than just replaying the recorded traffic), implemented the rest of their malware (maybe before or after), and then released it on the world.

 

Again, Rapid7 wants to reiterate how much we appreciate community participants such as zerosum0x0 and JennaMagius, who contribute their time and expertise to better arm organizations to defend themselves against cyberattackers.

The Python Meterpreter has received quite a few improvements this year. In order to generate consistent results, we now use the same technique to determine the Windows version in both the Windows and Python instances of Meterpreter. Additionally, the native system language is now populated in the output of the sysinfo command. This makes it easier to identify and work with international systems.

 

The largest change to the Python Meterpreter is the addition of Railgun functionality. Railgun - in the context of the Metasploit Framework - refers to a set of features available in the standard API (stdapi) extension of Meterpreter. The intention of the feature set is to allow the Metasploit side to call functions in native libraries on the compromised host. This has some very practical applications when it comes to post exploitation, but is also used in some older local exploit modules. The functionality has been around since 2010, but until recently was only supported by the native Windows Meterpreter.

 

Recent additions to Metasploit are expanding the scope of this functionality to support non-Windows platforms. Specifically, the Python Meterpreter has received support for these Railgun API functions when on the Windows and Linux platforms. Bringing this functionality to the Linux platform will increase what Metasploit users can do with their sessions.

 

To demonstrate the functionality, one of the newest Linux post-exploit modules uses Railgun to call functions in libgnome-keyring.so.0 as the current user. This is then used to enumerate and extract all plaintext passwords that it holds for the user - all without having to write any files to disk.

 

Without Railgun, a common practice to call a native library code would be to upload a precompiled binary to perform the necessary tasks, or upload the source to compile one. Most penetration testers want to avoid writing things to disk for obvious reasons. With expanded Railgun support, uploading files such as these isn’t necessary.

 

For more technical details on how the new Python Meterpreter Railgun implementation works, check out this War Room blog post.

Integrating InsightVM or Nexpose (Rapid7's vulnerability management solutions) with Metasploit (our penetration testing solution) is a lot like Cupid playing “matchmaker” with vulnerabilities and exploit modules. When a vulnerability scan is imported into Metasploit, many things happen under the hood, outside of generating host, service, and vulnerability data in your workspace. In much the same way that Cupid takes into account the qualities of the individuals he is matchmaking, when a host’s service is found to have a vulnerability, Metasploit will check its ever growing store of modules for one that can potentially be run against the host’s vulnerabilities. This is referred to as an Automatic Exploitation Match. Match generation takes into account not only the vulnerability, but attributes of the host like platform, architecture, etc. This special set of criteria leads to the generation of module matches that have a pretty high chance of successfully being run on the host. Of course, just like with Cupid’s matchmaking, given the uncertain nature of networking environments and other factors, the default configuration for a module may not always work without some tweaking of parameters (e.g. using a bind payload for a target that is behind a NAT). Two people may be compatible, but sometimes things just don’t work out.

 

Screen Shot 2017-05-11 at 7.34.44 AM.png

The Vuln count is over 9000!! X.X

 

Modules that have been matched with vulnerable hosts can be viewed at a single vulnerability instance’s related modules tab. This is all well and good, but vulnerability instances are attributed to a single host, which means the same Vulnerability definition will show up in several Vulnerability instances, one for each host that has an instance of that Vulnerability. When dealing with a non-trivial environment containing several hosts, the table of Vulnerabilities quickly explodes in number, becoming difficult to manage and make sense of. This can be similar to the feeling of being overwhelmed by the plenty of fish that are out there in the sea: a lot of noise, when you really just want to know which are even compatible. It is difficult to determine which vulnerability instances actually have modules that can be used against them, requiring iteratively clicking on each Vulnerability instance’s related modules tab to see.  If only there was a way to view the results of matchmaking modules with vulnerabilities in an intuitive and productive way…

 

Screen Shot 2017-05-11 at 7.38.39 AM.png

Introducing the Applicable Modules tab: a list of modules that can be run against targets in your workspace.

 

Screen Shot 2017-05-11 at 7.43.57 AM.png

Quick visibility into associated hosts and vulnerability instances with aggregated counts.

 

With the latest release of Metasploit Pro, we introduce the Applicable Modules tab to the workspace analysis view. This view aims to solve the problem of making sense of a massive list of vulnerabilities. Similar to the way a single vulnerability page has a related modules tab, the Applicable Modules tab in workspace analysis aggregates a list of related modules across all vulnerable instances in your workspace. Along with each module entry in this list, relevant metadata related to the module are also quickly viewable, including the affected hosts and associated vulnerabilities. Hover over the various metadata entities to view additional information, such as services on a host or a full vulnerability description, without having to navigate away from the page. You can click on a module to autoconfigure a module run with all affected hosts filled in as targets. This list defaults to being sorted by module release date, so you can quickly see the latest hotness Metasploit has to offer that can target hosts in your environment. The Applicable Modules table densely packs and associates host, vuln, and module-matching information that is relevant to your workspace into a single view, allowing for deeper insight at a glance.

Screen Shot 2017-05-11 at 7.39.38 AM.png

Handy hover-overs to view further details without having to navigate away from page.

 

Metasploit generates quite a bit of insightful data regarding the relationship of vulnerabilities found in your workspace and their exploitability via modules. The Applicable Modules workspace analysis tab intuitively presents the relevant information relating hosts, vulnerabilities, and the exploit modules within Metasploit by listing modules that can target assets in your environment. Be sure to also catch the other productivity enhancements included in the latest release: “Single Host’s modules view as a searchable/sortable table” and “Pushing InsightVM and Nexpose Exceptions and Validations from Task Chains”. All is fair in <3 and Infosec. Happy exploiting, friends!

Ghost...what???

hdm recently provided a new exploit module for a type confusion vulnerability that exists in Ghostscript versions 9.21 and earlier, allowing remote code execution on the target. And to "kick it up a notch", this exploit got itself a snazzy logo which also contains the exploit:

GhostButt

(spoiler alert: it's called GhostButt)

Forever and a day

From mr_me comes a one-two punch in the form of two exploits which target an EOL'd Trend Micro appliance. Certain versions of the Threat Discovery Appliance contain both authentication bypass and command injection vulnerabilities, which can be used to gain access to the appliance and run whatevs, respectively. And because this product is no longer supported by Trend Micro, these vulns are expected to be "forever day".

 

HTA RCE FTW

If you're looking for remote code execution via an MS Office document vuln, nixawk's exploit module might fit the bill nicely. This new addition allows Framework users to easily craft a doc file containing an OLE object which references an HTML Application (HTA). When the target opens this document, the HTA is accessed over the network (Framework acting as the server, of course), and remote code execution is back on the menu.

 

Feeling constrained?

Mercurial SCM users with ssh access can now move about more freely thanks to a new exploit module from claudijd. By targeting weak repo validation in HG server's customizable hg-ssh script, users can use this module to break out of their restricted shell and execute arbitrary code. Give it a go and enjoy your new-found freedom...!

 

But wait, there's more!

Rounding out our tech updates, bcook-r7 has given us a polite push forward and "flipped the switch" so that the POSIX Meterpreter used by Framework is now providing Mettle as its payload. Not only does Mettle weigh-in at ~1/2 the size of the old POSIX Meterpreter, it also provides more functionality. Additionally, it's being actively worked on these days, unlike the old POSIX Meterpreter. Yes, plz!

 

The Summer of Code is upon us!

We are excited to welcome Tabish Imran, B.N. Chandrapal, and Taichi Kotake to the Metasploit community as 2017 Google Summer of Code students. We thank everyone who took the time to participate; it was a fierce competition, with over 30 applicants. Look forward to seeing the great projects these students create this summer!

 

New Modules

Exploit modules (6 new)

 

Auxiliary and post modules (1 new)

 

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

Editor's Note: While this edition of the Metasploit Wrapup is a little late (my fault, sorry), we're super excited that it's our first ever Metasploit Wrapup to be authored by an non-Rapid7 contributor. We'd like to thank claudijd -long-time Metasploit contributor, Mozilla security wrangler, and overall nice guy - for writing this post. If other Metasploit contributors want to get involved with spreading the word, we want to hear from you!

 

We should be back on track timing-wise with our Wrapup for this week on Friday.  Without any further delay, here's what's new in Metasploit versions 4.14.4 through 4.14.11.

- JE

 

Here's my number, text me maybe?

Metasploit sessions can happen at any time. Fortunately, you can always be plugged in to what's going on with the new session notifier plugin, compliments of wchen. This plugin allows you to send SMS notifications for Metasploit sessions to a variety of carriers (AllTel, AT&T wireless, Boost Mobile, Cricket Wireless, Google Fi, T-Mobile, Version, and Virgin Mobile) so you'll never miss out on the pwnage.

 

sms.png

 

Text-editors and Programming Languages

If you've ever been cornered by a VIM user around the water cooler and been regaled to exhaustion about why you should also choose VIM, you probably hold your ability to choose in high regard. Recently, acammack extended Metasploit to provide initial support to include more choice in what programming language you can write Metasploit modules in. The idea here would be that instead of being forced to write all modules in Ruby, you could write one in Python, Go, LOLCODE, or whatever your heart desires.

 

Improve Your Spider Sense

Many of us have had that feeling before that something doesn't add up, you can think of it as your own "hacker spider-sense." This can sometimes happen when you tell yourself, "that seemed way too easy" or "these services don't quite make sense", only to find out later that you've owned a honeypot. To help fight against this, thecarterb recently added an auxillary module to Metasploit, which allows you to check Shodan's honeyscore to see if your target is or is not known to act like a honeypot with a score between 0.0-1.0 (0.0 being not a honeypot and 1.0 being a honeypot). Having this data can be useful both after exploitation (to realize your blunder) or even earlier in the process to avoid an obvious honeypot before you send a single byte in its direction.

 

Waste Not, Want Not

You never know when a useful bit of information will be the key to another door. In that spirit, it's encouraged to loot as much as you can when you can. Recently, a number of useful modules have been added to help you loot as much as possible and improve your odds of success...

 

Multi Gather IRSSI IRC Passwords - This post module allows you to steal an IRSSI user's configuration file if it contains useful IRC user/network passwords. This could be helpful if you'd like to mix in a little social engineering, by impersonating your target to get additional people working for you.

 

Windows Gather DynaZIP Saved Password Extraction - This post module allows you to harvest clear text passwords from dynazip.log files. This can be pretty handy if you have have an encrypted zip file that you need opened in a hurry.

 

Multiple Cambium Modules - If you find yourself testing Cambium ePMP 1000's, you're in luck, as multiple modules have been added to effectively juice all sorts of information from these devices. These modules allow you to pull a variety of configuration files and password hashes over HTTP and SNMP. This is helpful to identify a shared password or password scheme that's been re-used on other network infrastructure devices to expand your influence.

 

New Modules

Exploit Modules (5 new)

 

Auxiliary and post modules (10 new)

 

Get It

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

 

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

The Server Message Block (SMB) protocol family is arguably one of the most important network protocols to be conversant in as a security professional. It carries the capability for File and Print Sharing, remote process execution, and an entire system of Named Pipes that serve as access points to any number of services running on a machine, such as Microsoft SQL Server. For users of Metasploit, they will know SMB as the protocol used for PSExec, a remote code execution module that can turn any Administrator credentials into a session on the box. It is also the protocol that has played host to several of the most high-profile vulnerabilities, such MS08-067 (the vulnerability used by the Conficker Worm), and MS03-039 (the vulnerability used by the Blaster Worm).

 

Additionally, the File and Print Sharing services mean that SMB is the default means of sharing files in a Windows environment. Whenever you create a “network share” in Windows, it is being served up over SMB. I can tell you, from personal experience, that network shares are a gold mine during a penetration test.

 

Now, armed with some understanding of why this protocol is so important, we must dive into how Metasploit handles SMB. Metasploit’s current “implementation” of SMB has been an ad hoc reverse-engineered effort that started small and was added to with each major SMB vulnerability we wrote modules to target, which turned out to be rather a lot. The implementation is extremely rough, and only supports SMB1. There are some very good reasons for why this is the case.

 

SMB is complex

SMB, by its very nature is complex. It is a binary protocol, opposed to a text protocol such as HTTP, and is only readable by computers that have been trained to do so. It also has a wide array of capabilities, some of which are interdependent upon each other.

 

Earlier I called SMB a protocol family, and that’s because it is not really just one protocol, nor is it a group of protocols operating at various layers as is the case with something like RDP. It is a Frankenstein’s Monster of efforts by different groups including IBM, Intel, 3COM, and Microsoft. The formative years of SMB were not governed by a single driving design, and it can be seen in the protocol. What’s worse, is that for a long time there was no available developer documentation for the protocol specification. Anecdotally I have heard the story that Microsoft themselves had lost any documentations on the spec, and had to reverse engineer the protocol to provide said documentation.

 

This left Metasploit developers and contributors in the position of only being able to look at packet captures to reproduce what they see going on.

 

The rise of SMB2 and SMB3 and the decline of Metasploit’s SMB

After years of dealing with SMB/CIFS Microsoft finally designed a new protocol, SMB2. They rolled this out for the first time in Windows Vista, and it has since become standard in every Windows OS. SMB2 is a more elegant and more streamlined version of the SMB protocol. Unfortunately, none of Metasploit’s existing code supported the new protocol. For a while this was fine as SMB1 was still enabled by default in the Windows OSes. Over the past few years it has become an increasingly common practice however, to disable SMB1 and only allow SMB2.

 

This change meant that Metasploit could no longer talk to those boxes. Modules from information gathering, to brute forcing, to exploits all suddenly became ineffective against these boxes. On top of this, Metasploit’s ad hoc implementation of SMB1/CIFS had become very recognizable due to its particular idiosyncrasies. IDS/IPS vendors began to differentiate between Metasploit’s SMB traffic and that of a legitimate SMB client. All of this culminated in our SMB support becoming less and less useful as time went on.

 

RubySMB to the rescue

We on the Metasploit team knew something had to be done about our aging SMB code. We weighed several options including trying to clean up the existing code. In the end, we decided to create a new library from scratch. This new library would support both SMB1/CIFS as well as SMB2, and be designed with an eye to coming back and adding the even newer SMB3.

 

We are pleased to announce that, not only have we been working on this new RubySMB gem, but that we have hit the first milestone in its development. The RubySMB Gem can do full client authentication to a remote server. It can communicate over SMB1 or SMB2, and does multi-protocol negotiation so that it can find the correct dialect to speak invisibly to the user.  It handles Extended Security mode for the old SMB1, and can handle security signing for both versions of the protocol.

 

The gem has also been integrated into Metasploit Framework for the first time. We recently added a new version of the SMB Bruteforce, auxiliary/scanner/smb/smb2_login. This version of the SMB LoginScanner module behaves essentially like the original, except that it seamlessly handles both versions of the protocol, and security signing all without any user configuration. It currently does not support the admin privilege check, which is why it has not replaced the original smb_login module.

 

This represents Metasploit’s first steps into future proofing our support for the SMB Protocol family.

 

The Future of RubySMB

We still have a lot of work to do on the RubySMB project, and a lot of important milestones to hit. In the short term, we are shooting for the following goals:

 

  • In the Gem:
    • Support for Listing, Reading, and Writing Files
    • Support for named pipes
    • Simple SMB File Share Server
  • In Framework:
    • Converting smb_version information gathering module to use the new gem
    • Converting PSExec to use the new gem
    • Building in support for the simple file server that will allow modules to define resources on the server and set callbacks for when something requests those resources, much like how the Rex HTTPServer works today.
    • Look at adding SMB Named Pipe transports for Meterpreter payloads

 

In the longer term we have several other goals we hope to accomplish with this project:

  • Adding Support for SMB3
  • Adding SMB3 protocol level encryption (potential IDS/IPS evasion capabilities)
  • Begin work on a similar project for DCERPC to integrate with this gem

 

Creating protocol libraries at this level is not a simple or easy task, but the results will be rewarding for all members of the Metasploit Community. We will be able to not only update compatibility for our existing SMB-based features, but begin expanding those capabilities. If you are interested in joining in on this effort, please check out our starting wiki page for the project.

 

- David “thelightcosine” Maloney

todb

Metasploit, [REDACTED] Edition

Posted by todb Employee Apr 1, 2017

Why should [REDACTED] have all the fun with spiffy codenames for their exploits? As of today, Metasploit is taking a page from [REDACTED], and equipping all Metasploit modules with equally fear-and-awe-inspiring codenames. Sure, there are catchy names for vulnerabilities -- we remember you fondly, Badblock -- but clearly, unique names for exploits is where the real action is at, especially when you're [REDACTED][REDACTED][REDACTED][REDACTED][REDACTED].

 

So, instead of running boring old 'exploit/windows/smb/ms08_067_netapi', now you can don your onyx tactleneck, and use CRISPYTRUFFLE like the international man of mystery that you are.

 

Need to scan for telnet banners? Sure, you could use 'auxiliary/scanner/telnet/telnet_version', like some kind of civilian, or you can be a shadowy puppetmaster and unleash the awesome power of HIDDENBOYFRIEND.

 

Or, maybe you're looking to deploy one of Metasploit's payloads as a standalone executable, given to your operative in the field. Once you've lost your tail and met your contact in a darkened, rain-slicked alley, you can hand off a USB key loaded up with VENGEFULPONY, and trust he'll do what it takes to get back across the border.

 

In order to enable these ultra-top-secret codenames, you'll need to run a fresh checkout of the development version of the Metasploit Framework. If you're on one of the binary versions of Metasploit, they'll be getting these codenames as well, so you can check if they're available by setting the environment variable DANGERZONE, like so:

 

$ DANGERZONE=1 ./msfconsole -q

 

msf > use CRISPYTRUFFLE

msf exploit(ms08_067_netapi) >

 

So take a moment today, April 1st, to read yourself into [REDACTED] by visiting http://www.5z8.info/eid-howto_j0b9mh_openme.exe. Make sure you're behind at least seven proxies when you do so, since [REDACTED] is probably watching.

egypt

Metasploit Wrapup

Posted by egypt Employee Mar 24, 2017

Faster, Meterpreter, KILL! KILL!

You can now search for and kill processes by name in Meterpreter with the new pgrep and pkill commands. They both have flags similar to the older ps command, allowing you to filter by architecture (-a), user (-u), or to show only child processes of the current session's process (-c). We've also added a -x flag to find processes with an exact match instead of a regex, if you're into that.

 

Fun with radiation

radio-stylin.jpg

Craig Smith has been killing it lately with all his hardware exploitation techniques. Check out his post from earlier this week for details of his latest work on integrating radio reconaissance with Metasploit via the HWBridge, including crafting and examining radio frequency packets, brute force via amplitude modulation, and more!

 

Java web things

 

This update includes modules for two fun Java things: Struts2 and WebSphere.

 

Struts is a Java web application framework often deployed on Tomcat, but it can run on any of the various servlet containers out there. The bug is in an error handler. Basically, if the Content-Type header sent by the client is malformed, it will cause an exception and send a stack trace back to the client. As part of its rendering process, Struts will treat the value of the header as part of a template. Templates can contain Object-Graph Navigation Language (OGNL) expressions meaning we get full code execution as the user running the web process. The exploit for this drops a file and runs it so your shells can strut their stuff.

 

WebSphere is an application server manager. It is particularly interesting because it is often used to deploy code to clusters of application servers, which means popping one box can potentially give you code execution on dozens more.

 

You used to pwn me on my cell phone

 

While MMS messages aren't as common of a phishing vector as email, they can potentially be highly successful late at night when you need those shells. Now you can send SMS and MMS messages with Metasploit, using any SMTP server including GMail or Yahoo servers. Pair this with a malicious attachment such as the one generated by android/fileformat/adobe_reader_pdf_js_interface, or a link to the Stagefright browser exploit (android/browser/stagefright_mp4_tx3g_64bit), and get that holla back.

 

New Modules

 

Exploit modules (6 new)

Auxiliary and post modules (10 new)

 

Get it

 

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

 

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

Currently, phishing is seen as one of the largest infiltration points for businesses around the globe, but there is more to social engineering than just phishing. Attackers may use email and USB keys to deliver malicious files to users in the hopes of gaining access to an organization’s network. Users that are likely unaware that unsolicited files, such as a Microsoft Word document with a macro, may be malicious and can be a major risk to an organization. Metasploit Pro can assist in the education of employees about these attack vectors.

 

Metasploit Pro’s Social Engineering functionality is often used for its phishing capabilities, but it has other options - such as USB key drops and emailing of malicious files - that are able to obtain sessions on a target’s device. As part of an internal training engagement or penetration test, these features will give more insight into the organization’s defenses against social engineering attacks. This post will cover emailing malicious files utilizing the current Microsoft Word macro file format module.

 

To begin, start a new custom campaign and configure your email starting with the email header and target list, similar to a phishing campaign. For Attack Type, select Attach File, give the attachment a name and select File format exploit.

 

Screen Shot 2017-03-17 at 10.55.18 AM.jpg

 

Search for “macro” and select “Microsoft Office Word Malicious Macro Execution”. This will create a Microsoft Word document with a macro that will deliver a payload and open a shell back to Metasploit Pro. Configure your target settings (I’ll be using the OS X Python target for this example) and payload options. Then use the “BODY” field for the content of the Word document. (You can use plain text or xml formatted data, which will be injected between the <p> and </p> tags of the Word xml document.) And click OK.

 

Screen Shot 2017-03-17 at 10.40.45 AM.jpg

 

Click “NEXT” and format your email. Save your changes and configure your email server if you haven’t done so already.

 

Launch your campaign and the email(s) will be sent to all the members of your target list and a listener will be opened for the payload. The recipients will need to enable macros in order for the payload to launch. All those that enable the macro on the specified platform will have a shell that connects back to your Metasploit instance.

 

Screen Shot 2017-03-17 at 11.03.25 AM.jpg

 

Your campaign findings will list the number of targets, recipients that opened the email and number of sessions opened. If any sessions are opened, you’ll be able to interact with that session as you would any others via the Sessions page.

 

Screen Shot 2017-03-17 at 10.49.25 AM.jpeg

 

And there you have it. Metasploit has successfully sent malicious files and opened sessions on remote targets via the Social Engineering feature without attempting a phish.

 

For more on the Microsoft Office Word Malicious Macro Execution module, see sinn3r’s post here: https://community.rapid7.com/community/metasploit/blog/2017/03/08/attacking-micr osoft-office-openoffice-with-metasploit-macro-exploits

 

Interested in learning more about Metasploit Pro’s phishing capabilities? Watch the video below to see how easy it is to build a phishing campaign targeting your users to test their ability to detect malicious emails:

 

 

 

The rise of the Internet of Things

We spend a lot of time monitoring our corporate networks. We have many tools to detect strange behaviors. We scan for vulnerabilities. We measure our exposure constantly. However, we often fail to recognize the small (and sometimes big) Internet of Things (IoT) devices that are all around our network, employees, and employees’ homes. Somewhat alarmingly – considering their pervasiveness — these devices aren’t always the easiest to test.

 

Though often difficult, it is technically possible to find and identify some of these IoT devices via their Ethernet side connection. But that doesn’t always give us a full picture of the risk these devices present to consumers or organizations. When assessing only Ethernet connected devices you can miss the wireless world that can have a major impact on the security of your organization. Wireless systems often control alarm systems, surveillance monitoring, door access, server room HVAC controls, and many other areas.

 

Which leaves us with one very critical question: how do you really determine the risk of these devices?

 

Let’s start with the basics:

  • What do these connected devices do?
  • What is the range of exposure of these devices?
  • Does the device have wireless capabilities?

 

Traditionally, we often perform perimeter scans of our 802.11 wireless networks to ensure our Access Points are secure and the network bleed isn’t too large. We can monitor these Access Points (APs) to create overlap in case one goes down or gets interference from a nearby kitchen microwave.

 

However, if you’re asking yourself, “but what about the rest of the wireless spectrum?” that’s exactly the position we found ourselves in.

 

Radio, radio, everywhere

Chances are your company and employees are already using many other radio frequencies (RFs) outside of the standard 802.11 network for various reasons. Perhaps you have a garage door with a wireless opener? Company vehicle key fobs? Not to mention RFID card readers, wireless security systems, Zigbee controlled lights, or HVAC systems.

 

What are the ranges for these devices? Are they encrypted or protected? What happens when they receive interference? Do they fail in a closed or open state?

 

The inability to effectively answer these questions (easily or even at all) is the very reason we are releasing the RFTransceiver extension for Metasploit’s Hardware Bridge, and why we think this will be a critical tool for security researchers and penetration testers in understanding the actual attack surface.

 

Now, security teams will be able to perform a much broader assessment of a company’s true security posture. They will be able to test physical security controls and better understand when foreign IoT and other devices are brought onto the premises.

 

Sunlight is the best disinfectant

Much of the activity undertaken in the name of security research can be contentious, divisive, or hard to understand. This is certainly true of RF testing, an area of research becoming both more prevalent and increasingly necessary as we see more and more technologies leveraging RF communications.

 

The most common criticism of any technology created for the purpose of security testing is that bad guys could use it to do bad things. The most common response from the security research community is that the bad guys are already doing bad things, and that it’s only when we understand what they’re doing, can effectively replicate it, and demonstrate the potential impact of attacks, that we can take the necessary steps to stop them. Sunlight is the best disinfectant.

 

This is the logic behind Metasploit, as well as what drives Rapid7’s extensive vulnerability research efforts. It is also the reasoning behind the RFTransceiver. We strongly believe that RF testing is an incredibly important – though currently often overlooked – component of vulnerability testing. We believe that failing to test the usage of radio frequency in products puts people and organizations at risk. We also believe the importance of RF testing will continue to escalate as the IoT ecosystem further expands.

 

To provide an example of this kind of testing, in 2016, Rapid7’s Jay Radcliffe disclosed vulnerabilities in Johnson & Johnson’s Animas OneTouch Ping insulin pump. The popular pump has a blood glucose meter that serves as a remote control via radio frequency in a proprietary wireless management protocol. Communications between the pump and the remote control are sent in cleartext, rather than being encrypted. This creates an opportunity for an attacker with the right technical skills and resources, opportunity, and motive to spoof the Meter Remote and trigger unauthorized insulin injections.

 

While Jay considered the likelihood of an attacker exploiting these vulnerabilities in the wild to be quite low, it could seriously harm a patient using the technology. Fortunately, Jay’s research uncovered the problem and he was able to work with Johnson & Johnson to notify patients and advise them of ways to mitigate the risk. Without RF testing, these vulnerabilities would have continued to go unnoticed, and patients would not have the opportunity to make informed choices to protect themselves.

 

How it works

Just one quick author’s note before we get into the ‘how-to’ portion. Rapid7 does not sell the hardware required to perform RF testing. The required hardware can be found at any number of places, including Hacker Warehouse, Hak5, or any electronics store that carries software defined radios or RF transmitter hobbyist equipment.

 

With the RFTransceiver, security pros have the ability to craft and monitor different RF packets to properly identify and access a company’s wireless systems beyond Ethernet accessible technologies.

 

The first RFTransceiver release supports the TI cc11xx Low-Power Sub-1GHz RF Transceiver. The RFTransceiver extension makes it possible to tune your device to identify and demodulate signals. You can even create short bursts of interference to identify failure states. This release provides a full API that is compatible with the popular RfCat python framework for the TI cc11xx chipsets. If you have existing programs that use RfCat you should be able to port those into Metasploit without much difficulty. This release comes with two post modules: an Amplitude Modulation based brute forcer (rfpwnon) and a generic transmitter (transmitter).

 

How to use RFTransceiver

Using the new RFTransceiver extension requires the purchase of an RfCat-compatible device like the Yard Stick One. Then download the latest RfCat drivers, included with those drivers you will find rfcat_msfrelay. This is the Metasploit Framework relay server for RfCat. Run this on the system with the RfCat compatible device attached.

 

Then you can connect with the hardware bridge:

RFTranceiver Usage

$ ./msfconsole -q

msf > use auxiliary/client/hwbridge/connect

msf auxiliary(connect) > run

 

[*] Attempting to connect to 127.0.0.1...

[*] Hardware bridge interface session 1 opened (127.0.0.1 -> 127.0.0.1) at 2017-02-16 20:04:57 -0600

[+] HWBridge session established

[*] HW Specialty: {"rftransceiver"=>true}  Capabilities: {"cc11xx"=>true}

[!] NOTICE:  You are about to leave the matrix.  All actions performed on this hardware bridge

[!]          could have real world consequences.  Use this module in a controlled testing

[!]          environment and with equipment you are authorized to perform testing on.

[*] Auxiliary module execution completed

msf auxiliary(connect) > sessions

 

Active sessions

===============

 

  Id  Type                   Information    Connection

  --  ----                   -----------    ----------

  1   hwbridge cmd/hardware  rftransceiver  127.0.0.1 -> 127.0.0.1 (127.0.0.1)

 

msf auxiliary(connect) > sessions -i 1

[*] Starting interaction with 1...

 

hwbridge > status

[*] Operational: Yes

[*] Device: YARDSTICKONE

[*] FW Version: 450

[*] HW Version: 0348

 

To learn more about the RFTransceiver, you can download the latest Metasploit here: https://www.rapid7.com/products/metasploit/download/community/

Spend the summer with Metasploit

 

I'm proud to announce that the Metasploit Project has been accepted as a mentor organization in the Google Summer of Code! For those unfamiliar with the program, their about page sums it up nicely:

Google Summer of Code is a global program focused on introducing students to open source software development. Students work on a 3 month programming project with an open source organization during their break from university.

 

This is an amazing program that helps remove the financial barriers of contributing to Open Source. Basically how it works is you (a university student) work on an Open Source project over the summer (12 weeks) with a mentor who has experience working on that project. As long as you keep at it and hit your milestones, Google gives you money along the way based on performance. Pay your rent, stock the fridge, get coffee, whatever.

 

Open Source is the heart of the Metasploit community, but it's more than that to me. It's the means by which we, as programmers, can help improve the world a little bit at a time. We all stand on the shoulders of giants, building greater things because others before us have built great things. Like many OSS contributors, I personally started contributing to an Open Source project because it allowed me to get my work done more efficiently. By working together on Open Source, we can help others get their work done too, and enable them to build greater things. By working on Metasploit in particular, you will be helping to democratize offensive security, improving the world by giving everyone access to the same techniques that bad guys use, so they can be better understood and mitigated.

 

If Metasploit is not where your heart lies, I encourage you to consider contributing to one of the other GSoC security projects.

 

We have a list of project ideas that will have you writing some awesome code for great justice. Most everything requires at least a little Ruby, but if you're more comfortable in C or Python, there are options for you as well. Whatever you choose, I'm super excited to see what you will accomplish.

 

Important dates to know:

  • Student Application Period - March 20, 2017 - April 3, 2017
  • Student Projects Announced - May 4, 2017

 

If you are interested in participating, you should definitely check out the rest of the GSoC timeline. You will need to apply to us and also through GSoC's application page when it goes live next week on March 20th.

 

So please come work with us. Be the shoulders others can stand on.

William Webb

Metasploit Weekly Wrapup

Posted by William Webb Employee Mar 10, 2017


interrupt.jpeg

The last couple of weeks in the infosec world have appeared busier, and buzzier, than most others.  It seems almost futile to pry everyone away from the current drama--that being the bombshell revelation that intelligence agencies collect intelligence--long enough to have them read our dev blog.  Regardless, we've been busy ourselves.  And if you're the least bit like me, you could probably use a quick respite from the cacophony.  Keeping up with all the noise is enough to make anyone feel like Ricky:

 

rickym.png

This is Ricky.  Don't be like Ricky.

 

Features and Fixes

 

There are few things worse than getting a Meterpreter session on a host, only to find yourself unable to download large files that you might be interested in because your connection is spotty.  Unfortunately, download timeouts in such sessions have been a reality for as long as Meterpreter has been around.  Thankfully, a recent patch by Pearce Barry goes a long way to alleviate said issues by providing more fault tolerance to adverse network conditions.  I personally tested this on over 1GB of data across a network link with 20% packet loss, and while it felt like I was using CompuServe once again, it delivered the goods.

 

Other issues addressed include a fix by mrjefftang for an issue in BrowserExploitServer.  Instead of delivering the obfuscated Javascript from JSObfu, raw Javascript was mistakenly being sent.  Good catch.  Also, a major rewrite of the reverse_shell_jcl payload was submitted by bigendiansmalls and merged.  Functionally, it behaves the same as the previous iteration; however, the actual code is much cleaner and easier to maintain.  So if you haven't tried your hand at IBM mainframe hacking, it's now even easier to jump right in.

 

A Requiem for Meterpreter Scripts

 

We obliterated what we believe to be the last vestige of Meterpreter scripts in framework.  In their time, an exploit module may have used migrate -f to automatically migrate the session to another process on the target.  This is now handled by 'post/windows/manage/priv_migrate', and has been for some time.  The old migrate -f argument set in InitialAutoRunScript was pointed at this new module; however, there's been a few hiccups over the last few weeks.  That's been corrected, and all should now be right with Windows process migration.  Note: This doesn't mean that your personal custom scripts will stop working. Scripts are still a handy way to bust out a prototype to get stuff done quickly without needing to care about the reliability requirements of a post module.

 

In other assorted bugfix news, Brendan Watters resolved an issue that occurred when sorting tables from auxiliary modules when the results contained both IPv4 and IPv6 addresses.  We also updated Metasploit to use the latest Nexpose client libraries, so it's now able to validate that it's communicating with a trusted Nexpose instance via preconfigured SSL certificates.

 

Docker!

 

One final item in this release was the addition of a basic Dockerfile and Docker Compose configuration.  With support for Docker, you can now isolate your Metasploit instances, and it allows you to both quickly and easily setup new testing and development environments.  Plans are in the works to publish the container to hub.docker.com, and users will be able to deploy new installations of Metasploit Framework just as easily as they would other applications using Docker.

 

New Modules

 

Exploit modules (5 new)

Auxiliary and post modules (2 new)

 

Get it

 

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

 

 

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

 

That's all for now.  Stay tuned, as we have several interesting projects in the works that should be debuting in the coming weeks.

office_icon.pngIt is fair to say that Microsoft Office and OpenOffice are some of the most popular applications in the world. We use them for writing papers, making slides for presentations, analyzing sales or financial data, and more. This software is so important to businesses that, even in developing countries, workers that are proficient in an Office suite can make a decent living based on this skill alone.

 

Unfortunately, high popularity for software also means more high-value targets in the eyes of an attacker, and malware-infested Office macros are like an irritating rash that doesn't go away for IT professionals.

 

A macro is a feature that allows users to create automated processes inside of a document used by software like Microsoft Word, Excel, or PowerPoint. This is used to enhance user experience, increase productivity, or automate otherwise manual tasks. But, in other words, it executes code. What kind of code? Well, pretty much whatever you want, even a Meterpreter session!

 

Macro attacks are nothing new or unusual. A typical attack usually involves embedding malicious macro code in an Office document, sending it to the victim, and asking him or her very nicely to enable that code. The saddest part isn't how lame the attack is, since you are basically begging the victim to run your malware. It's that people have been falling for this trick for decades!

 

The impact of such attacks should not be underestimated. In fact, malicious macros are often used in ransomware, and other high-profile breaches. For example, the Cerber Ransomware was a macro attack against Office 365 that put millions of users at risk. Since Office 365 is extremely popular in businesses, we expect it to be one of malicious macros' favorite audiences for quite some time.

 

Yup, I think people call that social-engineering, and apparently it always works. I figured: "ok, why not, a shell is a shell. Let me write some exploits for these"... and that's how Metasploit's macro exploits were born:

 

The Microsoft Office Macro Exploit

This Microsoft Office macro exploit is specifically written for the Word document format. It has been tested against these environments:

 

  • Microsoft Office 2010 for Windows
  • Microsoft Office 2013 for Windows
  • Microsoft Office 2016 for Windows
  • Microsoft Office Word for Mac OS X 2011

 

The following demonstrates how to create a macro exploit for Microsoft Office for OS X, setting up a handler, as well as obtaining a session:

 

msft_osx_macro_demo.gif

 

If you actually have a valid certificate to sign the malicious macro, you can actually apply that by using Microsoft Office to sign it. Having a valid cert will not have the "Enable Content" prompt, Microsoft Office will just execute your code by default. However, this is obviously only ideal for internal use. Good certificates are expensive.

 

The OpenOffice Macro Exploit

The Apache OpenOffice macro exploit is specifically written for OpenOffice Writer (odt). It has been tested against these environments:

 

  • Windows with Powershell support (which should be the case since Windows 7)
  • Ubuntu Linux (which ships LibreOffice by default)
  • OS X

 

Unlike Microsoft, OpenOffice actually does not want to open any documents with macros, which means in order to attack, the victim has to manually do the following in advance:

 

1. Choose Tools -> Options -> Security

2. Click the Macro Security button

3. Change the security level to either medium to low.

 

If the security level is set to medium, a prompt is presented to the user to either allow or disallow the macro. If set to low, the macro will run without warning.

 

Now let's talk about how to use the exploit. The design for it is actually different than the Microsoft one: not only will it create the malicious document file, the module will also spawn a web server, and a payload handler. The purpose of the web server is when the victim runs the macro, the malicious code will download the final payload from our web server, and execute it. The following demonstrates how to use the exploit:

 

openoffice_demo.gif

 

Exploit Customization

Although the Metasploit macro exploits work right out of the box, some cosmetic customizations are probably necessary to make the document look more legit and believable.

 

To do this, you will need a copy of either Microsoft Office or OpenOffice (depending on the type of exploit you're using), and then:

 

  1. Generate the exploit
  2. Move the exploit to a platform with Office that can edit the document
  3. Open the document with Office, do your editing there. When you're done, simply click save. As long as you're not modifying the macro, it should still work

 

Time to Play!

Congratulations, young grasshopper! If you've read this far, and have not fallen asleep, then you are ready to start your journey of sweet Office macro pwnage. But before you leave, if you have never used Metasploit - a cyber weapon forged in the fires of um... Austin, Texas - then you shall download it here. If you already possess such power, then we strongly recommend you run msfupdate.

 

Go now, embrace your destiny of pwnage, and let that glory be yours with Metasploit Office macro exploits.

Penetration testing with Metasploit made easy.

 

Millions of IT professionals all over the world want to get into the hot field of security, and Metasploit is a great place to start. Metasploit Framework is free, used by more penetration testers than any other tool, and helps you understand security from the attackers perspective. There’s one problem: it's hard to use Metasploit without vulnerable services to play against.

 

To help, the Metasploit team has created vulnerable OS images (Metasploitable2 and Metasploitable3), each containing dozens of vulnerable services that a user can cut his/her teeth with. However, these images contain small subset of the thousands of Metasploit modules available for users. You may wonder why we don't have vulnerable services available for testing and training every module. The reason is simple: it can be very time-consuming and difficult to configure vulnerable services. First, you have to obtain the vulnerable software, and then install, and configure each service. Sometimes, older software is simply unavailable for download, either because it is too old, or because the vendor removed it for security reasons. Depending on the software, setting up even one vulnerable service can take hours, if not days. While Metasploitable VMs makes the job of setting up your first vulnerability lab much easier, it is still not simple.

 

We developed the Vulnerable Services Emulator to fill this gap. It is a framework that makes it easy to emulate the vulnerable services for penetration testing purposes.  Right now, it emulates over 100 vulnerable services, covering things like compromising credentials, getting a shell from the victim, and more. After going through module exercises, users can learn details about security vulnerabilities and how to test them, and are encouraged to continue to learn and play with Metasploit’s capabilities. It is like a high-interaction honeypot, but specially tuned to be exploitable.

 

This tool is very easy to install and use.  All you need to run it is a working Perl installation for your favorite OS (Windows, Mac or Linux). Directions for installing the tool, which only takes a minute, are on Github page for this project.

 

In addition to learning, the emulator can be used to perform system testing on Metasploit modules themselves, providing feedback to the community on how to make modules more effective. But, the ultimate goal of the project is to help the community learn and make it even easier to get into penetration testing and Metasploit!

 

Example Usage

 

Here we are emulating a vulnerable printer service that is targeted by the Metasploit module exploits/windows/iis/ms01_023_printer.  The IP address 0.0.0.0 means we will bind to 0.0.0.0, and be accepting connections on any network interface. The default IP to bind is “127.0.0.1” which only connects from the same host. This is more secure when your Metasploit instance is installed on the same server.

 

Screen Shot 2017-02-26 at 5.55.50 PM.png

 

Here is the Metasploit configuration, which is configured to target the emulated service. You can see a session is established.  Note that the commands are actually executed on the target, so please run this emulator in a safe environment if you don't want it to be owned :-)

Screen Shot 2017-02-26 at 6.00.57 PM.png

 

That’s pretty easy right? What’s even nicer about this framework how easy it is to develop a new emulated vulnerable service. We know developers have very different preferences on programming languages, so instead of implementing the vulnerable services using a particular language, the framework describes vulnerable service interactions in JSON. It’s not a programming language per se but it has enough logic for service emulation. The following is the description for the vulnerable printer service.

 

Simple JSON description on an emulated service

"exploits/windows/iis/ms01_023_printer": {

  "desc": "set payload windows/shell_reverse_tcp",

  "seq": [

    ["regex", "GET http:\/\/.*\/NULL.printer?"],

    ["HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n", ["action", ["connect", ":4444"]]]

  ]

},

 

In the above JSON code, the most important part is the “seq” section, which represents the sequence of messages used for the exploit.  It has an even number of entries (in this case, there are 2 entries). The odd-numbered entries are conditions. When a message comes in, it’s matched against the odd-numbered entries starting from the first; when there is a match, the corresponding even-numbered entries will be the action.  Typically, the action involves sending a response.  But it can also include an action such as making a new connection (like connecting back as a metepreter session in our case). This makes it easy to emulate vulnerable services and trigger them to set up a connection back to attacker.

 

At the core of the project, we implemented a framework (an interpreter) to execute the JSON based service description file. The current implementation is in Perl, but you can implement the framework in other programming languages of your choice.

 

The github project, we will have more technical details on the tool and its usage. It’s our hope that this tool can help you to enjoy a better learning experience in the exciting field of security and eventually become a security professional. Be sure to let us know if you have any feedback!

Pearce Barry

Weekly Metasploit Wrapup

Posted by Pearce Barry Employee Feb 23, 2017

I gave at the office

The office can be a popular place when it comes to giving. From selling kids' cookies/candy to raising awareness for a charity, the opportunity to 'give at the office' is definitely a thing. And now, thanks to Office macros, Metasploit offers a new way to give (and receive!) at 'the Office'.

 

These days, using malicious macros in office productivity programs is still a common attack vector. Designed with a handful of word-processing programs in mind (including some open source), Metasploit can now generate documents which utilize macros to execute an injected payload. Once a target receives and opens one of these documents (with macros enabled), the payload is executed, and now you have a shell or Meterpreter session (or whatever your payload is). Who says it's better to give than to receive?

 

 

When the sequel is better than the original

In the vein of "creative ways to achieve code execution on a MS SQL server", here's a new one which doesn't write to disk and works on a number of MS SQL versions. By setting up a stored procedure (with some pre-built .NET assembly code Metasploit provides) on the target, one can then issue a query containing an encoded payload, which will be executed as native shellcode by the stored procedure (woo!). Valid credentials with a certain level of privilege are required to use this new module, then you're good to go.

 

Screen Shot 2017-02-23 at 11.11.01 AM.png

 

Logins, logins, everywhere...

We've had a couple of good login-related fixes recently, including a fix to properly honor USER_AS_PASS and USER_FILE options when running a login scanner. Also of note is a fix to the owa_login module to properly handle valid credentials when a user doesn't have a mailbox setup. And if you'd rather skip logins entirely, grab yourself a misfortune cookie and check out the new authentication bypass RomPager module.

 

New Modules

Exploit modules (4 new)

Auxiliary and post modules (1 new)

 

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

Filter Blog

By date: By tag: