Skip navigation
All Places > Metasploit > Blog > 2010 > November

Originally Posted by Chris Kirsch




Bill Swearingen aka hevnsnt blew us away by designing
a Metasploit ambigram for the Metasploit Pro tattoo

You may remember Roy’s Metasploit tattoo a few weeks ago, which prompted our Metasploit Pro tattoo competition. We thought it was a cute idea, expecting a few fun pictures with felt pen tattoos or tattoo photo montages of of the Metasploit logo. 

We weren’t counting on Bill Swearingen from
I-Hacked (aka hevnsnt on Twitter), who blew us away by creating a Metasploit ambigram design for his photoshopped tattoo. For those poor souls among you who haven’t read Dan Brown’s Angels & Demons: an ambigram is a word that can be read right side up or upside down.















Turn your screen on its head if you don’t believe me, but don’t drop your old tube monitor on your toe. 

Bill, many thanks for the extra effort. You really earned your free Black Hat Briefings pass. Looking forward to meeting you there. By the way, cool desktop background! 

Even though the tattoo contest deadline has now passed, we encourage all of you to keep sharing your creativity with us through
Twitter, Facebook, this blog and when we meet in person. Our desire to award a new Metasploit “spot” prize could strike at any moment!

Originally Posted by Chris Kirsch

Setting listener host and ports for payloads in
Metasploit Pro


Life is full of disappointments: You spend a lot of time flirting with a cute new machine, convince it to accept your payload, and never get a call back – just because the big bad NAT is not letting your new sweetheart phone home. That’s why many of you broken hearted pentesters have asked us to make the listener port and IP address for payloads configurable to ports that are usually accessible, such as ports 80 and 443. This week’s release of Metasploit Express and Metasploit Pro enables this configuration, so that your new found love can phone you back. If you’re using Metasploit Pro, you can also use VPN pivoting to talk to her sisters, which I blogged about earlier this week.


Enough love – back to business! This week, you have 12 new modules to play with, including an unpatched Internet Explorer exploit, the ProFTPD buffer overflow (for Linux and FreeBSD) and yet another Adobe exploit. Metasploit Pro’s social engineering campaign feature now supports SMTP authentication when sending out emails with phishing links or exploit attachments. We’ve also added more granular control in the discovery phase with custom nmap command lines. In the smart bruteforcing dialog, you can now upload wordlists through the interface to tweak your dictionary attacks with terms tailored for your target. For example, you can upload a medical terms wordlist when you attack a healthcare provider, or upload a non-English wordlist for assignments in other countries. You can also import PWDump format files for pass-the-hash attacks, or export hashes to a dedicated password cracker such as john.

That’s all for today – have a great weekend!

Originally Posted by jcran



Update (11/17/2010 10:14PM): I've updated the title of this post, based on solely on the fact that I don't think the old title captured the essence of the post, and didn't convey the tone i wanted to take.


Clearly Metasploit is a commercial grade product, so the title is decidedly tongue-in-cheek, but it's important to highlight this fact. A huge benefit of the commercial products is that we now have the resources to provide QA'd snapshots (see below). In addition, every submission is hand-reviewed for correctness, and we regularly run regression tests. I'm very proud that we're able to do this, having been a pentester and run into issues with the framework which could have been caught by a QA pass. It didn't happen more than once, but it was enough to show me the value of having verified code.


The real key to the post below is that we're committed to helping pen testers solve as many of the problems that they run in to, and being as responsive as possible to customers and contributors alike. (How many other development teams do you know that /volunteer/ to take their frontline support requests?) I love hearing from folks, whether it be on the commercial or framework side.


As far as the QA story for the framework, it's only going to improve. Stay tuned for more information, and if you're interested in helping, please contact me (!!




Over the last few months, we’ve received many feature requests for the commercial Metasploit products, and we wanted to give you the low-down on a couple new features that are in direct response to your feedback. Thanks to everyone who has been involved in getting us here, it’s been a fun six months.


Metasploit Framework Tested Snapshots
First and foremost, we’re now publishing tested weekly snapshots of the Framework. If you have ever run into a bug in the framework, you know how frustrating it can be to try to determine if it’s your target, or the framework which is causing an error. With these snapshots, you can be sure the basic functionality of the framework is intact.


These are the same snapshots the commercial products are built upon, and they can be checked out from svn, much the same way that many of you obtain the framework today.To obtain one of the snapshots, simply run an ‘svn checkout’ on the latest Metasploit Express or Metasploit Pro version number. For instance, with this week’s update:



svn co



These snapshots are published weekly and links are located with each update’s release notes. You will find the list of releases here and the individual snapshot under each new release notes’s ‘Obtain this Snapshot’ heading.


Specifying Reverse Payload Connection Settings


One of the most-requested features of the commercial products was the ability to configure the port and address used for the payload connection. Users of the open source framework know these as the LHOST and LPORT options. Since the commercial products are designed to automatically select and launch multiple exploits at once, the criteria for select the correct listener host and port is a bit more complicated than the standard framework.


This update provides the ability to specify the listener port and listener address for the Bruteforce, Exploit, and Web Application exploit components, as well as through the Modules tab when doing manual exploit configuration.



The listener port can be specified using the Nmap syntax. For example, a single port (4444), a range of ports (4444-5555), or a list of ports / ranges (4444-5555,5556-6666). The ability to specify the listener address is critical when using the product in certain configurations, such as Amazon EC2 with Elastic IPs.




A little background on automatic payload selection: If you’ve used the commercial Metasploit products, you may have noticed the ‘Auto’ setting for the Payload Connection option. This option determines whether the product will listen for a connection from the target or try to connect to a listener running on the target. The Auto setting chooses this value for you based on the network configuration of the system where the product is installed and the configuration of the individual target. To determine whether to use connect-back (Reverse) or listen (Bind), the following rules are consulted.


  • A reverse payload is selected when the target is on the same network as the product.
  • A reverse payload is selected when the target and the product both use RFC1918 IPs.
  • A reverse payload is selected when the target and the product both use external IPs.
  • A bind payload is selected when the attacker is behind a NAT gateway
  • The bind port is chosen based on the firewall rules of the target


It is possible to override these settings by choosing Reverse or Bind directly. The same rules will apply to choosing the Bind port (consult the firewall configuration of the target) and the Reverse listener port and address (based on what you specify).


Concurrent exploits are restricted to the number of specified listeners. If you, for example, enter ‘4444’ for the listener port, you will be restricted to one concurrent exploit at a time. To use this option in NAT-> Internet host situations, you’ll need to forward ports from your router to your Metasploit host.


This makes it easy to launch exploits or bruteforce attacks from one host and catch sessions on another host. For example, you may have one pentester on the target’s LAN and a listener on a remote system catching shells provided by the internal pentester.


To facilitate the scenario above (internally-launched exploits, remote handler), use Metasploit Pro’s USB campaign handler or a Metasploit Framework multi/handler. And don’t forget, it’s easy to forward a range of ports to a single handler with IPTables:


iptables -t nat -A PREROUTING -p tcp -d $HOST --dport 2000:3000 -j DNAT --to $HOST:1024


Credential Import and Export



Another common request was the ability to import wordlists. You can now import credentials and password lists via the ‘Manage Credentials’ button on the Bruteforce task page.




The same file format (detailed below) can handle password lists. You can import full SMB hashes, lists of user name password combinations, or plain lists of passwords.




These passwords will be added in




to the “normal,” and “deep” bruteforce runs. They can also be tested independently with the new scan type of “Imported only.” All imported credentials are treated as unverified, and must be successful in order to show up in the project report.







Pass-the-Hash (link) has never been easier now that you can import PWDump files. Simply import the file, select Bruteforce, specify your targets and the imported-only configuration, and prepare to



own the network.



Exporting valid credentials is now easy too.




We’ve also added a new report type of “PWDump.” This generates a simple text file with of all the active credentials for a project. Especially handy is the ability to take this text file and use it directly with John the Ripper to crack SMB hashes. To create one, simply browse to the ‘Reports’ page in a project w/ credentials, and select the “PWDump” report type.




The files generated by the PWDump report can also be re-imported in two places. In addition to the ‘Manage Credentials’ interface, they can be uploaded via the Host > Import tab. If imported in this manner to a new project, the credentials will be treated as unvalidated credentials, and are ready to be validated with a typical bruteforce run.




The import of msf credential reports is also available in the framework:


db_import msf_pwdump_report.txt


Nmap command line

Additionally, The discovery scan has a new option of “Custom Nmap command line.” Here, you can provide options directly to the nmap command line. Specifically, this enables users to exercise more granular control over timing options (max retires, host timeouts, etc) and scan


types (maybe you want to just ACK and Xmas scan). Some limitations:


Disallowed options: Users cannot set the target list (-i), set the port list (-p), or set the output options (-o). The first two are handled capability by the UI, and the last is for basic file system security (no need to allow output to be redirected willy-nilly).


Administrator only: In multi-user environments, only the administrators have this option. Otherwise, it’s too easy for users to ignore the project’s scope and boundaries.


Nmap scanning is also available in the framework:


db_nmap [options]

Source port scanning


Another handy feature, and something that’s often an afterthought (or missing entirely) in vulnerability scanners is source port scanning. This is super easy to configure during discovery:













What about msfconsole?


Many of you have requested console access from within the commercial Metasploit products, and we’re happy to report that you can absolutely use a console to interact with the commercial products.
Since the Framework is snapshotted, packaged, and used as the engine of the commercial versions, you can use the following commands as root:


ruby /opt/metasploit-3.5.0/apps/pro/msf3/msfconsole
-e production -y /opt/metasploit-3.5.0/apps/pro/ui/config/database.yml


This will give you a msfconsole instance tied to the Metasploit Express/Pro database. Although not everything will work the way you would expect (for example, sessions cannot be shared), this will enable you to track session data and hosts and access this information in the Web Interface.

Where's the 0x1337beef?

Posted by rapid7-admin Nov 10, 2010

Originally Posted by jduck



As we all know, the past couple of months have been busy times for our industry. As lead exploit developer, it is my duty to stay on top of all of the vulnerabilities being published. When working through the plethora of issues published in October's patch-extravaganza, there was one particular vulnerability that I felt compelled to investigate.


That issue was CVE-2010-3509. After all, I've had a soft spot in my heart for the Common Desktop Environment (CDE) since back the late 90's.


Oracle's CPU release included this issue as a 10.0 CVSS affecting rpc.cmsd on Solaris 8, 9, and 10. As is customary of Oracle's CPU document, there were no additional details presented. At this point the issue went on the back burner.


Later that day, Digital Defense (DDI) released their advisory about this issue. Even though there was nothing substantial in the DDI advisory, it did mention "Buffer Overflow", "Denial of Service" and "integer overflow". In the "Solution Description" section, they even supplied the Sun bug ID of 6214701. This gave me hope.


Unfortunately, the Sun bug ID only stated "6214701 rpc.cmsd core dump". Wow, that was very anti-climactic.


As the days continued, multiple unpatched vulnerabilities were discovered being exploited in the wild. These issues take priority over patched issues, and so it wasn't until after they had been investigated that I could come back to the rpc.cmsd bug.


Back on this bug, I moved to the next step, patch diffing.


It had been quite a while since I had done any patch diffing against Solaris patches. I didn't know that after acquiring Sun, Oracle decided to require a valid support contract to access patches. Furthermore, for Solaris 8, you need an additional level of "legacy" support. I am generally annoyed and deterred by this kind of road block. I assume certain other researchers agree.


That said, where there is a will, there is a way. An anonymous contributor offered to provide the desired patches. Finally, on to the fun part. Armed with the usual IDA Pro and BinDiff, I set to it. I investigated Solaris 9 on SPARC first, since I had immediate access to a SPARC in the vulnerable configuration. After a dozen or so clicks of the mouse, I was finally looking at what I wanted to see. There was only one changed function, the "_DtCm_rtable_create_4_svc" function, as seen below.



After further analysis, I became quite confused. What I saw in the code differences, as you can see below, was not an "integer overflow". Nor was it a "Buffer Overflow"...



Those fluent in SPARC assembly can see, the added basic blocks are due to checks for a NULL return from the "DmCmGetPrefix" function. This function is nearly identical to the "strchr" function. Here, it is being used to search for an '@' character. Later, the returned values are passed to "strcmp" function. BUT, if you pass NULL to "strcmp", it will attempt to blindly de-reference it and cause a crash.



Then, I thought to myself, "Maybe there are other changes in one of the other patches." After all, DDI's advisory did specifically say Solaris 10. I set off to check the rest of the patches.


Turns out, all of them are the same. I checked Solaris 9 and 10, on both x86 and SPARC. In all cases, the only change was the additional of a null pointer check. Either a null pointer de-reference got a 10.0 CVSS, or Oracle didn't properly fix the vulnerability that DDI described.


Is this the kind of analysis we should expect from Oracle? I hope everyone enjoyed the time they spent downloading, applying, writing vulnerability checks, reports, and so on, for this bug! Personally, I feel a little like a child at Christmas that asked for a new game system and got a hula-hoop.


To conclude, I concede that I may have made some mistake. After all, I am human. If you have further information, please do not hesitate to contact me! I will do my best to make sure this post is factually correct.


Until next time, beware of the FUD!

Originally Posted by Chris Kirsch





Let’s assume your goal for an external penetration test is to pwn the domain controller. Of course, the domain controller’s IP address is not directly accessible from the Web, so how do you go about it? Seasoned pentesters already know the answer: they compromise a publicly accessible host and pivot to other machines and network segments until they reach the domain controller. It’s the same concept as a frog trying to cross a pond by jumping from lily pad to lily pad. 


If you have already used pivoting, chances are high that you’ve used proxy pivoting. In other words, the payload you have deployed to a compromised machine to enable pivoting is a proxy that understands and forwards specific protocols. It works, but it can be very limiting.



Metasploit Pro introduces a new type of pivoting, which we’ve called VPN pivoting because it essentially creates a VPN gateway on your target machine to which you have an encrypted layer 2 connection. VPN pivoting creates a virtual Ethernet adapter on the Metasploit Pro machine that enables you to route any traffic through the target. Let me repeat that: “Metasploit Pro is the first and only pentesting solution to route any traffic through a compromised target". 

Let’s say you’ve just pivoted into a different subnet, VPN pivoting enables you to run nmap or a
vulnerability scanner such as NeXpose through the compromised machine to discover new hosts in that subnet, for example the domain controller you’ve been after. Even better, there are no limits on how many VPN pivots you can chain behind each other. Got custom tools you’d like to use through a VPN pivot? Go ahead! 

Metasploit Pro’s VPN pivot payload does not install any software on the target machine, doesn’t show up as a separate process or give any other visual signs it's present on the machine. In other words, it’s akin to a local network tap that is virtually undetectable. And yes: you can deploy VPN pivots using social engineering attacks, such as email attachments and USB thumbdrives to get around the corporate firewall. 

In version 3.5.0 of Metasploit Pro, VPN pivoting is supported for Metasploit Pro running on Linux and targeting a Windows machine. We’ll soon extend that support, so stay tuned. In the meantime, take the software for a spin with the
free Metasploit Pro trial download!

Originally Posted by egypt



The 3.5.0 release a couple of weeks ago ran into a few minor problems in the new Windows installer.  First, Console2, our new terminal emulator, wouldn't work correctly with our setup if you already had a copy installed.  Second, installing into a directory with a space in its name would prevent Console from starting.  Lastly, and probably more important for most users, is that the new msfgui didn't work out of the box due to some incorrect paths in various places.  All of these issues have been resolved with a new installer.  The new installer still contains everything you need to run msfgui, scan a network, and store the results for use with db_autopwn out of the box.



Additionally, there is now a Windows mini installer that omits PostgreSQL, Java, and many of the things unnecessary for metasploit to run such as source code for the various non-ruby bits of the framework.  The result is a much smaller download.


Lastly, for situations where disk space is at a premium, we have added a portable zip archive that weighs in at around 26MB.  Of course, minimizing the required storage entails some sacrifices.  Specifically, the .svn files have been ripped out, removing the ability to update the framework.  If you can't live without updates, use one of the installers instead.  Despite this downside, the zip has one very important advantage over installers -- it is self-contained and portable. It can be run from a usb drive or a network share.

Originally Posted by Chris Kirsch







Be careful what we wish for: In 2006, HD Moore wrote a blog post about a redesign of the Metasploit Project, announcing that the new graphics “will be featured on tee shirts, posters, and tattoos over the coming year.” Well, you guys took a little longer than we thought but we now have our first Metasploit tattoo!  

Initially, we thought Roy Morris (aka
@soundwave1234) was joking when he tweeted to @hdmoore on October 13 that he wanted to get a Metasploit tattoo. Just in case, we contacted him to find out. 

Roy’s the man – he got the tattoo a week ago at the
Ink for a Cause competition in California. See the full story in Roy’s gallery. Roy’s currently looking for IT security gigs in North LA / Ventura County, so let him know if you’re currently hiring in this area. 

Getting a tattoo shows some serious dedication, so we’d like to say thanks. We’re sending Roy a free license of
Metasploit Pro for the duration of his tattoo. We thought a license valid for one hundred years should cover it. 

For the less dedicated, we’re opening up a competition: Tweet your Metasploit tattoo with the hash tag #MetasploitProInk by November 15th. You don’t have to get a permanent tattoo - you can submit non-permanent and Sharpie tattoos as well as photoshopped images. First 35 participants will get a one-month license for
Metasploit Pro 3.5. You’ll all get to vote for the best Metasploit tattoo artist, who will receive a BlackHat briefings pass!

Filter Blog

By date: By tag: