Metasploit Updated: Forensics, SCADA, SSH Public Keys, and More

Last updated at Wed, 07 Feb 2024 20:17:14 GMT

Been a busy week here at Metasploit, so let's get to it.

Forensics-Centric Updates 

New this week is Brandon Perry's offline Windows registry enhancements. Featuring a pile of extensions to Rex (Metasploit's general purpose parsing library) and the tools/reg.rb utility, this update builds on TheLightCosine's ShadowCopy library and makes life a lot easier for the forensics investigator looking to parse through Windows registry hives. Brandon goes into the technical details over here, so I encourage you to read up on it.

Speaking of TheLightCosine, he's also knocked out three database schema dumpers. Given remote access to a database, penetration testers can now pull the schemas from MySQL, PostgreSQL, and Microsoft SQL databases in a uniform way. This is hugely useful for both automated evidence gathering and for getting familiar with the intimate details of a freshly-compromised database.

The final addition in this week's forensics-flavored update is Stephen Haywood's simple but powerful enum_artifacts module. With this post-exploit module, investigators can build up a custom set of files and registry keys to search for on a target computer. Among other uses, this can be a handy trick for nailing down if a machine has already been compromised by known malware -- users can searching for specific files matching an MD5sum, or examine the Windows registry for tell-tale registry entries indicating infection.

Revenge of TFTP: SCADA Attacks

This week we have new modules targeting General Electric's D20 PLCs, a SCADA component that's responsible for "mud-on-the-boots" physical assets. We've been working pretty closely with the guys over at Digital Bond to develop reliable exploits that demonstrate their findings over the last several weeks, and truth be told, their research is the reason why Metasploit released a more complete TFTP client library. Now that these vulnerabilities are public knowledge, people responsible for administering and validating their SCADA infrastructure can use these modules to audit:

• d20pass : This module leverages a pretty major information disclosure for the device -- turns out, anyone who connects to the TFTP server on the D20 can snag the complete configuration for the device, which includes plaintext usernames and passwords. This module does just that -- downloads the configuration file, parses out the credentials, and stores them in Metasploit's database for reuse.
• d20tftpdb : This module demonstrates an asynchronous backdoor functionality in the D20 via the TFTP interface. Again, in an unauthenticated way, anyone can connect to the TFTP server, and issue command by writing to a special location on the filesystem. Also again, this is a pretty big deal. Note that this module is currently still in the unstable Metasploit branch pending a little more QA work on getting this (pretty unique) command and channel all nice and automated. As is, though, it works just fine for demonstration purposes, and if you have some of these PLCs in your environment, you are encouraged to investigate this more (and send patches!).

Bruteforce and SSH

Last update, @escan_sachin and @aim4r noticed on Twitter that we snuck in "updates to #metasploit auxiliary scanner modules as well." Well, that's true, but the updates in question weren't quite ready to be discussed here in blog-land. Unlike the TFTP modules, these were developed pretty much entirely in the public GitHub space, so it's kind of hard to keep that sort of thing secret. That said, the work is done now, and this new mode for SSH scanning in Metasploit is ready to be discussed here. Sorry for the mysteriousness. (:

The ssh_identify_pubkeys module allows users to take a list of SSH public keys and scan around to find out who's authorized to use them for authentication  -- without requiring the corresponding private key. This information disclosure is a useful, but little-known, feature of the SSH protocol, and can be used to audit who has access to what without compromising the integrity of an organization's private keys. For example, this is an ideal functional implementation for an IT administrator who wants to ensure that developer keys don't accidentally (or otherwise) show up on production systems. HD Moore will be talking about this and lots of other authentication scanning and bruteforce techniques in today's webcast on the topic, so sign up here to learn more.

Other New Modules and Scripts

Metasploit community contributor m-1-k-3 committed three new example resource scripts: portscan.rc and port_cleaner.rc, which help to automate up the Metasploit-Nmap integration and tidies up the database by dropping uninteresting closed port records. He also provides his autocrawler.rb script, which targets all hosts in the current workspace that have a running HTTP service and records their linked pages for later analysis.

We also have new exploits for:

• CVE-2011-0065, submitted by argp, which targets Mozilla Firefox on OSX
• CVE-2005-1790, submitted by Sam Sharps, which targets Internet Explorer's MS05-054 bug
• ZDI-12-012, submitted by sinn3r, which targets a McAfee Software-as-a-Service ActiveX control
• An uncategorized vulnerability in BS.Player 2.57, submitted by Chris Gabriel

Availability

For those of you who rely on the msfupdate command to track Framework development, you already have these sitting in your local checkout. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new Framework hotness today when you check for updates through the Software Updates menu under Administration.

For more details on what's changed and what's current, please see Jonathan Cran's most excellent release notes.