All Places > Metasploit > Blog > 2012 > April

Nothing can replace a manual security assessment, especially if you are defending against highly targeted attacks or advanced persistent threats (APTs). However, the majority of attacks are untargeted, trying to exploit or brute force servers on a large scale with minimal effort and minimal risk. So why are penetration testers still mostly testing by hand, especially if they are overworked and companies are having trouble hiring skilled people?


According to the Verizon business report, 67% of data breaches involved low or very low difficulty for the initial compromise. Just to drive the point home, here is how the report classifies low difficulty: “Basic methods, no customization, and/or low resources required. Automated tools and scripts.” In other words, no human interaction was required to get into 67% of the companies breached. That’s a lot of low-hanging fruit that is easy to protect against. The best part: you won’t even have to stay late because, like the attackers, you can automate the entire process.


Slicing the data further, 81% of breaches involved some sort of hacking, which is up 31% from last year. In that category, the top three threat action types were:


  • Exploitation of default or guessable credentials (44%)
  • Use of stolen login credentials (32%)
  • Brute force and dictionary attacks (23%)


As of version 4.3, which was released today, Metasploit Pro can now automate looking for these attack vectors:




For example, you could run the following tasks every weekend:


  1. Scan the network, either with Metasploit Pro's discovery scan or with the Nexpose vulnerability scanner (both new scans and site imports are supported). This will also discover all new, unauthorized, and BYOD devices on your network.
  2. Try to exploit all vulnerable hosts. Collect passwords and password hashes on machines that are exploitable.
  3. Try default and guessable passwords on all hosts. Collect passwords and password hashes on machines with weak passwords.
  4. Have the report emailed to you.


Because automated tests can be carried out more frequently at no additional cost, they uncover threats more quickly than manual security assessments, which are typically few and far between. Finding this low-hanging fruit early matters because attackers can automate the process just as easily. In addition, regularly scheduled simulated attacks exercise security controls such as IDS and SIEM systems and verify that they actually alert.


Generally speaking, automated security assessments can adversely affect a production environment, for example when an unreliable exploit crashes the service it targets instead of gaining a session. This is why Metasploit’s smart exploitation is configured by default to use only exploits that our quality assurance has rated as reliable. And remember: manual tests also carry the potential for human error.


While automated security assessments raise your overall security baseline against run-of-the-mill automated attacks, they are no substitute for manual testing if you also expect to be the target of APT-style attacks, where the attacker plans the attack strategically and can bring his or her intellect to bear. Getting the basics out of the way with automated testing also makes ethical hacking more interesting, because the attack scenarios start at a more sophisticated level. Automation can only supplement existing penetration tests and help companies do more with the limited number of skilled penetration testers they employ, especially at a time when skilled penetration testers are hard to find.


To try out the new automation features, download a free Metasploit Pro trial today.

It’s been a fun and challenging month for the Metasploit team, and we’re happy to announce that Metasploit 4.3 is ready and available for you to download. Metasploit 4.3 ships with 33 new exploits, 20 new auxiliary modules, 11 new post-exploitation modules, 4 new payloads, and some nifty new features on the Metasploit Pro side. That’s a lot of new stuff, so let’s just cover the highlights for this release.


Task Chains


A feature that makes it super easy to automate tasks in Metasploit Pro? Yes please. Task chains let you configure a series of tasks and run them according to a schedule. In previous releases of Metasploit Pro, you had to run tasks one at a time by hand, such as scan, attack, and generate a report. Now you don't have to wait for each task to complete before you kick off the next one. Task chains automate the entire process for you, making it possible to discover threats on a more frequent and consistent basis. To forgo the days of hand testing, go to the Tasks area in the Metasploit Web UI and create your very first task chain.

E-mailing Reports


The new email option for reports makes it super easy to share test results with your team and organization. This feature enables you to automatically e-mail a report as soon as Metasploit Pro generates it. You just need to enable the e-mail option and provide a recipient list for the report task, and then set up a mail server for Metasploit Pro to use. We've added new SMTP settings to the global settings to support the configuration of a mail server. To e-mail your first report, check out the Reports area in the Metasploit Web UI.


Updated Architecture


Metasploit 4.3 ships with a number of dependency updates, including:

  • Ruby 1.9.3-p125
  • Java SE 7u3
  • Rails 3.2.2
  • PostgreSQL 9.1

New Stuff to Read


Since our last release, we've posted a few new guides to the Community site. To recap, here they are: Metasploit AMI Set Up Guide, Metasploitable Set Up Guide, and Metasploit OVF Deployment Guide. If you have suggestions for how-to guides that you would like to see, please let us know.


Road to 4.3


Metasploit 4.3 includes all updates that we've integrated from the open source development community since the release of Metasploit 4.2 in February. These updates include new SCADA modules, DNS payloads, Spiceworks asset list support, smarter sessions, improved searching in msfconsole, a Java exploit for CVE-2012-0754, POSIX Meterpreter, and much more.


Get More Information and Download Metasploit


For more information on this release, check out the Release Notes. If you just want the latest version of Metasploit, go here now. Enjoy!


2Pac, Jay-Z, and Eminem - watch out for this year's new music star: Marco. I recently heard this track and wanted to share it with you. Great tune, and free for you to download for the weekend!


Download: What You Need - Metasploit!


If you would like to hear more Nerdcore music, also check out DualCore's 2011 Metasploit track!

I recently checked a C# library into GitHub that allows easy communication with Metasploit and integration from your Mono/.NET applications.


The library follows the same Session/Manager pattern as the Nexpose library I mentioned previously in the Nexpose blog. It has support for both the core Metasploit RPC and for the Metasploit Pro RPC.


Getting started is easy. To give you a feel for the classes at your disposal, here are a few quick examples. Within the metasploitsharp namespace you have a MetasploitSession class and two managers (MetasploitManager and MetasploitProManager). MetasploitManager implements the core RPC methods, while MetasploitProManager inherits from MetasploitManager and adds the Pro features. All three classes can be used within the context of a using statement; MetasploitSession automatically logs out your session when the object is disposed at the end of its context.



using System;
using System.Collections.Generic;
using metasploitsharp;

// Log in, fetch the core module statistics through the manager, and print them.
using (MetasploitSession session = new MetasploitSession("metasploit", "password", ""))
using (MetasploitManager manager = new MetasploitManager(session))
{
    Dictionary<object, object> response = manager.GetCoreModuleStats();

    foreach (var pair in response)
        Console.WriteLine(pair.Key + ": " + pair.Value);
} // session is logged out here at the end of its context, no need to manually log out.



You may also call methods directly off of the session object, and ignore the MetasploitManager completely.



// The same call made directly on the session, bypassing the manager classes.
using (MetasploitSession session = new MetasploitSession("metasploit", "password", ""))
{
    Dictionary<object, object> response = session.Execute("core.stats");

    foreach (var pair in response)
        Console.WriteLine(pair.Key + ": " + pair.Value);
} // session is logged out here


Because C# is statically typed while the RPC server is written in Ruby, which is dynamically typed, you are at the mercy of Dictionaries of objects that can be any type. I have done my best to do most of the typing behind the scenes in the MetasploitSession class, but the types in the Dictionaries that are returned vary from method call to method call, so you must know what to expect and cast accordingly on your end.


There are plenty of examples in the github repo, going over both Core and Pro API features. This library is released under a BSD license, so feel free to fork and do what you will.

Looks like there is another hacker movie coming out soon called "Reboot", as seen in the trailer and screen shots below. It's always cool to see Metasploit appear in movie and TV productions. If anyone out there has seen a screening of the film let us know.


See Trailer -> Reboot Trailer - YouTube


Here's a couple of screen captures from the trailer with Metasploit cameos:



This week's update is packed full of awesome, and I don't use that term lightly.


SCADA Attacks, DigitalBond, and Metasploit


This week sees the addition of six new SCADA modules, targeting a variety of PLC devices, including two new modules aimed at the Schneider Quantum programmable logic controller (PLC).  In order to give penetration testers the ability to accurately assess SCADA infrastructure, Tod Beardsley (from Rapid7) and K. Reid Wightman (from DigitalBond) have been collaborating over IRC to bring DigitalBond's SCADA vulnerability assessment research to the general Metasploit audience. You can read more about DigitalBond's work here. For Metasploit users, here are the new modules in a nutshell:


  • modicon_command allows a remote, unauthenticated user to issue stop and start commands, which do exactly what they sound like. If an attacker can reach the Modbus TCP port, the attacker can simply stop the CPU without authenticating.
  • modicon_stux_transfer allows a remote, unauthenticated user to download and upload the running "ladder logic" (the PLC's instruction set). Again, this is completely unauthenticated connectivity via Modbus, and this functionality is similar to the SCADA payload of the Stuxnet worm.


In testing, we noticed that uploading ladder logic is somewhat more reliable when the Modicon device is in the STOP state, so these two modules used together can make for reliable code execution.


We've also reviewed and revised four of DigitalBond's previously released Basecamp Metasploit modules for this release:


  • d20_tftp_overflow : Triggers a Denial of Service condition due to a buffer overflow vulnerability in GE's D20ME PLC TFTP server.
  • koyo_login : Bruteforces the authentication passcode on a Koyo DirectLogic PLC
  • modicon_password_recovery : Given default FTP credentials, extracts the "write" password to the HTTP interface of the Schneider Modicon Quantum as well as the VxWorks hashes of all supervisory users.
  • multi_cip_command : Issues up to four unauthenticated stop and reset commands to a variety of PLCs which implement the Ethernet/IP Common Industrial Protocol.


SCADA Defense Measures


While most PLCs are not connected to the Internet directly, some are. If one of them is yours, you might want to examine the wisdom of that ingress policy (or, more likely, correct this misconfiguration). You really don't want just anyone stumbling across your PLC and rewriting your ladder logic for you. Other defensive measures include:


  • Talk to your IPS/IDS vendor. Do you have signatures or filters available and enabled to detect SCADA access? Even if you think your devices aren't reachable from outside the control network, it's usually a Good Idea(tm) to monitor for traffic you're not expecting to see. People screw up routing tables and firewall rules, so an IPS ready to leap to the defense can save your bacon. After all, many of these protocols are pretty distinctive, so they're not difficult for deep packet inspection to pick up on.
  • Change the defaults. Some of the default usernames and passwords are USER and PASSWORD on these things. They're defaults in order to get your gear up and running, and are not intended for real production use. Change them, and rotate them on some kind of schedule, when people leave the organization, and all the other usual password management advice.
  • Talk to your SCADA vendor. You've got your firewalls, your IPS, and your hard to guess passwords. What else can you do? Insisting that your vendor fix actual bugs is a good start. Working with them to come up with secure deployments is a longer term relationship kind of thing, but since it's usually expensive to upgrade these devices, you're in for the long term anyway.
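To make the IDS point concrete, here is a small Modbus/TCP parser and alert rule, added for this page as an example. It is not code from the original post or from the modicon_* modules, and the Schneider vendor function code 0x5a and the STOP sub-code used in one sample frame are assumptions about the protocol rather than facts taken from the page; all sample frames are constructed by hand. The idea is the one the post makes: Modbus is distinctive enough that "anything other than a plain read, or anything from a host that is not the HMI" is a cheap and useful signature.

```ruby
# Added example, written for this page; it is not code from the original post
# or from the Metasploit modicon_* modules it describes. It parses Modbus/TCP
# frames and flags the kind of traffic those modules send, as a starting point
# for the IDS monitoring the post recommends. The sample frames are
# constructed by hand. The Schneider vendor function code 0x5a and the STOP
# sub-code used in the sample are assumptions about the protocol, not facts
# taken from the page.

# Standard Modbus function codes that only read data.
READ_ONLY_FUNCS = {
  1 => 'Read Coils', 2 => 'Read Discrete Inputs',
  3 => 'Read Holding Registers', 4 => 'Read Input Registers'
}.freeze

# Vendor-specific function code used by Schneider PLCs for CPU control and
# logic transfer (assumption, see lead-in).
SCHNEIDER_UMAS_FUNC = 0x5a

ModbusFrame = Struct.new(:transaction_id, :protocol_id, :length, :unit_id, :function, :data)

# Parse one MBAP header plus PDU. Returns nil for anything malformed.
def parse_modbus_tcp(bytes)
  return nil if bytes.bytesize < 8
  tid, pid, len, uid, func = bytes.unpack('nnnCC')
  return nil unless pid.zero?                   # protocol id is always 0 for Modbus
  return nil unless len == bytes.bytesize - 6   # length covers unit id + PDU
  ModbusFrame.new(tid, pid, len, uid, func, bytes.byteslice(8, bytes.bytesize - 8))
end

# Build a frame; used here only to construct the sample traffic below.
def build_modbus_tcp(tid, unit, func, data)
  [tid, 0, data.bytesize + 2, unit, func].pack('nnnCC') + data
end

# :read for standard read functions, :vendor for Schneider 0x5a,
# :write for any other standard function, :malformed for unparsable input.
def classify(frame)
  return :malformed if frame.nil?
  return :read if READ_ONLY_FUNCS.key?(frame.function)
  return :vendor if frame.function == SCHNEIDER_UMAS_FUNC
  :write
end

# Alert rule: Modbus from any source outside the allow-list is suspicious,
# and from allowed sources anything that is not a plain read still is.
def alert?(src_ip, frame, allowed_sources)
  return true unless allowed_sources.include?(src_ip)
  classify(frame) != :read
end

CONTROL_NET = ['10.0.5.10'].freeze  # constructed address of the legitimate HMI

SAMPLES = {
  'read_regs'  => build_modbus_tcp(1, 1, 3, [0, 10].pack('nn')),                     # read 10 holding registers
  'cpu_stop'   => build_modbus_tcp(2, 0, 0x5a, [0x00, 0x41, 0xff, 0x00].pack('C*')), # assumed STOP sub-code
  'write_coil' => build_modbus_tcp(3, 1, 5, [0, 0xff00].pack('nn')),                 # force coil 0 on
  'garbage'    => [0, 1, 0, 1, 0, 2, 1].pack('C*')                                    # truncated header
}.freeze

if __FILE__ == $0
  SAMPLES.each do |name, raw|
    frame = parse_modbus_tcp(raw)
    puts format('%-10s func=%-4s class=%-9s alert(HMI)=%-5s alert(203.0.113.7)=%s',
                name, frame ? frame.function : '-', classify(frame),
                alert?('10.0.5.10', frame, CONTROL_NET), alert?('203.0.113.7', frame, CONTROL_NET))
  end
end
```

Run stand-alone it prints one line per sample frame. Note that the rule deliberately treats a malformed frame on TCP/502 as alert-worthy too: a fuzzer or a mis-routed connection looks exactly like that, and the post's advice is to alert on traffic you are not expecting rather than only on traffic you know is bad.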


Lab, Gemified


Also this week, Jon Cran has removed a bunch of library code for the lab plugin, and converted it all over to a stand-alone Ruby gem. This is important because the lab functionality he and other contributors have put together is pretty exciting stuff, and it was a shame to have it buried in Metasploit's guts. Promoting this codebase to its own standalone project will get it a little more visibility from the general Ruby community, or so the theory goes. So, even if you're not exploiting stuff, but still have an interest in automating your VMWare lab environment, head on over to the GitHub repo to read up on where it's at today, or install it with a simple gem install lab.


Squid Proxy Pivoting


Finally, I wanted to highlight squid_pivot_scanning, a module contributed by Rapid7's Will Vandevanter. By taking advantage of a misconfigured Squid proxy and analyzing the error messages it returns for bad HTTP proxy requests, an external attacker can map out internal networks. Not only can he find listening machines, but he can also determine which ports are open, closed, and ACL-filtered (from the perspective of the proxy server). By itself this is an information leak, but armed with this information a pen-tester can spend an extended period of time building up a hit list of internal hosts for an engagement that might only include a few hours on site. In addition, producing a map of ostensibly secret data can bring a nice wow-factor to a findings report.
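The mapping from Squid's answers to port states, as an added example that is not part of the original post and not the squid_pivot_scanning module's own code. The request format is standard HTTP proxying; the Squid error markers it keys on (the X-Squid-Error header, ERR_ACCESS_DENIED, ERR_CONNECT_FAIL with the errno text, ERR_READ_TIMEOUT) are assumptions about Squid's default error pages, and every response in the block is constructed rather than captured from a real proxy.

```ruby
# Added example, written for this page; it is not code from the original post
# or from the squid_pivot_scanning module. It shows the mapping the post
# describes: a request for an internal host sent through a Squid proxy, and
# the proxy's error response turned into a port state. The Squid error markers
# (X-Squid-Error header, ERR_ACCESS_DENIED, ERR_CONNECT_FAIL with the errno
# text, ERR_READ_TIMEOUT) are assumptions about Squid's default error pages,
# and every response below is constructed, not captured from a real proxy.

# The absolute-URI request an HTTP proxy expects; the proxy connects to
# host:port on our behalf and relays whatever it gets back.
def proxy_request(host, port)
  "GET http://#{host}:#{port}/ HTTP/1.0\r\nHost: #{host}:#{port}\r\nConnection: close\r\n\r\n"
end

# Split a raw HTTP response into [status, headers, body].
def parse_response(raw)
  head, body = raw.split("\r\n\r\n", 2)
  lines = head.to_s.split("\r\n")
  status = lines.shift.to_s[%r{\AHTTP/\d\.\d (\d{3})}, 1].to_i
  headers = lines.map { |l| k, v = l.split(':', 2); [k.downcase.strip, v.to_s.strip] }.to_h
  [status, headers, body.to_s]
end

# What the proxy's answer says about host:port, from the proxy's point of view:
#   :filtered    the proxy's own ACL refused (says nothing about the host)
#   :closed      the proxy reached the host and the port refused (host is up)
#   :unreachable no route to the host
#   :timeout     silently dropped by a firewall, or the host is down
#   :open        anything else came back, i.e. the target answered
def classify_squid(raw)
  status, headers, body = parse_response(raw)
  marker = "#{headers['x-squid-error']} #{body}"
  return :filtered if marker.include?('ERR_ACCESS_DENIED')
  if marker.include?('ERR_CONNECT_FAIL')
    return :closed      if marker =~ /Connection refused|\b111\b/
    return :unreachable if marker =~ /No route to host|Network is unreachable|\b113\b/
    return :timeout     if marker =~ /timed out|\b110\b/
  end
  return :timeout  if marker.include?('ERR_READ_TIMEOUT') || status == 504
  return :filtered if status == 403
  :open
end

# Sweep targets through the proxy. send_fn takes the raw request and returns
# the raw response; a real run would open a TCP socket to the Squid port,
# here it is a table lookup so the example runs offline.
def squid_sweep(targets, send_fn)
  targets.map { |host, port| [host, port, classify_squid(send_fn.call(proxy_request(host, port)))] }
end

# Constructed responses in the shape of Squid's error pages.
SQUID_DENIED  = "HTTP/1.1 403 Forbidden\r\nX-Squid-Error: ERR_ACCESS_DENIED 0\r\n\r\n<h1>ERROR</h1><p>Access Denied.</p>"
SQUID_REFUSED = "HTTP/1.1 503 Service Unavailable\r\nX-Squid-Error: ERR_CONNECT_FAIL 111\r\n\r\n<p>The system returned: (111) Connection refused</p>"
SQUID_NOROUTE = "HTTP/1.1 503 Service Unavailable\r\nX-Squid-Error: ERR_CONNECT_FAIL 113\r\n\r\n<p>The system returned: (113) No route to host</p>"
SQUID_TIMEOUT = "HTTP/1.1 504 Gateway Time-out\r\nX-Squid-Error: ERR_READ_TIMEOUT 110\r\n\r\n<p>The system returned: (110) Connection timed out</p>"
INTERNAL_OK   = "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n<html>intranet wiki</html>"

# Stand-in for the proxy: which constructed response each internal target gets.
FAKE_RESPONSES = {
  '10.1.1.5:80'  => INTERNAL_OK,
  '10.1.1.5:22'  => SQUID_REFUSED,
  '10.1.1.5:443' => SQUID_DENIED,
  '10.1.1.9:80'  => SQUID_NOROUTE,
  '10.1.1.20:80' => SQUID_TIMEOUT
}.freeze
FAKE_PROXY = lambda do |req|
  target = req[%r{\AGET http://([^/]+)/}, 1]
  FAKE_RESPONSES.fetch(target, SQUID_TIMEOUT)
end

if __FILE__ == $0
  targets = FAKE_RESPONSES.keys.map { |t| h, p = t.split(':'); [h, p.to_i] }
  squid_sweep(targets, FAKE_PROXY).each { |h, p, state| puts format('%-12s %-5d %s', h, p, state) }
end
```

Two caveats a practitioner will hit: an :open result only means something other than a Squid error page came back, so a non-HTTP service that closes the connection without a reply can look like a timeout; and a :filtered result describes the proxy's ACL for that port, not the host, which is why the post qualifies it as "from the perspective of the proxy server". Where the X-Squid-Error header is present it is the reliable signal, since an internal page could contain the error-template strings in its own body.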


Other New Modules





If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.


For additional details on what's changed and what's current, please see Jonathan Cran's most excellent release notes.


Progress on the Internet

Posted by egypt Employee Apr 1, 2012

The Internet has made a lot of progress in the last few years. Censorship has been virtually eliminated. Youtube comments are universally insightful. The people owning networks and dropping docs are now only occasionally on the FBI payroll. Published breaches are at an all-time low. Everyone is running IPv6.


In light of all this progress, it is with a heavy heart that we must announce the demise of IPv4 support in all Metasploit products. This decision has been in the offing for several years, but today, in this time of progress, we've finally made the move.


This is what users of our Pro products will see when using outdated addresses:



And the same error when using the Framework:



Despite the obvious advantages of dropping legacy addressing, switching to only IPv6 is not without its difficulties. Some systems still resolve "localhost" as, which of course won't work. We offer a simple workaround for Windows (Vista and newer) that I know everyone will find to be an easy replacement: using a brilliant stroke of networking genius from Microsoft, you can replace "localhost" with "", which at least for me is easier to remember anyway. Antiquated systems like Linux don't have this useful bit of kit, so you'll just have to content yourself with using the real IPv6 address instead.


We're confident that users will appreciate the simplicity of supporting only one addressing scheme, and are excited to help future-proof the world of pen-testing.
