egypt

Weekly Metasploit Wrapup

Blog Post created by egypt Employee on Apr 15, 2016

Meterpreter Unicode Improvements

 

Pentesting in places where English is not the primary language can sometimes be troublesome. With this week's update, it's a little bit easier. After Brent's work making Meterpreter's registry system support UTF-8, you can now do things like use the venerable post/windows/gather/hashdump to steal hashes and other attributes of local users whose username contains non-ascii characters, e.g.:

 

msf > use post/windows/gather/hashdump
msf post(hashdump) > setg session -1
session => -1
msf post(hashdump) > run

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 168de610cd477d23e9f7713684342744...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...

bcook:"normal"
mönkey:"blah"

SSH Backdoors

 

In this week's episode of Authenticated Code Execution by Design, we have a couple of new SSH modules.

System administrators and attackers alike love to use services like SSH to get into and control systems. Sometimes, vendors use them for coordinating multiple systems performing the same task. Such is the case with ExaGrid backup storage devices. Each ExaGrid box uses SSH to talk to other ExaGrid devices on the network, presumably to keep an eye on disk usage and other metrics that such devices care about. To make things fun, this was accomplished by shipping the same passwordless private key on every device, so now Metasploit has that private key, too.

Going a little further back in time to last December, Juniper shipped a backdoored sshd on their ScreenOS devices after a compromise allowed attackers to modify it, allowing access with and username and the remarkably clever password <<< %s(un='%s') = %u. I love it because it doesn't stand out in the output of strings(1). Well played, unknown blackhat backdoor creators, well played. Now you can easily scan for these backdoors with Metasploit.

Consistent options display

 

When you type options in msfconsole, you get a nice table of the things your current module needs to know to do its job. Formerly, advanced and evasion options used a different layout that made it a lot harder to read, especially since there are usually a lot more of them than normal options. It has bothered me for a while and finally pissed me off enough to do something about it -- now all the option types give you the same kind of output.

New Modules

 

Exploit modules (6 new)

Auxiliary and post modules (7 new)

Get it

As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.11.19...4.11.20

Outcomes