
Metasploit Wrapup

Posted by egypt Employee Nov 18, 2016

Everything old is new again


As you probably already know, hardware manufacturers are not always great at security. Today we'll be picking on Netgear, who produce a WiFi router called the WNR2200. This cute little device, brand new out of the box on store shelves today, runs Linux 2.6.15 with Samba 3.0.24. For those of you keeping score at home, those versions were released in 2007. Way back in 2007, Samba had a pre-auth heap buffer overflow vulnerability in the LsarLookupSids RPC call, for which Metasploit has had an exploit since shortly after the bug's disclosure.


Unfortunately for people who like shells, the exploit only worked on x86 targets, so popping these new routers with old exploits wasn't feasible. Until now. Thankfully, JanMitchell came to the rescue, porting it to MIPS for all your ridiculously-old-software-on-a-brand-new-router hacking needs.


Steal all the things


A few weeks ago, we talked about stealing AWS metadata. This update adds a post module (post/multi/gather/aws_keys) that extracts credentials and other valuable AWS information from a compromised machine that has the AWS console/CLI installed and configured with credentials. Those credentials can then be used to reach every AWS resource the user has access to.


Book keeping


There won't be a release next week because of the Thanksgiving holiday here in the US. Nightly installers for the open source framework will still be built automatically, as you might expect.


New Modules


Exploit modules (8 new)


Auxiliary and post modules (6 new)


Get it


As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.12.38...4.12.42


To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

Test Your Might With The Shiny New Metasploitable3


Today I am excited to announce the debut of our shiny new toy - Metasploitable3.


Metasploitable3 is a free virtual machine that allows you to simulate attacks, largely using Metasploit. It has been used by people in the security industry for a variety of reasons: training for network exploitation, exploit development, software testing, technical job interviews, sales demonstrations, or just CTF junkies looking for kicks :-)


If you are already a Metasploitable fan, you will have noticed that we haven't had a new vulnerable image since 2012. To be honest, when James and I took over the project, we didn't even know who was maintaining it anymore. So we decided to do something about it.


After months of planning and building the vulnerable image from scratch, we have something for you all to play with :-) Unlike its predecessor, Metasploitable3 has these cool features:


It is Open Source


During development, we recognized that one of the drawbacks of Metasploitable2 was maintenance. We figured that since we want everyone in the community to play, the community should also have the power to influence and contribute. This lets the vulnerable image evolve constantly, and hopefully keeps the VM fun to play with.


Metasploitable3 can be found as a GitHub repository here.


Keep in mind that instead of downloading a VM like before, Metasploitable3 requires you to issue a few commands and build the image for VirtualBox (VMware support is planned). To do so, your machine must have the following requirements installed:



To build automatically:


  1. Run the script if you are using bash. If you are using Windows, run build_win2008.ps1.
  2. If the command completes successfully, run "vagrant up".
  3. The build process takes anywhere between 20 and 40 minutes, depending on your system and Internet connection. After it's done, you should be able to open the VM within VirtualBox and log in. The default username is "vagrant" with password "vagrant".


To build manually, please refer to the README documentation.


If you are on Windows, you can also follow these videos to set up Metasploitable3 (thanks, Jeremy Druin).


If you have experience in making vulnerable images, or would like to suggest a type of exploitation scenario for Metasploitable3, your feedback is welcome!


It is for People with Different Skills Levels


Back then, Metasploitable2 was mainly a test environment for Metasploit. It was straightforward to play: it didn't take long to find the right exploit to use and get a high-privileged shell.


But you see, we want to make you try a little harder than that :-)


First off, not every vulnerability on Metasploitable3 can be exploited with a single Metasploit module, although some can. Also, by default the image is configured to make use of some Windows mitigations, such as different permission settings and a firewall.


For example, if you manage to exploit a service early on, you will most likely be rewarded with a low-privileged shell. That part shouldn't be too difficult for young bloods who are new to the game. But if you want more than that, the higher-privileged services tend to be protected by the firewall, and you must figure out how to get around it.


If you have a reason to, the firewall can be disabled by setting the MS3_DIFFICULTY environment variable when you build the image:


$ MS3_DIFFICULTY=easy vagrant up


If the image is already built, you can simply open a command prompt on the VM and run:


$ netsh advfirewall set allprofiles state off
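As an added illustration of how an environment variable like MS3_DIFFICULTY can gate provisioning at "vagrant up" time, here is a small Ruby snippet in the shape of a Vagrantfile. It is not the Metasploitable3 project's own Vagrantfile; the box name and the exact decision logic are assumptions, and the default is to keep the firewall on whenever the variable is unset or set to anything other than "easy".

```ruby
# Added example (not the project's Vagrantfile): map an MS3_DIFFICULTY-style
# setting to the Windows firewall state the guest should end up in.

# Anything other than "easy" (including an unset or blank variable) keeps the
# firewall on, so a forgotten variable never silently weakens the image.
def firewall_state_for(difficulty)
  difficulty.to_s.strip.casecmp?("easy") ? "off" : "on"
end

# Build the netsh command the Windows guest runs during provisioning.
# `env` defaults to the real process environment but can be any Hash.
def firewall_command(env = ENV)
  "netsh advfirewall set allprofiles state #{firewall_state_for(env['MS3_DIFFICULTY'])}"
end

# Only wire the helpers into Vagrant when vagrant itself loads this file,
# so the functions above can also be exercised from plain Ruby.
if defined?(Vagrant)
  Vagrant.configure("2") do |config|
    config.vm.box = "metasploitable3-win2008"   # placeholder box name (assumption)
    config.vm.provision "shell", inline: firewall_command
  end
end
```

Running `MS3_DIFFICULTY=easy vagrant up` against such a file yields the "state off" command; a plain `vagrant up` yields "state on".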


It Has Flags


One very common part of performing a penetration test is going after corporate data. Well, we can't shove any real corporate data into Metasploitable3 without legal trouble, so we have introduced flags throughout the whole system instead. They serve as the "data you want to steal"; each is a poker card image of a Rapid7/Metasploit developer, and is packaged in one or more of these ways:


  • Obfuscation
  • Strict permission settings
  • File attributes
  • Embedded files


Getting your hands on these flags exercises your post-exploitation muscles, and may require some reverse engineering knowledge.
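One of the packaging methods above is embedding an image inside some other file. The Ruby scanner below, added here as an example and not part of Metasploitable3, shows the basic technique for spotting that: look for JPEG and PNG magic bytes at any offset in a file and carve from there. The sample "document" it scans is constructed inline; it is not a real flag.

```ruby
# Added example: find image headers embedded inside another file.
# Not part of Metasploitable3; SAMPLE below is constructed for the demo.

# Magic bytes that open a JPEG and a PNG file (binary-encoded).
IMAGE_SIGNATURES = {
  "jpeg" => "\xFF\xD8\xFF".b,
  "png"  => "\x89PNG\r\n\x1A\n".b,
}.freeze

# Return every [offset, type] pair where an image header starts inside data,
# sorted by offset. Offset 0 is reported too, so a plain image yields one hit.
def find_embedded_images(data)
  bytes = data.b
  hits = []
  IMAGE_SIGNATURES.each do |type, sig|
    pos = bytes.index(sig)
    while pos
      hits << [pos, type]
      pos = bytes.index(sig, pos + 1)
    end
  end
  hits.sort
end

# Carve the bytes from an embedded header to the end of the data (or to the
# next header), which is usually enough to hand to an image viewer.
def carve(data, offset, next_offset = nil)
  data.b[offset...(next_offset || data.bytesize)]
end

# Constructed sample: three lines of boring text with a PNG header buried after them.
SAMPLE = ("This is a boring text file.\n".b * 3) + "\x89PNG\r\n\x1A\n".b + "fakepixels".b

if __FILE__ == $PROGRAM_NAME
  find_embedded_images(SAMPLE).each { |off, type| puts "#{type} header at byte #{off}" }
end
```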


A hint about these flags can be found in one of the services. In the future, we will publish more blog posts about how to find them.


(Special thanks to Marilyn Marti for the excellent art work!)


It is Expandable


A lot of real-world penetration testing involves breaking into one machine and leveraging the information stolen from it against the next one. Stolen passwords and hashes are perfect examples of this.


Instead of having just one virtual machine, our plan is to also support building multiple vulnerable images and creating a network of them. This gives the audience the opportunity to practice more post-exploitation techniques, pivoting, and breaking into the next box.


Although our first image is Windows, planning for the Linux version has already begun. If you would like to jump on this train, please feel free to leave a comment on GitHub, or contribute.


And that's what our new toy is all about :-)


Last but not least, if you are trying out Metasploitable3 without Metasploit, either you are Neo from the Matrix, or you are nuts. Metasploit consists of thousands of modules, including exploits, auxiliary modules, post modules, and payloads, that allow you to succeed in many kinds of attack scenarios. If you don't have it in your toolkit, please feel free to grab it here.
