Metasploit Blog, April 2017

Editor's Note: While this edition of the Metasploit Wrapup is a little late (my fault, sorry), we're super excited that it's our first ever Metasploit Wrapup to be authored by a non-Rapid7 contributor. We'd like to thank claudijd, long-time Metasploit contributor, Mozilla security wrangler, and overall nice guy, for writing this post. If other Metasploit contributors want to get involved with spreading the word, we want to hear from you!

 

We should be back on track timing-wise with our Wrapup for this week on Friday.  Without any further delay, here's what's new in Metasploit versions 4.14.4 through 4.14.11.

- JE

 

Here's my number, text me maybe?

Metasploit sessions can happen at any time. Fortunately, you can always stay plugged in to what's going on with the new session notifier plugin, courtesy of wchen. The plugin sends SMS notifications for new Metasploit sessions through the email-to-SMS gateways of a variety of carriers (Alltel, AT&T Wireless, Boost Mobile, Cricket Wireless, Google Fi, T-Mobile, Verizon, and Virgin Mobile), so you'll never miss out on the pwnage.

 

[Screenshot: sms.png]

 

Text-editors and Programming Languages

If you've ever been cornered by a Vim user around the water cooler and regaled to exhaustion about why you too should choose Vim, you probably hold your ability to choose in high regard. Recently, acammack added initial support for writing Metasploit modules in languages other than Ruby. The idea is that instead of being forced to write every module in Ruby, you could write one in Python, Go, LOLCODE, or whatever your heart desires.

 

Improve Your Spider Sense

Many of us have had the feeling that something doesn't add up; think of it as your own "hacker spider-sense." It kicks in when you tell yourself "that seemed way too easy" or "these services don't quite make sense", only to find out later that you've owned a honeypot. To help with this, thecarterb recently added an auxiliary module that checks Shodan's honeyscore for a target: a score between 0.0 and 1.0 describing how much the host behaves like a known honeypot (0.0 meaning no honeypot indicators, 1.0 meaning a honeypot). The data is useful after exploitation (to realize your blunder), and even more so earlier in the process, letting you steer clear of an obvious honeypot before you send a single byte in its direction.

 

Waste Not, Want Not

You never know when a useful bit of information will be the key to another door. In that spirit, loot as much as you can, whenever you can. Recently, a number of modules have been added to help you loot as much as possible and improve your odds of success:

 

Multi Gather IRSSI IRC Passwords - This post module collects an IRSSI user's configuration file when it contains IRC user or network passwords. That can be handy if you'd like to mix in a little social engineering, impersonating your target to get additional people working for you.

 

Windows Gather DynaZIP Saved Password Extraction - This post module harvests cleartext passwords from dynazip.log files. Handy if you have an encrypted zip file that you need opened in a hurry.

 

Multiple Cambium Modules - If you find yourself testing Cambium ePMP 1000s, you're in luck: multiple modules have been added to pull all sorts of information from these devices, including configuration files and password hashes, over HTTP and SNMP. That helps you spot a shared password or password scheme reused across other network infrastructure devices, and expand your reach accordingly.

 

New Modules

Exploit Modules (5 new)

 

Auxiliary and post modules (10 new)

 

Get It

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

 

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

The Server Message Block (SMB) protocol family is arguably one of the most important network protocols for a security professional to be conversant in. It carries File and Print Sharing, remote process execution, and an entire system of Named Pipes that serve as access points to any number of services running on a machine, such as Microsoft SQL Server. Metasploit users will know SMB as the protocol used by PSExec, a remote code execution module that can turn any Administrator credentials into a session on the box. It is also the protocol that has played host to several of the most high-profile vulnerabilities, such as MS08-067 (the vulnerability used by the Conficker worm) and MS03-026 (the RPC DCOM vulnerability used by the Blaster worm).

 

Additionally, the File and Print Sharing services mean that SMB is the default means of sharing files in a Windows environment. Whenever you create a “network share” in Windows, it is being served up over SMB. I can tell you, from personal experience, that network shares are a gold mine during a penetration test.

 

Now, armed with some understanding of why this protocol is so important, we must dive into how Metasploit handles SMB. Metasploit’s current “implementation” of SMB has been an ad hoc, reverse-engineered effort that started small and was added to with each major SMB vulnerability we wrote modules to target, which turned out to be rather a lot. The implementation is extremely rough, and only supports SMB1. There are good reasons why this is the case.

 

SMB is complex

SMB is, by its very nature, complex. It is a binary protocol, as opposed to a text protocol such as HTTP, so you cannot read it off the wire without a parser that knows every field layout. It also has a wide array of capabilities, some of which depend on each other.

 

Earlier I called SMB a protocol family, and that’s because it is not really just one protocol, nor is it a group of protocols operating at various layers as is the case with something like RDP. It is a Frankenstein’s Monster of efforts by different groups including IBM, Intel, 3Com, and Microsoft. The formative years of SMB were not governed by a single driving design, and it shows in the protocol. What’s worse is that for a long time there was no developer documentation for the protocol specification. Anecdotally, I have heard the story that Microsoft themselves had lost any documentation on the spec, and had to reverse engineer the protocol to provide said documentation.

 

This left Metasploit developers and contributors in the position of only being able to look at packet captures to reproduce what they see going on.

 

The rise of SMB2 and SMB3 and the decline of Metasploit’s SMB

After years of dealing with SMB/CIFS, Microsoft finally designed a new protocol, SMB2. It first shipped in Windows Vista and has since been standard in every Windows OS. SMB2 is a more elegant and more streamlined version of the SMB protocol. Unfortunately, none of Metasploit’s existing code supported the new protocol. For a while this was fine, as SMB1 was still enabled by default in Windows. Over the past few years, however, it has become increasingly common practice to disable SMB1 and allow only SMB2.

 

This change meant that Metasploit could no longer talk to those boxes. Modules from information gathering, to brute forcing, to exploits all suddenly became ineffective against these boxes. On top of this, Metasploit’s ad hoc implementation of SMB1/CIFS had become very recognizable due to its particular idiosyncrasies. IDS/IPS vendors began to differentiate between Metasploit’s SMB traffic and that of a legitimate SMB client. All of this culminated in our SMB support becoming less and less useful as time went on.

 

RubySMB to the rescue

We on the Metasploit team knew something had to be done about our aging SMB code. We weighed several options including trying to clean up the existing code. In the end, we decided to create a new library from scratch. This new library would support both SMB1/CIFS as well as SMB2, and be designed with an eye to coming back and adding the even newer SMB3.

 

We are pleased to announce that not only have we been working on this new RubySMB gem, but we have hit the first milestone in its development. The RubySMB gem can do full client authentication to a remote server. It can communicate over SMB1 or SMB2, and performs multi-protocol negotiation so that it finds the correct dialect to speak without the user having to choose. It handles Extended Security mode for the old SMB1, and can handle security signing for both versions of the protocol.
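To make the "binary protocol" and "multi-protocol negotiation" points above concrete, here is an added example in plain Ruby. It is not RubySMB code and does not use the gem; it hand-packs the one exchange a client must get right before anything else: an SMB1 NEGOTIATE request that lists the classic NT LM 0.12 dialect alongside the "SMB 2.???" wildcard, and a parser for whichever reply comes back, SMB1 or SMB2, reporting the dialect the server chose and whether it merely supports or actually requires signing. Field layouts follow [MS-CIFS] and [MS-SMB2]; the two sample replies are constructed for offline use, not captures, and nothing here touches the network.

```ruby
# Added example, not RubySMB code: a minimal SMB multi-protocol negotiation
# probe in plain Ruby. Builds the SMB1 NEGOTIATE a modern client sends,
# then parses an SMB1 or SMB2 reply. Layouts follow [MS-CIFS]/[MS-SMB2].

SMB1_MAGIC = "\xFFSMB".b
SMB2_MAGIC = "\xFESMB".b
SMB_COM_NEGOTIATE = 0x72
DEFAULT_DIALECTS = ['NT LM 0.12', 'SMB 2.002', 'SMB 2.???'].freeze
SMB2_DIALECTS = { 0x0202 => 'SMB 2.0.2', 0x0210 => 'SMB 2.1', 0x0300 => 'SMB 3.0',
                  0x0302 => 'SMB 3.0.2', 0x0311 => 'SMB 3.1.1' }.freeze

# NetBIOS session service header used for SMB over TCP/445: one type byte
# (0x00 = session message) and a 3-byte big-endian length. Packing the
# length as a 32-bit big-endian int produces exactly those four bytes.
def netbios_wrap(msg)
  raise ArgumentError, 'SMB message too large' if msg.bytesize > 0xFFFFFF
  [msg.bytesize].pack('N') + msg
end

# 32-byte SMB1 header. Flags2 0xC801 asks for Unicode strings, NT status
# codes, extended security (SPNEGO) and long names.
def smb1_header(command, flags: 0x18, flags2: 0xC801)
  SMB1_MAGIC + [command, 0, flags, flags2, 0, 0, 0, 0, 0, 0, 0].pack('CVCvvQ<vvvvv')
end

# SMB_COM_NEGOTIATE request: WordCount 0, then each dialect as a
# 0x02-prefixed, NUL-terminated string. Offering "SMB 2.???" lets an SMB2
# server answer with an SMB2 NEGOTIATE response instead of an SMB1 one.
def build_smb1_negotiate(dialects = DEFAULT_DIALECTS)
  body = dialects.map { |d| "\x02".b + d.b + "\x00".b }.join.b
  netbios_wrap(smb1_header(SMB_COM_NEGOTIATE) + [0, body.bytesize].pack('Cv') + body)
end

# Dispatch on the 4-byte protocol id: 0xFF 'SMB' is SMB1, 0xFE 'SMB' is SMB2.
def parse_negotiate_response(frame, dialects = DEFAULT_DIALECTS)
  len = frame.unpack1('N') & 0x00FFFFFF
  msg = frame.byteslice(4, len)
  raise 'truncated NetBIOS frame' if msg.nil? || msg.bytesize < len
  case msg.byteslice(0, 4)
  when SMB2_MAGIC then parse_smb2_negotiate(msg)
  when SMB1_MAGIC then parse_smb1_negotiate(msg, dialects)
  else raise 'not an SMB response'
  end
end

# SMB2: 64-byte header (Status at offset 8, Command at 12), NEGOTIATE body
# at 64: StructureSize (65), SecurityMode, DialectRevision. SecurityMode
# bit 0 = signing enabled, bit 1 = signing required.
def parse_smb2_negotiate(msg)
  status, command = msg.byteslice(8, 6).unpack('Vv')
  raise 'unexpected SMB2 command' unless command == 0
  raise format('negotiate failed, NT_STATUS 0x%08x', status) unless status == 0
  size, sec_mode, dialect = msg.byteslice(64, 6).unpack('vvv')
  raise 'malformed SMB2 NEGOTIATE response' unless size == 65
  { protocol: :smb2, dialect: SMB2_DIALECTS.fetch(dialect) { format('0x%04x', dialect) },
    signing_enabled: (sec_mode & 0x1) != 0, signing_required: (sec_mode & 0x2) != 0 }
end

# SMB1 NT LM 0.12 reply (WordCount 17): DialectIndex picks from the list we
# sent (0xFFFF = none accepted); SecurityMode bit 2 = signing enabled,
# bit 3 = signing required; Capabilities bit 31 = extended security.
def parse_smb1_negotiate(msg, dialects)
  command, status = msg.byteslice(4, 5).unpack('CV')
  raise 'unexpected SMB1 command' unless command == SMB_COM_NEGOTIATE
  raise format('negotiate failed, NT_STATUS 0x%08x', status) unless status == 0
  word_count, dialect_index, sec_mode = msg.byteslice(32, 4).unpack('CvC')
  raise 'server accepted none of our dialects' if dialect_index == 0xFFFF
  raise 'not an NT LM 0.12 response' unless word_count == 17
  caps = msg.byteslice(52, 4).unpack1('V')
  { protocol: :smb1, dialect: dialects.fetch(dialect_index),
    signing_enabled: (sec_mode & 0x4) != 0, signing_required: (sec_mode & 0x8) != 0,
    extended_security: (caps & 0x80000000) != 0 }
end

# Constructed replies (not real captures): an SMB 2.1 server that requires
# signing, and an SMB1 server that offers extended security and signing.
def sample_smb2_response
  hdr = SMB2_MAGIC + [64, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0].pack('vvVvvVVQ<VVQ<') + ("\x00" * 16).b
  body = [65, 0x0003, 0x0210, 0].pack('vvvv') + ("\x11" * 16).b +
         [1, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 0].pack('VVVVQ<Q<vvV')
  netbios_wrap(hdr + body)
end

def sample_smb1_response
  hdr = SMB1_MAGIC + [SMB_COM_NEGOTIATE, 0, 0x98, 0xC801, 0, 0, 0, 0, 0, 0, 0].pack('CVCvvQ<vvvvv')
  words = [0, 0x0F, 50, 1, 16644, 65536, 0, 0x8000E3FD, 0, 0, 0].pack('vCvvVVVVQ<vC')
  netbios_wrap(hdr + [17].pack('C') + words + [16].pack('v') + ("\x22" * 16).b)
end

if __FILE__ == $PROGRAM_NAME
  puts "request: #{build_smb1_negotiate.unpack1('H*')}"
  [sample_smb2_response, sample_smb1_response].each { |r| p parse_negotiate_response(r) }
end
```

The practical caveat the parser surfaces is the signing flag: a server that reports signing as required will reject an unsigned SESSION_SETUP, so a client that stops at negotiation and never implements signing (as Metasploit's old SMB1 code effectively did for SMB2-only hosts) cannot authenticate at all, however correct the rest of its packets are.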

 

The gem has also been integrated into Metasploit Framework for the first time. We recently added a new version of the SMB Bruteforce, auxiliary/scanner/smb/smb2_login. This version of the SMB LoginScanner module behaves essentially like the original, except that it seamlessly handles both versions of the protocol, and security signing all without any user configuration. It currently does not support the admin privilege check, which is why it has not replaced the original smb_login module.

 

This represents Metasploit’s first steps into future proofing our support for the SMB Protocol family.

 

The Future of RubySMB

We still have a lot of work to do on the RubySMB project, and a lot of important milestones to hit. In the short term, we are shooting for the following goals:

 

  • In the Gem:
    • Support for Listing, Reading, and Writing Files
    • Support for named pipes
    • Simple SMB File Share Server
  • In Framework:
    • Converting smb_version information gathering module to use the new gem
    • Converting PSExec to use the new gem
    • Building in support for the simple file server that will allow modules to define resources on the server and set callbacks for when something requests those resources, much like how the Rex HTTPServer works today.
    • Looking at adding SMB Named Pipe transports for Meterpreter payloads

 

In the longer term we have several other goals we hope to accomplish with this project:

  • Adding Support for SMB3
  • Adding SMB3 protocol level encryption (potential IDS/IPS evasion capabilities)
  • Begin work on a similar project for DCERPC to integrate with this gem

 

Creating protocol libraries at this level is not a simple or easy task, but the results will be rewarding for all members of the Metasploit Community. We will be able to not only update compatibility for our existing SMB-based features, but begin expanding those capabilities. If you are interested in joining in on this effort, please check out our starting wiki page for the project.

 

- David “thelightcosine” Maloney

Metasploit, [REDACTED] Edition

Posted by todb Employee Apr 1, 2017

Why should [REDACTED] have all the fun with spiffy codenames for their exploits? As of today, Metasploit is taking a page from [REDACTED], and equipping all Metasploit modules with equally fear-and-awe-inspiring codenames. Sure, there are catchy names for vulnerabilities -- we remember you fondly, Badblock -- but clearly, unique names for exploits are where the real action is at, especially when you're [REDACTED][REDACTED][REDACTED][REDACTED][REDACTED].

 

So, instead of running boring old 'exploit/windows/smb/ms08_067_netapi', now you can don your onyx tactleneck, and use CRISPYTRUFFLE like the international man of mystery that you are.

 

Need to scan for telnet banners? Sure, you could use 'auxiliary/scanner/telnet/telnet_version', like some kind of civilian, or you can be a shadowy puppetmaster and unleash the awesome power of HIDDENBOYFRIEND.

 

Or, maybe you're looking to deploy one of Metasploit's payloads as a standalone executable, given to your operative in the field. Once you've lost your tail and met your contact in a darkened, rain-slicked alley, you can hand off a USB key loaded up with VENGEFULPONY, and trust he'll do what it takes to get back across the border.

 

In order to enable these ultra-top-secret codenames, you'll need to run a fresh checkout of the development version of the Metasploit Framework. If you're on one of the binary versions of Metasploit, they'll be getting these codenames as well, so you can check if they're available by setting the environment variable DANGERZONE, like so:

 

$ DANGERZONE=1 ./msfconsole -q

 

msf > use CRISPYTRUFFLE

msf exploit(ms08_067_netapi) >

 

So take a moment today, April 1st, to read yourself into [REDACTED] by visiting http://www.5z8.info/eid-howto_j0b9mh_openme.exe. Make sure you're behind at least seven proxies when you do so, since [REDACTED] is probably watching.
