Skip navigation
All Places > Metasploit > Blog > Authors leonardovarela

Metasploit

2 Posts authored by: leonardovarela Employee

UPDATE: With the release of version 4.15 on July 19, 2017, commercial Metasploit 32-bit platforms (Metasploit Pro, Metasploit Express, and Metasploit Community) no longer receive future product or content updates. These platforms are now obsolete and are no longer supported.

 

Rapid7 announced the end of life of commercial Metasploit 32-bit versions for both Windows and Linux operating systems on July 5th, 2017. This announcement applies to all editions: Metasploit Pro, Metasploit Express and Metasploit Community. After this date Metasploit 32-bit platforms will not receive product or content updates. Metasploit Framework will continue to provide installers and updates for the 32-bit versions.

 

MilestoneDescription      Date                
End-of-life announcement dateThe date that the end-of-life date has been announced to the general public.July 5th, 2016
Last date of available installersThe last date Rapid7 will generate 32-bit installers. After this date, Rapid7 will continue to provide updates until the last date of support.July 5th, 2016
Last date of supportThe last date to receive service and support for the product. After this date, all support services for the product are unavailable, and the product becomes obsolete.July 5th, 2017

 

 

Product Migrations

Customers are encouraged to migrate to Metasploit 64-bit versions of the product, installation files can be found in the following link. When upgrading to 64-bit, there maybe changes to system requirements including memory, please view the System requirements to see if your current system meets the minimum requirements. To migrate to a newer platform you create a platform independent backup and restore it on the new system. Please see this page to learn how to determine if you need to migrate, how to do a backup/restore, and about other related topics.

 

More Information

This week's release of Metasploit includes a scanner and exploit module for the EternalBlue vulnerability, which made headlines a couple of weeks ago when hacking group, the Shadow Brokers, disclosed a trove of alleged NSA exploits. Included among them, EternalBlue, exploits MS17-010, a Windows SMB vulnerability. This week, EternalBlue has been big news again due to attackers using it to devastating effect in a highly widespread ransomware attack, WannaCry. Unless you've been vacationing on a remote island, you probably already know about this; however, if you have somehow managed to miss it, check out Rapid7's resources on it, including guidance on how to scan for MS17-010 with Rapid7 InsightVM or Rapid7 Nexpose.

 

The Metasploit module - developed by contributors zerosum0x0 and JennaMagius - is designed specifically to enable security professionals to test their organization's vulnerability and susceptibility to attack via EternalBlue. It does not include ransomware like WannaCry does and it won't be worming its merry way around the internet.

 

Metasploit is built on the premise that security professionals need to have the same tools that attackers do in order to understand what they're up against and how best to defend themselves. The community believes in this, and we have always supported it. This philosophy drove the amazing Metasploit contributor community to take on the challenge of reverse engineering and recreating the EternalBlue exploit as quickly and reliably as possible, so they could arm defenders with the info they need. We want to say a big thanks to JennaMagius and zerosum0x0 for their work on this.

 

From a vulnerability management perspective, there are a lot things that security practitioners can do to understand their exposure, however, with Metasploit you can go beyond theoretical risk and show the impact of compromise. Access to systems is more concrete evidence of the problem. Metasploit effectively allows security practitioners to test their own systems and dispel the hype and speculation of headlines with facts.

 

From a penetration testing perspective, research shows that over two thirds of engagements had exploitable vulnerabilities leading to compromise. Metasploit modules such as EternalBlue enable security practitioners to communicate the real impact of not patching to the business.

 

UPDATE – May 19, 2017: Security researcher, Krypt3ia, wrote a blog post highlighting a possible connection between the process that zerosum0x0 and JennaMagius went through in reversing the EternalBlue exploit, and the WannaCry attack.

 

Zerosum0x0 and JennaMagius both work at as security researchers at RiskSense, a provider of pro-active cyber risk management solutions. In response to Krypt3ia’s blog, RiskSense provided this clarification of the situation:

 

The module was developed to enable security professionals to test their organization's vulnerability and susceptibility to attack via EternalBlue. As part of their research, the researchers created a recording of the network traffic that occurs when the Fuzzbunch EternalBlue exploit is run. The purpose of this recording was to help educate other security professionals, and get feedback as they worked through the process. This kind of approach is fairly common in both the security researcher and open source contributor communities, where transparent collaboration enables individuals to pool their expertise and achieve greater results. It’s possible that data from this analysis was copied and rewritten by individuals with malicious intent; we cannot confirm if this is the case or not. Unfortunately, this is a risk that is taken whenever technical information and techniques are shared publicly. None-the-less, we believe the educational and collaborative benefits generally outweigh the risk. To our knowledge, no code from the Metasploit module was ever used in the WannaCry attacks, and once Krypt3ia’s blog pointed out the possibility that some of the information may have been used by the attackers, we removed the recording from the Github repository to ensure no other bad actors would be able to do likewise to create variants of the malware.

 

Here’s a summary of context and the technical details:

 

    • Recording the replay and playing it back works against freshly booted boxes because the Tree Connect AndX response will assign TreeID 2048 on the first few connections, after which it will move on to other tree IDs. This is the same for the user login request. The replay would then fail because the rest of the replay is using "2048" for the tree and user IDs, and the server has no idea what the client is talking about.

 

 

    • Zerosum0x0x’s research supplemented these findings by outlining that __USERID__PLACEHOLDER__ and __TREEID__PLACEHOLDER__ strings were also present in the malware.

 

Replaying ANY recording of EternalBlue will produce the same result, so the attackers may have chosen to use that particular recording to throw investigators off track. It is important to note that to our knowledge no code from the Metasploit module was ever used in the WannaCry attacks.

 

To be successful, the attackers independently implemented sending the network traffic in C; constructed additional code to interact with DoublePulsar (which is a significantly harder undertaking than just replaying the recorded traffic), implemented the rest of their malware (maybe before or after), and then released it on the world.

 

Again, Rapid7 wants to reiterate how much we appreciate community participants such as zerosum0x0 and JennaMagius, who contribute their time and expertise to better arm organizations to defend themselves against cyberattackers.

Filter Blog

By date: By tag: