This week's release updates Metasploit to version 4.11, which includes the following new features and modules.
Credentials Domino MetaModule (PRO ONLY)
This brand new MetaModule performs an iterative credentials attack, using a valid login or an open session to attempt to gain access to additional targets and collect further credentials. You can run this MetaModule to determine how far an attacker can get in a network if they are able to obtain a particular credential or compromise a particular target.
Like the other MetaModules, the Credentials Domino provides a semi-guided interface to help you with its configuration, displays real-time statistics through the findings window, and includes its own specialized report to document its findings. To access the Credentials Domino MetaModule, select Modules > MetaModules from within a project in Metasploit Pro.
Known Issues with the Domino MetaModule
- Pivoting from a Linux system to a Windows system is not supported.
- The Credentials Domino MetaModule cannot be added to a task chain at this time.
Guided Bruteforce Workflow (PRO/ULTIMATE/EXPRESS)
The Bruteforce workflow has undergone a complete overhaul, which means that there are a few significant changes that need to be highlighted.
In place of the old style configuration form, Bruteforce now has a cleaner, more streamlined interface. The workflow has been separated into three distinct tasks: choosing the targets to attack, choosing the credentials to try, and configuring options to control things like termination conditions and mutation rules.
In addition to the revamped interface, there are a few notable features to point out in the new workflow:
- More ways to add credentials - In Metasploit 4.10, there was only one method to supply a bruteforce attack with credentials: you had to manually enter them. Now, you have a few options for adding them. You can reuse existing credentials, import a credentials list, manually enter a credentials list, and try common factory defaults for services.
- Mutation rules - Mutation rules were removed in Metasploit 4.10, but they are now available again through the Bruteforce workflow. There are several preconfigured mutation rules that you can use to prepend and append characters to a password as well as perform leetspeak substitutions.
- Get a session - You can automatically open a session when a credential is guessed on a specific service, such as MSSQL, MySQL, PostgreSQL, SMB, SSH, Telnet, WinRM, and some HTTP services, such as Tomcat, Axis2, and GlassFish. Open sessions can be used to perform post-exploitation tasks, such as gathering additional information from the host and leveraging that data to compromise additional hosts.
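The mutation rules described above (prepend/append characters, leetspeak substitutions) can be illustrated with a small rule engine. This is an added example, not Metasploit's own code, and its rule set is constructed for illustration; the preconfigured rules shipped with Metasploit Pro are not listed on this page. It is written from the auditing side: given a list of base words, it reports which chosen passwords fall inside the mutation space and would therefore be guessed quickly.

```ruby
require 'set'

# Constructed rule set (assumption, not Metasploit Pro's actual rules).
LEET_MAP = { 'a' => '4', 'e' => '3', 'i' => '1', 'o' => '0', 's' => '5', 't' => '7' }.freeze
PREFIXES = ['', '!', '1'].freeze
SUFFIXES = ['', '1', '123', '!', '2014'].freeze

# Apply every leetspeak substitution at once: "password" -> "p455w0rd".
def leetspeak(word)
  word.chars.map { |c| LEET_MAP.fetch(c.downcase, c) }.join
end

# Expand one base word into its full set of mutations:
# case variant and leetspeak variant, each with every prefix/suffix pair.
def mutations(word)
  bases = [word, word.capitalize, leetspeak(word)].uniq
  bases.flat_map do |b|
    PREFIXES.flat_map { |pre| SUFFIXES.map { |suf| "#{pre}#{b}#{suf}" } }
  end.uniq
end

# Audit helper: which of the candidate passwords are trivial mutations of a
# base word, i.e. would be covered by the mutation space of that word list.
def weak_passwords(candidates, base_words)
  space = base_words.flat_map { |w| mutations(w) }.to_set
  candidates.select { |p| space.include?(p) }
end
```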
Known Issues with Bruteforce
Now that we've covered the new and exciting stuff, here are a few things you should keep in mind when you configure and run a bruteforce attack:
- Existing task chains that include a legacy bruteforce task need to be updated - Metasploit 4.11 introduces a completely new workflow for configuring Bruteforce attacks, which means that any legacy version of Bruteforce must be updated using this new approach. By default, if Metasploit detects that a task chain contains a legacy version of Bruteforce, it automatically replaces the legacy Bruteforce task with the new Bruteforce configuration workflow. None of the options and fields are carried over, so you will need to go to the Bruteforce task and manually configure it with the desired settings. Otherwise, any scheduled task chain that includes a legacy Bruteforce task will run without bruteforcing any targets.
To help you identify the task chains that need to be updated, a warning message will display when you access the Task Chains page and list all task chains that include a legacy bruteforce task. You must update the listed task chains. Otherwise, the warning message will continue to display each time you access the Task Chains page or view a task chain that contains a legacy bruteforce task.
Quick Lesson on Editing a Task Chain
To edit a task chain, select Tasks > Chains from within a project.
If any of the task chains include a legacy bruteforce task, a helpful little warning message displays. Review the list and click "OK" to close it.
Open the configuration page for the task chain you want to edit.
Another warning message appears and alerts you that the Bruteforce task needs to be configured using the new style workflow. Again, click "OK" to close the window. Once you get past all the warning messages, click on the Bruteforce task bubble. This brings up the new style Bruteforce configuration form.
Now, you're ready to configure the targets, credentials, and options for the Bruteforce task. Just remember that if you choose to use the "All credentials in this project" option, you need to run an Exploit and a Collect task before the Bruteforce task or you need to make sure that the project already contains the credentials that you want to use.
- Cloning a task chain that includes a legacy Bruteforce task results in an unconfigured task - If you attempt to clone a task chain that includes a legacy Bruteforce task, the resulting task chain will contain an unconfigured Bruteforce task. You will need to configure the Bruteforce task before you can run the task chain.
- Enabling AV evasion causes Bruteforce to run for an extended period of time (PRO ONLY) - The "Use Dynamic Stagers for EXE payloads" option enables you to use dynamic stagers whenever executables are generated to ensure that our payloads can evade detection from anti-virus vendors that already have signatures for the standard Metasploit payloads. However, if you enable this option, it may cause a substantial increase in the run time of the Bruteforce task.
- Credentials list file types are not validated when they are imported - You can import a newline- and space-delimited text file that contains credential pairs. Please make sure that the file has a .txt extension.
- Replaying a Bruteforce task is no longer supported - Bruteforce tasks cannot be replayed. You will need to configure a new Bruteforce task each time you want to run it.
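Since the import does not validate the credential list file, the checks below show what a practitioner would want to run before handing a file to the Bruteforce workflow. This is an added example, not Metasploit's own import code; beyond "one space-delimited username/password pair per line in a .txt file", the format details (blank lines ignored, exactly two fields per line, UTF-8 text) are assumptions.

```ruby
Credential = Struct.new(:username, :password)

class CredentialListError < StandardError; end

# Parse the text of a credential list: one "username password" pair per line.
# Blank lines are skipped (assumption); any other line with a field count
# other than two is reported with its line number so the file can be fixed
# before import instead of silently producing bad login attempts.
def parse_credential_list(text)
  text.each_line.with_index(1).filter_map do |line, no|
    stripped = line.strip
    next if stripped.empty?
    fields = stripped.split(' ')
    unless fields.size == 2
      raise CredentialListError,
            "line #{no}: expected 'username password', got #{fields.size} field(s)"
    end
    Credential.new(*fields)
  end
end

# Validate the file before reading it: the import expects a .txt extension,
# and the contents must be valid UTF-8 text rather than a binary or
# differently encoded file that would be split into garbage pairs.
def load_credential_list(path)
  unless File.extname(path).casecmp?('.txt')
    raise CredentialListError, "#{path}: expected a .txt file"
  end
  text = File.read(path, encoding: 'UTF-8')
  raise CredentialListError, "#{path}: not valid UTF-8 text" unless text.valid_encoding?
  parse_credential_list(text)
end
```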
New Modules for Everyone
In addition to the new features for Metasploit 4.11, this weekly update also contains 6 new exploit modules and 8 new auxiliary and post-exploitation modules.
- Tincd Post-Authentication Remote TCP Stack Buffer Overflow by Martin Schobert and Tobias Ospelt exploits CVE-2013-1428
- Mac OS X IOKit Keyboard Driver Root Privilege Escalation by Ian Beer and joev exploits CVE-2014-4404
- ActualAnalyzer 'ant' Cookie Command Execution by Benjamin Harris and Brendan Coles exploits OSVDB-110601
- Tuleap PHP Unserialize Code Execution by EgiX exploits CVE-2014-8791
- Wordpress Download Manager (download-manager) Unauthenticated File Upload by Christian Mehlmauer and Mickael Nadeau
- Microsoft Internet Explorer Windows OLE Automation Array Remote Code Execution by GradiusX, Rik van Duijn, Robert Freeman, Wesley Neelen, b33f, and yuange exploits CVE-2014-6332
Auxiliary and Post-Exploitation Modules
- JBoss JMX Console DeploymentFileRepository WAR Upload and Deployment by us3r777 exploits CVE-2010-0738
- ManageEngine NetFlow Analyzer Arbitrary File Download by Pedro Ribeiro exploits CVE-2014-5445
- Cisco DLSw Information Disclosure Scanner by John McLeod, Kyle Rainey, and Tate Hansen exploits CVE-2014-7992
- BMC TrackIt! Unauthenticated Arbitrary User Password Change by bperry and jhart exploits ZDI-14-419
- Cisco ASA SSL VPN Privilege Escalation Vulnerability by jclaudius and lguay exploits CVE-2014-2127
- WildFly Directory Traversal by Roberto Soares Espreto exploits CVE-2014-7816
- Gather Kademlia Server Information by Jon Hart
- Windows Gather Outlook Email Messages by Wesley Neelen
Notable Fixes and Changes
- #4337: Fixed msfconsole prompt colors on Windows (issue #4259)
- #4333: Added deprecation notices to msfpayload and msfencode
- #4338: Fixed heartbleed cert parsing error (issue #4309)
- #4346: Fixed msfvenom bug which was ignoring datastore options
- #4220: Added post module for searching Outlook email
- #4286: Removed lots of old documentation
- #4313: Fixed blank password attempts when unselected (issue #4304)
- #4319: Fixed nil Action on post modules (issue #4307)
- #4317: Fixed leaky gateway test (issue #4305)
- #4311: Fixed broken NETMASK logic (issue #4306)
- #3679: Fixed msfvenom -b option
- #4315: Fixed os_flavor deprecated usage
- #4335: Added WAR file upload JBoss exploit
- #4368: Bumped credential gem version
How to Upgrade
To upgrade Metasploit Pro, go to the Administration menu and select the Software Updates option. To see how to upgrade your Metasploit installation, view this video.
PRO 4.10.2 updates to 4.11.0-2014121601
MSF3 4.10.2 updates to 4.11.0-2014121601