Metasploit 4.11.0 (Update 2014121601)

Document created by tdoan Employee on Dec 10, 2014Last modified by tdoan Employee on Oct 7, 2016
Version 3Show Document
  • View in full screen mode



This week's release updates Metasploit to version 4.11, which includes the following new features and modules.


Credentials Domino MetaModule (PRO ONLY)

This brand new MetaModule performs an iterative-based credentials attack using a valid login or an open session to attempt to gain access to additional targets and collect credentials. You can run this MetaModule to determine how far an attacker can get in a network if they are able to obtain a particular credential or compromise a particular target.

Like the other MetaModules, the Credentials Domino provides a semi-guided interface to help you with its configuration, displays real-time statistics through the findings window, and includes its own specialized report to document its findings. To access the Credentials Domino MetaModule, select Modules > MetaModules from within a project in Metasploit Pro.


Known Issues with the Domino MetaModule

    • Pivoting from a Linux system to a Windows system is not supported.
    • The Credentials Domino MetaModule cannot be added to a task chain at this time.


Guided Bruteforce Workflow (PRO/ULTIMATE/EXPRESS)

The Bruteforce workflow has undergone a complete overhaul, which means that there are a few significant changes that need to be highlighted.

In place of the old style configuration form, Bruteforce now has a cleaner, more streamlined interface. The workflow has been separated into three distinct tasks: choosing the targets to attack, choosing the credentials to try, and configuring options to control things like termination conditions and mutation rules.

old-bruteforce.png bruteforce.png

In addition to the revamped interface, there are a few notable features to point out in the new workflow:

    • More ways to add credentials - In Metasploit 4.10, there was only one method to supply a bruteforce attack with credentials: you had to manually enter them. Now, you have a few options for adding them. You can reuse existing credentials, import a credentials list, manually enter a credentials list, and try common factory defaults for services.


    • Mutations rules -  Mutations rules were removed in Metasploit 4.10, but they are now available again through the Bruteforce workflow. There are several preconfigured mutation rules that you can use to prepend and append characters to a password as well as perform leetspeak substitutions.


    • Get a session - You can automatically open a session when a credential is guessed on a specific service, such as MSSQL, MySQL, PostgreSQL, SMB, SSH, Telnet, WinRM, and some HTTP services, such as Tomcat, Axis2, and GlassFish.  Open sessions can be used to perform post-exploitation tasks, such as gathering additional information from the host and leveraging that data to compromise additional hosts.


    • Real-time findings - The Bruteforce Findings Window lets you track login attempts, compromised targets, and successful logins in real-time.

Known Issues with Bruteforce

Now that we've covered the new and exciting stuff, here are a few things you should keep in mind when you configure and run a bruteforce attack:

    • Existing tasks chains that include a legacy bruteforce task need to be updated - Metasploit 4.11 introduces a completely new workflow for configuring Bruteforce attacks, which means that any legacy version of Bruteforce must be updated using this new approach. By default, if Metasploit detects that the task chain contains a legacy version of Bruteforce, it will automatically replace the legacy Bruteforce task with the new Bruteforce configuration workflow. All options and fields will not be configured, so you will need to go to the Bruteforce task and manually configure it with the desired settings. Otherwise, any scheduled task chain that includes a legacy Bruteforce task will run without bruteforcing any targets.

      To help you identify the task chains that need to be updated, a warning message will display when you access the Task Chains page and list all task chains that include a legacy bruteforce task. You must update the listed task chains. Otherwise, the warning message will continue to display each time you access the Task Chains page or view a task chain that contains a legacy bruteforce task.


Quick Lesson on Editing a Task Chain

To edit a task chain, select Tasks > Chains from within a project.


If any of the task chains include a legacy bruteforce task, a helpful little warning message displays. Review the list and click "OK" to close it.


Open the configuration page for the task chain you want to edit.


Another warning message appears and alerts you that the Bruteforce task needs to be configured using the new style workflow.  Again, click "OK" to close the window. Once you get past all the warning messages, click on the Bruteforce task bubble. This brings up the new style Bruteforce configuration form.


Now, you're ready to configure the targets, credentials, and options for the Bruteforce task. Just remember that if you choose to use the "All credentials in this project" option, you need to run an Exploit and a Collect task before the Bruteforce task or you need to make sure that the project already contains the credentials that you want to use.


    • Cloning a task chain that includes a legacy Bruteforce task results in an unconfigured task - If you attempt to clone a task chain that includes a legacy Bruteforce task, the resulting task chain will contain an unconfigured Bruteforce task. You will need to configure the Bruteforce task before you can run the task chain.
    • Enabling AV evasion causes Bruteforce to run for an extended period of time (PRO ONLY) - The "Use Dynamic Stagers for EXE payloads" option enables you to use dynamic stagers whenever executables are generated to ensure that our payloads can evade detection from anti-virus vendors that already have signatures for the standard Metasploit payloads. However, if you enable this option, it may cause an substantial increase in the run time of the Bruteforce task.
    • Credentials list file types are not validated when they are imported - You can import a new line and space delimited text file that contains credential pairs. Please make sure that the file has a .txt extension.
    • Replaying a Bruteforce task is no longer supported - Bruteforce tasks cannot be replayed. You will need to configure a new Bruteforce task each time you want to run it.

New Modules for Everyone

In addition to the new features for Metasploit 4.11, this weekly update also contains 6 new exploit modules and 8 new auxiliary and post-exploitation modules.


Exploit Modules


Auxiliary and Post-Exploitation Modules


Notable Fixes and Changes


    • #4337: Fixed msfconsole prompt colors on Windows (issue #4259)
    • #4333: Added deprecation notices to msfpayload and msfencode
    • #4338: Fixed heartbleed cert parsing error (issue #4309)
    • #4346: Fixed msfvenom bug which was ignoring datastore options
    • #4220: Added post module for searching Outlook email
    • #4286: Removed lots of old documentation
    • #4313: Fixed blank password attempts when unselected (issue #4304)
    • #4319: Fixed nil Action on post modules (issue #4307)
    • #4317: Fixed leaky gateway test (issue #4305)
    • #4311: Fixed broken NETMASK logic (issue #4306)
    • #3679: Fixed msfvenom -b option
    • #4315: Fixed os_flavor deprecated usage
    • #4335: Added WAR file upload JBoss exploit

    • #4368: Bumped credential gem version

    • #4375: Fixed event handlers for Ruby 2.x (issue #4219)

    • #4371: A trio of new msftidy checks (issues #4369, #4362, #3853)

    • #4364: Modules respect bruteforce_speed again (issue #3904)


How to Upgrade

To upgrade Metasploit Pro, go to the Administration menu and select the Software Updates option. To see how to upgrade your Metasploit installation, view this video.


Version Information

PRO 4.10.2 updates to 4.11.0-2014121601

MSF3 4.10.2 updates to 4.11.0-2014121601