Pro and Nexpose users: we have good news! Metasploit 4.11.4-2015091002 introduces the Push to Nexpose feature, which lets you push vulnerability validation results to Nexpose directly from the Vulnerabilities Index and the Vulnerability Details page.
With previous versions of Metasploit, you had to use the Vulnerability Validation Wizard to test vulnerability data sourced from Nexpose. Now, with the new Push to Nexpose feature, you can run an import or scan to add Nexpose data to a project, validate vulnerabilities individually, and share your results with Nexpose when you are ready.
What are the benefits?
The Push to Nexpose feature offers the following benefits:
- You have granular control over the vulnerability data that you share between Metasploit and Nexpose.
- You can set the status for a vulnerability to "not exploitable" if you determine that the vulnerability is an exception.
- You have an additional workflow for validating vulnerabilities sourced from Nexpose.
- You can push all vulnerability exceptions and validations at the same time.
Where can you find the Push to Nexpose feature?
The Push to Nexpose feature is available from two areas of the application: the Vulnerabilities Index and the Vulnerability Details page.
Here's what it looks like from the Vulnerabilities Index:
And here's what it looks like from the Vulnerability Details:
When can you use the Push to Nexpose feature?
The Push to Nexpose feature is available for you to use when:
- You have vulnerabilities in your project that were discovered by Nexpose AND
- You have a vulnerability selected that has a status of either "Exploited" or "Not Exploitable."
How do you use the Push to Nexpose feature?
- Add Nexpose data to a project using one of the following methods: initiating a Nexpose scan from Metasploit or importing a Nexpose scan report.
- Test the discovered vulnerabilities using matching remote exploit modules that have a ranking of excellent or great.
- Identify the vulnerabilities that were successfully exploited.
- Review the vulnerabilities that were not compromised and mark them as "Not Exploitable" if they represent low-risk vulnerabilities.
- Push the validation results back to Nexpose.
- Go to your Nexpose Console to view your exceptions and validations.
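The eligibility rules and the validation/exception split described above, modelled as an added example (this is illustrative code, not Metasploit Pro's own implementation; the VulnRecord fields, the sample records and the host addresses are constructed for the example):

```python
# Added example, not Metasploit code: models which validated vulnerabilities
# qualify for Push to Nexpose and how they split into validations/exceptions.
from dataclasses import dataclass
from typing import List, Optional, Tuple

EXPLOITED = "Exploited"
NOT_EXPLOITABLE = "Not Exploitable"
PUSH_RANKS = {"excellent", "great"}  # module ranks the workflow tests with


@dataclass
class VulnRecord:
    vuln_id: str            # hypothetical identifier, constructed here
    host: str
    source: str             # scanner that discovered it, e.g. "Nexpose"
    status: Optional[str]   # EXPLOITED, NOT_EXPLOITABLE, or None (untested)


def choose_modules(candidates: List[Tuple[str, str]]) -> List[str]:
    """Keep only matching exploit modules ranked excellent or great."""
    return [name for name, rank in candidates if rank in PUSH_RANKS]


def push_eligible(v: VulnRecord) -> bool:
    """Pushable only if Nexpose found it AND it has a final status."""
    return v.source == "Nexpose" and v.status in (EXPLOITED, NOT_EXPLOITABLE)


def build_push(records: List[VulnRecord]) -> dict:
    """Split eligible records into validations (exploited) and exceptions
    (not exploitable); everything else is reported as skipped."""
    out = {"validations": [], "exceptions": [], "skipped": []}
    for v in records:
        if not push_eligible(v):
            out["skipped"].append(v.vuln_id)
        elif v.status == EXPLOITED:
            out["validations"].append(v.vuln_id)
        else:
            out["exceptions"].append(v.vuln_id)
    return out


# Constructed sample: two Nexpose findings with results, one untested,
# one sourced from a different scanner (never pushed to Nexpose).
SAMPLE = [
    VulnRecord("v1", "10.0.0.5", "Nexpose", EXPLOITED),
    VulnRecord("v2", "10.0.0.5", "Nexpose", NOT_EXPLOITABLE),
    VulnRecord("v3", "10.0.0.7", "Nexpose", None),
    VulnRecord("v4", "10.0.0.9", "OtherScanner", EXPLOITED),
]
```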
Can I still push validations and exceptions from the Vulnerability Validation Wizard's Findings?
Yes, you can. To push from the Vulnerability Validation Wizard's Findings page, click on the "Go to Vulnerabilities Index" link. From the Vulnerabilities Index, you can select the validations and exceptions you want to push to Nexpose.
This week's release includes 3 exploit modules and 15 auxiliary and post-exploitation modules.
Exploits
- Endian Firewall Proxy Password Change Command Injection by Ben Lincoln exploits CVE-2015-5082
- Windows Escalate UAC Protection Bypass (ScriptHost Vulnerability) by Ben Campbell and Vozzie
- Windows Registry Only Persistence by Donny Maasland
Auxiliary and Post-Exploitation
- WordPress NextGEN Gallery Directory Read Vulnerability by Roberto Soares Espreto and Sathish Kumar
- LLMNR Query by Jon Hart
- mDNS Query by Jon Hart
- Android Meterpreter Browsable Launcher by sinn3r
- Android Screen Capture by timwr
- Android Root Remove Device Locks (root) by timwr
- BusyBox Enumerate Connections by Javier Vicente Vallejo
- BusyBox Enumerate Host Names by Javier Vicente Vallejo
- BusyBox Jailbreak by Javier Vicente Vallejo
- BusyBox Ping Network Enumeration by Javier Vicente Vallejo
- BusyBox DMZ Configuration by Javier Vicente Vallejo
- BusyBox DNS Configuration by Javier Vicente Vallejo
- BusyBox SMB Sharing by Javier Vicente Vallejo
- BusyBox Download and Execute by Javier Vicente Vallejo
- Windows Gather Active Directory Groups by Stuart Morgan
Notable Fixes and Changes
- PR #5412: Added an Android screenshot post module
- PR #5413: Added a module to remove lock screen for Android meterpreter
- PR #5637: Added resiliency (retry) support to Windows TCP stagers
- PR #5639: Added a Meterpreter persistence module that only uses registry keys
- PR #5705: Support removing transports by index
- PR #5736: Added a new command stager using 'certutil' for decoding
- PR #5791: Modified HTTP login scanner output to show VHOST if it is defined
- PR #5822: Updated cmd exploit payload compatibility options
- PR #5826: Updated all modules to properly use EXITFUNC
- PR #5840: Added modules for querying LLMNR and mDNS endpoints
- PR #5880: Added ScriptHost UAC bypass exploit technique for Win7/2008
- PR #5890: Added a post module API for Android
- PR #5895: Greatly improved the ADSI module
- PR #5898: Finished migration of PHP and Python meterpreters to metasploit-payloads
- PR #5899: Added support for opening Android meterpreter from a browser
- PR #5908: Fixed SSL/TLS autonegotiation and added explicit TLS 1.1/1.2 support
- PR #5910: Improved speed of the 'ps -h' Meterpreter command
- PR #5912: Added a timeout option to the Meterpreter migrate command
- PR #5913: Added a module for WordPress NextGEN Gallery Directory Traversal Vuln
- PR #5914: Prevent loading cached modules outside of the load path (msfconsole with a pro database)
- PR #5915: Fixed a regex warning when viewing certificate details
- PR #5916: Fixed long-standing encoding bug when badchars contains the '-' character
- PR #5917: Updated passive local exploit checks for a number of modules
- PR #5919: Removed deprecated VMware modules and updated the resource script
- PR #5920: Improved HTTP Cross-Site tracing detection module
- PR #5926: Fixed IPMI header length calculations, fixes usernames longer than 5 bytes
- Pro: When you manually import a site from Nexpose, your project shows all assets that are in the site regardless of when they were last scanned.
- Pro: Importing a site now imports all vulnerabilities, including those that can be locally and remotely exploited.
- Pro: Importing a site from Nexpose now includes all vulnerabilities discovered, including those that do not have matching Metasploit modules.
- Pro: You can now import an exported CSV of credentials into a project.
- Pro: The Services Index now displays all services regardless of their state.
- Pro: All executables served by a web page as part of a social engineering campaign now include the .exe extension in the file name.
- Pro: Sending an email notification for a social engineering campaign no longer results in a stack trace. Also updated the global settings link in the notification modal to go to the SMTP settings tab.
- Pro: Reverse HTTPS listeners in social engineering campaigns now release their port when they are stopped.
- Pro: To push validations and exceptions from the Vulnerability Validation Wizard, you must go to the Vulnerabilities Index and use the Push to Nexpose feature.
- Pro: If you import a site using the Vulnerability Validation Wizard, only assets that were discovered in the last site scan will be imported into the project. Therefore, the number of imported assets reported on the wizard's findings window may not match the number of assets that have actually been imported into the project.
Upgrading after December 23, 2014
If you did not update to Metasploit 4.11.0 prior to December 23, 2014, you will need to read this handy blog from Eray Yilmaz to learn how to successfully update your Metasploit instance: HOTFIX: Metasploit Startup Issues After Upgrading to 4.11.0 (Update 2014122301). The standard method that you use to update Metasploit will not work if you are updating after December 23, so it is critical that you update Metasploit using the steps outlined in the blog.
How to Upgrade
To upgrade Metasploit Pro, go to the Administration menu and select the Software Updates option. To see how to upgrade your Metasploit installation, view this video.
PRO 4.11.4 updates to 4.11.4-2015091002