New Features and Improvements
Project Sonar Integration
Have you been wondering how you can get an outsider's perspective of your organization's publicly facing internet assets? You're in luck! This week's release includes an integration that enables you to easily import data that Project Sonar has collected during its scans of the internet. If you are unfamiliar with Project Sonar, it is an initiative by Rapid7 to actively scan public networks, archive the data, and make it available to the security community. Basically, it gathers data that you can analyze to obtain an outsider's perspective of your internet presence and to better understand your external attack surface. You can query Project Sonar to view the assets that are publicly available for a domain and import them into a project for further analysis.
You can use the data from Project Sonar to:
- Discover assets without scanning.
- Identify public facing assets that belong to your organization.
- Expand your view of your exposure surface area.
- Validate your assessment scope.
So, now you're probably wondering what you have to do to get the integration to work. If you have a valid Metasploit Pro license key, you don't have to do anything. As long as your Metasploit Pro instance has access to the internet, it will automatically authenticate to the Sonar service using your Pro license key and you'll be able to access the Project Sonar option from the Import page:
To query Project Sonar, you need to enter a domain name and a last seen range, which can cover anywhere from 1 to 90 days back. When you query for just a domain name, like 'rapid7.com', the results include all of its subdomains. To narrow down your results, you can query for a specific subdomain, like 'support.rapid7.com' or 'community.rapid7.com'.
After you query Project Sonar, the results display in the table, and you can pick and choose the hosts you want to import into the project. You can also apply filters to refine the results list by address and by name.
While you're reviewing the results, it's important that you do not navigate away from the page, because you will lose the results and will need to rerun the query.
After you import the data, you'll be able to view and work with it just like you would any other host data. You can easily identify Project Sonar data by its tag.
So, to recap, here are all the things you should keep in mind when you are querying data from Project Sonar:
- All Metasploit Pro licenses automatically have access to Project Sonar.
- You can query data from the last 1-90 days.
- You can enter a subdomain to narrow your results down.
- Do not refresh the Import page while it is querying. You'll lose your results and will need to rerun the query.
- You should use the 'Sonar' tag to easily identify all data imported from Project Sonar.
- Please make sure that you enter a valid address if you are filtering by host address. If you enter an invalid search query, you will not receive any notification that the search failed.
If you want to learn more about Project Sonar, you might want to head over to their wiki to find out how they perform their scans. To learn more about how you can import data from Project Sonar, check out https://help.rapid7.com/metasploit/#importing/importing-project-sonar.html.
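To make the query rules above concrete, here is an added example (not Rapid7's code or the Import page's implementation) that applies the same semantics to a small constructed result set: a domain query includes its subdomains, the last seen window is 1 to 90 days, results can be refined by address or name, and imported hosts carry the 'Sonar' tag. Unlike the UI described above, the address filter rejects a malformed address instead of silently returning nothing.

```python
from datetime import date, timedelta
from ipaddress import ip_address

# Constructed sample records in the shape of a Sonar query result:
# (hostname, address, date last seen). Not real Project Sonar data.
TODAY = date(2016, 2, 2)  # fixed reference date so the example is reproducible
SAMPLE = [
    ("www.example.com", "198.51.100.10", TODAY - timedelta(days=3)),
    ("support.example.com", "198.51.100.20", TODAY - timedelta(days=40)),
    ("old.support.example.com", "198.51.100.21", TODAY - timedelta(days=120)),
    ("mail.example.net", "203.0.113.5", TODAY - timedelta(days=1)),
    ("example.com", "198.51.100.1", TODAY - timedelta(days=10)),
]


def in_domain(hostname, domain):
    """True for the queried domain itself and for every subdomain of it."""
    h, d = hostname.lower().rstrip("."), domain.lower().rstrip(".")
    return h == d or h.endswith("." + d)


def query_sonar(records, domain, last_seen_days, today=TODAY):
    """Apply the Import page rules: one domain (subdomains included), 1-90 day window."""
    if not 1 <= last_seen_days <= 90:
        raise ValueError("last seen range must be between 1 and 90 days")
    cutoff = today - timedelta(days=last_seen_days)
    return [r for r in records if in_domain(r[0], domain) and r[2] >= cutoff]


def filter_results(results, address=None, name=None):
    """Refine a result list by exact address and/or name substring.

    A malformed address raises ValueError rather than quietly matching nothing.
    """
    if address is not None:
        ip_address(address)  # raises ValueError for an invalid IPv4/IPv6 literal
        results = [r for r in results if r[1] == address]
    if name is not None:
        results = [r for r in results if name.lower() in r[0].lower()]
    return results


def import_hosts(results, tag="Sonar"):
    """Represent imported hosts as project host records carrying the Sonar tag."""
    return [{"name": h, "address": a, "last_seen": d.isoformat(), "tags": [tag]}
            for h, a, d in results]
```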
Auxiliary and Post-Exploitation Modules
- Chinese Caidao Backdoor Bruteforce by Nixawk
- Jenkins-CI Unauthenticated Script-Console Scanner by Jeffrey Cap and altonjx
- Wordpress XML-RPC system.multicall Credential Collector by KingSabri, William, and sinn3r
- Redis Scanner by Nixawk and iallison
- Telisca IPS Lock Cisco IP Phone Control by Fakhir Karim Reda and zirsalem
- Windows Gather Active Directory Managed Groups by Stuart Morgan
- Windows Manage Privilege Based Process Migration by Josh Hale and theLightCosine
Notable Fixes and Changes
- PR #6305: Updated owa_login module to store valid usernames in the creds database
- PR #6318: Updated ssh_identify_pubkeys module to use the new creds API
- PR #6375: Added a post module for Active Directory Managed Groups Enumeration
- PR #6390: Improved exploit reporting on handler bind/listen failure
- PR #6400: Improved the iis_webdav_upload_asp module
- PR #6402: Added an improved module for Windows privileged-based Meterpreter migration
- PR #6410: Removed John the Ripper binaries from the metasploit-framework source tree
- PR #6411: Added Chinese caidao asp/aspx/php backdoor bruteforce module
- PR #6416: Moved and improved redis_server to auxiliary/scanner/redis
- PR #6425: Updated to Nokogiri 22.214.171.124
- PR #6426: Fixed an incorrect option name in the enable_rdp module
- PR #6429: Fixed console backtrace with LHOST tab completion
- PR #6430: Updated egghunter.rb to support new msfenv requirements
- PR #6432: Added Piata SSH scanner wordlist
- PR #6433: Added D-Link DCS-931L file upload module
- PR #6434: Added additional SAP ICM paths
- PR #6437: Added a Metasploit Code of Conduct
- PR #6440: Added SCADAPASS wordlist
- PR #6441: Added a new x86/BMP polyglot payload encoder
- PR #6449: Improved handling of HttpServer resource collisions
- PR #6450: Added TLS support to MSSQL bruteforce logins
- PR #6451: Backported net-ssh Diffie-Hellman Group Exchange SHA-256 key exchange support
- PR #6457: Updated axis2_deployer to use FileDropper
- PR #6458: Backported net-ssh AES CTR cipher support
- PR #6462: Added a 'vulns --help' command alias
- PR #6467: Allow specifying VAR and METHOD for simple_backdoor_exec
- PR #5938: Added an auxiliary scanner module for running commands on unauthenticated Jenkins-CI script consoles
- PR #6226: Added Wordpress XML-RPC system.multicall Credential Bruteforce
- PR #6421: Added native support for Android Debug Bridge (ADB) protocol and an exploit module
- PR #6422: Added support for native targets in the Android webview exploit
- PR #6461: Backported net-ssh ECDH kex algorithms
- PR #6470: Added auxiliary module for locking/unlocking Cisco IP Phones without authentication
- PR #6482: Fixed uploading of files using Wordpress Holding Pattern theme versions 1.2 and 1.3
- PR #6484: Handle rspec failures gracefully if there is no database
- PR #6485: Added sweet new retro mainframe banners
- PR #6491: Shrunk the size of ms08_067 so that it again works with bind_tcp
- PR #6493: Refactored and normalized SSL/TLS datastore options
- PR #6496: Fixed search_groovy_script Elasticsearch exploit to explicitly specify the scripting language
- PR #6498: Fixed PHP meterpreter downloads > 64k
- PR #6499: Improved reverse_tcp handler reliability when being port-scanned
- PR #6508: Added an alias in Meterpreter, 'dir', for the 'ls' command
- Pro: MS-260: Custom campaigns now save the configuration for Autopwn.
- Pro: MS-846: Clicking the ? Help button in the application now directs you to the online documentation.
- Pro: MS-875: MSSQL Bruteforce now has TLS/SSL support.
- Pro: MS-944: The Audit Report now generates successfully when it includes compromised credentials.
- Pro: MS-946: The ScreenOS backdoor password for CVE-2015-7755 has been added to the default password lists for SSH and telnet.
- Pro: MS-950: Viewing the vulnerability information for a website now displays as expected from the Web Apps area of the application.
- Pro: MS-951: Hosts are now successfully added to a project during a Nexpose scan, regardless of whether or not they have already been imported into other workspaces.
- Pro: MS-1049: Metasploit now successfully imports Nexpose sites that have vulnerabilities that contain more than 255 characters in the site key.
Offline Update File
To download the offline file for this update, go to http://updates.metasploit.com/packages/227fc8a2a6805338629eee8370206201175f74e0.bin.
Upgrading after December 23, 2014
If you did not update to Metasploit 4.11.0 prior to December 23, 2014, you will need to read this handy blog from Eray Yilmaz to learn how to successfully update your Metasploit instance: HOTFIX: Metasploit Startup Issues After Upgrading to 4.11.0 (Update 2014122301). The standard method that you use to update Metasploit will not work if you are updating after December 23, so it is critical that you update Metasploit using the steps outlined in the blog.
How to Upgrade
To upgrade Metasploit Pro, go to the Administration menu and select the Software Updates option. To see how to upgrade your Metasploit installation, view this video.
PRO 4.11.6 updates to 4.11.6-2016020201