Metasploit
Metasploit Weekly Wrap-Up: Nov. 3, 2023
PTT for DCSync
This week, community member smashery [https://github.com/smashery] made an
improvement to the windows_secrets_dump module to enable it to dump domain
hashes using the DCSync method after having authenticated with a Kerberos
ticket. Now, if a user has a valid Kerberos ticket for a privileged account,
they can run the windows_secrets_dump module with the DOMAIN action and obtain
the desired information. No password required. This is particularly useful in
workflows involving the exp
Metasploit
Metasploit Weekly Wrap-Up: 7/7/23
Apache RocketMQ
We saw some great teamwork this week from jheysel-r7
[https://github.com/jheysel-r7] and h00die [https://github.com/h00die] to bring
you an exploit module for CVE-2023-33246
[https://attackerkb.com/topics/YBI7e7fY0a/cve-2023-33246?referrer=blog].
In Apache RocketMQ version 5.1.0 and under, there is an access control issue
which the module leverages to update the broker's configuration file without
authentication. From here we can gain remote code execution as whichever user is
ru
Metasploit
Metasploit Weekly Wrap-Up: 4/21/23
VMware Workspace ONE Access exploit chain
A new module contributed by jheysel-r7 [https://github.com/jheysel-r7] exploits
two vulnerabilities in VMware Workspace ONE Access to attain Remote Code
Execution as the horizon user.
The first is CVE-2022-22956 [https://github.com/advisories/GHSA-54hw-pp59-j3rc],
an authentication bypass, and the second is a JDBC injection, CVE-2022-22957
[https://github.com/advisories/GHSA-cqx6-4jgp-26m2], which ultimately grants us
RCE.
The module
Metasploit
Metasploit Weekly Wrap-Up: 2/2/23
Metasploit 6.3 is out!
Earlier this week we announced the release of Metasploit 6.3 which came with a
tonne of new modules and improvements.
The whole team worked super hard on this and we're very excited that everyone
can now get their hands on it and all of the new features it has to offer!
I won't go over everything we did here because we have a whole separate blog
post
[https://www.rapid7.com/blog/post/2023/01/30/metasploit-framework-6-3-released/]
dedicated to the 6.3 release that you shou
Metasploit
Metasploit Weekly Wrap-Up: Sep. 30, 2022
Veritas Backup Exec Agent RCE
This module, kindly provided by c0rs [https://github.com/c0rs], targets the
Veritas Backup Exec Agent in order to gain RCE as the system/root user.
The exploit itself is actually a chain of 3 separate CVEs (CVE-2021-27876,
CVE-2021-27877 and CVE-2021-27878) which only makes it more impressive.
While you're patching, why not take the time to test your backups too?
Hikvision IP Camera user impersonation
This vulnerability has been present in Hikvision products since 20
Metasploit
Metasploit Weekly Wrap-Up: 7/8/22
DFSCoerce - Distributing more than just files
DFS (Distributed File System) is now distributing Net-NTLM credentials thanks to
Spencer McIntyre [https://github.com/zeroSteiner] with a new
auxiliary/scanner/dcerpc/dfscoerce module that is similar to PetitPotam in how
it functions. Note that unlike PetitPotam, this technique does require a normal
domain user’s credentials to work.
The following shows the workflow for targeting a 64-bit Windows Server 2019
domain controller. Metasploit is hostin
Metasploit
Metasploit Weekly Wrap-Up: 4/22/22
ManageEngine ADSelfService Plus Authenticated RCE
This module is pretty exciting for us because it's for a vulnerability
discovered by our very own Rapid7 researchers Jake Baines
[https://github.com/jbaines-r7], Hernan Diaz, Andrew Iwamaye, and Dan Kelly.
The vulnerability allowed attackers to leverage the "custom script"
functionality to execute arbitrary operating system commands whenever domain
users reset their passwords.
I won't go into too much depth though because we have a whole blog
Metasploit
Metasploit Weekly Wrap-Up: Jan. 28, 2022
A new Log4Shell module for unauthenticated RCE on Ubiquiti UniFi devices, getsystem improvements, and more!
Metasploit Weekly Wrapup
Metasploit Wrap-Up: 10/22/21
Metasploit's first modules targeting Kubernetes, plus Windows support for exploiting Confluence Server CVE-2021-26084.
Metasploit Weekly Wrapup
Metasploit Wrap-Up: 4/9/21
Spilling the (Gi)tea
We have two modules coming in from cdelafuente-r7 targeting CVE-2020-14144 for both the Gitea and Gogs self-hosted Git services. Both modules are similar: they take advantage of a user's ability to create Git hooks by authenticating with the web interface, creating a dummy repos
Metasploit
Metasploit Wrap-Up: 1/22/21
A new Microsoft Windows Spooler privesc module, along with some fixes and improvements!
Metasploit Weekly Wrapup
Metasploit Wrap-Up: 8/7/20
Metasploit 6 initial features and active development, the 2020 open-source security meetup (OSSM), four new modules, and the longest list of enhancements and fixes we've ever written in one sitting.
Metasploit Weekly Wrapup
Metasploit Wrap-Up: 3/13/20
Four new modules and lots of productivity enhancements. You can now run `rubocop -a` to automatically fix most formatting issues when developing modules. Plus, try the new `tip` command in MSF for Framework usage tips!
Metasploit
Metasploit Wrap-Up 10/4/19
Command and Control with DOUBLEPULSAR
We now have a DOUBLEPULSAR exploit module
[https://github.com/rapid7/metasploit-framework/pull/12374] thanks to some
amazing work by our own wvu [https://github.com/wvu-r7], Jacob Robles, and some
significant contributions from the wider community. The module allows you to
check for the DOUBLEPULSAR implant, disable it, or even load your own payloads
as well; it really deserves its own blog post…
[https://www.rapid7.com/blog/post/2019/10/02/open-source-comma