Metasploit Wrapup 5/26/17
It has been an intense couple of weeks in infosec since the last Wrapup and
we've got some cool things for you in the latest update.
Hacking like No Such Agency
I'll admit I was wrong. For several years, I've been saying we'll never see
another bug like MS08-067, a full remote hole in a default Windows service.
While I'm not yet convinced that MS17-010 will reach the same scale as MS08-067
did, EternalBlue
[https://www.rapid7.com/db/modules/exploit/windows/smb/ms17_010_eternalblue] has
already
Metasploit Weekly Wrapup
Metasploit Wrapup 3/24/17
Faster, Meterpreter, KILL! KILL!
You can now search for and kill processes by name in Meterpreter with the new
pgrep and pkill commands. They both have flags similar to the older ps command,
allowing you to filter by architecture (-a), user (-u), or to show only child
processes of the current session's process (-c). We've also added a -x flag to
find processes with an exact match instead of a regex, if you're into that.
Fun with radiation
Craig Smith has been killing it lately with all his h
Metasploit
Metasploit, Google Summer of Code, and You!
Spend the summer with Metasploit
I'm proud to announce that the Metasploit Project has been accepted as a mentor
organization in the Google Summer of Code! For those unfamiliar with the
program, their about page [https://summerofcode.withgoogle.com/about/] sums it
up nicely:
> Google Summer of Code is a global program focused on introducing students to
open source software development. Students work on a 3 month programming project
with an open source organization during their break from univer
Metasploit Wrapup 12/9/16
Finding stuff
For a very long time, msfconsole's search command has used a union of the
results of all search terms. This means that if you do something like search
linux firefox, you'll get a list of all modules that mention linux, regardless
of the application they target, and all modules that mention firefox, regardless
of their platform. Most people are probably expecting the intersection, i.e. you
probably wanted to see only the modules that target Firefox on Linux. So now
that's what happe
Metasploit Wrapup 11/18/16
Everything old is new again
As you probably already know, hardware manufacturers are not always great at
security. Today we'll be picking on Netgear, who produce a WiFi router called
the WNR2200 [https://www.netgear.com/home/wifi/routers/]. This cute little
device, brand new out of the box on store shelves today, runs Linux 2.6.15 with
Samba 3.0.24. For those of you keeping score at home, those versions were
released in 2007. Way back in 2007, Samba had a pre-auth heap buffer overflow
vulnerabil
Metasploit
Weekly Update: Fun with ZPanel, MoinMoin, and FreeBSD
Chaining ZPanel Exploits for Remote Root
ZPanel is a fun, open source web hosting control panel, written in code
auditors' favorite language, PHP. For bonus points, ZPanel likes to do some
things as root, so it installs a nifty little setuid binary called 'zsudo' that
does pretty much what you might expect from a utility of that name -- without
authentication. In the wake of some harsh words on reddit and elsewhere in
regard to the character of ZPanel's development team, the project came to the
Product Updates
Weekly Update: Smaller is Better
In this week's episode, the role of Tod Beardsley will be played by egypt.
Smaller is better
Perhaps the most prominent addition to the framework this week is not an
addition at all, but rather a deletion. We've been working toward a slimmer,
more manageable source tree for a while now, and as part of that effort, we
recently removed a pile of old-and-busted unit tests. This update goes a bit
further, moving source code for some compiled payloads into separate
repositories. Metasploit's version
Metasploit
Introduction to Metasploit Hooks
Metasploit provides many ways to simplify your life as a module developer. One
of the less well-known of these is the presence of various hooks you can use for
processing things at important stages of the module's lifetime. The basic one
that anyone who has written an exploit will be familiar with is exploit, which
is called when the user types the exploit command. That method is common to all
exploit modules. Aux and post modules have an analogous run method. Common to
all the runnable modules
Metasploit
Current User psexec
At DEF CON this year I talked about some of the post exploitation capabilities
within Metasploit and demo'd a cool technique I developed with Jabra on a
pentest a year or so ago (I later found out that Mubix had come up with
basically the same idea - great minds think alike). It is essentially this: use
a session's current token to create a remote service on a victim machine.
It takes advantage of a feature in Windows that most people take completely for
granted. Given that you are already logg
Exploits
Press F5 for root shell
As HD mentioned [/2012/06/11/scanning-for-vulnerable-f5-bigips-with-metasploit],
F5 has been inadvertently shipping a static ssh key that can be used to
authenticate as root on many of their BigIP devices. Shortly after the advisory,
an anonymous contributor hooked us up with the private key.
Getting down to business, here it is in action:
18:42:35 0 exploit(f5_bigip_known_privkey) > exploit
[ ] Successful login
[*] Found shell.
[*] Command shell session 3 opened ([redacted]
Release Notes
Metasploit Framework 4.0 Released!
It's been a long road to 4.0. The first 3.0 release was almost 5 years ago and
the first release under the Rapid7 banner was almost 2 years ago. Since then,
Metasploit has really spread its wings. When 3.0 was released, it was under a
EULA-like license with specific restrictions against using it in commercial
products. Over time, the reasons for that decision became less important and the
need for more flexibility came to the fore; in 2008, we released Metasploit 3.2
under a 3-clause BSD licen
Metasploit 4.0: The Database as a Core Feature
Early in the 3.x days, Metasploit had support for using databases through
plugins. As the project grew, it became clear that tighter database integration
was necessary for keeping track of the large amount of information a pentester
might encounter during an engagement. To support that, we moved database
functionality into the core, to be available whenever a database was connected
and later added postgres to the installer so that functionality could be used
out of the box. Still, the command
Release Notes
Metasploit Framework 3.7.2 Released!
It's that time again! The Metasploit team is proud to announce the immediate
release of the latest version [http://metasploit.com/download/] of the
Metasploit Framework, 3.7.2. Today's release includes eleven new exploit modules
and fifteen post modules for your pwning pleasure. Adding to Metasploit's
well-known hashdump capabilities, now you can easily steal password hashes from
Linux, OSX, and Solaris. As an added bonus, if any of the passwords were hashed
with crypt_blowfish (which is the d
Exploits
Recent Developments in Java Signed Applets
The best exploits are often not exploits at all -- they are code execution by
design. One of my favorite examples of this is a signed Java applet. If an
applet is signed, the JVM allows it to run outside the normal security sandbox,
giving it full access to do anything the user can do.
Metasploit has supported using signed applets as a browser exploit for quite
a while, but over the last week there have been a couple of improvements that
might help you get more shells. The first of these improve