Last updated at Thu, 18 Jan 2024 21:52:00 GMT
Customizable DNS resolution
Contributor smashery added a new dns command to the Metasploit console, which lets the user customize how DNS resolution behaves. Similarly to the route command, it is now possible to specify where DNS requests are sent, so that lookups for target names do not leak to an unintended resolver. Before these changes, the Framework used the local system's resolver configuration for every lookup. Now, it is possible to specify which DNS server is queried based on rules that match specific hostnames or domains. It is also possible to route DNS requests through an existing session, which is useful when querying a DNS server located in an internal network that is only reachable through a pivot host.
The DNS feature must be enabled to make this command available: run features set dns_feature true. Then, use dns help to list the subcommands:
msf6 > features set dns_feature true
dns_feature => true
msf6 > dns help
Manage Metasploit's DNS resolution behaviour
Usage:
dns [add] [--session <session_id>] [--rule <wildcard DNS entry>] <IP Address> <IP Address> ...
dns [remove/del] -i <entry id> [-i <entry id> ...]
dns [purge]
dns [print]
Subcommands:
add - add a DNS resolution entry to resolve certain domain names through a particular DNS server
remove - delete a DNS resolution entry; 'del' is an alias
purge - remove all DNS resolution entries
print - show all active DNS resolution entries
Examples:
Display all current DNS nameserver entries
dns
dns print
Set the DNS server(s) to be used for *.metasploit.com to 192.168.1.10
route add --rule *.metasploit.com 192.168.1.10
Add multiple entries at once
route add --rule *.metasploit.com --rule *.google.com 192.168.1.10 192.168.1.11
Set the DNS server(s) to be used for *.metasploit.com to 192.168.1.10, but specifically to go through session 2
route add --session 2 --rule *.metasploit.com 192.168.1.10
Delete the DNS resolution rule with ID 3
route remove -i 3
Delete multiple entries in one command
route remove -i 3 -i 4 -i 5
Set the DNS server(s) to be used for all requests that match no rules
route add 8.8.8.8 8.8.4.4
Once set up, any name resolution performed by the Framework follows these rules. For example, setting RHOSTS to a hostname with set RHOSTS www.example.com, with a rule added by dns add --session 1 --rule *.example.com 10.10.1.1, forces the Framework to resolve the hostname by sending a DNS request to the internal DNS server at 10.10.1.1 through session 1. No request for that name is sent to any other resolver, so the lookup does not leak information. Note that the Examples section of the help text above prints the commands as route add and route remove; the usage line shows the subcommand that is actually typed, dns add and dns remove.
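The rule-matching behaviour described above, as an added example that is not Metasploit's own code: a small Ruby model of the rule table in which a * in a wildcard matches any run of characters, the first matching rule wins, a rule added without a wildcard is the fallback for unmatched names, and a name that matches nothing while no fallback is configured resolves nowhere rather than silently falling back to the system resolver. The class name, method names, the single-wildcard-per-add restriction and the first-match ordering are assumptions of this example, not the Framework's API.

```ruby
# Added example, not code from metasploit-framework: models the routing decision
# behind `dns add [--session <id>] [--rule <wildcard>] <nameserver> ...`.
require 'ipaddr'

class DnsRuleTable
  Rule = Struct.new(:id, :wildcard, :nameservers, :session_id)

  def initialize
    @rules = []      # ordered; first match wins (assumption of this example)
    @default = nil   # fallback for names no rule matches
    @next_id = 1
  end

  # Adds a rule. Without a wildcard the nameservers become the fallback
  # (like `dns add 8.8.8.8 8.8.4.4`). Nameservers must be IP literals: a
  # hostname here would itself need resolving and reintroduce the leak.
  def add(nameservers, wildcard: nil, session: nil)
    nameservers.each { |ns| IPAddr.new(ns) } # raises IPAddr::InvalidAddressError
    if wildcard.nil?
      @default = Rule.new(0, nil, nameservers, session)
      return @default
    end
    rule = Rule.new(@next_id, wildcard, nameservers, session)
    @next_id += 1
    @rules << rule
    rule
  end

  # Mirrors `dns remove -i <id>`.
  def remove(id)
    @rules.reject! { |r| r.id == id }
  end

  # Mirrors `dns purge`.
  def purge
    @rules.clear
    @default = nil
  end

  # Decides where a lookup for `hostname` goes. Returns nil when nothing
  # matches and no fallback is set: the caller must then fail the lookup
  # instead of asking the local system resolver.
  def resolve_via(hostname)
    name = hostname.downcase.chomp('.')
    rule = @rules.find { |r| wildcard_match?(r.wildcard, name) } || @default
    return nil if rule.nil?
    { nameservers: rule.nameservers, session_id: rule.session_id, rule_id: rule.id }
  end

  private

  # "*.example.com" matches "www.example.com" and "a.b.example.com" but not
  # the bare apex "example.com", since the pattern requires a dot before it.
  def wildcard_match?(pattern, name)
    re = Regexp.escape(pattern.downcase).gsub('\*', '.*')
    Regexp.new("\\A#{re}\\z").match?(name)
  end
end

if __FILE__ == $PROGRAM_NAME
  table = DnsRuleTable.new
  table.add(['10.10.1.1'], wildcard: '*.example.com', session: 1)
  p table.resolve_via('www.example.com') # internal resolver via session 1
  p table.resolve_via('www.google.com')  # nil: no rule, no fallback, no query
  table.add(['8.8.8.8', '8.8.4.4'])
  p table.resolve_via('www.google.com')  # fallback nameservers, no session
end
```

The nil return is the important case: a resolver that treats "no rule matched" as "use /etc/resolv.conf" reproduces exactly the leak the dns command exists to prevent, so the decision is made explicit rather than defaulted.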
Tickets in the sky with diamond
Smashery also enhanced the existing Kerberos ticket-forging module and added support for the Diamond and Sapphire techniques, which are similar to Golden and Silver Tickets but stealthier, because the forged ticket is built from fields the legitimate KDC actually issued rather than from scratch. The Diamond technique takes a real TGT issued by the KDC, decrypts it, modifies its PAC, and re-encrypts it, which requires the krbtgt Kerberos key to be known. The Sapphire technique uses S4U2Self and U2U (User-to-User) to obtain the PAC of another, more privileged user and splices that PAC into an existing TGT to impersonate that user; like Diamond, it needs the krbtgt key to re-encrypt the result.
New module content (1)
WordPress Royal Elementor Addons RCE
Authors: Fioravante Souza and Valentin Lobstein
Type: Exploit
Pull request: #18567 contributed by Chocapikk
Path: multi/http/wp_royal_elementor_addons_rce
Description: This pull request adds a new exploit module for CVE-2023-5360, an unauthenticated file upload vulnerability in the WordPress Royal Elementor Addons and Templates plugin in versions before 1.3.79.
Enhancements and features (5)
- #18526 from smashery - This adds a new dns command in Metasploit, to allow the user to customize the behavior of DNS resolution in the framework. DNS resolution can be set to be routed through a session via a specific Comm channel or to request a specific DNS server. Routing rules ensure DNS queries are not sent to unwanted DNS servers and avoid leaking information.
- #18560 from smashery - This updates the existing Kerberos ticket-forging module with new actions for forging tickets with fields copied from ones issued by the legitimate KDC using the Diamond and Sapphire techniques.
- #18565 from zeroSteiner - This adjusts the Kerberos cache lookup logic. If no TGT for the specific host is found, it will try again with any host. This fixes the workflow where a user could forge a golden ticket but that ticket would not be automatically used for authentication by other services. It also covers the TGTs created by the Diamond and Sapphire techniques.
- #18571 from smashery - Improves the error messages shown to users if there is a validation error with a module's RHOST datastore values. Now, the user is notified when there is a failure parsing a URL, an invalid CIDR, or a DNS resolution failure.
- #18580 from adfoster-r7 - Metasploit modules developed using Python can now provide default_options as part of an exploit.
Bugs fixed (1)
- #18579 from zeroSteiner - This converts the module to use the new style of Windows version detection that was added in https://github.com/rapid7/metasploit-framework/pull/17336. This will become more important once the Windows Meterpreter returns a more accurate string for the sysinfo OS field.
Documentation
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.