Last updated at Wed, 17 Jan 2024 21:30:41 GMT
Continuing the 12th Labor of Metasploit
Metasploit continues its Herculean task of expanding our toolset for taming Kerberos by adding support for AS-REP Roasting, which retrieves crackable credential material for users who have "Do not require Kerberos preauthentication" set on their account. Without pre-authentication the KDC will issue an AS-REP for such a user to anyone who asks, and the encrypted part of that reply is protected with a key derived from the user's password, so it can be cracked offline. The setting is disabled by default, but it is enabled in some environments.
Attackers can request an AS-REP for any user with that option enabled, and worse (or better?), you can query the DC over LDAP to determine which accounts have it set, so not only can you obtain this material, the DC will tell you which users are vulnerable to the attack. Metasploit's AS-REP roasting module will both enumerate those users and pull the authentication material, or pull it for a supplied list of users.
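As an added example (not code from the module or from Metasploit), the following Ruby implements the two checks the paragraph above describes: building the LDAP filter that asks the DC which accounts have the pre-authentication bit (userAccountControl 0x400000) set, filtering directory records on that bit while skipping disabled accounts, and formatting the encrypted part of a returned AS-REP into the hashcat mode 18200 line used for offline cracking. The sample records and cipher bytes are constructed, not from any real directory or capture. The flag decoder also covers the TRUSTED_FOR_DELEGATION bit, which goes slightly beyond the paragraph but is the same kind of query you run when hunting unconstrained delegation hosts.

```ruby
# Added example, not Metasploit code: decide which accounts are AS-REP
# roastable from their userAccountControl value, build the LDAP filter a
# module would send to the DC, and format an AS-REP enc-part for hashcat.

# userAccountControl bit values from the AD schema (see MS-ADTS, userAccountControl bits).
UAC_FLAGS = {
  'ACCOUNTDISABLE'            => 0x0002,
  'NORMAL_ACCOUNT'            => 0x0200,
  'WORKSTATION_TRUST_ACCOUNT' => 0x1000,
  'DONT_EXPIRE_PASSWORD'      => 0x10000,
  'TRUSTED_FOR_DELEGATION'    => 0x80000,  # unconstrained delegation
  'DONT_REQ_PREAUTH'          => 0x400000, # 4194304: "Do not require Kerberos preauthentication"
}.freeze

# Extensible-match OID meaning "all of these bits are set" (LDAP_MATCHING_RULE_BIT_AND).
LDAP_MATCHING_RULE_BIT_AND = '1.2.840.113556.1.4.803'.freeze

# Decode a raw userAccountControl integer into the names of the bits that are set.
def uac_flags(uac)
  UAC_FLAGS.select { |_, bit| (uac & bit) != 0 }.keys
end

# LDAP filter selecting user objects that have the named UAC bit set.
def uac_filter(flag_name)
  bit = UAC_FLAGS.fetch(flag_name)
  "(&(objectCategory=person)(objectClass=user)" \
    "(userAccountControl:#{LDAP_MATCHING_RULE_BIT_AND}:=#{bit}))"
end

# From directory records, pick enabled accounts that do not require pre-auth.
# Disabled accounts are skipped: the KDC refuses them, so they cannot be roasted.
def roastable_users(records)
  records.select do |r|
    uac = r[:userAccountControl]
    (uac & UAC_FLAGS['DONT_REQ_PREAUTH']) != 0 && (uac & UAC_FLAGS['ACCOUNTDISABLE']) == 0
  end.map { |r| r[:sAMAccountName] }
end

# Format the AS-REP enc-part for hashcat mode 18200 (RC4-HMAC, etype 23).
# For etype 23 the cipher is a 16-byte HMAC-MD5 checksum followed by the
# RC4 ciphertext; hashcat expects "$krb5asrep$23$user@REALM:checksum$ciphertext".
def asrep_hashcat_line(user, realm, etype, cipher)
  raise ArgumentError, 'only etype 23 (RC4-HMAC) is handled here' unless etype == 23
  raise ArgumentError, 'cipher too short for checksum + data' unless cipher.bytesize > 16
  checksum = cipher.byteslice(0, 16).unpack1('H*')
  edata    = cipher.byteslice(16, cipher.bytesize - 16).unpack1('H*')
  "$krb5asrep$#{etype}$#{user}@#{realm}:#{checksum}$#{edata}"
end

# Constructed sample data (not from any real directory or capture).
SAMPLE_RECORDS = [
  { sAMAccountName: 'svc_backup', userAccountControl: 0x400200 }, # NORMAL_ACCOUNT | DONT_REQ_PREAUTH
  { sAMAccountName: 'jdoe',       userAccountControl: 0x000200 }, # NORMAL_ACCOUNT only
  { sAMAccountName: 'old_svc',    userAccountControl: 0x400202 }, # pre-auth off, but disabled
  { sAMAccountName: 'WEB01$',     userAccountControl: 0x081000 }, # computer with unconstrained delegation
].freeze
# Constructed 16-byte checksum followed by 24 bytes of "ciphertext".
SAMPLE_CIPHER = [('11' * 16) + ('2233' * 12)].pack('H*').freeze

if __FILE__ == $PROGRAM_NAME
  puts uac_filter('DONT_REQ_PREAUTH')
  puts "roastable: #{roastable_users(SAMPLE_RECORDS).inspect}"
  delegating = SAMPLE_RECORDS.select { |r| uac_flags(r[:userAccountControl]).include?('TRUSTED_FOR_DELEGATION') }
  puts "unconstrained delegation: #{delegating.map { |r| r[:sAMAccountName] }.inspect}"
  puts asrep_hashcat_line('svc_backup', 'CORP.LOCAL', 23, SAMPLE_CIPHER)
end
```

The hashcat line is only defined here for RC4-HMAC (etype 23); AES replies (etype 17/18) use a different layout and different hashcat modes, so the function refuses them rather than emit a line that will never crack. Skipping disabled accounts matters in practice: the LDAP bit filter alone will happily return them, but the KDC answers with a client-revoked error instead of an AS-REP.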
Ticket Management
This week’s release includes a brand new post module for enumerating and dumping Kerberos tickets from a compromised Windows host. This module copies all of the tickets that are accessible at the current privilege level into Metasploit’s own ticket cache, where they can then be used in a Pass-The-Ticket (PTT) style attack. This notably enables Metasploit users to execute the entire workflow necessary to exploit Unconstrained Delegation from within Metasploit; there is even new documentation which outlines the entire process.
New module content (3)
Find Users Without Pre-Auth Required (ASREP-roast)
Author: smashery
Type: Auxiliary
Pull request: #18569 contributed by smashery
Path: gather/asrep
Description: This adds a module to gather credential material from accounts with "Requires Pre-Authentication" disabled. The module supports two mechanisms for choosing targets, brute forcing a list of usernames or using an LDAP query to find the relevant usernames, followed by requesting a TGT for each.
Splunk Authenticated XSLT Upload RCE
Authors: Valentin Lobstein, h00die, and nathan
Type: Exploit
Pull request: #18577 contributed by Chocapikk
Path: unix/http/splunk_xslt_authenticated_rce
Description: This PR adds a Remote Code Execution (RCE) module for Splunk Enterprise using CVE-2023-46214. This module exploits a vulnerability in the XSLT transformation functionality of certain versions of Splunk Enterprise, allowing for authenticated remote code execution.
Kerberos Ticket Management
Authors: Spencer McIntyre and Will Schroeder
Type: Post
Pull request: #18488 contributed by zeroSteiner
Path: windows/manage/kerberos_tickets
Description: This PR adds a module to manage Kerberos tickets from a compromised host. This notably allows Kerberos tickets to be exported from the target and then added to Metasploit's own cache, allowing them to be used for the duration in which they are valid.
Enhancements and features (3)
- #18539 from dwelch-r7 - This adds a new session type for SMB sessions. The SMB session type is behind a feature flag and can be enabled by running the following in msfconsole:
  features set smb_session_type true
- #18598 from bwatters-r7 - This bumps the Metasploit-payload version to bring in one fix and one enhancement. The fix standardizes the behavior of Java Meterpreter so that it only listens on IPv4 interfaces when binding to 0.0.0.0. The enhancement better aligns pretty OS names on Windows for Windows kernel 10 releases, i.e. Windows Server 2016 to present and Windows 10/11.
- #18601 from MikeAnast - Adds arm64 support to Metasploit's Dockerfile. The new image is available from Docker Hub via
  docker pull metasploitframework/metasploit-framework:6.3.47
  or through the wrapper script ./docker/bin/msfconsole.
Bugs fixed (4)
- #18606 from Lorenyx - rpc_plugin has been updated to correctly use the provided plugin options.
- #18609 from adfoster-r7 - This fixes an issue in the cmd/windows/powershell/download_exec payload module that was preventing it from executing correctly due to an architecture check.
- #18613 from dwelch-r7 - Ensures that the handle is closed after listing files within an SMB directory.
- #18614 from sjanusz-r7 - Fixes a crash in the auxiliary/scanner/ssh/ssh_identify_pubkeys module, and adds new module documentation.
Documentation
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.