Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2022/12/30/2022-metasploit-wrap-up/
It’s been another gangbusters year for Metasploit, and the holidays are a time to give thanks to all the people that help make our load a little bit lighter. So, while this end-of-year wrap-up is a highlight reel of the headline features and extensions that landed in Metasploit-land in 2022, we also want to express our gratitude and appreciation for our stellar community of contributors, maintainers, and users. The Metasploit team merged 824 pull requests across Metasploit-related projects in 2022, more than 650 of which were incorporated into the main metasploit-framework repository. If you fixed a typo, linked a new reference, or cleaned up some code spaghetti, thank you!
Active Directory Certificate Services attacks
For years now, penetration testers and attackers have emphasized Active Directory as a particularly juicy and valuable attack surface area. In 2021, we saw fresh attack research that outlined new techniques for targeting Active Directory Certificate Services, or AD CS, including multiple configuration flaws that can be leveraged to escalate permissions from a domain user to a privileged account. In response to requests from our user community, Metasploit released two modules in the second half of 2022 that support AD CS attack techniques:
auxiliary/gather/ldap_esc_vulnerable_cert_findercan be used by an authenticated AD user to enumerate Certificate Authorities (CAs) and find vulnerable certificate templates.auxiliary/admin/dcerpc/icpr_certallows users to issue certificates from AD CS with a few options that are used for exploiting some escalation (ESC) scenarios. Currently only escalation technique 1 (ESC1) can be exploited with the available options, but support for more techniques is planned.
Linux credential extraction with Mimipenguin
Metasploit expanded our post-exploitation capabilities for extracting plaintext credentials on Linux systems by porting the Mimipenguin utility to Metasploit. This allows users to extract credentials for a variety of services from an established Meterpreter session, including the gnome-keyring-daemon, vsftpd and sshd. Under the hood, this functionality uses a new Meterpreter API that allows searching through process memory.
Metasploit plays well with others
This year Metasploit added a few different ways of supporting interoperability with other offensive security tools. First up is the BOF Loader for COFF files, which enables usage of Cobalt Strike’s Beacon Object File format from within the Windows Meterpreter. This extension can also use BOF files written for Sliver. We’ve also made an improvement this year to allow users to bring their own payloads and stages from other tools and formats. If you’re a Sliver user, you can now deploy a Sliver agent as a custom payload stage, and we will use our own Metasploit stagers to upload and run the custom shellcode on the target.
Holiday hacking challenge
Metasploit teamed up with TryHackMe to deliver a challenge as part of their Advent of Cyber event, which ran for the month of December. The Metasploit challenge debuted on December 9 and walked users through a fun Christmas-themed story where they were able to use some of Metasploit’s latest pivoting capabilities. A walk-through is available under Task 9 on the official event page.
Sixth getsystem technique
Metasploit added a new technique to everyone’s favorite Meterpreter command in the middle of 2022 with help from cdelafuente-r7, who incorporated the newest named-pipe impersonation-based technique (the EfsPotato variant). This particular vulnerability affects Windows Vista / Server 2008 and later can be executed entirely in memory to escalate the current session to NT AUTHORITY\SYSTEM without spawning a new process. For more information about this and other getsystem techniques, check out the new module documentation. (Pro tip: Specific techniques can be used by number!)
Post API improvements and maintenance
Community member bcoles made more than 100 pull requests to improve and maintain the post-exploitation API used by Metasploit’s 400+ post modules. This enormous effort is greatly appreciated and has fixed numerous bugs, added new functionality, and made general improvements that benefit both end users and module developers alike. Among those improvements are removing quite a few lingering Meterpreter scripts (which were replaced by post modules in 2011) and adding shell session support for a few enumeration modules. The shell session support is particularly useful when combined with 2021’s payload-less session improvements because it bypasses the need to address evasion with Meterpreter.
New contributors
We would like to thank the community for all the work done this year. Particularly, we want to give a big shout out to the 45 new contributors that added great content to Metasploit. Some of these folks even added modules for celebrity vulnerabilities or flaws that were being actively exploited in the wild, such as Apache Spark RCE (CVE-2022-33891), Spring Cloud Gateway RCE (CVE-2022-22947) or Spring Framework RCE (CVE-2022-22965). We’re grateful to all our contributors for submitting modules that help organizations test their defenses, demonstrate risk, and prioritize mitigations.
| New contributor | # of modules |
|---|---|
| h00die-gr3y | 5 |
| krastanoel | 4 |
| npm-cesium137-io | 4 |
| Ayantaker | 1 |
| PazFi | 1 |
| c0rs | 1 |
| giacomo270197 | 1 |
| jerrelgordon | 1 |
| m4lwhere | 1 |
| mauricelambert | 1 |
| rad10 | 1 |
| talhakarakumru | 1 |
| usiegl00 | 1 |
| vleminator | 1 |
Others contributed to make Metasploit even better with enhancements, fixes and documentation:
New module highlights
- exploit/linux/http/fortinet_authentication_bypass_cve_2022_40684 – This exploit contributed by community member heyder facilitated unauthenticated code execution on multiple Fortinet products including FortiOS, FortiProxy and FortiSwitchManager.
- exploit/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144 – Despite having a 2021 CVE, this particular vulnerability, contributed by community member h00die-gr3y, gained attention in 2022 for being an unauthenticated RCE in VMware’s NSX product. Being a deserialization vulnerability, exploitation is smooth and reliable.
- auxiliary/gather/ldap_query – This new module allows users to gather useful information from an Active Directory Domain Services (AD DS) LDAP server. Metasploit currently includes 28 predefined queries for common actions like enumerating LAPS passwords, computer accounts, and users with configured Service Principal Names (SPNs) for Kerberoasting. Metasploit users can even define their own queries for use with the module.
- exploit/linux/local/vcenter_java_wrapper_vmon_priv_esc – This module, from community contributor h00die, added in support for CVE-2021-22015. vCenter is frequently targeted by attackers, so h00die’s contribution goes a long way in helping pen testers better assess the security of vCenter servers during their engagements.
- exploit/linux/http/cisco_asax_sfr_rce – This module was added by jbaines-r7 and incorporated an exploit for CVE-2022-20828 that allows authenticated attackers to gain root-level shells on vulnerable Cisco ASA-X devices with FirePOWER Services enabled. These devices are frequently positioned in sensitive pivots within networks, and are prime targets for attackers, so gaining RCE on these devices often results in access to privileged networks and/or data.
- exploit/multi/veritas/beagent_sha_auth_rce – This module from community contributor c0rs exploits CVE-2021-27876, CVE-2021-27877 and CVE-2021-27878 in Veritas Backup Exec Agent to bypass authentication and gain remote code execution as SYSTEM/root. This is quite a nice vulnerability since backup agents typically have access to sensitive information, so any compromise of such devices typically leads to access to sensitive company data. Combine this with SYSTEM/root privileges as an unauthenticated remote user, and you have a decent vulnerability for gaining initial access into a network and gaining information to start your pivoting attempts to other segments of that network.
Version 6.2 released
Over the summer, the Metasploit team announced the release of Metasploit Framework 6.2, which included a number of new features. Some of the highlights:
- A streamlined authentication capturing plugin
- An SMB 2 and 3-capable file server
- Improved options for handling NATed services
- Improved SMB relaying
We’re planning a 6.3 feature release in early 2023, so stay tuned for the next round of new Metasploit capabilities and improvements!
E-Z-2-contribute documentation
As of the 6.2 release, Metasploit has a new, user-contributable docs site at https://docs.metasploit.com/. Want to contribute to Metasploit, but don’t want to monkey around with Ruby or exploit code? We can always use more and better documentation on your favorite Metasploit features, workflows, and improvements. Get in there and help us teach people how hacking works!
From all of us at Rapid7, we wish you a very happy new year. As always, you can get the latest Metasploit updates every Friday in our weekly wrap-up, and you can stay up-to-date on vulnerability intelligence with AttackerKB.