Posts by Spencer McIntyre

3 min Metasploit

Metasploit Weekly Wrap-Up 11/22/2024

JetBrains TeamCity Login Scanner Metasploit added a login scanner for the TeamCity application to enable users to check for weak credentials. TeamCity has been the subject of multiple ETR vulnerabilities [http://kql3.us1788.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/] and is a valuable target for attackers. Targeted DCSync added to Windows Secrets Dump This week, Metasploit community member smashery [ht

3 min Metasploit

Metasploit Weekly Wrap-Up 10/18/2024

ESC15: EKUwu AD CS continues to be a popular target for penetration testers and security practitioners. The latest escalation technique (hence the the ESC in ESC15) was discovered [http://trustedsec.com/blog/ekuwu-not-just-another-ad-cs-esc] by Justin Bollinger [http://x.com/bandrel] with details being released just last week. This latest configuration flaw has common issuance requirements to other ESC flaws such as requiring no authorized signatures or manager approval. Additionally, templa

2 min Metasploit

Metasploit Weekly Wrap-Up 09/13/2024

SPIP Modules This week brings more modules targeting the SPIP publishing platform. SPIP has gained some attention from Metasploit community contributors recently and has inspired some PHP payload and encoder improvements. New module content (2) SPIP BigUp Plugin Unauthenticated RCE Authors: Julien Voisin, Laluka, Valentin Lobstein, and Vozec Type: Exploit Pull request: #19444 [http://github.com/rapid7/metasploit-framework/pull/19444] contributed by Chocapikk [http://github.com/Chocapikk] Pat

3 min Metasploit

Metasploit Wrap-Up 05/17/2024

LDAP Authentication Improvements This week, in Metasploit v6.4.9, the team has added multiple improvements for LDAP related attacks. Two improvements relating to authentication is the new support for Signing [http://github.com/rapid7/metasploit-framework/pull/19127] and Channel Binding [http://github.com/rapid7/metasploit-framework/pull/19132]. Microsoft has been making changes [http://support.microsoft.com/en-gb/topic/2020-2023-and-2024-ldap-channel-binding-and-ldap-signing-requirements-for

4 min Metasploit

Metasploit Weekly Wrap-Up 04/26/24

Rancher Modules This week, Metasploit community member h00die [http://github.com/h00die] added the second of two modules targeting Rancher instances. These modules each leak sensitive information from vulnerable instances of the application which is intended to manage Kubernetes clusters. These are a great addition to Metasploit’s coverage for testing Kubernetes environments [http://docs.metasploit.com/docs/pentesting/metasploit-guide-kubernetes.html]. PAN-OS RCE Metasploit also released an e

12 min Metasploit

Metasploit Framework 6.4 Released

Today, Metasploit is pleased to announce the release of Metasploit Framework 6.4. It has been just over a year since the release of version 6.3 [http://kql3.us1788.com/blog/post/2023/01/30/metasploit-framework-6-3-released/] and the team has added many new features and improvements since then. For news reporters, please reach out to press@us1788.com. Kerberos Improvements Metasploit 6.3 included initial support for Kerberos authentication within Metasploit and was one of the larger features i

5 min Metasploit

Metasploit Weekly Wrap-Up 02/16/2024

New Fetch Payload It has been almost a year since Metasploit released the new fetch payloads [http://kql3.us1788.com/blog/post/2023/05/25/fetch-payloads-a-shorter-path-from-command-injection-to-metasploit-session/] and since then, 43 of the 79 exploit modules have had support for fetch payloads. The original payloads supported transferring the second stage over HTTP, HTTPS and FTP. This week, Metasploit has expanded that protocol support to include SMB, allowing payloads to be run using rundll3

8 min Metasploit

Metasploit 2023 Annual Wrap-Up: Dec. 29, 2023

As 2023 winds down, we’re taking another look back at all the changes and improvements to the Metasploit Framework. This year marked the 20th anniversary since Metasploit version 1.0 was committed and the project is still actively maintained and improved thanks to a thriving community. Version 6.3 Early this year in January, Metasploit version 6.3 [http://kql3.us1788.com/blog/post/2023/01/30/metasploit-framework-6-3-released/] was released with a number of improvements for targeting Active Dir

1 min Metasploit Weekly Wrapup

Metasploit Weekly Wrap-Up: Nov. 17, 2023

Possible Web Service Removal Metasploit has support for running with a local database, or from a remote web service which can be initialized with msfdb init --component webservice. Future versions of Metasploit Framework may remove the msfdb remote webservice. Users that leverage this functionality are invited to react on an issue currently on GitHub [http://github.com/rapid7/metasploit-framework/issues/18439] to inform the maintainers that the feature is used. New module content (1) ZoneMind

4 min Metasploit

Metasploit Weekly Wrap-Up: Sep. 22, 2023

Improved Ticket Forging Metasploit’s admin/kerberos/forge_ticket module has been updated to work with Server 2022. In Windows Server 2022, Microsoft started requiring additional new PAC elements to be present - the PAC requestor and PAC attributes. The newly forged tickets will have the necessary elements added automatically based on the user provided domain SID and user RID. For example: msf6 auxiliary(admin/kerberos/forge_ticket) > run aes_key=4a52b73cf37ba06cf693c40f352e2f4d2002ef61f6031f649

4 min Metasploit

Metasploit Weekly Wrap-Up: Sep. 15, 2023

Flask Cookies This week includes two modules related to Flask cookie signatures. One is specific to Apache Superset where session cookies can be resigned, allowing an attacker to elevate their privileges and dump the database connection strings. While adding this functionality, community member h00die [http://github.com/h00die] also added a module for generically working with the default session cookies used by Flask. This generic module auxiliary/gather/python_flask_cookie_signer [http://git

2 min Metasploit

Metasploit Weekly Wrap-Up: Aug. 18, 2023

Meterpreter Testing This week’s release adds new payload tests to our automated test suite. This is intended to help the team and community members identify issues and behavior discrepancies before changes are made. Payloads run on a variety of different platforms including Windows, Linux, and OS X each of which has multiple Meterpreter implementations available that are now tested to help ensure consistency. This should improve payload stability and make testing easier for community members tha

2 min Metasploit

Metasploit Wrap-Up: 2/24/23

Basic discover script improvements This week two improvements were made to the script/resource/basic_discovery.rc resource script. The first update from community member samsepi0x0 [http://github.com/samsepi0x0] allowed commas in the RHOSTS value, making it easier to target multiple hosts. Additionally, adfoster-r7 [http://github.com/adfoster-r7] improved the script by adding better handling for error output. This continues our trend of trying to provide more useful diagnostic information to

5 min Haxmas

2022 Annual Metasploit Wrap-Up

It's been another gangbusters year for Metasploit, and the holidays are a time to give thanks to all the people that help make our load a little bit lighter. So, while this end-of-year wrap-up is a highlight reel of the headline features and extensions that landed in Metasploit-land in 2022, we also want to express our gratitude and appreciation for our stellar community of contributors, maintainers, and users. The Metasploit team merged 824 pull requests across Metasploit-related projects in 20

2 min Metasploit

Metasploit Weekly Wrap-Up: 11/18/22

Pre-authenticated Remote Code Execution in VMware NSX Manager using XStream (CVE-2021-39144) There’s nothing quite like a pre-authenticated remote code execution vulnerability in a piece of enterprise software. This week, community contributor h00die-gr3y [http://github.com/h00die-gr3y] added a module [http://github.com/rapid7/metasploit-framework/pull/17222] that targets VMware NSX Manager using XStream. Due to an unauthenticated endpoint that leverages XStream for input serialization in VMwa