3 min
Metasploit
Metasploit Weekly Wrap-Up 11/22/2024
JetBrains TeamCity Login Scanner
Metasploit added a login scanner for the TeamCity application to enable users to
check for weak credentials. TeamCity has been the subject of multiple ETR
vulnerabilities
[http://kql3.us1788.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/]
and is a valuable target for attackers.
Targeted DCSync added to Windows Secrets Dump
This week, Metasploit community member smashery [ht
3 min
Metasploit
Metasploit Weekly Wrap-Up 10/18/2024
ESC15: EKUwu
AD CS continues to be a popular target for penetration testers and security
practitioners. The latest escalation technique (hence the the ESC in ESC15) was
discovered [http://trustedsec.com/blog/ekuwu-not-just-another-ad-cs-esc] by
Justin Bollinger [http://x.com/bandrel] with details being released just last
week. This latest configuration flaw has common issuance requirements to other
ESC flaws such as requiring no authorized signatures or manager approval.
Additionally, templa
2 min
Metasploit
Metasploit Weekly Wrap-Up 09/13/2024
SPIP Modules
This week brings more modules targeting the SPIP publishing platform. SPIP has
gained some attention from Metasploit community contributors recently and has
inspired some PHP payload and encoder improvements.
New module content (2)
SPIP BigUp Plugin Unauthenticated RCE
Authors: Julien Voisin, Laluka, Valentin Lobstein, and Vozec
Type: Exploit
Pull request: #19444 [http://github.com/rapid7/metasploit-framework/pull/19444]
contributed by Chocapikk [http://github.com/Chocapikk]
Pat
3 min
Metasploit
Metasploit Wrap-Up 05/17/2024
LDAP Authentication Improvements
This week, in Metasploit v6.4.9, the team has added multiple improvements for
LDAP related attacks. Two improvements relating to authentication is the new
support for Signing [http://github.com/rapid7/metasploit-framework/pull/19127]
and Channel Binding [http://github.com/rapid7/metasploit-framework/pull/19132].
Microsoft has been making changes
[http://support.microsoft.com/en-gb/topic/2020-2023-and-2024-ldap-channel-binding-and-ldap-signing-requirements-for
4 min
Metasploit
Metasploit Weekly Wrap-Up 04/26/24
Rancher Modules
This week, Metasploit community member h00die [http://github.com/h00die] added
the second of two modules targeting Rancher instances. These modules each leak
sensitive information from vulnerable instances of the application which is
intended to manage Kubernetes clusters. These are a great addition to
Metasploit’s coverage for testing Kubernetes environments
[http://docs.metasploit.com/docs/pentesting/metasploit-guide-kubernetes.html].
PAN-OS RCE
Metasploit also released an e
12 min
Metasploit
Metasploit Framework 6.4 Released
Today, Metasploit is pleased to announce the release of Metasploit Framework
6.4. It has been just over a year since the release of version 6.3
[http://kql3.us1788.com/blog/post/2023/01/30/metasploit-framework-6-3-released/]
and the team has added many new features and improvements since then.
For news reporters, please reach out to press@us1788.com.
Kerberos Improvements
Metasploit 6.3 included initial support for Kerberos authentication within
Metasploit and was one of the larger features i
5 min
Metasploit
Metasploit Weekly Wrap-Up 02/16/2024
New Fetch Payload
It has been almost a year since Metasploit released the new fetch payloads
[http://kql3.us1788.com/blog/post/2023/05/25/fetch-payloads-a-shorter-path-from-command-injection-to-metasploit-session/]
and since then, 43 of the 79 exploit modules have had support for fetch
payloads. The original payloads supported transferring the second stage over
HTTP, HTTPS and FTP. This week, Metasploit has expanded that protocol support to
include SMB, allowing payloads to be run using rundll3
8 min
Metasploit
Metasploit 2023 Annual Wrap-Up: Dec. 29, 2023
As 2023 winds down, we’re taking another look back at all the changes and
improvements to the Metasploit Framework. This year marked the 20th anniversary
since Metasploit version 1.0 was committed and the project is still actively
maintained and improved thanks to a thriving community.
Version 6.3
Early this year in January, Metasploit version 6.3
[http://kql3.us1788.com/blog/post/2023/01/30/metasploit-framework-6-3-released/]
was released with a number of improvements for targeting Active Dir
1 min
Metasploit Weekly Wrapup
Metasploit Weekly Wrap-Up: Nov. 17, 2023
Possible Web Service Removal
Metasploit has support for running with a local database, or from a remote web
service which can be initialized with msfdb init --component webservice. Future
versions of Metasploit Framework may remove the msfdb remote webservice. Users
that leverage this functionality are invited to react on an issue currently on
GitHub [http://github.com/rapid7/metasploit-framework/issues/18439] to inform
the maintainers that the feature is used.
New module content (1)
ZoneMind
4 min
Metasploit
Metasploit Weekly Wrap-Up: Sep. 22, 2023
Improved Ticket Forging
Metasploit’s admin/kerberos/forge_ticket module has been updated to work with
Server 2022. In Windows Server 2022, Microsoft started requiring additional new
PAC elements to be present - the PAC requestor and PAC attributes. The newly
forged tickets will have the necessary elements added automatically based on the
user provided domain SID and user RID. For example:
msf6 auxiliary(admin/kerberos/forge_ticket) > run aes_key=4a52b73cf37ba06cf693c40f352e2f4d2002ef61f6031f649
4 min
Metasploit
Metasploit Weekly Wrap-Up: Sep. 15, 2023
Flask Cookies
This week includes two modules related to Flask cookie signatures. One is
specific to Apache Superset where session cookies can be resigned, allowing an
attacker to elevate their privileges and dump the database connection strings.
While adding this functionality, community member h00die
[http://github.com/h00die] also added a module for generically working with the
default session cookies used by Flask. This generic module
auxiliary/gather/python_flask_cookie_signer
[http://git
2 min
Metasploit
Metasploit Weekly Wrap-Up: Aug. 18, 2023
Meterpreter Testing
This week’s release adds new payload tests to our automated test suite. This is
intended to help the team and community members identify issues and behavior
discrepancies before changes are made. Payloads run on a variety of different
platforms including Windows, Linux, and OS X each of which has multiple
Meterpreter implementations available that are now tested to help ensure
consistency. This should improve payload stability and make testing easier for
community members tha
2 min
Metasploit
Metasploit Wrap-Up: 2/24/23
Basic discover script improvements
This week two improvements were made to the script/resource/basic_discovery.rc
resource script. The first update from community member samsepi0x0
[http://github.com/samsepi0x0] allowed commas in the RHOSTS value, making it
easier to target multiple hosts. Additionally, adfoster-r7
[http://github.com/adfoster-r7] improved the script by adding better handling
for error output. This continues our trend of trying to provide more useful
diagnostic information to
5 min
Haxmas
2022 Annual Metasploit Wrap-Up
It's been another gangbusters year for Metasploit, and the holidays are a time
to give thanks to all the people that help make our load a little bit lighter.
So, while this end-of-year wrap-up is a highlight reel of the headline features
and extensions that landed in Metasploit-land in 2022, we also want to express
our gratitude and appreciation for our stellar community of contributors,
maintainers, and users. The Metasploit team merged 824 pull requests across
Metasploit-related projects in 20
2 min
Metasploit
Metasploit Weekly Wrap-Up: 11/18/22
Pre-authenticated Remote Code Execution in VMware NSX Manager using XStream
(CVE-2021-39144)
There’s nothing quite like a pre-authenticated remote code execution
vulnerability in a piece of enterprise software. This week, community
contributor h00die-gr3y [http://github.com/h00die-gr3y] added a module
[http://github.com/rapid7/metasploit-framework/pull/17222] that targets VMware
NSX Manager using XStream. Due to an unauthenticated endpoint that leverages
XStream for input serialization in VMwa