Account Takeover using Shadow Credentials
The new release of Metasploit Framework includes a Shadow Credentials module added by smashery used for reliably taking over an Active Directory user account or computer, and letting future authentication to happen as that account. This can be chained with other modules present in Metasploit
Account Takeover using Shadow Credentials
The new release of Metasploit Framework includes a Shadow Credentials module added by smashery used for reliably taking over an Active Directory user account or computer, and letting future authentication to happen as that account. This can be chained with other modules present in Metasploit Framework such as windows_secrets_dump
.
Details
The module targets a ‘victim’ account that is part of a domain where the Domain Controller is running Windows Server 2016 and newer.
Using an account that has write permissions over another (or its own) user account object, the module adds a public key credential object to the user account's msDS-KeyCredentialLink property. After this, a Ticket Granting Ticket can be requested using the get_ticket
module, which subsequently can be used for a pass-the-ticket style attack such as auxiliary/gather/windows_secrets_dump
. This can be performed when a user contains the GenericWrite
permission over another account. By default, Computer accounts have the ability to write their own value (whereas user accounts do not).
The shadow credentials added persist between password changes, making it a very useful technique for getting the TGT.
The steps for this technique (performed automatically by the module) are:
Generate and store a key and certificate locally
Store the certificate’s public key as a KeyCredential
On the domain controller, update the msDS-KeyCredentialLink property to include the newly generated KeyCredential object
After the above steps, you can:
Obtain a TGT & NTLM hash
Perform further attacks using the above values
New module content (3)
Shadow Credentials
Authors: Elad Shamir and smashery
Type: Auxiliary
Pull request: #19051 contributed by smashery
Path: admin/ldap/shadow_credentials
Description: A new module to add to, list, flush and delete from the LDAP msDS-KeyCredentialLink
attribute which enables the user to execute "shadow credential" attacks for persistence and lateral movement.
Gibbon School Platform Authenticated PHP Deserialization Vulnerability
Authors: Ali Maharramli, Fikrat Guliev, Islam Rzayev, and h00die-gr3y [email protected]
Type: Exploit
Pull request: #19044 contributed by h00die-gr3y
Path: multi/http/gibbon_auth_rce_cve_2024_24725
AttackerKB reference: CVE-2024-24725
Description: An exploit module that exploits Gibbon online school platform version 26.0.00 and lower to achieve remote code execution. Note that authentication is required. This leverages a PHP deserialization attack via columnOrder in a POST request (CVE-2024-24725).
Rancher Audit Log Sensitive Information Leak
Author: h00die
Type: Post
Pull request: #18962 contributed by h00die
Path: linux/gather/rancher_audit_log_leak
AttackerKB reference: CVE-2023-22649
Description: A post module to leverage CVE-2023-22649 which is a sensitive information leak in the rancher service's audit logs.
Enhancements and features (4)
- #19022 from sjanusz-r7 - Adds support to detect the MySQL server's host's platform and arch by running a query.
- #19045 from zgoldman-r7 - Adds a set of acceptance tests for MSSQL modules.
- #19052 from smashery - Updates Metasploit's User Agent strings to values valid for April 2024.
- #19064 from nrathaus - Adds support to the
auxiliary/scanner/snmp/snmp_login
module to work over the TCP protocol in addition to UDP.
Bugs fixed (3)
- #19056 from dwelch-r7 - Fixed an issue were the socket would be closed if targeting a single host with multiple
user_file
/pass_file
module option combinations. This was caused when a session was successfully opened but then the next login attempt would close the socket being used by the newly created session. - #19059 from nrathaus - Fixed an issue with the psnuffle module's POP3 support.
- #19069 from adfoster-r7 - Fixed an edgecase present in clients that programmatically interacted with Metasploit's remote procedure call (RPC) functionality that caused the login modules for SMB, Postgres, MySQL, and MSSQL to open a new session by default instead of it being opt in behavior.
Documentation
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:
If you are a git
user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro
Source: Rapid7
Source Link: https://blog.rapid7.com/2024/04/12/metasploit-weekly-wrap-up-04-12-24/