National Cyber Warfare Foundation (NCWF) Forums


Metasploit Weekly Wrap-Up 04 12 24


0 user ratings
2024-04-12 17:53:20
milo
Red Team (CNA)

 - archive -- 

Account Takeover using Shadow Credentials


The new release of Metasploit Framework includes a Shadow Credentials module added by smashery used for reliably taking over an Active Directory user account or computer, and letting future authentication to happen as that account. This can be chained with other modules present in Metasploit



Account Takeover using Shadow Credentials


Metasploit Weekly Wrap-Up 04/12/24

The new release of Metasploit Framework includes a Shadow Credentials module added by smashery used for reliably taking over an Active Directory user account or computer, and letting future authentication to happen as that account. This can be chained with other modules present in Metasploit Framework such as windows_secrets_dump.


Details


The module targets a ‘victim’ account that is part of a domain where the Domain Controller is running Windows Server 2016 and newer.


Using an account that has write permissions over another (or its own) user account object, the module adds a public key credential object to the user account's msDS-KeyCredentialLink property. After this, a Ticket Granting Ticket can be requested using the get_ticket module, which subsequently can be used for a pass-the-ticket style attack such as auxiliary/gather/windows_secrets_dump. This can be performed when a user contains the GenericWrite permission over another account. By default, Computer accounts have the ability to write their own value (whereas user accounts do not).


The shadow credentials added persist between password changes, making it a very useful technique for getting the TGT.


The steps for this technique (performed automatically by the module) are:

Generate and store a key and certificate locally

Store the certificate’s public key as a KeyCredential

On the domain controller, update the msDS-KeyCredentialLink property to include the newly generated KeyCredential object


After the above steps, you can:

Obtain a TGT & NTLM hash

Perform further attacks using the above values


New module content (3)


Shadow Credentials


Authors: Elad Shamir and smashery

Type: Auxiliary

Pull request: #19051 contributed by smashery

Path: admin/ldap/shadow_credentials


Description: A new module to add to, list, flush and delete from the LDAP msDS-KeyCredentialLink attribute which enables the user to execute "shadow credential" attacks for persistence and lateral movement.


Gibbon School Platform Authenticated PHP Deserialization Vulnerability


Authors: Ali Maharramli, Fikrat Guliev, Islam Rzayev, and h00die-gr3y [email protected]

Type: Exploit

Pull request: #19044 contributed by h00die-gr3y

Path: multi/http/gibbon_auth_rce_cve_2024_24725

AttackerKB reference: CVE-2024-24725


Description: An exploit module that exploits Gibbon online school platform version 26.0.00 and lower to achieve remote code execution. Note that authentication is required. This leverages a PHP deserialization attack via columnOrder in a POST request (CVE-2024-24725).


Rancher Audit Log Sensitive Information Leak


Author: h00die

Type: Post

Pull request: #18962 contributed by h00die

Path: linux/gather/rancher_audit_log_leak

AttackerKB reference: CVE-2023-22649


Description: A post module to leverage CVE-2023-22649 which is a sensitive information leak in the rancher service's audit logs.


Enhancements and features (4)



  • #19022 from sjanusz-r7 - Adds support to detect the MySQL server's host's platform and arch by running a query.

  • #19045 from zgoldman-r7 - Adds a set of acceptance tests for MSSQL modules.

  • #19052 from smashery - Updates Metasploit's User Agent strings to values valid for April 2024.

  • #19064 from nrathaus - Adds support to the auxiliary/scanner/snmp/snmp_login module to work over the TCP protocol in addition to UDP.


Bugs fixed (3)



  • #19056 from dwelch-r7 - Fixed an issue were the socket would be closed if targeting a single host with multiple user_file/pass_file module option combinations. This was caused when a session was successfully opened but then the next login attempt would close the socket being used by the newly created session.

  • #19059 from nrathaus - Fixed an issue with the psnuffle module's POP3 support.

  • #19069 from adfoster-r7 - Fixed an edgecase present in clients that programmatically interacted with Metasploit's remote procedure call (RPC) functionality that caused the login modules for SMB, Postgres, MySQL, and MSSQL to open a new session by default instead of it being opt in behavior.


Documentation


You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.


Get it


As always, you can update to the latest Metasploit Framework with msfupdate

and you can get more details on the changes since the last blog post from

GitHub:



If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.

To install fresh without using git, you can use the open-source-only Nightly Installers or the

commercial edition Metasploit Pro




Source: Rapid7
Source Link: https://blog.rapid7.com/2024/04/12/metasploit-weekly-wrap-up-04-12-24/


Comments
new comment
Nobody has commented yet. Will you be the first?
 
Forum
Red Team (CNA)



Copyright 2012 through 2024 - National Cyber Warfare Foundation - All rights reserved worldwide.