As 2023 winds down, we’re taking another look back at all the changes and improvements to the Metasploit Framework. This year marked the 20th anniversary since Metasploit version 1.0 was committed and the project is still actively maintained and improved thanks to a thriving community.
Version 6.3
Early this year in January, Metasploit version 6.3 was released with a number of improvements for targeting Active Directory environments. The crowning achievement of this effort was the integration of native Kerberos authentication. With this in place, HTTP, LDAP, MSSQL, SMB and WinRM modules can all make use of Kerberos authentication, enabling a swath of new attack techniques and workflows. In addition to the existing modules that are now capable of authenticating with Kerberos, multiple Kerberos-specific modules were added as well for a variety of tasks such as requesting tickets from the Key Distribution Center (aka the KDC which is almost always the Active Directory Domain Controller), forging tickets from known secrets, and inspecting the contents of tickets.
This functionality was highlighted in Black Hat USA’s Arsenal demonstrations, a recording of which can be found online.
Fetch Based Payloads
In May 2023, Metasploit released a new set of payloads, dubbed the Fetch Payloads which make exploitation of OS-command-executing vulnerabilities easier for users. At the time of the release, about two-thirds of exploits added to the Metasploit Framework in the previous year resulted in the execution of an OS command, either due to direct injection or via some other means such as deserialization. While OS command execution is becoming more popular, it often limits the type of payloads that can easily be added to an exploit since the most advanced payloads, including Meterpreter, aren’t available as OS commands.
Prior to the Fetch Payloads, exploit authors were burdened with the work necessary to convert Meterpreter payloads to something deliverable as an OS command. This led to extra work and inconsistent implementations that often lacked the flexibility our users desire. The new pattern uses the Fetch Payloads, which allows the Framework to handle this automatically. The result is less work for exploit developers and a higher degree of control for end users. We expect to see Fetch Payloads continue to be used widely well past 2024 and to have new variants added.
Even More Kerberos Improvements
While Metasploit 6.3 release provided support for native Kerberos authentication for Metasploit, we’ve since built on it to add even more. These features didn’t make it into the original 6.3 release in January but have since shipped in weekly releases:
- The
auxiliary/admin/kerberos/forge_ticket
module was expanded to support the diamond and sapphire techniques in addition to the original golden and silver techniques. - The
auxiliary/admin/kerberos/forge_ticket
module was also updated to account for the additional fields used by Windows Server 2022, enabling its compatibility with the latest Windows targets. - We added the
post/windows/manage/kerberos_tickets
post module, which enables users to dump Kerberos tickets from a compromised host. This is similar functionality to what the popular Rubeus tool’sklist
/dump
commands do and operates entirely in memory. With this in place, users can now exploit instances of Unconstrained Delegation. - The
auxiliary/gather/windows_secrets_dump
module was updated to support pass-the-ticket authentication when using the DCSync technique (theDOMAIN
action). This enables users to dump all of the secrets from the target given only a valid Kerberos ticket with the required permissions instead of requiring authentication by username and password.
Fewer DNS Leaks
One of the best features of Metasploit is the seamless way in which users can use established Meterpreter and SSH sessions to tunnel traffic as configured by the route
command or often the post/multi/manage/autoroute
module. Until this year, these connections would resolve hostnames to IP addresses from the system on which the Metasploit Framework was running, which could potentially leak information to listening parties. Thanks to a combined effort by sempervictus and smashery, Metasploit can now be configured to use a custom DNS server that is optionally accessed via an established session. This feature is currently behind a feature flag and requires users to run features set dns_feature true
before it can be accessed.
Once enabled, the dns
command allows users to configure how they would like to resolve DNS hostnames. Users can simply specify a single server to handle all queries, or use a wildcard syntax to send DNS queries for one domain to a specific server and non-matching queries to another. The weekly wrap up for the original release contains more detailed notes and usage examples.
Discoverability Improvements
A more recent change to the Framework brought a new feature to allow searching for more fields within modules. By enabling hierarchical search with features set hierarchical_search_table true
, users will now find search queries that match module actions, targets, and AKA aliases. For example, this will cause the auxiliary/admin/kerberos/forge_ticket
module to be included in the search results when forge_golden
is the query because forging golden tickets is one of the actions that it supports.
Users can also discover new capabilities and how to use them by browsing our new docs site at docs.metasploit.com. This site’s source code is included within Metasploit itself, making it easy for users to contribute improvements and their own workflows.
Payload Improvements
Exploits are at the core of what we do on the Metasploit team, but they would be nothing without our payloads. This year saw multiple improvements to our payloads — some changes closed feature gaps, while others added net new functionality. Some highlights include:
- Smashery updated our Java Meterpreter payloads with an important fix to the loader to enable compatibility with the latest versions of OpenJDK.
- Salu90 added a new API to the Windows Meterpreter and a post module to use it that allows users to set the session’s token to a new value.
- JustAnda7 updated the Windows Meterpreter to display IPv6 routes for inspection when the user runs the Meterpreter
route
command (not to be confused with the Frameworkroute
command). - Ishaanahuja7 added support to Meterpreter for running natively on Apple’s new ARM-based chips.
- Sempervictus added native sessions for AWS Instance connections and AWS SSM agents. These session types are noteworthy because while they require access tokens, they do not require a payload to be run on the target and can be used to open a session on a target that Metasploit is otherwise unable to communicate with.
- usiegl00 and Ishaanahuja7 both contributed enhancements to add support OSX AArch64 Meterpreter payloads, which enables the use of native payloads on M1 or M2 OSX devices that do not have Rosetta installed.
Additionally, GitHub Actions are now being used to measure the feature coverage of the Meterpreter API commands. It’s a lesser-known fact that the Meterpreter payload has multiple implementations for different architectures and platforms. This means some features may be present in one and not another. This is the reason the Mimikatz kiwi
plugin isn’t available when the java/meterpreter/reverse_tcp
payload is used. To help us and the community track this information, a report including a coverage matrix is now generated automatically. This report can be accessed by navigating to the project’s Actions tab, selecting “Acceptance”, the latest run, and finally downloading the “final-report”.
Module Highlights
CVE-2022-47966 – This particular vulnerability was an RCE in multiple ManageEngine products. A combined effort by cdelafuente-r7 and h00die-grey brought exploits for the ServiceDesk Plus, ADSelfService Plus, and Endpoint Central products.
CVE-2023-34362 (Exploit) – The MOVEit exploit leverages one of the more high-profile vulnerabilities to have been released this year. This module exploits a SQL injection to leak sensitive data in order to upload a .NET deserialization payload which results in code execution in the context of NT AUTHORITY\ SYSTEM and was a combined effort by sfewer-r7, rbowes-r7, and bwatters-r7.
CVE-2023-32560 (Exploit) – This vulnerability is an unauthenticated RCE in Ivanti Avalanche MDM that would result in code execution as NT AUTHORITY\SYSTEM. The module was submitted by EgeBalci and is one of the very few memory corruption exploits added this year.
CVE-2023-46214 (Exploit) – Chocapikk made their first contributions this year, one of which is for an authenticated RCE in Splunk Enterprise.
CVE-2023-22952
(Exploit) - This exploit was contributed by community member h00die-gr3y back in January of 2023. While it may seem like old news nearly a year later, this zero-day gained a lot of attention when it first came to light. This exploit brought along with it new mixin capabilities for Metasploit to embed PHP payloads in PNG images. This opens the door for future exploit modules to drop payloads inside of PNGs with ease.CVE-2023-20887
(Exploit) - This module was added by community contributor sinsinology (with help from community contributor h00die). There were a few Metasploit modules released this year that targeted VMware products; however this one stands out above the rest. Targeting the popular VMware Aria Operations for Networks software, this module enabled attackers to gain unauthenticated code execution in the context of the root user on a wide range of affected software versions.CVE-2023-27350
(Exploit) - Speaking of modules written for celebrity vulnerabilities, let’s not leave out the PaperCut NG Authentication Bypass, brought to the framework by Metasploit’s one and only Christophe De La Fuente. Christophe’s contribution helped pen testers better assess the security of systems hosting PaperCut NG and ease the concerns of their clients during a stressful time in the cybersecurity ecosystem. The module exploits all affected versions of PaperCut NG and returns an elevated Meterpreter session.Post Module - Written by Spencer McIntyre of the Metasploit team, this module highlights the framework’s new, powerful Kerberos capabilities. Bringing along with it a large amount of railgun enhancements this module allows for Kerberos tickets to be exported from a compromised host and added to Metasploit’s own cache, allowing them to be used in subsequent attacks. The Kerberos work along with this module helps streamline many different types of attacks that can be performed in and around Domain environments. If you haven’t tested Metasploit's Kerberos authentication capabilities yet, put it at the top of your todo list for 2024!
CVE-2023-28252
(Exploit) - The Common Log File System (CLFS) driver is a fantastic vector for attacks; it’s installed on all the latest versions of Windows and saw more abuse in 2023. Ransomware gangs exploited this vulnerability to gain SYSTEM level access on Windows 10, 11 and Server 2022. Metasploit team member Jack Heysel wrote this module that uses the Reflective DLL template in order to drop a low level PoC which returns a session running in the context of NT AUTHORITY\SYSTEM.CVE-2023-40044
(Exploit) - Another exploit that made big waves this year was the WS_FTP server running the Ad Hoc Transfer module .NET deserialization vulnerability. The module and the initial research behind how the vulnerability actually works was brought to us by Metasploit’s very own, veteran contributor, Stephen Fewer. The exploit module runs reliably on a wide range of affected targets. Everyone loves a module where all you have to do is: select the module, input the IP address of the machine running the vulnerable software, run the module, and get a SYSTEM-level session.
Contributors
We would like to give a big thank you to all of the contributors who sent us code in 2023. Whether it was bug fixes, enhancements, or exploits, we appreciate the work you put into making Metasploit better. In 2023, we received pull requests from the following 75 people (ordered by count). Of these, 49 made their first contribution to Metasploit this year.
- h00die
- bcoles
- smashery
- h00die-gr3y
- jmartin-tech
- ErikWynter
- EgeBalci
- ismaildawoodjee (new in 2023)
- wvu
- jvoisin
- sempervictus
- rorymckinley (new in 2023)
- rad10
- manishkumarr1017 (new in 2023)
- Ryuuuuu (new in 2023)
- prabhatjoshi321 (new in 2023)
- Chocapikk (new in 2023)
- Jemmy1228 (new in 2023)
- AleksaZatezalo (new in 2023)
- emirpolatt (new in 2023)
- heyder
- steve-embling
- dm-ct (new in 2023)
- ide0x90
- archcloudlabs
- samsepi0x0 (new in 2023)
- Lorenyx (new in 2023)
- MikeAnast (new in 2023)
- loredous (new in 2023)
- bradyjackson (new in 2023)
- nfsec
- HynekPetrak
- whotwagner (new in 2023)
- rtpt-erikgeiser
- errorxyz (new in 2023)
- e-lliot (new in 2023)
- gcarmix (new in 2023)
- j0ev (new in 2023)
- xaitax (new in 2023)
- cudalac (new in 2023)
- bka-dev
- cnnrshd (new in 2023)
- pbarry25 (new in 2023)
- D00Movenok (new in 2023)
- gardnerapp (new in 2023)
- rodnt (new in 2023)
- hahwul (new in 2023)
- JustAnda7
- Guilhem7 (new in 2023)
- shellchocolat (new in 2023)
- sdcampbell (new in 2023)
- attl4s (new in 2023)
- distortedsignal (new in 2023)
- spmedia (new in 2023)
- YiDa858 (new in 2023)
- j-baines (new in 2023)
- catatonicprime
- vtoutain (new in 2023)
- SubcomandanteMeowcos (new in 2023)
- samueloph (new in 2023)
- araout42 (new in 2023)
- Pflegusch (new in 2023)
- tekwizz123
- rohitkumarankam (new in 2023)
- jeffmcjunkin
- MegaManSec
- bugch3ck
- raboof (new in 2023)
- JBince (new in 2023)
- Frycos (new in 2023)
- neterum (new in 2023)
- mkonda (new in 2023)
- serializingme (new in 2023)
- k0pak4
- npm-cesium137-io
- hamax97 (new in 2023)
Source: Rapid7
Source Link: https://blog.rapid7.com/2023/12/29/metasploit-2023-wrap-up/