National Cyber Warfare Foundation (NCWF)

Metasploit Wrap-Up 03/06/2025


2025-03-18 17:07:24
milo
Red Team (CNA)
This week's Metasploit Wrap-Up saw 3 new modules. Learn more about the enhancements, features, and bugs fixed.

New module content (3)


Get NAA Credentials



Authors: skelsec, smashery, and xpn

Type: Auxiliary

Pull request: #19712 contributed by smashery

Path: admin/sccm/get_naa_credentials


Description: Adds an auxiliary module which retrieves Network Access Account (NAA) credentials from a System Center Configuration Manager (SCCM) server. Given a computer account name and password (which a standard AD domain user can typically create), a misconfigured SCCM server will hand out the NAA credentials when they are requested.


SonicWall HTTP Login Scanner


Author: msutovsky-r7

Type: Auxiliary

Pull request: #19935 contributed by msutovsky-r7

Path: scanner/sonicwall/login_scanner


Description: This adds a module to brute-force the login credentials for SonicWall NSv HTTP Login.


D-Tale RCE


Authors: Takahiro Yokoyama and taiphung217

Type: Exploit

Pull request: #19899 contributed by Takahiro-Yoko

Path: linux/http/dtale_rce_cve_2025_0655

AttackerKB reference: CVE-2025-0655


Description: This module exploits a bypass (CVE-2025-0655) for an older vulnerability (CVE-2024-3408), leading to remote code execution (RCE) in D-Tale, a visualizer for pandas data structures.


Enhancements and features (8)



  • #19639 from zeroSteiner - Adds support for a check method in relay modules and updates the two relay modules present in Metasploit Framework. In the case of smb_relay, this checks if the target has SMB signing disabled. In the case of ESC8, it checks that the target URI responds with a 401 and offers NTLM as an authentication mechanism.

  • #19682 from h00die - Adds additional tests for Linux post functionality along with additional comments for better understanding; adds a new library for working with Linux packages.

  • #19879 from zeroSteiner - This updates the existing MsDtypSecurityDescriptor class to include a #to_sddl_text method. This allows an initialized object to be displayed using the Security Descriptor Definition Language defined by Microsoft.

  • #19917 from zeroSteiner - This adds crypto primitives for AES key derivation (NIST SP 800-108) and AES key unwrapping (NIST SP 800-38F), replacing RubySMB's implementation, which does not support all of the parameters.

  • #19918 from msutovsky-r7 - Extracts a reusable Rex::Proto::Http::AuthDigest library for use within modules.

  • #19927 from bcoles - This improves the support of several Linux distros in the library function get_sysinfo in Msf::Post::Linux::System.

  • #19933 from zeroSteiner - Updates the auxiliary/scanner/ldap/ldap_login module with a new CreateSession option which controls the opening of an interactive LDAP session. This functionality was previously behind a feature flag, but is now enabled by default.

  • #19946 from zeroSteiner - Adds a warning to help users that are performing relay attacks. It notes that the attack won't work when relaying SMB to SMB on the same host if the MS08-068 patch has been applied.
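The two preconditions that #19639's check method tests are worth seeing in concrete terms. The following is an added example written for this page, not Metasploit's own check code: it parses the SecurityMode field of an SMB2 NEGOTIATE response to decide whether signing is merely enabled or actually required, and inspects an HTTP 401 for an explicit NTLM offer in WWW-Authenticate. The SMB2 layout and flag values come from MS-SMB2; the response bytes and HTTP heads are constructed here, and treating a bare "Negotiate" header as "NTLM not offered" is this example's own conservative choice.

```ruby
# Added example, not Metasploit's own check code: the two preconditions that
# #19639's check method tests, re-implemented on constructed inputs.
#   1. SMB relay needs a target that does not *require* signing. The server
#      states this in the SecurityMode field of its SMB2 NEGOTIATE response
#      (MS-SMB2 2.2.4): 0x0001 = signing enabled, 0x0002 = signing required.
#   2. ESC8 relays NTLM to the AD CS web enrollment endpoint, which therefore
#      has to refuse an anonymous request with 401 and offer NTLM.

SMB2_PROTOCOL_ID                = "\xFESMB".b
SMB2_COMMAND_NEGOTIATE          = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR      = 0x00000001
SMB2_NEGOTIATE_SIGNING_ENABLED  = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002

# Returns SecurityMode from a raw SMB2 NEGOTIATE response: a 64-byte header
# (Command at offset 12, Flags at 16) followed by the body, whose SecurityMode
# field is the second 16-bit word, i.e. at offset 66.
def smb2_security_mode(message)
  raise ArgumentError, 'not an SMB2 message' unless message.byteslice(0, 4) == SMB2_PROTOCOL_ID
  command = message.byteslice(12, 2).unpack1('v')
  flags   = message.byteslice(16, 4).unpack1('V')
  raise ArgumentError, 'not a NEGOTIATE message' unless command == SMB2_COMMAND_NEGOTIATE
  raise ArgumentError, 'not a server response' if (flags & SMB2_FLAGS_SERVER_TO_REDIR).zero?
  message.byteslice(66, 2).unpack1('v')
end

# SMB-to-SMB relay is only viable when this returns false.
def smb_signing_required?(message)
  !(smb2_security_mode(message) & SMB2_NEGOTIATE_SIGNING_REQUIRED).zero?
end

# Constructed NEGOTIATE response (SMB 3.1.1 dialect, zeroed GUID, sizes and
# times) so the parser can be exercised offline; not a capture.
def build_negotiate_response(security_mode)
  header = SMB2_PROTOCOL_ID +
           [64, 0].pack('vv') +                         # StructureSize, CreditCharge
           [0].pack('V') +                              # Status
           [SMB2_COMMAND_NEGOTIATE, 1].pack('vv') +     # Command, CreditResponse
           [SMB2_FLAGS_SERVER_TO_REDIR, 0].pack('VV') + # Flags, NextCommand
           [0].pack('Q<') +                             # MessageId
           [0, 0].pack('VV') +                          # Reserved, TreeId
           [0].pack('Q<') +                             # SessionId
           ("\x00" * 16).b                              # Signature
  body = [65, security_mode, 0x0311, 0].pack('vvvv') +  # StructureSize, SecurityMode, DialectRevision, NegotiateContextCount
         ("\x00" * 16).b +                              # ServerGuid
         [0, 0, 0, 0].pack('VVVV') +                    # Capabilities, MaxTransactSize, MaxReadSize, MaxWriteSize
         [0, 0].pack('Q<Q<') +                          # SystemTime, ServerStartTime
         [0, 0].pack('vv') + [0].pack('V') +            # SecurityBufferOffset/Length, NegotiateContextOffset
         "\x00".b                                       # Buffer
  header + body
end

# Splits a raw HTTP response head into status code and a header Hash. Names are
# lower-cased and values kept as arrays because WWW-Authenticate is usually
# sent once per mechanism.
def parse_response_head(raw)
  status_line, *lines = raw.split("\r\n")
  status  = status_line.split(' ', 3)[1].to_i
  headers = Hash.new { |hash, key| hash[key] = [] }
  lines.each do |line|
    break if line.empty?
    name, value = line.split(':', 2)
    headers[name.strip.downcase] << value.to_s.strip
  end
  [status, headers]
end

# ESC8 precondition: 401 plus an explicit NTLM offer. A bare "Negotiate" may or
# may not accept raw NTLM tokens, so this example deliberately does not count it.
def ntlm_auth_offered?(raw)
  status, headers = parse_response_head(raw)
  return false unless status == 401
  headers['www-authenticate'].any? { |v| v.split(/[\s,]/, 2).first.to_s.casecmp?('NTLM') }
end

# Constructed responses, not captures from a real AD CS server.
CERTSRV_NTLM_401 = "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\n" \
                   "WWW-Authenticate: NTLM\r\nContent-Length: 0\r\n\r\n"
CERTSRV_NEGOTIATE_ONLY_401 = "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\n\r\n"
CERTSRV_ANONYMOUS_200 = "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"

if __FILE__ == $PROGRAM_NAME
  [SMB2_NEGOTIATE_SIGNING_ENABLED,
   SMB2_NEGOTIATE_SIGNING_ENABLED | SMB2_NEGOTIATE_SIGNING_REQUIRED].each do |mode|
    puts format('SecurityMode 0x%04x: signing required = %s', mode, smb_signing_required?(build_negotiate_response(mode)))
  end
  puts "ESC8 target candidate: #{ntlm_auth_offered?(CERTSRV_NTLM_401)}"
end
```

Note that "signing enabled" on its own is not a blocker: a Windows member server defaults to enabled-but-not-required, which is exactly the state a relay needs, whereas domain controllers default to required. The distinction between the two flag bits is the whole check.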
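The primitives named in #19917 are small enough to show in full. What follows is an added example written for this page against Ruby's OpenSSL bindings; it is neither Metasploit's nor RubySMB's implementation. The KDF uses the SP 800-108 counter-mode fixed-input layout with a configurable counter width and digest, which is the kind of parameterisation the release note says the old code lacked; the unwrap follows RFC 3394 (the KW mode of SP 800-38F) and is checked against that RFC's published test vector. The label and context strings used in the demonstration are made up here.

```ruby
require 'openssl'

# Added example, not Metasploit's or RubySMB's implementation: the two
# primitives #19917 adds, built on Ruby's OpenSSL bindings.
#   - SP 800-108 KDF in counter mode with an HMAC PRF. The fixed input is
#     [i]_2 || Label || 0x00 || Context || [L]_2 (SP 800-108 section 5.1); the
#     counter width and digest differ between protocols, so they are arguments.
#   - AES key unwrap (RFC 3394, the KW mode of SP 800-38F), which also checks
#     the integrity value A6A6A6A6A6A6A6A6 so a wrong KEK is detected.

# Derives length_bits of key material from the key-derivation key ki.
def sp800_108_counter_kdf(ki, label, context, length_bits, digest: 'SHA256', counter_bits: 32)
  raise ArgumentError, 'length_bits must be a multiple of 8' unless (length_bits % 8).zero?
  raise ArgumentError, 'counter_bits must be 16 or 32' unless [16, 32].include?(counter_bits)
  h_len  = OpenSSL::Digest.new(digest).digest_length
  rounds = (length_bits / 8.0 / h_len).ceil
  out = ''.b
  (1..rounds).each do |i|
    fixed = [i].pack(counter_bits == 32 ? 'N' : 'n') + label.b + "\x00".b + context.b + [length_bits].pack('N')
    out << OpenSSL::HMAC.digest(digest, ki, fixed)
  end
  out.byteslice(0, length_bits / 8)
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# One raw AES block operation; the KEK length selects AES-128/192/256.
def aes_ecb_block(kek, block, encrypt)
  c = OpenSSL::Cipher.new("aes-#{kek.bytesize * 8}-ecb")
  encrypt ? c.encrypt : c.decrypt
  c.padding = 0
  c.key = kek
  c.update(block) + c.final
end

RFC3394_IV = ['A6A6A6A6A6A6A6A6'].pack('H*')

# RFC 3394 section 2.2.1 wrap: plaintext must be a multiple of 8 bytes, >= 16.
def aes_key_wrap(kek, plaintext)
  raise ArgumentError, 'plaintext must be 8*n bytes, n >= 2' unless (plaintext.bytesize % 8).zero? && plaintext.bytesize >= 16
  n = plaintext.bytesize / 8
  a = RFC3394_IV
  r = (0...n).map { |i| plaintext.byteslice(i * 8, 8) }
  (0..5).each do |j|
    (1..n).each do |i|
      b = aes_ecb_block(kek, a + r[i - 1], true)
      a = xor_bytes(b.byteslice(0, 8), [n * j + i].pack('Q>'))
      r[i - 1] = b.byteslice(8, 8)
    end
  end
  a + r.join
end

# RFC 3394 section 2.2.2 unwrap; raises when the integrity check fails.
def aes_key_unwrap(kek, wrapped)
  raise ArgumentError, 'wrapped key must be 8*(n+1) bytes, n >= 2' unless (wrapped.bytesize % 8).zero? && wrapped.bytesize >= 24
  n = wrapped.bytesize / 8 - 1
  a = wrapped.byteslice(0, 8)
  r = (1..n).map { |i| wrapped.byteslice(i * 8, 8) }
  5.downto(0) do |j|
    n.downto(1) do |i|
      b = aes_ecb_block(kek, xor_bytes(a, [n * j + i].pack('Q>')) + r[i - 1], false)
      a = b.byteslice(0, 8)
      r[i - 1] = b.byteslice(8, 8)
    end
  end
  raise OpenSSL::Cipher::CipherError, 'key unwrap integrity check failed' unless a == RFC3394_IV
  r.join
end

# Test vector from RFC 3394 section 4.1 (128-bit key data, 128-bit KEK).
RFC3394_KEK     = ['000102030405060708090A0B0C0D0E0F'].pack('H*')
RFC3394_KEY     = ['00112233445566778899AABBCCDDEEFF'].pack('H*')
RFC3394_WRAPPED = ['1FA68B0A8112B447AEF34BD8FB5A7B829D3E862371D2CFE5'].pack('H*')

if __FILE__ == $PROGRAM_NAME
  puts "RFC 3394 unwrap matches: #{aes_key_unwrap(RFC3394_KEK, RFC3394_WRAPPED) == RFC3394_KEY}"
  # Made-up label/context: derive a 256-bit KEK, then wrap and unwrap a key under it.
  kek = sp800_108_counter_kdf(RFC3394_KEY, 'example-label', 'example-context', 256)
  puts "round trip ok: #{aes_key_unwrap(kek, aes_key_wrap(kek, RFC3394_KEY)) == RFC3394_KEY}"
end
```

The integrity check at the end of the unwrap is the part worth keeping in mind when debugging: a KEK derived with the wrong label, context, counter width or digest does not produce garbage silently, it fails the A6A6... comparison, so a mismatch in any of those KDF parameters shows up as an unwrap error rather than as an unusable key.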
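For #19918, the computation an HTTP Digest client library has to perform is short enough to show end to end. This is an added example written for this page, not the Rex::Proto::Http::AuthDigest code: it parses a Digest challenge, computes the RFC 2617 request-digest and assembles the Authorization header, and it is checked against the worked example in RFC 2617 section 3.5 (the challenge, credentials and nonces below are that RFC's, not a capture from any product).

```ruby
require 'digest'

# Added example, not the Rex::Proto::Http::AuthDigest code: challenge parsing,
# RFC 2617 request-digest computation and Authorization header assembly for
# HTTP Digest authentication, verified against RFC 2617 section 3.5.

# Turns 'Digest realm="x", qop="auth", nonce="..."' into a Hash of parameters.
def parse_digest_challenge(header)
  params = {}
  header.sub(/\ADigest\s+/i, '').scan(/(\w+)=(?:"([^"]*)"|([^,\s]*))/) do |key, quoted, bare|
    params[key.downcase] = quoted || bare
  end
  params
end

def md5_of(*parts)
  Digest::MD5.hexdigest(parts.join(':'))
end

# RFC 2617 3.2.2.1: request-digest for algorithm MD5 or MD5-sess, with or
# without qop. qop=auth-int (which also hashes the entity body) is not handled.
def digest_response(username:, password:, realm:, nonce:, method:, uri:,
                    qop: nil, nc: nil, cnonce: nil, algorithm: 'MD5')
  ha1 = md5_of(username, realm, password)
  ha1 = md5_of(ha1, nonce, cnonce) if algorithm.casecmp?('MD5-sess')
  ha2 = md5_of(method, uri)
  qop ? md5_of(ha1, nonce, nc, cnonce, qop, ha2) : md5_of(ha1, nonce, ha2)
end

# Builds the Authorization header a client sends back. qop=auth is selected when
# the server offers it; opaque is echoed back unchanged as the RFC requires.
def build_digest_authorization(challenge, username:, password:, method:, uri:, cnonce:, nc: '00000001')
  ch  = parse_digest_challenge(challenge)
  qop = ch['qop'].to_s.split(',').map(&:strip).include?('auth') ? 'auth' : nil
  response = digest_response(username: username, password: password, realm: ch['realm'],
                             nonce: ch['nonce'], method: method, uri: uri, qop: qop, nc: nc,
                             cnonce: cnonce, algorithm: ch['algorithm'] || 'MD5')
  fields = [%(username="#{username}"), %(realm="#{ch['realm']}"), %(nonce="#{ch['nonce']}"),
            %(uri="#{uri}"), %(response="#{response}")]
  fields += [%(qop=#{qop}), %(nc=#{nc}), %(cnonce="#{cnonce}")] if qop
  fields << %(opaque="#{ch['opaque']}") if ch['opaque']
  'Digest ' + fields.join(', ')
end

# Challenge from RFC 2617 section 3.5 (the RFC's example, not a captured exchange).
RFC2617_CHALLENGE = 'Digest realm="testrealm@host.com", qop="auth,auth-int", ' \
                    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", opaque="5ccc069c403ebaf9f0171e9517f40e41"'

if __FILE__ == $PROGRAM_NAME
  puts build_digest_authorization(RFC2617_CHALLENGE, username: 'Mufasa', password: 'Circle Of Life',
                                  method: 'GET', uri: '/dir/index.html', cnonce: '0a4f113b')
end
```

For a login scanner the practical consequence is that every guess costs a fresh round trip: the nonce comes from the server, so a Digest brute-force cannot precompute responses the way a Basic-auth scanner can precompute headers, and a server that rotates nonces aggressively will also reject replays of a correct response.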




Bugs fixed (5)



  • #19745 from smashery - This adds an escape_args method to all command shells that finds the appropriate OS escaping routines for an SSH server.

  • #19902 from zeroSteiner - This fixes the byte to int and vice versa conversion in MsAdts.

  • #19919 from jheysel-r7 - This fixes an issue in the gather/ldap_esc_vulnerable_cert_finder that would come up when checking templates for ESC13 that had missing issuance policy OIDs.

  • #19922 from cgranleese-r7 - Fixes a crash when searching by target, e.g. search targets:python.

  • #19925 from zeroSteiner - Fixes a bug that caused a module's validation logic to not always be executed.


Documentation added (2)



  • #19895 from cgranleese-r7 - Updates multiple out of date reference links within modules.

  • #19920 from jheysel-r7 - This adds documentation for creating AD CS certificate templates that are vulnerable to ESC4, ESC13, and ESC15 for testing purposes.


You can always find more documentation on our docsite at docs.metasploit.com.


Get it


As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition, Metasploit Pro.









Source: Rapid7
Source Link: https://blog.rapid7.com/2025/03/06/metasploit-wrap-up-03-06-2025/




