Rapid 7 - Metasploit Weekly Wrap-Up
The past, present and future of Metasploit
Don't miss Spencer McIntyre's talk on the Help Net Security's blog. Spencer is the Lead Security Researcher at Rapid7 and speaks about how Metasploit has evolved since its creation back in 2003. He also explains how the Framework is addressing today's offensive security challenges and how important is the partnership with the community.
LDAP swiss army knife
This week, our very own @gwillcox-r7 added an auxiliary module that will likely help you to dump useful information from LDAP servers. This module allows you to remotely retrieve data using either your own custom query or a set of LDAP queries under a specific category. In addition to the available predefined queries, the user can also provide a JSON or YAML file containing custom queries to be executed.
Here are the available predefined queries:
msf6 auxiliary(gather/ldap_query) > show actions
Auxiliary actions:
Name Description
---- -----------
ENUM_ACCOUNTS Dump info about all known user accounts in the domain.
ENUM_ALL_OBJECT_CATEGORY Dump all objects containing any objectCategory field.
ENUM_ALL_OBJECT_CLASS Dump all objects containing any objectClass field.
ENUM_COMPUTERS Dump all objects containing an objectCategory of Computer.
ENUM_DOMAIN_CONTROLLERS Dump all known domain controllers.
ENUM_EXCHANGE_RECIPIENTS Dump info about all known Exchange recipients.
ENUM_EXCHANGE_SERVERS Dump info about all known Exchange servers.
ENUM_GROUPS Dump info about all known groups in the LDAP environment.
ENUM_ORGROLES Dump info about all known organizational roles in the LDAP environment.
ENUM_ORGUNITS Dump info about all known organization units in the LDAP environment.
RUN_QUERY_FILE Execute a custom set of LDAP queries from the JSON or YAML file specified by QUERY_FILE.
RUN_SINGLE_QUERY Execute a single LDAP query using the QUERY_FILTER and QUERY_ATTRIBUTES options.
Here is how you can dump information about users in a Windows domain:
msf6 auxiliary(gather/ldap_query) > set action ENUM_ACCOUNTS
action => ENUM_ACCOUNTS
msf6 auxiliary(gather/ldap_query) > run RHOSTS=10.0.0.33 BIND_DN=MYDOMAIN\\Administrator BIND_PW=123456
[*] Running module against 10.0.0.33
[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[+] 10.0.0.33:389 Discovered base DN: DC=mydomain,DC=local
[*] CN=DC02 OU=Domain Controllers DC=mydomain DC=local
===============================================
Name Attributes
---- ----------
displayname DC02$
name DC02
samaccountname DC02$
useraccountcontrol 532480
[*] CN=Administrator CN=Users DC=mylab DC=local
===========================================
Name Attributes
---- ----------
name Administrator
samaccountname Administrator
useraccountcontrol 512
...[SNIP]...
Win2k summer clean up
For those nostalgic about old Windows systems, bcoles did a great cleanup of old modules targeting Win2k. He breathed life back into modules such as ms01_023_printer
, ms02_065_msadc
and ms03_007_ntdll_webdav
by fixing many issues and adding offsets to support many more Win2k flavors.
New module content (1)
- LDAP Query and Enumeration Module by Grant Willcox - This adds a generic module to perform LDAP queries. Users can execute custom queries either through configuration files on disk, or through a combination of datastore options. The module also includes multiple builtin queries for common operations.
Enhancements and features (7)
- #16737 from adfoster-r7 - This removes the code duplication in the MSSQL client mixins and refactors the code into a single main mixin.
- #16754 from bcoles - Adds additional offsets for various Windows 2000 Professional targets in the ms02_065_msadc module. Also adds documentation and notes.
- #16761 from bcoles - Adds additional offsets for various Windows 2000 targets, replaces raw socket TCP with HttpClient, fixes default payload, adds docs and notes.
- #16776 from bcoles - Adds a ftp-http command stager for FTP clients which support http(s) URLs via
set cmdstager::flavor ftp_http.
- #16778 from bcoles - The checkvm script at
./scripts/meterpreter/checkvm.rb
has been removed andpost/windows/gather/checkvm.rb
now replaces it. Additionally, thepost/windows/gather/checkvm.rb
script has been updated to include missing features from./scripts/meterpreter/checkvm.rb
to ensure backwards compatibility. - #16789 from adfoster-r7 - This adds OpenSSL version information to the report generated by the
debug
command. - #16792 from adfoster-r7 - This improves support for various OpenSSL 3 related errors during console start.
Bugs fixed (2)
- #16743 from adfoster-r7 - Fixes a crash when using the
scanner/mssql/mssql_login
module with thetdsencryption
andUSE_WINDOWS_AUTHENT
options set totrue.
- #16753 from bcoles - This PR fixes several bugs present in the module, including shifting from Meterpreter to shell payloads, better checking, and added targets anddocumentation.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:
If you are a git
user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).
from Rapid7 Blog https://blog.rapid7.com/2022/07/22/metasploit-weekly-wrap-up-167/
Comments
Post a Comment