Even though Metasploit 3.3.3 was just released on December 23rd, the holidays provided some free time for the community and the development team to add more shiny to the Metasploit Framework.

Metasploit now has the ability to discover, brute force, and query MySQL database servers. This was a multi-pronged effort led by Bernardo Damele A. G, combined with TOMITA Masahiro's pure Ruby MySQL driver, tweaked by myself, and concisely documented by Carlos Perez. We will continue to improve MySQL exploitation support by borrowing some of the other techniques that Bernardo implemented in SQLMap (UDFs, upload, download).

SunRPC support and NFS export scanning has been improved due to a series of patches from Ty Bodell. Expect to see more work around SunRPC and NFS in the future as we start porting more RPC exploits and automate the exploitation of weak NFS exports.

The database backend in Metasploit is going through some major changes; most recently, the report*() functions were modified to append to a queue as opposed to directly inserting data into the database. This solves a large number of performance problems and concurrency issues. This change ties in to the work by James Lee and Mike Smith in version 3.3.3 and has been integrated with the most of the existing auxiliary/scanner/ modules. For the average user, this means that once a database has been configured, modules will start automatically saving their results as they run.

We added a NetBIOS name scanner that can retrieve the hostname, domain, and ethernet mac address of any machine running NetBIOS services (Windows, Samba). What makes this module unique is that it sends a second probe to each host, targeted at the NetBIOS hostname, asking for a list of IP addresses to which that name is bound. This effectively provides a way to enumerate all IP addresses of a Windows or Unix machine (running Samba) with just two UDP packets. This technique allows for the identification of VPN clients, VMWare virtual networks, wireless links, and multi-homed hosts. The examples below demonstrate this module and some of the results that can be found while using it.

msf> use auxiliary/scanner/netbios/nbname 
msf auxiliary(nbname) > set RHOSTS 192.168.0.0/24
msf auxiliary(nbname) > run
 
[*] Sending NetBIOS status requests to 192.168.0.0->192.168.0.255
 
[*] 192.168.0.142 [WIN7SONY] OS:Windows
Names:(WIN7SONY, WORKGROUP)
Addresses:(192.168.0.142, 192.168.50.1, 192.168.6.1)
Mac:00:1d:ba:xx:xx:xx
 
[*] 192.168.0.2 [STORAGE] OS:Unix
Names:(STORAGE, WORKGROUP)
Addresses:(192.168.0.2, 66.194.xx.xx)
Mac:00:00:00:00:00:00

This example shows a Windows 7 machine running VMware Workstation (the two additional IP addresses) and an Ubuntu Linux system running Samba with both an internal and external IP address. An external machine running Samba with multiple interfaces would look something like:

[*] 66.240.xx.xx [DBxxxxxx] OS:Unix
Names:(DBxxxxxx, __MSBROWSE__)
Addresses:(66.240.xx.xx, 71.6.yy.yy, 71.6.zz.zz)
Mac:00:00:00:00:00:00

The sweep_udp module has been updated to parse out the NetBIOS status information but doesn't send the secondary probe to obtain the IP address list.

Last but not least, we have added a number of new exploits and auxiliary modules to the tree since version 3.3.3 was released. These exploits include file format modules for Media Jukebox and Mini-stream as well as a remote exploit for HP Recovery Manager's Omni-Inet service.