Since our last release in October, we've added 54 new exploits, 66 new auxiliary modules, 43 new post-exploitation modules, and 18 new payloads -- that clocks in at just about 1.5 new modules per day since version 4.1. Clearly, this kind of volume is way too much to detail in a single update blog post. Of course, you could just dive in and download the latest version to get started. In the meantime, here are the highlights for this latest release of Metasploit.
Metasploit 4.2 now ships with thirteen brand new payloads, all added to support opening command sessions and shells on IPv6 networks. In addition, Metasploit's existing arsenal of payloads has been updated to support IPv6 as well. The database back end now fully supports IPv6 addressing for discovered and compromised hosts. Rex, Metasploit's general purpose socket and protocol library, is now compatible with IPv6 networks. The ability to launch attacks over IPv6, even in otherwise IPv4 networks, is crucial in the modern penetration testing environment, so if you're not yet up to speed on auditing a client network's IPv6 exposure, be sure to catch HD Moore's free IPv6 security online training on March 28.
Virtualization as an Attack Vector
With this release comes a pile of new modules targeting VMware vSphere/ESX SOAP interface, as well as a pair of new brute force modules to audit password strength for both vmauthd and Virtual Web Services. Here's the quick list of the new virtual target hotness:
- vmauthd_version : Discovers the version details for a vmauthd service
- esx_fingerprint : Fingerprints (down to the build number) of a stand-alone ESX server
- vmware_http_login : Attempts to brute force local VMware credentials via the Web Services interface
- vmauthd_login : Attempts to brute force local VMware credentials via the vmauthd service
- vmware_enum_users : Enumerates both local and domain VMware user accounts
- vmware_enum_permissions : Enumerates locally-defined user and group permissions on a VMware instance
- vmware_enum_sessions : Enumerates active VMware login sessions
- vmware_enum_vms : Enumerates all local virtual machines on the local VMware instance
- vmware_host_details : Discovers host hardware and software details of the VMware host machine
- poweroff_vm : Powers off a virtual machine via the VMware Web Services interface
- poweron_vm : Powers on a virtual machine via the VMware Web Services interface
- tag_vm : Writes a user-defined "tag" to the VMware logs as proof of compromise
- vmware_screenshot_stealer : Grabs screenshots of VMware guest operating systems as proof of compromise
- terminate_esx_sessions : Disconnects a user from the ESX server
Virtual machine targets in a network often offer unique avenues of attack for penetration testers, and are sometimes overlooked by IT departments and security infrastructure groups alike. Rapid7's David Maloney, aka, TheLightCosine, wrote most of these modules. For a deep-dive into virtualization security, please join his webcast on March 21.
New Resource Scripts
Metasploit 4.2 now ships with fourteen new resource scripts, nearly all of which were provided by open source community contributors. These scripts demonstrate the power of Metasploit's extensible architecture, allowing programmatic Metasploit module usage through the powerful Ruby scripting language. By automating away penetration testing tasks common to most engagements, Metasploit expert users can free up valuable time for more interesting avenues of research and exploitation. Note that while these scripts are useful on their own, they're also great examples of using this entry point and really getting your hands dirty with Metasploit internals. Finally, most of these scripts were submitted by open source contributor m-1-k-3, while the Oracle-centric scripts come from nebulous.
The Ghost of Updates Past
Since January or so, we've been detailing the progress of Metasploit development here on the blog, so other big updates won't come as much of a surprise to regular readers. Metasploit 4.2 includes Chao-Mu's reload of Railgun, HD's SSH public key scanner and H.323 video conferencing scanner, Jon Cran's overhaul of MSF Labs, expanded 64-bit payload coverage, and bunches more.
Details and Availability