It's another Metasploit update, and it's headed straight for us!
This week, Metasploit session management got a whole lot smarter. Here's the scenario: As a penetration tester, you rook a bunch of people into clicking on your browser-embedded Flash exploit, sit back, and watch the sessions rolling in. However, they're all behind a single NAT point, so all your sessions appear to be terminating at a single IP address, and you quickly lose track of who's who in your session list.
Over the last couple weeks, Rapid7's own HD Moore and James "egypt" Lee have solved that problem by giving Meterpreter sessions the smarts to figure out that the IP address they were delivered to isn't the same as the IP address they ended up on by comparing the local interface address with what it thought it was headed to. So, the end result is, if you've got sessions behind a NAT or something similar, you can now at least tell the difference between end points that are otherwise cloaked by NAT. Here's an example of a local attacker (192.168.168.10) connected to a remote victim (10.1.1.101) who is behind a NAT gateway (192.168.168.13):
msf exploit(handler) > sessions Active sessions =============== Id Type Information Connection -- ---- ----------- ---------- 6 meterpreter win32 SITTINGDUCK\darkwing @ WEBSPHERE 192.168.168.10:9999 -> 192.168.168.13:26641 (10.1.1.101) msf exploit(handler) > hosts Hosts ===== address mac name os_name os_flavor os_sp purpose info comments ------- --- ---- ------- --------- ----- ------- ---- -------- 10.1.1.101 WEBSPHERE Microsoft Windows .NET Server SP2 client 192.168.168.13 firewall msf exploit(handler) >
GitHub Care and Feeding
These last couple weeks have been dedicated to cleaning up a lot of our own internal processes around GitHub. For starters, we've been clearing out a lot of the older framework fixes that have been lingering in the queue, and by the end of the week, we should be in a pretty good spot as far as backlog is concerned. Going forward, I have sworn a blood oath to keep that backlog down to week's worth of pull requests.
Module management hasn't been too much trouble, seeing how Wei "sinn3r" Chen is an android from the future who can process community modules at insane speeds. Integrating the more complex framework patches, plugins, and other non-module contributions have been a little slower than I'd like in this post-Redmine world, and the longer those get put off, the harder it is to merge them in. By this time next week, you shouldn't see any outstanding pull requests more than a couple days old.
Speaking of Redmine, we're also just about ready to move our issue tracking over to GitHub. Right now, if Metasploit users run into a bug or have a feature request, we are still using the old dev.metasploit.com bug tracker, and that means users need to log in over there, too, which is kind of a hassle. We'd rather have one unified place to track issues and patches together (for obvious reasons), so look for the Redmine tracker to go away Real Soon Now.
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.
For additional details on what's changed and what's current, please see Jonathan Cran's most excellent release notes.