Fresh out of the oven and in time for Black Hat Las Vegas, we present to you the new Metasploit 4.4 with these great new features:

Focus Your Remediation Efforts: Metasploit Risk Validation for Nexpose Vulnerability Management

You may have been in this situation: your vulnerability scanning report is so long you don't know where to start. You don't have time to address all vulnerabilities, and you don't know which ones are important. If this sounds familiar, you may get very excited about Metasploit Pro's new and improved integration with Rapid7 Nexpose, which makes your problem go away.

Why does this challenge exist in the first place? Vulnerability scanners can identify what software versions are installed and knows which software versions have potential vulnerabilities, but they can't detect whether a firewall, IDS, or other compensating controls affect the exploitability. Without being able to validate the risks, IT teams may be focusing on lower priority risks, rather than prioritizing vulnerabilities with known exploits and no compensating controls associated, which represent a very real threat to the organization.

By integrating Metasploit Pro with Nexpose for risk validation, you can now prioritize the critical vulnerabilities that pose a real risk, fixing them before it's too late. Now you can focus your efforts on what matters.

Specifically, Metasploit now tightly integrates with Nexpose by:

  • Importing rich vulnerability data from Nexpose scans, sites, and XML
  • Automatically validating the exploitability of many high-risk vulnerabilities
  • Providing a simplified process to spot-check individual vulnerabilities
  • Pushing granular exploit results back to Nexpose via Vulnerability Exceptions
  • Pushing device classifications back to Nexpose Asset Groups via Metasploit Tags
  • Enhancing Metasploit reports with detailed Nexpose scan data

Security professionals benefit from the integration in the following ways:

  • Quickly identify high-risk vulnerabilities not protected by compensating controls
  • Measure the effectiveness of defensive solutions designed  to mitigate vulnerabilities
  • Increase credibility and reduce friction between IT operations and security teams

On July 18 at 2pm EST, HD Moore will demonstrate the new functionality in the free webcast “Validate Risks in Your Security Assessment Program”. Register now - limited seats!

Improved AV Evasion: "Now they will tremble again, at the sound of our silence" - The Hunt for Red October

Security is often an adversarial process. Metasploit is a part of the offensive side of that equation, constantly pushing the defenders to adjust and innovate. This involves a certain ammount of good-natured give-and-take between us here at Metasploit and the vendors who make defensive products like anti-virus solutions. The response to Metasploit from the AV world has been a mixed bag. Over the years our payloads have gotten higher and higher detection rates. This is especially true when an actual executable binary has to land on the target system, such as in the case of the psexec module. We have recently set out to respond back to the AV vendors to once again challenge them to step up their game while we enable our team to slip past their defenses yet again.

The problem is essentially two-fold, as it always is with AV. There are the signature detections. These, by and large, appear to be cases where the AV vendors literally copied our template files that the payloads get inserted into, and wrote signatures for them. That way they would pick us up no matter what payload was used, because the template itself would be flagged. This is an extremely lazy approach but has the virtue of being effective if we don't do anything about it. So the first step was to address the issue of these templates. We could generate new templates for our Metasploit Pro users, but we had done that once before and it only bought us a temporary reprieve. To create a more long-term solution we developed a method that generates a totally unique executable every time it's run, making it much more difficult for AV vendors to simply grab the template and write a signature.

The second problem is heuristics. This is where the AV vendor actually watches the behavior of the code and tries to analyze it appropriately. This is a far more effective but much more tricky and complicated way of detecting malicious code. Some of the key factors for avoiding this involve hiding obviously suspicious behavior and making it look as normal and innocent as possible. So as we generate our executables each time we pay special care to avoid any obviously malicious activity, and look like a normal legitimate program.

The current iteration of this technique is now available for users of the Metasploit Pro product when using the psexec exploit. When selecting the psexec module from the module runner, they can select the DynamicExe option from under Advanced Options. Also, when running a Metasploit Pro Bruteforce they can select 'Dynamically generate payload EXE for SMB' under the payload settings. These generated payloads will in many cases do a better job at evading anti-virus solutions than our old templates. However, they do not have the virtue of being signed. We will continue to improve this feature over the coming weeks, and hopefully continue to improve our ability to evade detection.

Speedy UI, Even Under Heavy Load

We've taken Metasploit into the wind tunnel and made it a lot more aerodynamic for users who are handling tens of thousands of hosts. The user interface now responds much faster, so you'll have to find a better excuse for your coffee break.

Shiny New Auxiliary and Exploit Modules

As usual, the big point releases cater more to the commercial Metasploit users while our regular weekly updates provide value to our open source community. Since we released Metasploit 4.3 on April 24, we added 101 new modules to Metasploit: 68 exploits, 22 auxiliary modules, 9 post modules, 1 payload, and 1 encoder. All of these are also available in the free Metasploit Community Edition and in the open source Metasploit Framework, which were both updated with this release.

Since our last weekly update, we've added a these new modules to our exploit database:

Please refer to the release notes for a full list of all new modules since version 4.3.

Metasploit 4.4 is Waiting For You

If you'd like to see more details on what's in the new release, please read Tod Beardsley's most excellent release notes. If you're already drooling to get the new release, you can download Metasploit now.