Even when offensive security techniques have been publicly discussed at conferences and proof of concept code or open source tools are available, using them in your projects can be very time consuming and may even require custom development. Metasploit Pro 4.7 now introduces MetaModules, a unique new way to simplify and operationalize security testing for IT security professionals.

MetaModules automate common yet complicated security tests that provide under-resourced security departments a more efficient way to get the job done. The current release includes six MetaModules for security controls testing and penetration testing, which supply common functionality such as validating which outbound firewall ports are open, testing for default credentials or stealthily discovering hosts on the network.

Here's an overview of the new MetaModules:

  • Firewall Egress Testing: Validate which outbound firewall ports are open to audit your firewall egress. This MetaModule contacts a Rapid7-hosted server to test open ports and delivers the results in one easy report. (Documentation)
  • Passive Network Discovery: Stealthily discover hosts and services on the network without sending a single packet. Some penetration tests place value on breaching the network without triggering alarms. This MetaModule sniffs the network traffic and maps out hosts and services as a first step in a network - without risking the chance of detection. All data is automatically available in the Metasploit Pro project so you can plan your attack.(Documentation)
  • Single Credentials Testing: These three MetaModules can help you test where certain passwords, hashes, or SSH keys can be used. In enterprise IT environments, you can test, for example, whether development credentials are mistakenly used on production systems. As part of a penetration test, you can try out credentials on thousands of hosts at a time without using a payload to reduce the likelihood of detection. These MetaModules attempt to log on to several service types and reports the results. There are three MetaModules in this category: Single Password Testing consumes user/password combinations; Pass the Hash consumes password hashes; and SSH Key Testing validates which systems a particular SSH private key grants access to. (Documentation for single password, pass the hash, SSH keys)
  • Known Credentials Intrusion: Compromise machines on the network using verified credentials. After having determined which credential works on which machine, use this easy MetaModule to compromise a machine and create a session. (Documentation)

MetaModules are based on a unique architecture that will enable development of more packaged security testing. MetaModules are another example of Rapid7's commitment to operationalizing security controls testing, the best practice of verifying that your defensive solutions are effective in keeping attackers out.

While the new MetaModules are exclusive to the Metasploit Pro Edition, Rapid7 continues to deliver regular updates to Metasploit Framework, such as new exploits and other modules, as they become available.

We will be hosting a Metasploit 4.7 webcast on Tuesday, July 23 at 2pm ET that will discuss MetaModules in detail and show you how to use them.

New Modules since 4.6.0

Of course, the Metasploit exploit development community has been chugging along since 4.6.0 was released, so we've got a ton of new vulnerability content in this release as well, which are available in both the commercial and free editions. From the recent IPMI modules, to the SAP scanners, to the embedded device exploits for pretty much every home access point manufacturer, we've got more than enough to keep you busy on your next penetration testing engagement. Below is the list of the 91 new modules in all; 54 exploits, 34 auxiliary modules, and 3 post modules, all new since Metasploit 4.6.0.

Exploits

Auxiliary

Post

Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.