We've given credentials a new boost with Metasploit 4.10. It's now easier to manage, reuse and report on credentials as part of a penetration test.

Pentesters are shifting from exploits to credentials

There was one common theme that we heard from a lot of penetration testers we talked to over the past few months: You're using more and more credentials on penetration tests. We even surveyed the Metasploit user base to make sure we didn't ask a biased sample: 59% of you said that you use credentials for half or more of your penetration test compared to exploits.

2014 Metasploit User Survey: “On an average pentest, do you focus more on exploits or credentials?”, N=561

This is not really surprising: Organizations are getting better at vulnerability management. (OK, I said better, not perfect.) You find it harder to find that MS08-067 on the network, especially now that Windows XP has been taken out of maintenance and is starting to disappear from corporate networks. (Well, they're “starting” to take XP out of circulation.) Over the past few years, the Microsoft Windows engineering team has also been getting better at making exploitation harder, specifically through techniques such as canary values, data execution prevention (DEP), address space layout randomization (ASLR), the enhanced mitigation experience toolkit (EMET), plus 64-bit addressing pretty much made traditional memory corruption exploits impossible. Exploits also increase your chance of getting caught, because unlike credentials, there is no legitimate reason for using them.

You've probably used credentials for a while, but now they're even more valuable: They're easy to obtain through phishing, public leaks, or simply guessing. Once you have compromised your first machine, you can loot passwords, hashes, and SSH keys and reuse them against other parts of the network. Repeat until the domino effect brings the entire network under your control.

What's more important: Attackers are using more credentials as well, so you're mimicking their actions for more accurate risk assessment. In fact, credentials are the number one attack methodology in the 2014 Verizon Data Breach Investigation Report.

Metasploit gets a new credentials architecture

The Rapid7 Metasploit team revamped the way Metasploit handles credentials. Now, each credential comes with metadata such as its origin and where it was successfully used for logins. We've already ported 60 out of 180 auxiliary modules to the new architecture and have launched a community competition to help port the rest (see @todb's blog post for more details and GitHub for a list of yet unported modules).

If you're using Metasploit Framework, the new architecture is immediately available to you if you are using the binary installers. In case you get your Metasploit Framework code straight from GitHub: We are working on merging the code bases on GitHub and will make these available in the coming weeks - watch this space.

Metasploit Express and Metasploit Pro simplify managing, reusing and reporting on credentials

While Metasploit Framework users will see improvements from the new credentials architecture, there's even more good stuff in the commercial Metasploit editions: Metasploit Pro 4.10 increases the productivity for penetration testers who leverage credentials to take over large networks. Users rarely use unique passwords per application and passwords are often cached on systems. The new functionality in version 4.10 simplifies the reuse of credentials to simulate credentials-based attacks such as the ones recently experienced by Target and eBay. Metasploit now makes it easier to track and manage credentials, including where they were gathered and which systems they gave access to. Users can now quickly validate that credentials work on specific services and reuse them on other parts of the network. Penetration testers also have improved reports to convey results to IT operations, management, and auditors. These improvements are exclusive to Metasploit Express and Metasploit Pro.

New credentials management

Penetration testers often use spreadsheets or even a text editor to keep track of credentials. This hurts productivity because it's difficult to efficiently reuse credentials across services as diverse as Windows, SQL Server and VNC. It's also difficult to report on these credentials. If you're already off-site writing your report, you may even discover that you forgot to note down some important details.

Metasploit Pro and Express now come with new credentials management that makes it a snap to track credentials, their origin, and where they can be used. You can find the new credentials management in the new Credentials menu under Manage. In addition to credentials captured by Metasploit, you can also import a variety of formats.

Quick credential validation

We also overhauled the credentials tab on the single host view, which now shows you both the logins that can get you access to the machine as well as the captured credentials that were looted from the machine. The little key in the Validate column enables you to quickly check if a particular credential is valid.

The quick credential validation only checks if a credential works but does not create a session. Here's how you create a session:

Metasploit Pro: Use the Known Credentials Intrusion MetaModule, and enter the IP range you'd like to target.

Metasploit Express: Use post-authentication modules specific to the service you are using, such as exploit/windows/smb/psexec for SMB credentials (go to Modules menu and select Search to use them).

The Quick Validation feature will turn credentials (the combination of a username plus a password, hash or SSH key) into logins (a credential that has been validated to be used on a certain host/service combination). You can only use the Credentials Intrusion MetaModule with logins, not with credentials. Other ways to create logins are the MetaModules for Single Password Testing, Pass the Hash, and SSH Key Testing as well as the new Credentials Reuse feature (see below).

Efficient credentials reuse

Security best practice is to never share credentials across hosts and services. However, we all know that all good intentions go out of the window when users find it difficult to remember multiple passwords.

Metasploit Pro and Express now have a Credentials Reuse functionality, which you can find – surprise – in the new Credentials menu under Reuse. What's powerful about this new feature is that you can filter and select individual hosts and services to try specific credentials on. This gives you the power to either try every credential against all services, one credential against one service, or any combination in between.

Create clear and concise credential reports

We heard loud and clear from you that you loathe writing reports. Metasploit Pro and Express now create illustrative credentials reports for you. In addition to lists of passwords and compromised hosts, you will see diagrams that show you which hosts are most at risk from credentials abuse and which credentials provide access to the most machines. The reports will make it very easy to communicate your findings with the IT operations team or provide documentation to auditors.

 

New modules since Metasploit 4.9

At Rapid7, we believe that knowledge of vulnerabilities and access to exploits should not be pay for play. We make Metasploit exploits and auxiliary modules available in all editions, including the free Metasploit Framework and Metasploit Community editions. Some of these modules come from our internal team, but many are submitted through you, the Metasploit Community. Here's a list of the new modules we added since version 4.9:

Exploit modules

Auxiliary and post modules

And It's All Available Now

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

For additional details on what's changed and what's current, please see our most excellent release notes.