We've given credentials a new boost with Metasploit 4.10. It's now easier to manage, reuse and report on credentials as part of a penetration test.
Pentesters are shifting from exploits to credentials
There was one common theme that we heard from a lot of penetration testers we talked to over the past few months: You're using more and more credentials on penetration tests. We even surveyed the Metasploit user base to make sure we didn't ask a biased sample: 59% of you said that you use credentials for half or more of your penetration test compared to exploits.
2014 Metasploit User Survey: “On an average pentest, do you focus more on exploits or credentials?”, N=561
This is not really surprising: Organizations are getting better at vulnerability management. (OK, I said better, not perfect.) You find it harder to find that MS08-067 on the network, especially now that Windows XP has been taken out of maintenance and is starting to disappear from corporate networks. (Well, they're “starting” to take XP out of circulation.) Over the past few years, the Microsoft Windows engineering team has also been getting better at making exploitation harder, specifically through techniques such as canary values, data execution prevention (DEP), address space layout randomization (ASLR), the enhanced mitigation experience toolkit (EMET), plus 64-bit addressing pretty much made traditional memory corruption exploits impossible. Exploits also increase your chance of getting caught, because unlike credentials, there is no legitimate reason for using them.
You've probably used credentials for a while, but now they're even more valuable: They're easy to obtain through phishing, public leaks, or simply guessing. Once you have compromised your first machine, you can loot passwords, hashes, and SSH keys and reuse them against other parts of the network. Repeat until the domino effect brings the entire network under your control.
What's more important: Attackers are using more credentials as well, so you're mimicking their actions for more accurate risk assessment. In fact, credentials are the number one attack methodology in the 2014 Verizon Data Breach Investigation Report.
Metasploit gets a new credentials architecture
The Rapid7 Metasploit team revamped the way Metasploit handles credentials. Now, each credential comes with metadata such as its origin and where it was successfully used for logins. We've already ported 60 out of 180 auxiliary modules to the new architecture and have launched a community competition to help port the rest (see @todb's blog post for more details and GitHub for a list of yet unported modules).
If you're using Metasploit Framework, the new architecture is immediately available to you if you are using the binary installers. In case you get your Metasploit Framework code straight from GitHub: We are working on merging the code bases on GitHub and will make these available in the coming weeks - watch this space.
Metasploit Express and Metasploit Pro simplify managing, reusing and reporting on credentials
While Metasploit Framework users will see improvements from the new credentials architecture, there's even more good stuff in the commercial Metasploit editions: Metasploit Pro 4.10 increases the productivity for penetration testers who leverage credentials to take over large networks. Users rarely use unique passwords per application and passwords are often cached on systems. The new functionality in version 4.10 simplifies the reuse of credentials to simulate credentials-based attacks such as the ones recently experienced by Target and eBay. Metasploit now makes it easier to track and manage credentials, including where they were gathered and which systems they gave access to. Users can now quickly validate that credentials work on specific services and reuse them on other parts of the network. Penetration testers also have improved reports to convey results to IT operations, management, and auditors. These improvements are exclusive to Metasploit Express and Metasploit Pro.
New credentials management
Penetration testers often use spreadsheets or even a text editor to keep track of credentials. This hurts productivity because it's difficult to efficiently reuse credentials across services as diverse as Windows, SQL Server and VNC. It's also difficult to report on these credentials. If you're already off-site writing your report, you may even discover that you forgot to note down some important details.
Metasploit Pro and Express now come with new credentials management that makes it a snap to track credentials, their origin, and where they can be used. You can find the new credentials management in the new Credentials menu under Manage. In addition to credentials captured by Metasploit, you can also import a variety of formats.
Quick credential validation
We also overhauled the credentials tab on the single host view, which now shows you both the logins that can get you access to the machine as well as the captured credentials that were looted from the machine. The little key in the Validate column enables you to quickly check if a particular credential is valid.
The quick credential validation only checks if a credential works but does not create a session. Here's how you create a session:
• Metasploit Pro: Use the Known Credentials Intrusion MetaModule, and enter the IP range you'd like to target.
• Metasploit Express: Use post-authentication modules specific to the service you are using, such as exploit/windows/smb/psexec for SMB credentials (go to Modules menu and select Search to use them).
The Quick Validation feature will turn credentials (the combination of a username plus a password, hash or SSH key) into logins (a credential that has been validated to be used on a certain host/service combination). You can only use the Credentials Intrusion MetaModule with logins, not with credentials. Other ways to create logins are the MetaModules for Single Password Testing, Pass the Hash, and SSH Key Testing as well as the new Credentials Reuse feature (see below).
Efficient credentials reuse
Security best practice is to never share credentials across hosts and services. However, we all know that all good intentions go out of the window when users find it difficult to remember multiple passwords.
Metasploit Pro and Express now have a Credentials Reuse functionality, which you can find – surprise – in the new Credentials menu under Reuse. What's powerful about this new feature is that you can filter and select individual hosts and services to try specific credentials on. This gives you the power to either try every credential against all services, one credential against one service, or any combination in between.
Create clear and concise credential reports
We heard loud and clear from you that you loathe writing reports. Metasploit Pro and Express now create illustrative credentials reports for you. In addition to lists of passwords and compromised hosts, you will see diagrams that show you which hosts are most at risk from credentials abuse and which credentials provide access to the most machines. The reports will make it very easy to communicate your findings with the IT operations team or provide documentation to auditors.
New modules since Metasploit 4.9
At Rapid7, we believe that knowledge of vulnerabilities and access to exploits should not be pay for play. We make Metasploit exploits and auxiliary modules available in all editions, including the free Metasploit Framework and Metasploit Community editions. Some of these modules come from our internal team, but many are submitted through you, the Metasploit Community. Here's a list of the new modules we added since version 4.9:
- ibstat $PATH Privilege Escalation by Kostas Lintovois, Kristian Erik Hermansen, and Sagi Shahar exploits CVE-2013-4011
- eScan Web Management Console Command Injection by juan vazquez and Joxean Koret
- AlienVault OSSIM SQL Injection and Remote Code Execution by Sasha Zivojinovic and xistence exploits OSVDB-106252
- D-Link authentication.cgi Buffer Overflow by Craig Heffner, Michael Messner, and Roberto Paleari exploits OSVDB-95951
- D-Link hedwig.cgi Buffer Overflow in Cookie Header by Craig Heffner, Michael Messner, and Roberto Paleari exploits OSVDB-95950
- Fritz!Box Webcm Unauthenticated Command Injection by Fabian Braeunlein, Michael Messner, and Unknown exploits OSVDB-103289
- LifeSize UVC Authenticated RCE via Ping by Brandon Perry
- Linksys E-Series TheMoon Remote Command Injection by juan vazquez, Johannes Ullrich, Michael Messner, Rew, and infodox exploits OSVDB-103321
- Sophos Web Protection Appliance Interface Authenticated Arbitrary Command Execution by Brandon Perry exploits ZDI-14-069
- AlienVault OSSIM av-centerd Command Injection by juan vazquez and Unknown exploits ZDI-14-202
- ElasticSearch Dynamic Script Arbitrary Java Execution by juan vazquez, Alex Brasetvik, and Bouke van der Bijl exploits CVE-2014-3120
- Rocket Servergraph Admin Center fileRequestor Remote Code Execution by juan vazquez and rgod exploits ZDI-14-162
- Apache Struts ClassLoader Manipulation Remote Code Execution by Mark Thomas, Przemyslaw Celej, and Redsadic exploits CVE-2014-0112
- Vtiger Install Unauthenticated Remote Command Execution by Jonathan Borgeaud exploits CVE-2014-2268
- Java Debug Wire Protocol Remote Code Execution by Christophe Alladoum, Michael Schierl, and Redsadic exploits OSVDB-96066
- Mac OS X NFS Mount Privilege Escalation Exploit by joev and Kenzley Alphonse
- SePortal SQLi Remote Code Execution by jsass and xistence exploits CVE-2008-5191
- Symantec Workspace Streaming Arbitrary File Upload by juan vazquez and rgod exploits ZDI-14-127
- Adobe Flash Player Integer Underflow Remote Code Execution by juan vazquez and Unknown exploits CVE-2014-0497
- Adobe Flash Player Type Confusion Remote Code Execution by juan vazquez, Unknown, and bannedit exploits CVE-2013-5331
- Adobe Flash Player Shader Buffer Overflow by juan vazquez and Unknown exploits CVE-2014-0515
- Adobe Flash Player Regular Expression Heap Overflow by juan vazquez, Boris "dukeBarman" Ryutin, and Unknown exploits CVE-2013-0634
- MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free by juan vazquez, Jean-Jamil Khalife, and Unknown exploits CVE-2014-0322
- MS14-017 Microsoft Word RTF Object Confusion by Haifei Li, Spencer McIntyre, and unknown exploits CVE-2014-1761
- WinRAR Filename Spoofing by juan vazquez and chr1x exploits OSVDB-62610
- Wireshark wiretap/mpeg.c Stack Buffer Overflow by Wesley Neelen and j0sm1 exploits CVE-2014-2299
- Cogent DataHub Command Injection by juan vazquez and John Leitch exploits ZDI-14-136
- Easy File Management Web Server Stack Buffer Overflow by Julien Ahrens, TecR0c, and superkojiman exploits OSVDB-107241
- Ericom AccessNow Server Buffer Overflow by juan vazquez and Unknown exploits ZDI-14-160
- HP AutoPass License Server File Upload by juan vazquez and rgod exploits ZDI-14-195
- JIRA Issues Collector Directory Traversal by juan vazquez and Philippe Arteau exploits CVE-2014-2314
- Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei) by Ben Campbell, Donato Capitella, Jon, and Nils exploits CVE-2013-1300
- MS13-097 Registry Symlink IE Sandbox Escape by juan vazquez and James Forshaw exploits CVE-2013-5045
- MS14-009 .NET Deployment Service IE Sandbox Escape by juan vazquez and James Forshaw exploits CVE-2014-0257
- Yokogawa CS3000 BKESimmgr.exe Buffer Overflow by juan vazquez and Redsadic exploits CVE-2014-0782
Auxiliary and post modules
- Chromecast Factory Reset DoS by wvu
- Chromecast YouTube Remote Control by wvu
- Katello (Red Hat Satellite) users/update_roles Missing Authorization by Ramon de C Valle exploits CVE-2013-2143
- Advantech WebAccess SQL Injection by juan vazquez and rgod exploits ZDI-14-077
- OpenSSL DTLS Fragment Buffer Overflow DoS by Jon Hart and Juri Aedla exploits ZDI-14-173
- Wireshark CAPWAP Dissector DoS by Laurent Butti and j0sm1 exploits CVE-2013-4074
- AlienVault Authenticated SQL Injection Arbitrary File Read by Brandon Perry
- Chromecast Wifi Enumeration by wvu
- EMC CTA v10.0 Unauthenticated XXE Arbitrary File Read by Brandon Perry
- F5 BigIP Backend Cookie Disclosure by Thanat0s
- MongoDB NoSQL Collection Enumeration Via Injection by Brandon Perry
- MyBB Database Fingerprint by Arthur Karmanovskii
- Microsoft Windows Deployment Services Unattend Gatherer by Ben Campbell
- DNS Amplification Scanner by xistence
- ElasticSearch Indices Enumeration Utility by Silas Cutler
- ElasticSearch Indices Enumeration Utility by Silas Cutler
- Cisco SSL VPN Bruteforce Login Utility by Jonathan Claudius
- EtherPAD Duo Login Bruteforce Utility by Karn Ganeshen
- HTTP Header Detection by Christian Mehlmauer and rick2600
- JBoss Status Servlet Information Gathering by Matteo Cantoni exploits CVE-2008-3273
- Oracle Demantra Database Credentials Leak by Oliver Gruskovnjak exploits CVE-2013-5880
- Oracle Demantra Arbitrary File Retrieval with Authentication Bypass by Oliver Gruskovnjak exploits CVE-2013-5880
- PocketPAD Login Bruteforce Force Utility by Karn Ganeshen
- Supermicro Onboard IPMI Port 49152 Sensitive File Exposure by hdm, Dan Farmer, John Matherly, and Zach Wikholm
- Brocade Password Hash Enumeration by Deral "PercentX" Heiland
- Netopia 3347 Cable Modem Wifi Enumeration by Deral "PercentX" Heiland
- HP LaserJet Printer SNMP Enumeration by Matteo Cantoni
- Ubee DDW3611b Cable Modem Wifi Enumeration by Deral "PercentX" Heiland
- Cerberus FTP Server SFTP Username Enumeration by Matt Byrne and Steve Embling exploits BID-67707
- SSH Username Enumeration by kenkeiras exploits CVE-2006-5229
- OpenSSL Server-Side ChangeCipherSpec Injection Scanner by juan vazquez, Craig Young, and Masashi Kikuchi exploits CVE-2014-0224
- OpenSSL Heartbeat (Heartbleed) Information Leak by wvu, juan vazquez, Antti, Ben Buchanan, Christian Mehlmauer, FiloSottile, Jared Stafford, Matti, Neel Mehta, Riku, Sebastiano Di Paola, Tom Sellers, herself, and jjarmoc exploits CVE-2014-0160
- OpenSSL Heartbeat (Heartbleed) Client Memory Exposure by hdm, Antti, Matti, Neel Mehta, and Riku exploits CVE-2014-0160
- Multiplatform WLAN Enumeration and Geolocation by Tom Sellers
- Windows Gather Enumerate Active Domain Users by Ben Campbell and Etienne Stalmans
- Windows Gather Enum User MUICache by TJ Glad
- Windows Manage Change Password by Ben Campbell
And It's All Available Now
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.
For additional details on what's changed and what's current, please see our most excellent release notes.