Since we Last Left Our Heroes...

Wow, it's been a busy couple weeks here, post-DefCon/Black Hat. As you no doubt have noticed, we released Metasploit 4.10, which brings some major architectural changes to how our brute force login scanners are written, run, and logged -- you can read up on all that over at Dave TheLightCosine Maloney's delightful documentation, Creating Metasploit Framework LoginScanners to see how to write and use the new login and credential APIs.

Along with this, we've also converted the Metasploit Framework into a fully-fledged Rails::Application, which itself is kind of huge. This should allow for much easier integration with other Ruby projects -- most notably, testing frameworks (let's cut down on regressions and bitrot) and opens the door for a gem-based distribution system for modules and module packs (yes, this is as rad as it sounds). If you're interested in the guts of how Metasploit Framework works now, take a look at Luke KronicDeth Imhoff's blog post about this significant upgrade.

A Great Big Pile of HOWTO

Also during 4.10, we've been revisiting a lot of the documentation of how to write specific kinds of Metasploit modules -- and by "we," I mean Wei sinn3r Chen, the world-reknowned and -feared superhacker with over 200 direct credits on Metasploit modules and input on well over a thousand. If you're just starting your exploit dev career, or if you've been at it for a while, these resources will be crazy valuable for you. The latest material includes:

Sinn3r goes on to provide a lot of detail for major types of modules, such as web browser exploits and file format exploits, as well as typical chunks of modules, such as the check() method and using Railgun, Meterpreter's interface with the Windows core API. If you're troubled or confused about some area of Metasploit module writing after reading these, then feel free to offer suggestions and ask questions on our open source developer's Freenode channel, #metasploit.

Distributed, Reflective Denial of Service with NTP

Earlier this week, we also released five new auxiliary modules that can be used to audit your NTP infrastructure, This is Kind of a Big Deal -- given these common exposures in NTP and the nature of UDP-based communications, it can become trivially easy for an attacker to start flooding victims by using these mis-configured devices as amplification stations, leading to a distributed, reflective denial of service (DRDoS) attack.

DRDoS events are slightly different than just regular DDoS events. Instead of an attacker controlling a network of compromised and/or controlled hosts, the attacker uses the reflective and amplication "features" of spoofable services. The old "Smurf" attack is a classic example of this attack, where I pretend to be you and ping the broadcast address of some other network, resulting in lots of reply messages sent your way that you didn't ask for. In this way, one ICMP ping packet from me could turn into a few hundred ping response packets for you.

The ICMP Smurf attack rarely works any more - pipes are bigger and broadcast domains that respond to ping are few. People just don't respond to ping like they used to. NTP, on the other hand, is the Network Time Protocol, used to keep computers in sync, is listening all over the place, and is kind of hugely important for things like authentication and certificate revocation, so it's definitely a critical chunk of Internet architecture. Turns out, vulnerable NTP servers are also plenty available for attackers -- as Jon wrote, Rapid7's Project Sonar has identified over 65,000 hosts that appear to be capable of aiding attackers in amplified, reflective attacks.

For lots more detail on these vectors, and advice on how to protect your own network, check out Jon's blog post on R7-2014-12: NTP Amplication Attacks.

New Modules

Since the release of Metasploit 4.10, we've added 20 new modules, including the aforementioned NTP scanners, as well as a command injection exploit for Yokogawa-manufactured Human Interface Stations (discussed at DefCon by yours truly and Jim CipherLaw Denaro) and of course a whole pile of other tools for your pen-test bag of tricks. Enjoy!

Exploit modules

Auxiliary and post modules

For additional details on what's changed and what's current, please see Chris Doughty's most excellent release notes, as well as last week's release notes. which covers the period immediately following the 4.10 release.