Loginpalooza, the Great Credential Refactor
In August, we ran a little contest here in the People's Republic of Metasploit to see about converting a pile of credential-gathering modules to the new credential API that shipped with Metasploit 4.10. Today, I'm happy to announce the winners:
First place goes to Tom Sellers, for his work on a number of modules and constant feedback and question-asking on how the heck to do all this stuff. In return, we'll be sending him a delightful Wifi Pineapple Ultra Bundle -- try not to get it pwned by @ihuntpineapples!
Second and Other Second place goes to Chris Truncer and 0a2940, for their work on the IP board and AppleTV modules. Since they both ended up at pretty much the same place with their work, and were super useful in teasing out documentation and functionality issues with the new credential module authoring process, we'll be sending both of them a second place prize of an OnionPi (just as soon as they're back in stock).
These open source contributors really dove in and helped us out a lot by actually working with the new LoginScanner mixin and the Credential Gem. We still have work to do to get these components more developer friendly, so keep an eye on that work as we make progress for total conversion.
A couple weeks ago, I kicked off an informal Twitter poll:
Well, the response was overwhelmingly in favor of GitHub Issues as a replacement. I do love Redmine, don't get me wrong -- it's pretty amazing project planning and issue tracking software, and it's open source, and it's written in Ruby, so what's not to love?
As it turns out, we kind of live and breathe on GitHub these days, we use Pull Requests pretty extensively, and GitHub Issues recently saw a pretty amazing update that makes labelling, searching, and sorting on issues a delightful experience. You can read all about that here. GitHub Issues just offers us much better integration with the way we do things already, so I'm pretty thrilled about the move.
So, over the next few weeks, we'll be retiring our beloved Redmine server at https://dev.metasploit.com. We've gone through and triaged some dozens of Redmine bugs to move over to GitHub (and you can see which ones using this search for Framework and this one for Meterpreter), and will be making the call on the rest soon.
If you have a favorite issue or feature request that you can't live without on GitHub, and it's not yet on that list, please feel free to re-create the issue on GitHub. As it stands, we're assuming bugs that are over a year old (pre-4.8.0) probably aren't show-stoppers or have already been fixed in the last couple releases. We'll have time to make sure this is the case, and don't worry, we won't be deleting any of Redmine's historical data.
That all said, the moral of the story here is that the switch over to end-to-end GitHub should make the whole issue/bug/fix workflow a lot smoother and more reliable for both our internal and external developers, and I'm excited to be injecting a little more efficiency in the whole Metasploit donut-making process.
Note that Metasploit Community, Express, and Pro users should still stick to their support contacts here at Rapid7 and SecurityStreet (especially for "how do I..." sorts of questions). Those resources aren't going away anytime soon.
Meterpreter Kiwi Extension
Last but in absolutely no way least, Metasploit now boasts the mighty Kiwi Extension! Kiwi is the Meterpreter and Metasploit integration of all the available Mimikatz techniques for dumping credentials from memory on fully-patched Windows machines. Thanks to the heroic efforts of OJ TheColonial Reeves, Benjamin gentilkiwi Delpy, and the nattering and gnashing of teeth from Rob mubix Fuller and Josh kernelsmith Smith. Thanks guys!
Since the last release, we've only two new modules this week. While it may seem a little light, the last release, 2014082701, was actually staged up on Friday afternoon (and not the usual Monday cut). This was to ensure we were able to address the outstanding issues involving a database-less use of msfconsole and msfcli. The downside is, sadly, only allowing for one weekend for new modules this week -- over a US holiday, no less. But, you should update anyway! The Rsync auxiliary module is pretty fun to use, and brings some security attention to an often-used, but often-misunderstood, backup infrastructure technique.
Exploit modules
- Wing FTP Server Authenticated Command Execution by Nicholas Nam
Auxiliary and post modules
- Rsync Unauthenticated List Command by ikkini
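The "often-misunderstood" part of the rsync daemon is that a module is listable, unauthenticated, and reachable from any address unless the rsyncd.conf says otherwise. The following audit script is an added example, not code from the release notes or from the Metasploit project: it parses the rsyncd.conf format (global parameters followed by `[module]` sections) and flags each module whose effective settings leave it exposed to an unauthenticated list request. The sample configuration is constructed for the example, and the daemon defaults it assumes (`list = yes`, `read only = yes`, no `auth users`, no `hosts allow`) are the documented rsyncd.conf defaults.

```python
"""Audit an rsyncd.conf for modules exposed without authentication.

Added example (not part of the Metasploit release notes): parses the
rsync daemon config format (global parameters, then [module] sections)
and flags the settings a defender should check before an unauthenticated
list request (rsync rsync://host/) reveals or serves module contents.
"""
from __future__ import annotations

# Constructed sample config: one module left at the daemon defaults,
# one restricted to a host range and requiring authentication.
SAMPLE_RSYNCD_CONF = """\
# global settings
uid = nobody
gid = nogroup
use chroot = yes

[backups]
    path = /srv/backups
    comment = nightly backups

[private]
    path = /srv/private
    list = no
    auth users = backupuser
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.0.0.0/24
    read only = no
"""

TRUTHY = {"yes", "true", "1"}


def parse_rsyncd_conf(text: str) -> dict[str, dict[str, str]]:
    """Parse rsyncd.conf into {module_name: {param: value}}.

    Parameters before the first [section] are global; they are stored
    under the key "" and inherited by every module, which matches how
    rsyncd applies the parameters checked here.
    """
    sections: dict[str, dict[str, str]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        if "=" not in line:
            continue  # malformed line; rsyncd would reject it too
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def effective(module: dict[str, str], globals_: dict[str, str],
              key: str, default: str) -> str:
    """Module value, falling back to the global value, then the daemon default."""
    return module.get(key, globals_.get(key, default))


def audit_modules(text: str) -> dict[str, list[str]]:
    """Return {module: [findings]} for every module in the config."""
    sections = parse_rsyncd_conf(text)
    globals_ = sections[""]
    report: dict[str, list[str]] = {}
    for name, params in sections.items():
        if name == "":
            continue
        findings = []
        if effective(params, globals_, "list", "yes").lower() in TRUTHY:
            findings.append("listable: module name is returned to an unauthenticated list request")
        if not effective(params, globals_, "auth users", ""):
            findings.append("unauthenticated: no 'auth users', anyone who reaches the port can pull the module")
        if not effective(params, globals_, "hosts allow", ""):
            findings.append("unrestricted: no 'hosts allow', reachable from any source address")
        if effective(params, globals_, "read only", "yes").lower() not in TRUTHY:
            findings.append("writable: 'read only = no', clients can push files into the module")
        report[name] = findings
    return report


if __name__ == "__main__":
    for module, findings in audit_modules(SAMPLE_RSYNCD_CONF).items():
        print(f"[{module}]")
        for finding in findings or ["ok"]:
            print("  -", finding)
```

Run it against a real `/etc/rsyncd.conf` by reading the file into `audit_modules`; a module with no findings is one that is hidden from listing, requires a user from the secrets file, and is limited to the networks that should be talking to it. Note that `auth users` only protects the rsync protocol itself, which is cleartext; the transport still needs SSH or a trusted network.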