News from the Command Line

As you no doubt saw, earlier this week we started the Doom Clock on two utilities that ship with the Metasploit Framework, msfencode and msfpayload. I won't rehash Wei sinn3r Chen's most excellent blog post too hard here, of course. However, I do want to make extra sure that the Metasploit trainers, teachers, users, and developers have plenty of warning on this change. Time marches on, and while it's important for software to maintain a reasonably consistent profile as it grows and matures, it's also important to recognize when it's time to jettison components that just aren't filling the right needs for users any more. msfencode and msfpayload, while venerable, fall into this category. As sinn3r says, msfvenom has been in beta for over three years, does everything msfencode and msfpayload did before, and is much more tightly integrated with the rest of the Metasploit ecosystem.

You're Next, msfcli

In that vein, keep an eye out for more retiring command line tools. Take msfcli, for example. For most users, msfcli is simply a way to load up one given module, run it, and exit. Sounds useful -- until you get a session. At that point, you're forced into an interactive mode, just like msfconsole, but without all of msfconsole's comforts. So that's not great, and can be surprising, even. Also, given the shocking speedups of Ruby 2.1 and a recent round of optimizations, msfconsole starts up much faster today than it has in a couple years, so running msfconsole with -q (quiet) and -r (resource script source) or -x (execute) gives you practically the identical experience. For a quick example:

$ ./msfconsole -q -x "use auxiliary/scanner/telnet/telnet_login; set USERNAME msfadmin; set PASSWORD msfadmin;  
   set RHOSTS metasploitable; run; exit -y"  
  
USERNAME => msfadmin  
PASSWORD => msfadmin  
RHOSTS => metasploitable  
[+] 192.168.145.61:23 - LOGIN SUCCESSFUL: msfadmin:msfadmin  
[*] Attempting to start session 192.168.145.61:23 with msfadmin:msfadmin  
[*] Scanned 1 of 1 hosts (100% complete)  
[*] Auxiliary module execution completed  

Yep, I can log in to Metasploitable as msfadmin:msfadmin, and exit cleanly, to boot.

So, if you want to fire things up, run a thing, and get out, msfconsole seems like a reasonable -- dare I say, better -- alternative. Given that running resource files allows you to express a bunch of logic as Ruby, it might even be more useful for you if you find yourself reaching for msfcli today. Oh, yes, you can run straight Ruby in Metasploit resource files -- since 2010. There are even a few example scripts to get you going.

New Modules

On the new module front, we added two new modules this week. The Outlook module is especially devious -- it uses PowerShell to manipulate the target's keyboard and mouse to navigate around the UI to snag emails on the target workstation. Oh PowerShell, is there anything you can't do?

Auxiliary and post modules