Metasploit Version 4.11 Released
This week, we released Metasploit version 4.11 to the world -- feel free to download it here if you're the sort that prefers the binary install over the somewhat Byzantine procedure for setting up a development environment. Which you should be, because the binary installers (for Windows and Linux) have all the dependencies baked in and you don't have to monkey around with much to get going.
The two major features in this release are a reorganized bruteforce workflow, which makes larger-scale password audits more sensible and usable, and much better visualization of where the weak link was in the organization under test when stolen credentials were used to extend control.
Check out the screens of the much-streamlined Bruteforce configurator (click to embiggen):
and the "Credentials Domino" screen (also embiggenable):
That is one sexy relational graph, and the whole thing is kind of super fun to use. Makes me almost want to be a web developer. (:
Metasploit Resource Portal
In other news, it turns out I'm now a web developer! I give to you, the Metasploit Resource Portal, currently at https://metasploit.github.io. It's pretty modest right now, and still in a public beta state, but today seems like as good a day as any to announce -- especially since community contributor Tom Sellers pretty much forced my hand yesterday in this quick DM conversation:
Tom has the honor of offering up the first PR to the project, so we'll see how this all plays out. Metasploit is an ever-changing beast, just like the rest of the security landscape. Hopefully, this crowd-sourced scheme to keep up on expert-reviewed content will be useful for both newbs and greybeards.
While this first small pass was collected up by Grandmaster Exploit Dev Wei @_sinn3r Chen and Metasploit Documentrix Thao @crazygoodcookie Doan, it turns out there's a ton of material on Metasploit ins and outs that wasn't written by anyone connected at Rapid7. Of course, that's no real surprise. However, while much of it is really good, only some of it is quite excellent -- so we're going to have to depend on you folks to help flag what's truly over-the-top amazing sauce.
If you have any suggestions or ideas for what can make this static site more useful for you, please don't hesitate to file an issue. This is literally the first on-the-Internet web project I've ever done, so I completely expect you to rake it over the coals. I settled on a Middleman-produced, Bootstrap-flavored, GitHub Pages-hosted static website. The whole thing was pretty fun -- especially since I got some early hand-holding and pep-talking from Matt @techpeace Buck, webdev extraordinaire.
Since commit dcf2317, we've added three new exploits and six new auxiliary and post modules. The Kippo module is particularly interesting, at least to me. More often than not, I run a Kippo server on my laptop when I go to security conferences, just to see what I can see. It looks like that jig is now potentially up, at least until the Honeynet folks figure out if and how they want to avoid detection using these techniques.
Exploit modules
- ActualAnalyzer 'ant' Cookie Command Execution by Benjamin Harris and Brendan Coles exploits OSVDB-110601
- Tuleap PHP Unserialize Code Execution by EgiX exploits CVE-2014-8791
- WordPress Download Manager (download-manager) Unauthenticated File Upload by Christian Mehlmauer and Mickael Nadeau
Auxiliary and post modules
- JBoss JMX Console DeploymentFileRepository WAR Upload and Deployment by us3r777 exploits CVE-2010-0738
- ManageEngine NetFlow Analyzer Arbitrary File Download by Pedro Ribeiro exploits CVE-2014-5445
- BMC TrackIt! Unauthenticated Arbitrary User Password Change by bperry and jhart exploits ZDI-14-419
- Cisco ASA SSL VPN Privilege Escalation Vulnerability by jclaudius and lguay exploits CVE-2014-2127
- Gather Kademlia Server Information by Jon Hart
- Kippo SSH Honeypot Detector by Andrew Morris