Teenage ROBOT Returns

Imagine the joy robot parents must feel when their infant leaves home and returns as a teenager. ROBOT (Return of Bleichenbacher Oracle Threat) is a 19-year-old vulnerability that allows RSA decryption and signing with the private key of a TLS server. It allows for an adaptive-chosen ciphertext attack. It is still very much relevant today as some modern HTTPS hosts are vulnerable to ROBOT. Metasploit now includes auxiliary/scanner/ssl/bleichenbacher_oracle, which checks if a host is susceptible to ciphertext attacks.

EternalGiving

In last week's Metasploit Wrapup, we featured MS17-010: EternalRomance, EternalSynergy, and EternalChampion contributed by zerosum0x0. Check out this demo in which our very own Matthew exploits a Windows Server 2012 R2 Standard. EternalBlue is a gift that keeps on giving.

gift-that-keeps-giving-1

Go Phish

ICYMI, Rapid7 launched an open beta this week for a new phishing simulation and training tool called InsightPhish. A bunch of the offensive security folks here in Austin have been working on this nifty new offering. If you’re a fan of the social engineering capabilities in Metasploit Pro, feel free to mosey on over to the beta to take a look at what the team is developing for the security awareness training use case (no exploits here!). If you’re so inclined, you can sign up to test out some pre-built simulations on domains you own.

New Modules

Auxiliary and post modules (1 new)

Improvements

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

PLEASE NOTE that these installers, and Metasploit Framework versions included in distros such as Kali, Parrot, etc., are based off the stable Metasploit 4 branch. If you'd like to try out the newer things going into Metasploit 5, that work is available in the master branch of the Metasploit Framework repo on GitHub.