Leaving Las Vegas—thanks, Defcon and BSides!
We had a great time meeting everyone at the various Metasploit events at hacker summer camp last week, including two popup capture the flag events with Metasploitable3, the Open Source Security Meetup, and selling Metasploit 0xf Anniversary Tour. If we missed you this time around, you may have a second chance this year at DerbyCon VIII as we again present the Metasploit Town Hall.
Metasploitable3 now easier to set up
One piece of feedback we have consistently received about Metasploitable3 is that it can be difficult and time-consuming to get running. This is because it installs the full OS distributions and vulnerable software from scratch, and downloads a lot of files from sites that may not always be available. To make things simpler and faster, we have begun publishing pre-built Vagrant boxes for VMware and VirtualBox. The quick start guide can now get you running in minutes (with a suitable Internet connection), and you don't even have to install Packer. Thanks to Vagrant Cloud for hosting these images, which will be updated periodically as Metasploitable3 evolves.
Summer of Code coming to a close
We're in the final stages of Google Summer of Code projects with Metasploit and evaluations are underway. A lot of exciting projects will either be finished or at least be in a good state for continued development after the summer. We're looking forward to working with these students in the future as well, as they have all worked really hard to build significant new features into Metasploit.
Exploit modules (1 new)
- Oracle Weblogic Server Deserialization RCE by Jacob Robles and brianwrf, which exploits CVE-2018-2628
Auxiliary and post modules (3 new)
- marked npm module "heading" ReDoS by Adam Cazzolla, Sonatype Security Research and Nick Starke, Sonatype Security Research
- cgit Directory Traversal by Dhiraj Mishra and Google Project Zero, which exploits CVE-2018-14912
- Path Traversal in Oracle GlassFish Server Open Source Edition by Dhiraj Mishra and Trustwave SpiderLabs, which exploits CVE-2017-1000028
- msfconsole will now prompt the user to load a module if they specify its name without the use command. We saw this happen a lot with new users and decided to make it easier to use.
- The new database service for Metasploit 5 will now create a default workspace itself, rather than waiting for msfconsole to do so. This makes it usable by other tools without having to connect to it from msfconsole first.
- The PHPMyAdmin login scanner will no longer error out on non-PHPMyAdmin sites.
- Host key verification is now disabled for SSH modules, which prevents Metasploit from writing to the user's ~/.ssh/known_hosts file; this was a particular problem when running a scanner module against a range of hosts.
- Packet pivoting for Windows Meterpreter over HTTP is fixed, and you can watch a video of the debugging process!
- Download speeds for Android and Java Meterpreter are greatly improved.
- Injecting an Android payload into an existing APK file when running Metasploit on Windows now works.
- For Metasploit developers, the pry and irb commands in msfconsole are now grouped together for better accessibility. Running pry outside a module context also no longer hangs; a Pry session is instead started in the Framework context.
- The AWS EC2 metadata gathering post module has been updated for the latest responses from the EC2 metadata service.
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:
To install fresh, check out the open-source-only Nightly Installers, or the binary installers, which also include the commercial editions. PLEASE NOTE that these installers, and the Metasploit Framework versions included in distros such as Kali, Parrot, etc., are based on the stable Metasploit 4 branch. If you'd like to try out the newer things going into Metasploit 5, that work is available in the master branch of the Metasploit Framework repo on GitHub.