Last updated at Thu, 25 Jan 2024 01:42:41 GMT

The past, present and future of Metasploit

Don't miss Spencer McIntyre's talk on Help Net Security's blog. Spencer is the Lead Security Researcher at Rapid7 and speaks about how Metasploit has evolved since its creation back in 2003. He also explains how the Framework is addressing today's offensive security challenges and how important the partnership with the community is.

LDAP swiss army knife

This week, our very own @gwillcox-r7 added an auxiliary module that will help you dump useful information from LDAP servers. The module lets you remotely retrieve data using either your own custom query or one of a set of predefined LDAP queries grouped by category. In addition to the predefined queries, you can supply a JSON or YAML file containing custom queries to be executed. Queries run over an authenticated bind when BIND_DN and BIND_PW are set, and the base DN is discovered automatically if you do not provide one.

Here are the available predefined queries:

msf6 auxiliary(gather/ldap_query) > show actions

Auxiliary actions:

   Name                      Description
   ----                      -----------
   ENUM_ACCOUNTS             Dump info about all known user accounts in the domain.
   ENUM_ALL_OBJECT_CATEGORY  Dump all objects containing any objectCategory field.
   ENUM_ALL_OBJECT_CLASS     Dump all objects containing any objectClass field.
   ENUM_COMPUTERS            Dump all objects containing an objectCategory of Computer.
   ENUM_DOMAIN_CONTROLLERS   Dump all known domain controllers.
   ENUM_EXCHANGE_RECIPIENTS  Dump info about all known Exchange recipients.
   ENUM_EXCHANGE_SERVERS     Dump info about all known Exchange servers.
   ENUM_GROUPS               Dump info about all known groups in the LDAP environment.
   ENUM_ORGROLES             Dump info about all known organizational roles in the LDAP environment.
   ENUM_ORGUNITS             Dump info about all known organization units in the LDAP environment.
   RUN_QUERY_FILE            Execute a custom set of LDAP queries from the JSON or YAML file specified by QUERY_FILE.
   RUN_SINGLE_QUERY          Execute a single LDAP query using the QUERY_FILTER and QUERY_ATTRIBUTES options.

Here is how you can dump information about users in a Windows domain:

msf6 auxiliary(gather/ldap_query) > set action ENUM_ACCOUNTS
action => ENUM_ACCOUNTS
msf6 auxiliary(gather/ldap_query) > run RHOSTS=10.0.0.33 BIND_DN=MYDOMAIN\\Administrator BIND_PW=123456
[*] Running module against 10.0.0.33

[+] Successfully bound to the LDAP server!
[*] Discovering base DN automatically
[+] 10.0.0.33:389 Discovered base DN: DC=mydomain,DC=local
[*] CN=DC02 OU=Domain Controllers DC=mydomain DC=local
===============================================

 Name                Attributes
 ----                ----------
 displayname         DC02$
 name                DC02
 samaccountname      DC02$
 useraccountcontrol  532480

[*] CN=Administrator CN=Users DC=mylab DC=local
===========================================

 Name                Attributes
 ----                ----------
 name                Administrator
 samaccountname      Administrator
 useraccountcontrol  512

 ...[SNIP]...
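The raw userAccountControl integers in that dump (532480 for DC02$, 512 for Administrator) are where the useful signal is, and they are also the attribute you will most often want to filter on in a custom query file for RUN_QUERY_FILE. The Ruby script below is an added example, not code from the module or from Rapid7: it decodes userAccountControl into its documented flag names, builds bitwise filter clauses using the Active Directory LDAP_MATCHING_RULE_BIT_AND extensible-match rule (OID 1.2.840.113556.1.4.803), triages constructed sample rows, and emits a YAML file in the shape the module expects. The YAML key names (queries, action, description, filter, attributes) and the sample row for svc_backup are assumptions; confirm the file layout against the module's own documentation before relying on it.

```ruby
require 'yaml'

# Added example (not part of the Metasploit module): decode the
# userAccountControl values that ENUM_ACCOUNTS returns, and generate a custom
# query file for the RUN_QUERY_FILE action that targets specific UAC bits.

# Documented Active Directory userAccountControl bit flags.
UAC_FLAGS = {
  0x00000001 => 'SCRIPT',
  0x00000002 => 'ACCOUNTDISABLE',
  0x00000008 => 'HOMEDIR_REQUIRED',
  0x00000010 => 'LOCKOUT',
  0x00000020 => 'PASSWD_NOTREQD',
  0x00000040 => 'PASSWD_CANT_CHANGE',
  0x00000080 => 'ENCRYPTED_TEXT_PWD_ALLOWED',
  0x00000100 => 'TEMP_DUPLICATE_ACCOUNT',
  0x00000200 => 'NORMAL_ACCOUNT',
  0x00000800 => 'INTERDOMAIN_TRUST_ACCOUNT',
  0x00001000 => 'WORKSTATION_TRUST_ACCOUNT',
  0x00002000 => 'SERVER_TRUST_ACCOUNT',
  0x00010000 => 'DONT_EXPIRE_PASSWORD',
  0x00020000 => 'MNS_LOGON_ACCOUNT',
  0x00040000 => 'SMARTCARD_REQUIRED',
  0x00080000 => 'TRUSTED_FOR_DELEGATION',
  0x00100000 => 'NOT_DELEGATED',
  0x00200000 => 'USE_DES_KEY_ONLY',
  0x00400000 => 'DONT_REQ_PREAUTH',
  0x00800000 => 'PASSWORD_EXPIRED',
  0x01000000 => 'TRUSTED_TO_AUTH_FOR_DELEGATION',
  0x04000000 => 'PARTIAL_SECRETS_ACCOUNT'
}.freeze

# Extensible-match rule OID for a bitwise AND on integer attributes
# (LDAP_MATCHING_RULE_BIT_AND), supported by Active Directory.
BIT_AND_RULE = '1.2.840.113556.1.4.803'

# Flags worth a second look when they show up in a dump.
INTERESTING = %w[ACCOUNTDISABLE PASSWD_NOTREQD DONT_REQ_PREAUTH
                 TRUSTED_FOR_DELEGATION TRUSTED_TO_AUTH_FOR_DELEGATION
                 USE_DES_KEY_ONLY].freeze

# Turn a raw userAccountControl integer into its flag names.
def decode_uac(value)
  UAC_FLAGS.select { |bit, _| (value & bit) != 0 }.values
end

# Filter clause matching entries whose userAccountControl has (or lacks) a bit.
def uac_filter(flag_name, set: true)
  bit = UAC_FLAGS.key(flag_name)
  raise ArgumentError, "unknown UAC flag #{flag_name}" unless bit
  clause = "(userAccountControl:#{BIT_AND_RULE}:=#{bit})"
  set ? clause : "(!#{clause})"
end

USER_CLASS = '(&(objectCategory=person)(objectClass=user)'

# Custom queries in the shape of a RUN_QUERY_FILE input. The key names
# (queries / action / description / filter / attributes) are an assumption;
# confirm them against the module's documentation before relying on them.
def custom_queries
  { 'queries' => [
    { 'action' => 'ENUM_ASREP_ROASTABLE',
      'description' => 'Enabled users that do not require Kerberos pre-authentication.',
      'filter' => "#{USER_CLASS}#{uac_filter('DONT_REQ_PREAUTH')}#{uac_filter('ACCOUNTDISABLE', set: false)})",
      'attributes' => %w[sAMAccountName userAccountControl] },
    { 'action' => 'ENUM_UNCONSTRAINED_DELEGATION',
      'description' => 'Accounts trusted for unconstrained Kerberos delegation.',
      'filter' => "(&(objectClass=user)#{uac_filter('TRUSTED_FOR_DELEGATION')})",
      'attributes' => %w[sAMAccountName userAccountControl servicePrincipalName] }
  ] }
end

# Write the query file; pass the resulting path to the module as QUERY_FILE.
def write_query_file(path)
  File.write(path, custom_queries.to_yaml)
  path
end

# Triage dump rows (sAMAccountName => userAccountControl) into findings.
def triage(rows)
  rows.each_with_object({}) do |(name, uac), out|
    hits = decode_uac(uac) & INTERESTING
    out[name] = hits unless hits.empty?
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample rows; DC02$ and Administrator mirror the dump above,
  # svc_backup is an invented account with DONT_REQ_PREAUTH set.
  sample = { 'DC02$' => 532_480, 'Administrator' => 512, 'svc_backup' => 4_260_352 }
  sample.each { |n, v| puts "#{n.ljust(15)} #{v} -> #{decode_uac(v).join(', ')}" }
  puts triage(sample).inspect
  puts custom_queries.to_yaml
end
```

Decoding 532480 gives SERVER_TRUST_ACCOUNT plus TRUSTED_FOR_DELEGATION, which is exactly what you expect of a domain controller, while 512 is a plain NORMAL_ACCOUNT. The bitwise filter is what makes the custom queries worthwhile: an equality match on userAccountControl would miss any account that has extra bits set, whereas the 1.2.840.113556.1.4.803 rule matches any entry where the named bit is set regardless of the others.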

Win2k summer clean up

For those nostalgic about old Windows systems, bcoles did a great cleanup of old modules targeting Win2k. He breathed life back into modules such as ms01_023_printer, ms02_065_msadc and ms03_007_ntdll_webdav by fixing many issues and adding return-address offsets so they work against many more Win2k service pack and language variants.

New module content (1)

  • LDAP Query and Enumeration Module by Grant Willcox - This adds a generic module to perform LDAP queries. Users can execute custom queries either through configuration files on disk, or through a combination of datastore options. The module also includes multiple built-in queries for common operations.

Enhancements and features (7)

  • #16737 from adfoster-r7 - This removes the code duplication in the MSSQL client mixins and refactors the code into a single main mixin.
  • #16754 from bcoles - Adds additional offsets for various Windows 2000 Professional targets in the ms02_065_msadc module. Also adds documentation and notes.
  • #16761 from bcoles - Adds additional offsets for various Windows 2000 targets, replaces raw socket TCP with HttpClient, fixes default payload, adds docs and notes.
  • #16776 from bcoles - Adds an ftp_http command stager for FTP clients which support http(s) URLs, selected via set cmdstager::flavor ftp_http.
  • #16778 from bcoles - The checkvm script at ./scripts/meterpreter/checkvm.rb has been removed and post/windows/gather/checkvm.rb now replaces it. Additionally, the post/windows/gather/checkvm.rb script has been updated to include missing features from ./scripts/meterpreter/checkvm.rb to ensure backwards compatibility.
  • #16789 from adfoster-r7 - This adds OpenSSL version information to the report generated by the debug command.
  • #16792 from adfoster-r7 - This improves support for various OpenSSL 3 related errors during console start.

Bugs fixed (2)

  • #16743 from adfoster-r7 - Fixes a crash when using the scanner/mssql/mssql_login module with the tdsencryption and USE_WINDOWS_AUTHENT options set to true.
  • #16753 from bcoles - This PR fixes several bugs present in the module, including shifting from Meterpreter to shell payloads, better checking, and added targets and documentation.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).