Improved
Pro: We completed dependency updates required to support the latest Metasploit Framework version 6.3.
Pro: We completed a periodic update of the Java Runtime to maintain a good security posture.
PR 16685 - Updates the Kerberos Authentication support to include multiple new encryption types, which will allow Kerberos Authentication to work against newer targets that have older encryption types disabled.
PR 16689 - Adds support for host addresses in kerberos tickets.
PR 16700 - Updates LDAP modules to support Kerberos and NTLM authentication.
PR 16749 - Adds Kerberos Authentication support to WinRM modules.
PR 16760 - Updates WinRM sessions to support delegated Kerberos tickets, to be able to access additional network resources from the compromised server.
PR 16770 - This enables the reuse of previously obtained CCache files for MSSQL, SMB, WinRM, and LDAP authentication. After a successful authentication using Kerberos, tickets are stored in CCache files. They will be reused for subsequent authentications without having to renegotiate new Kerberos tickets.
PR 17025 - Adds a new USER_RID option to the Kerberos ticket forging module auxiliary/admin/kerberos/forge_ticket.
PR 17340 - The Python Meterpreter has been updated to warn that the bind information is ignored when a reverse port forward is created, to prevent confusion when this information is supplied by a user.
PR 17343 - This makes performance improvements to the windows/local/unquoted_service_path module.
PR 17373 - Adds ticket flags when presenting krb5 ccaches on msfconsole.
PR 17374 - Adds klist command support to list Kerberos tickets in the database.
PR 17451 - This adds netntlm and netntlmv2 hash support to the auxiliary/analyze/crack_windows module.
PR 17456 - This PR adds a new KrbOfferedEncryptionTypes option that allows users to configure which encryption types are used with the KDC.
PR 17466 - This updates the auxiliary/scanner/smb/smb_version module to store additional service information in the database so it can be viewed later.
PR 17473 - Updates the docs site to have an edit link at the bottom of each page, which takes you to the corresponding markdown file on GitHub for editing.
PR 17475 - Enables the datastore_fallbacks feature flag by default. This is a rewrite of Metasploit's datastore to fix multiple bugs and edge cases. The unset command will now consistently unset previously set datastore values, so that default values are used once again.
PR 17480 - A new alias called exploit has been added for payloads, which performs the same action as to_handler, to help users familiar with exploit modules use the same familiar exploit method to open handlers when using payloads.
PR 17518 - A new adapter has been added to run Python payloads on Windows. This is notably useful for testing Python payloads as SYSTEM or delivered on demand through an exploit module such as psexec.
PR 17519 - Improves the SMTP delivery error handling for the auxiliary/client/smtp/emailer module.
PR 17526 - Updates the show options and show advanced commands to visually group options with the same conditions together, such as options that require an action or datastore value to be set.
PR 17535 - This adds NTLM hash recovery to the kerberos/get_ticket module.
PR 17539 - Adds additional error handling for Kerberos error codes.
Fixed
Pro: We addressed CVE-2023-0599, a stored XSS vulnerability on the individual host services page reported by Michael Caruso. Thank you for the coordinated disclosure.
Pro: We improved the CLI startup process to ensure running tasks are no longer interrupted by starting a Pro console.
PR 17385 - This PR fixes the file write and file append methods to return the expected Boolean values rather than nil.
PR 17455 - Fixes an issue where Kerberos responses could not be received in smaller chunks, such as in bandwidth-restricted networks.
PR 17482 - Fixes a connection issue with reverse_https stagers that are executed on Windows servers attempting to negotiate TLS1 when Metasploit was using OpenSSL3.
PR 17491 - A bug has been fixed in the lib/msf/core/exploit/remote/ldap.rb library, which handles LDAP communications for several modules, to ensure that failures use the right namespace when raising errors, preventing crashes.
PR 17497 - This fixes an error where modules that issue certificates (icpr_cert and now auxiliary/admin/dcerpc/cve_2022_26923_certifried) would crash if the server responded that the certificate was submitted but no certificate was returned. The code now checks that the certificate is present before attempting to process it.
PR 17516 - The version of metasploit-payloads has been bumped to add support for dual IPv4/IPv6 stacks to Python Meterpreter, add support for enumerating desktops with the enumdesktops command to Python Meterpreter, and add support for binding to the specified localhost to compiled versions of Meterpreter.
PR 17525 - Fixes a deprecation warning when using SOCKS proxy support in Metasploit.
PR 17541 - Fixes a crash that occurs when the domain option is set to blank.
PR 17549 - Updates the inspect_ticket module to output a user-friendly error if ticket decryption has failed, for example due to an invalid decryption key.
Modules
PR 16625 - Adds a new scanner/kerberos/kerberos_login module for brute-forcing and verifying credentials against a Kerberos server. Accounts which do not require preauthentication, i.e. AS-REP Roastable accounts, will have their hashes output for offline cracking.
PR 17348 - This PR adds a module that performs a DoS attack on Mirage Firewall versions 0.8.0-0.8.3.
PR 17407 - This adds an exploit that targets various versions of the Cacti network-monitoring software. For versions 1.2.22 and below, there exists an unauthenticated command injection vulnerability in remote_agent.php that, when exploited, results in remote code execution as the user running the Cacti server.
PR 17449 - A new module has been added for CVE-2021-44529, an unauthenticated code injection vulnerability in the Ivanti EPM Cloud Services Appliance (CSA) before version 4.6.0-512. Successful exploitation requires sending a crafted cookie to the client endpoint at /client/index.php to get command execution as the nobody user.
PR 17479 - This adds an exploit module that leverages an unauthenticated SQLi against the WordPress plugin Paid Membership Pro. This vulnerability is identified as CVE-2023-23488 and affects versions prior to 2.9.8. The module retrieves WordPress usernames and password hashes using a time-based blind SQL injection technique.
PR 17533 - Enhances the auxiliary/admin/kerberos/get_ticket module with PKINIT functionality.