Improved
- PR 18376 - This PR adds support for LDAP capture of NTLM authentication and adds a default implementation for LDAP `BindRequest`, `SearchRequest` and `UnbindRequest`, as well as a default action for unsupported requests.
- PR 18686 - This updates the existing `auxiliary/scanner/ssh/ssh_version` module with new checks for supported cryptographic algorithms and version detection capabilities.
- PR 18796 - This updates the ManageEngine Endpoint Central and ServiceDesk Plus RCE modules for CVE-2022-47966. In particular, it adds a Java target to be able to use Java-based payloads.
- PR 18833 - Fixes a module crash when updating a non-existent session.
- PR 18847 - This PR adds proxy support for getting a PostgreSQL session via the `postgres_login` module.
- PR 18848 - This PR adds proxy support for getting an MSSQL session via the `mssql_login` module.
- PR 18854 - This PR adds proxy support for getting a MySQL session via the `mysql_login` module.
- PR 18872 - Updates the MSSQL modules to support querying database rows that contain boolean bit values.
- PR 18879 - Updates the `auxiliary/admin/kerberos/inspect_ticket` module with improved error messages, and support for printing Kerberos PAC credential information.
- PR 18892 - This makes some changes necessary for users to leverage the latest ADCS ESC13 technique. These are related to the identification of misconfigured certificate templates and workflow documentation. `ldap_esc_vulnerable_cert_finder` and `ldap_query` were also updated to improve usability.
Payload Enhancements
- PR 18866 - This updates metasploit-payloads gem to 2.0.166 to include the Mimikatz changes needed for Windows 11 23H2 support.
Fixed
- PR 18844 - This fixes a bug in the file dropper mixin that would prevent files from being deleted with a Windows shell session.
- PR 18880 - Fixes a bug with the `auxiliary/capture/ldap` module's handling of NTLM hashes.
- PR 18897 - Updates the `smb_login` module to support configuring the negotiated SMB protocol versions and whether encryption is negotiated.
- PR 18904 - Fixes the `windows/gather/bloodhound` module to no longer incorrectly validate the `OutputDirectory` option.
Modules
- PR 18125 - This PR adds a module to launch an LDAP service supporting capture and storage of Simple Authentication attempts. When launching this module with default options, users must have permissions to bind to port `389`.
- PR 18678 - Adds a new `auxiliary/server/capture/ldap` module that emulates an LDAP server. The server accepts a user's bind request, and the user's credentials or NTLM hash are then captured, logged, and persisted to the currently active database. An `ldap_bind: Authentication method not supported (7)` error is sent to the connecting client.
- PR 18681 - This PR updates the pre-existing `apache_ofbiz_deserialization` module to include functionality that will bypass authentication by using the newly discovered auth-bypass vulnerability, CVE-2023-51467.
- PR 18700 - This PR adds an exploit module for a command injection vulnerability that exists in Kafka-ui between v0.4.0 and v0.7.1 and allows an attacker to inject and execute arbitrary shell commands via the groovy filter parameter in the topic section.
- PR 18792 - This module exploits the recently disclosed SSRF vulnerability (CVE-2024-21893) in Ivanti Connect Secure and Ivanti Policy Secure. The SSRF is chained to a command injection vulnerability (CVE-2024-21887) to achieve unauthenticated RCE.
- PR 18821 - This adds an auxiliary module that leverages an information disclosure vulnerability (CVE-2023-5612) in GitLab versions before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 to retrieve user email addresses via the tags feed.
- PR 18827 - This PR adds an authenticated RCE against BoidCMS versions 2.0.0 and earlier. The underlying issue in CVE-2023-38836 is that the file upload check allows a PHP file to be uploaded and executed as a media file if a GIF header is present in the PHP file.
- PR 18832 - This PR adds a module targeting CVE-2023-47218, an unauthenticated command injection vulnerability affecting QNAP QTS and QuTS hero devices.
- PR 18870 - This PR adds an unauthenticated RCE exploit for ConnectWise ScreenConnect (CVE-2024-1709).