Mar 13, 2024
4.22.2-2024031301

Improved

  • PR 18376 - This PR adds support for LDAP capture of NTLM authentication and adds a default implementation for LDAP BindRequest, SearchRequest, UnbindRequest, as well as a default action for unsupported requests.

  • PR 18686 - This updates the existing auxiliary/scanner/ssh/ssh_version module with new checks for supported cryptographic algorithms and version detection capabilities.

  • PR 18796 - This updates the ManageEngine Endpoint Central and ServiceDesk Plus RCE modules for CVE-2022-47966. Particularly, it adds a Java target to be able to use Java-based payloads.

  • PR 18833 - Fixes a module crash when updating a non-existent session.

  • PR 18847 - This PR adds proxy support for getting a PostgreSQL session via the postgres_login module.

  • PR 18848 - This PR adds proxy support for getting a MSSQL session via the mssql_login module.

  • PR 18854 - This PR adds proxy support for getting a MySQL session via the mysql_login module.

  • PR 18872 - Updates the MSSQL modules to support querying database rows that contain boolean bit values.

  • PR 18879 - Updates the auxiliary/admin/kerberos/inspect_ticket module with improved error messages, and support for printing Kerberos PAC credential information.

  • PR 18892 - This makes some changes necessary for users to leverage the latest ADCS ESC13 technique. These are related to the identification of misconfigured certificate templates and workflow documentation. ldap_esc_vulnerable_cert_finder and ldap_query were also updated to improve usability.

Payload Enhancements

  • PR 18866 - This updates metasploit-payloads gem to 2.0.166 to include the Mimikatz changes needed for Windows 11 23H2 support.

Fixed

  • PR 18844 - This fixes a bug in the file dropper mixin that would prevent files from being deleted with a Windows shell session.

  • PR 18880 - Fixes a bug with the auxiliary/capture/ldap module's handling of NTLM hashes.

  • PR 18897 - Updates the smb_login module to support configuring the negotiated SMB protocol versions and whether encryption is negotiated.

  • PR 18904 - Fixes the windows/gather/bloodhound module to no longer incorrectly validate the OutputDirectory option.

Modules

  • PR 18125 - This PR adds a module to launch an LDAP service supporting capture and storage of Simple Authentication attempts. When launching this module with default options, users must have permissions to bind to port 389.

  • PR 18678 - Adds a new auxiliary/server/capture/ldap module that emulates an LDAP Server. The server accepts a user's bind request, and the user credentials or NTLM hash is then captured, logged, and persisted to the currently active database. An ldap_bind: Authentication method not supported (7) error is sent to the connecting client.

  • PR 18681 - This PR updates the pre-existing apache_ofbiz_deserialization module to include functionality that will bypass authentication by using the newly discovered auth-bypass vulnerability: CVE-2023-51467.

  • PR 18700 - This PR adds an exploit module for a command injection vulnerability that exists in Kafka-ui between v0.4.0 and v0.7.1 that allows an attacker to inject and execute arbitrary shell commands via the groovy filter parameter in the topic section.

  • PR 18792 - This module exploits the recently disclosed SSRF vulnerability (CVE-2024-21893) in Ivanti Connect Secure and Ivanti Policy Secure. The SSRF is chained to a command injection vulnerability (CVE-2024-21887) to achieve unauthenticated RCE.

  • PR 18821 - This adds an auxiliary module that leverages an information disclosure vulnerability (CVE-2023-5612) in Gitlab versions before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 to retrieve user email addresses via tags feed.

  • PR 18827 - This PR adds an authenticated RCE against BoidCMS versions 2.0.0 and earlier. The underlying issue in the vulnerability CVE-2023-38836 is that the file upload check allows a PHP file to be uploaded and executed as a media file if the GIF header is present in the PHP file.

  • PR 18832 - This PR adds a module targeting CVE-2023-47218, an unauthenticated command injection vulnerability affecting QNAP QTS and QuTS hero devices.

  • PR 18870 - This PR adds an unauthenticated RCE exploit for ConnectWise ScreenConnect (CVE-2024-1709).
