Metasploit 3.4.0 Released
The guys over at Rapid7/Metasploit have been really busy lately, judging by all the new features that have been added to what is one of the most widely used Open Source security tools.
If you’re one of the people that have been running off of the svn builds, then you will have seen these changes coming in gradually, if not, then you’re in for quite a nice suprise.
The new features added to Metasploit 3.4.0 are the following:
-Metasploit now has 551 exploit modules and 261 auxiliary modules (from 445 and 216 respectively in v3.3)
-Metasploit is still about twice the size of the nearest Ruby application according to Ohloh.net ( 400K lines of Ruby)
-Over 100 tickets were closed since the last point release and over 200 since v3.3
-The dns_enum auxiliary module now supports bruteforcing IPv6 AAAA records thanks to a patch from Rob Fuller
- Command shell sessions can now be automated via scripts using an API similar to Meterpreter
- The console can be automated using Ruby code blocks within resource files
- Initial sound support is available by loading the “sounds” plugin
-The Report mixin and report_* methods are now one-way, you can write to the database but not work with the results. This increases the scalability of the database.
- Many modules report information to the database by default now (auxiliary/scanner/*)
- Lotus Domino version, login bruteforce, and hash collector auxiliary modules
- Upgrade any command shell session to Meterpreter via sessions -u (Windows only)
- The VNC injection payload now uses the latest TightVNC codebase and bypasses Session 0 isolation
- Several modules were renamed to include their Microsoft Technet bulletin number, e.g. ie_xml_corruption is now ms08_078_xml_corruption
- Code can now interface directly with an installed Java Development Kit via a Java mixin. See the java_signed_applet exploit for an example.
- Tomcat and JBoss installations can be exploited to gain sessions (Windows x86/x64, Linux x86/x64)
- The msfencode utility can now generate WAR payloads for Tomcat and JBoss
- Oracle XDB SID brute forcing is much more comprehensive thanks to Thomas Ring
- The msfencode utility can now inject into an existing executable while keeping the original functionality
- The XMLRPC server has been improved and additional APIs are available
- The db_import command now supports NeXpose Simple XML, NeXpose Export XML, Nessus (NBE, XMLv1, XMLv2), QualysGuard XML, and Nmap
- The sqlite3 driver has been deprecated. To ease the transition away from sqlite3, the postgres driver is installed by default in the Linux installer.
- There is a new db_status command that shows which driver is currently in use and whether your database connection is active
- Account brute forcing has been standardized across all login modules
- Login and version scanning module names have been standardized
- The SSH protocol is now supported for brute force and fingerprint scans
- The telnet_login and ssh_login modules now create sessions
- MySQL is now supported for brute forcing, enumeration, service fingerprinting, and arbitrary SQL queries
- Postgres fingerprinting (pre-authentication) using the line numbers in the error messages
- Tomcat is now supported for brute forcing and session creation
- The Meterpreter process management APIs and commands can now see all processes on WinNT 4.0 -> Windows 7 (32 & 64)
- The Meterpreter can now migrate from 32 to 64 and from 64 to 32, in addition to using a new mechanism to do the migration.
- The Meterpreter adds the steal_token, drop_token, getprivs, and getsystem commands (including kitrap0d integration)
- The Meterpreter pivoting system now supports bidirectional UDP and TCP sockets
- The Meterpreter protocol handle now supports ZLIB compression of data blocks
- The Meterpreter can now take screenshots (jpeg) without process migration and bypasses Session 0 isolation
- The Meterpreter can now stage over a full-encrypted SSL 3.0 connection using the reverse_https stager
- The Meterpreter and Command Shell scripts are now evaluated in the context of a new Rex::Script object
- The “hashdump” Meterpreter script provides a safe way to dump hashes for the local user accounts
- Automatically route through new subnets with the auto_add_route plugin
Thanks for all the hard work guys, Metasploit has come a long way, and I’m looking forward to seeing where it’s going to be in a few months time.