Metasploit 6.2.0 Improves Credential Theft, SMB Support Features, More
Metasploit 6.2.0 has been released with 138 new modules, 148 new improvements/features, and 156 bug fixes since version 6.1.0 was released in August 2021.
Metasploit is a penetration testing framework that includes 864 payloads and 2,227 exploits that can be used to target vulnerabilities and test a network’s defenses.
The framework is commonly used as part of penetration testing engagements and by threat actors who use it to breach networks.
Due to its ease of use and its many payloads, Metasploit has become one of the most popular tools cybersecurity professionals use today.
New features in Metasploit 6.2.0
Last week, Rapid7 released Metasploit 6.2.0, which includes hundreds of bug fixes and improvements. However, six new features are highlighted that enhance existing exploit modules, add protocol support, and provide additional debugging mechanisms.
The new stand-out features in Metasploit 6.2.0 are summarized below:
Capture plugin – While Metasploit has always included modules to steal credentials on a network, a new ‘Capture’ plugin has been introduced that offers a more streamlined approach.
When launched, the plugin will automatically start 13 different services, with an additional four running in SSL mode, to capture credentials on the network.
SMB v3 server support – Metasploit has expanded its support for SMB v3 so that users can quickly launch an SMB v3 server that shares a read-only folder. Pentesters can use this remote share to host payloads or DLLs that will be copied to targets or remotely executed.
Furthermore, all existing modules now support SMB v3 with this release.
Enhanced SMB relay support – The smb_relay module has been updated to support relaying over SMB versions 2 and 3. The module can also be configured to target multiple devices in one session, with the module intelligently cycling between targets.
Improved pivoting / NATed services support – “Metasploit has added features to libraries that provide listening services (like HTTP, FTP, LDAP, etc) to allow them to be bound to an explicit IP address and port combination that is independent of what is typically the SRVHOST option. This is particularly useful for modules that may be used in scenarios where the target needs to connect to Metasploit through either a NAT or port-forward configuration.”
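The NAT/port-forward point above is a general one: the address a service binds to and the address a remote peer must use are not always the same. The following is an added illustration (not Metasploit's code, and it does not use Metasploit's option names) of a small TCP listener that keeps the two separate, so the banner it hands out carries the advertised address while the socket itself listens on the bind address. The class and function names, and the documentation address 203.0.113.10, are constructed for this example.

```python
import socket
import threading


class ForwardedListener:
    """TCP listener whose bind address and advertised address are decoupled.

    bind_host/bind_port is where the socket really listens (the private
    address behind a NAT, or the loopback side of a port-forward).
    advertised_host/advertised_port is what a remote client has to connect to
    (the NAT's public address and forwarded port). Passing None for the
    advertised values means "same as the bind address", the non-NAT case.
    """

    def __init__(self, bind_host, bind_port, advertised_host=None, advertised_port=None):
        self.bind_host = bind_host
        self.bind_port = bind_port
        self.advertised_host = advertised_host
        self.advertised_port = advertised_port
        self._sock = None

    def start(self):
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((self.bind_host, self.bind_port))
        self.bind_port = self._sock.getsockname()[1]  # port 0 -> kernel-chosen port
        if self.advertised_host is None:
            self.advertised_host = self.bind_host
        if self.advertised_port is None:
            self.advertised_port = self.bind_port
        self._sock.listen(5)
        threading.Thread(target=self._serve, daemon=True).start()
        return self

    def _serve(self):
        # Each client gets a one-line banner naming the advertised address,
        # i.e. the address it should use for any follow-up connection.
        while True:
            try:
                conn, _ = self._sock.accept()
            except OSError:  # socket closed by stop()
                return
            with conn:
                conn.sendall(self.advertised_url().encode() + b"\n")

    def advertised_url(self):
        return f"tcp://{self.advertised_host}:{self.advertised_port}"

    def bind_url(self):
        return f"tcp://{self.bind_host}:{self.bind_port}"

    def stop(self):
        self._sock.close()


def fetch_banner(host, port):
    """Connect to a listener and return the one-line banner it sends."""
    with socket.create_connection((host, port), timeout=5) as s:
        return s.makefile("rb").readline().decode().strip()


if __name__ == "__main__":
    # Listen on loopback, but advertise a (constructed) public NAT address.
    svc = ForwardedListener("127.0.0.1", 0, "203.0.113.10", 8443).start()
    print("bound on      ", svc.bind_url())
    print("advertising   ", svc.advertised_url())
    print("banner received", fetch_banner("127.0.0.1", svc.bind_port))
    svc.stop()
```

The useful property is that nothing in the listener's own behaviour depends on the advertised address being locally bindable; only the value written into the banner changes, which is exactly the situation behind a NAT or a port-forward.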
Debugging Meterpreter sessions – You can now debug Meterpreter sessions by logging network requests and responses between msfconsole and Meterpreter (TLV packets) or generating a custom Meterpreter debug build.
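To make "TLV packets" concrete for anyone reading such a debug log, here is an added example (not Rapid7's code) of a small length-type-value encoder and decoder with nested groups, plus a dumper that renders decoded packets as indented log lines. The framing (4-byte big-endian length that includes the 8-byte header, then a 4-byte type whose high bits flag the value's kind) follows the open-source Meterpreter TLV layout as I understand it, but the meta-type constants and the sample packet are assumptions constructed for this example; check the metasploit-payloads source before relying on exact values.

```python
import struct

# Meta-type flags in the high bits of a TLV type (assumed values for this example).
META_STRING = 1 << 16
META_UINT = 1 << 17
META_RAW = 1 << 18
META_BOOL = 1 << 19
META_GROUP = 1 << 30
HEADER_LEN = 8  # 4-byte big-endian length (includes this header) + 4-byte type


def encode_tlv(tlv_type, value):
    """Serialise one TLV. Groups nest: value is a list of (type, value) pairs."""
    if tlv_type & META_GROUP:
        payload = b"".join(encode_tlv(t, v) for t, v in value)
    elif tlv_type & META_STRING:
        payload = value.encode("utf-8") + b"\x00"  # NUL-terminated string
    elif tlv_type & META_UINT:
        payload = struct.pack(">I", value)
    elif tlv_type & META_BOOL:
        payload = b"\x01" if value else b"\x00"
    else:
        payload = bytes(value)  # raw bytes
    return struct.pack(">II", HEADER_LEN + len(payload), tlv_type) + payload


def decode_tlvs(buf):
    """Parse bytes into a list of (type, value) pairs, recursing into groups.

    Every length field is validated before use, so a truncated or malformed
    capture raises ValueError instead of mis-parsing or reading past the end.
    """
    items = []
    offset = 0
    while offset < len(buf):
        if offset + HEADER_LEN > len(buf):
            raise ValueError(f"truncated TLV header at offset {offset}")
        length, tlv_type = struct.unpack_from(">II", buf, offset)
        if length < HEADER_LEN or offset + length > len(buf):
            raise ValueError(f"bad TLV length {length} at offset {offset}")
        payload = buf[offset + HEADER_LEN:offset + length]
        if tlv_type & META_GROUP:
            value = decode_tlvs(payload)
        elif tlv_type & META_STRING:
            value = payload.rstrip(b"\x00").decode("utf-8", errors="replace")
        elif tlv_type & META_UINT:
            if len(payload) != 4:
                raise ValueError(f"uint TLV with {len(payload)} payload bytes")
            value = struct.unpack(">I", payload)[0]
        elif tlv_type & META_BOOL:
            value = payload != b"\x00"
        else:
            value = payload
        items.append((tlv_type, value))
        offset += length
    return items


def dump(items, indent=0):
    """Render decoded TLVs as indented log lines, the shape a packet trace would use."""
    lines = []
    pad = "  " * indent
    for tlv_type, value in items:
        if tlv_type & META_GROUP:
            lines.append(f"{pad}type=0x{tlv_type:08x} group({len(value)})")
            lines.extend(dump(value, indent + 1))
        else:
            lines.append(f"{pad}type=0x{tlv_type:08x} {value!r}")
    return lines


# Constructed sample packet body: a method name, a request id, and a nested group.
SAMPLE = (
    encode_tlv(META_STRING | 1, "example_method")
    + encode_tlv(META_STRING | 2, "42")
    + encode_tlv(META_GROUP | 3, [(META_UINT | 4, 4096), (META_BOOL | 5, True)])
)

if __name__ == "__main__":
    for line in dump(decode_tlvs(SAMPLE)):
        print(line)
```

The validation in decode_tlvs is the part worth copying: a logger that trusts the length field of a packet it did not produce can be made to read past the buffer or loop forever, so bound every length against the remaining bytes before slicing.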
Local exploit suggester improvements – The local_exploit_suggester module has been updated with bug fixes and an improved user interface.
This module will launch multiple Metasploit modules to attempt to gain local privilege escalation on the targeted host.
Most actively used modules
Rapid7 has also listed the new Metasploit modules that are most commonly used successfully in engagements:
- VMware vCenter Server Unauthenticated JNDI Injection RCE (via Log4Shell) – This module exploits the Log4Shell vulnerability (CVE-2021-44228) in both Windows and Linux targets. Log4Shell has been under significant in-the-wild exploitation by state-sponsored hacking groups and ransomware actors since it was disclosed in December 2021.
- F5 BIG-IP iControl RCE via REST Authentication Bypass – This module exploits CVE-2022-1388, which allows unauthenticated, remote attackers to execute commands on vulnerable devices. This vulnerability has been exploited in the wild to deploy web shells and to gain initial access to networks.
- VMware Workspace ONE Access CVE-2022-22954 – This module exploits a critical authentication bypass vulnerability in VMware Workspace ONE that has been under active exploitation by threat actors to deploy coinminers and breach networks.
- Zyxel Firewall ZTP Unauthenticated Command Injection – This unauthenticated, remote code execution vulnerability was discovered by Rapid7 researcher Jake Baines, who also alerted the cybersecurity community that it was under active exploitation by threat actors.
- Windows CVE-2022-21999 SpoolFool Privesc – Exploits a Windows Print Spooler Elevation of Privilege Vulnerability tracked as CVE-2022-21999 that was fixed as part of the February 2022 Patch Tuesday.
- Dirty Pipe Local Privilege Escalation via CVE-2022-0847 – Finally, we have the Linux Dirty Pipe privilege elevation vulnerability, which allows low-privileged local users to easily gain root access on a server.
Demonstration of the CVE-2022-0847 Dirty Pipe vulnerability
For a weekly roundup of new exploits added to Metasploit and how they are being used, you can read the Rapid7 blog.