(The following was provided by Christophe De La Fuente!)
A common pen testing pattern is to compromise a local administrative account on a host and use it to grab Windows password hashes, Kerberos tickets, and other secrets stored locally. The most common technique is to run tools such as Mimikatz locally on the compromised system to retrieve all these goodies from memory. One of the drawbacks is that anti-virus products often detect these tools and block their execution.
This is where the new Windows Secrets Dump module comes into play. It dumps SAM hashes and LSA secrets (including cached credentials) from the remote system without executing any agent (e.g., Meterpreter) on it. First, it takes a backup of a portion of the system registry by saving this information into a local file on the target. Then it downloads these temporary hive files and reads the remaining data from them.
This module is a native Ruby port of the popular secretsdump.py utility from the Impacket library (note that the NTDS.dit technique has not been implemented yet and will be added later). It also leverages the latest SMBv3 encryption capabilities recently added to the ruby_smb library.
This will integrate nicely with the Metasploit database and the password cracker module to provide users with full support for each step of their attack chain. One example would be to use the recent Zerologon module and chain it with the Windows Secrets Dump module to retrieve credentials (from exploit to hash grabbing and cracking).
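The module described above leaves a recognisable two-step trace on the target: a sensitive registry hive is saved to a file, and that same file is then read by a remote peer over SMB. The following is an added example from the defender's side, not code from the original post or from the Metasploit module: a small correlation check that pairs those two events over constructed log lines. The event schema (pipe-separated fields, the REGISTRY_SAVE and SMB_FILE_READ event types, and the hive/path/user/src keys) is an assumption made for this example and does not follow any real product's log format.

```python
"""Correlation check for the remote hive-dump pattern: a sensitive registry
hive is saved to a file on the host, then that same file is read over SMB by
a remote peer shortly afterwards. The event schema below is constructed for
this example; it is not the format of any real log source."""
from datetime import datetime, timedelta

# Hives that hold SAM hashes, LSA secrets and the boot key used to decrypt them.
SENSITIVE_HIVES = {"HKLM\\SAM", "HKLM\\SECURITY", "HKLM\\SYSTEM"}

# Maximum gap between the hive save and the remote read for the pair to be linked.
DEFAULT_WINDOW = timedelta(seconds=60)

# Constructed sample events: timestamp|host|event_type|key=value;key=value...
SAMPLE_EVENTS = [
    # Host WS01: SAM and SECURITY saved to temp files, each read remotely seconds later.
    "2020-09-24T10:00:01Z|WS01|REGISTRY_SAVE|hive=HKLM\\SAM;path=C:\\Windows\\Temp\\abc.tmp;user=admin;src=10.0.0.5",
    "2020-09-24T10:00:03Z|WS01|SMB_FILE_READ|path=C:\\Windows\\Temp\\abc.tmp;src=10.0.0.5",
    "2020-09-24T10:00:04Z|WS01|REGISTRY_SAVE|hive=HKLM\\SECURITY;path=C:\\Windows\\Temp\\def.tmp;user=admin;src=10.0.0.5",
    "2020-09-24T10:00:06Z|WS01|SMB_FILE_READ|path=C:\\Windows\\Temp\\def.tmp;src=10.0.0.5",
    # Host WS02: a SOFTWARE hive backup read remotely; not a credential hive, so no alert.
    "2020-09-24T11:30:00Z|WS02|REGISTRY_SAVE|hive=HKLM\\SOFTWARE;path=C:\\Backups\\software.hiv;user=backupsvc;src=127.0.0.1",
    "2020-09-24T11:30:10Z|WS02|SMB_FILE_READ|path=C:\\Backups\\software.hiv;src=10.0.0.9",
    # Host WS03: SAM saved, but the remote read comes five minutes later, outside the window.
    "2020-09-24T12:00:00Z|WS03|REGISTRY_SAVE|hive=HKLM\\SAM;path=C:\\Windows\\Temp\\ghi.tmp;user=admin;src=10.0.0.7",
    "2020-09-24T12:05:00Z|WS03|SMB_FILE_READ|path=C:\\Windows\\Temp\\ghi.tmp;src=10.0.0.7",
]


def parse_event(line):
    """Split one constructed log line into a dict of its fields."""
    ts, host, event_type, details = line.split("|", 3)
    fields = dict(kv.split("=", 1) for kv in details.split(";"))
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "host": host,
        "type": event_type,
        **fields,
    }


def find_hive_dumps(lines, window=DEFAULT_WINDOW):
    """Return one alert per (hive save, remote read) pair that falls within the window."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    pending = {}  # (host, normalised path) -> the REGISTRY_SAVE event awaiting a read
    alerts = []
    for ev in events:
        key = (ev["host"], ev.get("path", "").lower())
        if ev["type"] == "REGISTRY_SAVE" and ev.get("hive", "").upper() in SENSITIVE_HIVES:
            pending[key] = ev
        elif ev["type"] == "SMB_FILE_READ":
            save = pending.pop(key, None)
            if save is None:
                continue
            delta = ev["ts"] - save["ts"]
            if delta <= window:
                alerts.append({
                    "host": ev["host"],
                    "hive": save["hive"],
                    "path": save["path"],
                    "saved_by": save["user"],
                    "read_from": ev["src"],
                    "delta_seconds": int(delta.total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_hive_dumps(SAMPLE_EVENTS):
        print(f"{alert['host']}: {alert['hive']} saved to {alert['path']} by {alert['saved_by']}, "
              f"read over SMB from {alert['read_from']} after {alert['delta_seconds']}s")
```

Run as-is it reports the two WS01 pairs and ignores WS02 (not a credential hive) and WS03 (read too long after the save). The check keys on the saved file's path, so it depends on both the registry-save and the SMB-read telemetry recording that path; legitimate backup software that exports the SYSTEM hive will also match, so the hive set, the window and the expected source addresses need tuning per environment.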
Contributor timwr added a new module that exploits three bugs in Safari on macOS 10.15.3 in order to execute a payload in user mode outside the sandbox. It exploits incorrect side-effect modeling of the in operator, which is expected to be side-effect free. However, using the <embed> element with the PDF plugin can trigger side effects, leading to type confusion. This can then be used to build addrof and fakeobj primitives that allow an attacker to write shellcode into a JIT region containing the next stage of the exploit.
The next stage of the exploit uses CVE-2020-9856 to exploit a heap overflow in the CVM server and extract a macOS application containing the payload into /var/db/CVMS. The payload can then be opened via CVE-2020-9856, resulting in the payload being executed as a normal user outside the sandbox. This is the first part of the chain from the winning submission to Pwn2Own 2020; the previous module that was merged can be found here.
New RUN_NOW option for modules/post/windows/manage/persistence_exe.rb that can be used to choose whether the exe is automatically executed when the module is run.
Gemfile.local: this change accompanies the new Wiki page, which provides additional context and information on it.
debug command to output Metasploit's web server logs. This command is used when creating a GitHub issue.
peinject stage.
auxiliary/gather/windows_secrets_dump module to form a complete attack chain without relying on external tools such as Impacket.
Dockerfile updated to include missing dependencies and to ensure impacket is set up correctly as part of the Docker image build process. The Dockerfile was previously missing impacket and its dependencies, which caused several modules within Docker installs of Metasploit to fail to run.
Replaces the get_service call with calls to services, and removes support for the get_service call from Metasploit.
SESSION_PATH option, allowing users to enumerate session details even if portable versions of SecureCRT are used by the target.
Fixes a bug in the report_note function of db_manager.rb whereby the host object was being passed to a services call lookup instead of host.address, which caused an ActiveRecord exception to be raised and Metasploit to return a stack trace. Metasploit now correctly passes host.address to this services call, so services no longer throws an error.
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).