Posted by Trancer on Nov 20 2008

Metasploit Framework
Metasploit 3.2 is out!

From the news:

the Metasploit Project announced today the free, world-wide availability of version 3.2 of their exploit development and attack framework. The latest version is provided under a true open source software license (BSD) and is backed by a community-based development team. Metasploit runs on all modern operating systems, including Linux, Windows, Mac OS X, and most flavors of BSD. Metasploit has been used on a wide range of hardware platforms, from massive Unix mainframes to the iPhone. Users can access Metasploit using the tab-completing console interface, the Gtk GUI, the command line scripting interface, or the AJAX-enabled web interface. The Windows version of Metasploit includes all software dependencies and a selection of useful networking tools.

Version 3.2 includes exploit modules for recent Microsoft flaws, such as MS08-041, MS08-053, MS08-059, MS08-067, MS08-068, and many more.

The module format has been changed in version 3.2. The new format removes the previous naming and location restrictions and paves the way to an improved module loading and caching backend. For users, this means being able to copy a module into nearly any subdirectory and be able to immediately use it without edits.

The Byakugan WinDBG extension developed by Pusscat has been integrated with this release, enabling exploit developers to quickly exploit new vulnerabilities using the best Win32 debugger available today.

The Context-Map payload encoding system developed by I)ruid is now enabled in this release, allowing for any chunk of known process memory to be used as an encoding key for Windows payloads.

The Incognito token manipulation toolkit, written by Luke Jennings, has been integrated as a Meterpreter module. This allows an attacker to gain new privileges through token hopping. The most common use is to hijack domain admin credentials once remote system access is obtained.

The PcapRub, Scruby, and Packetfu libraries have all been linked into the Metasploit source tree, allowing easy packet injection and capture.

The METASM pure-Ruby assembler, written by Yoann Guillot and Julien Tinnes, has gone through a series of updates. The latest version has been integrated with Metasploit and now supports MIPS assembly and the ability to compile C code.

The Windows payload stagers have been updated to support targets with NX CPU support. These stagers now allocate a read/write/exec segment of memory for all payload downloads and execution.

Executables which have been generated by msfpayload or msfencode now support NX CPUs. The generated executable is now smaller and more reliable, opening the door to a wider range of uses. The psexec and smb_relay modules now use an executable template that acts like a real Windows service, improving the reliability and cleanup requirements of these modules.

The Reflective DLL Injection technique pioneered by Stephen Fewer of Harmony Security has been integrated into the framework. The new payloads use the “reflectivedllinjection” stager prefix and share the same binaries as the older DLL injection method.

Client-side browser exploits now benefit from a set of new javascript obfuscation techniques developed by Egypt. This improvement leads to a greater degree of anti-virus bypass for client-side exploits.

Metasploit contains dozens of exploit modules for web browsers and third-party plugins. The new browser_autopwn module ties many of these together with advanced fingerprinting techniques to deliver more shells than most pen-testers know what to do with.

This release includes a set of man-in-the-middle, authentication relay, and authentication capture modules. These modules can be integrated with a fake proxy (WPAD), a malicious access point (Karmetasploit), or basic network traffic interception to gain access to client machines. These modules tie together browser_autopwn, SMB relaying, and HTTP credential and form capturing to pillage data from client systems.

Nearly all Metasploit modules now support IPv6 transports. IPv6 stagers exist for the Windows and Linux platforms, opening the door for penetration testing of pure IPv6 networks. The VNCInject and Meterpreter payloads have been extensively tested over IPv6 sockets.

Efrain Torres’s WMAP project has been merged into Metasploit. WMAP is a general purpose web application scanning framework that can be automated through integration with an attack proxy (ratproxy) or be accessed as individual auxiliary modules.

Egypt’s new PHP payloads provide complete bind, reverse, and findsock support for PHP web application exploits. If you are sick of C99 and R57 and looking to gain a “real” shell from one of the hundreds of RFI flaws listed on milw0rm, the new PHP payloads work great against multiple operating systems.

The db_autopwn command has been revamped to support port-based limits, regex-based module matching, and limits on the number of spawned jobs. The end result is a way to quickly launch specific modules against a specific set of target machines. These changes were suggested and implemented by Marcell “SkyOut” Dietl (Helith).

Announcement.
Some of the new features are presented in Metasploit Prime.
Grab a copy from the Metasploit web site.

Categories: Metasploit, Tools


Posted by Trancer on Nov 05 2008

Google Developer Day 2008
Now that is funny, Israel Google Developer Day 2008 networks got hacked, the wireless network and the wired LAN.
I got this email from Google, a day after the convention:

Dear attendee,

First of all thanks for attending Google Developer Day yesterday, we hope you found it useful. Unfortunately, we need to let you know about an incident which took place during the conference which you may need to take precautionary action on.

We identified unauthorised activity on the public wired Ethernet network which was provided by the convention centre for conference attendees to access the Internet. This may have affected a limited number of attendees accessing websites and online applications through the wired Ethernet connection. We have no evidence so far to suggest that the wireless network also provided at the event, and which was used by most attendees, was affected.

Due to the unauthorised activity, there is a chance that if you used the wired network, any user name and password entered to access a website may have been put at risk. When trying to access a secure website (a website using https), you may have received an alert indicating that the page had an invalid security certificate. In any case, we advise users as a precaution to change the passwords for any websites or services they accessed through the wired connection during the conference.

We’re really sorry that this has happened but we believe that the vast majority of attendees won’t have been affected by this incident. In the meantime, we look forward to seeing you at future events very soon.

The Google Developer Day Team

Sounds like a typical man-in-the-middle attack using the ARP poisoning technique.
In my opinion, that’s really irresponsible from Google, risking their event visitors with unsecured LANs. There were tons of developers at the convention and the information at stake here is sensitive.
Hope they do good next year, I also strongly recommend changing routers’ and switches’ default passwords when setting up a network for the convention ;-)

See also an article at Calcalist web site (Hebrew).
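The ARP poisoning the post suspects leaves a trace that a defender can watch for on a conference LAN: the gateway's IP suddenly resolving to a different MAC, and one MAC claiming several IPs. The following is an added example (not part of the original post, and not Google's or the venue's tooling): a minimal arpwatch-style monitor over a constructed ARP reply log, with the gateway address assumed to be 10.0.0.1.

```python
# Added example: a minimal arpwatch-style monitor. It reads observed ARP replies
# (a constructed log here; a sniffer would feed real ones) and flags the two
# signs of gateway impersonation: an IP whose MAC changes, and one MAC that
# claims several IPs.
from collections import defaultdict

# Constructed sample in "timestamp sender_ip sender_mac" form. The assumed
# gateway 10.0.0.1 is first seen on one MAC, then re-announced from another,
# which then also answers for a second host.
SAMPLE_ARP_LOG = """\
09:00:01 10.0.0.1 00:11:22:33:44:55
09:00:02 10.0.0.25 aa:bb:cc:dd:ee:01
09:00:05 10.0.0.1 00:11:22:33:44:55
09:05:10 10.0.0.1 de:ad:be:ef:00:01
09:05:11 10.0.0.1 de:ad:be:ef:00:01
09:05:12 10.0.0.30 de:ad:be:ef:00:01
"""


def parse_arp_log(text):
    """Yield (timestamp, ip, mac) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, ip, mac = parts
        yield ts, ip, mac.lower()


def detect_arp_spoofing(records, gateway_ip=None):
    """Return alert strings, in log order, for IP->MAC changes and MAC reuse."""
    ip_to_mac = {}                  # first MAC seen for each IP
    mac_to_ips = defaultdict(set)   # every IP a MAC has claimed
    alerts = []
    for ts, ip, mac in records:
        known = ip_to_mac.setdefault(ip, mac)
        if known != mac:
            # A change on the gateway address is the classic MITM signature.
            level = "CRITICAL" if ip == gateway_ip else "WARN"
            alerts.append(f"{ts} {level}: {ip} changed from {known} to {mac}")
            ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append(f"{ts} WARN: {mac} now claims {sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(parse_arp_log(SAMPLE_ARP_LOG), gateway_ip="10.0.0.1"):
        print(alert)
```

On a real network the same checks are what arpwatch or a switch's dynamic ARP inspection perform; the point here is that the invalid-certificate alerts Google describes are the client-side symptom of exactly the MAC change this code flags.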

Categories: LOLz

