Metasploit 6.3 releases: penetration testing platform

The Metasploit Project is a computer security project which provides information about security vulnerabilities and aids in penetration testing and IDS signature development. It is a penetration testing platform that enables you to find, exploit, and validate vulnerabilities. The platform includes the Metasploit Framework and its commercial counterparts, such as Metasploit Pro.

Image: Rapid7

Changelog v6.3

Highlights include:

• Native Kerberos authentication over HTTP, LDAP, MSSQL, SMB, and WinRM
• The ability to request Ticket-Granting Tickets (TGT) and Ticket-Granting Server (TGS) from the Key Distribution Center (KDC) if the user obtains a password, NT hash, or encryption key; users can also request tickets via PKINIT with certificates issued from AD CS
• Kerberos ticket inspection and debugging via the auxiliary/admin/kerberos/inspect_ticket module and the auxiliary/admin/kerberos/keytab module, which can generate Keytab files to allow decryption of Kerberos network traffic in Wireshark
• Fully automated privilege escalation via Certifried (CVE-2022–26923)

Metasploit 6.3 also includes new modules for key attack primitives in Active Directory Domain Services (AD DS) environments, including creation of computer accounts, abuse of Role Based Constrained Delegation (RBCD), and enumeration of 28 key data points via LDAP. AD DS modules include:

• auxiliary/admin/dcerpc/samr_computer, which can add, lookup, or delete computer accounts from an Active Directory domain
• auxiliary/admin/ldap/rbcd, which lets users configure an object in Active Directory to permit another object to impersonate any other account
• auxiliary/gather/ldap_query, which allows for remote LDAP server queries, including custom and group queries

Metasploit 6.3 adds new modules to find and execute certificate attacks, including:

• auxiliary/admin/dcerpc/icpr_cert, which supports issuing certs via AD CS
• auxiliary/gather/ldap_esc_vulnerable_cert_finder, which supports hunting for ESC1, ESC 2 and ESC 3 vulnerable certificates on the target AD CS server using LDAP
• auxiliary/admin/kerberos/get_ticket, which requests TGT/TGS tickets from the KDC using certificates by way of PKINIT

Additional features and improvements since Metasploit 6.2 include:

• A sixth getsystem technique that leverages the EFSRPC API to elevate a user with the SeImpersonatePrivilege permission to NT AUTHORITY\SYSTEM (“EfsPotato”)
• Better Linux credential extraction through native Mimipenguin support in Metasploit
• Meterpreter support for running Cobalt Strike’s Beacon Object Files (BOF) — many thanks to the TrustedSec team!
• A rewrite of Metasploit’s datastore to resolve common errors, address edge cases, and improve user quality of life
• Updated show options support that lets module authors specify the conditions under which options are relevant to the user (e.g., a particular action or datastore value being set)

How to install Metasploit 6.3 on Linux/MacOS

curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && \
chmod 755 msfinstall && \
./msfinstall