Metasploit 6.2.27 releases: penetration testing platform

The Metasploit Project is a computer security project which provides information about security vulnerabilities and aids in penetration testing and IDS signature development. It is a penetration testing platform that enables you to find, exploit, and validate vulnerabilities. The platform includes the Metasploit Framework and its commercial counterparts, such as Metasploit Pro.

Image: Rapid7

Changelog

v6.2.27

• Check in exploit script for CVE-2022-41622 (CSRF into SOAP)
• Land #17257, Adding exploit for ChurchInfo 1.2.13-1.3.0 RCE
• Land #17277, Fix python reverse http stager crash
• More…

v6.0

Initial Metasploit 6.0 features include end-to-end encryption of Meterpreter communications across all five implementations (Windows, Python, Java, Mettle, and PHP), SMBv3 client support to further enable modern exploitation workflows, and a new polymorphic payload generation routine for Windows shellcode that improves evasive capabilities against common antivirus and intrusion detection system (IDS) products.

This initial feature set marks a transition toward secure communications and encryption by default across key components of Metasploit Framework. Initial Metasploit 6 features also increase complexity for creation of signature-based detections for certain network operations and Metasploit’s main payload binaries. Metasploit users and developers can expect further additions to and refinement of version 6 features over the coming months.

Important note: Metasploit 6 incorporates backwards-incompatible changes for payload communication, meaning payloads generated with previous Metasploit versions will be unable to connect to Metasploit 6 and vice versa. Because of this incompatibility, users should not update to Metasploit 6 during active operations unless they are prepared to lose their sessions.

Expanded Encryption

Starting in Metasploit 6, all Meterpreters will use AES to encrypt their communications with the Framework. End-to-end encryption offers operators two noteworthy advantages: First, the encryption obfuscates the traffic, making signature-based detections of established communication channels much more difficult. Secondly, sensitive information (such as passwords) transferred from the compromised host to the Framework is now protected in transit.

Metasploit 6 also improves the Framework’s SMB client to support SMB version 3. SMBv3 added support for encryption, which Metasploit will now use by default when available—and which, as with Meterpreter encryption, will increase complexity for signature-based detections used to identify key operations performed over SMB. We’ve updated a number of popular Metasploit modules to use the new SMB client so they can be used in environments where SMBv3 is the only version available; some older modules may be updated at a later time (or not at all). Some noteworthy modules that now support SMB versions 1, 2, and 3 include:

• exploit/windows/smb/psexec
• exploit/windows/smb/webexec
• auxiliary/admin/smb/psexec_ntdsgrab
• auxiliary/scanner/smb/smb_version
• auxiliary/scanner/smb/smb_login

Cleaner Payload Artifacts

Meterpreter, Metasploit’s primary payload, includes a few additional improvements on top of the encrypted communications channels. DLLs used by the Windows Meterpreter now resolve necessary functions by ordinal instead of name. This means the standard export ReflectiveLoader used by reflectively loadable DLLs is no longer present in the payload binaries as text data. Additionally, the commands that Meterpreter exposes to the Framework are now encoded as integers instead of strings. This particularly benefits stageless Meterpreters on native architectures (such as Windows and Linux) since these strings are no longer in the binaries.

The old Mimikatz Meterpreter extension has been removed in favor of its successor, Kiwi. Attempts to load mimikatz will load Kiwi for the foreseeable future.

Finally, the vast majority of Windows shellcode payloads (like windows/meterpreter/reverse_tcp) use a common stub for invoking Windows API methods. This stub is known as the block API and accounts for almost half the size (130 bytes for x86 and 200 bytes for x64) of some of the smaller payloads. This (previously) static stub was low-hanging fruit for signature-based shellcode detection: Two signatures—one each for x86 and AMD64—could match almost all of Metasploit’s unencoded Windows payloads. To address this, Metasploit has replaced the static generation routine with a randomization routine that adds polymorphic properties to this critical stub by shuffling instructions around each time. This provides the anti-signature benefits historically bestowed by encoding without requiring the payload to be self-modifying (and thus to exist within an RWX segment that is often identified as malicious behavior in and of itself).

How to install Metasploit 6.2.27 on Linux/MacOS

curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && \
chmod 755 msfinstall && \
./msfinstall