## The past, present and future of Metasploit ![Metasploit Weekly Wrap-Up](https://blog.rapid7.com/content/images/2022/07/metasploit-fence-1.png) Don't miss Spencer McIntyre's talk on the Help Net Security's [blog](). Spencer is the Lead Security Researcher at Rapid7 and speaks about how Metasploit has evolved since its creation back in 2003. He also explains how the Framework is addressing today's offensive security challenges and how important is the partnership with the community. ## LDAP swiss army knife This week, our very own [@gwillcox-r7]() added an auxiliary module that will likely help you to dump useful information from LDAP servers. This module allows you to remotely retrieve data using either your own custom query or a set of LDAP queries under a specific category. In addition to the available predefined queries, the user can also provide a JSON or YAML file containing custom queries to be executed. Here are the available predefined queries: msf6 auxiliary(gather/ldap_query) > show actions Auxiliary actions: Name Description ---- ----------- ENUM_ACCOUNTS Dump info about all known user accounts in the domain. ENUM_ALL_OBJECT_CATEGORY Dump all objects containing any objectCategory field. ENUM_ALL_OBJECT_CLASS Dump all objects containing any objectClass field. ENUM_COMPUTERS Dump all objects containing an objectCategory of Computer. ENUM_DOMAIN_CONTROLLERS Dump all known domain controllers. ENUM_EXCHANGE_RECIPIENTS Dump info about all known Exchange recipients. ENUM_EXCHANGE_SERVERS Dump info about all known Exchange servers. ENUM_GROUPS Dump info about all known groups in the LDAP environment. ENUM_ORGROLES Dump info about all known organizational roles in the LDAP environment. ENUM_ORGUNITS Dump info about all known organization units in the LDAP environment. RUN_QUERY_FILE Execute a custom set of LDAP queries from the JSON or YAML file specified by QUERY_FILE. RUN_SINGLE_QUERY Execute a single LDAP query using the QUERY_FILTER and QUERY_ATTRIBUTES options. Here is how you can dump information about users in a Windows domain: msf6 auxiliary(gather/ldap_query) > set action ENUM_ACCOUNTS action => ENUM_ACCOUNTS msf6 auxiliary(gather/ldap_query) > run RHOSTS=10.0.0.33 BIND_DN=MYDOMAIN\\Administrator BIND_PW=123456 [*] Running module against 10.0.0.33 [+] Successfully bound to the LDAP server! [*] Discovering base DN automatically [+] 10.0.0.33:389 Discovered base DN: DC=mydomain,DC=local [*] CN=DC02 OU=Domain Controllers DC=mydomain DC=local =============================================== Name Attributes ---- ---------- displayname DC02$ name DC02 samaccountname DC02$ useraccountcontrol 532480 [*] CN=Administrator CN=Users DC=mylab DC=local =========================================== Name Attributes ---- ---------- name Administrator samaccountname Administrator useraccountcontrol 512 ...[SNIP]... ## Win2k summer clean up For those nostalgic about old Windows systems, [bcoles]() did a great cleanup of old modules targeting Win2k. He breathed life back into modules such as `ms01_023_printer`, `ms02_065_msadc` and `ms03_007_ntdll_webdav` by fixing many issues and adding offsets to support many more Win2k flavors. ## New module content (1) * [LDAP Query and Enumeration Module]() by Grant Willcox - This adds a generic module to perform LDAP queries. Users can execute custom queries either through configuration files on disk, or through a combination of datastore options. The module also includes multiple builtin queries for common operations. ## Enhancements and features (7) * [#16737]() from [adfoster-r7]() \- This removes the code duplication in the MSSQL client mixins and refactors the code into a single main mixin. * [#16754]() from [bcoles]() \- Adds additional offsets for various Windows 2000 Professional targets in the ms02_065_msadc module. Also adds documentation and notes. * [#16761]() from [bcoles]() \- Adds additional offsets for various Windows 2000 targets, replaces raw socket TCP with HttpClient, fixes default payload, adds docs and notes. * [#16776]() from [bcoles]() \- Adds a ftp-http command stager for FTP clients which support http(s) URLs via `set cmdstager::flavor ftp_http.` * [#16778]() from [bcoles]() \- The checkvm script at `./scripts/meterpreter/checkvm.rb` has been removed and `post/windows/gather/checkvm.rb` now replaces it. Additionally, the `post/windows/gather/checkvm.rb` script has been updated to include missing features from `./scripts/meterpreter/checkvm.rb` to ensure backwards compatibility. * [#16789]() from [adfoster-r7]() \- This adds OpenSSL version information to the report generated by the `debug` command. * [#16792]() from [adfoster-r7]() \- This improves support for various OpenSSL 3 related errors during console start. ## Bugs fixed (2) * [#16743]() from [adfoster-r7]() \- Fixes a crash when using the `scanner/mssql/mssql_login` module with the `tdsencryption` and `USE_WINDOWS_AUTHENT` options set to `true.` * [#16753]() from [bcoles]() \- This PR fixes several bugs present in the module, including shifting from Meterpreter to shell payloads, better checking, and added targets anddocumentation. ## Get it As always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub: * [Pull Requests 6.2.7...6.2.8]() * [Full diff 6.2.7...6.2.8]() If you are a `git` user, you can clone the [Metasploit Framework repo]() (master branch) for the latest. To install fresh without using git, you can use the open-source-only [Nightly Installers]() or the [binary installers]() (which also include the commercial edition).

Query Builder