Contributor smashery added a new dns command to the Metasploit console, which lets the user customize how the Framework resolves DNS names. Similar to the route command, it is now possible to control where DNS queries are sent, so that target hostnames do not leak to a resolver outside the environment being tested. Before this change, the Framework used the local system's resolver configuration. Now, the DNS server to query can be chosen per rule, where each rule matches a specific hostname or domain wildcard. DNS queries can also be routed through an existing session, which is useful when querying a DNS server on an internal network that is only reachable through a pivot host.
The command is behind a feature flag: enable it with features set dns_feature true, then run dns help to list the available subcommands:
msf6 > features set dns_feature true
dns_feature => true
msf6 > dns help
Manage Metasploit's DNS resolution behaviour
Usage:
dns [add] [--session <session_id>] [--rule <wildcard DNS entry>] <IP Address> <IP Address> ...
dns [remove/del] -i <entry id> [-i <entry id> ...]
dns [purge]
dns [print]
Subcommands:
add - add a DNS resolution entry to resolve certain domain names through a particular DNS server
remove - delete a DNS resolution entry; 'del' is an alias
purge - remove all DNS resolution entries
print - show all active DNS resolution entries
Examples:
Display all current DNS nameserver entries
dns
dns print
Set the DNS server(s) to be used for *.metasploit.com to 192.168.1.10
dns add --rule *.metasploit.com 192.168.1.10
Add multiple entries at once
dns add --rule *.metasploit.com --rule *.google.com 192.168.1.10 192.168.1.11
Set the DNS server(s) to be used for *.metasploit.com to 192.168.1.10, but specifically to go through session 2
dns add --session 2 --rule *.metasploit.com 192.168.1.10
Delete the DNS resolution rule with ID 3
dns remove -i 3
Delete multiple entries in one command
dns remove -i 3 -i 4 -i 5
Set the DNS server(s) to be used for all requests that match no rules
dns add 8.8.8.8 8.8.4.4
Once rules are in place, every name resolution the Framework performs follows them. For example, with RHOSTS set to a hostname (set RHOSTS www.example.com) and a rule added with dns add --session 1 --rule *.example.com 10.10.1.1, the Framework resolves the hostname by sending the DNS query to the internal DNS server at 10.10.1.1 through session 1. No query for that name is sent anywhere else, so the lookup does not leak to the local resolver.
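As an added example (not the Framework's own code), the following Ruby models the rule table behind the dns add, remove, purge and print examples above and shows which nameserver and session a query for a given hostname is directed to. The class and method names (DnsRuleTable, resolve_via, example_table) are this example's own; wildcard matching uses File.fnmatch? with first-match-wins precedence, and a lookup that matches no rule and has no default returns nil. None of these details are taken from the Framework's implementation.

```ruby
# Added example, not Metasploit's own code: a minimal model of rule-based DNS
# resolution as described above. Names (DnsRuleTable, resolve_via, ...) are
# this example's own; matching is first-match-wins via File.fnmatch?.
require 'ipaddr'

class DnsRuleTable
  Rule = Struct.new(:id, :wildcard, :nameservers, :session_id)

  def initialize
    @rules = []               # ordered; the first matching rule wins
    @default_nameservers = [] # used for names that match no rule
    @next_id = 1
  end

  # Mirrors `dns add [--session N] [--rule W ...] <IP> ...`.
  # With no --rule, the servers become the default for unmatched names.
  # Returns the ids assigned to the new rules (empty for a default entry).
  def add(nameservers, rules: [], session: nil)
    nameservers.each { |ns| IPAddr.new(ns) } # raises on a malformed address
    if rules.empty?
      @default_nameservers = nameservers.dup
      return []
    end
    rules.map do |wildcard|
      rule = Rule.new(@next_id, wildcard.downcase, nameservers.dup, session)
      @next_id += 1
      @rules << rule
      rule.id
    end
  end

  # Mirrors `dns remove -i ID [-i ID ...]`.
  def remove(*ids)
    @rules.reject! { |r| ids.include?(r.id) }
    nil
  end

  # Mirrors `dns purge`.
  def purge
    @rules.clear
    @default_nameservers = []
    nil
  end

  # Mirrors `dns print`: one human-readable line per rule.
  def entries
    @rules.map do |r|
      via = r.session_id ? " via session #{r.session_id}" : ''
      "#{r.id}: #{r.wildcard} -> #{r.nameservers.join(', ')}#{via}"
    end
  end

  # Decide where a query for `hostname` goes: the nameservers and session of
  # the first matching rule, else the default servers (no session), else nil,
  # meaning the query is not sent anywhere (this example's choice: unmatched
  # names are dropped rather than handed to the system resolver).
  def resolve_via(hostname)
    host = hostname.downcase.chomp('.')
    rule = @rules.find { |r| File.fnmatch?(r.wildcard, host) }
    return { nameservers: rule.nameservers, session: rule.session_id } if rule
    return nil if @default_nameservers.empty?

    { nameservers: @default_nameservers, session: nil }
  end
end

# The rule set from the examples above, built with the methods of this model.
def example_table
  table = DnsRuleTable.new
  table.add(['192.168.1.10'], rules: ['*.metasploit.com'])
  table.add(['10.10.1.1'], rules: ['*.example.com'], session: 1)
  table.add(['8.8.8.8', '8.8.4.4'])
  table
end

if __FILE__ == $PROGRAM_NAME
  table = example_table
  puts table.entries
  %w[www.example.com docs.metasploit.com example.com].each do |name|
    puts "#{name} => #{table.resolve_via(name).inspect}"
  end
end
```

Run it directly to print the rule table and the routing decision for three names; note that example.com itself does not match *.example.com and therefore goes to the default servers, which is the behaviour a practitioner should confirm for the real command before relying on a wildcard rule to cover an apex domain.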
Smashery also enhanced the existing Kerberos ticket-forging module with support for the Diamond and Sapphire techniques, which achieve the same result as Golden and Silver Tickets but are stealthier. The Diamond technique takes a real TGT issued by the KDC and modifies its PAC, which requires knowledge of the krbtgt Kerberos key. The Sapphire technique uses S4U2Self and U2U (User-to-User) to obtain the PAC of another user and embeds it in an existing TGT to impersonate that user.
Authors: Fioravante Souza and Valentin Lobstein
Type: Exploit
Pull request: #18567 contributed by Chocapikk
Path: multi/http/wp_royal_elementor_addons_rce
Description: This pull request adds a new exploit module for CVE-2023-5360, an unauthenticated file upload vulnerability in the WordPress Royal Elementor Addons and Templates plugin in versions before 1.3.79.
dns command in Metasploit, to allow the user to customize the behavior of DNS resolution in the framework. DNS resolution can be set to be routed through a session via a specific Comm channel or to request a specific DNS server. Routing rules ensure DNS queries are not sent to unwanted DNS servers and avoid the leak of information.
RHOST datastore values. Now, the user is notified when there is a failure when parsing a URL, an invalid CIDR, or a DNS resolution failure.
default_options as part of an exploit.
You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.
As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.