Last updated on Monday, 26 February 2024, 12:16:44 GMT

LDAP Capture Module

Metasploit now has an LDAP capture module thanks to the work of
JustAnda7. This work was completed as part of the Google Summer of Code program.

When run with default options the module listens on port 389, which on most systems requires root or equivalent privileges to bind (it is a port below 1024). The module provides default handling for BindRequest, SearchRequest and UnbindRequest, and captures both plaintext credentials from simple binds and NTLM authentication hashes, which can then be brute-forced offline. Once a bind request has been received and its credentials captured, an ldap_bind: Authentication method not supported (7) error is sent back to the connecting client, so the client never obtains a usable session.

The module can be run with:

msf6 > use auxiliary/server/capture/ldap
msf6 auxiliary(server/capture/ldap) > run

Incoming requests will have their credentials stored for later use:

[+] LDAP Login attempt => From:10.0.2.15:48198	 Username:User	 Password:Pass
[+] LDAP Login Attempt => From:127.0.0.1:55566	 Username:admin	 ntlm_hash::8aa0e517cd547b4032ff7e9c5359c200879aa5a8031d3d74	 Domain:DOMAIN

These values will be stored in the database for later retrieval:

msf6 auxiliary(server/capture/ldap) > creds
Credentials
===========
host       origin     service         public  private  realm        private_type  JtR Format
----       ------     -------         ------  -------  -----        ------------  ----------
10.0.2.15  10.0.2.15  389/tcp (ldap)  User    Pass     example.com  Password
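To make the exchange above concrete, here is an added example (written for this page, not code taken from the Metasploit module or the framework): a dependency-free Ruby decoder for the LDAP BindRequest the capture module receives, and an encoder for the BindResponse it answers with, resultCode 7 (authMethodNotSupported, RFC 4511). The sample bind bytes are constructed by hand to match what a simple bind for cn=admin,dc=example,dc=com with password Pass looks like on the wire; the module and method names are this example's own, and the remark that Windows clients carry NTLM inside a SASL bind (typically under the GSS-SPNEGO mechanism) is general LDAP knowledge, not something the module documentation above states.

```ruby
# Added example, not Metasploit's own code: hand-rolled BER handling for the
# LDAP BindRequest a capture server receives (RFC 4511 section 4.2) and the
# BindResponse it replies with, resultCode 7 (authMethodNotSupported).
module LdapCaptureDemo
  AUTH_METHOD_NOT_SUPPORTED = 7 # LDAP resultCode, RFC 4511

  # Read one BER TLV starting at +offset+ (definite lengths only).
  # Returns [tag, value_bytes, offset_after_element].
  def self.read_tlv(buf, offset)
    raise 'truncated BER element' if offset + 1 >= buf.bytesize
    tag = buf.getbyte(offset)
    first = buf.getbyte(offset + 1)
    offset += 2
    if first < 0x80
      len = first
    else
      n = first & 0x7f
      raise 'unsupported BER length form' if n.zero? || n > 4 || offset + n > buf.bytesize
      len = buf.byteslice(offset, n).bytes.inject(0) { |acc, b| (acc << 8) | b }
      offset += n
    end
    raise 'truncated BER element' if offset + len > buf.bytesize
    [tag, buf.byteslice(offset, len), offset + len]
  end

  # Encode one BER TLV with a definite length (short or long form).
  def self.tlv(tag, value)
    len = value.bytesize
    header = if len < 0x80
               [tag, len].pack('CC')
             else
               lb = []
               while len > 0
                 lb.unshift(len & 0xff)
                 len >>= 8
               end
               [tag, 0x80 | lb.size, *lb].pack('C*')
             end
    header + value.b
  end

  # Decode a non-negative BER INTEGER.
  def self.decode_int(bytes)
    bytes.bytes.inject(0) { |acc, b| (acc << 8) | b }
  end

  # Encode a non-negative integer as BER INTEGER content (two's complement,
  # so a leading 0x00 is added when the top bit would otherwise be set).
  def self.encode_int(n)
    out = []
    loop do
      out.unshift(n & 0xff)
      n >>= 8
      break if n.zero?
    end
    out.unshift(0) if out.first >= 0x80
    out.pack('C*')
  end

  # Parse an LDAPMessage carrying a BindRequest. Simple binds yield the
  # cleartext password; SASL binds (how Windows clients send NTLM, usually
  # under the GSS-SPNEGO mechanism) yield the raw credential blob.
  def self.parse_bind_request(pdu)
    tag, body, _ = read_tlv(pdu, 0)
    raise 'not an LDAPMessage SEQUENCE' unless tag == 0x30
    id_tag, id_bytes, pos = read_tlv(body, 0)
    raise 'bad messageID' unless id_tag == 0x02
    op_tag, op, _ = read_tlv(body, pos)
    raise format('not a BindRequest (tag 0x%02x)', op_tag) unless op_tag == 0x60
    v_tag, version, pos = read_tlv(op, 0)
    n_tag, name, pos = read_tlv(op, pos)
    a_tag, auth, _ = read_tlv(op, pos)
    raise 'malformed BindRequest' unless v_tag == 0x02 && n_tag == 0x04
    result = { message_id: decode_int(id_bytes), version: decode_int(version), name: name }
    case a_tag
    when 0x80 # simple [0] OCTET STRING: the password travels in the clear
      result.merge(auth: :simple, password: auth)
    when 0xa3 # sasl [3] SEQUENCE { mechanism, credentials OPTIONAL }
      _, mechanism, pos = read_tlv(auth, 0)
      credentials = pos < auth.bytesize ? read_tlv(auth, pos)[1] : ''.b
      result.merge(auth: :sasl, mechanism: mechanism, credentials: credentials)
    else
      raise format('unknown authentication choice 0x%02x', a_tag)
    end
  end

  # BindResponse [APPLICATION 1] SEQUENCE { resultCode ENUMERATED,
  # matchedDN LDAPDN, diagnosticMessage LDAPString }, echoing the messageID.
  def self.bind_response_unsupported(message_id, diag = 'authentication method not supported')
    op = tlv(0x0a, [AUTH_METHOD_NOT_SUPPORTED].pack('C')) + tlv(0x04, '') + tlv(0x04, diag)
    tlv(0x30, tlv(0x02, encode_int(message_id)) + tlv(0x61, op))
  end

  # Pull the resultCode back out of a BindResponse, which a client such as
  # ldapsearch reports as "ldap_bind: ... (7)".
  def self.bind_response_result_code(pdu)
    _, body, _ = read_tlv(pdu, 0)
    _, _, pos = read_tlv(body, 0)
    op_tag, op, _ = read_tlv(body, pos)
    raise 'not a BindResponse' unless op_tag == 0x61
    rc_tag, rc, _ = read_tlv(op, 0)
    raise 'bad resultCode' unless rc_tag == 0x0a
    decode_int(rc)
  end

  # Constructed sample: a simple bind (messageID 1, LDAP v3) for
  # cn=admin,dc=example,dc=com with password "Pass", as ldapsearch -x sends it.
  SAMPLE_SIMPLE_BIND = [
    "\x30\x2a", "\x02\x01\x01", "\x60\x25", "\x02\x01\x03",
    "\x04\x1a", 'cn=admin,dc=example,dc=com', "\x80\x04", 'Pass'
  ].join.b.freeze
end

if __FILE__ == $PROGRAM_NAME
  req = LdapCaptureDemo.parse_bind_request(LdapCaptureDemo::SAMPLE_SIMPLE_BIND)
  puts "[+] LDAP Login attempt => Username:#{req[:name]} Password:#{req[:password]}"
  resp = LdapCaptureDemo.bind_response_unsupported(req[:message_id])
  puts "reply resultCode=#{LdapCaptureDemo.bind_response_result_code(resp)} (#{resp.bytesize} bytes)"
end
```

The decoder refuses indefinite and oversized BER lengths and anything that runs past the buffer, which is the first thing to get right in a listener that untrusted clients connect to; the response builder always echoes the client's messageID, since an LDAP client discards a response whose ID does not match its outstanding request.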

Ivanti Exploit Module

Another honorable mention for this week’s Metasploit release is a module by sfewer-r7 that chains two recently disclosed vulnerabilities (CVE-2024-21893 and CVE-2024-21887) in Ivanti gateways to achieve remote code execution on a vulnerable target. Both vulnerabilities are being widely exploited in the wild. Read Rapid7’s full technical analysis of the exploit chain in AttackerKB.

New module content (4)

Authentication Capture: LDAP

Authors: JustAnda7
Type: Auxiliary
Pull request: #18678 contributed by jmartin-tech
Path: server/capture/ldap

Description: Adds a new auxiliary/server/capture/ldap module that emulates an LDAP server. The server accepts bind requests from users; the user credentials or NTLM hash are captured, logged, and persisted to the currently active database. An ldap_bind: Authentication method not supported (7) error is sent to the connecting client.

Ivanti Connect Secure Unauthenticated Remote Code Execution

Authors: sfewer-r7
Type: Exploit
Pull request: #18792 contributed by sfewer-r7
Path: linux/http/ivanti_connect_secure_rce_cve_2024_21893
AttackerKB reference: CVE-2024-21887, CVE-2023-36661, CVE-2024-21893

Description: This module exploits the recently disclosed SSRF vulnerability (CVE-2024-21893) in Ivanti Connect Secure and Ivanti Policy Secure. The SSRF is chained to a command injection vulnerability (CVE-2024-21887) to achieve unauthenticated RCE.

Kafka UI Unauthenticated Remote Command Execution via the Groovy Filter option.

Authors: BobTheShopLifter, Thingstad, and h00die-gr3y <h00die.gr3y@gmail.com>
Type: Exploit
Pull request: #18700 contributed by h00die-gr3y
Path: linux/http/kafka_ui_unauth_rce_cve_2023_52251
AttackerKB reference: CVE-2023-52251

Description: This PR adds an exploit module for a command injection vulnerability in Kafka-ui between v0.4.0 and v0.7.1 that allows an unauthenticated attacker to inject and execute arbitrary shell commands via the Groovy filter parameter in the topic section.

QNAP QTS and QuTS Hero Unauthenticated Remote Code Execution in quick.cgi

Authors: Spencer McIntyre, jheysel-r7, and sfewer-r7
Type: Exploit
Pull request: #18832 contributed by sfewer-r7
Path: linux/http/qnap_qts_rce_cve_2023_47218
AttackerKB reference: CVE-2023-47218

Description: This PR adds a module targeting CVE-2023-47218, an unauthenticated command injection vulnerability affecting QNAP QTS and QuTS Hero devices. CVE-2023-47218 was discovered and disclosed by Stephen Fewer.

Enhanced Modules (2)

Modules which have either been enhanced, or renamed:

  • #18125 from JustAnda7 - This PR adds a module to launch an LDAP service supporting capture and storage of simple authentication attempts. When launching this module with default options users must have permissions to bind to port 389.
  • #18681 from h00die - This PR updates the pre-existing apache_ofbiz_deserialization module to include functionality that will bypass authentication by using the newly discovered auth-bypass vulnerability: CVE-2023-51467.

Enhancements and features (8)

  • #18376 from JustAnda7 - This PR adds support for LDAP capture of NTLM authentication and adds a default implementation for LDAP BindRequest, SearchRequest, UnbindRequest, as well as a default action for unsupported requests.
  • #18817 from dwelch-r7 - This PR adds support for bucketing the module options printed by the options command. This applies to modules that support either an RHOST or a SESSION connection, to show that only one or the other is required when using the new session type features for SMB/MSSQL/MySQL/PostgreSQL sessions.
  • #18847 from sjanusz-r7 - This PR adds proxy support for getting a PostgreSQL session via the postgres_login module.
  • #18848 from sjanusz-r7 - This PR adds proxy support for getting a MSSQL session via the mssql_login module.
  • #18854 from sjanusz-r7 - This PR adds proxy support for getting a MySQL session via the mysql_login module.
  • #18855 from sjanusz-r7 - This PR removes the cwd convention from SQL-based sessions and instead uses a more appropriate def database_name computed value rather than a cached variable.
  • #18863 from sjanusz-r7 - This PR adds the ENVCHANGE types to the MSSQL client mixin and uses them to fetch the initial database name received from the server.
  • #18864 from cgranleese-r7 - Adds ls and dir aliases inside SMB sessions.

Bugs fixed (5)

  • #18770 from dwelch-r7 - Fixes a bug when multiple new session types (SMB, PostgreSQL, MSSQL, MySQL) were enabled with the features set postgresql_session_type true command.
  • #18842 from upsidedwn - Updates the Metasploit Dockerfile to correctly honor user provided bundler config arguments.
  • #18850 from adfoster-r7 - Fixes a failing LDAP server test.
  • #18861 from cgranleese-r7 - Removes SessionType values from modules with OptionalSession mixin.
  • #18871 from adfoster-r7 - Fixes a crash when using the web console.

Documentation added (1)

  • #18857 from jlownie - Updates the Wiki documentation on running the Metasploit database to be more clear.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro.