Thursday, January 12, 2012

Metasploit Updated: Trivial Access to TFTP

The Metasploit Update is out, and it's a little smaller than you might expect. We've recently rejiggered our development-to-QA-to-release workflow here at Rapid7, and that means that this week, we cut the release a couple of days earlier than usual in order to ensure the workflow all makes sense and that the releases get the post-commit QA attention they deserve. The end result is that we'll have a pretty light release this week (due to the shortened development cycle), but going forward, week-to-week changes should hit about the same volume as before.

TFTP Client Library

Metasploit Framework already ships a library for emulating a TFTP server, used mostly for setting up a rogue PXE server. PXE (pre-boot execution environment) is used to deliver operating system configuration details, so by running your own, you can pre-compromise unwary PXE clients. While that's pretty awesome in and of itself, I was kind of amazed to find no reasonable client-side implementation. What if a pen-tester lucks into finding a PXE server that has write access enabled? With the help of community contributor K. Reid Wightman, Metasploit features a new TFTP client library. With this, a penetration tester can now seize control of that legitimate PXE server and provide custom, pre-owned netboot images.

For usage details on the library, just take a peek at auxiliary/admin/tftp/tftp_transfer_util, which provides file upload and download functionality. Of course, you're not limited to merely squatting on PXE servers -- apparently, there are plenty of write-enabled TFTP servers floating around internal networks responsible for all sorts of interesting gear.
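As an added example (not code from the original post or from the Metasploit library), here is a small Ruby decoder for TFTP packets in the RFC 1350 layout that flags write requests (WRQ) seen on the wire and records whether the server accepted them: a server that answers a WRQ with ACK block 0 is write-enabled, which is exactly the condition the paragraph above warns about. The packet exchange is constructed inline, not captured from a real network.

```ruby
# Added example: minimal decoder for TFTP packets (RFC 1350 layout), used
# to spot write requests (WRQ) and whether the server accepted them.
OPCODES = { 1 => :rrq, 2 => :wrq, 3 => :data, 4 => :ack, 5 => :error }.freeze

# Decode one UDP payload into a hash, or nil if it is not a TFTP packet we know.
def parse_tftp(payload)
  return nil if payload.bytesize < 4
  op = OPCODES[payload.unpack1('n')]
  body = payload.byteslice(2..-1)
  case op
  when :rrq, :wrq
    filename, mode = body.split("\0", 3)   # filename NUL mode NUL
    { op: op, filename: filename, mode: mode.to_s.downcase }
  when :data
    { op: op, block: body.unpack1('n'), data: body.byteslice(2..-1) }
  when :ack
    { op: op, block: body.unpack1('n') }
  when :error
    { op: op, code: body.unpack1('n'), msg: body.byteslice(2..-1).chomp("\0") }
  end
end

# Walk [direction, payload] pairs in capture order and report each upload attempt.
# The server's first reply decides: ACK block 0 = write-enabled and accepted, ERROR = refused.
def audit_writes(packets)
  findings = []
  pending = false
  packets.each do |dir, payload|
    pkt = parse_tftp(payload) or next
    if dir == :to_server && pkt[:op] == :wrq
      findings << { filename: pkt[:filename], status: :attempted }
      pending = true
    elsif dir == :from_server && pending
      findings.last[:status] = :accepted if pkt[:op] == :ack && pkt[:block] == 0
      findings.last[:status] = :refused if pkt[:op] == :error
      pending = false
    end
  end
  findings
end

# Constructed sample exchange: one upload the server accepts, one it refuses.
SAMPLE_PACKETS = [
  [:to_server,   [2].pack('n') + "pxelinux.0\0octet\0"],
  [:from_server, [4, 0].pack('nn')],
  [:to_server,   [2].pack('n') + "default.cfg\0octet\0"],
  [:from_server, [5, 2].pack('nn') + "Access violation\0"]
].freeze
audit_writes(SAMPLE_PACKETS).each { |f| puts "WRQ #{f[:filename]}: #{f[:status]}" }
```

Pointing the same logic at UDP/69 traffic toward your PXE or network-gear TFTP servers turns "write-enabled" from a guess into an observed fact.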

Firewall Fingerprinting

Another module of note is Patrick Webster's community submission, the auxiliary/gather/checkpoint_hostname module. This module takes advantage of an information leak present on current versions of CheckPoint's Firewall-1 product, disclosing not only the firewall's hostname, but the hostname of the associated SmartCenter management host. Not only is positively fingerprinting a client's firewall vendor pretty useful for the penetration tester, but getting the management console's hostname for free is an added bonus that can help the pen-tester concentrate efforts on a high-value target.

Perhaps the most noteworthy aspect of this module is that it's apparently 0-day. At first, it looked like a repackage of the 2001 vulnerability described by SecuriTeam, but Patrick insists that it's a) different and b) recent. So, you're not going to find a proper advisory or CVE number or anything for this.

New Modules

The other two modules of note in this release are auxiliary/admin/edirectory/edirectory_edirutil, which leverages the vulnerability described in CVE-2008-0926 to gain unauthorized access to logs and the ability to start and stop services on Novell's eDirectory server, and post/windows/gather/credentials/razorsql, which is a post-exploitation module that makes quick work of saved database administrator credentials on a compromised workstation.


For those of you who rely on the msfupdate command to track Framework development, you already have these sitting in your local checkout. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new Framework hotness today when you check for updates through the Software Updates menu under Administration.

For more details on what's changed and what's current, please see Jonathan Cran's most excellent release notes.