Rapid7 has released Metasploit Framework 6.3, adding native authentication, incorporating new modules for attacks and simplifying complex workflows.
The company’s latest release provides native support for Kerberos authentication, which is a protocol commonly used to verify the identity of a user or host in Windows environments.
Kerberos support is built into most operating systems. However, the capability is most well known as the authentication protocol used in Active Directory implementations.
Thousands of organisations rely on these implementations to define user groups and permissions and to control access to network resources.
Attackers have also targeted Kerberos and Active Directory, with both capabilities featuring heavily in threat actor and pen tester playbooks.
These actors have also published a range of novel attack techniques detailing how to target Active Directory Certificate Services (AD CS), a popular tool that gives administrators the means to deploy public key infrastructure and to issue and manage public key certificates.
Adversaries and red teams have abused AD CS to gain new opportunities to escalate privileges, move laterally, and establish persistence within Windows environments.
Robust support for Active Directory and Kerberos-based attack techniques is now crucial for allowing pen testers and security researchers to demonstrate risks to clients and the public.
In response, Rapid7 has created new modules to carry out a wide range of Active Directory attacks and to make these workflows easier to understand, allowing for faster and more valuable security testing.
The company notes that while a range of tools is available for conducting these offensive security operations, they often either require operators to manage their own tickets and environment variables or are too narrowly scoped to support end-to-end attack workflows, and sometimes both.
This results in many operators having to use multiple purpose-built tools to achieve specific pieces of their playbooks and then having to manually track ticket information to pursue broader objectives.
Metasploit Framework 6.3 gives users the ability to authenticate themselves on multiple services through Kerberos and build attack chains with new modules that request, forge and convert tickets between formats for use in other tools, streamlining Kerberos and Active Directory attack workflows.
Tickets are also cached and stored in the Metasploit database as loot, so it is no longer necessary to manually manage environment variables.
Further, users expect Metasploit attack workflows to support pivoting over sessions out of the box, which the new capability provides.
Metasploit Framework 6.3’s key highlights include:
- Native Kerberos authentication over HTTP, LDAP, MSSQL, SMB, and WinRM
- The ability to request Ticket-Granting Tickets (TGT) and Ticket-Granting Service (TGS) tickets given a password, NT hash, or encryption key. Users can also request tickets through PKINIT with certificates issued from AD CS
- Kerberos ticket inspection and debugging via the auxiliary/admin/kerberos/inspect_ticket module and the auxiliary/admin/kerberos/keytab module, which can generate keytab files that allow decryption of Kerberos network traffic in Wireshark
- Fully automated privilege escalation via Certifried (CVE-2022-26923)