Metasploit Framework 6.0 is in progress!

Metasploit 6.0 adds a number of features and promotes a theme of being “secure by default”.

See the release initial announcement here.

Payload Improvements

Quite a few payload improvements have been made, most but not all have been for the Meterpreter payload and it’s various implementations. Among other things, it was updated to support AES encryption in CBC mode in all implementations on all transports. This helps to secure framework users data in transit. Now any files transferred, commands issued, etc. are encrypted on the network using a AES and a key negotiated via RSA.

This helps remove static strings from network traffic, but it’s not the only change targeting obfuscation. Each of the Meterpreter commands were replaced with an integer equivalent, thus removing conspicuous values such as stdapi_fs_file_copy, core_migrate and mimikatz_custom_command. Additionally, the payload binaries were updated to utilize functions by ordinal value rather than by name. This allows them to be called without disclosing their own conspicuous values such as RefletiveLoader, ext_server_, etc. Lastly, the static “Block API” used by almost all x86 and x64 Windows shellcode payloads was updated to be polymorphic, causing it to be randomized on each invocation. In some payloads, the Block API accounts for as much as half of the shellcode and was an easy target for signature-based detection.

All of these changes mark strides towards complicating the identification of key artifacts generated by Metasploit via static analysis, ie. signatures.

Compatibility Changes

Metasploit 6 drops Meterpreter support for Windows versions older than XP SP2. This service pack adds a number of API methods that are required by Meterpreter and backporting compatibility is not a priority at this time. The Meterpreter stage will fail to load on these older, unsupported versions. This results in a message saying that the session was closed.

SMB 3

Metasploit 6 adds support for SMB client connections using the version 3 dialects. This adds compatibility for a large pool of modules to work in environments where SMB version 1 and 2 have been disabled. Additionally, one of the most notable improvements of the version 3 dialects is encryption support, which when negotiated allows the framework to secure it’s connections to compatible SMB servers. SMB version 3, which was added in Windows 8 and Server 2012 incorporates a few security improvements leading to many organizations migrating towards its exclusive use within their environments.

While many modules were updated to use the RubySMB SMB 3 implementation, not all were updated. Notably many older exploits that pre-date the release of SMB 3 were not updated and continue to use the original Rex implementation of the protocol. For those modules that have been updated however, users will be able to use them without any changes to their work flow. By default the newest dialect will be negotiated with the remote server and if it is one of the dialects within version 3 that supports encryption, the framework will use encryption by default. Users can alter this behavior by setting the SMB::AlwaysEncrypt and SMB::ProtocolVersion options. SMB::AlwaysEncrypt enforces encryption for SMB 3 connections even when the server does not require it (defaults to: true) while SMB::ProtocolVersion is a comma separated list of versions to allow the framework to negotiate (default: 1,2,3).

Module authors looking to write SMB modules should note the move towards the RubySMB protocol stack instead of the legacy Rex implementation. Much of the functionality is standardized within the mixins however some edge-case functionality must still be ported over to RubySMB. For information on writing modules target SMB for Metasploit, see Guidelines for Writing Modules with SMB.

Pull Requests

A complete list of pull requests included as part of the initial version 6 work:

• Payload Improvements
  • Add AES TLV encryption support: Java, Python
    • Support AES-128-CBC as an additional option: Framework Core, Java
    • Change from PEM to DER for crypt TLV negotiation: Windows, Java, PHP, Framework Core, mettle, Python
  • Remove DLL exports from Meterpreter: Windows Framework Core, ReflectiveDLLInjection
  • Replace METHOD string with COMMAND_ID integer (to remove obvious strings): Framework Core, Windows, Java, PHP, Python
  • Cross-compile Windows binaries on Linux
    • Various changes required for cross compilation
    • Update readme for cross compilation
  • Remove the old Mimikatz extension: Windows, Framework Core
  • Polymorphic x86/x64 Block API
• Add SMBv3 support: ruby_smb, Framework Core
  • Fixes and improvements from MSF code review
  • Store server system and start time values
• Add a command target to the PSexec module

Get Metasploit 6.0

You can get Metasploit 6.0 by checking out the 6.0.0 tag in the Metasploit GitHub project.

Need a primer on Framework architecture and usage? Take a look at our wiki here, and feel free to reach out to the broader community on Slack. There are also myriad public and user-generated resources on Metasploit tips, tricks, and content, so if you can’t find something you want in our wiki, ask Google or the community what they recommend.

See all the ways to stay informed and get involved at https://metasploit.com.