Last updated at Fri, 14 Mar 2025 19:52:46 GMT

New module content (3)

Get NAA Credentials

Authors: skelsec, smashery, and xpn
Type: Auxiliary
Pull request: #19712 contributed by smashery
Path: admin/sccm/get_naa_credentials

Description: Adds an auxiliary module that retrieves Network Access Account (NAA) credentials from a System Center Configuration Manager (SCCM) server. Given a computer account name and password (which a standard AD domain user can typically create), a misconfigured SCCM server will hand out the NAA credentials when they are requested.

SonicWall HTTP Login Scanner

Author: msutovsky-r7
Type: Auxiliary
Pull request: #19935 contributed by msutovsky-r7
Path: scanner/sonicwall/login_scanner

Description: This adds a module to brute-force the login credentials of the SonicWall NSv HTTP login.

D-Tale RCE

Authors: Takahiro Yokoyama and taiphung217
Type: Exploit
Pull request: #19899 contributed by Takahiro-Yoko
Path: linux/http/dtale_rce_cve_2025_0655
AttackerKB reference: CVE-2025-0655

Description: This module exploits a bypass (CVE-2025-0655) for an older vulnerability (CVE-2024-3408), leading to remote code execution (RCE) in D-Tale, a visualizer for pandas data structures.

Enhancements and features (7)

  • #19639 from zeroSteiner - Adds support for the check method in relay modules and updates the two relay modules present in Metasploit Framework. In the case of smb_relay, the check verifies that the target has SMB signing disabled. In the case of ESC8, it verifies that the target URI responds with a 401 and offers NTLM as an authentication mechanism.
  • #19682 from h00die - Adds additional tests for Linux post functionality along with additional comments for better understanding; adds a new library for working with Linux packages.
  • #19879 from zeroSteiner - This updates the existing MsDtypSecurityDescriptor class to include a #to_sddl_text method. This allows an initialized object to be displayed using the Security Descriptor Definition Language (SDDL) defined by Microsoft.
  • #19917 from zeroSteiner - This adds crypto primitives for AES key derivation (NIST SP 800-108) and AES key unwrapping (NIST SP 800-38F), replacing RubySMB's implementation, which does not support all of the parameters.
  • #19918 from msutovsky-r7 - Extracts a reusable Rex::Proto::Http::AuthDigest library for use within modules.
  • #19927 from bcoles - This improves support for several Linux distros in the library function get_sysinfo in Msf::Post::Linux::System.
  • #19933 from zeroSteiner - Updates the auxiliary/scanner/ldap/ldap_login module with a new CreateSession option, which controls whether an interactive LDAP session is opened. This functionality was previously behind a feature flag but is now enabled by default.
  • #19946 from zeroSteiner - Adds a warning to help users who are performing relay attacks. It notes that the attack won't work when relaying SMB to SMB on the same host if the MS08-068 patch has been applied.

Bugs fixed (5)

  • #19745 from smashery - This adds an escape_args method to all command shells, which selects the appropriate OS-specific argument-escaping routine when the shell is an SSH server.
  • #19902 from zeroSteiner - This fixes the byte to int and vice versa conversion in MsAdts.
  • #19919 from jheysel-r7 - This fixes an issue in the gather/ldap_esc_vulnerable_cert_finder that would come up when checking templates for ESC13 that had missing issuance policy OIDs.
  • #19922 from cgranleese-r7 - Fixes a crash when searching by target, i.e. search targets:python.
  • #19925 from zeroSteiner - Fixes a bug that caused a module's validation logic to not always be executed.

Documentation added (2)

  • #19895 from cgranleese-r7 - Updates multiple out of date reference links within modules.
  • #19920 from jheysel-r7 - This adds documentation for creating AD CS certificate templates that are vulnerable to ESC4, ESC13, and ESC15 for testing purposes.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition, Metasploit Pro.
