Metasploit Framework 3.5.0 Release Notes

Statistics

  • Metasploit now has 613 exploit modules and 306 auxiliary modules (from 551 and 261 respectively in v3.4)
  • Metasploit is still about twice the size of the nearest Ruby application according to Ohloh.net (480K lines of Ruby)
  • Over 85 tickets were closed since the last point release and over 130 since v3.4.0

General

  • Sessions now include additional information by default. This is often the username/hostname of the remote session.
  • Dead sessions are now automatically detected and closed without requiring user interaction.
  • The msfcli interface is now a thin wrapper around msfconsole; auxiliary modules and passive exploits now work.
  • All modules now track which local user launched them (via module.owner)
  • Resolve Windows error codes into descriptive strings
  • Automatically choose a preferred "reverse" payload if none was specified
  • Warn the user if an antivirus program has corrupted the installation (EICAR canary)
  • A socks4a proxy auxiliary module is available capable of routing through a meterpreter session
  • Host names will now resolve properly on Windows with Ruby 1.9.1+
  • Improved performance and accuracy of FTP and telnet brute force scanners

Payloads

  • Java Meterpreter is now available for some Java exploits such as exploit/multi/browser/java_trusted_chain
  • A race condition in concurrent incoming session handling has been fixed
  • The reverse_https stager is more reliable through an additional wfs_delay
  • The ReverseListenerBindAddress option can be used to override LHOST as the local bind address for reverse connect payloads
  • The ReverseListenerComm option can be set to "local" to prevent the listener from binding through a Meterpreter pivot
  • Bug fixes for proper socket cleanup in exploit and auxiliary modules, even after exceptions are thrown
  • Allow the IPv6 Bind stagers to work over Teredo tunnels

Plugins

  • Lab plugin added to manage target VMs
  • Support for managing Nessus scans from the console via Zate Berg's plugin

Meterpreter Scripts

  • All scripts now run in the context of an anonymous class, with access to shared methods
  • A script has been added by scriptjunkie for automatically exploiting weak service permissions
  • Tab completion for the "run" command now looks in ~/.msf3/scripts/meterpreter/
  • All credential-related tools (credcollect, hashdump, etc) now use the new creds database table

Meterpreter Core

  • Only a single SSL certificate is generated for all Meterpreter sessions per instance of Metasploit
  • The AutoSystemInfo option can be disabled if username, hostname, and admin status should not be automatically obtained
  • RAILGUN has been merged into the STDAPI extension and x64 support has been added
  • Better support for slow/laggy connections through extended timeouts
  • Automatically close file, registry, process, thread, and event handles through finalizers
  • Search for files (using the Windows index where available)

Database

  • A new db_export command has been added that produces db_import compatible XML snapshots of a given workspace
  • Web site and web application data are now stored in the web_sites, web_pages, web_forms, and web_vulns tables
  • Import of both NeXpose Raw XML and NeXpose Simple XML has been improved
  • Import support has been added for Retina and NetSparker XML
  • The Nessusv2 XML format now uses an improved SAX-based parser
  • The connection pool size has been reduced to match PostgreSQL defaults
  • Cracked credentials now have their own database table (creds) instead of being a subclass of notes
  • New exploited_hosts table added to streamline bookkeeping of successful session generation
  • db_import is more robust in the face of badly-formatted data
  • report_note and report_vuln now automatically create associated hosts and services in the database if absent

GUI

  • A new Java GUI has been created to replace the GTK interface, which relied on unmaintained and buggy libraries
  • The new GUI uses the XMLRPC interface to control Metasploit
  • It supports launching modules, viewing running jobs and sessions, and interacting with sessions
  • It can generate, encode, and save payloads with the features of msfencode
  • It integrates support for most Meterpreter scripts
  • It provides support for handling plugins
  • It supports database connection, and allows viewing the database as well as limited interaction with the database

Deprecated

  • The msfweb interface is no longer included. This interface was marked as unsupported 12 months ago and no suitable replacements were found.
  • The GTK interface is no longer included and has been replaced by scriptjunkie's Java GUI that uses the XMLRPC protocol.
  • The sqlite3 backend is no longer supported and may be removed entirely in an upcoming point release. Use PostgreSQL or MySQL instead.
  • The VNC stage for the old DLL injection stager (patchup) has been removed due to compatibility issues
  • The filetype-specific db_import_* commands are deprecated; users should use just "db_import"

Known issues

Please see the 3.4.0 Release Notes and 3.4.1 Release Notes for a list of all changes since version 3.4

The latest version of Metasploit can be downloaded from the Metasploit web site