Metasploit Wrap-Up 03/27/2026

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-03-27-2026
• Blog Title: Metasploit Wrap-Up 03/27/2026
• Suggested Section: HackTricks Main → Network Services Pentesting (SMB/NTLM Relay notes) and/or Pentesting Web (WebSocket/JSON-RPC unauth RCE pattern); also consider Generic Hacking → Archive/Attachment processing command injection (TAR filename -> shell injection)

🎯 Content Summary

Post: Rapid7 “Metasploit Wrap-Up 03/27/2026” (published and last updated Mar 27, 2026).

This wrap-up covers (1) a key behavior change in Metasploit’s SMB NTLM relay server to improve real-world client compatibility, (2) three new Metasploit modules (one auxiliary and two exploit modules, including multiple unauthenticated RCEs), plus (3) one enhancement and (4) five bug fixes with concrete command-line examples.

---

1) Better SMB NTLM relaying functionality (Metasplo...

🔧 Technical Details

NTLM relay reliability can hinge on SMB client handling of server-side errors like STATUS_NETWORK_SESSION_EXPIRED. To broaden compatibility, a relay implementation can switch to immediate forwarding of Net-NTLM messages when only a single relay target is configured (avoiding client retry semantics), while enabling multi-target relay by ensuring the SMB client behaves like Windows net use (as implemented via RubySMB updates).

Unauthenticated device-command injection against ESC/POS-capable network printers can be achieved by sending crafted ESC/POS sequences over the printer’s network interface, allowing an attacker to inject arbitrary printer control/print commands (impacting output integrity and potentially availability).

Unauthenticated RCE can arise when a management/control service exposes a WebSocket endpoint that accepts JSON-RPC calls and includes command-execution methods without enforcing authentication; e...

🤖 Agent Actions

I’m mapping the repo first and then reading candidate pages for the three technique areas from the blog. After that I’ll decide whether anything is actually missing and only then patch a single file.
I have the likely landing zones. Next I’m reading the existing NTLM relay, WebSocket, and command-injection pages in detail to see whether the blog adds anything beyond what HackTricks already documents.
I’ve read the main relay, WebSocket, SMTP, archive, and printer-adjacent pages. The current gap looks narrower than the blog summary suggests, so I’m now checking whether the WebSocket JSON-RPC and tar-metadata-to-shell patterns are already covered elsewhere before I touch anything.
The repository already covers the WebSocket/JSON-RPC-to-RCE pattern and generic shell metacharacter command injection. The one clearly missing, technically specific addition from this post is the SMB relay client-behavior nuance in Metasploit’s relay server, so I’m narrowing to the NTLM relay page unless a final pass shows it’s already there.
I’ve finished the comparison and I’m editing a single file: the NTLM relay methodology page. The patch will add the missing Metasploit relay-server client-compatibility details and update the references section with the Rapid7 source.
Updated spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md with a new NTLM relay subsection covering Metasploit SMB relay client compatibility: why multi-target relay depends on STATUS_NETWORK_SESSION_EXPIRED handling, why single-target relay improves compatibility by forwarding Net-NTLM immediately, and why RubySMB behaving like Windows net use matters operationally. I also added the Rapid7 wrap-up URL to the file’s ## References.

I did not update the WebSocket or command-injection pages because those techniques were already abstracted in HackTricks: the repo already documents JSON-RPC/WebSocket RCE chaining in websocket-attacks.md and generic shell metacharacter injection in command-injection.md. No tests were needed beyond verifying the edited markdown and diff.

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-03-27-2026

Content Categories: Based on the analysis, this content was categorized under "HackTricks Main → Network Services Pentesting (SMB/NTLM Relay notes) and/or Pentesting Web (WebSocket/JSON-RPC unauth RCE pattern); also consider Generic Hacking → Archive/Attachment processing command injection (TAR filename -> shell injection)".

Repository Maintenance:

• MD Files Formatting: 963 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0