Metasploit Basic

SecurityTube
Metasploit Framework Expert Part 1

Exploita:on Basics
Vivek Ramachandran
Founder, SecurityTube
hCp://www.securitytube.net
©SecurityTube.net
SecurityTube Metasploit Framework Expert
(SMFE)
hCp://www.securitytube.net/smfe
Vivek Ramachandran
Course Instructor
©SecurityTube.net
SecurityTube Cer:fica:ons
Students from over 25 countries around the world!
©SecurityTube.net
SecurityTube Vision
To provide quality yet free infosec educa8on to

one and all.

The SMFE course material is made available en:rely FREE to the
community. Please feel free to download and distribute the
videos as you please.
©SecurityTube.net
Demo of RPC DCOM
• Lab Setup:
Windows XP Backtrack

Vulnerable to
RPC DCOM (MS03_026)
and Netapi (MS08_067)
©SecurityTube.net
Understanding Basic Terms
• Vulnerability – a weakness which allows an

aCacker to break into / compromise a
system’s security
• Exploit – code which allows an aCacker to

take advantage of a vulnerable system
• Payload – actual code which runs on the

system aèr exploita:on
©SecurityTube.net
How does Exploita:on work?
1. Vulnerability
2. Exploit
3. Payload
©SecurityTube.net
On a more serious note …
Payload Runs Next if Exploit Succeeds
Exploit Runs First
Exploit + Payload
Data Download,

Malware, Rootkit
etc.
Vulnerable ACacker
computer
©SecurityTube.net
Typical Process of a Compromise
• Scan IP address to get ports and services

running on them
• Iden:fy a vulnerable service, find a public /

private exploit
• Launch exploit, compromise, post-‐exploita:on

plan
©SecurityTube.net
Scan for Ports and Services
• Find machine using tools like Nmap
• Use Port scanners to find remote services
• Do a service scan to iden:fy service and even

version at :mes
©SecurityTube.net
Finding Open Ports
©SecurityTube.net
Service Fingerprin:ng
©SecurityTube.net
Finding a Vulnerability
©SecurityTube.net
Technical Details
The image cannot be displayed. Your computer may not have enough memory to open the image, or the image may have been corrupted. Restart your computer, and then open the file again. If the red x still appears, you may have to delete the image and then insert it again.
©SecurityTube.net
Any Hackers out there?
©SecurityTube.net
Running RPC DCOM Exploit
©SecurityTube.net
Uh-‐Oh?
©SecurityTube.net
Example – RPC DCOM
• Vulnerability
– hCp://www.microso`.com/technet/security/
Bulle:n/MS03-‐026.mspx
• Exploit and Payload

– hCp://downloads.securityfocus.com/
vulnerabili:es/exploits/dcom.c
©SecurityTube.net
Challenges in using individual Exploits
• Dozens of Exploits available

– Manage, update, customize – nightmare
• To customize payload, rewrite may be required of the

exploit program
– Time consuming, high skill required
• Tes:ng and exploit research is tedious without a

framework
– End up re-‐inven:ng the wheel
Enter Metasploit!
©SecurityTube.net
(SMFE)
Vivek Ramachandran
Course Instructor
©SecurityTube.net
End of SecurityTube Metasploit Framework Expert Part 1
Exploita:on Basics
Vivek Ramachandran
©SecurityTube.net
SecurityTube Metasploit Framework Expert Part 2
Why Metasploit?
Vivek Ramachandran
©SecurityTube.net
(SMFE)
Vivek Ramachandran
Course Instructor
©SecurityTube.net
©SecurityTube.net
SecurityTube Vision
To provide quality yet free

infosec educa8on to one and
all

©SecurityTube.net
Lesson Lab Setup

Vulnerable to
RPC DCOM (MS03_026)
©SecurityTube.net
Challenges in using individual Exploits
• Dozens of Exploits available

– Manage, update, customize – nightmare
• To customize payload, rewrite may be required of the

exploit program
– Time consuming, high skill required
• Tes:ng and exploit research is tedious without a

framework
– End up re-‐inven:ng the wheel
Enter Metasploit!
©SecurityTube.net
Metasploit Framework
• Tool for development and tes:ng of
vulnerabili:es
• Can be used for:

– Penetra:on tes:ng
– Exploit research
– Developing IDS signatures
• Started by H.D Moore in 2003
• Acquired by Rapid7
• Remains open source and free for use
• WriCen in Ruby
©SecurityTube.net
Metasploit for Pentes:ng!
• Over 770+ tested exploits!

• Over 228 payloads and 27 encoders!
• Metasploit offers “plug and play” of payloads

with exploits
– This alone is a huge advantage
• Tons of other features for beCer and faster

pentests
– Will be covered in later videos
©SecurityTube.net
Demo of Portscan with Metasploit
©SecurityTube.net
Demo of RPC DCOM using Metasploit
©SecurityTube.net
Semng the Payload
©SecurityTube.net
Exploit!
©SecurityTube.net
Using More Exploits -‐ Netapi
©SecurityTube.net
Same Exploit Different Payload
• Using different payloads with RPC DCOM

– windows/shell/bind_tcp
– windows/adduser
– windows/exec
– …
• Power of the framework
©SecurityTube.net
Demo – Metasploit Add User
©SecurityTube.net
Limita:ons of using specific Payloads
• Individual payloads can only do single tasks
– Adduser
– Bind shell to port
– …

• Most exploits include a remote shell (command
interpreter) crea:ng payload
• Disadvantages:
– Crea:on of new process may trigger alarm
– For chrooted apps, even execu:on of command interpreter may
not be possible
– Limited by commands the shell can run
©SecurityTube.net
What we need is …
• A payload which:
– Avoid crea:on of a new process
– Should run in the exploited process’ context
– Should not create a new file on disk (an:-‐AV)
– Creates a “planorm” which allows import more
func:onality remotely (“extending”)
– Allows for wri:ng scripts which can leverage this
planorm
Enter the Meterpreter!

©SecurityTube.net
(SMFE)
Vivek Ramachandran
Course Instructor
©SecurityTube.net
Why Metasploit?
Vivek Ramachandran
©SecurityTube.net
Meterpreter Basics
Vivek Ramachandran
©SecurityTube.net
(SMFE)
Vivek Ramachandran
Course Instructor
©SecurityTube.net
©SecurityTube.net
SecurityTube Vision

all

©SecurityTube.net
Lesson Lab Setup

Vulnerable to
RPC DCOM (MS03_026)
©SecurityTube.net
What we need is …
• A payload which:
– Avoid crea:on of a new process
– Should run in the exploited process’ context
– Should not create a new file on disk (an:-‐AV)
– Creates a “planorm” which allows import more
func:onality remotely (“extending”)
– Allows for wri:ng scripts which can leverage this
planorm
Enter the Meterpreter!

©SecurityTube.net
Meterpreter Basics
• Meta-‐Interpreter
• Post exploita:on tool
• Works by using in memory DLL injec:on and
na:ve shared object format
– hCp://www.securitytube.net/DLL-‐Injec:on-‐Basics-‐
video.aspx Prasanna K
• Does not create any files on disk
• Uses encrypted communica:on
• Provides a planorm to write extensions
• Stable, flexible and extensible
©SecurityTube.net
Meterpreter
• Resembles a command interpreter
• Ships with default set of core commands
• Can be extended at run:me by shipping DLLs to the
vic:ms
• large list of things you can do with the Meterperter:
– Command execu:on
– In-‐memory process migra:on
– Registry read/write
– File system access
– Pivo:ng
– …
endless possibili:es using custom extensions
©SecurityTube.net
How does it all it work?
Exploit + 1st Stage Payload
Payload Connects back to MSF
2nd Stage DLL Injection Payload Sent
MSF Sends Meterpreter Server DLL
Client and Server Communicate
©SecurityTube.net
Source: nymissa.org/wp-‐content/uploads/2008/03/msf_no_speaker_notes.ppt
Communica:on between Meterpreter
Client – Server
• Communica:on is Encrypted
• In the form of TLVs (Type-‐Length-‐Value)
• Mul:ple channels of communica:on can use
the same client-‐server connec:on
– TLV allows for tagging of data with channel
numbers
– Allows for mul:ple programs running on the
vic:m to communicate at the same :me
– Demo of channels
©SecurityTube.net
Demo

Vulnerable to
RPC DCOM (MS03_026)
©SecurityTube.net
(SMFE)
Vivek Ramachandran
Course Instructor
©SecurityTube.net
Why Metasploit?
Vivek Ramachandran
©SecurityTube.net
Framework Organiza:on
Vivek Ramachandran
©SecurityTube.net
(SMFE)
Vivek Ramachandran
Course Instructor
©SecurityTube.net
Students from over 30+ countries around the world!
©SecurityTube.net
SecurityTube Vision

all

©SecurityTube.net
Accessing Metasploit
Msfgui Msfweb Msfcli
Msfd
Msfconsole
Armitage
Interfaces to work with Metasploit

©SecurityTube.net
Metasploit Basics
• Modular
Architecture

• Modules
– Exploits
– Auxiliary
– Payload
– Encoder
Source: Metasploit Unleashed
– Nops
©SecurityTube.net
Msfconsole Basics
• Interac:ve console for Metasploit

• Has tab comple:on
• External commands can be executed
• Best among available interfaces to get most out of Metasploit
©SecurityTube.net
Exploring the Metasploit Directory
• Important directories include:

– Modules
– Scripts
– Plugins
– External
– Data
– Tools
©SecurityTube.net
Exploit Modules
• Exploits are organized by OS, then service

• Files are ruby scripts containing exploit code
©SecurityTube.net
Auxiliary Modules
• Auxiliary modules are used for a variety of tasks

like port scanning, sniffing, service scanners etc.
©SecurityTube.net
Payload Modules
• 3 types – singles, stagers, stages

• Planorm (OS) specific
©SecurityTube.net
Payloads In-‐depth
• Singles
– Self-‐contained payloads which do a specific task e.g. create user, bind a shell
– E.g. windows/adduser
• Stagers
– Required as Singles cannot deliver arbitrarily large payload at one shot
depending on exploit
– Creates a network connec:on between aCacker and vic:m
– This is used to download Stages payloads
– E.g. windows/shell/bind_tcp (Bind TCP Stager)
• Stages
– Downloaded by the Stagers and executed
– Typically do complex tasks like VNC, Meterpreter etc.
– E.g. windows/shell/bind_tcp (Windows Command Shell)
©SecurityTube.net
Framework Organiza:on
Vivek Ramachandran
©SecurityTube.net
Post Exploita:on Kung-‐Fu
Vivek Ramachandran
©SecurityTube.net
(SMFE)
Vivek Ramachandran
Course Instructor
©SecurityTube.net
©SecurityTube.net
SecurityTube Vision

all

©SecurityTube.net
Phases of Post-‐Exploita:on
1 Understanding the Vic:m beCer

2 Privilege Escala:on

3 Dele:ng Logs and Killing Monitoring so`ware

4 Collec:ng Data, Execu:ng programs etc. on the Vic:m

5 Backdoors and Rootkits

6 Using vic:m as a Pivot to hack deeper into the network
©SecurityTube.net
Understanding the Vic:m BeCer
• Who did we break in as?

• Is the current user ac:vely working?
• Are we running in a VM? Environment details?
• What processes are running? AV?
• Network topology?
• Programs most frequently run?
• Enumera:ng details – users, groups, registry
etc.
©SecurityTube.net
(SMFE)
Vivek Ramachandran
Course Instructor
©SecurityTube.net
Post Exploita:on Kung-‐Fu
Vivek Ramachandran
©SecurityTube.net
Post Exploita:on Privilege Escala:on
Vivek Ramachandran
©SecurityTube.net
(SMFE)
Vivek Ramachandran
Course Instructor
©SecurityTube.net
©SecurityTube.net
SecurityTube Vision

all

©SecurityTube.net





©SecurityTube.net
Privilege Escala:on
• Broken in as less privileged user

• Elevate privileges to SYSTEM or ADMIN group
• Typically done by:
– Using local privilege escala:on exploits
• getsystem
©SecurityTube.net
(SMFE)
Vivek Ramachandran
Course Instructor
©SecurityTube.net
Post Exploita:on Privilege Escala:on
Vivek Ramachandran
©SecurityTube.net
Post Exploita:on – Kill AV and Firewall
Vivek Ramachandran
©SecurityTube.net
(SMFE)
Vivek Ramachandran
Course Instructor
©SecurityTube.net
©SecurityTube.net
SecurityTube Vision

all

©SecurityTube.net





©SecurityTube.net
Log Dele:on and AV Killing
• Ensuring you go undetected is very important

• Kill all monitoring so`ware
– AV
– Firewall
– HIDS
• Meterpreter scripts might now work as desired
– killav
• Clean all Logs
– Event, Applica:on, Security
©SecurityTube.net
(SMFE)
Vivek Ramachandran
Course Instructor
©SecurityTube.net
Post Exploita:on – Kill AV and Firewall
Vivek Ramachandran
©SecurityTube.net
Post Exploita:on – Stdapi and Priv Extensions
Vivek Ramachandran
©SecurityTube.net
(SMFE)
Vivek Ramachandran
Course Instructor
©SecurityTube.net
©SecurityTube.net
SecurityTube Vision

all

©SecurityTube.net





©SecurityTube.net
Collec:ng Data and Running Programs on
Vic:m
• Search for a file
– .doc, .ppt
• Download files
• Download registry
• Download applica:on data
– Outlook pst
– Browser passwords/sessions
– Other so`ware data … vmware, puCy etc.
©SecurityTube.net
Running programs on the remote
computer
• Running programs already available
• Upload programs and run

– Upload from aCacker machine
– Download from the web
• Start / stop services on the vic:m
©SecurityTube.net
Understanding Windows Desktops
• Session 0 typically represents the console
– Others represent remote desktop sessions
• Window sta:on is an object containing a

group of desktop objects among other
things
• WinSta0 is the only interac:ve window

sta:on in every session
– Allows interac:on with user
– Default interacts with logged in user
– Winlogon while user is logging on
• Each WinSta0 desktop has its own

keyboard buffer
– Sniffing logon passwords
©SecurityTube.net
Stdapi commands for desktop
• Enumdesktops
• Getdesktop
• Setdesktop
©SecurityTube.net
Priv commands
• Usernames and Password hashes are stored in the SAM file
– Hashdump
– Crack using Ophcrack and other tools
• Changing file :mestamps

– MACE – Modified-‐Accessed-‐Created-‐Entry Modified
– Timestomp
• Gemng System
– Getsystem
– Tokens and impersona:on
©SecurityTube.net
(SMFE)
Vivek Ramachandran
Course Instructor
©SecurityTube.net
Post Exploita:on – Meterpreter Extensions
Vivek Ramachandran
©SecurityTube.net
Post Exploita:on – Token Stealing and Incognito
Vivek Ramachandran
©SecurityTube.net
(SMFE)
Vivek Ramachandran
Course Instructor
©SecurityTube.net
©SecurityTube.net
SecurityTube Vision

all

©SecurityTube.net





©SecurityTube.net
Incognito Extension
• Very powerful extension

• Can steal windows tokens of other users
• Can impersonate them
We will need to understand Windows Security

model, tokens and impersona:on
©SecurityTube.net
Windows Security
• Every user on a windows system is iden:fied by a unique Security Iden8fier (SID)
• SID is of the form:

S-‐Revision Level – iden:fied Authority Value – domain or local ID – Rela:ve ID

e.g. S-‐1-‐5-‐21-‐3623811015-‐3361044348-‐30300820-‐1013
©SecurityTube.net
Understanding Tokens
• SID
• Groups
User Primary Token • Privileges
Process • Other info…
Thread 1 Thread 2 Thread 3
Required Privileges
Primary Token Primary Token Primary Token

Access resource or
opera:on
©SecurityTube.net
Impersona:on Tokens
user1
user2 • SID
user3 • Groups
FTP Server Primary Token • Privileges
Process • Other info…
Thread 1 Thread 2 Thread 3
Primary Token Primary Token Primary Token
Impersona:on Impersona:on Impersona:on

Token for User 1 Token for User 2 Token for User 3
User 1 User 2 User 3

©SecurityTube.net
Different Levels of Impersona:on Tokens
• Impersona:on – lemng server act on behalf of

the client but only on the local machine
– Created on non-‐interac:ve logins e.g. FTP
• Delega:on – impersona:on extended even to

remote systems!
– Created on Interac:ve login from console,
terminal services
©SecurityTube.net
ACacks on Impersona:on Tokens
• Local Privilege Escala:on
• Domain Privilege Escala:on
©SecurityTube.net
Local Privilege Escala:on
Impersona:on
Thread 1
Token for Admin
Server
Process
• Service with low privilege allows users including admin to login using windows
creden:als
• Creates a thread for each user and impersonates him
• ACacker exploits the service
• ACacker has access to all tokens being impersonated by the service
• E.g. SQL Server where one may connect as Admin using Windows Auth
©SecurityTube.net
Domain Privilege Escala:on
Impersona:on
Thread 1 Token with
Delega:on for
Server Admin
Process
• Once hacker gets his hands on an Impersona:on token with delega:on allowed
he uses it to get access to other machines in the domain
• Impersona:on tokens with delega:on are generally created for interac:ve
sessions
• Might use the admin’s worksta:on as the star:ng point
©SecurityTube.net
(SMFE)
Vivek Ramachandran
Course Instructor
©SecurityTube.net
Post Exploita:on – Token Stealing and Incognito
Vivek Ramachandran
©SecurityTube.net
Post Exploita:on – Espia and Sniffer Extensions
Vivek Ramachandran
©SecurityTube.net
(SMFE)
Vivek Ramachandran
Course Instructor
©SecurityTube.net
©SecurityTube.net
SecurityTube Vision

all

©SecurityTube.net
Meterpreter Espia Extension
• We can take screenshots of the vic:m’s desktop

remotely
• Ensure we migrate to a process which has access to

the “Default” desktop of the interac:ve window
sta:on “WinSta0”
• Explorer.exe is a good bet
• Check using getdesktop from Stdapi to verify before

use
©SecurityTube.net
Meterpreter Sniffer Extension
• Can sniff on the remote vic:m network!

• Simple func:onality
– Select interface
– Start sniffing
– Dump file (fetches the pcap file to the aCacker)
– Stop sniffing
• Does not have support for filters L

©SecurityTube.net
Post Exploita:on – Espia and Sniffer Extensions
Vivek Ramachandran
©SecurityTube.net
Post Exploita:on – Backdoors
Vivek Ramachandran
©SecurityTube.net
(SMFE)
Vivek Ramachandran
Course Instructor
©SecurityTube.net
©SecurityTube.net
SecurityTube Vision

all

©SecurityTube.net





©SecurityTube.net
Persistence -‐ Backdoor
• Creates a persistent backdoor

• Can be configured to connect back on system boot
and/or user login
• Time can be set between connect back aCempts
• Under the hood
– Creates a vbs file on the vic:m and executes it
– Adds registry entries so it is autorun
• Can be uninstalled remotely
– But vbs file needs to be deleted manually (forensics)
– On reboot process ID changes hence the cleanup script
needs to be modified with the new PID
©SecurityTube.net
Demo
©SecurityTube.net
Metsvc -‐ Backdoors
• Backdoor which runs as a service on the vic:m

• ACacker can connect to it remotely
– No authen:ca:on required
• Can be remotely uninstalled
– Files need to be deleted manually (forensics)
• Less noisy compared to persistence
– ACacker can connect when he wants to
• Can be found using a simple portscan as bound to TCP
port
• Sugges:on
– Maybe can use a network packer trigger to create a
backdoor, instead of always being on
©SecurityTube.net
Demo
©SecurityTube.net
3rd Party Backdoors and Rootkits
• Used to do advanced opera:ons like hide

processes, files, etc.
• Can also be used to launch backdoors on
special signal
• Beyond scope in this video series
• hCp://www.rootkit.com
• Hacker defender
– hCp://www.securitytube.net/Hacker-‐Defender-‐
Rootkit-‐Usage-‐Demo-‐video.aspx
©SecurityTube.net
(SMFE)
Vivek Ramachandran
Course Instructor
©SecurityTube.net
Post Exploita:on – Backdoors
Vivek Ramachandran
©SecurityTube.net
Post Exploita:on -‐ Pivo:ng
Vivek Ramachandran
©SecurityTube.net
(SMFE)
Vivek Ramachandran
Course Instructor
©SecurityTube.net
©SecurityTube.net
SecurityTube Vision

all

©SecurityTube.net





©SecurityTube.net
Pivo:ng
Internet
Server 1
Server 2
• ACacker does not have direct access to Server2

• ACacker first breaks into Server 1 and then uses Server
1 as a staging point to break into Server 2
©SecurityTube.net
Pivo:ng ACack Demo
Server 1 Server 2
Internet
10.10.10.20
192.168.1.10
©SecurityTube.net
(SMFE)
Vivek Ramachandran
Course Instructor
©SecurityTube.net
Post Exploita:on – Port Forwarding
Vivek Ramachandran
©SecurityTube.net
(SMFE)
Vivek Ramachandran
Course Instructor
©SecurityTube.net
©SecurityTube.net
SecurityTube Vision

all

©SecurityTube.net





©SecurityTube.net
Port Forwarding
meterpreter
Internet
Server 1
Server 2
Local
Listener
• Local listen port is created on the aCacker’s machine

• All traffic to this listen port is sent to the des:na:on port
on Server 2
• Server 1 acts as a relay
©SecurityTube.net
Port Forwarding ACack Demo
meterpreter Port 80
Internet
Server 1
Server 2
Local
Listener
Port 25000
©SecurityTube.net
(SMFE)
Vivek Ramachandran
Course Instructor
©SecurityTube.net
Client Side Exploits
Vivek Ramachandran
©SecurityTube.net
(SMFE)
Vivek Ramachandran
Course Instructor
©SecurityTube.net
©SecurityTube.net
SecurityTube Vision

all

©SecurityTube.net
It’s a Client side World!
• Most enterprises have incoming connec:ons

locked down with firewalls
• Gemng increasingly difficult to find server side
service vulnerabili:es
• Client side aCacks are the new in thing J
– Browser based aCacks
– Social engineering aCacks
©SecurityTube.net
Browser Exploits
• Dozens of exploits discovered

• Browsers not always patched by the user like
the OS
• Use browser_autopwn to break into client
browsers
©SecurityTube.net
(SMFE)
Vivek Ramachandran
Course Instructor
©SecurityTube.net
Backdoor Executable
Vivek Ramachandran
©SecurityTube.net
(SMFE)
Vivek Ramachandran
Course Instructor
©SecurityTube.net
©SecurityTube.net
SecurityTube Vision

all

©SecurityTube.net
Backdoor Executable
• Package payloads into

– Dedicated executable
– Use “templates” of exis:ng executable
• Template does not run
• Template runs as well
• AV Evasion
– Encoding
– Packing and Encryp:on
©SecurityTube.net
Msfpayload Summary
©SecurityTube.net
Stand Alone Binary
©SecurityTube.net
Setup a Web Server
©SecurityTube.net
Access over the HTTP Server
©SecurityTube.net
Semng up Metasploit
©SecurityTube.net
Windows/shell/reverse_tcp
©SecurityTube.net
Receiving it
©SecurityTube.net
Executable Template
©SecurityTube.net
Packing Executables
• Process of compressing executable

• Running it unpacks the original code and
transfers control to it
• Originally used to decrease the storage
required for an executable
• Started gemng used as a way to evade AV
• Many packers available now –
– UPX, PEPack, ASPack etc.
©SecurityTube.net
(SMFE)
Vivek Ramachandran
Course Instructor
©SecurityTube.net
Exploit Research with Metasploit
Vivek Ramachandran
©SecurityTube.net
(SMFE)
Vivek Ramachandran
Course Instructor
©SecurityTube.net
©SecurityTube.net
SecurityTube Vision

all

©SecurityTube.net
Exploit Research
• Art and science of how to write exploits

• Vast in scope
– Different opera:ng systems
– Different protec:ons
– Varied techniques for exploita:on
• Metasploit is typically used in conjunc:on
with tools like Ollydbg, Immunity Dbg etc.
©SecurityTube.net
Exploit Research Megaprimer
• Will be covered in the Exploit Research

Megaprimer
– hCp://www.securitytube.net/groups?opera:on=view&groupId=7
• Part of the SMFE courseware

• Will be spun off later as an Exploit Research
course
©SecurityTube.net
SMFE Exam Inclusions
• Exploit Research is a difficult topic

• We will cover all aspects in the Megaprimer
• From an SMFE exam perspec:ve only Buffer
Overflows and SEH will be included
– No DEP and ASLR evasion
• However, you can learn all concepts in the
Megaprimer
©SecurityTube.net
Never end without a demo! J
• Simple Buffer overflow with Minishare 1.4.1

• Write remote shell exploit
• “Metasploi:fy” it by using Meterpreter as the
payload
©SecurityTube.net
(SMFE)
Vivek Ramachandran
Course Instructor
©SecurityTube.net
Railgun Basics
Vivek Ramachandran
©SecurityTube.net
(SMFE)
Vivek Ramachandran
Course Instructor
©SecurityTube.net
©SecurityTube.net
SecurityTube Vision

all

©SecurityTube.net
Meterpreter Scripts and Post Exploita:on
Modules
• Ability to run code on the remote system
• Can we load any DLL on the remote system and
run code from it?
• Enter Railgun!
hCp://dev.metasploit.com/redmine/projects/
framework/wiki/RailgunUsage
©SecurityTube.net
Railgun
• Meterpreter extension to load and run code from any

DLL present on the vic:m system
• Released by Patrick HVE in the Metasploit mailing list
• Can be used when in a post module of session

meterpreter
• Can be used interac:vely in an ac:ve meterpreter

session by going into “irb” mode
©SecurityTube.net
Using Railgun
©SecurityTube.net
Using Railgun with Func:on Arguments
client.railgun.(DLL Name).(Func:on Name)(arg1, arg2 …)

e.g. client.railgun.netapi32.NetUserDel(arg1, arg2)
©SecurityTube.net
Argument Direc:on
• IN parameters
– Memory alloca:on is managed for Data Pointers
– All others encoded in machine readable form
• OUT parameters
– Data Pointers
– Specify size of the OUT parameter in func:on call
• Railgun manages memory alloca:on
©SecurityTube.net
Accessing Return Values
• Return values from func:on calls are

encapsulated as a hash
– Return value (“return”)
– Error Code (“GetLastError”)
– Any OUT parameters of the func:on call
©SecurityTube.net
Using Railgun with Func:on Arguments
client.railgun.(DLL Name).(Func:on Name)(arg1, arg2 …)

e.g. client.railgun.netapi32.NetUserDel(arg1, arg2)
©SecurityTube.net
More Fun Stuff
• All about finding interes:ng APIs J
• One can write full program logic using

mul:ple APIs within a post exploita:on
module or via the IRB in meterpreter
©SecurityTube.net
Railgun Adding Func:ons
Vivek Ramachandran
©SecurityTube.net
(SMFE)
Vivek Ramachandran
Course Instructor
©SecurityTube.net
©SecurityTube.net
SecurityTube Vision

all

©SecurityTube.net
Too Good to be True?
©SecurityTube.net
Not All Func:ons in the DLL are Defined
• Railgun “Behind the Scene Magic” J

• Func:on needs to be defined before use

©SecurityTube.net
Adding New Func:on Defini:ons
©SecurityTube.net
Adding Func:on Defini:ons on the Fly
• Middle of pentest and need addi:onal API support

• Can be added on the fly

client.railgun.add_func:on(‘netapi32’,
‘NetUserChangePassword’, ‘DWORD’, [
[“PWCHAR”, “domainname”, “in”],
[“PWCHAR”, “username”, “in”],
[“PWCHAR”, “oldpassword”, “in”],
[“PWCHAR”, “newpassword”, “in”]
])
©SecurityTube.net
Adding Func:on Defini:ons Ahead of Time
• Check the DLL defini:on file

• /opt/framework/msf3/lib/rex/post/meterpreter/
extensions/stdapi/railgun/def

dll.add_func:on(‘netapi32’, ‘NetUserChangePassword’,
‘DWORD’, [
[“PWCHAR”, “domainname”, “in”],
[“PWCHAR”, “username”, “in”],
[“PWCHAR”, “oldpassword”, “in”],
[“PWCHAR”, “newpassword”, “in”]
])

©SecurityTube.net
(SMFE)
Vivek Ramachandran
Course Instructor
©SecurityTube.net
SecurityTube Metasploit Framework Expert Part 19a
Railgun Adding New DLLs
Vivek Ramachandran
©SecurityTube.net
(SMFE)
Vivek Ramachandran
Course Instructor
©SecurityTube.net
©SecurityTube.net
SecurityTube Vision

all

©SecurityTube.net
Finding List of Exis:ng DLLs
©SecurityTube.net
Adding DLL Defini:ons on the fly
• Use client.railgun.add_dll(DLL_NAME,
DLL_LOCATION_PATH)
• Func:ons which need to be used require to be

added as shown in the previous video
• Generally not a good idea to add on the fly
– Not available across sessions
– Cannot be cached
– Anything important should be added permanantly
©SecurityTube.net
Mpr.dll (WNetGetUser)
©SecurityTube.net
Adding Support for Mpr.dll
• Add DLL

client.railgun.add_dll("mpr", "c:\\windows\\system32\
\mpr.dll")

• Add Func:on
client.railgun.add_func:on("mpr", "WNetGetUserW",
"DWORD", [
["PWCHAR", "a", "in" ],
[ "PWCHAR", "b", "out"],
[ "PDWORD", "c", "inout" ]
])
©SecurityTube.net
Adding DLL Defini:ons Ahead of Time
• Define a new DLL

• Modify Railgun.rb to include it in the list of
BUILTIN_DLLS
©SecurityTube.net
(SMFE)
Vivek Ramachandran
Course Instructor
©SecurityTube.net
Resource Scripts
Vivek Ramachandran
©SecurityTube.net
(SMFE)
Vivek Ramachandran
Course Instructor
©SecurityTube.net
©SecurityTube.net
SecurityTube Vision

all

©SecurityTube.net
Resource Scripts
• Simple and easy way to automate tasks

• ~/.msf4/msfconsole.rc runs automa:cally
• Typical uses
– Run at startup via msfconsole
– Can be run while in msfconsole
– Can be run while in meterpreter session
©SecurityTube.net
(SMFE)
Vivek Ramachandran
Course Instructor
©SecurityTube.net
Database Support
Vivek Ramachandran
©SecurityTube.net
(SMFE)
Vivek Ramachandran
Course Instructor
©SecurityTube.net
©SecurityTube.net
SecurityTube Vision

all

©SecurityTube.net
Why Database Support?
• Penetra:on Tests typically involve 100 of

hosts
• 100’s of hosts
– Dozens of services in each
• Mul:ple vulnerabili:es
• Need for beCer organiza:on of data
©SecurityTube.net
Database Support
• Postgresql – already configured on BT

• Create Workspaces
– Logical units of informa:on
• E.g. all results from a single pentest
• E.g. all results from a single loca:on for a mul:-‐site
pentest
– Ease of important and expor:ng data
©SecurityTube.net
Hosts, Services and Vuls table
• Core tables for storing data

• You can add / delete hosts and services
• Set RHOSTS based on analysis
• Default enabled plugin is Nmap
– Look at other plugins later
©SecurityTube.net
(SMFE)
Vivek Ramachandran
Course Instructor
©SecurityTube.net
Using Plugins
Vivek Ramachandran
©SecurityTube.net
(SMFE)
Vivek Ramachandran
Course Instructor
©SecurityTube.net
©SecurityTube.net
SecurityTube Vision

all

©SecurityTube.net
Best of All Worlds!
• 3rd Party Tools out there which do a beCer job

for select tasks
– Nmap => Port and Service Fingerprin:ng
– Wmap => Web Security
– Nessus => Policy and Compliance checks
• How do you bring the best of all worlds to
Metasploit?
– Enter Plugins!
©SecurityTube.net
Plugins
• External Tool invoked from within Metasploit
• Integra:on allows to take inputs from

Metasploit and share results
• Metasploit “outsources” work J to the Plugin

and uses the Results sent by it
©SecurityTube.net
Available Plugins
• Nmap
• Nessus
• Nexpose
• Wmap
• …
©SecurityTube.net
(SMFE)
Vivek Ramachandran
Course Instructor
©SecurityTube.net
Meterpreter API Basics
Vivek Ramachandran
©SecurityTube.net
(SMFE)
Vivek Ramachandran
Course Instructor
©SecurityTube.net
©SecurityTube.net
SecurityTube Vision

all

©SecurityTube.net
Meterpreter
• Presents a planorm for wri:ng our own post

exploita:on scripts
• We can use API available or call arbitrary

func:ons using Railgun
• Unfortunately, documenta:on is preCy sparse

– Learn from the code
©SecurityTube.net
Exploring the Meterpreter Codebase
• Core Codebase
– lib/rex/
• Meterpreter Related
– lib/rex/post/meterpreter/
©SecurityTube.net
Use (client_core.rb)
©SecurityTube.net
Migrate (client_core.rb)
©SecurityTube.net
Stdapi
• Fs
– Dir, File, Filestat
• Sys
– Config, process, registry, eventlog, power
• Net
– config, socket
• Railgun
• Webcam
• Ui
©SecurityTube.net
Fs (stdapi)
• Client.fs.dir.pwd
• client.fs.dir.entries_with_info()
• …
©SecurityTube.net
Sys (stdapi)
• Client.sys.config.sysinfo
• Client.sys.config.sysinfo[“OS”]
• …
©SecurityTube.net
Net (Stdapi)
• Client.net.config.get_interfaces
• Client. onet.cnfig.get_routes
• …
©SecurityTube.net
(SMFE)
Vivek Ramachandran
Course Instructor
©SecurityTube.net
Meterpreter Scrip:ng – Migrate Clone
Vivek Ramachandran
©SecurityTube.net
(SMFE)
Vivek Ramachandran
Course Instructor
©SecurityTube.net
©SecurityTube.net
SecurityTube Vision

all

©SecurityTube.net
Meterpreter Scrip:ng
• Locate APIs
• Use template script and modify
• Eventually phase out to Post Exploita:on

Scripts
©SecurityTube.net
Cloning Migrate
• Find the “migrate” api

– Under client.core.migrate
• Take PID as input
• Migrate to PID
©SecurityTube.net
(SMFE)
Vivek Ramachandran
Course Instructor
©SecurityTube.net
Meterpreter Scrip:ng – Process Name Search
Vivek Ramachandran
©SecurityTube.net
(SMFE)
Vivek Ramachandran
Course Instructor
©SecurityTube.net
©SecurityTube.net
SecurityTube Vision

all

©SecurityTube.net
Process Name Search
• Find list of all running processes in the remote

system
– Client.sys.processes.get_processes
• Enumerate the list and search for process

name
• Print success if match occurs J
©SecurityTube.net
(SMFE)
Vivek Ramachandran
Course Instructor
©SecurityTube.net
Social Engineering Toolkit
Vivek Ramachandran
©SecurityTube.net
(SMFE)
Vivek Ramachandran
Course Instructor
©SecurityTube.net
©SecurityTube.net
SecurityTube Vision

all

©SecurityTube.net
Social Engineering Toolkit
• Focus on using social engineering to break

into machines
– Exploits human stupidity, rather than so`ware
bugs J
– WriCen by David Kennedy
– hCp://www.secmaniac.com/
• Uses Metasploit internally to break in
©SecurityTube.net
Tons of Op:ons
©SecurityTube.net
Social Engineering ACacks
©SecurityTube.net
Website ACack Vector
©SecurityTube.net

Metasploit Basic

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Metasploit Basic

Uploaded by

Copyright:

Available Formats

SecurityTube

Metasploit Framework Expert Part 1

Students from over 25 countries around the world!

To provide quality yet free infosec educa8on to

Windows XP Backtrack

• Vulnerability – a weakness which allows an

• Exploit – code which allows an aCacker to

• Payload – actual code which runs on the

Payload Runs Next if Exploit Succeeds

Exploit Runs First

• Scan IP address to get ports and services

• Iden:fy a vulnerable service, ﬁnd a public /

• Launch exploit, compromise, post-­‐exploita:on

• Find machine using tools like Nmap

• Use Port scanners to ﬁnd remote services

• Do a service scan to iden:fy service and even

• Exploit and Payload

• Dozens of Exploits available

• To customize payload, rewrite may be required of the

• Tes:ng and exploit research is tedious without a

Students from over 25 countries around the world!

To provide quality yet free

Windows XP Backtrack

• Dozens of Exploits available

• To customize payload, rewrite may be required of the

• Tes:ng and exploit research is tedious without a

• Can be used for:

• Started by H.D Moore in 2003

• Acquired by Rapid7

• Remains open source and free for use

• WriCen in Ruby

• Over 770+ tested exploits!

• Metasploit oﬀers “plug and play” of payloads

• Tons of other features for beCer and faster

• Using diﬀerent payloads with RPC DCOM

• Power of the framework

Enter the Meterpreter!

Students from over 25 countries around the world!

To provide quality yet free

Windows XP Backtrack

Enter the Meterpreter!

Exploit + 1st Stage Payload

Payload Connects back to MSF

2nd Stage DLL Injection Payload Sent

MSF Sends Meterpreter Server DLL

Client and Server Communicate

Windows XP Backtrack

Students from over 30+ countries around the world!

To provide quality yet free

Msfgui Msfweb Msfcli

Interfaces to work with Metasploit

• Interac:ve console for Metasploit

• Important directories include:

• Exploits are organized by OS, then service

• Auxiliary modules are used for a variety of tasks

• 3 types – singles, stagers, stages

Students from over 30+ countries around the world!

To provide quality yet free

1 Understanding the Vic:m beCer

• Who did we break in as?

Students from over 30+ countries around the world!

To provide quality yet free

1 Understanding the Vic:m beCer

• Broken in as less privileged user

• Launch exploit, compromise, post-‐exploita:on