Slide 1 - Computer Defense

Uploaded by quaggahooligan in Internet and Web Applications, 5 Feb 2013


Metasploitation


A CanSecWest Presentation

Original Presenter: HD Moore




Presentation and Additional Information: Tyler Reguly

www.TASK.to

© Toronto Area Security Klatch 2005

Who is this guy?


Who am I?


Graduate of Fanshawe College


Computer Systems Technology 3-year diploma


Previously worked at Fanshawe College in student support
and as a Sys Admin for a small marketing company


Worked doing quasi-international web development for the
past 5 years.


Now at nCircle as a Vulnerability and Exposure Research
Engineer


Also a moderator on AntiOnline.com


Maintain the ComputerDefense.org blog.


Why are we here?


The goal tonight?


Cover information introduced by H.D. Moore at CanSecWest.


We’ll provide you with background information on the Metasploit
project and Metasploit Framework.


Basic Framework usage


Functional differences between Framework versions


Various Metasploit Project Web Fuzzers


Brief overview of other sections of the Metasploit Project


Meta-what?


What is Metasploit?


Metasploit itself is nothing… it’s not even a word… but it’s come to
mean so much more.


Metasploit has come to be synonymous with the Metasploit
Framework.


Metasploit is actually The Metasploit Project, whose goal is to provide
information that will be useful in Penetration Testing, IDS Signature
Development and exploit research.


The Metasploit Framework is one aspect of the Metasploit Project.


Other parts of the project include: MSRT, MAFIA, Hamachi, etc.



Metasploit Framework


The framework is an open-source platform for developing,
testing and using exploit code. (Point ‘n Click Hacking)


The current “stable” version is version 2.5


Primarily written in Perl, with sections written in C, Python
and assembly.


Similar to the commercial projects Canvas (Immunity) and
Impact (Core)


Rather than aiming to be current, it aims to facilitate research and
experimentation.


Basic Framework Usage


Let’s take a look at a video demo of Metasploit Framework
2.5 in action


Show


list modules available (exploits, payloads, etc)


Use


Use a specific exploit module


Set


set specific variables (Case sensitive)


RHOST


Remote Host (who we’re attacking)


PAYLOAD


The payload to carry


LHOST


Local Host (for the phone home attacks, reverse shell)


Exploit


run the exploit.


Finally… Something Interesting.


New version of Metasploit Framework


Framework Version 3.0


Currently @ 3.0 Alpha R3


Complete rewrite of V2 code…


Perl migrated to Ruby


Allows for a focus on flexibility and automation


Multitasking through Ruby threads


Many users can share a single instance of Metasploit


Concurrent exploits and sessions


Suspend, restore and share your sessions…


Run multi-victim exploits


Exploit Mixins


Write advanced exploits in 3 lines


Mixins for SMB, DCERPC, HTTP, FTP, TCP, UDP, TCPServer, etc


New features… cont’d


New Interfaces


Updated module hierarchy (much more organized)


See details in video


New web interface uses ERB and AJAX


Developing a GUI version.


New Opcode DB


Online database of Win32 DLL Info


Stores locations of usable ‘opcodes’


Framework Integration


CLI tool to perform queries


‘opcode pool’ system currently in the works


And automated return address updates


Add fingerprinting and imagine!


The parts that make the whole!


Executable processing


Msfpescan


Command-line tool for EXE processing


Discovers usable return addresses


Partially used to create the opcode DB


Will also now handle Resources and TLBs (Translation Lookup Buffers)



Msfrpcscan


Extracts MIDL (MS Interface Definition Language) information from PE
files


Creates boilerplate for new exploits


Still in Development…


Huh? What did he just say?


Sounds good, but what else?


Rewrite of all Exploit modules


Massive number of bug fixes


Improved randomness, use of Mixins


Exploit Module Structure


Single exploit can target many platforms


Simplified the meta-information fields


Mixins can also modify exploit before


Target brute forcing


Passive Exploits


Can I do anything cool?


Payload upgrades and Enhancements


Bug fixes and size improvements


New “cmd” modules, “php” payloads



Meterpreter


Consolidation of standard modules


“Wicked Cool” API and remote scripting


Process migration


pid = client.sys.process['calc.exe']


client.core.migrate(pid)


Mirror the remote hard drive in one line


client.fs.dir.download("/tmp/", "C:\\", true)


Meterpreter Commands


Meterpreter Commands Cont’d


There’s more?!?!


The Problem…


Not all exploits fit into the standard structure


Recon Modules overlapped with exploits


No standard for information sharing



Auxiliary Modules


Catch-all for interesting security tools


Perform reconnaissance and reporting


Integrate with third-party utilities


Report data in a standard format


So why Ruby?



“The Ruby Language Rocks”


Ability to redefine anything at runtime


Plugins can alter almost anything



Framework Plugins


Extend and replace Framework Code


Hook events and filter parameters


Simplify feature development


Examples:


Socket tracing and filtering


Multiuser exploit console


Backend


Support for common databases


Postgres, SQLite, MySQL, etc


Based on Ruby on Rails (ROR) Active Record


Simplified API and thread-safety



Implementation defined by plugins


Monitor sockets with db_tracker.rb


Interact with the database (search, etc)


Persistent storage of session data


Reporting is just another plugin


Automation


Turning Metasploit into Nessus


Database backend provides “KB” function


Auxiliary modules for assessment/discovery


Event coordinator for triggering modules


Report generator uses the database



Development Status


75% of the database schema


50% of the Aux module API


Handful of discovery modules


Integration with Nessus/Nmap


Automation Cont’d



Creating a professional mass-rooter


Aux modules perform discovery


Exploit modules perform vuln checks


Plugins automate exploitation


Plugins automate post exploitation


Dump XML reports via ActiveRecord



Useful framework for all security tools


Extensive protocol support, friendly API


Passive tools work well with event system


Most APIs are accessible from REX


How to ‘not get caught’!


Evasion is finally taken seriously


Evasion options now a separate class


Protocol stacks integrate IDS evasion


Mixins expose these to exploit modules



Strong evasion techniques


Multi-layered evasion defeats most solutions


Client-side attacks impossible to detect


WMF = HTTP + Compress + Chunked + Jscript


Deep protocols offer so many options


LSASS = TCP + SMB + DCERPC


Evasion Options


Example Evasion Options


TCP::max_send_size


TCP::send_delay


HTTP::chunked


HTTP::compression


SMB::pipe_evasion


DCERPC::bind_multi


DCERPC::alter_context
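The HTTP::chunked and HTTP::compression options listed above, and the "WMF = HTTP + Compress + Chunked" line on the previous slide, describe layers stacked on top of a payload. The following is an added example, not code from the slides or from Metasploit, showing the defender's side of that: a content signature matched against the raw bytes misses a body that was gzipped and then chunked, while a detector that strips each layer before matching finds it. SIGNATURE, the response and the 7-byte chunk size are constructed for the demo.

```ruby
# Added example, not code from the slides or from Metasploit: why a
# signature matched against raw bytes misses a payload delivered with
# chunked transfer encoding plus gzip compression, and how a detector
# that strips each layer first gets the match back.
require 'zlib'
require 'stringio'

SIGNATURE = "EVIL_WMF_MARKER".freeze   # constructed stand-in for an IDS content rule

def gzip(data)
  io = StringIO.new("".b)
  gz = Zlib::GzipWriter.new(io)
  gz.write(data)
  gz.finish          # write the gzip trailer without closing the StringIO
  io.string
end

def gunzip(data)
  Zlib::GzipReader.new(StringIO.new(data)).read
end

# Chunked transfer encoding: hex size line, data, CRLF, ..., "0" terminator.
def chunk(body, size)
  out = "".b
  body.bytes.each_slice(size) do |slice|
    out << slice.size.to_s(16) << "\r\n" << slice.pack("C*") << "\r\n"
  end
  out << "0\r\n\r\n"
end

def dechunk(body)
  out = "".b
  rest = body.b
  loop do
    line, rest = rest.split("\r\n", 2)
    raise ArgumentError, "truncated chunked body" if rest.nil?
    len = line.split(";").first.to_i(16)         # drop any chunk extension
    break if len.zero?
    out << rest.byteslice(0, len)
    rest = rest.byteslice(len + 2..-1) || "".b   # skip the data and its CRLF
  end
  out
end

# The evasive response: body gzipped, then split into 7-byte chunks.
def build_evasive_response(payload)
  "HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\nTransfer-Encoding: chunked\r\n\r\n" +
    chunk(gzip(payload), 7)
end

# Raw-byte matching, the behaviour layered evasion is designed to defeat.
def naive_match?(raw)
  raw.b.include?(SIGNATURE)
end

# Normalise first: undo chunking, then compression, then match.
def normalized_match?(raw)
  headers, body = raw.b.split("\r\n\r\n", 2)
  body = dechunk(body) if headers =~ /^Transfer-Encoding:\s*chunked/i
  body = gunzip(body)  if headers =~ /^Content-Encoding:\s*gzip/i
  body.include?(SIGNATURE)
end

# Constructed page body carrying the marker; the run of "A"s keeps deflate
# from emitting a stored (uncompressed) block for such a short input.
def sample_payload
  "<html>" + ("A" * 64) + SIGNATURE + "</html>"
end
```

Each protocol layer the sensor cannot reverse is a layer the signature never sees; the slide's point that deep protocol stacks such as TCP + SMB + DCERPC offer many options is the same observation applied to binary protocols rather than HTTP.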


Evasion Features


IPS Fingerprinting


Implemented as Auxiliary modules


Use low-risk signature deltas to ID


Linux-based IPS depends on bridging…



IPS Evasion


Configure an ‘evasion profile’


Override exploit/evasion options


Uses per-IPS evasion techniques


Offensive IPS


IPS Filtering for the Attacker


Socket hooking plugins can filter data


Not all vendors encrypt their signatures


Let’s create an application layer IPS



The “ips_filter” plugin


Monitor all socket transactions


Block packets that would trigger an alert



Challenges


Signatures are often for decoded data


Formats are difficult to convert to RE


Status


Metasploit Framework v3.0-alpha-r3


User Interfaces are still a bit rough


Module cache a huge improvement


Over half of the exploits are ported


Only supports Linux / OS X / BSD


Should work with Cygwin… but not Native yet



Metasploit Framework v3.0-alpha-r4


Includes database, plugins, aux modules


IPS Detection features depending on time


Was scheduled for release April 12th, but has been pushed back.


Web Fuzzing


“Newer” area in security that’s actively gaining speed and
evolving.


Broad Range of interest


Has led to numerous exploits released for, and upgrades to,
a number of mainstream browsers


Internet Explorer (April 2006): 1 Patch (10 Vulns/Flaws)


Firefox (April 2006): 1 Release Version (1.5.0.2) (15+
Vulns/Flaws)


Why are we suddenly discovering all of these?


H.D. Moore’s Web Fuzzers


HD has released a series of web fuzzers


Hamachi


http://metasploit.com/users/hdm/tools/hamachi/hamachi.html


CSS Die


http://metasploit.com/users/hdm/tools/see-ess-ess-die/cssdie.html


Dom-Hanoi


http://metasploit.com/users/hdm/tools/domhanoi/domhanoi.html


Hamachi


Hamachi


Created by H D Moore and Aviv Raff


Looks for common DHTML implementation flaws



How does it work?


Specifies common “bad” values for method arguments and property
values.



Has anyone passed?


So far Firefox 1.5.0.1 has passed all built-in Hamachi tests


Hamachi Screenshot


CSS Die


CSS Die


Created by H D Moore, Aviv Raff, Matt Murphy and Thierry Zoller


Looks for common implementation flaws in CSS1, CSS2 and CSS3.



How does it work?


Specifies common “bad” values for style values.



Has anyone passed?


So far Firefox 1.5.0.1 has passed all built-in CSS Die tests


CSS Die Screenshot


DOM-Hanoi


DOM-Hanoi


Created by H D Moore and Aviv Raff


Looks for common DHTML implementation flaws.



How does it work?


It adds and removes DOM elements, similar to the way used in the
game Tower of Hanoi.



Has anyone passed?


So far no browsers have been announced as having passed this series of
tests.



DOM-Hanoi Screenshot


Latest IE Fully Patched


Other Metasploit Projects


Metasploit Research Toolkit


Standalone disassembler, emulator, MMU


eEye-style return detection, input tracing


skape has some nice blogs on the subject @ metasploit.blogspot.com


Metasploit Anti Forensics tools (MAFIA)


Timestomp


First ever tool to modify all four NTFS timestamp values
(modified, accessed, created and entry modified)


Slacker


First ever tool to allow you to hide files in the slack space of
an NTFS partition


Sam Juicer


A tool to dump hashes from the SAM without touching
the hard disk (Available as a Meterpreter module)


Transmogrify


First ever tool to defeat EnCase’s file signature
capabilities by allowing you to mask and unmask files (Coming Soon)
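Timestomp, listed above, rewrites all four NTFS timestamps of a file. The following is an added example, not code from the slides or from MAFIA, showing the examiner's side: a sanity check over those four values. The heuristics it applies are the commonly cited ones and are assumptions rather than a complete detector: NTFS stores timestamps at 100 ns resolution, so a value whose sub-second part is exactly zero is unusual for a file the OS wrote, and all four being zero at once is the classic stomp pattern; a created time later than the modified time is flagged for review only, since copying a file produces that ordering legitimately. The file paths and times are constructed.

```ruby
# Added example, not code from the slides or from MAFIA: a defender-side
# sanity check over the four NTFS timestamps Timestomp rewrites. The
# heuristics are assumptions (commonly cited ones), not a full detector.
NtfsTimes = Struct.new(:path, :modified, :accessed, :created, :entry_modified)

FIELDS = %i[modified accessed created entry_modified].freeze

# Returns a list of human-readable findings; empty means nothing odd.
def timestamp_findings(rec)
  findings = []
  # NTFS keeps 100 ns ticks; Ruby Time keeps nanoseconds, so a real write
  # leaves a non-zero tail while a hand-set value is typically whole seconds.
  zeroed = FIELDS.select { |f| rec[f].nsec.zero? }
  zeroed.each { |f| findings << "#{f}: sub-second part is exactly zero" }
  findings << "all four timestamps zeroed below the second" if zeroed.size == FIELDS.size
  # Normal for a copied file, so review rather than alert on this alone.
  findings << "created is later than modified (normal for copies, review)" if rec.created > rec.modified
  findings
end

# The strong indicator: every timestamp truncated to whole seconds.
def stomped?(rec)
  FIELDS.all? { |f| rec[f].nsec.zero? }
end

# Constructed records: a normally written file and one with stomped times.
def sample_records
  base = Time.utc(2005, 3, 14, 10, 2, 33)
  good = NtfsTimes.new("C:\\Users\\alice\\report.docx",
                       base + Rational(1_234_567, 10_000_000),          # modified
                       base + Rational(2_000_100, 10_000_000),          # accessed
                       base - 3600 + Rational(77, 10_000_000),          # created
                       base + Rational(1_234_600, 10_000_000))          # entry modified
  bad = NtfsTimes.new("C:\\Windows\\Temp\\svc.exe",
                      Time.utc(2005, 1, 1, 0, 0, 0),
                      Time.utc(2005, 1, 1, 0, 0, 0),
                      Time.utc(2005, 1, 1, 0, 0, 0),
                      Time.utc(2005, 1, 1, 0, 0, 0))
  [good, bad]
end

# Path => findings, for a batch of records pulled from an MFT parse.
def report(records)
  records.map { |r| [r.path, timestamp_findings(r)] }.to_h
end

puts report(sample_records).inspect if __FILE__ == $PROGRAM_NAME
```

The check only looks at the $STANDARD_INFORMATION values a tool like Timestomp touches; in practice an examiner would also compare them against other sources the slide does not cover, which is why the output is a list of findings to review rather than a verdict.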


Thank You!



Thanks!