Embed Size (px)
Citation preview
@NTXISSA #NTXISSACSC3
Metasploit Year in Review
James Lee
Metasploit Developer and Community Manager
Rapid7
2015-10-03
@NTXISSA #NTXISSACSC3NTX ISSA Cyber Security Conference – October 2-3, 2015
$ whoami
James Lee@egyp7Metasploit Developer Community Manager
2
@NTXISSA #NTXISSACSC3NTX ISSA Cyber Security Conference – October 2-3, 2015
What is Metasploit
Framework for building & using:● Exploits● Post-exploitation tasks● Reconnaissance tools
Scaffolding for solving networking problems● Client for many protocols
3
@NTXISSA #NTXISSACSC3
A few numbers
@NTXISSA #NTXISSACSC3
Rapid7 has 71 Public Repositories
5
@NTXISSA #NTXISSACSC3NTX ISSA Cyber Security Conference – October 2-3, 2015
Repos You Probably Care About
metasploit-frameworkmetasploit-payloadsmetasploit-omnibus
6
@NTXISSA #NTXISSACSC3NTX ISSA Cyber Security Conference – October 2-3, 2015
Repos You Might Find Interesting
7
github-connectorssh-badkeys
@NTXISSA #NTXISSACSC3
@NTXISSA #NTXISSACSC3
Over 1200Pull Requests landed
9
@NTXISSA #NTXISSACSC3
Over 7500commits
git log --since '2014-09-26' --oneline | wc -l
10
@NTXISSA #NTXISSACSC3
git log --since '2014-09-26' --format='%aE' | sort -u
Almost 200unique authors
11
@NTXISSA #NTXISSACSC3 12
@NTXISSA #NTXISSACSC3
358new modules
13
@NTXISSA #NTXISSACSC3
Modules
@NTXISSA #NTXISSACSC3
20 Local Priv Escalation
15
@NTXISSA #NTXISSACSC3
Local exploit suggester
16
@NTXISSA #NTXISSACSC3 17
exploit/unix/webapp/wp_admin_shell_upload
@NTXISSA #NTXISSACSC3
Anti-Virus Products
@NTXISSA #NTXISSACSC3 19
auxiliary/gather/mcafee_epo_xxe
@NTXISSA #NTXISSACSC3 20
exploit/linux/http/symantec_web_gateway_restore
@NTXISSA #NTXISSACSC3 21
exploit/windows/browser/malwarebytes_update_exec
@NTXISSA #NTXISSACSC3 22
js-beautifier
exploit/multi/fileformat/js_unpacker_eval_injection
@NTXISSA #NTXISSACSC3
Browser Exploitation
@NTXISSA #NTXISSACSC3
21 browser exploits
24
@NTXISSA #NTXISSACSC3 25
@NTXISSA #NTXISSACSC3 26
@NTXISSA #NTXISSACSC3 27
@NTXISSA #NTXISSACSC3 28
@NTXISSA #NTXISSACSC3
SOHO Routers
@NTXISSA #NTXISSACSC3 30
@NTXISSA #NTXISSACSC3
Credentials
@NTXISSA #NTXISSACSC3
Service
32
Cred
Cred
Cred
Old and Busted
@NTXISSA #NTXISSACSC3
Core
Private
Public
Realm
Blank Username
SNMP Community
NTLM Hash
SMB Domain
Postgres DB
Username
Password
SSH Key
Non-replayable Hash
33
@NTXISSA #NTXISSACSC3
Core
Service
34
Login
Login
Login Service
@NTXISSA #NTXISSACSC3
Java Serialization
@NTXISSA #NTXISSACSC3NTX ISSA Cyber Security Conference – October 2-3, 2015
Java Serialization with RMI, JMX
36
auxiliary/gather/java_rmi_registryexploits/multi/misc/java_jmx_serverexploits/multi/misc/java_rmi_server
@NTXISSA #NTXISSACSC3
SMB
@NTXISSA #NTXISSACSC3NTX ISSA Cyber Security Conference – October 2-3, 2015
Kerberos
Partial implementation• Enough to exploit MS14-068
38
@NTXISSA #NTXISSACSC3NTX ISSA Cyber Security Conference – October 2-3, 2015
SMB Server
39
Partial implementation• Serve a single file• Enough to exploit most DLL hijacks
@NTXISSA #NTXISSACSC3
Payload Improvements
@NTXISSA #NTXISSACSC3NTX ISSA Cyber Security Conference – October 2-3, 2015
Interactive PowershellCan upgrade to meterpreterMostly compatible with existing Post API
Powershell Session Type
41
@NTXISSA #NTXISSACSC3NTX ISSA Cyber Security Conference – October 2-3, 2015
Unicode support
Meterpreter handles unicode in filesystems• Still have to have support in your terminal
42
@NTXISSA #NTXISSACSC3NTX ISSA Cyber Security Conference – October 2-3, 2015
UUID Tracking
Embed Universally Unique ID in payloads• Makes a payload identifiable• Track which EXE got this session
Generate unique machine ID for each session• Makes a machine identifiable• Track whether we’ve popped this box before
43
@NTXISSA #NTXISSACSC3NTX ISSA Cyber Security Conference – October 2-3, 2015
Paranoid Mode
Set a real TLS cert for payload handlers• Verify it from Meterpreter side• Bail if we’re being MitM’d
Whitelist UUIDs in the handler• Don’t start sessions for
things that aren’t a payload
44
@NTXISSA #NTXISSACSC3NTX ISSA Cyber Security Conference – October 2-3, 2015
Meterpreter Transport Reliability
45
@NTXISSA #NTXISSACSC3NTX ISSA Cyber Security Conference – October 2-3, 2015
Runtime Transport Control
reverse_tcp vs reverse_http vs reverse_https
Bind• tcp://:8000/IPv6• tcp6://fe80::82e6:50ff:fe08:2e50:8000?en0HTTP(S)• https://1.2.3.4/<generated URI>
46
@NTXISSA #NTXISSACSC3NTX ISSA Cyber Security Conference – October 2-3, 2015
Configurable timeouts
● Session● Communication● Retry total● Retry wait
47
@NTXISSA #NTXISSACSC3NTX ISSA Cyber Security Conference – October 2-3, 2015
Stageless Meterpreter
Skip staging and put everything in one payload
48
@NTXISSA #NTXISSACSC3 49
@NTXISSA #NTXISSACSC3NTX ISSA Cyber Security Conference – October 2-3, 2015
NTDS.dit
Domain controllers store accounts Multi-GB file for large orgsDownloading giant files sucks
50
@NTXISSA #NTXISSACSC3NTX ISSA Cyber Security Conference – October 2-3, 2015
NTDS.dit Solution
51
windows/gather/credentials/domain_hashdump
Uses a C extension to parse on targetSend back a few at a time
@NTXISSA #NTXISSACSC3
Infrastructure
@NTXISSA #NTXISSACSC3
Ruby 2.1.6
53
@NTXISSA #NTXISSACSC3 54
@NTXISSA #NTXISSACSC3 55
Omnibus logo
@NTXISSA #NTXISSACSC3
Random
@NTXISSA #NTXISSACSC3NTX ISSA Cyber Security Conference – October 2-3, 2015
Workspace in Your Prompt
57
@NTXISSA #NTXISSACSC3NTX ISSA Cyber Security Conference – October 2-3, 2015
Tab-completing LHOST
58
@NTXISSA #NTXISSACSC3
Questions?
@NTXISSA #NTXISSACSC3@NTXISSA #NTXISSACSC3
The Collin College Engineering Department
Collin College Student Chapter of the North Texas ISSA
North Texas ISSA (Information Systems Security Association)
NTX ISSA Cyber Security Conference – October 2-3, 2015 60
Thank you
