Slide 1
Defcon XII 2004
METASPLOIT: Hacking Like in the Movies
spoonm, H D Moore

Slide 2: Introduction
Who are we?
- Independent researchers
- Work in the security industry
What is this about?
- Exploit frameworks in general
- New exploit technology

Slide 3: Exploit Frameworks (section title, Defcon XII 2004)

Slide 4: Exploit Frameworks - What is an exploit framework?
- Interface for launching exploits
- Standardized exploit modules
- Suite of reliable shellcode
- Library of common routines
- Often includes “pro” features

Slide 5: Exploit Frameworks - Why are frameworks needed?
- 80% of exploit code is boilerplate
- Payloads are usually hardcoded
- Advanced techniques rarely used
- Most “coders” aren't programmers
- Nobody posts code for old bugs

Slide 6: Exploit Frameworks - Public exploit frameworks
- Two stable commercial products
  - CORE Impact
  - Immunitysec CANVAS
- The Metasploit Framework
- New projects in development

Slide 7: Exploit Frameworks - CORE Impact
- The first real exploit framework
- Pricey but extremely complete
- Written in Python/C++ (Win32)
- Pivoting through owned boxes
- Syscall proxy payload system

Slide 8: Exploit Frameworks - Immunity CANVAS
- Second commercial framework
- Supports limited syscall proxying
- May pivot in the near future
- Less extensive than Impact
- Considerably less expensive

Slide 9: Exploit Frameworks - Current Capabilities
- Point. Click. Command shell.
- Pivoting through owned boxes
- Automatic payload encoding
- Dynamic shellcode creation

Slide 10: Metasploit Framework (section title, Defcon XII 2004)

Slide 11: The Metasploit Framework - Introduction
- Open source exploit framework
- Exploit development platform
- Written in the Perl scripting language
- Runs on most modern platforms
- Focused on improving technology

Slide 12: The Metasploit Framework - History
- Originally a network game
- Rewritten for professional use
- Evolved into an open source project
- Four primary developers
- Handful of contributors

Slide 13: The Metasploit Framework - Development status
- ~35 exploits, ~40 payloads
- Stable exploit and payload API
- Widely used by security firms
- Increasing use by system admins
- MSF 2.2 is the first dev-friendly release

Slide 14: The Metasploit Framework - Components
- User interfaces
- Exploits
- Encoders
- Payloads
- Handlers
- Nops

Slide 15: The Metasploit Framework - Architecture
[Architecture diagram; only the box labels survive extraction]
- Interfaces: Console, Web, CLI
- Core classes: Base, UI, Module, Utils
- Modules: Exploits, Payloads, Encoders, Nops
- Libraries: Pex, Msf, 3rd-party libraries

Slide 16: The Metasploit Framework - The command line interface
- Simple scriptable interface
- Useful for quick exploit tests

    Usage: ./msfcli [var=val] [MODE]
    Modes:
        (S)UMMARY   Show various information about the module
        (O)PTIONS   Show the available options for this module
        (A)DVANCED  Show the advanced options for this module
        (P)AYLOADS  Show available payloads for this module
        (T)ARGETS   Show available targets for this module
        (C)HECK     Determine if the target is vulnerable
        (E)XPLOIT   Attempt to exploit the target

Slide 17: The Metasploit Framework - The console interface
- Tab-completion exploit shell
- Session logging, history, environments

    + -- --=[ msfconsole v2.2 [35 exploits - 37 payloads]

    msf > use realserver_describe_linux
    msf realserver_describe_linux > set PAYLOAD linx86bind
    msf realserver_describe_linux(linx86bind) > set LPORT 3456
    msf realserver_describe_linux(linx86bind) > set RHOST vulnhost
    msf realserver_describe_linux(linx86bind) > exploit
    [*] RealServer universal exploit launched against 192.168.1.2
    [*] Kill the master rmserver pid to prevent shell disconnect
    [*] Connected to 192.168.1.2:3456...
    bash-2.05b#

Slide 18: The Metasploit Framework - The web interface
- Standalone web service
- Proxies exploit shells

Slide 19: The Metasploit Framework - Msfpescan: Return Address Fun
- Scans PE images for data (DLL, EXE)
- Finds universal return addresses
- Easy to script, easy to parse output
- Regular expression match support
- Can automatically disassemble code

Slide 20: The Metasploit Framework - msfpescan found good returns
- DCOM: NT SP6 -> XP SP1
- Serv-U: All versions NT -> 2K3
- LSASS: Autodetect Universal
- Blackice: Mad Bruteforce Foo

Slide 21: The Metasploit Framework - Other helper utilities
- msfdldebug » Download symbols
- msfpayload » Generate payloads
- msfpayload.cgi » CGI payload gen
- msfencode » CLI payload encoder
- msflogdump » Colorized session logs
- msfupdate » Online update system

Slide 22: The Metasploit Framework - Summary
- Stable exploit development platform
- Designed for use with pen-tests
- Admins use it to verify scan results
- Focused on technology (not $$$)

Slide 23: Exploit Technology (section title, Defcon XII 2004)

Slide 24: Exploit Technology - Windows Remote DLL Injection
- In-process DLL injection
- Does not write files to disk
- Written by Jarkko and Skape
- Full access to Windows API
- Easily convert C/C++ to payload
- Reuse existing code (VNC)

Slide 25: Exploit Technology - Windows VNC Server Injection
- Injects VNC server as new thread
- Reuses existing payload connection
- Based on RealVNC source code
- Adapted by Skape and HDM
- Breaks locked desktops
- Takes over WinLogon desktop

Slide 26: VNC Demo (Defcon XII 2004)

Slide 27: Exploit Technology - Interchangeable Payloads
- Exploits adapt to network conditions
- Reverse, Bind, Findsock, Exec
- “Encrypted” xor command shells
- Abstracted “cmd_” payloads
- Drop in new payloads as needed
- Integrated InlineEgg support

Slide 28: Payloads Demo (Defcon XII 2004)

Slide 29: Exploit Technology - MSF Socket Class
- Integrated SSL support for all sockets
- Can force connections to use proxies
- Pivot exploit requests through proxies
- New protocols are easy to integrate
- Raw IP support is somewhat working

Slide 30: Exploit Technology - IDS Evasion
- “Polymorphic” encoders and nops
- Avoid signatures with exploit options
- First-exit event masking (snort 0-day)
- Multi-staged payloads can avoid sigs
- DCERPC request fragmentation

Slide 31: IDS Evasion Demo (Defcon XII 2004)

Slide 32: Exploit Technology - Perl Protocol Libraries
- Perl modules for complex protocols
- SMB stack already useful (LSASS)
- DCERPC stack used with DCOM
- Protocol stacks written as needed
- Applicable outside of security testing

Slide 33: Exploit Technology - The Meterpreter
- Custom shell written as DLL payload
- Connection multiplexing (channels)
- Dynamically load extensions over net
- Built-in cryptography support
- Also written by Skape :)
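The slide lists "connection multiplexing (channels)" without saying what that means on the wire. The example below is added here to illustrate the general idea; it is not Meterpreter's own code or wire format, and it is written in Python rather than the DLL's C. Each message is framed with a header carrying a channel id and a payload length, so several logical channels share one connection, and the receiving side has to reassemble frames that arrive split across reads or coalesced into one read. The names (`encode_frame`, `encode_message`, `Demultiplexer`), the header layout and the sample messages are all this example's own assumptions.

```python
"""Illustrative channel multiplexing over a single byte stream.

Not Meterpreter's protocol: an invented, minimal framing used to show how
one connection can carry several independent channels.
"""
import struct

# Header: channel id (uint32) + payload length (uint16), network byte order.
HEADER = struct.Struct("!IH")
MAX_PAYLOAD = 0xFFFF  # largest payload a single frame can describe


def encode_frame(channel_id, payload):
    """Build one frame: header followed by the raw payload bytes."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds single-frame limit")
    return HEADER.pack(channel_id, len(payload)) + payload


def encode_message(channel_id, data, chunk=MAX_PAYLOAD):
    """Split a message of any size into one or more frames on one channel."""
    if not data:
        return encode_frame(channel_id, b"")
    return b"".join(
        encode_frame(channel_id, data[i:i + chunk]) for i in range(0, len(data), chunk)
    )


class Demultiplexer:
    """Receiver side: buffers partial reads and routes payloads by channel."""

    def __init__(self):
        self._buf = bytearray()  # bytes read but not yet forming a full frame
        self.channels = {}       # channel id -> reassembled payload bytes

    def feed(self, data):
        """Consume bytes from the shared connection; return completed frames
        as (channel_id, payload) tuples, in arrival order."""
        self._buf.extend(data)
        frames = []
        while len(self._buf) >= HEADER.size:
            channel_id, length = HEADER.unpack_from(self._buf, 0)
            if len(self._buf) < HEADER.size + length:
                break  # frame not complete yet; wait for the next read
            payload = bytes(self._buf[HEADER.size:HEADER.size + length])
            del self._buf[:HEADER.size + length]
            self.channels.setdefault(channel_id, bytearray()).extend(payload)
            frames.append((channel_id, payload))
        return frames


def demo():
    """Interleave two channels on one stream, deliver it in 5-byte reads
    (constructed sample data), and return what each channel received."""
    stream = (
        encode_message(1, b"hello\n")
        + encode_message(2, b"\x00\x01\x02")
        + encode_message(1, b"world\n")
    )
    demux = Demultiplexer()
    for i in range(0, len(stream), 5):
        demux.feed(stream[i:i + 5])
    return {cid: bytes(buf) for cid, buf in demux.channels.items()}


if __name__ == "__main__":
    print(demo())
```

The receiver never trusts the stream to deliver whole frames: it keeps whatever is left over in `_buf` and only acts once a full header and payload are present. That is the property that lets a single TCP connection carry, for example, an interactive shell and a file transfer at the same time without the two corrupting each other.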

Slide 34: Demonstrations (Defcon XII 2004)

Slide 35: Questions? (Defcon XII 2004)

Slide 36: Defcon XII 2004
Contact: [email protected]
Materials: http://metasploit.com/bh/