Post on 14-Jan-2015
POST METASPLOITATION
egypt
WHY THIS TALK?
• Get more shells
• Get better shells
• Do more with them, faster
ASSUMPTIONS
• You’ve heard of Metasploit
• You’ve got a shell
• You have some goal that isn’t that shell
WHY METASPLOIT?
LARGE OPEN SOURCE COMMUNITY
POST MODULE DESIGN
Should be minimal
• Complexity is hard to debug and maintain
• Do one thing and do it well
– Resource scripts can automate multiple modules
POST MODULE DESIGN
Should be readable
• Consistent structure
• Consistent option names
• Consistent output
POST MODULE DESIGN
Should be reliable
• Detect relevant variables
• Never crash session/host if you can avoid it
• Clean up
POST MODULE DEVELOPMENT
Like Aux modules in many ways
• Define a run() method
• Optional setup(), cleanup() methods
• Have Actions
• Can include Exploit / Auxiliary mixins
• Should report something
POST MODULE STRUCTURE
METASPLOIT POST API
• DSL*-like interface for automating shells
• Abstracts out common stuff
• Platform-agnostic methods for
– Reading/writing binary files
– Running shell commands
– Listing users
*Domain Specific Language
POST-EXPLOITATION SECRET SAUCE
Presence
Persistence
Pivoting
[1]: I totally stole this from Mubix
PRESENCE
• Examine your environment
– Users
– Machine
• One issue here is getting an unfamiliar shell
– Never played on Solaris, what do you do?
WHAT USERS ARE/HAVE LOGGED IN?
PRESENCE - THE MACHINE
• What does this box do?
• What processes are running?
– AV, Tripwire
– ssh-agent, pageant
– Editors
– Database servers
• What does it talk to?
WHAT DOES THIS MACHINE TALK TO?
PERSISTENCE
• Passwords!
• Backdoors
• Re-introducing vulnerabilities
TEMPORARY PERSISTENCE
• Reverse http(s) payloads
• Doesn't survive reboot but useful for keeping shells when network is spotty
MORE PERMANENT OPTIONS
• Autoruns
– Drop an exe in the right place, maybe mod registry
– Simple, effective
• Task scheduler, cron, launchd
• Enable RDP
• Enable root login for ssh
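One defender's check for the last item, "enable root login for ssh", as an added example that is not part of the talk: audit an sshd_config for PermitRootLogin. sshd honours the first occurrence of each keyword, so a line appended at the end of the file changes nothing when an earlier one exists, while a line inserted at the top takes effect; directives after a Match line are conditional. The audit reports the effective value, any shadowed duplicates and any Match-scoped settings, so tampering in either place shows up. The sample config is constructed.

```ruby
# Added example (not from the talk): audit sshd_config for the
# "enable root login for ssh" persistence change.  sshd honours the FIRST
# occurrence of each keyword, so the audit reports which occurrence is
# effective and lists every other occurrence (shadowed or Match-scoped).

# Returns [[keyword (downcased), value, line number, inside Match block?], ...]
def parse_sshd_config(text)
  directives = []
  in_match = false
  text.each_line.with_index(1) do |raw, line_no|
    line = raw.sub(/#.*/, '').strip          # drop comments and blank lines
    next if line.empty?
    key, val = line.split(/\s*=\s*|\s+/, 2)  # "Key value" or "Key=value"
    key = key.downcase
    in_match = true if key == 'match'        # everything after Match is conditional
    directives << [key, val.to_s.strip, line_no, in_match]
  end
  directives
end

def audit_permit_root_login(text)
  all = parse_sshd_config(text).select { |key, _, _, _| key == 'permitrootlogin' }
  global, conditional = all.partition { |_, _, _, in_match| !in_match }
  effective = global.first                   # first occurrence wins
  value = effective && effective[1].downcase
  finding =
    if value.nil?        then 'default applies (prohibit-password since OpenSSH 7.0, yes before)'
    elsif value == 'yes' then 'root password login permitted'
    else 'ok'
    end
  {
    effective: value, effective_line: effective && effective[2], finding: finding,
    shadowed: global.drop(1).map { |_, v, n, _| "line #{n}: #{v}" },
    conditional: conditional.map { |_, v, n, _| "line #{n}: #{v}" }
  }
end

# Constructed sample: an effective "yes", a later "no" that sshd ignores, and
# a Match-scoped exception.
SAMPLE_SSHD_CONFIG = <<~CONF
  # /etc/ssh/sshd_config (constructed sample)
  PermitRootLogin yes
  Port 22
  PermitRootLogin no      # appended later; has no effect
  PasswordAuthentication yes
  Match Address 10.0.0.0/8
      PermitRootLogin without-password
CONF

puts audit_permit_root_login(SAMPLE_SSHD_CONFIG).inspect if __FILE__ == $PROGRAM_NAME
```

On the sample the effective value is the "yes" on line 2; the "no" on line 4 is reported as shadowed, which is exactly the case a quick `grep PermitRootLogin | tail -1` would get wrong.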
PIVOTING
• Passwords!
• Privilege escalation
• Trust relationships
• Route, portfwd
• auxiliary/server/socks4a
• Explicit "comm" arg to Rex::Socket creation
POST-EXPLOITATION EXPLOITATION
• For when you absolutely, positively have to have root
– (and don’t mind the occasional kernel panic)
• We can kinda blur the line between local and remote here
$ -> #
• Just like with network exploitation, not always an exploit
• Passwords (sudo)
• Trust relationships (suid executables)
• Misconfiguration (all sorts of shit)
DEMO: MULTI/LOCAL/SETUID_NMAP
"Nmap should never be installed with special privileges (e.g. suid root) for security reasons."
DEMO: LINUX/LOCAL/SOCK_SENDPAGE
AKA Wunderbar Emporium
EXPLOIT::LOCAL
• Inherit from Exploit
– Provides payloads and handlers
– Create executables, etc
• Include Post mixins
– Provides session interaction
– Write files, manipulate registry, etc
COMPILING/ASSEMBLING WITH METASM
• Can compile C for x86/x86_64
• Can assemble x86, x86_64, mips, arm, ppc and more
TRUST RELATIONSHIPS
• Windows Authentication
– NTLM auth is relay-able
– Automatic domain auth
SMB RELAY
(sequence diagram: Victim, Attacker, Target)
• Victim begins NTLM authentication against the Attacker
• Attacker begins NTLM auth against Target
• Target replies with 8-byte challenge
• Attacker sends Target's challenge to Victim
• Victim calculates challenge response and replies with final authentication packet
• Attacker logs into Target with Victim's credentials
SMB RELAY
• Well-known attack
• Some mitigations break it, but largely still useful and will be for a long time
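The six-step exchange above as a toy model, added here and not part of the talk, together with the reason one of the "mitigations that break it" (session signing) works: the relay forwards the challenge and the proof, so authentication succeeds, but the session key is derived from the user's secret, which the relay never holds, so it cannot sign. The key derivation is a simplified stand-in (SHA-256 and HMAC-SHA256) for NTLM's real NTOWFv2/HMAC-MD5 construction; names, passwords and the 'list shares' request are constructed.

```ruby
# Added example (not from the talk): toy model of NTLM challenge/response
# relaying and of why session signing breaks it.  Key derivation is a
# simplified stand-in for NTLM's real NTOWFv2/HMAC-MD5; the flow is the point.
require 'openssl'
require 'securerandom'

def secure_equal(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).map { |x, y| x ^ y }.reduce(0, :|).zero?
end

# Stand-in for the user's long-term NTLM secret.  Victim and Target (or its
# DC) hold this; the Attacker does not.
def derive_user_key(password, user, domain)
  pw_hash = OpenSSL::Digest.digest('SHA256', password.encode('UTF-16LE'))
  OpenSSL::HMAC.digest('SHA256', pw_hash, (user.upcase + domain).encode('UTF-16LE'))
end

# Proof over server challenge + client nonce, and the session key derived
# from it.  The proof crosses the wire; the session key needs user_key.
def challenge_response(user_key, server_challenge, client_nonce)
  proof = OpenSSL::HMAC.digest('SHA256', user_key, server_challenge + client_nonce)
  session_key = OpenSSL::HMAC.digest('SHA256', user_key, proof)
  [proof, session_key]
end

def sign(session_key, message)
  OpenSSL::HMAC.digest('SHA256', session_key, message)
end

class Target
  def initialize(user_keys, require_signing:)
    @user_keys, @require_signing, @sessions = user_keys, require_signing, {}
  end

  def challenge                                  # step 3: 8-byte challenge
    @challenge = SecureRandom.random_bytes(8)
  end

  def authenticate(user, client_nonce, proof)    # step 6: verify the proof
    return nil unless (key = @user_keys[user])
    expected, session_key = challenge_response(key, @challenge, client_nonce)
    return nil unless secure_equal(expected, proof)
    sid = SecureRandom.hex(4)
    @sessions[sid] = session_key                 # session bound to the user's secret
    sid
  end

  # With signing required, every request must carry a MAC under the session key.
  def handle(sid, request, signature)
    expected = sign(@sessions.fetch(sid), request)
    if @require_signing && !(signature && secure_equal(expected, signature))
      return 'rejected: bad signature'
    end
    "accepted: #{request}"
  end
end

class Victim
  def initialize(user, domain, password)
    @user, @key = user, derive_user_key(password, user, domain)
  end

  def respond(server_challenge)                  # steps 1, 4, 5: answer any challenge
    nonce = SecureRandom.random_bytes(8)
    proof, @session_key = challenge_response(@key, server_challenge, nonce)
    [@user, nonce, proof]
  end

  def signed_request(message)
    [message, sign(@session_key, message)]
  end
end

# The relay (step 2): Target's challenge goes to Victim, Victim's proof goes
# to Target.  Authentication succeeds, but the relay has no session key.
def relayed_session(victim, target)
  user, nonce, proof = victim.respond(target.challenge)
  sid = target.authenticate(user, nonce, proof)
  return 'authentication failed' unless sid
  request = 'list shares'
  target.handle(sid, request, sign('relay has no session key', request))
end

# Honest path for comparison: Victim signs with the key it derived itself.
def direct_session(victim, target)
  user, nonce, proof = victim.respond(target.challenge)
  sid = target.authenticate(user, nonce, proof)
  return 'authentication failed' unless sid
  target.handle(sid, *victim.signed_request('list shares'))
end
```

With `require_signing: false` the relayed session is accepted; with it on, the same relay is rejected at the first request while the direct session still works. That is the property to check on file servers and domain controllers: signing required, not merely enabled.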
SMB RELAY + LNK FILE
(diagram: Victim, File Server, Compromised Target; "Create LNK file")
• Drop LNK file (post/windows/escalate/droplnk)
• Set up a relay (exploit/windows/smb/smb_relay)
• Wait for an Admin to open that directory
AUTOMATIC DOMAIN AUTH
• Windows stores creds in memory and does NTLM auth using your current token
• When you do something in the GUI that requires auth, it happens automatically using those creds
• If your user has Local Admin on another box, you can create/start services (usually)
SC_HANDLE WINAPI OpenSCManager(
__in_opt LPCTSTR lpMachineName,
__in_opt LPCTSTR lpDatabaseName,
__in DWORD dwDesiredAccess );
SC_HANDLE WINAPI CreateService(
__in SC_HANDLE hSCManager,
__in LPCTSTR lpServiceName,
__in_opt LPCTSTR lpDisplayName,
__in DWORD dwDesiredAccess,
__in DWORD dwServiceType,
__in DWORD dwStartType,
__in DWORD dwErrorControl,
__in_opt LPCTSTR lpBinaryPathName,
__in_opt LPCTSTR lpLoadOrderGroup,
__out_opt LPDWORD lpdwTagId,
__in_opt LPCTSTR lpDependencies,
__in_opt LPCTSTR lpServiceStartName,
__in_opt LPCTSTR lpPassword );
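What a remote CreateService call leaves behind on the target, and how to triage it, as an added example that is not part of the talk: the System log records Event ID 7045 ("A service was installed in the system", source Service Control Manager) with the service name, image path, start type and account. The records below are constructed samples in the field layout Event Viewer shows; service names and paths are made up.

```ruby
# Added example (not from the talk): triage Event ID 7045 records.  The
# samples are constructed; the heuristics flag image paths outside the usual
# install locations, shell interpreters used as service binaries, and the
# LocalSystem + demand-start combination typical of one-shot remote execution.
RAW_7045_EVENTS = <<~'LOG'
  Service Name:  svc_upd_7f3a
  Service File Name:  C:\Windows\Temp\upd.exe
  Service Type:  user mode service
  Service Start Type:  demand start
  Service Account:  LocalSystem
  ---
  Service Name:  ExampleAgent
  Service File Name:  "C:\Program Files\Example\agent.exe" --service
  Service Type:  user mode service
  Service Start Type:  auto start
  Service Account:  NT AUTHORITY\NetworkService
  ---
  Service Name:  rcmd_1
  Service File Name:  %COMSPEC% /c echo hi > C:\Users\Public\o.txt
  Service Type:  user mode service
  Service Start Type:  demand start
  Service Account:  LocalSystem
LOG
EVENTS = RAW_7045_EVENTS.split(/^---\n/)

# "Field:  value" lines into a Hash.  Only the first ": " separates key from
# value, so drive letters inside the value are left alone.
def parse_event(text)
  text.each_line.with_object({}) do |line, rec|
    key, val = line.split(/:\s+/, 2)
    rec[key.strip] = val.strip if key && val
  end
end

# The image path without surrounding quotes or trailing arguments.
def executable_path(file_name)
  file_name =~ /\A"([^"]+)"/ ? $1 : file_name.split(/\s+/, 2).first.to_s
end

TRUSTED_DIRS = [%r{\A(%SystemRoot%|C:\\Windows)\\System32\\}i,
                %r{\A(%ProgramFiles%|C:\\Program Files)\\}i]

def triage(rec)
  path = executable_path(rec['Service File Name'].to_s)
  reasons = []
  reasons << 'binary outside System32/Program Files' unless TRUSTED_DIRS.any? { |re| path =~ re }
  reasons << 'shell interpreter as service binary' if path =~ /(\A%COMSPEC%|cmd\.exe|powershell(\.exe)?)\z/i
  reasons << 'commonly abused writable location' if path =~ /\\(Temp|Users|ProgramData)\\/i
  reasons << 'LocalSystem, demand start' if rec['Service Account'] == 'LocalSystem' && rec['Service Start Type'] =~ /demand/i
  # Require two independent signals before alerting so one-off installers stay quiet.
  { name: rec['Service Name'], path: path, reasons: reasons, suspicious: reasons.size >= 2 }
end

def triage_all(events = EVENTS)
  events.map { |e| triage(parse_event(e)) }
end

triage_all.each { |r| puts r.inspect } if __FILE__ == $PROGRAM_NAME
```

7045 says nothing about where the call came from; correlating it with a Security log 4624 logon of type 3 (network) from the same source shortly before is what marks the install as remote, and enabling the "Audit Security System Extension" subcategory adds the 4697 record, which also carries the installing account.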
DEMO: OWNING DC USING DA TOKEN
Yay automatic authentication
CONCLUSIONS
• Metasploit is awesomesauce
• If it doesn't already do what you need, it's easy to add new modules
• Stick around for Dave's talk!
• Twitter: @egyp7
• IRC: #metasploit on FreeNode
QUESTIONS?