metasploitation
play

Metasploitation H D Moore Director of Security Research (Exploit - PowerPoint PPT Presentation

Jun 10, 2023 •378 likes •675 views

Metasploitation H D Moore Director of Security Research (Exploit automation and IPS evasion) BreakingPoint Systems CanSecWest 2006 Agenda Introduction Metasploit 3 Automation IPS Evasion Examples 2 Introductions - Who?

  1. Metasploitation H D Moore Director of Security Research (Exploit automation and IPS evasion) BreakingPoint Systems CanSecWest 2006

  2. Agenda  Introduction  Metasploit 3  Automation  IPS Evasion  Examples 2

  3. Introductions - Who?  BreakingPoint Systems  Director of Security Research  We build hardware to break things  The Metasploit Project  Founder, developer, researcher  We build software to break things 3

  4. Introductions - What?  Metasploit v3.0  New features, massive changes  Starting to be usable :-)  Automation  Auxiliary modules, databases, events  “Turning Metasploit into Nessus”:-)  Evasion  Finding the “bump in the wire”  Low-visibility IPS fingerprinting  Integration with Metasploit 3 4

  5. Metasploit v2.5  April 2006 status  127 remote exploits, 75 payloads  Found in 17 books, 950 blogs, 190 articles  27,000 IPs used msfupdate in 2006  Growing pains...  Load time increasing (200+ modules)  Client-side exploits are a pain  Automation is doable, but klunky  Concurrency depends on fork() 5

  6. Metasploit v3.0  Completely rewritten in Ruby  Object oriented model was a better fit  Code compression at ~40%  2.5 was 40K lines Perl, 3.0 is 86K lines Ruby  New design, new features, new goals  Focused on flexibility and automation  Closer integration between features  Development guide and API docs! 6

  7. Metasploit v3.0 - Architecture libraries rex custom plugins protocol tools framework-core framework-base interfaces modules msfconsole exploits security tools msfcli payloads msfweb encoders web services msfwx nops integration msfapi auxiliary 7

  8. Metasploit v3.0 – New features  Multitasking through Ruby threads  Share single instance with many users  Great for team-based penetration testing  Multi-user plugin is only ~20 lines of code :-)  Concurrent exploits and sessions  Support for passive exploits and recon mods  Multiple payload sessions open at once  Suspend and restore payload sessions  Share payload sessions with other users  Handle multi-victim exploits :-) 8

  9. Metasploit v3.0 – New features  Extensive exploit module “Mixins”  Write advanced exploits in only 3 lines :-)  Mixins for SMB, DCERPC, HTTP, FTP...  Huge boost for module consistency  Example FTP server exploit: connect buf = Rex::Text.rand_text_english(2048, payload_badchars) seh = generate_seh_payload(target.ret) buf[229, seh.length] = seh send_cmd( ['USER', buf] , false ) handler disconnect 9

  10. Metasploit v3.0 – New features  Shiny new interfaces!  Console uses module hierarchy/regex  Web interface uses ERB / AJAX  GUI version now in development: 10

  11. Metasploit v3.0 – Opcode Database  Opcode DB has been enhanced  Online database of win32 DLL information  Stores the location of usable 'opcodes'  Multi-language support being expanded  Framework integration  New command-line tool for queries  Building an 'opcode pool' system  Automated return address updates  Combine this with fingerprinting... 11

  12. Metasploit v3.0 – Executable processing  msf pescan  Command-line tool for EXE processing  Discovers usable return addresses  Partially used to create the Opcode DB  Now handles Resources and TLBs  msf rpcscan  Extracts MIDL information from PE files  Creates boilerplate for new exploits  Still in development... 12

  13. Metasploit v3.0 – Exploit upgrades  Rewrite of all exploit modules  Massive number of bug fixes  Improved randomness, use of Mixins  Exploit module structure  Single exploit can target many platforms  Simplified the meta-information fields  Mixins can also modify exploit behavior  Target brute forcing  Passive exploits 13

  14. Metasploit v3.0 – Payload upgrades  Enhancements  Bug fixes and size improvements  New “cmd” modules, “php” payloads...  Meterpreter  Consolidation of standard modules  Wicked cool API and remote scripting # Process migration pid = client.sys.process['calc.exe'] client.core.migrate(pid) # Mirror the remote hard drive in one line client.fs.dir.download(“/tmp/”, “C:\\”, true) 14

  15. Metasploit v3.0 – Auxiliary modules  The problem...  Not all exploits fit into the standard structure  Recon modules overlapped with exploits  No standard for information sharing  Auxiliary modules  Catch-all for interesting security tools  Perform reconnaissance and reporting  Integrate with third-party utilities  Report data in a standard format 15

  16. Metasploit v3.0 – Events  Event callbacks for common operations  Sessions – new session, closed session  Sockets – new socket, new connection  Database – object creation, modification  Interface – console start, other UI actions  Event handlers hook and extend  Register with the EventManager  Export a method to hook the event  Catch the event, process the argument  Extend the object :-) 16

  17. Metasploit v3.0 – Plugins  The Ruby language rocks  Ability to redefine anything at runtime  Plugins can alter almost anything  Framework plugins  Extend and replace Framework code  Hook events and filter parameters  Simplify feature development  Examples:  Socket tracing and filtering  Multiuser exploit console 17

  18. Metasploit v3.0 – Database  Support for common databases  Postgres, SQLite, MySQL, etc.  Based on ActiveRecord from RoR :-)  Simplified API and thread-safety  Implementation defined by plugins  Monitor sockets with db_tracker.rb  Interact with the database (search, etc)  DB object creation/modification throws events  Persistent storage of session data  Reporting is just another plugin 18

  19. Metasploit v3.0 – Automation  Turning Metasploit into Nessus  Database backend provides “KB” function  Auxiliary modules for assessment/discovery  Event coordinator for triggering modules  Report generator uses the database  Development status  75% of the database schema  50% of the Auxiliary module API  Handful of discovery modules  Integration with Nessus/Nmap 19

  20. Metasploit v3.0 – Automation  Creating a professional mass-rooter  Auxiliary modules perform discovery  Exploit modules perform vuln checks  Plugins automate exploitation  Plugins automate post-exploitation  Dump XML reports via ActiveRecord  Useful framework for all security tools  Extensive protocol support, friendly API  Passive tools work well with event system  Most APIs are accessible from Rex 20

  21. Metasploit v3.0 – Evasion  Evasion is finally taken seriously  Evasion options now a separate class  Protocol stacks integrate IDS evasion  Mixins expose these to exploit modules  Strong evasion techniques  Multi-layered evasion defeats most solutions  Client-side attacks impossible to detect  WMF = HTTP + Compress + Chunked + JScript  Deep protocols offer so many options  LSASS = TCP + SMB + DCERPC 21

  22. Metasploit v3.0 – Evasion options Example evasion options TCP::max_send_size TCP::send_delay HTTP::chunked HTTP::compression SMB::pipe_evasion DCERPC::bind_multi DCERPC::alter_context 22

  23. Metasploit v3.0 – Evasion features  IPS fingerprinting  Implemented as Auxiliary modules  Use low-risk signature deltas to ID  Linux-based IPS depends on bridging...  IPS evasion  Configure an 'evasion profile'  Override exploit / evasion options  Uses per-IPS evasion techniques 23

  24. Metasploit v3.0 – Offensive IPS  IPS filtering for the attacker  Socket hooking plugins can filter data  Not all vendors encrypt their signatures  Lets create an application layer IPS :-)  The “ips_filter” plugin  Monitor all socket transactions  Block packets that would trigger a alert  Challenges  Signatures are often for decoded data  Formats are difficult to convert to RE 24

  25. Metasploit v3.0 – Status  Metasploit Framework v3.0-alpha-r3  User interfaces are still a bit rough  Module caching a huge improvement  Over half of the exploits are ported  Only support Linux / OS X / BSD  Should work with Cygwin...but not Native yet  Metasploit Framework v3.0-alpha-r4  Includes database, plugins, auxiliary modules  IPS detection features depend on time  Target release date is April 12th 25

  26. Metasploit v3.0 – Other Projects  Metasploit Research Toolkit (skape)  Standalone disassembler, emulator, mmu  eEye-style return detection, input tracing  Metasploit Anti Forensics Tools (vinnie)  Standalone tools, moving to meterp modules  Completely hoses Encase :-)  Miscellaneous small projects  IDARub – see it at RECon 2006 (spoonm)  Hamachi – publicly available (hdm) 26

  27. Metasploit v3.0 – Miscellaneous  Metasploit Framework License v1.0  Keep source code open, prevent abuse  Restricts commercial product integration  Free to use for commercial services  Metasploit / Hacker Foundation  Early stages, working on non-profit status  Pave the way for research grants  T-shirts, internships, educational material... 27

  28. Questions? Questions? Contact information: hdm[at]metasploit.com http://metasploit.com/projects/Framework/msf3/ http://metasploit.blogspot.com/ 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

2014 Welcome! AGENDA The Share Business concept, vision & strategies Operations

2014 Welcome! AGENDA The Share Business concept, vision & strategies Operations

AGM 2014 Welcome! AGENDA The Share Business concept, vision & strategies Operations The year in brief Summary THE SHARE Nasdaq OMX Stockholm Mid Cap Market cap 140602: 2 776 MSEK 14 107 (8 286) shareholders at

491 views • 28 slides
DESIGN EMPHASIS 2018 FINALISTS Design Emphasis 2018 Finalist Honorable Mention Commercial

DESIGN EMPHASIS 2018 FINALISTS Design Emphasis 2018 Finalist Honorable Mention Commercial

DESIGN EMPHASIS 2018 FINALISTS Design Emphasis 2018 Finalist Honorable Mention Commercial Furniture Mattie Hinkley Design Emphasis 2018 Finalist Merit Commercial Furniture Nicholas Iacobucci Design Emphasis 2018 Finalist Winner

389 views • 14 slides
Resilient Communities An initiative of 1 Mike Kazmierski President & CEO EDAWNs

Resilient Communities An initiative of 1 Mike Kazmierski President & CEO EDAWNs

Resilient Communities An initiative of 1 Mike Kazmierski President & CEO EDAWNs Economic Update Reno to Racine July 17, 2018 Overview Of Reno Growth THE NEW NEVADA What Is EDAWN Non-Profit That Leads Economic Development

373 views • 23 slides
Coolidge Corner Naming Process Presented by the Bee-lievers of Change Overview Overview In May

Coolidge Corner Naming Process Presented by the Bee-lievers of Change Overview Overview In May

Coolidge Corner Naming Process Presented by the Bee-lievers of Change Overview Overview In May 2018, Brookline Town Meeting Members voted to change the name of the Edward Devotion School. Changing the name reaffirms Brooklines

465 views • 28 slides
Environmental Issues Related to the Gas Industry Environmental Monitoring, Evaluation &

Environmental Issues Related to the Gas Industry Environmental Monitoring, Evaluation &

Environmental Issues Related to the Gas Industry Environmental Monitoring, Evaluation & Protection in NY: Linking Science & Policy Sept. 25, 2005 Diane Saber, Ph.D. Gas Technology Institute Des Plaines, IL Technology Development vs.

159 views • 13 slides
S B C STOCKHOLM BIOINFORMATICS CENTER arne@sbc.su.se Oral Presentation 2 Arne Elofsson S

S B C STOCKHOLM BIOINFORMATICS CENTER arne@sbc.su.se Oral Presentation 2 Arne Elofsson S

Oral and Written presentation techniques 1 Oral Presentation Techniques Preparation Tricks Delivery Easy rules Writing Techniques Organization Grammar Arne Elofsson S B C STOCKHOLM BIOINFORMATICS CENTER

487 views • 24 slides
Firefly Synchronization of ad- hoc networks Dr. Michael Emmerich Natural Computing Group

Firefly Synchronization of ad- hoc networks Dr. Michael Emmerich Natural Computing Group

Firefly Synchronization of ad- hoc networks Dr. Michael Emmerich Natural Computing Group Synchronizing using pulse-coupled oscillators: Fireflies, Heart, and Wireless Networks FIREFLIES SYNCHRONIZATION Simple Systems, Complex Behavior

342 views • 30 slides
How can researchers prepare to make the switch to open science? Associate Professor Siouxsie

How can researchers prepare to make the switch to open science? Associate Professor Siouxsie

How can researchers prepare to make the switch to open science? Associate Professor Siouxsie Wiles University of Auckland @SiouxsieW Who? blah blah blah. BACTERIA blah blah blah blah GLOW WORMS blah blah blah LEGO blah blah

685 views • 24 slides
(Exam Success and well- being) Exam Success Context Change curve Key dates

(Exam Success and well- being) Exam Success Context Change curve Key dates

Post 16 Study Skills (Exam Success and well- being) Exam Success Context Change curve Key dates Uncontrollables Sixth Form learning environment Staff said (practical tips) Students said Emotional Well-being

938 views • 57 slides
Road to Blended Learning How to use TCI Strategies in a Middle School Classroom Meet the

Road to Blended Learning How to use TCI Strategies in a Middle School Classroom Meet the

Road to Blended Learning How to use TCI Strategies in a Middle School Classroom Meet the Speakers! Dawn Smith Tom McClellan National Account Manager Customer Success Manager What Well Be Covering The Cooperative, Tolerant yet

347 views • 24 slides
RX J0806+15 and RX J1914+24: recent results and status Gavin Ramsay ( Armagh Observatory )

RX J0806+15 and RX J1914+24: recent results and status Gavin Ramsay ( Armagh Observatory )

RX J0806+15 and RX J1914+24: recent results and status Gavin Ramsay ( Armagh Observatory ) Overview of talk Remind you what they are! Recent observational work since Nijmegen Meeting. Modelling and theoretical work. Their current status. RX

683 views • 26 slides
FROM RESEARCH-LED TEACHING TO RESEARCH-LED LEARNING: EDUCATION FOR AN UNKNOWN FUTURE Emeritus

FROM RESEARCH-LED TEACHING TO RESEARCH-LED LEARNING: EDUCATION FOR AN UNKNOWN FUTURE Emeritus

FROM RESEARCH-LED TEACHING TO RESEARCH-LED LEARNING: EDUCATION FOR AN UNKNOWN FUTURE Emeritus Professor Angela Brew, Macquarie University Chair of ACUR Rising voices: young people fight for climate action Are you preparing students for this

345 views • 7 slides
THE PRESENTATION SECRETS OF STEVE JOBS: HOW TO BE INSANELY GREAT IN FRONT OF ANY AUDIENCE

THE PRESENTATION SECRETS OF STEVE JOBS: HOW TO BE INSANELY GREAT IN FRONT OF ANY AUDIENCE

THE PRESENTATION SECRETS OF STEVE JOBS: HOW TO BE INSANELY GREAT IN FRONT OF ANY AUDIENCE Download Free Author: Carmine Gallo Number of Pages: 271 pages Published Date: 01 Sep 2016 Publisher: McGraw-Hill Education - Europe Publication

361 views • 4 slides
I am Ferdie and I am Hilarys eldest grandchild. I have a sister Aurora who is 3 and a cousin

I am Ferdie and I am Hilarys eldest grandchild. I have a sister Aurora who is 3 and a cousin

I am Ferdie and I am Hilarys eldest grandchild. I have a sister Aurora who is 3 and a cousin Ronja who is also 3. My granny looked after me before I went to school and now she looks after the two little girls every Wednesday. I made this

366 views • 21 slides
2016 BPC Update 287-2731 www.thinkfirstspraylast.org pesticides@maine.gov What I plan to cover

2016 BPC Update 287-2731 www.thinkfirstspraylast.org pesticides@maine.gov What I plan to cover

2016 BPC Update 287-2731 www.thinkfirstspraylast.org pesticides@maine.gov What I plan to cover Rule and staff changes Ag Basic reminder Storm water sampling results Pollinator protection plan Upcoming WPS changes Whos

599 views • 47 slides
Using DNA from many samples to distinguish pedigree relationships of close relatives Amy L.

Using DNA from many samples to distinguish pedigree relationships of close relatives Amy L.

Using DNA from many samples to distinguish pedigree relationships of close relatives Amy L. Williams @amythewilliams February 24, 2020 Family History Technology Workshop Massive datasets: Many close relatives / small pedigrees >100,000

474 views • 21 slides
Interventions for patients with suicidal ideation Dr. Eduardo Chachamovich, MD, PhD Associate

Interventions for patients with suicidal ideation Dr. Eduardo Chachamovich, MD, PhD Associate

Interventions for patients with suicidal ideation Dr. Eduardo Chachamovich, MD, PhD Associate Professor, Department of Psychiatry McGill Medical Director Northern Mental Health Program, Douglas University Mental Health Institute Overview 1.

444 views • 21 slides
PRO WPF 4.5 IN VB: WINDOWS PRESENTATION FOUNDATION IN .NET 4.5 Download Free Author: Matthew

PRO WPF 4.5 IN VB: WINDOWS PRESENTATION FOUNDATION IN .NET 4.5 Download Free Author: Matthew

PRO WPF 4.5 IN VB: WINDOWS PRESENTATION FOUNDATION IN .NET 4.5 Download Free Author: Matthew MacDonald Number of Pages: 1104 pages Published Date: 03 Dec 2012 Publisher: Springer-Verlag Berlin and Heidelberg GmbH & Co. KG Publication

197 views • 3 slides
A BPA Biosensor A BPA Biosensor The Bisphenolics : Jason Gardiner, Saul Godkewitsch, Benny Hung,

A BPA Biosensor A BPA Biosensor The Bisphenolics : Jason Gardiner, Saul Godkewitsch, Benny Hung,

A BPA Biosensor A BPA Biosensor The Bisphenolics : Jason Gardiner, Saul Godkewitsch, Benny Hung, Christopher Kelly, David Lancaster, Anthony Lott, Justin Pahara, Kelly Robinson, Tom Tran, Winnie Xu, Saima Zamir Our Advisors: James Maclagan,

701 views • 36 slides
Catalogue-presentation Our company LLC Siberian Ecological Products (Russia) is exporting

Catalogue-presentation Our company LLC Siberian Ecological Products (Russia) is exporting

Catalogue-presentation Our company LLC Siberian Ecological Products (Russia) is exporting ecological food products grown in the territory of the Altai Mountains and Siberian taiga. It should be noted that truly unique ecosystem has survived in

517 views • 13 slides
Turkish Grain Update 2017/18 19 April 2018 Faik Gen AgriPro Limited Main Topics 1. Turkey 2.

Turkish Grain Update 2017/18 19 April 2018 Faik Gen AgriPro Limited Main Topics 1. Turkey 2.

Turkish Grain Update 2017/18 19 April 2018 Faik Gen AgriPro Limited Main Topics 1. Turkey 2. Grains Supply & Demand 3. Turkish Wheat Product Exports 4. Russia-Turkey Trade War 5. Conclusions Turkey Turkey Fact File Population: 80.5

467 views • 35 slides
FLORAL MERCHANDISING PRESENTED BY: STACY McCOY CONTINENTAL FLOWERS Confidential Information of

FLORAL MERCHANDISING PRESENTED BY: STACY McCOY CONTINENTAL FLOWERS Confidential Information of

FLORAL MERCHANDISING PRESENTED BY: STACY McCOY CONTINENTAL FLOWERS Confidential Information of Continental Flowers Page 1 9/8/2020 MERCHANDISING GOALS Merchandising: the activity of promoting the sale of goods, especially by their

493 views • 18 slides
Potash With Purpose Leading the way to sustainable food security. TSXV:GSP July 2020

Potash With Purpose Leading the way to sustainable food security. TSXV:GSP July 2020

TSX: GSP Potash With Purpose Leading the way to sustainable food security. TSXV:GSP July 2020 gensourcepotash.ca Caution Regarding Forward-Looking Statements TSX: GSP This presentation does not constitute and offer to sell, will meet

515 views • 32 slides
Larry Clinton President Internet Security Alliance lclinton@isalliance.org 703-907-7028

Larry Clinton President Internet Security Alliance lclinton@isalliance.org 703-907-7028

Larry Clinton President Internet Security Alliance lclinton@isalliance.org 703-907-7028 202-236-0001 Larry Clinton President ISA Former Academic came to DC in mid-80s Legislative Director for Chair Congressional Internet Committee

497 views • 47 slides

More recommend