
Unmanned Aerial Vehicles Exploit Automation with the Metasploit - PowerPoint PPT Presentation



  1. Unmanned Aerial Vehicles: Exploit Automation with the Metasploit Framework
  James Lee

  2. # whoami
  ● James Lee
  ● egypt
  ● Core Developer, Metasploit Project
  ● Working full time on Metasploit for 2

  3. Overview
  ● User Interface
  ● Scanning for Servers
  ● Fingerprinting Clients
  ● Exploiting Servers
  ● Exploiting Clients
  ● Post-Exploitation

  4. Automating msfconsole
  ● Resource files
    ● A list of commands to be run in sequence
    ● Can be anything you would type at the msf> prompt
  ● setg
  ● save

  5. Resource files
  ● $ ./msfconsole -r foo.rc
  ● msf> resource foo.rc
  ● ~/.msf3/msfconsole.rc
    ● Loaded on startup

  6. Example Resource File
    setg RHOSTS 10.1.1.1-254
    setg USERNAME Administrator
    setg PASSWORD password
    use auxiliary/scanner/smb/smb_login
    run
    use auxiliary/scanner/telnet/telnet_login
    run

  7. SERVERS

  8. Scanning
  ● Have to find servers before you can exploit them
  ● Metasploit has several ways to do this
    ● Run nmap and nexpose directly from the console
    ● Import other tools' output
    ● MSF built-in scanners (auxiliary/scanner/*)
  (image: Israeli Orbiter, surveillance UAV)

  9. nmap
  ● Two options:
    ● Run nmap normally with -oX and use db_import to store the results
    ● db_nmap command will run nmap and handle the import for you
  ● Either way, results get stored in the database

  10. Nexpose
  ● nexpose_scan
  ● db_import
  ● If you have a Community license (free), limited to 32 IP addresses at a time
    ● Msf will scan the whole range in 32-address chunks

  11. Nexpose
  ● Also stores vulnerability references
    ● CVE, BID, …
  ● Without these, figuring out which exploits to run can be more difficult
  ● Can be used to launch exploits as well

  12. MSF Built-in Scanning
  ● Implemented as auxiliary modules
    ● Aux is like an exploit without a payload
  ● Usage similar to exploits
  ● Can go through meterpreter routes
  (image: FanWing Surveillance Platform)

  13. Faster Setup
  ● RHOSTS can be nmap-notation or "file:<filename>"
  ● File should contain nmap-notation address ranges
  ● e.g.: 10.1.1.2,5,7-254 10.2.2.* 10.3.3.0/24
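Added example, not the talk's or Metasploit's own code: a Ruby expander for the nmap-style RHOSTS notation on the slide above, including the file: form, which is handy for checking exactly which addresses a range covers before any scan is started.

```ruby
# Expands nmap-style target notation into individual IPv4 addresses:
# per-octet comma lists and ranges ("10.1.1.2,5,7-254"), wildcards
# ("10.2.2.*") and CIDR ("10.3.3.0/24"). A "file:<name>" value reads
# one or more such ranges, whitespace-separated, from that file.
# Written for this page; it is not the framework's own Rex parser.
require 'ipaddr'

def expand_octet(spec)
  # "2,5,7-254" -> [2, 5, 7, 8, ..., 254]; "*" -> 0..255
  return (0..255).to_a if spec == '*'
  spec.split(',').flat_map do |part|
    lo, hi = part.split('-', 2)
    hi ||= lo
    lo, hi = Integer(lo, 10), Integer(hi, 10)
    unless (0..255).cover?(lo) && (0..255).cover?(hi) && lo <= hi
      raise ArgumentError, "bad octet range #{part.inspect}"
    end
    (lo..hi).to_a
  end
end

def expand_target(spec)
  if spec.include?('/')
    # CIDR: every address in the block, network and broadcast included
    return IPAddr.new(spec).to_range.map(&:to_s)
  end
  octets = spec.split('.', 4)
  raise ArgumentError, "expected 4 octets in #{spec.inspect}" unless octets.size == 4
  a, b, c, d = octets.map { |o| expand_octet(o) }
  # cartesian product of the four octet lists, in address order
  a.product(b, c, d).map { |parts| parts.join('.') }
end

def expand_rhosts(value)
  specs = if value.start_with?('file:')
            File.read(value.sub('file:', '')).split   # whitespace-separated ranges
          else
            value.split
          end
  specs.flat_map { |s| expand_target(s) }.uniq
end
```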

  14. Faster Scanning
  ● set THREADS 256
    ● Windows freaks out after 16 threads
    ● Cygwin doesn't handle more than about 200
    ● Linux? Go to town.
  ● Caveat: tunneling through meterpreter

  15. Selected Scanners
  ● Informational
    ● smb_version
    ● netbios/nbname
  ● Pwnage
    ● smb_login
    ● telnet_login
    ● mssql_login
    ● vnc_none_auth

  16. Server Exploits
  ● The bulk of msf's exploit modules
    ● 385 as of Jan 9
  ● Many protocols implemented in an exploit-friendly way
    ● smtp, imap, http, smb, dcerpc, sunrpc, ftp, …
  ● Wide range of protocol-level IDS evasions

  17. Automatically Exploiting Servers
  ● db_autopwn
  ● NeXpose plugin

  18. db_autopwn
  ● Need to have targets stored in the db
  ● If vulnerability references are available, can cross-reference against specific hosts
  ● Can just use matching ports if you don't have refs
  ● Checks global MinimumRank to limit exploits to a particular safety level

  19. NeXpose
  ● Scan, detect, exploit all in one command
    ● nexpose_scan -x <host range>
      1. Populates the db with hosts, services, vulns
      2. Cross-references vulns and exploits
      3. Throws exploits at vulnerable servers
  ● Has the potential to give you tons of shells
  ● Can take a long time for lots of hosts
  ● Uses MinimumRank as well
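Added example, written for this page rather than taken from db_autopwn: the matching step that slides 18 and 19 describe, run over constructed hosts and modules (module names and CVE/BID ids are placeholders), showing how reference matching, the port-only fallback and the MinimumRank safety floor combine to decide what would be selected.

```ruby
# Metasploit's module rank scale, reproduced here so the threshold is explicit.
RANKS = { manual: 0, low: 100, average: 200, normal: 300,
          good: 400, great: 500, excellent: 600 }.freeze

# Constructed sample data. Module names and reference ids are placeholders,
# not real modules or advisories.
MODULES = [
  { name: 'exploit/example/smb_one',  port: 445, rank: :great,  refs: %w[CVE-0000-0001 BID-00001] },
  { name: 'exploit/example/smb_two',  port: 445, rank: :manual, refs: %w[CVE-0000-0002] },
  { name: 'exploit/example/http_one', port: 80,  rank: :good,   refs: %w[CVE-0000-0003] },
].freeze

HOSTS = [
  # imported from a Nexpose scan: open ports plus vulnerability references
  { addr: '10.1.1.5', ports: [445, 80], refs: %w[CVE-0000-0001 CVE-0000-0002] },
  # imported from nmap only: ports, but no references to match on
  { addr: '10.1.1.6', ports: [445],     refs: [] },
].freeze

# Returns [[host_addr, module_name], ...] for every host/module pair that
# would be selected. Modules below minimum_rank are dropped first; a host
# with references is matched on shared references, a host without them
# falls back to matching on the module's port (if allow_port_match).
def autopwn_matches(hosts, modules, minimum_rank: :normal, allow_port_match: true)
  floor = RANKS.fetch(minimum_rank)
  safe_enough = modules.select { |m| RANKS.fetch(m[:rank]) >= floor }
  hosts.flat_map do |host|
    safe_enough.map do |m|
      matched = if host[:refs].empty?
                  allow_port_match && host[:ports].include?(m[:port])
                else
                  (host[:refs] & m[:refs]).any?
                end
      [host[:addr], m[:name]] if matched
    end.compact
  end
end
```

With the defaults the manual-ranked module is never selected, and the nmap-only host is only reachable through the port fallback; turning that fallback off leaves a single reference-backed match.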

  20. CLIENTS

  21. Client Fingerprinting
  ● User Agent
    ● Easy to spoof
    ● Easy to change in a proxy
    ● Some third-party software changes it
    ● Less often changed in JavaScript

  22. Fingerprinting the Client
  ● Various JS objects only exist in one browser
    ● window.opera, Array.every
  ● Some only exist in certain versions
    ● window.createPopup, Array.every, window.Iterator
  ● Rendering differences and parser bugs
    ● IE's conditional comments

  23. Internet Explorer
  ● Parser bugs, conditional comments
    ● Reliable, but not precise
  ● ScriptEngine*Version()
    ● Almost unique across all combinations of client and OS, including service pack
  ● ClientCaps

  24. Opera
  ● window.opera.version()
    ● Includes minor version, e.g. "9.61"
  ● window.opera.buildNumber()
    ● Different on each platform for a given version
    ● e.g.: "8501" == Windows
    ● Not precise, only gives platform, no version or service pack

  25. Hybrid Approach for FF
  ● Existence of document.getElementsByClassName means Firefox 3.0
  ● If UA says IE6, go with FF 3.0
  ● If UA says FF 3.0.8, it's probably not lying, so use the more specific value

  26. Firefox OS Detection
  ● Most of the objects used in standard detection scripts are affected by the User-Agent
    ● E.g., when spoofing as iPhone, navigator.platform = "iPhone"
  ● navigator.oscpu is not
    ● "Linux i686"
    ● "Windows NT 6.0"

  27. Safari / Webkit
  ● Infuriatingly standards compliant in JS
  ● Can detect its existence easily
    ● window.WebkitPoint, many others
  ● Most Safari-specific stuff has been around since 1.2, so not useful for version detection

  28. Chrome / Webkit
  ● Same javascript engine as Safari
  ● So far, no easy way to change UA
  ● navigator.vendor is always "Google Inc."

  29. Client Exploits in MSF
  ● Extensive HTTP support
    ● Heapspray in two lines of code
    ● Sotirov's .NET DLL, heap feng shui
  ● Wide range of protocol-level IDS evasion
  ● Simple exploit in ~10 lines of code

  30. Automatically Exploiting Clients
  ● Browser Autopwn
    ● Auxiliary module
    ● I spoke about this at Defcon in 2009
  ● Fingerprints a client
  ● Stores detection in the database
  ● Determines what exploits might work
    ● Uses MinimumRank, too
  ● Tries the ones most likely to succeed

  31. Advantages of Browser Autopwn
  ● OS and client detection is client-side, more reliable in presence of spoofed or broken UA
  ● Detection results automatically stored in the database
  ● Not written in PHP
    ● PHP sucks

  32. Browser Autopwn Usage
    msf> use auxiliary/server/browser_autopwn
    msf (browser_autopwn)> set URIPATH /
    msf (browser_autopwn)> set EXCLUDE opera
    msf (browser_autopwn)> set MATCH .*
    msf (browser_autopwn)> run
    [*] Starting exploit modules on host 10.1.1.1...
    [*] ---

  33. Automating Users
  ● Browser Autopwn automates the exploits, but how do we get users to come to our evil web server?

  34. Karmetasploit
  ● Wireless Access Point of Doom
  ● Using aircrack-ng, appears to be every access point that anybody probes for
    ● "Why, yes, I am Office_WiFi, please connect"
  ● Lets you control the route, the DNS, everything
    ● "Yup, I'm your internal web server. And your email server. And your file server. And..."

  35. More on Karma
  ● Actually about 5 years old
  ● It still works amazingly well
  ● More info about getting it working is on our wiki:
    http://www.metasploit.com/redmine/projects/framework/wiki/Karmetasploit

  36. Assagai
  ● Complete phishing framework
  ● Uses Metasploit exploits and payloads
  ● Gathers other statistics
  ● Has common email templates


  40. Metaphish
  ● Use the target's public information against them
  ● See valsmith, Colin, and dkerb's talk from BH USA 2009

  41. Automating Post-exploitation
  ● Meterpreter scripts
    ● set AutoRunScript <script name>
  ● Plugins
    ● Can be auto loaded at startup with resource files

  42. Meterpreter scripts
  ● Just a ruby script
  ● Easy to write, lots of flexibility
  ● Access to Meterpreter API

  43. Meterpreter API
  ● Core + Extensions
  ● Core is basic, mostly useful for loading extensions
  ● Current extensions:
    ● Stdapi
    ● Priv, Incognito
    ● Espia
    ● Sniffer

  44. Meterpreter Stdapi: process
  ● client.sys.process
    ● Acts like a Hash, where keys are image names and values are process IDs
  ● client.sys.process['explorer.exe']
    ● => 1408

  45. Meterpreter Stdapi: memory
    p = client.sys.process.open(pid, PROCESS_ALL_ACCESS)
    addr = p.memory.allocate(length)
    p.memory.write(addr, "stuff")
    p.thread.create(addr)

  46. Meterpreter Stdapi: filesystem
  ● client.fs.file.upload_file(dest, source)
  ● client.fs.file.download_file(dest, source)
  ● client.fs.file.expand_path("%TEMP%")

  47. Priv and Incognito
  ● Stuff that requires privileges, SYSTEM preferred
  ● Priv
    ● Dump hashes, alter file MACE
  ● Incognito
    ● List impersonation/delegation tokens

  48. Espia
  ● client.espia.espia_image_get_dev_screen
    ● Returns a bitmap as a String
    ● From commandline, 'screenshot' stores to file
  ● client.espia.espia_audio_get_dev_audio
    ● No command for this yet, only available from API

  49. Meterpreter Sniffer
  ● client.sniffer.capture_start
    ● Starts capturing
  ● client.sniffer.capture_dump
    ● Puts the captured packets into a buffer we can read
  ● client.sniffer.capture_dump_read
    ● Reads from the buffer

  50. Sniffer caveat
  ● The packet format isn't standard, so we have to convert it to PCAP to be useful
  ● Console command does it for you
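Added example, not the console command's own conversion code: the talk does not describe the sniffer's buffer layout, so this starts from packets already split into (timestamp, bytes) pairs and shows the PCAP side of slide 50, the libpcap global header and per-packet records that standard capture tools expect.

```ruby
# Minimal libpcap (pcap, not pcapng) writer. Everything is little-endian,
# link type 1 is Ethernet. Written for this page; it is not Metasploit's code.
PCAP_MAGIC    = 0xa1b2c3d4   # standard magic, microsecond timestamps
PCAP_LINKTYPE = 1            # LINKTYPE_ETHERNET
PCAP_SNAPLEN  = 65535

def pcap_global_header
  # magic, version major/minor (2.4), thiszone, sigfigs, snaplen, linktype
  [PCAP_MAGIC, 2, 4, 0, 0, PCAP_SNAPLEN, PCAP_LINKTYPE].pack('Vvvl<VVV')
end

def pcap_record(time, data)
  orig = data.bytesize
  data = data.byteslice(0, PCAP_SNAPLEN)   # incl_len may be shorter than orig_len
  # ts_sec, ts_usec, incl_len, orig_len, then the bytes themselves
  [time.to_i, time.usec, data.bytesize, orig].pack('VVVV') + data
end

# packets: array of [Time, binary String]; returns the complete file contents
def to_pcap(packets)
  packets.inject(pcap_global_header) { |out, (t, d)| out + pcap_record(t, d) }
end

# Constructed sample: two minimal Ethernet frames with made-up timestamps,
# not real captured traffic.
SAMPLE_PACKETS = [
  [Time.at(1262995200, 0),      ([0x00] * 12 + [0x08, 0x00] + [0x45] * 10).pack('C*')],
  [Time.at(1262995200, 250000), ([0xff] * 6 + [0x00] * 6 + [0x08, 0x06] + [0x00] * 28).pack('C*')],
].freeze

def write_sample_pcap(path)
  bytes = to_pcap(SAMPLE_PACKETS)
  File.binwrite(path, bytes)
  bytes.bytesize
end
```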
