Open Source Cyber Weaponry
HD Moore, Rapid7/Metasploit

Published in: Technology
Comment: Mil-OSS WG2: Open Source Cyber Weaponry from Joshua L. Davis on Vimeo (Vimeo clip 14172196).
Transcript of "Open Source Cyber Weaponry"

  1. Open Source Cyber Weaponry

  2. [introduction]
     Chief Security Officer; Founder & Chief Architect

  3. [background] Perspective
     • 15 years of software development
     • 12 years of penetration testing
     • Involved in OSS since 1995
     • Ex-USAF contractor

  4. [1999] Military contracting circa 1999
     • Ultra-secretive and ultra-competitive
     • Teams furiously reinventing wheels
     • Open source was still “sketchy”
     • Little code sharing

  5. [1999] Security tools circa 1999
     • Vulnerability scanning was still edgy
     • Penetration testing 100% manual
     • Offensive tools in their infancy
     • No comprehensive exploit toolkits
     • Teams hoarded modified public code

  6. [1999] “Cyber Weapons” circa 1999
     • Shatter-your-drive-remotely stuff
     • Scary words and half-truths
     • Focused on DE, EMPs, etc.

  7. [boom]

  8. [today] Military contracting today
     • Still ultra-secretive and ultra-competitive
     • Still reinventing well-defined wheels
     • Offense is becoming acceptable
     • More use of open-source code
     • Better-informed customers

  9. [today] Security tools today
     • Vulnerability scanning is well understood
     • Penetration test automation is growing
     • Tons of commercial and OSS tools
     • Exploit code has been productized
     • Wide array of niche tools

  10. [today] “Cyber Weapons” today
      • Term usually reserved for offensive tools
      • Tons of contractors working on these
      • Similar requirements to commercial
      • No longer far from reality

  11. [cyber weapons] Offensive cyber tools
      • Common goals
        • Permissions and accountability
        • Usable by lightly-trained staff
        • Great attack visualization
        • Multiple tool integration
        • Modular design
      • Non-commercial projects exist (NETT)
      • Integration with defense is important

  12. [cyber weapons] Offensive components
      • Reconnaissance
      • Attack Vectors
      • Payloads
      • Control
      • Data

  13. [cyber weapons] The “cyber” sniff test
      • How portable is the target-facing software?
      • How do they add new exploit vectors?
      • How much is written in Java?
      • How big is their exploit team?
      • How big is their payload team?
      • How do they handle stealth?
      • Who are their security experts?
      • Does it work on real networks?
      • What targets are supported?
      • What OSS does it use?

  14. [cyber weapons] The Open Source requirement
      • Costs scale poorly with commercial dependencies
      • OSS security tools adapt faster
      • OSS provides transparency
      • OSS tools set a minimum bar

  15. [cyber weapons] Open Source components
      • Nmap for host & service detection
      • Snort or Suricata for traffic analysis
      • Metasploit for exploits and payloads
      • DRADIS for notes and reporting
      • Linux, PostgreSQL, Apache
      • Ruby, Perl, Python, PHP

  16. [metasploit] The Metasploit Framework
      • Created in the summer of 2003
      • An exploit development platform
      • Licensed under New BSD
      • Popular and gigantic
      • Over 450,000 lines of code
      • Over 100,000 users/month
      • ~600 exploit modules
      • ~200 payloads

  17. [metasploit] architecture
      TOOLS
      LIBRARIES: Rex, MSF Core, MSF Base
      INTERFACES: Console, CLI, RPC, GUI
      PLUGINS
      MODULES: Payloads, Exploits, Encoders, Nops, Aux

  18. [metasploit] Lego, for network attacks
      • Choose a specific exploit module
      • Choose a compatible payload
      • Configure options
      • Launch!

  19. [metasploit] msfconsole banner (ASCII-art logo not reproduced)
      =[ metasploit v3.4.2-dev [core:3.4 api:1.0]
      + -- --=[ 578 exploits - 296 auxiliary
      + -- --=[ 212 payloads - 27 encoders - 8 nops
      =[ svn r9949 updated today (2010.08.03)
      msf >

  20. [metasploit] Advantages of a modular design
      • Extend the framework with proprietary modules
      • Use your payloads with our exploits
      • Use our payloads with your exploits
      • Split work by classification level

  21. [metasploit] Automation with Metasploit
      • Create resource scripts with embedded Ruby
      • Create console plugins to add commands
      • Create new modules to drive a process
      • Call Ruby directly from the console prompt
      • Talk to the built-in XMLRPC daemon

  22. [metasploit] Platform requirements
      • Any recent Windows, BSD, or Linux
      • Ruby 1.8.7+ (including 1.9.x)
      • OpenSSL

  23. [metasploit] Exploit coverage
      • Linux (x86, ARM, MIPS, PowerPC)
      • Windows (x86, x64)
      • OS X (ARM, PowerPC, x86)
      • Solaris (x86, SPARC)
      • AIX (PowerPC)
      • IRIX (MIPS)
      • Java
      • PHP

  24. [metasploit] Payload features
      • The Meterpreter (Win32, PHP, Java)
        • Encrypted control channels
        • Extensible at runtime
        • Full OS control
        • Scriptable
      • Staged and unstaged command shells
      • Ruby-based C / ASM compiler
      • Post-exploitation scripting

  25. [metasploit] Additional modules
      • Over 200 modules for information gathering
      • Scan large networks for data leaks
      • Exploit logic bugs for access
      • Capture data from clients
      • Find new flaws

  26. [metasploit] Database support
      • Automatically store all gathered data
      • Track all events (commands, sessions)
      • Easily build reports from this data

  27. [metasploit capabilities] Stealth and evasion
      • Exploits and payloads are randomized
      • Exploits use custom protocol stacks
      • Low-level SMB, HTTP, RPC control
      • Timing and fragment evasion
      • Payloads never write to the disk
      • Limited forensic footprint
      • Simple to control

  28. [metasploit capabilities] Full support for IPv6
      • Complete socket support and payloads
      • Great for compromising link-local IPs
      • Works great with real IPv6 links

  29. [metasploit capabilities] Infinitely customizable
      • Ruby lends itself to a flexible object model
      • Modify any code via loadable plugins
      • Override specific libraries

  30. [metasploit capabilities] Instant remote desktop hijack
      • Use the “vncinject” payload with any exploit
      • Instantly gain desktop access to the target
      • Even on logged-off systems

  31. [metasploit capabilities]

  32. [metasploit capabilities] Relay attacks through targets
      • Use the “meterpreter” payload type
      • Launch the exploit, gain a session
      • Set a route for the target’s network
      • Launch exploits from the first target
      • Working with Windows, PHP, Java

  33. [metasploit capabilities] Dump and pass Windows hashes
      • Dump the hashes from a Win32 target
      • Use any hash as the SMB password
      • Provides “psexec” to other targets
      • Uses our custom SMB protocol stack

  34. [metasploit capabilities] Search for and acquire evidence
      • Meterpreter scripts for find & download
      • Gather passwords and sensitive docs
      • Works for all Meterpreter platforms

  35. [metasploit capabilities] Interact with targeted users
      • Determine whether the user is idle
      • Install a hotkey hook inside of Winlogon
      • Force-lock the user’s desktop
      • Read the captured password

  36. [metasploit express] Metasploit Express
      • Commercial product from Rapid7
      • Not a fork, but a direct extension
      • Built by the same core team
      • Pays for OSS development
      • Uses the open APIs

  37. [metasploit examples] Mined the public NTP servers
      • Discovered over 21m NTP client systems
      • Resulted in a great map of infrastructure
      • Identified a potential 20Gbps DDoS risk
      • A single Metasploit module + console

  38. [metasploit examples] Scanned 3.1 billion IPs
      • Identifying vulnerable VxWorks devices
      • Resulted in a 100+ vendor CERT advisory
      • Also a single Metasploit module
      • Took 3 days and $19

  39. [summary] Cyber is what you make of it
      • Most of the parts exist in OSS
      • Metasploit is easy to build on
      • Free to use, free to extend

  40. [questions] Questions? hdm@metasploit.com
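Slides 18 and 20 describe the framework as Lego: pick an exploit module, then a payload that is compatible with it, and the modular design lets third-party exploits and payloads mix freely. The following Ruby program is an added illustration of what "compatible" means in such a design; it is not Metasploit's own code. It models the checks a framework has to make before pairing the two (target platform, CPU architecture, the space the exploit has for a payload, and bytes the exploit cannot deliver) over a constructed catalogue whose module names, sizes and byte strings are invented for the example.

```ruby
# Added example (not Metasploit code): how a modular framework decides which
# payloads fit a given exploit module. All module definitions below are
# constructed for illustration; names, sizes and bytes are not real modules.

ExploitModule = Struct.new(:name, :platform, :arch, :payload_space, :bad_chars,
                           keyword_init: true)
PayloadModule = Struct.new(:name, :platform, :arch, :size, :bytes,
                           keyword_init: true)

# Constructed exploit catalogue. payload_space is the number of bytes the
# exploit can place; bad_chars are bytes the delivery path would mangle.
EXPLOITS = [
  ExploitModule.new(name: "exploit/windows/demo_overflow", platform: "windows",
                    arch: "x86", payload_space: 300, bad_chars: "\x00\x0a".b),
  ExploitModule.new(name: "exploit/linux/demo_service", platform: "linux",
                    arch: "x86", payload_space: 1024, bad_chars: "\x00".b),
].freeze

# Constructed payload catalogue. A nil platform/arch means "fits anything",
# the way a generic payload would.
PAYLOADS = [
  PayloadModule.new(name: "windows/x86/demo_reverse_tcp", platform: "windows",
                    arch: "x86", size: 314, bytes: "\x90\x90".b),
  PayloadModule.new(name: "windows/x86/demo_staged_reverse_tcp", platform: "windows",
                    arch: "x86", size: 290, bytes: "\x90\x90".b), # small first stage
  PayloadModule.new(name: "windows/x64/demo_reverse_tcp", platform: "windows",
                    arch: "x64", size: 400, bytes: "\x90".b),
  PayloadModule.new(name: "linux/x86/demo_reverse_tcp", platform: "linux",
                    arch: "x86", size: 68, bytes: "\x31\xc0".b),
  PayloadModule.new(name: "generic/demo_reverse_tcp", platform: nil,
                    arch: nil, size: 150, bytes: "\x90\x0a".b),
].freeze

# Returns nil when the payload can be paired with the exploit, otherwise a
# symbol naming the first check that failed.
def reject_reason(exploit, payload)
  return :platform_mismatch if payload.platform && payload.platform != exploit.platform
  return :arch_mismatch     if payload.arch && payload.arch != exploit.arch
  return :too_large         if payload.size > exploit.payload_space
  # A payload containing one of the exploit's bad characters would need an
  # encoder module (slide 17 lists Encoders); here it is reported as a reject.
  if payload.bytes.each_char.any? { |c| exploit.bad_chars.include?(c) }
    return :bad_chars
  end
  nil
end

# Names of the payloads the framework would offer for this exploit, sorted.
def compatible_payloads(exploit, payloads = PAYLOADS)
  payloads.select { |p| reject_reason(exploit, p).nil? }.map(&:name).sort
end

# Full decision table: payload name => :ok or the rejection reason.
def compatibility_report(exploit, payloads = PAYLOADS)
  payloads.to_h { |p| [p.name, reject_reason(exploit, p) || :ok] }
end

if __FILE__ == $PROGRAM_NAME
  EXPLOITS.each do |e|
    puts "#{e.name} (#{e.platform}/#{e.arch}, #{e.payload_space} bytes):"
    compatibility_report(e).each { |name, why| puts "  #{name.ljust(38)} #{why}" }
  end
end
```

The same four checks are what let "your payloads" work with "our exploits" in slide 20: as long as a payload declares its platform, architecture and size, the framework can pair it with any exploit without knowing where it came from.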
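Slide 15 names Nmap as the host and service detection component and slide 26 describes the database side: gathered data is stored automatically and reports are built from it. The Ruby program below is an added example, not Metasploit or Nmap code, of that pipeline in miniature: it parses Nmap's grepable (-oG) output format into an in-memory host/service store and builds a report from it. The scan lines are constructed sample data with documentation addresses, not a real scan, and the store layout is this example's own, not the framework's schema.

```ruby
# Added example (not Metasploit or Nmap code): ingest Nmap grepable output
# into an in-memory store and build a report from the stored data.
# SAMPLE_GNMAP is constructed sample input in Nmap's -oG line format
# (fields are tab-separated; ports are port/state/proto/owner/service/rpc/version/).

SAMPLE_GNMAP = <<~GNMAP
  # Nmap scan initiated (constructed sample)
  Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.3/, 80/open/tcp//http//Apache httpd 2.2.3/\tIgnored State: closed (998)
  Host: 192.0.2.11 (fileserver)\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///
  Host: 192.0.2.12 ()\tStatus: Down
  # Nmap done (constructed sample)
GNMAP

Service = Struct.new(:host, :port, :proto, :state, :name, :version, keyword_init: true)

# Parse -oG text into { hosts: {addr => {...}}, services: [Service, ...] }.
def parse_gnmap(text)
  store = { hosts: {}, services: [] }
  text.each_line do |line|
    next unless line.start_with?("Host: ")
    fields = line.chomp.split("\t")
    addr, hostname = fields.first.match(/\AHost: (\S+) \((.*)\)\z/).captures
    host = store[:hosts][addr] ||= { addr: addr, hostname: hostname, up: false }
    fields.drop(1).each do |field|
      key, value = field.split(": ", 2)
      case key
      when "Status"
        host[:up] = (value == "Up")
      when "Ports"
        host[:up] = true # a Ports field only appears for hosts that responded
        value.split(", ").each do |entry|
          port, state, proto, _owner, name, _rpc, version = entry.split("/", -1)
          store[:services] << Service.new(
            host: addr, port: port.to_i, proto: proto, state: state,
            name: name.empty? ? nil : name,
            version: version.to_s.empty? ? nil : version
          )
        end
      end
    end
  end
  store
end

def open_services(store)
  store[:services].select { |s| s.state == "open" }
end

# service name => sorted "addr:port" list, to see where each service is exposed.
def service_summary(store)
  open_services(store)
    .group_by { |s| s.name || "unknown" }
    .transform_values { |svcs| svcs.map { |s| "#{s.host}:#{s.port}" }.sort }
end

# Human-readable per-host report built from the stored data.
def report(store)
  lines = []
  store[:hosts].each_value do |h|
    label = h[:hostname].empty? ? h[:addr] : "#{h[:addr]} (#{h[:hostname]})"
    lines << "#{label} [#{h[:up] ? 'up' : 'down'}]"
    open_services(store).select { |s| s.host == h[:addr] }.each do |s|
      lines << "  #{s.port}/#{s.proto} #{s.name}#{s.version ? " (#{s.version})" : ''}"
    end
  end
  lines.join("\n")
end

if __FILE__ == $PROGRAM_NAME
  store = parse_gnmap(SAMPLE_GNMAP)
  puts report(store)
  puts
  service_summary(store).each { |name, where| puts "#{name}: #{where.join(', ')}" }
end
```

Feeding real -oG files to parse_gnmap is the "automatically store" step; service_summary and report are the "build reports" step, and both work only from what was stored, which is the property that makes a scan database useful for inventory and review after the fact.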