Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
“If you don’t think you’re anewb, then you’re not tryinghard enough”-   HD Moore
Post-exploitation
Endless Possabilities
 Goto Payload for Windows DLL, compiled C Usually injected into process  memory Enhanced CMD shell Provides basic pos...
 Often run with SYSTEM Privs Can be migrated into a user’s process
 Railgun is an extension to  the Meterpreter STDAPI Allows Arbitrary Loading  of DLLs As long as you know the  path of ...
 Since Windows API DLLs  are always at known  paths, we can always  load them
 Dynamic access to the  entirety of the Windows  API on the system By calling APIs from user  processes, we can  imperso...
 June 2010 – Railgun submitted  to Metasploit by Patrick HVE Sept 2010 – 64bit support  added by Stephen Fewer Feb 2011...
 LoadLibrary function opens a Handle to the DLL GetProcAddress maps a function pointer to the specified function Memrea...
 Ruby code lives in  lib/rex/post/meterpreter/extensio  ns/stdapi/railgun User/module writer defines the  DLL and the ne...
def self.create_dll(dll_path = advapi32) dll = DLL.new(dll_path, ApiConstants.manager) dll.add_function(CredEnumerateA, BO...
1. Function Name2. Function Return Type3. Array of Parameters 1. Param type 2. Param Name 3. IN/OUT/INOUT Parameter
 Railgun knows about  Windows constants They are defined in  api_constants.rb in the  railgun folder Easy to add new co...
 If it quacks like a duck… Pass as a Fixnum or  Bignum String representation of  constants can also be  passed in
 Pointer to a DWORD Pass a Fixnum Pass the Content of the  DWORD not the pointer If it is an OUT only  paramter, pass ...
 Pass as Ruby strings.  Will be converted  seamlessly If OUT only, pass fixnum  of the size of the buffer  (including nu...
Definition                              Usagedll.add_function(                       ms_enhanced_prov = "Microsoft        ...
 Pass in Ruby True/False  values exactly as expected
Definition:dll.add_function( IsDebuggerPresent, BOOL,[])Usage:>> client.railgun.kernel32.IsDebuggerPresent()=> {"GetLastEr...
 Handled the same as  DWORDs but Fixnums  passed in will be  truncated to the  appropriate length
 Anything that’s not a  string or a DWORD Treated as a ruby string Railgun will not help you  parse structures
Definition                             Usagedll.add_function( WlanGetProfile,    profile[name] =    DWORD,[               ...
 Pointers and Handles of  any kind are really just  numbers, so treat them  as DWORDs If it can be treated as a  number ...
 The function will return a  hash Hash will always contain at  least GetLastError Hash will return any OUT  values
 Will return 0 if there was no  error Otherwise will contain the  windows system Error code  encountered Errors codes c...
acquirecontext =  advapi32.CryptAcquireCon  textW(4, nil,  ms_enhanced_prov,  prov_rsa_full,  crypt_verify_context)createh...
 Complex structure types that  you will have to parse  yourself Strings you don’t know the  length of Large number of s...
Microsoft will help you own things
Seriously…
They even give you      tools!
 Anything you can do with the  windows API is available Without increasing the size of  the payload
 Get the OS to Decrypt  stored SmartFTP Passwords Enumerate and decrypt  stored RDP passwords Scan for Wireless APs En...
 Enough of these ugly slides Let’s see it in action
Weaponizing the Windows API with Metasploit's Railgun
Weaponizing the Windows API with Metasploit's Railgun
Weaponizing the Windows API with Metasploit's Railgun
Weaponizing the Windows API with Metasploit's Railgun
Weaponizing the Windows API with Metasploit's Railgun
Weaponizing the Windows API with Metasploit's Railgun
Weaponizing the Windows API with Metasploit's Railgun
Weaponizing the Windows API with Metasploit's Railgun
Weaponizing the Windows API with Metasploit's Railgun
Upcoming SlideShare
Loading in …5
×

Weaponizing the Windows API with Metasploit's Railgun

1,293 views

Published on

Thelightcosine's DefCon 20 talk on Railgun

Published in: Technology, Education
  • Be the first to comment

  • Be the first to like this

Weaponizing the Windows API with Metasploit's Railgun

  1. 1. “If you don’t think you’re anewb, then you’re not tryinghard enough”- HD Moore
  2. 2. Post-exploitation
  3. 3. Endless Possabilities
  4. 4.  Goto Payload for Windows DLL, compiled C Usually injected into process memory Enhanced CMD shell Provides basic post-exploitation API
  5. 5.  Often run with SYSTEM Privs Can be migrated into a user’s process
  6. 6.  Railgun is an extension to the Meterpreter STDAPI Allows Arbitrary Loading of DLLs As long as you know the path of the DLL, you can access it’s functions
  7. 7.  Since Windows API DLLs are always at known paths, we can always load them
  8. 8.  Dynamic access to the entirety of the Windows API on the system By calling APIs from user processes, we can impersonate users Anything becomes possible
  9. 9.  June 2010 – Railgun submitted to Metasploit by Patrick HVE Sept 2010 – 64bit support added by Stephen Fewer Feb 2011 – Chao-mu takes over Railgun support, resumes new feature work Fall 2011 – Chao-mu disappears Aug 2012 – YOU start contributing to Railgun Dec 2012 – Mayans predict Railgun-related Apocalypse?
  10. 10.  LoadLibrary function opens a Handle to the DLL GetProcAddress maps a function pointer to the specified function Memread and Memwrite functions for manipulating memory space
  11. 11.  Ruby code lives in lib/rex/post/meterpreter/extensio ns/stdapi/railgun User/module writer defines the DLL and the needed functions Functions are then avilable as methods Can define at runtime or use definition files
  12. 12. def self.create_dll(dll_path = advapi32) dll = DLL.new(dll_path, ApiConstants.manager) dll.add_function(CredEnumerateA, BOOL, [ [PCHAR, Filter, in], [DWORD, Flags, in], [PDWORD, Count, out], [PBLOB, Credentials, out]])  A look at Railgun Definitions
  13. 13. 1. Function Name2. Function Return Type3. Array of Parameters 1. Param type 2. Param Name 3. IN/OUT/INOUT Parameter
  14. 14.  Railgun knows about Windows constants They are defined in api_constants.rb in the railgun folder Easy to add new constants as needed there
  15. 15.  If it quacks like a duck… Pass as a Fixnum or Bignum String representation of constants can also be passed in
  16. 16.  Pointer to a DWORD Pass a Fixnum Pass the Content of the DWORD not the pointer If it is an OUT only paramter, pass a 4 (size of a DWORD) Pass nil for a NULL Pointer
  17. 17.  Pass as Ruby strings. Will be converted seamlessly If OUT only, pass fixnum of the size of the buffer (including null byte)
  18. 18. Definition Usagedll.add_function( ms_enhanced_prov = "Microsoft Enhanced Cryptographic CryptAcquireContextW, Provider v1.0" BOOL,[ prov_rsa_full = 1[PDWORD, phProv, out], crypt_verify_context = 0xF0000000[PWCHAR, pszContainer, alg_md5 = 32771 in], alg_rc4 = 26625[PWCHAR, pszProvider, in], advapi32 = client.railgun.advapi32[DWORD, dwProvType, in], acquirecontext = advapi32.CryptAcquireContext[DWORD, dwflags, in]]) W(4, nil, ms_enhanced_prov, prov_rsa_full, crypt_verify_context)Used in the SmartFTP password Recovery Module
  19. 19.  Pass in Ruby True/False values exactly as expected
  20. 20. Definition:dll.add_function( IsDebuggerPresent, BOOL,[])Usage:>> client.railgun.kernel32.IsDebuggerPresent()=> {"GetLastError"=>0, "return"=>false}
  21. 21.  Handled the same as DWORDs but Fixnums passed in will be truncated to the appropriate length
  22. 22.  Anything that’s not a string or a DWORD Treated as a ruby string Railgun will not help you parse structures
  23. 23. Definition Usagedll.add_function( WlanGetProfile, profile[name] = DWORD,[ @host_process.memory.rea[DWORD, hClientHandle, in], d(ppointer,512)[PBLOB, pInterfaceGuid, in], ppointer = (ppointer + 516)[PBLOB, strProfileName, in],[LPVOID, pReserved, in],[PDWORD, pstrProfileXML, rprofile = out], @wlanapi.WlanGetProfile(wl[PDWORD, pdwFlags, inout], an_handle,guid,profile[nam e],nil,4,4,4)[PDWORD, pdwGrantedAccess, out]])Used in the wlan_profile post module
  24. 24.  Pointers and Handles of any kind are really just numbers, so treat them as DWORDs If it can be treated as a number it’s a DWORD Otherwise it’s a PBLOB If neither works, add support for it yourself =)
  25. 25.  The function will return a hash Hash will always contain at least GetLastError Hash will return any OUT values
  26. 26.  Will return 0 if there was no error Otherwise will contain the windows system Error code encountered Errors codes can be looked up at http://msdn.microsoft.com/en - us/library/windows/desktop/ ms681381(v=vs.85).aspx
  27. 27. acquirecontext = advapi32.CryptAcquireCon textW(4, nil, ms_enhanced_prov, prov_rsa_full, crypt_verify_context)createhash = advapi32.CryptCreateHash (acquirecontext[phProv] , alg_md5, 0, 0, 4)
  28. 28.  Complex structure types that you will have to parse yourself Strings you don’t know the length of Large number of string reads (SLOWWWW)
  29. 29. Microsoft will help you own things
  30. 30. Seriously…
  31. 31. They even give you tools!
  32. 32.  Anything you can do with the windows API is available Without increasing the size of the payload
  33. 33.  Get the OS to Decrypt stored SmartFTP Passwords Enumerate and decrypt stored RDP passwords Scan for Wireless APs Enumerates Domain controllers on the victim’s network
  34. 34.  Enough of these ugly slides Let’s see it in action

×