Metasploit Railguns presentation @ tcs hyderabad


Usage of railguns on meterpreter


  1. A. Chaitanya Krishna
  2. Vivek Ramachandran (Kiva Cyber Securities); my friends
  3. Agenda
     Introduction to the Metasploit Framework; keywords; introduction to Metasploit Meterpreter; enhancing Meterpreter using Railgun; adding Railgun functions and DLLs on the fly; demo.
  4. Buzz Words
     Vulnerability: a weakness in a system that could be compromised.
     Exploit: code that works against the vulnerability of the target system.
     Payload: the actual code that lets an attacker gain access after exploitation.
  5. Metasploit Framework
     Widely used tool for developing and testing vulnerabilities, and a buzz word in the security community. Used for penetration testing, IDS signature development and exploit development.
  6. Why we need to opt for Metasploit
     Widely accepted tool for testing vulnerabilities; makes complex tasks easier; possesses a rich set of modules organised in a systematic manner; has regular updates; contains 1000+ exploits, 200+ payloads and 500+ auxiliary modules.
  7. Meterpreter
     meterpreter >
     It is the default go-to payload for Windows; provides an enhanced command shell for the attacker; consists of a default set of core commands; can be extended at runtime by shipping DLLs to the victim machine; provides a basic post-exploitation API.
  8. Working of Meterpreter
     Getting a Meterpreter shell goes through 3 stages: (1) the exploit + stage 1 payload is sent; (2) the DLL injection payload is sent; (3) the Meterpreter DLL starts communication.
  9. Sample Scenario
     Backtrack sends a combination of payload and exploit to Windows XP (192.168.47.129).
  10. Why Railguns
     meterpreter > irb
     [*] Starting IRB shell
     [*] The 'client' variable holds the meterpreter client
     >>
     Railgun is a Meterpreter extension that allows an attacker to use any DLL: it allows arbitrary loading of DLLs. Windows API DLLs live at known paths, so we can load them very easily. Railgun gives us the flexibility and power to call arbitrary functions in DLLs on the victim's machine.
  11. Hello World DLLs
     Windows is known for its rich set of DLLs: those shipped with Windows as well as those from installed applications. They can be called on the fly from irb mode, or defined statically under /opt/metasploit/msf3/lib/rex/post/meterpreter/extensions/stdapi/railgun/def.
  12. Introduction to DLLs and Functions
     Not all functions are defined for calling. We need to add our own DLLs to call them at runtime, together with the appropriate function for that particular DLL.
     meterpreter > irb
     [*] Starting IRB shell
     [*] The 'client' variable holds the meterpreter client
     >> client.railgun.user32.MessageBoxA(0, "Hello Null Hyderabad, Welcome to the meet", "NullCon", "MB_OK")
  13. Anatomy of Functions
     A function definition consists of the function name, the function return type and an array of parameters. In parameters are the arguments through which we pass input to the function. Out parameters are full-fledged data pointers; their memory allocation is entirely managed by Railgun.
  14. Necessity of DLLs and Functions
     In the middle of a penetration test we need to call additional APIs to support our work. They can be called on the fly, or else we need to define them statically under /opt/metasploit/msf3/lib/rex/post/meterpreter/extensions/stdapi/railgun/def.
  15. Adding Functions on the fly
     meterpreter > irb
     [*] Starting IRB shell
     [*] The 'client' variable holds the meterpreter client
     >> client.railgun.known_dll_names
     => ["kernel32", "ntdll", "user32", "ws2_32", "iphlpapi", "advapi32", "shell32", "netapi32", "crypt32", "wlanapi"]
     >> unless client.railgun.known_dll_names.include? 'NullCon'
          print_status "Adding NullCon.dll"
          client.railgun.add_dll('NullCon', 'C:\WINDOWS\system32\NullCon.dll')
        else
          print_status "NullCon DLL has already loaded.. skipping"
        end
  16. Adding Functions on the fly
     meterpreter > irb
     [*] Starting IRB shell
     [*] The 'client' variable holds the meterpreter client
     >> client.railgun.add_function('netapi32', 'NetUserChangePassword', 'DWORD', [
          ["PWCHAR", "domainname", "in"],
          ["PWCHAR", "username", "in"],
          ["PWCHAR", "oldpassword", "in"],
          ["PWCHAR", "newpassword", "in"]
        ])
     => #<Rex::Post::Meterpreter::Extensions::Stdapi::Railgun::DLLFunction:0x00000006d4fa70 ...>
     >> client.railgun.netapi32.NetUserChangePassword(nil, "NullCon", "NullCon", "NullCon123")
  17. That's all
     client.railgun.user32.MessageBoxA(0, "That's what in my slides to show", "NullCon", "MB_OK")
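As an added example (not code from the slides and not Metasploit's own Railgun implementation), the Ruby model below shows the definition structure from slides 13, 15 and 16 in one place: a registry of DLL names, the idempotent "add the DLL only if it is not already known" check, and function definitions built from a name, a return type and an array of [type, name, direction] triples. It also enforces the slide-13 rule that an out parameter must be a pointer type whose buffer Railgun allocates, and shows which keys a call result would carry for such a function. The type list, the hypothetical GetComputerNameA definition and the Windows paths are assumptions made for illustration; nothing here talks to a Meterpreter session.

```ruby
# Added example: a constructed, offline model of Railgun-style DLL/function
# definitions. Type names and directions follow the conventions seen on the
# slides; the registry classes are illustrative, not Metasploit's classes.

# Types a definition may use (assumed subset). Pointer types start with 'P'
# (or are LPVOID) and are the only ones allowed for 'out'/'inout' parameters,
# because Railgun allocates and returns those buffers itself.
KNOWN_TYPES = %w[VOID BOOL DWORD HANDLE LPVOID PDWORD PCHAR PWCHAR PBLOB].freeze
DIRECTIONS  = %w[in out inout].freeze

class RailgunFunction
  attr_reader :name, :return_type, :params

  # params: array of [type, name, direction] triples, as written on slide 16
  def initialize(name, return_type, params)
    raise ArgumentError, "unknown return type #{return_type}" unless KNOWN_TYPES.include?(return_type)
    params.each do |type, pname, dir|
      raise ArgumentError, "unknown type #{type} for #{pname}" unless KNOWN_TYPES.include?(type)
      raise ArgumentError, "bad direction #{dir} for #{pname}" unless DIRECTIONS.include?(dir)
      if dir != 'in' && !pointer?(type)
        raise ArgumentError, "#{pname}: '#{dir}' parameters must be pointer types"
      end
    end
    @name, @return_type, @params = name, return_type, params
  end

  # C-like prototype, handy for checking a definition against the API docs
  def prototype
    args = @params.map { |type, pname, dir| "#{type} #{pname} /*#{dir}*/" }
    "#{@return_type} #{@name}(#{args.join(', ')})"
  end

  # Parameters ('out' and 'inout') whose buffers Railgun manages for the caller
  def out_params
    @params.select { |_, _, dir| dir != 'in' }.map { |_, pname, _| pname }
  end

  # Keys a Railgun-style result hash carries: the return value, the last
  # error code, and one entry per managed buffer (assumed naming)
  def result_keys
    ['GetLastError', 'return'] + out_params
  end

  private

  def pointer?(type)
    type.start_with?('P') || type == 'LPVOID'
  end
end

class RailgunRegistry
  def initialize
    @dlls = {} # dll name => { path:, functions: {} }
  end

  def known_dll_names
    @dlls.keys
  end

  # The slide-15 check folded into the call: returns false when already known
  def add_dll(name, windows_path)
    return false if known_dll_names.include?(name)
    @dlls[name] = { path: windows_path, functions: {} }
    true
  end

  def add_function(dll_name, fname, return_type, params)
    dll = @dlls.fetch(dll_name) { raise ArgumentError, "unknown DLL #{dll_name}; add_dll first" }
    dll[:functions][fname] = RailgunFunction.new(fname, return_type, params)
  end

  def function(dll_name, fname)
    @dlls.fetch(dll_name)[:functions].fetch(fname)
  end
end

# Constructed usage mirroring slides 15 and 16; paths are illustrative
def build_demo_registry
  reg = RailgunRegistry.new
  reg.add_dll('netapi32', 'C:\WINDOWS\system32\netapi32.dll')
  reg.add_function('netapi32', 'NetUserChangePassword', 'DWORD', [
    ['PWCHAR', 'domainname', 'in'],
    ['PWCHAR', 'username', 'in'],
    ['PWCHAR', 'oldpassword', 'in'],
    ['PWCHAR', 'newpassword', 'in']
  ])
  # Hypothetical definition with managed buffers, to show the out-parameter rule
  reg.add_dll('kernel32', 'C:\WINDOWS\system32\kernel32.dll')
  reg.add_function('kernel32', 'GetComputerNameA', 'BOOL', [
    ['PCHAR', 'lpBuffer', 'out'],
    ['PDWORD', 'nSize', 'inout']
  ])
  reg
end

if __FILE__ == $0
  reg = build_demo_registry
  puts reg.known_dll_names.inspect
  puts reg.function('netapi32', 'NetUserChangePassword').prototype
  puts reg.function('kernel32', 'GetComputerNameA').result_keys.inspect
end
```

The point of the `pointer?` check is the one slide 13 makes: for in parameters you pass the value, for out parameters Railgun owns the buffer, so a definition that marks a plain DWORD as "out" is a mistake the registry rejects before anything reaches the target.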