Post Metasploitation

Presented at Defcon 20

Published in: Technology
0 Comments
3 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
5,394
On SlideShare
0
From Embeds
0
Number of Embeds
140
Actions
Shares
0
Downloads
97
Comments
0
Likes
3
Embeds 0
No embeds

No notes for slide

Post Metasploitation

  1. POST METASPLOITATION
  2. egypt
  3. WHY THIS TALK?
     • Get more shells
     • Get better shells
     • Do more with them, faster
  4. ASSUMPTIONS
     • You've heard of Metasploit
     • You've got a shell
     • You have some goal that isn't that shell
  5. WHY METASPLOIT?
  6. LARGE OPEN SOURCE COMMUNITY
  7. > C
  8. POST MODULE DESIGN: Should be minimal
     • Complexity is hard to debug and maintain
     • Do one thing and do it well
       – Resource scripts can automate multiple modules
  9. POST MODULE DESIGN: Should be readable
     • Consistent structure
     • Consistent option names
     • Consistent output
  10. POST MODULE DESIGN: Should be reliable
     • Detect relevant variables
     • Never crash session/host if you can avoid it
     • Clean up
  11. POST MODULE DEVELOPMENT: Like Aux modules in many ways
     • Define a run() method
     • Optional setup(), cleanup() methods
     • Have Actions
     • Can include Exploit / Auxiliary mixins
     • Should report something
  12. POST MODULE STRUCTURE
  13. METASPLOIT POST API
     • DSL*-like interface for automating shells
     • Abstracts out common stuff
     • Platform-agnostic methods for
       – Reading/writing binary files
       – Running shell commands
       – Listing users
     *Domain Specific Language
  14. POST-EXPLOITATION SECRET SAUCE
  15. Presence, Persistence, Pivoting
     [1]: I totally stole this from Mubix
  16. PRESENCE
     • Examine your environment
       – Users
       – Machine
     • One issue here is getting an unfamiliar shell
       – Never played on Solaris, what do you do?
  17. WHAT USERS ARE/HAVE LOGGED IN?
  18. PRESENCE - THE MACHINE
     • What does this box do?
     • What processes are running?
       – AV, Tripwire
       – ssh-agent, pageant
       – Editors
       – Database servers
     • What does it talk to?
  19. WHAT DOES THIS MACHINE TALK TO?
  20. PERSISTENCE
     • Passwords!
     • Backdoors
     • Re-introducing vulnerabilities
  21. TEMPORARY PERSISTENCE
     • Reverse http(s) payloads
     • Doesn't survive reboot, but useful for keeping shells when the network is spotty
  22. MORE PERMANENT OPTIONS
     • Autoruns
       – Drop an exe in the right place, maybe mod registry
       – Simple, effective
     • Task scheduler, cron, launchd
     • Enable RDP
     • Enable root login for ssh
  23. PIVOTING
     • Passwords!
     • Privilege escalation
     • Trust relationships
     • Route, portfwd
     • auxiliary/server/socks4a
     • Explicit "comm" arg to Rex::Socket creation
  24. POST-EXPLOITATION EXPLOITATION
     • For when you absolutely, positively have to have root
       – (and don't mind the occasional kernel panic)
     • We can kinda blur the line between local and remote here
  25. $ -> #
     • Just like with network exploitation, not always an exploit
     • Passwords (sudo)
     • Trust relationships (suid executables)
     • Misconfiguration (all sorts of shit)
  26. DEMO: MULTI/LOCAL/SETUID_NMAP
     "Nmap should never be installed with special privileges (e.g. suid root) for security reasons."
  27. DEMO: LINUX/LOCAL/SOCK_SENDPAGE AKA Wunderbar Emporium
  28. EXPLOIT::LOCAL
     • Inherit from Exploit
       – Provides payloads and handlers
       – Create executables, etc.
     • Include Post mixins
       – Provides session interaction
       – Write files, manipulate registry, etc.
  29. COMPILING/ASSEMBLING WITH METASM
     • Can compile C for x86/x86_64
     • Can assemble x86, x86_64, mips, arm, ppc and more
  30. TRUST RELATIONSHIPS
     • Windows Authentication
       – NTLM auth is relay-able
       – Automatic domain auth
  31. SMB RELAY (diagram: Attacker, Target, Victim): Victim begins NTLM authentication against the Attacker
  32. SMB RELAY: Attacker begins NTLM auth against Target
  33. SMB RELAY: Target replies with 8-byte challenge
  34. SMB RELAY: Attacker sends Target's challenge to Victim
  35. SMB RELAY: Victim calculates challenge response and replies with final authentication packet
  36. SMB RELAY: Attacker logs into Target with Victim's credentials
  37. SMB RELAY
     • Well-known attack
     • Some mitigations break it, but largely still useful and will be for a long time
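The six-step relay in slides 31-36 as an added toy model, not code from the talk: both sides' messages are simulated in Ruby with an HMAC stand-in for the real NTLM response computation, and SECRET, Target and relay are constructed names. It also shows the mitigation slide 37 alludes to: when the Target requires message signing, the relay fails because the signing key needs the secret the relay never sees.

```ruby
require 'openssl'
require 'securerandom'

# Constructed stand-in for the victim's NT hash. Only Victim and Target know
# it; the attacker only ever sees challenges and responses.
SECRET = 'victim-nt-hash-standin'

# Simplified challenge/response: the real protocol is NTLMv1/v2 over SMB, but
# the relay property only needs response = f(secret, challenge).
def response_for(secret, challenge)
  OpenSSL::HMAC.digest('SHA256', secret, challenge)
end

# NTLMv2-style session key: derived from the secret AND the response, so a
# party that holds only the response cannot compute it.
def session_key(secret, response)
  OpenSSL::HMAC.digest('SHA256', secret, response)
end

# Victim (slides 31, 34-35): answers whatever challenge it is handed.
def victim_answer(challenge)
  response_for(SECRET, challenge)
end

# Target: issues an 8-byte challenge (slide 33), checks the response, and
# optionally demands that the first message be signed with the session key.
class Target
  attr_reader :challenge
  def initialize(require_signing:)
    @require_signing = require_signing
    @challenge = SecureRandom.random_bytes(8)
  end
  def authenticate(response, signed_hello = nil)
    return false unless response == response_for(SECRET, @challenge)
    return true unless @require_signing
    signed_hello == OpenSSL::HMAC.digest('SHA256', session_key(SECRET, response), 'hello')
  end
end

# Attacker (slides 32, 34, 36): forwards Target's challenge to Victim and
# replays the answer. It can only guess at a signing key.
def relay_succeeds?(signing:)
  target = Target.new(require_signing: signing)
  response = victim_answer(target.challenge)
  forged_sig = OpenSSL::HMAC.digest('SHA256', session_key(response, response), 'hello')
  target.authenticate(response, forged_sig)
end

puts "unsigned SMB, relay works?     #{relay_succeeds?(signing: false)}"  # true
puts "signing required, relay works? #{relay_succeeds?(signing: true)}"   # false
```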
  38. SMB RELAY + LNK FILE
     Drop LNK file (post/windows/escalate/droplnk)
     Set up a relay (exploit/windows/smb/smb_relay)
     Wait for an Admin to open that directory
     (diagram: Victim, Target, Compromised File Server; "Create LNK file")
  39. AUTOMATIC DOMAIN AUTH
     • Windows stores creds in memory and does NTLM auth using your current token
     • When you do something in the GUI that requires auth, it happens automatically using those creds
     • If your user has Local Admin on another box, you can create/start services (usually)
  40. SC_HANDLE WINAPI OpenSCManager(
         __in_opt LPCTSTR lpMachineName,
         __in_opt LPCTSTR lpDatabaseName,
         __in     DWORD   dwDesiredAccess
     );
  41. SC_HANDLE WINAPI CreateService(
         __in     SC_HANDLE hSCManager,
         __in     LPCTSTR   lpServiceName,
         __in_opt LPCTSTR   lpDisplayName,
         __in     DWORD     dwDesiredAccess,
         __in     DWORD     dwServiceType,
         __in     DWORD     dwStartType,
         __in     DWORD     dwErrorControl,
         __in_opt LPCTSTR   lpBinaryPathName,
         __in_opt LPCTSTR   lpLoadOrderGroup,
         __out_opt LPDWORD  lpdwTagId,
         __in_opt LPCTSTR   lpDependencies,
         __in_opt LPCTSTR   lpServiceStartName,
         __in_opt LPCTSTR   lpPassword
     );
  42. DEMO: OWNING DC USING DA TOKEN
     Yay automatic authentication
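A defender's check for the service-creation step in slides 39-41, added here and not part of the talk: a remote CreateService() call lands in the target's System log as Event ID 7045 ("A service was installed in the system"), so the Ruby below parses 7045-style lines and flags installs that look like a dropped service binary. The key=value layout, hosts, service names and the rules are constructed for illustration, not a real log format or a vendor detection.

```ruby
# Constructed 7045-style lines (field names follow the event's own fields:
# service name, service file name, start type, account). Not real telemetry.
SAMPLE_7045 = <<~LOG
  host=FILESRV01 svc=Spooler path=C:\\Windows\\System32\\spoolsv.exe start=auto account=LocalSystem
  host=DC01 svc=bXlqZmRr path=%SYSTEMROOT%\\Temp\\svc_3a9.exe start=demand account=LocalSystem
  host=DC01 svc=Helper path=%COMSPEC% /Q /c echo hi start=demand account=LocalSystem
LOG

LINE_RE = /\Ahost=(\S+) svc=(\S+) path=(.+?) start=(\S+) account=(\S+)\z/

# One flattened event -> hash, or nil for lines that do not match the layout.
def parse_7045(line)
  m = LINE_RE.match(line.strip) or return nil
  { host: m[1], svc: m[2], path: m[3], start: m[4], account: m[5] }
end

# Heuristics for "someone just installed a service by hand over the network":
# binary dropped in a writable/temp location, service that is really a shell
# one-liner, or a name that looks generated rather than chosen.
def suspicious_reasons(ev)
  reasons = []
  reasons << 'binary in temp/user-writable dir' if ev[:path] =~ /\\(temp|users)\\/i
  reasons << 'service runs a command shell'    if ev[:path] =~ /\bcmd\.exe\b|%COMSPEC%/i
  reasons << 'random-looking service name'     if ev[:svc].length >= 6 && ev[:svc] !~ /[aeiou]/i
  reasons
end

# Returns [[host, service_name, [reasons...]], ...] for flagged installs only.
def flag_service_installs(log)
  log.each_line.filter_map do |line|
    ev = parse_7045(line) or next
    reasons = suspicious_reasons(ev)
    [ev[:host], ev[:svc], reasons] unless reasons.empty?
  end
end

flag_service_installs(SAMPLE_7045).each do |host, svc, reasons|
  puts "#{host}: service #{svc} -> #{reasons.join(', ')}"
end
```

Correlating the 7045 with a preceding network logon (Event ID 4624, logon type 3) from the same account on that host is what turns this from a hint into a confirmed remote install.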
  43. CONCLUSIONS
     • Metasploit is awesomesauce
     • If it doesn't already do what you need, it's easy to add new modules
     • Stick around for Dave's talk!
  44. QUESTIONS?
     • Twitter: @egyp7
     • IRC: #metasploit on FreeNode