A. Chaitanya Krishna

Vivek Ramachandran (SecurityTube.net)
Bharath (Kiva Cyber securities)
My friends
Agenda
   Introduction to Metasploit Framework
   Keywords
   Introduction to Metasploit
   Meterpreter
   Enhancing Meterpreter using Railgun
   Adding Railgun functions and DLLs on the fly
   Demo
Buzz Words

   Vulnerability   A weakness in a system that could be exploited to compromise it.

   Exploit         Code that targets a vulnerability on the target system.

   Payload         The actual code that lets an attacker gain access after exploitation.
Metasploit Framework
   Widely used tool for developing exploits and testing vulnerabilities
   A buzzword in the security community
   Used for penetration testing
   IDS signature development
   Exploit development
Why opt for Metasploit
   Widely accepted tool for testing vulnerabilities
   Makes complex tasks much easier
   Possesses a rich set of modules organized in a systematic manner
   Is updated regularly
   Contains 1000+ exploits, 200+ payloads and 500+ auxiliary modules of different types
Meterpreter

   meterpreter >

   It is the default go-to payload for Windows
   Provides an enhanced command shell for the attacker
   Consists of a default set of core commands
   Can be extended at runtime by shipping DLLs to the victim machine
   Provides a basic post-exploitation API
Working of Meterpreter
   Getting a Meterpreter shell goes through 3 different stages:

   Stage 1: the attacker sends the exploit + stage 1 payload
   Stage 2: the attacker sends the DLL injection payload
   Stage 3: the Meterpreter DLL starts communication
Sample Scenario

   Backtrack (192.168.47.129)  --- sends a combination of payload and exploit --->  Windows XP (192.168.47.128)
Why Railguns

   meterpreter > irb
   [*] Starting IRB shell
   [*] The 'client' variable holds the meterpreter client
   >>

   Meterpreter extension that allows an attacker to call into any DLL
   Allows arbitrary loading of DLLs
   Windows API DLLs live at known paths, so they can be loaded very easily
   Railgun gives us the flexibility and power to call arbitrary functions in DLLs on the victim machine
Hello World DLLs

   The Windows operating system is known for its rich set of DLLs
   These include DLLs shipped with Windows as well as DLLs from installed applications
   They can be called on the fly from irb mode, or defined statically under
   /opt/metasploit/msf3/lib/rex/post/meterpreter/extensions/stdapi/railgun/def
Introduction to DLLs and Functions

   Not all functions are defined and ready to call.
   We need to add our own DLLs to call them at runtime.
   The appropriate function must be called on the particular DLL that exports it.

   meterpreter > irb
   [*] Starting IRB shell
   [*] The 'client' variable holds the meterpreter client
   >> client.railgun.user32.MessageBoxA(0, "Hello Null Hyderabad, Welcome to the meet", "NullCon", "MB_OK")
Anatomy of Functions

   A Railgun function definition is made up of:
   Function name
   Function return type
   Array of parameters, each given as [type, name, direction]

   In parameters are the arguments through which we pass input to the function.
   Out parameters are full-fledged data pointers; the memory allocation behind them is entirely managed by Railgun.
Necessity of DLLs and Functions

   In the middle of a penetration test we often need to call additional APIs to support our work.
   They can be added on the fly, or else they need to be defined statically under
   /opt/metasploit/msf3/lib/rex/post/meterpreter/extensions/stdapi/railgun/def
Adding DLLs on the fly

meterpreter > irb
[*] Starting IRB shell
[*] The 'client' variable holds the meterpreter client
>> client.railgun.known_dll_names
=> ["kernel32", "ntdll", "user32", "ws2_32", "iphlpapi", "advapi32", "shell32", "netapi32", "crypt32", "wlanapi"]

>> # Register the DLL with Railgun only if it is not already known
>> unless client.railgun.known_dll_names.include?('NullCon')
     print_status "Adding NullCon.dll"
     # first argument: name used as client.railgun.<name>; second: path of the DLL on the victim
     client.railgun.add_dll('NullCon', 'C:\WINDOWS\system32\NullCon.dll')
   else
     print_status "NullCon DLL has already been loaded.. skipping"
   end
Adding Functions on the fly

meterpreter > irb
[*] Starting IRB shell
[*] The 'client' variable holds the meterpreter client
>> # add_function(dll_name, function_name, return_type, parameters)
>> client.railgun.add_function('netapi32', 'NetUserChangePassword', 'DWORD', [
     ["PWCHAR", "domainname", "in"],
     ["PWCHAR", "username", "in"],
     ["PWCHAR", "oldpassword", "in"],
     ["PWCHAR", "newpassword", "in"]])

=> #<Rex::Post::Meterpreter::Extensions::Stdapi::Railgun::DLLFunction:0x00000006d4fa70
@return_ me", "in"], ["PWCHAR", "oldpassword", "in"], ["PWCHAR", "newpassword", "in"]], @windows_name="N

>> # nil (NULL) for domainname means the caller's logon domain; then username, old password, new password
>> client.railgun.netapi32.NetUserChangePassword(nil, "NullCon", "NullCon", "NullCon123")
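As an added example that is not part of the slides or of Metasploit itself, the following stand-alone Ruby models the pieces of a Railgun function definition described in the "Anatomy of Functions" slide and the two "on the fly" slides above (function name, return type, an array of [type, name, direction] parameters, and the add-the-DLL-only-if-unknown idiom), and renders the definition in the static def_*.rb form that lives under the railgun/def path. The accepted type and direction lists and the generated class layout are assumptions modelled on msf3-era definition files, not Railgun's actual validation code.

```ruby
# Assumed subset of the types Railgun accepts; the real lists live in Railgun's own code.
RETURN_TYPES = %w[VOID DWORD LPVOID LONG BOOL HANDLE].freeze
PARAM_TYPES  = %w[DWORD LPVOID PBLOB PDWORD PWCHAR PCHAR BOOL HANDLE].freeze
DIRECTIONS   = %w[in out inout].freeze

# Validate one definition before it is sent to a live session (where a typo only
# shows up as an error on the target) and return it normalised. Types are
# upper-cased, matching the "PWCHAR" seen in the DLLFunction output on the slide.
def railgun_function(dll, name, return_type, params)
  rt = return_type.to_s.upcase
  raise ArgumentError, "return type #{return_type.inspect} not supported" unless RETURN_TYPES.include?(rt)
  norm = params.map do |p|
    unless p.is_a?(Array) && p.size == 3
      raise ArgumentError, "each parameter must be [type, name, direction], got #{p.inspect}"
    end
    type, pname, dir = p
    t = type.to_s.upcase
    raise ArgumentError, "parameter type #{type.inspect} not supported" unless PARAM_TYPES.include?(t)
    raise ArgumentError, "direction must be in/out/inout, got #{dir.inspect}" unless DIRECTIONS.include?(dir)
    [t, pname.to_s, dir]
  end
  { dll: dll, name: name, return_type: rt, params: norm }
end

# Same idiom as the slide's irb snippet: add the DLL only if it is not yet known.
# Works on a plain list so it runs without a session; returns the new list and what happened.
def ensure_dll(known_dll_names, dll_name)
  return [known_dll_names, :skipped] if known_dll_names.include?(dll_name)
  [known_dll_names + [dll_name], :added]
end

# Render the static form: a Def_<dll> class whose create_dll registers the function.
# Layout is an assumption based on msf3-era def_*.rb files; compare with a real one before use.
def static_def_source(fn)
  out = ["class Def_#{fn[:dll]}",
         "  def self.create_dll(dll_path = #{fn[:dll].inspect})",
         "    dll = DLL.new(dll_path, ApiConstants.manager)",
         "    dll.add_function(#{fn[:name].inspect}, #{fn[:return_type].inspect}, ["]
  fn[:params].each { |t, n, d| out << "      [#{t.inspect}, #{n.inspect}, #{d.inspect}]," }
  out += ["    ])", "    dll", "  end", "end"]
  out.join("\n") + "\n"
end

# Constructed input: the definition from the slide, with lower-case types as typed there.
if __FILE__ == $0
  fn = railgun_function('netapi32', 'NetUserChangePassword', 'DWORD', [
    ['pwchar', 'domainname', 'in'], ['pwchar', 'username', 'in'],
    ['pwchar', 'oldpassword', 'in'], ['pwchar', 'newpassword', 'in']])
  puts static_def_source(fn)
end
```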
That's all

client.railgun.user32.MessageBoxA(0, "That's what in my slides to show", "NullCon", "MB_OK")

Chaitanyapentest@gmail.com

Metasploit Railguns presentation @ tcs hyderabad

  • 2. Vivek Ramachandran (SecurityTube.net) Bharath (Kiva Cyber securities) My friends
  • 3. Agenda Introduction to Metasploit Framework Keywords Introduction to Metasploit Meterpreter Enhancing Meterpreter using Railguns Adding Railguns Functions and Dlls on fly Demo
  • 4. Buzz Words Vulnerability Weakness existed in a system which could be compromised. Exploit Code which works on the target vulnerability system. Payload Actual Code that lets an attacker to gain access after exploitation
  • 5. Metasploit Framework Widely used Tool for Development and Testing Vulnerabilities Buzzing word security community Used for Penetration Testing IDS signature development Exploit Development
  • 6. Why we need to opt Metasploit Widely accepted tool for the Testing vulnerabilities Makes complex tasks more ease Posses rich set of modules organized in systematic manner Has Regular updates Contains different types 1000 + exploits , 200 + Payloads, 500+ Auxiliary Modules
  • 7. Meterpreter Meterpreter > Its a default Goto Payload for Windows Provides Enhanced Command Shell for the attacker Consists of default set of core commands Can be extended at runtime by shipping DLLs on the Victim machine Provides basic post-exploitation API
  • 8. Working of Meterpreter Getting a meterpreter shell undergoes 3 different stages sends exploit + Stage 1 Payload sends DLL injection payload meterpreter DLL starts communication
  • 9. Sample Scenario Sends Combination of Payload and Exploit Backtrack Windows XP 192.168.47.129 192.168.47.128
  • 10.
  • 11. Why Railguns Meterpreter > irb [*] Starting IRB shell [*] The ‘Client’ variable holds meterpreter client >> Meterpreter extension that allows an attacker to run any DLL’s Allows arbitrary loading of DLL’s Windows API DLL’s are known paths. So we can load them very easily Railgun gives us flexibility and power to call arbitrary functions in DLL's on victims machine
  • 12. Hello World DLLs As windows operating system is known for its rich set of DLLs Contains shipped in DLLs along with windows as well as from installed applications Can be called on the fly using the irb mode or can be statically define them /opt/metasploit/msf3/lib/rex/post/meterpreter/extensions/stdapi/railgun/def
  • 13. Introduction to DLLs and Functions Not all functions are defined to call. Need to add our own DLLs to call them during the runtime. Appropriate Function to be called for particular DLL Meterpreter > irb [*] Starting IRB shell [*] The ‘Client’ variable holds meterpreter client >> Client.railgun.user32.MessageBoxA(0, “Hello Null Hyderabad, Welcome to the meet”, “NullCon” , “MB_OK”)
  • 14. Anatomy of Functions Function Name Function Return Type In Parameters are the arguments through which we pass input to the function Out Parameters are full-fledged data pointers and complete memory allocation is entirely managed by Railgun Out Parameters Array of Parameters
  • 15.
  • 16. Necessity of DLLs and Functions In the middle of our penetration testing we need to call additional API for support to our work. Can be called during fly or else we need to define them statically /opt/metasploit/msf3/lib/rex/post/meterpreter/extensions/stdapi/railgun/def
  • 17.
  • 18. Adding Functions on fly Meterpreter > irb [*] Starting IRB shell [*] The ‘Client’ variable holds meterpreter client >> ?> client.railgun.known_dll_names => ["kernel32", "ntdll", "user32", "ws2_32", "iphlpapi", "advapi32", "shell32", "netapi32", "crypt32", "wlanapi"] unless client.railgun.known_dll_names.include? ‘NullCon ‘ print_status "Adding NullCon.dll" client.railgun.add_dll(‘NullCon','C:WINDOWSsystem32NullCon.dll') else print_status “NullCon DLL has already loaded.. skipping" end
  • 19.
  • 20. Adding Functions on fly Meterpreter > irb [*] Starting IRB shell [*] The ‘Client’ variable holds meterpreter client >> client.railgun.add_funcution('netapi32', 'NetuserChangePassword', 'DWORD',[ ["pwchar", "domainname", "in"], ["pwchar", "username", "in"], ["pwchar", "oldpassword", "in"], ["pwchar", "newpassword", "in"]) = = > => #<Rex::Post::Meterpreter::Extensions::Stdapi::Railgun::DLLFunction:0x00000006d4fa70 @return_ me", "in"], ["PWCHAR", "oldpassword", "in"], ["PWCHAR", "newpassword", "in"]], @windows_name="N >> client.railgun.netapi32.NetUserChangePassword(‘nil’, “NullCon”, “NullCon”, “NullCon123”)
  • 21. That’s all Client.railgun.user32.MessageBoxA(0, “That’s what in my slides to show”, “NullCon” , “MB_OK”) Chaitanyapentest@gmail.com