metasploit railguns presentation @ tcs hyderabad

Posted on 09-Jun-2015

DESCRIPTION

Usage of railguns on meterpreter

TRANSCRIPT

Weaponizing Metasploit Railgun on the Windows API

A. Chaitanya Krishna

To my mentors: Vivek Ramachandran (SecurityTube.net)

Bharath (Kiva Cyber Securities)

My friends

Agenda

Introduction to Metasploit Framework

Keywords

Introduction to Metasploit

Meterpreter

Enhancing Meterpreter using Railguns

Adding Railgun Functions and DLLs on the fly

Demo

Buzz Words

Vulnerability: a weakness in a system that could be exploited to compromise it.

Exploit: code that triggers the vulnerability on the target system.

Payload: the code that runs after exploitation and gives the attacker access.

Metasploit Framework

Used for Penetration Testing

IDS signature development

Exploit Development

A buzzword in the security community

Widely used tool for developing exploits and testing vulnerabilities

Why choose Metasploit

Widely accepted tool for testing vulnerabilities

Makes complex tasks easier

Possesses a rich set of modules organized systematically

Receives regular updates

Contains 1000+ exploits, 200+ payloads and 500+ auxiliary modules

Meterpreter

It is the default go-to payload for Windows

Provides an enhanced command shell for the attacker

Consists of a default set of core commands

Can be extended at runtime by shipping DLLs to the victim machine

meterpreter >

Provides basic post-exploitation API

Working of Meterpreter

Getting a Meterpreter shell goes through 3 stages:

Stage 1: the exploit + stage 1 payload is sent

Stage 2: the DLL injection payload is sent

Stage 3: the Meterpreter DLL starts communication

Sample Scenario

Backtrack (192.168.47.128)  --->  Windows XP (192.168.47.129)

Sends a combination of payload and exploit

Why Railgun

A Meterpreter extension that allows an attacker to load and call any DLL

Allows arbitrary loading of DLLs

Windows API DLLs live at known paths, so we can load them very easily

meterpreter > irb
[*] Starting IRB shell
[*] The 'Client' variable holds meterpreter client
>>

Railgun gives us the flexibility and power to call arbitrary functions in DLLs on the victim's machine

Hello World DLLs

Windows is known for its rich set of DLLs

It contains DLLs shipped with Windows as well as DLLs from installed applications

Their functions can be called on the fly from irb mode, or defined statically under

/opt/metasploit/msf3/lib/rex/post/meterpreter/extensions/stdapi/railgun/def

Introduction to DLLs and Functions

Not all functions are defined by default.

We need to add our own DLL and function definitions to call them at runtime.

The appropriate function must be called for a particular DLL

client.railgun.user32.MessageBoxA(0, "Hello Null Hyderabad, Welcome to the meet", "NullCon", "MB_OK")

Anatomy of Functions

Function Name

Function Return Type

Out Parameters

Array of Parameters

In parameters are the arguments through which we pass input to the function

Out parameters are full-fledged data pointers; the memory allocation behind them is managed entirely by Railgun

Necessity of DLLs and Functions

In the middle of a penetration test we may need to call additional APIs to support our work.

They can be called on the fly, or else we need to define them statically under

/opt/metasploit/msf3/lib/rex/post/meterpreter/extensions/stdapi/railgun/def

unless client.railgun.known_dll_names.include?('NullCon')
  print_status("Adding NullCon.dll")
  client.railgun.add_dll('NullCon', 'C:\\WINDOWS\\system32\\NullCon.dll')
else
  print_status("NullCon DLL has already been loaded.. skipping")
end

Adding Functions on the fly

meterpreter > irb
[*] Starting IRB shell
[*] The 'Client' variable holds meterpreter client
>> client.railgun.known_dll_names
=> ["kernel32", "ntdll", "user32", "ws2_32", "iphlpapi", "advapi32", "shell32", "netapi32", "crypt32", "wlanapi"]

client.railgun.add_function('netapi32', 'NetUserChangePassword', 'DWORD', [
  ["PWCHAR", "domainname", "in"],
  ["PWCHAR", "username", "in"],
  ["PWCHAR", "oldpassword", "in"],
  ["PWCHAR", "newpassword", "in"]
])


=> #<Rex::Post::Meterpreter::Extensions::Stdapi::Railgun::DLLFunction:0x00000006d4fa70 @return_... me", "in"], ["PWCHAR", "oldpassword", "in"], ["PWCHAR", "newpassword", "in"]], @windows_name="N... (output cut off on the slide)

>> client.railgun.netapi32.NetUserChangePassword(nil, "NullCon", "NullCon", "NullCon123")
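As an added example (not from the slides and not Metasploit's own code), here is a small offline checker for the two things the slides leave implicit: the shape of the [type, name, direction] triples that add_function takes, and what you pass when calling the resulting function (a value for each "in" parameter, a buffer size for each "out" parameter). The type lists, the helper names normalize_params, check_definition and check_call, and the two sample definitions are this example's assumptions; the DLL list is a copy of the one known_dll_names printed on the earlier slide.

```ruby
# Added example, not code from the slides or from Metasploit. Checks a Railgun-style
# function definition and a call's arguments before you hand them to the live client.
# RAILGUN_TYPES and POINTER_TYPES are assumptions covering the common Windows types.

RAILGUN_TYPES = %w[VOID BOOL DWORD WORD BYTE LPVOID HANDLE PDWORD PWCHAR PCHAR PBLOB].freeze
POINTER_TYPES = %w[LPVOID PDWORD PWCHAR PCHAR PBLOB].freeze
DIRECTIONS    = %w[in out inout].freeze
EXPORT_NAME   = /\A[A-Za-z_][A-Za-z0-9_]*\z/   # shape of a DLL export name

# DLLs listed by client.railgun.known_dll_names on the slide (constructed copy)
KNOWN_DLLS = %w[kernel32 ntdll user32 ws2_32 iphlpapi advapi32 shell32 netapi32 crypt32 wlanapi].freeze

# The two definitions used on the slides, written the way the slides write them
# (lowercase types are accepted here and upcased by normalize_params).
NET_USER_CHANGE_PASSWORD = [
  ["pwchar", "domainname",  "in"],
  ["pwchar", "username",    "in"],
  ["pwchar", "oldpassword", "in"],
  ["pwchar", "newpassword", "in"]
].freeze
MESSAGE_BOX_A = [
  ["DWORD", "hWnd",      "in"],
  ["PCHAR", "lpText",    "in"],
  ["PCHAR", "lpCaption", "in"],
  ["DWORD", "uType",     "in"]
].freeze

# Upcase the type and downcase the direction of every [type, name, direction] triple.
def normalize_params(params)
  params.map { |type, name, dir| [type.to_s.upcase, name.to_s, dir.to_s.downcase] }
end

# Problems with a definition destined for client.railgun.add_function(dll, name, ret, params).
# known_dlls is what client.railgun.known_dll_names returns. An empty array means it looks sound.
def check_definition(dll, name, return_type, params, known_dlls)
  problems = []
  problems << "DLL '#{dll}' is not loaded; call client.railgun.add_dll first" unless known_dlls.include?(dll)
  problems << "'#{name}' is not a valid export name" unless name.to_s =~ EXPORT_NAME
  problems << "unknown return type '#{return_type}'" unless RAILGUN_TYPES.include?(return_type.to_s.upcase)
  seen = {}
  normalize_params(params).each_with_index do |(type, pname, dir), i|
    problems << "param #{i} (#{pname}): unknown type '#{type}'" unless RAILGUN_TYPES.include?(type)
    problems << "param #{i} (#{pname}): direction must be in/out/inout" unless DIRECTIONS.include?(dir)
    # an out/inout parameter is a buffer Railgun allocates on the target, so it must be a pointer type
    problems << "param #{i} (#{pname}): '#{dir}' needs a pointer type, got #{type}" if dir != 'in' && !POINTER_TYPES.include?(type)
    problems << "param #{i}: duplicate name '#{pname}'" if seen[pname]
    seen[pname] = true
  end
  problems
end

# Problems with the arguments of a call. Railgun takes exactly one argument per parameter:
# the value for an "in" parameter, the buffer size in bytes for an "out" parameter.
def check_call(params, args)
  params = normalize_params(params)
  return ["expected #{params.size} arguments, got #{args.size}"] if params.size != args.size
  problems = []
  params.zip(args).each_with_index do |((type, pname, dir), arg), i|
    if dir == 'out'
      problems << "arg #{i} (#{pname}): out parameter takes the buffer size as an Integer" unless arg.is_a?(Integer)
      next
    end
    case type
    when 'PWCHAR', 'PCHAR', 'PBLOB'
      problems << "arg #{i} (#{pname}): expected a String or nil" unless arg.nil? || arg.is_a?(String)
      # the string 'nil' is a three-character name, not a NULL pointer
      problems << "arg #{i} (#{pname}): the string 'nil' is not NULL, pass nil instead" if arg == 'nil'
    when 'PDWORD', 'LPVOID'
      problems << "arg #{i} (#{pname}): expected an Integer or nil" unless arg.nil? || arg.is_a?(Integer)
    else # DWORD, WORD, BYTE, BOOL, HANDLE: a number, a boolean, or a constant name like MB_OK
      ok = arg.is_a?(Integer) || arg == true || arg == false ||
           (arg.is_a?(String) && arg =~ /\A[A-Z][A-Z0-9_]*\z/)
      problems << "arg #{i} (#{pname}): expected an Integer or a Windows constant name such as MB_OK" unless ok
    end
  end
  problems
end

if __FILE__ == $0
  p check_definition('netapi32', 'NetUserChangePassword', 'DWORD', NET_USER_CHANGE_PASSWORD, KNOWN_DLLS)
  p check_call(NET_USER_CHANGE_PASSWORD, ['nil', 'NullCon', 'NullCon', 'NullCon123'])
  p check_call(MESSAGE_BOX_A, [0, 'Hello Null Hyderabad', 'NullCon', 'MB_OK'])
end
```

Run it with plain ruby, no Metasploit needed. The second call reports the quoted 'nil' that the original slide passed as the domain name: Railgun sends that as a real string, so the call targets a domain literally named nil rather than the local machine, which is what a nil (NULL) argument means.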

That's all

client.railgun.user32.MessageBoxA(0, "That's what in my slides to show", "NullCon", "MB_OK")

Chaitanyapentest@gmail.com
