![Page 1: Metasploit Railguns presentation @ tcs hyderabad](https://reader034.vdocuments.us/reader034/viewer/2022052411/557629b3d8b42a4e1c8b53c1/html5/thumbnails/1.jpg)
Weaponizing Metasploit Railgun on the Windows API
A. Chaitanya Krishna
To my mentors:
Vivek Ramachandran (SecurityTube.net)
Bharath (Kiva Cyber securities)
and my friends
Agenda
Introduction to the Metasploit Framework
Keywords
Meterpreter
Enhancing Meterpreter with Railgun
Adding Railgun functions and DLLs on the fly
Demo
Buzz Words
Vulnerability: a weakness in a system that can be used to compromise it.
Exploit: code that triggers a specific vulnerability on the target system.
Payload: the code that runs after successful exploitation and gives the attacker access (for example a shell or Meterpreter).
Metasploit Framework
Used for penetration testing
IDS signature development
Exploit development
One of the most talked-about tools in the security community
Widely used for developing exploits and testing vulnerabilities
Why choose Metasploit
Widely accepted tool for testing vulnerabilities
Makes complex tasks much easier
Has a rich set of modules organized in a systematic manner (exploits, payloads, auxiliary, post)
Receives regular updates
Contains 1000+ exploits, 200+ payloads and 500+ auxiliary modules of different types
Meterpreter
The default go-to payload for Windows targets
Provides an enhanced command shell for the attacker (the meterpreter > prompt)
Consists of a default set of core commands
Runs entirely in memory and can be extended at runtime by shipping additional extension DLLs to the victim machine
Provides a basic post-exploitation API that post modules and scripts build on
Working of Meterpreter
Getting a Meterpreter shell goes through three stages:
1. The attacker sends the exploit together with a small stage-1 payload (the stager).
2. The stager connects to the attacker and receives the Meterpreter DLL, which is injected into the exploited process in memory rather than written to disk.
3. The Meterpreter DLL starts communicating with the attacker's handler and the meterpreter > prompt appears.
Sample Scenario
Attacker: Backtrack, 192.168.47.128
Victim: Windows XP, 192.168.47.129
The attacker sends the combination of exploit and payload to the victim.
Why Railgun
Railgun is part of Meterpreter's stdapi extension. It lets the attacker call functions exported by any DLL on the victim from the attacker's Ruby side, without writing a new Meterpreter extension.
Allows arbitrary loading of DLLs by name.
Windows API DLLs (kernel32, user32, advapi32, ...) live at well-known paths, so they can be loaded very easily.
Calls are made from the irb shell inside a session (or from a post module) and executed inside the Meterpreter process on the victim:
```
meterpreter > irb
[*] Starting IRB shell
[*] The 'client' variable holds the meterpreter client
>>
```
Railgun gives us the flexibility and power to call arbitrary functions in DLLs on the victim's machine.
Hello World DLLs
The Windows operating system is known for its rich set of DLLs.
These include the DLLs shipped with Windows itself as well as those installed by applications.
They can be called on the fly from the irb shell, or their definitions can be added statically to Railgun's bundled definition files (one def_<dll>.rb per DLL) under:
/opt/metasploit/msf3/lib/rex/post/meterpreter/extensions/stdapi/railgun/def
Introduction to DLLs and Functions
Not every Windows API function is pre-defined in Railgun; only the functions listed in the def files can be called by name.
Anything else (including DLLs of our own) has to be added at runtime before it can be called.
The function must be called on the DLL that actually exports it. MessageBoxA, for example, lives in user32; the string "MB_OK" is resolved by Railgun to the matching Windows constant:
```
meterpreter > irb
[*] Starting IRB shell
[*] The 'client' variable holds the meterpreter client
>> client.railgun.user32.MessageBoxA(0, "Hello Null Hyderabad, Welcome to the meet", "NullCon", "MB_OK")
```
The message box pops up on the victim's desktop, and the call returns only once the user has dismissed it.
Anatomy of Functions
A Railgun function definition consists of:
Function name (as exported by the DLL)
Function return type (e.g. DWORD, BOOL, LPVOID)
Array of parameters, each written as [type, name, direction], where direction is "in", "out" or "inout"
In parameters are the arguments through which we pass input to the function.
Out parameters are full-fledged data pointers: Railgun allocates the buffer in the victim process, passes the pointer to the function and hands the filled-in contents back to the attacker in the result hash under the parameter's name, next to the "return" value and "GetLastError".
Necessity of DLLs and Functions
In the middle of a penetration test we often need an additional API that Railgun does not define yet.
It can be defined on the fly from the irb shell, or statically by adding it to the definition files under:
/opt/metasploit/msf3/lib/rex/post/meterpreter/extensions/stdapi/railgun/def
Adding DLLs on the fly
Listing the DLLs Railgun already knows about:
```
meterpreter > irb
[*] Starting IRB shell
[*] The 'client' variable holds the meterpreter client
>> client.railgun.known_dll_names
=> ["kernel32", "ntdll", "user32", "ws2_32", "iphlpapi", "advapi32", "shell32", "netapi32", "crypt32", "wlanapi"]
```
Loading a DLL that is not in that list (here the speaker's own NullCon.dll placed in System32), and skipping the load if it is already known:
```ruby
unless client.railgun.known_dll_names.include?('NullCon')
  print_status "Adding NullCon.dll"
  client.railgun.add_dll('NullCon', 'C:\\WINDOWS\\system32\\NullCon.dll')
else
  print_status "NullCon DLL has already been loaded.. skipping"
end
```
Adding Functions on the fly
Defining NetUserChangePassword on netapi32 (return type DWORD, four wide-string input parameters) and then calling it. Passing nil for the domain name sends a NULL pointer, so the call applies to the caller's logon domain / local machine:
```
meterpreter > irb
[*] Starting IRB shell
[*] The 'client' variable holds the meterpreter client
>> client.railgun.add_function('netapi32', 'NetUserChangePassword', 'DWORD', [
     ["PWCHAR", "domainname", "in"],
     ["PWCHAR", "username", "in"],
     ["PWCHAR", "oldpassword", "in"],
     ["PWCHAR", "newpassword", "in"]])
=> #<Rex::Post::Meterpreter::Extensions::Stdapi::Railgun::DLLFunction:0x00000006d4fa70 @return_ me", "in"], ["PWCHAR", "oldpassword", "in"], ["PWCHAR", "newpassword", "in"]], @windows_name="N
>> client.railgun.netapi32.NetUserChangePassword(nil, "NullCon", "NullCon", "NullCon123")
```
The call returns a hash; its "return" entry is the NET_API_STATUS, and 0 (NERR_Success) means the password of the NullCon account was changed.
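The two slides above (the function anatomy and the on-the-fly definition of NetUserChangePassword) are combined here into a small helper layer that checks what Railgun already knows before adding a definition and then interprets the result hash instead of ignoring it. This is an added example, not code from the slides or from Metasploit. Inside meterpreter > irb the `railgun` argument would be `client.railgun`; `known_dll_names` and `add_function` are the Railgun methods shown on the slides, while `get_dll(name).known_function_names` is assumed to exist on the Railgun DLL object. The FakeRailgun class at the bottom is a constructed stand-in so the file also runs offline; the account it holds is made up.

```ruby
# Added example (not from the slides or Metasploit): helper layer over client.railgun.
# In a live session call e.g. change_password(client.railgun, 'NullCon', 'NullCon', 'NullCon123').

NERR_SUCCESS           = 0     # NET_API_STATUS: the call succeeded
ERROR_ACCESS_DENIED    = 5
ERROR_INVALID_PASSWORD = 86
NERR_USER_NOT_FOUND    = 2221

# Railgun parameter descriptors: [type, name, direction].
# All four are "in" parameters; nil for domainname becomes a NULL pointer,
# which makes Windows use the caller's logon domain / local machine.
NET_USER_CHANGE_PASSWORD_PARAMS = [
  ['PWCHAR', 'domainname',  'in'],
  ['PWCHAR', 'username',    'in'],
  ['PWCHAR', 'oldpassword', 'in'],
  ['PWCHAR', 'newpassword', 'in'],
].freeze

# Define a function on an already-known DLL unless Railgun has it.
# Returns true if the definition was added, false if it already existed.
# Assumption: railgun.get_dll(dll).known_function_names lists defined functions.
def ensure_function(railgun, dll, func, ret_type, params)
  raise ArgumentError, "#{dll} is not a known DLL; add_dll it first" unless railgun.known_dll_names.include?(dll)
  return false if railgun.get_dll(dll).known_function_names.include?(func)
  railgun.add_function(dll, func, ret_type, params)
  true
end

def status_message(code)
  case code
  when NERR_SUCCESS           then 'password changed'
  when ERROR_ACCESS_DENIED    then 'access denied (privilege or password policy)'
  when ERROR_INVALID_PASSWORD then 'old password is wrong'
  when NERR_USER_NOT_FOUND    then 'no such user'
  else "NET_API_STATUS #{code}"
  end
end

# Change an account password through NetUserChangePassword and report the outcome.
# Railgun hands back a Hash: 'return' is the function's own return value and
# 'GetLastError' the thread's last-error code; both are surfaced rather than dropped.
def change_password(railgun, user, old_pw, new_pw, domain: nil)
  ensure_function(railgun, 'netapi32', 'NetUserChangePassword', 'DWORD',
                  NET_USER_CHANGE_PASSWORD_PARAMS)
  res  = railgun.netapi32.NetUserChangePassword(domain, user, old_pw, new_pw)
  code = res['return']
  { ok: code == NERR_SUCCESS, status: code, last_error: res['GetLastError'],
    message: status_message(code) }
end

# ---- Constructed stand-in for client.railgun so this runs without a session ----
class FakeDll
  attr_reader :known_function_names
  def initialize(accounts)
    @known_function_names = []
    @accounts = accounts            # made-up username => current password
  end
  def add(func) = @known_function_names << func
  # Mimics the result hash Railgun returns for the real call.
  def NetUserChangePassword(_domain, user, old_pw, new_pw)
    raise NoMethodError, 'NetUserChangePassword not defined' unless @known_function_names.include?('NetUserChangePassword')
    code = if !@accounts.key?(user)     then NERR_USER_NOT_FOUND
           elsif @accounts[user] != old_pw then ERROR_INVALID_PASSWORD
           else @accounts[user] = new_pw; NERR_SUCCESS
           end
    { 'return' => code, 'GetLastError' => 0 }
  end
end

class FakeRailgun
  def initialize = @dlls = { 'netapi32' => FakeDll.new('NullCon' => 'NullCon') }
  def known_dll_names = @dlls.keys
  def get_dll(name) = @dlls[name]
  def add_function(dll, func, _ret_type, _params) = @dlls[dll].add(func)
  def netapi32 = @dlls['netapi32']
end
```

Out parameters follow the same pattern: whatever the function writes into a Railgun-allocated buffer comes back in the same hash under the parameter's name, so a wrapper like the one above would read `res['lpBuffer']` (or whatever the parameter is called) next to `res['return']`.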
That's all
```
>> client.railgun.user32.MessageBoxA(0, "That's what is in my slides to show", "NullCon", "MB_OK")
```