metasploit railguns presentation @ tcs hyderabad
Description: Usage of Railgun on Meterpreter
Transcript:
Weaponzing Metasploit Railgun on Windows API
A.Chaitanya Krishna
To my mentors:
Vivek Ramachandran (SecurityTube.net)
Bharath (Kiva Cyber securities)
My friends
Agenda
Introduction to Metasploit Framework
Keywords
Introduction to Metasploit
Meterpreter
Enhancing Meterpreter using Railguns
Adding Railguns Functions and Dlls on fly
Demo
Buzz Words
Vulnerability: a weakness in a system that can be exploited to compromise it.
Exploit: code that triggers a specific vulnerability on the target system.
Payload: the code that runs after successful exploitation and gives the attacker access.
Metasploit Framework
Used for Penetration Testing
IDS signature development
Exploit Development
Buzz word in the security community
Widely used tool for developing exploits and testing vulnerabilities
Why opt for Metasploit
Widely accepted tool for testing vulnerabilities
Makes complex tasks easier
Possesses a rich set of modules, organized systematically
Has regular updates
Contains 1000+ exploits, 200+ payloads, 500+ auxiliary modules
Meterpreter
It's the default go-to payload for Windows
Provides an enhanced command shell for the attacker
Consists of a default set of core commands
Can be extended at runtime by shipping DLLs to the victim machine
Meterpreter >
Provides basic post-exploitation API
Working of Meterpreter
Getting a Meterpreter shell involves 3 stages:
1. Attacker sends the exploit + stage 1 payload
2. Attacker sends the DLL injection payload
3. The Meterpreter DLL starts communicating with the attacker
Sample Scenario
Backtrack: 192.168.47.128
Windows XP: 192.168.47.129
Attacker sends the combination of payload and exploit
Why Railguns
Meterpreter extension that lets an attacker call functions in any DLL
Allows arbitrary loading of DLLs
Windows API DLLs live at known paths, so we can load them very easily
meterpreter > irb
[*] Starting IRB shell
[*] The 'client' variable holds the meterpreter client
>>
Railgun gives us the flexibility and power to call arbitrary functions in DLLs on the victim's machine
Hello World DLLs
Windows is known for its rich set of DLLs
These include DLLs shipped with Windows as well as DLLs from installed applications
They can be called on the fly from irb, or defined statically in:
/opt/metasploit/msf3/lib/rex/post/meterpreter/extensions/stdapi/railgun/def
Introduction to DLLs and Functions
Not all functions are predefined for calling.
We need to add our own DLL and function definitions to call them at runtime.
The function must be called through the DLL that exports it.
meterpreter > irb
[*] Starting IRB shell
[*] The 'client' variable holds the meterpreter client
>> client.railgun.user32.MessageBoxA(0, "Hello Null Hyderabad, Welcome to the meet", "NullCon", "MB_OK")
Anatomy of Functions
Function Name
Function Return Type
Out Parameters
Array of Parameters
In parameters are the arguments through which we pass input to the function
Out parameters are full-fledged data pointers; the memory behind them is allocated and managed entirely by Railgun
Necessity of DLLs and Functions
In the middle of a penetration test we need to call additional APIs to support our work.
They can be called on the fly, or else we need to define them statically in:
/opt/metasploit/msf3/lib/rex/post/meterpreter/extensions/stdapi/railgun/def
unless client.railgun.known_dll_names.include?('NullCon')
  print_status "Adding NullCon.dll"
  client.railgun.add_dll('NullCon', 'C:\\WINDOWS\\system32\\NullCon.dll')
else
  print_status "NullCon DLL has already been loaded.. skipping"
end
meterpreter > irb
[*] Starting IRB shell
[*] The 'client' variable holds the meterpreter client
>> client.railgun.known_dll_names
=> ["kernel32", "ntdll", "user32", "ws2_32", "iphlpapi", "advapi32", "shell32", "netapi32", "crypt32", "wlanapi"]
Adding Functions on fly
>> client.railgun.add_function('netapi32', 'NetUserChangePassword', 'DWORD', [["PWCHAR", "domainname", "in"], ["PWCHAR", "username", "in"], ["PWCHAR", "oldpassword", "in"], ["PWCHAR", "newpassword", "in"]])
=> #<Rex::Post::Meterpreter::Extensions::Stdapi::Railgun::DLLFunction:0x00000006d4fa70 @return_... ...me", "in"], ["PWCHAR", "oldpassword", "in"], ["PWCHAR", "newpassword", "in"]], @windows_name="N...
>> client.railgun.netapi32.NetUserChangePassword(nil, "NullCon", "NullCon", "NullCon123")
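The unless/else block on the earlier slide guards only the DLL: nothing checks whether the function is already defined, and a mistyped type or direction in the parameter array is not noticed until the call is attempted on the target. The Ruby script below is an added example written for this page, not code from the slides or from Metasploit. It models the add_dll / add_function registration from the "Anatomy of Functions" and "Adding Functions on fly" slides against an offline stand-in (StubRailgun, constructed here) so the checks run without a session; in a real session you would pass client.railgun instead. RAILGUN_TYPES is a subset of the types Railgun accepts, the pointer rule for out parameters is this example's own check, and ensure_function / validate_params are hypothetical helper names.

```ruby
# Added example for this page, not Metasploit code. StubRailgun stands in for
# client.railgun so the logic runs offline; it records registrations only.

# Railgun parameter types used in this example (a subset of the real set).
RAILGUN_TYPES = %w[VOID BOOL BYTE WORD DWORD HANDLE LPVOID PDWORD PCHAR PWCHAR PBLOB].freeze
DIRECTIONS    = %w[in out inout].freeze

# Offline stand-in for client.railgun: same method names and argument order
# as the real object, but it only stores what was registered.
class StubRailgun
  def initialize
    # Constructed: the DLL names the slide's known_dll_names call printed.
    @dlls = {}
    %w[kernel32 ntdll user32 ws2_32 iphlpapi advapi32 shell32 netapi32 crypt32 wlanapi]
      .each { |name| @dlls[name] = { path: nil, functions: {} } }
  end

  def known_dll_names
    @dlls.keys
  end

  def add_dll(name, path)
    @dlls[name] = { path: path, functions: {} }
  end

  # Mirrors Railgun#add_function(dll_name, function_name, return_type, params)
  def add_function(dll, fname, ret, params)
    @dlls.fetch(dll)[:functions][fname] = { ret: ret, params: params }
  end

  def function_defined?(dll, fname)
    @dlls.key?(dll) && @dlls[dll][:functions].key?(fname)
  end
end

# Check a parameter list written in Railgun's [type, name, direction] form.
# A lower-case type ("pwchar") or a bad direction is rejected here, before
# anything is sent to the target. Out/inout parameters must be pointer types
# (this example's rule), because Railgun allocates the buffer behind them.
def validate_params(params)
  params.each do |type, name, dir|
    raise ArgumentError, "unknown Railgun type #{type.inspect} for #{name}" unless RAILGUN_TYPES.include?(type)
    raise ArgumentError, "bad direction #{dir.inspect} for #{name}" unless DIRECTIONS.include?(dir)
    if dir != "in" && !type.start_with?("P") && type != "LPVOID"
      raise ArgumentError, "#{name}: direction #{dir} needs a pointer type, got #{type}"
    end
  end
  params
end

# Idempotent version of the slide's unless/else block: add the DLL only if
# Railgun does not know it, then add the function only if it is not already
# defined. Returns :added or :already_defined so a script can report either case.
def ensure_function(rg, dll:, fname:, ret:, params:, path: nil)
  unless rg.known_dll_names.include?(dll)
    raise ArgumentError, "#{dll} is not a known DLL; a path is required" if path.nil?
    rg.add_dll(dll, path)
  end
  return :already_defined if rg.function_defined?(dll, fname)

  rg.add_function(dll, fname, ret, validate_params(params))
  :added
end

# The definition from the slide, with the types in the upper-case form that
# Railgun's own output shows.
NET_USER_CHANGE_PASSWORD = [
  ["PWCHAR", "domainname",  "in"],
  ["PWCHAR", "username",    "in"],
  ["PWCHAR", "oldpassword", "in"],
  ["PWCHAR", "newpassword", "in"],
].freeze

if __FILE__ == $PROGRAM_NAME
  rg = StubRailgun.new
  p ensure_function(rg, dll: "netapi32", fname: "NetUserChangePassword",
                    ret: "DWORD", params: NET_USER_CHANGE_PASSWORD)   # :added
  p ensure_function(rg, dll: "netapi32", fname: "NetUserChangePassword",
                    ret: "DWORD", params: NET_USER_CHANGE_PASSWORD)   # :already_defined
end
```

Running the script twice over the same definition returns :added and then :already_defined; adding a DLL that Railgun does not list requires a path, exactly as the slide's add_dll call does.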
That's all
client.railgun.user32.MessageBoxA(0, "That's what's in my slides to show", "NullCon", "MB_OK")