Post Metasploitation
Presented at Defcon 20
TRANSCRIPT
POST METASPLOITATION
egypt
WHY THIS TALK?
• Get more shells
• Get better shells
• Do more with them, faster
ASSUMPTIONS
• You’ve heard of Metasploit
• You’ve got a shell
• You have some goal that isn’t that shell
WHY METASPLOIT?
LARGE OPEN SOURCE COMMUNITY
POST MODULE DESIGN
Should be minimal
• Complexity is hard to debug and maintain
• Do one thing and do it well
– Resource scripts can automate multiple modules
POST MODULE DESIGN
Should be readable
• Consistent structure
• Consistent option names
• Consistent output
POST MODULE DESIGN
Should be reliable
• Detect relevant variables
• Never crash session/host if you can avoid it
• Clean up
POST MODULE DEVELOPMENT
Like Aux modules in many ways
• Define a run() method
• Optional setup(), cleanup() methods
• Have Actions
• Can include Exploit / Auxiliary mixins
• Should report something
POST MODULE STRUCTURE
METASPLOIT POST API
• DSL*-like interface for automating shells
• Abstracts out common stuff
• Platform-agnostic methods for
– Reading/writing binary files
– Running shell commands
– Listing users
*Domain Specific Language
POST-EXPLOITATION SECRET SAUCE
Presence
Persistence
Pivoting
[1]: I totally stole this from Mubix
PRESENCE
• Examine your environment
– Users
– Machine
• One issue here is getting an unfamiliar shell
– Never played on Solaris, what do you do?
WHAT USERS ARE/HAVE LOGGED IN?
PRESENCE - THE MACHINE
• What does this box do?
• What processes are running?
– AV, Tripwire
– ssh-agent, pageant
– Editors
– Database servers
• What does it talk to?
WHAT DOES THIS MACHINE TALK TO?
PERSISTENCE
• Passwords!
• Backdoors
• Re-introducing vulnerabilities
TEMPORARY PERSISTENCE
• Reverse http(s) payloads
• Doesn't survive reboot but useful for keeping shells when network is spotty
MORE PERMANENT OPTIONS
• Autoruns
– Drop an exe in the right place, maybe mod registry
– Simple, effective
• Task scheduler, cron, launchd
• Enable RDP
• Enable root login for ssh
PIVOTING
• Passwords!
• Privilege escalation
• Trust relationships
• Route, portfwd
• auxiliary/server/socks4a
• Explicit "comm" arg to Rex::Socket creation
POST-EXPLOITATION EXPLOITATION
• For when you absolutely, positively have to have root
– (and don’t mind the occasional kernel panic)
• We can kinda blur the line between local and remote here
$ -> #
• Just like with network exploitation, not always an exploit
• Passwords (sudo)
• Trust relationships (suid executables)
• Misconfiguration (all sorts of shit)
DEMO: MULTI/LOCAL/SETUID_NMAP
"Nmap should never be installed with special privileges (e.g. suid root) for security reasons."
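The defender's counterpart to the setuid demo above is an audit of what actually carries the bit. This is an added Ruby example, not code from the talk or from Metasploit: it walks a directory tree, returns every setuid regular file with its owner, and flags names (a constructed watch list, starting with nmap per the quote above) that should never be installed setuid.

```ruby
require 'find'
require 'etc'

# Constructed watch list: binaries whose upstream docs (nmap, quoted above)
# or general practice say should never be setuid root. Extend as needed.
RISKY_SETUID = %w[nmap vim vi nano find python perl ruby bash sh].freeze

# Walk +root+ and return every regular file with the setuid bit set as
# [path, owner, flagged], where flagged is true for names on the watch list.
def find_setuid(root)
  hits = []
  Find.find(root) do |path|
    begin
      st = File.lstat(path)            # lstat: do not follow symlinks
    rescue SystemCallError
      next                             # unreadable entries are skipped
    end
    next unless st.file? && st.setuid?
    owner = begin
      Etc.getpwuid(st.uid).name
    rescue ArgumentError
      st.uid.to_s                      # uid without a passwd entry
    end
    hits << [path, owner, RISKY_SETUID.include?(File.basename(path))]
  end
  hits
end

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby setuid_audit.rb [root]   (defaults to /usr/bin)
  find_setuid(ARGV.fetch(0, '/usr/bin')).each do |path, owner, flagged|
    puts "#{flagged ? 'RISKY' : '     '} #{path} (owner #{owner})"
  end
end
```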
DEMO: LINUX/LOCAL/SOCK_SENDPAGE
AKA Wunderbar Emporium
EXPLOIT::LOCAL
• Inherit from Exploit
– Provides payloads and handlers
– Create executables, etc
• Include Post mixins
– Provides session interaction
– Write files, manipulate registry, etc
COMPILING/ASSEMBLING WITH METASM
• Can compile C for x86/x86_64
• Can assemble x86, x86_64, mips, arm, ppc and more
TRUST RELATIONSHIPS
• Windows Authentication
– NTLM auth is relay-able
– Automatic domain auth
SMB RELAY
Diagram: Victim, Attacker, Target
• Victim begins NTLM authentication against the attacker
• Attacker begins NTLM auth against Target
• Target replies with 8-byte challenge
• Attacker sends Target's challenge to Victim
• Victim calculates challenge response and replies with final authentication packet
• Attacker logs into Target with Victim's credentials
SMB RELAY
• Well-known attack
• Some mitigations break it, but largely still useful and will be for a long time
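The six-step exchange on the previous slides, modelled as an added Ruby example that is not part of the talk or of Metasploit. A simplified HMAC challenge/response stands in for NTLM (constructed; not the real wire format), the attacker only forwards bytes and never holds a secret, and a "bound" variant that ties the response to the server name the client intended (the idea behind the mitigations mentioned above) shows why the relay then fails while an honest login still works.

```ruby
require 'openssl'
require 'securerandom'

# Constructed model of a domain host: Victim and Target share a
# password-derived secret; the attacker never holds one.
class Host
  attr_reader :name

  def initialize(name, secret)
    @name = name
    @secret = secret
  end

  # Server role: issue and remember an 8-byte challenge.
  def issue_challenge
    @challenge = SecureRandom.random_bytes(8)
  end

  # Client role: answer a challenge. With binding, the MAC also covers the
  # name of the server the client believes it is talking to.
  def respond(challenge, peer_name = nil)
    OpenSSL::HMAC.digest('SHA256', @secret, challenge + peer_name.to_s)
  end

  # Server role: a bound check recomputes the MAC with the server's OWN name,
  # so a response meant for another host does not verify here.
  def verify(response, bound: false)
    expected = OpenSSL::HMAC.digest('SHA256', @secret,
                                    @challenge + (bound ? name : ''))
    expected == response
  end
end

# The slides' steps: the attacker relays Target's challenge to Victim and
# Victim's answer back to Target. Returns whether Target accepted the login.
def relay(victim, target, bound: false)
  challenge = target.issue_challenge          # attacker starts auth at Target
  response  = victim.respond(challenge,       # victim believes its peer is
                             bound ? 'ATTACKER' : nil) # the attacker's host
  target.verify(response, bound: bound)       # attacker presents the answer
end

# Direct, honest login for comparison: binding does not get in the way.
def legit_login(client, server, bound: false)
  challenge = server.issue_challenge
  response  = client.respond(challenge, bound ? server.name : nil)
  server.verify(response, bound: bound)
end
```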
SMB RELAY + LNK FILE
Diagram: Victim, File Server, Compromised Target
• Create LNK file
• Drop LNK file (post/windows/escalate/droplnk)
• Setup a relay (exploit/windows/smb/smb_relay)
• Wait for an Admin to open that directory
AUTOMATIC DOMAIN AUTH
• Windows stores creds in memory and does NTLM auth using your current token
• When you do something in the GUI that requires auth, it happens automatically using those creds
• If your user has Local Admin on another box, you can create/start services (usually)
SC_HANDLE WINAPI OpenSCManager(
__in_opt LPCTSTR lpMachineName,
__in_opt LPCTSTR lpDatabaseName,
__in DWORD dwDesiredAccess );
SC_HANDLE WINAPI CreateService(
__in SC_HANDLE hSCManager,
__in LPCTSTR lpServiceName,
__in_opt LPCTSTR lpDisplayName,
__in DWORD dwDesiredAccess,
__in DWORD dwServiceType,
__in DWORD dwStartType,
__in DWORD dwErrorControl,
__in_opt LPCTSTR lpBinaryPathName,
__in_opt LPCTSTR lpLoadOrderGroup,
__out_opt LPDWORD lpdwTagId,
__in_opt LPCTSTR lpDependencies,
__in_opt LPCTSTR lpServiceStartName,
__in_opt LPCTSTR lpPassword );
DEMO: OWNING DC USING DA TOKEN
Yay automatic authentication
CONCLUSIONS
• Metasploit is awesomesauce
• If it doesn't already do what you need, it's easy to add new modules
• Stick around for Dave's talk!
• Twitter: @egyp7
• IRC: #metasploit on FreeNode
QUESTIONS?