際際滷

際際滷Share a Scribd company logo

Shiny

egypt
egypt

This document summarizes new features and improvements in the Metasploit framework, including over 1200 pull requests and 7500 commits added since September 2014. Key additions include 358 new modules, 20 modules for local privilege escalation, exploits targeting antivirus products and SOHO routers, improved SMB and Kerberos support, and enhancements to payloads such as interactive Powershell and UUID tracking.

1 of 67
Download to read offline
New Shiny in the Metasploit Framework Derbycon 2015 Edition 1
James Lee @egyp7 Metasploit Developer Community Manager # whoami 2
First some numbers 3
Rapid7 has 71 Public Repositories 4
Repos You Probably Care About metasploit-framework metasploit-payloads metasploit-omnibus 5
Repos You Might Find Interesting 6 github-connector ssh-badkeys
7
Over 1200 Pull Requests landed 8
Over 7500 commits git log --since '2014-09-26' --oneline | wc -l 9
git log --since '2014-09-26' --format='%aE' | sort -u Almost 200 unique authors 10
11
358 new modules 12
Modules 13
20 Local Priv Escalation 14
Local exploit suggester 15
16 exploit/unix/webapp/wp_admin_shell_upload
Anti-Virus Products 17
18 auxiliary/gather/mcafee_epo_xxe
19 exploit/linux/http/symantec_web_gateway_restore
20 exploit/windows/browser/malwarebytes_update_exec
21 js-beautifier exploit/multi/fileformat/js_unpacker_eval_injection
Browser Exploitation 22
21 browser exploits 23
24
25
26
27
SOHO Routers 28
29
Credentials 30
Service 31 Cred Cred Cred Old and Busted
Core Private Public Realm Blank Username SNMP Community NTLM Hash SMB Domain Postgres DB Username Password SSH Key Non-replayable Hash 32
Core Service 33 Login Login Login Service
Java Serialization 34
Java Serialization with RMI, JMX 35 auxiliary/gather/java_rmi_registry exploits/multi/misc/java_jmx_server exploits/multi/misc/java_rmi_server
SMB 36
Kerberos Partial implementation Enough to exploit MS14-068 37
SMB Server 38 Partial implementation Serve a single file Enough to exploit most DLL hijacks
Payload Improvements 39
Interactive Powershell Can upgrade to meterpreter Mostly compatible with existing Post API Powershell Session Type 40
Unicode support Meterpreter handles unicode in filesystems Still have to have support in your terminal 41
UUID Tracking Embed Universally Unique ID in payloads Makes a payload identifiable Track which EXE got this session Generate unique machine ID for each session Makes a machine identifiable Track whether weve popped this box before 42
Paranoid Mode Set a real TLS cert for payload handlers Verify it from Meterpreter side Bail if were being MitMd Whitelist UUIDs in the handler Dont start sessions for things that arent a payload 43
Meterpreter Transport Reliability 44
Runtime Transport Control reverse_tcp vs reverse_http vs reverse_https Bind tcp://:8000/ IPv6 tcp6://fe80::82e6:50ff:fe08:2e50:8000?en0 HTTP(S) https://1.2.3.4/<generated URI> 45
Configurable timeouts Session Communication Retry total Retry wait 46
Stageless Meterpreter Skip staging and put everything in one payload 47
48
NTDS.dit Domain controllers store accounts Multi-GB file for large orgs Downloading giant files sucks 49
NTDS.dit Solution 50 windows/gather/credentials/domain_hashdump Uses a C extension to parse on target Send back a few at a time
Infrastructure 51
Ruby 2.1.6 52
53
54 Omnibus
Random 55
56 Removed Replacement msfpayload msfvenom msfencode msfcli msfconsole
Workspace in Your Prompt 57
Tab-completing LHOST 58
Questions? 59
Images Returned in Google results for this Presentation 60
Shiny
62
63
64
65
66
67

More Related Content

Shiny