Metasploit Railguns presentation @ tcs hyderabad
Download as PPTX, PDF0 likes1,949 views
This document discusses introducing Metasploit Framework and enhancing Meterpreter using Railguns. It provides an overview of key concepts like vulnerabilities, exploits, payloads, and Metasploit. It describes how Meterpreter works and its benefits. It then explains how Railguns allow calling arbitrary DLL functions to extend Meterpreter's capabilities. The document demonstrates adding Railgun functions and DLLs dynamically during a session to call new APIs.
![Why Railguns
Meterpreter > irb
[*] Starting IRB shell
[*] The ‘Client’ variable holds meterpreter client
>>
Meterpreter extension that allows an attacker to run any DLL’s
Allows arbitrary loading of DLL’s
Windows API DLL’s are known paths. So we can load them very easily
Railgun gives us flexibility and power to call arbitrary functions in DLL's on victims machine](https://image.slidesharecdn.com/railgunspresentationtcshyderabad-121229231014-phpapp01/85/Metasploit-Railguns-presentation-tcs-hyderabad-11-320.jpg)
![Introduction to DLLs and Functions
Not all functions are defined to call.
Need to add our own DLLs to call them during the runtime.
Appropriate Function to be called for particular DLL
Meterpreter > irb
[*] Starting IRB shell
[*] The ‘Client’ variable holds meterpreter client
>> Client.railgun.user32.MessageBoxA(0, “Hello Null Hyderabad, Welcome to the meet”, “NullCon” , “MB_OK”)](https://image.slidesharecdn.com/railgunspresentationtcshyderabad-121229231014-phpapp01/85/Metasploit-Railguns-presentation-tcs-hyderabad-13-320.jpg)
![Adding Functions on fly
Meterpreter > irb
[*] Starting IRB shell
[*] The ‘Client’ variable holds meterpreter client
>> ?> client.railgun.known_dll_names
=> ["kernel32", "ntdll", "user32", "ws2_32", "iphlpapi", "advapi32", "shell32", "netapi32", "crypt32", "wlanapi"]
unless client.railgun.known_dll_names.include? ‘NullCon ‘
print_status "Adding NullCon.dll"
client.railgun.add_dll(‘NullCon','C:WINDOWSsystem32NullCon.dll')
else
print_status “NullCon DLL has already loaded.. skipping"
end](https://image.slidesharecdn.com/railgunspresentationtcshyderabad-121229231014-phpapp01/85/Metasploit-Railguns-presentation-tcs-hyderabad-18-320.jpg)
![Adding Functions on fly
Meterpreter > irb
[*] Starting IRB shell
[*] The ‘Client’ variable holds meterpreter client
>> client.railgun.add_funcution('netapi32', 'NetuserChangePassword', 'DWORD',[
["pwchar", "domainname", "in"],
["pwchar", "username", "in"],
["pwchar", "oldpassword", "in"],
["pwchar", "newpassword", "in"])
= = > => #<Rex::Post::Meterpreter::Extensions::Stdapi::Railgun::DLLFunction:0x00000006d4fa70
@return_ me", "in"], ["PWCHAR", "oldpassword", "in"], ["PWCHAR", "newpassword", "in"]], @windows_name="N
>> client.railgun.netapi32.NetUserChangePassword(‘nil’, “NullCon”, “NullCon”, “NullCon123”)](https://image.slidesharecdn.com/railgunspresentationtcshyderabad-121229231014-phpapp01/85/Metasploit-Railguns-presentation-tcs-hyderabad-20-320.jpg)
Metasploit Railguns presentation @ tcs hyderabad
- 2. Vivek Ramachandran (SecurityTube.net) Bharath (Kiva Cyber securities) My friends
- 3. Agenda Introduction to Metasploit Framework Keywords Introduction to Metasploit Meterpreter Enhancing Meterpreter using Railguns Adding Railguns Functions and Dlls on fly Demo
- 4. Buzz Words Vulnerability Weakness existed in a system which could be compromised. Exploit Code which works on the target vulnerability system. Payload Actual Code that lets an attacker to gain access after exploitation
- 5. Metasploit Framework Widely used Tool for Development and Testing Vulnerabilities Buzzing word security community Used for Penetration Testing IDS signature development Exploit Development
- 6. Why we need to opt Metasploit Widely accepted tool for the Testing vulnerabilities Makes complex tasks more ease Posses rich set of modules organized in systematic manner Has Regular updates Contains different types 1000 + exploits , 200 + Payloads, 500+ Auxiliary Modules
- 7. Meterpreter Meterpreter > Its a default Goto Payload for Windows Provides Enhanced Command Shell for the attacker Consists of default set of core commands Can be extended at runtime by shipping DLLs on the Victim machine Provides basic post-exploitation API
- 8. Working of Meterpreter Getting a meterpreter shell undergoes 3 different stages sends exploit + Stage 1 Payload sends DLL injection payload meterpreter DLL starts communication
- 9. Sample Scenario Sends Combination of Payload and Exploit Backtrack Windows XP 192.168.47.129 192.168.47.128
- 11. Why Railguns Meterpreter > irb [*] Starting IRB shell [*] The ‘Client’ variable holds meterpreter client >> Meterpreter extension that allows an attacker to run any DLL’s Allows arbitrary loading of DLL’s Windows API DLL’s are known paths. So we can load them very easily Railgun gives us flexibility and power to call arbitrary functions in DLL's on victims machine
- 12. Hello World DLLs As windows operating system is known for its rich set of DLLs Contains shipped in DLLs along with windows as well as from installed applications Can be called on the fly using the irb mode or can be statically define them /opt/metasploit/msf3/lib/rex/post/meterpreter/extensions/stdapi/railgun/def
- 13. Introduction to DLLs and Functions Not all functions are defined to call. Need to add our own DLLs to call them during the runtime. Appropriate Function to be called for particular DLL Meterpreter > irb [*] Starting IRB shell [*] The ‘Client’ variable holds meterpreter client >> Client.railgun.user32.MessageBoxA(0, “Hello Null Hyderabad, Welcome to the meet”, “NullCon” , “MB_OK”)
- 14. Anatomy of Functions Function Name Function Return Type In Parameters are the arguments through which we pass input to the function Out Parameters are full-fledged data pointers and complete memory allocation is entirely managed by Railgun Out Parameters Array of Parameters
- 16. Necessity of DLLs and Functions In the middle of our penetration testing we need to call additional API for support to our work. Can be called during fly or else we need to define them statically /opt/metasploit/msf3/lib/rex/post/meterpreter/extensions/stdapi/railgun/def
- 18. Adding Functions on fly Meterpreter > irb [*] Starting IRB shell [*] The ‘Client’ variable holds meterpreter client >> ?> client.railgun.known_dll_names => ["kernel32", "ntdll", "user32", "ws2_32", "iphlpapi", "advapi32", "shell32", "netapi32", "crypt32", "wlanapi"] unless client.railgun.known_dll_names.include? ‘NullCon ‘ print_status "Adding NullCon.dll" client.railgun.add_dll(‘NullCon','C:WINDOWSsystem32NullCon.dll') else print_status “NullCon DLL has already loaded.. skipping" end
- 20. Adding Functions on fly Meterpreter > irb [*] Starting IRB shell [*] The ‘Client’ variable holds meterpreter client >> client.railgun.add_funcution('netapi32', 'NetuserChangePassword', 'DWORD',[ ["pwchar", "domainname", "in"], ["pwchar", "username", "in"], ["pwchar", "oldpassword", "in"], ["pwchar", "newpassword", "in"]) = = > => #<Rex::Post::Meterpreter::Extensions::Stdapi::Railgun::DLLFunction:0x00000006d4fa70 @return_ me", "in"], ["PWCHAR", "oldpassword", "in"], ["PWCHAR", "newpassword", "in"]], @windows_name="N >> client.railgun.netapi32.NetUserChangePassword(‘nil’, “NullCon”, “NullCon”, “NullCon123”)
- 21. That’s all Client.railgun.user32.MessageBoxA(0, “That’s what in my slides to show”, “NullCon” , “MB_OK”) Chaitanyapentest@gmail.com