![Page 1: Weaponizing the Windows API with Metasploit's Railgun](https://reader036.vdocument.in/reader036/viewer/2022081504/5586d651d8b42aed428b45a0/html5/thumbnails/1.jpg)
Weaponizing the Windows API with Metasploit's Railgun
Who is this guy?
Twitter & IRC: thelightcosine
Core Developer for Metasploit Pro
Community Contributor
Penetration Tester
Shoutouts
Rel1k, Mubix, Dookie2000ca, Corelanc0der, Todb, Egypt, HDM
“If you don’t think you’re a newb, then you’re not trying hard enough”
- HD Moore
Post-exploitation
Endless Possibilities
Meterpre-what?
Windows Meterpreter
Goto Payload for Windows
DLL, compiled C
Usually injected into process memory
Enhanced CMD shell
Provides basic post-exploitation API
Windows Meterpreter
Often run with SYSTEM Privs
Can be migrated into a user’s process
So what is Railgun?
Railgun
Railgun is an extension to the Meterpreter STDAPI
Allows Arbitrary Loading of DLLs
As long as you know the path of the DLL, you can access its functions
Railgun
Since Windows API DLLs are always at known paths, we can always load them
The Windows API
Dynamic access to the entirety of the Windows API on the system
By calling APIs from user processes, we can impersonate users
Anything becomes possible
Let’s talk about Railgun
A brief History of Railgun
June 2010 – Railgun submitted to Metasploit by Patrick HVE
Sept 2010 – 64bit support added by Stephen Fewer
Feb 2011 – Chao-mu takes over Railgun support, resumes new feature work
Fall 2011 – Chao-mu disappears
Aug 2012 – YOU start contributing to Railgun
Dec 2012 – Mayans predict Railgun-related Apocalypse?
How it works
LoadLibrary function opens a Handle to the DLL
GetProcAddress maps a function pointer to the specified function
Memread and Memwrite functions for manipulating memory space
On the C side
How it works
Ruby code lives in lib/rex/post/meterpreter/extensions/stdapi/railgun
User/module writer defines the DLL and the needed functions
Functions are then available as methods
Can define at runtime or use definition files
On the Ruby side
A look at Railgun Definitions
# Build a DLL definition and register the function so it becomes a method on the dll object
def self.create_dll(dll_path = 'advapi32')
  dll = DLL.new(dll_path, ApiConstants.manager)
  dll.add_function('CredEnumerateA', 'BOOL', [
    ['PCHAR', 'Filter', 'in'],
    ['DWORD', 'Flags', 'in'],
    ['PDWORD', 'Count', 'out'],
    ['PBLOB', 'Credentials', 'out']])
  dll
end
Anatomy of a Function
1. Function Name
2. Function Return Type
3. Array of Parameters
   1. Param type
   2. Param Name
   3. IN/OUT/INOUT Parameter
A word about constants
Railgun knows about Windows constants
They are defined in api_constants.rb in the railgun folder
Easy to add new constants as needed there
Supported Data Types
DWORD
If it quacks like a duck…
Pass as a Fixnum or Bignum
String representation of constants can also be passed in
PDWORD
Pointer to a DWORD
Pass a Fixnum
Pass the Content of the DWORD not the pointer
If it is an OUT only parameter, pass a 4 (size of a DWORD)
Pass nil for a NULL Pointer
PCHAR and PWCHAR
Pass as Ruby strings. Will be converted seamlessly
If OUT only, pass fixnum of the size of the buffer (including null byte)
Definition
dll.add_function( 'CryptAcquireContextW', 'BOOL',[
['PDWORD', 'phProv', 'out'],
['PWCHAR', 'pszContainer', 'in'],
['PWCHAR', 'pszProvider', 'in'],
['DWORD', 'dwProvType', 'in'],
['DWORD', 'dwflags', 'in']])
Usage
ms_enhanced_prov = "Microsoft Enhanced Cryptographic Provider v1.0"
prov_rsa_full = 1
crypt_verify_context = 0xF0000000
alg_md5 = 32771
alg_rc4 = 26625
advapi32 = client.railgun.advapi32
acquirecontext = advapi32.CryptAcquireContextW(4, nil, ms_enhanced_prov, prov_rsa_full, crypt_verify_context)
Used in the SmartFTP password Recovery Module
Bool
Pass in Ruby True/False values exactly as expected
Definition:
dll.add_function( 'IsDebuggerPresent', 'BOOL',[])
Usage:
>> client.railgun.kernel32.IsDebuggerPresent()
=> {"GetLastError"=>0, "return"=>false}
Bytes and Words
Handled the same as DWORDs, but Fixnums passed in will be truncated to the appropriate length
PBLOB
Anything that’s not a string or a DWORD
Treated as a ruby string
Railgun will not help you parse structures
Definition
dll.add_function( 'WlanGetProfile', 'DWORD',[
['DWORD', 'hClientHandle', 'in'],
['PBLOB', 'pInterfaceGuid', 'in'],
['PBLOB', 'strProfileName', 'in'],
['LPVOID', 'pReserved', 'in'],
['PDWORD', 'pstrProfileXML', 'out'],
['PDWORD', 'pdwFlags', 'inout'],
['PDWORD', 'pdwGrantedAccess', 'out']])
Usage
profile['name'] = @host_process.memory.read(ppointer,512)
ppointer = (ppointer + 516)
rprofile = @wlanapi.WlanGetProfile(wlan_handle,guid,profile['name'],nil,4,4,4)
Used in the wlan_profile post module
Faking unsupported Data Types
Pointers and Handles of any kind are really just numbers, so treat them as DWORDs
If it can be treated as a number it’s a DWORD
Otherwise it’s a PBLOB
If neither works, add support for it yourself =)
Dealing with Return Values
The function will return a hash
Hash will always contain at least GetLastError
Hash will return any OUT values
GetLastError
Will return 0 if there was no error
Otherwise will contain the windows system Error code encountered
Error codes can be looked up at http://msdn.microsoft.com/en-us/library/windows/desktop/ms681381(v=vs.85).aspx
Returned OUT Parameters
acquirecontext = advapi32.CryptAcquireContextW(4, nil, ms_enhanced_prov, prov_rsa_full, crypt_verify_context)
createhash = advapi32.CryptCreateHash(acquirecontext['phProv'], alg_md5, 0, 0, 4)
Tricky Situations
Complex structure types that you will have to parse yourself
Strings you don’t know the length of
Large number of string reads (SLOWWWW)
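An added example (not code from the slides or from the Metasploit source) of the structure parsing that the PBLOB slide and this one leave to you: it decodes a WLAN_PROFILE_INFO_LIST, the list the wlan_profile usage above walks with its 512-byte name read and 516-byte advance, from the raw bytes Railgun hands back. The layout (DWORD count, DWORD index, then entries of 16-byte GUID, WCHAR[256] name, DWORD flags) is assumed from the Win32 headers, and the GUID and profile names in the sample blob are constructed.

```ruby
PROFILE_INFO_SIZE = 16 + 512 + 4   # GUID + WCHAR[256] + DWORD dwFlags = 532 bytes

# Render a raw 16-byte GUID the way Windows prints it (Data1..Data3 are little-endian).
def guid_to_s(raw)
  d1, d2, d3, d4 = raw.unpack('Vvva8')
  format('{%08x-%04x-%04x-%s-%s}', d1, d2, d3,
         d4.byteslice(0, 2).unpack1('H*'), d4.byteslice(2, 6).unpack1('H*'))
end

# Decode a fixed-width, NUL-terminated WCHAR buffer into a UTF-8 Ruby string.
def wchar_to_s(raw)
  raw.dup.force_encoding(Encoding::UTF_16LE).encode(Encoding::UTF_8)[/\A[^\x00]*/]
end

# Walk the list: DWORD dwNumberOfItems, DWORD dwIndex, then dwNumberOfItems entries.
# Length checks matter because Railgun returns exactly the bytes you asked for, no more.
def parse_profile_list(blob)
  raise ArgumentError, 'blob too short for list header' if blob.bytesize < 8
  count, _index = blob.unpack('VV')
  needed = 8 + count * PROFILE_INFO_SIZE
  raise ArgumentError, "blob truncated: need #{needed}, got #{blob.bytesize}" if blob.bytesize < needed
  Array.new(count) do |i|
    entry = blob.byteslice(8 + i * PROFILE_INFO_SIZE, PROFILE_INFO_SIZE)
    { guid:  guid_to_s(entry.byteslice(0, 16)),
      name:  wchar_to_s(entry.byteslice(16, 512)),
      flags: entry.byteslice(528, 4).unpack1('V') }
  end
end

# Build one WLAN_PROFILE_INFO so the example has constructed input and runs offline.
def build_profile_info(guid_text, name, flags)
  p = guid_text.delete('{}').split('-')
  guid = [p[0].hex, p[1].hex, p[2].hex].pack('Vvv') + [p[3] + p[4]].pack('H*')
  guid + name.encode(Encoding::UTF_16LE).b.ljust(512, "\0") + [flags].pack('V')
end

# Constructed sample: two profiles on one interface (the GUID and names are made up).
SAMPLE_BLOB = [2, 0].pack('VV') +
  build_profile_info('{12345678-abcd-ef01-2345-6789abcdef01}', 'CorpWiFi', 0) +
  build_profile_info('{12345678-abcd-ef01-2345-6789abcdef01}', 'Guest', 1)

if __FILE__ == $PROGRAM_NAME
  parse_profile_list(SAMPLE_BLOB).each { |pr| puts "#{pr[:guid]} #{pr[:name]} flags=#{pr[:flags]}" }
end
```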
Tricks of the Trade
MSDN is your friend, use it!
Find examples of code that use the same calls
Write it in C first
Microsoft will help you own
things
Seriously…
They even give you tools!
So What? Why do we care about all this stuff?
What it means
Anything you can do with the windows API is available
Without increasing the size of the payload
Example Mayhem
Get the OS to Decrypt stored SmartFTP Passwords
Enumerate and decrypt stored RDP passwords
Scan for Wireless APs
Enumerate Domain controllers on the victim’s network
Demo time
Enough of these ugly slides
Let’s see it in action