Metasploit vSploit Modules
Marcus J. Carey
David “bannedit” Rude
Will Vandevanter

Outline
• Objective of vSploit Modules
• Metasploit Framework architecture
• What are Metasploit modules?
• vSploit modules
• vSploit and Intrusion Kill Chains
• Writing Metasploit Modules
• Live Demo

Metasploit overview
• Metasploit Project founded in 2003
• Open source penetration testing platform with over 1 million downloads in the past year
• Acquired by Rapid7 in 2009
• HD Moore joined Rapid7 as Chief Security Officer and Chief Architect of Metasploit
• Rapid7 remains committed to the Community
• Metasploit Framework is the foundation for the commercial editions Metasploit Express and Metasploit Pro

Metasploit Framework Architecture
[Diagram]
• Libraries: Rex, MSF Core, MSF Base
• Interfaces: Console, CLI, RPC, GUI & Armitage
• Modules: Exploit, Payload, Encoder, NOP, Auxiliary
• Tools
• Plugins

What are Metasploit Modules?
• More than just exploits
• Payloads – the “arbitrary code” you hear about in advisories
• Encoders – add entropy to payloads, remove bad characters
• NOP – create sophisticated nopsleds
• Auxiliary – Like an exploit module but without a payload
– Underappreciated

Which would you pick for a training drill?
Live Ammo? Or Paint Balls?
Live Ammo = Live Exploits; Paint Balls = vSploit Modules

Introducing: vSploit Modules
• New spin on auxiliary modules
– Focus on attack response emulation
– Not intended for exploitation
– Continues with Metasploit roots as a security testing and validation framework
– Allows organizations to understand their current security investment
• Stand-alone compatibility
– No exploitation used
– Possible to remove exploit modules if necessary in some environments

vSploit: Purpose
• Evaluate devices on their own merit
• Minimal traffic evasion
• Trigger alerts on purpose
• Ensure proper network device placement
• Test and train security staff
• Test security architecture without exploits

vSploit: Interesting Traffic
• Many network-based security offerings monitor network traffic for behavior
• Many devices are signature based
• Need to be placed properly on the network to see interesting traffic
• Good test cases are hard to emulate

vSploit: Network Traffic Device
• IDS
• IPS
• DLP
• Firewalls
• Network Intelligence Devices

Security Monitoring
• ESIM
• Netflow collectors
• Other log correlation devices (i.e. Splunk)
• Network-based vulnerability analysis devices

IDS/IPS
• Signature-based
• Looks for known suspicious traffic
• SQL injections
• Attack responses
• Alert on suspicious behavior

Data Loss Prevention (Network Based)
• Similar to IDS
• Concerned with data leakage
• Personally Identifiable Information (PII)
– Social security numbers
– Payment information
• Protected Health Information (PHI)
– Medical records
• PCI-related data
– Credit card numbers
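
The content check a network DLP sensor applies to the data types listed above, as an added example that is not part of the original slides or of vSploit. The helper names are hypothetical and the sample HTTP body is constructed test data.

```ruby
# Added example: a minimal network-DLP style content check (not vSploit code).
# Hypothetical helper names; the sample HTTP body below is constructed test data.

# Luhn checksum: separates plausible card numbers from random digit runs.
def luhn_valid?(digits)
  sum = digits.reverse.each_char.each_with_index.map do |ch, i|
    d = ch.to_i
    d *= 2 if i.odd?          # double every second digit, counting from the right
    d > 9 ? d - 9 : d
  end.sum
  (sum % 10).zero?
end

# SSN-shaped values, rejecting area/group/serial ranges that are never issued.
SSN_RE = /\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b/
# 13 to 16 digits, optionally separated by single spaces or dashes.
PAN_RE = /\b\d(?:[ -]?\d){12,15}\b/

# Returns one finding per match; card numbers are reported by last four digits only.
def scan_for_pii(body)
  findings = []
  body.scan(SSN_RE) { findings << { type: :ssn, offset: Regexp.last_match.begin(0) } }
  body.scan(PAN_RE) do
    m = Regexp.last_match
    digits = m[0].delete(' -')
    next unless luhn_valid?(digits)
    findings << { type: :pan, offset: m.begin(0), last4: digits[-4, 4] }
  end
  findings
end

# Constructed sample: row 1 should alert twice, row 2 should not alert at all.
SAMPLE_BODY = <<~HTML
  <tr><td>Jane Doe</td><td>078-05-1120</td><td>4111 1111 1111 1111</td></tr>
  <tr><td>Order ref</td><td>000-12-3456</td><td>1234 5678 9012 3456</td></tr>
HTML

scan_for_pii(SAMPLE_BODY).each { |f| puts f.inspect }
```

The second row shows why pattern matching alone is not enough: both values have the right shape, but the SSN area is never issued and the digit run fails the Luhn check.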

Enterprise Security Information Management (ESIM)
• Collects system logs
• Significant capital investment
• Provides correlation
• Provides reporting
• Key to most security operations efforts

vSploit: Interesting Traffic
[Diagram: Client, Network Traffic Analysis Device, and MSF on the network]
• Client Sends Request for Interesting Traffic and Designated Port
• MSF #1 Sends Signature Matching String

vSploit: Simulating Malicious DNS Queries
[Diagram: MSF, DNS Server, ESIM]
• Metasploit sends out DNS queries to the internal DNS, i.e. Domain Controller: foo.ru, foo.cn, foo.kp
• ESIM: Logs
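
The ESIM side of the DNS test above, as an added example that is not part of the original slides or of vSploit: a check over DNS query logs that should fire when the simulated queries reach the internal DNS server. The log format, field names and helper names are assumptions, and the log lines are constructed.

```ruby
# Added example: ESIM-style check over DNS query logs (not vSploit code).
# The log format, field order and watchlist are assumptions; log lines are constructed.

WATCHED_TLDS = %w[ru cn kp].freeze # TLDs from the slide's foo.ru / foo.cn / foo.kp

LINE_RE = /\A(?<ts>\S+) client=(?<client>\S+) qtype=(?<qtype>\S+) qname=(?<qname>\S+)\z/

# Rightmost label of a query name, lower-cased, ignoring a trailing root dot.
def tld_of(qname)
  qname.downcase.chomp('.').split('.').last
end

# Groups watchlisted lookups by client so one alert covers a burst of queries.
def flag_dns_queries(lines, watched = WATCHED_TLDS)
  hits = Hash.new { |h, k| h[k] = [] }
  lines.each do |line|
    m = LINE_RE.match(line.strip) or next # skip lines that do not parse
    next unless watched.include?(tld_of(m[:qname]))
    hits[m[:client]] << m[:qname].downcase.chomp('.')
  end
  hits
end

# Constructed sample: one client issues the three test queries, another is benign.
SAMPLE_LOG = <<~LOG.lines
  2011-08-01T10:00:01Z client=10.0.0.23 qtype=A qname=foo.ru
  2011-08-01T10:00:01Z client=10.0.0.23 qtype=A qname=FOO.CN.
  2011-08-01T10:00:02Z client=10.0.0.23 qtype=A qname=foo.kp
  2011-08-01T10:00:05Z client=10.0.0.40 qtype=A qname=foo.ru.example.com
  2011-08-01T10:00:09Z client=10.0.0.40 qtype=MX qname=example.org
  malformed line
LOG

flag_dns_queries(SAMPLE_LOG).each do |client, names|
  puts "ALERT #{client}: #{names.size} lookups under watched TLDs (#{names.join(', ')})"
end
```

If the test queries are sent and no such alert appears, the gap is in log collection or sensor placement rather than in the rule itself.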

Intrusion Kill Chains

Kill Chain – Course of Action Matrix

| Phase | Detect | Deny | Disrupt | Degrade | Deceive | Destroy |
|---|---|---|---|---|---|---|
| Reconnaissance | Web Analytics | Firewall ACL | | | | |
| Weaponization | NIDS | NIPS | | | | |
| Delivery | Vigilant user | Proxy Filter | In-line AV | Queuing | | |
| Exploitation | HIDS | Patch | DEP | | | |
| Installation | HIDS | *chroot* jail | AV | | | |
| C2 | NIDS | Firewall ACL | NIPS | Tarpit | DNS redirect | |
| Actions on Objectives | Audit log | | | Quality of Service | Honeypot | |

Source: Hutchins, Cloppert, Amin – Lockheed Martin

vSploit Testing Detection Capabilities

| Phase | Detect | Deny | Disrupt | Degrade | Deceive | Destroy |
|---|---|---|---|---|---|---|
| Reconnaissance | Web Analytics | Firewall ACL | | | | |
| Weaponization | NIDS | NIPS | | | | |
| Delivery | Vigilant user | Proxy Filter | In-line AV | Queuing | | |
| Exploitation | HIDS | Patch | DEP | | | |
| Installation | HIDS | *chroot* jail | AV | | | |
| C2 | NIDS | Firewall ACL | NIPS | Tarpit | DNS redirect | |
| Actions on Objectives | Audit log | | | Quality of Service | Honeypot | |

Source: Hutchins, Cloppert, Amin – Lockheed Martin
Unable to perform tests in red.

vSploit Modules Screen Shots
vSploit: Web PII Module - Configuration
vSploit Web PII Module - In Action
vSploit: HTTP File Download Server
vSploit Web Beaconing - Configuration
vSploit: Web Beaconing – In Action
vSploit: DNS Beaconing – Wireshark Analysis
vSploit: Vulnerable Headers
vSploit: Vulnerable Headers PCAP

Writing Metasploit Modules

Where to Learn Ruby
• http://pine.fm/LearnToProgram/
• The Little Book of Ruby
• Humble Little Book of Ruby
• Metasploit Repository Documentation http://r-7.co/iNmOBt

Auxiliary Module Basics
Auxiliary Module: Code can be simple
Using IRB in Metasploit
Exploit Written in Python
Same Exploit in Metasploit

Where to put it…
• Official modules live in msf3/modules/
– Subdirectories organized by module type (exploit/, auxiliary/, post/, …)
• ~/.msf3/modules/ has same structure, loaded at startup if it exists
• ~/.msf3/modules/auxiliary/vsploit is the location for vSploit modules

Quick demos

vSploit Documentation
• vSploit documentation in Rapid7 Community
– https://community.rapid7.com

Questions?
@iFail
Marcus J. Carey
@msfbannedit
David “bannedit” Rude
@willis__ <- two underscores
Will Vandevanter