Open Source Cyber Weaponry
HD Moore, Rapid7/Metasploit
introduction
Chief Security Officer
Founder & Chief Architect
background
Perspective
• 15 years of software development
• 12 years of penetration testing
• Involved in OSS since 1995
• Ex-USAF contractor
1999
Military contracting circa 1999
• Ultra-secretive and ultra-competitive
• Teams furiously reinventing wheels
• Open source was still “sketchy”
• Little code sharing
1999
Security tools circa 1999
• Vulnerability scanning was still edgy
• Penetration testing 100% manual
• Offensive tools in their infancy
• No comprehensive exploit toolkits
• Teams hoarded modified public code
1999
“Cyber Weapons” circa 1999
• Shatter-your-drive-remotely stuff
• Scary words and half-truths
• Focused on DE, EMPs, etc.
boom
today
Military contracting today
• Still ultra-secretive and ultra-competitive
• Still reinventing well-defined wheels
• Offense is becoming acceptable
• More use of open-source code
• Better informed customers
today
Security tools today
• Vulnerability scanning is well understood
• Penetration test automation is growing
• Tons of commercial and OSS tools
• Exploit code has been productized
• Wide array of niche tools
today
“Cyber Weapons” today
• Term usually reserved for offensive tools
• Tons of contractors working on these
• Similar requirements to commercial
• No longer far from reality
cyber weapons
Offensive cyber tools
• Common goals
• Permissions and accountability
• Usable by lightly-trained staff
• Great attack visualization
• Multiple tool integration
• Modular design
• Non-commercial projects exist (NETT)
• Integration with defense is important
cyber weapons
Offensive components
• Reconnaissance
• Attack Vectors
• Payloads
• Control
• Data
cyber weapons
The “cyber” sniff test
• How portable is the target-facing software?
• How do they add new exploit vectors?
• How much is written in Java?
• How big is their exploit team?
• How big is their payload team?
• How do they handle stealth?
• Who are their security experts?
• Does it work on real networks?
• What targets are supported?
• What OSS does it use?
cyber weapons
The Open Source requirement
• Costs scale poorly with commercial deps
• OSS security tools adapt faster
• OSS provides transparency
• OSS tools set a minimum bar
cyber weapons
Open Source components
• Nmap for host & service detection
• Snort or Suricata for traffic analysis
• Metasploit for exploits and payloads
• DRADIS for notes and reporting
• Linux, PostgreSQL, Apache
• Ruby, Perl, Python, PHP
metasploit
The Metasploit Framework
• Created in the summer of 2003
• An exploit development platform
• Licensed under New BSD
• Popular and gigantic
  • Over 450,000 lines of code
  • Over 100,000 users/mo
  • ~600 exploit modules
  • ~200 payloads
metasploit architecture
(Architecture diagram; labels recovered from the slide.)
• Libraries: Rex, MSF Core, MSF Base
• Modules: Payloads, Exploits, Encoders, Nops, Aux
• Interfaces: Console, CLI, RPC, GUI
• Plugins
• Tools
metasploit
Lego, for network attacks
• Choose a specific exploit module
• Choose a compatible payload
• Configure options
• Launch!
metasploit
(msfconsole startup banner; the ASCII-art logo did not survive extraction and is omitted.)

```
=[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 578 exploits - 296 auxiliary
+ -- --=[ 212 payloads - 27 encoders - 8 nops
=[ svn r9949 updated today (2010.08.03)
msf >
```
metasploit
Advantages of a modular design
• Extend framework with proprietary modules
• Use your payloads with our exploits
• Use our payloads with your exploits
• Split work by classification level
metasploit
Automation with Metasploit
• Create resource scripts with embedded Ruby
• Create console plugins to add commands
• Create new modules to drive a process
• Call Ruby directly from the console prompt
• Talk to the built-in XMLRPC daemon
metasploit
Platform requirements
• Any recent Windows, BSD, or Linux
• Ruby 1.8.7+ (including 1.9.x)
• OpenSSL
metasploit
Exploit coverage
• Linux (x86, ARM, MIPS, PowerPC)
• Windows (x86, x64)
• OS X (ARM, PowerPC, x86)
• Solaris (x86, SPARC)
• AIX (PowerPC)
• IRIX (MIPS)
• Java
• PHP
metasploit
Payload features
• The Meterpreter (Win32, PHP, Java)
• Encrypted control channels
• Extensible at runtime
• Full OS control
• Scriptable
• Staged and unstaged command shells
• Ruby-based C / ASM compiler
• Post-exploitation scripting
metasploit
Additional modules
• Over 200 modules for information gathering
• Scan large networks for data leaks
• Exploit logic bugs for access
• Capture data from clients
• Find new flaws
metasploit
Database support
• Automatically store all gathered data
• Track all events (commands, sessions)
• Easily build reports from this data
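The database slide says every gathered artifact and event (commands, sessions) is stored and that reports are built from that data; the earlier "Permissions and accountability" goal is what such a report serves. The following is an added example, not code from the slides or from the Metasploit project: a stand-alone Ruby script that rebuilds session lifetimes from a constructed set of event records shaped like rows of Metasploit's events table and produces a per-operator accountability summary. The event names (session_open, session_command, session_close, module_run) are assumed to match what the framework records; the hosts, usernames, session ids and timestamps are made up. It also flags the two integrity gaps a reviewer of such a log would check for: sessions that were never closed and commands logged against a session that was never opened.

```ruby
require 'time'

# Constructed sample of event records shaped like rows of Metasploit's
# events table (name, created_at, host, username, info). Hosts, users and
# times are made up; the event names are assumed to match the ones the
# framework records for session and module activity.
SAMPLE_EVENTS = [
  { name: 'module_run',      at: '2010-08-03T10:00:00Z', host: '192.0.2.10', user: 'alice',
    info: { module: 'placeholder/module/name' } },
  { name: 'session_open',    at: '2010-08-03T10:00:05Z', host: '192.0.2.10', user: 'alice',
    info: { session_id: 1, type: 'meterpreter' } },
  { name: 'session_command', at: '2010-08-03T10:01:00Z', host: '192.0.2.10', user: 'alice',
    info: { session_id: 1, command: 'sysinfo' } },
  { name: 'session_command', at: '2010-08-03T10:02:30Z', host: '192.0.2.10', user: 'alice',
    info: { session_id: 1, command: 'getuid' } },
  { name: 'session_close',   at: '2010-08-03T10:05:00Z', host: '192.0.2.10', user: 'alice',
    info: { session_id: 1 } },
  { name: 'session_open',    at: '2010-08-03T11:00:00Z', host: '192.0.2.20', user: 'bob',
    info: { session_id: 2, type: 'shell' } },
  { name: 'session_command', at: '2010-08-03T11:00:20Z', host: '192.0.2.20', user: 'bob',
    info: { session_id: 2, command: 'whoami' } },
  # Session 2 is never closed, and the command below names a session id
  # that was never opened: both are deliberate gaps for the report to flag.
  { name: 'session_command', at: '2010-08-03T11:30:00Z', host: '192.0.2.30', user: 'bob',
    info: { session_id: 9, command: 'id' } }
].freeze

Session = Struct.new(:id, :host, :user, :type, :opened_at, :closed_at, :commands)

# Replay the events in time order and rebuild each session's lifetime and
# command history. Commands that arrive for an unknown or already closed
# session are returned separately as orphans. Events without a session id
# (module_run here) fall through the case statement untouched.
def build_sessions(events)
  sessions = {}
  orphans = []
  events.sort_by { |e| e[:at] }.each do |e|
    sid = e[:info][:session_id]
    case e[:name]
    when 'session_open'
      sessions[sid] = Session.new(sid, e[:host], e[:user], e[:info][:type],
                                  Time.iso8601(e[:at]), nil, [])
    when 'session_command'
      s = sessions[sid]
      if s.nil? || s.closed_at
        orphans << e
      else
        s.commands << [Time.iso8601(e[:at]), e[:info][:command]]
      end
    when 'session_close'
      sessions[sid].closed_at = Time.iso8601(e[:at]) if sessions[sid]
    end
  end
  [sessions.values, orphans]
end

# Per-operator totals plus the two integrity findings.
def accountability_report(events)
  sessions, orphans = build_sessions(events)
  per_user = Hash.new { |h, k| h[k] = { sessions: 0, commands: 0, hosts: [] } }
  sessions.each do |s|
    u = per_user[s.user]
    u[:sessions] += 1
    u[:commands] += s.commands.size
    u[:hosts] |= [s.host]
  end
  {
    per_user: per_user,
    dangling: sessions.reject(&:closed_at).map(&:id),
    orphans: orphans.map { |e| [e[:info][:session_id], e[:info][:command]] }
  }
end

# Render the report as plain text lines, one per operator plus findings.
def format_report(report)
  lines = []
  report[:per_user].each do |user, t|
    lines << format('%-8s sessions=%d commands=%d hosts=%s',
                    user, t[:sessions], t[:commands], t[:hosts].join(','))
  end
  lines << "dangling sessions (never closed): #{report[:dangling].join(', ')}"
  report[:orphans].each do |sid, cmd|
    lines << "orphan command on session #{sid}: #{cmd}"
  end
  lines
end

puts format_report(accountability_report(SAMPLE_EVENTS)) if $PROGRAM_NAME == __FILE__
```

Against a real export the same replay works on rows pulled from the events table; the point of the two findings is that a log of operator activity is only an accountability record if every command can be tied to a session that was opened, by whom, and when it ended.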
metasploit capabilities
Stealth and evasion
• Exploits and payloads are randomized
• Exploits use custom protocol stacks
  • Low-level SMB, HTTP, RPC control
  • Timing and fragment evasion
• Payloads never write to the disk
• Limited forensic footprint
• Simple to control
metasploit capabilities
Full support for IPv6
• Complete socket support and payloads
• Great for compromising link-local IPs
• Works great with real IPv6 links
metasploit capabilities
Infinitely customizable
• Ruby lends itself to a flexible object model
• Modify any code via loadable plugins
• Override specific libraries
metasploit capabilities
Instant remote desktop hijack
• Use the “vncinject” payload with any exploit
• Instantly gain desktop access to the target
• Even on logged-off systems
metasploit capabilities
Relay attacks through targets
• Use the “meterpreter” payload type
• Launch the exploit, gain a session
• Set a route for the target’s network
• Launch exploits from the first target
• Working with Windows, PHP, Java
metasploit capabilities
Dump and pass Windows hashes
• Dump the hashes from a Win32 target
• Use any hash as the SMB password
• Provides “psexec” to other targets
• Uses our custom SMB protocol stack
metasploit capabilities
Search for and acquire evidence
• Meterpreter scripts for find & download
• Gather passwords and sensitive docs
• Works for all Meterpreter platforms
metasploit capabilities
Interact with targeted users
• Determine whether the user is idle
• Install a hotkey hook inside of Winlogon
• Force lock the user’s desktop
• Read the captured password
metasploit express
Metasploit Express
• Commercial product from Rapid7
• Not a fork, but a direct extension
• Built by the same core team
• Pays for OSS development
• Uses the open APIs
metasploit examples
Mined the public NTP servers
• Discovered over 21m NTP client systems
• Resulted in a great map of infrastructure
• Identified a potential 20Gbps DDoS risk
• A single Metasploit module + console
metasploit examples
Scanned 3.1 billion IPs
• Identifying vulnerable VxWorks devices
• Resulted in a 100+ vendor CERT advisory
• Also, a single Metasploit module
• Took 3 days and $19
summary
Cyber is what you make of it
• Most of the parts exist in OSS
• Metasploit is easy to build on
• Free to use, free to extend