POST METASPLOITATION

Upload: egypt

Post on 14-Jan-2015

DESCRIPTION

Presented at Defcon 20

TRANSCRIPT

Page 1: Post Metasploitation

POST METASPLOITATION

egypt

WHY THIS TALK?

• Get more shells

• Get better shells

• Do more with them, faster

ASSUMPTIONS

• You’ve heard of Metasploit

• You’ve got a shell

• You have some goal that isn’t that shell

WHY METASPLOIT?

LARGE OPEN SOURCE COMMUNITY

POST MODULE DESIGN

Should be minimal

• Complexity is hard to debug and maintain

• Do one thing and do it well

– Resource scripts can automate multiple modules

POST MODULE DESIGN

Should be readable

• Consistent structure

• Consistent option names

• Consistent output

POST MODULE DESIGN

Should be reliable

• Detect relevant variables

• Never crash session/host if you can avoid it

• Clean up

POST MODULE DEVELOPMENT

Like Aux modules in many ways

• Define a run() method

• Optional setup(), cleanup() methods

• Have Actions

• Can include Exploit / Auxiliary mixins

• Should report something

POST MODULE STRUCTURE

METASPLOIT POST API

• DSL*-like interface for automating shells

• Abstracts out common stuff

• Platform-agnostic methods for

– Reading/writing binary files

– Running shell commands

– Listing users

*Domain Specific Language

POST-EXPLOITATION SECRET SAUCE

Presence

Persistence

Pivoting

[1]: I totally stole this from Mubix

PRESENCE

• Examine your environment

– Users

– Machine

• One issue here is getting an unfamiliar shell

– Never played on Solaris, what do you do?

WHAT USERS ARE/HAVE LOGGED IN?

PRESENCE - THE MACHINE

• What does this box do?

• What processes are running?

– AV, Tripwire

– ssh-agent, pageant

– Editors

– Database servers

• What does it talk to?

WHAT DOES THIS MACHINE TALK TO?

PERSISTENCE

• Passwords!

• Backdoors

• Re-introducing vulnerabilities

TEMPORARY PERSISTENCE

• Reverse http(s) payloads

• Doesn't survive reboot but useful for keeping shells when network is spotty

MORE PERMANENT OPTIONS

• Autoruns

– Drop an exe in the right place, maybe mod registry

– Simple, effective

• Task scheduler, cron, launchd

• Enable RDP

• Enable root login for ssh

PIVOTING

• Passwords!

• Privilege escalation

• Trust relationships

• Route, portfwd

• auxiliary/server/socks4a

• Explicit "comm" arg to Rex::Socket creation

POST-EXPLOITATION EXPLOITATION

• For when you absolutely, positively have to have root

– (and don’t mind the occasional kernel panic)

• We can kinda blur the line between local and remote here

$ -> #

• Just like with network exploitation, not always an exploit

• Passwords (sudo)

• Trust relationships (suid executables)

• Misconfiguration (all sorts of shit)

DEMO: MULTI/LOCAL/SETUID_NMAP

"Nmap should never be installed with special privileges (e.g. suid root) for security reasons."

DEMO: LINUX/LOCAL/SOCK_SENDPAGE

AKA Wunderbar Emporium

EXPLOIT::LOCAL

• Inherit from Exploit

– Provides payloads and handlers

– Create executables, etc

• Include Post mixins

– Provides session interaction

– Write files, manipulate registry, etc

COMPILING/ASSEMBLING WITH METASM

• Can compile C for x86/x86_64

• Can assemble x86, x86_64, mips, arm, ppc and more

TRUST RELATIONSHIPS

• Windows Authentication

– NTLM auth is relay-able

– Automatic domain auth

SMB RELAY

[Diagram: Victim, Attacker, Target; one step per slide]

• Victim begins NTLM authentication against the attacker

• Attacker begins NTLM auth against Target

• Target replies with 8-byte challenge

• Attacker sends Target's challenge to Victim

• Victim calculates challenge response and replies with final authentication packet

• Attacker logs into Target with Victim's credentials

SMB RELAY

• Well-known attack

• Some mitigations break it, but largely still useful and will be for a long time
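As an added illustration (not part of the talk), a small Python model of the six-step exchange above, showing why the relayed response is accepted and why one of the mitigations, message signing keyed from the password-derived key, breaks the relay. Names and passwords are constructed; the NT hash is modelled with SHA-256 instead of MD4 so the script runs on builds where MD4 is disabled.

```python
import hashlib
import hmac
import os

def nt_hash(password: str) -> bytes:
    # Stand-in for MD4(UTF-16LE(password)); assumption: SHA-256 so it runs where
    # MD4 is unavailable. Only the account owner and the domain hold this value.
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def ntlmv2_key(password: str, user: str, domain: str) -> bytes:
    # NTLMv2 key = HMAC-MD5(NT hash, UTF-16LE(upper(user) + domain))
    data = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash(password), data, "md5").digest()

def ntproof(v2key: bytes, challenge: bytes, blob: bytes) -> bytes:
    # NTProofStr = HMAC-MD5(NTLMv2 key, ServerChallenge || client blob)
    return hmac.new(v2key, challenge + blob, "md5").digest()

def session_key(v2key: bytes, proof: bytes) -> bytes:
    # Signing key; only a party holding v2key can derive it
    return hmac.new(v2key, proof, "md5").digest()

class Target:
    """Server holding the user's password-derived key; issues the 8-byte challenge."""
    def __init__(self, user, domain, password):
        self.v2key = ntlmv2_key(password, user, domain)
        self.challenge = os.urandom(8)
    def verify(self, blob: bytes, proof: bytes) -> bool:
        return hmac.compare_digest(ntproof(self.v2key, self.challenge, blob), proof)
    def verify_signed(self, proof: bytes, msg: bytes, mac: bytes) -> bool:
        expected = hmac.new(session_key(self.v2key, proof), msg, "md5").digest()
        return hmac.compare_digest(expected, mac)

class Victim:
    """Client that answers whatever challenge it is handed, as the slides describe."""
    def __init__(self, user, domain, password):
        self.v2key = ntlmv2_key(password, user, domain)
    def respond(self, challenge: bytes):
        blob = os.urandom(8)
        return blob, ntproof(self.v2key, challenge, blob)

def relay(victim: Victim, target: Target):
    """Relay steps from the slides: Target's challenge to Victim, Victim's answer to Target."""
    blob, proof = victim.respond(target.challenge)  # Victim answers Target's challenge
    logged_in = target.verify(blob, proof)          # Target accepts it: relay worked
    # If Target requires signing, the relay must MAC later messages. It never saw
    # v2key, so the best it holds is the proof value itself, which Target rejects.
    forged = hmac.new(proof, b"tree connect", "md5").digest()
    return logged_in, target.verify_signed(proof, b"tree connect", forged)
```

relay() returns (True, False) for matching credentials: the login is accepted, the signed follow-up is not.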

SMB RELAY + LNK FILE

• Drop LNK file (post/windows/escalate/droplnk)

• Setup a relay (exploit/windows/smb/smb_relay)

• Wait for an Admin to open that directory

[Diagram labels: Compromised Target, File Server, Victim; "Create LNK file"]

AUTOMATIC DOMAIN AUTH

• Windows stores creds in memory and does NTLM auth using your current token

• When you do something in the GUI that requires auth, it happens automatically using those creds

• If your user has Local Admin on another box, you can create/start services (usually)

SC_HANDLE WINAPI OpenSCManager(
  __in_opt LPCTSTR lpMachineName,
  __in_opt LPCTSTR lpDatabaseName,
  __in     DWORD   dwDesiredAccess
);

SC_HANDLE WINAPI CreateService(
  __in     SC_HANDLE hSCManager,
  __in     LPCTSTR   lpServiceName,
  __in_opt LPCTSTR   lpDisplayName,
  __in     DWORD     dwDesiredAccess,
  __in     DWORD     dwServiceType,
  __in     DWORD     dwStartType,
  __in     DWORD     dwErrorControl,
  __in_opt LPCTSTR   lpBinaryPathName,
  __in_opt LPCTSTR   lpLoadOrderGroup,
  __out_opt LPDWORD  lpdwTagId,
  __in_opt LPCTSTR   lpDependencies,
  __in_opt LPCTSTR   lpServiceStartName,
  __in_opt LPCTSTR   lpPassword
);

DEMO: OWNING DC USING DA TOKEN

Yay automatic authentication

CONCLUSIONS

• Metasploit is awesomesauce

• If it doesn't already do what you need, it's easy to add new modules

• Stick around for Dave's talk!

• Twitter: @egyp7

• IRC: #metasploit on FreeNode

QUESTIONS?
