Metasploit Railguns presentation @ tcs hyderabad
A.Chaitanya Krishna
Vivek Ramachandran (SecurityTube.net)
Bharath (Kiva Cyber securities)
My friends
Agenda
  Introduction to Metasploit Framework
  Keywords
  Introduction to Metasploit
  Meterpreter
  Enhancing Meterpreter using Railgun
  Adding Railgun functions and DLLs on the fly
  Demo
Buzz Words
  Vulnerability: a weakness that exists in a system and could be used to compromise it.
  Exploit: code that works against the vulnerability on the target system.
  Payload: the actual code that lets an attacker gain access after exploitation.
Metasploit Framework
  Widely used tool for developing exploits and testing vulnerabilities
  A buzzword in the security community
  Used for penetration testing
  IDS signature development
  Exploit development
Why opt for Metasploit
  Widely accepted tool for testing vulnerabilities
  Makes complex tasks easier
  Possesses a rich set of modules organized in a systematic manner
  Has regular updates
  Contains 1000+ exploits, 200+ payloads and 500+ auxiliary modules of different types
Meterpreter

meterpreter >
  It is the default go-to payload for Windows
  Provides an enhanced command shell for the attacker
  Consists of a default set of core commands
  Can be extended at runtime by shipping DLLs to the victim machine
  Provides a basic post-exploitation API
Working of Meterpreter
  Getting a Meterpreter shell goes through 3 stages:
  1. The attacker sends the exploit + stage 1 payload
  2. The attacker sends the DLL injection payload
  3. The Meterpreter DLL starts communication
Sample Scenario
  Backtrack (192.168.47.129) sends a combination of payload and exploit to Windows XP (192.168.47.128)
Why Railgun

meterpreter > irb
[*] Starting IRB shell
[*] The 'client' variable holds the meterpreter client
>>

  Meterpreter extension that allows an attacker to call into any DLL
  Allows arbitrary loading of DLLs
  Windows API DLLs live at known paths, so we can load them very easily
  Railgun gives us the flexibility and power to call arbitrary functions in DLLs on the victim's machine
Hello World DLLs
  The Windows operating system is known for its rich set of DLLs
  These include DLLs shipped with Windows as well as DLLs from installed applications
  They can be called on the fly from irb mode, or defined statically under
  /opt/metasploit/msf3/lib/rex/post/meterpreter/extensions/stdapi/railgun/def
Introduction to DLLs and Functions
  Not all functions are already defined for calling.
  We need to add our own DLL and function definitions to call them at runtime.
  The appropriate function must be defined for the particular DLL it lives in.

meterpreter > irb
[*] Starting IRB shell
[*] The 'client' variable holds the meterpreter client
>> client.railgun.user32.MessageBoxA(0, "Hello Null Hyderabad, Welcome to the meet", "NullCon", "MB_OK")
Anatomy of Functions
  Function name
  Function return type
  Array of parameters, each given as [type, name, direction]:
    In parameters are the arguments through which we pass input to the function
    Out parameters are full-fledged data pointers; their memory allocation is entirely managed by Railgun
Necessity of DLLs and Functions
  In the middle of a penetration test we need to call additional APIs to support our work.
  They can be added on the fly, or else we need to define them statically under
  /opt/metasploit/msf3/lib/rex/post/meterpreter/extensions/stdapi/railgun/def
Adding DLLs on the fly

meterpreter > irb
[*] Starting IRB shell
[*] The 'client' variable holds the meterpreter client
>> client.railgun.known_dll_names
=> ["kernel32", "ntdll", "user32", "ws2_32", "iphlpapi", "advapi32", "shell32", "netapi32", "crypt32", "wlanapi"]

>> unless client.railgun.known_dll_names.include?('NullCon')
     print_status("Adding NullCon.dll")
     # add_dll(name used inside Railgun, path of the DLL on the victim)
     client.railgun.add_dll('NullCon', 'C:\WINDOWS\system32\NullCon.dll')
   else
     print_status("NullCon DLL has already been loaded.. skipping")
   end
Adding Functions on the fly

meterpreter > irb
[*] Starting IRB shell
[*] The 'client' variable holds the meterpreter client
>> client.railgun.add_function('netapi32', 'NetUserChangePassword', 'DWORD', [
     ["pwchar", "domainname",  "in"],
     ["pwchar", "username",    "in"],
     ["pwchar", "oldpassword", "in"],
     ["pwchar", "newpassword", "in"]])
=> #<Rex::Post::Meterpreter::Extensions::Stdapi::Railgun::DLLFunction:0x00000006d4fa70 @return_... me", "in"], ["PWCHAR", "oldpassword", "in"], ["PWCHAR", "newpassword", "in"]], @windows_name="N...

>> client.railgun.netapi32.NetUserChangePassword(nil, "NullCon", "NullCon", "NullCon123")
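The Anatomy of Functions slide and the two irb sessions above (adding a DLL, then adding a function with its array of [type, name, direction] parameters) describe the definition format. The following Ruby model is an added example, not code from the slides or from Metasploit: it lets those definitions be checked offline, without a Meterpreter session. The class names RailgunModel, DllModel, FunctionDef and DefinitionError are assumptions of this model; the add_dll / add_function signatures follow Railgun's, ALLOWED_TYPES is modelled on Railgun's table of parameter types and directions, and the GetComputerNameA definition is my own, not one from Railgun's def files.

```ruby
# Added example (not from the slides or from Metasploit): an offline stand-in
# for the definition side of Railgun, so add_dll / add_function specs can be
# checked without a Meterpreter session. RailgunModel, DllModel, FunctionDef and
# DefinitionError are assumed names; ALLOWED_TYPES is modelled on Railgun's table.
ALLOWED_TYPES = {
  'VOID' => ['return'],
  'BOOL' => ['in', 'return'], 'DWORD' => ['in', 'return'], 'WORD' => ['in', 'return'],
  'BYTE' => ['in', 'return'], 'LONG' => ['in', 'return'], 'LPVOID' => ['in', 'return'],
  'HANDLE' => ['in', 'return'], 'SIZE_T' => ['in', 'return'],
  'PDWORD' => ['in', 'out', 'inout'], 'PWCHAR' => ['in', 'out', 'inout'],
  'PCHAR' => ['in', 'out', 'inout'], 'PBLOB' => ['in', 'out', 'inout']
}.freeze

class DefinitionError < StandardError; end

# Types are upper-cased (the slide output shows "pwchar" coming back as "PWCHAR");
# unknown types and directions a type cannot take are rejected.
def check_type(type, direction)
  t = type.to_s.upcase
  dirs = ALLOWED_TYPES[t]
  raise DefinitionError, "Type unknown: #{type}" unless dirs
  raise DefinitionError, "#{t} cannot be used as #{direction}" unless dirs.include?(direction)
  t
end

# One function definition, the "anatomy" from the slides: name, return type
# and an array of [type, name, direction] parameter triples.
FunctionDef = Struct.new(:windows_name, :return_type, :params, :calling_conv) do
  # What the caller passes per parameter: the value for in/inout, but only a
  # buffer length for out parameters, whose memory Railgun allocates itself.
  def caller_supplies
    params.map { |_, name, dir| dir == 'out' ? "#{name} (buffer length)" : name }
  end

  # Keys of the result hash: the return value plus every out/inout parameter.
  def result_keys
    ['return'] + params.reject { |_, _, dir| dir == 'in' }.map { |_, name, _| name }
  end
end

class DllModel
  attr_reader :windows_name, :functions

  def initialize(windows_name)
    @windows_name = windows_name
    @functions = {}
  end

  def add_function(function_name, return_type, params, windows_name = nil, calling_conv = 'stdcall')
    rtype = check_type(return_type, 'return')
    checked = params.map do |param|
      raise DefinitionError, 'each param must be a 3-element array' unless param.is_a?(Array) && param.size == 3
      [check_type(param[0], param[2]), param[1], param[2]]
    end
    @functions[function_name] = FunctionDef.new(windows_name || function_name, rtype, checked, calling_conv)
  end
end

class RailgunModel
  # The DLLs a fresh Railgun already knows, as listed on the slide.
  DEFAULT_DLLS = %w[kernel32 ntdll user32 ws2_32 iphlpapi advapi32 shell32 netapi32 crypt32 wlanapi].freeze

  def initialize
    @dlls = {}
    DEFAULT_DLLS.each { |name| add_dll(name) }
  end

  def known_dll_names
    @dlls.keys
  end

  # Register a DLL under dll_name; windows_name is its path on the victim.
  def add_dll(dll_name, windows_name = nil)
    @dlls[dll_name] = DllModel.new(windows_name || dll_name)
  end

  def add_function(dll_name, function_name, return_type, params, windows_name = nil, calling_conv = 'stdcall')
    dll = @dlls[dll_name]
    raise DefinitionError, "DLL #{dll_name} not found. Known DLLs: #{known_dll_names.join(', ')}" unless dll
    dll.add_function(function_name, return_type, params, windows_name, calling_conv)
  end
end

# The slide's definition, with its types in lower case exactly as on the slide.
def define_net_user_change_password(rg = RailgunModel.new)
  rg.add_function('netapi32', 'NetUserChangePassword', 'DWORD', [
    ['pwchar', 'domainname', 'in'], ['pwchar', 'username', 'in'],
    ['pwchar', 'oldpassword', 'in'], ['pwchar', 'newpassword', 'in']
  ])
end

# A definition with an out buffer and an inout size (my own definition of the
# Win32 GetComputerNameA, not taken from Railgun's def files).
def define_get_computer_name(rg = RailgunModel.new)
  rg.add_function('kernel32', 'GetComputerNameA', 'BOOL',
                  [['PCHAR', 'lpBuffer', 'out'], ['PDWORD', 'nSize', 'inout']])
end

# Message for a definition that fails validation, or nil when it is accepted.
def definition_error(dll_name, function_name, return_type, params)
  RailgunModel.new.add_function(dll_name, function_name, return_type, params)
  nil
rescue DefinitionError => e
  e.message
end
```

The same arrays would be passed unchanged to client.railgun.add_function in a live session; the lower-case "pwchar" from the slide is accepted because the types are upper-cased before checking, while a misspelt type or an unknown DLL name fails at definition time rather than at the first call. For GetComputerNameA the caller supplies only a buffer length for the out parameter lpBuffer, and the result hash carries lpBuffer and nSize back alongside the return value, which is the practical meaning of the in/out distinction on the anatomy slide.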
That's all

>> client.railgun.user32.MessageBoxA(0, "That's what in my slides to show", "NullCon", "MB_OK")

Chaitanyapentest@gmail.com
