1. New Shiny in the
Metasploit Framework
Derbycon 2015 Edition
1

2. James Lee
@egyp7
Metasploit Developer
Community Manager
# whoami
2

3. First some numbers
3

4. Rapid7 has 71 Public
Repositories
4

5. Repos You Probably Care About
metasploit-framework
metasploit-payloads
metasploit-omnibus
5

6. Repos You Might Find Interesting
6
github-connector
ssh-badkeys

7. 7

8. Over 1200
Pull Requests landed
8

9. Over 7500
commits
git log --since '2014-09-26' --oneline | wc -l
9

10. git log --since '2014-09-26' --format='%aE' | sort -u
Almost 200
unique authors
10

11. 11

12. 358
new modules
12

13. Modules
13

14. 20 Local Priv Escalation
14

15. Local exploit suggester
15

16. 16
exploit/unix/webapp/wp_admin_shell_upload

17. Anti-Virus Products
17

18. 18
auxiliary/gather/mcafee_epo_xxe

19. 19
exploit/linux/http/symantec_web_gateway_restore

20. 20
exploit/windows/browser/malwarebytes_update_exec

21. 21
js-beautifier
exploit/multi/fileformat/js_unpacker_eval_injection

22. Browser Exploitation
22

23. 21 browser exploits
23

24. 24

25. 25

26. 26

27. 27

28. SOHO Routers
28

29. 29

30. Credentials
30

31. Service
31
Cred
Cred
Cred
Old and Busted

32. Core
Private
Public
Realm
Blank Username
SNMP Community
NTLM Hash
SMB Domain
Postgres DB
Username
Password
SSH Key
Non-replayable Hash
32

33. Core
Service
33
Login
Login
Login Service

34. Java Serialization
34

35. Java Serialization with RMI, JMX
35
auxiliary/gather/java_rmi_registry
exploits/multi/misc/java_jmx_server
exploits/multi/misc/java_rmi_server

36. SMB
36

37. Kerberos
Partial implementation
● Enough to exploit MS14-068
37

38. SMB Server
38
Partial implementation
● Serve a single file
● Enough to exploit most DLL hijacks

39. Payload Improvements
39

40. Interactive Powershell
Can upgrade to meterpreter
Mostly compatible with existing Post API
Powershell Session Type
40

41. Unicode support
Meterpreter handles unicode in filesystems
● Still have to have support in your terminal
41

42. UUID Tracking
Embed Universally Unique ID in payloads
● Makes a payload identifiable
● Track which EXE got this session
Generate unique machine ID for each session
● Makes a machine identifiable
● Track whether we’ve popped this box before
42

43. Paranoid Mode
Set a real TLS cert for payload handlers
● Verify it from Meterpreter side
● Bail if we’re being MitM’d
Whitelist UUIDs in the handler
● Don’t start sessions for
things that aren’t a payload
43

44. Meterpreter Transport Reliability
44

45. Runtime Transport Control
reverse_tcp vs reverse_http vs reverse_https
Bind
● tcp://:8000/
IPv6
● tcp6://fe80::82e6:50ff:fe08:2e50:8000?en0
HTTP(S)
● https://1.2.3.4/<generated URI>
45

46. Configurable timeouts
● Session
● Communication
● Retry total
● Retry wait
46

47. Stageless Meterpreter
Skip staging and put
everything in one
payload
47

48. 48

49. NTDS.dit
Domain controllers store accounts
Multi-GB file for large orgs
Downloading giant files sucks
49

50. NTDS.dit Solution
50
windows/gather/credentials/domain_hashdump
Uses a C extension to parse on target
Send back a few at a time

51. Infrastructure
51

52. Ruby 2.1.6
52

53. 53

54. 54
Omnibus

55. Random
55

56. 56
Removed Replacement
msfpayload
msfvenom
msfencode
msfcli msfconsole

57. Workspace in Your Prompt
57

58. Tab-completing LHOST
58

59. Questions?
59

60. Images Returned in
Google results for this
Presentation
60

62. 62

63. 63

64. 64

65. 65

66. 66

67. 67