3. background
Perspective
• 15 years of software development
• 12 years of penetration testing
• Involved in OSS since 1995
• Ex-USAF contractor
4. 1999
Military contracting circa 1999
• Ultra-secretive and ultra-competitive
• Teams furiously reinventing wheels
• Open source was still “sketchy”
• Little code sharing
5. 1999
Security tools circa 1999
• Vulnerability scanning was still edgy
• Penetration testing 100% manual
• Offensive tools in their infancy
• No comprehensive exploit toolkits
• Teams hoarded modified public code
6. 1999
“Cyber Weapons” circa 1999
• Shatter-your-drive-remotely stuff
• Scary words and half-truths
• Focused on DE, EMPs, etc.
8. today
Military contracting today
• Still ultra-secretive and ultra-competitive
• Still reinventing well-defined wheels
• Offense is becoming acceptable
• More use of open-source code
• Better informed customers
9. today
Security tools today
• Vulnerability scanning is well understood
• Penetration test automation is growing
• Tons of commercial and OSS tools
• Exploit code has been productized
• Wide array of niche tools
10. today
“Cyber Weapons” today
• Term usually reserved for offensive tools
• Tons of contractors working on these
• Similar requirements to commercial
• No longer far from reality
11. cyber weapons
Offensive cyber tools
• Common goals
• Permissions and accountability
• Usable by lightly-trained staff
• Great attack visualization
• Multiple tool integration
• Modular design
• Non-commercial projects exist (NETT)
• Integration with defense is important
13. cyber weapons
The “cyber” sniff test
• How portable is the target-facing software?
• How do they add new exploit vectors?
• How much is written in Java?
• How big is their exploit team?
• How big is their payload team?
• How do they handle stealth?
• Who are their security experts?
• Does it work on real networks?
• What targets are supported?
• What OSS does it use?
14. cyber weapons
The Open Source requirement
• Costs scale poorly with commercial deps
• OSS security tools adapt faster
• OSS provides transparency
• OSS tools set a minimum bar
15. cyber weapons
Open Source components
• Nmap for host & service detection
• Snort or Suricata for traffic analysis
• Metasploit for exploits and payloads
• DRADIS for notes and reporting
• Linux, PostgreSQL, Apache
• Ruby, Perl, Python, PHP
16. metasploit
The Metasploit Framework
• Created in the summer of 2003
• An exploit development platform
• Licensed under New BSD
• Popular and gigantic
• Over 450,000 lines of code
• Over 100,000 users/mo
• ~600 exploit modules
• ~200 payloads
17. metasploit architecture
Architecture diagram (text rendering of the slide layout)
• LIBRARIES: Rex, MSF Core, MSF Base
• INTERFACES: Console, CLI, RPC, GUI
• TOOLS and PLUGINS sit on top of the libraries
• MODULES: Payloads, Exploits, Encoders, Nops, Aux
18. metasploit
Lego, for network attacks
• Choose a specific exploit module
• Choose a compatible payload
• Configure options
• Launch!
20. metasploit
Advantages of a modular design
• Extend framework with proprietary modules
• Use your payloads with our exploits
• Use our payloads with your exploits
• Split work by classification level
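The "Lego" workflow on the previous slide and the modular design above both rest on one rule: a payload can only be plugged into an exploit when its platform and architecture match the chosen target and it fits in the space the exploit has for it. The Ruby below is an added example that models that selection step; it is not Metasploit's own code (the real check lives inside the framework), and the exploit name, target list and payload sizes are constructed for illustration, while the payload names only follow the framework's naming convention.

```ruby
# Added example, not Metasploit code: a minimal model of "choose a compatible
# payload". Rule modelled: target platforms and arches must intersect the
# payload's, and the payload must fit in the exploit's available space.
Target  = Struct.new(:name, :platforms, :arches)
Exploit = Struct.new(:name, :targets, :space)          # space: max payload bytes
Payload = Struct.new(:name, :platforms, :arches, :size)

def compatible?(exploit, target, payload)
  same_platform = (target.platforms & payload.platforms).any?
  same_arch     = (target.arches & payload.arches).any?
  fits          = payload.size <= exploit.space
  same_platform && same_arch && fits
end

# Names of every payload that can be plugged into this exploit/target pair.
def compatible_payloads(exploit, target, payloads)
  payloads.select { |p| compatible?(exploit, target, p) }.map(&:name)
end

# The four slide steps in one call: pick exploit target, pick payload, set
# options, and refuse to "launch" an incompatible combination.
def launch_plan(exploit, target_name, payload_name, payloads, options)
  target  = exploit.targets.find { |t| t.name == target_name } or
            raise ArgumentError, "unknown target #{target_name}"
  payload = payloads.find { |p| p.name == payload_name } or
            raise ArgumentError, "unknown payload #{payload_name}"
  raise ArgumentError, "#{payload.name} is not compatible with #{target.name}" unless
    compatible?(exploit, target, payload)
  { exploit: exploit.name, target: target.name, payload: payload.name, options: options }
end

# Constructed catalogue (sizes and the exploit are made up for the example).
EXPLOIT = Exploit.new("exploit/example/demo_service",
  [Target.new("Windows x86", ["windows"], ["x86"]),
   Target.new("Linux x64",   ["linux"],   ["x64"])],
  400)

PAYLOADS = [
  Payload.new("windows/shell_reverse_tcp",       ["windows"],          ["x86"],        350),
  Payload.new("windows/meterpreter/reverse_tcp", ["windows"],          ["x86"],        290),
  Payload.new("windows/x64/shell_reverse_tcp",   ["windows"],          ["x64"],        450),
  Payload.new("linux/x64/shell_reverse_tcp",     ["linux"],            ["x64"],        100),
  Payload.new("generic/shell_reverse_tcp",       ["windows", "linux"], ["x86", "x64"], 600),
]

if __FILE__ == $0
  EXPLOIT.targets.each do |t|
    puts "#{t.name}: #{compatible_payloads(EXPLOIT, t, PAYLOADS).join(', ')}"
  end
end
```

The generic payload is rejected for both targets despite matching every platform and architecture, because it is larger than the exploit's space; that size check is why "compatible" in the framework means more than "same OS".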
21. metasploit
Automation with Metasploit
• Create resource scripts with embedded Ruby
• Create console plugins to add commands
• Create new modules to drive a process
• Call Ruby directly from the console prompt
• Talk to the built-in XMLRPC daemon
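The first automation option, resource scripts with embedded Ruby, is a small text format: one console command per line, with any `<ruby> ... </ruby>` block evaluated as Ruby in the context of the console driver, so that `run_single("...")` inside the block issues commands dynamically. The reader below is an added example, not Metasploit's own loader: it parses that format and executes it against a stub driver that only records commands (the real driver would run them), and the sample script and host addresses are constructed.

```ruby
# Added example, not Metasploit code: a minimal reader for the msfconsole
# resource-script format. Plain lines are console commands; a <ruby> block is
# evaluated with the driver as self, so run_single(...) issues commands.
class StubDriver
  attr_reader :log
  def initialize; @log = []; end
  # Stand-in for the console driver's run_single: just record the command.
  def run_single(cmd); @log << cmd.strip; end
end

# Split script text into [:command, "..."] and [:ruby, "..."] segments.
def parse_resource(text)
  segments = []
  buf = nil                                   # non-nil while inside <ruby>
  text.each_line do |line|
    if buf
      if line.strip == "</ruby>"
        segments << [:ruby, buf]
        buf = nil
      else
        buf << line
      end
    elsif line.strip == "<ruby>"
      buf = +""
    else
      cmd = line.strip
      next if cmd.empty? || cmd.start_with?("#")   # blank lines and comments
      segments << [:command, cmd]
    end
  end
  raise ArgumentError, "unterminated <ruby> block" if buf
  segments
end

# Run the script: commands go to the driver, Ruby blocks run with the driver
# as self (the same mechanism that lets embedded Ruby call run_single).
def run_resource(text, driver = StubDriver.new)
  parse_resource(text).each do |kind, body|
    kind == :ruby ? driver.instance_eval(body) : driver.run_single(body)
  end
  driver.log
end

# Constructed sample script; the loop shows why embedded Ruby is useful.
SAMPLE_RC = <<~'RC'
  # constructed sample resource script
  workspace -a demo
  db_status
  <ruby>
  %w[10.0.0.5 10.0.0.6].each { |ip| run_single("hosts -a #{ip}") }
  </ruby>
  hosts
RC

if __FILE__ == $0
  puts run_resource(SAMPLE_RC)
end
```

Because the block is evaluated rather than pattern-matched, a resource script is effectively a program: whatever the Ruby block computes (a host list pulled from the database, a loop over modules) turns into console commands, which is the basis for the plugin and module-driven automation on the rest of the slide.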
23. metasploit
Exploit coverage
• Linux (x86, ARM, MIPS, PowerPC)
• Windows (x86, x64)
• OS X (ARM, PowerPC, x86)
• Solaris (x86, SPARC)
• AIX (PowerPC)
• IRIX (MIPS)
• Java
• PHP
24. metasploit
Payload features
• The Meterpreter (Win32, PHP, Java)
• Encrypted control channels
• Extensible at runtime
• Full OS control
• Scriptable
• Staged and unstaged command shells
• Ruby-based C / ASM compiler
• Post-exploitation scripting
25. metasploit
Additional modules
• Over 200 modules for information gathering
• Scan large networks for data leaks
• Exploit logic bugs for access
• Capture data from clients
• Find new flaws
26. metasploit
Database support
• Automatically store all gathered data
• Track all events (commands, sessions)
• Easily build reports from this data
27. metasploit capabilities
Stealth and evasion
• Exploits and payloads are randomized
• Exploits use custom protocol stacks
• Low-level SMB, HTTP, RPC control
• Timing and fragment evasion
• Payloads never write to the disk
• Limited forensic footprint
• Simple to control
28. metasploit capabilities
Full support for IPv6
• Complete socket support and payloads
• Great for compromising link-local IPs
• Works great with real IPv6 links
30. metasploit capabilities
Instant remote desktop hijack
• Use the “vncinject” payload with any exploit
• Instantly gain desktop access to the target
• Even on logged-off systems
32. metasploit capabilities
Relay attacks through targets
• Use the “meterpreter” payload type
• Launch the exploit, gain a session
• Set a route for the target’s network
• Launch exploits from the first target
• Working with Windows, PHP, Java
33. metasploit capabilities
Dump and pass Windows hashes
• Dump the hashes from a Win32 target
• Use any hash as the SMB password
• Provides “psexec” to other targets
• Uses our custom SMB protocol stack
34. metasploit capabilities
Search for and acquire evidence
• Meterpreter scripts for find & download
• Gather passwords and sensitive docs
• Works for all Meterpreter platforms
35. metasploit capabilities
Interact with targeted users
• Determine whether the user is idle
• Install a hotkey hook inside of Winlogon
• Force lock the user’s desktop
• Read the captured password
36. metasploit express
Metasploit Express
• Commercial product from Rapid7
• Not a fork, but a direct extension
• Built by the same core team
• Pays for OSS development
• Uses the open APIs
38. metasploit examples
Mined the public NTP servers
• Discovered over 21m NTP client systems
• Resulted in a great map of infrastructure
• Identified a potential 20Gbps DDoS risk
• A single Metasploit module + console
39. metasploit examples
Scanned 3.1 billion IPs
• Identifying vulnerable VxWorks devices
• Resulted in a 100+ vendor CERT advisory
• Also, a single Metasploit module
• Took 3 days and $19
40. summary
Cyber is what you make of it
• Most of the parts exist in OSS
• Metasploit is easy to build on
• Free to use, free to extend