So I'm Druid. I'm going to talk briefly about Metasploit telephony. This is a turbo talk because it is a relatively new project that I'm working on, so I'm going to try to speed through it a little bit here.

So basically, what is it? It's some core extensions for using telephony devices. It essentially provides a way for Metasploit to drive devices like modems, things like that, which then gives you dial-up interfaces to remote systems. What this does is it extends Metasploit's potential target pool, because traditionally Metasploit is used for attacking network systems: you set your RHOST and you target systems that way. What this does is allow you to dial up to a system, launch an exploit at it over the dial-up connection. This lets you target things like vulnerabilities in /bin/login, your gettys, Pluggable Authentication Modules, and BBS software, which, yes, does still exist.

So what this does is it currently just provides a modem object. It has some methods to create a modem, which will attach to the serial port that you specify. You can send it commands, read your responses back, hang it up, flush the buffers, things like that. There's a few more, but those are all the main ones that you might use if you're using this to develop. There are accessors for the object to configure your modem, which are basically your baud rate, data bits, parity bits, all of that good stuff.

All right, so how do you apply this? That's kind of the underlying telephony library right now. So if you want to use this for dial-up exploitation, there is a module for exploiting things over dial-up. It has some methods like connect_dialup, disconnect, puts, gets. There's also an expect, which uses a regular expression, so you can send something and then try to match something back on a regular expression. And then, like your normal exploits, you call your handler. There's the configuration options for this, which pretty much map to the configuration option accessors that I mentioned a minute ago for the modem object.

So in order to make this actually work, because we're doing things a little bit differently than over a network socket (we're actually using a local file socket, things like that), we needed a new type of payload, which basically just interacts with the remote system over this dial-up connection. Basically, if you make your exploit available for platform Unix and arch TTY, then this payload will become available for your use as an exploit payload.

There's a test exploit that you can play around with if you just need to verify that your hardware works and will dial up and connect and all of that stuff. It's in modules/exploits/test/dialup, and all of this is in the development SVN tree right now if you want to play with it. As you can see, it's extremely simple. It basically just uses the connect_dialup method, calls the handler, and then disconnects afterward.

So this is how you use it. Basically, you'd set your number to whatever number you want to dial, your baud rate, the serial port that you're using, that kind of thing, and then set your payload and run the exploit. This is quickly what it looks like. I'm not going to go over all that because we're a little bit pressed for time, but basically it dials up and it connects and then drops you to your interactive shell. In that particular example, I logged in manually.

This is a scripted interactive dial-up using the expect method that I mentioned earlier, which will match on regular expressions. As you can see, it does the connection, it looks for the login prompt, it sends the username that you have stored in your datastore, looks for the password prompt, and so forth. Then once you're actually logged in, it'll call the handler, which will drop you down to interactive mode for your session. Basically, all it does is dial up, connect, and authenticate through the scripted portion. If you wanted to, you could potentially use these types of methods, with the puts and expect and things like that, to write a local exploit out to a file on the remote system and then elevate privileges that way.

When I was originally implementing this, it was kind of specific to the dial-up library, but I think what I'm going to do is abstract that out to a more generalized expect-type mechanism for any of your session-manager-managed shells. In this way you can then use it to script your sessions and expand that beyond what Metasploit really does currently, which is put it in your session manager and allow you to connect to it, disconnect from it, and interact with it manually.

So here's a real exploit, which is a very good example of what type of bug you could attack using this. It's pretty old; you can see it's from 2001. There's a bug in /bin/logins that are derived from the System V /bin/login, which a lot of Unixes have had, specifically Solaris, which is what this particular exploit is for. Basically, if you provide a large number of environment variable arguments to /bin/login, you know, alongside your login name, it would still prompt you for the password, but then it wouldn't actually verify that password for the authentication, and it would drop you into your shell as the user that you attempted to log in as. What's interesting about this is that everything you're doing to exploit the bug is through the normal interaction with /bin/login, whether using rlogin, telnet, or dial-up, so it's a good example for demonstrating this new capability.

It's in exploit/dialup/multi/login/manyargs if you want to play around with it. It works just like the test exploit: you set your number, baud rate, all your modem parameters, set your payload, and then run the exploit. This is what it looks like. Again, I'm gonna kind of skip over this because we're pressed for time, but basically that's what it looks like. Once it executes the exploit, it then drops your dial-up shell into the session manager.

So you're probably wondering, well, you know, this is great if you know systems that you want to attack, but how do we find these? Using the same stuff, we implemented a Metasploit war dialer. While I was bugging HD for information on where to put this stuff in Metasploit, he kind of came up with the idea for WarVOX, and he ran that way with WarVOX and I ran this way with the war dialer. So now we have two war dialers. They both work a little bit differently and they both have slightly different goals, but they're both awesome.

So this one, basically, it's your standard war dialer. It has all the same types of options that you'd expect from a war dialer like ToneLoc or, you know, The Hacker's Choice, those types of tools. You can detect most of your connect strings and modem responses; basically, you're still relying on the analog modem to do the detection. And it stores all of the information in your Metasploit working directory under logs/wardial. There's two things that are stored there. There's a gzipped Marshal Ruby scan database, which basically has all of the numbers that you're attempting to scan, whether you scanned them or not, and what their statuses are, and then there's a ToneLoc-style found log file, which just notes the interesting ones like connections and faxes and stuff like that. And it can also log to an SQL database.

So the options: there's a few more than the exploit options that were available. You can see you have a dial mask, a dial prefix, all of the modem options just like in the exploitation usage of this. There's a log method, which tells it whether you're going to log to the file or the database. There's a nudge string for once you connect, to try to prompt some information out of the remote system. And that's about it. It's implemented as an auxiliary module, so basically you would use the module just like any other auxiliary module: set your parameters and then run it.

In this particular example, I was scanning for faxes, so you can see that I've got the modem set to fax mode and it starts scanning. Towards the beginning it realizes that, you know, there's four digits masked out of the dial mask, so there's 10,000 numbers to call. It sets up the database in your MSF working directory, starts scanning, and you can see here that on the second one it actually found a fax. So that's what it looks like while it's running.

To log to the database, basically it uses the database abstraction layer already available in Metasploit. Basically, all it does is call a report_note method with the type of wardial result. So it's in your Metasploit database with that type; you can search for those and it'll give you all of your results.

Eventually this should be able to interface with another project that I'm working on called Tidbits, which is the Internet database for information telephony systems. Essentially what I want to do is have an online database available for people to go and search for pretty much any telephony system, or information system that's attached to a telephony device and answers the phone. The interesting thing about this is I intend to make it public, so I'm sure I'm gonna have a lot of anonymous submissions and things like that. So all of those are going to be inserted in basically an unverified queue. The Metasploit war dialer should be able to query this database for unverified targets, dial those, and verify them if you're set up with a verified account. That way it essentially turns the Metasploit war dialer into a distributed war dialer.

So what's missing? Basically, like I said, this is relatively new. There's still a number of things that I'm trying to implement. One is direct voice over IP support. The problem here is that there's not a really good digital signal processor in software that will integrate with voice over IP software. This is kind of one of the reasons that WarVOX went the audio signal processing route rather than connecting. When we first started looking at, you know, when we were working on both of these war dialers, it actually turned out to WarVOX's advantage to go this way and do the post-processing audio analysis, because that allowed for WarVOX to have a lot more capability in batch processing and doing massive scanning. There is one tool called iaxmodem which exists, but it uses a DSP that currently will only detect fax carriers; it won't do data. There are other DSPs that exist, but like I said, they're not really tied or architected well for integration with VoIP. I believe the GNU Radio project has most of the components that are needed, but they're kind of geared towards RF. So that's definitely one thing where there's room for improvement.

More exploits: I've identified a couple. I haven't really looked at all of these yet to see if they're applicable for use by the dial-up exploitation stuff, but there's definitely more to go there. The one that I showcased earlier is in the development tree now; you can go play with that if you want to. And a friend of mine tipped me off to some Renegade BBS 0-day, so I need to verify if that still works in the current version, and you might see that show up soon.

I also want to work a little bit on non-carrier signal processing. Right now it's using, you know, an analog modem to do the detection, so you're either connecting to a fax or you're connecting to a modem. This is kind of the same type of analysis that WarVOX is doing currently, so I think there's a lot of opportunity for bringing some of the WarVOX code back into Metasploit and improving the war dialer here to work in different modes.

So that's about it. Because we're pressed for time I probably shouldn't take any questions here, but I'll be wandering around if you want to ask me about it after the talk. Thanks.

Okay, so because we're short on time.
We want to make sure that everyone gets a chance to talk. I have a 30-minute track and I actually have two co-speakers doing two other pieces too, so we're moving really, really quick. Because of that we're probably gonna cut back on the break time between this track. We want to make sure that everyone all the way up to the track has time. So I'm gonna start almost immediately, and we're gonna go from myself to JR to Carlos Perez, and from there we're straight to the next thing. So if you're one of the speakers of the, you know, six, seven we have left, make sure you're ready to come out like the second your time starts, because we want to make sure there's time for everybody. Thanks. So we'll get started in just about one minute; I want to make sure the rest of us can trickle in.

All right, going to get started. We're starting early to make room for the folks who just came in. We're gonna move really quickly for the next three, four hours straight till we're done. This kind of mini-to-mini, even mini-mini track is a little bit about Metasploit: what we've been doing lately, some of the project goals, overviews, and kind of barely touching on IPv6, but making it, you know, clear what we can currently do, and then a lot of stuff about Meterpreter, both from porting it all to a Unix platform, which this gentleman did in about a week with basically no prep work, to all the automation stuff that Carlos is doing, some of the new tools that he's coming up with. Let's go and get started. I'm gonna go in like micro-machine-guy mode, so if you have any trouble you can always look at the slides later on or catch me afterwards, and I'm happy to explain stuff.

So my name is HD Moore, the project lead and core developer of Metasploit. There's actually other core developers, but I've kind of been around probably longest, since 2003. The other two gentlemen who are going to speak with me today are JR, who's doing the Meterpreter POSIX port, and Carlos Perez, he's also known as darkoperator, who does most of the scripts for Meterpreter currently in Metasploit.

Some quick facts. So, as lots of people like to argue, we are still the biggest Ruby project in the world, so it's one of those cases where if the Ruby interpreter starts to fail, we don't like what the developers are doing, we'll fork Ruby to make sure Metasploit still has an interpreter for it, at this point because we have more code than them. Second place is Puppet and Ruby on Rails, so if you're familiar with those projects, they're actually still smaller than Metasploit is right now by at least 10%. We've got about 100,000 people who are doing SVN updates via unique IPs to the main Metasploit server every year now, so this number is moving up from about 55,000 in 2006 to about 100,000 now. So you can see there's a lot of people in this room, a lot of people use Metasploit, so we're really happy the community project is really coming together; a lot of folks are working on it and we feel like we're making a lot of progress. There's actually a core group of about 20,000 users who update about once a week, so we always see lots and lots of, you know, the same 20,000 IPs updating every single month to our servers. So we know who you are, but thank you.

Something we noticed recently was there's 235 books currently mentioning Metasploit, so the product has gotten ridiculously huge. We're mentioned in about 65,000-plus blogs right now, who knows how many Twitter messages here and there, and this is the first conference I've ever come to where the press release, the PR folks, came to me and asked me who my agency was, because we actually have this good message. Well, we don't have an agency with you guys, so thanks again for helping us get the word out and kind of giving motivation to our developers to really kick ass and get things done. There's actually about 15 active developers, but which 15 depends on what time of the month it is and who's sleeping and who's drinking and who's going where. So it's a really loose-knit group of folks, but we tend to have, you know, about 15 people active at a given time in the project.

So, quick goals. In the short term we want to speed up our release cycles. A lot of folks say, well, you break the Metasploit tree every five minutes and the only updated version is trunk. Yes, we do that. So unfortunately what that means is Val Smith, these guys over here, have to find the exact SVN release that actually works properly and save it off for all their demos and then don't update ever. So we're actually gonna try to fix that by having shorter release cycles. We're gonna get 3.3 out in the next month and kind of go for maybe a quarterly or, you know, semi-, you know, semi-, only at the very late, slowest release cycle.

Overhauling all Win32, excuse me, all of Meterpreter. We're actually adding POSIX support; you know, there's work on Mac OS X, there's work on Linux, on BSD, everything. We're actually making a portable Windows install and Mac OS X install; a few folks got a link to the demo of the beta of that. Basically you can put Metasploit on a USB key. It'll work standalone anywhere. It only required us to patch all of Ruby 1.9.1 and all of Cygwin to make it work, but it works now. We're completing the switch to Ruby 1.9.1, so you actually get about twice as fast, which is still really slow, but it's Ruby and it's a little bit faster than it was. So if you're really tired of Metasploit taking 10 seconds to start up now, it's only gonna take five seconds to start up with Ruby 1.9.1 going forward, and most of our code is done for that as well. We're gonna try to change a lot of the console, improvements, add some defaults, make things easier for people to use, so you don't have to type the same damn thing every time you use it and things just kind of work the way you expect them to, hopefully without breaking anything or, you know, making things worse.

You can see that we've got a ton of content all in this track, both at Black Hat and DEF CON this year, and like my job is exploit janitor and kind of code janitor, so I have to go combine all the cool things these guys are working on, actually put it into a release, and make sure they don't step on each other. So the next thing that we're gonna do is actually work on all the work that happened in the last two months leading up to this, merging it together and trying to break the tree, and then get 3.3 out.

So long-term-wise, on the code side, we're gonna try to replace both the GUI and the current web version with a brand new web version that's much easier to use, has cleaner support, things like that. The idea is that you'd be able to have a special part point, excuse me, special menu from the website, of the MSF web version, to do things like browse files on the remote host, take screenshots, do videos, do all your really cool, like, Meterpreter automation exploitation now using kind of a GUI browser interface. So there'll be a lot of neat ways to go through and automate things and set up kind of like little capture portals and stuff all through the web interface once we get that going. We're also gonna be overhauling the console, adding it so you can connect to a remote Metasploit instance, so you can have your MSF console talk to a shared server, have everyone share the same exploits, the same everything else, while still keeping your local tools. Tons of automation, tons of automatic analysis, tons of reporting stuff is in the works.

For folks who use SMB relay, does anyone here use SMB relay stuff? Great. So the problem with SMB relay is, if you relay a connection that doesn't have administrative privileges on your target, you don't get a command shell; you only get an SMB authenticated session. So what we're gonna do is create an actual dedicated SMB session type. So if you don't get a real shell it defaults to an SMB session type instead, and now you basically have an SMB client on your hijacked connection to upload files, download files, do actions on the registry, do all the things you normally could, as well as exploit things like, you know, weak service control permissions, things like that, using that, then, a kid user account. So even if you don't have admin access, we're gonna get you something.

Let's try to fly through this. We talked about task-based interfaces, basically having a web app assessment UI wrapping all the stuff that Efrain is doing with WMAP and having a nice configuration interface for that, ways to build persistent agents and backdoors directly from the UI, hopefully integrating some of the stuff these guys are doing in Metaphish and getting that whole thing kind of bundled up in a UI.

As far as the project goes, our goal right now is to have an industry-wide standard security tool platform for everybody to use that's free, and keep it under the BSD license. So the idea is any time there's a crappy, you know, proof-of-concept tool being released for one particular vulnerability, make sure you can actually add that to Metasploit, maintain that, use it, use it five years from now, not have to worry about compilers or headers changing, things like that. So you really want this to be a standard platform everyone can use. We're actually looking at some sponsored feature development, some companies saying we'll pay you this to work on this feature, or we'll actually give you a developer for a week to work on one particular piece, so we're trying to leverage some of that when we can. We're looking at integrating further commercial tools, from vulnerability scanners to IPS to IDS to SMS, everything in between, to make sure that if you've got a tool that has some information that we can use, we can leverage that to either make that tool work or take information from that tool to make an exploit work. One good example of that is there's a tool called Netifera, and we were looking at ways to basically take the Netifera agent and actually drop that using any standard Metasploit module, so you can kind of combine exploits with the remote agent system. Lots of documentation, lots of SDK stuff, lots of good goals there. Looking at ways for the end user to be able to script things and automate things easily without actually having to know Ruby, which can be a little bit of a challenge; I think we can do it. And finally, actually having automated regression testing and, you know, quality feedback if you possibly can.

So on the IPv6 side, I've mentioned this at one conference before and in some of the training, but all of Metasploit is IPv6 ready. We support it in every core library, every socket. We actually have support in the payloads for Windows and Linux. You can exploit anything over IPv6, pure IPv6, and it just works right now. All the stages, VNC inject, Meterpreter, that stuff just works great. No IPv4 traffic at all. Is there a question? No, it's just someone waving. Howdy.

All right. So all modern platforms right now actually ship with v6 on. So if you had a Vista box, Mac OS X, Ubuntu, Solaris, it actually has a v6 address every time you plug it into an Ethernet port, and Metasploit can now exploit that. So even if you have something like ZoneAlarm or another firewall installed that normally blocks these types of connections, you can now bypass that firewall. We're using the v6 address of the device to get your shell and Meterpreter, VNC, automation, etc. Most admins have no idea how to filter these things or how to manage them, so when you root a box you can do it through the fucking, excuse me, the v6 address, and the admin will never actually see that in your listing. And the nice thing about this is Windows 2003 and XP with v6 installed won't actually show it in the netstat table either. That's a great way to really screw with an admin who has no idea how you're in the box. So basically you pick an exploit, get access, all that, over IPv6. I was gonna do a demo, but we're running out of time, so I'm gonna fly through this. The thing about these link-local addresses: you can only exploit them locally, on an internal network. However, once you're internal you can do all sorts of cool things over v6; no one will ever see you.

One quick thing before I hand it over to JR. There's a lot of Meterpreter improvements over the last, basically, month. I had a baby and I was home on paternal leave, and so I had a baby on one shoulder, just hacking away, you know, on a laptop on the other, and we managed to port all of Meterpreter to SSL, so the entire Meterpreter session is over TLS, including migration. So hopefully once your payload is actually up and running you never have to worry about some pesky admin seeing your connection ever again. One of the other things we've worked on was keystroke logging, so you can actually inject a keystroke logger in Metasploit into whatever process you're currently in, either the actual, what the admins type normally on the desktop, or you can inject into winlogon and capture all the console login credentials of a particular server or desktop. We also have a packet sniffer. That's all in memory now, through raw, and is hooking using the MicroOLAP SDK. If anyone's familiar with the t-speed on, that's completely standalone; we use the same library. We have a commercial license for it, and the sniffer is now available to everyone for free. And this is a full-blown packet sniffer for all versions of Windows that runs in memory. You can run it from Meterpreter, just "use sniffer", and it works great. So I was backtracking some botnets and how to use it.

So finally, Meterpreter is being ported to a lot of platforms. Charlie Miller ported it to Mac OS X using some of Dino's work with the library bundle loader and some of his own work. But it's also being, since basically Charlie took so long to give us code, we're also porting it to a generic POSIX platform, and JR here is going to talk about that, about his process for actually doing POSIX porting of Meterpreter and some of the really neat tricks he did in memory to make that happen. So without further ado, here is JR.

So I'm just going to talk a little bit about why Meterpreter hasn't actually happened yet on Linux.
I mean, but you know at least half the people here are running Linux and And they've targeted plenty of platforms where it would have been nice to have it and it seems like it should already be there I mean, what is it really? It's just a the stub that reads a library over the wire and Loads it. I mean that doesn't seem like that should be all that hard Well Yes, and no so in Windows load library get proc address or all the known address There are some hacking that had to be done to get around Reading it off of disk I mean you've got it as a blob in memory and most of the things that map libraries typically the APIs want to read it off disk But the all-in-all the infrastructure is there you hook the right calls and you can load a library from memory and it just works OS X it's fairly similar the Mako resolve is at a known address and You with very little code you can do inject a bundle into an arbitrary application Linux free BSD net BSD, etc deal open is actually a service provided by the runtime loader and Isn't necessarily it affects the dress, you know So you don't necessarily know how to get at it And the runtime loader will actually resolve references to DL open deal sim, etc at runtime. So unless you already have a Relationship with the runtime loader so to speak you can't actually get at that and Not to mention that you can't aren't guaranteed that the application that you're compromising at the other end is actually dynamically linked so escape actually wrote a paper on it and based what would be involved and Didn't sound like a whole lot of fun and So given that there it's not easy to Talk to the runtime loader. How do I provide the necessary services? 
Well, I cheat so Basically with what I've done is I Incorporated a full runtime loader into the stock initial stub which actually loads the Retorporate a runtime loop and the library is that it depends on the crypto and the SSL Once it's injected by the exploit So you can in principle actually launch arbitrary Applications doing this they have to be positioned independent. Otherwise. It's a destructive load But I'll talk a little bit about that later the nice thing is it's now completely decoupled from the application and You're limited only by the application binary interface to the system calls So anyway, I'm getting back to when I actually first started looking at doing the Linux interpreter a couple weeks ago Just talk a little bit about that starting with a pre-existing library loader What was involved in the L front time loader and next steps So first of all, I just took the windows interpreter and wherever possible I just shimmed the API's in the error returns to share as much code as possible the idea being that The current developers can just keep the code as is any bugs fixed will get fixed will mostly translate to the POSIX interpreter And I just assume that that would make it easier to maintain That was fairly tedious, but it wasn't obviously particularly interesting design work now that is HD pointed out everything's running over SSL that means that you need to have the SSL library Initially, he was using polar SSL Which is nice, but doesn't have which is nice and small, but doesn't have the right license So now he's using a open SSL Which live SSL depends on the crypto These are kind of bloated. 
So I actually put zealob into the stub as well Which reduces the footprint to the libraries by about 60% and so it's effectively a very crude packer and then I took Previously existing code the 32-bit Linux library loader And was initially going to work with that and just sort of accept that and I realized it had some limitations first of all it has to find the base of the libc shared object in memory and Which has actually pretty easy on Linux you just open up the proc and You get the mapping of the libc And then it resolves the symbols in your libraries against that libc Well anyway mention that here Well on other operating systems like free BSD open BSD You don't necessarily have that mapping free BSD now has a sys control interface, but historically you had to go through KVM Which meant that you either needed to be root which kind of defeats the purpose Or you needed to have a set UID binary which also defeats the purpose because you have to spawn a separate process to go read that Which is that you ID kind of stupid? Also like I mentioned earlier If you're relying on finding the base of your libc you can't work with a statically linked application And it also assumes that your payload will resolve all its symbols happily against the applications libc Which will probably work in general, but I mean, it's just one more thing that can go wrong And you have to ship any non libc functionality anyway, so Like in this case SSL etc. You can't rely on any Libraries in the applications address base And these are specific issues with it It was 32 bit Lennox only and it didn't support the most recent way of hashing symbols in glibc so anyway, I Decided to sort of go with an off-the-shelf solution so to speak. 
I took a free BSD is runtime loader all-front time loader rewrote it to mmap anonymous memory copy in the libraries from the decompressed buffer and then call back various stub code to map libraries to load So now the nice thing about this approach is porting to different platforms is just a matter of extending the C runtime for platform variations So free BSD Has its underscore start interface glibc on Lennox has a slightly different one different calling convention It has a libc underscore main underscore start that has to be shimmed in but by and large It's all just the same code and there's very little variation across platforms There's a good chance that all the BSD's may actually just be able to use the same code and the C read runtime interface doesn't vary at all Well now the quite next up is the question is what is this really? I mean it isn't just DL open It's it's actually a generic user level exec This isn't new. I don't haven't done anything terribly original Grug scape and others have have done some version of it before It isn't clear to me that any of those were cross-platform non-destructive IE didn't displace the existing sections and to robust the variations in libc So what's neat about this is one could in principle run arbitrarily many applications They'd have to be cooperatively context-switched because the whole point is the US doesn't know about them but basically you put hooks into your the libc that you ship over the wire with it and So up to the amount of space that you have in the heap you could have your X term your emacs Well emacs might not play nicely emacs does some weird things but vi etc all running inside Your hack to patchy heap Which I think is actually I don't know how useful that is but I find it pretty funny It requires some extra work that have to be in a stack allocated for each pseudo process You'd have to make exit not actually exit the process because that would kind of screw up your session Fork you wouldn't want to 
actually call into fork and exec, similarly. So anyway, this is just a diagram that's kind of hard to read that shows you what the stub looks like. The POSIX ELF interpreter is just zlib, the blobs which are shown over on the right, which is the interpreter core, libcrypto, libssl and libcommon, which is just a dietlibc; you don't need all the 1.2 megabytes of a glibc. The ELF runtime loader, and then just a simple decompress loop and link. And so anyway, the interpreter core is just a standalone position-independent executable, so I can actually test it on the command line independently of this process.

So where do we stand now? The libevent loop works just fine on Linux; it can be loaded into an arbitrary address space. Next step is, yeah, I'm not sure what the status of Charlie Miller's work is. I mean, last I knew there was just the bundle injector. We could just shim the bundle injector into the POSIX interpreter; that would facilitate maximal code sharing, and so now you have... you just share one Meterpreter code base amongst all the platforms. It's been tested on 32-bit and 64-bit x86 FreeBSD and 32-bit x86 Linux. There's some cleanup needed; I did it over the course of a week, wanted to get it done by DEF CON, and things got a little bit hasty in the process, but I'm in the process of getting it into the Metasploit tree. I don't have commit privileges, so I'm just bit by bit pushing in patches, trying to avoid breaking things that are there now. Any questions?

Hello everybody, my name is Carlos Perez, also known as darkoperator.
I'm one of the members of the PaulDotCom Security Weekly podcast. I'm also an IT solution architect during the day, working mainly in the area of virtualization and security in network infrastructure, and during the night I spend almost all my time scripting the Meterpreter and running post-exploitation, and how I can help the community. Once you, as a pen tester, penetrate that box, how are you able to leverage the most time that you have available to get the most bang for your buck? So if you go to my website, darkoperator.com, you'll find a lot of scripts that are not part of the framework but might be useful to you also.

Meterpreter has done a lot of advances. The framework API is very well written; it is very useful. I have tried to port my Meterpreter scripts to other frameworks, and it has been a complete nightmare, in terms that in Meterpreter, only to execute one single command, it is a single line of script. If I try to do it in, let's say, another brand of framework that I have to pay lots of money for, it took me 67 lines of code just to execute one single Windows command and get that output. So the advantages of scripting Meterpreter is for you to save time and automate your post-exploitation. They're wonderful. That's why I love Meterpreter a lot. You're not limited by the API alone.
In fact, you can leverage the OS commands, run those commands, take the output of those shell commands, either in Windows or, with the new Meterpreter payloads that are going to be for Mac OS or for Unix or Linux, you can take that output, process that, use regular expressions and process that. Also, you could upload the necessary tools to the target, run those tools, then delete those tools and do the cleanup afterwards, or you can use the OS's own scripting capabilities. Right now if you go to my website, you will find a script called browser_enum, and for most of the tasks that I'm doing for enumerating stuff inside IE, I'm using just pure VBScript, WMI scripting, to get that information. Some of the stuff that I've been working on, you will see that it will leverage, if the target has Perl, I'll leverage Perl; if it has Python, I'll leverage Python. So you're not limited only to the API. You're only limited to what you can imagine and how mischievous you can be, thinking of ideas and how to do that post-exploitation on that box. The scripts can be run upon session creation.

And what the main purpose of my talk is, is for you to think tactically. Many times I have seen many people send me scripts, send me stuff, and when I run these scripts in my lab, most of the time they break. Debugging these scripts has been very kind of far. So I started preaching to a lot of people how to automate their post-exploitation in Meterpreter, so I decided just to condense all that information into this, and the line is just: think tactically. Don't think like, I'm gonna just run this series of steps, but think: why am I running those steps? Are they necessary? What privilege do I have?
In fact, not all versions of an OS are the same. In shell, if you're running against a Windows XP machine it's not the same as a Windows Vista machine; it's not the same as a Windows 7 machine. The commands in that machine will change. In fact, I've seen Windows commands that may change even if the same command is present in all versions of Windows: the switches vary. Some will accept... they're not case sensitive in one version and in another version they're case sensitive; in one version they don't need spaces between the options, in another they do. So you got to be very careful and test depending on the OS version. Also, being a local user is not the same as being a domain user, so you have to check in your post automation: what exactly do you want to do? How do you want to get inside that machine? And you want to know what you're doing under what privilege level, so you know what actions to take, and that way you can be even more stealthy and get more bang for your buck of the work you're doing.

Also, use environment variables. I have seen many people go and tell me, "I have run this script several times against this target network and it's always failing." I take that same script, take it to my lab, it is working perfectly. The only thing is that they're using full paths. I just changed their script to a variable, use the TEMP variable, use the WINDIR variable; they run the script, everything was working. What did the sysadmin do during this hardening procedure?
They changed the location path of those folders in Windows, so using variables is very important. Also, using these variables will make you... if I'm running as SYSTEM, my temp location as SYSTEM is going to be different than my temp location if I'm running as a regular user in a box, so this will give me the advantage of where to put my data temporarily, where I need it. Check for countermeasures. If they have countermeasures and you have permission during your pen test to take them out, take them out; if you don't have the permission, bend the rules, work around them. Also use random names when you're creating files on the target. I remember a lot of times people going, "I'm creating this script for this class, all my students were running it, it never worked." They send me the script, I just check it, and all these students were overriding the data of each other in the target machine. Then I had the pleasure of doing a pen test where I got four shells on one single box all at the same time, and when I got those four shells, the advantage that I had was I was not overriding my own data, because I was using random names for the files I was creating on that target.

Also, clean up after yourselves. There have been many times that my company has been called to go in and check the work that another pen tester has done, and I have found all of their toolkits, their tools, their scripts and everything on that box, and I can go to the client: well, they just left this for the next guy who comes in. So please clean up. Use functions; keep your code as modular as possible. Every time you're writing scripts, it's a lot easier if you already have a function pre-made and you just copy-paste that function. You just use it time and time and time again.
Do not reinvent the wheel. On the versions of Windows, as I mentioned earlier, you have the availability of commands. Each version of Windows has different countermeasures, different features that are installed in different versions of Windows right now. If I'm on a Windows 7 box or a Windows 2008 box or a Vista box and I want to do something like wget, I have bitsadmin, where I can go through a proxy, HTTP, download my tools. I do not have that in Windows XP; I don't have it in Windows 2003. So different features are installed in different versions of Windows, so take advantage of them. Location of files: in a Windows 7 box, Windows 2000 box, you cannot copy files in certain folders as you can in Windows 2002 and Windows XP. So you got to be careful when you're doing your scripts to check for the OS version and, according to that OS version, take your commands. You decide what commands you are going to run in that target. And also, as I mentioned, different versions of Windows, same command, different switches; some are case sensitive, others are not; some require a space, others don't.

Level of access: being administrator is not the same as SYSTEM. If you want to run incognito in a Windows 7 box, Windows 2008 or Vista box, you have to be SYSTEM. If you want to run hashdump on a Windows 7 or Windows 2008, also in Vista, you have to be SYSTEM on that box. Microsoft's getting smarter and they're changing their feature set in their API calls, so we as attackers also adapt to this. Domain access sometimes is a lot better than being SYSTEM. If I pop... well, that's not wrong, if I penetrate a SQL 2000 box and I get inside and the sysadmin made the mistake of running the services in that SQL box as a domain admin account, most of my work is going to be done through SQL. Why am I going to go directly to shell and be SYSTEM on that box and not leverage
that advantage of being a domain account that I can then touch other boxes inside that domain? Using, as I mentioned, using environment variables here, you can see the API calls that I can use: client.fs.file.expand_path, where I can expand that path. If you're executing a command, you can place your environment variables inside that command just by calling cmd /c, and cmd will do the work for you of expanding that variable when you're doing this attack. Also, getting environment variables is very useful when you're doing enumeration of a target. Chris Gates can talk about it. When you get into a box, either being Windows, Linux or Unix, and you see the variables, you're gonna know if that box is running Oracle or not. You'll see if that box has Perl installed or not; you'll see if it has Python installed or not, and you can take advantage of those tools. In fact, you will even be able to see the version of Java that might be installed in that box. That could be very useful to you, just by checking those environment variables. So very important information to have when you're automating your tests, also for finding the best place where to look at or place your files.

Do not use static naming. If you get several shells and you run your scripts in each run, you will overwrite your data. Also, if the sysadmin is smart and he's playing with Metasploit and he knows that that script will create a file called TMP.exe, he's gonna create rules in his HIPS, or the AV vendor will create rules that will look for TMP.exe. So be stealthy. Be mischievous; think of Loki as your god when you're doing this kind of work. Also, offensive security by doing this will also be obscure. I use the rand function; I have friends that use the MD5 function inside Ruby to create their names.
You can use whatever you want, as long as they're not the same and they're random. Check for countermeasures; check for AV, HIPS, firewalls. Punch holes through them if they won't let you disable them. If setting listeners in a Windows box, check for the firewall. I have seen it time and time and time again when I'm teaching or co-hosting a penetration class, and I see the students, all of them going crazy setting up their listeners with netcat. They're trying to connect, they're not able, and we instructors are sort of laughing because we taught them three slides before, 15 minutes before, that they should check the firewall in the system. If the admin is smart... and right now not all of them are that smart, but they're getting smarter, because right now what Redmond is doing, they're putting it on as default, so they're taking the decision off the admin. So check for that firewall; punch holes through it. You'll see several scripts of mine, like getgui or gettelnet, where you will see instructions that you could just take, modify them, and punch holes in those firewalls. Also check policy settings. If you check my check countermeasure script inside the SVN, you will see how I can enumerate the policies in that box just by using the same commands that the Windows administrator might use for checking those GPO policies. It will detect any version of current HIPS; they have a very large list of HIPS, firewalls, antivirus software, and if you give it the option to kill it, in addition to detecting it, it will also give you all the settings for that Windows firewall. So if you want, and it will also check for UAC in the case of a Windows Vista box or Windows 7 box.

Clean up after yourself. If you get permission, in addition to deleting all of your uploaded tools, clean the event log. Change MACE; in fact, when you're changing the MACE of a file I prefer to copy it from another file, just because I want to make the forensic team or incident response team's life more
difficult. I want to test their skill set. So many times, you will see, like in my winenum script, I'll just take the chkdsk MACE and I'll copy it onto the files that I use. When they go in, the first thing that I have seen many forensic teams and incident response teams trained to do is check for the default date that gets set when you clear a MACE. But if I didn't do that and I set another MACE from another file that is in the system, that probably was run two or three months ago, I'm making their life a lot more difficult, and also I'm making my client a lot smarter, because now they will have to improve their techniques for handling incident response.

Kill any processes not needed. I have gone many times into a client and I found netcat listeners that were done from a pentest that was done one or two months ago, and the netcat listener was left on that client machine. Backdoors left and the process is in memory. The machine has not been rebooted. They removed the files from the file system, but they left that process running in memory. If you're going to use any of these tools and you write your script, make sure the script checks the processes and kills those processes as you leave. I gotta give special thanks to HD Moore and the PaulDotCom crew. In fact, the PaulDotCom crew is the one giving me the wicked ideas of how to be a bit more evil when I'm doing my scripts, and all my work is done on top of the shoulders of the work that HD has done and the rest of the Metasploit team. Thank you.

So just one quick note before you go on to the next talk, which is Mike Kershaw talking about his awesome work on LORCON 2 and wireless stuff. So stick around for that. We'll still be moving really quickly. Mike, if you're ready. Awesome, sweet.
So let me just kill this one slide when we're done. So basically Metasploit right now depends entirely on its user base, for community, for inspiration, for development, for QA, for testing. Without the feedback that we've been getting, without people testing it and actually using it, the project would have been dead four years ago and this talk wouldn't be happening. So thanks again to the entire community for everything you've done, and one more thank you to the DEF CON folks who put this together, Ping, Jeff, Nikita, Valsmith, for railroading it all through, and for all the folks who actually took their time out to come to the talk, and for the folks who came up here to speak. So thank you, and here's Mike. Thanks.

All right, I guess we'll get started. I'm Mike Kershaw, aka dragorn. I wrote it and co-wrote LORCON with Josh Wright, so I'll get through this pretty quick since we're a little short on time. So Metasploit, you might not have realized, is actually a time machine. It is not a hippie do-gooder time machine, but one where you get to bring back really cool weapons of the past with you. So seriously, Wi-Fi is shared media. Remember shared media, in the 80s and the 90s? It was a lot of fun. Everyone's connections were visible to you all the time: TCP hijacking, local DNS hijacking, all that stuff. Yeah, that's all back. It's all in Wi-Fi. But everyone uses encryption, right? I mean, everybody has to be smart enough to use that now. I mean, you'd never ever take your system from work to an insecure network somewhere. I mean, that'd never happen anywhere, would it?

So what are we going to do with this? LORCON is an injection library that Josh and I wrote a couple years ago. LORCON 2 is the latest version of it, with a new improved API that's actually a lot more pleasant to use. Metasploit; Racket, which is a very fast packet assembly and decode library in Ruby; and the general Ruby network libraries like Net::DNS. So why did we do LORCON?
Writing the same code over and over again sucks when you have to write all the control code. Writing apps for every driver with separate quirks also sucks. Writing apps for every OS sucks. Hopefully LORCON doesn't actually suck. Unfortunately, the first version of LORCON kind of sucked. The new API is simpler, it's cleaner, it's modeled directly after pcap, so it should be a lot easier to use in any app that uses pcap. If you just open the LORCON header, you'll see almost every function you've seen in pcap, just prefixed with lorcon instead of pcap. So for injection right now you need Linux, you need a mac80211-supported driver, you need a new kernel; that probably means 2.6.30 or even the wireless-testing stuff. LORCON 2 will eventually expand back out to support madwifi and AirPcap TX on Windows and whatnot, but there just wasn't time before the con. There's no good way to do injection on Mac right now unless someone wants to write a user-space USB stack. If someone wants to write a user-space USB stack, come talk to me, seriously.

So doing it with Ruby, it's a really simple interface. So you just load LORCON, you create a new interface, or you create a new LORCON device context, tell it what interface you want, and you open it in injection mode. It figures out how to do it; it figures out what driver you're using; it figures out if you need to make a VAP for it; figures out all of that, and then you just loop through the packets. You get the raw 802.11 as a byte stream in Ruby, or you get the 802.3, which is the data frames translated to look like Ethernet, so all the existing libraries that use Ethernet in Ruby, you can feed them wireless packets directly, decode them like it was a standard packet before. So you just do, you know, packet.dot3 gives you the Ruby... either gives you the 802.3 translation. You dump that in Racket, grab the TCP sequence right out of it, make packets the same way: create a new Racket packet,
create the layer 2 stuff, create, you know, TCP context, IP context in it, do whatever you want, put a payload in, and then you just turn it into a LORCON packet. So you make a new packet, you turn the 802.3 into what you just created with Racket, set the 802.11 unique attributes like the network ID and if it's coming to or from the access point, and then inject it. There you go.

So what can we actually do with this? Well, now that it's really that easy to decode 802.11 data and manipulate it, why aren't people doing it more often? It's really only marginally more difficult to make the awesome old attacks work again, and I think we just forgot how great some of them were. So we control layer 2; we don't have to own the Internet, we have to own your Internet. It's just as good. DNS spoofing, yeah, that's really easy. ARP spoofing. Have we done TCP spoofing before? Yeah, we have. Toast presented at DEF CON about five years ago: airpwn. Why isn't everybody using this all the time when they're attacking a wireless network? Really, it's not just for shock porn anymore, and if you don't get it, ask the person next to you; they'll be more than happy to explain it to you.

So TCP hijacking, it's a standard layer 2 attack. TCP is only as "secure" as it is, I mean, air quotes, because it's a random sequence number. When I'm on your layer 2 it's not a random number anymore; any stream is subject to abuse. So standard TCP hijacking methods, same as it always was, just glide through it real quick: you see the handshake go through, you see the client request a web page, you go, oh, well, that's the sequence number it's expecting, you hop in before the server replies, send whatever you want, close the connection when you're done. The server is far away; we're really close.
That means we should be able to beat it pretty handily. So what does it really get us to do this? It gets us arbitrary content replacement for anything a user does that isn't encrypted, and you can spoof landing sites and rewrite SSL if you want; you can rewrite JavaScript. 'Cause SSL solves everything. I mean, users would never pick something dumb like "sure, I'll accept that cert" all the time. I mean, users never have any problems like that. I mean, obviously it wouldn't happen. So this makes life really hard for users, and of course they're going to make bad decisions; the operating system doesn't really help them. Cryptic "do you want to accept this?" If you're not a techie, you don't know. So we're using layer 2 to create a layer 8 problem. Even smart users can't beat it: if you trusted that website, yeah, too bad. Now that Flash file you were looking at is the latest Metasploit payload, or any other browser exploit, or browser autopwn, or any other TCP service exploit, like, you know, if there's a nice exploit for POP3, replace their email stream. It's like Metasploit, but a little bit sneakier.

So we can replace content, but what do we do now? Pretty much every website includes a ton of little JavaScript helper files. If you look at a session with Firebug while you're browsing, you'll see it load, you know, 15-20 files, or Urchin for Google Analytics, or jQuery, nice standard file names. So what do we get if we replace them? Arbitrary execution inside the security context of the website people are looking at. So we're in your browser rewriting your DOM. Once we get in there we can do anything we want: all your HTTPS links are now unencrypted, all your forms are now logged, all your content's rewritten. If I want, I can include other JavaScript.
I can include iframes. I could use Kaminsky's socket and sucket code from ToorCon a couple years ago, pretty much any fun you can think of. I mean, just replace the content anywhere you want. So this really matters, because local replace is fun, but who here read our snakes VPN paper a couple weeks ago? Hands? Anyone? Not nearly enough people; you need to go read this. Short version is you can fake out the browser. If you can replace the TCP stream, you can tell it to cache JavaScript. If I own your TCP session because of Wi-Fi, I own your HTTP content headers. When I own your content headers, I can tell you: cache this file for 10 years. So if you go to Twitter from Starbucks and then load one of the helper JavaScript files, you feed it a spiked file with airpwn that loads an iframe in the background, tell it to cache for 10 years; when they take that laptop back to the corporate network, behind all their firewalls, behind all the protection, and go visit Twitter again, it's going to load the cached copy off the hard drive and you've got execution inside their corporate network. So the browser will keep this and use it every time until they clear their cache or reinstall their system or trigger something else that causes it to update. So you can load arbitrary code later; just have your cached JavaScript dynamically load something every time it gets run. Of course, this would never work, though. I mean, users would never go to Twitter at work, right? So you could also, instead of replacing all the content, cache a staging JS that would just load the original requested file plus anything else we want to load with it. We cache a little staging stub, and then it gets loaded every time again, and we can change the payload whenever we want, whenever the user reloads.

So for a Metasploit module, it's actually not vaporware. So how do we implement this in Metasploit?
A LORCON 2 exploit module and a threaded server module with regular expression matching for the URLs, a YAML config so it can load files from the hard drive or strings that you give it, and you pretty much give it any data and it figures out what to do with it. If you give it one with HTTP headers, it will use all the ones you gave it; if you give it one with nothing, it'll generate appropriate ones for you. The demo gods have never smiled on me, so you get screenshots instead. So just as simple as all the other Metasploit modules: load up the airpwn module, set the interface (I rename all mine based on what kind of card it is, because I've got 40 billion wireless cards, but alfa0, wifi0, wlan1, whatever), set the response, in this case we're just replacing every web page with "hello from Metasploit, sucks to be you," and run, and it'll grab any HTTP request headers that come by and replace them. Ta-da.

So, but why do we limit ourselves to just HTTP? We can hijack IMAP and replace email, anything else TCP. Or, well, why not do UDP? DNS is UDP. That's convenient. It's way simpler than TCP. Downside is, right now the code I've got can't reliably win the race against DNS servers that are on the LAN with you, but if your DNS servers are beyond your gateway, it's really, really easy to win that race. So that doesn't get us bailiwick or a full domain ownage, but it does get us targeted per-user replacement of any host name we want, including host names local to their LAN, so you could take some domain name local to a target's private network and suddenly redirect it outside the network, where we can capture everything they're doing. So DNS overriding is also just that easy: create a Net::DNS packet with Ruby, dump the Racket payload into it that we got by grabbing the packet with LORCON, set the response header to one, take their question, reflect it right back to them, set an IP we want, bounce it right back in with LORCON, and there we go. So what's next for this?
Restoring old LORCON drivers; adding WEP encode and decode, that should be really simple, it just took time I didn't have; adding WPA-PSK encode, that's a little bit harder: you need to both have the PSK, the network name, and you need to see the user associate. It's a good thing we can't create packets that will, on a wireless network now, kick users off and watch them rejoin, isn't it? Need to actually get a release of LORCON 2 out the door, and need to start looking at adding some non-802.11 stuff like ZigBee and Bluetooth to it. Can improve the Metasploit integration: there's a lot of layer 2 injection stuff in Metasploit, like the new dhclient and whatnot; no reason that won't work over wireless. No reason you need to do all the decoding in C, so we can do a Ruby-native 802.11 library, and then there's some general layer 2 handlers we can do to make things a lot simpler and link with payload generation of other modules like browser autopwn and the images and whatnot.

So let's mix this up a little bit more. What happens when you get two packets in the same window with overlapping data, same sequence number, that hit the stack at almost the same time? In Linux you get the combination of the non-overlapping bytes of the short packet and the long packet. That's interesting. So what does HTTP look like? Looks like a lot of headers that come back; that's like 270 bytes of headers. What if we had an overlapping packet with really short headers that we collided at the same time?
So we send an overlapping fragment that has just enough headers to get by and a JavaScript include, and you end up with something that looks like the following, which is your JavaScript running in the page without ever knowing what the page originally was, combined with the remnants of the previous headers. But we can fix those: just open up the document in our HTML and look for the double carriage return and clear out the junk headers from before, and the user will never notice. There's a few problems doing this, so there isn't quite a Metasploit module for it yet. We don't know the content length, because we haven't seen it yet; we're beating the content-length packet. We don't know the length of the original headers, but there's a few ways around that too. So if we've seen the user request before, say a JavaScript helper like Urchin, we know how long the headers are for the server that's sending it. It's going to send it several more times and we know where the data begins, so we can craft an overlay packet that's perfectly matched that injects JavaScript at the beginning of the page. Or we can just take a wild-ass guess at it. We can inject an overlay immediately; we can set no content length so the browser keeps waiting; we can remember the source IP and source port pairs for that, or, I'm sorry, source IP and destination port pairs for what we overlaid, wait for the real response, read the length of it, and then send a FIN to shut down the connection when the full data that the original server was sending has been sent.

We can also use the same trick to append to TCP streams. What does an HTTP 1.0 stream look like, for starters? It looks like HTTP 1.0, which is unlike my example, so I forgot to update these slides, but it basically looks like, you know, response OK, headers, data and a FIN packet. What happens if we beat that FIN packet to the client? It means we advance the sequence numbers; the real FIN gets discarded and we get control over the TCP stream.
We can keep appending however long we want to. Script includes after the end of HTML work just dandy in most browsers; it really doesn't seem to care that you're not in the page anymore. So now you can inject content at the end of pages without ever knowing the original content as well. So the limitations on that is that winning a FIN race, especially on small responses, can be really hard. I've only seen it work about 10% of the time, maybe even a little less. It really pisses off HTTP 1.0 because it expects the connections to be streaming so that it can do more than one request at a time, and that doesn't work anymore. And you can't control the caching attributes, so it's a one-time attack, but it's still pretty useful. And wow, I burned through those fast. Whoo. But Q&A, if anybody has any questions. I know I kind of hammered through those quick; wasn't sure how much time I'd have. The LORCON 2 code's at 802.11ninja.net and the Metasploit patches will be coming soon, as soon as I actually get them to HD. So I don't know, got time for a couple questions if there are any. I don't see any hands anyway.

Hey, just so you guys know, we are not David Maynor. We're sort of flipping the schedule because we're going quickly. He's not here at the moment. This is gonna be Metasploit Autopsy: Reconstructing the Scene of the Crime, and then we'll sort of get back on track with probably Maynor next and then Dino. Where's the input at? Where's the input? We're gonna do this super fast too, so I'll give a brief introduction before we even get it going, but we did 70 minutes at Black Hat, so we're gonna just firehose it down you guys again, and if you have questions and such, just come see us after. All right, we're gonna get started, just gonna keep with the tradition of going quickly here. This talk's not the David Maynor talk, obviously, as I said. This is Metasploit Autopsy: Reconstructing the Scene of the Crime. That's not important. So why don't our slides match yours?
This is a little graph. We did, basically, HD went on a kick sort of after we submitted our slides to Black Hat and such, and he had a lot of free time on his hands, and so he added a lot of things like SSL, changed the loader, and a bunch of other things. So that's a very scientific graph of what's going on. So that's why we were updating our slides and our tools up until last Friday. So here we go.

So I'm gonna hand this off. This demo is a little unique here. We believe in live demos. Yeah, all right, so we believe in live demos, and so the demo gods haven't been with us on this track yet. We're gonna hopefully change that real quick. We're gonna pop this box. The slides are running off of it; it's NATed to the host only, so please don't try to replicate this on our machine. It won't work. And then we're gonna sort of go from there.

So, all right, Peter just pretty much said it all. We have our slides running off this fresh SP3 install, and we're just basically gonna pop it with Meterpreter. In lieu of time, we just set everything up already. All right, so we're just gonna do a few example attacks that a normal attacker would do. First I'm just gonna do a normal execute to get a command shell. All right, and just some things: I just want to see what users we have on the system. Also, I'm doing that net stop themes to show you guys that we're actually on the system; see, themes go away. It's all pretty much from that standpoint. Also, we'll do a process listing, and also let's do a hash dump. So apparently everybody likes hash dumping. So, all right, and that's pretty much it. We're gonna disconnect, and you guys will see later in our talk how we're basically gonna be able to see exactly everything I just did. Hopefully the demo gods are with us. Apparently they haven't been with Val and other guys, so let's hope that's not our case. All right, so we're just gonna go straight back into our presentation here. All right, so real quick.
We have a problem: Meterpreter can reside completely in memory, and if we did traditional disk forensics such as dd, and then we tried to look at the actual allocated disk in dd or EnCase or something like that, we wouldn't actually see that. So we're gonna show you guys basically how we can reconstruct, and when I say Meterpreter session, I mean exactly what I just did there, and that's going to be our Meterpreter session. Our solution is going to basically acquire the exploited process space using this tool that Peter will get into in just a minute, called Memoryze, and we're basically going to parse out the Meterpreter protocol that it uses for its network communication. You may be saying, oh, it uses OpenSSL; we'll get into that in just a minute. But we're gonna reconstruct the entire Meterpreter session; we'll call it a crime scene just because we're keeping with the CSI type stuff. And it'll all tie in to seeing all that goodness. So that's pretty much it for now.

All right, real quick, Memoryze as a tool: it stands for memory and analyze. If you put the two together, you get a really cute name, and obviously we had a really big budget for our marketing department to come up with that. So we're pretty proud of that name. Basically, it has the ability to do a lot of enumeration. It does it all in physical memory, minimal to no API calls for all of these things you see up here. You get all running processes; for each process it will enumerate the handle table, it will enumerate the memory sections, which is key to this talk, it will enumerate the open ports, connections, things like that, strings per process. We can also enumerate loaded drivers.
We do rudimentary hook detection. We'll do physical memory acquisition if you want, or more importantly, physical process acquisition, which is going to be what's loaded into the process address space, and that is going to be everything that process is utilizing. So that's sort of where we're going to go from there with this tool. It has the ability to work on live or dead memory. It'll utilize the paging file if necessary. We support an array of operating systems; 64-bit support is coming in September, and it will remain free and downloadable from our website. So don't worry about that changing.

Process acquisition. All these slides are available on the Black Hat website, by the way, so when we skip them, just go there; they're pretty beefy, so you can sort of read and follow what we're doing. So process acquisition, what Memoryze does: Memoryze relies on physical memory access. That's one thing we'll discuss coming up. It also has its own virtual to physical address translation engine built in. I'll scare you with a really cool image of how that works. I won't go into details on it, but it is a nice image. Memoryze does not rely on attaching to a process with a debugger, because we don't debug. It does not rely on opening handles to processes or threads. We make very inconsequential API calls. And we're not relying on the virtual memory manager in the sense that we need them to do our translation; we'll actually do the translation. And if you think of DR6 rootkits, they won't work on us either, because we're doing our own virtual to physical address translation. So it's a nice little benefit.

The requirements for process acquisition utilizing Memoryze are the following. We need access to physical memory. This is pretty trivial; it was written about in Phrack. We're going to skip these slides coming up.
So just brace yourself for me to flip through them. Ability to find all processes has also been talked about previously; there are talks we'll sort of touch on that. And then we need to parse memory sections, and that's important because Windows uses a structure in memory to represent the virtual address space of all processes. If we parse this structure that represents the virtual address space, we have the virtual address space of that process, which includes injected DLLs, Meterpreter binaries, things like that, shellcode, stack, injected threads.

Here's how we open physical memory. We open a handle to \Device\PhysicalMemory. It's rather trivial; it's an API call. On Windows 2003 Service Pack 1, we actually have to install a driver to open that handle because it's restricted to ring zero. But from Windows 2000 to 2003 Service Pack 0, you have the ability to open this handle from userland. This handle does allow us to read from physical memory.

Here's our really cool translation graphic. Yeah, that's all we're going to talk about. Memoryze does this all internally, so you don't really have to worry about it, but we thought it was cool to show. So once we have access to physical memory, we are going to translate that virtual address to some offset within that section object. We're going to seek to that offset and then we're just going to read what's in that physical memory. So we map that physical memory into some buffer. We're going to scan that buffer for some known signature. Basically, that signature is going to be something that represents a known structure that we're aware of; in this case, it's going to be a process structure. The EPROCESS structure is essentially what's used by the kernel to represent processes; every running userland process has an EPROCESS structure. We use a DWORD to identify basically the beginning of the structure. We do a bunch of checks after that, because relying on one DWORD in memory is ridiculous and will result in a
lot of caveats and false positives. There's a talk I gave a couple years ago on process detection and how to sort of weed those out.

So this is a slide we're actually gonna spend some time on. Again, I'm sorry we're gonna go so quickly here, but we sort of have to. So we find all processes in physical memory. That's awesome, very nice. Every EPROCESS structure has something called the VAD root. VAD stands for virtual address descriptor, and so it's a root, and so basically it's a pointer to a binary self-balancing tree. This binary self-balancing tree is what you would see in Computer Science 101; it's gonna have left and right child pointers, a parent pointer. It's gonna be very nice. The binary tree actually contains what are called memory manager virtual address descriptor entries, MMVAD entries. These entries describe, essentially, the memory section that that virtual address represents. So within an entry, the entry is going to contain a virtual start address and a virtual size of each memory section utilized by Windows, or by that process. Every MMVAD entry that contains some kind of mapped DLL or executable will actually have a pointer to the DLL or executable path, so we can enumerate all loaded DLLs from this virtual address tree. The tree is used by Windows to manage the process virtual address space.
Here's the structure itself through WinDbg's eyes. You've got your starting VPN, ending VPN, which are the starting virtual address and virtual size. So confusing. Hold all the clapping.

So OllyDbg has a memory map view, and this memory map view is very helpful in explaining to audiences what VADs look like. Basically, this memory map view shows you the VAD flattened out, so you can see it starts at hex 10,000, goes to hex 20,000, hex 30,000, and then there's space between hex 30,000 and hex 7B whatever. That space is what Windows uses to represent essentially where it can allocate the next threads if it needs to. So it's very important that Windows is aware of what virtual sections can be used and which are available. By enumerating this tree, we have the ability to completely enumerate a process address space, which gives us all the process's heaps, all the process's stacks, binary images, things like that. It's also going to give us freed memory, which becomes important later on.

So here's a cool graphic. You have your kernel addresses. They point to something; in this case that DWORD is what we use to find an EPROCESS. We do some more checks where it becomes an EPROCESS; we mark it as an EPROCESS, we parse it as such, we dereference the virtual address root, and we get a tree. This is the tree as it looks, basically: you have your starting, ending, and your left child and parent. We write each starting and ending virtual address to disk in its own file, so each entry in the tree represents its own file. This is probably horrible resolution. Yep. Basically, this is what the acquired address space looks like for a given process. In our demo coming up, we'll show you one that doesn't hurt your eyes.

So process acquisition. We did this really quickly. It allows the dumping of a full address space. You're gonna overcome most binary packing techniques, because, well, it's unpacked and so it's running in memory.
You can just acquire it very easily. You capture communication protocol strings. That's very important to recognize; we're gonna talk about that coming up. It obviously bypasses anti-debugging techniques because it's not a debugger, so obviously that should work. And then you get unique things like DLLs that are only in memory, think Meterpreter. You also get things that aren't written to disk, like the injected thread or the actual shellcode, the stage shellcode that Meterpreter sent into memory for the exploit. So you get a lot of really unique data that you wouldn't otherwise have. All right, I'm not really gonna go through this. I'm sure you guys know HD Moore, and he developed this, and it's all good. So we're gonna skip all this. Yeah, I know, mind-blowing information.

All right, so we're gonna get into Meterpreter, and I'm sure you guys have been beat to death with this already today, but we're just gonna get into some of the limitations that a normal shell would give us if we want to pop a process and then start to execute arbitrary code. So we're gonna be limited to specific things like standard error, standard out; those are gonna be the handles that we're gonna be limited to. Meterpreter is not gonna have that specific feature, because it provides the client-server Meterpreter implementation, which is gonna give us client extensions such as uploading and downloading, key logging, and what have you, networking, which HD recently added. So these can all be completely memory resident, unless a particular attacker wants to write something to disk or write more malware to disk, what have you. Another thing is Meterpreter scripts. These are very customizable. They can be created by anybody. I know we just saw Chris has a bunch.
We have, I forget the guy's name, Carlos has a bunch. So we're gonna go into those a little bit. But they can use it to automate something an attacker will want to do on the fly. So let's say, for example, I want to enable Terminal Services on a specific person's exploited process, exploit, what have you; it's all easily able to automate all that. So let's just skip all this for now.

Also, let me get into a little bit of Meterpreter under the hood, which is going to be our injection method. So we have the old injection method, which was developed by JR and skape. Excuse me, JT, I'm very sorry. So what this is going to do is allow us to basically inject some shellcode buffer that we have after we have exploited and load that into a specific process using LoadLibrary. And the way that's done, I'm not going to get into it very much, but basically you apply some userland hooks to NtOpenSection, NtCreateSection, NtQueryAttributesFile, NtOpenFile, NtMapViewOfSection. So what that's going to allow us to do is basically override the traditional method of LoadLibrary, which particularly looks for some type of DLL that's going to be on disk or on some type of SMB share.

The new method, which was recently added as the default injection method, is going to be the reflective DLL, and this is basically a neat little new method which is going to use a mini PE loader, which is basically a shellcode stub at the beginning of the injected shellcode, which is basically going to walk down and load the environment and load the DLL and load where everything is ready to go. So what that's going to do is, number one, not have any handles to specific DLLs, so metsrv.dll. The old method, it would leave a specific open handle because the operating system or the host process was actually aware of that all happening. This new method leaves no presence in the PEB.
So we're going to be able to bypass that, and it's going to make it even more stealthy, coupled along with the OpenSSL implementation. And speaking of networking, we're now just going to dive into the networking aspect. Originally packets were sent in clear text; recently, like I just said, they're going to be wrapped in OpenSSL. But the initial packet structure is going to remain the same. So even though we have this encrypted nature over the network, in memory everything is exactly the same, and I'm going to get into why that's relevant in just a minute.

So Meterpreter communication: it's going to use this TLV structure. For all intents and purposes I'm going to continue to refer to it as TLV, but in actuality it's an LTV, and what that is is actually a type, length, value field. 32 bits are used for the length and type, and then n number of bits are used for the value. And also within that value we can have nested TLVs, and that'll be more prevalent in the next few slides.

So to lay this all out, everything I just said, we have a nice little diagram so you guys can see that. So the attacker's going to send the exploit just like we did before. They're going to use a Meterpreter payload; we used bind TCP, I forgot to mention that. So the attacker's going to want to do something; in this case we're going to do a getpid, which is just going to return the current process of the injected DLL. So the attacker's going to execute the getpid request. It's going to be sent to the Meterpreter server. That specific request is going to have this TLV packet. It's going to have a type, length, value; the type is going to be of the packet type request; there's going to be a length, and then specifically a value. The value is the most important aspect of this entire packet, because this is what we're going to be using in our tool, which we released later, excuse me, we released at Black Hat, which is freely available for download.
We have the link included in the slides. But just keep note of this stdapi_sys_process_getpid. So this is going to return an actual value that's going to be looked up in the Meterpreter function dispatch table. So Meterpreter is aware of all this packet structure and everything, so it's going to parse all this out and then figure out: what do I have to do? What does the attacker want me to actually execute? And in this case it's just simply going to be GetCurrentProcessId, which is no big deal. So Meterpreter looks up what it has to do in its function dispatch table. It's going to point to getpid, execute that actual code of GetCurrentProcessId, it's going to build a response on the heap, it's going to then send that response back to the attacker, and then it's going to free that packet from the heap. So as you can see, just laid out very quickly, this is basically the Meterpreter communication structure.

And what we're going to do is go through and dive into a packet response. Now I said that there's the request packet and the response packet. We're going to dive into the response packet. Peter will get into some of the caveats dealing with a response packet versus a request packet and what our tool will actually parse out. But just going through, as I said before, we're going to have those nested TLVs. This is going to be a specific one we just looked at in terms of response. So we basically have our length, which is going to be the size of the response packet; the type, response packet. Now we have the plain TLV type, plain response. That's going to be changed. What's the new method?
We can't recall the new method, but it's wrapped in OpenSSL, so they change that specific parameter. And the value is then going to be nested TLVs. So we have our stdapi_sys_process_getpid, which is going to be the method. We then have the communication channel, which is going to be TLV type request ID; the specific value is used just for the Meterpreter server and client to keep track of what data goes where when it's displaying it to the user and also sending it to Meterpreter. There's also going to be the TLV type PID. This is going to be the actual response from GetCurrentProcessId; this is just the hexadecimal value. And finally a TLV type result. It's going to be if there was any type of error. No, because we didn't have any specific error. And you can see how that all makes a nice little packet structure. Our tool, MSFF, which Peter is going to get into in just a minute, basically parses all this out, and you'll see that during our demo.

So I'm going to go through this really quickly. We just looked at it from a network perspective; in memory, this is a VAD file which was dumped out from Meterpreter. So just like it would look on the network, we can see this parsed out in memory. So we can see our stdapi_sys_process_getpid request. We're also going to have our TLV type request ID and the value, the type PID, which is going to be the result of GetCurrentProcessId, and then the result, which is going to be no error. Real quick, yeah, we'll keep going here.

All right, we're going to go to the actual framework, because we have like 10 minutes, so we want to do that and then do the demo. Open source project written in Python. We haven't learned Ruby yet. We may do so, but it hasn't come to us yet. So here we are. It's pluggable to support rapid development for Metasploit modules, such as if HD wakes up one morning and decides to do something, we can respond pretty quickly. That was the idea. We'll talk about how come that's not going to matter after Sunday. So how does it work?
Basically it works like this: you acquire the process with Memoryze. You then scan the acquired process looking for specific methods; these methods correlate to commands that the attacker executed. Basically, we'll then take those methods we find; because we know the TLV is so well-defined, we can pivot around those methods. We know what will come after the method; we know what will come before the method. So we can parse out what was sent back to the attacker or what was sent to the victim machine, depending on the method that we're actually looking to essentially reconstruct. So you're gonna get things like the commands or results that were executed on the machine by the attacker. You may see a registry key that the attacker modified. You may see the attacker did a hash dump, and you'll see these things come out in our demo.

Here are all the supported commands. We tried to get everything in there: all the sniffer commands that HD added, ps, cd. You can see the one I point out is injected DLL; that's not an actual command Meterpreter supports, but that will identify and name the injected DLLs. So it'll say metsrv.dll, priv.dll, stdapi, incognito, whatever the DLL is; it'll pull the name out for you. We can tell you if they did a timestomp, migrate, execute, the execute command. If they executed a command shell and did a bunch of commands into the command shell, we can actually pull those commands out and show you what was displayed back.

So we didn't talk about scripts. I'm gonna go over it real quick. When a Meterpreter script runs, it actually makes method requests; those method requests correlate to commands that Meterpreter understands. If you execute those commands, they're found in memory, and we find them, you can sort of get an idea of what scripts were executed. So here's getgui, here's killav. It works pretty well if you see a process listing and then you see NAV in Process Explorer and things like that disappear.
You have a pretty good idea what happened. All right, real quick, just so you guys know, this tool relies on basically freed memory. So Meterpreter receives a packet; that packet is freed; the Windows memory manager doesn't scrub the memory. So when that memory is freed, it sits there, and those packets just sit there, and they're just asking to be used. So basically we utilize that in this demo, in this attack if you will, to reconstruct what happens with Meterpreter. HD was kind enough, after he saw our abstract, not to patch it right before; he will patch it on Sunday. He said he's also going to zero out the MZ/PE header to make Meterpreter more stealthy. We will update the tool to identify injected Meterpreter binaries, because we can. There are many different ways we may do this; just so you know, there's not just one way. There's a dispatch table in Meterpreter that has all the methods that Meterpreter receives. That's signaturable and pretty identifiable and will also allow us to signature which DLL is loaded. The import table in some cases can't be zeroed out; we can utilize the import table to determine what's going on. Bottom line is, at this point, Meterpreter has too much code in memory to be stealthy for memory analysis. It's going to be very stealthy over the wire. It's going to be very stealthy on the system for disk forensics. Using memory analysis right now, we feel pretty confident. Notice
I put "currently" in there. Please note that someone's going to come up with some good idea and break us really bad, I have a feeling. So, but currently I feel comfortable saying that.

So here we are, caveats and gotchas. Acquired exploited process does not always yield a hundred percent result. Basically, you're going to get partial results. Memory is volatile; this tool depends on what's going on in the system. We've seen full sessions stay in memory four hours with heavy system use. We've seen them disappear after three minutes with heavy system use. It depends. What we can say is you will get something, whether it's a migrate command, maybe it's a hash dump. You're going to get something that's going to alert you, that'll give you some idea of what the attacker did. For example, if you see migrate to explorer.exe but you don't see them start a keylogger, no one really migrates to explorer.exe, friend, for any other reason except that they may want to start a keylogger. So you can infer these things; it'll take some extrapolation.

Basic conclusion: the Windows memory manager gives the memory forensic analyst a real good chance to see artifacts in memory. There's really nothing taking this view of scrubbing memory correctly. We believe it has a pretty large impact for memory forensics. This is just the first tool of its kind; we hope that it'll spawn many more. It has no impact on the Metasploit project whatsoever. There were some articles released saying researchers hacked Metasploit. We did no such thing. We just wrote this tool. Metasploit, as I said, is going to patch this and further make themselves stealthy. So defense will lead to offense, which will lead to defense. We recognize it's the cat and mouse game, and we're just happy to play. So we just hope this research project will lead to more fun stuff.

All right, here we go. So please recall that we just popped the machine. I'm gonna go to my Memoryze directory, one nine eight, right?
All right, we're gonna acquire process 1080. I'm also gonna verify that that was the actual process we exploited, just because we didn't write it down. Oh, it should be. So Memoryze is running. What you see here is its output. It's determined dynamically the major version and the minor version, no API calls made. Yeah, we're good. Just so you guys can see what the actual install directory of Memoryze looks like, this is what it looks like. All output is written to the audits directory, and you have your batch scripts to help run the actual tool, because people are scared of editing XML, apparently, which was unbeknownst to us at the time that we wrote this tool. So here's the actual acquired address space. I'm gonna put this in a list so you guys can see it. We've got DLLs; you've got your .VAD files, which are your memory sections, so they're just unnamed. It's still writing stuff to disk because this is a pretty big address space here, so it's still going, it's chugging along here. It's essentially enumerated all processes in physical memory; it's writing to disk. Those are just warnings; don't worry about them. That's the truth.

So, all right, we're gonna go to our actual tool. So again, really, you think adding a -all command is pretty straightforward. We didn't think of that until like the night before, so that's why it's last there, and it makes the most sense to have a -all command. So we're gonna use that command that we just thought of adding on this example. And two fingers, all right, here we go, demo gods, come on. I got to specify what I want to do. Yeah, it did. Yeah, that was not a bug, I just want to point out. Oh, what do you know? Today's a good day. All right. Whoa. Where are we? Okay, so here's where the command was executed, successfully executed I should say, right here. It's identified metsrv.dll. Here's actually where the attacker executed the command shell. It's telling you what the process was; it would substitute out with anything.
It just happened to be cmd, obviously. Here's where the command shell prompt was sent back to the attacker. That's pretty nice to see. You get a second little part of that. stdapi.dll was found; priv.dll was found. Don't see the net... here's where the attacker executed, or the results of, the net user command. Here's where the attacker executed net stop themes. There's no... because memory is not linear in the sense that your allocations will be at lower ranges depending on time, basically you should get most of this, but it may be in a different order. Here's where the net stop themes, stopped successfully, that was sent back to the attacker, if you recall. Here are our hashes; that's pretty good to know. Especially if this were a domain controller, it would be a lot longer and a lot more deadly. Here's our process listing, so we can see the attacker did a process listing. And here's the summary of essentially what was found. We have another demo; we're not gonna do it because we want everyone to get a chance to see all the other great talks on this track. But it's not just remote attacks. We can do it on browsers, we can do it on other things. All of our slides are online. This tool is also online at mandiant.com, so you can just grab it. It's open source, freely available. If you have a question, either grab us or shout it out now while we start moving ourselves off stage for the next person. Thank you guys. And Peter learned how to use a Mac for this talk, so big round of applause.

Calling either Dino or David Maynor, whoever wants up next. Who's coming? Okay.

Hi, my name is Dave Maynor. I'm going to second one. I'm gonna get my laptop set up. All right. So like I said, my name is Dave Maynor.
I am from a company called Errata Security, and I am an unabashed Metasploit fan, which is why I'm here. If you're wondering what the large British gentleman in the short red hat has to do with Metasploit, the answer is nothing. But considering that this talk was originally scheduled, well, it was supposed to be 70 minutes, and then I got to be one of the things that got cut down to half an hour, I had to cut out a lot of stuff. So I figured, to be fair to you, I should buy lots of people beer. So if you go over to those people and show them your ID, they'll give you free beer. Well, that's a great response. Thank you.

So let's get enthusiastic. We're talking about Metasploit here, and Metasploit is the coolest thing that ever happened to exploitation technology, period. And the best part is it's free. So like I said, my name is Dave Maynor, and I'm gonna talk about application assessments. So Metasploit, if you don't know what it is, I'm pretty sure you're in the wrong track. I'm not wearing a team of JJ shirts. So where are you supposed to be? Before I continue, I want to thank a few more. I'm sure you know, being a Metasploit track, he's been thanked 400 times today, but I got to thank him again. And also Valsmith, who made this track possible. If you saw the behind-the-scenes communication Valsmith had with everybody about herding the cats involved to make something like this happen, you'd feel sad for him. So I'd like to start by saying that, I don't know if you know this or not, but every time you run a Metasploit console you get a different banner, and the cow is my favorite banner.

So breaking in. That's what everybody thinks about Metasploit, right? Metasploit's used for penetration testing. I do pen tests; I use Metasploit all the time, and I use Metasploit all the time because it has high quality exploits, great payloads, and Meterpreter is pretty freaking awesome. I do exploit development.
Metasploit is my framework of choice because it has tons of functionality built in, and, you know, if our HD MacBook... come on, Steve Jobs would be very sad about this. There's water in there. Wait, I gotta wipe this off before... so if I were HD Moore, I'd be very happy about the fact that everybody wants to rip off my shellcode to use in their exploits to go up on milw0rm. And there's also lots of other tools that make writing exploits possible, like the opcode database, pescan, lots of other stuff.

I also do application assessments, and this is where it gets interesting, and a lot of people are always curious. When I go on site, I'm like, yes, I'm doing an application assessment. Like, oh, what are you gonna use? Are you gonna use something like WebInspect, or are you gonna use NTO? But I'm like, no, I'm gonna use Metasploit, and they're always surprised by that. So what Metasploit does for you while you're doing an application assessment: it can do everything for you. So if you're familiar with Metasploit, the next few slides might be boring. Feel free to Twitter, check your email. But if you're new to Metasploit, have you ever wondered why Metasploit makes those high quality, reliable exploits? It's not fairies. It's Rex.
So if you're just a user of Metasploit and you've never actually dug around inside it, look in lib/rex, and you'll find a whole lot of code for a whole lot of different stuff. And the entire point of this talk, if you want to go see another talk, leave now, I'll cut to the chase: the entire point of this talk is that you can repurpose Rex code to do almost anything for an application assessment or vuln dev assignment that would generally take developing a lot or writing a lot of different code; that can be done easily in Metasploit. Rex is where most of the functions the Metasploit stuff uses live. I have a screenshot of what I did: find . | more. So I came from a company called Internet Security Systems. It's unfortunately no more; they were purchased by IBM and they were absorbed back into a blob. But when I was there, one of my jobs was to test the IPS against all kinds of different exploits, and one of the things I loved about Metasploit is it was easy to write new versions of any exploit they had to evade almost any security tool. One of the great things they have about it is its really full-featured DCERPC handling stuff. They also have lots of other protocols, like HTTP and such. So here's a quick story. Have you heard the joke about golf? Golf is a nice walk ruined by a little white ball. You know, in hindsight, I guess nobody here really plays golf. Never mind. So app assessments are the same way. I used to love my job before I had to write statements of work, right? A lot of statements of work have to be written from the point of view that, you know, you have to deliver a service, you have to do it with a certain amount of tools, things like that. But a lot of the tools that you'd want to use for an application assessment are going to cost a lot of money, maintaining yearly licenses for these tools.
It's cost prohibitive. So, you know, generally if you want to use them you have to license them for a specific gig, which means you have to pass the cost on to your customer, which means they don't want to do that. Or I've run into lots of situations where people will only let tools on certain lists be used in their environment, and luckily Metasploit is on every list I've ever seen like this. So how do you do the same work with less? Oftentimes, like I said, I'll get information dumped on me at the last minute that requires something special. So I'm going to show you three quick examples so Dino can go. The quick examples all revolve around using Metasploit to do an application assessment or something that would have generally taken you a whole lot of time, that you could probably do in less than five or ten minutes. But the biggest thing about these examples isn't the examples themselves; I want to show how easy it is to actually use Metasploit, like use the source tree, go through it, and it's easy once you read examples to figure out how to do additional stuff, like extending exploits, things like that. So the first one is like a web app proxy, and everybody has web app proxies, right? Like Paros, things like that. This is just an example. So you've got a web app; I was actually on a gig once where WebInspect and NTO were both blowing up. They couldn't scan a site due to CA's SiteMinder. So I wrote a quick script in Metasploit that would basically proxy all the WebInspect requests and rewrite them as necessary. So if you were to actually look through it, one of the first exploits that I really studied on how it was written in Metasploit was the WMF bug. And if you take a look at the code for the WMF bug: originally, when file format vulnerabilities and stuff like that are released, a lot of people will ask me, how does Metasploit do that? Do you generate a file and email it to people?
I know generally, like for WMF for instance, it will actually run a web server, and when you connect to that web server it will send you bad content. So if you take a look at that, it's pretty easy to repurpose that code to take a web server, listen on a port, take that request, rewrite it and send it to your victim. In fact, I did that in about 20 minutes on a site once, because like I said, after two hours of trying to get a commercial scanner to do what I wanted, it was easier to make Metasploit do it, and jeez, I guess it was less than a hundred lines of code. And it's Ruby code, so a lot of lines are like, you know, params and stuff, but they still count. The best part of the code about this, especially when you're doing application assessments, is this is code you can leave behind with your client or something like that. Generally, if you're using a specific or commercial tool and you produce results, you can sell them the results, but you can't really leave them the tool behind to use for further testing, because of commercial licenses, things like that. Metasploit scripts that you write for clients like this you can leave behind, and it's great. Everybody wins. So example two is the AS/400.
I just recently got done doing an AS/400 research project, where we did a comprehensive audit of AS/400 stuff, and Metasploit was instrumental in all that, because there's lots of problems everywhere. But basically, if you were to go onto a client site and they have a new protocol or something like that, or for instance if you were working for an embedded device manufacturer, and the embedded device manufacturer has a new router and the router has port 23 open, you could run one of the other fuzzers. I wrote one in Metasploit in three easy steps. So I have a template, and I'm actually going to make that available; the longer talk this was all based on will be available on our website, and I'll send it to HD as well. But I have a template that's just basically a blank exploit that you can use for everything. You know, you set your RPORT to 23, and I wrote a simple fuzz loop that found bugs in the AS/400 telnet server. And you might be asking yourself, where would you find an example of a simple fuzz loop? Well, HD Moore actually wrote one. So one of the things is, if I'm stuck on a project and I can't find something to do, I find . | xargs grep -i for whatever I'm looking for, and generally in the Metasploit tree you might find something that could help you. For instance, in this case I grepped for fuzz, and down there at the bottom you might see modules like the wireless DoS fuzzers. Right, so if you don't remember the wireless fiasco a couple years ago, these were all written during that. But I always use them when I'm talking to people about Metasploit as examples of how to write quick and dirty fuzzers that produce great results. So for instance, this is a create_frame function from it.
You can create a function similar to this, and most of the fuzzers I write look very similar to this, to test, for instance, the telnet suboptions, environment settings and things like that, and it would take you literally five minutes. And the best thing about debugging it is you don't have to wait for a new build every time, right? So those examples were quick and dirty. So the thing I love about Metasploit the most is, when you're doing application assessments and things like that, it's just not always on a standard website. You might have to run on an odd... you know, you might have to do an application assessment on a platform or something like that, and you might not have the tools that you're used to. Metasploit's there for you always. For instance, this is Metasploit with a cow on an N800 from a couple years ago. But recently I wrote a blog post on iPhone SMS hacking; I'm sure everybody heard about the Charlie Miller thing, the SMS hacking. So I decided to write a blog post about that, where I take the information that I find from the media and try to duplicate that. Metasploit was instrumental in doing that. And as you can see here, this is actually Metasploit running on my iPhone. But one of the great things about this was that I was able to take Metasploit and put it on the iPhone, and using the same development methodology I use for everything else, I was able to knock out SMS messages that got populated in the SMS DB in, you know, less than 10 minutes. So whereas you might walk into an application assessment somewhere and you might need some ramp-up time, when you're used to doing a lot of this stuff in Metasploit, platform independence is important because there really is no ramp-up time. It's the same interface that you're used to. So incidentally, look for an update to that blog post this week about bugs that were not fixed in iPhone 3.0.1.
We were trying to have that done for this talk, but because everything's going short... Yeah, so that's actually my talk. I tried to get it done really fast. Yeah, does anybody have any questions? Why? Well, I actually did that in 10 minutes. I should have dragged this out some. Any questions, comments, suggestions? Does everyone... I started an HD Moore loving circle right now? Those guys do, apparently. Cool. Well, thank you very much for listening, and I'm sorry if I sounded like that guy from the Micro Machines commercials, but you know, things were cut short. Thank you very much. Yes, sir. There's a question. Well, there's ways to do that, but to build a cleaner API, we actually have one we want to contribute to Metasploit for that very reason. So one of the things actually about that, about fuzzing, I actually also, this is a strange thing since we're talking about application assessments, I keep two directories, an MSF current directory and an MSF devel directory, because I screw up the MSF devel directory all the time, you know, with code I write and stuff like that, and MSF current is a pretty good working copy. So one of the useful things about fuzzing, as you're asking, is, if you look at the wireless example here, it is bad when a single product like Wireshark has its own directory in Metasploit. So if you look at stuff like fuzz_beacon, the Rex::Text.rand_text, so there's a whole bunch of different ways that Metasploit, and if you read the Rex documentation, I should have had one in this slide deck, but actually I strangely don't, there's a lot of different ways to generate padded information that makes fuzzing more useful. So for instance with the Firefox font tag exploit that came out a couple weeks ago...
I wrote a version of that that works on OS X, and one of the reasons I was able to do it so quickly is I took the exploit that was on milw0rm, ported it to Metasploit, and then used their text padding stuff to actually find out where I was crashing in the heap spray stuff. That's always useful. I don't know if that answers your question or not. I don't even know if that was really your question; I just felt like going off on a tangent. Right. Any other questions? Well, so like I said, everybody should read the Rex documentation, especially if you're doing things like this. You would be amazed at what you can do in Metasploit in a couple lines of code that, you know, somebody would think would take a developer a week to do, or a good exploit writer. Yes, sir. Yeah, we're actually publishing a research report on that in the upcoming weeks. We're licensing the security content we developed to various IPS and scanner vendors right now, but there's a version of this being released to the public. Any other questions? So while I'm here, I want to tell you a funny story about IBM and the AS/400. Using that, like I said, I found lots of bugs, and if you've ever seen a default install of an AS/400, there's a ton of open ports, like 23, 110, LPD, I can't remember the port number off the top of my head, you know, all these things are open by default. So we started finding bugs and we decided that we're going to try to report these to the vendor. So I call IBM, I call the support people, or the people who were supposed to be in charge of security, and they tell me to send email to this email address. So I send an email, and I tell them that we have bugs that would allow me to break into a telnet server on an AS/400 with no problem. I could log in as QSECOFR, and if you don't know what it is, that's kind of like root.
Oh, it's like the security officer for an AS/400, and they said to me, and I'm serious, that they need a maintenance contract number to accept any bugs. I was like, well, you know, I bought these things on eBay. I don't really have a maintenance contract number, and they're like, call back when you do have a maintenance contract number. So that was great. I should have submitted that one for the Pwnie Awards, but I didn't. Any other questions, comments? Cool. Thank you very much. Is all the beer gone? Wow. So Dino's up next, if he's... oh yeah, there you are. We're 20 minutes early, so may as well start anyway. Thank you. Thank you. Just a show of hands here: how many of you have popped a Windows box with Metasploit in your lives? All right, that's pretty good. How many of you have ever popped a Linux box with Metasploit? All right, how many of you have popped a Mac with Metasploit? Two, three, four. Okay, so I want to change that. It's the goal of this entire talk. Not because I hate Macs. I love Macs, and I just want to see them have equal standing. Isn't that what we all want, equality? So why think about Macsploitation? And why use Metasploit for it? The main reason is Macs are gaining more market share for consumers and in business, and as penetration testers your job is to demonstrate risk to your clients, and if they have a bunch of Macs, they may be under the impression that they have no security risk, and they don't need to do things like patch management or anything like that. And so if you have some nice exploits, some Metasploit, some Meterpreter goodness, you can show them how it's done. And as we all here know, Macs can be compromised like anything else, and it'll probably take roughly 3000 Pwn2Own contests before the actual average Mac user actually believes it, and one of our goals is, so, we want to make the tools available in Metasploit.
I just want to make the Mac kind of a first-class citizen, or a first-class target, and so we're going to talk about some of the tools that Charlie and I wrote for our book, The Mac Hacker's Handbook, and most of it has been contributed to Metasploit. The stuff that's in there right now is my bundle injection stuff, which is like DLL injection for Windows, but this basically injects bundles, which are sort of the low-level equivalent of DLLs for OS X. And I have Charlie's Meterpreter stuff on my hard drive, where it has sat for about four months, because basically HD has been really busy and I just didn't want to add to his workload, so I thought I'd be a nice guy and just hoard it for a while. But actually, now that JR has ported Meterpreter to POSIX, it's going to make it much easier for us to just take the five lines that are actually different and then add those in. So the first thing we need for the bundle injection is the Mach-O function resolver. This is what you use to actually resolve function names, because it's great to be able to execute system calls, but if you want to do high-level functionality you need to be able to dynamically resolve these at runtime. This is made very easy on the Mac platform because the dynamic linker, called dyld, is always at a constant address, and it begins with the same structure, the mach_header structure, and you can just basically parse through that table, and it's actually a pretty good format.
It's really... PE is very complicated because you have basically three, or at least three or four, generations of linkers that are basically carried into the same format. Mach-O is much cleaner, very easy to parse; the assembly code is very easy, and all we need to do is basically parse through the structure, find what's called the symbol table, and then do the familiar ror13 hash, which is the technique that LSD originally used, although theirs was a rol 7, and now all the Metasploit payloads do a ror 13. The same idea was done by Nemo in his Phrack paper, OS X Wars: A XNU Hope, which was basically Nemo going around everywhere he could and taking all the good ideas before anyone else could get to them. He's like, kernel rootkits, check, I can do that; then it makes some resolution, check, I can do that. If you're not familiar with a lot of Nemo's Phrack work, you actually really need to check it out, because he does some great stuff. So how does the bundle injection work? Bundle injection is a multi-stage process, where the first stage is what I call the remote execution loop, and this is just, think of it as a machine code interpreter. It reads data over the socket, throws it in memory, and then executes it as machine code, and then repeats, and what it does is sort of treats it as a function, so that basically you can get a result, and it will send it back as well. On top of that we build a second stage, which is the inject bundle stage. What this will do is this will read a bundle over the socket and load it into memory, and then actually link it and load it. So on Windows, with the old DLL injection method, it required actually patching, as I think in your talk, J.R.,
you mentioned, it required patching a lot of the APIs in memory to sort of trick Windows into thinking that it was loading a file when it was actually just reading a piece of memory. However, on OS X the linker actually provides functions to do this for us. There are two functions, one called NSCreateObjectFileImageFromMemory, which is quite a mouthful, and NSLinkModule, and basically what these do is they respectively load and link a module for you. You just basically hand it a pointer to some memory that is the actual file from disk just crammed into memory, and it'll unpack it, placing the memory segments where they need to be, and then NSLinkModule will actually load up any dependent libraries and link them in, and what this means is that the third stage, which is just an arbitrary compiled bundle, can use any framework on the system, and you can write it in C, C++, Objective-C, and that means you can use everything from QuickTime to the wireless frameworks to anything, and it's a very great way to do things, and I'll show you kind of a skeleton code that you can use to actually write your own. Actually, I kind of already gave a lot of this detail, so there's no real reason to call it again.
So basically, here is the code, if anyone can see that, to an injectable bundle. All it is is a set of three functions: init, fini and run. Basically init and fini are declared as respectively the constructor and the destructor, and so those are called implicitly by the linker when it's loaded and implicitly by the linker when the module is unloaded, and then you have a run function which takes the socket, and this is actually called explicitly, and this is where the bundle does its thing, whatever that might be. And so the first thing I thought of when I wrote this was, what would be an interesting thing to do that would use some of the unique capabilities of Mac OS X and Apple hardware? And what I did is I wrote what's called the iSight capture bundle, or what's kind of been truncated to what I call "take a pic of the vic". And this shows basically pretty much how easy it is to do. QuickTime, you know, it's a high-level API and they have a sequence grabber, and they actually have example code on Apple's website on how to do this, and it was wrapped up into a package called Cocoa Sequence Grabber. So basically all I do is I just include that code, use it, and all of a sudden we are grabbing pictures. Perhaps a more familiar thing to do would be to load Meterpreter. So I'm not going to subject everyone to, you know, another description of what Meterpreter is; I'll assume that we are all familiar with that at this point. And you can use Meterpreter to pivot through hosts, hack, you know, through there, and basically, one of the key things to think about with Meterpreter is that you have two components. You have the server side, the binary code libraries that are loaded, and you also have client-side modules that actually interact with that, so there's kind of two halves to it. And so what
Charlie and I did was we wrote what we called Mac Meterpreter, which is just a port of Meterpreter to Mac OS X. It uses the inject bundle payload and uses the dyld functions, create object file image from memory and link module, to make sure that none of either the Meterpreter itself or any of the libraries that it loads ever touch the disk. So it's actually binary... it's pretty compatible with the Windows Meterpreter; it shares most of its source and just kind of ifdefs out stuff that doesn't make sense and replaces it with Mac implementations. There are some limitations of what Meterpreter can do on Mac. One of the most glaring and most annoying is you can't do process migration. This is kind of one of the cooler features of Meterpreter, but the way that the Mac operating system works is, whereas on Unix and Windows, if you own a process, meaning if you're the same user as that process, on all these systems you can actually open its memory and debug it and read and write memory as needed, and this is basically how process migration works on these platforms. However, on Mac OS X, which is based on Mach, you actually need access to what's called the Mach task port, and this is fairly highly protected, and the default security policy is that you can only access the Mach port of other tasks if you are root or if your process is running as a member of a group called procmod, which is basically just the debugger. So on a stock system that doesn't have the developer tools, there's really nothing; you can't attach to any other processes, even other processes that you own. You can do it for a child process, but that's about it. So you could use the process migration only as like a fork, basically, so you can run your Meterpreter in a child process and let the parent process either continue executing, if you have continuation-of-execution stubs in your exploits to
actually keep it doing that, or just let it crash, and so then if the application has crashed you can keep doing stuff in the background. Some things aren't actually implemented. This slide is actually from Charlie, so when it says "I", think Charlie. I got lazy for completely different other things, and basically we're going to be trying to add a lot of this stuff to Metasploit. Let's actually do this. I'll go back to the demo after this slide, just so I can kind of play around in there to fill some time. Some of the stuff that's already in Metasploit right now, and we're going to add more of, is a number of exploits from The Mac Hacker's Handbook. So the first one is actually a really great one that kind of slipped under the radar. For many versions of Tiger, for probably most of the time that it was out, there was a default out-of-the-box remote root that went through the firewall. So even if you took every GUI option, turned on the firewall, allowed strict filtering, turned on stealth mode, turned on logging, all this stuff, you still had a remote root through mDNSResponder. It listened on a high UDP port, and the attacker could just scan for that and wait for a callback, and it was actually a great, really fun exploit. So basically, learning and truth, the code for that. There's a QuickTime RTSP Content-Type overflow. This is a simple stack overflow that actually makes a great exploit for demonstration because it's well behaved, relatively simple. And then the two respective exploits that Charlie and I used, which I used to win Pwn2Own the first year and Charlie used to win Pwn2Own the second year. And all these payloads and stuff.
So let's actually go to the bling. All right, let me see this. Okay, so what we're going to use is the QuickTime RTSP exploit. So this exploit was a vulnerability in handling the Content-Type header in an RTSP response, and while this could be embedded in a web page, the exploit I wrote right now just supports the standalone QuickTime Player, but it's basically just a matter of changing offsets. It's not actually anything tough. So you have to be a little patient; VMware and OS X, VMware is kind of flaky sometimes, but let's bring this up too. So I've got the familiar white console up here. Set the variables, you know, get the exploit running, and first I'm just going to demo just a simple shell payload, make sure all that works. So just, you know, that player stalls and... go back to this, so we have our... all right, and we have our command shell already running. Okay, so you can see we have our shell, very happy. One thing to keep in mind is, for a lot of applications, there's two different sets of shells for OS X in Metasploit. There's the normal shells and there's another one called the vfork shells. If the application that you're exploiting is actually multi-threaded, and this includes just about anything of interest, you want to use the vfork shells, because those will actually work. The normal ones will only work on single-threaded applications. So we're in a shell, you know, we can do sort of, you know, whatever we want. So we can do the fun things. I tried to fly without a net; apparently the sound on VMware isn't working. But basically a couple of my favorite things to do on a pen test for Macs: say is fun. The other one is /usr/sbin/screencapture. Looks like say is actually frozen. Okay, well, so basically screencapture, nothing you want to do... you capture the screen, looks great in reports, and so on. But let's actually play with Meterpreter now.
All right, so this time I just relaunched Metasploit with the Meterpreter payload, and let's just do the same thing here. All right, so we've got Meterpreter open, you know, it works nicely. We can do the same things that we can through a shell without, you know, actually launching an obvious shell on the remote system. If you look at the commands here, there's a new one in there. So this is a command called take_pic; it doesn't actually exist on the other platforms. Let's just try it out and see what happens. It actually failed for my Black Hat demo, so I know... knock on wood. Let's see what it does. Oh, the green light turned off. Let's... oh, nope, it's hanging. All right, great. Basically there seems to be, in VMware, there's some delay, like the device actually opening up. In order to make it fast, I didn't want, like, whenever you access the iSight camera the little green light goes on, and so you want to leave it on just long enough to actually capture one frame. Oh wait, it finished. Oh, let's see what happens here. Okay, so what the payload does is it drops a file called /tmp/isight.jpeg. You got it. Okay, make sure you can see that. All right, there we go. Thanks. And that's about all I have. So does anyone have any questions? I see one over there. The question was, is that vulnerability still present in the current release of QuickTime? The answer is no.
There are actually no vulnerabilities in the current release of QuickTime. That is the official party line; that's what I've been told to say by Steve, and whatever Steve says, I do. So, any other... okay, I see one back there. Does that work in blank blank blank? Yes, it will, yeah. The vfork shell works everywhere; the vfork shell is nice. I just didn't want to kick out Ramon's shell without asking his permission. Any other questions? I just didn't want to... It, or it was already there, just for kicks. Well, basically, so the old shell didn't work in multi-threaded applications, so I wrote basically a new shell payload, a new shell stage, that actually worked in single-threaded and multi-threaded, but I don't really code well with others, and so I just did it from the beginning, and I didn't want to kick someone else's code out, so I kept it separate. Maybe eventually they'll be merged in, so it'll just work. That's a little more convenient. So the simple example, well, the vfork shell will work everywhere, but the real cause is basically you need to execute the vfork system call in a threaded application before you can fork. So just about any application is multi-threaded. So client software is most often multi-threaded; network daemons will commonly be single-threaded, but you'll never find a single-threaded user application, like a desktop application. And if you want more detail on the vfork thing, read HD's PowerPC OS X tricks paper, and he kind of talks about why you need it in more detail. All right. Is there any more? All right, cool. Well, thank you very much. So because we are so aggressive in managing our time we're now early, so there's now a WarVOX presentation. So surprise, it comes with free vodka. So if you can line up, we'll start pouring shots, and then we'll start doing WarVOX telephony stuff. We have another surprise talk.
So after WarVOX, Egypt's going to do something. After the WarVOX talk, he's going to talk about the PHP Meterpreter, porting all of Meterpreter to PHP. Already, has anyone here actually used WarVOX? Whoa, holy crap, there's actually users. This thing was just, you know, written out of the blue one day for fun, and I'm surprised people actually use it. Cool. All right, well, I'm going to go ahead and get started. For folks who've seen some of the materials before, this may be duplicate, but there's a bunch of new stuff in there, including some live demos of Moscow, Beijing, some other fun places. So first off, my name is HD Moore. I'm project leader for Metasploit, yada yada yada. So way back when, when you used to break into boxes, you had to use modems to do it. It was really annoying; it took forever. Everything was protected by a modem. I mean, sorry, everything that you got into via modem was protected by a password. There were very simple authentication tricks; I mean, besides dial-backs and maybe some hardware tokens, there were very few things that you really had to do on top of dialing into a system to get access. Back then you'd just find all sorts of really cool things. You'd find Unix boxes, remote access servers, PPP, SLIP stuff, routers, all sorts of cool data services here and there. What you still find today is that most of those other, most of the Unix, most of the routers, most switches no longer have direct dials, but a lot of the HVAC, SCADA, power management, radio gear has never gone off of dial-up. So these days you only find the really interesting things when you start dialing. So has anyone here used ToneLoc? The default map that it shows you, when it shows you a call map, is 100 by 100 numbers. So it's basically an entire 10,000-number exchange. So it basically picks a different color for each grid of that 100 by 100 exchange to indicate what type of call it was. So each vertical row is sequential numbers; it starts off at 0000 in the top left and 9999 in the bottom right. So the way
that you classify these things was via, you know, carrier, busy, voice, fax, timeout, but also the ability to do manual classification. So while you're dialing, if you heard someone that sounded like they were hot, you could click the, you know, "oh yeah, hot" button, and if there's some yelling asshole, there's the "yelling asshole" button. So it's great because you can actually, you know, map out particular people's voices, and you know, oh, I know this person's this type of person. That was cool, but there's no way to automatically do that. So I got started... let me go back. So I got started with this whole war-dialing thing again when Druid started doing his telephony stuff, and I kind of got all OCD about it and just dove into it, and stopped caring about war-dialing and started caring more about voice stuff. And it was fun. But that's kind of the start; all of the WarVOX work, or excuse me, all of Druid's work got me started on WarVOX. So the general ToneLoc maps could look something like this. So each one of these squares and colors represents the type of number: whether we dialed it, there's nothing there, there's a tone, there's a carrier, yelling asshole, fax, maybe whatever it happened to be. Each of those little yellow dots on the screen up here corresponds to a carrier. So you can see this is probably a residential network, just based on the number of carriers and how things are scattered out there. Busies are reds, and I think faxes are purple, but it's hard to tell the colors on the screen here. Here's a much denser network. This is probably a corporate network, excuse me, a corporate phone range or some industrial park somewhere, but you can see there's a whole lot more yellow, so tons and tons of dial-ups. This is all from, you know, way back in 1993, 1994. So just keep this stuff in mind as we start going forward. So war-dialing today, you're still looking for modems, faxes and tones. It's still really effective.
It's really large orgs that have all kinds of crazy gear out there that, you know, you don't really see that much anymore. You still find HVAC systems that take dial-ins. All of Kmart's power, for a while, was managed through dial-ups from way back when, and who knows what stores of which ones would have them still. So basically the whole process is: you start dialing a range, and you keep dialing until you find stuff. You get a carrier, you log it; when you don't, you log it; and so on. But this is really slow and inefficient, because you basically have one modem, one phone line, and 60 seconds plus for each call that you dial. That's how long it takes for the modems to negotiate data. So it was a really, really slow process going through 10,000 numbers, because you have to basically spend 60 seconds per number, so 10,000 minutes to dial an exchange, about a week or so.

And there is commercial software out there for this, but the only really usable commercial software is really expensive and still requires all the hardware investment to get running. So if you look at Sandstorm's PhoneSweep, which is still kind of the premier war-dialing tool out there, the really basic version of the software will support one modem, not included, and can do 60 calls an hour. Physics: about one minute per call. It starts at about $1,200, so not cheap for software. If you want PhoneSweep Plus, it supports up to 16 modems and can do up to 1,000 calls per hour, which is a lot, and used to be that cost you $35,000 or $35,600, plus support, plus tax, plus, you know, whatever else. I'm sure they'll give you a discount, but it's still more expensive than free. SecureLogix has something called TeleSweep, which they'll give you if you fill in enough sales forms on their website. And that's handy. For the folks who just walked in, you already missed the vodka, so you can blame everyone else over here for drinking it better than you, or at least faster than you.

So open source: for MS-DOS you've got ToneLoc and THC-Scan. On Unix systems you have iWar, which is probably the best one out there, PAWS, which is Python based, all the Metasploit stuff that Druid's been doing works great as a war dialer, and there's a couple of other ones out there like Shokdial from Matt, and WarDee, things like that.

If you want to start war dialing over voice over IP, there's a few options. Basically, you still need a modem, but now you also need a converter from voice over IP to modem, so you use an analog telephone adapter to be able to make your calls. This is annoying because it costs money for your adapter now, it costs money for your modem, and you're still limited to these two hardware pieces. Fortunately, instead of paying for the phone line, you're now just paying for an adapter, but you're still paying some money to do this, and you're still limited by what your provider will support. So if you have like a Time Warner cable modem in the States, basically Southwest, where they give you a free phone line: this kind of is actually what started Druid's war-dialing project. Hey, I've got a free phone line, what am I going to do with this thing? I don't want to use it. Okay, I'll just war dial forever until they cut it off. Okay, so that was kind of the methodology behind going through this.

So the software is not really quite there yet for war dialing. That's kind of what got Druid started with ATAs and things like that. But if you want to do direct voice over IP war dialing, there's iWar, which has had really basic support. It's actually gotten a lot better recently. And there's IAXmodem, that can only really handle faxes on the DSP side. So for war dialing in Metasploit, so you know, Druid started working on this stuff, I got excited about war dialing again, you know, reliving my, like, you know, pre-teen adolescence, whatnot.
So I went to get a USB modem from Fry's, which seems wrong all by itself, that there's an RS232 on it. Hooked that up, got a generic dual-stack SIP/IAX ATA, so it can handle both the SIP protocol and the IAX protocol. The device I got didn't have any identifying marks on it. I bought the cheapest one I could find from China, and it was like "VoIP gateway." That's it. There is no brand, there is no company, there is no support, there is no documentation, there's nothing but, like, some little web server, probably stolen from somebody else, but it works. It also has no FCC IDs. I don't really know whether I should use it or not, or what kind of power to put into it. There's nothing on this device, so I actually need to start breaking it down to figure out what the hell the thing is, but it works, whatever it is. $25, that was the price.

So if you want to start using the war dialer in Metasploit, if you saw Druid's talk earlier, you already know how. If you don't, basically check out Metasploit's SVN snapshot, use the auxiliary scanner, so if any wardialer makes you have at least one phone number, one phone... excuse me, one modem set up on your device, hooked into Metasploit, and go to town. And if you need an ATA, if you need like a VoIP provider, you can find one of those for your ATA.

So the reality check on these unlimited ISPs, like, you know, MagicJack and all those other folks that sell you a little unlimited dialing line, is that they're not really unlimited. They limit you to one outgoing call, you're limited to about 250 total destination numbers, they charge you basically 40 bucks a month for it, or 25 a month for it, and they've got really aggressive policies on auto-dialing. So if they see you doing crazy amounts of numbers all the time, they'll cut you off, and some of them can go so far as to charge you $100 per call you make after you reach your 250-destination-number limit, so you just get screwed on charges. So read your contracts really closely if you want to use one of these with the war dialer. There are also contract locks, like this Toronto ISP I was using for a while said, oh, if you sign up for us, you know, you're locked in for one and a half years at this rate and this and that, and I finally got out of it, but it was a pain in the ass, and it was hidden in fine print.

So all the per-minute ISPs look like they're more expensive at first because they charge you per minute, but keep in mind the minute charge only starts when your call connects. So if you dial 10,000 numbers and only half of them connect, you're only paying 50 bucks if you disconnect within one minute. And there are some little tricks around that, but basically it's not that expensive to dial huge exchanges with the per-minute ISPs. They have better protocol support, the staff aren't idiots, you can usually do up to like 10-plus outgoing calls at the same time, which is really nice. I've got one ISP that I've done up to 150 concurrent calls through at once, and they started actually shutting down their own switches and all sorts of things, but they took it anyway, and they took their money, and they're happy. So basically all these folks are really happy as long as they get paid, and they're really set up for bulk services. They don't really notice war-dialing patterns.

There are some hidden fees. Vitelity, vitelity.net, for example, they round up to the nearest six-second block, and they include the ring time in the count, but only after connection. So if the call rings for 30 seconds and then it connects, you're already 30 seconds into your call, and if you're at 31 seconds into your call, they round you up to 36. So just keep that in mind when you're doing your testing, that they will actually round you up. So the default timeout in WarVOX is 53 seconds to avoid this problem, but you only get 20 seconds of audio because of the normal ring time. So basically, starting off with a standard boring war dialer.
I did 40 hours straight of dialing, covered about 2,000 numbers. I found all these carriers. I found what I thought were 4% carriers, and they were all these weird 300-baud "tilde question mark, tilde question mark" strings on the screen. Ends up that was just my VoIP modem being stupid, my modem and my VoIP ATA being stupid and thinking that a fax machine was a carrier, being confused. So if you see a whole bunch of 300-baud connections over a VoIP connection, that's why: one of your devices sucks. So basically it's about a 45% answer rate, and this is how it panned out: about 4% of all the lines that I dialed were carriers, so I spent basically 40 hours to only find about 100 carriers. They're mostly really fax machines, and I spent about 13 dollars 25 cents on it. So I was just generally pissed off that this whole process was really inefficient and horrible. So I'm like, this sucks, I can do way better than this. So then I got all crazy, and I'm like, all right, screw this hardware, screw the modem, screw the ATA, I just want raw audio. Let's get this done another way.

So I wanted to do a raw software modem, actually hooking up a DSP to the VoIP provider and the audio codecs and doing straight-up, like, V.90 over VoIP, but I'm a really poor programmer and I suck at math and coding and DSPs and shit, so I gave up on it really quick. I tried using IAXmodem, but it was smarter than I was, and it can only do fax. iWar was really nice, but it wasn't really fleshed out, because the client library they call had some bugs at the time.
So Da Beave didn't really finish it up yet. So I kind of stepped back and said, okay, the problem with what I'm doing isn't that I've got bad hardware or I can't code. The problem is that only 4% of the devices out there are actually modems or faxes. So what's the other 96%? There's got to be something cool in that other 96% of the numbers. So I had the fun of ToneLoc back then: it was sitting there in front of a bank of modems listening to all the random audio, because you'd turn the sound way up, so you know, kick back and laugh at it all, you know, the person calling the wrong guy and "who's calling me? Stop calling me, kids." So that stuff was a lot of fun. It was a lot of fun to, like, you know, go through all the audio and that kind of crap and listen to callbacks, and mainly classifying lines. I thought that was really interesting, cool, a lot of fun, and you find all sorts of weird things you would never ever find in a normal war dial, like you'd find the voice prompt to GTE wireless gateways, you'd find menu systems for the back end of radio transmitter stations, all kinds of really cool stuff.

So WarVOX was kind of the solution I came up with. We call every single number via voice over IP, we record an audio sample of at least 20 seconds, we process the audio later on, and then we move on to the next number. So this is super, super scalable and cheap. Even for uncompressed codecs like A-law and u-law, you're looking at 80K per connection, so you can basically do... how do I do the math on this? I think it came out to something like 1,000 concurrent outbound dials at a time from a normal home ISP or home cable modem, but it's all downstream traffic. You're not sending anything back out. You're not talking on it.
You're just recording the audio. So since it's all downstream traffic, you can dial like mad on these things. And plus you have archived audio, so now you can go back and say, okay, what did this number sound like at three in the morning on this date? Was someone home? If the person was home, was it a guy who picked up? Okay, was the guy picking up actually the husband? You know, so there's lots of cool information you can actually start building based on, you know, dialing information, this dialing stuff.

So basically it comes down to the components. There's one little C app that's crappy that I wrote, called iaxrecord, that dials over IAX, saves the raw audio file, and that's all it does. Then there's a Ruby on Rails web UI that actually provides, like, an interface to actually schedule your jobs, run your jobs, stuff like that, and this does your configuring providers, launching your dial jobs, getting the audio classified, etc. And then there's a bunch of back-end Ruby code that actually does the processing of audio files and things like that. So if you combine a whole bunch of voice over IPs at the same time, you can scan like 10,000 numbers in about three hours. So it becomes crazy, crazy fast. You can start scanning anything you want. Doing this stuff, if you go over about a hundred lines at a time, you'll start shutting down small cities' phone switches because they can't handle the traffic. So I managed to actually overload a switch in Moscow, so it just dropped the entire exchange when it went... as mid-dial, they kind of went offline. I was like, wow, they really need to upgrade that switch there. But it's the kind of DoS stuff you normally wouldn't think about in the normal course of business, right?
But you can find a lot of really cool things. It's really resource intensive, because once you have all that audio you have to go crunch on it, and since, as I said, I can't code, it's basically Ruby doing, like, DFTs and FFTs and crap like that, so it's awfully slow. I still call C for, like, the grunt work, but it's still doing a lot of BS in the background of conversions and stuff, and I can't code, so it's slow. So if you want to optimize this crap, great. My solution is just to throw more hardware at it, so I run it on an eight-core Xeon, and so I don't care how long you take, just get it done. So it's the lazy man's approach to speeding up software.

So when you actually start looking at these audio files, what you see is, just by looking at the audio graph, you can see that a lot of calls look the same. Like, hey, this is the waveform for this audio, and they all kind of look the same. They probably all sound the same, so you can actually start visually identifying different things, and, you know, Efrain Torres talked earlier about WMAP. He was helping me out early on trying to find different algorithms for finding ways to match data and automatically classify stuff. So that's what I'm talking about next. Hopefully I can get through this and give Egypt some time still.

So this is what a voice sample looks like: blah blah blah blah blah, you know, kind of an automated response. It doesn't wait for you to say anything, it just goes. Here's what a fax looks like, the kind of squealing noise and all that crap, so you can see the bars of the annoying noise. Here's a human, because they get really confused. They get a random call, they go "Hello?" Click. So that's a human. The problem is modems sound a whole lot like faxes when you actually start hearing the squealing noise, and I mean some people are like, you know, freaking Rain Man. They could be like, "yeah man, that's a modem."
"That's a V.32bis running on this type of system on an Ascend MAX rack with this and this." I'm not that person, but if you find them, hire them, because they're cool.

So if you look at the fax, here's kind of how it's split out. If you actually look at the detail without all the fancy lines (this is all just done via gnuplot, by the way, I don't have any crazy graphics skills either), here's the fax, here's a modem. So just by flipping between the two of them you can kind of see there's a pretty significant difference in just what these things look like. Unfortunately, when you actually start getting down to the audio, the frequencies they use are really similar. They both have carrier frequencies; they all basically hover around 2100 Hz for their peak frequency. So what I found out, and I ended up wrapping the KissFFT library for doing FFTs in C so Ruby can crunch it, but basically modems all have 2250 Hz and nothing else does. So if you find more than about one second of 2250 Hz anywhere in your entire audio sample, it's almost always a modem, and that's worked out almost perfectly. If it's anything else and has a lot of 2100 Hz, it's probably a fax, along with 1625, 1660, 1850, etc.

So the neat thing is, okay, now I've got this giant list of modems that I pulled out of new dial-up pools, out of the POP list for all available... I basically dialed every single AOL access number in the US and then compared all the audio to see what they look like. So I dialed all these, I checked the signal amplitude, I checked the frequencies, I kind of looked at the different patterns. Basically, you'll see exactly three different visual patterns pop out, three different audio samples, and three different carriers. When you actually connect to it you get different login prompts. So all of the AOL dial-up numbers in the US only have three different login prompts, and you can tell which ones they are just by looking at the audio from the sample, without ever connecting, after you fingerprint. So here's an example of amplitude graphs. You can see all the little fat guys, the really fat long guys are one, the little short W guys are another, and the kind of long skinny guys are another. So just based on this we can see what brands of modems are in use across all of AOL's POPs in the US. So you start identifying actual audio by looking at... identifying actual hardware by looking at how the modems are configured and what the audio looks like. Here's a frequency graph. It's tough to see from back there, but there's really only three different frequency charts here as well.

So the next term. Okay, so we can do modems, we can do faxes, we can figure out some of these tones, but how do we actually do voice? Because I want to say not only is that chick hot, but how old is she? Like, how high is her voice? I'm actually married, so I'm not actually that into it for that reason. I think of it more as an abstract reason, that, you know, it'd be interesting to see what they sound like. So it's also interesting to find out how old someone is based on their voice, based on this, based on that. You can get kind of a, you know, anyways, insert class of people by voice samples.

So the first way we did it was super ghetto-tastic, and a friend and I worked on this thing that looked at the silence versus noise gaps in the 8 kHz audio stream. So how much noise is there, how much silence, how much noise, how much silence. It was super crappy, but, like, we don't know math, so it worked, and we're like, hey, it did some stuff. So we found that carriers and tones have very few transitions, because there's, you know, beep, silence, beep, silence. Voice systems that talk a lot have a whole lot of transitions, and humans are mostly silence with one or two little, you know, really short blobs of noise in between as they go "hello? hello? stop calling me, you asshole," stuff like that. The only problem is that these signatures fail for time-shifted audio. If your sample starts halfway in, like half a second into the person saying the same thing again, it doesn't detect it properly, because it's just the way the code worked.

So I started, before we figured out that the time shifting broke it at all, we started matching every sample against every other sample to automatically group stuff based on how they sounded. So I'll show you some of the actual graphs later on about how we automatically group these things, and I'm short on time, so we're going to haul ass. So basically some fuzzy matching: we found some things that sound the same, like you can find all your calls being answered by Audix, or "welcome to IBM," or whatever the noise happens to be, and kind of match them up, match up all the prompts together.

So we wanted to have better analysis. We actually write signatures for any two-second chunk anywhere in an audio stream. So we took every one-second audio sample, took the top 20 frequencies from each one, sorted them by power, created a fuzz amount for, you know, up and down this much of frequency, up and down this much of power, and then match two-plus sequential samples anywhere inside of the top 20 frequencies. So this avoids the time-shifting issues, because the fuzz factor allows you to catch signals that have been warped by the time shift, and you can match any kind of pre-recorded audio segment really easily, just by scanning for, you know, anything you've heard before you can find again. Basically you can always rerun your processing after you've done it the first time, each time you update your signatures. So you dial once and then, you know, keep tuning it to identify every single little bugger on the line, and that works really well for any two-second-plus audio sample. So basically we match every sample against every other sample, look at basically every three-second offset from any source call, and you can create really neat one-to-many matches, really slow many-to-many matches. You can basically automatically group lines that have similar-sounding signatures inside of them.

So if every line is answered by Audix, the fragments of Verizon, AT&T, whatever, you can make them all grouped together based on what vendor, what audio sample they actually have inside the line. You can also match them all based on peak frequency, and I'll show a graph of that later on, and that actually does a pretty good job, but it misses chances when there's any other louder tone on the call other than that peak frequency. You can also group by matching signatures, and we'll talk about signatures next.

So the practical piece of all this is you can identify similar voice recordings any time that a company has a standard response anywhere inside the audio stream, for as long as you record. Even if it's 10 minutes into it saying "are you still there, press five," ba-ba-ba, you can actually record that in the fingerprint and find that anywhere in your samples. You can target specific PBX vendors. See, if you know that an Avaya system has this default password, if you know that this kind of mailbox allows you to do a bounce-through and dial through their system and start doing toll fraud, you know, you can find those devices really easily. So you can actually find some really neat things. You can look at all the things that don't match and say, okay, what the hell is this thing?
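The two classification ideas above, the "more than a second of 2250 Hz means modem, lots of 2100 Hz means fax" rule and the fuzzy top-N-frequency signatures that match two or more consecutive frames at any offset, as an added example in pure Ruby. This is not WarVOX or Metasploit code (WarVOX wraps KissFFT in C); the frame size, the number of peaks kept per frame (5 rather than 20), the fuzz values and the synthesized test tones are my assumptions, constructed so the block runs offline with no recordings.

```ruby
# Added example, not WarVOX code: modem/fax detection by persistent peak
# frequency, and time-shift-tolerant audio signatures built from the loudest
# bins of each frame. A small recursive FFT replaces KissFFT so this runs
# stand-alone. All audio below is synthesized (constructed test input).

SAMPLE_RATE = 8000          # telephony audio after u-law/A-law decode
FRAME       = 1024          # 128 ms per frame, ~7.8 Hz per FFT bin
TOP_N       = 5             # peaks kept per frame (assumption; talk uses 20)
HZ_FUZZ     = 12.0          # frequency slack when comparing peaks (assumption)
MIN_MAG     = 20.0          # bins below this magnitude are treated as silence

# Recursive radix-2 FFT; input length must be a power of two.
def fft(x)
  n = x.length
  return [Complex(x[0])] if n == 1
  even = fft(x.each_slice(2).map(&:first))
  odd  = fft(x.each_slice(2).map(&:last))
  out = Array.new(n)
  (0...n / 2).each do |k|
    t = Complex.polar(1.0, -2.0 * Math::PI * k / n) * odd[k]
    out[k]         = even[k] + t
    out[k + n / 2] = even[k] - t
  end
  out
end

# Synthesize `seconds` of a tone mix (constructed audio, not a recording).
def tone(freqs, seconds, amp = 0.4)
  (0...(seconds * SAMPLE_RATE).to_i).map do |i|
    freqs.sum { |f| amp * Math.sin(2.0 * Math::PI * f * i / SAMPLE_RATE) }
  end
end

def silence(seconds)
  Array.new((seconds * SAMPLE_RATE).to_i, 0.0)
end

# Per frame: the TOP_N loudest bins as [hz, magnitude], loudest first.
# Silent frames yield an empty list, so they can never match anything.
def signature(samples)
  frames = samples.each_slice(FRAME).select { |f| f.length == FRAME }
  frames.map do |frame|
    mags  = fft(frame)[0, FRAME / 2].map(&:abs)
    peaks = mags.each_with_index.map { |m, k| [k * SAMPLE_RATE.to_f / FRAME, m] }
    peaks.select { |_, m| m >= MIN_MAG }.sort_by { |_, m| -m }.first(TOP_N)
  end
end

# Loudest frequency of each frame (nil when the frame is silent).
def peak_hz(samples)
  signature(samples).map { |peaks| peaks.first&.first }
end

# Seconds of audio whose loudest bin sits within HZ_FUZZ of `hz`.
def seconds_near(peaks, hz)
  peaks.count { |p| p && (p - hz).abs <= HZ_FUZZ } * FRAME.to_f / SAMPLE_RATE
end

# The rule from the talk: a second or more of 2250 Hz means modem,
# otherwise a second or more of 2100 Hz (fax CED answer tone) means fax.
def classify(samples)
  peaks = peak_hz(samples)
  return :modem if seconds_near(peaks, 2250) >= 1.0
  return :fax   if seconds_near(peaks, 2100) >= 1.0
  :other
end

# Two frames match when at least three peaks line up within HZ_FUZZ.
def frame_match?(a, b)
  return false if a.length < 3 || b.length < 3
  a.count { |hz, _| b.any? { |hz2, _| (hz - hz2).abs <= HZ_FUZZ } } >= 3
end

# Does `sig` occur anywhere inside `sample`? We require min_run consecutive
# matching frames at some offset; trying every offset is what makes this
# survive a recording that starts half a second late.
def signature_found?(sig, sample, min_run = 2)
  return false if sig.length < min_run || sample.length < min_run
  (0..sample.length - min_run).any? do |off|
    (0..sig.length - min_run).any? do |i|
      (0...min_run).all? { |d| frame_match?(sig[i + d], sample[off + d]) }
    end
  end
end

if __FILE__ == $0
  p classify(tone([2250], 2.0))            # :modem
  p classify(tone([2100], 2.0))            # :fax
  prompt = tone([350, 440], 0.4) + tone([697, 1209], 0.4) + tone([941, 1336], 0.4)
  late   = silence(0.5) + prompt + silence(0.3)   # same prompt, time-shifted
  p signature_found?(signature(prompt), signature(late))   # true
end
```

The silence-versus-noise method the talk describes first breaks on time-shifted audio because it compares whole samples position by position; here the signature is compared at every frame offset, so only the run of matching frames matters, not where it starts.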
It's actually a US phone number forwarding to a UK number, because you can hear the kind of, you know, flubby ring tone. So you can actually pick out different countries' ring tones and forwarding lines based on the sound. You can find all sorts of really neat things this way.

The problem with the voice signatures, though, and doing automated responses, is this woman. This woman is a problem with all my voice signatures, because she recorded all of them. This is Pat Fleet, also known as Ma Bell's voice. She recorded like 90% of all the audio you've ever heard on an automated response system out there. Everyone loves her, loves her voice. Unfortunately, because her voice is so similar each time she speaks, the signatures have a really tough time figuring out, you know, based on frequencies, whether it's this tone or this tone. Any time I run into her in a signature, it conflicts with every other signature by her as well. But keep in mind that, because this works so well in that sense, you can actually take a recording of one person's voice saying "hello" and then scan an entire city trying to find them picking up the phone, and then nail their phone number that way. So there's just some really nice, cool, uber-stalker things you can do with the system. But you can always find Pat Fleet.

So when I start hacking voicemail: a gentleman right before I started talked about this. Basically, if you have a system that allows you to do caller ID spoofing, most VoIP providers let you do this, most mobile providers in the US actually allow you to bypass authentication if you have the same caller ID as the target line, and unless you've got a PIN set, they go straight into it. So the cool thing about this is you can actually create a signature for "welcome to your voicemail" or "you've entered Verizon messaging" or "AT&T, you've got one new message," and actually start scanning huge blocks of numbers using their own caller ID as the source for it, and basically determine which of your salespeople, or which hot chicks in this geographic area, don't have passwords set on their voicemail, and then go into their voicemail and then change their greetings. So it's fun to do, and you can basically mass-audit your entire sales staff or your executive staff using this method. So most iPhones are screwed, most Verizon lines, all sorts of cool things. So I've been doing a bunch of mass audits, and I'm out of time, so I'm going to haul ass again, but I can do a demo later on, a third time.

And the nice thing is, because this whole thing runs on a web interface, basically Ruby on Rails, you can actually do all the dials from your iPhone over 3G by going to the web interface and basically running like, you know, 150-plus concurrent line scans from this. So you can go into a building and make every single phone from, like, a mile of you start ringing at once. It's a lot of fun. So there's all sorts of fun little uses of this thing outside of just, you know... well, you can really just annoy people with it. But besides annoying them, you can also do signatures. Like, a friend of mine got a call the other day. He had no idea who it was, so we dialed every line within 20 of the number that called him and found out it was actually some bill collectors' agency, by finding one of the other lines besides the one that called him. The one that called him, if you return the call, says, you know, "this is the children's cancer health foundation" or something like that, but really one of the other lines was, you know, "we're bill collectors," for every other line. So the way they trick you is that when you call back the bill collector, you think it's a children's cancer foundation donation center, but it's really a bunch of bill collectors using a spoofed voicemail. So anyways, you can actually track those buggers down using WarVOX by calling all their lines to figure out who the hell called you.

Anyway, so you can start displaying some of these groups using canvas objects in
HTML5. A lot of fun. So here's a group by silence versus noise. You can see big stripes of similar-colored audio that were automatically grouped using the very first method that we came up with. Using this method you can see another set of stripes, and actually you can see between these two there's completely different patterns. This was grouped by peak frequency of the call, and this is grouped by which ones sound kind of the same through silence versus noise. So peak frequency means any time that there's a really loud noise on the call, if that was the loudest sound on there, all the calls that had the same thing would basically be grouped together. So this big stripe of little pink suckers right here in the middle, or red suckers on the screen, those are all voicemails, and that's actually the beep at the end of the voicemail. That's about 1,000 Hz, and it's louder than whatever the person said, so you can now group all the voicemail guys together just by the peak frequency alone. So all kinds of cool things you can do with spectrum analysis. You can find tones, you can do this, you can do that.

Here's a frequency challenge. If you've seen the presentation before, you're disqualified, and I already gave away all the vodka that no one picked up last time I did this. So what is this? 350 plus 440, it's one solid tone, it's easy to pick up. Sorry, I heard it over here. Dial tone. Yes, absolutely right.
That is a dial tone. So what we can do is actually start looking for dial tones across all the calls, and you find forwarding lines, where the line goes to a dial tone here and then here it dials back out again. Well, you can actually look for those dial tones and race the forwarding line. So you dial the number, and you immediately, in your VoIP call, basically send DTMF tones, and that makes the forwarder dial whatever number you want, not their number. So you can also just find straight-up, you know, dial tones. Like half of Korea is covered in these things. If you dial all of South Korea, like every fifth line apparently is a dial tone you can dial back out of. I don't know why. Maybe just a misconfigured telco or something, but it's a lot of fun.

So you can also find things like UK ringers, US ringers, busy signals, Russian voicemail, all based on the combination of tones. So lots of Russian voicemail systems is 1420 Hz, busy signals are 480 plus 620, US ringers are 440 plus 480, and you can pick all these out really easily. You can also do DTMF decoding using Luigi's tool, dtmf2num. So if there is DTMF, you can actually decode it and see what the actual numbers were. And I've integrated it with LumenVox to do automatic transcription of the audio, so you can actually pick out certain strings, but it doesn't work that great yet. You can integrate this with Asterisk to do automatic testing. So I took the AGI script from Da Beave in iWar so I can actually automatically return the same audio to my dialer from a directory of pre-recorded samples, so I can actually automatically test my audio signatures, my dialer.

So moving forward: 1.0.1 is public, 1.0.2 is in SVN, lots of really cool features, check it out if you haven't already. Legal aspects: you're all fucked. Look online if you care. Basically, you can't dial in the US without potentially risking breaking the TCPA. That was amended in 2003 because of e-faxes, but there's kind of a legal page at WarVOX you can look at. But look at your federal law, look at your state law, and if you have city statutes about it, look at those as well, but they all apply. I'm not going to do a demo, because Egypt's stuff is cool. Thank you for your time, and please welcome Egypt to talk about Meterpreter PHP.

Yeah, no problem, no problem. Okay, so skape's original talk about Meterpreter was called "Beyond EIP," and this is "Beyond r57." Brief outline: PHP has a bunch of stuff we can use. There are a bunch of existing PHP payloads that we'll talk about shortly, and some of the stuff that's already in Metasploit that we'll talk about, and encoding, and how we deal with some of the problems writing PHP as a payload.

So running some system commands is relatively easy in PHP. There's a bunch of ways for a system administrator to take these functions away from you, but there's so many of them that I don't care. I'll just use a different one. There's system, there's exec, there's shell_exec, there's passthru, there's others based on third-party tools. There's actually a freaking Perl interpreter as an extension for PHP. I mean, really, come on. There's things for administering Windows through PHP. There's a win32service extension, so you can start and stop services, you can create services, you can write files, you do whatever the hell you want, because it's there intentionally. Opening sockets is basically the same way. There's a whole bunch of different functions that do it: socket_create, fsockopen, pfsockopen are all built-in functions, and they all do exactly what you think they do. The best part is that they're not the only ones. fopen, which you normally would think would open a file, right?
Well, it can take a file called http://blahblahblah.com and it actually opens up a bloody socket. That's so cool. If that doesn't work, if all of those functions are unavailable to us but we can still run system commands, then, well, we fall back to Perl or netcat or bash or Ruby or, you know, anything that'll let us create a socket. There's all kinds of stuff that can let us talk out to the network.

Another cool thing that we can do is reusing Apache sockets. It's not really available for any other platform at the moment, but Apache fails to set the FD_CLOEXEC flag on any of its file descriptors, so when you connect up to it, you keep that socket in PHP, and you can read and write to it, do whatever you want. Yeah, I'm freaking cool.

There's a bunch of existing payloads. In my opinion most of them suck. c99 and r57 are sort of the big guys. They're the ones that everybody uses. They're the ones that you find on pwned web servers all the time. r57 has this giant chunk of base64 goo at the bottom of it, and if you actually go through and decode that, it sends a shell to Russia. Really. Okay, so there's also tons of private stuff. Everybody's got their own PHP shell, because it's really easy to write, and, you know, a bunch of them are really simple. They're just a form that runs the command and gives you back all your feedback over HTTP. I think that's kind of boring. So we've got all this other stuff, why not make something better? Basically, I don't want to have to use HTTP. I want to be able to use a real socket, or, using Apache, we can use the socket that already exists. And, as I said, r57 especially, but others, a lot of the public ones have backdoors in them. That sucks. Like, if I get a shell, I don't want to give it away. That's my shell. You can't have it.

So these are the Metasploit payloads that are currently available.
I committed one about a week ago or several days ago For download exec which lets you go directly to like a interpreter shell in windows or whatever But that's not quite as interesting as doing everything from PHP So I'm working on getting that together. There's still a few problems with it. I'll talk a little bit about that in a second But for the bind shell, it's really easy There's a socket create listen function and it does what you think it does it creates a socket and it listens on it So we can do that and then just run system commands and we win If that doesn't work, there's socket create socket bind socket listen that does exactly the same as a regular, you know The C system library calls socket bind and listen So the problem is that that this isn't exactly a shell I'm I'm basically creating a new shell process for every command and It for the most part, it's okay. It works fine, but CD doesn't work for example Reverse is basically the same way we can use socket create socket connect shell If that doesn't work, we've got fsock open if that doesn't work We can use P fsock open if that doesn't work. We can use curl That doesn't work. We can use the pearl extension. So anyway the problem with this is that the There's two different kinds of file descriptors basically in PHP The the stuff opened with fsock open or f open you have to use f right and The stuff opened with sockets you have to use socket right So that's kind of a bummer if we're if we're doing both file and socket stuff because we can't select on Both of them at the same time. So that becomes sort of an issue with With meturpter, but reverse so far. I mean just creating a shell is is relatively easy and we don't have to worry about that problem Find sock like I said only works on Apache on Unix C systems because it doesn't set the Chloe's egg flag PHP says that this is an Apache bug. Apache says this is a PHP bug. 
So I just think it's an awesome bug Conveniently this lets you write right to their log files because they leave all of their sockets or all of their file descriptors open So you can say hey, I love owning your system right in the middle of their log file and I mean Who doesn't like writing stuff like that? And Unlike unlike bind and reverse this is a real shell because I'm actually Calling out making a new sh process And running the whole thing over the socket and This is what it looks like. I think this is totally cool to be able to Type directly into a net cat session and actually be a shell On an Apache box. I think that's totally awesome So PHP has a number of ways of screwing us the first is disabled functions And that's a setting in PHP I and I that will basically turn off those functions and you can't call them Fortunately for us a lot of PHP administrators don't know about it and they never said it And so we can just run rampant do whatever the hell we want For those that do There's not a whole lot we can do other than just trying all of the other things that do what we want to do Most people in their disabled functions list miss one or more of the socket functions They miss one or more of the system functions as long as we've got one of them then we're good to go Another big problem is character filtering Magic quotes is a is a huge pain because it doesn't let us use quotes in our like an eval payload And what we want all of this stuff to be as Transparent as possible. We just throw up a blob of PHP And I don't care if it was an eval bug or a file upload bug or a remote file include I don't care. I just wanted to run my code. I just want my shell. 
I don't care how you do it SSL can sometimes be a pain in the ass But I mean on the server SSL can be kind of a pain in the ass, but also SSL is a pain in the ass because it's Now implemented by default in the ph there in the the normal meturper handlers So when HD made that commit it broke all of this stuff eventually we'll get that fixed we'll have that all together, but That's not quite implemented yet So yeah disabled functions if we don't have system try exact etc and filtering is sort of sort of easier to get around Unless we don't have parens or semi-colons we win Because you don't really need quotes it turns out that PHP parses bare words first as a constant and if a constant doesn't exist by that name then it tries it as a string But the the advantage here is that we don't need any quotes at all So we can just create this big chunk of what looks like a string as long as it doesn't start with a number and contains only Numbers and letters then it'll be parsed as a string There's a 998 character limit here. 
I assume this is something to do with PHP's internal Representation of identifiers because it's parsed as a constant it counts as an identifier and so it falls into all of those restrictions So that means it can't have a dash it can't have a plus because those are our other operators inside PHP But it's It's not that big of a deal because we can just put everything in base 64 and base 64 Has slashes and pluses which kind of stocks and equals signs but we can just turn all the slashes into true 43's and all the all the pluses into true 47's and It becomes the string that we want it to be This increases all of our payload by about a third But I mean it's not shellcode who cares it goes in an eval or it goes in a file include it doesn't the size doesn't really matter So yeah like I said meterpreter is now a lot better because of SSL and we can Hide our shell on a meterpreter session much more easily now It's a lot harder to find it on the network, but I don't have it in PHP yet. So it's broken The meterpreter is still work in progress Most of the core stuff is there. We've got process execution But because I haven't finished figuring out how to make channels work We can't see the output of an execution. So if we run a system command, we can't see the output up from it you can Write it to a file and download the file and that works just fine But there's no interaction So you can't at the moment You can't do just a regular shell and start typing in the shell and have it give you your feedback right away There's also no pivoting yet. All of that is coming. But there's like I said the problem with PHP's select and and the the difference between its its file descriptor types makes writing channels kind of a pain in the ass So that's coming but not for a while Filtering had well, that's the wrong way How much time do I have here? Oh sweet. I've got time for demos awesome Okay, so So we've got just this simple little PHP script. 
I don't know if you can read that The important parts here is there's a remote file include bug there. There's a remote file include bug there There's an eval bug there. Can you still read that? So we see we're just sending some code to be evaluated here now We set our host to set correctly port is set correctly Set payload PHP Shell find and with any luck here as long as I didn't piss off the demo gods earlier today Yay We have a show and all of this is going over the same socket as As the connection happened on so all of this is definitely going to go through a firewall Some some IDS's might be able to pull this out because it doesn't really look like HTTP traffic anymore Once you start typing commands, then it looks more like commands than HTTP, but It's still all over the same socket. It's definitely going to get through the firewall. I think it's awesome so we can also We can also create a linux reverse shell payload to do Using MSF payload We create file called reverse TCP. I'm being lazy here and and hosting it from the same web server I'm about to exploit but pay no attention to the man behind the curtain So we can set the payload now to PHP download exact So we're telling it to go download this binary save it to disk run it and Give us a shell. Hopefully. Oh Right, we have to set up a handler because there's no handler for download exact so No, hey, you give us a shell anyway, which I Don't know. Has everybody in here seen a handler before? Anybody hasn't okay. 
Well, I'll just talk about why that's important here Right quick The handlers is basically just a generic thing that'll catch and exploit payload coming back It doesn't really have any options of its own So we set the payload to be whatever we created that file to be that executable that we're sending up We set up all of the same options that we use to create that file We run the handler and That'll Let's see When we run the handler it will set up a thing to catch our shell basically so you can see here we're Not listening on 444 So if I wanted that to be dash J dash C so the dash J means run as a job and that'll put everything in the background and the dash Z means Something useful. What does that you see me? Oh Yes, don't don't interact with it right away. So we're running the the Handler in the background. We're ready to go. So if we go back and use our download exec payload again Woot, there's a show We can interact with it in the normal way or not Okay, well the payload failed but It got there at least So, yeah, those are the PHP payloads three questions. Okay Well, thanks
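An added example, not part of the talk and not Metasploit code: a small Python scanner that flags PHP source carrying the evasion patterns the talk describes (an eval/base64_decode wrapper, chr(43)/chr(47)/chr(61) spliced in for '+', '/' and '=', and long bare words that PHP falls back to treating as strings), plus references to the exec and socket function families the speaker lists. The 40-character bare-word threshold and the sample payload are constructed assumptions.

```python
import re

# Added example, not from the talk or from Metasploit: flag PHP source that shows the
# quote-avoidance and encoding tricks described above, so a reviewer or a web-shell
# scanner can spot them. Threshold and sample input below are constructed assumptions.
BAREWORD_MIN_LEN = 40  # assumption: hand-written identifiers are rarely this long

# Function families the speaker lists; any single one is enough to run commands or open sockets.
WRAPPER_FUNCS = ("eval", "base64_decode")
EXEC_FUNCS = ("system", "exec", "shell_exec", "passthru")
SOCKET_FUNCS = ("socket_create", "socket_create_listen", "socket_connect",
                "fsockopen", "pfsockopen")

# A bare word: identifier-shaped run not preceded by $ (variable), quote or backslash,
# and not followed by '(' (a call) or a quote. PHP treats an undefined constant as a string.
BAREWORD_RE = re.compile(
    r"(?<![\w$'\"\\])([A-Za-z_]\w{%d,})(?![\w'\"(])" % (BAREWORD_MIN_LEN - 1))
# chr(43) = '+', chr(47) = '/', chr(61) = '=': base64 characters a bare word cannot contain.
CHR_B64_RE = re.compile(r"\bchr\s*\(\s*(43|47|61)\s*\)")


def scan_php(src):
    """Return the list of indicators found in PHP source text (empty if none)."""
    findings = []
    for name in WRAPPER_FUNCS + EXEC_FUNCS + SOCKET_FUNCS:
        if re.search(r"\b%s\s*\(" % re.escape(name), src):
            findings.append(name)
    for m in CHR_B64_RE.finditer(src):
        findings.append("chr(%s)" % m.group(1))
    for m in BAREWORD_RE.finditer(src):
        findings.append("bareword:%s..." % m.group(1)[:12])
    return findings


def is_suspicious(src):
    """An eval/base64_decode wrapper combined with a quote-avoidance trick is worth alerting on."""
    found = scan_php(src)
    has_wrapper = any(w in found for w in WRAPPER_FUNCS)
    has_trick = any(f.startswith(("chr(", "bareword:")) for f in found)
    return has_wrapper and has_trick


# Constructed sample in the shape the talk describes: no quotes, base64 chunks as bare words,
# '+' and '/' spliced back in with chr(). The base64 content is filler, not a real payload.
SAMPLE_PAYLOAD = ("<?php eval(base64_decode(QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVoxMjM0NTY3ODkwYWJj"
                  ".chr(43).chr(47).ZGVm)); ?>")
BENIGN = "<?php echo htmlspecialchars($_GET['name']); ?>"

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_PAYLOAD), ("benign", BENIGN)):
        print(label, is_suspicious(src), scan_php(src))
```

A hit on the wrapper alone is common in legitimate code; the combination with chr() splicing or a very long bare word is what separates this pattern from ordinary base64 use.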