Okay, so first thing, I'm going to introduce myself. My name is Marcus Carey, and I'm the community manager and I do security research at Rapid7. A couple of months ago I started playing around, actually trying to write stuff, and this was before I joined Rapid7. I've been at Rapid7 for about six months or so now. Before I started with Rapid7, I started trying to be able to test network infrastructure devices. Then I got to Rapid7 as a community manager, and I kept on trying to do some of the stuff I was doing before. Since we do Metasploit at Rapid7, I started adding stuff to Metasploit. Real quick background: I'm former U.S. Navy. I've been all over the world. I was a CT in the Navy, and I learned a lot of cool stuff there. Thanks to all those CTs out there, all those ex-Navy guys out there. So I'm going to introduce my teammates. These guys also work for Rapid7. Real quick, I'm going to let them introduce themselves.

My name is David Roode. I'm the exploit developer for Metasploit. Basically, I'm in charge of pretty much every single module that goes into Metasploit. I have to do code review of everything. As for my past experience, I've been working in exploit dev for probably five or six years at least. Prior to Metasploit, I worked for iDefense doing a lot of zero-day validation and stuff like that.

I'm Will. I'm a pentester at Rapid7. Been there about three years. I do all sorts of pentests, anything from network pentests to web app pentests. They did a talk on DDoSing, so we've done a little bit of that. I'm happy to be here.

Okay, real quick. So what I'm going to do today, everything hopefully will be in the trunk within the next 24 hours. Dave? So what I'm going to do real quick is go through a quick little outline. I know everybody in here may not know what Metasploit is. There's a lot of people here. So be patient with me if I start off a little bit slow here.
But in the end, we're going to have a lot of demos. We're going to walk through some code on how we did this, and we're going to talk about it from a pentester's perspective. Here's the actual outline. Hopefully we'll have fun and hopefully you'll learn something. After the talk, I'll be over there in the speaker lines for anybody that wants to beat me up or anything like that, or ask questions.

Real quick, the Metasploit framework: the Metasploit project was founded in 2003 by H.D. Moore, who is the CSO of Rapid7 now. It kind of reminds me of the Sourcefire story, how Sourcefire started up with an open source tool. And then Metasploit got picked up by Rapid7. I'm stuttering like a log up here. But basically the Metasploit framework is still open source, BSD licensed, and a lot of other commercial people use it. We have Metasploit Express and Metasploit Pro, but everything I'm going to talk about here is going to be available in the Metasploit framework. It's my intent, and I'm kind of a giving community guy, a lot of people know me, so my whole purpose in doing this is trying to help organizations out. I come from a military background, a government background, so I've always wanted to help people secure their systems and such.

All right, a little bit about the Metasploit framework architecture. This slide right here, I'm not going to read the slides to you, but basically there are a lot of things in the Metasploit framework, and these slides will be available afterwards, of course. The thing we want to concentrate on here is modules. We use a combination of these modules to actually do this, and most of this stuff has been used for a long time primarily for network exploitation. And I came to the Metasploit team from a defensive background.
So my whole thing was, I want to actually help people defend networks and actually test their network infrastructure instead of just trying to exploit a host. Here, all these modules play some part in vSploit and Metasploit as a whole. In particular, we're talking about auxiliary modules. In the end, when Dave comes up, he's going to talk about how anybody can contribute vSploit modules. As far as Metasploit development goes, if you want to actually start doing stuff that helps the community out, this is a really, really low threshold to actually start doing Metasploit development.

So the whole point of this: I've deployed enterprise IDSs. I've built networks at large government places. I've done all kinds of defensive stuff. And sometimes you want to actually test to see if stuff is working, but you don't want to use live exploits. A lot of people are concerned about running exploits on their network. A lot of people are averse to that, and I definitely understand. So the vSploit thing is like doing paintball. Hopefully it doesn't knock anything over. I can't say anything is 100% flawless. Even this morning we've had discussions where we were talking about how there could be a possibility, if you start sending stuff, that an IPS may shut a connection down if you have it in active mode and you send it stuff that looks like exploitation or attack responses. So basically what I'm trying to do is really a new spin on auxiliary modules. Again, I'm not really trying to exploit anything. I'm kind of a nice guy. Some people say I look like Mr. T or Kimbo Slice or something, but I'm a very nice guy. I'm scared of the mountains. It sucked. I actually drove here from Maryland. It was a four-day drive. That was crazy. So, man, I hate the mountains, I'm telling you. Okay, again, the purpose of the whole vSploit thing is to actually evaluate devices on their own merit.
Now, when I'm saying on their own merit, I don't want to evade anything. I want to try to be able to test devices exactly as they say. I want to see if things do what they do. There's a funny American beer commercial where Dennis Green is saying it; I want to see if the device is what it says it is, pretty much. So I don't want to do any kind of traffic evasion. The main thing is I want to ensure proper network device placement, because there are a lot of different networks where people don't even understand their own infrastructure. So it's absolutely impossible for them to place a device like an IDS or IPS or DLP, because they just don't know the layout of their own network. It's really, really true. Even if a consultant comes in wanting to deploy IDSs on someone's network, half the time the people that are supposed to help them don't know where to place the devices on their network anyway. So this is an attempt for in-house security people to be able to test out stuff, send these things to trigger alerts. If it doesn't trigger alerts, you know that you have your devices placed in the wrong place. It's also an opportunity to train security staff, and I'm going to talk about this now.

One of the things that I actually wrote that didn't make it here, and Dave said it's because I suck at writing code, so it didn't make it into the trunk yet: I've actually written a scheduling function into Metasploit, and it'll be in pretty soon, where you can actually schedule exploitation to happen. So you can say, I want the exploit to happen at 2 o'clock on a Saturday night. It could be an exploit or it could be a vSploit module. So that'll be in Metasploit pretty quick. It didn't make it for this talk.
But the thing is, if you have a managed security provider, an MSSP or whatever they call it, or just your regular NOC or SOC, whatever you want to call it, you want to know if they're actually watching things at 3 or 4 in the morning. So the ability to actually schedule exploitation and schedule exploits is going to be in Metasploit very, very soon. If I could code better, it would be in there today for this demo. I actually had it working, but HD said my code sucked.

Okay, so really the important thing here is, in the whole AV world you have the EICAR file, where you can actually drop it and it alerts. Well, there's not a really good test case for network-based traffic. So one of the big things, the last bullet, is that good test cases are hard to emulate. I've tested out big enterprise IDS systems. I've tested out DLP solutions at major government customers. Even sometimes the vendors don't have a really easy way for people to test out stuff. With DLP, sometimes they have files that look like DLP for the whole site, but it's kind of hard to generate traffic in any kind of way to actually point it towards something and send stuff that should trip those alerts. So some of the things I'm talking about testing here are IDSs, IPSs, DLP stuff, firewalls, and basically NetFlow collection, all these different things. Again, it's just to be able to test, educate, and be able to respond to things.

So what I'm calling interesting traffic: I used to do a lot of network engineering and we had this term, it's probably a Cisco term, interesting traffic. So basically what you want to do from a client, and this is one of the things that you can do from a web browser or many other things, is you have the Metasploit framework on one side, you have a web browser on the other side, you can actually do requests, and then the Metasploit framework is going to send you data that looks like PII or whatever other kind of traffic.
Also, another big thing that I tried to do, and this was dead simple, so some of the things I'm talking about are not rocket science, but they work really well: basically being able to do DNS queries at different times, and when the scheduling piece works, we're going to be able to emulate malware at scheduled times on your network.

So real quick, IDSs and IPSs are mostly signature based, and most organizations run signature-based IDSs. It looks for known traffic, so if it looks for known traffic, we just have to know what it's looking for and we can actually emulate that traffic in a controlled way without actually popping boxes. We can emulate SQL injections, we can emulate attack responses and other kinds of suspicious behavior, and IDSs should be able to catch all that stuff.

So DLP, in my opinion, and even some IDSs have DLP-type functionality where we can put in social security numbers, regular expressions and all kinds of other things. Most of them are concerned with PII. Since all these data breaches have been occurring lately, it's a big market for DLP solutions now. And I tell you, if you make a million-dollar investment, it's good to know if that investment is actually paying off. Many times people can't actually validate if their stuff works. So the ideal situation is this: if you're going to try to go out and procure stuff, you would want to use something like vSploit to actually test to see if those things work as they say they work. If they say they catch credit cards, test it with credit cards. Socials, whatever you're trying to do. Medical information. And a really important piece is to be able to customize the traffic, and Dave's going to be talking about it, to be able to actually write your own vSploit modules to meet your environment. If you're a government person, if you're a bank, there are all kinds of different ways, a need, to actually have the ability to generate traffic that's relevant to your environment.
Okay, and also this is a big thing here. SIEMs are big, and there are a million different definitions for SIEMs. I think this is the latest one I've seen a lot of analysts using, so I'm rolling with that, right? So basically they collect system logs, but one of the things that a lot of people have is they may have all these devices dispersed all over the network, and I have really good friends that do large deployments of SIEMs. Many times, IDSs aren't even sending data to the SIEM. This is a good way to send data all over my network: put in an IP address range, send the data. Is my SIEM seeing this traffic? Basically, to test your SIEMs to see if they're logging that network-based traffic from your DLPs, your IPSs and all that stuff.

So basically, here's what I did. I apologize for people at the far back, because this is probably not that good, but I'm going to do a demo, and when you see the demo you'll see it much better. So basically I created a PII module, and what the PII module does is it just generates web traffic that you can actually connect to with your browser, and I have it refreshing. So you have an option where it refreshes, and generally speaking it generates a thousand lines of PII data. I even built a Luhn check into it to actually generate real-looking credit card numbers, because some devices are smart enough to do a Luhn check. So basically, if you place it in the right place in your network, it will look like credit cards or SSNs are leaking. You also have the capability to generate any kind of other traffic that you want to trigger. It meets a lot of criteria of different devices like DLP and IDS because it generates a three-way handshake and you're pulling data across the network. That was a big, big challenge, but it's easy to do with the Metasploit framework to be able to generate these things.
So this web server module is typically used for stuff like browser autopwn and other kinds of things in Metasploit, but I'm using everything for a totally different purpose than it was meant for. I'm trying to use Metasploit more for good than evil. Okay, also I played around with all kinds of stuff. I basically created a module that actually lets you randomly download stuff. Metasploit hosts that and sends files, harmless stuff.

Web beaconing, and I think I might have changed the name of this to web querying, but actually when I got to Vegas after four days of travel, my Windows 7 laptop was totally blue screened and I lost everything. So this is actually a good attempt at making good on the presentation. So web beaconing, simply: in a lot of government organizations, I see it time and time again that someone like US-CERT or some outside third party has to notify a government agency that they've been compromised and are beaconing to China or wherever it may be. They've been infected with Zeus or any other kind of malware, and it happens all the time. What's funny about that is, even though people may block that traffic, I often wonder why the organization didn't see that traffic first. So one of the things, I think this is one of the most important things that I've been doing, is playing around with this web beaconing and actually doing more research on the different types of malware and botnets, and actually allowing people to upload their own list of DNS entries to actually test this out. What's cool about it, I'm actually still kind of a packet junkie, so I do Wireshark captures to make sure that everything is really happening. So basically the scenario would be this: you set Metasploit on your network on any kind of VLAN, just to test your network, just put it on your network and start doing these malicious queries.
You know, I have Zeus, Mariposa, and also the ability to do anything you want. People are looking for different signatures, and you can iterate this over a number of times.

Also, vulnerable headers. There are several vendors that actually do passive vulnerability scanning, like Tenable. Sourcefire actually can monitor; I think they have a product called RNA which actually sees what kinds of devices you have on your network. And sometimes people don't know. So this vulnerable header thing, what I did is I took a list of vulnerable headers, right? And I was like, just drop these on the network to see if anybody's paying attention. So if you have an IIS 4 or 5 server on your network that pops up and you don't know it, do you have the ability to even see that? These are the kinds of things I'm talking about testing. And here's a pcap of the actual thing, and you can probably see over there, and if you can't see it, it's an old vulnerable header. Okay, I'm going to switch over to Dave real quick and he's going to be talking about writing vSploit modules for a second.

So can I get a quick show of hands of how many people have actually written a module for Metasploit? Okay, so not too many of you. All right. This is just going to be a really quick overview of some of the features and some of the ways of developing a module for Metasploit. First of all, Metasploit's written in Ruby, so if you're going to write a module for Metasploit, it's really good to know Ruby, and here are a few links and some book titles. The slides will be available after the talk so you can go back and look at them then. So Metasploit has a whole bunch of support for just about everything you can imagine. A lot of it originated from a need for protocol support and all kinds of other support that we needed for exploit development and post-exploitation and auxiliary modules and everything like that.
So we have pretty much anything you can think of in there. This comes in really handy when you're developing a module because you don't have to reinvent the wheel. It's already there for you. These are just a few of the mixins that we have, and what a mixin is, is basically like a library that you can include into your module and just call methods out of it. We have HTTP server, client, we have a scanner module and SMTP modules. So we have a lot of functionality in there, and there are many, many more. You just have to look at the code and kind of dig in.

All right, so I'm going to actually give you guys a little view of some code. One of the modules that Marcus was just talking about is the web PII module. Basically what it does is it sets up a web server and dumps a whole lot of data that looks like personal information, and the hope is that DLP devices on your network will catch that stuff. So first of all, every module in Metasploit starts with this base class, Metasploit3. Now we're on Metasploit 4, which just came out August 1st, so that class name is going to be changing to Metasploit4. With each module, you inherit the type of module that you're going to be writing, which is Msf::Auxiliary in this case. And right here with the include, these are actually the mixins. Both of these are mixins. We actually wrote the PII mixin today, and what that does is generate all that PII data for you. So you can write any module you want. If you want that module to exfiltrate PII information, you can do that. Just include this mixin and it's there for you. All the generating code is there. So you don't have to sit there and try to generate and match any kind of format for the PII. It's already there and done for you. Then we have the initialize for the class itself. Each module is a class. And this right here is the information structure.
So this gives all the information to the users about what your module does, what the name of the module is, who wrote the module, what revision number you're actually on, and when it was last updated. You can also include references for anything that you write. If you find information out on the web and you think other people are going to find it useful, you can add those references into your module, and anyone who views your code can see those references. There are a lot of other things; it gets a little bit more complicated. Like, you have default options, and you can register options that you want for your module. So when someone is using your module, they have to configure it. In this case we're using meta refresh as one of the options, so you can tell the module whether or not you want to auto-refresh the web page with the PII data that it's dropping. You can also change the amount of time and the number of PII entries that are generated.

So this is just a function that Marcus wrote called create_page, and it has this really awesome ASCII sheep. I love the ASCII sheep. Greatest accomplishment. It is your greatest accomplishment. All right. So right here he's actually building up the HTML of the web page that he's dropping. You can see here he does a little check for the meta refresh option. So when you're actually writing a module and you want to get the information that the user configured, you access it through the datastore. Everything is stored in the datastore whenever there's an option that a user can set. So as long as you know the name of the option, you can get the information out of that. It's just like a variable. So yeah, here he's just setting up the HTML. He's doing some more checking on some options. And right here we're using the mixin, the PII mixin that we wrote today, to actually generate the PII data. That's what this create_pii call right here is.
That's actually what generates everything for you, and that will put the PII data on the page right here. Okay. Then this on_request_uri function, that's actually an overridden function from the HTTP server mixin. So what happens is, when a request for your web server comes in, this function is what's called. You have the cli and request variables that are passed to the function, and that can give you detailed information about what the request was, where it came from, a whole lot of information about the client, user agent, everything. Everything that you could think of is in there in terms of a web request that would be coming your way. So right here is where he's calling that create_page function that we went over. This is the function that builds the page and has the awesome ASCII sheep that I love. And right here, the send_response function. This is also part of the HTTP server mixin, so you can just call this directly. You don't have to do any kind of strange namespace convention or anything like that, because you've already done it with the include. This will just send the response to the client. And right here is the run function. Whenever you're writing an auxiliary module, to actually run the module the command is run, so the initial starting point of the module is in the run function. It's pretty simple. So that's just one of the modules that we did.

Now I'll give you guys a quick look at the PII mixin that we wrote today. This is the one that generates everything for you. So mixins are a little bit different. They're not really like a module. They're just something that you can include. It's a library that you include into your module and use the functionality of that library. So this is just defining the namespace of the library itself. It starts off with Msf. Then down here you define that it's an auxiliary module. And finally, that the namespace should end with PII, which is the name of the mixin.
Down here you have the initialize function, which is actually sort of an override of the auxiliary module's initialize. This is what will set up options for that particular mixin. So the module itself, the auxiliary module, will inherit these options. So you'll have an entries option and an email domain option within the module if you include this.

Okay, so here's some awesome Marcus code right here. I always pick on Marcus, but he's a really cool guy. I like Marcus. All right, so right here he's doing some code to create something that looks like a... I don't know, what are you trying to create here? Some function that looks like it's creating an account number of some kind. Here we have a function that's creating social security numbers and date of birth, passwords, some other stuff. Here's some general PII stuff: first names, last names, that kind of stuff. And here he's just checking the options to see how many entries to generate. Then everything returns back to the module that's using this. So it's pretty easy stuff.

Another thing I wanted to show you guys is some of the support that we have in Metasploit for some really interesting string manipulation and randomization. Mostly it's used in exploit dev situations, but it could be useful in any kind of module, I imagine. So we have all kinds of stuff in here. We have an array of all the states, upper alpha, lower alpha, all that stuff. We can do, let's see, JavaScript comments. We can convert a string to JavaScript comments, to Perl, to Java, UTF-8. Okay. All right, so just showing you that real quick. All right, so we'll move on now.

Thanks, Dave. Real quick, Will's going to come up and he's going to talk about how people can use this from a pentester's perspective.

Right, so when I was brainstorming with Marcus, I started to talk about things that I just can't do on a pentest, or bad ideas. So one thing I'm not going to want to do is install malware on the corporate domain.
I mean, obviously a terrible idea. Exfiltrating real PII data, that puts me in a bad position and it's bad for the customer I'm working with. And then exploiting critical servers or systems. Depending on the scope of the engagement or what the goals are, there are certain servers that I'm just not going to want to attack because they're so business critical that if they went down, that could be a major issue.

But there still are things that we can test for as part of those, so egress ports are one. If we're modeling the malware, we want to test what the command and control can go back out on. So if I'm on the corporate domain, I can begin to test, using vSploit, all of my outbound connections, and then I know how it can make outbound connections. Resolving blacklisted domains is another one. I don't need to drop malware to do it. I can use vSploit to test these sorts of things. Sending known IDS signatures, that's another one that's in there. That can also help on the pentest, because then I can know what I might be able to get through if I was attacking, if it was an IPS rather than IDS. So we can send sets of rules, see how it behaves, and then exfiltrate simulated PII or other data. So rather than actually sending customer PII data, the credit card numbers, I can send the simulated ones. The other thing I can do is sit with my client and say, is your network operations team catching this? Or we can do it with the scheduled part. We can do it at 2 a.m. One, did it get caught? And two, did you see the anomalous usage at that hour? So there's really good stuff that we can begin to test in a simulated fashion rather than having to actually use real data.

So I wrote a module to do email, and basically what it does is it will send the simulated PII data, and you can set it to do, for instance, Gmail. So it'll connect to a Gmail server and actually send out via email a group of credit card numbers or whatever.
And then also web. Another cool one would be if you wanted to post it to Pastebin or Wikipedia; you could test it out actually posting simulated PII data. I'm trying to rush because we're running out of time here.

So future thoughts, some other really cool stuff. Host-based DLP testing. If you imagine a corporate environment, they have host-based DLP across the environment. It may be very difficult to test in each instance, but if you were to create a Meterpreter EXE, put it on all of them, have it run, connect back to Metasploit, and then in an automated fashion actually test out if the data can leave that workstation and get out, for instance via Gmail, which is a common way of getting it out. Then you could, using post modules, add in other exfiltration methods. So if there was a new exfiltration method you wanted, you could just modify the post module, still use the PII mixin, so it would be very short, very easy. And you could say to the client, here's how I was able to get data out. Here's where your host-based DLP is failing you, or your network-based DLP, whatever it is. Then also IDS fingerprinting, which was Bandit's idea, a really cool idea. You know the signatures, you have known signatures for certain IDSs, and then you begin to send those signatures from a system, and you can actually, in a passive way, fingerprint the IDS. So there's a lot of cool stuff that could be done with it, and it could actually bring a lot of value in terms of the pentesting portion. Do you want to do your demos?

Okay, real quick, I'm going to try to get some demos in, and hopefully the demo gods are kind. Okay, how does that look at the back? Do I need to increase the size? Should I raise this up a little bit? Okay, so right now, like I said, hopefully we're going to get as many of these modules into the trunk soon afterwards as we can, if we can keep Dave over. We're going to get this stuff into the trunk as soon as possible.
So basically I used some research, 10 minutes. I've been researching all over the place, and actually one of our customers asked, can we simulate Mariposa? The whole point of this is, sometimes on your network there may be things that have been confiscated by the federal agents and all that stuff, but many times you can go into old networks and you can see people beaconing out to all kinds of crazy malware that's been retired a long time ago, but people aren't seeing it. So for things like Mariposa, Zeus and all these things, what I did is I downloaded a list of all the DNS names historically that they've been using. Then I went out and basically did DNS; I actually used a vSploit module to go out and see which ones still responded. Personally, I really don't care if somebody... I know some of these have been confiscated and such, but if they reply, I'm kind of wondering why organizations are not blacklisting some DNS names. So I think you can show this with this; I'm just going to run this real quick. It's going straight out, I don't know what the ISP is here, but it just goes out and starts resolving DNS entries historically associated with Mariposa. What's kind of cool about this is that this is a pretty safe thing to do on any network. Instead of actually having to install malware on a machine and look at it, and you can't really do that, you wouldn't want to do that in a real environment, you can actually just do this and it would simulate that traffic. It's hung up for a second, and I don't know if it's having a problem resolving something. But essentially it's dead simple: you put in an array of known bad stuff and you just do DNS queries on it. Okay, cool.

So another thing I want to show you real quick is the Web PII module. Well, wouldn't you know it? Oh, okay, I'm good, hold on a second. So that's sending me a Politioner on that IP address there. I'll just go to it in a browser.
So basically it generates a list, and this is a thousand pages of data that looks like credit cards, CVV, social, and all kinds of other stuff. Right here it says metasplay.org. But if you're concerned with any kind of emails or anything else leaking out of your organization, you can easily replace that. With a little bit of Ruby knowledge, you can actually go in and edit this to be relevant to your organization. Now I'm thinking this could be, if you're interested, if you're a bank, if you have credit card numbers, these first couple of digits here usually indicate what kind of bank it is. So if I were a bank, I would put fake stuff there and let it leak out of the network to see if my systems are seeing it. Or if you're a medical institution and you have medical information, you can actually do that. Now, any time this refreshes, it generates; I didn't do the auto-refresh thing. So you can actually do something, because every 15 seconds it's going to generate a thousand entries. So over time you can actually calculate, and you can actually change this to say, if your pentests are like Will said, hey look, I put a server on your network and I leaked all this data out. I took all this information out. Did you actually see any of that data? You're not leaking real data, but you're just seeing if the organization even has the visibility. Do they have their monitoring devices in the right place?

One of the other things, the next one I'm going to show you real quick, is I've actually been playing around with the Snort rules. What's up, guys over there? My Sourcefire guys in the house. So in this case, there are not a lot of environments that have all their Snort rules turned on, but every once in a while there are environments where you might want this rule, this rule, and this rule.
So in those particular cases, what you want to do is be able to send information to those particular servers that you're concerned about, and actually see. So I actually looked in the VRT rules. Show options. I'm actually using a scanner mixin, and with the scanner mixin you can actually send it to several devices. So if you have a VLAN of like a class C and you want to actually be able to send stuff to that whole entire class C, you can put in a range, or you can put in a single IP address. What I'm going to do is set RHOSTS to metasploit.com, and I can run this, and what it does is it just does HTTP requests that should trigger some of these rules. Now I haven't vetted that every one of these works yet, but I've played around with Snort a little bit and it definitely does trigger some of the rules. So if you're actually interested in some of these things going to your servers, you can do it. Now, this is not intended to try to flood Snort or blind an operator or anything. It's just an attempt to be able to point particular rules, what I call attributes, towards certain different assets and be able to see if you actually have your IDS configured properly. So I think that we're at the end now, and I appreciate everyone for coming. Thank you very much.
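The talk describes a PII mixin whose create_pii call builds realistic-looking test records, including card numbers that pass a Luhn check so that DLP engines which validate candidate numbers still fire, with the entries count and email domain as options and the issuer prefix chosen to match your own environment. The following is an added, stand-alone Ruby example written for this transcript; it is not the vSploit module or mixin shown in the talk and does not depend on the Metasploit framework. The module name PiiTestData, the helper names, the name lists and the prefix/seed parameters are all assumptions made here.

```ruby
# Added example (not the talk's code): generate Luhn-valid test card numbers
# and other PII-shaped records for DLP / IDS placement tests, the way the
# PII mixin described in the talk does. All values are synthetic.
module PiiTestData
  # Luhn check, the validation DLP engines apply before alerting on a number.
  def self.luhn_valid?(number)
    digits = number.to_s.delete('- ').chars.map(&:to_i)
    return false if digits.empty?
    sum = 0
    digits.reverse.each_with_index do |d, i|
      if i.odd?           # every second digit from the right is doubled
        d *= 2
        d -= 9 if d > 9
      end
      sum += d
    end
    (sum % 10).zero?
  end

  # Check digit that makes `partial` (all digits but the last) Luhn-valid.
  def self.luhn_check_digit(partial)
    sum = 0
    partial.chars.map(&:to_i).reverse.each_with_index do |d, i|
      if i.even?          # these positions become the doubled ones once the check digit is appended
        d *= 2
        d -= 9 if d > 9
      end
      sum += d
    end
    (10 - sum % 10) % 10
  end

  # Card number with a chosen issuer prefix (the talk suggests using the
  # leading digits your own bank issues) that passes the Luhn check.
  def self.generate_card(prefix = '4', length = 16, rng = Random.new)
    body = prefix.dup
    body << rng.rand(10).to_s while body.length < length - 1
    body + luhn_check_digit(body).to_s
  end

  # SSN-shaped value; area numbers 000, 666 and 900-999 are never issued.
  def self.generate_ssn(rng = Random.new)
    format('%03d-%02d-%04d', rng.rand(1..665), rng.rand(1..99), rng.rand(1..9999))
  end

  FIRST_NAMES = %w[Alice Bob Carol Dan Eve Frank Grace Heidi].freeze   # constructed
  LAST_NAMES  = %w[Smith Jones Lee Brown Garcia Patel Kim Nguyen].freeze # constructed

  # Counterpart of the mixin's create_pii: `entries` records with the email
  # domain and card prefix as options. A seed makes a run reproducible so the
  # same data set can be replayed against an IDS/DLP later.
  def self.create_pii(entries = 1000, email_domain = 'example.org', card_prefix = '4', seed = nil)
    rng = seed ? Random.new(seed) : Random.new
    Array.new(entries) do
      first = FIRST_NAMES.sample(random: rng)
      last  = LAST_NAMES.sample(random: rng)
      {
        name:  "#{first} #{last}",
        email: "#{first.downcase}.#{last.downcase}@#{email_domain}",
        ssn:   generate_ssn(rng),
        card:  generate_card(card_prefix, 16, rng),
        cvv:   format('%03d', rng.rand(1000)),
        dob:   Time.at(rng.rand(0..946_684_800)).utc.strftime('%Y-%m-%d') # 1970..1999
      }
    end
  end

  # Render records as the kind of CSV-style lines a web page or mail body would carry.
  def self.to_lines(records)
    records.map { |r| r.values_at(:name, :email, :ssn, :card, :cvv, :dob).join(',') }
  end
end

if __FILE__ == $PROGRAM_NAME
  puts PiiTestData.to_lines(PiiTestData.create_pii(5, 'example.org', '4'))
end
```

Point a DLP or IDS sensor at wherever these lines are served and check that the alert fires; if you want a number that a Luhn-checking engine should ignore, flip the last digit and confirm with luhn_valid? that it no longer validates.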