Tactical Meterpreter Scripting
Carlos Perez (Darkoperator)
Carlos_perez[at]darkoperator.com

Who am I
- Member of Pauldotcom
- Member of Metasploit Project
- Owner of web site “Shell is Only the Beginning” at
- Solution Architect by day to pay the bills

What we will Cover
- Pointers for automating post exploitation
- Making sure we run the right task on the right target with the right permissions
- Going beyond the standard Meterpreter API

Advantages
- Stealthy
  – No disk access and no new process
  – Limited forensic evidence and impact
  – Uses Reflective DLL Injection
  – Uses Windows Native API
- Powerful
  – Channelized communication system
  – Encrypted channel with SSL
  – TLV protocol has few limitations
- Extensible
  – Runtime feature augmentation
  – New features without rebuilding

Built-In Extensions
- Stdapi
  – Provides “unix-like” tools for the Windows platform
  – Manipulate file system, registry, network, processes, upload/download files...
  – Automatically loaded when Meterpreter starts
- Priv
  – Provides in-memory pwdump alternative
  – Includes timestomp for anti-forensics work
- Incognito
  – Utilities for finding and hijacking security tokens

Scripting
- Meterpreter takes advantage of most of the Metasploit Framework API
- Not limited to the available API alone
  – Use of Windows command line tools
  – Upload of necessary tools
  – Use of Windows' own scripting capabilities
- Scripts can be run upon session creation

Think Tactically
- Not all versions of Windows are the same in the shell
- System is not the same as Local User or Domain User
- Use environment variables
- Use random names for any files created on the target host
- Check for countermeasures
- Clean up after yourself
- Use functions so as to keep code reusable
- Manage exceptions

Versions of Windows
- Availability of commands
- Different countermeasures
- Features installed
- Location of files
- Different switches of commands
- Use client.sys.config.sysinfo['OS'] for OS version

Level of Access
- Newer versions of Windows limit the access of Administrator
- Administrator != System
  – Incognito (Vista, Windows 7 and Win2k8)
  – Hashdump (Vista, Win7 and Win2k8)
- Domain access is sometimes better than System

Checking for Right Permission and OS
- We execute according to target and privilege
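The decision logic the three slides above describe, written out as an added example (not code from the slides or from the Metasploit project): the OS string is reduced to a version family and the tasks the slides say need SYSTEM on Vista, Windows 7 and Windows 2008 are skipped, with a reason, when the session is only Administrator. It assumes os_string has the shape of client.sys.config.sysinfo['OS'] and uid the shape of client.sys.config.getuid; the regexes and sample values are constructed.

```ruby
# Added example; not from Carlos Perez's slides or the Metasploit project.
# Assumption: os_string looks like client.sys.config.sysinfo['OS'] and uid like
# client.sys.config.getuid, e.g. "NT AUTHORITY\\SYSTEM" or "WIN7\\bob".

# Reduce a sysinfo OS string to a short family name (regexes are assumptions).
def windows_family(os_string)
  case os_string
  when /Windows (Server )?2008/i                      then 'Windows 2008'
  when /Windows 7/i                                   then 'Windows 7'
  when /Windows Vista/i                               then 'Windows Vista'
  when /Windows (Server )?2003|Windows \.NET Server/i then 'Windows 2003'
  when /Windows XP/i                                  then 'Windows XP'
  when /Windows 2000/i                                then 'Windows 2000'
  else 'Unknown'
  end
end

# Per the slides, Administrator is not enough for these tasks on these versions.
NEWER_FAMILIES       = ['Windows Vista', 'Windows 7', 'Windows 2008'].freeze
SYSTEM_ONLY_ON_NEWER = %w[hashdump incognito].freeze

def system_user?(uid)
  !!(uid =~ /\ANT AUTHORITY\\SYSTEM\z/i)
end

# Returns [:run, reason] or [:skip, reason] so the caller logs the decision
# instead of letting the task raise mid-script (the "Manage Exceptions" point).
def task_decision(task, os_string, uid)
  family = windows_family(os_string)
  return [:skip, "unrecognised OS string #{os_string.inspect}"] if family == 'Unknown'
  if SYSTEM_ONLY_ON_NEWER.include?(task) && NEWER_FAMILIES.include?(family) && !system_user?(uid)
    return [:skip, "#{task} needs SYSTEM on #{family}, session runs as #{uid}"]
  end
  [:run, "#{task} on #{family} as #{uid}"]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values, not taken from a real session.
  [['hashdump',  'Windows 7 (Build 7600).',                    'WIN7\\bob'],
   ['hashdump',  'Windows XP (Build 2600, Service Pack 3).',   'WINXP\\bob'],
   ['incognito', 'Windows 2008 (Build 6001, Service Pack 1).', 'NT AUTHORITY\\SYSTEM']
  ].each { |task, os, uid| puts task_decision(task, os, uid).inspect }
end
```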

Use Environment Variables
- Useful for enumeration
- Counter security through obscurity
- Find the best location to store files
- Use client.fs.file.expand_path("varname") to expand an environment variable
- Use the variable with cmd /c when executing commands

Do not use Static Naming
- When uploading or creating files, use random names for files
  – Prevents overwriting by several instances of a script running
  – Offensive by obscurity
- Use the Ruby rand function for creating random numbers for file names

Execution of WMIC

Check for Countermeasures
We make sure we get a unique and useful name
- Check for presence of AV/HIPS/Firewalls
- If setting a listener, check for Windows Firewall mode
- Check for UAC
- Check policy settings
* See the checkcountermeasures script

Check for UAC

Clean Up
Reusable Code
- Delete any uploaded file
- Clear the Eventlog:
    log = client.sys.eventlog.open('security')
    log.clear
- Change MACE on files
  – Copy MACE of another file
  – Clear MACE of file or directory
- Kill any processes not needed

Clear Event Logs

Change MACE
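The defender's side of the three cleanup slides above, as an added example that is not part of the original slides or of Metasploit: clearing a Windows log leaves its own record (event 1102 in the Security log, event 104 in the System log), and timestomp-style MACE changes tend to leave all-zero sub-second fractions or a creation time later than the last write. The event lines and file timestamps below are constructed samples in a pipe-separated form assumed for the example.

```ruby
# Added example; not from the slides or Metasploit. The defender's side of the
# cleanup steps above: flag the event that Windows writes when a log is cleared
# (Security 1102, System 104) and timestamp patterns left by timestomp-style
# MACE changes. All records below are constructed samples.
require 'time'

# Constructed event records, one per line: log|event_id|time|message
EVENTS = <<~LOG
  Security|4624|2010-05-10T14:02:11.4411234Z|An account was successfully logged on.
  Security|1102|2010-05-10T14:05:02.0000000Z|The audit log was cleared.
  System|104|2010-05-10T14:05:03.0000000Z|The Application log file was cleared.
  Security|4688|2010-05-10T14:06:40.1128831Z|A new process has been created.
LOG

def parse_events(text)
  text.each_line.map do |line|
    log, id, time, msg = line.chomp.split('|', 4)
    { log: log, id: id.to_i, time: Time.iso8601(time), msg: msg }
  end
end

# Clearing a log does not erase the fact that it was cleared: the first record
# written afterwards is 1102 (Security) or 104 (System), and any forwarded
# copies of the earlier records survive on the collector.
def log_clear_events(events)
  events.select do |e|
    (e[:log] == 'Security' && e[:id] == 1102) || (e[:log] == 'System' && e[:id] == 104)
  end
end

# Constructed MACE records: path => [modified, accessed, created]. NTFS stores
# 100 ns resolution, so genuine stamps rarely have an all-zero fraction.
FILES = {
  'C:\\Windows\\notepad.exe'       => %w[2009-07-14T01:39:12.9385231Z 2010-05-10T09:00:00.1000000Z 2009-07-14T01:39:12.9385231Z],
  'C:\\Windows\\Temp\\svc1234.exe' => %w[2009-07-14T01:39:12.0000000Z 2009-07-14T01:39:12.0000000Z 2009-07-14T01:39:12.0000000Z],
  'C:\\Windows\\Temp\\rpt.log'     => %w[2010-05-10T14:04:55.2231120Z 2010-05-10T14:04:55.2231120Z 2010-05-10T14:06:00.0013320Z]
}.freeze

# Heuristics only: an all-zero sub-second fraction on every stamp, or a file
# "created" after it was last modified, deserve a second look, not a verdict.
def suspicious_mace(files)
  files.select do |_path, stamps|
    m, a, c = stamps.map { |t| Time.iso8601(t) }
    [m, a, c].all? { |t| t.nsec.zero? } || c > m
  end.keys
end
```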

Some Final Recommendations
- Build a good lab for testing with different scenarios
- Test in as many versions of Windows as possible
- Make sure your code is compatible with Ruby 1.9 for future compatibility

Reference
- Metasploit Documentation - t/
- My Script Collection - er/
- Meterpreter Section of Mastering Metasploit Class pdf 9.pdf
- My blog in

Special Thanks To
– HD Moore
– Pauldotcom Crew: Paul, Larry, John, Mick

QUESTIONS?