Presentation is loading. Please wait.

Presentation is loading. Please wait.

Tactical Meterpreter Scripting Carlos PerezDarkoperatorCarlos_perez[at]darkoperator.com DarkoperatorCarlos_perez[at]darkoperator.com.

Published byGabriella Miller Modified over 8 years ago

Similar presentations

Presentation on theme: "Tactical Meterpreter Scripting Carlos PerezDarkoperatorCarlos_perez[at]darkoperator.com DarkoperatorCarlos_perez[at]darkoperator.com."— Presentation transcript:

1 Tactical Meterpreter Scripting Carlos PerezDarkoperatorCarlos_perez[at]darkoperator.com DarkoperatorCarlos_perez[at]darkoperator.com

2 Who am I Member of Pauldotcom http://pauldotcom.com Member of Metasploit Project Owner of web site “Shell is Only the Beginning” at http://www.darkoperator.com Solution Architect by day to pay the bills Member of Pauldotcom http://pauldotcom.com Member of Metasploit Project Owner of web site “Shell is Only the Beginning” at http://www.darkoperator.com Solution Architect by day to pay the bills

3 What we will Cover Pointer for automating post exploitation. Making sure we run the right task on the right target with the right permissions Going beyond the standard Meterpreter API. Pointer for automating post exploitation. Making sure we run the right task on the right target with the right permissions Going beyond the standard Meterpreter API.

4 Advantages Stealthy – No disk access and no new process – Limited forensic evidence and impact – User Reflective DLL Injection – Uses Windows Native API Powerful – Channelized communication system – Encrypted channel with SSL – TLV protocol has few limitations Extensible – Runtime feature augmentation – New features without rebuilding Stealthy – No disk access and no new process – Limited forensic evidence and impact – User Reflective DLL Injection – Uses Windows Native API Powerful – Channelized communication system – Encrypted channel with SSL – TLV protocol has few limitations Extensible – Runtime feature augmentation – New features without rebuilding

5 Built-In Extensions Stdapi – Provides “unix-like” tools for the Windows platform – Manipulate file system, registry, network, processes, upload/Download files... – Automatically loaded when Meterpreter starts Priv – Provides in-memory pwdump alternative – Includes timestomp for anti-forensics work Incognito – Utilities for finding and hijacking security tokens Stdapi – Provides “unix-like” tools for the Windows platform – Manipulate file system, registry, network, processes, upload/Download files... – Automatically loaded when Meterpreter starts Priv – Provides in-memory pwdump alternative – Includes timestomp for anti-forensics work Incognito – Utilities for finding and hijacking security tokens

6 Scripting Meterpreter takes advantage of most of the Metasploit Framework API Not limited available API alone – Use of Windows Command Line Tools – Upload of Necessary Tools – Use of Windows own scripting capabilities Scripts can be run upon session creation Meterpreter takes advantage of most of the Metasploit Framework API Not limited available API alone – Use of Windows Command Line Tools – Upload of Necessary Tools – Use of Windows own scripting capabilities Scripts can be run upon session creation

7 Think Tactically Not all versions of Windows are the same in shell System is not the same as Local User or Domain User Use Environment Variables Use Random Names for any files created on target host Check for countermeasures Cleanup after your self Use Functions so as to keep code reusable Manage Exceptions Not all versions of Windows are the same in shell System is not the same as Local User or Domain User Use Environment Variables Use Random Names for any files created on target host Check for countermeasures Cleanup after your self Use Functions so as to keep code reusable Manage Exceptions

8 Versions of Windows Availability of commands Different Countermeasures Features installed Location of Files Different switches of commands Use client.sys.config.sysinfo[‘OS’] for OS version Availability of commands Different Countermeasures Features installed Location of Files Different switches of commands Use client.sys.config.sysinfo[‘OS’] for OS version

9 Level of Access Newer versions of Windows limits access to Administrator Administrator != System – Incognito (Vista, Windows 7 and Win2k8) – Hashdump (Vista, Win7 and Win2k8) Domain access is some times is better than System Newer versions of Windows limits access to Administrator Administrator != System – Incognito (Vista, Windows 7 and Win2k8) – Hashdump (Vista, Win7 and Win2k8) Domain access is some times is better than System

10 Checking for Right Permission and OS We execute according to target and privilege

11 Use Environment Variables Useful for enumeration Counter security thru obscurity Find best location to store files Use client.fs.file.expand_path(“varname”) to expand an environment variable Use variable with cmd /c when executing commands Useful for enumeration Counter security thru obscurity Find best location to store files Use client.fs.file.expand_path(“varname”) to expand an environment variable Use variable with cmd /c when executing commands

12 When uploading or creating files use random names for files. – Prevents overwriting by several instances of a script running – Offensive by obscurity Use the ruby rand function for creating random numbers for file names When uploading or creating files use random names for files. – Prevents overwriting by several instances of a script running – Offensive by obscurity Use the ruby rand function for creating random numbers for file names Do not use Static Naming

13 Execution of WMIC

14 Check for Countermeasures We make sure we get a unique and useful name Check for presence of AV/HIPS/Firewalls If setting a listener check for Windows Firewall Mode Check for UAC Check Policy Settings * Check checkcountermeasures script Check for presence of AV/HIPS/Firewalls If setting a listener check for Windows Firewall Mode Check for UAC Check Policy Settings * Check checkcountermeasures script

15 Check for UAC

16 Clean Up Reusable Code Delete any Uploaded File Clear the Eventlog log = client.sys. eventlog.open('security') log. clear Change MACE on Files – Copy MACE of Another File – Clear MACE of file or directory Kill any processes not needed Delete any Uploaded File Clear the Eventlog log = client.sys. eventlog.open('security') log. clear Change MACE on Files – Copy MACE of Another File – Clear MACE of file or directory Kill any processes not needed

17 Clear Event Logs

18 Change MACE

19 Some Final Recommendations Build a good lab for testing with different scenarios Test in as many versions of Windows as Possible Make sure your code is compatible with Ruby 1.9 for future compatibility Build a good lab for testing with different scenarios Test in as many versions of Windows as Possible Make sure your code is compatible with Ruby 1.9 for future compatibility

20 Reference Metasploit Documentations - http://metasploit.com/framework/suppor t/ http://metasploit.com/framework/suppor t/ My Script Collection - http://www.darkoperator.com/meterpret er/ http://www.darkoperator.com/meterpret er/ Meterpreter Section of Mastering Metasploit Class - https://metasploit.com/metasploit_bh200 9.pdf https://metasploit.com/metasploit_bh200 9.pdf My blog in http://www.darkoperator.comhttp://www.darkoperator.com Metasploit Documentations - http://metasploit.com/framework/suppor t/ http://metasploit.com/framework/suppor t/ My Script Collection - http://www.darkoperator.com/meterpret er/ http://www.darkoperator.com/meterpret er/ Meterpreter Section of Mastering Metasploit Class - https://metasploit.com/metasploit_bh200 9.pdf https://metasploit.com/metasploit_bh200 9.pdf My blog in http://www.darkoperator.comhttp://www.darkoperator.com

21 Special Thanks To – HD Moore – Pauldotcom Crew Paul Larry John Mick – HD Moore – Pauldotcom Crew Paul Larry John Mick

22 QUESTIONS?

Download ppt "Tactical Meterpreter Scripting Carlos PerezDarkoperatorCarlos_perez[at]darkoperator.com DarkoperatorCarlos_perez[at]darkoperator.com."

Similar presentations

© University of Reading 2007www.reading.ac.uk Huw Wright - IT Services Vista Deployment.

© University of Reading 2007www.reading.ac.uk Huw Wright - IT Services Vista Deployment.
IP ADDRESS MANAGEMENT [IPAM]

IP ADDRESS MANAGEMENT [IPAM]
® IBM Software Group © 2010 IBM Corporation What’s New in Profiling & Code Coverage RAD V8 April 21, 2011 Kathy Chan

® IBM Software Group © 2010 IBM Corporation What’s New in Profiling & Code Coverage RAD V8 April 21, 2011 Kathy Chan
Lesson 17: Configuring Security Policies

Lesson 17: Configuring Security Policies
SOFTWARE PRESENTATION ODMS (OPEN SOURCE DOCUMENT MANAGEMENT SYSTEM)

SOFTWARE PRESENTATION ODMS (OPEN SOURCE DOCUMENT MANAGEMENT SYSTEM)
A Complete Tool For System Penetration Testing Presented By:- Mahesh Kumar Sharma B.Tech IV Year Computer Science Roll No. :- CS09047.

A Complete Tool For System Penetration Testing Presented By:- Mahesh Kumar Sharma B.Tech IV Year Computer Science Roll No. :- CS09047.
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.

Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.
Code Access Security vs. Role-Based Security  RBS  Security identity attached to user accounts  Access to resources specified according to user’s group.

Code Access Security vs. Role-Based Security  RBS  Security identity attached to user accounts  Access to resources specified according to user’s group.
Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 6: Operating Systems and Data Transmission Basics for Digital Investigations.

Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 6: Operating Systems and Data Transmission Basics for Digital Investigations.
Chapter 6: Configuring Security. Group Policy and LGPO Setting Options Software Installation not available with LGPOs Remote Installation Services Scripts.

Chapter 6: Configuring Security. Group Policy and LGPO Setting Options Software Installation not available with LGPOs Remote Installation Services Scripts.
Hands-On Microsoft Windows Server 2003 Chapter 2 Installing Windows Server 2003, Standard Edition.

Hands-On Microsoft Windows Server 2003 Chapter 2 Installing Windows Server 2003, Standard Edition.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Server Administration.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Server Administration.
Installing Windows XP Professional Using Attended Installation Slide 1 of 41Session 2 Ver. 1.0 CompTIA A+ Certification: A Comprehensive Approach for all.

Installing Windows XP Professional Using Attended Installation Slide 1 of 41Session 2 Ver. 1.0 CompTIA A+ Certification: A Comprehensive Approach for all.
Maintaining Windows Server 2008 File Services

Maintaining Windows Server 2008 File Services
11 WORKING WITH COMPUTER ACCOUNTS Chapter 8. Chapter 8: WORKING WITH COMPUTER ACCOUNTS2 CHAPTER OVERVIEW Describe the process of adding a computer to.

11 WORKING WITH COMPUTER ACCOUNTS Chapter 8. Chapter 8: WORKING WITH COMPUTER ACCOUNTS2 CHAPTER OVERVIEW Describe the process of adding a computer to.
1 Chapter Overview Creating User and Computer Objects Maintaining User Accounts Creating User Profiles.

1 Chapter Overview Creating User and Computer Objects Maintaining User Accounts Creating User Profiles.
Mastering Windows Network Forensics and Investigation Chapter 14: Other Audit Events.

Mastering Windows Network Forensics and Investigation Chapter 14: Other Audit Events.
Chapter 8 Hardening Your SQL Server Instance. Hardening  Hardening The process of making your SQL Server Instance more secure  New features Policy based.

Chapter 8 Hardening Your SQL Server Instance. Hardening  Hardening The process of making your SQL Server Instance more secure  New features Policy based.
Chapter-4 Windows 2000 Professional Win2K Professional provides a very usable interface and was designed for use in the desktop PC. Microsoft server system.

Chapter-4 Windows 2000 Professional Win2K Professional provides a very usable interface and was designed for use in the desktop PC. Microsoft server system.

Similar presentations

Ads by Google