Episode65

From Paul's Security Weekly

Episode Media

mp3

Metasploit 3.0

The long-awaited Metasploit 3.0 has been released and has cool new stuff:

  • It is written in Ruby because 1) the Metasploit developers like it, 2) it supports cross-platform threads, and 3) it is very modular and object oriented. These are features that matter for a framework: when you exploit a host you may want to exploit another, each exploit can be a module, and so on. Python was not chosen, primarily because of its syntax annoyances.
  • Rex is a powerful library that operates with only the core Ruby libs and handles the socket wrapper and many networking protocols for you.
  • Ruby allows Metasploit to natively support OS X, Linux, and Windows. No more Cygwin, yeaaaaah!
  • A new daemon called "msfd" was added that lets you set up a central Metasploit console shared by several people: you telnet to the port and two or more people can use the framework independently. Be certain that each user picks different reverse shell ports, since two listeners cannot bind the same port.
  • It's even got cool stuff for fuzzing:

root@shinobi:/usr/local-beta/framework3/tools# ./pattern_create.rb 128

Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2

dos/wireless/fuzz_beacon Wireless Beacon Frame Fuzzer

dos/wireless/fuzz_proberesp Wireless Probe Response Frame Fuzzer

  • Wireless exploits, compliments of ruby-lorcon
  • Your target's memory is accessible from within a Ruby shell post-exploitation. This means you can write code on the fly to attack a host, pull credentials from memory, etc.
  • Pivoting is supported via the route command; however, it requires that you have already exploited a host and deployed a Meterpreter payload (Windows only).
  • You can import Nmap XML and Nessus NBE files and work with that data in Metasploit. So HOT! I really want to play with this more and see how extensible it is.
  • I did see the word "logging" a lot in the documentation, but not the word "report". It would be cool if someone would write an aux module to bring in all nmap/nessus data, exploit, then report.
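The pattern_create.rb output above is only half of the fuzzing workflow; the payoff comes when the crash value is looked up in the pattern with the companion pattern_offset.rb. The following is an added example written for these notes, not code from the Metasploit project: it re-implements the cyclic-pattern technique in Ruby and carries it through to the offset lookup, using a constructed stand-in for the vulnerable target (a 140-byte buffer followed by a saved return address) so the crash-to-offset round trip runs offline. The buffer size, the fuzzing step and the simulated target are assumptions made for the example, and unlike the console output above this generator truncates to exactly the requested length.

```ruby
# Added example (not Metasploit's own code): a minimal re-implementation of
# the cyclic-pattern technique behind tools/pattern_create.rb and
# tools/pattern_offset.rb, plus a simulated overflow so the whole
# crash -> offset workflow runs offline.

UPPER = ('A'..'Z').to_a
LOWER = ('a'..'z').to_a
DIGIT = ('0'..'9').to_a

# Build the "Aa0Aa1Aa2..." pattern. Every 3-byte triple is unique within the
# first 26*26*10 triples, so any 4-byte window identifies its position.
# Unlike the console output above, this truncates to exactly `length` bytes.
def pattern_create(length)
  buf = +''
  UPPER.each do |u|
    LOWER.each do |l|
      DIGIT.each do |d|
        buf << u << l << d
        return buf[0, length] if buf.length >= length
      end
    end
  end
  buf[0, length] # more than one full cycle was requested; pattern exhausted
end

# Locate a crash value in the pattern. Accepts either the raw bytes ("Ab1")
# or the 32-bit register value a debugger shows (e.g. EIP = 0x41306241);
# x86 is little-endian, so the integer form is packed with 'V'.
def pattern_offset(needle, length = UPPER.size * LOWER.size * DIGIT.size * 3)
  needle = [needle].pack('V') if needle.is_a?(Integer)
  pattern_create(length).index(needle)
end

# Stand-in for the vulnerable target (constructed for this example): a
# fixed-size stack buffer followed by a 4-byte saved return address. Returns
# the "EIP" value the overflow would leave behind, or nil if nothing crashed.
def simulate_crash(input, buffer_size = 140)
  return nil if input.length < buffer_size + 4
  input[buffer_size, 4].unpack1('V')
end

# Fuzzing loop in the spirit of the framework's fuzzers: grow the input until
# the target falls over, then report the length that did it, the EIP value,
# and where in the pattern that value sits (the overwrite offset).
def fuzz_until_crash(step: 50, max: 1000, buffer_size: 140)
  (step..max).step(step) do |len|
    eip = simulate_crash(pattern_create(len), buffer_size)
    return { length: len, eip: eip, offset: pattern_offset(eip) } if eip
  end
  nil
end

if __FILE__ == $PROGRAM_NAME
  puts pattern_create(128)
  r = fuzz_until_crash
  printf("crashed at length %d, EIP=0x%08x, offset into pattern=%d\n",
         r[:length], r[:eip], r[:offset])
end
```

Run it directly to see the 128-byte pattern followed by the simulated crash report; the reported offset (140) is exactly the number of bytes you would place before your own return address in a real exploit.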

Links

Metasploit Framework Home

MSF Documentation - Includes user guide, developers guide, API guides.

Meterpreter Doc

Autopwn Doc

A Fun Tutorial of Ruby - From ducksauze

Recent Articles

Interview with HD on 3.0

Metasploit Release Notes Blog Posting

Stories For Discussion

VoIP Security Tools - [Paul] - A good collection of resources for VoIP security, which is really another dimension that we, as security professionals, now need to deal with. It can't be ignored anymore... [Larry] - We mentioned this a little while back, but it is finally out now. Funny, Cisco just released some patches for VoIP vulns...

6-yr old PWNS UK House of Commons - [Larry] - Using a keylogger, and an unattended PC.

Ike-scan 1.8 Information Seepage - [Paul] - Remember when we talked about this tool? Well, Raul informed us that there was a phone-home feature, we told cutaway about it, and he volunteered to document and research it and did a fantastic job! He even got the scoop from the vendor, who has since removed the feature. I think it's important to send the message that we are watching for this stuff and you will be outed if your tool phones home.

SELinux response to Trusted Solaris - [Larry] - We mentioned the original article a few shows back, and Red Hat responded. Basically, Red Hat agreed that they are down different paths, and that Red Hat is not "Trusted" and probably never will be.

HACKING LOLZ - [Paul] - From the dark reading room article...

SANS Secure Coding - [Larry] - SANS announced their new Secure Coding initiative and courses. I think it is a step in the right direction, but not everyone will be going....

Hacking Car Nav Systems - [Paul] - "hacker Daniele Bianco built tools that let an attacker inject fake messages to the navigation system, or launch a denial-of-service attack." HOT, come to Butt-Head... "cause a denial-of-service (DOS) attack, which could crash not only a car's navigation system, but its climate control system, and stereo, too, he says." Okay, or, I send you to the middle of nowhere in the winter, turn off your heat, and blast "Feelin' Hot, Hot, Hot!" [Larry] - This is what happens when systems can take information from unauthorized/unauthenticated sources.

CanSecWest 07 PWN to OWN - [Larry] - Got the stones? If you can exploit the MBP, you get to keep it. Sure there are some specific rules, but what a great idea.

Metasploit 3.0 Released - [Paul] - I've been playing with 3.0 for quite some time and am glad to see it officially released. I now agree with the decision to move towards Ruby, and with LORCON supporting Ruby, it is now next on my list to pick up as a language. [Larry] - Not to mention, Ruby and LORCON support will allegedly make it better for Windows too.

Hacking RFID with SQL - [Larry] So, instead of hacking the RFID tech, go for the SQL backend...

More printer hacking fun - [Paul] - I tested this one and it works, crashed the ftp server on a printer. The exploit? try this: python /usr/lib/python2.3/ftplib.py -d [printer IP] -l -p `python -c 'print "A"*300'` [Larry] - Looks like the LIST and NLIST commands will have the same effect: see this too.

Secure IM - CarderIM - [Larry] - The "carders" didn't want to get caught, so they created their own secure IM. Hmm...signatures? Homegrown crypto?

Windows ANI vulnerability - [Larry] - IE 6 and 7 on XP SP2. Silent. Ouch.

Linksys WAG200G Information Disclosure - [Paul] - Send a packet to udp/916, and get all the passwords and keys. NICE!

Vista IPv6 Vulns - [Paul] - This is interesting because I believe that Vista and IPv6 are LARGELY untested and this is just the beginning.