Metasploit (part 2) Fundamentals
Video Activity
This video discusses Metasploit basics. Metasploit is a framework that can produce a wide variety of payloads for a given exploit, as long as the payload fits within the space the exploit provides; anything written for the target's operating system (Windows, in this case) usually works. This video also introduces the Exploit Database, a site that aggregates public exploits along with a few white papers.
Video Transcription
00:04
Now I want to start looking at a tool called Metasploit. We're going to use it extensively throughout the class, so I want to start with some of the basics of using Metasploit. We will come back to it; it was easier just to get the syntax down now
00:18
so we don't have to keep coming back to it throughout the class.
00:21
Let's start by taking a look at some of the source. We're going to use the free, open source edition of Metasploit. Let's go to /usr/share/metasploit-framework in Kali,
00:37
and if we do ls on this directory, we can see
00:40
our Metasploit programs as well as
00:44
the Metasploit modules. All of Metasploit is going to be in our modules.
00:50
If we go into the modules directory, we can see the different parts of Metasploit: the auxiliary modules, encoders, exploits, nops, payloads and post modules.
01:00
We will see all of these, except we're actually not going to work with the nops, particularly in this class. But we will see examples of some of the other modules. At any point, if we work with a certain module and you want to see its source code, you can just come into this directory
01:18
and go into the relevant folder and move down to the particular module. These are all written in the Ruby programming language. We may not be familiar with Ruby. We will actually take a look at a simple example of writing a Metasploit module towards the end of the course, when we do exploit development,
01:37
but primarily we won't really need to know
01:38
any Ruby
01:41
or really any of the nitty-gritty of how these work; we'll be able to use the Metasploit framework as is.
01:48
Again, we will take a quick example of
01:51
building our own module.
01:53
So, for example, we can go into, say, exploits. That's always going to be
02:00
broken down by platform, all of our platforms,
02:02
say Windows,
02:06
and under that, SMB,
02:13
and these are all our Windows SMB exploit modules. We have quite a few of them there.
02:19
The first example we're going to take a look at is many people's favorite, and unfortunately for the state of security, despite its age, one that comes up quite a lot on live pentests even today. We're going to look at this ms08_067_netapi.rb. The .rb is for Ruby.
02:38
Again, this is written in
02:40
the Ruby language.
02:43
We could take a look at it.
02:46
Again, just to use the Metasploit framework, you don't need to know much Ruby or, well, any Ruby.
02:53
But
02:53
again, if you ever want to see
02:55
what's really going on behind the scenes, you can look at
02:59
the module code. This one
03:02
may seem a little bit scary, but again, we will take a look at how to build at least a simple example of one of these modules in this class.
03:12
So let's actually pretend for a second that there is no Metasploit, that we have to do this without Metasploit or some other exploitation framework. There are others, like Canvas or
03:23
Core Impact.
03:25
Metasploit is just one example of an exploitation toolkit, or,
03:30
as we call it, a framework. Let's pretend they don't exist.
03:35
And we are tasked with exploiting this MS08-067 vulnerability that we have found on our pentest.
03:43
Naturally, your question might be: how do you know that that vulnerability is there
03:47
in our environment? And that's a very good question, and one that we will answer extensively throughout the course. But for now, for this one particular vulnerability, you can just believe me that it's there, so we can learn how to use Metasploit. There are several other vulnerabilities present, so you will have
04:05
plenty of chances to discover vulnerabilities, verify that they're there and then exploit them.
04:12
But again, for this case, let's just take my word for it, and I'll tell you that MS08-067 is, in fact, present on your Windows XP system.
04:23
So again, let's just pretend no Metasploit, no other exploitation toolkit. We have a couple of options. We can, as we have in our lab, set up
04:31
our own version of
04:33
our target, which in our case is going to be Windows XP Service Pack 3,
04:39
and
04:40
we can try and build an exploit for it manually.
04:44
That will require some skill on our part. We will have to figure out how to make a working exploit. That's something we're going to look at a little bit in this class, but it does take
04:56
a certain amount of time and effort to become a skilled exploit developer. And even with a certain amount of skill, it may take
05:01
a good deal of time to build a working exploit for a vulnerability, depending on the complexity of the vulnerability and how hard it is to exploit.
05:11
So we may be limited on the amount of time; our time may be better spent working on other vulnerabilities rather than building an exploit from scratch. It really just depends on how much time we have for our test
05:23
as well as how many other things we could be doing. It may not always be feasible to build it from scratch, also depending on what the target is. In this case it's just the operating system, and we can probably get a hold of that.
05:34
But it may be some proprietary system, some
05:39
system that costs a lot of money.
05:42
It may be more than we're getting paid for the test just to
05:45
buy the software to hopefully build an exploit for it, so cost may be a factor. It may just be so old that it may be impossible to get a
05:55
working version of it, so you may not always have that opportunity to even build it yourself if you want to.
06:01
So then we would have another option,
06:04
which would be to see if we can reuse some code on the Internet,
06:08
which
06:09
we always have to be a little bit wary of, unlike our tools like Metasploit. With that, everything is vetted to a large extent. You hopefully won't see anything in Metasploit that ever does anything
06:20
it doesn't claim to. I've never seen anything like that. There is a large group of
06:27
people who do go through all this code and vet it before it is allowed into the framework.
06:31
But not so with just any old thing out on the Internet.
06:35
If you've ever been on the Internet ever, you probably know that people can say whatever they want about anything. Same thing with code: they can put up code that does anything and say it does anything else. There have been some examples of exploits that have been put out online that
06:53
don't do at all what they say they're going to do. They exploit other systems,
06:57
like, say, I try and run an exploit against XP here on my Kali machine, and instead of exploiting the XP machine, it instead will attack my Kali system. Or it may in fact actually exploit the Windows XP machine like it says it will,
07:13
but then, instead of, say, giving us control of that system, it may just destroy it.
07:18
And certainly our clients wouldn't like that very much. We do have to be wary, but let's take a look at an example. I'm going to open up this Iceweasel browser, so that's the
07:30
the world with a
07:30
weasel on top of it.
07:33
It is a derivative of Firefox.
07:38
Let's just go to one of my favorites. There are others:
07:42
SecurityFocus, Packet Storm.
07:46
There are some other places to find them, but let's go to exploit-db.com, the Exploit Database. That is
07:51
the successor to the wildly popular milw0rm site.
07:56
This is just basically an aggregator of public exploits as well as some white papers,
08:03
and some other things as well.
08:05
But primarily it's a dumping ground for public exploits,
08:09
and again, you kind of have to be wary about what's on here. It may or may not be super malicious, so I would always encourage you to make sure you can read
08:22
everything on it. So let's just do a search.
08:24
The name is 08-067,
08:31
and see what comes up.
08:35
There seems to be a white paper here about the Conficker worm, which did use MS08-067.
08:43
So let's just go to the first one that seems to be an exploit.
08:48
All right, so here's an example of a public exploit. This is written in Python, my favorite programming language, so I might have a little
08:56
leg up here, in that
09:00
I can at least kind of read this and
09:03
hopefully be able to look up anything I don't understand. Again, I do
09:07
definitely encourage you to read the source code of anything that you get offline and make sure you do understand it all. But if there's anything you don't understand or can't understand, then replace it. For example,
09:20
here we have shellcode,
09:22
and then a lot of hexadecimal bytes after it. When I do live classes, I always ask anyone in the class if they could figure out exactly what it does, of course not cheating and reading the comment here that says
09:35
bind TCP,
09:37
port 4444. So it puts us in a kind of philosophical bind here, that I said Metasploit doesn't exist, but yet it says it used Metasploit to create the shellcode.
09:48
But, you know,
09:50
we could put that there even if it wasn't made by Metasploit, or even if it doesn't make a bind shell. Again, I can't really read that. Again, I always ask, can anybody read that and tell me what it does? I always say, if you can, you have a job. Of course, they would probably get much better job offers than I could give them
10:09
if they could in fact tell me what that does. Chances are it's probably encoded as well, so it would be very difficult for a human being to take that lump of hexadecimal and say, I know exactly what it does,
10:22
in human-readable format. So this would be something that, if I was working with this exploit, I would want to replace. We will, when we get into exploit development, see how we can replace this. We'll do an example of working with a public exploit like this,
10:39
so that would be something I would definitely want to take out and replace with shellcode that I trust.
10:46
And, you know, some stubs here as well, also things I can't read,
10:50
but primarily it looks like code that I could look up if I don't quite understand it. It seems to be talking SMB.
11:00
A little bit more weirdness here, but this is,
11:05
I believe,
11:05
working with the structure of the SMB packet, so that's something I could look up.
11:11
Primarily, it looks like the only thing I would really need to change is the shellcode pieces. I definitely want to make sure they are good.
11:20
And also, we are working with Windows XP Service Pack 3.
11:26
This particular exploit works against Windows 2000 and Windows 2003 Service Pack 2, so two targets, which is fairly rare among public exploits. They usually just work against one.
11:39
But neither of these targets is our target, so this may not work out of the box. We may have to change a few things, like a return address, and we'll get more into that when we do exploit development.
11:50
We'll build something quite like this ourselves.
11:54
So this may not work for us. We can always build our own lab and try it, as we have here. If we fail to exploit the system and make it go down in some way, we can always just restart it or restore from snapshot at worst.
12:07
But we certainly don't want to run this against a client without verifying that it works on their platform and doesn't do anything particularly malicious, only anything that we ask it to do.
12:20
So we would
12:22
have to make some changes to this. It's still going to take us a bit more time and effort.
12:28
Hence, enter Metasploit, where someone else has done the heavy lifting for us.
12:31
So we have a
12:33
few benefits with Metasploit. One being there is a lot of oversight with it. There are people whose job it is to look at Metasploit modules that are contributed
12:43
by the pentest community and make sure that they are all above board and do what they say they're going to do before they go into the framework.
12:52
Additionally, again, here we see only two targets. With Metasploit, they do a pretty good job of this: if the target is vulnerable, it is on the target list. The offsets, return address, et cetera, for it are in place, so you can just choose the correct
13:09
payload
13:11
and,
13:11
well, the correct target. I'm getting ahead of myself. Then there are also the payloads. Here we're stuck with
13:18
what claims to be a bind shell, or a shell that listens locally on port 4444. That is the default from that exploit: it will open up, in the case of Windows, a command shell, cmd.exe, and listen on a port, and then from our attack machine we would call back to it
13:35
with netcat or telnet, going to the
13:39
IP address of XP and port 4444, and when we connect, we would be presented with our command shell.
13:46
But we're limited to this particular payload unless we regenerate the shellcode, which we should,
13:52
but with Metasploit, we have a wide variety of payloads available to us. Anything that
13:58
is written for Windows we should be able to use, as long as it fits in the space. And we'll get to space for exploits when we do exploit development.
14:07
But we should have a few more options. We'll see that we do; we have lots of different things we could make it do,
14:15
so certainly a step up from this. We will see a couple of cases where we will have to work with public exploits, and again we'll
14:24
work with a lot ourselves during exploit development. But if we have the option, I always like to go for Metasploit.
14:31
So that is what we will do next. We will actually take a look at using Metasploit to exploit MS08-067 and not have to deal with any of the problems we would have here.