2 min
Remote Keystroke Sniffing with Meterpreter
Earlier this afternoon, I committed some code
to allow keystroke sniffing through
Meterpreter sessions. This was implemented as set of new commands for the stdapi
extension of Meterpreter. Dark Operator, author of many great Meterpreter
scripts, already wrote a nice blog post describing how to use the new keystroke
sniffer, but I wanted to cover some of the internals and limitations as well.
The keyscan_start command spawns a new thread inside of the
3 min
VMWare, Virtual PC, and FDCC Images
Update: A couple folks
pointed out that the
VMWare Converter
automates most of the issues covered in this post.
On August 20th, 2007 NIST's Federal Desktop Core Configuration
project released its initial set of Windows virtual
machine images as a security reference. This set has been updated to consist of
Windows XP SP2 and
2 min
Metasploit Mass Exploitation for Dummies
One of the features added in the 3.2 release
of the Metasploit Framework
was the ability to restrict the db_autopwn command to specific ports and modules
matching a given regular expression. This feature can be used to run one or more
exploits against a specific range of hosts at the same time.
In the example below, we will demonstrate how to launch the MS08-067
exploit
against e
1 min
Metasploit DDoS Redux
The good news is that the DDoS against the Metasploit web servers has stopped,
the bad is that I won't have time to go into the details of the attack and the
mitigation methods until next week. All Metasploit services should be
operational again, please let me know if you find something broken. I would like
to thank everyone who offered us assistance during the attack, without their
help this would have been much more frustrating.
The bandwidth graph for the affected period can be seen below.
0 min
Pathetic DDoS vs Metasploit (Round 3)
The incoming connection rate has exceeded 15Mbps of just SYN packets, so we
decided to point www.metasploit.com and metasploit.com back to 127.0.0.1 for a
little while. This is more to keep our ISP happy than any fear of bandwidth
charges. We ran a packet capture of the incoming SYN traffic for about 8 hours;
it takes up approximately 60Gb of disk space. In the meantime, if you want to
access the Metasploit web site, please use:
https://www.metasploit.com/
Thanks!
-HD
0 min
Pathetic DDoS vs Metasploit (Round 2)
It looks like our little DDoS buddy got sent home from school early today --
the flood started up again, this time ignoring the DNS name for the
metasploit.com web site and instead targeting both IP addresses configured on
the server. While SSL service is still unaffected (including Online Update over
SVN), folks who wish to visit the Metasploit web site will need to do so using
an alternate port until we roll out the next countermeasure.
<We also host the main web server for Attack Research.
1 min
Metasploit Decloak v2 (UnAnonymizer)
The Metasploit Decloak Engine is now back
online with a handful of new updates and bug fixes. Decloak identifies the real
IP address of a web user, regardless of proxy settings, using a combination of
client-side technologies and custom services. The first version was announced in
June of 2006
and
was eventually made obsolete by changes to the Flash plugin and improvements in
the Tor
4 min
MS08-068: Metasploit and SMB Relay
Today, Microsoft released bulletin MS08-068, which addresses a well-known flaw
in the SMB authentication protocol. This attack was first publicly documented by
Sir Dystic during @tlantacon in 2001 and implemented in Metasploit 3 in July of
2007. The attack abuses a design flaw in how SMB/NTLM authentication is
implemented and works as follows.
The SMB client tries to access a remote SMB service on an attacker's machine. A
user can be forced to access the SMB resource if they are running Intern
3 min
Metasploit 3.2 BSD Licensing
The slides from the talk egypt and I gave at SecTOR 2008 are now online
. One of the highlights was a
change in licensing -- instead of the existing EULA-like license, the 3.2
release will be provided under the 3-clause BSD license. The text below is an
extended version of a rant I shared with Kelly Jackson Higgins over at Dark
Reading .
The original version of Metasploit (1.0 and
1 min
Metasploit (2**5/10.0)
Silence can mean one of two things - the project is dead, or we are working on
some really big things and aren't quite ready to announce them. Well, the
project is not dead In the next two weeks, some major changes will be announced
that cover the source code, development team, and licensing of the Metasploit
Framework. Folks who have been following the development tree may not be
suprised, but we are taking some giant steps forward from the 3.1 release.
In the meantime, users should stay away
1 min
Improved WinDBG opcode searching
Goaded by some coworkers about the opcode searching functionality of windbg
prompted me to add a new option to jutsu today: searchOpcode
You can search for sets of instructions in conjunction, it will assemble them,
providing you the machine code, then search for the instructions in executable
memory. Instructions are delimited by pipes. I plan to add some limited wildcard
functionality in the near future as well.
0:000> !jutsu searchOpcode pop ecx | pop ecx | ret
Searching for:
> pop e
1 min
Byakugan WinDBG Plugin Released!
Today, HD merged in an amalgamation of windbg tools and plugins with a funny
name into the main metasploit tree. We've been working on this collection for
awhile now, and currently it represents (I think) a good step towards turning
windbg from simply a good debugger into a powerful platform for exploit
development.
The work that's currently released includes:
tenketsu - the vista heap emulator/visualizer which allows you to track how
input to a program effects the heap in real time.
jutsu
1 min
Karmetasploit Wireless Fun
I just posted the first public documentation on Karmetasploit. This project is
a combination of Dino Dai Zovi and Shane Macaulay's KARMA
and the Metasploit Framework. The
result is an extremely effective way to absorb information and remote shells
from the wireless-enabled machines around you. This first version is still a
proof-of-concept, but it already has an impressive feature list:
- Capture POP3 and IMAP4 passwords (clear-text and SSL)
- Accept
4 min
DNS Attacks in the Wild
In a recent conversation with Robert McMillan (IDG), I described a in-the-wild
attack against one of AT&T's DNS cache servers, specifically one that was
configured as an upstream forwarder for an internal DNS machine at BreakingPoint
Systems. The attackers had replaced the cache entry for www.google.com with a
web page that loaded advertisements hidden inside an iframe. This attack
affected anyone in the Austin, Texas region using that AT&T Internet Services
(previously SBC) DNS server. The att
1 min
Evilgrade Will Destroy Us All
Francisco Amato of Infobyte Security Research just
announced ISR-evilgrade v1.0.0 , a
toolkit for exploiting products which perform online updates in an insecure
fashion. This tool works in conjunction with man-in-the-middle techniques (DNS,
ARP, DHCP, etc) to exploit a wide variety applications. The demonstration video
uses the CAU/Metasploit DNS
exploit