Posts by David Maloney

4 min Metasploit

Introducing RubySMB: The Protocol Library Nobody Else Wanted To Write

The Server Message Block (SMB) protocol family is arguably one of the most important network protocols to be conversant in as a security professional. It carries the capability for File and Print Sharing, remote process execution, and an entire system of Named Pipes that serve as access points to any number of services running on a machine, such as Microsoft SQL Server. For users of Metasploit [], they will know SMB as the protocol used for PSExec [https:/

4 min

Replacing Pedantry with Positive Interaction

The recent vBulletin hack is the most recent case of a compromise being labeled as a ‘sophisticated attack.' Predictably, the internet exploded with people complaining about this label, stating that it was just SQL Injection. The same thing occurred with the news of the TalkTalk breach. Before that, the Playstation Network breach comes to mind, although there have surely been many in between. I will issue my mea culpa right now. I have publically blasted people for this in the past. But today I

5 min Metasploit

Safely Dumping Domain Hashes, with Meterpreter

UPDATE: It has been pointed out that there is prior work worth noting. This blog post [] by Damon Cortesi [] talked about using Volume Shadow Copy to get the SAM file back in 2005. As with all things in our Industry, we stand on the shoulders of those who came before us. We would certainly not want to take away from anyone else's previous work and accomplishments. Dumping the stored password

9 min Metasploit

12 Days of HaXmas: Buffer Overflows Come and Go, Bad Passwords are Forever

This post is the fourth in a series, 12 Days of HaXmas, where we take a look at some of more notable advancements and events in the Metasploit Framework over the course of 2014. This summer, the Metasploit team began the large undertaking of reworking credentials throughout the project. Metasploit, as you already know, began as a collection of traditional exploits. Over the years it has grown into much more than that. Credentials were first introduced into Metasploit in the form of Auxiliary Sc

7 min Metasploit

PSExec Demystified

Multiple modules inside the Metasploit Framework bear the title PSExec, which may be confusing to some users. When someone simply refers to “the PSExec module”, they typically mean exploit/windows/smb/psexec, the original PSExec module. Other modules are more recent additions, and make use of the PSExec technique in other ways. Here's a quick overview of what these modules are for: Metasploit Module Purpose Comment exploit/windows/smb/psexec Evading anti-virus detection Service EXE

8 min Metasploit

The Odd Couple: Metasploit and Antivirus Solutions

I hear a lot of questions concerning antivirus evasion with Metasploit, so I'd like to share some the information critical to understanding this problem. This blog post is not designed to give you surefire antivirus (AV) evasion techniques, but rather to help you understand the fundamentals of the issue. A Quick Glossary Before we begin, let's define a few terms. This will be important for understanding some of the things we will discuss. Payload: A payload is the actual code that is being del

6 min Metasploit

Abusing Windows Remote Management (WinRM) with Metasploit

Late one night at Derbycon [], Mubix [] and I were discussing various techniques of mass ownage. When Mubix told me about the WinRM service, I wondered: "Why don't we have any Metasploit modules for this yet?" After I got back , I began digging. WinRM/WinRS WinRM is a remote management service for Windows that is installed but not enabled by default in Windows XP and higher versions, but you can install it on older operating systems as well. Win

8 min Metasploit

Recon, Wireless, and Password Cracking

The Metasploit Framework continues to grow and expand with the support of the community. There have been many new features added to the Metasploit Framework over the past month. I am very excited to be able to share some of these new developments with you. Mubix's Recon Modules Mubix's post-exploitation modules form his Derbycon talk are now in the repository. The resolve_hostname module, originally called 'Dig', will take a given hostname and resolve the IP address for that host from the windo