Posts by Egypt

4 min Metasploit

Metasploit Wrapup

It has been an intense couple of weeks in infosec since the last Wrapup and we've got some cool things for you in the latest update.

Hacking like No Such Agency

I'll admit I was wrong. For several years, I've been saying we'll never see another bug like MS08-067 [https://www.rapid7.com/db/modules/exploit/windows/smb/ms08_067_netapi], a full remote hole in a default Windows service. While I'm not yet convinced that MS17-010 will reach the same scale as MS08-067 did, EternalBlue [https://www.rapi

3 min Metasploit

Metasploit Wrapup

Faster, Meterpreter, KILL! KILL!

You can now search for and kill processes by name in Meterpreter with the new pgrep and pkill commands. They both have flags similar to the older ps command, allowing you to filter by architecture (-a), user (-u), or to show only child processes of the current session's process (-c). We've also added a -x flag to find processes with an exact match instead of a regex, if you're into that.

Fun with radiation

Craig Smith has been killing it lately with all his h

2 min Metasploit

Metasploit, Google Summer of Code, and You!

Spend the summer with Metasploit

I'm proud to announce that the Metasploit Project has been accepted as a mentor organization in the Google Summer of Code! For those unfamiliar with the program, their about page [https://summerofcode.withgoogle.com/about/] sums it up nicely:

> Google Summer of Code is a global program focused on introducing students to open source software development. Students work on a 3 month programming project with an open source organization during their break from univer

6 min Android

Weekly Metasploit Wrapup

Welcome back to the Metasploit Weekly Wrapup! It's been a while since the last one, so quite a bit has happened in that time including 75 Pull Requests.

Stageless mettle

The rewrite of meterpreter for POSIX systems, mettle, now supports a stageless mode. You can now build standalone static executables for almost a dozen architectures and run them on everything from small home routers to cell phones to servers and mainframes. It can also take its configuration from the command line, so you don't

3 min Metasploit Weekly Wrapup

Weekly Metasploit Wrapup

Taking Care of Universal Business: the Handler's Tale

With a few exceptions, payloads have to have a handler. That's the guy who waits with the car while your exploit runs into the liquor store. To run an exploit module, we have to select and configure a payload first. In some cases, Metasploit can do this for you automatically, by just guessing that you probably wanted the best payload for the target platform and architecture. Once the payload is set up, we have to have a way to talk to it --

2 min Metasploit

Metasploit Wrapup

Finding stuff

For a very long time, msfconsole's search command has used a union of the results of all search terms. This means that if you do something like search linux firefox, you'll get a list of all modules that mention linux, regardless of the application they target, and all modules that mention firefox, regardless of their platform. Most people are probably expecting the intersection, i.e. you probably wanted to see only the modules that target Firefox on Linux. So now that's what happe

1 min Metasploit

Metasploit Weekly Wrapup

Terminal velocity

The terminal/shell interface has been around for decades and has a rich and storied history. Readline is the main library for shells like msfconsole to deal with that interface, but it's also possible for commandline tools to print ANSI escape sequences that the terminal treats specially. When a shell like msfconsole has asynchronous output going to the terminal at unpredictable times, such as when a new session connects, that output can clobber the current prompt. That makes

2 min Metasploit

Metasploit Wrapup

Everything old is new again

As you probably already know, hardware manufacturers are not always great at security. Today we'll be picking on Netgear, who produce a WiFi router called the WNR2200 [http://www.netgear.com/home/products/networking/wifi-routers/wnr2200.aspx]. This cute little device, brand new out of the box on store shelves today, runs Linux 2.6.15 with Samba 3.0.24. For those of you keeping score at home, those versions were released in 2007. Way back in 2007, Samba had a pre-auth

3 min Metasploit Weekly Wrapup

Weekly Metasploit Wrapup

What time is it?

If you want to run some scheduled task, either with schtasks or cron, you have to decide when to run that task. In both cases, the schedule is based on what time it is according to the victim system, so when you make that decision, it's super helpful to know what the victim thinks the current time is. As of #7435 [https://github.com/rapid7/metasploit-framework/pull/7435], Meterpreter has a localtime command that gives you that information and then it's peanut butter jelly time.

2 min AWS

Weekly Metasploit Wrapup

Silence is golden

Taking screenshots of compromised systems can give you a lot of information that might otherwise not be readily available. Screenshots can also add a bit of extra spice to what might be an otherwise dry report. For better or worse, showing people that you have a shell on their system often doesn't have much impact. Showing people screenshots of their desktop can evoke a visceral reaction that can't be ignored. Plus, it's always hilarious seeing Microsoft Outlook open to the phi

3 min Metasploit Weekly Wrapup

Weekly Metasploit Wrapup

Extra Usability

Commandline tools in general are powerful, but come with a learning curve. When you've been using a tool for a long time, that curve becomes a status quo that embeds itself in your fingers. That isn't always a good thing because it tends to make you blind to how things can be better and it takes an effort of introspection to notice inefficiencies. Even then, you weigh those inefficiencies against the effort required to improve. An example of that is msfconsole's route command, w

2 min Metasploit Weekly Wrapup

Weekly Metasploit Wrapup

Security is hard

I usually focus exclusively on the Metasploit Framework here on these wrapups, but this week is a little special. This week the Metasploit commercial products (Pro, Express, and Community) come with a fix for a couple of vulnerabilities. You heard that right, remotely exploitable vulns in Metasploit. Our lovely engineering manager, Brent Cook, helpfully wrote up the details [/2016/09/15/important-security-fixes-in-metasploit-4120-2016091401] yesterday. TL;DR - Three bugs, two o

2 min Metasploit Weekly Wrapup

Weekly Metasploit Wrapup

PHP Shells Rising from the Flames

Phoenix Exploit Kit is your standard run-of-the-mill crimeware system, written in PHP, whose creator apparently got popped by the FSB earlier this year [http://krebsonsecurity.com/tag/phoenix-exploit-kit/]. Like many exploit kits, it has a back door, this one allowing you to eval whatever PHP code you like by sending it in a GET parameter (subtly named 'bdr'). Of course running arbitrary PHP allows us control of the underlying operating system to various degrees

2 min Metasploit Weekly Wrapup

Weekly Metasploit Wrapup

Windows Privilege Escalation

In the long long ago, Windows users pretty much universally had local Administrator accounts. While that's still true in less mature environments, I think we have done a pretty good job as an industry of convincing folks to reduce users' privileges. Back in those days, privilege escalation exploits weren't all that useful because every exploit, executable, and Word macro already gave you the highest privileges. Today that's less true. Even worse for the enterprising

3 min Metasploit

Weekly Metasploit Wrapup

House keeping

Since the last Wrapup, we've been continuing our long-running project of breaking up some of the old cobweb-encrusted parts of the framework codebase into smaller pieces that are easier to deal with. A few things, lib/sshkey and lib/bit-struct in particular, that for historical reasons were just slightly modified copies of a gem, have been pulled out entirely in favor of the upstream release. A bunch of other things have been pulled out into their own repositories, making the whole