Posts by Egypt

3 min Authentication

Weekly Metasploit Wrapup

Steal all the passwords I talk a lot about Authenticated Code Execution, but of course that's not the only thing that authenticated access can get you. This week's update comes with a couple of modules for using known credentials to extract more credentials. The first is for Symantec Brightmail, an email filtering gateway that comes with a management interface for administrators. Any account with read access is allowed to look at the encrypted LDAP credentials stored in Brightmail. Fortunately f

2 min Metasploit Weekly Wrapup

Weekly Metasploit Wrapup

Check the computer, the mainframe computer This week's update comes with our first ever exploit module for z/OS, the operating system used by mainframes, from our friend Bigendian Smalls [https://twitter.com/bigendiansmalls] who also built the payloads. The module in question is an example of authenticated code execution by design [/2016/01/03/12-days-of-haxmas-authenticated-code-execution-by-design], which takes advantage of a design feature allowing users to submit jobs via uploading files to

2 min Metasploit Weekly Wrapup

Weekly Metasploit Wrapup

Resolve, v. transitive Sometimes the biggest things that make working with a tool fun are the small things. One of those things is the recent addition of a resolve command for Meterpreter. It does what it sounds like: it resolves a hostname to an IP address on the victim system, taking advantage of the local DNS. Of course, that's not a huge thing, but it is pretty convenient. Strut, v. intransitive This update also comes with a fun exploit for Apache Struts, a web framework for webby things. I

1 min Metasploit Weekly Wrapup

Weekly Metasploit Wrapup

I did some security research on industrial control systems for a while. It was a fun and rewarding experience in which I found tons of usually very simple bugs. Security in that sector was nascent, with the technology being brought forward from the dark ages of everything being on serial. Things are a bit different today, in no small part due to the fine work of many security researchers convincing vendors to step up their game and buyers learning how to ask the right questions before a purchase

2 min Metasploit Weekly Wrapup

Weekly Metasploit Wrapup

(In)security Appliances IT management is a tough job with lots of moving parts. To deal with that reality, IT administrators use a lot of tools and automation to help keep an eye on all the devices they are responsible for, some custom, some off the shelf, and some big-box enterprisy stuff. What the sales rep won't tell you, though, is that every line of code you add to your network is more complexity. And as complexity increases, so does the risk of bugs. I made you a handy graph to illustrate

2 min Metasploit Weekly Wrapup

Weekly Metasploit Wrapup

Meterpreter Unicode Improvements Pentesting in places where English is not the primary language can sometimes be troublesome. With this week's update, it's a little bit easier. After Brent's work making Meterpreter's registry system support UTF-8, you can now do things like use the venerable post/windows/gather/hashdump to steal hashes and other attributes of local users whose username contains non-ascii characters, e.g.: msf > use post/windows/gather/hashdump msf post(hashdump) > setg sessio

1 min Python

The Foam Goes Straight to Your Brain

Yesterday, we announced the availability of a PowerShell extension for Meterpreter [/2016/03/31/weekly-metasploit-wrapup], primarily as a toy for laughs because no one would seriously consider using it for anything important. But today? Today we've got a real treat for you. For serious programmers and serious pentesters, what you really want is a serious language. Something with the power of a Turing Machine and the readability of raw bytecode. Something beautiful and subtle, like a chainsaw. S

3 min Release Notes

Weekly Metasploit Wrapup

PowerShell? In my Meterpreter? It's more likely than you think! Hot on the heels of his fantastic Python extension, the legendary OJ Reeves has once again busted out an awesome new ability for post-exploitation, this time by putting a fully functional PowerShell inside your native Windows Meterpreter sessions. Unlike the Python extension, which uploads an embedded interpreter, the new PowerShell extension loads the .NET runtime from the victim system. There's a lot of polish and more work to b

2 min Android

Weekly Metasploit Wrapup

A little entropy goes a long way Meterpreter can communicate via straight TCP or over HTTP(S), but whatever the transport, the protocol is pretty much the same. It uses what is called a TLV protocol, for Type-Length-Value [https://en.wikipedia.org/wiki/Type-length-value]. In truth, meterpreter actually does it in a different order: Length, Type, Value. Each meterpreter packet is a collection of TLVs and is itself a TLV. That makes it so you can skip over a type or even a whole packet without hav
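The framing that excerpt describes, as an added example that is not Metasploit's own code: a minimal Ruby encoder and decoder for Length-Type-Value records, where a packet is itself a TLV whose value is a list of child TLVs. The field widths (32-bit big-endian length that counts the 8-byte header, then a 32-bit type) follow Meterpreter's wire format; the type constants and the `decode_packet`/`demo` helpers are invented for the example. The point it shows is the one in the excerpt: because every record carries its own length, a reader can step over a type it does not understand, or a whole nested packet, without knowing anything about the contents.

```ruby
# Added example, not Metasploit's code. Length-Type-Value framing with
# Meterpreter's field widths: 4-byte big-endian length (counting this
# 8-byte header), 4-byte big-endian type, then the value bytes.
TLV_HEADER_LEN = 8

# Illustrative type identifiers, assumed for this example only.
TLV_TYPE_STRING  = 0x0001
TLV_TYPE_UINT    = 0x0002
TLV_TYPE_PACKET  = 0x0010  # value is itself a list of TLVs
TLV_TYPE_UNKNOWN = 0x00FF  # a type this decoder does not understand

def encode_tlv(type, value)
  [value.bytesize + TLV_HEADER_LEN, type].pack('NN') + value
end

def encode_uint(type, n)
  encode_tlv(type, [n].pack('N'))
end

# A packet is a TLV whose value is the concatenation of its children.
def encode_packet(type, children)
  encode_tlv(type, children.join)
end

# Walk a buffer of concatenated TLVs, yielding [type, value] for each.
# The length field is what lets us skip any record, known or not. Lengths
# shorter than the header would never advance, so they are rejected.
def each_tlv(buf)
  return enum_for(:each_tlv, buf) unless block_given?
  off = 0
  while off < buf.bytesize
    raise 'truncated TLV header' if buf.bytesize - off < TLV_HEADER_LEN
    len, type = buf.byteslice(off, TLV_HEADER_LEN).unpack('NN')
    raise "bad TLV length #{len}" if len < TLV_HEADER_LEN
    raise 'truncated TLV value' if off + len > buf.bytesize
    yield type, buf.byteslice(off + TLV_HEADER_LEN, len - TLV_HEADER_LEN)
    off += len
  end
end

# Decode a buffer of TLVs into nested arrays, recursing into packets and
# recording (rather than failing on) types we do not know.
def decode_packet(buf)
  out = []
  each_tlv(buf) do |type, value|
    case type
    when TLV_TYPE_STRING then out << [:string, value]
    when TLV_TYPE_UINT   then out << [:uint, value.unpack1('N')]
    when TLV_TYPE_PACKET then out << [:packet, decode_packet(value)]
    else                      out << [:skipped, type]
    end
  end
  out
end

# Constructed sample: an outer packet holding a string, an unknown record
# that must be stepped over, and a nested packet holding an integer.
def demo
  inner = encode_packet(TLV_TYPE_PACKET, [encode_uint(TLV_TYPE_UINT, 0xdead)])
  pkt = encode_packet(TLV_TYPE_PACKET, [
    encode_tlv(TLV_TYPE_STRING, 'hello'.b),
    encode_tlv(TLV_TYPE_UNKNOWN, "\x00".b * 13),
    inner,
  ])
  decode_packet(pkt)
end

p demo if __FILE__ == $PROGRAM_NAME
```

The two length checks in `each_tlv` are the part worth copying: a decoder that trusts the length field without bounding it against the buffer, or without requiring it to be at least the header size, will either read past the end of the packet or spin forever on a zero-length record.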

2 min Release Notes

Weekly Metasploit Wrapup

I'm not your mother, clean up after yourself. An old friend of mine, axis2deployer [https://www.rapid7.com/db/modules/exploit/multi/http/axis2_deployer], is a fun authenticated code execution [/2016/01/03/12-days-of-haxmas-authenticated-code-execution-by-design] module that takes advantage of Axis2's ability to deploy new applications on a web server. It used to be a messy friend, leaving its files all over the living room floor for you to clean up manually. As of #6457 [https://github.com/rapi

2 min Release Notes

Weekly Metasploit Wrapup

Aaaaaand we're back! Last week was the first weekly update of the year and it comes with some super fun stuff. Tunneling The latest update allows you to tunnel reverse_tcp sessions over a compromised machine in a slightly less painful way. There is now a new datastore option, ReverseListenerComm, which lets you tell a Meterpreter session to tunnel connections back to your payload handler. Here's an example run to give you the idea: msf exploit(payload_inject) > show options Module options (e

6 min Haxmas

12 Days of Haxmas: Authenticated Code Execution by Design

This post is the tenth in the series, "The 12 Days of HaXmas." What's your favorite exploit? My favorite exploit is not an exploit at all. It's authenticated code execution by design. As an attacker, what you're really looking for is the ability to control a system in all the same ways that a system's normal users and administrators do. Administrators need to examine attributes of the system such as the users that log into it, the software installed on it, the services running on it, and most

1 min Metasploit Weekly Wrapup

Weekly Metasploit Wrapup

Welcome to the last Metasploit update of the year! Since January 1st, 2015, we've had 6364 commits from 176 unique authors, closed 1119 Pull Requests, and added 323 modules. Thank you all for a great year! We couldn't have done it without you. Sounds The sounds plugin has been around for a long time, notifying hackers of new shells via their speakers since 2010. Recently, Wei sinn3r Chen gave it a makeover, replacing the old robotic voice with that of Offensive Security founder, Kali Linux Core

3 min Metasploit Weekly Wrapup

Weekly Metasploit Wrapup

Payloads New in the latest Metasploit release are stageless HTTP and HTTPS payloads for Python for those times when you would rather have the whole thing in one file instead of having to stage it. For more on the advantages and quirks of stageless payloads, check out @OJ [https://twitter.com/thecolonial]'s post on the subject [/2015/03/25/stageless-meterpreter-payloads] from when support was first added for Windows. Exploit Modules Does anybody remember that bash(1) bug from a little over a yea

2 min Release Notes

Weekly Metasploit Wrapup

Python extension for Windows Meterpreter Meterpreter offers some pretty powerful post-exploitation capabilities, from filesystem manipulation to direct Windows API calls with railgun, and everything in between. One thing that's been missing for a long time is on-victim scripting. With this update comes an experimental Python extension to remedy that. It's still in its infancy, so expect some kinks to be worked out over the next few weeks, but it is functional. OJ [https://twitter.com/thecolonia