Weaponizing the Windows API with Metasploit's Railgun
“If you don’t think you’re a newb, then you’re not trying hard enough”
- HD Moore

Post-exploitation: Endless Possibilities

- Go-to payload for Windows
- DLL, compiled C
- Usually injected into process memory
- Enhanced CMD shell
- Provides a basic post-exploitation API
- Often runs with SYSTEM privs
- Can be migrated into a user’s process

- Railgun is an extension to the Meterpreter STDAPI
- Allows arbitrary loading of DLLs
- As long as you know the path of the DLL, you can access its functions
- Since Windows API DLLs are always at known paths, we can always load them
- Dynamic access to the entirety of the Windows API on the system
- By calling APIs from user processes, we can impersonate users
- Anything becomes possible

- June 2010 – Railgun submitted to Metasploit by Patrick HVE
- Sept 2010 – 64-bit support added by Stephen Fewer
- Feb 2011 – Chao-mu takes over Railgun support, resumes new feature work
- Fall 2011 – Chao-mu disappears
- Aug 2012 – YOU start contributing to Railgun
- Dec 2012 – Mayans predict Railgun-related Apocalypse?

- LoadLibrary function opens a handle to the DLL
- GetProcAddress maps a function pointer to the specified function
- Memread and Memwrite functions for manipulating memory space

- Ruby code lives in lib/rex/post/meterpreter/extensions/stdapi/railgun
- User/module writer defines the DLL and the needed functions
- Functions are then available as methods
- Can define at runtime or use definition files
A look at Railgun Definitions

def self.create_dll(dll_path = 'advapi32')
  dll = DLL.new(dll_path, ApiConstants.manager)

  dll.add_function('CredEnumerateA', 'BOOL', [
    ['PCHAR', 'Filter', 'in'],
    ['DWORD', 'Flags', 'in'],
    ['PDWORD', 'Count', 'out'],
    ['PBLOB', 'Credentials', 'out']])

  # (the slide shows only the first function of the definition file)
  return dll
end
1. Function Name
2. Function Return Type
3. Array of Parameters
   1. Param type
   2. Param Name
   3. IN/OUT/INOUT Parameter

- Railgun knows about Windows constants
- They are defined in api_constants.rb in the railgun folder
- Easy to add new constants as needed there

- If it quacks like a duck…
- Pass as a Fixnum or Bignum
- String representation of constants can also be passed in

- Pointer to a DWORD
- Pass a Fixnum
- Pass the content of the DWORD, not the pointer
- If it is an OUT-only parameter, pass a 4 (size of a DWORD)
- Pass nil for a NULL pointer

- Pass as Ruby strings. Will be converted seamlessly
- If OUT only, pass a Fixnum of the size of the buffer (including null byte)
Definition:

dll.add_function('CryptAcquireContextW', 'BOOL', [
  ['PDWORD', 'phProv', 'out'],
  ['PWCHAR', 'pszContainer', 'in'],
  ['PWCHAR', 'pszProvider', 'in'],
  ['DWORD', 'dwProvType', 'in'],
  ['DWORD', 'dwflags', 'in']])

Usage:

ms_enhanced_prov = "Microsoft Enhanced Cryptographic Provider v1.0"
prov_rsa_full = 1
crypt_verify_context = 0xF0000000
alg_md5 = 32771
alg_rc4 = 26625
advapi32 = client.railgun.advapi32
acquirecontext = advapi32.CryptAcquireContextW(4, nil, ms_enhanced_prov, prov_rsa_full, crypt_verify_context)

Used in the SmartFTP password recovery module
- Pass in Ruby true/false values exactly as expected

Definition:
dll.add_function('IsDebuggerPresent', 'BOOL', [])

Usage:
>> client.railgun.kernel32.IsDebuggerPresent()
=> {"GetLastError"=>0, "return"=>false}

- Handled the same as DWORDs, but Fixnums passed in will be truncated to the appropriate length

- Anything that’s not a string or a DWORD
- Treated as a Ruby string
- Railgun will not help you parse structures
Definition:

dll.add_function('WlanGetProfile', 'DWORD', [
  ['DWORD', 'hClientHandle', 'in'],
  ['PBLOB', 'pInterfaceGuid', 'in'],
  ['PBLOB', 'strProfileName', 'in'],
  ['LPVOID', 'pReserved', 'in'],
  ['PDWORD', 'pstrProfileXML', 'out'],
  ['PDWORD', 'pdwFlags', 'inout'],
  ['PDWORD', 'pdwGrantedAccess', 'out']])

Usage:

profile['name'] = @host_process.memory.read(ppointer, 512)
ppointer = (ppointer + 516)

rprofile = @wlanapi.WlanGetProfile(wlan_handle, guid, profile['name'], nil, 4, 4, 4)

Used in the wlan_profile post module

- Pointers and handles of any kind are really just numbers, so treat them as DWORDs
- If it can be treated as a number, it’s a DWORD
- Otherwise it’s a PBLOB
- If neither works, add support for it yourself =)

- The function will return a hash
- Hash will always contain at least GetLastError
- Hash will return any OUT values

- Will return 0 if there was no error
- Otherwise will contain the Windows system error code encountered
- Error codes can be looked up at http://msdn.microsoft.com/en-us/library/windows/desktop/ms681381(v=vs.85).aspx
acquirecontext = advapi32.CryptAcquireContextW(4, nil, ms_enhanced_prov, prov_rsa_full, crypt_verify_context)

createhash = advapi32.CryptCreateHash(acquirecontext['phProv'], alg_md5, 0, 0, 4)
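As an added example (not Railgun's own code nor any Metasploit module), the Ruby stand-in below enforces the argument rules from the slides above (DWORD as Fixnum or constant name, PDWORD content vs. 4 for OUT, Ruby strings vs. buffer sizes, nil for NULL) and builds the GetLastError/return/OUT hash Railgun returns, then runs the CryptAcquireContextW to CryptCreateHash chain from the previous slide. FakeDll, win_result, API_CONSTANTS and the two handle values are constructed for the demo; the Windows functions are simulated by Ruby blocks so it runs offline.

```ruby
# Constructed stand-in for Railgun's calling conventions (not Railgun's code): it
# checks each argument against its [type, name, direction] definition, resolves
# constant names, and builds the GetLastError/return/OUT hash Railgun returns.

# Constant values as given on the slides (Railgun keeps these in api_constants.rb).
API_CONSTANTS = {
  'PROV_RSA_FULL' => 1, 'CRYPT_VERIFYCONTEXT' => 0xF0000000,
  'CALG_MD5' => 32771, 'CALG_RC4' => 26625, 'ERROR_INVALID_PARAMETER' => 87,
}.freeze

class FakeDll
  def initialize(name); @name, @functions = name, {}; end

  # Same shape as Railgun's add_function; the block simulates the Windows function.
  def add_function(fname, ret_type, params, &impl)
    @functions[fname] = { ret: ret_type, params: params, impl: impl }
    self
  end

  # dll.CryptAcquireContextW(...) dispatches the way client.railgun.advapi32 does.
  def method_missing(fname, *args)
    fn = @functions[fname.to_s]
    fn ? invoke(fname.to_s, fn, args) : super
  end

  private
  # A DWORD (handles and pointers included) is an Integer or a constant's name.
  def dword(fname, pname, arg)
    return arg if arg.is_a?(Integer)
    API_CONSTANTS.fetch(arg.to_s) { raise ArgumentError, "#{fname}: #{pname}: unknown constant #{arg.inspect}" }
  end

  def invoke(fname, fn, args)
    params = fn[:params]
    raise ArgumentError, "#{fname}: expected #{params.size} args, got #{args.size}" if args.size != params.size
    ins, sizes = {}, {}
    params.zip(args) do |(type, pname, dir), arg|
      case type
      when 'DWORD'
        ins[pname] = dword(fname, pname, arg)
      when 'PDWORD'                    # in: the DWORD's content; out/inout: 4; nil: NULL
        if arg.nil? then ins[pname] = nil
        elsif dir == 'in' then ins[pname] = dword(fname, pname, arg)
        elsif arg == 4 then sizes[pname] = 4
        else raise ArgumentError, "#{fname}: #{pname} (#{dir} PDWORD) expects 4 or nil"
        end
      when 'PCHAR', 'PWCHAR', 'PBLOB'  # in: a Ruby string; out: buffer size incl. NUL
        if arg.nil? then ins[pname] = nil
        elsif dir == 'in' && arg.is_a?(String) then ins[pname] = arg
        elsif dir != 'in' && arg.is_a?(Integer) && arg > 0 then sizes[pname] = arg
        else raise ArgumentError, "#{fname}: #{pname} (#{dir} #{type}) expects #{dir == 'in' ? 'a String' : 'a buffer size'}"
        end
      else
        raise ArgumentError, "#{fname}: type #{type} unsupported (add it yourself)"
      end
    end
    # The simulated body gets the IN values and returns [ret, last_error, outs].
    ret, err, outs = fn[:impl].call(ins)
    result = { 'GetLastError' => err, 'return' => ret }
    sizes.each do |pname, size|      # OUT values are copied into the result hash
      value = outs.fetch(pname, 0)
      raise RangeError, "#{fname}: #{pname} overran its #{size}-byte buffer" if value.is_a?(String) && value.bytesize > size
      result[pname] = value
    end
    result
  end
end

# Simulated Win32 outcome: [BOOL return, GetLastError, OUT values] (constructed).
def win_result(ok, outs)
  [ok, ok ? 0 : API_CONSTANTS['ERROR_INVALID_PARAMETER'], ok ? outs : {}]
end

# The slides' definitions with simulated bodies; handle values are constructed.
MS_ENHANCED_PROV = 'Microsoft Enhanced Cryptographic Provider v1.0'.freeze
FAKE_PROV_HANDLE = 0x00A40000
FAKE_HASH_HANDLE = 0x00A40100

ADVAPI32 = FakeDll.new('advapi32')
ADVAPI32.add_function('CryptAcquireContextW', 'BOOL', [
  ['PDWORD', 'phProv', 'out'], ['PWCHAR', 'pszContainer', 'in'],
  ['PWCHAR', 'pszProvider', 'in'], ['DWORD', 'dwProvType', 'in'],
  ['DWORD', 'dwFlags', 'in']]) do |a|
  ok = a['pszProvider'] == MS_ENHANCED_PROV && a['dwProvType'] == API_CONSTANTS['PROV_RSA_FULL']
  win_result(ok, { 'phProv' => FAKE_PROV_HANDLE })
end
ADVAPI32.add_function('CryptCreateHash', 'BOOL', [
  ['DWORD', 'hProv', 'in'], ['DWORD', 'Algid', 'in'], ['DWORD', 'hKey', 'in'],
  ['DWORD', 'dwFlags', 'in'], ['PDWORD', 'phHash', 'out']]) do |a|
  win_result(a['hProv'] == FAKE_PROV_HANDLE, { 'phHash' => FAKE_HASH_HANDLE })
end

# The slide's call chain: check the BOOL return before trusting an OUT value,
# then feed phProv from the first result hash into the second call.
def acquire_and_create_hash(provider = MS_ENHANCED_PROV)
  ctx = ADVAPI32.CryptAcquireContextW(4, nil, provider, 'PROV_RSA_FULL', 'CRYPT_VERIFYCONTEXT')
  return ctx unless ctx['return']
  ADVAPI32.CryptCreateHash(ctx['phProv'], 'CALG_MD5', 0, 0, 4)
end
```

Passing the wrong shape for a parameter (for example 8 instead of 4 for an OUT PDWORD, or a misspelled constant name) raises before the simulated call, which is the check a module writer wants before a real Railgun call writes to process memory.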

- Complex structure types that you will have to parse yourself
- Strings you don’t know the length of
- Large number of string reads (SLOWWWW)

Microsoft will help you own things
Seriously…
They even give you tools!

- Anything you can do with the Windows API is available
- Without increasing the size of the payload

- Get the OS to decrypt stored SmartFTP passwords
- Enumerate and decrypt stored RDP passwords
- Scan for wireless APs
- Enumerate domain controllers on the victim’s network

- Enough of these ugly slides
- Let’s see it in action
