SlideShare una empresa de Scribd logo

Weaponizing the Windows API with Metasploit's Railgun

Descargar como PPTX, PDF
T
TheLightcosine

Thelightcosine's DefCon 20 talk on Railgun

TecnologíaEducación
1 de 43
“If you don’t think you’re a newb, then you’re not trying hard enough” - HD Moore
Post-exploitation
Endless Possabilities
 Goto Payload for Windows  DLL, compiled C  Usually injected into process memory  Enhanced CMD shell  Provides basic post-exploitation API
 Often run with SYSTEM Privs  Can be migrated into a user’s process
 Railgun is an extension to the Meterpreter STDAPI  Allows Arbitrary Loading of DLLs  As long as you know the path of the DLL, you can access it’s functions
 Since Windows API DLLs are always at known paths, we can always load them
 Dynamic access to the entirety of the Windows API on the system  By calling APIs from user processes, we can impersonate users  Anything becomes possible
 June 2010 – Railgun submitted to Metasploit by Patrick HVE  Sept 2010 – 64bit support added by Stephen Fewer  Feb 2011 – Chao-mu takes over Railgun support, resumes new feature work  Fall 2011 – Chao-mu disappears  Aug 2012 – YOU start contributing to Railgun  Dec 2012 – Mayans predict Railgun-related Apocalypse?
 LoadLibrary function opens a Handle to the DLL  GetProcAddress maps a function pointer to the specified function  Memread and Memwrite functions for manipulating memory space
 Ruby code lives in lib/rex/post/meterpreter/extensio ns/stdapi/railgun  User/module writer defines the DLL and the needed functions  Functions are then avilable as methods  Can define at runtime or use definition files
def self.create_dll(dll_path = 'advapi32') dll = DLL.new(dll_path, ApiConstants.manager) dll.add_function('CredEnumerateA', 'BOOL', [ ['PCHAR', 'Filter', 'in'], ['DWORD', 'Flags', 'in'], ['PDWORD', 'Count', 'out'], ['PBLOB', 'Credentials', 'out']])  A look at Railgun Definitions
1. Function Name 2. Function Return Type 3. Array of Parameters 1. Param type 2. Param Name 3. IN/OUT/INOUT Parameter
 Railgun knows about Windows constants  They are defined in api_constants.rb in the railgun folder  Easy to add new constants as needed there
 If it quacks like a duck…  Pass as a Fixnum or Bignum  String representation of constants can also be passed in
 Pointer to a DWORD  Pass a Fixnum  Pass the Content of the DWORD not the pointer  If it is an OUT only paramter, pass a 4 (size of a DWORD)  Pass nil for a NULL Pointer
 Pass as Ruby strings. Will be converted seamlessly  If OUT only, pass fixnum of the size of the buffer (including null byte)
Definition Usage dll.add_function( ms_enhanced_prov = "Microsoft Enhanced Cryptographic 'CryptAcquireContextW', Provider v1.0" 'BOOL',[ prov_rsa_full = 1 ['PDWORD', 'phProv', 'out'], crypt_verify_context = 0xF0000000 ['PWCHAR', 'pszContainer', alg_md5 = 32771 'in'], alg_rc4 = 26625 ['PWCHAR', 'pszProvider', 'in'], advapi32 = client.railgun.advapi32 ['DWORD', 'dwProvType', 'in'], acquirecontext = advapi32.CryptAcquireContext ['DWORD', 'dwflags', 'in']]) W(4, nil, ms_enhanced_prov, prov_rsa_full, crypt_verify_context) Used in the SmartFTP password Recovery Module
 Pass in Ruby True/False values exactly as expected
Definition: dll.add_function( 'IsDebuggerPresent', 'BOOL',[]) Usage: >> client.railgun.kernel32.IsDebuggerPresent() => {"GetLastError"=>0, "return"=>false}
 Handled the same as DWORDs but Fixnums passed in will be truncated to the appropriate length
 Anything that’s not a string or a DWORD  Treated as a ruby string  Railgun will not help you parse structures
Definition Usage dll.add_function( 'WlanGetProfile', profile['name'] = 'DWORD',[ @host_process.memory.rea ['DWORD', 'hClientHandle', 'in'], d(ppointer,512) ['PBLOB', 'pInterfaceGuid', 'in'], ppointer = (ppointer + 516) ['PBLOB', 'strProfileName', 'in'], ['LPVOID', 'pReserved', 'in'], ['PDWORD', 'pstrProfileXML', rprofile = 'out'], @wlanapi.WlanGetProfile(wl ['PDWORD', 'pdwFlags', 'inout'], an_handle,guid,profile['nam e'],nil,4,4,4) ['PDWORD', 'pdwGrantedAccess', 'out']]) Used in the wlan_profile post module
 Pointers and Handles of any kind are really just numbers, so treat them as DWORDs  If it can be treated as a number it’s a DWORD  Otherwise it’s a PBLOB  If neither works, add support for it yourself =)
 The function will return a hash  Hash will always contain at least GetLastError  Hash will return any OUT values
 Will return 0 if there was no error  Otherwise will contain the windows system Error code encountered  Errors codes can be looked up at http://msdn.microsoft.com/en - us/library/windows/desktop/ ms681381(v=vs.85).aspx
acquirecontext = advapi32.CryptAcquireCon textW(4, nil, ms_enhanced_prov, prov_rsa_full, crypt_verify_context) createhash = advapi32.CryptCreateHash (acquirecontext['phProv'] , alg_md5, 0, 0, 4)
 Complex structure types that you will have to parse yourself  Strings you don’t know the length of  Large number of string reads (SLOWWWW)
Microsoft will help you own things
Seriously…
They even give you tools!
 Anything you can do with the windows API is available  Without increasing the size of the payload
 Get the OS to Decrypt stored SmartFTP Passwords  Enumerate and decrypt stored RDP passwords  Scan for Wireless APs  Enumerates Domain controllers on the victim’s network
 Enough of these ugly slides  Let’s see it in action

Recomendados

Functional Programming with Groovy
Functional Programming with GroovyFunctional Programming with Groovy
Functional Programming with Groovy
Arturo Herrero
 
bluespec talk
bluespec talkbluespec talk
bluespec talk
Suman Karumuri
 
Querydsl overview 2014
Querydsl overview 2014Querydsl overview 2014
Querydsl overview 2014
Timo Westkämper
 
The art of readable code (ch1~ch4)
The art of readable code (ch1~ch4)The art of readable code (ch1~ch4)
The art of readable code (ch1~ch4)
Ki Sung Bae
 
What do you mean, Backwards Compatibility?
What do you mean, Backwards Compatibility?What do you mean, Backwards Compatibility?
What do you mean, Backwards Compatibility?
Trisha Gee
 
The Art Of Readable Code
The Art Of Readable CodeThe Art Of Readable Code
The Art Of Readable Code
Baidu, Inc.
 
Querydsl fin jug - june 2012
Querydsl fin jug - june 2012Querydsl fin jug - june 2012
Querydsl fin jug - june 2012
Timo Westkämper
 
Reactive Access to MongoDB from Java 8
Reactive Access to MongoDB from Java 8Reactive Access to MongoDB from Java 8
Reactive Access to MongoDB from Java 8
Hermann Hueck
 

Recomendados

Functional Programming with Groovy
Functional Programming with GroovyFunctional Programming with Groovy
Functional Programming with Groovy
Arturo Herrero
 
bluespec talk
bluespec talkbluespec talk
bluespec talk
Suman Karumuri
 
Querydsl overview 2014
Querydsl overview 2014Querydsl overview 2014
Querydsl overview 2014
Timo Westkämper
 
The art of readable code (ch1~ch4)
The art of readable code (ch1~ch4)The art of readable code (ch1~ch4)
The art of readable code (ch1~ch4)
Ki Sung Bae
 
What do you mean, Backwards Compatibility?
What do you mean, Backwards Compatibility?What do you mean, Backwards Compatibility?
What do you mean, Backwards Compatibility?
Trisha Gee
 
The Art Of Readable Code
The Art Of Readable CodeThe Art Of Readable Code
The Art Of Readable Code
Baidu, Inc.
 
Querydsl fin jug - june 2012
Querydsl fin jug - june 2012Querydsl fin jug - june 2012
Querydsl fin jug - june 2012
Timo Westkämper
 
Reactive Access to MongoDB from Java 8
Reactive Access to MongoDB from Java 8Reactive Access to MongoDB from Java 8
Reactive Access to MongoDB from Java 8
Hermann Hueck
 
Spring has got me under it’s SpEL
Spring has got me under it’s SpELSpring has got me under it’s SpEL
Spring has got me under it’s SpEL
Eldad Dor
 
Design Patterns
Design PatternsDesign Patterns
Design Patterns
Betclic Everest Group Tech Team
 
Groovy.pptx
Groovy.pptxGroovy.pptx
Groovy.pptx
Giancarlo Frison
 
Cassandra summit 2013 - DataStax Java Driver Unleashed!
Cassandra summit 2013 - DataStax Java Driver Unleashed!Cassandra summit 2013 - DataStax Java Driver Unleashed!
Cassandra summit 2013 - DataStax Java Driver Unleashed!
Michaël Figuière
 
ChtiJUG - Cassandra 2.0
ChtiJUG - Cassandra 2.0ChtiJUG - Cassandra 2.0
ChtiJUG - Cassandra 2.0
Michaël Figuière
 
concurrency gpars
concurrency gparsconcurrency gpars
concurrency gpars
Paul King
 
[grcpp] Refactoring for testability c++
[grcpp] Refactoring for testability c++[grcpp] Refactoring for testability c++
[grcpp] Refactoring for testability c++
Dimitrios Platis
 
Fun Teaching MongoDB New Tricks
Fun Teaching MongoDB New TricksFun Teaching MongoDB New Tricks
Fun Teaching MongoDB New Tricks
MongoDB
 
Silicon Valley JUG: JVM Mechanics
Silicon Valley JUG: JVM MechanicsSilicon Valley JUG: JVM Mechanics
Silicon Valley JUG: JVM Mechanics
Azul Systems, Inc.
 
Designing with Groovy Traits - Gr8Conf India
Designing with Groovy Traits - Gr8Conf IndiaDesigning with Groovy Traits - Gr8Conf India
Designing with Groovy Traits - Gr8Conf India
Naresha K
 
Ice mini guide
Ice mini guideIce mini guide
Ice mini guide
Ady Liu
 
Hack ASP.NET website
Hack ASP.NET websiteHack ASP.NET website
Hack ASP.NET website
Positive Hack Days
 
T3chFest2016 - Uso del API JavaScript de Photoshop para obtener fotos HDTR
T3chFest2016 - Uso del API JavaScript de Photoshop para obtener fotos HDTRT3chFest2016 - Uso del API JavaScript de Photoshop para obtener fotos HDTR
T3chFest2016 - Uso del API JavaScript de Photoshop para obtener fotos HDTR
David Gómez García
 
Semantic code transformations in MetaJS
Semantic code transformations in MetaJSSemantic code transformations in MetaJS
Semantic code transformations in MetaJS
Dmytro Dogadailo
 
groovy rules
groovy rulesgroovy rules
groovy rules
Paul King
 
CIS14: Developing with OAuth and OIDC Connect
CIS14: Developing with OAuth and OIDC ConnectCIS14: Developing with OAuth and OIDC Connect
CIS14: Developing with OAuth and OIDC Connect
CloudIDSummit
 
Oleksandr Valetskyy - DI vs. IoC
Oleksandr Valetskyy - DI vs. IoCOleksandr Valetskyy - DI vs. IoC
Oleksandr Valetskyy - DI vs. IoC
Oleksandr Valetskyy
 
Jafka guide
Jafka guideJafka guide
Jafka guide
Ady Liu
 
MySQL Proxy tutorial
MySQL Proxy tutorialMySQL Proxy tutorial
MySQL Proxy tutorial
Giuseppe Maxia
 
Geneva JUG - Cassandra for Java Developers
Geneva JUG - Cassandra for Java DevelopersGeneva JUG - Cassandra for Java Developers
Geneva JUG - Cassandra for Java Developers
Michaël Figuière
 
Electromagnetic railgun (emrg)
Electromagnetic railgun (emrg)Electromagnetic railgun (emrg)
Electromagnetic railgun (emrg)
Navin Kumar
 
Railgun
RailgunRailgun
Railgun
sauravsaxena3
 

Más contenido relacionado

La actualidad más candente

Cassandra summit 2013 - DataStax Java Driver Unleashed!
Cassandra summit 2013 - DataStax Java Driver Unleashed!Cassandra summit 2013 - DataStax Java Driver Unleashed!
Cassandra summit 2013 - DataStax Java Driver Unleashed!
Michaël Figuière
 
concurrency gpars
concurrency gparsconcurrency gpars
concurrency gpars
Paul King
 
Fun Teaching MongoDB New Tricks
Fun Teaching MongoDB New TricksFun Teaching MongoDB New Tricks
Fun Teaching MongoDB New Tricks
MongoDB
 
groovy rules
groovy rulesgroovy rules
groovy rules
Paul King
 
Geneva JUG - Cassandra for Java Developers
Geneva JUG - Cassandra for Java DevelopersGeneva JUG - Cassandra for Java Developers
Geneva JUG - Cassandra for Java Developers
Michaël Figuière
 

La actualidad más candente (20)

Spring has got me under it’s SpEL
Spring has got me under it’s SpELSpring has got me under it’s SpEL
Spring has got me under it’s SpEL
 
Design Patterns
Design PatternsDesign Patterns
Design Patterns
 
Groovy.pptx
Groovy.pptxGroovy.pptx
Groovy.pptx
 
Cassandra summit 2013 - DataStax Java Driver Unleashed!
Cassandra summit 2013 - DataStax Java Driver Unleashed!Cassandra summit 2013 - DataStax Java Driver Unleashed!
Cassandra summit 2013 - DataStax Java Driver Unleashed!
 
ChtiJUG - Cassandra 2.0
ChtiJUG - Cassandra 2.0ChtiJUG - Cassandra 2.0
ChtiJUG - Cassandra 2.0
 
concurrency gpars
concurrency gparsconcurrency gpars
concurrency gpars
 
[grcpp] Refactoring for testability c++
[grcpp] Refactoring for testability c++[grcpp] Refactoring for testability c++
[grcpp] Refactoring for testability c++
 
Fun Teaching MongoDB New Tricks
Fun Teaching MongoDB New TricksFun Teaching MongoDB New Tricks
Fun Teaching MongoDB New Tricks
 
Silicon Valley JUG: JVM Mechanics
Silicon Valley JUG: JVM MechanicsSilicon Valley JUG: JVM Mechanics
Silicon Valley JUG: JVM Mechanics
 
Designing with Groovy Traits - Gr8Conf India
Designing with Groovy Traits - Gr8Conf IndiaDesigning with Groovy Traits - Gr8Conf India
Designing with Groovy Traits - Gr8Conf India
 
Ice mini guide
Ice mini guideIce mini guide
Ice mini guide
 
Hack ASP.NET website
Hack ASP.NET websiteHack ASP.NET website
Hack ASP.NET website
 
T3chFest2016 - Uso del API JavaScript de Photoshop para obtener fotos HDTR
T3chFest2016 - Uso del API JavaScript de Photoshop para obtener fotos HDTRT3chFest2016 - Uso del API JavaScript de Photoshop para obtener fotos HDTR
T3chFest2016 - Uso del API JavaScript de Photoshop para obtener fotos HDTR
 
Semantic code transformations in MetaJS
Semantic code transformations in MetaJSSemantic code transformations in MetaJS
Semantic code transformations in MetaJS
 
groovy rules
groovy rulesgroovy rules
groovy rules
 
CIS14: Developing with OAuth and OIDC Connect
CIS14: Developing with OAuth and OIDC ConnectCIS14: Developing with OAuth and OIDC Connect
CIS14: Developing with OAuth and OIDC Connect
 
Oleksandr Valetskyy - DI vs. IoC
Oleksandr Valetskyy - DI vs. IoCOleksandr Valetskyy - DI vs. IoC
Oleksandr Valetskyy - DI vs. IoC
 
Jafka guide
Jafka guideJafka guide
Jafka guide
 
MySQL Proxy tutorial
MySQL Proxy tutorialMySQL Proxy tutorial
MySQL Proxy tutorial
 
Geneva JUG - Cassandra for Java Developers
Geneva JUG - Cassandra for Java DevelopersGeneva JUG - Cassandra for Java Developers
Geneva JUG - Cassandra for Java Developers
 

Destacado

Electromagnetic Railgun Internship Abstract
Electromagnetic Railgun Internship AbstractElectromagnetic Railgun Internship Abstract
Electromagnetic Railgun Internship Abstract
Marjorie Ferrone
 

Destacado (6)

Electromagnetic railgun (emrg)
Electromagnetic railgun (emrg)Electromagnetic railgun (emrg)
Electromagnetic railgun (emrg)
 
Railgun
RailgunRailgun
Railgun
 
Railgun akr
Railgun akrRailgun akr
Railgun akr
 
Electromagnetic Railgun Internship Abstract
Electromagnetic Railgun Internship AbstractElectromagnetic Railgun Internship Abstract
Electromagnetic Railgun Internship Abstract
 
Railgun
RailgunRailgun
Railgun
 
Railguns
RailgunsRailguns
Railguns
 

Similar a Weaponizing the Windows API with Metasploit's Railgun

Smoothing Your Java with DSLs
Smoothing Your Java with DSLsSmoothing Your Java with DSLs
Smoothing Your Java with DSLs
intelliyole
 
Google apps script database abstraction exposed version
Google apps script database abstraction exposed versionGoogle apps script database abstraction exposed version
Google apps script database abstraction exposed version
Bruce McPherson
 
Do you know what your drupal is doing? Observe it!
Do you know what your drupal is doing? Observe it!Do you know what your drupal is doing? Observe it!
Do you know what your drupal is doing? Observe it!
Luca Lusso
 

Similar a Weaponizing the Windows API with Metasploit's Railgun (20)

Tame Accidental Complexity with Ruby and MongoMapper
Tame Accidental Complexity with Ruby and MongoMapperTame Accidental Complexity with Ruby and MongoMapper
Tame Accidental Complexity with Ruby and MongoMapper
 
10 Rules for Safer Code
10 Rules for Safer Code10 Rules for Safer Code
10 Rules for Safer Code
 
Reverse Engineering iOS apps
Reverse Engineering iOS appsReverse Engineering iOS apps
Reverse Engineering iOS apps
 
10 Rules for Safer Code [Odoo Experience 2016]
10 Rules for Safer Code [Odoo Experience 2016]10 Rules for Safer Code [Odoo Experience 2016]
10 Rules for Safer Code [Odoo Experience 2016]
 
Metasploit Railguns presentation @ tcs hyderabad
Metasploit Railguns presentation @ tcs hyderabadMetasploit Railguns presentation @ tcs hyderabad
Metasploit Railguns presentation @ tcs hyderabad
 
Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)
 
Smoothing Your Java with DSLs
Smoothing Your Java with DSLsSmoothing Your Java with DSLs
Smoothing Your Java with DSLs
 
Getting Input from User
Getting Input from UserGetting Input from User
Getting Input from User
 
Unit-2 Getting Input from User.pptx
Unit-2 Getting Input from User.pptxUnit-2 Getting Input from User.pptx
Unit-2 Getting Input from User.pptx
 
Let's write secure Drupal code! - DrupalCamp London 2019
Let's write secure Drupal code! - DrupalCamp London 2019Let's write secure Drupal code! - DrupalCamp London 2019
Let's write secure Drupal code! - DrupalCamp London 2019
 
Python RESTful webservices with Python: Flask and Django solutions
Python RESTful webservices with Python: Flask and Django solutionsPython RESTful webservices with Python: Flask and Django solutions
Python RESTful webservices with Python: Flask and Django solutions
 
Google apps script database abstraction exposed version
Google apps script database abstraction exposed versionGoogle apps script database abstraction exposed version
Google apps script database abstraction exposed version
 
Sa
SaSa
Sa
 
Do you know what your drupal is doing? Observe it!
Do you know what your drupal is doing? Observe it!Do you know what your drupal is doing? Observe it!
Do you know what your drupal is doing? Observe it!
 
Kerberizing spark. Spark Summit east
Kerberizing spark. Spark Summit eastKerberizing spark. Spark Summit east
Kerberizing spark. Spark Summit east
 
Secure Programming
Secure ProgrammingSecure Programming
Secure Programming
 
Presentation of Python, Django, DockerStack
Presentation of Python, Django, DockerStackPresentation of Python, Django, DockerStack
Presentation of Python, Django, DockerStack
 
NodeJS for Beginner
NodeJS for BeginnerNodeJS for Beginner
NodeJS for Beginner
 
Brad Wood - CommandBox CLI
Brad Wood - CommandBox CLI Brad Wood - CommandBox CLI
Brad Wood - CommandBox CLI
 
Euruko 2009 - DataObjects
Euruko 2009 - DataObjectsEuruko 2009 - DataObjects
Euruko 2009 - DataObjects
 

Último

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 

Último (20)

A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 

Weaponizing the Windows API with Metasploit's Railgun

  • 1.
  • 2.
  • 3.
  • 4. “If you don’t think you’re a newb, then you’re not trying hard enough” - HD Moore
  • 7.
  • 8.  Goto Payload for Windows  DLL, compiled C  Usually injected into process memory  Enhanced CMD shell  Provides basic post-exploitation API
  • 9.  Often run with SYSTEM Privs  Can be migrated into a user’s process
  • 10.
  • 11.  Railgun is an extension to the Meterpreter STDAPI  Allows Arbitrary Loading of DLLs  As long as you know the path of the DLL, you can access it’s functions
  • 12.  Since Windows API DLLs are always at known paths, we can always load them
  • 13.  Dynamic access to the entirety of the Windows API on the system  By calling APIs from user processes, we can impersonate users  Anything becomes possible
  • 14.
  • 15.  June 2010 – Railgun submitted to Metasploit by Patrick HVE  Sept 2010 – 64bit support added by Stephen Fewer  Feb 2011 – Chao-mu takes over Railgun support, resumes new feature work  Fall 2011 – Chao-mu disappears  Aug 2012 – YOU start contributing to Railgun  Dec 2012 – Mayans predict Railgun-related Apocalypse?
  • 16.  LoadLibrary function opens a Handle to the DLL  GetProcAddress maps a function pointer to the specified function  Memread and Memwrite functions for manipulating memory space
  • 17.  Ruby code lives in lib/rex/post/meterpreter/extensio ns/stdapi/railgun  User/module writer defines the DLL and the needed functions  Functions are then avilable as methods  Can define at runtime or use definition files
  • 18. def self.create_dll(dll_path = 'advapi32') dll = DLL.new(dll_path, ApiConstants.manager) dll.add_function('CredEnumerateA', 'BOOL', [ ['PCHAR', 'Filter', 'in'], ['DWORD', 'Flags', 'in'], ['PDWORD', 'Count', 'out'], ['PBLOB', 'Credentials', 'out']])  A look at Railgun Definitions
  • 19. 1. Function Name 2. Function Return Type 3. Array of Parameters 1. Param type 2. Param Name 3. IN/OUT/INOUT Parameter
  • 20.  Railgun knows about Windows constants  They are defined in api_constants.rb in the railgun folder  Easy to add new constants as needed there
  • 21.
  • 22.  If it quacks like a duck…  Pass as a Fixnum or Bignum  String representation of constants can also be passed in
  • 23.  Pointer to a DWORD  Pass a Fixnum  Pass the Content of the DWORD not the pointer  If it is an OUT only paramter, pass a 4 (size of a DWORD)  Pass nil for a NULL Pointer
  • 24.  Pass as Ruby strings. Will be converted seamlessly  If OUT only, pass fixnum of the size of the buffer (including null byte)
  • 25. Definition Usage dll.add_function( ms_enhanced_prov = "Microsoft Enhanced Cryptographic 'CryptAcquireContextW', Provider v1.0" 'BOOL',[ prov_rsa_full = 1 ['PDWORD', 'phProv', 'out'], crypt_verify_context = 0xF0000000 ['PWCHAR', 'pszContainer', alg_md5 = 32771 'in'], alg_rc4 = 26625 ['PWCHAR', 'pszProvider', 'in'], advapi32 = client.railgun.advapi32 ['DWORD', 'dwProvType', 'in'], acquirecontext = advapi32.CryptAcquireContext ['DWORD', 'dwflags', 'in']]) W(4, nil, ms_enhanced_prov, prov_rsa_full, crypt_verify_context) Used in the SmartFTP password Recovery Module
  • 26.  Pass in Ruby True/False values exactly as expected
  • 27. Definition: dll.add_function( 'IsDebuggerPresent', 'BOOL',[]) Usage: >> client.railgun.kernel32.IsDebuggerPresent() => {"GetLastError"=>0, "return"=>false}
  • 28.  Handled the same as DWORDs but Fixnums passed in will be truncated to the appropriate length
  • 29.  Anything that’s not a string or a DWORD  Treated as a ruby string  Railgun will not help you parse structures
  • 30. Definition Usage dll.add_function( 'WlanGetProfile', profile['name'] = 'DWORD',[ @host_process.memory.rea ['DWORD', 'hClientHandle', 'in'], d(ppointer,512) ['PBLOB', 'pInterfaceGuid', 'in'], ppointer = (ppointer + 516) ['PBLOB', 'strProfileName', 'in'], ['LPVOID', 'pReserved', 'in'], ['PDWORD', 'pstrProfileXML', rprofile = 'out'], @wlanapi.WlanGetProfile(wl ['PDWORD', 'pdwFlags', 'inout'], an_handle,guid,profile['nam e'],nil,4,4,4) ['PDWORD', 'pdwGrantedAccess', 'out']]) Used in the wlan_profile post module
  • 31.  Pointers and Handles of any kind are really just numbers, so treat them as DWORDs  If it can be treated as a number it’s a DWORD  Otherwise it’s a PBLOB  If neither works, add support for it yourself =)
  • 32.  The function will return a hash  Hash will always contain at least GetLastError  Hash will return any OUT values
  • 33.  Will return 0 if there was no error  Otherwise will contain the windows system Error code encountered  Errors codes can be looked up at http://msdn.microsoft.com/en - us/library/windows/desktop/ ms681381(v=vs.85).aspx
  • 34. acquirecontext = advapi32.CryptAcquireCon textW(4, nil, ms_enhanced_prov, prov_rsa_full, crypt_verify_context) createhash = advapi32.CryptCreateHash (acquirecontext['phProv'] , alg_md5, 0, 0, 4)
  • 35.  Complex structure types that you will have to parse yourself  Strings you don’t know the length of  Large number of string reads (SLOWWWW)
  • 36.
  • 37. Microsoft will help you own things
  • 39. They even give you tools!
  • 40.
  • 41.  Anything you can do with the windows API is available  Without increasing the size of the payload
  • 42.  Get the OS to Decrypt stored SmartFTP Passwords  Enumerate and decrypt stored RDP passwords  Scan for Wireless APs  Enumerates Domain controllers on the victim’s network
  • 43.  Enough of these ugly slides  Let’s see it in action