These presentations on exploiting with the Metasploit Framework, given on May 8th, 2010 at the Brown Hotel in Louisville, Kentucky, have tremendous value. They're from this month, still fresh! It's 7 hours of presentations, so it takes a while to finish (I took almost a week! phew!), but it's totally worth it!
It starts with Adrian “Irongeek” Crenshaw introducing Metasploit and exploiting a Windows box via msfconsole. Pretty neat.
Pwrcycle shows a good SYN scanning configuration for nmap, with best practices for stealth: using decoys and taking advantage of fragmentation to get past IPS/IDSs. He also describes the database (SQLite) integration in MSF and importing nmap scan results (XML). Pwrcycle also talks a little about db_autopwn, which automatically exploits the target based on its open ports (from the nmap scan). Quite kiddie and not stealthy at all (as Pwrcycle himself mentions in the video), but fun though.
Another great topic handled by Pwrcycle is pivoting, the technique of jumping through machines to escalate your privileges. You go from a restricted environment to a more-featured one, both in terms of the network the compromised machine sits on and in terms of account privileges.
One that is very, very exciting is Elliott “Nullthreat” Cutright, who introduces stack overflows with a live demo (that was really cool): a step-by-step basic example using an outdated version of tftpd for Windows (attached to a debugger) while spawning the
In a great overview of Meterpreter, Metasploit's meta-interpreter payload, Martin “PureHate” Bos shows the advanced features you can easily achieve without tons of assembly hacking, like file transfers, hash dumping, and so forth. He also mentions the capability of restoring the MAC times (the access time, more specifically) of a file. Forensics experts, go crazy! He also talks about psexec and event log clearing. Excellent!
This video introduces lots of post-exploitation concepts like process migration, trace cleanup and even injecting the encoded Meterpreter (shikata ga nai polymorphic encoding, to avoid detection by AVs) into executables to create backdoors (the creation of a persistent Meterpreter backdoor is also covered). Martin also briefly shows Metasploit Express, which is a portable Metasploit version.
David “ReL1K” Kennedy opens his talk by showing how language packs may influence an exploit, since they change memory locations, and then proceeds to the open-source, Python-driven, Metasploit-integrated Social-Engineering Framework, which exploits our weakest link in security: the human element.
Exploitation is done by spoofing (cloning) websites (which pairs excellently with Ettercap's dns_spoof), by spoofing the Meterpreter Java applet signature, or by exploiting serious browser flaws like the Aurora memory corruption (used as the example in the video) through the Metasploit integration.
David also talks about using common services' ports to bypass egress filtering, and about exploiting SQL Server vulnerabilities with Metasploit and Fast-Track.
The videos can be watched online at Adrian's website. They can also be downloaded in better quality (files ~500MB).