Author Topic: Metasploit, now with Pivot  (Read 9310 times)
Andrew Waite
« on: June 26, 2009, 03:03:11 AM »

Mubix (Rob Fuller/Room362) has just released a Meterpreter script allowing an active session to download and initiate the recent Cygwin-bundled Metasploit. Get to the script and binary downloads via his blog post.

I haven't had a chance to fully play with it yet, but it opens up some interesting possibilities and should definitely come in handy.

apollo
« Reply #1 on: June 26, 2009, 08:34:38 AM »

Let us know! I'd be interested in what, if anything, it left behind once you were done with it.

CISSP, CSSLP, MCSE+Security, MCTS, CCSP, GPEN, GWAPT, GCWN, NOP, OSCP, Security+
xXxKrisxXx
« Reply #2 on: June 27, 2009, 03:47:22 PM »

This is looking like another promising feature in the framework. Can't wait for CG to do a blog entry on Carnal0wnage about it -hints- ;)

eCPPT, GCIH, OSCP, OSWP
LSOChris
« Reply #3 on: June 29, 2009, 06:27:20 AM »

We'll see.

I'm not a huge fan of putting any binaries on boxes that I'm pretty sure will send an AV alert, though.
Andrew Waite
« Reply #4 on: June 29, 2009, 06:53:03 AM »

Chris, good point. I hadn't looked at using the script in live environments yet, just playing around with my home lab.

AV coverage appears pretty weak so far; VirusTotal results for the 5MB mini binary currently show 27% flagging it as malicious. Coverage is also fairly random: some of the big boys flag it (Kaspersky, MS, Trend) whilst other large AV players treat it as benign (Symantec, McAfee, AVG). Of course heuristic and active scanning may trip other flags as you delve deeper.

Not sure how this will change in the future as more AV firms get to grips with the release; your mileage may vary...

Ketchup
« Reply #5 on: June 29, 2009, 11:50:19 AM »

I run AVG on most of my machines. I noticed that the mini framework executable itself does not set off the AntiVirus scanner. However, once installed, some of the payloads and exploits start attracting AVG. This must be the heuristics engine at work.

Arguably, if you have control of the box, you can take a swipe at disabling the AntiVirus prior to uploading msf. I wonder how Core's agent gets around AV. Does anyone know? Did they make a deal? ;)

~~~~~~~~~~~~~~
Ketchup
Jhaddix
« Reply #6 on: July 01, 2009, 03:35:55 PM »

Couldn't we obfuscate the binary(ies) using garbage insertion, variable renaming, code reordering, encapsulating/encrypting code or data, or branching functions? It'd be a lot of work, but virus writers do it... just an idea...
« Last Edit: July 01, 2009, 03:37:49 PM by Jhaddix »

UNIX
« Reply #7 on: July 02, 2009, 12:04:52 AM »

Often it is already enough to change some "things" by simply using a hex editor to bypass AV software. When the source code is available it is of course even easier to make it undetectable.
Ketchup
« Reply #8 on: July 02, 2009, 05:44:34 AM »

I think that the problem occurs mostly when the mini msf exe is exploded on the other side. At least for me, the AV picks up random rb files as potentially dangerous files. It basically appears to know that something isn't right, but doesn't know exactly what. This is likely the heuristics engine kicking in.

I think that if you exploit a Linux box and upload a Linux version of msf, you should be golden. On a Windows box with A/V, it really depends on the A/V. I think that the way to go is an agent-based approach like Core does. I believe their agent sits entirely in RAM and just listens for and passes commands.

~~~~~~~~~~~~~~
Ketchup
hayabusa
« Reply #9 on: July 02, 2009, 07:37:16 AM »

I'd agree with Ketchup on this one. Modifying the base exes is easy, as you can quickly do that to pass them by AVs. It's a pretty common tactic nowadays. I've done that with netcat and other tools to insert them through a box I've compromised with msf. However, if you want to pivot, you have many more files and such that are involved, and a lot of the AVs are using a more heuristic approach (finally...).

Pushing a single agent that gets past the AV and is capable of performing the same functions would tend to be both cleaner and easier, and cleanup is simpler, by removing the single agent from disk / memory.

~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'

OSCE, OSCP, GPEN, C|EH
Jhaddix
« Reply #10 on: July 03, 2009, 03:11:18 AM »

Actually I talked to Rob and the removal of certain exploits brings down the virus detection significantly. This, in conjunction with flipping some bits on the exe, almost makes it perfect.
