
Metasploit, now with Pivot

RoleReversal

Post Fri Jun 26, 2009 3:03 am

Metasploit, now with Pivot

Mubix (Rob Fuller/Room362) has just released a Meterpreter script allowing an active session to download and initiate the recent Cygwin-bundled Metasploit. Get to the script and binary downloads via his blog post.

I haven't had a chance to fully play with it yet, but it opens up some interesting possibilities and should definitely come in handy.

apollo

Post Fri Jun 26, 2009 8:34 am

Re: Metasploit, now with Pivot

Let us know! I'd be interested in what, if anything, it left behind once you were done with it.
CISSP, CSSLP, MCSE+Security, MCTS, CCSP, GPEN, GWAPT, GCWN, NOP, OSCP, Security+

KrisTeason

Post Sat Jun 27, 2009 3:47 pm

Re: Metasploit, now with Pivot

This is looking like another promising feature in the framework. Can't wait for CG to do a blog entry on Carnal0wnage about it -hints-  ;)
eCPPT (Silver/Gold), eWPT, GSEC, GISP, GCIH, OSCP, OSWP

LSOChris

Post Mon Jun 29, 2009 6:27 am

Re: Metasploit, now with Pivot

We'll see.

I'm not a huge fan of putting any binaries on boxes that I'm pretty sure will send an AV alert, though.

RoleReversal

Post Mon Jun 29, 2009 6:53 am

Re: Metasploit, now with Pivot

Chris, good point. I hadn't looked at using the script in live environments yet, just playing around with my home lab.

AV coverage appears pretty weak so far, VirusTotal results for the 5MB mini binary currently show 27% flagging as malicious. Coverage is also fairly random, some of the big boys flag it (Kaspersky, MS, Trend) whilst other large AV players treat it as benign (Symantec, McAfee, AVG). Of course heuristic and active scanning may trip other flags as you delve deeper.

Not sure how this will change in the future as more AV firms get to grips with the release; your mileage may vary...

Ketchup

Post Mon Jun 29, 2009 11:50 am

Re: Metasploit, now with Pivot

I run AVG on most of my machines. I noticed that the mini framework executable itself does not set off the AntiVirus scanner. However, once installed, some of the payloads and exploits start attracting AVG. This must be the heuristics engine at work.

Arguably, if you have control of the box, you can take a swipe at disabling the AntiVirus prior to uploading msf. I wonder how Core's agent gets around AV. Does anyone know? Did they make a deal? ;)
~~~~~~~~~~~~~~
Ketchup

Jhaddix

Post Wed Jul 01, 2009 3:35 pm

Re: Metasploit, now with Pivot

Couldn't we obfuscate the binary (or binaries) using garbage insertion, variable renaming, code reordering, encapsulating/encrypting code or data, or branching functions? It'd be a lot of work, but virus writers do it... just an idea...

UNIX

Post Thu Jul 02, 2009 12:04 am

Re: Metasploit, now with Pivot

Often it is already enough to change some "things" by simply using a hex editor to bypass AV software. When the source code is available it is of course even easier to make it undetectable.

Ketchup

Post Thu Jul 02, 2009 5:44 am

Re: Metasploit, now with Pivot

I think that the problem occurs mostly when the mini msf exe is exploded on the other side. At least for me, the AV picks up random rb files as potentially dangerous files. It basically appears to know that something isn't right, but doesn't know exactly what. This is likely the heuristics engine kicking in.

I think that if you exploit a Linux box and upload a Linux version of msf, you should be golden. On a Windows box with A/V, it really depends on the A/V. I think that the way to go is an agent-based approach like Core does. I believe their agent sits entirely in RAM and just listens for and passes commands.
~~~~~~~~~~~~~~
Ketchup

hayabusa

Post Thu Jul 02, 2009 7:37 am

Re: Metasploit, now with Pivot

I'd agree with Ketchup on this one. Modifying the base exes is easy, as you can quickly do that to pass them by AVs. It's a pretty common tactic nowadays. I've done that with netcat and other tools to insert them through a box I've compromised with msf. However, if you want to pivot, you have many more files and such that are involved, and a lot of the AVs are using a more heuristic approach (finally...)

Pushing a single agent, that gets past the AV, and is capable of performing the same functions, would tend to be both cleaner and easier, and cleanup is simpler, by removing the single agent from disk / memory.
~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'

OSCE, OSCP, GPEN, C|EH

Jhaddix

Post Fri Jul 03, 2009 3:11 am

Re: Metasploit, now with Pivot

Actually, I talked to Rob, and the removal of certain exploits brings down the virus detection significantly. This, in conjunction with flipping some bits on the exe, almost makes it perfect.
