metasploit-framework/dev/bh/bh05.tex

\documentclass{beamer}
\usepackage{graphicx}
\usepackage{color}

\mode<presentation> { }

\usepackage[english]{babel}
\usepackage[latin1]{inputenc}
\usepackage{times}
\usepackage[T1]{fontenc}
% I think this looks cool, but whateva! - skape
%\usepackage{beamerthemeshadow}

% Love from spoon
\newcommand{\pdfpart}[1]{\label{pdfpart-#1}\pdfbookmark[0]{#1}{pdfpart-#1}\part{#1}}
\newenvironment{sitemize}{\vspace{1mm}\begin{itemize}\itemsep 4pt\small}{\end{itemize}}

% Presentation meta-information
\title{Beyond EIP}
\author[spoonm \& skape] {spoonm \& skape}
\date[BlackHat 2005] {BlackHat, 2005}
\subject{Beyond EIP}

% Add a spacer between each part
\AtBeginPart{\frame{\partpage}}

% Turn off the navigation on the bottom yo
\setbeamertemplate{navigation symbols}{}
% spoon hates berkeley!
%\usetheme[width=2.2cm]{Berkeley}
%\usecolortheme{sidebartab}

\begin{document}

\begin{frame}[t]
  \titlepage
\end{frame}

\part{Introduction}

\section{Introduction}
\begin{frame}[t]
    \frametitle{Who are we?}

    \begin{sitemize}
        \item spoonm
        \begin{sitemize}
            \item Full-time student at a Canadian university
            \item Metasploit developer since late 2003
        \end{sitemize}

        \item skape
        \begin{sitemize}
            \item Lead software developer by day
            \item Independent security researcher by night
            \item Joined the Metasploit project in 2004
        \end{sitemize}
    \end{sitemize}
\end{frame}
\begin{frame}[t]
    \frametitle{What will we discuss?}

    \begin{sitemize}
        \item Payload stagers
        \begin{sitemize}
            \item Windows Ordinal Stagers
            \item PassiveX
            \item Egghunt
        \end{sitemize}

        \pause
        \item Payload stages
        \begin{sitemize}
            \item Library Injection
            \item The Meterpreter
            \item DispatchNinja
        \end{sitemize}

        \pause
        \item Post-exploitation suites
        \begin{sitemize}
            \item Very hot area of research for the Metasploit team
            \item Suites built off of advanced payload research
            \item Client-side APIs create uniform automation interfaces
            \item Primary focus of Metasploit 3.0
        \end{sitemize}
    \end{sitemize}
\end{frame}
\begin{frame}[t]
    \frametitle{Background: the exploitation cycle}

    \begin{sitemize}
        \item \textbf{Pre-exploitation} - Before the attack
        \begin{sitemize}
            \item Find a bug and isolate it
            \item Write the exploit, payloads, and tools
        \end{sitemize}

        \pause
        \item \textbf{Exploitation} - Leveraging the vulnerability
        \begin{sitemize}
            \item Find a vulnerable target
            \item Gather information
            \item Initialize tools and post-exploitation handlers
            \item Launch the exploit
        \end{sitemize}

        \pause
        \item \textbf{Post-exploitation} - Manipulating the target
        \begin{sitemize}
            \item Command shell redirection
            \item Arbitrary command execution
            \item Pivoting
            \item Advanced payload interaction
        \end{sitemize}
    \end{sitemize}
\end{frame}

\pdfpart{Exploitation Technology's State of Affairs}

\section{Pre-exploitation}
\begin{frame}[t]
    \frametitle{Payload encoders}

    \begin{sitemize}
        \item Robust and elegant encoders do exist
        \begin{sitemize}
            \item SkyLined's Alpha2 x86 alphanumeric encoder
            \item Spoonm's high-permutation Shikata Ga Nai
        \end{sitemize}

        \pause
        \item Payload encoders generally taken for granted
        \begin{sitemize}
            \item Most encoders use a static decoder stub
            \item Makes NIDS signatures easy to write
        \end{sitemize}
    \end{sitemize}
\end{frame}

\begin{frame}[t]
    \frametitle{NOP generators}

    \begin{sitemize}
        \item NOP generation hasn't publicly changed much
        \begin{sitemize}
            \item Most PoC exploits use predictable single-byte NOPs (\texttt{0x90}), if any
            \item ADMmutate's NOP generator easily signatured by NIDS (Snort, Fnord)
            \item Not considered an important research topic to most
        \end{sitemize}

        \pause
        \item Still, NIDS continues to play chase the tail
        \begin{sitemize}
            \item The mouse always has the advantage; NIDS is reactive
            \item Advanced NOP generators and encoders push NIDS to its limits
            \item Many protocols can be complex to signature (DCERPC fragmentation)
        \end{sitemize}

        \pause
        \item Metasploit 2.4 released with a wide-distribution
        multi-byte x86 NOP generator (Opty2)
    \end{sitemize}
\end{frame}

\section{Exploitation}
\begin{frame}[t]
    \frametitle{Exploitation techniques}

    \begin{sitemize}
        \item Exploitation techniques have become very mature
        \begin{sitemize}
            \item Linux/BSD/Solaris techniques are largely unchanged
            \item Windows heap overflows can be made more reliable (Oded/Shok)
            \item Windows SEH overwrites make exploitation easy, even on XPSP2
        \end{sitemize}

        \pause
        \item Exploitation vectors have been beaten to death
        \pause
        \item ...so we wont be talking about them
    \end{sitemize}
\end{frame}

\section{Post-exploitation}
\begin{frame}[t]
    \frametitle{Standard payloads}

    \begin{sitemize}
        \item Standard payloads provide the most basic manipulation
        of a target
        \begin{sitemize}
            \item Port-bind command shell
            \item Reverse (connectback) command shell
            \item Arbitrary command execution
        \end{sitemize}

        \pause
        \item Nearly all PoC exploits use standard payloads

        \pause
        \item Command shells have poor automation support
        \begin{sitemize}
            \item Platform dependent intrinsic commands and
            scripting
            \item Reliant on the set of applications installed on the
            machine
            \item Hindered by by chroot jails and host-based ACLs
        \end{sitemize}
    \end{sitemize}
\end{frame}

\begin{frame}[t]
    \frametitle{``Advantage'' payloads}

    \begin{sitemize}
        \item Advantage payloads provide enhanced manipulation of
        hosts, commonly through the native API
        \item Help to reduce the tediousness of writing payloads

        \item Core ST's InlineEgg

        % TODO: Elaborate on InlineEgg
        % TODO: others...
    \end{sitemize}
\end{frame}

\pdfpart{Payload Stagers}

\begin{frame}[t]
    \frametitle{What are payload stagers?}

    \begin{sitemize}
        \item Typically small stubs that load and execute another payload
        \item Useful in conditions where size is limited
    \end{sitemize}

    % TODO: diagram of a stager?
\end{frame}

\section{Windows Ordinal Stagers}
\begin{frame}[t]
    \frametitle{Introduction}
\end{frame}
\begin{frame}[t]
    \frametitle{Implementation: reverse stager}
\end{frame}

\section{PassiveX}
\begin{frame}[t]
    \frametitle{Overview}
\end{frame}
\begin{frame}[t]
    \frametitle{Implementation}
\end{frame}
\begin{frame}[t]
    \frametitle{Practical use: HTTP tunneling}
\end{frame}
\begin{frame}[t]
    \frametitle{Pros \& cons}
\end{frame}

\section{Egghunt}
\begin{frame}[t]
    \frametitle{Overview}
\end{frame}
\begin{frame}[t]
    \frametitle{Hunting for eggs with SEH}
\end{frame}
\begin{frame}[t]
    \frametitle{Hunting for eggs with system calls}
\end{frame}

\pdfpart{Payload Stages}

\begin{frame}[t]
    \frametitle{What are post-exploitation stages?}
\end{frame}

\section{Library Injection}
\begin{frame}[t]
    \frametitle{Overview}
\end{frame}
\begin{frame}[t]
    \frametitle{Types of library injection}
\end{frame}
\begin{frame}[t]
    \frametitle{In-memory library injection on Windows}
\end{frame}
\begin{frame}[t]
    \frametitle{In-memory library injection on UNIX}
\end{frame}
\begin{frame}[t]
    \frametitle{Library injection in action: VNC}
\end{frame}

\section{Meterpreter}
\begin{frame}[t]
    \frametitle{Overview}
\end{frame}
\begin{frame}[t]
    \frametitle{Design goals}
\end{frame}
\begin{frame}[t]
    \frametitle{Communication protocol specification}
\end{frame}
\begin{frame}[t]
    \frametitle{Client/Server architecture}
\end{frame}
\begin{frame}[t]
    \frametitle{Extension flexibilities}
\end{frame}
\begin{frame}[t]
    \frametitle{Meterpreter extensions in action: Stdapi}
\end{frame}

\section{DispatchNinja}
\begin{frame}[t]
    \frametitle{Cool dN stuff here}
\end{frame}

\pdfpart{Post-Exploitation Suites}

\section{Post-Exploitation Suites}
    \subsection{Motivations \& Goals}

\end{document}