\documentclass{beamer}
\usepackage{graphicx}
\usepackage{color}
\mode<presentation>{ }
\usepackage[english]{babel}
\usepackage[latin1]{inputenc}
\usepackage{times}
\usepackage[T1]{fontenc} % I think this looks cool, but whateva! - skape
%\usepackage{beamerthemeshadow} % Love from spoon

\newcommand{\pdfpart}[1]{\label{pdfpart-#1}\pdfbookmark[0]{#1}{pdfpart-#1}\part{#1}}
\newenvironment{sitemize}{\vspace{1mm}\begin{itemize}\itemsep 4pt\small}{\end{itemize}}

% Presentation meta-information
\title{Beyond EIP}
\author[spoonm \& skape]{spoonm \& skape}
\date[BlackHat 2005]{BlackHat, 2005}
\subject{Beyond EIP}

% Add a spacer between each part
\AtBeginPart{\frame{\partpage}}

% Turn off the navigation on the bottom yo
\setbeamertemplate{navigation symbols}{}

% spoon hates berkeley!
%\usetheme[width=2.2cm]{Berkeley}
%\usecolortheme{sidebartab}

\begin{document}

\begin{frame}[t]
  \titlepage
\end{frame}

\part{Introduction}
\section{Introduction}

\begin{frame}[t]
  \frametitle{Who are we?}
  \begin{sitemize}
    \item spoonm
    \begin{sitemize}
      \item Full-time student at a Canadian university
      \item Metasploit developer since late 2003
    \end{sitemize}
    \item skape
    \begin{sitemize}
      \item Lead software developer by day
      \item Independent security researcher by night
      \item Joined the Metasploit project in 2004
    \end{sitemize}
  \end{sitemize}
\end{frame}

\begin{frame}[t]
  \frametitle{What will we discuss?}
  \begin{sitemize}
    \item Payload stagers
    \begin{sitemize}
      \item Windows Ordinal Stagers
      \item PassiveX
      \item Egghunt
    \end{sitemize}
    \pause
    \item Payload stages
    \begin{sitemize}
      \item Library Injection
      \item The Meterpreter
      \item DispatchNinja
    \end{sitemize}
    \pause
    \item Post-exploitation suites
    \begin{sitemize}
      \item Very hot area of research for the Metasploit team
      \item Suites built off of advanced payload research
      \item Client-side APIs create uniform automation interfaces
      \item Primary focus of Metasploit 3.0
    \end{sitemize}
  \end{sitemize}
\end{frame}

\begin{frame}[t]
  \frametitle{Background: the exploitation
cycle}
  \begin{sitemize}
    \item \textbf{Pre-exploitation}---before the attack
    \begin{sitemize}
      \item Find a bug and isolate it
      \item Write the exploit, payloads, and tools
    \end{sitemize}
    \pause
    \item \textbf{Exploitation}---leveraging the vulnerability
    \begin{sitemize}
      \item Find a vulnerable target
      \item Gather information
      \item Initialize tools and post-exploitation handlers
      \item Launch the exploit
    \end{sitemize}
    \pause
    \item \textbf{Post-exploitation}---manipulating the target
    \begin{sitemize}
      \item Command shell redirection
      \item Arbitrary command execution
      \item Pivoting
      \item Advanced payload interaction
    \end{sitemize}
  \end{sitemize}
\end{frame}

\pdfpart{Exploitation Technology's State of Affairs}
\section{Pre-exploitation}

\begin{frame}[t]
  \frametitle{Payload encoders}
  \begin{sitemize}
    \item Robust and elegant encoders do exist
    \begin{sitemize}
      \item SkyLined's Alpha2 x86 alphanumeric encoder
      \item Spoonm's high-permutation Shikata Ga Nai
    \end{sitemize}
    \pause
    \item Payload encoders generally taken for granted
    \begin{sitemize}
      \item Most encoders use a static decoder stub
      \item A static stub is a fixed byte sequence, so NIDS signatures are easy to write
    \end{sitemize}
  \end{sitemize}
\end{frame}

\begin{frame}[t]
  \frametitle{NOP generators}
  \begin{sitemize}
    \item NOP generation hasn't publicly changed much
    \begin{sitemize}
      \item Most PoC exploits use predictable single-byte NOPs (\texttt{0x90}), if any
      \item ADMmutate's NOP generator easily signatured by NIDS (Snort, Fnord)
      \item Not considered an important research topic to most
    \end{sitemize}
    \pause
    \item Still, NIDS continues to play chase-the-tail
    \begin{sitemize}
      \item The mouse always has the advantage; NIDS is reactive
      \item Advanced NOP generators and encoders push NIDS to its limits
      \item Many protocols can be complex to signature (DCERPC fragmentation)
    \end{sitemize}
    \pause
    \item Metasploit 2.4 released with a wide-distribution multi-byte x86 NOP generator (Opty2)
  \end{sitemize}
\end{frame}

\section{Exploitation}

\begin{frame}[t]
  \frametitle{Exploitation techniques}
  \begin{sitemize}
    \item Exploitation techniques have become very mature
    \begin{sitemize}
      \item Linux/BSD/Solaris techniques are largely unchanged
      \item Windows heap overflows can be made more reliable (Oded/Shok)
      \item Windows SEH overwrites make exploitation easy, even on XP SP2
    \end{sitemize}
    \pause
    \item Exploitation vectors have been beaten to death
    \pause
    \item \dots so we won't be talking about them
  \end{sitemize}
\end{frame}

\section{Post-exploitation}

\begin{frame}[t]
  \frametitle{Standard payloads}
  \begin{sitemize}
    \item Standard payloads provide the most basic manipulation of a target
    \begin{sitemize}
      \item Port-bind command shell
      \item Reverse (connectback) command shell
      \item Arbitrary command execution
    \end{sitemize}
    \pause
    \item Nearly all PoC exploits use standard payloads
    \pause
    \item Command shells have poor automation support
    \begin{sitemize}
      \item Platform-dependent intrinsic commands and scripting
      \item Reliant on the set of applications installed on the machine
      \item Hindered by chroot jails and host-based ACLs
    \end{sitemize}
  \end{sitemize}
\end{frame}

\begin{frame}[t]
  \frametitle{``Advantage'' payloads}
  \begin{sitemize}
    \item Advantage payloads provide enhanced manipulation of hosts, commonly through the native API
    \item Help to reduce the tediousness of writing payloads
    \item Core ST's InlineEgg
    % TODO: Elaborate on InlineEgg
    % TODO: others...
  \end{sitemize}
\end{frame}

\pdfpart{Payload Stagers}

\begin{frame}[t]
  \frametitle{What are payload stagers?}
  \begin{sitemize}
    \item Typically small stubs that load and execute another payload
    \item Useful in conditions where size is limited
  \end{sitemize}
  % TODO: diagram of a stager?
\end{frame}

\section{Windows Ordinal Stagers}

\begin{frame}[t]
  \frametitle{Introduction}
\end{frame}

\begin{frame}[t]
  \frametitle{Implementation: reverse stager}
\end{frame}

\section{PassiveX}

\begin{frame}[t]
  \frametitle{Overview}
\end{frame}

\begin{frame}[t]
  \frametitle{Implementation}
\end{frame}

\begin{frame}[t]
  \frametitle{Practical use: HTTP tunneling}
\end{frame}

\begin{frame}[t]
  \frametitle{Pros \& cons}
\end{frame}

\section{Egghunt}

\begin{frame}[t]
  \frametitle{Overview}
\end{frame}

\begin{frame}[t]
  \frametitle{Hunting for eggs with SEH}
\end{frame}

\begin{frame}[t]
  \frametitle{Hunting for eggs with system calls}
\end{frame}

\pdfpart{Payload Stages}

\begin{frame}[t]
  \frametitle{What are post-exploitation stages?}
\end{frame}

\section{Library Injection}

\begin{frame}[t]
  \frametitle{Overview}
\end{frame}

\begin{frame}[t]
  \frametitle{Types of library injection}
\end{frame}

\begin{frame}[t]
  \frametitle{In-memory library injection on Windows}
\end{frame}

\begin{frame}[t]
  \frametitle{In-memory library injection on UNIX}
\end{frame}

\begin{frame}[t]
  \frametitle{Library injection in action: VNC}
\end{frame}

\section{Meterpreter}

\begin{frame}[t]
  \frametitle{Overview}
\end{frame}

\begin{frame}[t]
  \frametitle{Design goals}
\end{frame}

\begin{frame}[t]
  \frametitle{Communication protocol specification}
\end{frame}

\begin{frame}[t]
  \frametitle{Client/Server architecture}
\end{frame}

\begin{frame}[t]
  \frametitle{Extension flexibilities}
\end{frame}

\begin{frame}[t]
  \frametitle{Meterpreter extensions in action: Stdapi}
\end{frame}

\section{DispatchNinja}

\begin{frame}[t]
  \frametitle{Cool dN stuff here}
\end{frame}

\pdfpart{Post-Exploitation Suites}
\section{Post-Exploitation Suites}
\subsection{Motivations \& Goals}

\end{document}