metasploit-framework/dev/bh/bh05.tex

328 lines
8.6 KiB
TeX

\documentclass{beamer}
\usepackage{graphicx}
\usepackage{color}
\mode<presentation> { }
\usepackage[english]{babel}
\usepackage[latin1]{inputenc}
\usepackage{times}
\usepackage[T1]{fontenc}
% I think this looks cool, but whateva! - skape
%\usepackage{beamerthemeshadow}
% Love from spoon
\newcommand{\pdfpart}[1]{\label{pdfpart-#1}\pdfbookmark[0]{#1}{pdfpart-#1}\part{#1}}
\newenvironment{sitemize}{\vspace{1mm}\begin{itemize}\itemsep 4pt\small}{\end{itemize}}
% Presentation meta-information
\title{Beyond EIP}
\author[spoonm \& skape] {spoonm \& skape}
\date[BlackHat 2005] {BlackHat, 2005}
\subject{Beyond EIP}
% Add a spacer between each part
\AtBeginPart{\frame{\partpage}}
% Turn off the navigation on the bottom yo
\setbeamertemplate{navigation symbols}{}
% spoon hates berkeley!
%\usetheme[width=2.2cm]{Berkeley}
%\usecolortheme{sidebartab}
\begin{document}
\begin{frame}[t]
\titlepage
\end{frame}
\part{Introduction}
\section{Introduction}
\begin{frame}[t]
\frametitle{Who are we?}
\begin{sitemize}
\item spoonm
\begin{sitemize}
\item Full-time student at a Canadian university
\item Metasploit developer since late 2003
\end{sitemize}
\item skape
\begin{sitemize}
\item Lead software developer by day
\item Independent security researcher by night
\item Joined the Metasploit project in 2004
\end{sitemize}
\end{sitemize}
\end{frame}
\begin{frame}[t]
\frametitle{What will we discuss?}
\begin{sitemize}
\item Payload stagers
\begin{sitemize}
\item Windows Ordinal Stagers
\item PassiveX
\item Egghunt
\end{sitemize}
\pause
\item Payload stages
\begin{sitemize}
\item Library Injection
\item The Meterpreter
\item DispatchNinja
\end{sitemize}
\pause
\item Post-exploitation suites
\begin{sitemize}
\item Very hot area of research for the Metasploit team
\item Suites built off of advanced payload research
\item Client-side APIs create uniform automation interfaces
\item Primary focus of Metasploit 3.0
\end{sitemize}
\end{sitemize}
\end{frame}
\begin{frame}[t]
\frametitle{Background: the exploitation cycle}
\begin{sitemize}
\item \textbf{Pre-exploitation} - Before the attack
\begin{sitemize}
\item Find a bug and isolate it
\item Write the exploit, payloads, and tools
\end{sitemize}
\pause
\item \textbf{Exploitation} - Leveraging the vulnerability
\begin{sitemize}
\item Find a vulnerable target
\item Gather information
\item Initialize tools and post-exploitation handlers
\item Launch the exploit
\end{sitemize}
\pause
\item \textbf{Post-exploitation} - Manipulating the target
\begin{sitemize}
\item Command shell redirection
\item Arbitrary command execution
\item Pivoting
\item Advanced payload interaction
\end{sitemize}
\end{sitemize}
\end{frame}
\pdfpart{Exploitation Technology's State of Affairs}
\section{Pre-exploitation}
\begin{frame}[t]
\frametitle{Payload encoders}
\begin{sitemize}
\item Robust and elegant encoders do exist
\begin{sitemize}
\item SkyLined's Alpha2 x86 alphanumeric encoder
\item Spoonm's high-permutation Shikata Ga Nai
\end{sitemize}
\pause
\item Payload encoders generally taken for granted
\begin{sitemize}
\item Most encoders use a static decoder stub
\item Makes NIDS signatures easy to write
\end{sitemize}
\end{sitemize}
\end{frame}
\begin{frame}[t]
\frametitle{NOP generators}
\begin{sitemize}
\item NOP generation hasn't publicly changed much
\begin{sitemize}
\item Most PoC exploits use predictable single-byte NOPs (\texttt{0x90}), if any
\item ADMmutate's NOP generator easily signatured by NIDS (Snort, Fnord)
\item Not considered an important research topic to most
\end{sitemize}
\pause
\item Still, NIDS continues to play chase the tail
\begin{sitemize}
\item The mouse always has the advantage; NIDS is reactive
\item Advanced NOP generators and encoders push NIDS to its limits
\item Many protocols can be complex to signature (DCERPC fragmentation)
\end{sitemize}
\pause
\item Metasploit 2.4 released with a wide-distribution
multi-byte x86 NOP generator (Opty2)
\end{sitemize}
\end{frame}
\section{Exploitation}
\begin{frame}[t]
\frametitle{Exploitation techniques}
\begin{sitemize}
\item Exploitation techniques have become very mature
\begin{sitemize}
\item Linux/BSD/Solaris techniques are largely unchanged
\item Windows heap overflows can be made more reliable (Oded/Shok)
\item Windows SEH overwrites make exploitation easy, even on XPSP2
\end{sitemize}
\pause
\item Exploitation vectors have been beaten to death
\pause
\item ...so we wont be talking about them
\end{sitemize}
\end{frame}
\section{Post-exploitation}
\begin{frame}[t]
\frametitle{Standard payloads}
\begin{sitemize}
\item Standard payloads provide the most basic manipulation
of a target
\begin{sitemize}
\item Port-bind command shell
\item Reverse (connectback) command shell
\item Arbitrary command execution
\end{sitemize}
\pause
\item Nearly all PoC exploits use standard payloads
\pause
\item Command shells have poor automation support
\begin{sitemize}
\item Platform dependent intrinsic commands and
scripting
\item Reliant on the set of applications installed on the
machine
\item Hindered by by chroot jails and host-based ACLs
\end{sitemize}
\end{sitemize}
\end{frame}
\begin{frame}[t]
\frametitle{``Advantage'' payloads}
\begin{sitemize}
\item Advantage payloads provide enhanced manipulation of
hosts, commonly through the native API
\item Help to reduce the tediousness of writing payloads
\item Core ST's InlineEgg
% TODO: Elaborate on InlineEgg
% TODO: others...
\end{sitemize}
\end{frame}
\pdfpart{Payload Stagers}
\begin{frame}[t]
\frametitle{What are payload stagers?}
\begin{sitemize}
\item Typically small stubs that load and execute another payload
\item Useful in conditions where size is limited
\end{sitemize}
% TODO: diagram of a stager?
\end{frame}
\section{Windows Ordinal Stagers}
\begin{frame}[t]
\frametitle{Introduction}
\end{frame}
\begin{frame}[t]
\frametitle{Implementation: reverse stager}
\end{frame}
\section{PassiveX}
\begin{frame}[t]
\frametitle{Overview}
\end{frame}
\begin{frame}[t]
\frametitle{Implementation}
\end{frame}
\begin{frame}[t]
\frametitle{Practical use: HTTP tunneling}
\end{frame}
\begin{frame}[t]
\frametitle{Pros \& cons}
\end{frame}
\section{Egghunt}
\begin{frame}[t]
\frametitle{Overview}
\end{frame}
\begin{frame}[t]
\frametitle{Hunting for eggs with SEH}
\end{frame}
\begin{frame}[t]
\frametitle{Hunting for eggs with system calls}
\end{frame}
\pdfpart{Payload Stages}
\begin{frame}[t]
\frametitle{What are post-exploitation stages?}
\end{frame}
\section{Library Injection}
\begin{frame}[t]
\frametitle{Overview}
\end{frame}
\begin{frame}[t]
\frametitle{Types of library injection}
\end{frame}
\begin{frame}[t]
\frametitle{In-memory library injection on Windows}
\end{frame}
\begin{frame}[t]
\frametitle{In-memory library injection on UNIX}
\end{frame}
\begin{frame}[t]
\frametitle{Library injection in action: VNC}
\end{frame}
\section{Meterpreter}
\begin{frame}[t]
\frametitle{Overview}
\end{frame}
\begin{frame}[t]
\frametitle{Design goals}
\end{frame}
\begin{frame}[t]
\frametitle{Communication protocol specification}
\end{frame}
\begin{frame}[t]
\frametitle{Client/Server architecture}
\end{frame}
\begin{frame}[t]
\frametitle{Extension flexibilities}
\end{frame}
\begin{frame}[t]
\frametitle{Meterpreter extensions in action: Stdapi}
\end{frame}
\section{DispatchNinja}
\begin{frame}[t]
\frametitle{Cool dN stuff here}
\end{frame}
\pdfpart{Post-Exploitation Suites}
\section{Post-Exploitation Suites}
\subsection{Motivations \& Goals}
\end{document}