Page 1

Nsploit: Popping boxes using Nmap

Ryan Linn, SecTor 2009

Sunday, September 27, 2009

Page 2

Agenda

Introduction

What is Nsploit

Why Nsploit

Nmap and NSE

Metasploit, XMLRPC, Meterpreter

Nsploit Dissected

Demos and Walkthroughs

Questions

Thanks

Page 3

Introduction

Who am I?

Information Security Engineer at SAS

Writer for EthicalHacker.net

Contributed code to Metasploit and BeEF

Enjoy playing with tools and learning

Page 4

What is Nsploit

Series of Lua scripts to allow Nmap to talk to Metasploit

Consists of 3 parts

Library

Triggers

Config File

Uses Nmap’s NSE to trigger Metasploit modules based on detected conditions during scanning

Page 5

Why Nsploit

Curiosity

To allow for targeted attacks to be launched across multiple IPs

To scan and trigger relevant exploits based on NSE detection

To use the widely expanding vulnerability detection Nmap modules and take it to the next level

To be friendly enough not to burden exploit developers

In hopes that someone else may find something even cooler to do with it

Page 6

Nmap and NSE

Nmap (http://www.nmap.org) is a “utility for network exploration or security auditing”

Allows for highly configurable port scanning and OS detection

Has a built-in scripting engine called NSE (Nmap Scripting Engine) that uses Lua

Has expanded beyond port scanning to include scripts for version detection and vulnerability detection

Part of most security folks’ arsenal

Page 7

Nmap and NSE

What is Lua and how does it work with Nmap?

Lua is a lightweight, embeddable scripting engine developed by Pontifical Catholic University of Rio de Janeiro

Scripting language for World of Warcraft

Embedded into Nmap

Nmap contains Lua libraries to facilitate common tasks and to extend Nmap’s scanning power

Page 8

Metasploit and XMLRPC

What is Metasploit

Framework for creating security tools and exploits (http://www.metasploit.com)

What is XMLRPC

XML-based protocol for communicating between disparate systems

Frequently used over HTTP

In our case, it isn’t
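Because the slides only name XML-RPC as the transport between Nmap and Metasploit, the following added example (not Nsploit's or Metasploit's own code) shows what the bodies of that exchange look like on the wire: a client-side methodCall, the simulated server side that parses it and answers with a methodResponse, and the fault path a client must handle. The framing comes from Python's standard xmlrpc.client; the method names `auth.login` and `core.version`, the token-based login and the password and token values are constructed stand-ins modelled on the Metasploit RPC API and should be treated as assumptions. The HTTP layer is deliberately absent, since the slides note Nsploit carries XML-RPC over a plain socket rather than HTTP, so only the XML bodies are relevant here.

```python
"""Wire-level view of an XML-RPC exchange of the kind Nsploit uses to drive Metasploit.

Added example, not Nsploit's or Metasploit's code. Request/response framing is
standard XML-RPC from xmlrpc.client; method names (auth.login, core.version),
the token-based login and the credential values are assumptions modelled on the
Metasploit RPC API. No transport is included: only the bodies that would be
written to and read from the socket are produced, which is also what a network
sensor would see if the channel were unencrypted.
"""
import xmlrpc.client as xrpc

# Constructed credential and token for the simulated server side (not real values).
FAKE_PASSWORD = "example-password"
FAKE_TOKEN = "TEMPEXAMPLETOKEN"


def encode_request(method, *params):
    """Client side: serialise a <methodCall> body exactly as it would hit the socket."""
    return xrpc.dumps(params, methodname=method)


def handle_request(body):
    """Simulated server side: parse a <methodCall>, return a <methodResponse> body.

    Errors are encoded as XML-RPC <fault> structures rather than raised, because
    a fault on the wire is what the peer actually receives.
    """
    params, method = xrpc.loads(body)
    if method == "core.version":
        return xrpc.dumps(({"version": "example-version", "api": "1.0"},), methodresponse=True)
    if method == "auth.login":
        user, password = params
        if password == FAKE_PASSWORD:
            return xrpc.dumps(({"result": "success", "token": FAKE_TOKEN},), methodresponse=True)
        return xrpc.dumps(xrpc.Fault(401, "authentication failed for " + user), methodresponse=True)
    return xrpc.dumps(xrpc.Fault(404, "unknown method " + method), methodresponse=True)


def decode_response(body):
    """Client side: unwrap a <methodResponse>; xmlrpc.client.loads raises Fault on <fault>."""
    (value,), _ = xrpc.loads(body)
    return value


def login(user, password):
    """Full round trip through both sides: returns the session token or raises Fault."""
    reply = handle_request(encode_request("auth.login", user, password))
    return decode_response(reply)["token"]


def login_fault_code(user, password):
    """Return the faultCode a failed login produces, or None if the login succeeded."""
    try:
        login(user, password)
        return None
    except xrpc.Fault as fault:
        return fault.faultCode


if __name__ == "__main__":
    print(encode_request("auth.login", "msf", FAKE_PASSWORD))
    print(handle_request(encode_request("core.version")))
    print("token:", login("msf", FAKE_PASSWORD))
    print("bad login fault:", login_fault_code("msf", "wrong"))
```

Running the block prints the raw methodCall and methodResponse XML; the same `loads`/`dumps` pair works for any transport, so the only Nsploit-specific part is the socket framing the slides mention but do not show.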

Page 9

Meterpreter

What is Meterpreter

Metasploit payload that uses DLL injection and allows for advanced plugins and scripts to be executed on remote hosts.

Has ability to launch scripts

Windows only (for now)

Has the potential to dump hashes, impersonate users, manipulate processes, run commands

When used as a payload, can launch scripts automatically

Page 11

Nsploit Dissected

Architecture

Metasploit with XMLRPC module enabled

○ Listening on a port (local or remote)

○ Waiting for commands to come in from Nmap

Nmap with NSE Libraries

○ NSE core library

○ NSE scripts that trigger Metasploit module execution

○ Config file to describe what gets called and to where

Page 12

Nsploit Dissected

Components

Nsploit library

○ Facilitates trigger creation

○ Contains XMLRPC communication pieces

○ Basic class to call Metasploit modules

○ Limits amount of code required to launch module

Page 13

Nsploit Dissected

Components

Nsploit triggers

○ NSE script

○ Contains or calls vulnerability detection logic

○ Called by Nmap based on port/service/protocol match

○ Act on information they discover themselves along with information discovered by Nmap

Page 14

Nsploit Dissected

Components

Nsploit config file

○ Contains information about what to launch

○ What payloads to use (when appropriate)

○ Payload settings

○ OS Specific settings

○ XML format
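The three component slides above describe a trigger as an NSE script called on a port/service/protocol match that combines its own findings with Nmap's, and a config file that says what to launch, with which payload and which OS-specific settings. The following added example (not Nsploit's own code) models that selection step offline: it parses real-format Nmap XML (`-oX`) output, reads a trigger config, and returns the dispatch plan instead of executing anything, so the decisions can be logged and reviewed first. The scan result and the config schema (`<trigger>`, `<os match>`, `<payload>`) are constructed stand-ins; the slides do not show Nsploit's actual config layout. `auxiliary/scanner/http/http_version` and `windows/meterpreter/reverse_tcp` are real Metasploit names, while `exploit/PLACEHOLDER_MODULE` is a placeholder. It also goes slightly beyond the slides by showing what happens when a service matches but the OS-specific rule does not.

```python
"""Model of the Nsploit trigger-selection step over Nmap XML (-oX) output.

Added example, not Nsploit's own code. The Nmap XML layout is the real one
Nmap writes; the trigger config is a constructed stand-in for Nsploit's config
file, whose exact schema the slides do not show. Nothing is executed: the
result is a plan listing which module/payload would fire for which host:port.
"""
import xml.etree.ElementTree as ET

# Constructed scan result (documentation addresses, no real systems).
NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd"/></port>
</ports>
<os><osmatch name="Microsoft Windows XP SP2" accuracy="95"/></os></host>
<host><status state="up"/><address addr="192.0.2.20" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds" product="Samba smbd"/></port>
<port protocol="tcp" portid="22"><state state="closed"/><service name="ssh"/></port>
</ports>
<os><osmatch name="Linux 2.6.X" accuracy="90"/></os></host>
</nmaprun>"""

# Constructed trigger config; hypothetical schema, not Nsploit's real file format.
CONFIG_XML = """<nsploit>
<trigger service="microsoft-ds" protocol="tcp" module="exploit/PLACEHOLDER_MODULE">
<os match="Windows"><payload name="windows/meterpreter/reverse_tcp" LHOST="192.0.2.1" LPORT="4444"/></os>
</trigger>
<trigger service="http" protocol="tcp" module="auxiliary/scanner/http/http_version"/>
</nsploit>"""


def parse_nmap(xml_text):
    """Reduce Nmap XML to hosts with address, best OS guess and per-port state/service."""
    hosts = []
    for h in ET.fromstring(xml_text).iter("host"):
        addr = h.find("address[@addrtype='ipv4']").get("addr")
        osmatch = h.find("os/osmatch")
        ports = []
        for p in h.findall("ports/port"):
            svc = p.find("service")
            ports.append({
                "port": int(p.get("portid")),
                "proto": p.get("protocol"),
                "state": p.find("state").get("state"),
                "service": svc.get("name") if svc is not None else None,
            })
        hosts.append({"addr": addr,
                      "os": osmatch.get("name") if osmatch is not None else "",
                      "ports": ports})
    return hosts


def parse_config(xml_text):
    """Read triggers: service/protocol condition, module to launch, optional OS-specific payloads."""
    triggers = []
    for t in ET.fromstring(xml_text).findall("trigger"):
        os_rules = []
        for o in t.findall("os"):
            payload = o.find("payload")
            os_rules.append({"match": o.get("match"),
                             "payload": dict(payload.attrib) if payload is not None else None})
        triggers.append({"service": t.get("service"), "protocol": t.get("protocol", "tcp"),
                         "module": t.get("module"), "os_rules": os_rules})
    return triggers


def select_triggers(hosts, triggers):
    """Return the dispatch plan: one entry per (open port, matching trigger) pair.

    A trigger with OS rules fires only when one rule matches Nmap's OS guess;
    a trigger without OS rules fires on the service match alone.
    """
    plan = []
    for host in hosts:
        for port in host["ports"]:
            if port["state"] != "open":
                continue  # closed/filtered ports never trigger anything
            for t in triggers:
                if t["service"] != port["service"] or t["protocol"] != port["proto"]:
                    continue
                payload = None
                if t["os_rules"]:
                    matched = [r for r in t["os_rules"] if r["match"].lower() in host["os"].lower()]
                    if not matched:
                        continue  # service matched but OS did not: skip rather than guess
                    payload = matched[0]["payload"]
                plan.append({"host": host["addr"], "port": port["port"],
                             "module": t["module"], "payload": payload})
    return plan


if __name__ == "__main__":
    for entry in select_triggers(parse_nmap(NMAP_XML), parse_config(CONFIG_XML)):
        print(entry)
```

With the constructed input, the plan holds two entries for 192.0.2.10 (SMB with the Windows payload, HTTP with no payload) and none for 192.0.2.20, whose open SMB port fails the Windows OS rule. Separating plan from execution like this is the step worth keeping whatever the tool: it gives a reviewable record of what a scan-driven trigger would have launched.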

Page 15

Demos and Walkthroughs

Quick demo of things working

Overview of code layout

Examination of trigger module

Examination of config file

Features demo

Page 16

Questions?

Code can be found at: http://www.happypacket.net

Blog: http://blog.happypacket.net

Twitter: @sussurro

Email: [email protected]

Page 17

Thanks

To you for coming

To SecTor organizers and staff

To Nmap and Metasploit teams

To all who helped with ideas and troubleshooting
