Ryan Linn SecTor 2009 Nsploit: Popping boxes using Nmap Sunday, September 27, 2009


  • Ryan Linn, SecTor 2009

    Nsploit: Popping boxes using Nmap

    Sunday, September 27, 2009

  • Agenda

    Introduction

    What is Nsploit

    Why Nsploit

    Nmap and NSE

    Metasploit, XMLRPC, Meterpreter

    Nsploit Dissected

    Demos and Walkthroughs

    Questions

    Thanks


  • Introduction

    Who am I?

    Information Security Engineer at SAS

    Writer for EthicalHacker.net

    Contributed code to Metasploit and BeEF

    Enjoy playing with tools and learning


  • What is Nsploit

    Series of Lua scripts to allow Nmap to talk to Metasploit

    Consists of 3 parts

    Library

    Triggers

    Config File

    Uses Nmap’s NSE to trigger Metasploit modules based on detected conditions during scanning


  • Why Nsploit

    Curiosity

    To allow for targeted attacks to be launched across multiple IPs

    To scan and trigger relevant exploits based on NSE detection

    To use the widely expanding vulnerability detection Nmap modules and take them to the next level

    To be friendly enough not to burden exploit developers

    In hopes that someone else may find something even cooler to do with it


  • Nmap and NSE

    Nmap (http://www.nmap.org) is a “utility for network exploration or security auditing”

    Allows for highly configurable port scanning and OS detection

    Has a built in scripting engine called NSE (Nmap Scripting Engine) using Lua

    Has been expanding from port scanning to include scripts to do further detection of versioning and vulnerability detection

    Part of most security folks’ arsenal


  • Nmap and NSE

    What is Lua and how does it work with Nmap ?

    Lua is a lightweight, embeddable scripting language developed at the Pontifical Catholic University of Rio de Janeiro

    Scripting language for World of Warcraft

    Embedded into Nmap

    Nmap contains Lua libraries to facilitate common tasks and to extend Nmap’s scanning power
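    The skeleton of an NSE script, as an added example that is not part of this talk or of the Nsploit code: it shows the three pieces Nmap expects from every script (metadata fields, a rule that decides when the script runs, and an action that produces the output) and uses only the stock NSE libraries named on the slide. The script reads and reports a service greeting banner; the ports and service names it matches are assumptions chosen for illustration.

```lua
-- Added example (not from the talk or from Nsploit): minimal NSE script structure.
-- Runs with: nmap --script ./banner-example.nse -p 21,22,25 <host>
local nmap = require "nmap"
local shortport = require "shortport"

-- Metadata: Nmap reads these fields for --script-help and category selection.
description = [[
Connects to a matched service, reads its greeting banner and reports it.
Illustrates NSE script layout: metadata, a portrule, and an action.
]]

author = "added example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe", "discovery"}

-- Rule: decides per host/port whether the action runs. The ports and
-- service names here are illustrative assumptions, not values from the talk.
portrule = shortport.port_or_service({21, 22, 25}, {"ftp", "ssh", "smtp"})

-- Action: runs when the rule matches; its return value is the script output.
action = function(host, port)
  local sock = nmap.new_socket()
  sock:set_timeout(5000)

  local ok, err = sock:connect(host, port)
  if not ok then
    return nil -- no output for hosts that do not accept the connection
  end

  -- Read the first line the service sends (many services greet first).
  local status, banner = sock:receive_lines(1)
  sock:close()
  if not status then
    return nil
  end

  -- Trim trailing whitespace so the report stays on one line.
  return (banner:gsub("%s+$", ""))
end
```

    The same rule/action split is what a Nsploit trigger builds on: the rule selects the port or service, and the action holds the detection logic, with the library taking care of everything beyond that.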


  • Metasploit and XMLRPC

    What is Metasploit

    Framework for creating security tools and exploits (http://www.metasploit.com)

    What is XMLRPC

    XML based protocol for communicating between disparate systems

    Frequently used over HTTP

    In our case, it isn’t


  • Meterpreter

    What is Meterpreter

    Metasploit payload that uses DLL injection and allows for advanced plugins and scripts to be executed on remote hosts.

    Has ability to launch scripts

    Windows only (for now)

    Has the potential to dump hashes, impersonate users, manipulate processes, run commands

    When used as a payload, can launch scripts automatically


  • Nsploit Dissected

    Architecture

    Metasploit with XMLRPC module enabled

    ○ Listening on a port (local or remote)

    ○ Waiting for commands to come in from Nmap

    Nmap with NSE Libraries

    ○ NSE core library

    ○ NSE scripts that trigger Metasploit module execution

    ○ Config file to describe what gets called and to where


  • Nsploit Dissected

    Components

    Nsploit library

    ○ Facilitates trigger creation

    ○ Contains XMLRPC communication pieces

    ○ Basic class to call Metasploit modules

    ○ Limits amount of code required to launch module


  • Nsploit Dissected

    Components

    Nsploit triggers

    ○ NSE script

    ○ Contains or calls vulnerability detection logic

    ○ Called by Nmap based on port/service/protocol match

    ○ Act on information they discover themselves along with information discovered by Nmap


  • Nsploit Dissected

    Components

    Nsploit config file

    ○ Contains information about what to launch

    ○ What payloads to use (when appropriate)

    ○ Payload settings

    ○ OS Specific settings

    ○ XML format


  • Demos and Walkthroughs

    Quick demo of things working

    Overview of code layout

    Examination of trigger module

    Examination of config file

    Features demo


  • Questions?

    Code can be found at: http://www.happypacket.net

    Blog: http://blog.happypacket.net

    Twitter: @sussurro

    Email: [email protected]


  • Thanks

    To you for coming

    To SecTor organizers and staff

    To Nmap and Metasploit teams

    To all who helped with ideas and troubleshooting
