Silence is golden
Taking screenshots of compromised systems can give you a lot of information that might otherwise not be readily available. Screenshots can also add a bit of extra spice to what might be an otherwise dry report. For better or worse, showing people that you have a shell on their system often doesn't have much impact. Showing people screenshots of their desktop can evoke a visceral reaction that can't be ignored. Plus, it's always hilarious seeing Microsoft Outlook open to the phishing email that got you a shell. In OSX, this can be accomplished with the module post/osx/capture/screenshot. Prior to this week's update, doing so would trigger that annoying "snapshot" sound, alerting your victim to their unfortunate circumstances. After a small change to that module, the sound is now disabled so you can continue hacking on your merry way, saving the big reveal for some future time when letting them know of your presence is acceptable.
Check your sums before you wreck your sums
Sometimes you just want to know if a particular file is the same as what you expect or what you've seen before. That's exactly what checksums are good at. Now you can run several kinds of checksums from a meterpreter prompt with the new checksum command. Its first argument is the hash type, e.g. "sha1" or "md5", and the rest are remote file names.
Metadata is best data, everyone know this
As more and more infrastructure moves to the cloud, tools for dealing with the various cloud providers become more useful.
If you have a session on an AWS EC2 instance, the new post/multi/gather/aws_ec2_instance_metadata can grab EC2 metadata, which "can include things like SSH public keys, IPs, networks, user names, MACs, custom user data and numerous other things that could be useful in EC2 post-exploitation scenarios." Of particular interest in that list is custom user data. People put all kinds of ridiculous things in places like that and I would guess that there is basically 100% probability that the EC2 custom field has been used to store usernames and passwords.
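Because user data is readable by anything running on the instance, it is worth auditing your own launch configurations for credentials before someone else reads them. The following is an added example, not part of the original post or of Metasploit: the rule set and the sample user data are constructed for illustration, and the patterns are heuristics rather than a complete secret scanner.

```python
import base64
import binascii
import re

# Heuristic rules (assumptions for this example, not an exhaustive list).
RULES = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("credential_assignment", re.compile(
        r"(?:password|passwd|pwd|secret|token|api_?key)\w*\s*[=:]\s*['\"]?[^\s'\"]+",
        re.IGNORECASE)),
]


def decode_user_data(blob: str) -> str:
    """Return plain text. The EC2 API returns user data base64-encoded,
    while the instance metadata service returns it raw."""
    try:
        return base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return blob  # not base64, so treat it as the raw script


def audit_user_data(blob: str):
    """Return (line_number, rule_name) for each line that looks like a secret.
    Matched values are not returned, so the report itself leaks nothing."""
    findings = []
    for lineno, line in enumerate(decode_user_data(blob).splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, name))
    return findings


# Constructed sample user data (the key is AWS's documentation placeholder).
SAMPLE = """#!/bin/bash
yum -y install httpd
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
DB_USER=app
DB_PASSWORD='hunter2-constructed'
systemctl start httpd
"""

if __name__ == "__main__":
    for source in (SAMPLE, base64.b64encode(SAMPLE.encode()).decode()):
        for lineno, rule in audit_user_data(source):
            print(f"line {lineno}: {rule}")
```

Anything this flags belongs in a secrets manager or an instance role rather than in user data.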
For a while now, msfvenom has been able to produce ELF library (.so) files with the elf-so format option. Formerly, these only worked with the normal linking system, i.e., they worked when an executable loaded them from /usr/lib or whatever, but due to a couple of otherwise unimportant header fields, they didn't work with LD_PRELOAD. For those who are unfamiliar with LD_PRELOAD, it's a little bit of magic that allows the linker to load up a library implicitly rather than as a result of the binary saying it needs that library. This mechanism is often used for debugging, so you can stub out functions or make them behave differently when you're trying to track down a tricky bug.
It's also super useful for hijacking functions. This use case provides lots of fun shenanigans you can do to create a userspace rootkit, but for our purposes, it's often enough simply to run a payload so a command like this:
will result in a complete mettle session running inside a
Exploit modules (1 new)
- Windows Capcom.sys Kernel Execution Exploit (x64 only) by OJ Reeves and TheWack0lian
Auxiliary and post modules (3 new)
- ColoradoFTP Server 1.3 Build 8 Directory Traversal Information Disclosure by RvLaboratory and h00die
- MYSQL Directory Write Test by AverageSecurityGuy
- Gather AWS EC2 Instance Metadata by Jon Hart
As always, you can update to the latest Metasploit Framework with a simple msfupdate and the full diff since the last blog post is available on GitHub: 4.12.28...4.12.30