Rapid7 Blog

Brendan Watters  


Building a Backpack Hypervisor

Researcher, engineer, and Metasploit contributor Brendan Watters shares his experience building a backpack-size hypervisor.…


Virtual Machine Automation (vm-automation) repository released


Rapid7 just released a new public repo called vm-automation. The vm-automation repository is a Python library that encapsulates existing methodologies for virtual machine and hypervisor automation and provides a platform-agnostic Python API. Currently, only ESXi and VMware Workstation are supported, but I have high hopes we will support other hypervisors in time, and we would love to see contributors come forward and assist in supporting them!

That's awesome. I want to get started now!

Great! Instructions on how to use the library are here: https://github.com/rapid7/vm-automation

Why?

The Metasploit team has an embarrassment of riches when it comes to modules and payloads thanks to our amazing community and staff. To give some idea of the embarrassment of riches, feel free to launch msfconsole and check the output:

       =[ metasploit v4.15.0-dev-7e1b50a                 ]
+ -- --=[ 1665 exploits - 953 auxiliary - 294 post       ]
+ -- --=[ 486 payloads - 40 encoders - 9 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

We have 486 payloads, 1,665 exploits, nearly 1,000 auxiliary modules, and 294 post modules. Additionally, we have 443 super-awesome contributors across the globe sending us modules every single day. All this is impressive, and we are incredibly thankful for everyone's support. At the same time, this is a challenge to test, especially since Microsoft and Linux keep updating things that break our code without warning (don't they know who we are?!). One of the efforts we are working on is test automation to help us maintain our modules and payloads, or at least know sooner when things break, and to streamline the PR landing process. To do that, we built a testing infrastructure that uses virtual and physical machines as attackers and targets; we then launch payloads, scripts, and modules against the virtual machines and track the responses.

As we are all lazy, it needed automation, so we looked for a clean, simple way to interact with different kinds of vms that was consistent across hypervisors. In a former life, I was also an instructor and CTF developer; as a result, I know that the ability to script vm management tasks makes life much easier for a lot of people beyond the narrow case of module and payload testing in Metasploit, so we split the library for automating vm tasks into a separate repo for anyone to use (and contribute new ideas!).

Aren't there already things that do this?

Yes...sort of. There are multiple projects out there that give varying amounts of control over vms using lots of different languages. pyVmomi is one great example; it allows spectacular levels of customization and power over virtual machines that the average CTF-er or tester has absolutely no need for, while simple tasks like getting a list of snapshots take ~40 lines of code. I certainly do not want to denigrate or disparage pyVmomi: it is an awesome API, and I know people who need that level of power over virtual machines, but it is just too powerful and complex for a lot of hobby-level hypervisor scripters. This library wraps a lot of pyVmomi API calls into simple, comprehensible functions that cover the majority of what most hypervisor script users need, while hiding much of the complexity in pyVmomi. Also, pyVmomi only speaks the vSphere API (ESXi and vCenter), so it cannot drive VMware Workstation; this library uses pyVmomi calls for ESXi but shells out to vmrun (VMrun.exe on Windows) for Workstation. So while much of the underlying code changes from one backend to the other, the functions used to interact with vms remain the same across hypervisors, supporting the main goal for this repo: one function call, multiple hypervisors.

So what is it you say you do around here?

The supported functions are currently limited to those you might want to automate a CTF or test range:

checkTools: Returns the state of VMware Tools
deleteSnapshot: Deletes a given snapshot
getArch: Returns the vm architecture
getFileFromGuest: Pulls a file from the virtual machine
getSnapshots: Updates the vm object's snapshot list attribute
getVmIp: Updates the vm object's IP address to match the vm
getUsername: Returns the vm's username
isPoweredOff: Returns true or false
isPoweredOn: Returns true or false
makeDirOnGuest: Creates a directory on the specified vm
powerOn: Turns on the vm
powerOff: Turns off the vm
revertToSnapshot: Reverts the vm to a given snapshot
runCmdOnGuest: Runs a command or executable on the vm
setPassword: Updates the password in the vm object
setUsername: Updates the username in the vm object
takeSnapshot: Takes a snapshot of the vm
updateProcList: Updates the process list in the vm object
uploadAndRun: Uploads a script or executable file and runs it
uploadFileToGuest: Uploads a file to the vm
waitForTask: Waits for a given task to complete before allowing continued execution. Most of the API calls can be synchronous or asynchronous; this function lets us toggle between the two.

How are you implementing the functions?

The basic layout is this: for each hypervisor (currently two), there are two classes. The first is the hypervisor class. It contains all the attributes required to talk to the hypervisor, like IP address, login information, and vm list. The other is the vm class, with the functions and attributes needed for normal vm interactions: snapshots, process lists, IP addresses, and the link back to the hypervisor. By giving the vm classes for every hypervisor the same method names, we can interact with any vm exactly the same way, regardless of the hypervisor (or type of hypervisor) on which it runs.
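To make the "same method names on every backend" layout concrete, here is an added sketch of that pattern; it is illustrative code written for this page, not the rapid7/vm-automation implementation. It defines a backend-neutral VM interface using the function names from the list above and one concrete backend that drives VMware Workstation through the vmrun command-line tool (the vmrun sub-commands and the -T/-gu/-gp flags are vmrun's real syntax; the .vmx path, guest credentials, the listSnapshots output used by the fake runner, and the fake runner itself are constructed for the demo). Injecting the command runner is what lets the class be exercised offline and lets a test harness record exactly what it asked the hypervisor to do.

```python
"""Sketch of 'one function call, multiple hypervisors': a hypervisor-neutral VM
interface plus a VMware Workstation backend built on vmrun.  Illustrative only;
this is not the rapid7/vm-automation code."""
import subprocess
from abc import ABC, abstractmethod
from dataclasses import dataclass, field
from typing import Callable, List

# A runner takes an argv list and returns stdout.  Injecting it keeps the
# backend testable offline and makes every hypervisor call observable.
Runner = Callable[[List[str]], str]


def subprocess_runner(argv: List[str]) -> str:
    """Default runner: execute argv, return stdout, raise on non-zero exit."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


class VM(ABC):
    """Backend-neutral interface: every hypervisor backend implements the same
    names, so callers never branch on where the VM actually runs."""
    @abstractmethod
    def powerOn(self) -> None: ...
    @abstractmethod
    def powerOff(self) -> None: ...
    @abstractmethod
    def getSnapshots(self) -> List[str]: ...
    @abstractmethod
    def revertToSnapshot(self, name: str) -> None: ...
    @abstractmethod
    def runCmdOnGuest(self, program: str, *args: str) -> str: ...


def parse_snapshot_list(out: str) -> List[str]:
    """Parse 'vmrun listSnapshots' output: a 'Total snapshots: N' header
    followed by one name per line.  Refuse anything else rather than
    silently returning an empty list."""
    lines = [ln.rstrip() for ln in out.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("Total snapshots:"):
        raise ValueError("unexpected listSnapshots output: %r" % out[:80])
    names = lines[1:]
    declared = int(lines[0].split(":", 1)[1])
    if declared != len(names):
        raise ValueError("header says %d snapshots, got %d" % (declared, len(names)))
    return names


@dataclass
class WorkstationVM(VM):
    """VMware Workstation backend.  Path and credentials are caller-supplied."""
    vmx: str                          # path to the guest's .vmx file on the host
    guest_user: str                   # guest OS account for in-guest operations
    guest_pass: str
    vmrun: str = "vmrun"
    runner: Runner = subprocess_runner
    snapshots: List[str] = field(default_factory=list)

    def _cmd(self, *parts: str, guest: bool = False) -> List[str]:
        argv = [self.vmrun, "-T", "ws"]
        if guest:
            # Caveat: -gu/-gp place the guest password on the command line,
            # where any local user can read it from the process list.
            argv += ["-gu", self.guest_user, "-gp", self.guest_pass]
        return argv + list(parts)

    def powerOn(self) -> None:
        self.runner(self._cmd("start", self.vmx, "nogui"))

    def powerOff(self) -> None:
        self.runner(self._cmd("stop", self.vmx, "hard"))

    def getSnapshots(self) -> List[str]:
        self.snapshots = parse_snapshot_list(self.runner(self._cmd("listSnapshots", self.vmx)))
        return self.snapshots

    def revertToSnapshot(self, name: str) -> None:
        # Re-list first so a mistyped snapshot fails here, not mid test run.
        if name not in self.getSnapshots():
            raise ValueError("no snapshot %r on %s" % (name, self.vmx))
        self.runner(self._cmd("revertToSnapshot", self.vmx, name))

    def runCmdOnGuest(self, program: str, *args: str) -> str:
        return self.runner(self._cmd("runProgramInGuest", self.vmx, program, *args, guest=True))


def fake_runner(log: List[List[str]]) -> Runner:
    """Offline stand-in for vmrun: records argv and fakes a two-snapshot VM."""
    def run(argv: List[str]) -> str:
        log.append(argv)
        if "listSnapshots" in argv:
            return "Total snapshots: 2\nclean\npost-patch\n"   # constructed output
        return ""
    return run


def demo() -> List[List[str]]:
    """A typical test-range cycle: revert to clean, boot, run one command."""
    log: List[List[str]] = []
    vm = WorkstationVM("/vms/target.vmx", "tester", "hunter2", runner=fake_runner(log))
    vm.revertToSnapshot("clean")
    vm.powerOn()
    vm.runCmdOnGuest("/bin/sh", "-c", "id")
    return log


if __name__ == "__main__":
    for argv in demo():
        print(" ".join(argv))
```

An ESXi backend would implement the same five names on top of pyVmomi calls instead of argv lists, and the harness calling vm.revertToSnapshot("clean") would not change. The runProgramInGuest caveat is worth remembering on a shared host: prefer a dedicated, low-privilege guest account for automation, since its password is visible in the host's process list for the life of each vmrun invocation.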
Moving forward

The obvious thing is that we need to support more hypervisors: I would love to support cheaper or free virtualization options like VirtualBox or even Hyper-V. I hope that this library proves as useful to others as it would have been to me over the years. I welcome anyone who would like to contribute, especially if they want to start work on supporting extra hypervisors! It is a relatively simple project. I think if we do it right it will see a lot of use, and we can help a lot of people.

Metasploit Wrapup


Metasploit Hackathon

We were happy to host the very first Metasploit Framework open source hackathon this past week in the Rapid7 Austin office. Eight Metasploit hackers from outside of Rapid7 joined forces with the in-house team and worked on a lot of great projects, small and large.

@bcook started the hackathon working with @sempervictus on his amazing backlog of framework features, including Rex library improvements, UDP sessions, TLS-encrypted sessions, and support for running the framework in Rubinius. We had a lot of good chats on how to move forward with bigger features, and our trees have begun to converge more. @zerosteiner worked on server support for the net-ssh library, right after landing Railgun support for OSX Meterpreter, and gave a talk on it at BSides Cleveland.

On the module side, we got the long-awaited DNS injection module from @kingsabri rewritten and enhanced. @bcook worked a lot with @mubix, whose intense testing and feedback made the module really great. Mubix served a unique role at the hackathon, testing everyone's ideas and providing a critical eye on usability and reliability in engagements. @bcook also worked with @sure-fire testing public PoC code for CVE-2017-3881 on a variety of Cisco gear, and we were able to convert @artkond's great research into another module PR.

@bperry stopped by with his guitar and worked on a plugin for the Arachni web scanner. In his words, "This complements the sqlmap plugin well, going from general web app scanning with Arachni to full exploitation with sqlmap straight from Metasploit. It's something I've wanted in Metasploit for a while now." He also composed a song for the occasion.

@bcook worked on a long-awaited search function for the Metasploit RPC interface while @mubix added a nifty new plugin that publishes an RSS feed of shells as they come in. While testing various things, @mubix noticed that his database was taking a long time to delete a workspace. @darkbushido took a look and found that we could speed up deleting workspaces by several orders of magnitude by using a different method.

Joining the hackathon virtually, @oj completed his PR for an all-new crypto layer for Meterpreter transports, which provides application-layer encryption for sessions independent of the transport used. It also has the nice side effect of reducing the size of Windows Meterpreter five-fold!

@bwatters-r7, @hdm, @kernelsmith, @acammack-r7, and @izobashi also worked on a number of interesting projects, like a SOCKS5 proxy, automated payload testing, selfhash support, and mimipenguins integration. We will be covering those as they make their way into the PR queue. In total, the hackathon was a great success and we look forward to having another one soon.

Passwords

In the continual game of cat and mouse with Windows password storage, Rogdham has brought the mice back on top this week. SQUEEK! Previously, Windows protected the password hashes stored in the SAM with RC4, but newer Windows 10 builds encrypt them with AES-128. With this update, the hashdump module works with the AES-128-protected hashes, too.

catch yourself before you wrek yourself

No one likes segfaults while you're trying to be stealthy, so kudos to tkmru, who added some error handling to our armle reverse_tcp payload. Previously, the payload would segfault if it could not call back. Now, if it fails to call back, it fails silently, because the best kind of failure is the kind no one notices!
New Modules

Exploit modules (4 new)

Netgear DGN2200 dnslookup.cgi Command Injection by SivertPL and thecarterb exploits CVE-2017-6334
Symantec Messaging Gateway Remote Code Execution by Mehmet Ince exploits CVE-2017-6326
Easy File Sharing HTTP Server 7.2 POST Buffer Overflow by Marco Rivoli and bl4ck h4ck3r

Auxiliary and post modules (1 new)

Riverbed SteelHead VCX File Read by Gregory DRAPERI and h00die

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

Pull Requests 4.14.26...4.14.28
Full diff 4.14.26...4.14.28

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

Metasploit Wrapup


A fresh, new UAC bypass module for Windows 10!

Leveraging the behavior of fodhelper.exe and a registry key that is writable as a normal user, you too can be admin! Unpatched as of last week, this bypass module works on Windows 10 only, but it works like a charm!

Reach out and allocate something

This release offers up a fresh denial/degradation-of-service exploit against hosts running a vulnerable version of rpcbind. Specifically, you can repeatedly allocate up to four gigabytes of RAM on the remote host with predictably bad results. It becomes worse when you realize that the allocation happens outside tracked memory, so that memory is never freed. As a bonus, the granularity of the module accommodates those who wish to be truly evil by allowing them to simply degrade a host's performance, rather than completely crashing it.

Hardware agnosticism

Thanks to our great community, this release contains a fix for a troublesome bug where a Meterpreter session would crash under a specific set of circumstances when running on an AMD CPU. The exact cause is yet to be determined, but it appears the AMD chip becomes confused about the memory it can access, and inserting an otherwise bogus move instruction causes the chip to recover or somehow right itself, allowing it to execute the originally-offending instruction. If you are a bit of a hardware junkie, feel free to read more.

Improved reporting

There were multiple fixes to help in a less exciting, but still incredibly important, aspect of pen-testing: reporting. We fixed a bug in vulnerability reporting where Metasploit (https://www.rapid7.com/products/metasploit/) was not correctly tracking the attempted vulnerabilities, so reports were less accurate than they could be. Also, an update to our scanner modules adds more CVE references to each scan result to allow better reporting or researching for methods of attack.

Download now supports terrible networks

A new feature allows Metasploit users to control the block size when downloading files. In most cases this is not important, but on a network that is slow or laggy, the ability to control block size results in more reliable downloads. Included is an adaptive flag that halves the block size every time a block transfer fails. If you've never had to red team on a bad network, count yourself lucky; if you have, you'll love this new feature.

It happens to the best of us

In addition to adding functionality and fixing user bugs, this release also includes a security fix reported by our community. The CSRF vulnerability is now patched; we send a hearty thank you to the reporter, @SymbianSyMoh!

New Modules

Exploit modules (2 new)

DC/OS Marathon UI Docker Exploit by Erik Daguerre
Windows UAC Protection Bypass (Via FodHelper Registry Key) by amaloteaux and winscriptingblog

Auxiliary and post modules (1 new)

RPC DoS targeting *nix rpcbind/libtirpc by Pearce Barry and guidovranken exploits CVE-2017-8779

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

Pull Requests 4.14.23...4.14.26
Full diff 4.14.23...4.14.26

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.
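The adaptive download flag described above is a small but useful algorithm, so here is an added illustration of the idea: request a file in blocks, halve the block size each time a block transfer fails, and retry the same offset. This is example code written for this page, not Meterpreter's implementation; the flaky_reader that fails any request above a size threshold, the payload bytes, and the min_block and max_failures safeguards are all constructed for the demo.

```python
"""Adaptive block-size download: halve the block size on each failed block,
never below a floor, and give up on a link that never delivers.  Illustration
of the idea only; not Metasploit's implementation."""
from typing import Callable, List, Tuple

# read(offset, length) -> bytes; raises OSError when the block transfer fails.
ReadBlock = Callable[[int, int], bytes]


def adaptive_download(read: ReadBlock, total: int, block: int,
                      min_block: int = 512, max_failures: int = 16) -> Tuple[bytes, List[int], int]:
    """Fetch `total` bytes.  Returns (data, block size requested per attempt, failures).

    Each OSError halves the block size (never below min_block) and retries the
    same offset.  More than max_failures failed transfers in total aborts the
    download so a dead link cannot spin forever at the floor size.
    """
    out = bytearray()
    attempts: List[int] = []
    failures = 0
    while len(out) < total:
        want = min(block, total - len(out))      # never ask past the end
        attempts.append(want)
        try:
            chunk = read(len(out), want)
        except OSError:
            failures += 1
            if failures > max_failures:
                raise
            block = max(block // 2, min_block)   # the adaptive step
            continue
        if not chunk or len(chunk) > want:
            raise IOError("bad block length %d at offset %d" % (len(chunk), len(out)))
        out += chunk                              # a short, non-empty read just advances
    return bytes(out), attempts, failures


def flaky_reader(data: bytes, max_ok: int) -> ReadBlock:
    """Constructed stand-in for a bad network: requests larger than max_ok
    bytes time out, smaller ones succeed."""
    def read(offset: int, length: int) -> bytes:
        if length > max_ok:
            raise OSError("transfer of %d bytes timed out" % length)
        return data[offset:offset + length]
    return read


def demo() -> Tuple[bool, List[int], int]:
    """Download 10240 constructed bytes over a link that drops anything over 4 KiB."""
    payload = bytes(range(256)) * 40
    got, attempts, failures = adaptive_download(flaky_reader(payload, 4096), len(payload), block=65536)
    return got == payload, attempts, failures


if __name__ == "__main__":
    ok, attempts, failures = demo()
    print("intact=%s failures=%d block sizes tried=%s" % (ok, failures, attempts))
```

In the demo the first three requests are clipped to the 10240-byte file size and fail, 8192 fails, and from 4096 bytes down every block succeeds, so the whole file arrives after four failures without any operator intervention; the max_failures cap is what turns a dead link into an error instead of an endless retry loop.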

Metasploit Wrapup


It has only been one week since the last wrapup, so it's not like much could have happened, right? Wrong!

Misery Loves Company

After last week's excitement with Metasploit's version of ETERNALBLUE (the MS17-010 exploit used by WannaCry), this week Samba had its own "Hold My Beer" moment with the disclosure that an authenticated (or anonymous) client can upload a shared library to a writable share on a Samba server, and that server will happily load and execute the library! The vulnerability (CVE-2017-7494) is present in all versions of Samba since 3.5.0 (2010) and was only patched a few days ago. That length of time, paired with the number, simplicity, and price points of the devices that run Samba, means that this vulnerability will be around for a very, very long time. The always-original internet appears to have dubbed this "SambaCry", whereas we here at Rapid7 have taken a more animated path in our references. In the scant week since the vulnerability was released, we've already landed and improved a module that takes advantage of it, and it works on fifteen different computing architectures. Because Samba runs on so many different architectures, and we're supporting them, this really is the perfect opportunity to go out and play with the new and improved POSIX Meterpreter!

Make New Friends, But Keep the Old

Just because we have a shiny new exploit does not mean we forgot about our old friend from last week, ETERNALBLUE. This update sees several improvements to last week's module, including:

Improved architecture verification when port 135 is blocked
Ignoring and continuing if the target does not reply to an SMB request
OS verification

We've Got Your Back

Not too long ago, we added a module to migrate from one architecture to another on Windows hosts. Unfortunately, if you were running as an elevated user, the new session did not maintain those privileges. Now, if you try to migrate as SYSTEM, we'll stop you and make sure you really want to de-escalate your own privileges.

Speaking of Running Metasploit in Strange Places

zombieCraig has extended support for the hardware bridge in Metasploit, squashing bugs and adding two new commands: testerpresent and isotpsend. The first sends keepalive packets in the background to maintain the diagnostic connection, and the second allows communication with ISO-TP compatible modules. We've also added a module to dump credentials on ScadaBR systems.

Target your Target

For those who have enjoyed the recent Office Macro exploit, you can now embed it into custom docx templates for that personal touch.

New Modules

Exploit modules (5 new)

Samba is_known_pipename() Arbitrary Module Load by hdm, Brendan Coles, and steelo exploits CVE-2017-7494
Octopus Deploy Authenticated Code Execution by James Otten
VX Search Enterprise GET Buffer Overflow by Daniel Teixeira

Auxiliary and post modules (2 new)

ScadaBR Credentials Dumper by Brendan Coles
WordPress Traversal Directory DoS by CryptisStudents and Yorick Koster exploits CVE-2016-6897

Get It

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

Pull Requests 4.14.20...4.14.23
Full diff 4.14.20...4.14.23

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.
