Friday, September 30, 2011

Windows Shellbags and Post Exploitation

Via securityaegis and seen in Twitter.

Shellbags are a set of registry keys that store the preferences of each folder that has been opened at least one time with Windows Explorer (local,remote, portable devices, etc.).

From a Post Exploitation point of view, this information offers us a good idea of the activities being carried in the exploited desktop computer. Thus, we can figure out how critical the computer and the the information it holds are for our costumer.

The linked post comments that, during a big engagement, we may pop up a shell in a computer that belongs to HR, R&D, etc..  but, at first sight, we could not distinguish how important it is compared to several other similar desktops among the organization.

Below you can find a demo of the meterpreter script in action.

Untitled from Securityaegis on Vimeo.

Thursday, September 22, 2011

Embedding Msfconsole in Python scripts through the XMLRPC interface

During the last days I have been playing with the Metasploit's XMLRPC interface and I have had lots of fun! :)

I have created a set of Python classes that permit to interact with Metasploit in different ways, hiding the complexity of the the XMLRPC calls.

This class permits to launch non-interactive jobs in Metasploit, which will be ran in backgroud.

This class permits to embed a full Metasploit console in your Python script. It also offers a bit of automation, because it permits to launch some tasks in background or foreground before we start interacting the console.

The following code launches an auxiliary module to find which SSH version is running a particular server. This script launches the task and then starts interacting with the created console

#! /usr/bin/env python

import signal
from pymsf import pymsf
import os
import sys

def signal_controlc(signal,frame):

myconsole = pymsf.MsfConsole()

opts = {
"RHOSTS": sys.argv[1],
print "launching"
signal.signal(signal.SIGINT, signal_controlc)

# ./

                |                    |      _) |
 __ `__ \   _ \ __|  _` |  __| __ \  |  _ \  | __|
 |   |   |  __/ |   (   |\__ \ |   | | (   | | |
_|  _|  _|\___|\__|\__,_|____/ .__/ _|\___/ _|\__|

       =[ metasploit v3.7.2-release [core:3.7 api:1.0]
+ -- --=[ 699 exploits - 361 auxiliary - 54 post
+ -- --=[ 224 payloads - 27 encoders - 8 nops
       =[ svn r12982 updated 94 days ago (2011.06.20)

Warning: This copy of the Metasploit Framework was last updated 94 days ago.
         We recommend that you update the framework at least every other day.
         For information on updating your copy of Metasploit, please see:

[*], SSH server version: SSH-2.0-OpenSSH_5.4p1 FreeBSD-20100308
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf auxiliary(ssh_version) >

The following code launches batch jobs in our running Metasploit console, trying to login to a SSH server. The script keeps waiting until the job has finished and then lists the existing sessions in case we have created a new one.

#! /usr/bin/env python

from pymsf import pymsf
import os
import sys
from time import sleep

batch = pymsf.MsfBatch()

opts = {
"RHOSTS": sys.argv[1],
"RPORT": "22",
"USERNAME": 'root',
"PASSWORD": sys.argv[2],
"THREADS": "8",
"USER_AS_PASS": 'false',

if before < batch.numSessions():
        print "New session created. Listing opened sessions"

print "Finish"

./ toor
New session created. Listing opened sessions
auxiliary/scanner/ssh/ssh_login  ::

The code can be found here

Monday, September 19, 2011

Tracking the Attackers with a Web Honeypot

GlastopfNG is a web Honeypot that simulates vulnerable web applications in order to attract  intruders and understand their attacks.

The following talk is mainly focused in the researcher's point of view, getting statistics and finding new attacks, but I understand that this tool is extremely useful for the defenders because it may help us to spot and study the attackers as well.

Its key features are:

  • Dynamically generate dorks in order to attract the attacker
  • Pattern matching engine.
  • Extensible with modules to detect and react to new attacks.
  • Custom reporting. We can write our own report module that could feed our alerting system.


Thursday, September 15, 2011

Analyzing Malicious PDF Files with Peepdf [Spanish]

Via securitybydefault

peepdf is a tool written in Python that analyzes the tree structure in the PDF file. This kind of tool is really helpful to have a first impression and decide whether a PDF file could be malicious or not.

The commented post uses  peepdf to find the objects containing the Javascript code that makes the heap spry and the shellcode.

Once shellcode is extracted, they use a standard debugger to conclude that it downloads  a version of the Zeus trojan

Friday, September 9, 2011

Team Tactics In Armitage

Via Securitytube.

I have found this great video that explains how to use Armitage in a team scenario. Great tool!

You can find a complete  training  in a series of 6 videos posted by Raphael Mudge in his profile on Securitytube.

Armitage and Metasploit Training - Team Tactics from Raphael Mudge on Vimeo.

Tuesday, September 6, 2011

Some Post Exploitation Goodness

Via (Rob Fuller)

Rob Fuller has created three documents in Google Docs with a list of commands that can be used to gather information during the post exploitation phase in Windows, Linux and OSX systems.

I am sure the lists are  going to be really useful for many people with the help of some Metasploit Scripting skills.

Unix Post Exploitation

Windows Post Exploitation

OSX Post Exploitation