Panel - MetaSploit Panel

Published: Oct. 7, 2009, 8:57 p.m.

Metasploit Evolved
H.D. Moore

Metasploit has continuously evolved since its inception in 2003, switching focuses, development teams, licenses, and languages as the demands of the security community changed. This talk focuses on the organizational and development changes that have taken place over the last year and where things are headed in the future. This briefly touches on the dozens of new features and technologies that have been or are currently being integrated, paving the way for more in-depth talks by the developers focused on these areas.

Meterpreter Advances
H.D. Moore

The Meterpreter payload system is one of the most powerful features of the Metasploit Framework and the basis for many post-exploitation activities. This talk dives into the latest features of the Meterpreter as well as some advanced techniques for the creative penetration tester. Examples include keyboard, video, and audio monitoring, in-memory application backdoors, Meterpreter as a trojan, anti-goodware features, and a whole lot more.

Hacking the Next Internet
H.D. Moore

IPv6 is slowly but surely being deployed on a global scale, but most local networks already have IPv6 enabled hosts. This talk covers the basics of IPv6 host discovery, port scanning, and penetration testing, using the Metasploit Framework as the primary tool.

H.D. Moore is director of security research at BreakingPoint Systems where he leads exploit and protocol development for BreakingPoint's network test products. HD is the founder of the Metasploit Project and one of the core developers of the Metasploit Framework, the leading open-source exploit development platform. In his spare time, HD searches for new vulnerabilities, develops security tools, and contributes to open-source security projects.

Metasploit Autopsy: Reconstructing the Crime Scene
Peter Silberman
Steve Davis

Meterpreter is becoming the new frontier of malicious payloads, allowing an attacker to upload files that never touch disk, circumventing traditional forensic techniques. The stealth of meterpreter creates problems for incident responders, such as: how does a responder determine what occurred on a box exploited by meterpreter?

During this talk we discuss accessing physical memory for the purpose of acquiring a specific process's address space. Process address space acquisition includes DLLs, EXEs, stacks and heaps. This includes memory-resident modules. We describe in detail how meterpreter operates in memory and specifically how memory looks when meterpreter scripts/commands are executed and the residue these scripts create in the exploited process's memory space. Finally, we tie all this knowledge together and discuss how to reconstruct a meterpreter session – completely from memory – and determine what the attacker was doing on the exploited machine.

The talk will conclude with the demonstration of a new tool: the audience will see how an attacker using meterpreter is no longer hidden from the forensic investigator, as we recreate the meterpreter session from memory.

Peter Silberman works at MANDIANT on the product development team. For a number of years, Peter has specialized in offensive and defensive kernel technologies, reverse engineering, and vulnerability discovery. He enjoys automating solutions to problems both in the domain of reverse engineering and rootkit analysis. Although he is college educated, Peter does not believe formal education should interfere with learning.

Steve Davis is a Consultant in Mandiant's Alexandria, Virginia office. Mr. Davis specializes in exploit research and development, malware analysis, and application and network vulnerability assessments. He has developed numerous internal tools to aid in penetration tests and malware analysis. Mr. Davis has also instructed malware analysis and wireless security courses at industry-standard conferences, including Black Hat, and for private clientele.