Format string attacks remain difficult in both software and hackademic exercises as the techniques have not improved since their discovery. This session demonstrates advanced format string attack techniques designed to automate the process from creation to compromise as well as incorporate those techniques into the Metasploit framework. The audience is encouraged to bring a basic understanding of format string attacks in order to leave the presentation with the tools necessary to never write one again.
Earlier this week HD Moore gave a live webcast demoing the new, highly anticipated Metasploit 4 release. The live demo went as smoothly as a live demo can go, and as always HD Moore is great to hear talk no matter what the topic is. This presentation was particularly excellent because he’s so passionate about the Metasploit project — which he single-handedly created nearly 10 years ago, and has since watched grow into the de facto tool used by penetration testers and infosec warriors.
Some statistics about Metasploit over the years:
- 2003 – Metasploit 1.0 – 11 exploits
- 2004 – Metasploit 2.0 – 18 exploits
- 2007 – Metasploit 3.0 – 177 exploits
- 2011 – Metasploit 4.0 – 716 exploits
- 1 million unique downloads in the past 12 months
- Rapid 7 sponsorship of Metasploit has doubled the line count of the codebase
HD’s excitement over the new features that he and his team have been working on for nearly a year was quite obvious, and he said that they’ve barely slept in the last 3 months as the release date looms ever closer and crunch time arrives.
Going through every new feature is beyond the scope of this quick blog post, so here are the highlights as shown in the slides.
I’ll touch on a couple of new features and why they’re interesting. A number of new features are exclusive to Metasploit Pro, but a lot of the core stuff is available in every version of Metasploit, including the Metasploit Framework which is free and open source.
- Optimization for large scale penetration tests. Previously Metasploit really didn’t scale beyond a thousand hosts. Now it’s possible to load full vulnerability scans of upwards of 10,000 hosts without any issue.
- Standardized XML API. The entire XML API is documented and will be released under an open source license.
- Persistent agents and listeners. This is sweet. Now if you lose connection with a box you’ve compromised, all isn’t lost. You can set up the payload to persistently attempt reconnects back to your listener, so if the network goes down temporarily or a WiFi connection drops, the session can recover. You can configure every aspect of it too: set an expiration date after which it’ll remove itself, and other fun stuff.
- Full integration with John the Ripper. Rapid7 now sponsors the JtR project, and has fully integrated it into MSF. As sad as it is, most compromises happen via a trivially guessed password on a critical box. MSF now has many, many options for mutating wordlists as well as seeding password lists with data discovered during scanning.
- Full remote control of MSF via a brand new RPC interface written in Ruby (msfrpc-client).
- Support for imports from over a dozen other scanners, including Appscan, Netsparker and many more.
- Shiny graphs and pretty pictures to look at. Don’t really care about this, but it’s great for higher level suits and execs. MSF can now spit out a pretty report with all kinds of details and graphs after the pentest is complete.
Metasploit 4 looks like a great release and continues Rapid 7’s charge into the enterprise market, but without totally alienating the core users who’ve been using MSF for years.