Rapid7 Inc.

06/17/2019 | News release | Distributed by Public on 06/17/2019 07:23

Metasploit Hackathon Wrap-Up: What We Worked On

The Metasploit project just wrapped up its second global open-source hackathon from May 30 to June 2 in Austin, Texas. This event was an opportunity for Metasploit committers and contributors to get together, discuss ideas, write some code, and have some fun.

In addition to the regular Rapid7 committer crew, Metasploit developers joined from around the world to take part in the event. Some projects just got started, some were finished, and more ideas were discussed for the future. It was great having many of the Metasploit crew able to work together directly for a few days, and to get to know each other better. Thanks especially to everyone who helped make the event happen!

Here is a sampling of hackathon results, in the developers' own words:

zeroSteiner's report: Meterpreter logging, sequencing, and obfuscation

So, at the hackathon, I worked on more projects than I completed, but I got started on an internal logging channel for Meterpreter. This will help folks, including module developers, troubleshoot their Meterpreter sessions remotely without having to worry about accessing PTYs or other streams to get the messages from.

I also helped out OJ with the string eradication from Meterpreter's TLVs by implementing his lookup tables in the Python Meterpreter. Finally, I started work on a sequenced UDP transport. When completed, this would offer users the ability to use stagers for Meterpreter sessions and help with egress evasion in instances where TCP is limited and UDP is not.

The primary issue I worked on was troubleshooting the handler's ability to receive frames issued by the Meterpreter side and implementing general sequence and error-handling logic to handle the stateless nature of UDP communications.

OJ's report: Meterpreter obfuscation, encryption, and W^X memory

I ripped the method strings out of the TLV protocol, so instead we have integer identifiers. This means that if any TLV packets go across the wire in plain text (which they can still do in some cases) those strings no longer exist and can't be fingerprinted.

I also added the ability to renegotiate TLV encryption keys on the fly (with the goal of being able to do that automatically after a period of time).

I also got started on removing RWX allocations from stagers.

timwr's report: iOS exploits, Meterpreter remote control, post-exploit trolling

During this Hackathon, I assisted Brent with getting a new iOS exploit landed, plus fixing some bugs on keyboard and mouse control.

I teamed up with zeroSteiner to start on adding a logging channel to the Java Meterpreter and fixing some minor Python Meterpreter bugs. Brendan and I got some more of the automated tests passing.

I also worked with wvu to fix some bugs on the Java Meterpreter (in shell_command_token and expand_path). We also improved the play_youtube module and added epic sax guy as the default video.

busterb's report: Ruby, libraries, and removing 'expand_path'

I, too, started more than I finished, but got a lot of small and big things into the tree. I worked with jmartin-r7 and timwr to get Mettle's iOS dylib support packaged, which made its debut with Tim's exploit for CVE-2018-4233, targeting all 64-bit iOS 10-11.2 devices.

I poked at a few minor annoyances, quieting some Ruby 2.6 warnings, and started tackling new Windows Meterpreter warnings unveiled when building with a mingw-w64 toolchain. I broke, then subsequently fixed, automatic Content-Length header insertion in HTTP requests and responses, which was some foundational work to enable HTTP proxy code that Boris was working on.

The rest of my time was spent reviewing existing PRs, landing Tim's keyboard/mouse control code for Meterpreter, some commits to implement RW^RX support in the Reflective DLL Injection code for Meterpreter, and on a tree-wide flensing of the 'expand_path' API, switching to getenv in most places. This change will make it easier to get consistent results from all session types, since getenv is easier to implement than expand_path consistently across different session types.

h00die's report: Hashes, crackers, brocade switches, traceroute, and epic sax

During this hackathon, I was able to finish the hashcat integration and cracker overhaul #11695 (a 6,400-line change). With help from jmartin-r7 and timwr, we were able to identify an issue with OS X 10.7 hash enumeration and test additional OS X hashes with the cracker overhaul. Pooling great minds, wvu and rageltman were able to identify and propose a fix for the ssh_login libraries #11905.

With this, a Brocade config dumper and eater was finally born #11927. An idea born a year ago of building a traceroute and network diagram creator for pentest reports was started and is close to being ready for submission. Last, busterb and OJ have volunteered configs for, or to test, a new Ubiquiti config eater.

None of this would have been possible without the pro-level support of ccondon-r7 and two hours of epic sax.

rageltman's report: HTTP proxies, SSH enhancements and server support

During this hackathon, I completed work on the HTTP proxy, permitting HTTP CONNECT request servicing via TCP / HTTP implementation with full bidirectional comms. This also led to some library cleanup across all of our proxy libraries, which has left us with a wonderful place to implement proxy MITM for all (socks and http) proxies.

Working with wvu and h00die, we found lib-level issues in the SSH scanner implementation that cause breakage on a number of embedded devices/locked-down servers. A fix is in the works for this presently. I also assisted zeroSteiner a bit with the UDP implementation for Meterpreter transport. Last, the base-level implementation for Rex::Proto::Ssh::Server was started and is still ongoing, which will give framework users the ability to catch reverse-ssh sessions, log SSH auth attempts, deliver exploits to vulnerable ssh clients connecting, and test protocol clients for weaknesses.

I learned more in five days than I have all year. Huge thanks to Rapid7 for hosting the event, ccondon-r7 for herding the cats so masterfully, and everyone in attendance for their invaluable input, corrections, and good humor. Finally meeting some of the folks with whom I've worked for years and finding that they're all even better to work with in person as well as great human beings is a lung-full of fresh air and excellent motivation to continue building and pushing code. Y'all rock! Thanks for an awesome week.

P.S. I've never had such epic sax before; my cultural awareness is now greatly increased.

chiggins' report: coding and community inspiration

Austin is one of my favorite cities and I was lucky enough to go there and spend a weekend with the wonderful Metasploit crew for a hackathon. The biggest takeaway for me was being surrounded by some mega-intelligent people and trying to soak up as much information as possible.

Sometimes it's hard to find time to contribute to an open-source project, but it was definitely good to be able to get everyone in the same room together and work things out. Being able to dig deep in some code and yell across the room for some guidance is extremely helpful and super rewarding.

It was inspiring being able to have discussions with people that tend to use tools in ways that are a little different, and brainstorm on how to improve on what's already there and where we see the future going. It was truly a fantastic experience and I'm already looking forward to the next time we're all able to get together.