Skip to main content

Finding Meterpreter

In our recent post on the Command Line Kung Fu blog, Advanced Process Whack-a-Mole, we tried to find meterpreter using these two commands:

Windows command line:
C:\> tasklist /FI "modules eq metsrv.dll"
PowerShell
PS C:\> Get-Process | ? { $_.Modules -like "*(metsrv.dll)*" }
In version MetaSploit 3.3, and presumably future versions, the metsrv.dll is not visible due to Reflective DLL injection. It does work on v2 and v3.0-3.2. However, there are still footprints of meterpreter in v3.3. Two other dll's are loaded with meterpreter that many processes don't load.
C:\WINDOWS\system32\rsaenh.dll
C:\WINDOWS\system32\IPHLPAPI.DLL
We can look for processes that have these two dll's loaded using either of these two commands.

Windows command line:
C:\> tasklist /fi "MODULES eq rsaenh.dll" /fi "MODULES eq iphlpapi.dll"
PowerShell
PS C:\> Get-Process | ? { $_.Modules -like "*(rsaenh.dll)*" 
-and $_.Modules -like "*(iphlpapi.dll)*"}
The problem is, some processes load these dll's so it isn't a 100% sign of pwnage. The processes include:
explorer.exe
iexplore.exe
lsass.exe
svchost.exe
winlogon.exe
If IE were compromised it wouldn't be obvious, but it is obvious if Icecast was.
PS C:\> Get-Process | ? { $_.Modules -like "*(rsaenh.dll)*" 
-and $_.Modules -like "*(iphlpapi.dll)*"} | select ProcessName

ProcessName
-----------
explorer
Icecast2
IEXPLORE
lsass
svchost
svchost
svchost
winlogon
It is also apparent if meterpreter has been migrated to a process that doesn't normally load the dll's. In my testing I migrated to calc. Here are the results now.
PS C:\> Get-Process | ? { $_.Modules -like "*(rsaenh.dll)*" 
-and $_.Modules -like "*(iphlpapi.dll)*"} | select ProcessName

ProcessName
-----------
calc
explorer
Icecast2
IEXPLORE
lsass
svchost
svchost
svchost
winlogon
If we had a baseline of processes that load these dll's then we can use PowerShell to filter out processes that don't normally load the dll's.
PS C:\> Get-Process | ? { $_.Modules -like "*(rsaenh.dll)*" 
-and $_.Modules -like "*(iphlpapi.dll)*" -and
"explorer","iexplore","lsass","svchost","winlogon" -notcontains  $_.ProcessName }

ProcessName
-----------
calc
Icecast2

In this example Icecast2 was the initial point of compromise and meterpreter has migrated to calc.

While this isn't a perfect way to find meterpreter it is better than nothing.

UPDATE:
According to Stephen Fewer, one of the MetaSploit developers:
iphlpapi.dll is imported by the meterpreters stdapi extension for the route and ipconfig commands.


rsaenh.dll (The Microsoft Enhanced Cryptographic Provider DLL) is being loaded via advapi32.dll after a call from the openssl subsystem within meterpreter calling advapi32!CryptAcquireContext[1]

Comments

Popular posts from this blog

3 Years of DirecTV User-Agent Command Injection

I found a bug in one of my DirecTV devices in 2015 after I got DirecTV. DirecTV didn't have a bug bounty program at that time so I used it as a demo in my classes. When AT&T bought DirecTV it then fell under AT&T's bug bounty, which is awarded quarterly. I forgot to submit it in the first post-merger quarger (2015Q4), so I submitted it 2016Q1. Screenshots from the bug bounty submission are at the bottom of this post.

EDIT: I in NO way want to steal the thunder from Ricky Lawshae and or diminish his hard work (although I think we can both agree this is about the lamest work either of use have ever had to do ;) ). My goal is to show how long crappy bugs like this sit.

I got bored a few years ago and decided to see what services the devices in my house expose.  A simple Nmap scan found listening web server on one of the devices. I browsed to it and I see this:


This is one of my DirecTV devices (I have DirecTV, solely so I can watch my precious Green Bay Packers on Sundays.…

Doll Hacking: The Good, The Bad(words) and the Ugly (features)

The age of internet connected toys is upon us. Increasingly, we are seeing children's toys connected to the internet, commonly through an app. I recently purchased a My Friend Cayla (http://www.myfriendcayla.com/) for uh…testing. I wanted to test the security of the device to see how safe it is for children.

In short, the toy does a good job of protecting children from inappropriate content, but any device (phone, tablet, laptop) can connect to the toy and play or record audio. That last bit scares me. The only protection against recording and arbitrary sound output is that only one device can be connected at a time. An opportunistic bad guy would only need to wait for the tablet or phone to go out of range or run out of battery.
Initial TestingI first needed to get a basic understanding of what Cayla can do and how she works. So I turned her on, connected her to my iPad via Bluetooth, and played with the app.

She began speaking and asking questions about me and my day. She is quite …

Extracting Access Point Names from Packet Captures

Years ago, while working as a Network Engineer, I did a bit of sniffing of our wireless access points. I noticed that some access point, mainly Cisco, broadcast the Access Point's name. I also noticed that the same access point will use a slightly different MAC Address (BSSID) for each SSID (ESSID). Typically the last nibble (half byte), or two, changes. I thought that was interesting, and moved on.

Now that I work as a penetration tester I want to correlate those access points, so I can tell exactly how many devices there are and the MAC addressing scheme. That way I can better identify something that is out of place, like a well place rogue.

Initially I did this by hand, and by hand means: teh suck!!!1! I knew there had to be a better way to do this, so I broke out scapy. I'll walk you through the process of creating a python script that extracts all the AP' MAC addresses, along with their corresponding Name and [E]SSID (if broadcast).

Let's start by looking a packet pr…