
Day 1 first slot – Metasploit
Dino Dai Zovi – Macsploitation with Metasploit

The fact that a Metasploit track was added to Day 1 of Black Hat was entirely too full of awesome to pass up checking out. The very first slot seemed like a good place to start, and the first to speak was Dino Dai Zovi on Macsploitation with Metasploit.

Dino is a co-author of The Mac Hacking Handbook and focuses on Mac vulnerability research. Macs are gaining market share and can get owned like any other operating system. One issue, though, is that there are far fewer tools to help a pen-tester exploit Mac machines.

Dino, along with the folks at Metasploit, has added some tools to their already comprehensive package to assist pen-testers in hacking into Macs. The specific hack Dino spoke of is completed in 3 stages. The first stage involves establishing a TCP connection via a “dumb remote execution loop.” In the second stage the bundle is injected into nmap’d memory, and in the third stage the bundle is compiled and does whatever you want.

Some functions set up in the Metasploit library for this hack include “take a pic of the vic” and setting up a Meterpreter reverse shell listener. His demo was supposed to take a picture of him on a MacBook, but it failed because of a problem between VMs.

Chris Gates – Attacking Oracle with Metasploit Framework

Chris (carnal0wnage) is becoming more and more well known for his domination of Oracle as of late. He didn’t release anything new at Black Hat, but it was still an impressive talk nonetheless. His focus on Oracle, like Dino’s, stemmed from the lack of support for this specific topic in pen-testing. All of the exploits are years old but still effective.

The exploits he described are very easy as long as you know four things: the IP address, the port number, the service ID (SID), and a username and password. The anatomy of this attack revolves first around gaining all of that information. In your reconnaissance phase, determine the location of the database, the version of Oracle it is running, and the SID. With the help of Metasploit you can guess/bruteforce some usernames and passwords.

He jumped straight into the demo (already up on Vimeo), in which he located a database, determined the version, and bruteforced some valid usernames and passwords, all via Metasploit. He picked a user to log in as and was then able to dump the information from the database or even get a shell on the database server.

Always impressive and always fun.

(Sorry for the delay on getting these up, I’m posting them whenever I have the time/internet access.)

-Matt
