We here at SecureState heavily rely on the Open Source tools that are available from the information security community. Like many penetration testing and research teams we rely on gems such as the Metasploit Framework, Responder, and Empire. We like to give back to the community and help others like us by contributing to these projects as well as by releasing and maintaining our own Open Source tools including King Phisher and Termineter. In this blog we’ll explore the contributions that our team made during 2017.
The Metasploit Framework
In 2017 we submitted the following 4 modules to the Metasploit Framework.
CVE-2017-8464 (Windows LNK Processing)
This module targeted a vulnerability (not found by us) in the processing of LNK files on Windows systems. It was heavily based on an existing Metasploit module that was intended to be used in conjunction with a USB-style attack vector.
CVE-2017-9769 (Windows Razer Synapse)
Probably one of the more exciting exploit modules that was released was for one of two vulnerabilities we did find in gaming peripheral company Razer’s Synapse application. This Local Privilege Escalation (LPE) exploit leveraged a flaw in the driver that allowed a critical security check to be bypassed.
DC/OS Marathon UI
This feature abuse module allows Metasploit to execute code when the DC/OS Marathon UI creates a new Docker container. Being a feature abuse, this module is likely to have better longevity than the other exploits which have patches available for their respective vulnerabilities.
Gnome Keyring Dumping
Last but not least in the Metasploit category, this auxiliary module demonstrated a large effort in bringing Railgun functionality to non-Windows platforms. The module itself allowed users that had a Python Meterpreter session on a Linux system to dump the network passwords out of the Gnome Keyring service. This wrapped the native API calls and did not require spawning any new processes or writing anything to disk.
As was just mentioned, the new Railgun support for OSX and Linux creates a lot of opportunities for new post-exploitation functionality. The Railgun API allows functions in native libraries on the compromised host to be called through Meterpreter. This is already heavily used by many of the Windows post-exploit modules and we hope to see new modules for the newly supported platforms in the coming year.
Empire – Wlrmdr
For the Empire project we added the new Wlrmdr module that can be used for social engineering attempts. This module utilizes the Windows logon reminder service to launch a customized balloon reminder in a user’s taskbar.
BeEF – Get Cookie Automatic Rule
This submission was created for a specific need while we were performing one of our red team engagements. When a browser is hooked through cross-site scripting, the rule automatically captures any cookies for the site and logs them.
Various Bug Fixes
Sometimes contributions don’t have to be cutting edge techniques or provide new features, but rather improve on or fix existing functionality. To that end we reported issues we noticed in MimiPenguin, and proposed a fix for Ruler. Having maintained open source projects ourselves, we understand the value of detailed bug reports and how they aid in project development.
The SecureState Projects
2017 was a major year for King Phisher, with 4 major releases, and 10 new plugins. With the integration of the plugin catalog, it’s now also easier than ever to install and update plugins for the King Phisher client. We expect a lot of plugin development to continue as new features are added outside of the core application. Finally, we released 4 new email phishing templates and 1 new website template.
And then there’s Termineter, the open source Smart Meter testing framework. This particular tool saw some long overdue improvements since its first release almost 6 years ago in 2012. We’ve made numerous improvements to it through our testing with additional clients over the year and have finally tagged it with the well-deserved version 1.0 tag. This release saw a new module, a better user interface and many other improvements, but that’s a topic for another blog.
We hope everyone found our contributions as useful as those that we have benefited from. Here’s to what improvements 2018 may bring, and happy hacking.