Day one is in the books, and the Blackhat talks thus far have been as good as, if not better than, previous years'. Out of several excellent talks attended today, one that particularly stood out was "Tactical Exploitation", hosted by HD Moore (of MetaSploit fame) and Valsmith (of Offensive Computing fame, also a MetaSploit contributor).
Although one might expect a presentation given by two MetaSploit contributors to deal exclusively with "bustin' shells" using conventional exploits, the Tactical Exploitation talk focused on out-of-the-box methods for vulnerability assessments. Specifically, the talk highlighted methods for exploiting trusted systems when the primary target is not directly available for compromise.
While Tactical Exploitation had multiple highlights, one non-traditional method of exploitation that was very cool involved IE's default "Automatically Detect Settings" checkbox (used to detect proxies). When invoked, IE broadcasts for a host named "WPAD" in order to retrieve automatic proxy configuration settings.
The exploit process basically involves an SMB server and a SOCKS proxy, two features that have conveniently been added to MetaSploit 3.
After supplying the target host with SMB and proxy settings, MetaSploit authenticates back to the target using the client's initial SMB session credentials and then uploads the MetaSploit shell to the ADMIN$ share. HD Moore admitted that the code demoed was new, but that doesn't make it any less cool (or frightening).
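The defensive takeaway from the WPAD portion of the talk is that every client still sending name lookups for a host called "WPAD" has the "Automatically Detect Settings" checkbox on and is therefore exposed to the technique described above. The script below is an added example, not code from the talk or from MetaSploit: it scans name-resolution logs for WPAD lookups (DNS or NetBIOS, under any DNS suffix) and reports which clients issued them, so an administrator can inventory hosts that still have auto-detect enabled. The log format and the sample lines are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample name-resolution log lines (not from the original post).
# Assumed format: "<timestamp> <client-ip> <DNS|NBNS> query <name>"
SAMPLE_LOG = """\
2010-07-28T09:01:02 10.0.0.12 DNS query wpad.corp.example.com
2010-07-28T09:01:02 10.0.0.12 NBNS query WPAD
2010-07-28T09:01:05 10.0.0.40 DNS query www.example.com
2010-07-28T09:02:11 10.0.0.77 NBNS query WPAD
2010-07-28T09:02:30 10.0.0.12 DNS query mail.corp.example.com
2010-07-28T09:03:00 10.0.0.91 DNS query wpad.sub.corp.example.com
"""

# One lookup per line; protocol is either a DNS query or a NetBIOS name query.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(DNS|NBNS)\s+query\s+(\S+)$")


def is_wpad_lookup(name):
    """True if the queried name is 'wpad' itself or a host named wpad
    in any DNS suffix (IE walks the suffix list, so all of these count)."""
    first_label = name.lower().rstrip(".").split(".")[0]
    return first_label == "wpad"


def find_wpad_clients(log_text):
    """Return {client_ip: sorted [(protocol, name), ...]} for every client
    that issued at least one WPAD lookup. Clients that never asked for WPAD
    are omitted; the remaining ones still have auto-detect enabled."""
    clients = defaultdict(set)
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip lines that do not match the assumed format
        _timestamp, client_ip, protocol, name = match.groups()
        if is_wpad_lookup(name):
            clients[client_ip].add((protocol, name))
    return {ip: sorted(queries) for ip, queries in sorted(clients.items())}


if __name__ == "__main__":
    for ip, queries in find_wpad_clients(SAMPLE_LOG).items():
        print(ip, queries)
```

Run against real DNS server or packet-capture logs (after adapting the regex to that format), the output is a list of hosts to visit and fix; a NetBIOS query for "WPAD" in particular means the DNS lookup already failed, which is exactly the point at which a rogue answer on the local segment would be accepted.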
For more details on this and other highlights of the Tactical Exploitation Blackhat presentation, check out MetaSploit.Com.
©2010 by Priveon, Inc.