Installing Metasploit Framework on OS X Yosemite

This guide is adapted from Carlos Perez’s blog (http://www.darkoperator.com/installing-metasploit-framewor/) (which is a must read) with some additions and fixes to make the setup work on OS X Yosemite. This post should help to alleviate some common issues with installing Ruby and the Metasploit Framework on OS X. The main issues are that OS X ships with a newer version of Ruby that is not compatible with Metasploit, and that the version of libiconv installed with OS X causes issues installing the Nokogiri gem.

Xcode and Command Line Development Tools

The first step is to ensure that Software Update has been run and that OS X is updated. Once OS X has been updated, it is time to install Xcode.

Mac App Store – Xcode

Once Xcode has been installed launch Xcode from Applications and agree to the SDK License Agreement.

Install the Xcode command line developer tools by typing:

xcode-select --install

Click Install in the dialog box that pops up and the package will be installed.


Java

Ensure that the latest versions of the Java 7 JRE and JDK are installed.

http://download.oracle.com/otn-pub/java/jdk/8u25-b17/jdk-8u25-macosx-x64.dmg
http://download.oracle.com/otn-pub/java/jdk/8u25-b17/jre-8u25-macosx-x64.dmg

Homebrew

Install homebrew by running the following command:

ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

Once Homebrew installs, run ‘brew doctor’ to finalize the installation of homebrew.

brew doctor

Once homebrew is installed and set up, the PATH needs to be updated to ensure that all homebrew binaries are executed correctly.

echo 'export PATH=/usr/local/bin:/usr/local/sbin:$PATH' >> ~/.bash_profile

Once this is done, load the new $PATH by sourcing it.

source ~/.bash_profile

From here we need to ensure that both the versions and dupes taps are added to homebrew (dupes is needed later, as a dependency of nokogiri lives there).

brew tap homebrew/versions
brew tap homebrew/dupes

Homebrew Installs

Before Metasploit can be installed, some more dependencies should be installed via homebrew.

Nmap

This can be installed either via the dmg from their site, or via homebrew. Homebrew tends to keep their packages updated and it is quite easy to install and manage.

brew install nmap

Install Ruby 1.9.3

Now for the part that most frequently causes issues: Ruby 1.9.3. This is the version from homebrew that works best with Metasploit and is easiest to install and maintain.

brew install homebrew/versions/ruby193

Now, the most important part of the Ruby installation: ensuring that the Ruby version you are running is in fact 1.9.3.

ruby -v

Installing and configuring PostgreSQL

Now, time to install the backend database that Metasploit uses.

brew install postgresql --without-ossp-uuid

If the Homebrew install did NOT complete this for you, the next step is to initialize the database for first time usage.

initdb /usr/local/var/postgres

As of 9.3.5_1 it looks like the homebrew installer wraps up by running this command for you.

Ensure that postgreSQL is set to launch on boot by issuing the following:

mkdir -p ~/Library/LaunchAgents
cp /usr/local/Cellar/postgresql/9.3.5_1/homebrew.mxcl.postgresql.plist ~/Library/LaunchAgents/

Start the PostgreSQL service:

launchctl load -w ~/Library/LaunchAgents/homebrew.mxcl.postgresql.plist

Create a new user msf* and a database msf with the user msf as the owner.

createuser msf -P -h localhost
createdb -O msf msf -h localhost

*Remember this password as it will be used when configuring Metasploit

Configuring VNCViewer

As Metasploit uses vncviewer for its VNC payloads, and OS X comes with a VNC client, we need to create the needed vncviewer file that will call the OS X vnc viewer.

echo '#!/usr/bin/env bash'>> /usr/local/bin/vncviewer
echo open vnc://\$1 >> /usr/local/bin/vncviewer
chmod +x /usr/local/bin/vncviewer

Installing Metasploit Framework

Installing the following gems needed for running the framework:

gem install pg sqlite3 msgpack activerecord redcarpet rspec simplecov yard bundler

Download the framework and prepare the directories:

cd /usr/local/share/
git clone https://github.com/rapid7/metasploit-framework.git
cd metasploit-framework
for MSF in $(ls msf*); do ln -s /usr/local/share/metasploit-framework/$MSF /usr/local/bin/$MSF;done
# tee appends as root, so /etc/profile does not need to be made world-writable
echo 'export MSF_DATABASE_CONFIG=/usr/local/share/metasploit-framework/config/database.yml' | sudo tee -a /etc/profile

Using brew and bundler the properly supported gems need to be installed.

brew install libiconv
gem install nokogiri -v '1.6.3.1' -- --with-iconv-dir=/usr/local/Cellar/libiconv/1.14
bundle install

Now that the framework and the proper bundles have been installed, the database connection needs to be configured.

Save the following into /usr/local/share/metasploit-framework/config/database.yml, replacing <password> with the msf user’s password you set earlier.

vi /usr/local/share/metasploit-framework/config/database.yml

production:
  adapter: postgresql
  database: msf
  username: msf
  password: <password>
  host: 127.0.0.1
  port: 5432
  pool: 75
  timeout: 5

Now that this file has been created, source /etc/profile and ~/.bash_profile to load the variables for the database.

source /etc/profile
source ~/.bash_profile

Now, start Metasploit Framework as YOUR USER so that it initializes the database schema for the first time as a NON ROOT user.

msfconsole

Once the console loads, ensure that the database is connected by issuing:

msf> db_status

It should return:

[*] postgresql connected to msf
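Before launching msfconsole it is worth checking the things this guide depends on: that the Ruby on your PATH really is 1.9.3, that MSF_DATABASE_CONFIG points at an existing database.yml, that the <password> placeholder was replaced, and that the file (which holds a database password) is readable only by you. The script below is an added example, not part of the original guide; the paths and names are the guide's own, and the --run switch is this script's own convention.

```shell
#!/usr/bin/env bash
# Preflight checks for the Metasploit setup described above. Added example, not
# part of the original guide; the paths and names are the guide's own, and the
# --run usage switch at the bottom is an assumption of this script.

MSF_YML="${MSF_DATABASE_CONFIG:-/usr/local/share/metasploit-framework/config/database.yml}"

# Takes the output of `ruby -v` and succeeds only for a 1.9.3 interpreter,
# the version the guide says works with this Metasploit checkout.
ruby_is_193() {
    case "$1" in
        "ruby 1.9.3"*) return 0 ;;
        *)             return 1 ;;
    esac
}

# Fails if the literal <password> placeholder from the guide's database.yml
# template was never replaced with the msf user's real password.
yml_password_set() {
    ! grep -q '<password>' "$1"
}

# database.yml holds a database password, so only its owner should be able to
# read it. Uses BSD stat on OS X and GNU stat elsewhere.
yml_perms_ok() {
    mode=$(if [ "$(uname)" = Darwin ]; then stat -f '%OLp' "$1"; else stat -c '%a' "$1"; fi)
    [ "$mode" = 600 ]
}

# The guide exports MSF_DATABASE_CONFIG from /etc/profile; msfconsole only
# finds the database if the variable points at an existing file.
db_config_env_ok() {
    [ -n "${MSF_DATABASE_CONFIG:-}" ] && [ -f "$MSF_DATABASE_CONFIG" ]
}

# Runs every check, prints what is wrong, and returns non-zero on any failure.
preflight() {
    rc=0
    ruby_is_193 "$(ruby -v 2>/dev/null)" || { echo "ruby is not 1.9.3 (got: $(ruby -v 2>/dev/null))"; rc=1; }
    db_config_env_ok || { echo "MSF_DATABASE_CONFIG is unset or does not point at a file"; rc=1; }
    if [ -f "$MSF_YML" ]; then
        yml_password_set "$MSF_YML" || { echo "$MSF_YML still contains <password>"; rc=1; }
        yml_perms_ok "$MSF_YML"     || { echo "$MSF_YML should be mode 600 (chmod 600 $MSF_YML)"; rc=1; }
    else
        echo "$MSF_YML does not exist"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "preflight OK"
    return "$rc"
}

# Usage: bash msf-preflight.sh --run   (no argument only defines the functions)
case "${1:-}" in
    --run) preflight || exit 1 ;;
esac
```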

Install Armitage

Execute the following commands to prepare the environment and download armitage to the correct location:

brew install pidof
curl -# -o /tmp/armitage.tgz http://www.fastandeasyhacking.com/download/armitage-latest.tgz
tar -xvzf /tmp/armitage.tgz -C /usr/local/share
bash -c "echo \'/usr/bin/java\' -jar /usr/local/share/armitage/armitage.jar \$\*" > /usr/local/share/armitage/armitage
perl -pi -e 's/armitage.jar/\/usr\/local\/share\/armitage\/armitage.jar/g' /usr/local/share/armitage/teamserver

Lastly, create sym links for Armitage:

ln -s /usr/local/share/armitage/armitage /usr/local/bin/armitage
ln -s /usr/local/share/armitage/teamserver /usr/local/bin/teamserver

Now that the install is complete, I have created OS X .app files that will launch these applications from the Dock or /Applications/ (coming soon). However, if you would like to use the terminal, then due to the way variables are handled when using sudo, you will need to pass the -E option.

sudo -E armitage
sudo -E msfconsole

Special thanks to Syph0n for creating this article

rm -rf /blackhat

Through a series of strange decisions I found myself on the way to Las Vegas over the same week of Black Hat, however, without a ticket to the Black Hat Briefings. This didn’t faze me in the slightest as I attended Black Hat last year and to be quite frank, I wasn’t impressed. This did raise an interesting question though: if I’m not wasting my time at Black Hat, what could I be doing?

This question was easily answered as just about every person I look up to in the InfoSec industry was heading to one place…BSides LV at the Tuscany Hotel. I’d never attended a BSides conference before and had no idea what to expect. How much are the tickets? How long are the queues for the talks? How much is the food and drinks? It turns out the answer is pretty much nothing to all of the above.

What I want to take away from an InfoSec conference is to have learned something, meet some interesting people, help other people who may have questions and generally have a good time doing it. Walking into BSides on Tuesday morning, I was warmly greeted and given a badge and a smile. That’s it. No spammy email address, no dollars, just a badge. Walking around BSides I saw that there is an abundance of tracks, workshops and a large chill out area with free drinks (as in beer), raffles and competitions.

I spent the large majority of the con on the red team for the “Joes vs Pros CTF” competition, which gives defensive security and network engineers a chance to feel the heat of a red team bashing the hell out of their network. Uptime is important for points and there is a gold team sending the blue team’s help desk requests, which need to be actioned whilst frantically trying to secure their network and kill our shells.

After competition closed on Tuesday, I had a chat with the winning blue team who did a really good job of locking us out whilst maintaining uptime on critical services. These guys got pummelled last year and came away with new skills and ideas that they implemented this year. A few of the members shared appreciation that they had learned more from competing in Joes vs Pros for a single day than they had from attending years of college and certifications. They mentioned that dealing with an active attack where they are forced to keep vulnerable software up and running taught them to look farther than just simple patching exercises. The creativity that they came up with was astounding – from setting up spoofed sites that had no back-end connected to it, to serving us honeypots and ban-hammering us on their firewalls.

The following day, the blues got their own red team members and needed to engage their opposing blue team. With a red team member assisting them with exploitation of the target machines, which were compromised the day before, the blues got to experience the attack from the red team’s point of view and learned how targets are enumerated as well as what weaknesses are exploited in the discovered applications. This information was then used to modify their own applications to make exploitation by the opposing team much more difficult or even impossible.

What I took away from this experience is that these blue team members are getting valuable training, whilst having a good time, essentially for the price of getting to Las Vegas. BSides volunteers make the con what it is and sponsor donations go towards the cost of setting up the competitions or providing prizes and drinks.

I learned a lot about BSides over my two days there. I attended some good talks, snuck into a workshop where attendees were taught to build a RFID reader that works from 4 feet away with only $35 of hardware, met some awesome people and had a great time doing it all.

All this made me really REALLY angry.

Even though there was good work being done and great knowledge being shared at the Tuscany Hotel, several blocks away the world’s largest “security” conference was being held and doing a fine job at advancing just about everything that is wrong with this industry.

Since starting work as a Penetration Tester, I’ve noticed one very big problem within the Information Security realm. By far, the biggest problem that currently exists in Infosec is that people still believe that they can “buy” security. Right out of the gate I will tell you “this is bullshit!” You cannot buy anything from any vendor that will stop your company getting compromised. Buzzwords like Next-Gen, Multi-Tiered, Smart and APT are just marketing turd-speak for devices that basically do nothing. And Black Hat is the single biggest culprit of promoting the use of these “magic bullets.”

After you’ve cleared away all the fluff around Black Hat, what you’re left with is a room full of “magic bullets” being shown off by booth babes and a bunch of “researchers” giving presentations to massive audiences about why they should buy them. To make matters worse, the amount of money spent on these devices each year is astronomical – yet more and more companies are getting compromised every day, now more than ever before.

I borrowed a ticket to visit the vendor-fest on Thursday for a couple of hours to see what, if anything, was better about this year than last. After all, 8000 people can’t be wrong, right? After looking at the briefings and seeing that there was hardly anything of value worth watching, I wandered over to the vendor area. I ended up speaking to a golf shirt about his “magical DLP machine” which uses sophisticated algorithms and cutting edge buzzwords to hunt down people leaking trade secrets and PII. I asked him if the machine would catch someone exfiltrating credit card numbers and the response was a resounding “Oh definitely!” When asked what the machine would do if someone base64’d this same information first, he ran off to find someone with a brain. I then spoke to one of the “magical DLP machine” developers who told me that the CPU cycles taken to decrypt the traffic would be too much for such high throughput and base64 traffic would not be decoded before checking the contents.

Then I see the big one…a box that can detect 0-day malware. Oh wow. Problem solved. These guys have cracked the code. They have made a device smarter than all the Russians, Ukrainians and Belize malware-devs combined. Or have they? I challenge you. Deploy that thing in a public network and offer $1 million dollars to the person who deploys malware on the same network which the “magical DLP machine” cannot detect.

Vendor after vendor pitched me their next-gen, cutting edge, complex algorithm, layer-7 flashy box and each and every time, I could outwit their machines in under 5 minutes. Again, if you didn’t read it earlier…”YOU CAN’T BUY SECURITY!” Walking into Black Hat and throwing money at everything with a flashing light and a web console is not going to make you or your company more secure. Even if you bought each and every single device and had them professionally installed with maximum protections enabled, any pentester worth their salt could still compromise your network with a smile or a cleverly worded email. And that is the main reason why all these products do not work.

Chris Nickerson put it best. “You say your device can do this? Prove it! You say your company is secure? Prove it! You say the bad guys can’t get your customer data? Prove it!” If for one second you actually believe the hype regurgitated out by these pretty boys with their sunglasses and golf shirts who market some box that protects against everything, then you have already lost. If it could genuinely solve all your information security problems as soon as you plug it in, they could genuinely sell it for a bazillion dollars and you would gladly buy it.

But the reality is that you’re actually buying nothing. You’re buying a marketing pitch. Maybe you’re buying a few nights of peaceful sleep. Maybe you’re buying a bigger budget next year. Maybe you’re buying an alliance with some vendor. But you are not buying security and the vendors cannot prove that their solutions do anything to stop a determined attacker. All they can do is show you that in a perfect simulated test environment, it does something. Would it work in your environment? Maybe. Will it make you more secure? Probably not. Does the machine do all the things it says on the tin? Doubtful.

I’m not saying that there is no value in Black Hat. I’m saying there is no value in purchasing a $1500 ticket to attend a convention where you are encouraged to purchase more things. If you are in the security industry and attend Black Hat to network with clients, great. You could probably do that for free at one of the million parties held after hours. Just avoid all the golf-shirt, booth-boys running around with their sunglasses on at night calling themselves hackers because they work for a company whose product can detect SQLi vulnerabilities. “Shut up, you’re a sales monkey!” There are also some good talks at the briefings. Black Hat is not without any interesting material but from an attacker’s point of view, I find the content of Black Hat weak and lacking in this area compared to BSides.

If you are the principal or manager of a pentest team, please, don’t send your testers to Black Hat, allow them to attend BSides instead where they can actually learn, meet, teach and have fun.

P.S. All of the above is my opinion, which I’m entitled to. However, if you managed to read this far and wish to bitch at me for saying what I did, use the comment feature below and I’ll make every effort to respond if required.

installing unicornscan on debian/ubuntu

Looking back, I can’t remember a time where I used Nmap to perform UDP port scans. Pentesters are far too impatient to spend hours waiting for a UDP scan to finish in the hope of finding some badly configured service. Which is why I found it odd when I received a message saying “why do UDP scans take hours?”

It never occurred to me that this poor dude was staring at the screen, Nmap torturing him every 30 seconds by telling him he won’t be done with this machine any time this week. I told him about this gem of a payload transmitter that just also happened to be an epic UDP port scanner, largely forgotten since the sad departure of the late Jack C. Louis. And seeing as this was a client supplied ‘jump-box’ and not something handy like Kali, I decided to take a crack at installing and showing the tester good ol’ unicornscan. (I didn’t realise installing unicornscan would take longer than the Nmap UDP scan itself)

Many, MANY hours later I finally got unicornscan working and decided to make a note on how to deploy this on an updated debian distro circa 2014.

Get the dependencies installed

sudo apt-get install postgresql libdnet-dev libpq-dev libpcap-dev bison flex

Download and Install unicornscan

wget http://sourceforge.net/projects/osace/files/unicornscan/unicornscan%20-%200.4.7%20source/unicornscan-0.4.7-2.tar.bz2/download -O unicornscan-0.4.7-2.tar.bz2
tar jxvf unicornscan-0.4.7-2.tar.bz2
cd unicornscan-0.4.7/
./configure CFLAGS=-D_GNU_SOURCE
make
sudo make install

Hope this helps.

norsec0de

data exfiltration over SSL with srvdir

Every now and then I come across some application that may or may not have been developed with penetration testing in mind but it ends up being damn helpful all the same. Yesterday I found a post about ‘srvdir’ (surv~durr?) which is designed to share content over SSL/TLS via a public site.

When trying to exfiltrate data from a client site I normally spend a lot of time setting up tunnels, using disposable A records from afraid.org and one of my boxes in some east-european cave just so I can get the damn ‘payroll-summary-june-2014.pdf’ trophy off some box that is swimming in ssh-tunnel-fu. srvdir is the perfect answer to this problem and testing it has been awesome and full of those “Why didn’t I think of this?!!” rants.

Essentially, what srvdir does is to create a SSL tunnel to the mothership ‘srvdir.net’ and issue a subdomain that can be accessed externally to siphon the files off. Grabbing files is relatively painless with the odd 404 for the permission snobs. It supports basic http-auth for the paranoid and by the looks of it, tokens as well. It runs seamlessly on Windows, Linux and OSX and is relatively small.
