One of the most devastating aspects of the open source metasploit vulnerability testing framework is meterpreter, which exploits a host machine in memory without leaving a trace. Meterpreter is supposed to be undetectable by IPS systems making it difficult if not impossible for someone to know what an attacker may have done to the victims’ machine.
At the Black Hat security conference in Las Vegas, Mandiant security researchers Peter Silberman and Steve Davis are releasing a new forensic framework on Wednesday that will make it possible to detect whether or not a host was hit by Metapsloit’s meterpreter. The new tool could change the game when it comes to Metasploit-based attacks that previously could not be identified on the target machine.
“Metasploit’s meterpreter has been around since 2004 and it’s a memory resident host exploitation module and because it’s memory resident it breaks traditional disk forensics and the attacker leave no trace of the attack on the disk,” Silberman said. “Our talk is how we can use memory forensics to reconstruct what an attacker has done with meterpreter to give analysts some idea of what has occurred.”
In concert with the talk, the Mandiant researchers will release an open source tool called the Metasploit Forensic Framework. The goal of the tool is to make the undetectable, detectable. Metasploit itself is an open source vulnerability testing framework, but with meterpreter it has the stealth to evade most common security exploit detection mechanism.
Silberman explained that the way his tool works is the user first has to have some idea the machine has been compromised. Then using a free tool from Mandiant called memorize, which is a memory analysis tool, the user needs to acquire the memory for the process that has been compromised.
Once the memory has been acquired the Metasploit Forensic Framework comes into play. The Metasploit Forensic Framework is all about helping to recreate the crime scene of stealthy attack.
“You run the Metasploit Forensic Framework against the acquired memory and it will identify what Metasploit meterpreter modules are loaded,” Silberman said. “It will also tell you that the attacker accessed a particular registry key, or uploaded a file and other things an attacker could have done.”
Open source
Davis commented that the Metasploit Forensic Framework is open source and is licensed under the BSD license. He added that it’s modular so users can write their own modules as well, to cover all the different function that meterpreter offers now and in the future.
“It’s all open source, so you can see everything under the hood, there is no magic,” Davis said.
Meterpreter itself has been growing in recent weeks. According to Davis, Metasploit founder H. D. Moore has been adding new features at a rapid clip in the last few weeks. Silberman and Davis both expect that Moore and the Metasploit project contributors will be able to break the Forensic Framework soon enough. But that’s all part of the game.
“The tool focuses on a functionality of the Windows memory manager,” Silberman said. “The part of the tool that identifies specific commands could be defeatable by metasploit and we expect they will break the tool in the coming weeks after we release it. That’s just how the game is played. We’re going to raise the bar, they’re going to raise the bar and then we’ll sit back and figure out what the next move is.”
The actual meterpreter binary is also getting stealthier according to Davis and Silberman but there are still some tell-tale signs that server administrators can look for. One big item is SSL traffic coming from a port other than 80 or 443.
“It’s a cat and mouse game,” Silberman said. “But the stealthier you become the more you have to do to become stealthier. So the more they try to do it, they could actually make meterpreter easier to spot. Eventually there is only so much you can do to hide from a userland process perspective.”