Here are my notes from the Black Hat USA 2008 presentation called ‘MetaPost Exploitation’ by Val Smith and Colin Ames. The MetaPost Exploitation slides are now online, as well as demo movies at offensivecomputing.net. If you do any sort of enterprise-level penetration testing, you should definitely check it out.

  • Credential Management
    • Wordpad and paper don’t scale well
    • Need to organize and track hosts
  • Metapass
    • Metasploit module / addon
    • Automated exploitation
      • find_token
      • fgdump
  • Stealth
    • Don’t leave tools around
    • Disable or clear log files
    • Flood log files with false positives
    • Bypass IDS by utilizing alternate protocols
      • IR ports
      • Bluetooth
      • IPv6
      • UDP
  • Persistence
    • Introduce your own vulnerability into software currently running
      • Add a hidden field in a web form that runs through a command processor
    • Utilize Nagios, cfengine, SMS or any other automated patching system
    • Replace VNC with older version that has an authentication bypass vulnerability
      • Copy registry password so victim doesn’t notice change
    • Re-enable the support / guest account and add it to the administrators group
  • User Identity Theft
    • Incognito
    • FU/FUTO
  • Feature Modification
    • Install VNC via command line (see slides for syntax)
    • Enable Remote Desktop via command line (see slides for syntax)
    • Disable or add exceptions to security software
      • AV
      • Firewalls
      • Logging
    • Modify local security policies
  • Abusing The Scheduler
    • AT often not disabled
    • AT runs as SYSTEM by default
    • AT is as good as having a shell (but a little slow)
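As an added, defender-side check that is not part of the talk or these notes: the script below audits constructed (not captured) output of two Windows commands for the persistence indicators listed under Persistence and Abusing The Scheduler, namely built-in guest/support accounts sitting in the local Administrators group and scheduled jobs running as SYSTEM. The command names, CSV column names and sample values are assumptions made for the example.

```python
import csv
import io
import re

# Constructed sample of `net localgroup administrators` output (not from a real
# host): the Guest and XP-era SUPPORT_ accounts have been added to the group.
NET_LOCALGROUP_SAMPLE = """\
Alias name     administrators
Members
-------------------------------------------------------------------------------
Administrator
Guest
SUPPORT_388945a0
The command completed successfully.
"""

# Constructed subset of `schtasks /query /fo csv /v` columns (assumed names);
# At1 is how a job created with AT is listed, and it runs as SYSTEM.
SCHTASKS_SAMPLE = """\
"TaskName","Task To Run","Run As User"
"\\At1","cmd.exe /c C:\\Windows\\Temp\\job.bat","SYSTEM"
"\\Nightly Backup","backup.exe","CORP\\backupsvc"
"""

# Built-in accounts the notes describe being re-enabled and promoted.
SUSPECT_ACCOUNT = re.compile(r"^(guest|support)", re.IGNORECASE)

def admins_from_net_localgroup(output: str) -> list[str]:
    """Extract member names from `net localgroup <group>` text output."""
    lines = output.splitlines()
    start = next((i for i, l in enumerate(lines) if l.startswith("----")), None)
    if start is None:
        return []
    members = []
    for line in lines[start + 1:]:
        line = line.strip()
        if not line or line.startswith("The command completed"):
            break
        members.append(line)
    return members

def suspicious_admins(output: str) -> list[str]:
    """Administrators members that are built-in guest/support accounts."""
    return [m for m in admins_from_net_localgroup(output) if SUSPECT_ACCOUNT.match(m)]

def system_tasks(csv_output: str) -> list[str]:
    """Names of scheduled tasks whose 'Run As User' is the SYSTEM account."""
    reader = csv.DictReader(io.StringIO(csv_output))
    return [row["TaskName"] for row in reader
            if row["Run As User"].strip().upper() in ("SYSTEM", "NT AUTHORITY\\SYSTEM")]
```

On a real host, feed the two functions the live output of `net localgroup administrators` and `schtasks /query /fo csv /v`, and treat any hit as something to explain, not something to ignore.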