Skip to content

Change from PEM to DER for crypt TLV negotiation #13400

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 21 commits into from
Closed

Change from PEM to DER for crypt TLV negotiation #13400

wants to merge 21 commits into from

Conversation

OJ
Copy link
Contributor

@OJ OJ commented May 6, 2020
edited by smcintyre-r7
Loading

Description

This started as "let's remove the BEGIN PUBLIC KEY stuff from the plaintext crypt TLV negoation" and ended up as that, plus "let's just refactor some areas of the API that do stupid stuff.

In short:

  • Support DER instead of PEM as it looks better on the plaintext wire.
  • After seeing the code in Mettle, I wanted to change the _raw() API functions in Windows Meterp so that the length parameter is required as well.
  • After making this change, go refactor a few TLV calls that don't need lengths specified because they're inherent in the values, so we don't need associated LENGTH TLVs (reduces packet size and sending of data that we're already sending).
  • Notice that some TLV types were wrong, so change them (from STRING to RAW).
  • Fix a few silly typos.

Validation

  • Grab the code from Metasploit Payloads and build/deploy it.
  • Grab the code from Mettle and build/deploy it.
  • Make sure that Windows Native sessions are encrypted (see sessions -x).
  • Make sure that PHP sessions are encrypted (see sessions -x).
  • Make sure that Mettle sessions are encrypted (see sessions -x).
  • Make sure that sessions work as expected in general.
  • Make sure that screenshot still works in Windows.
  • Make sure that railgun still works in Windows.
  • Make sure that the PE injector still works in Windows.
  • Make sure that the powershell extension still loads assemblies.

Next up we'll be adding support for encryption in Java, Android and Python, with a goal of enforcing it when all those payloads have support.

This was referenced May 6, 2020
Merged
Merged
@busterb
Copy link
Contributor

busterb commented May 28, 2020

Code looks fine here. @OJ would you mind targeting this PR to the 6.x branch instead of master?

@OJ OJ changed the base branch from master to 6.x May 28, 2020 21:27
@OJ
Copy link
Contributor Author

OJ commented May 28, 2020

Whoops! Sorry. Thought I'd done that already. Fixed!

@bwatters-r7 bwatters-r7 added the msf6 PRs that need to be landed into the msf 6 branch label Jun 8, 2020
OJ and others added 18 commits June 9, 2020 08:52
@OJ
Merge branch '6.x' of github.com:rapid7/metasploit-framework into 6.x
8b76be2
@OJ
Support removal of TLV strings
641f298 
This first bit of code aims to add a "map" to the packet functionality
that is able to translate to and from "method strings" to "command ids".
IDs are sent across the wire, and they're now integers. This removes the
need for the strings to be present in things like native meterp, and
hence makes things a little less obvious on the wire, and way less
obvious on disk/in the payload.

Given that we need this functionality in other Meterpreters to support
the removal of strings, some code has been added that can generate
source files for Python, C# and C. This code might move, but for now
it's at least in a spot where it's used the most.
@OJ
Java-related UINT command ID generation
d87cb8c
@OJ
Almost final refactor of how IDs are handled
8070074
@OJ
Refactor of command ids into separate files
364b7fa
@OJ
Remove networkpug
1fd771c 
This thing doesn't exist any more, so no need to have code referencing
it.
@OJ
Somehow lost a bang!
2ed4fa2 
Thanks @sempervictus
@OJ
Fix up packe spec tests
616fdae
@OJ
Update payload cache sizes
30a23c4
@OJ
Fix more specs
c08e864
@OJ
Fix missed cases of method strings
19f771f
@OJ
Re-remove the filter on the sniffer extension
b9013e3 
Not sure why, but this is causing issues. Gross.
@OJ
Fix silly typo in the android extension dispatcher
10529c8
@OJ
Fix a stupid mistake with core_patch_url
48290ac 
This was not originally ported to an int when it should have been.
@busterb @OJ
bump payloads version
6f7861f
@busterb @OJ
update sizes
6ec8e94
@busterb @OJ
reverse_python_ssl has has apparently stabilized in size
5b69fe9
@OJ
Pass DER-encoed public keys instead of PEM
209e463 
Just to reduce the more obvious thing going across the wire (ie. no more
"BEGIN PUBLIC KEY"). We now see binary blobs.
@OJ OJ force-pushed the crypt-tlv-pem-to-der branch from 972e21c to d1cfbb0 Compare June 9, 2020 00:42
@timwr timwr mentioned this pull request Jun 11, 2020
Merged
4 tasks
@OJ
Copy link
Contributor Author

OJ commented Jun 15, 2020

Not sure why this still looks so messy!

@smcintyre-r7
Copy link
Contributor

Alright the mettle, Windows and PHP implementations are all done. Once the Java and Python changes are made, I can bump the gems and get this PR landed.

@zeroSteiner zeroSteiner mentioned this pull request Jun 18, 2020
Merged
3 tasks
@OJ
Copy link
Contributor Author

OJ commented Jun 18, 2020

Great, thank you. I'll make sure the java stuff is lined up first thing this morning.

@smcintyre-r7
Copy link
Contributor

Alright, changes are now in for the Windows, Java, PHP and Python Meterpreters (metasploit-payloads v2.0.5) and Mettle (metasploit_payloads-mettle v1.0.1). All are still negotiating TLV encryption, and pass tests using the post/test/file and post/test/meterpreter modules.

I'll have this landed shortly with a bump in the respective gems and updates to the payload sizes.

@smcintyre-r7 smcintyre-r7 self-assigned this Jun 19, 2020
@smcintyre-r7
Copy link
Contributor

Something is off with this, I merged it in commit efbff6f however the GitHub web UI is not showing it as merged. I'm going to have to close this out manually. I suspect it's related to it also looking messy despite it merging cleanly.

Thanks for all your work on this @OJ!

@smcintyre-r7
Copy link
Contributor

smcintyre-r7 commented Jun 19, 2020
edited by pbarry-r7
Loading

Release Notes

Updated transmission of the RSA key used to negotiate TLV encryption for Meterpreter to use the binary DER format instead of the text-based PEM format. This makes the key smaller, easier to process, and removes the static "BEGIN PUBLIC KEY" string.

@OJ
Copy link
Contributor Author

OJ commented Jun 19, 2020 via email

OJ pushed a commit to OJ/metasploit-framework that referenced this pull request Jun 23, 2020
@smcintyre-r7
Land rapid7#13400, Change from PEM to DER for crypt TLV negotiation
efbff6f
@pbarry-r7 pbarry-r7 added the rn-enhancement release notes enhancement label Aug 18, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@busterb busterb busterb approved these changes

@smcintyre-r7 smcintyre-r7 smcintyre-r7 approved these changes

Assignees

@smcintyre-r7 smcintyre-r7

Labels
enhancement library meterpreter msf6 PRs that need to be landed into the msf 6 branch rn-enhancement release notes enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@OJ @busterb @smcintyre-r7 @bwatters-r7 @pbarry-r7 @jmartin-tech