Metasploit Toolkit for Penetration Testing, Exploit Development, and Vulnerability Research

Metasploit Toolkit FOR PENETRATION TESTING, EXPLOIT DEVELOPMENT, AND VULNERABILITY RESEARCH\ \ By David Maynor K. K. Mookhey \ Syngress\ Copyright © 2007 Elsevier, Inc.\ All right reserved.\ ISBN: 978-0-08-054925-5 \ \ \ Chapter One\ Introduction to Metasploit\ Solutions in this chapter:\ * Overview: Why Is Metasploit Here?\ * History of Metasploit\ * Metasploit Core Development\ * Technology Overview\ * Leveraging Metasploit on Penetration Tests\ * Understanding Metasploit Channels\ [\ \  ] Summary\ \ [\ \  ] Solutions Fast Track\ \ [\ \  ] Frequently Asked Questions\ \ Introduction\ For those of us who were fortunate enough to attend Blackhat Las Vegas 2004, the scene in hall {##} was unforgettable. The title of the talk was "Hacking Like in the Movies." HD Moore and spoonm were on stage presenting the arrival of their tool Metasploit Framework (MSF) version 2.2. The hall was packed to the gills. People stood in the aisles, and the crowd was spilling over to the main corridor. Two screens glowed to life—the black one on the left showing the MSF commands in action, and the blue one on the right showing a Windows system being compromised. Applause flowed freely throughout the session, and the consensus was clear, "Metasploit had come of age." But we should have known better. That was only a taste of things to come. With the arrival of MSF version 3.0, the entire approach to information security testing is likely to be revolutionalized. MSF 3.0 is not only an exploit platform, but it is in fact a security tool development platform. The application program interfaces (APIs), architecture, and indeed the philosophy behind the tool promise to make its launch one of the most exciting events in recent times.\ So what is Metasploit, and why is there such a buzz around the tool? This book introduces the reader to the main features of the tool, its installation, using it to run exploits, and advanced usage to automate exploits and run custom payloads and commands on exploited systems.\ Overview: Why Is Metasploit Here?\ Metasploit came about primarily to provide a framework for penetration testers to develop exploits. The typical life cycle of a vulnerability and its exploitation is as follows:\ 1. Discovery A security researcher or the vendor discovers a critical security vulnerability in the software.\ 2. Disclosure The security researcher either adheres to a responsible disclosure policy and informs the vendor, or discloses it on a public mailing list. Either way, the vendor needs to come up with a patch for the vulnerability.\ 3. Analysis The researcher or others across the world begin analyzing the vulnerability to determine its exploitability. Can it be exploited? Remotely? Would the exploitation result in remote code execution, or would it simply crash the remote service? What is the length of the exploit code that can be injected? This phase also involves debugging the vulnerable application as malicious input is injected to the vulnerable piece of code.\ 4. Exploit Development Once the answers to the key questions are determined, the process of developing the exploit begins. This has usually been considered a bit of a black art, requiring an in-depth understanding of the processor's registers, assembly code, offsets, and payloads.\ 5. Testing This is the phase where the coder now checks the exploit code against various platforms, service pack, or patches, and possibly even for different processors (e.g., Intel, Sparc, and so on).\ 6. Release Once the exploit is tested, and the specific parameters required for its successful execution have been determined, the coder releases the exploit, either privately or on a public forum. Often, the exploit is tweaked so that it does not work right out of the box. This is usually done to dissuade script kiddies from simply downloading the exploit and running it against a vulnerable system.\ All of this has undergone a bit of a paradigm shift. With Metasploit it is now quite straightforward for even an amateur coder to be able to write an exploit. The framework already comes with more than 60 exploits pre-packaged to work right out of the box. The development of new exploits is proceeding at a rapid pace, and as the popularity of the tool soars, the availability of exploits is also likely to increase. This is quite similar to the large number of plugins that Nessus now has.\ But this is only part of the story. Where Metasploit really comes into its own is in the way it has been architected and developed. It is now likely to become the first free (partially open-source, since it is now distributed under its own Metasploit License) security tool, which covers the entire gamut of security testing—recon modules to determine vulnerable hosts and interface with scanners such as Nmap and Nessus, exploits and payloads to attack the specific vulnerabilities, and post-exploitation goodies to stealthily own the system, and possibly the entire network.\ What Is Metasploit Intended for and What Does It Compete with?\ The MSF is an open-source tool, which provides a framework for security researchers to develop exploits, payloads, payload encoders, and tools for reconnaissance and other security testing purposes. Although, it initially started off as a collection of exploits and provided the ability for large chunks of code to be re-used across different exploits, in its current form it provides extensive capabilities for the design and development of reconnaissance, exploitation, and post-exploitation security tools.\ The MSF was originally written in the Perl scripting language and included various components written in C, assembler, and Python. The project core was dual-licensed under the GPLv2 and Perl Artistic Licenses, allowing it to be used in both open-source and commercial projects. However, the 3.0 version of the product is now completely re-written in Ruby and comes with a wide variety of APIs. It is also now licensed under the MSF License, which is closer to a commercial software End User License Agreement (EULA) than a standard open-source license. The basic intent is to:\ * Allow the MSF to remain open-source, free to use, and flee to distribute.\ * Allow module and plugin developers to choose their own licensing terms.\ * Prevent the MSF from being sold in any form or bundled with a commercial product (software, appliance, or otherwise).\ * Ensure that any patches made to the MSF by a third party are made available to all users.\ * Provide legal support and indemnification for MSF contributors.\ The MSF competes directly with commercial products such as Immunity's CANVAS and Core Security Technology's IMPACT. However, there is a major difference between the MSF and these commercial products in terms of its objectives. The commercial products come with user-friendly graphical user interfaces (GUIs) and extensive reporting capabilities in addition to the exploit modules, whereas the MSF is first and foremost a platform to develop new exploits, payloads, encoders, No Operator (NOP) generators, and reconnaissance tools. Moreover, it is also a platform to design tools and utilities that enable security research and the development of new security testing techniques.\ History of Metasploit\ The Metasploit project was originally started as a network security game by four core developers. It then developed gradually to a Perl-based framework for running, configuring, and developing exploits for well-known vulnerabilities. The 2.1 stable version of the product was released in June 2004. Since then, the development of the product and the addition of new exploits and payloads have rapidly increased.\ Road Map: Past, Present, and Future\ Although initially the framework did not provide any support for developers to interface with it, from version 2.2 onwards it has always been a developer-friendly product. The 2.x series was written primarily in Perl with snippets of assembly and C. The 3.x series is a complete rewrite in Ruby, with an overhaul of the architecture and the interfaces and APIs that it provides to users.\ With the speed at which the popularity of Metasploit continues to grow, it is quite likely that it will become the tool of choice, not only for running and coding exploits, but as a comprehensive framework for the entire gamut of penetration testing, including scanning remote systems, fingerprinting them, identifying vulnerabilities, running exploits against vulnerabilities, escalating privileges, and developing reports about the results found.\ The popularity of the tool can be gauged from some of the statistics in H. D. Moore's presentations at Cansecwest 2006 and 2007—the framework finds a mention in 17 books, 950 blogs, and 190 articles. Since the release of the 3.0 stable version in March 2007, the framework has been downloaded 20,000 times in less than two months. Also in the same period, the msfupdate utility used to update the framework directly from the command line has been used from over 4,000 IP addresses.\ Some of the current limitations of the platform are:\ * The various remote access interfaces of the product—primarily msfcli and msfweb—do not provide for any authentication of the remote user, and can thus be avenues for the power of the framework to be wrongly exploited. The Metasploit documentation clearly warns you about this.\ * No exploits for Web-based vulnerabilities. Currently no exploits exist within the MSF for Web application vulnerabilities such as cross-site scripting (XXS), Structured Query Language (SQL) injection, and others. There is research going on to create modules or plugins that perform Hypertext Transfer Protocol (HTTP) fuzzing, but this has not yet been included as part of version 3.0.\ * There are no reporting capabilities, which would help the tester produce a comprehensive report of the exploits run and the vulnerabilities discovered. Again, this is not the focus of the MSE Also, with version 3.0, developers have the ability to code plugins for the framework, thus adding as much functionality to the product as their creativity permits.\ The Metasploit project consists of more than just the MSE It also now includes:\ Metasploit Opcode Database\ This Web-based interface is probably the most comprehensive database of opcodes available anywhere on the Internet. As shown in Figure 1.1, it allows the user to search for opcodes either from a set of modules based on the opcode class, opcode meta type, or a specific opcode. It also allows for opcodes to be searched in windbg modules.\ Currently, the database consists of over 14 million opcodes, covering 320 different opcode types and 14 operating systems. It is available online at www. metasploit, com/op code_database, html.\ The current version of the framework also provides the msfopcodeutility to interface with the online opcode database from the command line.\ Metasploit Anti-forensics\ This is a collection of tools and documents to help defeat forensic analysis of compromised systems. The tools are released as part of a package titled (very imaginatively) the Metasploit Anti-Forensic Investigation Arsenal (MAFIA). This consists of:\ * Timestomp The first ever tool that allows you to modify all four New Technology File System (NTFS) timestamp values: modified, accessed, created, and entry modified.\ * Slacker The first ever tool that allows you to hide files within the slack space of the NTFS file system.\ * Sam Juicer A Meterpreter module that dumps the hashes from the SAM, but does it without ever hitting disk.\ * Transmogrify The first ever tool to defeat EnCase's file-signaturing capabilities by allowing you to mask and unmask your files as any file type.\ The future work planned under this project includes browser log manipulation, secure deletion of files, file meta-data modification, and documentation of anti-forensic techniques among others.\ The Anti-Forensics project is accessible at www.metasploit.com/projects/ antiforensics/.\ Advisories\ Members of the Metasploit team have also found vulnerabilities in various software products. They are documented at www.metasploit.com/research/vulns. This list includes vulnerabilities in PGP Desktop, Lyris ListManager, Google Search Appliance, and others.\ (Continues...)\ \ \ \ \ Excerpted from Metasploit Toolkit FOR PENETRATION TESTING, EXPLOIT DEVELOPMENT, AND VULNERABILITY RESEARCH by David Maynor K. K. Mookhey Copyright © 2007 by Elsevier, Inc.. Excerpted by permission of Syngress. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.\ Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site. \ \

Chapter 1: Introduction to Metasploit Chapter 2: Architecture, Environment, and Installation Chapter 3: Metasploit Framework & Advanced Environment Configurations Chapter 4: Add-on Modules Chapter 5: Exploiting the Target Chapter 6: Converting Public Payloads Chapter 7: Writing New Payloads Chapter 8: Automating Exploitation Chapter 9: IPS Evasion Chapter 10: CASE STUDY I: Raxnet Cacti remote command execution Chapter 11: CASE STUDY II: Mercur Messaging 2005 SP3 IMAP Remote Buffer Overflow (CVE —2006-1255)Chapter 12: CASE STUDY III SlimFTPd String Concatenation Overflow]Chapter 13: CASE STUDY IV: WS-FTP Server 5.0.3 MKD Overflow Chapter 14: CASE STUDY V: MailEnable HTTP Authorization Header Buffer Overflow