HackMiami Hack-A-Thon - Rapid7

INDEPENDENT PRODUCT COMPARISON

HACKMIAMI "PWN-OFF" PENETRATION TESTING COMPETITION

Report from the HackMiami Catch the Flag Ethical Hacking competition

Metasploit Express placed first in the HackMiami 2010 penetration testing competition, held between Rapid7 Metasploit Express, Core Impact Professional and Immunity CANVAS. As a result of its many impressive features, including ease of use and advanced reporting capabilities, Metasploit Express ranked highest overall with a total score of 4.5 out of five available stars.

HackMiami is an organization made up of a variety of professionals that provide innovative technical and social collaboration through regular meetings, presentations, labs and competitions that serve to develop all fields of modern technology. This document is a reprint of the full report, which is available on http://www.n00bz.net

METASPLOIT EXPRESS SETUP

Running on Ubuntu, the application had a demo license that restricted usage to 14 days. The demo license allows unrestricted scanning of IP ranges and unlimited functionality.

INTERFACE

One of Core Impact Pro's strengths is having a simple interface that makes penetration testing as easy as drop, drag, pwn. Many doubted that there could be an easier way. Thank you, Rapid7, for proving the doubters wrong. (I was one of them!)

While the application runs on both Windows and your favorite Linux flavor, Metasploit Express's console is accessed through a web browser. The interface of Metasploit Express follows the idea of KISS (Keep It Simple, Stupid).

RAPID7 Corporate Headquarters, 545 Boylston Street, Boston, MA 02116, 617.247.1717, www.rapid7.com
The home screen is divided into Discovery, Penetration (Bruteforce/Exploitation), Evidence Collection, and Cleanup. At the bottom of the console sits the log that keeps track of everything performed by the tool.

Clicking on Scan loaded the scanning engine, which can be described as Nmap powered up (DCERPC, POP3/SMB/Postgres fingerprinting).

The scanning engine performs port scanning as well as attempts to connect using HTTP, SMB, SQL, telnet and SSH, among others. It was impressive to see that the scanning engine also performs basic brute forcing, such as identifying identical username/password combinations or no password on SMB.

Once completed, entering the Hosts tab off the menu brings up the screen below. The top menu bar allows other options to be performed, such as Brute force, Exploit, or Collect Evidence. Under the status, if the password was cracked or evidence looted (collected), this screen identifies the status with a colored bubble.

Quote from the crowd: "The interface is super clean. I am not technical and I can tell right away which machines are in trouble."

EXPLOITS

Metasploit Express allows two options once you have completed your discovery of the hosts.

The first is brute force. Using intelligence and knowledge collected from the discovery phase, the tool attempts to break in by trying common password combinations on selected services. The tool also highlights the lockout risk of services such as SMB, where repeated failed logons can lock out the accounts under test; that is something I have personally done, and it drove the system admins crazy.

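The lockout risk the tool flags is worth quantifying before a brute-force run rather than discovering it from an angry admin. The Ruby below is an added example written for this reprint, not code from Metasploit Express or Rapid7. It assumes a Windows-style lockout policy (a threshold of failed logons inside an observation window, with 0 meaning lockout is disabled), splits a password list into rounds that stay under that threshold, and replays the plan against a simulated bad-password counter to confirm it. The policy values, the password list and the risk labels are constructed for the example.

```ruby
# Added example: keeping a credential brute force under an account lockout policy.
# Policy values mirror Windows semantics: threshold 0 means lockout is disabled,
# otherwise `threshold` failed logons inside `window_min` minutes lock the account.

# Rough risk label for a service whose logons count against the policy (SMB, RDP,
# LDAP against domain accounts). Hypothetical classification, not Express's own.
def lockout_risk(threshold:)
  return :none if threshold.zero?
  threshold <= 5 ? :high : :moderate
end

# Splits `passwords` into rounds so that no account sees more than
# (threshold - safety_margin) failures inside one observation window. The margin
# leaves room for the user's own typos, which count against the same threshold.
# Returns [{ start_min:, passwords: }, ...]; consecutive rounds are one full window apart.
def spray_plan(passwords, threshold:, window_min:, safety_margin: 2)
  return [{ start_min: 0, passwords: passwords }] if threshold.zero?
  per_round = threshold - safety_margin
  raise ArgumentError, "threshold #{threshold} leaves no safe budget" if per_round < 1
  passwords.each_slice(per_round).with_index.map do |slice, i|
    { start_min: i * window_min, passwords: slice }
  end
end

# Replays a plan against the bad-password counter of one account: failures older
# than the window are forgotten, so the peak is what the policy actually sees.
def peak_failures(plan, window_min:)
  recent = [] # minute offsets of failures still inside the window
  peak = 0
  plan.each do |round|
    t = round[:start_min]
    round[:passwords].size.times do
      recent.reject! { |ts| t - ts >= window_min }
      recent << t
      peak = [peak, recent.size].max
    end
  end
  peak
end

# Constructed example policy: lock after 5 failures within 30 minutes.
POLICY = { threshold: 5, window_min: 30 }.freeze
# Constructed spray list (every password is tried against every account).
SPRAY_LIST = %w[Summer2010 Winter2010 Password1 Welcome1 Company1].freeze

if __FILE__ == $PROGRAM_NAME
  plan = spray_plan(SPRAY_LIST, **POLICY)
  puts "lockout risk: #{lockout_risk(threshold: POLICY[:threshold])}"
  plan.each { |r| puts "t+#{r[:start_min]}m: #{r[:passwords].join(', ')}" }
  puts "peak failures per account: #{peak_failures(plan, window_min: POLICY[:window_min])}"
end
```

Read the real policy first (`net accounts /domain` on a Windows host, or the equivalent LDAP attributes) and feed those numbers in; a plan built against a guessed threshold is no safer than the tool's default.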
The other option is Exploiting. Anyone who is familiar with the Metasploit Framework is aware of this feature. This is not just autopwn. The Exploit option uses new logic, and the user can select exploits based on a rating system or stop after the first shell is gained. This can minimize the chances of crashing anything. (Once again, angry admin.) There is also a dry run to see what could work without actually unleashing the exploits on the targets.

Using the knowledge obtained from all the processes run up to this point, the Exploiting task unleashes pwn-ership on the targets.

Using the web front end to generate the list of sessions spawned, I wondered how the shell interaction would play out. Metasploit Express wowed many when the tool generated both a Windows shell (by connecting to a VNC service attached to a Meterpreter session) and a Unix shell, all within the browser.

Total number of exploits found: 16 shells across EIGHT boxes.

Quote from the crowd: "The tool was able to gain in only a few minutes 16 shells at target machines (one of them was a VM I provided)."

Quote from the crowd: "Goodbye drop, drag, pwn. Hello point, click, pwn."

REPORTING

Before we get into the reporting aspect of Metasploit, we need to understand what goes into the report that the decision makers want to see. "Server blah blah has a blah blah which could be blah."

A good penetration test report does not just deliver risks to the servers; it illustrates the risk with more than a number from 0.0 to 10.0. When I receive an audit report, the first thing I do is challenge the report. Maybe it is a defensive method a la Dr. Freud. One thing you can't argue against is evidence. (However, that still doesn't stop me personally from trying.)

One of the tasks I hate the most when performing penetration testing is collecting evidence.

Once a machine has been exploited, Metasploit Express provides a function every penetration tester and auditor will love. All one needs to do is click the Collect button and the machine is "Looted."

Among the goodies collected by Metasploit Express are:

- RSA keys (both public and private)
- Windows SAM file, Windows processes, Windows sysinfo
- A screen shot of what is on the monitor at the time

Getting all that information out of the tool is just as easy as obtaining the information.

Clicking on Report will allow you to run several ad-hoc reports in PDF, Word, XML, and a full dump in a zip file. You can mask usernames and passwords when generating the reports.

One of my favorite reporting options is the Replay Scripts. A Replay Script allows someone to download the Framework and replay the attack without requiring the Express product.

Click here to download the replay for 192.168.1.113 - a Windows NT host exploited using exploit/windows/smb/ms06_040_netapi

As a Sr. Manager from a Big 4 Public Accounting Firm said, "It is 2010 and I can't believe this feature is only making it to the market now. By allowing a client to retest a finding will allow them to remediate and retest,
this will save time on our part and consultant fees on their part. By providing the option to replay the attack, we can provide our clients value above and beyond just a report."

VALUE AND ADDITIONAL FEATURES

Metasploit Express costs $3,000. It is the cheapest in price of the tools in our test; however, the low price does not mean a lower quality tool by any means.

The name of the product is misleading. When one thinks of the word express, one thinks that it is lacking or scaled down. This could not be further from the truth. As was observed from the demo, express was the speed at which it pwned machines, saving the tester valuable time, which is money.

Included with the purchase of Metasploit Express is full support by Rapid7 security and support specialists, in addition to the large and growing Metasploit community.

This is the first commercial release of the Metasploit project and the team at Rapid7 has set the bar very high. The rumor mill says to be on the lookout for a professional version with even more features packed into it. Look out, vulnerable machines and competitors alike.

SCORECARD

Interface - 4 out of 5 points
The interface is super clean compared to the other applications. Metasploit Express uses a web browser to interact with the application. It doesn't matter what OS you are used to; if you have ever surfed the web, you can "Point, Click, Pwn!"

Exploits - 4.5 out of 5 points
Metasploit Express generated 16 shells across EIGHT boxes. The speed at which the targets fell justified the name "express."

Reporting - 4 out of 5 points
With a single click, the evidence collection feature does the dirty work of collecting evidence from the targets. This feeds into the reporting feature of the tool. The reports generated out of Metasploit Express include the evidence collected, which includes user/password combinations, encryption keys and screen shots of the target machine. In this case, a picture is worth a thousand words.

Additional Features - 3.5 out of 5 points
A favorite feature of Metasploit Express is the Replay Scripts. By enabling one to replay the attack without requiring the Express product, a tester would be able to provide value above and beyond just a report.

Value - 5 out of 5 points
Metasploit Express was the most affordable with a list price of $3,000.

Total Score - 4.5 out of 5 points (Winner)

ABOUT RAPID7

Rapid7 is the leading provider of unified vulnerability management, compliance, and penetration testing solutions, delivering actionable intelligence about an organization's entire IT environment. Rapid7 offers the only integrated threat management solution that enables organizations to implement and maintain best practices and optimize their network security, Web application security and database security strategies.

Recognized as the fastest growing vulnerability management company in the U.S. by Inc. Magazine, Rapid7 helps leading organizations such as Liz Claiborne, Southern Company, the United States Postal Service, the New York Times, Carnegie Mellon University and the National Nuclear Security Administration (NNSA) to
mitigate risk and maintain compliance for regulations such as PCI, HIPAA, FISMA, SOX and NERC. Rapid7 also manages the Metasploit Project, the leading open-source penetration testing platform with the world's largest database of public, tested exploits. For more information, visit www.rapid7.com.

Noobz Network – Metasploit Pro Review

Last year, HackMiami had a Pwn-Off in which Metasploit Express was declared the winner with 4.5/5 stars. In comparing Express with Core, it was noted that, "Core includes not only Network Testing, but Web and Client Side/Phishing attack vectors as well. You will pay for these features however."

At BlackHat/Defcon, Rapid7 announced that it would take its offerings to the next level, along with a video: http://www.youtube.com/watch?v=jXGF9Giz7No

Behold, Metasploit Pro!

Metasploit Pro includes all the features of Express along with Web Attacks, Social Engineering, VPN pivoting as well as Team Collaboration.

Team Collaboration and VPN Taps

@rodsoto and I decided to test out the features of Pro. The first thing we tested was Team Collaboration. Rod was in Miami and I was in Orlando. We used a local company, NewServers.com, to create a cloud instance of Metasploit Pro.

The first thing we noticed is that the menu bar has some updates. Campaigns and Web Apps are two new attack vectors added to the application.

Using the Hosts tab, Rod scanned our first target.

Express had Bruteforce and Exploit, but Pro adds a new button to the top of the Host page, WebScan. Selecting the Web Scan button launches the module, sharing the knowledge obtained in the scan.

The Web Application Scan crawls the site looking for pages and forms.

Once identified, the user can Audit the forms found. The tool will look for SQL injection, XSS, as well as RFI. More on this later...

The scan returned that no web vulnerabilities were identified on the server. At this time Rod handed off the project to me.

Browsing to the site, I saw the following page: Integard Pro.

Heading over to the Corelan Team's site I saw the advisory, http://www.corelan.be:8800/advisories.php?id=CORELAN-10-061, and found the exploit in the Modules section.

Launching the exploit, I was rewarded with a session.

New to the Available Actions on the Session screen is VPN Pivot. Express allows a Proxy Pivot, creating a gateway through the compromised machine that allows you to scan further into the network. Metasploit Pro allows the user to create a VPN gateway on the target machine to which you have an encrypted layer 2 connection. VPN pivoting creates a virtual Ethernet adapter on the Metasploit Pro machine that enables you to route ANY traffic through the target. The keyword is ANY! If you have a special tool you purchased or a custom tool that you wrote, you can use it. This virtual tap combined with all the attack vectors in Metasploit Pro makes this a very powerful feature.

We had a second target machine set up in our environment. This was out on the internet for our testing; however, had it been behind a firewall, the VPN tap through the first server would have made it fully reachable.

Passing the hash we collected is simple. Hashes were collected when we looted the first server.

Let's see if we can pass the hashes to the second server. To pass the hash using Pro, select the Bruteforce attack and under Depth select Known Only, which restricts the attempts to credentials already collected in the project.

We were able to authenticate to the second server since a common username/password was used. I passed the project back to Rod to exploit the second server.

He was able to search the file system and found a folder called TopSecret.

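The Known Only depth works because the project already holds the SAM hashes looted from the first server, and the authentication to the second server succeeded because the same password was in use on both. The Ruby below is an added example, not Metasploit code: it parses pwdump-style loot of the kind the Evidence Collection step produces (this also illustrates the Windows SAM file listed under the Express reporting section), flags blank passwords and stored LM hashes, builds the LM:NT pairs a pass-the-hash attempt reuses, and, once a second host has also been looted, lists accounts whose NT hash matches across both hosts. The sample loot lines are constructed; the NT hash 8846f7ea... is the widely published hash of the string "password", and the blank-password constants are the standard ones Windows stores. The LM:NT layout in place of a password is the form the framework's SMB modules accepted at the time; treat it as an assumption and check the option help in your version.

```ruby
# Added example: working with looted SAM hashes in pwdump format
#   user:rid:lmhash:nthash:::
# Constants are the standard "empty password" hashes Windows stores.
BLANK_LM = "aad3b435b51404eeaad3b435b51404ee".freeze
BLANK_NT = "31d6cfe0d16ae931b73c59d7e0c089c0".freeze

# Constructed loot from the first server (not real evidence from the review).
# 8846f7ea... is the widely published NT hash of the string "password".
LOOT_SERVER1 = <<~PWDUMP
  Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
  Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  backup:1001:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
PWDUMP

# Constructed loot from the second server, taken after it was exploited.
LOOT_SERVER2 = <<~PWDUMP
  Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
  svc_sql:1002:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
PWDUMP

def parse_pwdump(text)
  text.each_line.map do |line|
    fields = line.strip.split(":")
    next if fields.size < 4 # skip blank or truncated lines
    user, rid, lm, nt = fields
    { user: user, rid: rid.to_i, lm: lm.downcase, nt: nt.downcase }
  end.compact
end

# Flags what an auditor should see in the evidence: accounts with no password
# at all, and accounts whose LM hash is stored (crackable in hours, usable for PtH).
def assess(entries)
  entries.map do |e|
    flags = []
    flags << :blank_password if e[:nt] == BLANK_NT
    flags << :lm_hash_stored if e[:lm] != BLANK_LM
    e.merge(flags: flags)
  end
end

# "Known only" credential set: one LM:NT pair per account that has a password.
# Assumption: this LM:NT string is what the SMB modules take in place of a password.
def known_only_credentials(entries)
  entries.reject { |e| e[:nt] == BLANK_NT }
         .map { |e| [e[:user], "#{e[:lm]}:#{e[:nt]}"] }
end

# After both hosts are looted: accounts on host B whose NT hash also appears on
# host A. Identical NT hashes mean identical passwords, i.e. reuse across hosts.
def reuse_candidates(host_a, host_b)
  by_nt = host_a.group_by { |e| e[:nt] }
  host_b.map do |e|
    next if e[:nt] == BLANK_NT || !by_nt.key?(e[:nt])
    { user_b: e[:user], users_a: by_nt[e[:nt]].map { |a| a[:user] }, nt: e[:nt] }
  end.compact
end

if __FILE__ == $PROGRAM_NAME
  s1 = parse_pwdump(LOOT_SERVER1)
  assess(s1).each { |e| puts "#{e[:user]}: #{e[:flags].empty? ? 'ok' : e[:flags].join(', ')}" }
  known_only_credentials(s1).each { |u, h| puts "try #{u} with #{h}" }
  reuse_candidates(s1, parse_pwdump(LOOT_SERVER2)).each do |r|
    puts "#{r[:user_b]} on server 2 shares a password with #{r[:users_a].join('/')} on server 1"
  end
end
```

The reuse list is the finding a report reader cares about: a shared local Administrator password is what let the second server fall without any new exploit, and the fix (unique local admin passwords, no LM storage) is visible directly from the evidence.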
He emailed me to check the Evidence of Server272. I logged into the Metasploit Pro server and found the evidence he collected.

Web Application Attacks

I decided to test the Web Application Attacks module to further show how it works. I fired up DVL (Damn Vulnerable Linux) as a target. DVL has several web applications that are insecure: a perfect test of the Web Attack modules of Metasploit Pro.

The first thing I did was scan the host, and the scan identified that port 80 was open.

Clicking WebScan passes all the information over to the Web Scanning module.

Launch the scan and the application does the rest. It quickly found several vulnerabilities.

Once the scan is completed, a list of findings is presented.

Metasploit Pro allows you to see the full information of the finding as well as replay the attack.

This is available for SQL attacks as well.

When SQL injections and XSS are identified, the tool gives you the ability to dive deeper.

When a problem like RFI is identified, thanks to Meterpreter for PHP (http://blog.metasploit.com/2010/06/meterpreter-for-pwned-home-pages.html) one can take control of an external web server, create a VPN tap and... I will leave it up to your imagination.

Campaigns - Social Engineering

Social Engineering is the new attack vector. Metasploit Pro offers Social Engineering made easy. You can use Web Campaigns, Email, or my favorite, USB Drive.

If you want to launch a Web Campaign, setting up the Web Template is a breeze. A great trick is to go to a real site and copy the HTML source.

Note: If the website that you copy & paste from uses relative links, remember to set the base href attribute and force the page to use the original site's files to render. More information here: http://www.w3schools.com/tags/tag_base.asp

You select your Exploit Settings from a Dropdown or you can use Browser Autopwn.

My favorite choice is the Signed Applet Social Engineering Code Exec.


When the victim browses to your evil site, they get a pop up.

When they click Run/Yes... you have a session.

Matt over at Practical Pwnage (http://practicalpwnage.com/blog/) wrote up a tutorial on a great Social Engineering attack. I highly recommend it.




Final Notes:

It seems like Rapid7 celebrated their victory with Metasploit Express in the Pwn-Off but also asked themselves how to get 5/5. Looking at the features that were missing, they went back to the drawing board and the resulting product is one that truly deserves the title Professional.



Download your Free Full Featured 7-day trial at: http://www.rapid7.com/products/metasploit-pro.jsp

You can also contact:

Brooke Motta, Sr. Sales Director @ (857)288-7412 or by email: brooke_motta@rapid7.com
or
Jennifer Halfmann @ (857)288-7412 or by email: Jennifer_Halfmann@rapid7.com




Update: Version 3.5.1

Rapid7 released version 3.5.1 packed with lots of new features allowing Pro to strike fear in the hearts of Blue Teams.

The new Metasploit version 3.5.1 adds a lot of features to audit your network's password security on many levels. Version 3.5.1 now downloads the configuration files of Cisco routers and extracts their passwords. The team has also added brute forcing of UNIX "r" services, such as rshell, rlogin and rexec, as well as VNC and SNMP services.

Rapid7 has added email attachments to social engineering campaigns that enable you to send out malicious PDF and MP3 files.

Metasploit now provides additional exploits for SAP BusinessObjects, Exim mail servers, ProFTPD file transfer installations, SCADA deployments (BACnet, Citect, DATAC), Novell NetWare servers, Microsoft Internet Explorer, and browser plugins such as Adobe Flash and Oracle Java.

Check out Rapid7's Blog write-up about it here and the Metasploit blog here.

Tune in for a write-up of all the new features and more here at http://n00bz.net



