Attributes of a Zero Dollar Malware Analysis System
Please note this environment is not meant to be a sandbox but rather an environment where one can conduct research on malware while most likely not executing the malware (unless you consider malicious code on a website to be malware, in which case it will execute). However, most downloaded critters won’t execute in this environment. Please visit the upcoming desktop support article for detailed instructions on how to set up and leverage this environment without spreading infections.
Virtual Environment
Selecting a virtual environment is fairly easy; however, it does bring about a lot of debate. Personally I don’t understand the argument. If you are looking for a desktop virtual environment but are not willing to pay for it, go with Sun xVM. Sometimes the networking can cause some issues, but on the whole it seems to work a lot better than VMware Virtual Player. I have a copy of VMware Workstation and I prefer that, so VMware Server is also a valid choice but requires more setup than I felt like doing. Thus, here are the primary desktop virtualization options for the basic Malware Analysis Environment we’re going to set up today.
Sun xVM (AKA VirtualBox): http://www.virtualbox.org/wiki/Downloads
VMware Virtual Player: https://www.vmware.com/tryvmware/?p=player&lp=1&sourceid=chrome&ie=UTF-8&q=VMware%20Virtual%20Player
The Operating System: Ubuntu
A generic copy of Ubuntu 9.10 can be very easy to use and extremely powerful. In addition, many of the tools necessary for observing malware are open-source or Linux-specific tools. Unfortunately, however, a Linux system will most likely not execute the actual malware. This is both a positive and a negative: it creates a somewhat safer environment for dissecting the malware, but it also makes things a touch more difficult. It is for the latter reason that users are recommended to utilize resources such as CW Sandbox and Threat Report for analyzing the execution of malware.
Traffic Analysis Tools
Wireshark (# apt-get install wireshark)
Wireshark is somewhat of an industry standard in packet sniffing through a graphical user interface. Utilizing Wireshark can be extremely useful in analyzing malware delivered through web applications. Wireshark will record aspects such as unauthorized redirects, attempts at delivering payloads, and attempts to pull down malware onto a machine.
EtherApe (# apt-get install etherape)
Following what is happening during a full packet capture can often be difficult, however. That’s where EtherApe comes in. EtherApe monitors network activity through a graphical representation. The visual representation of network traffic is essential in detecting unauthorized channels that should be tracked down.
NetWitness Investigator (http://www.netwitness.com)
Although NetWitness Investigator is not necessarily a Linux utility it is extremely useful in analyzing malware. Packet captures can be loaded into NetWitness Investigator in order to forensically investigate network traffic as well as run the entire packet capture against multiple threat feeds. This helps in determining IP reputation for systems involved in a malware attack.
Snort (http://www.snort.org)
The inclusion of the world’s most recognizable open-source Intrusion Detection System is obvious. Snort can help detect the type of attack that is being run as well as serve as an excellent resource for determining what aspects of captured traffic to analyze. Snort can either be run actively while attempting to observe how malware is delivered, or it can be run against packet captures.
Malware Analysis Tools
PDF-Parser (http://blog.didierstevens.com/programs/pdf-tools/)
A lot of exploits currently target Adobe Reader. As a result, a large amount of malware infects machines through the delivery of maliciously crafted .pdf documents. Thus, tools like pdf-parser, which allow investigators to better analyze what is housed within pdf documents, are essential.
jsunpack-n (http://jsunpack.jeek.org/jsunpack-n.tgz)
jsunpack is a tool specifically designed for assisting security researchers in the analysis of malware-infected websites. Specifically, jsunpack is cited as being a “generic javascript unpacker.” However, jsunpack has several features that go well beyond unpacking.
Paros Proxy (http://www.parosproxy.org/download.shtml)
Paros Proxy is a web proxy that can be installed locally. Paros allows investigators to trap specific server requests and responses in order to more easily track what is being delivered to a system. Paros Proxy can also be leveraged to spider web applications should a detected piece of malware be called as a function of a full attack. For example, many malware-infected sites utilize separate scripts to call things such as heap sprays or shellcode. In these situations alerts that detect the heap spray attempt or the shellcode may fire; however, the controlling page may be difficult to find. In such a scenario, spidering a site may be able to detect the controlling malware infection.
Burp Suite (http://www.portswigger.net/suite/)
Burp Suite is similar to Paros Proxy in its usage for malware analysis, as it too is a web proxy that can be installed locally. However, Burp Suite is much more powerful than Paros. In the opinion of SecAnalysis, though, the user interface is not nearly as pretty or user friendly.
Assembly Language Debugger (http://ald.sourceforge.net/)
SecAnalysis’ preferences for graphical debuggers include the Immunity debugger, OllyDbg, and IDA Pro. However, getting any of these to run in an Ubuntu environment can be somewhat challenging and often requires Windows emulation. Thus, Assembly Language Debugger is preferred for this type of malware analysis environment.
strings (pre-installed on Ubuntu)
strings can help pull embedded code and text out of files such as .jpgs in an easy-to-read fashion. This can be essential in manual source code analysis.
Firefox & Plugins
User Agent Switcher (https://addons.mozilla.org/en-US/firefox/addon/59)
Sometimes malware-infected websites will first detect the browser version that is attempting to access the site. Once the site detects the browser version, it determines what malware to deliver, or whether to deliver malware at all. Thus, utilizing User Agent Switcher to spoof IE 6, IE 7, IE 8, search bots and even iPhones can help circumvent these detection mechanisms.
Web Developer (https://addons.mozilla.org/en-US/firefox/addon/60)
Web Developer has a ton of uses in observing malware. It can be especially helpful in tracking down pesky iFrames and hidden form fields. Essentially, Web Developer allows users to control the representation of client-side code as well as assisting in reviewing malware-infected web sites.
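Tracking down hidden iFrames in Web Developer is a manual check, but the same heuristics can be scripted so that a captured page can be triaged before it is opened in a browser. The following is an added example (not the Web Developer add-on’s code and not from the original post) that flags iFrames hidden by tiny dimensions, by display:none or visibility:hidden, or by off-screen positioning. The sample page and the bad.example URLs are constructed placeholders; the three heuristics are this example’s assumptions, not an exhaustive list.

```python
"""Flag iframes that a page hides from the viewer (added example).

Heuristics (assumptions of this example): zero/one-pixel width or height,
display:none / visibility:hidden in the style attribute, or absolute
positioning far off-screen.
"""
import re
from html.parser import HTMLParser

# Constructed sample page: one legitimate embed plus three hidden iframes
# and a hidden form field of the kind Web Developer also reveals.
SAMPLE_HTML = """
<html><body>
<p>Welcome to our store.</p>
<iframe src="https://video.example/embed/123" width="640" height="360"></iframe>
<iframe src="http://bad.example/in.php" width="1" height="1" frameborder="0"></iframe>
<div><iframe src="http://bad.example/x.php" style="display:none"></iframe></div>
<IFRAME SRC="http://bad.example/y.php" STYLE="position:absolute; left:-9999px; top:-9999px" width="300" height="200"></IFRAME>
<form><input type="hidden" name="ref" value="abc"></form>
</body></html>
"""

_HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}",
    re.IGNORECASE,
)


def _px(value):
    """Parse a width/height attribute ('0', '1px', '100%') to an int, or None."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


def classify_iframe(attrs):
    """Return the reasons an iframe looks hidden (empty list means visible)."""
    reasons = []
    w, h = _px(attrs.get("width")), _px(attrs.get("height"))
    if (w is not None and w <= 1) or (h is not None and h <= 1):
        reasons.append("tiny dimensions %sx%s" % (attrs.get("width"), attrs.get("height")))
    m = _HIDDEN_STYLE.search(attrs.get("style") or "")
    if m:
        reasons.append("hidden by style: %s" % m.group(0))
    return reasons


class _IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names, so <IFRAME SRC=...>
        # arrives here as "iframe" with an "src" key.
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def find_hidden_iframes(html_src):
    """Return [(src, reasons)] for every iframe in the page that appears hidden."""
    parser = _IframeCollector()
    parser.feed(html_src)
    hidden = []
    for attrs in parser.iframes:
        reasons = classify_iframe(attrs)
        if reasons:
            hidden.append((attrs.get("src"), reasons))
    return hidden


if __name__ == "__main__":
    for src, why in find_hidden_iframes(SAMPLE_HTML):
        print(src, "->", "; ".join(why))
```

On the sample page the legitimate 640x360 embed passes and the other three are reported with the reason each one tripped; feed it a page saved from a suspicious site to get the list of iFrame sources worth pulling into Wireshark or a proxy for further review.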
Websites
Qualys Delivers Free Website Malware Scanning
It is difficult to dispute that legitimate websites serving out malware has become a serious issue for security professionals. The profitability of scanning websites specifically for malware infections, on the other hand, is arguable. Yet, whether you are on the side of website malware scanning as an emerging business or on the side of website malware scanning as a marketing gimmick, the fact that there are services pushing the capability is undeniable. The recent announcement of free website malware scanning by Qualys, a leader in vulnerability management, further exemplifies the importance of the capability while raising questions of where the capability fits within the market place.
Despite being much needed, website malware scanning capabilities have not found a niche within the market place. The move by Qualys may further ensure that website malware scanning capabilities may never find a lucrative arena within the market. This will not negatively affect Qualys revenue, which is more closely tied to compliance and vulnerability management offerings but could be an early signal for difficult waters for other vendors such as Dasient whose revenue models are more directly tied to malware scanning capabilities. On the other hand this may be the break that companies such as Dasient may have been waiting for.
Although Qualys offers website malware scanning as a free utility, the capability is meant to be integrated within a more comprehensive service known as Qualys GO SECURE, which includes network perimeter vulnerability scanning, SSL certificate validation, and web application vulnerability scanning alongside malware detection. Although these capabilities are great for identifying website malware related issues, they do little to fix the problem. This is where models such as those held by Dasient are more applicable. While Dasient holds website malware scanning capabilities, those capabilities are used to leverage products and services that do something if malware is found. Additionally, companies such as Armorize who, like Qualys, leverage website malware scanning capabilities to move other products will also stand to benefit from technologies that complement Qualys’ offering.
Qualys’ marketing efforts may shed some much needed light on the issues surrounding websites affected by malware and drive-by infections. The increased market recognition should in turn drive new business for growing companies, or at least that is what those hoping the constant bombardment with infected websites may someday subside would like to think. Eventually time will tell, but for the industry’s sake and for the unknowing users’ sake, let’s hope that Qualys’ entrance into the website malware scanning arena will be a large step towards safer browsing.
Metasploit Express Thoughts
Initial Metasploit Express Thoughts
On April 22, Rapid7, a leader in vulnerability management and the recent acquirer of Metasploit LLC, announced the release of a commercial Metasploit product labeled “Metasploit Express.” The commercial release of the once totally open source exploit framework signifies both an advancement in the legitimacy of exploitation frameworks and the growing need from within the market place for exploitation assistance solutions. Of course neither of these positive signals will ease the queasy feeling that most Metasploit framework evangelists will have with the release of a commercial offering. Nor is it likely that the release will do much good for the exploitation framework market or have a major impact on the vulnerability management market.
The Product
Not much is known about Metasploit Express from a product standpoint as the beta release (which SecAnalysis writers are signed up for) has not gone live yet. Supposedly Metasploit Express is essentially the same product as the well-known open source Metasploit framework with a few basic exceptions. Most notably, the commercial offering now has a “full graphical user interface” and is now supported by Rapid7’s customer support staff. In addition, Metasploit Express also boasts automated exploits and exploitation of common insecure configurations (notably insecure username and password configurations).
Market Impact
From a market perspective there is not a lot of good that comes from the commercial release of Metasploit Express. The exploitation framework market is already relatively small, thus the commercial entrance of a major player like Metasploit makes it even more difficult for companies like the current leaders, CORE Security and Immunity, to generate business. Although the business models of the two reigning leaders are strong enough to be resilient against a more saturated market, it is not unlikely that both companies will be forced to reduce some investment into research and/or product improvements. This is particularly unfortunate as both companies have made large strides at creating more effective and enterprise ready products in recent years.
Many will no doubt argue that offering Metasploit commercially will shed some much needed light on the exploitation framework market. That message may be easy to push; however, it is difficult to justify. If anything the entrance of Metasploit into the commercial realm confuses the market. Integrations such as the one boasted by CORE IMPACT (which now integrates Metasploit exploits into the IMPACT framework) become a touch more interesting. The licensing model leveraged by the open source Metasploit Framework is currently very flexible; however, what happens if no one is buying Metasploit Express because CORE offers essentially the same thing in their integrated IMPACT product (with several competitive differentiators)? Furthermore, what will happen if Rapid7 determines that it could increase revenue by cutting into CORE’s current market share? How will the Metasploit licensing change? How will CORE cope with the new market competition? These questions will most likely pan out with the natural progression of the market.
Of course the exploitation market impact is less of a concern to Rapid7 when considering the vulnerability management market, where Rapid7 is focused. Unfortunately, however, the impact on the vulnerability management market is minimal at best. The vulnerability management market is still primarily predicated on compliance and not on security. Thus, the addition of an easy to use penetration testing capability does little to make Rapid7’s current offerings any more attractive. Furthermore, Metasploit Express does little to differentiate Rapid7 from vulnerability management market competitors, especially when considering the fact that most of the market players already have integrations with penetration testing tools. In addition, there is little that a commercial Metasploit version adds in terms of marketability of the Rapid7 name. The acquisition of Metasploit may have granted Rapid7 some much needed publicity; however, the commercial release of a Metasploit version does little to that end. If anything the commercial release raises questions about Rapid7’s intent, which is not necessarily positive publicity.
There is one major positive for Rapid7 however, and it comes from the perspective of investors. Over the past few years Rapid7 has shown growth through innovation and business tactics. Adding a commercial capability for the Metasploit Framework will show investors the potential for further growth in revenue with minimal investment (as much of the necessary development has already been done by the community for Metasploit Express). Thus, it is not unlikely that Rapid7 will be able to capitalize on investor interest in their company to create further growth (if Rapid7 is interested of course).
Thoughts
The new features boasted in Metasploit Express all seem relevant, although it is unclear what is not “full” about the current Graphical User Interface (GUI) leveraged by the open source Metasploit framework. Also, automation largely already exists in the autopwn capabilities boasted by the open source Metasploit Framework. This raises the question: what is really the difference?
It would seem as though the development is more focused on ease of use than anything. However, shouldn’t this have been the focus of the open source version as well? It is the opinion of SecAnalysis that “ease of use” as a competitive differentiator between a commercial offering and an open source solution is rarely a good thing. In such a scenario the vendor benefits from the open source project being clunky, broken, and unusable. Many may argue that this will not be the case with the Metasploit Framework; however, this does raise the question, “If Metasploit Express advancements are making the Metasploit Framework capabilities easier to use, where is the incentive for the open source project to move in the same direction?”
HD Moore and team are well overdue for getting paid for the excellent work they have done on the open source Metasploit Framework. They represent one of the most influential and yet humble and easy to work with teams within the security industry. There is no question that any profit HD and team gain is well earned. Where there are questions is within the realm of the purpose of releasing a commercial Metasploit offering. Visionaries and pioneers within the security industry, especially in the realm of exploitation frameworks, people like HD Moore as well as David and Justine Aitel (of Immunity), have earned their place amongst the leaders in the security industry. Up until this point there has been a relative balance between all of the much needed market players in exploitation frameworks. This is largely due to the vision that HD Moore had for his Metasploit Framework. As the exploitation framework market continues to evolve, one can only hope that HD Moore has found the components to realize his vision and that Rapid7 is not defining (if not destroying) that vision to push their business agenda…
The Battle for My Home Network
In considering new topics for blog posts, I came to realize that it may be interesting to spend a few posts discussing aspects of my home network. While I do not by any means consider my home infrastructure the Fort Knox of home network security, I would venture to say it is a little bit above and beyond the average home network. To start the series, I would like to talk about something very near and dear to my heart, Vulnerability Management. Several years ago, after progressing in my entry-level position as a State Police Information Security Officer, I was given a lateral promotion into a Vulnerability Management Coordinator (VMC) position within a large state government.
Due in no small part to the fact that I was still a little “wet behind the ears” I was extremely dependent on tools in the early phases of my transition into the role of VMC. Thus, I am very selective when it comes to choosing the right vulnerability scanner, even in my home. Over the next two days I will be selecting a primary vulnerability scanner for my home network by researching industry leading freeware/community/trial vulnerability management solutions. In particular the following vulnerability scanners will be considered:
- Tenable Nessus (Home Feed)
- Rapid7 NeXpose (Community Edition)
- SAINT
- eEye Retina
Playing with NeXpose and Metasploit
My thoughts on the Rapid7 acquisition of the Metasploit project (http://secanalysis.com/index.php/blog/1-blog/17-a-bit-of-perspective-on-the-acquisition-of-metasploit) aside, Rapid7 and HD Moore’s Metasploit team have been quick to produce an interesting integration between Rapid7’s NeXpose vulnerability scanner and the Metasploit exploitation framework. In particular, Metasploit is now capable of leveraging NeXpose’s vulnerability scanning engine to determine vulnerabilities that can be exploited via Metasploit modules. Better yet, this can all be done for FREE (as in beer) with NeXpose Community Edition, Rapid7’s recent free release of their Rapid7 Enterprise vulnerability scanning product. Granted, this scanning/exploitation capability can also be produced with a simple PERL program and the free Tenable Nessus scanning engine. Competitively, Core Impact has long been able to import LANguard, IP360, Nessus, QualysGuard and Retina scan results for automatic exploitation as well.
Personally though, when it comes to free products, I actually already prefer NeXpose Community Edition (CE) to the current version of Nessus. Although I must admit this preference is not grounded in any type of scientific comparison between the two products, but rather in a bit of lasting disdain for the Nessus product since Tenable closed the open-source project in 2006. In my humble opinion the open-source spinoff created in the gNessus project, now known as OpenVAS, may have kept the spirit of the Nessus project alive but failed to maintain a unified Nessus community, which seems to have resulted in less development and passion in the project itself. As for the Nessus product itself, I have found the free version a bit frustrating. Regardless, NeXpose CE is a viable alternative to any vulnerability scanning engine as long as a user doesn’t need to scan more than 24 IP addresses at a time (a product limitation). In any case, the integrated Metasploit and NeXpose capabilities tore apart the SecAnalysis vulnerability lab in no time at all…
Getting Started
In order to begin working with Metasploit and NeXpose within the SecAnalysis vulnerability lab, I first began by reading the Metasploit user’s guide for instructions on how to use the NeXpose plugin. I realize that a lot of folks don’t like to do the upfront reading, but as is normally the case, I strongly recommend it. The Metasploit user guide NeXpose instructions can be found here.
Once I got the instruction reading out of the way I got started. I turned up a few of the virtual machines I had handy. In particular I turned on the following:
- A vulnerable Windows 2000 machine with IIS 4.0 running
- A vulnerable Windows XP machine
- A patched Windows XP machine
- A vulnerable Windows 7 machine
- A vulnerable Windows 2003 machine
- A vulnerable Windows 2008 machine
- A FreeBSD machine with FreeNas
Quick Look: Paterva Mesh
Summary
Mesh is a simple but powerful browser plugin that parses websites for useful information such as E-mail addresses, phone numbers, and other information. I won’t sit here and tell you that Mesh by Paterva (same people as Maltego) is an end-all data reconnaissance tool; it’s not. However, the features of Mesh are nonetheless extremely useful.
Mesh parses sites for the following information:
- IP Address Discovery
- Netblock Discovery
- E-mail Address Discovery
- Phone Number Discovery
- Dates Discovery
While this may seem a touch remedial, consider that Mesh uses some of the same methodologies to see past obfuscation to pull information from websites as many spam crawlers do. For example, MontecilloM at SecAnalysis.com shows up without any user interaction in the E-mail list when Mesh is running. This can be very useful to anyone conducting recon or investigation work. (Especially because the information can be piped into Maltego for more in-depth searches)
Things I Like
I really enjoy the simplicity of Mesh. It is as simple as Ctrl + Shift + M and watch for results. Combining Mesh with a few Google hacking tricks for locating information can be extremely useful. Below I simply clicked Google Maps, which dumped a number of basic phone numbers.
Things I dislike
To be honest I sometimes found myself wishing that I could set Mesh up to do some automatic scanning. I guess that is really Maltego’s job; however, I have to note that it was something I wanted. I also found that I wanted to be able to save off particular bits and pieces of findings to a particular category. For example, if I was doing a search on “Jon Doe” and I found a phone number, I would like to save that to a specific location so that I could also add an E-mail address if I found it underneath “Jonathan Doe.”
Thoughts
As more and more information makes its way to the Internet in the form of personal information on social networks and the like, simple yet powerful data recognition tools such as Mesh become all the more important. Philosophical thoughts aside, Mesh is so simple to install and utilize that you should really just go download it and try it out.
Capabilities Analysis
When using a tool for any type of security capability it is important to understand the capabilities and limitations of those solutions. Thus, in order to determine what Mesh was capable and incapable of, I created a very simple test page that had some different ways of writing or obfuscating Email addresses, phone numbers, and IP addresses.
Figure 1: Mesh E-mail detection results
You’ll notice that there were a number of ways that Mesh saw beyond the minor obfuscation techniques, such as writing E-mail addresses in formats such as “Address at site.com.” Mesh also uses key words such as “Me at” or “Correspondence at” to detect when an E-mail address might be present. However, to my surprise Mesh did not detect the E-mail address housed simply in the html code via mailto:; also, Mesh did not detect the E-mail address using dashes.
As you will notice, the phone number detection is pretty straightforward; however, Mesh did not detect the international number. Finally, Mesh did a good job of detecting IP addresses but for some reason does not detect the simple CIDR notation as a netblock. See below in Figures 2 and 3.
Figure 2: Mesh with phone number formats
Figure 3: Mesh with IP address formats
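The obfuscation cases tried against Mesh above are easy to check against any extractor, including one’s own pages, with a short script. The following is an added example in Python (not Paterva’s Mesh code and not from the original post) that pulls E-mail addresses, phone numbers, IP addresses and netblocks out of a constructed test page, and it deliberately covers the cases the post found Mesh missed: a mailto: link, a dashed address, an international number and a CIDR netblock. The regular expressions, the corp.example page and the normalized output formats are this example’s assumptions.

```python
"""Extract contact and network details from a page, obfuscation included
(added example; the page, patterns and output format are assumptions).
"""
import html
import re

# Constructed test page in the spirit of the post's Figure 1-3 test cases.
SAMPLE_HTML = """
<h1>Contact us</h1>
<p>General enquiries: <a href="mailto:info@corp.example">e-mail us</a></p>
<p>Support at corp.example, press [at] corp [dot] example, or billing-team@corp.example</p>
<p>Phone: (555) 123-4567 or 555.987.6543; from abroad call +44 20 7946 0958</p>
<p>Hosts: 203.0.113.7 and 198.51.100.25 live in netblock 192.0.2.0/24</p>
<p>Last updated 2010-01-15, build 1.2.3 (neither is an address)</p>
"""

# "@", "[at]", "(at)" or the bare word "at"; "." , "[dot]", "(dot)" or "dot".
AT = r"(?:@|\s*\[\s*at\s*\]\s*|\s*\(\s*at\s*\)\s*|\s+at\s+)"
DOT = r"(?:\.|\s*\[\s*dot\s*\]\s*|\s*\(\s*dot\s*\)\s*|\s+dot\s+)"
EMAIL_RE = re.compile(
    r"\b([A-Za-z0-9._%+-]+)" + AT + r"([A-Za-z0-9-]+(?:" + DOT + r"[A-Za-z0-9-]+)+)\b",
    re.IGNORECASE,
)
MAILTO_RE = re.compile(r"mailto:([^\"'?\s>]+)", re.IGNORECASE)
# Either "+CC nn nnnn nnnn"-style international numbers or NANP-style ones.
PHONE_RE = re.compile(
    r"(?<![\d-])(?:\+\d{1,3}(?:[\s.-]?\d{2,4}){2,4}"
    r"|(?:\(\d{3}\)|\d{3})[\s.-]?\d{3}[\s.-]?\d{4})(?![\d-])"
)
IP_RE = re.compile(r"(?<![\d.])((?:\d{1,3}\.){3}\d{1,3})(/\d{1,2})?(?![\d.])")
TAG_RE = re.compile(r"<[^>]+>")


def _text(html_src):
    """Visible text: tags replaced by spaces, entities decoded."""
    return html.unescape(TAG_RE.sub(" ", html_src))


def _norm_domain(domain):
    """Turn 'corp [dot] example' into 'corp.example'."""
    return re.sub(DOT, ".", domain, flags=re.IGNORECASE).replace(" ", "").lower()


def extract_emails(html_src):
    # mailto: targets live in markup, so they are taken from the raw HTML.
    found = {m.group(1).lower() for m in MAILTO_RE.finditer(html_src)}
    for m in EMAIL_RE.finditer(_text(html_src)):
        found.add(m.group(1).lower() + "@" + _norm_domain(m.group(2)))
    return sorted(found)


def extract_phones(html_src):
    """Phone numbers as digit strings, keeping a leading '+' for international ones."""
    phones = []
    for m in PHONE_RE.finditer(_text(html_src)):
        raw = m.group(0)
        phones.append(("+" if raw.startswith("+") else "") + re.sub(r"\D", "", raw))
    return phones


def _valid_ip(ip):
    return all(0 <= int(octet) <= 255 for octet in ip.split("."))


def extract_ips(html_src):
    """Return (single IPs, CIDR netblocks); a CIDR is reported as a netblock only."""
    ips, netblocks = [], []
    for m in IP_RE.finditer(_text(html_src)):
        ip, cidr = m.group(1), m.group(2)
        if not _valid_ip(ip):
            continue  # e.g. 555.987.6543 would never get here, but 999.1.1.1 would
        (netblocks if cidr else ips).append(ip + (cidr or ""))
    return ips, netblocks


def extract(html_src):
    ips, netblocks = extract_ips(html_src)
    return {
        "emails": extract_emails(html_src),
        "phones": extract_phones(html_src),
        "ips": ips,
        "netblocks": netblocks,
    }


if __name__ == "__main__":
    for kind, values in extract(SAMPLE_HTML).items():
        print(kind, values)
```

Point it at a saved copy of your own site to see what a crawler using these heuristics would harvest; the author’s list of what Mesh missed (mailto:, dashes, international numbers, CIDR) is a good checklist for extending the patterns further.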
Check It Out
Check out Mesh by downloading it free at http://www.paterva.com/web4/index.php/client/mesh
A Brief Analysis of Shodan
What Is Shodan
Shodan (http://shodan.surtri.com) is an engine that searches a database of banners and headers recovered from scans conducted over port 21/TCP, 22/TCP, 23/TCP, and 80/TCP. In many ways utilizing the Shodan engine is much like a more reconnaissance specific Google Hacking engine. On the one hand the Shodan engine does not produce sensitive data that a search engine such as Google might produce (password files, spreadsheets, etc.). On the other hand, conducting reconnaissance activities on Shodan can be far more efficient than similar attempts utilizing other search engines to try to find system information.
The reason for this primarily pertains to the fact that Shodan specifically produces IP addresses/hostnames, header information, and banner grabs. Thus, Shodan is a highly functional tool for finding victims for targeted attacks with fewer false positives. Furthermore, Shodan produces information that typically is not published on a site that would be indexed within a search engine like Google.
What Does This Mean?
These capabilities have several significant implications. Most notably this shifts a great deal of system-level reconnaissance to be more passive in nature. In other words, attackers can view the results of reconnaissance such as a banner grab, without actually touching a system to get that information (Shodan already hit the system). This allows attackers to passively:
1. Conduct vulnerability assessments without alerting a potential target in any way.
2. Determine victims for a specific exploit.
What Is The Impact On Defense?
For security monitoring teams, Shodan may present some serious challenges. It is highly unlikely that security monitoring teams will ever be alerted to an attack that is using Shodan for reconnaissance. This is again due to the fact that it will not touch their systems. Instead, security monitors can expect attacks that utilize Shodan for reconnaissance to trigger fewer alarms. This means that there may be no alerts before an attempted exploit against a vulnerable system, whereas common alerts may previously have included network or vulnerability scans or banner grabbing attempts.
In addition, hack attempts that try to find vulnerable systems by attempting to exploit a multitude of non-vulnerable targets will also be less prevalent in an attack utilizing Shodan for reconnaissance. To clarify, these attacks can be viewed much like a person who has found a key to an apartment. This person may try every single apartment within the complex in order to find the doors where the key works. The result of this type of attack is typically a large number of alerts in an IPS. However, if Shodan is utilized for reconnaissance, the attacks will become more targeted and therefore will trigger fewer alerts.
Potential Prevention Techniques
Unfortunately, there is not a simple way to prevent an organization from showing up in the Shodan database. Although the Shodan scan engine is likely custom written (based on the developer’s biographic information), the scans will likely trigger events similar to any other reconnaissance scan. It may be possible to isolate future Shodan scans as they are likely to come out of the San Diego area, possibly from an ISP such as Cox Communications (again based on the developer’s biographic information). Unfortunately, this would likely require trending and analysis beyond what I currently have access to.
Shodan Usage
Shodan works much like any other search engine, however one can specifically target systems via a number of methods. This syntax even includes a switch that allows a user to specify geographic location by country. (May be good for future Cyberwar)
Syntax Options:
- + (equivalent to an AND operation)
- - (equivalent to a NOT operation)
- * (wildcard)
- country:
- hostname:
- ports: (limited to 21/TCP,22/TCP,23/TCP, and 80/TCP)
- net: (in CIDR notation)
- Note: Shodan only produces 100 results for free
A Brief Analysis of Shodan
Shodan (http://shodan.surtri.com) is an engine that searches a database of banners and headers recovered from scans conducted over port 21/TCP, 22/TCP, 23/TCP, and 80/TCP. In many ways utilizing the Shodan engine is much like a more reconnaissance specific Google Hacking engine. On the one hand the Shodan engine does not produce sensitive data that a search engine such as Google might produce (password files, spreadsheets, etc.). On the other hand, conducting reconnaissance activities on Shodan can be far more efficient than similar attempts utilizing other search engines to try to find system information.
The reason for this primarily pertains to the fact that Shodan specifically produces IP addresses/hostnames, header information, and banner grabs. Thus, Shodan is a highly functional tool for finding victims for targeted attacks with less false-positives. Furthermore, Shodan produces information that typically is not published on a site that would be indexed within a search engine like Google.
What Does This Mean?
These capabilities have several significant implications. Most notably this shifts a great deal of system-level reconnaissance to be more passive in nature. In other words, attackers can view the results of reconnaissance such as a banner grab, without actually touching a system to get that information (Shodan already hit the system). This allows attackers to passively:
1. Conduct vulnerability assessments without alerting a potential target in anyway.
2. Determine victims for a specific exploit.
What Is The Impact On Defense?
For security monitoring teams, Shodan may present some serious challenges. It is highly unlikely that security monitoring teams will ever be alerted to an attack that is using Shodan. This is again due to the fact that it will not touch their systems. Instead security monitors can expect to see attacks utilizing Shodan for reconnaissance to trigger less alarms. This means that there may be no alerts before an attempted exploit against a vulnerable system. Common alerts may have previously included network or vulnerability scans or banner grabbing attempts.
In addition, hack attempts that attempt to find vulnerable systems by trying to exploit a multitude of non-vulnerable targets will also be less prevalent in an attack utilizing Shodan for reconnaissance. To clarify these attacks can be viewed much like an person who has found a key to an apartment. This person may try every single apartment within the complex in order to find the doors where the key works. The result in this type of attack is typically a large number of alerts in an IPS. However, if Shodan is utilized for reconnaissance, the attacks will become more targeted and therefore will trigger less alerts.
Potential Prevention Techniques
Unfortunately, there is not a simple way to prevent an organization from showing up in the Shodan database. Although the Shodan scan engine is likely custom written (based on the developers biographic information), the scans will likely trigger similar events to any other reconnaissance scan. It may be possible to isolate future Shodan scans as they are likely to come out of the San Diego area, possibly from an ISP such as Cox Communications (again based on the developers biographic information). Unfortunately, this would likely require trending and analysis beyond what I currently have access to.
Shodan Usage
Shodan works much like any other search engine, however one can specifically target systems via a number of methods. This syntax even includes a switch that allows a user to specify geographic location by country. (May be good for future Cyberwar)
Syntax Options:
- + (equivalent to an AND operation)
- - (equivalent to a NOT operation)
- * (wildcard)
- country:
- hostname:
- port: (limited to 21/TCP, 22/TCP, 23/TCP, and 80/TCP)
- net: (in CIDR notation)
Note: Shodan only returns 100 results to free users.
Interesting Shodan Searches
Here are a few searches that I tried that produced interesting results. For ideas on devices, vendors, and models, see the Phenoelit default password list.
WebServer Detection
1. IIS+2.0
2. IIS+3.0
3. IIS+4.0
4. IIS+5.0
5. IIS+6.0
6. Websphere+4.0
7. Websphere+5.0
8. Websphere+6.0
9. "Oracle HTTP Server"
10. Jrun
11. RaidenHTTPd
12. "IBM HTTP"
13. Tru64
14. iCern
15. Lotus-Domino + 1.0
16. Apache (tons of versions with this, too many to list)
17. Windweb
CMS Detection
1. Joomla
2. Drupal
3. WordPress
4. Typo3
Network Device Detection
1. Linksys
   1. Linksys+wrt54g
   2. Linksys+wap54g
   3. Linksys+BEFDSR41w
   4. Linksys+BEFSX41
   5. Linksys+wap200
   6. Linksys+CIT400 (This is a telephony kit…interesting)
   7. Linksys+RVS4000
   8. Linksys+WET54G
   9. Linksys+WAG54GX2
   10. Linksys+WAG54GS
2. Netgear
   1. Netgear+DG834
   2. Netgear+PS121v2
   3. Netgear+WGR614v9
   4. Netgear+WAG302v2
   5. Netgear+DG834PN
3. Cisco
   1. Cisco+RV082
   2. Cisco+CSS
   3. Cisco+PIX
   4. Cisco+VPN
   5. Cisco+Server
4. Fuji+Xerox
5. JetDirect
Other
1. Xerver
2. port:23+ list+of+built-in+commands
3. port:80+iisstart.html
4. Server: SQ-WEBCAM
5. "Anonymous+access+allowed"
6. Golden+FTP+Server
7. "Server:+iWeb"+HTTP
8. passwd
9. passwd+user+vname
10. deleted
Analysis of an Obfuscated iFrame
Introduction
Obfuscated iframe injections are wildly out of control in the IT world today. Legitimate enterprise websites and personal websites alike are unknowingly hosting these attacks. The attack simply redirects users to a third-party website hosting an exploit and, more often than not, a piece of malware. I have been given unconfirmed reports that malware writers earn $1.50 for every system they deliver this malware to, which means that people are more than willing to deliver the attacks. In this research report we will look at a piece of obfuscated JavaScript in order to understand how attackers are hiding their activity on legitimate websites.
Below is a real iframe attack found on an exploited website.

Simple Analysis
It is rare to find the attack in such readable form. In fact it is usually all on a single line; I simply broke it out into a more readable format. In some cases the code is easy to find because it is by far the longest line in the page. Regardless, here is the simple flow of the code:
1. Initialize variables k1, k2, t1, t2, and h.
2. Deobfuscate k1 and k2.
3. Write h to the user.
Resulting deobfuscated code (note that the frame is set to be virtually invisible, 1×1 pixel):

Indepth Analysis
Variable Initialization
Let's take a look at what's happening here. First we have two hideous, large JavaScript string variables called "k1" and "k2". These variables contain obfuscated strings (I know, tough to believe). Next we have two integer variables, t1 and t2, both initialized to zero; these are dumb counters meant to drive the while loops later in the code. Finally we have a string variable "h", initialized to NULL. h is the end variable that combines "behgczzazbzc" with the decoded k1 and k2 variables; this provides the actual attack.
While Loops
The while loops are relatively unimportant: they merely deobfuscate the k1 and k2 variables and append the deobfuscated data to the h string. To do this the attacker uses two built-in JavaScript facilities, the String.fromCharCode() function and the charCodeAt() method of the k1 and k2 strings.
String.fromCharCode() returns the character corresponding to the numeric code passed to it (for codes 0-255 this is the ISO-Latin-1 position), e.g. String.fromCharCode(65) = "A".
A reference sheet for ISO-Latin-1 characters and their numeric positions can be viewed here.
To get the proper code to pass to String.fromCharCode(), the attack code first converts the current character into its numeric code using the string method charCodeAt(). The while loops add a small complication by shifting that character code by -3 and -2.
Adding To the String
In the attack code, between the two while loops, a short plain string appends the domain to the decoded attack. There is no way to tell that this is the domain until the code is deobfuscated. It is kept separate so the attacker can quickly change the attack's domain while preserving the rest of the payload.
Putting it All Together
The attack code finishes by writing h to the page with the document.write() function. This is important to recognize: by the time the string reaches that call it is fully deobfuscated, so an analyst can simply replace the call with something harmless to see what the code actually hides. For example, instead of document.write(h) one could use alert(h), or reassign document.write to a function that stores its argument for inspection.
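The following is an added example, not code from the original post or the attack itself. It reconstructs the decoding pattern described in the while-loop and document.write sections above (walk an obfuscated string with charCodeAt(), subtract a fixed offset, rebuild it with String.fromCharCode(), splice the domain in between the two decoded halves, then hand the result to document.write()) and shows the analyst's trick of swapping document.write for a capturing stand-in. The sample strings, the assignment of the -3 offset to k1 and -2 to k2, and the domain example.invalid are constructed for this example; they are not the real k1/k2.

```javascript
// Added example (not the page's or the attacker's code). Offsets 3/2 and all
// sample strings are assumptions made for illustration.

// Decode one obfuscated string by shifting every code unit back by `shift`.
// This is the work each of the two while loops in the attack code performs.
function decodeShift(obf, shift) {
  let h = "";
  let t = 0;
  while (t < obf.length) {
    h += String.fromCharCode(obf.charCodeAt(t) - shift);
    t++;
  }
  return h;
}

// Inverse of decodeShift, used only to build the constructed sample input.
function encodeShift(plain, shift) {
  let out = "";
  for (let i = 0; i < plain.length; i++) {
    out += String.fromCharCode(plain.charCodeAt(i) + shift);
  }
  return out;
}

// Stand-in for document: instead of rendering the markup (and loading the
// hidden iframe), write() records it so the analyst can read what was decoded.
function makeCaptureDocument() {
  const writes = [];
  return { write(s) { writes.push(String(s)); }, writes };
}

// Mirrors the structure of the attack code: decode k1, append the domain that
// sits in clear between the loops, decode k2, then write h to the "document".
function deobfuscate(k1, k2, domain, doc) {
  let h = "";
  h += decodeShift(k1, 3);   // assumption: k1 was shifted by +3
  h += domain;               // plain-text domain between the two loops
  h += decodeShift(k2, 2);   // assumption: k2 was shifted by +2
  doc.write(h);
  return h;
}

// Pull the iframe target out of the decoded markup so it can be looked up or blocked.
function extractIframeSrc(html) {
  const m = /<iframe\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/i.exec(html);
  return m ? m[1] : null;
}

// Constructed sample input (NOT the real attack strings).
const SAMPLE_DOMAIN = "example.invalid";
const SAMPLE_K1 = encodeShift('<iframe src="http://', 3);
const SAMPLE_K2 = encodeShift('/" width="1" height="1" style="visibility:hidden"></iframe>', 2);

// Run it: h is decoded and captured instead of being written into a real page.
const doc = makeCaptureDocument();
const decoded = deobfuscate(SAMPLE_K1, SAMPLE_K2, SAMPLE_DOMAIN, doc);
console.log(decoded);
console.log("iframe target:", extractIframeSrc(decoded));
```

The capture object is the important part: the attack's own code is left untouched, only the sink is replaced, so whatever the loops produce is recorded rather than executed. Any other sink the sample might use (eval, innerHTML, appendChild) can be stubbed the same way.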
Detecting/Defending Against These Attacks
Anti-virus/Anti-malware
Some anti-virus and anti-malware products flag these attacks and stop them from affecting end users. Unfortunately, testing suggests that very few are actually capable of detecting them. I rolled this attack into an HTML file and submitted it to VirusTotal, where 41 anti-virus/anti-malware scanners assessed the file. Of those 41 scanners, only three detected that there was an issue.
Browser Protection Software:
- Trusteer Browser Protection Software
- Kace Browser Protection Software
- HP/Symantec/Mozilla Browser Sandboxing Software
- Various Virtual Browser Sandboxing Solutions
Content Filtering Technology
Content filtering technology could help in two ways. First, it could detect the injected code on the page and proactively categorize the page so that the victim never receives the attack code. Second, if the attack code is delivered to the victim anyway, the content filtering system could still prevent the victim from reaching the malicious website hosting the exploit and malware.
Example Content Filtering System Software:
- BlueCoat WebFilter
- WebSense WebFilter
- ScanSafe WebFilter/Malware Scanner
- Many others
IPS Technology
Intrusion prevention systems can block the exploit before it reaches the victim. Unfortunately, in many cases the signature matches the specific exploit rather than the underlying vulnerability, which means the exploit can be altered to bypass the IPS fairly easily by changing its signature and/or behavior. Finely tuned, sophisticated IPSs have fewer problems with this.
Example IPS:
- Sourcefire SNORT
- IBM Internet Security Systems Proventia
- McAfee Network Security Platform (formerly Intrushield IPS)
- TippingPoint Digital Vaccine
- Many others

