
Qualys Delivers Free Website Malware Scanning

Jul 16, 2010   //   by SecAdmin   //   Assessment, Research

It is difficult to dispute that legitimate websites serving malware have become a serious issue for security professionals. Whether scanning websites specifically for malware infections is profitable, on the other hand, is arguable. Yet whether you see website malware scanning as an emerging business or as a marketing gimmick, the fact that services are pushing the capability is undeniable. The recent announcement of free website malware scanning by Qualys, a leader in vulnerability management, further exemplifies the importance of the capability while raising questions about where it fits within the marketplace.

Despite being much needed, website malware scanning capabilities have not yet found a niche within the marketplace. The move by Qualys may further ensure that website malware scanning never finds a lucrative arena within the market. This will not negatively affect Qualys revenue, which is more closely tied to compliance and vulnerability management offerings, but it could be an early signal of difficult waters for vendors such as Dasient whose revenue models are more directly tied to malware scanning capabilities. On the other hand, this may be the break that companies such as Dasient have been waiting for.

Although Qualys offers website malware scanning as a free utility, the capability is meant to be integrated within a more comprehensive service known as Qualys GO SECURE, which includes network perimeter vulnerability scanning, SSL certificate validation, and web application vulnerability scanning alongside malware detection. Although these capabilities are great for identifying website malware related issues, they do little to fix the problem. This is where models such as those held by Dasient are more applicable. While Dasient holds website malware scanning capabilities, those capabilities are used to drive products and services that do something when malware is found. Additionally, companies such as Armorize who, like Qualys, leverage website malware scanning to move other products also stand to benefit from technologies that complement Qualys’ offering.

Qualys’ marketing efforts may shed some much needed light on the issues surrounding websites affected by malware and drive-by infections. The increased market recognition should in turn drive new business for growing companies, or at least that is what those hoping the constant bombardment of infected websites may someday subside would like to think. Time will tell, but for the industry’s sake and for the unknowing user’s sake, let’s hope that Qualys’ entrance into the website malware scanning arena is a large step towards safer browsing.

Metasploit Express Thoughts

Mar 16, 2010   //   by SecAdmin   //   Assessment

Initial Metasploit Express Thoughts

On April 22, Rapid7, a leader in vulnerability management and the recent acquirer of Metasploit LLC, announced the release of a commercial Metasploit product labeled “Metasploit Express.” The commercial release of the once entirely open source exploit framework signifies both an advance in the legitimacy of exploitation frameworks and a growing need within the marketplace for exploitation assistance solutions. Of course, neither of these positive signals will ease the queasy feeling that most Metasploit framework evangelists will have about the release of a commercial offering. Nor is it likely that the release will do much good for the exploitation framework market or have a major impact on the vulnerability management market.

The Product

Not much is known about Metasploit Express from a product standpoint, as the beta release (which SecAnalysis writers are signed up for) has not gone live yet. Supposedly Metasploit Express is essentially the same product as the well-known open source Metasploit Framework with a few basic exceptions. Most notably, the commercial offering now has a “full graphical user interface” and is supported by Rapid7’s customer support staff. In addition, Metasploit Express also boasts automated exploits and exploitation of common insecure configurations (notably insecure username and password configurations).

Market Impact

From a market perspective there is not a lot of good that comes from the commercial release of Metasploit Express. The exploitation framework market is already relatively small, so the commercial entrance of a major player like Metasploit makes it even more difficult for companies like the current leaders, CORE Security and Immunity, to generate business. Although the business models of the two reigning leaders are strong enough to be resilient against a more saturated market, it is not unlikely that both companies will be forced to reduce some investment in research and/or product improvements. This is particularly unfortunate, as both companies have made large strides in creating more effective and enterprise-ready products in recent years.

Many will no doubt argue that offering Metasploit commercially will shed some much needed light on the exploitation framework market. That message may be easy to push; however, it is difficult to justify. If anything, the entrance of Metasploit into the commercial realm confuses the market. Integrations such as the one boasted by CORE IMPACT (which now integrates Metasploit exploits into the IMPACT framework) become a touch more interesting. The licensing model leveraged by the open source Metasploit Framework is currently very flexible; however, what happens if no one is buying Metasploit Express because CORE offers essentially the same thing in their integrated IMPACT product (with several competitive differentiators)? Furthermore, what will happen if Rapid7 determines that they could increase revenue by cutting into CORE’s current market share? How will the Metasploit licensing change? How will CORE cope with the new market competition? These questions will most likely pan out with the natural progression of the market.

Of course, the impact on the exploitation market is less of a concern to Rapid7 than the vulnerability management market, where Rapid7 is focused. Unfortunately, however, the impact on the vulnerability management market is minimal at best. The vulnerability management market is still primarily predicated on compliance and not on security. Thus, the addition of an easy to use penetration testing capability does little to make Rapid7’s current offerings any more attractive. Furthermore, Metasploit Express does little to differentiate Rapid7 from vulnerability management market competitors, especially considering that most of the market players already have integrations with penetration testing tools. In addition, there is little that a commercial Metasploit version adds in terms of marketability of the Rapid7 name. The acquisition of Metasploit may have granted Rapid7 some much needed publicity; however, the commercial release of a Metasploit version does little to that end. If anything, the commercial release raises questions about Rapid7’s intent, which is not necessarily positive publicity.

There is one major positive for Rapid7 however, and it comes from the perspective of investors. Over the past few years Rapid7 has shown growth through innovation and business tactics. Adding a commercial capability for the Metasploit Framework will show investors the potential for further growth in revenue with minimal investment (as much of the necessary development has already been done by the community for Metasploit Express). Thus, it is not unlikely that Rapid7 will be able to capitalize on investor interest in their company to create further growth (if Rapid7 is interested of course).

Thoughts

The new features boasted in Metasploit Express all seem relevant, although it is unclear what is not “full” about the current graphical user interface (GUI) leveraged by the open source Metasploit Framework. Also, automation largely already exists in the autopwn capabilities boasted by the open source Metasploit Framework. This raises the question: what is really the difference?

It would seem as though the development is more focused on ease of use than anything. However, shouldn’t this have been the focus of the open source version as well? It is the opinion of SecAnalysis that “ease of use” as a competitive differentiator between a commercial offering and an open source solution is rarely a good thing. In such a scenario the vendor benefits from the open source project being clunky, broken, and unusable. Many may argue that this will not be the case with the Metasploit Framework; however, this does raise the question, “If Metasploit Express advancements are making the Metasploit Framework capabilities easier to use, where is the incentive for the open source project to move in the same direction?”

HD Moore and team are well overdue for getting paid for the excellent work they have done on the open source Metasploit Framework. They represent one of the most influential, and yet humble and easy to work with, teams within the security industry. There is no question that any profit HD and team gain is well earned. The questions lie in the purpose of releasing a commercial Metasploit offering. Visionaries and pioneers within the security industry, especially in the realm of exploitation frameworks, people like HD Moore as well as David and Justine Aitel (of Immunity), have earned their place amongst the leaders in the security industry. Up until this point there has been a relative balance between all of the much needed market players in exploitation frameworks. This is largely due to the vision that HD Moore had for his Metasploit Framework. As the exploitation framework market continues to evolve, one can only hope that HD Moore has found the components to realize his vision and that Rapid7 is not defining (if not destroying) that vision to push their business agenda…

Playing with NeXpose and Metasploit

Feb 16, 2010   //   by SecAdmin   //   Assessment, Research

My thoughts on the Rapid7 acquisition of the Metasploit project (http://secanalysis.com/index.php/blog/1-blog/17-a-bit-of-perspective-on-the-acquisition-of-metasploit) aside, Rapid7 and HD Moore’s Metasploit team have been quick to produce an interesting integration between Rapid7’s NeXpose vulnerability scanner and the Metasploit exploitation framework. In particular, Metasploit is now capable of leveraging NeXpose’s vulnerability scanning engine to determine which vulnerabilities can be exploited via Metasploit modules. Better yet, this can all be done for FREE (as in beer) with NeXpose Community Edition, Rapid7’s recent free release of their Rapid7 Enterprise vulnerability scanning product. Granted, this scanning/exploitation capability can also be produced with a simple Perl program and the free Tenable Nessus scanning engine. Competitively, Core Impact has long been able to import LANguard, IP360, Nessus, QualysGuard and Retina scan results for automatic exploitation as well.

Personally though, when it comes to free products, I already prefer NeXpose Community Edition (CE) to the current version of Nessus. I must admit this preference is not grounded in any type of scientific comparison between the two products, but rather in a bit of lasting disdain for the Nessus product since Tenable closed the open-source project in 2006. In my humble opinion, the open-source spinoff created in the GNessUs project, now known as OpenVAS, may have kept the spirit of the Nessus project alive but failed to maintain a unified Nessus community, which seems to have resulted in less development and passion in the project itself. As for the Nessus product itself, I have found the free version a bit frustrating. Regardless, NeXpose CE is a viable alternative to any vulnerability scanning engine as long as a user doesn’t need to scan more than 24 IP addresses at a time (a product limitation). Either way, the integrated Metasploit and NeXpose capabilities tore apart the SecAnalysis vulnerability lab in no time at all…

Getting Started

In order to begin working with Metasploit and NeXpose within the SecAnalysis vulnerability lab, I first began by reading the Metasploit user’s guide for instructions on how to use the NeXpose plugin. I realize that a lot of folks don’t like to do the upfront reading but, as is normally the case, I strongly recommend it. The NeXpose instructions in the Metasploit user guide can be found here.

Once I got the instruction reading out of the way, I got started. I turned up a few of the virtual machines I had handy. In particular I turned on the following:

  1. A vulnerable Windows 2000 machine with IIS 4.0 running
  2. A vulnerable Windows XP machine
  3. A patched Windows XP machine
  4. A vulnerable Windows 7 machine
  5. A vulnerable Windows 2003 machine
  6. A vulnerable Windows 2008 machine
  7. A FreeBSD machine with FreeNAS

In the end, there were 4 sessions produced. The entire scan took a total of about 35 minutes. All in all, it was what was to be expected: a quality scanning engine with a quality exploitation framework. Kudos to the folks over at Rapid7/Metasploit.

Figure: Hacking Made Easy Way With NeXpose and Metasploit

Quick Look: Paterva Mesh

Feb 16, 2010   //   by SecAdmin   //   Assessment, Research

Summary

Mesh is a simple but powerful browser plugin that parses websites for useful information such as E-mail addresses, phone numbers, and other data. I won’t sit here and tell you that Mesh by Paterva (the same people as Maltego) is an end-all data reconnaissance tool; it’s not. However, the features of Mesh are nonetheless extremely useful.

Mesh parses sites for the following information:

  1. IP Address Discovery
  2. Netblock Discovery
  3. E-mail Address Discovery
  4. Phone Number Discovery
  5. Dates Discovery

While this may seem a touch remedial, consider that Mesh uses some of the same methods that spam crawlers use to see past obfuscation and pull information from websites. For example, MontecilloM at SecAnalysis.com shows up in the E-mail list without any user interaction when Mesh is running. This can be very useful to anyone conducting recon or investigation work (especially because the information can be piped into Maltego for more in-depth searches).

Things I Like

I really enjoy the simplicity of Mesh. It is as simple as Ctrl + Shift + M and watching for results. Combining Mesh with a few Google hacking tricks for locating information can be extremely useful. Below I simply clicked Google Maps, which dumped a number of basic phone numbers.

Things I dislike

To be honest, I sometimes found myself wishing that I could set Mesh up to do some automatic scanning. I guess that is really Maltego’s job; however, I have to note that it was something I wanted. I also found that I wanted to be able to save particular bits and pieces of findings to a particular category. For example, if I was doing a search on “Jon Doe” and I found a phone number, I would like to save that to a specific location so that I could also add an E-mail address if I found it under “Jonathan Doe.”

Thoughts

As more and more information makes its way to the Internet in the form of personal information on social networks and the like, simple yet powerful data recognition tools such as Mesh become all the more important. Philosophical thoughts aside, Mesh is so simple to install and use that you should really just go download it and try it out.

Capabilities Analysis

When using a tool for any type of security capability, it is important to understand the capabilities and limitations of that solution. Thus, in order to determine what Mesh was and was not capable of, I created a very simple test page with several different ways of writing or obfuscating E-mail addresses, phone numbers, and IP addresses.

Figure 1: Mesh E-mail detection results

You’ll notice that there were a number of ways in which Mesh saw beyond minor obfuscation techniques, such as E-mail addresses written in formats like “Address at site.com.” Mesh also uses key words such as “Me at” or “Correspondence at” to detect when an E-mail address might be present. However, to my surprise, Mesh did not detect the E-mail address housed simply in the HTML code via mailto:, and Mesh also did not detect the E-mail address written using dashes.

As you will notice, the phone number detection is pretty straightforward; however, Mesh did not detect the international number. Finally, Mesh did a good job of detecting IP addresses but for some reason does not detect simple CIDR notation as a netblock. See Figures 2 and 3 below.

Figure 2: Mesh with phone number formats

Figure 3: Mesh with IP address formats
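The test page described above, turned into an added example that is not Paterva’s code: a small Python auditor you can point at your own pages to see which contact details a crawler like Mesh (or a spam bot) would pull out. It covers the formats the article tested and the ones it says Mesh missed (mailto: links, dash-obfuscated addresses, international numbers, CIDR netblocks); the sample page, the regular expressions and the normalisation rules are my own constructions, not Mesh’s.

```python
"""Audit a page for the contact data a crawler like Mesh would harvest.

Added example, not Paterva's code. It handles the formats the article tested
(plain, "user at site.com", bracketed [at]/[dot], addresses after keywords like
"Me at") and the cases the article says Mesh missed: mailto: links, dash-
obfuscated addresses, international phone numbers and CIDR netblocks. The
regular expressions and the test page below are my own constructions.
"""
import ipaddress
import re
from html import unescape
from urllib.parse import unquote

# Constructed test page modelled on the one described in the article.
TEST_PAGE = """
<p>Contact: alice@example.com or Me at bob at example.org</p>
<p>Correspondence at carol [at] example [dot] net</p>
<a href="mailto:dave%40example.com?subject=hi">write to Dave</a>
<p>erin-at-example-dot-com and grace&#64;example.com</p>
<p>Call 555-123-4567 or (555) 987-6543, intl +44 20 7946 0958</p>
<p>Hosts: 192.0.2.10, 198.51.100.0/24 and 203.0.113.5</p>
"""

AT = r"(?:\s+at\s+|\s*[\[(]\s*at\s*[\])]\s*)"          # " at ", "[at]", "(at)"
DOT = r"(?:\s+dot\s+|\s*[\[(]\s*dot\s*[\])]\s*|\.)"    # " dot ", "[dot]", "."
PLAIN = re.compile(r"\b([A-Za-z0-9._%+-]+)@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)\b")
SPELLED = re.compile(rf"\b([A-Za-z0-9._%+-]+){AT}([A-Za-z0-9-]+(?:{DOT}[A-Za-z0-9-]+)+)", re.I)
DASHED = re.compile(r"\b([A-Za-z0-9._%+]+)-at-([A-Za-z0-9]+(?:-dot-[A-Za-z0-9]+)+)\b", re.I)
MAILTO = re.compile(r"""mailto:([^"'?>\s]+)""", re.I)
PHONE = re.compile(r"(?<![\w/.])(?:\+\d{1,3}[\s.-]?)?(?:\(\d{2,4}\)|\d{2,4})[\s.-]?\d{3,4}[\s.-]?\d{3,4}\b")
IPV4 = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(/\d{1,2})?(?![\w.])")


def _normalise_domain(domain: str) -> str:
    """Turn 'example [dot] net' or 'example-dot-com' into 'example.net' / 'example.com'."""
    domain = re.sub(r"\s*(?:[\[(]\s*dot\s*[\])]|-dot-|\bdot\b)\s*", ".", domain, flags=re.I)
    return re.sub(r"\s+", "", domain).lower()


def harvest(page: str) -> dict:
    """Return the e-mails, phones, IPs and netblocks exposed in raw HTML."""
    text = unescape(page)                      # decodes &#64;-style entity obfuscation
    emails = set()
    for pattern in (PLAIN, SPELLED, DASHED):
        for local, domain in pattern.findall(text):
            emails.add(f"{local.lower()}@{_normalise_domain(domain)}")
    for target in MAILTO.findall(text):        # href only, no visible text: the case Mesh missed
        target = unquote(target)               # mailto:dave%40example.com -> dave@example.com
        if PLAIN.fullmatch(target):
            emails.add(target.lower())
    phones = {re.sub(r"\s+", " ", m.group()) for m in PHONE.finditer(text)}
    ips, netblocks = set(), set()
    for addr, prefix in IPV4.findall(text):
        try:
            if prefix:                         # CIDR notation is a netblock, not a host
                netblocks.add(str(ipaddress.ip_network(addr + prefix, strict=False)))
            else:
                ips.add(str(ipaddress.ip_address(addr)))
        except ValueError:                     # octet above 255 or an invalid prefix
            continue
    return {"emails": sorted(emails), "phones": sorted(phones),
            "ips": sorted(ips), "netblocks": sorted(netblocks)}


if __name__ == "__main__":
    for kind, found in harvest(TEST_PAGE).items():
        print(f"{kind}: {found}")
```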

Check It Out

Check out Mesh by downloading it free at http://www.paterva.com/web4/index.php/client/mesh

A Brief Analysis of Shodan

Jan 16, 2010   //   by SecAdmin   //   Assessment, Research

Shodan (http://shodan.surtri.com) is an engine that searches a database of banners and headers recovered from scans conducted over port 21/TCP, 22/TCP, 23/TCP, and 80/TCP. In many ways utilizing the Shodan engine is much like a more reconnaissance specific Google Hacking engine. On the one hand the Shodan engine does not produce sensitive data that a search engine such as Google might produce (password files, spreadsheets, etc.). On the other hand, conducting reconnaissance activities on Shodan can be far more efficient than similar attempts utilizing other search engines to try to find system information.

This is primarily because Shodan specifically produces IP addresses/hostnames, header information, and banner grabs. Thus, Shodan is a highly functional tool for finding victims for targeted attacks with fewer false positives. Furthermore, Shodan produces information that typically is not published on a site that would be indexed by a search engine like Google.

What Does This Mean?

These capabilities have several significant implications. Most notably, this shifts a great deal of system-level reconnaissance to be more passive in nature. In other words, attackers can view the results of reconnaissance, such as a banner grab, without actually touching a system to get that information (Shodan already hit the system). This allows attackers to passively:

  1. Conduct vulnerability assessments without alerting a potential target in any way.
  2. Determine victims for a specific exploit.

What Is The Impact On Defense?

For security monitoring teams, Shodan may present some serious challenges. It is highly unlikely that security monitoring teams will ever be alerted to an attacker using Shodan, again because it will not touch their systems. Instead, security monitors can expect attacks that use Shodan for reconnaissance to trigger fewer alarms. This means that there may be no alerts before an attempted exploit against a vulnerable system, whereas common alerts previously included network or vulnerability scans or banner grabbing attempts.

In addition, hack attempts that try to find vulnerable systems by attempting to exploit a multitude of non-vulnerable targets will also be less prevalent in an attack using Shodan for reconnaissance. To clarify, these attacks can be viewed much like a person who has found a key to an apartment: this person may try every single apartment within the complex in order to find the doors where the key works. The result of this type of attack is typically a large number of alerts in an IPS. However, if Shodan is used for reconnaissance, the attacks become more targeted and therefore trigger fewer alerts.

Potential Prevention Techniques

Unfortunately, there is not a simple way to prevent an organization from showing up in the Shodan database. Although the Shodan scan engine is likely custom written (based on the developer’s biographical information), the scans will likely trigger similar events to any other reconnaissance scan. It may be possible to isolate future Shodan scans as they are likely to come out of the San Diego area, possibly from an ISP such as Cox Communications (again based on the developer’s biographical information). Unfortunately, this would likely require trending and analysis beyond what I currently have access to.
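To make the detection point concrete, here is an added example (not part of the original post) of the kind of trending the paragraph above calls for: a rule over connection logs that flags a source opening single connections on the Shodan port set (21/22/23/80) to many distinct hosts in a short window, while leaving an admin workstation and a classic single-target port scan alone. The log format, the thresholds and the addresses are constructed for the example.

```python
"""Flag banner-grabbing sweeps of the Shodan port set in connection logs.

Added example, not part of the original post. The article notes that
Shodan only touches 21/22/23/80 and that its scans look like any other
recon scan, so this rule looks for one source opening single connections
on those ports to many distinct hosts inside a time window. The log
format ("time src dst dport"), thresholds and addresses are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BANNER_PORTS = {21, 22, 23, 80}   # the four services the article says Shodan indexes

# Constructed firewall log: one sweeping source (198.51.100.7), one admin
# workstation (203.0.113.9) and one single-target port scanner (203.0.113.44).
LOG = """\
2010-01-16T10:00:01 198.51.100.7 192.0.2.10 80
2010-01-16T10:00:02 198.51.100.7 192.0.2.11 22
2010-01-16T10:00:04 198.51.100.7 192.0.2.12 23
2010-01-16T10:00:05 203.0.113.9 192.0.2.10 22
2010-01-16T10:00:07 198.51.100.7 192.0.2.13 21
2010-01-16T10:00:09 198.51.100.7 192.0.2.14 80
2010-01-16T10:00:12 198.51.100.7 192.0.2.15 22
2010-01-16T10:01:30 203.0.113.9 192.0.2.11 22
2010-01-16T10:02:00 203.0.113.44 192.0.2.20 135
2010-01-16T10:02:00 203.0.113.44 192.0.2.20 139
2010-01-16T10:02:01 203.0.113.44 192.0.2.20 445
2010-01-16T10:02:01 203.0.113.44 192.0.2.20 3389
2010-01-16T10:02:02 203.0.113.44 192.0.2.20 8080
"""


def parse_log(text):
    """Parse the constructed log into (time, src, dst, dport) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport = line.split()
            events.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return sorted(events)


def detect_banner_sweeps(text, window_seconds=300, min_hosts=5):
    """Return {src: details} for sources that swept BANNER_PORTS across many hosts.

    A source is flagged when one sliding window holds connections to at least
    min_hosts distinct hosts and every port used lies in BANNER_PORTS. A classic
    many-ports-on-one-host scan is deliberately left to a separate port-scan rule.
    """
    by_src = defaultdict(list)
    for event in parse_log(text):
        by_src[event[1]].append(event)
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for src, events in by_src.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:   # slide window forward
                start += 1
            current = events[start:end + 1]
            hosts = {e[2] for e in current}
            ports = {e[3] for e in current}
            if len(hosts) >= min_hosts and ports <= BANNER_PORTS:
                alerts[src] = {"hosts": len(hosts), "ports": sorted(ports),
                               "first": current[0][0].isoformat(),
                               "last": current[-1][0].isoformat()}
    return alerts


if __name__ == "__main__":
    for src, info in detect_banner_sweeps(LOG).items():
        print(f"banner sweep from {src}: {info}")
```

Feeding the rule real firewall or flow records only requires replacing parse_log; the sliding-window logic is format independent.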

Shodan Usage

Shodan works much like any other search engine; however, one can specifically target systems via a number of methods. The syntax even includes a switch that allows a user to specify geographic location by country. (May be good for future Cyberwar)

Syntax Options:

  1. + (equivalent to an AND operation)
  2. - (equivalent to a NOT operation)
  3. * (wildcard)
  4. country:
  5. hostname:
  6. ports: (limited to 21/TCP, 22/TCP, 23/TCP, and 80/TCP)
  7. net: (in CIDR notation)

*Note: Shodan only produces 100 results for free.

Interesting Shodan Searches

Jan 16, 2010   //   by SecAdmin   //   Assessment, Research

Here are a few searches that I tried that produced interesting results. For some ideas on devices, vendors, and models, please see the Phenoelit default password list.

Web Server Detection

  1. IIS+2.0
  2. IIS+3.0
  3. IIS+4.0
  4. IIS+5.0
  5. IIS+6.0
  6. Websphere+4.0
  7. Websphere+5.0
  8. Websphere+6.0
  9. “Oracle HTTP Server”
  10. Jrun
  11. RaidenHTTPd
  12. “IBM HTTP”
  13. Tru64
  14. iCern
  15. Lotus-Domino + 1.0
  16. Apache (tons of versions with this, too many to list)
  17. Windweb

CMS Detection

  1. Joomla
  2. Drupal
  3. WordPress
  4. Typo3

Network Device Detection

  1. Linksys
     1. Linksys+wrt54g
     2. Linksys+wap54g
     3. Linksys+BEFDSR41w
     4. Linksys+BEFSX41
     5. Linksys+wap200
     6. Linksys+CIT400 (This is a telephony kit…interesting)
     7. Linksys+RVS4000
     8. Linksys+WET54G
     9. Linksys+WAG54GX2
     10. Linksys+WAG54GS
  2. Netgear
     1. Netgear+DG834
     2. Netgear+PS121v2
     3. Netgear+WGR614v9
     4. Netgear+WAG302v2
     5. Netgear+DG834PN
  3. Cisco
     1. Cisco+RVo82
     2. Cisco+CSS
     3. Cisco+PIX
     4. Cisco+VPN
     5. Cisco+Server
  4. Fuji+Xerox
  5. JetDirect

Other

  1. Xerver
  2. port:23+ list+of+built-in+commands
  3. port:80+iisstart.html
  4. Server: SQ-WEBCAM
  5. “Anonymous+access+allowed”
  6. Golden+FTP+Server
  7. “Server:+iWeb”+HTTP
  8. passwd
  9. passwd+user+vname
  10. deleted

Quick Look: VAM Lite

May 16, 2009   //   by SecAdmin   //   Assessment, Research

Summary

*NOTE SecAnalysis opinions have changed since the release of this article regarding the Nessus interface*

First of all, this report will be a little less instructional, since StillSecure does such a good job with their user guide. There is really no purpose in my producing one here. The guide can be seen here. Regardless, a while ago I had the pleasure of having an on-site meeting with the folks at StillSecure. StillSecure is a strong, well-known security vendor that provides vulnerability management, NAC, and IPS/IDS products. StillSecure also provides Managed Security Services to customers looking to outsource their security capabilities. A while ago I noticed that StillSecure offers a freeware version of their VAM product labeled VAM Lite. VAM Lite is a relatively simple but powerful vulnerability scanner that leverages a web based user interface. VAM Lite differs from the commercial VAM product in the following ways (according to the StillSecure website):

  • Vulnerability scanning is limited to 100 IP addresses
  • StillSecure’s Security POV reporting module is disabled
  • VAM Lite can not be run in a distributed scanning environment

I decided I’d give VAM Lite a shot in the lab to determine whether it could be a mainstay. I was actually pleasantly surprised by the ease and power of the product. Granted, much of the scanning technology is similar if not the exact same as Nessus; however, one of the biggest problems with the freeware version of Nessus is the fact that the interface is hideous (particularly for Windows) and adds little additional functionality. Thus, VAM Lite addresses a primary issue (the interface) with an excellent solution. VAM Lite is a simple, effective solution that can address the needs of a small business environment. In a large environment one needs to be careful of accidentally crossing a low performance firewall, as the connections table could fill up very quickly based on the initial port scanning engine.

Things I Like

  • Simple setup
  • Simple to use interface
  • Powerful Nessus backed scan engine
  • The vulnerability summary page gives a good overview

Things I Dislike

  • The interface is a little bit slow
  • The interface uses quite possibly the ugliest “loading” image
  • Difficult to customize outside of working directly on the system

Figure: Vulnerability Summary Tab

Thoughts

I generally like the interface a lot better than the Windows version of Nessus; VAM Lite also gives you a much nicer interface for management as opposed to simple reports. The simple to use interface and easy setup make it an excellent solution for labs or security enthusiasts who wish to test out products or systems in their environments. VAM Lite comes in two forms, virtual machine and ISO. For my part, the virtual machine was the best solution. VAM Lite is a must have for laboratory environments and should be tried out by all (especially since it is free!).

Check It Out

Check out VAM Lite under “Freeware Products” at StillSecure’s website, www.stillsecure.com.