
Metasploit: A Security Analyst's Best Friend

Kristy Westphal

If you are responsible for the security on your network, or are a consultant who performs penetration tests of other networks, you have probably wanted to test whether a potential vulnerability can be exploited. It helps to have an exploitation toolkit with many of the tools you may need to complete your penetration test ready to go. The Metasploit framework is just such a toolset. According to their Web site (http://www.metasploit.com), "The Metasploit Framework is an advanced open-source platform for developing, testing, and using exploit code. This project initially started off as a portable network game and has evolved into a powerful tool for penetration testing, exploit development, and vulnerability research."

Metasploit was created by "Spoonm" and H.D. Moore and is maintained by a long list of volunteers. It runs on Unix and Windows (using Cygwin) and has detailed documentation, which is unusual for a freeware tool. Metasploit runs on the command line and also has an easy-to-use Web GUI, which puts running exploit code just a point and click away. Although the Framework itself is written in Perl, it does contain a smattering of C, assembler, and Python.

Releasing a framework like this on the Internet is controversial. However, it is also useful for those of us who perform tests on a regular basis but may not have time to search the Web for the version of an exploit that runs on the operating system we have available at the exact moment we need it. Metasploit provides one source for this. However, you must proceed with caution. Be sure that you have the appropriate permission and the appropriate platform with which to conduct your penetration test.

The Install

The heart of Metasploit is in the exploits, the payloads, and the sessions that you can start with them. But to get to these, you must install the code first. For this article, Metasploit was run on a Fedora Linux platform. It was so easy to install that I had to try it on others, so I tried Solaris 10 x86 and Windows XP.

For the Linux install, I simply downloaded the Unix compressed tar archive and opened it on my system:

tar xvf framework-2.5.tar
The latest version of Metasploit was 2.5 at the time.

Once the tar file is open, you change into the framework-2.5 directory:

cd framework-2.5
And you are ready to go! There is no compiling needed; the binaries are provided for you. If you prefer the command line, the first binary you can execute is the console:

./msfconsole
Or, if you would like to use the GUI, then start up the built-in Web server:

./msfweb
The GUI is shown in Figure 1.

The Windows and Solaris installs also went smoothly. The same binaries were available for both installs, just presented in different formats. For example, the Windows install has three batch files for you to run the console, the update tool, and the Web server, instead of a compiled binary as on the Unix version.

Now what?

Any good attacker will first do some reconnaissance on the target network. My favorite tool for this is the Nessus vulnerability scanner. In this case, I scanned an unpatched, new install of Windows 2003 Server. Let the games begin!

My Nessus scan revealed several issues with my system, one of the most notable being port 135 (RPC service), as well as other standard Windows ports. Knowing this, I went to the available exploits in Metasploit. You can't search for specific ones, but in the Web interface you can filter based on the application, operating system, class, or CPU type. I happened to filter on the CPU type (in this case, x86) and found two possible exploits to try:

Microsoft LSASS MS04-011 Overflow
Microsoft RPC DCOM MS03-026
When I looked at their descriptions, the LSASS one appeared to be more for Windows 2000 and Windows XP, so I discarded that option. I selected the RPC DCOM exploit, the default option for the target, and was then directed to the payload area. From there, you can choose from a list of possible payloads to try on your victim. In this case, I chose the win32_exec payload. Options are shown in Figure 2.

You can see in the payload detail page that there is a Check button. This gives you a quick opportunity to check whether this exploit, in combination with this payload, is an effective attack on your victim. This may not always be implemented for all exploits. In the case of the RPC DCOM exploit, it was not implemented, but I proceeded anyway with my attack.

Once launched, the Exploit Output screen immediately showed that it was successful. See Figure 3.

To ensure that my attack was indeed as successful as indicated, I went to the victim system to see whether there was a connection from the attacking box. Sure enough, when I went to a command prompt and typed netstat -a to see all open network connections, I saw one from a computer named WILMA (which is my attack system) on port 2341. It had opened port 4444. See Figure 4 for a snapshot of this netstat listing.
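The netstat check described above can be scripted for repeatable verification. This added example (not from the article) parses a constructed sample of Windows netstat -an output, flags TCP listeners that are absent from a hypothetical build baseline, and lists established connections to those listeners; the same routine serves the "check your new system build" use discussed later in the article.

```python
import re
from collections import namedtuple

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state")

# Constructed sample of Windows `netstat -an` output (not captured from the
# article's lab): the victim shows an unexpected listener on 4444 and a
# session to it from the attacking host's ephemeral port 2341.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:4444      192.168.1.10:2341      ESTABLISHED
  UDP    0.0.0.0:123            *:*
"""

# Hypothetical build standard: TCP ports a fresh Windows server is allowed
# to listen on. Anything else is reported for follow-up.
BASELINE_LISTENERS = {135, 139, 445, 3389}

# One netstat row: proto, local addr:port, foreign addr:port, optional state.
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*(\S+)?\s*$")


def parse_netstat(text):
    """Return a list of Conn records, skipping header and blank lines."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, lip, lport, rip, rport, state = m.groups()
        conns.append(Conn(proto, lip,
                          int(lport) if lport != "*" else None,
                          rip,
                          int(rport) if rport != "*" else None,
                          state or ""))
    return conns


def find_anomalies(conns, baseline):
    """Unexpected TCP listeners, plus established sessions attached to them."""
    unexpected = {c.local_port for c in conns
                  if c.proto == "TCP" and c.state == "LISTENING"
                  and c.local_port not in baseline}
    sessions = [(c.remote_ip, c.remote_port, c.local_port) for c in conns
                if c.state == "ESTABLISHED" and c.local_port in unexpected]
    return sorted(unexpected), sessions


if __name__ == "__main__":
    ports, sessions = find_anomalies(parse_netstat(SAMPLE_NETSTAT), BASELINE_LISTENERS)
    print("unexpected listeners:", ports)
    print("sessions to them:", sessions)
```

Run it against `netstat -an` output saved from the victim before and after the test; a listener that appears only afterwards is the artifact to look for.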

Another option is to click on the HTML link called "session 4" in the Metasploit console. This goes to the command prompt that I have created to the victim system. Figure 5 shows the interface that Metasploit provides for accessing the command prompt.

Potential Uses of the Framework

I was able to exploit my unpatched Windows 2003 server. Now what? You can tell your systems administrators that they have a problem. Metasploit can be used in your audits to prove that yes, this vulnerability is not a false positive. Of course, you always need to exercise caution when doing this because not only does it disprove false positives, but it also breaks things.

Metasploit can also come in handy if you need to check your system security before an audit. You may decide that you need to check the effectiveness of your new system build. Scan your system and then try one or two things that appear to be vulnerable and see if you can make it break. If so, then you may need to revisit your build standards. If not, you have gone one step further in verifying the security of your operating system.

Metasploit is also a great testing tool for your intrusion detection systems. Think of how nice it would be to have the tool in hand to test and tune your network intrusion detection system to see the exploit itself coming across (not just the reconnaissance predecessor to an attack). This in turn becomes an excellent teaching tool for intrusion analysts because they can identify if and how an exploit presents itself and, thus, understand what to look for in the future when it really happens.

Conclusions

Metasploit is a versatile testing tool that can enhance your security in many ways. It makes exploit testing more convenient and easier to maintain, understand, and use. In addition to being useful for pen-testing, it can enhance the layers of security on your network inside and out. The ample documentation and resources help expedite the learning curve (http://www.metasploit.com/books.html). Metasploit is a must-have tool for every security and systems administrator's toolkit.

Kristy Westphal has been a versatile information security professional for 12 years and is currently the Chief Information Security Officer with the Arizona Department of Economic Security. Skilled in troubleshooting and process analysis, her specific areas of security expertise include operating system and network security, intrusion detection, incident handling, vulnerability analysis, and policy development.