Many organizations are making significant investments in technologies in order to tell if they have been compromised; however, frequently they find out when it is too late. There are several network-based attributes that, when combined, indicate that a compromise may have taken place. Many pentesters are successful at compromising hosts; however, they are commonly restricted in what they can and can't do. There needs to be a way for them to successfully mimic threats and scenarios even when restricted: a way that pentesters and defenders can test organizational awareness without just "popping shells". Currently you'd have to drop live malware on networks to show customers whether their countermeasures can detect the activity, which is not feasible.
As such, people need a way to test their ability to find compromised hosts without spreading live malware on their network or building an expensive stand-alone lab. Are their countermeasures configured correctly? Is traffic bypassing their countermeasures? Can they spot a compromised host doing the bidding of an attacker? Basically, can organizations spot a wolf in sheep's clothing?
Over the last few years I've done tons of research on intrusion attributes and have deployed an alphabet soup of security solutions. To make it possible to test these systems, I started to write my own framework in Python, mimicking malicious activities. Now that I've joined Rapid7, I've been talking with HD Moore about incorporating the concept into the Metasploit Framework, so I've dusted off my Ruby skills and started dabbling with developing Metasploit Auxiliary modules. After a few days I have some cool things working.
I'm dubbing the new auxiliary modules vSploit modules. The name vSploit was chosen because what we are doing is virtualizing exploitation attributes. vSploit modules imitate compromised or vulnerable hosts on networks. They are created to give enterprises a chance to test their overall security architecture and design. In my experience, people deploy a whole host of systems such as IDS/IPS, log correlation solutions, firewalls, proxies, you name it, but often these products miss the low-hanging fruit that indicates a breach. vSploit modules are a way to test these solutions without actually releasing live exploits on your network. I'm working on Metasploit resource files to launch virtual intrusion scenarios.
I will be doing a webinar introducing the concept on June 14th, 2011 at 2pm EST, titled Identifying Infrastructure Blindspots with Metasploit Framework. In the talk I'll cover how to use vSploit modules to validate whether security solutions are working as expected. I hope you can join, because I'm looking forward to your feedback.
Here is a quick demonstration of a few vSploit modules:
vSploit Web PII Module
vSploit DNS Beacon Module
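To make the idea concrete, here is an added example in Ruby that is not part of vSploit or the Metasploit Framework. It does the two halves of the exercise the post describes, entirely offline: it constructs a synthetic resolver log in which one host behaves like the DNS Beacon module (a lookup of the same name at a fixed interval) alongside irregular lookups from another host, and then runs the kind of check a defender's log correlation would need in order to spot that attribute. The log format, the hosts, the hypothetical domain `beacon-c2.example.test` and the thresholds are all assumptions made for the example.

```ruby
# Added example (not vSploit or Metasploit code): simulate the network
# attribute a beaconing host leaves in DNS logs, then check whether a
# simple regularity detector spots it.
require 'time'

# Constructed sample: resolver log lines for a simulated host that looks up
# a hypothetical beacon domain every `interval` seconds, mixed with
# irregular lookups from another host. All timestamps are synthetic.
def simulated_dns_log(start: Time.utc(2011, 6, 14, 14, 0, 0), beacons: 10, interval: 60)
  lines = []
  beacons.times do |i|
    t = start + i * interval
    lines << "#{t.iso8601} client 10.0.0.25 query beacon-c2.example.test A"
  end
  # Hypothetical benign noise: irregular lookups from another client.
  [3, 17, 95, 140, 301, 333].each do |offset|
    t = start + offset
    lines << "#{t.iso8601} client 10.0.0.40 query www.example.test A"
  end
  lines.sort
end

# Assumed log line shape: "<iso8601> client <ip> query <domain> <type>".
LINE_RE = /\A(?<ts>\S+) client (?<client>\S+) query (?<domain>\S+) /

# Parse one line into [time, client, domain]; nil for lines that do not match.
def parse_line(line)
  m = LINE_RE.match(line)
  return nil unless m
  [Time.iso8601(m[:ts]), m[:client], m[:domain]]
end

# Group lookups by (client, domain) and compute the gaps, in seconds,
# between successive lookups of the same name by the same client.
def intervals_by_pair(lines)
  times = Hash.new { |h, k| h[k] = [] }
  lines.each do |line|
    parsed = parse_line(line)
    next unless parsed
    t, client, domain = parsed
    times[[client, domain]] << t
  end
  times.transform_values do |ts|
    ts.sort.each_cons(2).map { |a, b| b - a }
  end
end

# Flag (client, domain) pairs whose lookups are both numerous and regular.
# Regularity is measured as the coefficient of variation (stddev / mean)
# of the gaps; a fixed-interval beacon scores near zero, human-driven
# browsing scores far higher. Thresholds are example values.
def beacon_candidates(lines, min_lookups: 5, max_cv: 0.1)
  intervals_by_pair(lines).select do |_pair, gaps|
    next false if gaps.size < min_lookups - 1
    mean = gaps.sum / gaps.size
    variance = gaps.map { |g| (g - mean)**2 }.sum / gaps.size
    cv = mean.zero? ? 0.0 : Math.sqrt(variance) / mean
    cv <= max_cv
  end.keys
end

if __FILE__ == $PROGRAM_NAME
  log = simulated_dns_log
  beacon_candidates(log).each do |client, domain|
    puts "possible beacon: #{client} -> #{domain}"
  end
end
```

Run against the constructed log, the detector reports only `10.0.0.25 -> beacon-c2.example.test`; the irregular lookups from `10.0.0.40` fall well outside the regularity threshold. The same check, pointed at real resolver logs while a vSploit-style module is running on a test host, is one way to answer the post's question of whether a monitoring stack actually sees the activity.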