
Metasploit

82 Posts authored by: ckirsch

Like a double agent who's been turned, I switched from the offensive to the defensive side this week. After four years of working on Metasploit simulating attackers, I'll now be hunting them with UserInsight, Rapid7's new incident detection and response solution that helps organizations detect intruders on their network.

 

Working on Metasploit for the past four years definitely taught me a lot about attacker methodologies and the attacker mindset. I'm now a more paranoid person for it, which will be a huge help when hunting the bad guys going forward.

 

I've had a blast working with an awesome team of security researchers, including @todb, @_sinn3r, @_juan_vazquez_, @TheLightCosine, "the man who never sleeps" aka @hdmoore, and many extremely talented coders who are a little less in the limelight but are among the best in their field. Together, we released Metasploit Pro, Metasploit Community, Metasploit on Kali Linux (special shout out to Brandon, Dookie, Muts), and many cool new features, including our recent release, which focused on credentials.

 

I'd also like to thank our Metasploit open source contributors (you guys are the reason Metasploit is so well respected and widely used), the folks who participated in the Metasploit T-shirt design competition (my wardrobe is full of them), and @dualcoremusic for writing and performing the Metasploit track (he tried hard, but I could never quite pull off the B-Boy Pose).

 

Because we've been playing musical chairs here at Rapid7, some very cool roles opened up. Throw your hat in the ring if you're interested:

 

Don't be shy - contact me on LinkedIn if you have additional questions on any of the roles or on UserInsight. Always happy to chat!

By guest blogger Sean Duffy, IS Team Lead, TriNet

 

Rapid7 invited me to participate in pre-release testing of Metasploit 4.10, a process they call Tech Preview. They asked me to openly share my thoughts with the community.

 

Preparation and Logistics

I always enjoy working with Rapid7. Preparatory meetings and documentation made the installation and testing process a breeze. Rapid7 was also kind enough to extend my testing and feedback sessions when work so rudely intruded on the fun. Zero complaints.

 

New Features

Testing focused on improvements in Metasploit Pro’s credential management. Metasploit Pro now contains a new Credentials menu that includes credential management. It offers one-stop shopping to

  • Find previously obtained credentials from exploitation
  • Clone and modify existing credentials
  • Add new credentials
  • Validate credentials by testing where they work

 

I liken the functionality a bit to credential management for sites in Nexpose. It is quite handy to have this screen for managing all the credentials for all the hosts in a project. In addition, there is new reporting specific to credentials, AND a John the Ripper module is now available with Metasploit (if you don’t have it already). Christian Kirsch provides a detailed review of the functionality in his release blog post now available on ‘The Street.’

 

My testing did find a few bugs, but most were addressed by the end of the Tech Preview. I also went a bit off the reservation to see if there were changes or improvements in other areas such as vulnerability validation and phishing campaigns. Nope – all worked as before.

 

Conclusion

I believe that this functionality will facilitate penetration testing by making access to credentials much easier to access and verify. I hope that it serves as a springboard to future functionality (such as interfacing with Nexpose and credentials stored there). And if Rapid7 is able to provide more effective methods of testing against websites with credentials, I will be eternally grateful.

 

Thanks, Rapid7. I look forward to what comes next!

 

Note from Rapid7: Hear Sean talk in this video about how he uses Metasploit Pro and Nexpose at TriNet (also linked from the video still on this post)

By guest blogger Robert Jones, Information Security Manager, City of Corpus Christi

 

I had the opportunity to participate in a tech preview of Metasploit Pro's new credentials features. In our shop, we use Metasploit Pro, Nexpose, UserInsight and ControlsInsight, all by Rapid7. I certainly wish I could spend the majority of my time pentesting, but instead I often find myself using Metasploit to educate users by showing them how I can compromise their machines. It is incredibly compelling when a user sees their system owned right in front of them, at which point you have one more person more inclined to operate their systems in a more secure manner. But, raising education and awareness one user at a time is not always the best use of your company's time. It is often the case that organizations need to put some type of policy or updated procedure in place to mitigate a risk across the organization. To do this, it is often more appropriate to be able to demonstrate a risk across a larger cross-section, or even the entire organization, to put the risk into a proper context.

 

While we might be showing users the output of a hashdump and telling them how this scrambled text can be reused on other systems where the credentials are valid, for these larger scale activities, maximizing your count of shelled systems gets exponentially expensive in terms of time when you're attempting to exhaust all avenues that open up from harvested credentials. I am a command-line kind of guy, but pitting my typing against my backspace prowess isn't really feasible for me when shelling more than a handful of machines. This is where the backspace key and clock work in tandem to humble me. The development effort that was put into making these activities more efficient is well-spent and a welcome addition.

 

To get started with the tech preview, I spun up a virtual machine, installed the pre-release package without issue, and had it up and running in a few minutes. The testing process did not require much of my time, and I would estimate that I spent less than 30-45 minutes actually testing the steps that were asked of me, mostly being along the lines of making sure that items in the application produced the desired result when clicked. There is also a degree of latitude as far as what targets to hit, so instead of using Metasploitable or another intentionally vulnerable target, I pointed this tech preview at our Nexpose platform and imported a list of hosts to try this out on. After all, I want to see how this is going to help me save time in a more authentic scenario than a lab. So, I originally set up a single credential, aimed it at all of the systems, and watched as they indicated whether these credentials were valid against these hosts. It wasn't long after making sure I followed the test steps that I was spending more time cloning credentials based on certain character patterns that I've observed in the past here and aiming additional sets of credentials at these hosts. I honestly had no desire to do this from a command line with each permutation. I think this feature is actually rekindling a relationship with my mouse, as I can't imagine anything other than a purist's love of a black background to warrant doing this stuff from the command line again.

 

One thing that was not part of the tech preview, but I hope to see in the future, is taking a harvested set of credentials and automatically reusing them for any authenticated exploits during an auto-exploitation routine, thereby expanding the attack surface of your targets where you may otherwise need to only attempt the remote/unauthenticated exploits, or be forced to go into the modules and selectively set those authenticated exploits to use a particular set of credentials. This would need more thought and planning than I've done as I write this, but I envision a list of harvested credentials on that new credentials tab growing over time that would be a great list, specific to my environment, that might yield additional targets when using some type of "authenticated upload and execute" or similar exploits requiring valid credentials to test.

 

While I have this opportunity, I also want to encourage everyone to provide candid feedback to Rapid7. While many of us may operate in the mindset that we aren't a large enough customer to warrant the vendor's attention, I have witnessed on many occasions that a quick note almost always results in a same-day response from one of the development teams. This isn't a canned response or some default of "We'll review it and thanks" kind of thing. Often, it results in a direct conversation to discuss further. I've often seen new features added in a week or two that directly address the feedback, and I've never worked with a software company that valued feedback and acted on it at this level. The end result is that we, as a community, end up with tools that make our jobs easier and more efficient, making us better at our jobs. If you think of an improvement to their solutions, please share it with them. It is well worth the effort.

 

Note from Rapid7: If you'd like to learn more about the new credentials features and see Metasploit Pro in action, please reserve a space on our free upcoming webcast "Credentials Are the New Exploits: How to Effectively Use Credentials in Penetration Tests"

By guest blogger Dustin Heywood, Manager, Security Assurance, ATB Financial

 

Recently I was invited to participate in Metasploit Pro’s Tech Preview Program, where customers are given early access to new product releases. I've taken part in this program before and I have always loved the experience.

 

For those of you who haven't been involved in a Rapid7 Tech Preview program: It starts out with a call with the customer engagement manager and the product management team, who gave me an overview of the upcoming product changes and logistics. I received a special tech preview build and license key, a test script, and access to a private Security Street space to discuss the new features with peers and Rapid7.

 

I really liked that Rapid7 doesn’t require that you follow the script. In fact, I had direct access to product management to ask questions, discuss bugs and get updated Tech Preview builds.

 

Rapid7 gathers feedback throughout the process, for example through a phone call and exit survey. I provided feedback on the good, the bad, and how useful I found the features. The entire process is seamless and highly rewarding, so I take part in every Tech Preview I can.

 

I won't spend a lot of time covering the new release (read this post for more info), but there are new features that definitely make life easier. Metasploit Pro 4.10 is all about credential management & credential reuse. Metasploit’s credential features definitely save us time in workflows.

Credentials reuse is a critical security issue. We have already started to leverage the new features in Metasploit Pro to make our penetration tests much more effective. The ability to reuse credentials and raw hashes with just a few clicks is a major time saver, makes for extremely effective demonstrations, and allows for rapid system pivoting.

I had a few weeks to play with the new credentials menu before it was released and was very impressed. Well done to Rapid7 on yet another amazing release.

 

Note from Rapid7: If you'd like to learn more about the new credentials features and see Metasploit Pro in action, please reserve a space on our free upcoming webcast "Credentials Are the New Exploits: How to Effectively Use Credentials in Penetration Tests"

We’ve given credentials a new boost with Metasploit 4.10. It’s now easier to manage, reuse and report on credentials as part of a penetration test.

 

Pentesters are shifting from exploits to credentials

 

There was one common theme that we heard from a lot of penetration testers we talked to over the past few months: You’re using more and more credentials on penetration tests. We even surveyed the Metasploit user base to make sure we didn’t ask a biased sample: 59% of you said that you use credentials for half or more of your penetration test compared to exploits.

 

[Chart] 2014 Metasploit User Survey: “On an average pentest, do you focus more on exploits or credentials?”, N=561

 

This is not really surprising: Organizations are getting better at vulnerability management. (OK, I said better, not perfect.) It's getting harder to find that MS08-067 on the network, especially now that Windows XP has been taken out of maintenance and is starting to disappear from corporate networks. (Well, they’re “starting” to take XP out of circulation.) Over the past few years, the Microsoft Windows engineering team has also been getting better at making exploitation harder, specifically through techniques such as canary values, data execution prevention (DEP), address space layout randomization (ASLR) and the Enhanced Mitigation Experience Toolkit (EMET); together with 64-bit addressing, these have pretty much made traditional memory corruption exploits impossible. Exploits also increase your chance of getting caught because, unlike credentials, there is no legitimate reason for using them.

 

You’ve probably used credentials for a while, but now they’re even more valuable: They’re easy to obtain through phishing, public leaks, or simply guessing. Once you have compromised your first machine, you can loot passwords, hashes, and SSH keys and reuse them against other parts of the network. Repeat until the domino effect brings the entire network under your control.

 

What’s more important: Attackers are using more credentials as well, so you’re mimicking their actions for more accurate risk assessment. In fact, credentials are the number one attack methodology in the 2014 Verizon Data Breach Investigations Report.

 

Metasploit gets a new credentials architecture

 

The Rapid7 Metasploit team revamped the way Metasploit handles credentials. Now, each credential comes with metadata such as its origin and where it was successfully used for logins. We’ve already ported 60 out of 180 auxiliary modules to the new architecture and have launched a community competition to help port the rest (see @todb’s blog post for more details and GitHub for a list of yet unported modules).

 

If you're using Metasploit Framework, the new architecture is immediately available to you if you are using the binary installers. In case you get your Metasploit Framework code straight from GitHub: We are working on merging the code bases on GitHub and will make these available in the coming weeks - watch this space.

 

Metasploit Express and Metasploit Pro simplify managing, reusing and reporting on credentials

 

While Metasploit Framework users will see improvements from the new credentials architecture, there’s even more good stuff in the commercial Metasploit editions: Metasploit Pro 4.10 increases the productivity for penetration testers who leverage credentials to take over large networks. Users rarely use unique passwords per application and passwords are often cached on systems. The new functionality in version 4.10 simplifies the reuse of credentials to simulate credentials-based attacks such as the ones recently experienced by Target and eBay. Metasploit now makes it easier to track and manage credentials, including where they were gathered and which systems they gave access to. Users can now quickly validate that credentials work on specific services and reuse them on other parts of the network. Penetration testers also have improved reports to convey results to IT operations, management, and auditors. These improvements are exclusive to Metasploit Express and Metasploit Pro.

 

New credentials management

 

Penetration testers often use spreadsheets or even a text editor to keep track of credentials. This hurts productivity because it’s difficult to efficiently reuse credentials across services as diverse as Windows, SQL Server and VNC. It’s also difficult to report on these credentials. If you’re already off-site writing your report, you may even discover that you forgot to note down some important details.

 

Metasploit Pro and Express now come with new credentials management that makes it a snap to track credentials, their origin, and where they can be used. You can find the new credentials management in the new Credentials menu under Manage. In addition to credentials captured by Metasploit, you can also import a variety of formats.

 

[Screenshot: the new Manage Credentials view]

 

Quick credential validation

 

We also overhauled the credentials tab on the single host view, which now shows you both the logins that can get you access to the machine as well as the captured credentials that were looted from the machine. The little key in the Validate column enables you to quickly check if a particular credential is valid.

 

The quick credential validation only checks if a credential works but does not create a session. Here’s how you create a session:

  • Metasploit Pro: Use the Known Credentials Intrusion MetaModule, and enter the IP range you’d like to target.
  • Metasploit Express: Use post-authentication modules specific to the service you are using, such as exploit/windows/smb/psexec for SMB credentials (go to the Modules menu and select Search to use them).

 

The Quick Validation feature will turn credentials (the combination of a username plus a password, hash or SSH key) into logins (a credential that has been validated to be used on a certain host/service combination). You can only use the Credentials Intrusion MetaModule with logins, not with credentials. Other ways to create logins are the MetaModules for Single Password Testing, Pass the Hash, and SSH Key Testing as well as the new Credentials Reuse feature (see below).

 

[Screenshot: credentials tab on the single host view]

 

Efficient credentials reuse

 

Security best practice is to never share credentials across hosts and services. However, we all know that all good intentions go out of the window when users find it difficult to remember multiple passwords.

 

Metasploit Pro and Express now have a Credentials Reuse functionality, which you can find – surprise – in the new Credentials menu under Reuse. What’s powerful about this new feature is that you can filter and select individual hosts and services to try specific credentials on. This gives you the power to either try every credential against all services, one credential against one service, or any combination in between.

 

[Screenshot: Credentials Reuse]

 

Create clear and concise credential reports

 

We heard loud and clear from you that you loathe writing reports. Metasploit Pro and Express now create illustrative credentials reports for you. In addition to lists of passwords and compromised hosts, you will see diagrams that show you which hosts are most at risk from credentials abuse and which credentials provide access to the most machines. The reports will make it very easy to communicate your findings with the IT operations team or provide documentation to auditors.
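As an added illustration (not Rapid7's code) of the credential model described above, the following Python models credentials with their origin, promotes them to logins only after a validation check on a host/service pair, and computes the two views the credentials report draws: hosts most at risk and credentials that reach the most machines. All hosts, user names, secrets and the validation oracle are constructed for the example.

```python
"""Added illustration of the Metasploit 4.10 credential model (not Rapid7's code).
A Credential is a user name plus a password, hash or SSH key and carries its origin;
a Login is a credential that quick validation confirmed on one host/service pair.
Hosts, users, secrets and the validation oracle below are all constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    public: str        # user name
    private: str       # password, NTLM hash or SSH key material
    private_type: str  # "password", "ntlm_hash" or "ssh_key"
    origin: str        # where it came from, e.g. "hashdump on 10.0.0.5"


@dataclass(frozen=True)
class Login:
    cred: Credential
    host: str
    service: str       # "smb", "ssh", "vnc", ...


class CredentialStore:
    """Project-wide store: credentials go in, validated logins come out."""

    def __init__(self):
        self.credentials = set()
        self.logins = set()

    def add(self, cred):
        self.credentials.add(cred)

    def validate(self, cred, host, service, check):
        """Quick validation: ask `check` whether the credential works on
        host/service and, if so, promote it to a Login (no session is created)."""
        if cred not in self.credentials:
            raise KeyError("only credentials known to the project can be validated")
        if check(cred, host, service):
            self.logins.add(Login(cred, host, service))
            return True
        return False

    def _hosts_per_credential(self):
        reach = {c: set() for c in self.credentials}
        for login in self.logins:
            reach[login.cred].add(login.host)
        return reach

    def hosts_by_exposure(self):
        """Report view 1: hosts ordered by how many distinct credentials open them."""
        creds_on_host = defaultdict(set)
        for login in self.logins:
            creds_on_host[login.host].add(login.cred)
        return sorted(((h, len(c)) for h, c in creds_on_host.items()),
                      key=lambda pair: (-pair[1], pair[0]))

    def credentials_by_reach(self):
        """Report view 2: credentials ordered by how many hosts they give access to."""
        return sorted(((c.public, len(h)) for c, h in self._hosts_per_credential().items()),
                      key=lambda pair: (-pair[1], pair[0]))

    def reused_credentials(self):
        """Credentials valid on more than one host: the reuse finding to report."""
        return {c for c, hosts in self._hosts_per_credential().items() if len(hosts) > 1}


# Constructed stand-in for a live check: which (host, service, user, secret) combinations work.
VALID_LOGINS = {
    ("10.0.0.5", "smb", "administrator", "Winter2014"),
    ("10.0.0.6", "smb", "administrator", "Winter2014"),
    ("10.0.0.7", "smb", "administrator", "Winter2014"),
    ("10.0.0.6", "smb", "svc_backup", "CONSTRUCTED_NTLM_HASH_0001"),
    ("10.0.0.7", "ssh", "ops", "CONSTRUCTED_SSH_KEY_0001"),
    ("10.0.0.8", "ssh", "ops", "CONSTRUCTED_SSH_KEY_0001"),
}


def constructed_oracle(cred, host, service):
    return (host, service, cred.public, cred.private) in VALID_LOGINS


def run_example():
    """Try every credential against every discovered service (the 'all against all' reuse mode)."""
    store = CredentialStore()
    for cred in (
        Credential("administrator", "Winter2014", "password", "phishing campaign"),
        Credential("svc_backup", "CONSTRUCTED_NTLM_HASH_0001", "ntlm_hash", "hashdump on 10.0.0.5"),
        Credential("ops", "CONSTRUCTED_SSH_KEY_0001", "ssh_key", "looted ~/.ssh on 10.0.0.5"),
        Credential("vnc", "password", "password", "guess"),
    ):
        store.add(cred)
    targets = [("10.0.0.5", "smb"), ("10.0.0.6", "smb"), ("10.0.0.7", "smb"),
               ("10.0.0.7", "ssh"), ("10.0.0.8", "ssh"), ("10.0.0.5", "vnc")]
    for cred in sorted(store.credentials, key=lambda c: c.public):
        for host, service in targets:
            store.validate(cred, host, service, constructed_oracle)
    return store


if __name__ == "__main__":
    s = run_example()
    print("hosts by exposure:", s.hosts_by_exposure())
    print("credentials by reach:", s.credentials_by_reach())
    print("reused on several hosts:", sorted(c.public for c in s.reused_credentials()))
```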

 

[Screenshots: credentials report diagrams]

 

New modules since Metasploit 4.9

 

At Rapid7, we believe that knowledge of vulnerabilities and access to exploits should not be pay for play. We make Metasploit exploits and auxiliary modules available in all editions, including the free Metasploit Framework and Metasploit Community editions. Some of these modules come from our internal team, but many are submitted through you, the Metasploit Community. Here’s a list of the new modules we added since version 4.9:

 

Exploit modules

 

Auxiliary and post modules

 

And It's All Available Now

 

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

 

For additional details on what's changed and what's current, please see our most excellent release notes.

Metasploit 4.9.2 and earlier vulnerable to OpenSSL vulnerabilities

 

The OpenSSL team today published a security advisory containing several critical vulnerabilities. The Metasploit editions Metasploit Pro, Metasploit Express, Metasploit Community and Metasploit Framework in versions 4.9.2 or earlier are vulnerable to these OpenSSL vulnerabilities, most notably CVE-2014-0224 and CVE-2014-0221. CVE-2014-0224 is exploited by Man-in-the-Middle (MITM) attacks that reduce the encryption strength of an SSL connection and therefore potentially expose transmitted data. CVE-2014-0221 is most likely to be limited to crashing systems using OpenSSL and is therefore a lesser concern.

 

Rapid7 is currently working on a security update and will announce its availability in this blog post as soon as it becomes available. To get alerted when this blog post is updated, please click the "Follow in" and select the "Email Update" option; please ensure that your Security Street preferences are set so that Security Street messages are forwarded to your email inbox.

 

How can I protect myself until an update is available?

 

Until the update is available and has been applied, Metasploit users should:

  • Only access the Metasploit web interface from a non-vulnerable browser. For the MITM attack to be successful, both the server and the client have to be vulnerable. The browsers officially supported by Metasploit are all non-vulnerable (see System Requirements), making the MITM attack fail even if the server is vulnerable.
  • Refrain from opening sessions since the communication between Meterpreter and Metasploit uses OpenSSL encryption.

 

We are continuing to research the impact these vulnerabilities may have on users and the industry. Once an update is available and you have applied it, you should cycle Metasploit user passwords.

 

Which Metasploit components are affected?

 

The following Metasploit components are affected:

  • Nginx
  • Ruby & Rails
  • Nmap
  • Postgres
  • Meterpreter

 

Is the Metasploit team working on modules to exploit these vulnerabilities?

 

You bet. Unfortunately, Tod broke our time machine last week so we were unable to release our exploits at the same time as the vulnerability disclosure but we're doing our best to catch up. If you have successfully written a module addressing any of these vulnerabilities, please create a pull request. We also accept Dogecoin donations to contribute towards our deductible for the time machine insurance policy. We'll update this blog post as modules become available.

 

UPDATE: Metasploit 4.9.3 available, addresses OpenSSL vulnerabilities (Updated 6/6/14, 2pm EST)

 

Metasploit release 4.9.3 is now available, addressing these vulnerabilities. Release notes: Metasploit 4.9.3 (Update 2014060501)

 

Recommended update procedure:

 

  • Update Metasploit and its dependencies to a non-vulnerable version
    • If you installed Metasploit using the binary installer from Rapid7.com
      • Enter the Metasploit Web UI at https://<METASPLOIT_IP>:3790/
      • Go to the Administration menu and choose the Software Update option.
      • Follow the instructions on your screen to update the software to version 4.9.3 or higher.
    • If you are using the pre-installed Metasploit version on Kali Linux
      • NOTE: The dependencies nmap, Ruby on Rails, and Postgres are provided by Kali Linux and beyond our control. Please check the Kali Linux website for more info.
      • On the command line, run: apt-get update && apt-get dist-upgrade
      • Kali Linux synchronizes its repositories with Debian every 6 hours
      • Verify that Nginx, Ruby, nmap and Postgres have updated to non-vulnerable versions
    • If you have used GitHub to install Metasploit Framework
      • Update using msfupdate command.
      • Update your local dependencies of Ruby, nmap, and Postgres to non-vulnerable versions
  • Change all Metasploit Pro/Express/Community user passwords that may have been compromised

 

If you have questions on this topic, please post a comment under this blog post or open a new discussion topic. If you are a Rapid7 customer, please feel free to contact our technical support team or your account executive for assistance.

 

New Modules

 

Incidentally, Metasploit 4.9.3 also includes some new modules since the last release. We've been kind of up to our eyeballs with patching and researching vectors for the new OpenSSL issues, so here's a quick update of new material since the end of May.

 

Exploit modules

 

Auxiliary and post modules

In the section about Point-of-Sale Intrusions, the Verizon 2014 Data Breach Investigations Report recommends that you "Debunk the flat network theory" to protect POS devices. Here's what it says on page 19:

 

Debunk the flat network theory

Review the interconnectivity between stores and central locations and treat them as semi-trusted connections. Segment the POS environment from the corporate network

 

This struck me as a little odd since network segmentation is a well-known and common best practice on most networks. Also, there is a strong economic incentive for companies to segment their main corporate network from anything touching credit cards: If you segment off the parts of your network that contain credit card data, your PCI scope is limited to the segments that have credit cards. In other words, you will only have to implement PCI requirements and demonstrate compliance for part of your network, not your entire network. This can mean a huge reduction in compliance costs. Since businesses mostly follow the money, it seems hard to believe that network segmentation is not prevalent with today's retailers.

 

I believe that the culprit is more likely to be a bad process for change control. As networks evolve, they change organically. Even if your network segmentation was architected and executed perfectly on day one, it will have undergone several changes. I've often heard of data breaches where a firewall configuration was changed to test something and not changed back when the test was completed.

 

One way to solve this is to implement better change control processes, but this is hard to enforce, especially in smaller organizations where process is a much heavier burden on the organization. Even in larger organizations, people could make "quick changes" outside of the process. Therefore, it is a good idea to audit whether network segmentation is operational and effective. In fact, the new PCI 3.0 standard requires that you do this if you're using network segmentation to reduce your PCI scope.

 

Rapid7 Metasploit Pro can test network segmentation by sending packets between two segments, namely between Metasploit itself and a testing server. The MetaModule tests all ports between the two machines to determine which ports are open and closed. This enables you to compare "what is" to "what should be" and determine compliance with your internal security policy and ultimately with the PCI standard.

 

[Screenshot: Firewall and Network Segmentation Testing MetaModule]

 

If you would like to test out Metasploit Pro's Firewall and Network Segmentation Testing MetaModule, you can get a free Metasploit Pro trial from Rapid7.com.

One of my key takeaways from the Verizon Data Breach Investigations Report was that credentials were a major attack vector in 2013. Especially within the POS Intrusions, brute forcing and use of stolen creds was a major problem.

 

[Chart: Verizon DBIR Figure 22, brute forcing]

 

These techniques were primarily leveraged against two targets: Shared passwords on 3rd-party provided POS systems were the biggest problem, followed directly by weak passwords on remote access solutions that enable the help desk to quickly provide help to employees working on the POS devices.

 

[Chart: Verizon DBIR Figure 23, desktop sharing]

When I talk to security professionals, they often tell me that they leverage L0phtcrack for brute forcing. While it's a great tool, it's really specialized in offline cracking of password hashes. For offline cracking, you need to have access to a hash that is stored in a system, typically a Windows or Unix user password.

 

However, especially in the case of remote access solutions, this approach does not work: you need to test passwords directly against the live service. Metasploit includes auxiliary modules that help you brute force passwords against PCAnywhere and VNC services. Here's how you'd conduct an audit for these services on your network with Metasploit Express or Metasploit Pro:

 

  1. Run a discovery scan on your network, which will identify any VNC or PCAnywhere services listening on the network
  2. Hit the "Bruteforce" button
  3. Select only the services for PCAnywhere and VNC, and start the brute forcing process

 

[Screenshot: Bruteforce, VNC and PCAnywhere services selected]

 

Metasploit Pro will now test these services using a list of the most common passwords, which include host names from the discovery scan. You can also provide your own password list, which may include the name of the POS vendors you work with.

 

By the way, Metasploit Pro also comes with a John The Ripper integration that cracks looted password hashes, covering the offline angle as well.

 

If you don't currently use Metasploit Pro, you can download a free Metasploit Pro trial on Rapid7.com. If you're running Kali Linux, Metasploit comes preinstalled. Just fill in the trial form to get the key, enter "msfconsole" on a Kali terminal, type "go_pro" and enter the license key.

When we talk about anti-virus evasion, we mostly do so in the context of a penetration test: If the "bad guys" can evade AV solutions because they write custom payloads, then a penetration tester must do the same to simulate an attack. However, AV evasion is also critical to vulnerability validation. While a full-scale penetration test looks for any way into the network, vulnerability validation surgically examines one vulnerability on a specific host and tests whether it is exploitable. Security professionals do vulnerability validation because it enables them to determine if a vulnerability is "real" so they can prioritize it; many also use the validation to demonstrate the security exposure to their peers in IT operations to get quick buy-in to patch or mitigate the risk. Metasploit Pro integrates with Rapid7 Nexpose Enterprise to pull reported vulnerabilities for validation and to push both validated vulnerabilities and vulnerability exceptions back into Nexpose for reporting and future testing, a process we call "closed-loop" vulnerability management.

 

[Screenshot: Metasploit vulnerability validation findings]

 

When you validate a vulnerability, you use the exploit associated to the vulnerability to test if it can be used on the machine. The idea is not only to rule out false positives but also to test if mitigating controls can stop an attack. For example, you may have closed a port on the host, shut down a service, or made adjustments on your firewall to protect the system from an attack. While anti-virus solutions are also considered security controls, they are mostly effective against mass malware attacks, not targeted attacks by a skilled attacker. When validating a vulnerability, you should therefore use anti-virus evasion that mimics these types of attackers to get a realistic picture on whether a certain vulnerability leaves a system open to attacks. If you don't, you may create an exception and accept the risk as mitigated while you're actually still vulnerable to an attack, giving you a false sense of security that could result in a breach.

 

In the recent 4.9 release of Metasploit Pro, we have improved our anti-virus evasion and baked it into all processes that use payloads, including vulnerability validation. That means that simply by leveraging Metasploit Pro for vulnerability validation, you're already using anti-virus evasion to mimic a real-world attacker. AV evasion is not included in Metasploit Framework, Community or Express, so we recommend that you use Metasploit Pro for vulnerability validations to get clean, realistic results. In fact, the classic Metasploit Framework payloads get flagged by most AV companies because they are readily available as open source, leading to false negatives in your vulnerability validation program.

 

If you don't have a copy of Metasploit Pro but would like to give it a go, simply sign up for the free Metasploit Pro trial from rapid7.com.

Many folks ask me how you can get started as a penetration tester. Save for a real-life penetration test, capture-the-flag (CTF) competitions are probably the most effective way for you to hone your offensive security skills. What's best: they're a ton of fun, even for experienced pentesters. The folks over at CTF365.com have put together a one-off CTF called Hacker's Dome, which will start on May 17th and run for 48 hours, so save the date.

hackers-dome.jpg

 

Hacker's Dome - First Blood CTF is a beginner/intermediate-level CTF, which means that it is open to anyone who wants to benchmark their hacking skills. Though it will last 48 hours, the average time you're likely to spend on it is a few hours. The CTF is online only, leveraging the virtual platform from CTF365.com. Participants will get a VPN login to access the CTF network. First Blood winners will get prizes worth $6,000.

 

According to the CTF's rule page: “We design the challenges with public vulnerabilities or known misconfigurations. Most of them can be found on exploit-db.com or other public sources. We don’t target 0-day vulnerabilities, so you won’t have to disclose your knowledge about arcane methods for getting access to a machine. We use Kali and the basic tools for the purpose of demonstrating the concept of a CTF challenge when we discuss the technical aspects of a competition.”

 

At Rapid7, we're always happy to support these kinds of community events, so we've donated one 1-year license of Metasploit Pro for the CTF raffle, which includes other awesome prizes. If you'd like to try out Metasploit Pro right now, or to participate in the CTF, you can download a free 14-day trial of Metasploit Pro.

 

You can participate in the Hacker's Dome CTF for a fee of $46. The competition is free of charge for those of you who own a CTF365 Bronze Account and only $46 for those who just want to play Hacker's Dome – First Blood CTF.

 

If this CTF sounds like a fun idea, block out that weekend and enroll now.

heartbleed.png

Metasploit 4.9.0 and earlier vulnerable to Heartbleed, update 4.9.1 addresses critical cases

 

The Metasploit editions Metasploit Pro, Metasploit Express, and Metasploit Community in versions 4.9.0 or earlier are vulnerable to the OpenSSL Heartbleed Vulnerability (CVE-2014-0160). Please update to version 4.9.1 to remediate critical vulnerabilities. See below for remediation instructions.

 

Metasploit Framework itself is not affected, but it has dependencies on other components that may need to be updated. If you have installed Metasploit Framework through GitHub, please check these dependencies yourself (listed below) and update them. If you have used the Metasploit binary installer from Rapid7.com, you will have all of the dependencies below on your system, and your Metasploit update will update each one of them. For more information, please see the remediation steps below.

 

Due to the nature of the vulnerability, SSL key material and passwords should be assumed to be compromised and must be changed.

 

Affected Metasploit dependencies

 

In the aforementioned Metasploit versions, the following Metasploit components use a vulnerable version of OpenSSL that needs to be updated:

  • Nginx
  • Ruby
  • Nmap
  • Postgres

 

In the aforementioned Metasploit versions, the following Metasploit components use a non-vulnerable version of OpenSSL:

  • Meterpreter

 

How to remediate the Heartbleed vulnerability in Metasploit

 

If you are running these versions, please follow the following steps to remediate the vulnerability:

 

  • Update Metasploit and its dependencies to a non-vulnerable version
    • If you installed Metasploit using the binary installer from Rapid7.com
      • Enter the Metasploit Web UI at https://<METASPLOIT_IP>:3790/
      • Go to the Administration menu and choose the Software Update option.
      • Follow the instructions on your screen to update the software to version 4.9.1 or higher.
    • If you are using the pre-installed Metasploit version on Kali Linux
      • On the command line, run: apt-get update && apt-get dist-upgrade
      • Kali Linux synchronizes its repositories with Debian every 6 hours
      • Verify that Nginx, Ruby, nmap and Postgres have updated to non-vulnerable versions
    • If you have used GitHub to install Metasploit Framework
      • Metasploit itself is not vulnerable, but you should check that you're running non-vulnerable versions of Ruby, nmap, and Postgres
  • Replace SSL keys that may have been compromised (Metasploit Pro/Express/Community only)
    • Stop Metasploit (linux: /etc/init.d/metasploit stop,  windows: Start Menu -> Metasploit -> Services -> Stop Metasploit)
    • Remove all files from INSTALL_DIRECTORY/apps/pro/nginx/cert (specifically ca.crt, server.crt, and server.key)
    • Start Metasploit (linux: /etc/init.d/metasploit start, windows: Start Menu -> Metasploit -> Services -> Start Metasploit)
    • Metasploit will regenerate new self-signed SSL keys.  You will need to accept these in your browser when visiting https://<METASPLOIT_IP>:3790/
  • Change all Metasploit Pro/Express/Community user passwords that may have been compromised
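The Kali Linux and GitHub branches of the procedure above end with "verify that the dependencies are on non-vulnerable versions". As an added example (my own code, not Rapid7's or the Metasploit project's), the script below turns that check into something repeatable: it classifies an OpenSSL version string against the affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1; 1.0.1g carries the fix) and reports the OpenSSL library the running Ruby is linked against. The component outputs in SAMPLE_OUTPUT are constructed; on a real system you would feed in what `nginx -V`, `nmap -V` and `ruby -ropenssl -e 'puts OpenSSL::OPENSSL_VERSION'` actually print. The one caveat a practitioner must keep in mind is that distributions backport the fix without bumping the version letter, so a :vulnerable result from the string alone is a prompt to check the package changelog or run a heartbeat scan, not a verdict.

```ruby
require 'openssl'

# Heartbleed (CVE-2014-0160) affects OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1.
# 1.0.1g and 1.0.2-beta2 carry the fix; the 0.9.8 and 1.0.0 branches never had
# the heartbeat extension bug.
HEARTBLEED_FIXED_LETTER = "g".freeze

# Classify any text that embeds an OpenSSL version, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
# (openssl version, nginx -V) or "openssl-1.0.1e" (nmap -V).
# Returns :vulnerable, :not_vulnerable, or :unknown if no OpenSSL version is present.
# Caveat: vendors backport fixes without changing the letter (Debian's 1.0.1e-2+deb7u5
# was fixed), so :vulnerable here means "confirm via package changelog or a scanner".
def heartbleed_status(text)
  m = text.match(/openssl[\s-]+(\d+)\.(\d+)\.(\d+)([a-z]?)(\S*)/i)
  return :unknown unless m
  major, minor, patch = m[1].to_i, m[2].to_i, m[3].to_i
  letter, suffix = m[4], m[5]
  return :vulnerable if major == 1 && minor == 0 && patch == 2 && suffix == "-beta1"
  return :not_vulnerable unless major == 1 && minor == 0 && patch == 1
  # "" (plain 1.0.1) sorts before "a", so the bare 1.0.1 release is caught too.
  letter < HEARTBLEED_FIXED_LETTER ? :vulnerable : :not_vulnerable
end

# The OpenSSL this Ruby process is actually linked against (library version where
# the binding exposes it, otherwise the headers it was compiled with).
def local_ruby_openssl
  lib = defined?(OpenSSL::OPENSSL_LIBRARY_VERSION) ? OpenSSL::OPENSSL_LIBRARY_VERSION : OpenSSL::OPENSSL_VERSION
  { version: lib, status: heartbleed_status(lib) }
end

# Constructed sample output for the components the advisory lists; replace with
# the real command output on the host being checked.
SAMPLE_OUTPUT = {
  "nginx"    => "built with OpenSSL 1.0.1e 11 Feb 2013",
  "ruby"     => "OpenSSL 1.0.1g 7 Apr 2014",
  "nmap"     => "Compiled with: liblua-5.2.3 openssl-1.0.1e libpcre-8.32",
  "postgres" => "psql (PostgreSQL) 9.3.4",   # no OpenSSL string: needs a different check
}.freeze

# component name => status, for every entry in outputs
def audit(outputs)
  outputs.transform_values { |text| heartbleed_status(text) }
end

if __FILE__ == $0
  audit(SAMPLE_OUTPUT).each { |component, status| puts "#{component}: #{status}" }
  puts "this ruby: #{local_ruby_openssl.inspect}"
end
```

Postgres deliberately comes back as :unknown: `psql --version` does not name its OpenSSL, so for that component the package manager's changelog or a scan of the listening port is the check, which is also why the advisory points to the Metasploit 4.9.1 and Nexpose Heartbleed scanners.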

 

Updating to Metasploit 4.9.1 solves the most pressing Heartbleed vulnerabilities but does not address a low-risk vulnerability in nmap

 

While Metasploit version 4.9.1 updates Heartbleed vulnerabilities to protect Metasploit users from the most pressing risks posed through nginx, Postgres and Ruby, it does not update nmap and nmap will still be vulnerable. Rapid7 will make the update to nmap available in the near future and believes that the current level of vulnerability in nmap poses acceptable risk in the short term:

 

Nmap uses client-side OpenSSL to scan services. An attacker would have to set up an SSL-enabled web server on the target network that you are scanning and actively exploit the Heartbleed vulnerability when you scan it. Heartbleed does not grant code execution on the machine, just information disclosure of process-specific memory. Nmap does not use credentials for scanning, and all scanning data it keeps in memory could be obtained by simply scanning the network. There is also a small chance that an attacker would be able to crash the nmap process.

 

Rapid7 believes that the Heartbleed vulnerability in nmap poses acceptable risk and that remediating all other Heartbleed vulnerabilities immediately outweighs waiting until we have tested a non-vulnerable version of nmap. However, we are working on providing an updated Metasploit version that includes a non-vulnerable and quality-tested version of nmap as soon as possible. Updates to this status will be advertised in this blog post.

 

Metasploit 4.9.1 and Nexpose both include scanners for Heartbleed vulnerabilities

You can now also use all Metasploit editions to scan your network for other server-side Heartbleed OpenSSL vulnerabilities. Find out more in this blog post. Rapid7's vulnerability management solution, Nexpose, also has vulnerability checks for Heartbleed vulnerabilities.

 

Learn how to protect your organization from Heartbleed

 

Metasploit is by far not the only application affected by Heartbleed. To learn how to strategically think about addressing this vulnerability in your organization, watch our free webcast with Trey Ford, "Heartbleed War Room: Briefing, Strategy and Q&A" (on demand).

 

UPDATE: Metasploit release 4.9.2 available, addresses nmap Heartbleed vulnerabilities (4/11/14, 2:20pm EDT)

 

Metasploit update 4.9.2 is now available, addressing the remaining low-risk Heartbleed vulnerability in the nmap scanner that is installed with the Metasploit binary installer. Please update your Metasploit edition using the Metasploit web UI in the Administration menu under the Software Update option. Because the nmap vulnerability does not carry the risk of leaking private data, you do not have to change SSL key material or passwords after this update.


NOTE: This update does not affect Metasploit on Kali Linux, which uses the Kali-provided nmap version. Please verify that the nmap version you are using on Kali Linux is up to date and not vulnerable.

 

 

If you have questions on this topic, please post a comment under this blog post or open a new discussion topic. If you are a Rapid7 customer, please feel free to contact our technical support team or your account executive for assistance.

No-Vacancies.jpg

PCI DSS Compliance is driving about 35% of all penetration tests, according to a Rapid7 Metasploit User Survey with more than 2,200 respondents earlier this year. With the changes introduced in PCI DSS version 3.0, penetration tests will become more complex and longer in duration, and more companies will feel the need to run penetration tests in the first place. Given that it takes a lot of time and money to train new penetration testers, this will cause consultants to book out early, and probably even increase prices per day.

 

PCI v3.0 changes will increase the demand for and duration of penetration tests

 

Requirement 11.3 demands that companies develop and stick to a penetration testing methodology, citing NIST SP 800-115 as an example. This new requirement has two knock-on effects:

 

  • It increases the documentation required to pass the pentest. Writing reports already takes about 30% of a consultant’s time. Even if consulting companies have template penetration testing methodologies, these will have to be discussed with clients and potentially adopted, both of which cost additional time.
  • While penetration testing has always been required by PCI DSS, version 2.0 did not define what a penetration test is. As a result, some companies, especially those using self-assessment questionnaires, simply submitted vulnerability scans or even an nmap scan and ticked the compliance box. With PCI DSS 3.0, this is no longer possible since a penetration test is much more clearly defined, specifically including exploitation as one of the techniques.

 

Requirement 11.3.3 calls for remediating all exploitable vulnerabilities and then retesting them. This has two levels of impact:

 

  • I have talked to many security consultants over the years who have been frustrated that some customers never address the holes they point out, leaving the consultant to the futile exercise of copying and pasting last year’s report. This will no longer fly this year, since you are required to remediate all exploitable vulnerabilities.
  • In the case that you find exploitable vulnerabilities, you will have to retest these vulnerabilities. This may involve your booking a second round of security consultants.

 

Requirement 11.3.4 asks companies to carry out active tests to ensure that network segmentation is operational and effective. This is a new requirement that needs to be covered as a standard part of the penetration test. This will also extend the duration of the penetration test.

 

Penetration Testers will book out early - and hourly rates will go up

 

As a result of more people needing penetration tests and the penetration tests being longer in duration, prices may also increase as a function of increased demand. The supply of penetration testing services is inelastic, meaning it is hard to increase the supply of penetration testing services because it is hard to train new staff in penetration testing skills. As a result, penetration testing companies will increase their hourly rate as they start to get more and more booked out during the year, charging a premium for rising demand and to compensate for overtime payments, sacrificed vacations and weekend work.

 

penetration-testing-supply-demand.png

 

Seven Tips for Booking Your PCI 3.0 Penetration Testing Services

 

  1. Book penetration testing services early and reserve your slots. You will save on the hourly rate and secure a slot to complete your audit on time.
  2. In the Statement of Work, include a clause that the security consultant will use a penetration testing methodology that is accepted under PCI DSS v.3.0 and that the consultant will include this methodology in their final report.
  3. Make space in your project plan and budget for remediation and a second round of penetration testing.
  4. Don’t forget to book the second slot with the security consultant so that you have a time locked in to pass your audit on time.
  5. Ensure that network segmentation testing is covered as one of the actions in the Statement of Work.
  6. Pad your budget for increases in hourly rate and duration of penetration testing services for PCI DSS. Needs may vary depending on how early you book, how in-depth your previous year’s penetration test was, and how much you have to remediate after the penetration test. As a rough estimate, a 30% increase will probably cover your increased spending.
  7. If you have the resources in-house, consider moving penetration tests in-house. For PCI, the resource needs to be qualified and independent from the people who are responsible for the security of the Cardholder Data Environment (CDE).

 

How Rapid7 can help

 

 

Learn more about Rapid7’s solutions for PCI DSS.

 

If you’d like to start a conversation, contact Rapid7. For more information about the new penetration testing requirements for PCI 3.0, view our free on-demand webcast “Implementing New Penetration Testing Requirements for PCI DSS 3.0”.

Part of the Metasploit Framework, msfvenom is a command-line tool that helps penetration testers to generate stand-alone payloads to run on compromised machines to get remote access to the system. Msfvenom is a combination of two other Metasploit Framework tools: Msfpayload and Msfencode, which generate and encode payloads respectively.

 

msfvenom.png

Even if you have used Msfvenom before, chances are that you need to look up the tool's documentation every time you want to generate a payload. Msfvenom is a great tool, but getting all of the command line options right can be a challenge. With the new Payload generator, you can generate new payloads for any platform much more quickly:

Classic Payloads.png

 

Encoding the payload is easy, too. Simply type in the characters you'd like to see excluded from the payload.

 

payload-generator-encoding.png

 

You can choose between different output formats: EXE, raw bytes, and shellcode buffer.

 

payload-generator-output.png
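The two options shown above, excluding characters and choosing an output format, are easier to reason about with a concrete buffer in hand. The following is an added example of my own, not code from the Payload Generator or msfvenom: it scans a byte buffer for bytes that the delivery path cannot carry (a NUL that terminates a C string, CR/LF that end a line in a text protocol) and renders the buffer as a C array or a Ruby string literal. SAMPLE_BUF is constructed filler, not a payload, and the C layout is my own rather than msfvenom's exact output.

```ruby
# Constructed sample buffer (arbitrary bytes, NOT a payload). It deliberately
# contains the three bytes most often excluded so the scan has something to find.
SAMPLE_BUF = "\x90\x90\x00\x41\x0d\x0a\xff\x00".b.freeze

# Bytes that commonly break delivery: NUL ends a C string, CR/LF end a line in
# text protocols such as HTTP or SMTP. Which set applies depends on the input path
# the vulnerable program reads the data through, which is why the generator lets
# you choose them instead of hard-coding a list.
DEFAULT_BAD_CHARS = "\x00\x0a\x0d".b.freeze

# Every position at which buf contains one of the excluded bytes.
def bad_char_offsets(buf, bad_chars = DEFAULT_BAD_CHARS)
  bad = bad_chars.b.bytes
  buf.b.bytes.each_with_index
     .select { |byte, _| bad.include?(byte) }
     .map    { |byte, i| { offset: i, byte: byte } }
end

def clean?(buf, bad_chars = DEFAULT_BAD_CHARS)
  bad_char_offsets(buf, bad_chars).empty?
end

# Render as a C unsigned char array (layout assumed, not msfvenom's "c" format).
def to_c_array(buf, name = "buf", per_line = 8)
  lines = buf.b.bytes.each_slice(per_line).map do |slice|
    "  " + slice.map { |b| format("0x%02x", b) }.join(", ")
  end
  "unsigned char #{name}[] = {\n#{lines.join(",\n")}\n};\n"
end

# Render as a Ruby string literal with hex escapes.
def to_ruby_string(buf, name = "buf")
  hex = buf.b.bytes.map { |b| format("\\x%02x", b) }.join
  "#{name} = \"#{hex}\"\n"
end

if __FILE__ == $0
  bad_char_offsets(SAMPLE_BUF).each { |h| printf("bad byte 0x%02x at offset %d\n", h[:byte], h[:offset]) }
  puts to_c_array(SAMPLE_BUF)
  puts to_ruby_string(SAMPLE_BUF)
end
```

The scan is the part worth running on anything you generate: a buffer that still contains an excluded byte after encoding will be truncated or mangled by the target's input handling, and the symptom (no session, or a crash) looks just like a mitigated vulnerability, which is the false-negative problem described in the vulnerability validation post above.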

 

We're making this new productivity feature available to you for free in Metasploit Community until April 30, 2014, after which it will become a Metasploit Pro exclusive feature again. You can get your free copy of Metasploit Community or a free Metasploit Pro trial on the Rapid7 website.

Metasploit 4.9 helps penetration testers evade anti-virus solutions, generate payloads, test network segmentation, and generally increase productivity through updated automation and reporting features. Since version 4.8, Metasploit has added 67 new exploits and 51 auxiliary and post-exploitation modules to both its commercial and open source editions, bringing our total module count up to 1,974. The new version is available immediately.

 

Generate AV-evading Dynamic Payloads

 

Malicious attackers use custom payloads to evade anti-virus solutions. Because traditional Metasploit Framework payloads are open source and well known to AV vendors, they are often quarantined by AV solutions when conducting a penetration test, significantly delaying an engagement or even stopping a successful intrusion, giving the organization a false sense of security. Penetration testers must therefore have the ability to evade AV solutions to simulate realistic attacks.

 

The new Metasploit Pro 4.9 generates Dynamic Payloads that evade detection in more than 90% of cases and has the ability to evade all ten leading anti-virus solutions by creating a unique payload for each engagement that does not demonstrate the typical behavior flagged by heuristic algorithms. Dynamic Payloads significantly increase productivity of a penetration tester by saving many hours of creating custom payloads as well as trial and error to evade detection through encoding and ensure that organizations do not fall prey to a false sense of security.

 

Dynamic Payloads.png

 

With Dynamic Payloads, you’ll have these advantages:

 

  • Evade all leading anti-virus vendors: Dynamic Payloads evade the top 10 AV solutions in more than 90% of cases. No AV vendor detects all MSP payload options!
  • More stable sessions: Dynamic Payloads use error corrections to make sessions more stable than regular MSF sessions
  • IPS Evasion through stage encoding: Stager will encode the traffic when downloading the payload, which can help evade IPS

 

Dynamic payloads are exclusive to Metasploit Pro. To test the new AV evasion, get your free Metasploit Pro trial now.

 

Free Webcast: Evading Anti-Virus Solutions with Dynamic Payloads in Metasploit Pro

 

If you would like to learn more about how Dynamic Payloads are used to evade anti-virus solutions, join us on the free webcast "Evading Anti-Virus Solutions with Dynamic Payloads in Metasploit Pro" with Metasploit engineer David Maloney.

 

 

Easily generate stand-alone payloads with the Payload Generator

 

Penetration testers sometimes need a stand-alone payload to install on a machine they have compromised and want to control. Generating stand-alone payloads with msfvenom in Metasploit Framework is very cumbersome even for the most experienced Framework user. The new Payload Generator makes it very easy to generate Classic Payloads for any platform, architecture, stager, stage, encoding and output format.

 

Classic Payloads.png

 

The Payload Generator with Classic Payloads is available in the free Metasploit Community Edition as well as the commercial editions Metasploit Express and Metasploit Pro. Dynamic Payloads can also be downloaded as stand-alone executables and are exclusive to Metasploit Pro. To test the new payload generator, get your free Metasploit Community license or free Metasploit Pro trial now.

 

Test whether your network segmentation is operational and effective

Network segmentation is a security best practice that can help contain a breach to one part of the network by splitting a computer network into subnetworks, the so-called segments.

 

While network segmentation is not required by PCI DSS, it is often used to limit the scope of the network falling under PCI compliance. This can drastically limit the effort and cost of PCI compliance.

 

However, there is plenty of room for error in setting up network segmentation, and many companies have learned this the hard way. In an interview with SearchSecurity, Troy Leach, CTO of the PCI Security Standards Council, said: "In the past, we've seen compromises where organizations thought they were doing the right thing, adequately segmenting off what they deemed to be their CDEs, only to find [the security controls were] never tested appropriately."

 

As a result, PCI version 3.0 added requirement 11.3.4, which requires you to conduct a penetration test to verify that your network segmentation is operational and effective. You need to be compliant by June 30, 2015.

 

Metasploit Pro 4.9 adds a new MetaModule for testing whether network segmentation is operational and effective. The MetaModule requires a target server, e.g. on a laptop, in the target network so that Metasploit Pro can test for open ports between the Metasploit Pro instance and the testing server.

 

Segmentation Testing.png

 

This and other MetaModules are exclusive to Metasploit Pro. To test your network segmentation, get the free Metasploit Pro trial now.


Boost your productivity with new and improved Task Chains

Security assessments contain many repetitive and tedious tasks, and long waiting times in between. This is not only frustrating for you as a penetration tester but also increases the cost of engagements to a level where it’s not feasible to test on a regular basis.

 

In a recent survey with more than 2,000 Metasploit users, Metasploit Pro users said that they save 45% of time compared to using Metasploit Framework. With Metasploit Pro 4.9, we’re increasing your productivity even further.

task-chains1.png

 

Using the new Task Chains’ drag & drop interface, you can create custom workflows, either for running on-demand or on a one-time or repeated schedule. For example, you could schedule a network discovery scan, followed by a single pass of MS08-067 exploitation, looting of credentials and screenshots, and an iterative login with known credentials and looting more credentials to come back to an owned network the next morning. Or you could watch it run while focusing on other tasks.

 

What would you do with the extra time you’ve gained from added productivity? You could conduct more assessments, focus your efforts on tasks that really require your expertise, clean up your inbox, or just get home earlier in the day.

 

Task chains are exclusive to Metasploit Pro. To start creating your custom workflows, get the free Metasploit Pro trial now.

 


 

Enjoy a more powerful Meterpreter payload

 

Since the 4.8 release, we have greatly improved Meterpreter's capabilities and reliability. While we were at it, we overhauled the Windows and POSIX Meterpreter development environment to make it easier to set up for researchers and open source contributors.

 

Exciting new Meterpreter functions include:

 

  • Monitor clipboards: automatically download contents of the target's clipboard, continuously for the life of the session
  • Have a two-way video chat with your victim: have a heart-to-heart with your compromised client system, in real time
  • Query ADSI and WMI: enables hardcore Windows Domain hackers to rifle through Active Directory records
  • Access cleartext credentials: snarf in-memory passwords on 32-bit and 64-bit platforms with improved Mimikatz
  • Impersonate in-memory tokens: with the new and improved Incognito extension

 

Test your network with 118 new exploits, auxiliary and post-exploitation modules

 

Metasploit is constantly updating its arsenal of exploits, auxiliary and post-exploitation modules to ensure that you’re testing your network against the latest threats. We believe that sharing vulnerabilities and exploits broadly with the community increases security for everyone, which is why we also make all of our modules available in our free editions Metasploit Framework and Metasploit Community.

 

We’re adding new exploits at a rate of 1.2 per day, and here’s what we’ve added since version 4.8:

 

Exploit modules

 

Auxiliary and post modules

 

Please also note the release notes from this release versus the last weekly update.

 

Get your free Metasploit download or trial on the Rapid7 website now!

network-segmentation-testing.png

Network segmentation is the act of splitting a computer network into subnetworks, each being a network segment, which increases security and can also boost performance. It is a security best practice that is recommended (but not required) by PCI DSS and it makes the top 20 list of critical security controls suggested by SANS. Due to the ongoing investigation, the world doesn't have the full details on the Target breach yet, but there are strong indications that network segmentation could have considerably reduced the impact of that breach.

 

It appears that the attackers entered through an HVAC company that supplied heating/cooling systems to Target stores. While it was first speculated that this external partner had remote access to the HVAC systems for maintenance, it was later disclosed that it was their EDI/Billing integration that turned out to be Target's soft spot.

 

While network segmentation cannot help you keep attackers out, it can help you contain the impact of a breach to one part of the network. With solid network segmentation between the billing and the POS systems, Target might have prevented the attackers from reaching their pot of gold - the POS systems.


To help our customers audit if their network segmentation is effective, we are updating Metasploit Pro to test the connection between any two network segments, testing open ports between the Metasploit Pro instance and a network segmentation testing server.


In addition to this very quick and easy network segmentation test, you can use Metasploit Pro to conduct a penetration test from any network segment and try to reach another, such as the cardholder data environment (CDE). Metasploit Pro's VPN pivoting can help you traverse network segments connected by multi-homed machines.
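Both this post and the 4.9 release notes above describe the same check: from one segment, try to reach a test server placed in another segment and see which ports answer. As an added example, written by me and not the MetaModule's code, here is a minimal version of that test in Ruby. It assumes you express the segmentation policy as a hash of port to :allowed or :blocked, run the script from the segment whose reach you want to measure, and point it at the address of a listener you control in the other segment; a :blocked port that turns out to be :open is a segmentation violation. The `demo` method stands up a loopback listener so the whole thing runs offline with constructed input.

```ruby
require 'socket'

# Errors that mean "no answer at all": a firewall DROP rule, no route, or a timeout.
# That silence is what a correctly segmented port should produce. IO::TimeoutError
# only exists on newer Rubies, so it is added conditionally.
NO_ANSWER_ERRORS = [Errno::ETIMEDOUT, Errno::EHOSTUNREACH, Errno::ENETUNREACH]
NO_ANSWER_ERRORS << IO::TimeoutError if defined?(IO::TimeoutError)

# One TCP connect attempt, classified the way a port scanner would report it.
#   :open     -> a service (or the test server) accepted the connection
#   :closed   -> the host answered with a reset: reachable, nothing listening, or a REJECT rule
#   :filtered -> no answer within the timeout: DROP rule or no route
def probe_port(host, port, timeout = 2)
  Socket.tcp(host, port, connect_timeout: timeout) { :open }
rescue Errno::ECONNREFUSED
  :closed
rescue *NO_ANSWER_ERRORS
  :filtered
end

# policy: { port => :allowed | :blocked } for the path from this segment to host.
# Returns every probe result plus the list of ports that violate the policy.
# Note that :closed does not prove the segmentation rule works: the packet still
# reached the host and was rejected there, so the host (not the boundary) decided.
def segmentation_test(host, policy, timeout = 2)
  results = policy.keys.to_h { |port| [port, probe_port(host, port, timeout)] }
  violations = results.select { |port, state| policy[port] == :blocked && state == :open }.keys
  { results: results, violations: violations }
end

# Offline demonstration with constructed input: a loopback listener plays a service
# that the policy says must be unreachable from here, and a port with nothing on it
# plays a port that is correctly blocked.
def demo
  listener = TCPServer.new("127.0.0.1", 0)
  open_port = listener.addr[1]
  spare = TCPServer.new("127.0.0.1", 0)   # grab a free port number, then release it
  closed_port = spare.addr[1]
  spare.close
  policy = { open_port => :blocked, closed_port => :blocked }
  segmentation_test("127.0.0.1", policy).merge(open_port: open_port, closed_port: closed_port)
ensure
  listener&.close
end

if __FILE__ == $0
  r = demo
  r[:results].each { |port, state| puts "port #{port}: #{state}" }
  puts "violations: #{r[:violations].inspect}"
end
```

Two things the real MetaModule does that this sketch leaves out: it drives a dedicated test server so that :open means "the boundary let the packet through" rather than "some unrelated service happened to answer", and it sweeps a full port range instead of a hand-written policy. Both are worth adding before relying on the result for a PCI 11.3.4 test.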


The new Network Segmentation Testing MetaModule will be available soon - watch this space!
