In association with heise online

Dark arts

An exploit is a program that takes advantage of an existing security problem, for example to inject and execute its own code via a buffer overflow. Developing such exploits is black magic, even for experienced programmers. A successful attack, e.g. via a buffer overflow, requires a lot of hard work: the developer must experiment with jump addresses, must find a place for the "payload" containing the code to be injected, and must also get this code into the memory of the attacked system without any modifications.

Even minor changes on the target system, for example a different library version, will break code that has been developed so carefully. For instance, developers can hardly find a "universal" memory address across the various Windows versions where they can place their shellcode and execute it via a buffer overflow. As a result, they must start from scratch for each platform on which a specific security hole appears. The Metasploit Framework, with its modular structure and flexible, reusable code, facilitates such work.

Eager to attack

Primarily, the framework is a collection of exploits; a distinction is made between the actual attack mechanism, which needs to be adapted to the specific security hole, and the shellcode to be executed. The latter is provided by generic Perl modules, which allow the Metasploit user to focus on developing the attack code. Conversely, the user may also design new shellcodes for existing attack modules, which can in turn be reused for other modules.

The simplest kind of shellcode binds a command shell such as cmd.exe or Bash to a network port, making its functions available to everybody who establishes a connection to this port. The "reverse shell" is more sophisticated; it also works behind an enterprise firewall. It establishes a network connection out to a server and provides the shell prompt over that connection (it is termed "reverse" because the connection is set up the other way round compared to a Telnet or SSH session).
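The two shell payloads just described leave characteristic traces in endpoint telemetry: a bind shell is a shell process listening on a port, a reverse shell is a shell process with an outbound established connection, and either one spawned by a network service points to shellcode running inside that service. The following detector is an added example, not code from the article or from Metasploit; the record fields, the shell and service lists and the telemetry records are constructed assumptions.

```python
# Added example: classify constructed process/socket records into the
# payload types described above. Field names and lists are assumptions.
from dataclasses import dataclass

SHELLS = {"cmd.exe", "bash", "sh", "powershell.exe"}
# Network-facing services that should never spawn an interactive shell;
# a shell child is typical of exploit shellcode running in the service.
NETWORK_SERVICES = {"inetinfo.exe", "lsass.exe", "smbd", "httpd"}

@dataclass
class Conn:
    pid: int
    image: str        # process image name
    parent: str       # parent process image name
    state: str        # "LISTEN" or "ESTABLISHED"
    local: str        # "ip:port"
    remote: str       # "ip:port", or "" for listeners
    direction: str    # "in" (accepted) or "out" (initiated by this host)

def classify(c):
    """Return a list of findings for one record (empty if benign)."""
    findings = []
    if c.image in SHELLS and c.state == "LISTEN":
        findings.append("bind shell: shell listening on %s" % c.local)
    if c.image in SHELLS and c.state == "ESTABLISHED" and c.direction == "out":
        findings.append("reverse shell: shell connected out to %s" % c.remote)
    if c.image in SHELLS and c.parent in NETWORK_SERVICES:
        findings.append("shell spawned by network service %s" % c.parent)
    return findings

# Constructed telemetry, not real data. The last two records are benign:
# an SSH daemon listening, and a shell from an inbound SSH login.
SAMPLE = [
    Conn(1200, "cmd.exe", "inetinfo.exe", "LISTEN", "0.0.0.0:4444", "", "in"),
    Conn(1304, "bash", "smbd", "ESTABLISHED", "10.0.0.5:51234",
         "198.51.100.7:443", "out"),
    Conn(880, "sshd", "init", "LISTEN", "0.0.0.0:22", "", "in"),
    Conn(2210, "bash", "sshd", "ESTABLISHED", "10.0.0.5:22",
         "10.0.0.9:50022", "in"),
]

def scan(conns):
    """Map pid -> findings for every record that triggers at least one rule."""
    return {c.pid: classify(c) for c in conns if classify(c)}

if __name__ == "__main__":
    for pid, found in scan(SAMPLE).items():
        print(pid, "; ".join(found))
```

Note that the reverse shell in the sample uses port 443 outbound, which is exactly why a port-based firewall rule does not stop it; the detection has to key on the process, not the port.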

The "Meterpreter" is a special payload injected directly into a running process on the target system, which makes it hard to detect. Once started, the Meterpreter not only executes commands but can also be extended with loadable plug-ins. For example, the "Sam Juicer" plug-in delivers the password hashes of the attacked system, so it is not necessary to invest a lot of work in transferring your own tools onto the target system.

[Image: The reverse VNC payload gives full control over the desktop to an attacker.]

The VNC payload is particularly spectacular. The framework starts a new process on the attacked system that executes a modified VNC server without writing anything to the hard disk. Attackers can then work with a VNC client on the attacked system as though they were sitting right in front of it. The framework provides a total of about 70 different payloads.

Rich source to tap

With about 100 exploits, Metasploit cannot compete with tools such as Nessus, which has almost 10,000 plug-ins, but that is not the goal anyway. In any case, the exploits provided by MSF are a rich source for developers and can be recycled with minimal effort to attack new security holes.

MSF offers practically everything that has caused administrators to lose sleep during the last few years. There are exploits for security holes in Samba, Apache and Microsoft's Internet Information Server (IIS), as well as modules to exploit vulnerabilities on the client side, such as the LSASS security hole that the Sasser worm also uses to spread. The framework also attacks FTP servers, backup programs, PHP and MySQL applications and many more. Such attacks are by no means limited to Windows systems; the framework also includes exploits for Linux or Sun Solaris.

Permalink: http://h-online.com/-747169