This article can also be found in the Premium Editorial Download "Information Security magazine: With SSL VPNs on the offense, will IPSec VPNs eventually be benched?"
Exploit frameworks are the stuff of script-kiddies' dreams. It's trivially easy to use Metasploit, which includes three UIs: a command-line tool for scripting, a console prompt with specialized keywords as simple as "use [exploit]" and "set [payload]," and a point-and-click browser-based interface. Once the exploit and payload are assembled, the user executes the "exploit" command, launching the attack against a target.
CORE IMPACT's interface is even simpler to use; it shows a bird's-eye view of all penetrated machines on the network and the level of control the attacker has gained. The attacker merely needs to learn a single exploit framework's interface to choose, configure and launch exploits.
The attacker starts with a reconnaissance scan of the target. CORE IMPACT and CANVAS include built-in vulnerability and port scanners, while Metasploit users rely on third-party tools, such as the free Nessus or a commercial application such as Tenable Network Security's NeWT or Internet Security Systems' Internet Scanner. The attacker then runs the framework to launch an attack against vulnerabilities on the target machine.
The reconnaissance scanning and actual attack buy time for the IDS/IPS tools to detect the invasion. Although exploit frameworks increasingly include IDS and IPS evasion tactics, most attacks can still be spotted by up-to-date signatures. Nonetheless, these kinds of exploit tools make it more urgent
Sploits for the Good Guys
Exploit frameworks may aid the bad guys, but they also help security pros test their systems and harden their infrastructure.
Traditional scanners merely show whether a vulnerability might be present by checking version numbers and the behavior of a target machine. Exploit frameworks go further by actually attempting to exploit the vulnerability. Security managers can get a better picture of the holes in their network and the risks they face based on the difficulty of exploiting vulnerabilities.
Ideally, a security manager should use a vulnerability scanner and exploit framework in concert. The assessment team first runs a vulnerability scan and generates a report. For each identified vulnerability, the team employs an exploit framework to verify the flaw. Verification reduces false positives.
While this high degree of certainty is invaluable, some framework exploits can cause a target system or service to crash. Users need to exercise caution when running such tools and make sure the operations team is on standby to restart a service or reboot a system if things go awry.
Exploit frameworks can also help check IDS and IPS tools' functionality. When an IDS or IPS seems especially quiet, security managers often worry that their sensors are dead, misconfigured or simply inaccessible. Compounding the concern, enterprises may soon face attacks that disable IDS/IPS detection functionality while putting the system in an endless loop that makes it appear to be working just fine.
To make sure your IDS/IPS tools are running properly, consider using an exploit framework to fire sploits at them on a periodic basis. Admittedly, a traditional vulnerability scanner would tell you if a sensor is functional, but it would also trigger an avalanche of alerts. A single sploit will tell you if your detector is still running properly without driving your analysis team batty.
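A defender-side version of that periodic sensor check, added here as example code (it is not from the article or from any IDS product): one constructed canary marker is sent once, then the sensor's alert log is parsed for the matching rule ID inside a time window, so a quiet sensor is reported as dead rather than assumed healthy. The fast-style alert-line layout, the local canary rule SID 1000001, the payload string and the sample log lines are all assumptions constructed for the example.

```python
import re
import socket
from datetime import datetime, timedelta

CANARY_SID = 1000001  # assumed: SID of a local rule written to match only the canary
CANARY_PAYLOAD = b"X-Sensor-Heartbeat: canary-9f3a\r\n"  # constructed marker, not an exploit
# Assumed alert-line layout: "MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] ..."
ALERT_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]")
SAMPLE_ALERTS = [  # constructed log lines in the assumed layout
    "05/12-14:02:10.000100  [**] [1:2003:4] WEB-MISC old probe [**] [Priority: 2] {TCP} 10.0.0.7:5555 -> 10.0.0.9:80",
    "05/12-14:03:22.123456  [**] [1:1000001:1] LOCAL sensor heartbeat canary [**] [Priority: 3] {TCP} 10.0.0.5:43210 -> 10.0.0.9:80",
    "05/12-14:05:00.500000  [**] [1:2004:1] WEB-MISC unrelated scan [**] [Priority: 2] {TCP} 10.0.0.7:5556 -> 10.0.0.9:80",
    "this line is not an alert and must be skipped",
]

def log_clock(stamp, year=2005):
    """Turn the log's year-less 'MM/DD-HH:MM:SS.ffffff' stamp into a datetime."""
    return datetime.strptime(f"{year}/{stamp}", "%Y/%m/%d-%H:%M:%S.%f")

def parse_alert(line, year=2005):
    """Return (timestamp, sid) for an alert line, or None for anything else."""
    m = ALERT_RE.match(line)
    return (log_clock(m.group(1), year), int(m.group(3))) if m else None

def sensor_status(alert_lines, probe_time, window_s=60, year=2005):
    """'alive': only the canary alert fired within window_s seconds of the probe;
    'dead': no canary alert (sensor down, misconfigured or unreachable);
    'noisy': canary fired alongside other alerts, so check the rule is not too broad."""
    deadline = probe_time + timedelta(seconds=window_s)
    hits = others = 0
    for line in alert_lines:
        parsed = parse_alert(line, year)
        if parsed is None:
            continue
        ts, sid = parsed
        if probe_time <= ts <= deadline:
            if sid == CANARY_SID:
                hits += 1
            else:
                others += 1
    if hits == 0:
        return "dead"
    return "noisy" if others else "alive"

def send_probe(host, port, timeout=3.0):
    """Send the canary once over TCP; returns the send time to feed sensor_status."""
    sent_at = datetime.now()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(CANARY_PAYLOAD)
    return sent_at
```

In production the probe goes to a host the sensor watches and the alert lines come from the sensor's own log; the single canary keeps the analysis team's queue to one expected alert per check.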
One of the most common and obvious ways to use exploit frameworks is to enhance in-house penetration testing by performing more comprehensive tests in less time. Using an exploit framework, you can create a more systematic, repeatable test process with specifically chosen sploits and payloads to achieve the goals of the test, such as grabbing a given file from a target machine or getting command-shell access.
In the pre-framework days, many pen testers relied on a hodgepodge of sploits developed and collected over the years, with varying quality and different payloads. With exploit frameworks' comprehensive and constantly updated sets of exploits and payloads, a pen tester can focus more on the overall orchestration of an attack and the analysis of the results rather than spending exorbitant amounts of time researching, reviewing and tweaking individual exploits. The frameworks also offer an excellent development environment for pen testers who devise their own exploit code and payloads.
Exploiting the Sploits
Although exploit frameworks can greatly enhance your pen test exercises, they can't completely automate them. An experienced hand still needs to plan the test, launch the various tools, correlate tool output, analyze the results and dive deeper into the targets.
However, exploit frameworks shouldn't be overlooked as a means for improving management's security awareness. Most security pros have to work hard to make sure management understands security risks by emphasizing the need for hardened systems, thorough patching and solid incident response plans. Management's eyes glaze over after hearing for the umpteenth time the importance of good security practices, yet a single sploit is often worth more than a thousand words.
To help make your case, set up a lab demo of an exploit framework. Build a naked machine that contains a simple text file, such as "Please don't steal this important file!" Pick a reliable exploit, such as the Windows RPC-DCOM attack, and then show management how easy it is to compromise the target and snag that file.
Exploit frameworks are revolutionizing the development, distribution and usage of computer exploit code. Yes, these frameworks are indeed nasty weapons in the hands of the bad guys, but security pros can leverage them as handy tools to improve their operations. These tools provide deeper security assessments and verification of detection capabilities, improved pen tests and solidified management awareness. Security managers would be wise to learn how to exploit these frameworks as well as, if not better than, their adversaries.
This was first published in May 2005