Automated security tools have been one of the most significant advancements in information security. Automation
has become a necessity given the increasing complexity of networks and software -- and the threats targeting them.
The concept of security automation is nothing new. The Security Administrator Tool for Analyzing Networks (SATAN) started the automated security tool revolution in 1995, and since then automation has evolved to include binary analysis, malware research, sandboxes, vulnerability scanning, code scanning and more.
As with any information security tool, Metasploit can be used to do both good and harm.
Specific to automated vulnerability assessment, hacking with Metasploit has arguably become the most popular way to use such a tool, and has become a critical tool in defending an enterprise's network. Unfortunately, it is so good at identifying and exploiting an organization's weak spots that most attackers now know Metasploit is a simple way to find and exploit a vulnerable system.
In this tip, I will discuss how Metasploit works, why enterprises would want to use it and how to put controls in place to ensure attackers can't use Metasploit to sneak inside your organization.
How Metasploit works
Created by H.D. Moore in 2003, the open source Metasploit software is one of several tools that can be used to automate many of the steps of penetration testing. When new exploits are discovered, which happens constantly, Metasploit overseer Rapid7 and the 200,000-plus users of Metasploit work to add the exploit to Metasploit's catalog. Then, anyone using Metasploit can use it to test whether the exploit works against particular systems.
Metasploit is extendable with the Metasploit Framework where the controlling interface identifies a vulnerability, exploits it, delivers the exploit and -- in some interfaces -- includes post-exploitation tools and reporting. The Metasploit Framework imports data from a vulnerability scanner, uses details about vulnerable hosts to identify vulnerabilities to exploit, and launches an attack using a payload to exploit the system. All of this can be managed by the Metasploit Web Interface using one of the several different interfaces available (e.g., command line tool, Web-based graphical user interface, commercial tools).
Attackers can import results from a vulnerability scanner into Armitage, an open source security tool in the Metasploit Framework, and identify the vulnerabilities with Metasploit modules. Once these vulnerabilities are identified, attackers can use an applicable exploit to compromise the system to get a shell or launch the meterpreter in Metasploit to control the system.
The payload is the commands to execute on the local system once access has been gained through an exploit. This can include documentation and a database of techniques to develop a working exploit after identifying the vulnerability. The payload database includes modules to extract passwords from the local system, install other software or to control the hardware much like previous tools, such as BO2K, have.
Using Metasploit to secure your enterprise
Using Metasploit as part of a general vulnerability management program can verify that a vulnerability has been closed by patching, changing a configuration or implementing a compensating control. For example, if a patch isn't available yet but disabling a specific system feature will prevent a network being exploited, you can use Metasploit to verify that the proposed tactic (the disabling of the system) works as expected. Metasploit also verifies that the exploit attempt is detected by security monitoring tools.
Another benefit of Metasploit is that it helps demonstrate the seriousness of a vulnerability by showing someone how easy it is to exploit it and completely compromise a system. For example, a remotely exploitable vulnerability could be identified on a target system, and then a payload could be configured within Metasploit to open a remote shell on the target system so that an attacker can steal data or install a keylogger. Using Metasploit for pen-testing to automate many of the manual checks will allow pen-testers to bypass certain areas and focus only on the areas that require in-depth analysis.
One of the most common uses for Metasploit in the enterprise is to prioritize patch or vulnerability management decisions. Once a Metasploit module has been released for a vulnerability, enterprises can place a higher priority on patches, especially due to the fact that the current generation of script kiddies can now easily compromise systems using it. In addition, any vulnerability identified with a Metasploit module already available should be at the top of an enterprise's list of vulnerabilities to patch or mitigate.
Defending against Metasploit
As with any information security tool, Metasploit can be used to do both good and harm. Black hats and other malicious hackers can use Metasploit against enterprises to identify exploits that will grant them unauthorized access to networks, applications and data.
Metasploit attacks can be best defended against using standard security controls such as patching, running applications or processes with least privileges, limiting network access to only trusted hosts, and other common controls that are covered in the SANS Top 20 Critical Security Controls or the OWASP Top Ten. A Metasploit attack can be detected across a network unless its "encode" option is used to prevent network traffic from being detected by an intrusion detection system. Barring that, Metasploit activity can also be detected by monitoring for anomalies on the network or by using a host-based detection tool that detects Metasploit executables running on the local system.
Just as a hammer can be used for good or harm, Metasploit can be used to keep a corporate network together or tear it apart. Despite the fact that Metasploit detects vulnerabilities and provides the front-line defense an enterprise network needs, it is critical to remember that attackers have access to the very same tool that will identify the very same vulnerabilities.
Having Metasploit in an enterprise's security toolkit is beneficial, but organizations must also leverage other tools and technologies to defend against the attackers using Metasploit against them.
About the author:
Nick Lewis, CISSP, is the information security officer at Saint Louis University. Nick received his Master of Science degree in information assurance from Norwich University in 2005 and in telecommunications from Michigan State University in 2002. Prior to joining Saint Louis University in 2011, Nick worked at the University of Michigan and at Boston Children's Hospital, the primary pediatric teaching hospital of Harvard Medical School, as well as for Internet2 and Michigan State University.