01 Metasploit - The Elixir of Network Security
minisites.qaiglobalservices.com/stc2012/Paper_...

Metasploit – The Elixir of Network Security
Harish Chowdhary | Software Quality Engineer, Aricent Technologies |
Shubham Mittal | Penetration Testing Engineer, Iviz Security |

Transcript of 01 Metasploit - The Elixir of Network Security

Page 1: 01 Metasploit - The Elixir of Network Security (minisites.qaiglobalservices.com/stc2012/Paper_ Best..., 2012-12-19)

Metasploit – The Elixir of Network Security

Harish Chowdhary | Software Quality Engineer, Aricent Technologies |

Shubham Mittal | Penetration Testing Engineer, Iviz Security |

Page 2:

And Your Situation Would Be…

Page 3:

Main Goal

Learn why and how to test computer networks against the most common but really serious security attacks using METASPLOIT

Page 4:

What are we going to talk about

• Penetration Testing
• Why Bother?
• Testing Network with - METASPLOIT
• Proof of Concept (Demonstration)
• (Mitigation Strategies)
• Conclusion

Page 5:

Penetration Testing

A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source, known as a Black Hat Hacker, or Cracker. (Wikipedia)

• Environmental Attacks
• Input Attacks
• Logic and Data Attacks

Page 6:

Why Bother?

• Active pen-testing teaches you things that security planning will not
• Are your users and system administrators actually following their own policies?
• A host that claims one thing in the security plan but is totally different in reality
• Raises security awareness
• Helps identify weaknesses that may be leveraged by an insider threat or accidental exposure.
• Provides senior management a realistic view of their security posture
• Great tool to advocate for more funding to mitigate the flaws discovered
• If I can break into it, so could someone else!

Page 7:

How dangerous are Cyber attacks

• October 12, 2011: Sony suffered a data breach involving the usernames and passwords of about 93,000 customers. Attackers were able to reuse these to log on to people's PlayStation Network, Sony Online Entertainment, or Sony Entertainment Network accounts.
• 6 June 2012: over six million passwords were stolen in a hack of the professional networking site linkedin.com.
• 10 June 2012: Anonymous attacked and brought down the website run by the Computer Emergency Response Team India (CERT-In), the country's premier agency dealing with cyber security contingencies.

Page 8:

How dangerous are Cyber attacks

• July 12, 2012: A Yahoo security breach exposed 450,000 usernames and passwords from a site on the huge web portal, indicating that the company failed to take even basic precautions to protect the data.
• 2012: Latest SQL Injection Campaign Infects 1 Million Web Pages with the lilupophilupop.com
• "During the period December 2011 to February 2012, a total number of 112 government websites were hacked," Minister of State for Communications and IT Sachin Pilot told the Lok Sabha.
• September 10, 2012 (Network World): Anonymous has claimed responsibility for knocking domain provider GoDaddy offline.

Source: http://openspace.org.in

Page 9:

Hacked out of Business

Page 10:

Severity Of Cyber Attacks

Page 11:

Current State : Network Security

Page 12:

Severity Of Cyber Attacks

Page 13:

Severity Of Cyber Attacks

Page 14:

Penetration Testing

Application Security
• Application Security Review
• Application Security Assessment

Network & System Security
• Secure Network Architecture & System Integration
• Network Security Managed Operations

Security Governance & Compliance
• Security Management Reviews & Risk Assessment
• Security Policy & Process Development & Implementation
• ISO27001 Consulting

Business Continuity / Disaster Recovery
• BCM & ITDR Consulting
• BCM Compliance Services

Identity & Access Management
• Consulting & System Integration
• Support & Maintenance

Managed Security Services
• Professional Services
• Remote Security Operation Centre

Page 15:

Diagrammatic Representation

Page 16:

Process of PenTest

Page 17:

Focusing Network PenTest

Page 18:

Network Security Testing

Page 19:

What is Metasploit

• According to the Metasploit Team: "The Metasploit Framework is a platform for writing, testing, and using exploit code. The primary users of the Framework are professionals performing penetration testing, shellcode development, and vulnerability research."
• It is becoming the de facto standard for vulnerability assessment and PenTest.
• Largest Ruby project in existence
• Find vulnerability -> choose exploit -> check if exploit applies -> configure payload -> configure encoding to evade IDS and AV -> execute the exploit
• Includes an extensive shellcode and opcode database with full source code.

Page 20:

What is Metasploit

To understand the use of Metasploit we have to understand some basic terminology.

• Vulnerability

"The word vulnerability refers to a weakness in a system allowing an attacker to violate the confidentiality, integrity, availability, access control, consistency or audit mechanisms of the system or the data and applications it hosts."

• Exploits

An exploit is a security attack on a vulnerability.

Can exploits give access to a secured system?

Ans: NO

Page 21:

What is Metasploit

• Exploits have more potential
• They are commonly used to install system malware or gain system access or recruit client machines into an existing 'botnet'
• This is accomplished with the help of a Payload
• The payload is a sequence of code that is executed when the vulnerability is triggered
• Payloads are very useful because they provide an interactive shell that can be used to completely control the system remotely
• To make things clear, an Exploit is really broken up into two parts:
• EXPLOIT = Vulnerability + Payload

Page 22:

Hot Spots

• In a network, filtering and complex rules are generally applied on the basis of these basic factors:
  • TCP or UDP
  • Source IP address
  • Source Port Number
  • Destination IP address
  • Destination Port Number
• Now we have Metasploit at our disposal, and we also have the HOT SPOTS to target on the NETWORK.
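As an added example (not part of the original slides), a first-match packet filter that decides allow/deny on exactly the five factors listed above, with a default-deny fallback; the rule set, the admin host 192.168.242.10 and the sample packets are constructed, and only the 192.168.242.0/24 lab subnet is taken from the topology slide later in the deck.

```python
# Added example (not from the original slides): a first-match packet filter
# keyed on the five "hot spot" factors the slide lists: protocol (TCP/UDP),
# source IP, source port, destination IP, destination port. All data constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    proto: str = "any"          # "tcp", "udp" or "any"
    src: str = "0.0.0.0/0"      # source CIDR
    sport: tuple = (0, 65535)   # inclusive source port range
    dst: str = "0.0.0.0/0"      # destination CIDR
    dport: tuple = (0, 65535)   # inclusive destination port range

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and ip_address(p.src_ip) in ip_network(self.src)
                and self.sport[0] <= p.src_port <= self.sport[1]
                and ip_address(p.dst_ip) in ip_network(self.dst)
                and self.dport[0] <= p.dst_port <= self.dport[1])

def decide(rules, packet):
    """First match wins; no match is deny. Returns (action, rule index or None)."""
    for i, rule in enumerate(rules):
        if rule.matches(packet):
            return rule.action, i
    return "deny", None

# Constructed policy for the 192.168.242.0/24 lab subnet of the later slides:
# SMB (TCP 445) only from a hypothetical admin host .10, DNS out for everyone,
# and the Windows RPC/NetBIOS/SMB ports otherwise denied.
LAB_RULES = [
    Rule("allow", "tcp", src="192.168.242.10/32", dst="192.168.242.0/24", dport=(445, 445)),
    Rule("allow", "udp", src="192.168.242.0/24", dport=(53, 53)),
    Rule("deny", "tcp", dst="192.168.242.0/24", dport=(135, 139)),
    Rule("deny", "tcp", dst="192.168.242.0/24", dport=(445, 445)),
]

if __name__ == "__main__":
    # A constructed SMB connection attempt from the lab's attacker VM hits the deny rule.
    print(decide(LAB_RULES, Packet("tcp", "192.168.242.134", 40000, "192.168.242.132", 445)))
```

Reordering the rules changes the outcome, which is the usual reason a filter that "should" block a port still lets traffic through.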

Page 23:

SAMPLE PENETRATION TEST

*Note: Demonstration of the Penetration Test is only for Research Purposes

DON'T BE IRRESPONSIBLE...SERIOUSLY

USE OF THESE TOOLS ON MACHINES NOT LEGALLY OWNED BY YOU COULD END UP PUTTING A NASTY MARK ON YOUR CRIMINAL RECORD

This is not a live demo or real scenario of a Network Pentest. The network is emulated, which is really close to the "Real One".

Page 24:

The Attack

• To conduct a Software Exploitation Attack using Metasploit Framework against a Victim machine in order to gain system access
• To make things interesting, the Victim's machine will also have AV in order to see how it reacts to the attack.
• We use the MS08-067 exploit – Critical - CVE-2008-4250
• MS08-067 is "Vulnerability in Server Service Could Allow Remote Code Execution (958644)"
• On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code

Page 25:

Outline of Network Topology

• To emulate a real network we created a network of three virtual machines on a Win 7 host machine.
• VICTIM - WinXP machine with SP2 and SP3 flavor, IP addr = 192.168.242.132
• VICTIM - WinXP machine with SP3 and AV, IP addr = 192.168.242.133
• Attacker - Back|Track 5 r3 with Metasploit, IP addr = 192.168.242.134

Page 26:

Tools Used in the PenTest

• Automated tools are required to detect and exploit the vulnerabilities quickly, to save a crucial amount of time. You can use the following tools:
• Nmap 6.01
• Hyperion for Exploit/Payload Encryption
• Havij, which can be used to detect SQL injection on a website hosted on the target network
• SQL Inject Me (Firefox add-on)
• Acunetix Web Vulnerability Scanner

Page 27:

DEMO

Page 28:

Evaluate Impact on the Network and Reporting

• It reveals information about all the existing vulnerabilities in the network.
• How deep a hacker can go inside the network.
• How much data can be lost or altered.
• Report them accurately

Page 29:

Recommended Countermeasures

Discipline
• Code review
• QA Test Plans
• Test with an intruder's mindset
• Periodic Penetration Testing

Page 30:

Recommended Countermeasures (Contd.)

Best Practices
• Use the principle of least privilege
• User names should be harder to guess
• Use aliases to provide more layers of separation between the data and the intruder
• Keep up-to-date on patches
• Escape all user-supplied input
• Use third-party code and application evaluation services for greater scrutiny

Page 31:

Conclusion

Page 32:

Thank You