Live-Fire Security Testing with Armitage and Metasploit
Metasploit also has modules to run a dictionary-based password-guessing attack against most services. Search for _login in the module browser to find these modules. To attack SSH, highlight several hosts in the targets view and double-click the ssh_login module.
Metasploit gives you a lot of flexibility for executing password-guessing attacks. Set the USERNAME and PASSWORD options if you want to try one user name and password. Set USERPASS_FILE to a file with “username password” entries on each line. Or set USER_FILE and PASS_FILE to attempt access using every user name from USER_FILE with every password from PASS_FILE.
Metasploit comes with several user name and password word lists. On BackTrack, they're located in /pentest/exploits/framework3/data/wordlists. Double-click a file-expecting option name (for example, PASS_FILE) to set the option using a file-chooser dialog. Click Launch to begin the password-guessing attack. Armitage displays the attack's progress in a new tab.
Metasploit stores successful logins in its database. Go to View→Credentials to see them. You can use these credentials to log in to a host as well. Right-click a host, select Login, and choose the service to log in to. If the login yields a session, the host turns red with lightning bolts (just like a successful exploit). A session is an active shell or agent that you can interact with.
Password-guessing attacks are an important part of a penetration test. You should verify that common user name and password combinations do not give access to your network resources. Also, guessed credentials make other attacks possible. For example, the snmp_login module might find a community string that an attacker uses to write a new configuration file to your Cisco device.
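The USER_FILE × PASS_FILE style of guessing described above leaves a distinctive trail on the target: a burst of failed logins from one source spread across several user names, sometimes ending in an accepted login. The following is an added example (not from the article or from the Metasploit project) that flags that pattern in OpenSSH auth-log lines; the log lines, host names and addresses are constructed, and the thresholds are assumptions to tune for your environment.

```python
import re
from collections import defaultdict

# Constructed sshd auth.log sample (not a real capture): a guessing run from 10.0.0.5, one benign failure from 10.0.0.9.
SAMPLE_LOG = """\
May 16 10:01:02 web1 sshd[4101]: Failed password for invalid user admin from 10.0.0.5 port 51234 ssh2
May 16 10:01:02 web1 sshd[4102]: Failed password for invalid user admin from 10.0.0.5 port 51235 ssh2
May 16 10:01:03 web1 sshd[4103]: Failed password for root from 10.0.0.5 port 51236 ssh2
May 16 10:01:03 web1 sshd[4104]: Failed password for root from 10.0.0.5 port 51237 ssh2
May 16 10:01:04 web1 sshd[4105]: Failed password for invalid user test from 10.0.0.5 port 51238 ssh2
May 16 10:01:04 web1 sshd[4106]: Failed password for msfadmin from 10.0.0.5 port 51239 ssh2
May 16 10:01:05 web1 sshd[4107]: Accepted password for msfadmin from 10.0.0.5 port 51240 ssh2
May 16 10:07:30 web1 sshd[4200]: Failed password for alice from 10.0.0.9 port 40022 ssh2
"""
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_sshd(lines):
    """Yield (result, user, source_ip) for every password-authentication line."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("src")

def detect_guessing(lines, min_failures=5, min_users=3):
    """Return {src_ip: summary} for sources that look like a dictionary attack:
    many failures spread over several user names. The summary also lists any
    user names later accepted from that source, which are the ones to rotate first."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "accepted": []})
    for result, user, src in parse_sshd(lines):
        s = stats[src]
        if result == "Failed":
            s["failures"] += 1
            s["users"].add(user)
        else:
            s["accepted"].append(user)
    return {
        src: {"failures": s["failures"],
              "distinct_users": len(s["users"]),
              "accepted": s["accepted"]}
        for src, s in stats.items()
        if s["failures"] >= min_failures and len(s["users"]) >= min_users
    }

if __name__ == "__main__":
    for src, info in detect_guessing(SAMPLE_LOG.splitlines()).items():
        print(src, info)
```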
To use exploits and launch password-guessing attacks, attackers need network access to your services. A configured firewall will stop many attacks. However, attackers are not out of options. Determined attackers will use client-side exploits and social engineering to get inside your network's perimeter.
Go to Attacks→Browser Attacks→multi→java_signed_applet to launch a cross-platform client-side attack. This attack starts a Web server with a malicious Java applet. The applet asks visitors to grant the applet full rights to their local system. Disguise this applet as a neat game, and you may get access to a lot of hosts.
Use Attacks→Evil Files→windows→adobe_pdf_embedded_exe to generate a PDF file with an embedded executable that connects back to Metasploit. This attack asks users to take an action that runs this embedded executable. Most users are unaware of the security risks with opening a PDF file.
Click Attacks→Browser Autopwn to start a Web server that will use the browser fingerprint of each visitor to send an exploit. If you e-mail every user in your organization with this link, how many hosts would you compromise?
I recommend testing these client-side attacks on your workstations and seeing what's possible. User education is the best defense against these attacks. Consider demonstrating these attacks at your next training event. Users who can recognize attacks will add to your security posture.
One compromised host allows attackers to attack your network from the inside. Metasploit's pivoting feature allows you to bounce your attack traffic through a compromised host. Pivoting makes client-side attacks very dangerous.
Pivoting works like a router within Metasploit. You choose a network and set a compromised host as the gateway. Metasploit uses these routes for all of its attacks and scanning modules. Right-click a compromised host and navigate to Meterpreter→Pivoting→Setup to configure this feature. Armitage shows a green line between pivot hosts and their known targets (Figure 7).
Metasploit has a built-in proxy server. Use this if you want to use an external tool, like Firefox, through the pivots you have set up. Go to Armitage→SOCKS Proxy to launch this feature.
Post-exploitation is what happens after access. A successful attack gives you shell access on non-Windows hosts. Successful Windows exploitation gives you access to Meterpreter.
Meterpreter is a powerful post-exploitation agent built into Metasploit. Meterpreter runs from the memory of the process you attacked. Through it, you can browse and download files, view processes, take screenshots, log keystrokes, run privilege escalation exploits and interact with a command shell.
Armitage provides an intuitive interface for much of Meterpreter's functionality. Figure 8 shows the file browser. Right-click a compromised host and navigate to the Meterpreter menu to explore these functions.
Meterpreter is powerful, but Armitage has a few tricks for shell access too. Right-click a compromised host and navigate to the Shell menu. Select Interact to open the command shell in a tab. Use Upload to upload a file using the UNIX printf command. Choose Disconnect to close the session.