A Penetration Tester's Toolkit
Take a look at the report in detail by clicking on the IP in the report. Here you will see a grid broken down by level of concern. As you can see, this very basic vulnerability scan returned a lot of good information. In particular, let's look at the RPC issue. Open that up and take a look at the listing (Figure 7).
Figure 7. A Lot Going on Here for a Fresh Build
What you can take away from this is that RPC is a service of concern and that Nessus by itself has an exploit against it. The plugin ID tells you which plugin to use to test the exploit; the name gives you some detail about the issue, and port and severity are self-explanatory. By clicking on the name, you pull up a window that provides plenty of detail, including what versions are affected, patches released to fix it and various other tidbits (Figure 8).
Figure 8. Detailed Results
This gives us plenty to work with, but let's make sure that we really can exploit this and that there is, indeed, cause for concern. You could do that with Nessus (give it a try!), but rather than relying solely on Nessus, let's bring in the final tool, the heavy-hitter Metasploit.
Why use two different tools that can do the same job? Preference, mostly. I find that Metasploit is much better suited for exploits than Nessus. That's not to say Nessus doesn't get the job done, but Metasploit was built specifically for this purpose. If nothing else, a third tool presents another compelling piece of evidence to support your findings. It never hurts to have an extra set of eyes.
Before going any further, I should say this: I have a ton of respect for the power behind Metasploit. Be sure to read all the documentation before ever attempting a run of Metasploit against a remotely used box. Metasploit is a lot of fun, but kind of in the way that fireworks are a lot of fun (obviously, accidents can happen if you're not careful).
Start by opening a terminal,
su to root (if you have given a regular
user access to the proper files/directories for Metasploit, it's
best to run as said user instead of root), and run the command
Figure 9. Behold, Metasploit
Once you get a prompt back, the first thing to do is select your exploit to test. To see all available exploits, type the following, then go get a cup of coffee, because this takes a minute...or two:
Okay, for the purpose of this example, let's use the following command (Figure 10 shows the results), which corresponds to the previous error shown from Nessus (Figure 8):
Figure 10. Exploits Listed and Exploit Selected
You could use another exploit, which simply would crash the box, but let's try not to be too destructive. With your exploit selected, now you need to choose a payload. A payload is the set of instructions to send via the exploit to get the desired results. In this case, you want to broadcast a message to the computer. First, list your payloads by running the following:
Next, select the payload by using the following command:
set payload windows/speak_pwned
Figure 11. Payload Selected
Finally, show the options for this payload to see what you need to append to this command to run the exploit. In this case, you need to give it the IP of the box in question (which makes sense—Metasploit is not a mind-reading tool). Listing 2 shows the output.
Listing 2. Output of Exploit
msf exploit(ms08_067_netapi) > set payload windows/speak_pwned payload => windows/speak_pwned msf exploit(ms08_067_netapi) > show options Module options (exploit/windows/smb/ms08_067_netapi): Name Current Setting Required Description ---- --------------- -------- ----------- RHOST yes The target address RPORT 445 yes Set the SMB service port SMBPIPE BROWSER yes Pipe name to use (BROWSER, SRVSVC) Payload options (windows/speak_pwned): Name Current Setting Required Description ---- --------------- -------- ----------- Exploit target: Id Name -- ---- 0 Automatic Targeting msf exploit(ms08_067_netapi) > set RHOST 192.168.56.101 RHOST => 192.168.56.101 msf exploit(ms08_067_netapi) > exploit [*] Automatically detecting the target... [*] Fingerprint: Windows XP - Service Pack 3 - lang:English [*] Selected Target: Windows XP SP3 English (AlwaysOn NX) [*] Attempting to trigger the vulnerability... [*] Exploit completed, but no session was created. msf exploit(ms08_067_netapi) >
As you can see, the exploit completed. And, if you have sound on your virtual machine, you will have heard something to the effect of "pwnd". If you take a look at the Windows machine, you will see that a service crashed in this exploit—a rather typical side effect (Figure 12).
Figure 12. We broke the box.
You could try a few other exploits (actually quite a few), but this gives you a good idea of how something simple like sending an audible could cause an issue. Again, be careful, and always play on a test box.
As you can see, these three tools, when used together, make for a powerful investigation and the basis for a good report. Used wisely, these tools can help defend your network against these very exploits. I often find myself simply using Nmap to do random scans on my subnet for new computers, Nessus to investigate further and find vulnerabilities, and Metasploit to disable the device if necessary (it happens more than you think). I also use these tools for generating reports, giving presentations to management and keeping my network healthy in general. I learn something new every time I run them, either about the tools themselves or my network, thus keeping it interesting. Give the tools a try and see what you think and enjoy!
Matthew Agle is a 30-year-old senior architect. When he's not focusing on work, hacking, security, his blog or various other hobbies, he can be found playing with his kids and generally annoying his wife.
- The Tiny Internet Project, Part I
- SUSECON 2016: Where Technology Reigns Supreme
- Linux Journal October 2016
- Download "Linux Management with Red Hat Satellite: Measuring Business Impact and ROI"
- Free Today: September Issue of Linux Journal (Retail value: $5.99)
- Bitcoin on Amazon! Sort of...
- Android Browser Security--What You Haven't Been Told
- Epiq Solutions' Sidekiq M.2
- Securing the Programmer