01 metasploit - the elixir of network securityminisites.qaiglobalservices.com/stc2012/paper_...
TRANSCRIPT
Metasploit – The Elixir of NetworkSecurity
Harish Chowdhary |Software Quality Engineer, Aricent Technologies|
Shubham Mittal |Penetration Testing Engineer, Iviz Security|
And Your Situation Would Be…
Main Goal
Learn why and how to test computernetworks against the most common butreally serious security attacks usingMETASPLOITMETASPLOIT
What are we going to talk about
� Penetration Testing
� Why Bother?
� Testing Network with - METASPLOIT� Testing Network with - METASPLOIT
� Proof of Concept (Demonstration)
� (Mitigation Strategies)
� Conclusion
Penetration TestingA penetration test is a method of evaluating the security
of a computer system or network by simulating an attack
from a malicious source, known as a Black Hat Hacker,
or Cracker. WikipediaEnvironmental
Attacks
Input Attacks
Logic and Data
Attacks
Why Bother?� Active pen-testing teaches you things that security planning
will not
� Are your users and system administrators actually following
their own policies?
� host that claims one thing in security plan but it totally different
in reality
� Raises security awareness� Raises security awareness
� Helps identify weakness that may be leveraged by insider
threat or accidental exposure.
� Provides Senior Management a realistic view of their security
posture
� Great tool to advocate for more funding to mitigate flaws
discovered
� If I can break into it, so could someone else!
How dangerous are Cyber attacks
� October 12, 2011 Sony has suffered a data breach involving
the usernames and passwords of about 93,000 customers.
Attackers were able to reuse to logon to people's
PlayStation Network , or Sony Online Entertainment , or
Sony Entertainment Network accounts.
� 6 June 2012 over six million passwords were stolen in a
hack of the professional networking site linkedin.com.
� 10 June 2012 Anonymous attacked and brought down the
website run by Computer Emergency Response Team India
(CERT-In), the country's premier agency dealing with cyber
security contingencies
How dangerous are Cyber attacks� July 12, 2012 A Yahoo security breach exposed 450,000
usernames and passwords from a site on the huge web
portal indicates that the company failed to take even basic
precautions to protect the data.
� 2012: Latest SQL Injection Campaign Infects 1 Million Web
Pages with the lilupophilupop.comPages with the lilupophilupop.com
� During the period December 2011 to February 2012, a total
number of 112 government websites were hacked,” Minister
of State for Communications and IT Sachin Pilot told the Lok
Sabha.
� September 10, 2012 — Network World —Anonymous has
claimed responsibility for knocking domain provider
GoDaddy offline.Source : http://openspace.org.in
Hacked out of Business
Severity Of Cyber Attacks
Current State : Network Security
Severity Of Cyber Attacks
Severity Of Cyber Attacks
Penetration Testing• Application Security Review
• Application Security AssessmentApplication SecurityApplication Security
• Secure Network Architecture & System Integration
• Network Security Managed OperationsNetwork & System SecurityNetwork & System Security
• Security Management Reviews & Risk Assessment
• Security Policy & Process Development & ImplementationSecurity Governance & ComplianceSecurity Governance & Compliance • Security Policy & Process Development & Implementation
• ISO27001 Consulting
Security Governance & ComplianceSecurity Governance & Compliance
• BCM & ITDR Consulting
• BCM Compliance Services
Business Continuity / Disaster Recovery
Business Continuity / Disaster Recovery
• Consulting & System Integration
• Support & MaintenanceIdentity & Access ManagementIdentity & Access Management
• Professional Services
• Remote Security Operation CentreManaged Security ServicesManaged Security Services
Diagrammatic Representation
Process of PenTest
Focusing Network PenTest
Network Security Testing
What is Metasploit
� According to the Metasploit Team;
“The Metasploit Framework is a platform for writing, testing, and using
exploit code. The primary users of the Framework are professionals
performing penetration testing, shellcode development, and
vulnerability research.
� It is becoming the de facto standard for vulnerability assessmentand PenTest.
� largest ruby project in existenceFind vulnerability ->choose exploit -> check if exploit applies -> configure
payload -> configure encoding to evade IDS and AV-> execute the exploit� Includes an extensive shell code and opcode database with full
source code.
What is MetasploitTo understand the use of Metasploit we have to
understand the some basic terminologies.
� Vulnerability
“The word vulnerability, refers to a weakness in a systemallowing an attacker to violate the confidentiality, integrity,allowing an attacker to violate the confidentiality, integrity,availability, access control, consistency or auditmechanisms of the system or the data and applications ithosts”.
� Exploits
An exploit is a security attack on a vulnerability
Can exploits give access to a secured system?
Ans: NO
What is Metasploit� Exploits have more potential
� They are commonly used to install system malware orgain system access or recruit client machines into anexisting ‘botnet’
� This is accomplished with the help of a Payload
The payload is a sequence of code that is executed� The payload is a sequence of code that is executedwhen the vulnerability is triggered
� Payloads are very useful because they provide aninteractive shell that can be used to completely controlthe system remotely
� To make things clear, an Exploit is really broken up intotwo parts,
� EXPLOIT = Vulnerability + Payload
Hot Spots
� In a network, filtering and complex rules are
generally applied on the basis of these basic
factors
� TCP or UDP
� Source IP address� Source IP address
� Source Port Number
� Destination IP address
� Destination Port Number
� Now we have and Metasploit at our disposal and
now we also have the HOT SPOTS to target the
NETWORK.
I
SAMPLE PENETRATION TEST
*Note: Demonstration of the Penetration Test is only for the
Research Purposes
DON'T BE IRRESPONSIBLE...SERIOUSLYDON'T BE IRRESPONSIBLE...SERIOUSLY
USE OF THESE TOOLS ON MACHINES NOT LEGALLY
OWNED BY YOU COULD END UP PUTTING A NASTY
MARK ON YOUR CRIMINAL RECORD
This is not a live demo or real scenario of a Network Pentest.
Network is emulated which is really close to the “Real One”
The Attack � To conduct a Software Exploitation Attack using
Metasploit Framework against a Victim machine in
order to gain system access
� To make things interesting, the Victim’s machine will
also have AV in order to see how it reacts to thealso have AV in order to see how it reacts to the
attack.
� We use MS08-067 exploit – Critical - CVE-2008-4250
� MS08-067 is Vulnerability in Server Service Could
Allow Remote Code Execution (958644)
� On Microsoft Windows 2000, Windows XP, and
Windows Server 2003 systems, an attacker could
exploit this vulnerability without authentication to run
arbitrary code
Outline of Network
Topology� To emulate the real time network we created network
of three virtual machines on WIN 7 Host Machine.
� VICTIM -WinXP Machine with SP2 and SP3 Flavor
Ip.addr = 192.168.242.132Ip.addr = 192.168.242.132
� VICTIM -WinXP Machine with SP3 and AV
Ip.addr = 192.168.242.133
� Attacker –Back|Track 5 r3 with Metasploit
Ip.addr = 192.168.242.134
Tools: Used in the PenTest� Automatic tools are required to detect and exploit the
vulnerabilities quickly to save crucial amount of time.
You can use the following Tools:
Nmap 6.01
Hyperion for Exploit /Payload EncryptionHyperion for Exploit /Payload Encryption
Havij can be used to detect SQL injection on the
website hosted target using network
SQL Inject Me (FireFox AddOn)
Acunetix Web Vulnerability Scanner
DEMO
Evaluate Impact on the Network
and Reporting
� It reveals the information about all the existing
vulnerabilities in the network.
� How deep a hacker can go inside the Network.
� How much data can be lost or altered.
� Report them accurately
Recommended Countermeasures
Discipline
� Code review
� QA Test Plans� QA Test Plans
� Test with an intruder’s mindset
� Periodic Penetration Testing
Recommended Countermeasures(Contd.)
Best Practices� Use principle of least-privilege
� Use names should be harder to guess
� Use aliases to provide more layers of separation between the dataand the intruderand the intruder
� Keep up-to-date on patches
� Escaping all User Supplied Input
� Use third-party code and applications evaluation services for greaterscrutiny
Conclusion
Thank You