Perimeter
6/27/2011
05:00 PM
John H. Sawyer
John H. Sawyer
Commentary
Connect Directly
RSS
E-Mail
50%
50%
Repost This

New Metasploit Tools Help Find Security Blind Spots

Upcoming vSploit modules for the Metasploit Framework imitate compromised or vulnerable hosts in the network

How do you know the security solutions you've deployed are doing what they're supposed to do? Are there blind spots in your network where attack or compromise traffic might go unnoticed? It's a hard enough problem to assess in a large enterprise, and even harder for a one- to two-person security team in an SMB environment. But new Metasploit Framework modules developed by Marcus Carey of Rapid7 and planned for release during Black Hat USA and Defcon should help ease some of that pain by helping to find those blind spots.

The new modules are being dubbed vSploit because they are "virtualizing exploitation attributes." What does that mean? In Marcus' blog discussing vSploit, he states the "vSploit modules imitate compromised or vulnerable hosts on networks."

The idea is simple: Using these modules, a security pro can test whether his intrusion detection/prevention system (IDS/IPS), data leakage protection (DLP), and security information and event management (SIEM) solutions are working without endangering his production network.

Sure, you might say that you could test the same systems by actively exploiting vulnerabilities or by infecting a virtual machine with malware, but what if something were to go wrong? Suppose you put in the wrong IP address and crashed a critical server. Or maybe your infected virtual machine began attacking and infecting other systems on your network. While you might have tested your systems this way for years (I'm guilty of it in a past life), there are a whole slew of things that could go wrong. And, believe me, an accidental malware spread or crashed server is not the type of problem you want or have time to mop up when you're already overworked.

Marcus has two vSploit modules that he has demonstrated in videos posted at the Rapid7 blog. The first is a module designed to test solutions that monitor for personally identifiable information (PII). When run, the module creates a Web service that serves up randomly generated names, Social Security numbers, credit card numbers, passwords, and more. When a Web browser connects to the Web service, the fake PII is transferred and should cause alarms in any monitoring systems set to flag that type of data when seen on the network. Similarly, it can be used to test Web scanners that can detect PII hosted on websites.

The Web_PII module also has a feature that enables SSL, so the data transfer is encrypted and easily demonstrates how many network-based monitoring solutions can be evaded due to their inability to analyze encrypted Web traffic.

The second vSploit module simulates a compromised system requesting known malicious domains. In one example, Marcus demonstrates how the dns_beacon module can emulate a Windows system compromised by the ZeuS botnet. A network device monitoring for known malicious domains in DNS requests or a SIEM monitoring DNS logs for suspicious queries should immediately flag this traffic.

There is more in the works from Marcus, and the results should help enable everyone from the single-person security team on up to the security team of a Fortune 100 to perform easier testing and validation without live exploits and malware. I've provided a few updates to the Web_PII module that fit some testing scenarios that I've encountered, and I'm hoping to contribute more as the project matures. Look for more details as Defcon approaches in August.

John Sawyer is a Senior Security Analyst with InGuardians. The views and opinions expressed in this blog are his own and do not represent the views and opinions of his employer. He can be reached at johnhsawyer@gmail.com

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-3946
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

CVE-2012-5723
Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

CVE-2013-6738
Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before 1.2.0.0-CSI-SCALA-IF0003 allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

CVE-2014-0188
Published: 2014-04-24
The openshift-origin-broker in Red Hat OpenShift Enterprise 2.0.5, 1.2.7, and earlier does not properly handle authentication requests from the remote-user auth plugin, which allows remote attackers to bypass authentication and impersonate arbitrary users via the X-Remote-User header in a request to...

CVE-2014-2391
Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

Best of the Web