Perimeter
6/27/2011
05:00 PM
John H. Sawyer
John H. Sawyer
Commentary
50%
50%

New Metasploit Tools Help Find Security Blind Spots

Upcoming vSploit modules for the Metasploit Framework imitate compromised or vulnerable hosts in the network

How do you know the security solutions you've deployed are doing what they're supposed to do? Are there blind spots in your network where attack or compromise traffic might go unnoticed? It's a hard enough problem to assess in a large enterprise, and even harder for a one- to two-person security team in an SMB environment. But new Metasploit Framework modules developed by Marcus Carey of Rapid7 and planned for release during Black Hat USA and Defcon should help ease some of that pain by helping to find those blind spots.

The new modules are being dubbed vSploit because they are "virtualizing exploitation attributes." What does that mean? In Marcus' blog discussing vSploit, he states the "vSploit modules imitate compromised or vulnerable hosts on networks."

The idea is simple: Using these modules, a security pro can test whether his intrusion detection/prevention system (IDS/IPS), data leakage protection (DLP), and security information and event management (SIEM) solutions are working without endangering his production network.

Sure, you might say that you could test the same systems by actively exploiting vulnerabilities or by infecting a virtual machine with malware, but what if something were to go wrong? Suppose you put in the wrong IP address and crashed a critical server. Or maybe your infected virtual machine began attacking and infecting other systems on your network. While you might have tested your systems this way for years (I'm guilty of it in a past life), there are a whole slew of things that could go wrong. And, believe me, an accidental malware spread or crashed server is not the type of problem you want or have time to mop up when you're already overworked.

Marcus has two vSploit modules that he has demonstrated in videos posted at the Rapid7 blog. The first is a module designed to test solutions that monitor for personally identifiable information (PII). When run, the module creates a Web service that serves up randomly generated names, Social Security numbers, credit card numbers, passwords, and more. When a Web browser connects to the Web service, the fake PII is transferred and should cause alarms in any monitoring systems set to flag that type of data when seen on the network. Similarly, it can be used to test Web scanners that can detect PII hosted on websites.

The Web_PII module also has a feature that enables SSL, so the data transfer is encrypted and easily demonstrates how many network-based monitoring solutions can be evaded due to their inability to analyze encrypted Web traffic.

The second vSploit module simulates a compromised system requesting known malicious domains. In one example, Marcus demonstrates how the dns_beacon module can emulate a Windows system compromised by the ZeuS botnet. A network device monitoring for known malicious domains in DNS requests or a SIEM monitoring DNS logs for suspicious queries should immediately flag this traffic.

There is more in the works from Marcus, and the results should help enable everyone from the single-person security team on up to the security team of a Fortune 100 to perform easier testing and validation without live exploits and malware. I've provided a few updates to the Web_PII module that fit some testing scenarios that I've encountered, and I'm hoping to contribute more as the project matures. Look for more details as Defcon approaches in August.

John Sawyer is a Senior Security Analyst with InGuardians. The views and opinions expressed in this blog are his own and do not represent the views and opinions of his employer. He can be reached at johnhsawyer@gmail.com

Comment  | 
Print  | 
More Insights
White Papers
More White Papers
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8370
Published: 2015-01-29
VMware Workstation 10.x before 10.0.5, VMware Player 6.x before 6.0.5, VMware Fusion 6.x before 6.0.5, and VMware ESXi 5.0 through 5.5 allow host OS users to gain host OS privileges or cause a denial of service (arbitrary write to a file) by modifying a configuration file.

CVE-2015-0236
Published: 2015-01-29
libvirt before 1.2.12 allow remote authenticated users to obtain the VNC password by using the VIR_DOMAIN_XML_SECURE flag with a crafted (1) snapshot to the virDomainSnapshotGetXMLDesc interface or (2) image to the virDomainSaveImageGetXMLDesc interface.

CVE-2015-1043
Published: 2015-01-29
The Host Guest File System (HGFS) in VMware Workstation 10.x before 10.0.5, VMware Player 6.x before 6.0.5, and VMware Fusion 6.x before 6.0.5 and 7.x before 7.0.1 allows guest OS users to cause a guest OS denial of service via unspecified vectors.

CVE-2015-1044
Published: 2015-01-29
vmware-authd (aka the Authorization process) in VMware Workstation 10.x before 10.0.5, VMware Player 6.x before 6.0.5, and VMware ESXi 5.0 through 5.5 allows attackers to cause a host OS denial of service via unspecified vectors.

CVE-2015-1422
Published: 2015-01-29
Multiple cross-site scripting (XSS) vulnerabilities in Gecko CMS 2.2 and 2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) horder[], (2) jak_catid, (3) jak_content, (4) jak_css, (5) jak_delete_log[], (6) jak_email, (7) jak_extfile, (8) jak_file, (9) jak_hookshow[], (10) j...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.