Perimeter
6/27/2011
05:00 PM
John H. Sawyer
John H. Sawyer
Commentary
Connect Directly
RSS
E-Mail
50%
50%

New Metasploit Tools Help Find Security Blind Spots

Upcoming vSploit modules for the Metasploit Framework imitate compromised or vulnerable hosts in the network

How do you know the security solutions you've deployed are doing what they're supposed to do? Are there blind spots in your network where attack or compromise traffic might go unnoticed? It's a hard enough problem to assess in a large enterprise, and even harder for a one- to two-person security team in an SMB environment. But new Metasploit Framework modules developed by Marcus Carey of Rapid7 and planned for release during Black Hat USA and Defcon should help ease some of that pain by helping to find those blind spots.

The new modules are being dubbed vSploit because they are "virtualizing exploitation attributes." What does that mean? In Marcus' blog discussing vSploit, he states the "vSploit modules imitate compromised or vulnerable hosts on networks."

The idea is simple: Using these modules, a security pro can test whether his intrusion detection/prevention system (IDS/IPS), data leakage protection (DLP), and security information and event management (SIEM) solutions are working without endangering his production network.

Sure, you might say that you could test the same systems by actively exploiting vulnerabilities or by infecting a virtual machine with malware, but what if something were to go wrong? Suppose you put in the wrong IP address and crashed a critical server. Or maybe your infected virtual machine began attacking and infecting other systems on your network. While you might have tested your systems this way for years (I'm guilty of it in a past life), there are a whole slew of things that could go wrong. And, believe me, an accidental malware spread or crashed server is not the type of problem you want or have time to mop up when you're already overworked.

Marcus has two vSploit modules that he has demonstrated in videos posted at the Rapid7 blog. The first is a module designed to test solutions that monitor for personally identifiable information (PII). When run, the module creates a Web service that serves up randomly generated names, Social Security numbers, credit card numbers, passwords, and more. When a Web browser connects to the Web service, the fake PII is transferred and should cause alarms in any monitoring systems set to flag that type of data when seen on the network. Similarly, it can be used to test Web scanners that can detect PII hosted on websites.

The Web_PII module also has a feature that enables SSL, so the data transfer is encrypted and easily demonstrates how many network-based monitoring solutions can be evaded due to their inability to analyze encrypted Web traffic.

The second vSploit module simulates a compromised system requesting known malicious domains. In one example, Marcus demonstrates how the dns_beacon module can emulate a Windows system compromised by the ZeuS botnet. A network device monitoring for known malicious domains in DNS requests or a SIEM monitoring DNS logs for suspicious queries should immediately flag this traffic.

There is more in the works from Marcus, and the results should help enable everyone from the single-person security team on up to the security team of a Fortune 100 to perform easier testing and validation without live exploits and malware. I've provided a few updates to the Web_PII module that fit some testing scenarios that I've encountered, and I'm hoping to contribute more as the project matures. Look for more details as Defcon approaches in August.

John Sawyer is a Senior Security Analyst with InGuardians. The views and opinions expressed in this blog are his own and do not represent the views and opinions of his employer. He can be reached at johnhsawyer@gmail.com

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2009-5142
Published: 2014-08-21
Cross-site scripting (XSS) vulnerability in timthumb.php in TimThumb 1.09 and earlier, as used in Mimbo Pro 2.3.1 and other products, allows remote attackers to inject arbitrary web script or HTML via the src parameter.

CVE-2010-5302
Published: 2014-08-21
Cross-site scripting (XSS) vulnerability in timthumb.php in TimThumb before 1.15 as of 20100908 (r88), as used in multiple products, allows remote attackers to inject arbitrary web script or HTML via the QUERY_STRING.

CVE-2010-5303
Published: 2014-08-21
Cross-site scripting (XSS) vulnerability in the displayError function in timthumb.php in TimThumb before 1.15 (r85), as used in multiple products, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to $errorString.

CVE-2014-0965
Published: 2014-08-21
IBM WebSphere Application Server (WAS) 7.0.x before 7.0.0.33, 8.0.x before 8.0.0.9, and 8.5.x before 8.5.5.3 allows remote attackers to obtain sensitive information via a crafted SOAP response.

CVE-2014-3022
Published: 2014-08-21
IBM WebSphere Application Server (WAS) 7.0.x before 7.0.0.33, 8.0.x before 8.0.0.9, and 8.5.x before 8.5.5.3 allows remote attackers to obtain sensitive information via a crafted URL that triggers an error condition.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.