Endpoint

7/6/2009
04:52 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

New Tool And Managed Service 'Penetration-Test' End Users

New User Attack Framework (UAF) could eventually work with Metasploit's hacking tool, researchers say

A security researcher next month plans to release a Metasploit-style hacking tool and a managed service that lets organizations wage realistic and complex email-borne phishing attacks on their end users to gauge their risk of multilayered client attacks.

The so-called User Attack Framework (UAF) includes metrics, tracking details of the victim's actions when hit with phishing bait, and it can exploit the victim's browser, harvest his credentials, and even attack his operating system.

"There is been pen-testing of networks and applications. This is pen-testing users," says Joshua Perrymon, CEO for PacketFocus, and the author of the tool behind UAF. UAF, which is written in Ruby, is based on a tool Perrymon initially built for phishing users called Lunker.

Perrymon had planned to release Lunker as an open-source tool in September at the Open Web Application Security Project (OWASP) conference in New York, but held back at the last minute amid worries such a tool in its raw form could be abused by the bad guys after seeing how easily it duped users in beta tests with several banks and government agencies. Around 80 percent of the users in the beta tests visited the phishing Websites after receiving the malicious URLs via email, and 60 percent were duped into giving up their credentials once they got there, he says.

So Perrymon decided not to release Lunker and instead expand it into more of an overall end-user attack framework, with both a commercial tool and managed services option, as well as a bare-bones, open-source tool that wasn't as potentially lethal, he says. "I didn't feel comfortable releasing Lunker publicly because of how powerful it was. I didn't want to release it...in turnkey form with an 80 to 90 percent success rate it had," he says. "I decided to release a tool that was a commercial version and not let the tool run wild."

UAF isn't the first such service -- Intrepidus Group offers PhishMe, a Web-based service for helping companies find the weakest links in their targeted phishing defense. The service, which was announced a year ago, lets companies spear-phish their employees both for risk assessment purposes and also to educate users. The "victimized" users get instant feedback: They are redirected to educational messages and information, including a PhishMe educational comic strip and links to their corporate sites for more information.

Perrymon says UAF is different because it's a managed security service that relies on security experts to run the phony phishing attacks, and it provides metrics and reporting. "This is a user attack framework instead of a phishing attack framework," like Lunker was aimed at providing, he says. "And even though it uses email as the attack vector, there are a lot of different ways it can attack the user."

UAF could be integrated with Metasploit at some point, says HD Moore, creator of Metasploit. "A few people have been working on similar projects over the years, and I'm excited that someone is going to finally release one," Moore says. "There's a good chance we can share code and do integration on the Metasploit side as well."

UAF tracks specific details of a multilayer phishing attack, such as when a phishing email was sent; if the user clicked on it and, if so, at what time; whether the user provided his credentials; and a count of how many payloads were successful. "We don't want to make this a canned Outlook attack," he says.

The metrics data can help an organization determine how effective it was at stopping at attack, for instance, or what tricks users fell for, Perrymon says. "This is not a tool where we spoof and see if someone gives information. We want to track the whole process to help an organization apply security awareness to the problem," he says. "At the end of the day, that's what's going to protect them against these [user] attacks. Technology can't."

UAF can run on Linux and Windows, he says. The free, open-source version of UAF software is aimed at penetration testers, and doesn't contain all of the functionality of the commercial tool or managed service. "You have to use your own mail server, so we're not going to provide a way to send anonymous attacks. This gives companies that may not want to purchase it a way to test their organization in a safe manner," he says.

The commercial tool, meanwhile, will be priced around $5,000, and the managed service, from $2,500 to $10,000 per year. PacketFocus is looking for beta testers for the product and service, as well ([email protected]).

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
6 Ways Greed Has a Negative Effect on Cybersecurity
Joshua Goldfarb, Co-founder & Chief Product Officer, IDRRA ,  6/11/2018
Weaponizing IPv6 to Bypass IPv4 Security
John Anderson, Principal Security Consultant, Trustwave Spiderlabs,  6/12/2018
'Shift Left' & the Connected Car
Rohit Sethi, COO of Security Compass,  6/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-12026
PUBLISHED: 2018-06-17
During the spawning of a malicious Passenger-managed application, SpawningKit in Phusion Passenger 5.3.x before 5.3.2 allows such applications to replace key files or directories in the spawning communication directory with symlinks. This then could result in arbitrary reads and writes, which in tur...
CVE-2018-12027
PUBLISHED: 2018-06-17
An Insecure Permissions vulnerability in SpawningKit in Phusion Passenger 5.3.x before 5.3.2 causes information disclosure in the following situation: given a Passenger-spawned application process that reports that it listens on a certain Unix domain socket, if any of the parent directories of said ...
CVE-2018-12028
PUBLISHED: 2018-06-17
An Incorrect Access Control vulnerability in SpawningKit in Phusion Passenger 5.3.x before 5.3.2 allows a Passenger-managed malicious application, upon spawning a child process, to report an arbitrary different PID back to Passenger's process manager. If the malicious application then generates an e...
CVE-2018-12029
PUBLISHED: 2018-06-17
A race condition in the nginx module in Phusion Passenger 3.x through 5.x before 5.3.2 allows local escalation of privileges when a non-standard passenger_instance_registry_dir with insufficiently strict permissions is configured. Replacing a file with a symlink after the file was created, but befor...
CVE-2018-12071
PUBLISHED: 2018-06-17
A Session Fixation issue exists in CodeIgniter before 3.1.9 because session.use_strict_mode in the Session Library was mishandled.