Welcome Guest. | Log In | Register | Membership Benefits


Topics:   Evil Bytes : SMB Security Tech Center

New Metasploit Tools Help Find Security Blind Spots

Upcoming vSploit modules for the Metasploit Framework imitate compromised or vulnerable hosts in the network

Jun 27, 2011 | 05:00 PM | 

By John H. Sawyer
Dark Reading

How do you know the security solutions you've deployed are doing what they're supposed to do? Are there blind spots in your network where attack or compromise traffic might go unnoticed? It's a hard enough problem to assess in a large enterprise, and even harder for a one- to two-person security team in an SMB environment. But new Metasploit Framework modules developed by Marcus Carey of Rapid7 and planned for release during Black Hat USA and Defcon should help ease some of that pain by helping to find those blind spots.

The new modules are being dubbed vSploit because they are "virtualizing exploitation attributes." What does that mean? In Marcus' blog discussing vSploit, he states the "vSploit modules imitate compromised or vulnerable hosts on networks."

The idea is simple: Using these modules, a security pro can test whether his intrusion detection/prevention system (IDS/IPS), data leakage protection (DLP), and security information and event management (SIEM) solutions are working without endangering his production network.

Sure, you might say that you could test the same systems by actively exploiting vulnerabilities or by infecting a virtual machine with malware, but what if something were to go wrong? Suppose you put in the wrong IP address and crashed a critical server. Or maybe your infected virtual machine began attacking and infecting other systems on your network. While you might have tested your systems this way for years (I'm guilty of it in a past life), there are a whole slew of things that could go wrong. And, believe me, an accidental malware spread or crashed server is not the type of problem you want or have time to mop up when you're already overworked.

Marcus has two vSploit modules that he has demonstrated in videos posted at the Rapid7 blog. The first is a module designed to test solutions that monitor for personally identifiable information (PII). When run, the module creates a Web service that serves up randomly generated names, Social Security numbers, credit card numbers, passwords, and more. When a Web browser connects to the Web service, the fake PII is transferred and should cause alarms in any monitoring systems set to flag that type of data when seen on the network. Similarly, it can be used to test Web scanners that can detect PII hosted on websites.

The Web_PII module also has a feature that enables SSL, so the data transfer is encrypted and easily demonstrates how many network-based monitoring solutions can be evaded due to their inability to analyze encrypted Web traffic.

The second vSploit module simulates a compromised system requesting known malicious domains. In one example, Marcus demonstrates how the dns_beacon module can emulate a Windows system compromised by the ZeuS botnet. A network device monitoring for known malicious domains in DNS requests or a SIEM monitoring DNS logs for suspicious queries should immediately flag this traffic.

There is more in the works from Marcus, and the results should help enable everyone from the single-person security team on up to the security team of a Fortune 100 to perform easier testing and validation without live exploits and malware. I've provided a few updates to the Web_PII module that fit some testing scenarios that I've encountered, and I'm hoping to contribute more as the project matures. Look for more details as Defcon approaches in August.

John Sawyer is a Senior Security Analyst with InGuardians. The views and opinions expressed in this blog are his own and do not represent the views and opinions of his employer. He can be reached at johnhsawyer@gmail.com



Currently we allow the following HTML tags in comments:

Single tags

These tags can be used alone and don't need an ending tag.

<br> Defines a single line break

<hr> Defines a horizontal line

Matching tags

These require an ending tag - e.g. <i>italic text</i>

<a> Defines an anchor

<b> Defines bold text

<big> Defines big text

<blockquote> Defines a long quotation

<caption> Defines a table caption

<cite> Defines a citation

<code> Defines computer code text

<em> Defines emphasized text

<fieldset> Defines a border around elements in a form

<h1> This is heading 1

<h2> This is heading 2

<h3> This is heading 3

<h4> This is heading 4

<h5> This is heading 5

<h6> This is heading 6

<i> Defines italic text

<p> Defines a paragraph

<pre> Defines preformatted text

<q> Defines a short quotation

<samp> Defines sample computer code text

<small> Defines small text

<span> Defines a section in a document

<s> Defines strikethrough text

<strike> Defines strikethrough text

<strong> Defines strong text

<sub> Defines subscripted text

<sup> Defines superscripted text

<u> Defines underlined text

Dark Reading encourages readers to engage in spirited, healthy debate, including taking us to task. However, Dark Reading moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing/SPAM. Dark Reading further reserves the right to disable the profile of any commenter participating in said activities.

Disqus Tips To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy.
Subscribe to RSS



SMB Security Reports

report Small Businesses, Big Losses: How SMBs Can Fight Cybercrime
Small and midsize businesses are falling prey to cyberattacks that cost them sensitive data, productivity and corporate accounts cleaned out by sophisticated banking Trojans. SMBs are typically on the hook for these losses and lack effective means to prevent them. In this report, we explain what makes these threats so menacing, and share best practices to defend against them.

report Five Security Flaws, Five Security Fixes For Small And Midsize Companies
Take a sneak peek at data from the Dark Reading/InformationWeek 2011 Strategic Security Survey, with a focus on the five biggest problems faced by small and midmarket companies. You?ll get a look at key security practices and processes for managing the complexity of security; enforcing policies; assessing risk; preventing data breaches; and managing scarce IT resources.

report SMBs in the Crosshairs: Understanding the Threats, Defending the Business
Cybercriminals are not only exploiting small and midsize businesses -- they're targeting them. While thefts of hundreds of thousands or even millions of credit card numbers and personal information records make headlines, many small companies' accounts have been cleaned out. In this Dark Reading Tech Center report, we identify how SMBs are exploited, where their security fails and how they can shore up their defenses.

Other reports from the SMB Security Tech Center:




Featured Webcasts
Featured Whitepapers
Featured Reports