Endpoint

7/6/2009
04:52 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

New Tool And Managed Service 'Penetration-Test' End Users

New User Attack Framework (UAF) could eventually work with Metasploit's hacking tool, researchers say

A security researcher next month plans to release a Metasploit-style hacking tool and a managed service that lets organizations wage realistic and complex email-borne phishing attacks on their end users to gauge their risk of multilayered client attacks.

The so-called User Attack Framework (UAF) includes metrics, tracking details of the victim's actions when hit with phishing bait, and it can exploit the victim's browser, harvest his credentials, and even attack his operating system.

"There is been pen-testing of networks and applications. This is pen-testing users," says Joshua Perrymon, CEO for PacketFocus, and the author of the tool behind UAF. UAF, which is written in Ruby, is based on a tool Perrymon initially built for phishing users called Lunker.

Perrymon had planned to release Lunker as an open-source tool in September at the Open Web Application Security Project (OWASP) conference in New York, but held back at the last minute amid worries such a tool in its raw form could be abused by the bad guys after seeing how easily it duped users in beta tests with several banks and government agencies. Around 80 percent of the users in the beta tests visited the phishing Websites after receiving the malicious URLs via email, and 60 percent were duped into giving up their credentials once they got there, he says.

So Perrymon decided not to release Lunker and instead expand it into more of an overall end-user attack framework, with both a commercial tool and managed services option, as well as a bare-bones, open-source tool that wasn't as potentially lethal, he says. "I didn't feel comfortable releasing Lunker publicly because of how powerful it was. I didn't want to release it...in turnkey form with an 80 to 90 percent success rate it had," he says. "I decided to release a tool that was a commercial version and not let the tool run wild."

UAF isn't the first such service -- Intrepidus Group offers PhishMe, a Web-based service for helping companies find the weakest links in their targeted phishing defense. The service, which was announced a year ago, lets companies spear-phish their employees both for risk assessment purposes and also to educate users. The "victimized" users get instant feedback: They are redirected to educational messages and information, including a PhishMe educational comic strip and links to their corporate sites for more information.

Perrymon says UAF is different because it's a managed security service that relies on security experts to run the phony phishing attacks, and it provides metrics and reporting. "This is a user attack framework instead of a phishing attack framework," like Lunker was aimed at providing, he says. "And even though it uses email as the attack vector, there are a lot of different ways it can attack the user."

UAF could be integrated with Metasploit at some point, says HD Moore, creator of Metasploit. "A few people have been working on similar projects over the years, and I'm excited that someone is going to finally release one," Moore says. "There's a good chance we can share code and do integration on the Metasploit side as well."

UAF tracks specific details of a multilayer phishing attack, such as when a phishing email was sent; if the user clicked on it and, if so, at what time; whether the user provided his credentials; and a count of how many payloads were successful. "We don't want to make this a canned Outlook attack," he says.

The metrics data can help an organization determine how effective it was at stopping at attack, for instance, or what tricks users fell for, Perrymon says. "This is not a tool where we spoof and see if someone gives information. We want to track the whole process to help an organization apply security awareness to the problem," he says. "At the end of the day, that's what's going to protect them against these [user] attacks. Technology can't."

UAF can run on Linux and Windows, he says. The free, open-source version of UAF software is aimed at penetration testers, and doesn't contain all of the functionality of the commercial tool or managed service. "You have to use your own mail server, so we're not going to provide a way to send anonymous attacks. This gives companies that may not want to purchase it a way to test their organization in a safe manner," he says.

The commercial tool, meanwhile, will be priced around $5,000, and the managed service, from $2,500 to $10,000 per year. PacketFocus is looking for beta testers for the product and service, as well ([email protected]).

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Veterans Find New Roles in Enterprise Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/12/2018
Understanding Evil Twin AP Attacks and How to Prevent Them
Ryan Orsi, Director of Product Management for Wi-Fi at WatchGuard Technologies,  11/14/2018
7 Free (or Cheap) Ways to Increase Your Cybersecurity Knowledge
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Online Malware and Threats: A Profile of Today's Security Posture
Online Malware and Threats: A Profile of Today's Security Posture
This report offers insight on how security professionals plan to invest in cybersecurity, and how they are prioritizing their resources. Find out what your peers have planned today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19349
PUBLISHED: 2018-11-17
In SeaCMS v6.64, there is SQL injection via the admin_makehtml.php topic parameter because of mishandling in include/mkhtml.func.php.
CVE-2018-19350
PUBLISHED: 2018-11-17
In SeaCMS v6.6.4, there is stored XSS via the member.php?action=chgpwdsubmit email parameter during a password change, as demonstrated by a data: URL in an OBJECT element.
CVE-2018-19341
PUBLISHED: 2018-11-17
The u3d plugin 9.3.0.10809 (aka plugins\U3DBrowser.fpi) in FoxitReader.exe in Foxit Reader 9.3.0.10826 allows remote attackers to cause a denial of service (out-of-bounds read) or obtain sensitive information via a U3D sample because of a "Read Access Violation near NULL starting at FoxitReader...
CVE-2018-19342
PUBLISHED: 2018-11-17
The u3d plugin 9.3.0.10809 (aka plugins\U3DBrowser.fpi) in FoxitReader.exe in Foxit Reader 9.3.0.10826 allows remote attackers to cause a denial of service (out-of-bounds read) or obtain sensitive information via a U3D sample because of a "Read Access Violation starting at U3DBrowser+0x00000000...
CVE-2018-19343
PUBLISHED: 2018-11-17
The u3d plugin 9.3.0.10809 (aka plugins\U3DBrowser.fpi) in FoxitReader.exe in Foxit Reader 9.3.0.10826 allows remote attackers to cause a denial of service (out-of-bounds read), obtain sensitive information, or possibly have unspecified other impact via a U3D sample because of a "Data from Faul...