
Getting The Most Out of Metasploit: Pentesting, Password Auditing, and Vulnerability Validation in Metasploit

Posted by Christian Kirsch Feb 3, 2012

When we talk to Metasploit users, they usually use it for either penetration testing, password auditing or vulnerability validation, but few use it for more than one of these purposes. By leveraging your investment in Metasploit, you can triple-dip at the same price - no extra licenses needed.

 

Penetration Testing

 

With penetration testing, you can identify issues in your security infrastructure that could lead to a data breach. Weaknesses you can identify include exploitable vulnerabilities, weak or shared passwords, vulnerable web applications, and low security awareness among your staff. Typically, penetration tests are set up as projects, although companies are starting to adopt penetration testing as a program to:

 

  • Regularly assess the security of their infrastructure
  • Test the security of new applications and systems before roll-out
  • Re-test the security of systems after major changes

 

Password Auditing

 

Adding password auditing to your security program can really help you lower the risk of a data breach. By regularly scanning your network, Metasploit's brute forcing function can help you identify the following issues:

 

  • Weak passwords that lack length or complexity
  • Passwords contained in dictionaries
  • Passwords that are easily guessed based on information about the infrastructure
  • Vendor default passwords
  • Replaying cached credentials
  • Re-use of passwords across trust zones
  • Development test credentials in a production environment
  • Active accounts of previous employees

 


Vulnerability Validation

 

This is a lesser-known use case for Metasploit, but a very powerful one if used right. Vulnerability scanners can typically only detect whether a vulnerable version of an application or operating system is installed on a system. However, not all vulnerabilities are exploitable, and only exploitable vulnerabilities can lead to a data breach. If you don't know which vulnerabilities put the company's data at risk, you have to fix all of them. If you have ever read the long reports produced by vulnerability scanners, you know this is a daunting task. Most companies don't have the resources to ever close this list out.

 

With Metasploit, you can validate whether a vulnerability is in fact exploitable. You should focus on remediating these vulnerabilities, and can safely ignore the vulnerabilities that cannot be exploited. After you have remediated an exploitable vulnerability, use Metasploit as your litmus test to see if it is now no longer exploitable. Metasploit can import the vulnerability scanning reports from all major vulnerability scanners, so you can leverage your existing infrastructure and investment.

 

While penetration testing and password auditing will increase the security of your infrastructure as a type of "security quality assurance", vulnerability validation is a tool that helps you reduce the workload of your security team and focus on issues that really matter.

 

If you're interested in testing out Metasploit Pro for either penetration testing or vulnerability validation, download a free trial now.

Categories: Usage. Tags: metasploit, nexpose, metasploit-pro, vulnerability-management, vulnerability-validation, vulnerability-verification

How to Scan Your Network for Open H.323 Video Conferencing Systems in Metasploit

Posted by Christian Kirsch Feb 2, 2012

We've had a lot of people ask us how they can scan their own network to find out if they are vulnerable to the video conferencing issue described in HD's blog post Board Room Spying for Fun and Profit and the various news coverage of the video conferencing story. Here's a quick how-to:

 

  1. Download a free trial of Metasploit Pro.
  2. Create a New Project and click on Scan on the Overview tab.
  3. Click on Advanced Options.
  4. Change Custom TCP source port to 1720.
  5. Uncheck UDP service discovery for faster scanning.
  6. Ensure that Scan H.323 video endpoints is checked.
  7. To validate an identified service, connect with an H.323-capable client such as NetMeeting (Windows XP), Ekiga (cross-platform, but buggy), Mirial Softphone (commercial), or ClearSea In the Cloud (only able to reach internet-exposed devices). For internal systems, I still rely on NetMeeting in an XP virtual machine as the most reliable H.323 client; however, this lacks the Pan-Tilt-Zoom (PTZ) and keypad controls of a more advanced client like Mirial or ClearSea In the Cloud.

 

Get your free trial of Metasploit Pro now and start your scan!

Tags: metasploit-pro, h.323, videoconferencing

Weekly Metasploit Update: New Payloads, New Modules, and PCAnywhere, Anywhere in Metasploit

Posted by Tod Beardsley Feb 1, 2012

PCAnywhere, Anywhere

 

The big news this week centered around Symantec's pcAnywhere. For starters, there's a new ZDI advisory for a buffer overflow in the username field. More notably, though, was the advice in a Symantec white paper which advises customers to "disable or remove Access Server and use remote sessions via secure VPN tunnels." So, while the Metasploit elves bang away at a proper buffer overflow module, HD Moore busted out a pair of pcAnywhere service scanner modules, pcanywhere_tcp and pcanywhere_udp, and the Nexpose team wrote up a how-to blog post on auditing your infrastructure for pcAnywhere services using Dynamic Asset Groups. It's important to keep in mind that PCAnywhere has a tendency to show up as rogue software (not installed or approved by IT), so it would behoove one to audit one's network regularly -- to get started, you can download Metasploit here.

 

New Payloads

 

This week we also have a smattering of new payloads. Payload updates tend to be less frequent than modules, but these guys are pretty much what proves that a vulnerability is, in fact, exploitable. For that reason, it's always notable when new techniques and platforms are added into the mix. Community contributor argp provides osx/x64/exec, which allows for arbitrary command execution against Mac OS X 64-bit platforms. We also have three new payloads for PHP targets: php/bind_perl_ipv6 (by Samy and cazz), php/bind_php_ipv6 (by diaul and James "egyp7" Lee), and php/bind_tcp_ipv6 (also by egyp7).

 

New Modules

 

Of course, no update would be complete without the usual smattering of new modules:

 

* vbseo_proc_deutf exploits BID-51647 against Crawlability's vbSEO plugin for vBulletin, submitted by EgiX.

* ektron_cms400net, an auxiliary module which tests default passwords against Ektron CMS400.NET services, submitted by Justin Cacak.

* vmware_http_login, which targets VMware Server, ESX, and ESXi for brute forcing, added by David "TheLightCosine" Maloney.

* ms12_004_midi targets the Windows Media Player bug CVE-2012-0003 (aka MS12-004), provided by Wei "sinn3r" Chen and Juan Vazquez.

* hp_magentservice exploits CVE-2011-4789, a bug in HP Diagnostics Server's magentservice.exe, submitted by hal.

* find_vmx and enum_vbox, two post modules which enumerate local VMware and VirtualBox virtual machines, also by TheLightCosine.

 

As always, thanks to everyone out there in open source land for their efforts on these.

Availability

 

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

 

For additional details on what's changed and what's current, please see Jonathan Cran's most excellent release notes.

Categories: Release Notes. Tags: metasploit, pcanywhere

Migrate Nexpose to a newer platform in Nexpose

Posted by ereiners Feb 1, 2012

With Nexpose 5.1, you can now create platform-independent backups in order to migrate your installation to newer hardware or a different supported OS. For those of you on 32-bit platforms looking to migrate to more modern hardware, look no further. Here is how you do it:

 

1. Navigate to the Nexpose Administration->Maintenance view and select the "Backup/Restore" tab. Check the "Platform-Independent" checkbox, provide a description and click "Start backup".

2. As long as there are no reports or scans running locally, Nexpose will restart into maintenance mode in order to perform the backup. Log back in and you can monitor the progress of the backup.

3. Install Nexpose on your new host and make sure it is fully initialized and ready to go. Create a new directory at <installdir>/nsc/backups. Copy the backup file from the backup location on the old host, <installdir>/nsc/backups/nxbackup_<dateofbackup>.zip, to the newly created "backups" directory on the new Nexpose host. Log in to the new instance of Nexpose and navigate to the Administration->Maintenance->Backup/Restore tab. You will see an entry for the backup that you made in step 2, and it will show as a "Platform-Independent" backup, which means it can be restored to any supported platform. Click the "Restore" button to restore the backup.

4. The server will restart into maintenance mode and you can log in to monitor the progress. NOTE: Platform-independent backups may take longer to restore than platform-dependent backups. However, they take up much less disk space than platform-dependent backups. You may want to use this new feature in order to save disk space used by your backups.

5. Once the restore has completed, you should be able to log in and see all the data and customizations that were part of the backed-up Nexpose installation. Make sure you de-commission the old instance by shutting it down and uninstalling it so that the new install will be ready to accept new product and content updates.

With the Enhanced Backup and Restore you can now save disk space on backups and migrate your Nexpose installation to new hardware or a new OS. Enjoy!
