This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
The practical phase of this project begins with setting a penetration test environments that are including different user interfaces for Metasploit Framework. During this phase, we shall see how to conduct a penetration test followed by examining and summarize the results and benefits of penetration testing. Finally, this report will explore the relation between computer forensics and penetration testing.
In the last decade, the Internet has been subject to extensive security attacks. A large collection of threats: Worms, break-ins, crackers, hijacking hackers, phreakers, spoofing, man-in-the-middle, password-sniffing, denial-of-service, and many other attacks. Since the Internet was a result of academic researches to share information, high security measures were overseen. In some of its modules, security was intentionally weak for easiness in sharing. Although the introduction of electronic commerce has pushed for "tougher security" in the Internet, there is yet an enormous amount of users extremely vulnerable to attacks because they are not aware of the simplicity of the attacks and still believe that a "strong" password is enough.
The accomplishment of the Internet has brought change to the world; however, not all of these changes have been prolific. The connectivity of computers to the internet increased and the unrestrained development of the size and complexity of systems has made internet security a bigger headache . With thousands of sites introduction daily and limited means available to monitor the integrity and security of these sites the existence of vulnerabilities was foreseeable.,
Eventually, exploits became widespread causing the information security experts to step up and act. The result was the emergence of vulnerability testers to attempt to exploit such vulnerabilities far before others got the opportunity. In an attempt to overcome the security problems and comply with the required security procedures, security experts have developed several security reassurance methods including software engineering environments, layered design, proof of correctness and penetration testing.
H.D. Moore in 2003 founded the Metasploit Project. His sole purpose was to create a penetration testing tool that could be easily operated by even beginner users to execute penetration testing, patch verification, and development the project formerly known today as the Metasploit Framework. Like any other security tool, this software often described as a double-edged sword for that it could cause significant harm if it used for the wrong cause. .
Penetration testing is an inclusive method to test the operational, integrated, and trusted computing base . The practice involves an active investigation of the system for any possible vulnerability, including poor or inadequate system configuration, software and hardware defects, and operational flaws in the process or technical measures .
Security functional testing is different from penetration testing. It validates the correct performance of the system's security controls while, penetration testing states the difficulty and complexity for an exploiter to penetrate an institute's security measures to prevent unauthorized access to its information systems. This done by simulates attacks by an unauthorized user using either manual method or automated tools or a combination of both.
Understanding Metasploit Framework
The Metasploit Framework is a tool that collectively combines exploits into one central location ideally for security researchers. Version 1.0 written by H.D. Moore using Perl sporting curses based front-end. Version 2.0, also written in Perl and included the help of a few additional developers. For Version 3.0, Metasploit received a complete overhaul. Written in the powerful scripting language Ruby, Metasploit 4.0 now boasts the power of automation due to the nature of Ruby's status as an object-oriented language. Additionally, Metasploit considered as multi -platform running on most variations of UNIX and Windows .
The Metasploit Framework developed with the purposes of making security experts' lives easier. The original main users are considered to be network professionals, network security administrators, developers, and other security researches. Each would use the tool within the guidelines of their own discipline; network security professionals for penetration testing, security administrators for patch installation verification, product vendors for regression testing, and other security researchers for perhaps development of other exploits .
The Metasploit Framework can be a bit confusing for novice users as the Linux distribution offers no Graphic User-Interface (GUI). Therefore learning the semantics and syntax of the framework is essential to the effective use of the software.
The primary outline of the majority of attacks in Metasploit revolves around the following foundation;
1. Selecting an exploit and configures it.
2. Inspection for susceptibility.
3. Selecting a payload and configures it.
4. Selecting an encoding system.
5. Performing the exploit.
One of the key components of Metasploit is the exploits. At the time of this paper's writing Metasploit contains 613 exploits, 306 auxiliary modules, 215 payloads, and 20 encoders. Exploits target specific Operating Systems, applications, and/or services .
Additionally, auxiliary modules exist within the context of Metasploit and can be declared just as easily as exploits. In Metasploit, an auxiliary module defined as a module without a payload. Auxiliary modules serve as accessories to the Metasploit Framework and can be used in a variety of facets to expand upon the capabilities of the program. Just a few of their features include making Metasploit act as a vulnerability scanner, port scanner, HTTP client, FTP client, SMB client, and etc .
Next there are the various payloads that exist for each exploit., After an exploit initiated and the remote target or targets selected a payload must be selected to be executed after the breach., The payloads of Metasploit are Operating System specific, though generic payloads do exist .
Additionally, payloads in Metasploit come in three main variations; singles, stagers, and stages .
Singles are independent and uncomplicated command-line executions such as adding a user to a target system. Stagers establish are liable network connection while remaining small enough to deliver the stage. Because sometimes acquiring both a reliable connection and limited overhead can be difficult, several variations in stagers exist.
Stages are the final piece of the puzzle of stagers as they provide the components for the stager to deploy. Table 1 shows the differences between the three in syntax form.
Table 1. Showing Payload Types
Here, we can see that the single payload type includes the whole process of 'shell_bind_tcp,' while the latter two differ in path. The stager in this case is the 'bind_tcp' module while the 'shell' acts as the stage by which the stager can download its resources .
Overall, payloads serve as post -exploitation commands that can be as easy as adding a user to the targeted system or binding a command shell to a designated port. Additional options include; VNC injection, remote shell execution, meterpreter execution, and backdoor installations .
Lastly, in order to provide another layer of promiscuity payload encoders may be added to the exploit to ensure the connection between the attacker and victim remains encrypted. These works, in much the same way as hashes by encapsulating the content of the payload with predetermined key obfuscating it from detection.
Now that we understand the dictation and origins of Metasploit we can move on to the applications of the product. We will begin with a brief synopsis of a few common attacks followed by some distinguishing characteristics of the Metasploit Framework. While Metasploit primarily identified as a one-stop exploitation application its sole purpose revolves not just around the exploitation of remote systems, but also around the development of new ones. With the 3.0 iteration of Metasploit, near complete automation is possible as scanning, fingerprinting, identifying vulnerabilities, exploiting, and reporting can be configured with some degree of work.
2.1 Example Attacks
Considering one of the most commonly attacked sources are web servers, it seems to terrify to think that Metasploit houses an exploit that within eight, commands can compromise an Apache Web Server .
The attack we're referring to utilizes chunked encoding to craft an invalid request on the server causing at the bare minimum a Denial-of-Service attack; though with some OSes remote code execution is possible. This instigated by a stack overflow that controlled on 64-bit OSes where return addresses stored on the stack heap. In the collaborative experiment of Rajani, Mohamed, and Stanbury, the results indicated a successful breach with remote code execution being successful in the form of adding users with full permissions and writing files to the root directory on the web server .
In the days of prevalent e-commerce, some are considering these additions to the Metasploit Program as disorganized.
Another big target for exploits reside in database servers that house large amounts of data ranging from social security numbers to financial data. One of the leaders in database management is Oracle with an approximate market share of 40 percent .
The majority of databases use the same language, Structured Query Language (SQL), thus often exploits targeting databases using this language. Because of this no free penetration testing software currently offers an independent direct exploit to the system .
As we mentioned previously, a key feature of the Metasploit Framework is development. At the Black Hat USA Conference in 2009 Chris Gates and Mario Ceballos, presented a method for exploiting Oracle through SQL injection techniques utilizing custom-built auxiliary modules . Their attacks consisted of seven steps that make up what they considered the basis of pen testing;
1. Detect a system running Oracle.
2. Determine Oracle Version.
3. Determine Oracle SID.
4. Guess/ Brute force Logins (Username/Password).
5. Privilege Escalation via SQL Injection.
6. Manipulate Data/Post Exploitation
7. Hide and cover Tracks.
Each step required a separate auxiliary module to locate a system, the inclusive NMap used to direct a port scan searching for commonly used Oracle ports, 1521 1540. A homemade TNS mix-ins added to the Metasploit trunk allowing it to craft TNS packets to determine the Oracle version. In order to guess the Oracle SID, a SID enumerator used as subsequent to version 18.104.22.168 Oracle no longer freely gives out this information. A dictionary list by Pete Finnigan used to feed the pre-existing auxiliary module for Bruteforcing the username/password combination. Privilege escalation of the username gathered in step four accomplished by SQL injection vulnerability in the DBMS_EXPORT_EXTENSION package. For post exploitation, the win32exec module used to execute a remote command on the machine to create a user on the system for future access .
One of the powerful payloads discussed above, meterpreter, originally emerged in Metasploit version 2.2 . What makes meterpreter so powerful is its elusiveness in being detected by even the most knowledgeable security analysts. Meterpreter is an advanced dynamically integrated payload that resides entirely in-memory by injecting DLL stagers. Once a compromised system discovered and exploited the meterpreter payload establishes a client side command interpreter with which to communicate .
This allows the attacker remotely interact with the host system without having to establish separate connections. Under normal circumstances, once a system exploited a single payload is delivered that is only able to execute one command. This one command could be something as simple as adding a user or opening a remote shell with which to communicate. In doing this, a resulting cmd.exe process would be created in the process list with SYSTEM rights .
Immediately, this would raise red flags. However, with meterpreter DLL injection used to upload the meterpreter process into the compromised processes' heap. Normally, an uploaded DLL would be written to the disc, yet meterpreter alters the way the Load Library utilizes core API calls redirecting them to the memory location of the meterpreter DLL .
The truly beautiful thing about meterpreter is its ability to remain undetectable by most commonly implemented host based IDSes. By embedding itself into preexisting processes and not altering system files on the hard-drive, the HIDS never made any wiser. Not to mention, the process in which meterpreter hides can be changed at a whim so tracking it and stopping the process becomes rather difficult even to the trained eye.
2.3 Penetration Testing Automation
For years the dream of automating penetration testing, often abbreviated as pentesting, considered a dream. The challenges facing post-exploitation automation include; visible processes, file transfer capabilities, and exploit expiration .
The only way around executing a separate visible process would be to install a root kit or backdoor, though this requires the transfer and installation of additional malware. This brings up the capability of a payload to transfer/install files to the remote system. To do this requires an advanced payload that will most likely be compromised in its writing of data to the remote system. Lastly, exploit expiration refers to the acknowledgement that some exploits can only be run once. Absence of separate sessions to enlist multiple tasks the process can become time consuming if not impossible. This would require the use of another exploit to complete other tasks .
According to Irani and Weippl's research on post - exploitation automation, meterpreter in conjunction with commonly installed scripting languages provides just the right tools for a solution to these problems .
Meterpreter's distinctive ability to remain hidden in current processes through DLL injection allows a method around the visible process problem. Additionally, because the process is not blatantly listed the use of a root kit or back door is not necessary, thereby, voiding the need for file uploading and the risk of running into anti -virus scans. Though, on that note, an analysis conducted by Mark Baggett, found that only 3 out of 32 reputable antivirus programs interpreted a stand - alone meterpreter payload as a security risk .
Lastly, meterpreter also provides users with the ability to open independent sessions allowing for efficient multitasking. With the help of meterpreter post -exploitation scripts can be ran with the capability of not only further exploiting the current system, but previously non-exploitable machines, as well. Pivoting is the technique of using an exploited machine to exploit a previously safe-guarded machine .
Not to go into too much detail, but the port forwarding service of meterpreter provides this capability allowing for a connection back to the initial attacker. The point is that the automation of post -exploitation tasks extends far beyond just automating the initial system. With the right script automation can be implemented to scan an entire network for vulnerabilities.
Metasploit Framework freely available for anyone to use, it is extremely vital to keep up-to-date on the advancements in securing data as even a novice user can pick up this tool and within hours become dangerous threat. For this reason, it seems imperative that administrators implement every security measure to protect their network. Here, we'll cover a few pieces of software that will help in thwarting the threats of this product.
According to a study conducted in 2008 by Mark Baggett of the SANS Institute, "today's antivirus products are all but entirely ineffective in detecting Metasploit payloads" . Baggett's technique involved extracting Metasploit payloads to run them through the collective virus database housed at VirusTotal.com. The results suggested not using encoders payloads detected approximately 19% of the time while when using encoders, this percentage dropped to around7% .
While the majority of antivirus distributions picked up little to nothing, there was a common trend in one that did recognize a threat. F-Secure performed the best with a 72% detection rate while notably Panda and Kaspersky did well against encoded and non-encoded attacks, respectively .
Overall, though some of the big names of the industry were quite often fooled. Based on the research provided by Baggett it seems relatively safe to say that the answer for protection against Metasploit payloads does not reside in antivirus software.
3.2 ModSecurity (modsec)
ModSecurity is an open-source intrusion detection and prevention system designed for web servers. Just like any other IDS, Modsec, checks inbound requests against a set of preconfigured rules that designated by the user. However, unlike most IDSes Modsec performs, not as a separate application, but as a module of the web server.
Additionally, requests screened at the HTTP level rather than the TCP/IP level allowing for a much greater range of specifications to be tested at the application layer .
In section 2.1 vulnerability in Apache web server, concerning chunked encoding used to remotely run random code. In order to circumvent this attack, the George Mason University researchers employed the tactics of Modsec specifically to reject all incoming chunk encoded requests to the server. The result was a success in that all chunk encoded requests were dropped disallowing the attack to succeed .
For many, attacking systems on the Internet is an easy and affordable mean to learn penetration tactics because it provides a wealth of targets and opportunities. It is illegal approach that results in many cases of people going to jail or having to pay large sums of money in fines and restitution. However, it is possible for those who wish to learn penetration testing without any legal risks by staging a penetration test environment.
Creating a PenTest lab to learn and practice different techniques of ethical hacking, does not require specific hardware or in depth knowledge of networking. In fact, the whole PenTest environment could be built on one desktop computer or laptop it all depends on the utilization of the applications used to create the penetration test environment.
The minimum requirements for creating a working PenTest environment are;
A computer or a laptop with a CPU speed more than 500 MHz and 2GB RAM.
Internet Protocol (LAN TCP/IP).
An active (DHCP) server (if no network present a soft DHCP could be used) configured with Pool Starting Address: 192.168.1.2 and IP Subnet Mask: 255.255.255.0
VMware Player or Oracle VM Virtual Box.
Metasploit Framework or any Metasploit Framework user interface.
A Metasploitable VM image.
In Figure 3.1, There are two pieces of hardware, a laptop and a wireless router. These are not a requirement; a desktop and a wired router will do the job. The OS on the Laptop is Microsoft Windows and VMware Player used to run all LiveCDs that contain the target server and Metasploit framework.
If a network connection cannot be obtained, the router could be replaced by a software application capable of providing the same functionality as seen in Figure 3.2.
The above configuration is enough to attempt replicating any penetration test carried out in this project although, the PenTest lab for this project created to provide near to a real environment with different OS platforms to test, several Metasploit Framework interfaces and internal and external networks.
Figure 3.2 illustrates the project testing environment setup. There are 3 workstations with configurations enough to run 4 virtual machines simultaneously, Red Hat enterprise Linux Server 6.3, 3 Laptops, IPad a, 3 smart phones and 2 LANs contacted to each other throw the internet.
Table 3.1 lists all the operating systems running on virtual workstations. Some of these OSes downloaded from the internet as VMS while others marked in green has been created to be used in this project.
MS Windows XP
Oracle Solaris 11.11
MS Windows Vista
Mac OS x Lion 10.7
MS Windows 7
Red Hat server 6.3
MS Windows 8
MS Windows Server 2008
MS Windows Server 2012
BitNami Joomla 3.0.2-0