What you will learn...
• Setting up Metasploit Pro
• Defining a project
• Running a check on a specific target
• Validating the results
• Documenting findings
• Preparing a report
What you should know...
• Networking
• Databases
• Operating system skills
• Mail servers, web servers and other services
Let’s start by understanding what a penetration test, or pentest, actually means.
According to Wikipedia a pentest “is an attack on a computer system with the intention of finding security weaknesses, potentially gaining access to it, its functionality and data”.
If we look at NIST SP 800-53 Revision 4, it defines penetration testing as “a test methodology in which assessors, typically working under specific constraints, attempt to circumvent or defeat the security features of an information system”.
Penetration testing will help us identify threats, provide assurance to the organization, adopt and comply with legal requirements and best practice and, last but not least, help an organization determine what must be done to prevent exploitation. There are two scopes of penetration testing: non-destructive and destructive tests. Do not engage in such activities without proper authorization and planning. Imagine the result if you try this and end up running a one-shot exploit that renders a business-critical process unavailable.
The first step is the installation, which is simple. Once the setup is completed we need to access the platform via the web interface in order to set the username, password and other optional info.
Figure 2. Product Activation
Once we’ve activated the product this will be confirmed in the next screen.
Let’s make sure we have the latest version. For this we need to click on the Administration menu in the upper right corner and select Software Updates. In this case a new version was available.
Figure 3. Software update
For testing purposes Rapid7 is offering a virtual machine which can be downloaded to validate the features of Metasploit.
Make sure your test lab is properly configured and prevents unauthorized access. If you can hack it, somebody else can too, and the last thing you need is to introduce a backdoor into your infrastructure. I shall skip the part where we configure the test lab so that we can focus on the functionalities of the software.
Now that we also have a target it’s time to define the scan targets. The platform allows us to fine tune the process according to our needs.
Figure 5. Discovery
We can even define whether we need to scan for devices with SNMP management using a variety of community strings. Other options are available, such as scanning hosts individually (this results in a slower scanning process, but the database is populated sooner) and a dry run. The discovery process can be customized to include credentials. The web scanning settings can also be fine tuned (maximum requests, time limit, concurrent requests).
After we’ve finished setting the discovery parameters it’s time to hit the Launch Scan button in the bottom right corner to start the task.
Figure 7. Discovery task running
Once the process is completed we’re presented with a summary: the number of hosts and services found.
Figure 8. Discovery task completed
Now it’s time to check if we can exploit some of the services discovered. To perform this task we simply have to click on the Exploit button shown in Figure 8 (Discovery task completed).
The automated exploitation attempt configuration will be presented in the next screen. If we decide to target only one of the hosts discovered we can do that by leaving only that equipment in the target address. By default the minimum reliability of the exploits is set to great. Once more, please note that this can render a service unavailable. There are several options in terms of reliability: excellent, great, good, normal, average, low.
Of course there are several options available for fine tuning, such as:
• excluding target addresses
• payload settings
• payload type: Meterpreter or command shell
• connection type: automatic, bind (which is good for cases where NAT is available and all ports on the target system are not blocked) and reverse
• listener ports
• listener host
• auto launch macro
• enable stage encoding for IPS evasion
• exploit selection
• included ports
• excluded ports
• skip exploits that do not match the host OS (we need to be careful since the OS fingerprinting might fail due to devices that are masking it)
• advanced settings
• concurrent exploits
• timeout
• transport evasion (each level applies different techniques: low is using delays in TCP packets, medium is sending small packets and high combines both)
• application evasion
• web application identification settings (HTTP basic authentication, initial cookie, user agent)
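The exploit selection settings above (minimum reliability, included and excluded ports, skipping modules that do not match the host OS) are easiest to reason about as a filter over the candidate module list. The following is an added worked example, not code from the article or from Metasploit Pro: it applies those filters in the order the list gives them and shows the caveat about failed OS fingerprinting, where the OS filter silently drops every module for a host whose OS is unknown. Module names, hosts, ports and OS labels are constructed for the example; the six rank names are the ones the article lists, best first.

```python
"""Added example: how the exploit-selection settings narrow the module list.
Not Metasploit Pro's own code; inventory below is constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Reliability ranks as listed in the article, most reliable first.
RANKS = ["excellent", "great", "good", "normal", "average", "low"]


@dataclass
class Module:
    name: str            # constructed label, not a real module path
    rank: str
    target_os: str       # OS family the module is written for
    port: int            # service port it is launched against


@dataclass
class Host:
    address: str
    os: Optional[str]    # None: OS fingerprinting failed or was masked
    open_ports: Set[int] = field(default_factory=set)


@dataclass
class Settings:
    min_rank: str = "great"                    # the default the article mentions
    included_ports: Optional[Set[int]] = None  # None: no restriction
    excluded_ports: Set[int] = field(default_factory=set)
    skip_os_mismatch: bool = True


def rank_allowed(rank: str, min_rank: str) -> bool:
    """True when rank is at least as reliable as min_rank (lower index = better)."""
    return RANKS.index(rank) <= RANKS.index(min_rank)


def select_modules(host: Host, modules: List[Module],
                   settings: Settings) -> Tuple[List[str], List[str]]:
    """Apply the settings and return (chosen module names, warnings about
    modules dropped for a reason the operator should double-check)."""
    chosen: List[str] = []
    warnings: List[str] = []
    for m in modules:
        if not rank_allowed(m.rank, settings.min_rank):
            continue                      # below the reliability floor
        if m.port not in host.open_ports:
            continue                      # service not seen in discovery
        if settings.included_ports is not None and m.port not in settings.included_ports:
            continue
        if m.port in settings.excluded_ports:
            continue
        if settings.skip_os_mismatch:
            if host.os is None:
                # The caveat from the settings list: when fingerprinting
                # failed, the OS filter drops every module for this host.
                warnings.append(f"{host.address}: OS unknown, {m.name} dropped by OS filter")
                continue
            if m.target_os != host.os:
                continue
        chosen.append(m.name)
    return chosen, warnings


# Constructed inventory for the demonstration.
MODULES = [
    Module("fileshare_exploit_a", "great", "windows", 445),
    Module("fileshare_exploit_b", "average", "windows", 445),
    Module("ftp_exploit_c", "excellent", "linux", 21),
    Module("web_exploit_d", "good", "windows", 80),
]
HOSTS = [
    Host("10.0.0.5", "windows", {80, 445}),
    Host("10.0.0.9", None, {21}),
]

if __name__ == "__main__":
    for h in HOSTS:
        chosen, warnings = select_modules(h, MODULES, Settings())
        print(h.address, chosen, warnings)
```

With the defaults, the Windows host keeps only the single module ranked great or better on an open port, and the host with no fingerprint keeps nothing at all but produces a warning; turning off the OS filter (or supplying the OS by hand) is what brings its candidate back. Reviewing those warnings before launching is cheaper than wondering later why a host was never attempted.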
After we have defined the required settings all we need to do is click on Exploit and let Metasploit work its magic. A review of the settings that were chosen will be presented at the beginning of the exploitation task that is running.
When the task is completed we can review the results.
Figure 11. Automated exploit task finished
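Seen from the defender's side of the lab, the session that this task opens looks different on the wire depending on the connection type chosen earlier: a bind payload means a new inbound connection to a port the host never listened on, a reverse payload means the host itself calling out to the listener host and port. The transport evasion levels (delays in TCP packets, small packets, or both) leave their own trace in flow statistics. The following is an added detection example, not code from the article or from Rapid7; it runs over constructed flow records for a monitored lab host, and the baseline tables, thresholds, addresses and ports are all assumptions to be tuned to a real network.

```python
"""Added example: spot bind-style and reverse-style sessions and the
transport-evasion patterns in flow records. Not the article's code;
all records, baselines and thresholds are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Per-host baseline (constructed): ports each monitored host normally
# listens on, and destinations it is expected to open connections to.
BASELINE_LISTEN: Dict[str, Set[int]] = {"10.0.0.5": {80, 445}}
ALLOWED_EGRESS: Dict[str, Set[str]] = {"10.0.0.5": {"10.0.0.53", "10.0.0.10"}}

# Thresholds for the transport heuristics (assumptions, tune per network).
SMALL_SEGMENT_BYTES = 16   # average payload per packet below this is odd
SLOW_GAP_MS = 500          # average gap between packets above this is odd
MIN_PACKETS = 20           # ignore very short flows


@dataclass
class Flow:
    ts: int            # flow start, epoch seconds
    src: str
    sport: int
    dst: str
    dport: int
    pkts: int
    payload_bytes: int
    duration_ms: int


def session_kind(f: Flow) -> Optional[str]:
    """'bind' when a monitored host accepted a connection on a port it never
    served, 'reverse' when it called out to a destination not in its egress
    baseline, None otherwise."""
    if f.dst in BASELINE_LISTEN and f.dport not in BASELINE_LISTEN[f.dst]:
        return "bind"
    if f.src in ALLOWED_EGRESS and f.dst not in ALLOWED_EGRESS[f.src]:
        return "reverse"
    return None


def transport_flags(f: Flow) -> List[str]:
    """Flag the small-segment and delay patterns of the evasion levels."""
    flags: List[str] = []
    if f.pkts < MIN_PACKETS:
        return flags
    if f.payload_bytes / f.pkts < SMALL_SEGMENT_BYTES:
        flags.append("small-segments")
    if f.duration_ms / f.pkts > SLOW_GAP_MS:
        flags.append("delayed")
    return flags


def analyze(flows: List[Flow]) -> List[Tuple[int, str, List[str]]]:
    """Return (start time, session kind, transport flags) per anomalous flow."""
    findings = []
    for f in flows:
        kind = session_kind(f)
        if kind is not None:
            findings.append((f.ts, kind, transport_flags(f)))
    return findings


# Constructed records: normal web and DNS traffic, a bind-style session
# carried in many tiny segments, and a reverse-style session with long
# inter-packet delays.
SAMPLE_FLOWS = [
    Flow(1000, "10.0.0.20", 51000, "10.0.0.5", 80, 12, 3400, 200),
    Flow(1010, "10.0.0.5", 40000, "10.0.0.53", 53, 2, 120, 30),
    Flow(1020, "10.0.0.20", 51010, "10.0.0.5", 5555, 60, 600, 9000),
    Flow(1030, "10.0.0.5", 40010, "10.0.0.20", 5566, 40, 8000, 30000),
]

if __name__ == "__main__":
    for ts, kind, flags in analyze(SAMPLE_FLOWS):
        print(ts, kind, flags)
```

The two baseline tables are the whole point: without a record of what each host normally serves and who it normally talks to, neither connection type stands out, which is also why the lab itself needs that baseline before the exploitation run rather than after it.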
Since we have a session opened it’s time to collect some info, and all we have to do is click on the Collect button from Figure 10 (Automated exploit task finished).
Evidence we can collect:
• Universal
  • System information
  • System passwords
• *Nix Shell
  • SSH keys
• Windows
  • Screenshots
  • Installed Applications
  • Drives
  • Logged on Users
  • Primary Domain
• Collect other files (we need to define a filename pattern, maximum file count and maximum file size)
After we have selected the information we require we need to click on the Collect System Data button. A new task is created in which we can see the progress and information about the data collected.
Figure 12. Data collection task started
Once the task is completed we can have a look at the host in order to see an overview of where we stand.
Figure 13. Overview host
The information is grouped into several tabs: services, sessions, vulnerabilities, credentials, captured data, notes, file shares, attempts and modules.
The collected credentials will be added to a repository so that we can use them to try to gain access.
Figure 14. Host collected credentials
Figure 15. Shell access
Metasploit also provides the option to start a web application scan, perform a web application audit and exploit the web application.
There are a number of predefined reports available, including for PCI-DSS and FISMA compliance. Reports can be customized and new reports can be created.
Summary
Metasploit has many features including Phishing Campaigns, Quick PenTest, Vulnerability Validation, Web App Testing all delivered in a very clean and simple format with just a few clicks.
With the Pro version you also get Team Collaboration, VPN pivoting, Automation through Wizards, Social Engineering, Metasploit Pro API, Vulnerability Validation and many other interesting and useful features. You can use it as a standalone tool or start integrating it with different platforms from different vendors. It’s scalable, reliable and it comes in many versions which should cover existing needs.
About the Author
Cristian has vast expertise in IT, Cyber Security, Risk Management and Governance.
Currently he is the IT & Cyber Security Director for UTI Grup. He is actively involved in multinational security initiatives and alliances, acts as a certified trainer for IT & Security and is a speaker at various summits and events. Previously he has covered several senior management roles in the financial, telecommunication and security industries. His professional services were endorsed by governmental and private institutions.
He’s involved in managing the development and implementation of the security strategy and global security policy, standards, guidelines and procedures to ensure ongoing maintenance of security and works with other executives to prioritize security initiatives and spending based on appropriate risk management and/or financial methodology, maintains relationships with law enforcement and other related government agencies.
He currently holds certifications from: EC-Council: Certified EC-Council Instructor, C|CISO (Certified Chief Information Security Officer), Certified Ethical Hacker (CEH), Computer Hacking Forensic Investigator (CHFI)
ISACA: CISA (Certified Information Systems Auditor), CISM (Certified Information Security Manager), CRISC (Certified in Risk and Information Systems Control), Mandiant: Advanced Malware Analysis, ISC2: SSCP, ISO 27001 Lead Auditor, IAEA & CNCAN: Information and Computer Security for Strategic and Critical Infrastructure, CISCO: CCAI, SonicWALL: CSSA, Symantec, IBM, McAfee, Veeam and other institutions and is certified in Security, Risk, Weapons and Ammunition, Strategic Management, Leadership and Managerial Communication.