SysAdmin Corner: Introduction to Pentesting and the Pwn Plug – Part 1

Metasploit Community Framework

All of the bells, whistles and graphs provided by the very expensive pentesting platform Metasploit Pro are actually window dressing for the completely free Metasploit Community Framework, which is easily one of the most powerful, overused and poorly understood tools that exists in security.  The framework is huge – and there is simply no way to cover it effectively even if I wrote a hundred tutorials on it… so when we do cover it later in this series, plan on it barely scratching the surface. 

Metasploit contains an utterly ridiculous amount of software vulnerabilities for nearly every type of OS and service combination that you are likely to encounter in the wild, and is updated religiously by hackers everywhere.  Along with the vulnerabilities themselves, the framework provides built-in code (called payloads) that work with the different types of vulnerabilities (they’re sorted for you, so you don’t need to worry about what won’t work with a chosen exploit).  Hardcore pentesters can even roll their own, and useful ones are encouraged to be submitted to the framework.

The framework is self-updating and self-contained, with a vast array of tools built in (including a comprehensive database interface to track results of each stage of the process).  Because of the regular updates and the newer commercial version (the Metasploit Express license), the Community Framework has changed and likely will change again.  The biggest change in recent memory is the loss of the “Autopwn” functionality, which expedited testing across a wide variety of hosts.  However, Fast-track, which we’ll cover in a moment, helps to bring that back.

On the Pwn Plug in particular, it’s important to note that Metasploit has been pared down to specific functionality for pentesters, instead of being the complete “hack-in-the-box” that it’s come to be known for.  Those who are familiar with certain features will likely find them needing to be separately installed, but for most people that are trying to genuinely test (instead of just break) networks, the changes won’t be very noticeable. 

SET

Metasploit is a great test of a network’s exposed services, but it ignores two of the most powerful exploits known to the industry – users, and browsers (Metasploit’s Browser Autopwn is part of the community framework, but it doesn’t provide any direct method for getting someone to go to the attack site).  And as we have covered earlier, users suck.  The Social Engineering Toolkit, or SET, is pure proof of that concept – it’s designed to create phishing mails and tie them to well-dressed autopwn websites that exploit a user’s browser upon opening and (upon success) phoning home with a Meterpreter shell. 

Any good pentest should test more than just the systems, and SET is a perfect example of how to go about that.  Not only do you learn which systems are running highly exploitable browsers, you also get to see who in the office either clicks through every warning as if it’s gibberish or has their security settings largely disabled.  The benefits of this should already be so obvious to you that I don’t need to spell them out here. 

Speeding up the process with Fast-track

Fast-track is, in a way, the “poor man’s Metasploit Pro.”  It’s an open-source wrapper to the Metasploit framework that is designed to speed up pentesting by automating common but advanced tasks.  Now, based on my entire argument with things like CORE Impact and Metasploit Pro, you would think that I would find a tremendous amount of issue with this – and indeed, there’s a reason why it’s being included last on my highlights reel.  

Fast-track is just that – it relieves the pentester of quite a lot of work that could have yielded additional information if each test was performed by hand.  However, what differs about it is its purpose – Fast-track is not meant to scan for everything, it’s meant to scan for what vulnerabilities are well-documented, quickly repairable and come up again and again in pentests.  Most of these vulnerabilities are widely discussed and the technique for using them has become obsolete by newer versions, so there is little to gain by wasting time learning about them.  This time is much better spent going out and downloading the patches or updates that will make them obsolete on your system, as well. 

Testing passwords with Hydra

We all know that “12345” is the same password that an idiot would have on his luggage, but what about on your database?  Many users’ internal passwords are not very secure and many common “group” ones are even less than that.  How many SQL users are there with no password, or “hello”?  How many routers sit at the default password?

Hydra makes finding this information much easier, offering a fast and effective brute-force for both username and passwords on a variety of different protocols including MySQL/MSSQL/Oracle, Cisco setups, IMAP/POP3 email, HTTP/HTTPS, and a bunch more. 

The W3AF framework

Some sysadmins get the extra joy of having to worry about a large majority of webapps on their systems, which can be tricky to test.  On the next page, we’ll highlight some extra tools that are specific to webapps.  However, since we’re covering frameworks now, it’s a perfect time to bring up W3AF. 

The W3AF framework is, in essense, the Metasploit of webapps.  The framework functions very similarly to Metasploit, has a very large number of features and exploits, and is used in much the same way.  It isn’t updated nearly as consistently (it’s a much smaller team), so it’s possible to miss some of the newest issues.  Therefore, if webapps are a big part of your business, it’s worth keeping an eye out elsewhere and counting on W3AF to make sure that you don’t accidentally fall prey to some of the established vulnerabilities or recent trends.  However, it’s a well-built toolset and one that we’ll be looking into in detail as we examine webapps in future tutorials.