The Use of Metasploit Tool in Development Lifecycle
Masaryk University
Faculty of Informatics

The use of Metasploit tool in development lifecycle

Bachelor's Thesis

Miroslav Maceček

Brno, Spring 2016

Declaration

Hereby I declare that this paper is my original authorial work, which I have worked out on my own. All sources, references, and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source.

Miroslav Maceček

Advisor: RNDr. Petr Švenda, Ph.D.

Acknowledgement

I would like to express my gratitude to my colleagues and friends for their support. I would like to thank my advisor RNDr. Petr Švenda, Ph.D. for his patience.

Abstract

This bachelor thesis explores the use of Metasploit in the web application development process. First, it describes the structure and general workflow of the open source Metasploit Framework. It also describes Wmap, the most extensive plugin for web application testing. This plugin is tested against the application Mutillidae II, which contains a lot of known vulnerabilities, and the success of this test is evaluated afterwards. The text then describes a couple of different ways of creating customized test scenarios, which evaluate the OwnCloud and LimeSurvey applications.

Keywords

Metasploit, penetration testing, web application, development process, Mutillidae II

Contents

1 Introduction ........................ 1
2 Metasploit ......................... 3
2.1 Metasploit Framework Components ......... 3
2.1.1 Libraries ...................... 3
2.1.2 Interfaces ..................... 3
2.1.3 Modules ....................... 4
2.1.4 Mixins and Plugins ............... 5
2.2 General Workflow ................... 5
3 Wmap Plugin ........................ 7
3.1 List of modules .................... 7
3.1.1 wmap_ssl ...................... 7
3.1.2 wmap_server .................... 7
3.1.3 wmap_dir ...................... 9
3.1.4 wmap_file ..................... 10
3.1.5 wmap_unique_query ............... 11
3.1.6 Managing modules ................ 11
4 Test Environment .................... 13
4.1 Mutillidae II ...................... 13
4.2 LimeSurvey ....................... 14
4.3 OwnCloud ........................ 14
5 Use of the Metasploit ................. 17
5.1 Mapping the Application .............. 17
5.2 Discovering Vulnerabilities ............ 18
5.3 Analyzing the Results ................ 19
5.3.1 Mutillidae II Results .............. 19
5.3.2 LimeSurvey Results ............... 21
5.3.3 OwnCloud Results ................ 21
6 Test Automation ..................... 23
6.1 Resource Scripts ................... 23
6.2 Plugins .......................... 23
6.3 Auxiliary Module Custom Commands ....... 23
6.4 Custom Auxiliary Modules ............. 24
6.5 Metasploit Remote API ............... 24
6.6 Ruby Programming .................. 24
7 Creating Resource Script ............... 25
8 Conclusion ......................... 27
Bibliography ......................... 29
A An appendix ........................ 31

1 Introduction

Web applications play an important role in today's world. They perform a lot of useful functions and they are used daily by a significant number of people. A lot of users rely on them without realising that none of them is 100% secure. There are applications which contain or handle financial transactions, personal information, classified or private documents. These data draw attackers, who seek a way to gain unauthorized access to them and eventually sell them or release them publicly. Every successful attack can cause significant losses to the owners and to the companies responsible for the data. To prevent such damage, penetration testing was introduced.

The purpose of this thesis is to explore the possibilities of Metasploit[1] as a tool for web application penetration testing. This verification consists of running and evaluating tests on the application with known vulnerabilities, Mutillidae II[2]. A large portion of the text describes the Wmap plugin.

2 Metasploit

Metasploit Project was started in 2003 by H. D. Moore as a computer security project to provide a public resource for exploit development.
One of its most famous sub-projects is Metasploit Framework. It used to be written in Perl, but it was completely rewritten in Ruby in 2007. This originally open source project was acquired by the commercial security company Rapid7 in 2009[3].

2.1 Metasploit Framework Components

Metasploit Framework is a modular system based on a few core components: libraries, interfaces, modules, mixins, and plugins[4].

2.1.1 Libraries

At the core of Metasploit Framework are libraries. These libraries contain a set of classes and utilities that manage the various parts of Metasploit Framework, such as modules, plugins, and interfaces.

∙ REX - Ruby Extension Library, is the most fundamental component of Metasploit Framework. It handles sockets, protocols, servers and text transformations.
∙ Core - The Core library (msfcore) provides the basic API. It enables exploits, sessions, and plugins to interact with the different interfaces.
∙ Base - The Base library (msfbase) provides wrapper routines and utility classes for easier work with the Core library.

2.1.2 Interfaces

There are several interfaces that can be used to access and utilize the functionality of Metasploit Framework.

∙ MSFconsole - The console interface, also known as msfconsole, provides an easy and interactive way to access the features and options within Metasploit Framework.
∙ MSFgui - MSFgui is a Java based graphical interface that provides the same functionality as the console with the additional benefits of a GUI. Additionally, msfgui enables you to connect to a remote msfrpcd session on a remote host.
∙ MSFcli - MSFcli runs directly from the command line. MSFcli enables you to automate exploit testing without the use of an interactive interface.
∙ Armitage - Armitage is a graphical user interface that visually streamlines the features within the Metasploit Framework, such as host discovery, server-side and client-side exploitation, pivoting, and privilege escalation.
2.1.3 Modules

Modules are the core components of Metasploit Framework. A module is a piece of software that can perform a specific action, such as exploitation, fuzzing, and scanning. Each task that you can perform with Metasploit Framework is defined within a module. The available modules can be located in the following directory: <installation directory>/metasploit/msf3/modules. There are several module types available, which depend on the purpose of the module and the type of action that the module performs.

∙ Exploit - Executes a sequence of commands to target a specific vulnerability in order to provide the attacker with access to the targeted system.
∙ Auxiliary - Performs arbitrary actions like information gathering, database fingerprinting, network scanning.
∙ Post-Exploitation - Enables the attacker to gather more information or to gain further access.
∙ Payload - It is the shell code that runs after an exploit successfully compromises a system. The payload enables the attacker to define how he wants to connect to the shell and what he wants to do to the target system.
∙ NOP generator - Generates a series of random bytes that can be used to bypass standard IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) NOP sled signatures.
∙ Payload encoder - A payload encoder enables the attacker to evade IDS and IPS signatures that are looking for specific bytes of a payload.

2.1.4 Mixins and Plugins

A mixin provides a way of sharing code between modules. A plugin works directly with the API. It is a component that extends, enhances or alters the functionality of the Metasploit Framework.

2.2 General Workflow

The following section provides a brief description of the general workflow for the Metasploit Framework.

∙ Choose a module - The type of module which the user should use is defined by the purpose of the task. All modules can be listed by the show all command.
If the user already knows what kind of module he needs, he can narrow down the search by entering show and the type of module mentioned in 2.1.3, e.g. show Payload. The selected module has to be loaded via load for future usage.
∙ Configure the module - Available options for the loaded module can be displayed by show options. If an option is required, the user must specify a value for it. Otherwise, it can be left empty.
∙ Set the option - For specifying options, the user can use the set and unset commands. Changes made with these commands work only within the current module context.
∙ Select a target - Before running an exploit module, the user has to choose a vulnerable target. The list of potential targets can be displayed by show targets.
∙ Select a payload - After selecting the target, the user can display the list of payloads for the given vulnerability with show payloads. The chosen payload has to be set with the set command.
∙ Run the module - The command for running the module is exploit.

3 Wmap Plugin

Wmap is a web application scanner for Metasploit, originally created from the tool SQLMap[5]. It is integrated in Metasploit Framework and it consists of several modules. „As of Metasploit Framework version 3.3.2, every exploit module has been assigned a rank based on its potential impact to the target system."[6] Nearly all of the 39 default modules have the normal ranking, which means that „The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect."[6] There is one exception: the module exploit/multi/http/lcms_php_exec has the excellent ranking (the exploit will never crash the service). Since there is no available data supporting this ranking system, I did not consider it meaningful and reliable.

This plugin is capable of reading all gathered traffic stored in the Metasploit database. The test itself runs all enabled modules and allows the user to configure nodes for distributed clients, storing all results in the central database.
In case there are no nodes configured, the test will be run from the local host.

3.1 List of modules

3.1.1 wmap_ssl

auxiliary/scanner/http/cert
This module checks whether the server certificate is valid and not expired.

auxiliary/scanner/http/ssl
Parses the server SSL certificate to obtain the common name and signature algorithm.

3.1.2 wmap_server

auxiliary/admin/http/tomcat_administration
Detects the Tomcat administration interface.
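The checks made by the two wmap_ssl modules above, re-created in plain Ruby as an added example (not code from the thesis or from Metasploit itself): it reads the common name and signature algorithm from a certificate and tests whether the certificate is currently valid, expired, and issued for the host being scanned. The self-signed certificate, the host name scan-target.lab, the fixed date and all function names are constructed assumptions so that the example runs offline.

```ruby
require 'openssl'

# Constructed test input: a throwaway self-signed certificate. A real scan
# would take the certificate from the target server's TLS handshake instead.
def build_test_cert(cn:, not_before:, not_after:)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                   # X.509 v3
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}/O=Example Lab")
  cert.issuer = cert.subject                         # self-signed
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  cert.sign(key, OpenSSL::Digest.new('sha256'))
  cert
end

# Signature algorithms a reviewer would flag (MD5 and SHA-1 based).
def weak_signature?(algorithm)
  algorithm.match?(/\A(md5|sha1)/i)
end

# What auxiliary/scanner/http/ssl reports: subject common name and
# signature algorithm (plus a flag when the algorithm is weak).
def cert_identity(cert)
  entry = cert.subject.to_a.find { |name, _value, _type| name == 'CN' }
  alg = cert.signature_algorithm
  { common_name: entry && entry[1], signature_algorithm: alg,
    weak_signature: weak_signature?(alg) }
end

# What auxiliary/scanner/http/cert reports: is the certificate inside its
# validity window at `now`, and does it belong to the host being scanned?
def cert_status(cert, host, now: Time.now)
  expired = now > cert.not_after
  not_yet = now < cert.not_before
  { valid_now: !expired && !not_yet, expired: expired,
    days_left: ((cert.not_after - now) / 86_400).floor,
    # host name check as a TLS client does it (SAN entries first, then CN)
    name_matches: OpenSSL::SSL.verify_certificate_identity(cert, host) }
end

# Stand-alone run: a certificate valid for 30 more days from a fixed date.
if __FILE__ == $PROGRAM_NAME
  now = Time.utc(2016, 4, 1)
  cert = build_test_cert(cn: 'scan-target.lab', not_before: now - 86_400,
                         not_after: now + 30 * 86_400)
  p cert_identity(cert), cert_status(cert, 'scan-target.lab', now: now)
end
```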