So I started tinkering with Camtasia and decided what better way to do two things... Compare "tools" and show off music I make out of boreDumb.

http://infiltrated.net/metasploit-versus-canvas/

Anyhow, I will explain more about this sample video some time along with why its not always worth relying on one tool

Hehe...  you two just like pushing each others' buttons, don't you?  <grin>
I liked the music selection!

[edit: and yes, the db_autopwn was a long one to sit through, twice]

I didn't want anyone coming back stating "well he probably... which is why metasploit didn't"... Indeed it was annoying for ME to sit through it (which I did). At the end, I did the vid for two reasons: 1) Had to figure out Camtasia 2) Wanted to show others why reliance on any tool is not a good idea.

In the meantime, I created my own "autopwn" program. Does the following

1) Scans the network using parallel hosts - this is to avoid setting off alarms
2) uses a combination of NMAP's version
3) Takes all the output from all parallel hosts and uploads them to a central location. Parses out all the data uniquely
4) Takes the parsed out data and scours for the maximum rated exploit against the version
5) Runs along using wget to download the exploit in a directory named after the target

On 4, I like to avoid being noisy, so instead of running inconsistent exploits against say IIS, what I do *sometimes* is install the exact version if I can find it, then test against my version. This allows me to get a higher percentage rate of a working exploit against the machine I'm testing


ASCII explanation


On my fuzzbox setup, I don't have it down to a science yet but am working on it. My goal isn't point and click fire and forget more like a "Laser Guided Missile" approach. I truly believe in trying to be as inconspicuous as possible when I can so many of the tools are run from typical command line Linux and BSD VM images. When I use nmap of HPING my timing variables are LOOOOONG to avoid tripping up IDS's, e.g., each port can sometimes take up to 1-2 minutes which is why I use multiple machines and many-a-decoys. I also tend to aim for busy traffic times (business hours) to get "lost in the sauce" I don't know... I just try to think about it from the following perspective... "If I was a network assassin, how would I work without leaving a trace and being as effective as possible." This makes me think of countering myself at the same time... "What would I do if someone did this to me..."

Can't wait to see your tool in action, sil.

While CANVAS is definitely an awesome tool, it's another one of those, like Core Impact, that simply falls outside my price range for many smaller gigs, so I only have $$ for it, when I know I've got larger jobs lined up.

What gets me uptight (sorry... <rant on>)is all the attention Core gets, etc, when you then see the folks FROM Core, offering pentesting services as low as a few thousand $$.  So let's see...  A pentester in the field MIGHT be able to compete with Core's services, except that it costs the pentester more $$ for a quarterly license to Core than it costs someone to hire Core in to DO a pentest...  I think they lost their marketing sense somewhere along the line...<rant off>  I've already lost out on a few gigs where Core would've come in handy, because they offer their own services so low, it wasn't cost effective for me to even continue to bid on the gig...   

So sil, if you start creating tools, and putting them out there 'affordably,' you might be able to make some serious $$, from those who are sick of paying over the top $$ for minimal licenses to the commercial products. <hint hint>

Paint drying implies progress though...

No, there's a thread on TE with people bitching about it too. Someone called last week and was told that we should be getting the results in a week. My manager called the week before that and was told the same thing. Saturday will be week #9. *sigh*

I'll check out the goods when I'm back home and off of this terrible hotel internet.

What's going on HD. Thanks for coming around and commenting it's definitely nice for others to see the involvement from other heavyweights in the industry. Now if I can lure out druid, dino and maybe Dave @ Immunity to chime in here from time to time, I'm sure it would inspire others to keep moving forward in their careers, hobbies, etc., as well as continue posting informative stuff

"first, the SQLite adapter is no longer supported for automation as of 3.4.0, as it hits all sorts of fun bugs when you run more than a few threads." That's definitely good to know. I wish you guys threw in a timer of sorts (sleep N) after each attempt. The option would allow for keeping covertness. Worry little I can use sleep as is, just saying. Maybe I will do a quick and dirty write up when I have time on how to mimick this effect (say Canvas' covertness, effect) with Metasploit

"Second, the db_autopwn command is complete trash but too many people still use it for us to just remove the command. Its definitely due for a rewrite." It's good for the low hanging fruit but I wouldn't rely on it. For the sake of the video, it was the easiest mechanism to get a point across. With this said, I feel like the video is tainted so I will re-do it using both community metasploit and metasploit express using targetted attacks instead. "I recommend trying Metasploit Express (our commercial product)." Going to give it a whirl in a bit and repost.

I may do a Core versus Express versus Metasploit video who knows. My Impact updates are well... Outta date. Maybe I'll email Ivan to throw me a bone (updated Impact) for a no-holds-barred video.

NOTE : The initial video was and is not meant to pit two tool as "one being better than the other" in fact on the contrary. The video was and is meant to show the reliance on specific tools in this industry is a no-no. For example, in the Rage Against the Vista Machine (http://www.infiltrated.net/Rage-Against-the-Vista-Machine/) video, the Social Engineering Toolkit (using Metasploit as a backend) was able to do some trickery to compromise a Vista machine whereas Canvas doesn't have "that many" clientsides. I will state though, the clientsides on Canvas are "extreme" in every since of the word as is Cloudburst.

Express versus Canvas. Express was updated today, my Canvas is lacking - hasn't been updated since early this year (January). I tuned Express down to Normal to use more exploits as "Great" was solely trying about 50 or so attacks against this machine.

If you're curious to know which exploit Canvas using to get a foot in the door:
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

Anyhow
http://www.infiltrated.net/Metasploit-Express-Versus-Canvas/

Snapshot is/isn't your friend. On the initial video, system was/is fully updated. On every reboot, I do it all over each day The particular Windows2K3 machine I use has been used/ abused like the girls at Cat House (http://en.wikipedia.org/wiki/Cathouse:_The_Series). I use it for Pai Mei, learning RCE, testing retarded code and so on. On my initial test fully patched. On snapshots it only updates as far back as *MAYBE* (big maybe here) ... 09 with some patches NOT being applied because they break a lot of things I use on that machine.

Next time (maybe tomorrow after work) I'll post the patch level. The initial video (http://infiltrated.net/metasploit-versus-canvas/) though as shown on the title was patched up to that moment. Reboot = snapshot of last version I use.