April 7, 2007 at 9:48 pm #1254, plik (Participant)
First off, I really really need to thank everyone here. Combined you’ve managed to get me off my backside and actually do something* – rather than just read (and read and read and…) about infosec, with the occasional bit of playing. I’ve now got myself a lab set up, and set out to learn something practical.
Now a while back I had a little go with Metasploit when it was 2.x, and to be frank it was a little scary and confusing. I could tell there was a lot of power under the hood, as it were, but I didn’t have the time to get to grips with it.
Now I’ve just set up a 2k server target and installed Metasploit 3 on my attack machine. Without reading any documentation, I started Metasploit for the first time and five clicks and two IPs added later I had owned the target.
Five clicks and a little common sense.
Is anyone nervous that this might be taking the edge off the skills of your profession? I’ve been unfortunate enough to work with “paper” MCSEs and CCNAs** who have NO idea about what they’re doing, and I don’t like the way they dilute the skills pool. I can foresee a rash of idiots with meta and a copy of nessus labeling themselves as security consultants (not to mention IRC channels worldwide filled with skiddies who think themselves uber-leet because they took a live CD into school and now have domain admin).
Now I’m not trying to put the metasploit team down, far from it, I can now use the “power” that was just outside my grasp and I can tell I’m going to have a lot of fun with it ;D and even after a few mins of use I can tell that some very very smart people have spent a long long time making this.
Nor am I trying to put pro-pentesters down, I know there’s more to pentesting than just scanning and running exploits*** and the skilled professionals will survive much longer than the unskilled, but how easy is too easy? Wouldn’t you like to keep it just a little bit black-art? Or is it good that this tool makes it easier for people to approach the topic and then progress to a higher understanding?
* this is no mean feat by any standards
** in the interests of honesty you should know I have neither of these qualifications
*** please tell me I’m right on this one 😉
April 8, 2007 at 12:33 am #12342
Would I like to keep it black art…yes.
Do I remember wishing people would teach me stuff…yes (still do)
Is clicking 5 times and 0wning a box too easy? Is:
gcc sploit.c -o sploit
too easy too? Yes…
Do I think MSF is too easy to use…maybe a bit BUT…
if you hire some dude for an audit and all he runs is nessus and MSF and you think that’s a good job, then you deserve to get your money taken.
anyway, the power behind MSF is in the ability of its API to solve problems or build your own scripts and tools and exploits.
April 8, 2007 at 12:45 am #12343, linuxstarved (Participant)
Plik it certainly is a concern, but honestly there is NOTHING we can do. Tools have become more sophisticated (read GUI-based) and skills that it took to hone are as easy as checking some boxes, see nmapfe. I would like to see a return to the command line, but it won’t happen.
The folks at metasploit deserve the praise, they have created a masterpiece, but it does lead to a watering down of the talent pool. This is inevitable however, in everything we do. The more technology evolves the easier it is to do something than it was ten years ago, and so it goes in the infosec community.
April 8, 2007 at 1:05 pm #12344, Cutaway (Participant)
I think as you work with MSF more you will see that your fears are even more founded in reality. The types of things you can easily do with just a little more knowledge is incredible. For instance, did you realize that with just a little configuration and installing a database on your system you can import your Nessus NBE files and MSF will take this information, provide you with a list of possible exploits, automatically run them all for you, and provide you with a list of owned boxes? Very nice and efficient.
What the MSF people have done is provide the public with a tool that malicious individuals may have already achieved in some form or other. The point here is that it is better WE have access to this type of thing as well as malicious individuals so that we can sufficiently test our environments before deployment and during utilization.
Yes, script kiddies love this tool. Heck, I still consider myself a script kiddie because I do not understand how to write my own exploits and modify MSF to do additional tasks beyond gaining access to a system. My only saving grace is my knowledge of security architecture, project planning, and report writing. These are the benefits that I provide to a penetration team. I have gotten this same feeling from the majority of persons who patrol these forums. There are varied levels of experience and each person has their own strengths and weaknesses.
Which is why I always say, “Go forth and do good things” on just about every post. But, of course, I am sure people are starting to get a little sick of my catch phrase 😀
Go forth and do good MSF,
April 8, 2007 at 7:34 pm #12345, plik (Participant)
gcc sploit.c -o sploit
too easy too? yes…
But at least knowing that sploit has to be run against OS x of patch level y shows some prior knowledge and understanding.
and Cutaway: I always do good things ;D
I guess I’ll just have to study more in order to be one step above the rest.
I suppose some of this stems from a job I used to be in years ago, where people paid me good(ish) money to build bike wheels for them, as there’s something of a black art to that. I was terrified that one day people would realise that anyone who could tell left from right and count up to three could do my job.
April 9, 2007 at 3:11 pm #12346
Do I think that writing exploits should be a “black art”? No. The full disclosure that HD Moore and the Metasploit team bring to the industry has done a tremendous amount of good by forcing vendors to improve their products, patch when bugs are discovered (and published) and develop secure testing methodologies. These are just some of the improvements to the industry.
A current example is the recent .ANI vulnerability. This exploit came out of work done by Alexander Sotirov. It bypassed all the current protections available such as GS, DEP, ASLR, and IE7’s Protected Mode.
This exploit targeted a bug that had already been “fixed” and “patched” by Microsoft. Without the efforts of the security researchers out there this exploit would have been used by the usual cadre of spammers, phishers and bot herders and we would have been none the wiser. By releasing this exploit it forced Microsoft to release an out of cycle patch to fix the bug.
So is there a danger that script kiddies will use these tools to “go forth and do bad things”? Sure, but as with anything, you have to assess the risk posed by this and figure what the impact would be to not have access to these tools.
From an interview with HD Moore:
“Some pen-testers prefer doing things “by hand” and don’t believe in automatic tools… do you think Metasploit is giving more power to script kiddies, or do pros need it as well?
H D Moore: The Metasploit Framework is definitely a “hands-on” tool. Every aspect of exploitation can be controlled, configured, and monitored by the user. Many of the convenience features, such as automatically attaching to a spawned command shell, can be disabled at run time. The automation features in version 3.0 are crude and would likely cause havoc if used on an enterprise network. The Framework is a great way to enhance existing tools and skill sets, but will never replace the role of the penetration tester or skilled analyst. On the flip side, you really need to understand security testing to effectively use the Metasploit Framework. The user must select an exploit, understand which target would be most effective, and choose a payload appropriate for the task. Compared to commercial solutions like Core Impact, Metasploit has a high learning curve and a serious “geek factor”. We like it that way. “
If you think Metasploit is easy, you should try Core Impact. It’s drag and drop exploiting at its finest. 🙂
If I am doing a pentest does using a 0-day to gain access to a client site have validity? Sure, but once again it’s all about risk and impact. Honestly, the client is more concerned about the public exploits. Also, there are far, far more vectors than just exploits to gain access to a site.
Just my $0.02.
The full interview: http://www.securityfocus.com/columnists/439
April 10, 2007 at 9:14 pm #12347
Don’t worry, hacking at its finer level is not and will not be in the near future a simple point and click procedure. It will always be a Black Art. Sure, there are a few weak systems that you can breach with a simple point and click. Most boot camps teach it that way. Have you attacked a raw installation of XP with no patches with a dcom exploit? Wow, now you’re a hacker! This has been written here before: to breach high level systems you need to know your tools inside and out. Understand the OS you are attacking completely. Understand the nature of the network and networking. Understand firewalls. I could go on and on! Often you need to be clever and sometimes sneaky. Do social engineering. I am of course speaking of a high level penetration test that involves trying to get in any way you can.
April 11, 2007 at 8:45 am #12348
I’ve no problem with hacking tools being easy. Security professionals cannot be experts in every field and to have straightforward tools at our disposal aids the speed and performance of assessments for our clients.
There’s always been an element of ease to hacking at a certain level, after all script kiddie is not a new term. Vulnerability assessment frameworks like metasploit provide a powerful platform to the good guys and I feel the benefits greatly outweigh the cost.
Kev’s got a good point, action without understanding limits an attacker. I hope infosec does not remain a black art. One day (maybe) security might not be an afterthought but a core part of development. The world of computing has quickly outpaced the attitude to security with the move from a domain of high cost, limited access and limited scope to one of low cost, virtually unlimited access and global scope. The world needs to catch up with itself.