
Canvas versus Metasploit


sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Thu Jul 29, 2010 4:05 pm

Canvas versus Metasploit

So I started tinkering with Camtasia and decided what better way to do two things... Compare "tools" and show off music I make out of boreDumb.

http://infiltrated.net/metasploit-versus-canvas/

Anyhow, I will explain more about this sample video some time, along with why it's not always worth relying on one tool.

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Sun Aug 01, 2010 9:47 am

Re: Canvas versus Metasploit

Good stuff. As much as I like the music, you could probably do a bit of editing to shorten the length a bit. Sitting through autopwn twice got a bit tedious.

Also, how many times do you need to be told to use db_connect instead? ;)
The day you stop learning is the day you start becoming obsolete.

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Sun Aug 01, 2010 9:56 am

Re: Canvas versus Metasploit

Hehe... you two just like pushing each others' buttons, don't you? <grin>
I liked the music selection!

[edit: and yes, the db_autopwn was a long one to sit through, twice]
Last edited by hayabusa on Sun Aug 01, 2010 10:05 am, edited 1 time in total.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH

Xen

Sr. Member

Posts: 386

Joined: Tue Feb 03, 2009 3:59 am

Post Sun Aug 01, 2010 10:19 am

Re: Canvas versus Metasploit

dynamik wrote: Good stuff. As much as I like the music, you could probably do a bit of editing to shorten the length a bit. Sitting through autopwn twice got a bit tedious.

Same here.

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Sun Aug 01, 2010 11:52 am

Re: Canvas versus Metasploit

I didn't want anyone coming back stating "well he probably... which is why Metasploit didn't"... Indeed it was annoying for ME to sit through it (which I did). In the end, I did the vid for two reasons: 1) Had to figure out Camtasia 2) Wanted to show others why reliance on any tool is not a good idea.

In the meantime, I created my own "autopwn" program. It does the following:

1) Scans the network using parallel hosts - this is to avoid setting off alarms
2) Uses a combination of NMAP's version
3) Takes all the output from all parallel hosts and uploads them to a central location. Parses out all the data uniquely
4) Takes the parsed-out data and scours for the maximum-rated exploit against the version
5) Runs along using wget to download the exploit into a directory named after the target

On 4, I like to avoid being noisy, so instead of running inconsistent exploits against, say, IIS, what I do *sometimes* is install the exact version if I can find it, then test against my version. This allows me to get a higher percentage rate of a working exploit against the machine I'm testing.


ASCII explanation:

scanner_1 ---
scanner_1    |
scanner_1    | -----> Machine_2_B_Tested
scanner_1    |
scanner_1 ---

scanner_1 ---
scanner_1    |
scanner_1    | -----> Send all data to Sorter
scanner_1    |
scanner_1 ---

Sorter ---> Parse out exploitable services
Sorter ---> Search CVEDetails.com for specifics (LWP is your friend)
Sorter ---> Search for high CVSS score on the above
Sorter ---> Search exploit-db.org, milw0rm, packetstorm for exploit
Sorter ---> Pass info to fuzzbox
Sorter ---> Tinker with peach, klocwork, beStorm and Paimei


On my fuzzbox setup, I don't have it down to a science yet but am working on it. My goal isn't point-and-click, fire-and-forget; it's more like a "Laser Guided Missile" approach. I truly believe in trying to be as inconspicuous as possible when I can, so many of the tools are run from typical command-line Linux and BSD VM images. When I use nmap or hping my timing variables are LOOOOONG to avoid tripping up IDSs, e.g., each port can sometimes take up to 1-2 minutes, which is why I use multiple machines and many-a-decoys. I also tend to aim for busy traffic times (business hours) to get "lost in the sauce". I don't know... I just try to think about it from the following perspective... "If I was a network assassin, how would I work without leaving a trace and being as effective as possible." This makes me think of countering myself at the same time... "What would I do if someone did this to me..."
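Taking up the "what would I do if someone did this to me" angle: the slow, spread-out sweep sil describes (one port every minute or two, many scanning hosts plus decoys) is built to stay under a per-source port-scan threshold. The detector that survives it keys on the destination instead, counting distinct ports probed on each host over a window at least as long as the sweep, regardless of who sent the packets. The following is an added example written for this thread, not code from the original post or from any tool mentioned in it; the log format and every address in it are constructed for the demonstration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of denied-connection log lines, made up for this example
# (not from the thread). Format: "<ISO timestamp> <src_ip> <dst_ip> <dst_port>".
# Eight different sources each touch ONE port on 10.0.5.20, minutes apart,
# which is what a slow, many-host/decoy sweep looks like from the target side.
# 10.0.1.50 -> 10.0.5.30:443 is ordinary repeated traffic.
SAMPLE_LOG = """\
2010-08-01T09:00:05 10.0.1.11 10.0.5.20 21
2010-08-01T09:00:30 10.0.1.50 10.0.5.30 443
2010-08-01T09:02:40 10.0.1.12 10.0.5.20 22
2010-08-01T09:05:10 10.0.1.13 10.0.5.20 23
2010-08-01T09:06:00 10.0.1.50 10.0.5.30 443
2010-08-01T09:07:55 10.0.1.14 10.0.5.20 25
2010-08-01T09:10:20 10.0.1.15 10.0.5.20 80
2010-08-01T09:13:05 10.0.1.16 10.0.5.20 135
2010-08-01T09:15:45 10.0.1.17 10.0.5.20 139
2010-08-01T09:18:30 10.0.1.18 10.0.5.20 445
2010-08-01T09:20:00 10.0.1.50 10.0.5.30 443
"""


def parse_log(text):
    """Parse lines into (timestamp, src, dst, dport) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, dport = parts
        try:
            events.append((datetime.fromisoformat(ts), src, dst, int(dport)))
        except ValueError:
            continue
    return events


def _window_stats(events, key, window):
    """Group events by key(event), slide a time window over each group and
    return {key: (max distinct dst ports in any window, sources in that window)}."""
    groups = defaultdict(list)
    for ev in events:
        groups[key(ev)].append(ev)
    stats = {}
    for k, evs in groups.items():
        evs.sort()
        ports = Counter()
        best_n, best_srcs = 0, frozenset()
        left = 0
        for right, (ts, _src, _dst, dport) in enumerate(evs):
            ports[dport] += 1
            # Evict events that fell out of the window ending at ts.
            while evs[left][0] < ts - window:
                old = evs[left][3]
                ports[old] -= 1
                if ports[old] == 0:
                    del ports[old]
                left += 1
            if len(ports) > best_n:
                best_n = len(ports)
                best_srcs = frozenset(e[1] for e in evs[left:right + 1])
        stats[k] = (best_n, best_srcs)
    return stats


def per_source_alerts(events, window=timedelta(hours=1), min_ports=5):
    """The detector a slow, multi-host sweep is designed to stay under: it keys
    on (source, destination), so each scanning host or decoy looks harmless."""
    stats = _window_stats(events, key=lambda e: (e[1], e[2]), window=window)
    return sorted(k for k, (n, _) in stats.items() if n >= min_ports)


def per_target_alerts(events, window=timedelta(hours=1), min_ports=5):
    """Destination-centric detector: ignore who is sending and count distinct
    ports probed on each host within the window. Spreading the sweep across
    sources (or spoofed decoys) and slowing it down does not lower this count
    as long as the window is at least as long as the sweep."""
    stats = _window_stats(events, key=lambda e: e[2], window=window)
    return [
        {"dst": dst, "distinct_ports": n, "sources": sorted(srcs)}
        for dst, (n, srcs) in sorted(stats.items())
        if n >= min_ports
    ]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-source alerts:", per_source_alerts(evs))
    for alert in per_target_alerts(evs):
        print("per-target alert:", alert)
```

On the constructed sample the per-source rule fires on nothing, while the per-target rule reports 10.0.5.20 with eight distinct ports from eight sources. The window length is the whole trade: shrink it below the duration of the sweep and the destination-centric count drops back under the threshold, which is exactly what the 1-2 minutes per port timing is betting on.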

j0rDy

Hero Member

Posts: 591

Joined: Tue Feb 23, 2010 4:55 am

Location: Netherlands

Post Mon Aug 02, 2010 2:59 am

Re: Canvas versus Metasploit

Seems like a nice vid. Will have a look at it later this week... busy busy busy!
CISSP, CEH, ECSA, OSCP, OSWP

earning my stripes appears to be a road I must travel alone... with a little help from EH.net

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Mon Aug 02, 2010 7:49 am

Re: Canvas versus Metasploit

Can't wait to see your tool in action, sil.

While CANVAS is definitely an awesome tool, it's another one of those, like Core Impact, that simply falls outside my price range for many smaller gigs, so I only have $$ for it, when I know I've got larger jobs lined up.

What gets me uptight (sorry... <rant on>) is all the attention Core gets, etc., when you then see the folks FROM Core offering pentesting services as low as a few thousand $$. So let's see... A pentester in the field MIGHT be able to compete with Core's services, except that it costs the pentester more $$ for a quarterly license to Core than it costs someone to hire Core in to DO a pentest... I think they lost their marketing sense somewhere along the line... <rant off> I've already lost out on a few gigs where Core would've come in handy, because they offer their own services so low, it wasn't cost effective for me to even continue to bid on the gig... :-[

So sil, if you start creating tools, and putting them out there 'affordably,' you might be able to make some serious $$, from those who are sick of paying over the top $$ for minimal licenses to the commercial products. <hint hint>
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Wed Aug 11, 2010 5:03 pm

Re: Canvas versus Metasploit

Fun with FreeBSD + SET + Windows Vista

http://www.infiltrated.net/Rage-Against ... a-Machine/

I was actually trying to get marketing staff to understand the problems with XSS + ARP spoofing. So I thought of a minimalist example of what could occur on teh Interwebs. MITM host --> pretend to be something you're not (in this video Google), craft an email as a potential client: "What is this litigation I hear about your company, I'd like to do business but not until I get clarity on this: http://www.SomeBogusCompanyYouCreateOnA ... ollars.com" fire it off. Instamagic reverse. If you know what you're doing, you'll take note that NO errors or warnings popped up and although private address ranges were used, one could leverage an EC2 host, register a domain, go as far as Googlebombing the domain for exposure into the top 10... Fire and forget.

To be concise, this is a valid demo anyone can give on client-side attacks. If you *really* want it to be realistic and avoid detection, you can MITM and make the victim's side think that your machine is "WHATEVER.com" for more shock and awe.

Anyway, I was bored today, working on material for some presentations I have coming around (client, security, sales) and I thought of a "OMG" spooky method of "you never saw that coming did you... firewall and all". In fact, the Vista machine is using Oracle's DLP (from another thread), has bitdefender, Trend Micro, Snare, etc., nary an alarm. In fact, I could have siphoned anything off my Vista machine onto my FBSD machine without a peep from my DLP application. Thanks Oracle!

Dynamik, you get your ISACA results yet? I feel like I'm watching paint dry @ this point.

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Wed Aug 11, 2010 5:25 pm

Re: Canvas versus Metasploit

sil wrote: Dynamik you get your ISACA results yet... I feel like I'm watching paint dry @ this point

Paint drying implies progress though... :D

No, there's a thread on TE with people bitching about it too. Someone called last week and was told that we should be getting the results in a week. My manager called the week before that and was told the same thing. Saturday will be week #9. *sigh*

I'll check out the goods when I'm back home and off of this terrible hotel internet.
The day you stop learning is the day you start becoming obsolete.

hdmoore

Newbie

Posts: 5

Joined: Mon Aug 16, 2010 9:54 pm

Post Mon Aug 16, 2010 10:37 pm

Re: Canvas versus Metasploit

Great video! Canvas has come a long way in terms of usability.

There are two things I would like to point out about this demo; first, the SQLite adapter is no longer supported for automation as of 3.4.0, as it hits all sorts of fun bugs when you run more than a few threads. Second, the db_autopwn command is complete trash, the only exception is when you choose a specific set of modules with -m or through port exclusions. We have debated just getting rid of it, but too many people still use it for us to just remove the command. It's definitely due for a rewrite.

If you are looking for an even comparison, I recommend trying Metasploit Express (our commercial product). The exploit engine in Metasploit Express is not based on db_autopwn in any sense; instead, it buckets exploits by reliability, sorts by disclosure date, and orders the attacks to make sure the best exploit is always used first for a particular target. This engine will also leverage OS fingerprints and make sure that only a single attack is launched against a particular service of a particular host at the same time. This results in quick network-wide exploitation, all through a web browser, and with the full power of the Metasploit payloads.

You can get a free 7-day eval of Metasploit Express at the URL below. All proceeds from Metasploit Express directly contribute to the development of the open source Metasploit Framework.

http://www.metasploit.com/express

If you want to see how Metasploit Express stacks up against other commercial tools, take a look at the recent Hack Miami shootout results:

http://www.n00bz.net/metasploit-express/

-HD

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Tue Aug 17, 2010 8:15 am

Re: Canvas versus Metasploit

What's going on, HD. Thanks for coming around and commenting; it's definitely nice for others to see the involvement from other heavyweights in the industry. Now if I can lure out druid, dino and maybe Dave @ Immunity to chime in here from time to time, I'm sure it would inspire others to keep moving forward in their careers, hobbies, etc., as well as continue posting informative stuff.

"first, the SQLite adapter is no longer supported for automation as of 3.4.0, as it hits all sorts of fun bugs when you run more than a few threads." That's definitely good to know. I wish you guys threw in a timer of sorts (sleep N) after each attempt. The option would allow for keeping covertness. Worry little ;) I can use sleep as is, just saying. Maybe I will do a quick and dirty write-up when I have time on how to mimic this effect (say Canvas' covertness effect) with Metasploit.

"Second, the db_autopwn command is complete trash but too many people still use it for us to just remove the command. Its definitely due for a rewrite." It's good for the low-hanging fruit but I wouldn't rely on it. For the sake of the video, it was the easiest mechanism to get a point across. With this said, I feel like the video is tainted, so I will re-do it using both community Metasploit and Metasploit Express using targeted attacks instead. "I recommend trying Metasploit Express (our commercial product)." Going to give it a whirl in a bit and repost.

I may do a Core versus Express versus Metasploit video who knows. My Impact updates are well... Outta date. Maybe I'll email Ivan to throw me a bone (updated Impact) for a no-holds-barred video.

NOTE: The initial video was and is not meant to pit two tools as "one being better than the other"; in fact, on the contrary. The video was and is meant to show that reliance on specific tools in this industry is a no-no. For example, in the Rage Against the Vista Machine (http://www.infiltrated.net/Rage-Against ... a-Machine/) video, the Social Engineering Toolkit (using Metasploit as a backend) was able to do some trickery to compromise a Vista machine whereas Canvas doesn't have "that many" clientsides. I will state though, the clientsides on Canvas are "extreme" in every sense of the word, as is Cloudburst.

hdmoore

Newbie

Posts: 5

Joined: Mon Aug 16, 2010 9:54 pm

Post Tue Aug 17, 2010 10:07 am

Re: Canvas versus Metasploit

Awesome! Looking forward to seeing the next video; hopefully we can get db_autopwn rewritten/replaced in the next couple of months. Covertness is the least of its problems right now, it's simply not reliable.

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Tue Aug 17, 2010 3:34 pm

Re: Canvas versus Metasploit

Express versus Canvas. Express was updated today, my Canvas is lacking - hasn't been updated since early this year (January). I tuned Express down to Normal to use more exploits as "Great" was solely trying about 50 or so attacks against this machine.

If you're curious to know which exploit Canvas is using to get a foot in the door:
http://www.microsoft.com/technet/securi ... 8-067.mspx

Anyhow ;)
http://www.infiltrated.net/Metasploit-E ... us-Canvas/

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Tue Aug 17, 2010 4:00 pm

Re: Canvas versus Metasploit

sil wrote: If you're curious to know which exploit Canvas using to get a foot in the door:
http://www.microsoft.com/technet/securi ... 8-067.mspx

I actually was but forgot to ask, thanks. Am I missing something though? Didn't you say the system was fully patched? Why was that exploit able to execute successfully?
The day you stop learning is the day you start becoming obsolete.

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Tue Aug 17, 2010 4:12 pm

Re: Canvas versus Metasploit

dynamik wrote: I actually was but forgot to ask, thanks. Am I missing something though? Didn't you say the system was fully patched? Why was that exploit able to execute successfully?

Snapshot is/isn't your friend. On the initial video, system was/is fully updated. On every reboot, I do it all over each day :D The particular Windows2K3 machine I use has been used/ abused like the girls at Cat House (http://en.wikipedia.org/wiki/Cathouse:_The_Series). I use it for Pai Mei, learning RCE, testing retarded code and so on. On my initial test fully patched. On snapshots it only updates as far back as *MAYBE* (big maybe here) ... 09 with some patches NOT being applied because they break a lot of things I use on that machine.

Next time (maybe tomorrow after work) I'll post the patch level. The initial video (http://infiltrated.net/metasploit-versus-canvas/) though as shown on the title was patched up to that moment. Reboot = snapshot of last version I use.