cit 480: securing computer systems · 2019. 8. 25. · vulnerability scanners can identify...

CIT 480: Securing Computer Systems Vulnerability Scanning and Exploitation Frameworks


Post on 28-Mar-2021


CIT 480: Securing Computer Systems

Vulnerability Scanning and Exploitation Frameworks


Vulnerability Scanners

Vulnerability scanners are automated tools that scan hosts and networks for potential vulnerabilities, including
– Configuration errors
– Known unpatched vulnerabilities


Vulnerability Databases


Advantages

Vulnerability scanners can identify thousands of potential security issues.
– Automatically and quickly.
– On a regular basis, to ensure no systems have become vulnerable.
Can identify problems missed by or misconfigured by administrators.
Lets security know where problems exist.
Essential part of defense in depth.


Drawbacks

Results are only as good as the vulnerability database.
– Must keep vulnerability db up to date.
Some reported vulnerabilities are false positives.
– Must check for existence of actual vulnerability.
– Configure scanner to ignore false positives in future scans.
Human threats are better than scanners.
– Can use zero day vulnerabilities not found in db.
– Can find misconfigurations or combinations of security problems that lead to vulnerabilities that scanner cannot find.
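An added example (not part of the original slides) of the false-positive workflow above: findings an analyst has verified as false positives are suppressed per host and check with an expiry date, and a stale vulnerability feed is flagged. The finding fields, check IDs, addresses and the 7-day feed threshold are assumptions constructed for illustration, not any scanner's real export format.

```python
from datetime import date, timedelta

# Constructed sample findings; field names and check IDs are hypothetical,
# not the export format of any real scanner.
FINDINGS = [
    {"host": "10.0.0.5", "check": "CHK-0001", "severity": 9.8, "title": "Outdated SMB service"},
    {"host": "10.0.0.5", "check": "CHK-0002", "severity": 5.0, "title": "Weak TLS cipher offered"},
    {"host": "10.0.0.7", "check": "CHK-0002", "severity": 5.0, "title": "Weak TLS cipher offered"},
    {"host": "10.0.0.9", "check": "CHK-0003", "severity": 7.5, "title": "Default credentials"},
]

# Suppressions recorded after an analyst verified the issue does not exist.
# Each is scoped to one host+check pair and expires, so a finding is
# re-examined later instead of being hidden forever.
SUPPRESSIONS = [
    {"host": "10.0.0.5", "check": "CHK-0002", "reason": "TLS terminated upstream",
     "expires": date(2030, 1, 1)},
    {"host": "10.0.0.9", "check": "CHK-0003", "reason": "banner match only",
     "expires": date(2020, 1, 1)},  # already expired: must be re-verified
]

MAX_FEED_AGE = timedelta(days=7)  # assumed policy threshold


def feed_is_stale(feed_updated, today):
    """Results are only as good as the database: flag an old feed."""
    return today - feed_updated > MAX_FEED_AGE


def triage(findings, suppressions, today):
    """Split findings into (actionable, suppressed) using unexpired suppressions."""
    live = {(s["host"], s["check"]) for s in suppressions if s["expires"] >= today}
    actionable, suppressed = [], []
    for f in findings:
        (suppressed if (f["host"], f["check"]) in live else actionable).append(f)
    # Highest severity first so verification effort goes where it matters.
    actionable.sort(key=lambda f: f["severity"], reverse=True)
    return actionable, suppressed


if __name__ == "__main__":
    today = date(2025, 1, 15)
    if feed_is_stale(date(2025, 1, 1), today):
        print("WARNING: vulnerability feed older than", MAX_FEED_AGE.days, "days")
    actionable, suppressed = triage(FINDINGS, SUPPRESSIONS, today)
    for f in actionable:
        print(f"{f['severity']:>4}  {f['host']:<10} {f['check']}  {f['title']}")
    print(len(suppressed), "finding(s) suppressed as verified false positives")
```

Scoping each suppression to a single host and check keeps the same check active on every other host, so one verified false positive does not hide a real instance elsewhere.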


Vulnerability Scanners


OpenVAS Architecture


OpenVAS In-progress Scans


OpenVAS Vulnerability Report


Exploitation Frameworks

Exploitation frameworks allow users to
– Choose and configure an exploit from a database of exploits.
– Launch exploits on specified targets to verify whether a vulnerability is present or not.
Useful for
– Verifying vulnerability scanner results.
– Performing penetration tests.
– Convincing management that a problem exists.


Exploitation Frameworks


Metasploit Architecture


Metasploit Interfaces

msfconsole
– Interactive command line interface.
msfcli
– Non-interactive command line interface.
– msfcli windows/smb/ms08_067_netapi RHOST=192.168.56.101 PAYLOAD=windows/shell/bind_tcp
Armitage
– Interactive graphical interface.


Exploit Configuration

1. OS and Application Version
– Variants of exploit may need to be chosen.
2. Target selection
– IP address and port
3. Payload selection
– Select shellcode type, e.g. shell or desktop.
4. Encoding
– Encoding of exploit avoids IPS or AV detection.


Payloads

Bind Shell
– Open a port on the exploited host offering a shell with no password required.
Reverse Shell
– Target makes connection back to listening port on one of your servers, offering a shell.
Remote Desktop
– Remote desktop using RDP, VNC, NX, or X.
Meterpreter
– Advanced payload with post-exploitation modules, including key logging, sniffing, hash dumping, etc.
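An added example (not part of the original slides) of how the bind and reverse shell behaviours described above look from the defender's side: flow records for one server are compared with a baseline of expected listening ports and permitted outbound destinations. The record layout, addresses, ports and baselines are all constructed assumptions.

```python
# Constructed flow records for one monitored server; the layout, addresses
# and baselines below are assumptions for illustration only.
SERVER = "10.0.0.5"
EXPECTED_LISTENERS = {22, 443}  # ports this server should accept on
ALLOWED_EGRESS = {("10.0.0.2", 53), ("10.0.0.3", 443)}  # DNS, update mirror

FLOWS = [
    {"src": "10.0.0.20", "dst": "10.0.0.5", "dport": 443},
    {"src": "10.0.0.5", "dst": "10.0.0.2", "dport": 53},
    {"src": "10.0.0.20", "dst": "10.0.0.5", "dport": 5001},
    {"src": "10.0.0.5", "dst": "203.0.113.9", "dport": 8080},
]


def classify(flow, server=SERVER):
    """Label one flow relative to the server's baseline."""
    if flow["dst"] == server:
        # Inbound: a bind shell shows up as an accepted connection on a
        # port that is not one of the server's known services.
        if flow["dport"] not in EXPECTED_LISTENERS:
            return "unexpected-listener"
    elif flow["src"] == server:
        # Outbound: a reverse shell shows up as the server itself opening
        # a connection to a destination outside its permitted set.
        if (flow["dst"], flow["dport"]) not in ALLOWED_EGRESS:
            return "unexpected-egress"
    return "baseline"


def review(flows):
    """Return only the flows that deviate from baseline, with their label."""
    deviations = []
    for f in flows:
        label = classify(f)
        if label != "baseline":
            deviations.append((label, f["src"], f["dst"], f["dport"]))
    return deviations


if __name__ == "__main__":
    for label, src, dst, dport in review(FLOWS):
        print(f"{label:<20} {src} -> {dst}:{dport}")
```

A reverse shell never opens a listening port on the target, so inbound filtering alone does not catch it; the egress check is what flags it.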


Key Points

Vulnerability scanners
– Automatically scan network to find vulnerabilities based on vulnerability database.
– Results only as good as vulnerability database.
– Human attackers are better than scanners, so a clean scan doesn’t indicate perfect security.
Exploitation frameworks
– Verify vulnerability scanner results.
– Assist in penetration testing.


Released under CC BY-SA 3.0

This presentation is released under the Creative Commons Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0) license.

You are free:
– to Share — to copy and redistribute the material in any medium
– to Adapt — to remix, build, and transform upon the material
– to use part or all of this presentation in your own classes

Under the following conditions:
– Attribution — You must attribute the work to James Walden, but cannot do so in a way that suggests that he endorses you or your use of these materials.
– Share Alike — If you remix, transform, or build upon this material, you must distribute the resulting work under this or a similar open license.

Details and full text of the license can be found at https://creativecommons.org/licenses/by-nc-sa/3.0/