'metasploit'에 해당되는 글 17건

  1. 2011.08.02 Metasploit Framework 4.0 Released!
  2. 2011.07.11 Testing Snort IDS with Metasploit vSploit Modules
  3. 2011.07.06 POC of Vsftpd backdoor discovered (1)
2011. 8. 2. 18:42

Metasploit Framework 4.0 Released!

It's been a long road to 4.0. The first 3.0 release was almost 5 years ago and the first release under the Rapid7 banner was almost 2 years ago. Since then, Metasploit has really spread its wings. When 3.0 was released, it was under a EULA-like license with specific restrictions against using it in commercial products. Over time, the reasons for that decision became less important and the need for more flexibility came to the fore; in 2008, we released Metasploit 3.2 under a 3-clause BSD license. Licensing is definitely not the only place Metasploit's fexibility has increased. Over the last 5 years, we've added support for myriad exploitation techniques, network protocols, automation capabilities, and even user interfaces. The venerable msfweb is gone along with the old gtk-based msfgui. Taking their place are the newer java-based msfgui and armitage, both of which have improved by leaps and bounds since their respective introductions.


Five years ago, every exploitation tool out there was focused on running an exploit and getting a shell (usually a crappy cmd.exe shell, at that). Today, Metasploit encompasses every aspect of a penetration test. Dozens of auxiliary modules assist with reconnaisance, more than two hundred others help with information gathering and discovery; hundreds of exploits get you a toe-hold on the network; and the newest addition to the module family, post modules, help simplify and automate increasing your access. All of the data you gather can be stored in a database. For high-quality reporting and even greater automation, Metasploit Pro rounds out an engagement. Five years ago, Metasploit had already come a long way in making exploit development easier but the widespread adoption of DEP and ASLR has pushed the project even further toward accelerating what has now become a much more difficult process.


All of that leads us to the Metasploit Framework version 4.0, released today.


To make the awesomeness of 4.0 stand out visually from its predecessors, we've built an array of stunning new ASCII art banners. My favorite, of course, is this one:



In addition to the visual differences, Metasploit Framework 4.0 comes with an abundance of new features and bug fixes. Contributor TheLightCosine continues with his onslaught of password-stealing post modules and another contributor, Silent Dream, has begun helping out in that arena as well. Other post modules have seen considerable improvement and expansion thanks to Carlos Perez. The recent Exploit Bounty netted a total of six new exploit modules, and other development added another 14 since the last release.


Adding to Metasploit's extensive payload support, Windows and Java Meterpreter now both support staging over http and Windows can use https. In a similar vein, POSIX Meterpreter is seeing some new development again. The last developer left it with little documentation on how to build it, so getting it to compile was a hurdle that we put off for too long. Now that it compiles, you can expect a more flexible payload for Linux. It still isn't perfect nor is it nearly as complete as the windows version, but many features already work.


Another flexibility improvement comes in the form of a consolidated pcap interface. The pcaprub extension ships with the Linux installers as of this release and support for Windows will come soon. Modules that used Racket for generating raw packets have been converted to Packetfu, which provides a smoother API for modules to capture and inject packets. As always, you can get the latest version from http://www.metasploit.com/download/ and full details of this release can be found in the Release Notes.


Everyone on the Metasploit team is proud of the first major version bump in half a decade. May it bring you many shells.

출처 : Metasloit Blogs

Trackback 0 Comment 0
2011. 7. 11. 13:57

Testing Snort IDS with Metasploit vSploit Modules

One of my key objectives for developing the new vSploit modules was to test network devices such as Snort. Snort or Sourcefire enterprise products are widely deployed in enterprises, so Snort can safely be considered the de-facto standard when it comes to intrusion detection systems (IDS). So much that even third-party intrusion detection systems often import Snort rules.

Organizations are often having a tough time verifying that their IDS deployment actually work as intended, which is why I created several vSploit modules to test whether Snort sensors are seeing certain traffic. Because vSploit modules were made to trigger Snort alerts, so they don't obfuscate attacks to avoid detection.

However, not every rule is used in every environment. For example, if you aren't using Microsoft Frontpage on your network, you likely won't want to use Snort's Frontpage rules. On the other hand, if you are running Frontpage you may not want to try exploiting it because it may affect the production system. Because of Metasploit Framework's flexibility, you can use the vSploit Generic HTTP Server module to host a small web server that answers all testing requests, so production systems won't be affected.

You can run vSploit modules with a mix of Metasploit Framework, Metasploit Pro, and Metasploit Express, providing there is end-to-end network connectivity to the vSploit instances:

To try out the new vSploit modules, start up the vSploit Generic HTTP Server.

Then launch Frontpage-related attack attributes:

Verify that the packets are being transmitted in Wireshark:

Finally, verify that Snort IDS sees the activity:

Metasploit vSploit Modules will be released at DEFCON 19.

출처 : Metasploit Blog

Trackback 0 Comment 0
2011. 7. 6. 20:02

POC of Vsftpd backdoor discovered

vsftpd version of 2.3.4 downloadable source code was compromised and a backdoor added to the code. Evans, the author of vsftpd . This module exploits a malicious backdoor that was added to the VSFTPD download archive. This backdoor was present in the vsftpd-2.3.4.tar.gz archive sometime before July 3rd 2011.

The bad tarball included a backdoor in the code which would respond to a user logging in with a user name by listening on port 6200 for a connection and launching a shell when someone connects.

If you have upgarded your VSFTPD check it out.

Affected versions :

  • vsftpd-2.3.4 from 2011-06-30

Metasploit demo :

  • use exploit/unix/ftp/vsftpd_234_backdoor
  • set RHOST localhost
  • set PAYLOAD cmd/unix/interact
  • exploit
  • id
  • uname -a 

출처 : PenTestIT

Trackback 0 Comment 1
  1. 0000 2012.09.20 23:25 address edit & del reply

    그냥 백도어있으면 그걸찾아서들어가는건가요
    아니면 리버스쉘처럼 Vsftpd취약한버전을사용하면그냥뚫리는건가요?