Posted by: Jeromie Jackson
credit union information security practitioner's conference, cuispa, cuispa 2011, metasploit, penetration testing, pentest, rapid7, social engineering
I will be presenting at the 6th Credit Union Information Security Practitioner's (CUISPA) conference, demonstrating Rapid7's Metasploit Framework and a few other tools I use during social engineering and penetration tests. Organizations realize that attacks are often blended in today's environment. Phishing scams, tailgating behind employees entering the office, and local wireless hacking are all common attack vectors. The Top 5 Physical Penetration Testing Tools come from the toolbox I carry when conducting penetration tests for credit unions, banks, and many other verticals. It is interesting to note that many of these tools leverage Metasploit under the hood.
#1 Rapid7 Metasploit
Creating Command & Control (C&C) USB sticks, CDs marked with tempting labels such as "Payroll," and malicious attachments is greatly simplified by using Metasploit. Metasploit is the de-facto standard when it comes to penetration testing frameworks. Tremendous open source effort has gone into Metasploit and into the tools that rely on the framework. Its creator, HD Moore, joined Rapid7 and is now focused on continually pushing the product forward with new features and interface improvements. Just a few of the many functions Metasploit has:
Ability to hide within running processes
Screen capture, keyboard logger, and camera tools
Extensive enumeration of host information
Pivoting ability – enabling a compromised machine to act on behalf of the attacker
I recommend checking out videos on YouTube, http://Securitytube.net/, as well as Irongeek's site. The Metasploit Framework is free but requires a fair amount of background knowledge to use. Rapid7 has built two commercial versions based on the Metasploit Framework that offer a graphical user interface, workflows, and advanced penetration testing features. Metasploit Express is software for general security professionals who need an easy-to-use solution to verify vulnerabilities. Metasploit Pro is best for full-time penetration testers who require an advanced solution.
#2 Social Engineering Toolkit (SET)
The Social Engineering Toolkit (SET) has simplified many of the technical details of creating social engineering payloads and infrastructure. Spear-phishing, infectious websites, mass mailing, infectious Command & Control (C&C) payloads for USB sticks and CDs, and tabnabbing are easily accomplished. Metasploit is the underlying engine for much of the tool's functionality; however, extensive work continues to be done to expand what SET can do. This is definitely one of the tools you want in your bag of tricks.
#3 Karma
Karma provides the ability to easily erect a wireless Access Point (AP) that will respond to all SSID requests. Users come into the area where the AP is and look to establish network access. The rogue AP automatically responds and establishes initial connectivity. Using DNSspoof, a DHCP3 server, and Karmasploit, which integrates Karma with Metasploit, it is possible to redirect everyone connecting to an infected website. Regardless of what they request (Google, Facebook, Twitter, etc.), they are instantly attacked with Metasploit's Autopwn features. A great video demonstrates how the attack takes place.
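As an added defensive illustration (not code from this post or from the Karma project), the script below scans constructed wireless-monitor log lines for the behaviour described above, a single BSSID answering probe requests for many unrelated SSIDs, and flags it as a suspected rogue AP. The log line format, the BSSIDs and the threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample lines "<seconds> <bssid> <ssid>" as a wireless monitor
# might log probe responses; BSSIDs are hypothetical, not from the post.
SAMPLE_LOG = """\
0.0 00:11:22:33:44:55 CorpWiFi
0.5 00:11:22:33:44:55 CorpWiFi
1.0 66:77:88:99:aa:bb CorpWiFi
1.1 66:77:88:99:aa:bb attwifi
1.2 66:77:88:99:aa:bb linksys
1.3 66:77:88:99:aa:bb Coffee Shop Free
1.4 66:77:88:99:aa:bb HomeNet-5G
9.0 cc:dd:ee:ff:00:11 GuestWiFi
"""

def parse_line(line):
    """Return (timestamp, bssid, ssid); the SSID may contain spaces."""
    ts, bssid, ssid = line.strip().split(" ", 2)
    return float(ts), bssid.lower(), ssid

def ssids_by_bssid(log_text):
    """Group probe responses by the responding BSSID, sorted by time."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, bssid, ssid = parse_line(line)
            groups[bssid].append((ts, ssid))
    return {b: sorted(ev) for b, ev in groups.items()}

def max_distinct_ssids(events, window):
    """Most distinct SSIDs one BSSID answered inside any `window` seconds."""
    best = 0
    for i, (start, _) in enumerate(events):
        seen = {ssid for ts, ssid in events[i:] if ts - start <= window}
        best = max(best, len(seen))
    return best

def flag_karma_aps(log_text, threshold=3, window=60.0):
    """BSSIDs answering >= `threshold` distinct SSIDs within `window` seconds.

    A legitimate AP serves one or a few SSIDs; answering whatever name a
    client probes for is the signature of a Karma-style rogue AP.
    """
    groups = ssids_by_bssid(log_text)
    return sorted(b for b, ev in groups.items()
                  if max_distinct_ssids(ev, window) >= threshold)
```

On the sample data only the second BSSID is flagged; tune `threshold` upward on networks that legitimately broadcast several SSIDs per radio.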
#4 BackTrack
BackTrack is certainly the most popular bootable ISO for penetration testing, vulnerability assessment, and general security. BackTrack 4 R1 was just recently released. Many security toolsets are quirky and require a lot of tweaking to get working properly. By leveraging BackTrack it is easy to hurdle over the technical issues and get to the business at hand. Metasploit, SET, vulnerability scanners, port scanners, brute force password tools, and a tremendous number of other tools are easily accessed. Metasploit Pro users can use VPN pivoting to tunnel BackTrack tools through a compromised target as if they were on the host's local network. If you are using VMware and wish to use Aircrack and other wireless toolsets, it is generally necessary to use a USB wireless card. On-board wireless chipsets will generally be seen as eth0 and not provide the additional wireless functionality.
#5 Browser Exploitation Framework (BeEF)
The Browser Exploitation Framework (BeEF) is a great tool for manipulating a victim's browser. Have you ever had a cross-site scripting issue that you needed to present to management? Ever wanted to do something more interesting than a simple pop-up? With BeEF you gain access to the browser. Port scanning, command shells, and other directed commands can be sent to the victim. John Strand put together a primer video that's definitely worth checking out.
Have fun, be safe, and use the tools wisely. Follow me and Rapid7 on Twitter.