The Effectiveness of Exploit Frameworks and Point-and-Click Hacking

February 3, 2009

Within the past two weeks we hacked into and gained access to privileged customer information at three financial institutions.  I was personally involved in one of the three projects, making me realize how trivial it really is.  We’ve used the exact same vulnerability exploit at multiple institutions (financial and non-financial) over the past three months.  This particular exploit has become so trivial that it’s not even impressive anymore.  At one of our recent projects, Hassan, our senior network security consultant, told me that he had gained domain admin.  I asked him how and the conversation went something like this:

Hassan: I have domain admin.

Brian: How?

Hassan: MS08-067

Nothing else needed to be said.  He had found a few other vulnerabilities that gave him the same privileges, such as a vulnerable Backup Exec installation and even a missing security patch from 2002 on a Windows 2000 machine.  But the MS08-067 vulnerability is currently the most popular exploit amongst the assessment team.  Why is it so popular?  Once it’s identified (through Nessus scanning), a few carefully placed mouse clicks in one of our exploit frameworks – either Metasploit or Core Impact – give us a variety of options, such as a VNC session to the host, our own administrator account, the entire SAM database of the vulnerable system (the domain SAM if the host is a domain controller), and/or a system-privileged command shell.  There are many more options available, but these are the most popular.

There is at least one Internet worm exploiting this issue, and more are sure to follow.  Once a system is exploited, the worm attempts to contact all other hosts on the local subnet to propagate itself.  The worm does various things such as attempting to brute-force local passwords, connecting to external URLs, and transferring potentially sensitive data.  It only takes a single infected laptop connected to the corporate LAN to wreak havoc.  Most anti-virus vendors are detecting the initial worm at this point, but that does little to combat the variants that are sure to follow.
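A detection for the propagation behaviour just described, added here as an example and not part of the original post: one newly infected host trying to reach every neighbour on its subnet shows up as a single source fanning out to many distinct same-subnet destinations on the SMB port (TCP 445, the port MS08-067 is exploited over) within a short window. The flow-record format, the 60-second window and the threshold of eight hosts are assumptions chosen for the example.

```python
# Added example (not from the original post): flag a host that fans out SMB
# connections to many neighbours on its own subnet, the burst a worm produces
# when it tries to propagate after exploiting a machine.  Log format, port,
# window and threshold are assumptions chosen for this example.
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records: "timestamp src dst dport" (not real data).
SAMPLE_FLOWS = "\n".join(
    [f"2009-02-03T10:00:{i:02d} 10.1.5.23 10.1.5.{i + 1} 445" for i in range(10)]
    + ["2009-02-03T10:00:30 10.1.5.40 10.1.5.12 445",
       "2009-02-03T10:01:00 10.1.5.40 10.1.5.12 445",
       "2009-02-03T10:02:00 10.1.5.41 10.1.5.200 80"])

def parse_flows(text):
    """Parse one record per line into (time, src, dst, dport) tuples."""
    rows = []
    for line in text.splitlines():
        ts, src, dst, dport = line.split()
        rows.append((datetime.fromisoformat(ts), ipaddress.ip_address(src),
                     ipaddress.ip_address(dst), int(dport)))
    return rows

def find_fanout(flows, port=445, prefix=24, window_s=60, threshold=8):
    """Return {src: peak distinct same-subnet destinations on `port`} for every
    source that reached >= threshold distinct hosts within any window_s span."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
        if dport == port and dst in net and dst != src:
            by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        lo = 0
        for hi, (t_hi, _) in enumerate(events):
            # Slide the window start forward until it spans <= window_s seconds.
            while (t_hi - events[lo][0]).total_seconds() > window_s:
                lo += 1
            distinct = len({d for _, d in events[lo:hi + 1]})
            if distinct >= threshold:
                hits[str(src)] = max(hits.get(str(src), 0), distinct)
    return hits

if __name__ == "__main__":
    print(find_fanout(parse_flows(SAMPLE_FLOWS)))  # {'10.1.5.23': 10}
```

The host that repeatedly contacts a single file server and the web traffic on port 80 are left alone; only the source touching ten neighbours in a few seconds is reported.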

This is just one example of many to illustrate the fact that vulnerabilities are quickly followed by publicly available exploit code.  For this particular vulnerability, we had the exploit code in our commercial framework, Core Impact, for about a month before it was developed for Metasploit, an open-source exploit framework.

Hackers love exploit frameworks like Metasploit because they can accomplish the task of breaking into a system with about 95% less effort than if they were to write their own exploit code.  This greatly decreases the skills required to hack into a target organization, turning what was once considered an elite skill into a few simple mouse clicks.  In Core Impact, you simply pick a target, drag and drop the particular exploit you want to run onto the target, and the framework does the rest – a hacking “wizard,” if you will.  And this is just one exploit out of thousands available.  Metasploit even gives you your choice of interfaces, including a GUI application, a web-based application, or, for you die-hard command-line fans, a command-line interface.

So how do we combat this, you might ask?

The bottom line for any strategy is to patch your systems in a timely manner.  If you’re not patching your systems within two weeks of a critical security patch release, your risk exposure is greatly increased, because that’s normally how long it takes for exploit code to begin circulating in the wild.  Occasionally, exploit code is circulating before a patch is released.  You might consider the following to enhance your system patching and monitoring strategy:

1. Patch your systems and applications.  Regularly check for security patches not only from Microsoft, but also for the other applications in your environment, including Backup Exec, MySQL, Oracle, etc.  Keep a list or spreadsheet of all of your non-Microsoft applications and document the dates when you’ve patched or checked for patches for those applications.  It’ll take some time to complete the list, because I doubt you’ll be able to sit down and compile a complete list of all of your non-Microsoft applications without a modest amount of research.  You might start by consulting your business continuity plan, as it should contain a list of applications that need to be recovered.

2. Scan yourself.  Get a copy of Nessus and Microsoft Baseline Security Analyzer and learn how to use them.  Also get a few other tools, such as SNScan to scan for SNMP issues and NetScan to scan for open file shares.  These tools are simple to use and most are free.  Nessus is roughly $1200 for a commercial license, but it’s money well spent and, in our opinion, the best vulnerability assessment tool available for the money.  If you’re unable to allocate resources to accomplish this, engage a firm like TrustCC to perform periodic scans.  By engaging a competent firm, you can be assured that our teams have the most current tools available to provide an accurate assessment.  Many of our clients have us perform assessments on a quarterly basis.  We are also happy to help train your IT staff on performing self-assessments.

3. Control vendors.  Application vendors, especially in the financial services market, are notorious for poor security practices.  Incorporate application security practices into the contracting process to ensure that the applications you purchase do not leave gaping security holes in your network.  Understand how the application works: what types of privileges are required; what accounts are set up by default; what the application’s password requirements are and whether they comply with your own internal policies; whether the application requires a service account; whether the passwords for the application’s default account(s) can be changed without affecting functionality; and whether the application has a back-end database and, if so, what security controls are in place on it (e.g., a SQL SA account with a default password that cannot be changed, Oracle default accounts, etc.).  If the application is implemented by the vendor, you’ll also want to closely monitor the implementation process, because they are there for one task, getting the system up and running, and that often trumps good security practices.
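A patch register that encodes the two-week rule and the non-Microsoft application list from item 1, added as an example rather than anything from the original post: it reports applications whose last patch check is overdue and applications still unpatched more than 14 days after a critical release. The CSV columns, the 30-day check interval and the sample entries are constructed assumptions.

```python
# Added example (not from the original post): a minimal patch register for the
# non-Microsoft applications item 1 asks you to track.  It flags entries whose
# last patch check is overdue and entries still unpatched more than 14 days
# after a critical release, the window the post gives for exploit code to
# circulate.  The CSV layout, field names and entries are constructed here.
import csv
import io
from datetime import date

# Constructed sample register (not real data); empty date = never / none known.
SAMPLE_REGISTER = """\
application,last_checked,last_patched,latest_critical_release
Backup Exec,2009-01-20,2008-12-15,2009-01-10
MySQL,2009-01-30,2009-01-30,
Oracle Database,2008-11-01,2008-11-01,2009-01-13
Core Banking,2009-02-01,2009-01-29,2009-01-20
"""

def _parse(value):
    return date.fromisoformat(value) if value else None

def review_register(text, today, check_every_days=30, patch_within_days=14):
    """Return (overdue_checks, exposed) lists of application names.

    overdue_checks: never checked, or last check older than check_every_days.
    exposed: a critical release exists, the patch window has elapsed, and the
    application has not been patched on or after that release date."""
    overdue, exposed = [], []
    for row in csv.DictReader(io.StringIO(text)):
        checked = _parse(row["last_checked"])
        patched = _parse(row["last_patched"])
        release = _parse(row["latest_critical_release"])
        if checked is None or (today - checked).days > check_every_days:
            overdue.append(row["application"])
        if release is not None and (today - release).days > patch_within_days:
            if patched is None or patched < release:
                exposed.append(row["application"])
    return overdue, exposed

if __name__ == "__main__":
    # (['Oracle Database'], ['Backup Exec', 'Oracle Database'])
    print(review_register(SAMPLE_REGISTER, date(2009, 2, 3)))
```

Run it from a scheduled task against the real spreadsheet export and the report becomes the evidence that item 1 is actually being done, not just documented.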

There are other strategies that we have seen over the years, but these are the most common attributes of a well managed security infrastructure.  So while you may not be able to directly combat exploit frameworks like Core Impact and Metasploit, you can implement a few simple processes to make it more difficult for the bad guys to steal your stuff.



One comment

  1. Thank you, friend, for the information. Very interesting.
