Metasploit Takes Aim at Cisco Security Exploitation
Open source penetration testing framework goes after Cisco in new release but Cisco isn't worried.
The Metasploit security vulnerability testing framework is getting an update this week with the Metasploit 3.5.1 release, which includes new capabilities that take aim at networking gear from Cisco.
Metasploit provides a framework with which security researchers can test and enumerate the security posture of their networks. The addition of specific features that target Cisco (NASDAQ: CSCO) equipment isn't directly related to any specific, newly discovered exploits in Cisco technology.
"We did not coordinate with Cisco's PSIRT (Product Security Incident Response Team) as the two vulnerabilities exploited by this feature are authentication bypass flaws over 10 years old in the IOS HTTP service," HD Moore, Rapid7 Chief Security Officer and Metasploit chief architect, told InternetNews.com. "There are a number of tools that support each of these attack methods individually, but the value provided by this release is in the attack chaining and automation."
Moore added that any new vulnerabilities discovered by his research team will follow the standard Rapid7 disclosure process, which does include vendor notification.
In an email statement sent to InternetNews.com, a Cisco spokesperson confirmed that no new security vulnerabilities have been disclosed in relation to the Metasploit 3.5.1 release.
"As a matter of policy, Cisco takes security vulnerabilities very seriously and continues to take active measures to safeguard the security and reliability of our equipment," Cisco's spokesperson stated. "Cisco reinforces its normal advice to customers about the importance of upgrading to the latest software patches to protect their networks. We will continue to monitor any discussion and if a product vulnerability is revealed, we will follow our well-established process for the public reporting of vulnerabilities and corrective measures."
As to why Cisco equipment was specifically targeted by Rapid7 in the Metasploit 3.5.1 release, Moore noted that Rapid7 has recently brought its Cisco target network online and received a number of Cisco-specific submissions from the community.
"This gave us an opportunity to leverage the results from some background research projects into a suite of new functionality, then tie these features together into a cohesive auditing workflow within the commercial Metasploit products," Moore said.
Moore explained that target areas covered in the Metasploit 3.5.1 release include the IOS HTTP service, the IOS/CatOS configuration file format, and configuration file acquisition tools for the Telnet, SSH, HTTP, and SNMP protocols. While Cisco's IOS operating system is widely deployed across Cisco's networking equipment, Cisco also uses Linux and the NX-OS operating system. Moore noted that while the Metasploit 3.5.1 release primarily covers IOS, the penetration tests of Cisco's Linux and NX-OS based equipment will also benefit from the improvements to the brute force tools and general automation.
As part of the penetration testing capabilities for Cisco equipment, Metasploit is leveraging its existing brute force tooling. Moore explained that the first step in enumerating the security of Cisco networking gear is either to exploit an authentication bypass vulnerability or to brute-force access through Telnet, SSH, HTTP, or SNMP.
"This step builds on our existing brute force tools and leverages a highly tuned password list based on a research project that harvested configuration files from web forum posts and analyzed passwords for trends," Moore said. "This yielded some surprising results, for example, one of the most common SNMP community strings is 'public@es0', due to a Cisco example configuration that has been copied by less-than-careful administrators."
Once the penetration tester has access, Metasploit then acquires the device's configuration file. Moore noted that once the configuration file is acquired, the embedded passwords, community strings, VPN keys, and wireless credentials are extracted and stored within the Metasploit database.
"Finally, we make it simple for the user to apply the extracted passwords to other hosts on the network, identifying any other systems with a shared password," Moore said.
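The three-step workflow Moore describes (get into the device, pull the configuration, harvest embedded secrets and look for reuse across hosts) has an obvious defensive mirror: audit your own configurations for the same material before someone else does. The following Ruby script is an added example written for this article, not code from Metasploit, Rapid7 or Cisco. It takes two constructed IOS-style configurations for hypothetical devices `router1` and `router2`, flags the IOS HTTP service being enabled, well-known SNMP community strings (including the copied Cisco example value `public@es0` named above), reversible `enable password` and `username ... password` entries, a missing `service password-encryption` line, and finally reports any credential that appears on more than one device. The config parsing covers only these common line forms and is an assumption of the example, not a complete IOS grammar.

```ruby
# Added example (not Metasploit, Rapid7 or Cisco code): a defender-side audit
# of Cisco IOS-style configuration text for the classes of embedded secrets
# the article says Metasploit harvests, plus cross-device credential reuse.
require 'digest'

# Community strings that ship in vendor examples and docs; 'public@es0' is the
# copied Cisco example value named in the article.
WEAK_COMMUNITIES = %w[public private public@es0].freeze

# Constructed sample configurations for two hypothetical devices (not real
# gear, not real secrets). Single-quoted heredocs avoid interpolation of '$'.
SAMPLE_CONFIGS = {
  'router1' => <<~'CFG',
    hostname router1
    enable password 7 094F471A1A0A
    username admin password 7 0822455D0A16
    ip http server
    snmp-server community public@es0 RO
    snmp-server community Kj9#rw RW
  CFG
  'router2' => <<~'CFG',
    hostname router2
    service password-encryption
    enable secret 5 $1$CONSTRUCTED$notarealhash
    username admin password 7 0822455D0A16
    snmp-server community public@es0 RO
    no ip http server
  CFG
}.freeze

# Audit one device's configuration. Returns [findings, secrets], where
# secrets is a list of [kind, value] pairs used for reuse detection.
def audit_config(text)
  findings = []
  secrets  = []
  lines = text.lines.map(&:strip)

  # The IOS HTTP service is where the decade-old authentication bypass flaws
  # mentioned in the article live; it should be off unless actually needed.
  findings << 'IOS HTTP server enabled (ip http server)' if lines.include?('ip http server')

  # Without this line, 'password' entries are stored in clear text.
  findings << 'service password-encryption not set' unless lines.include?('service password-encryption')

  lines.each do |line|
    case line
    when /\Asnmp-server community (\S+)(?:\s+(RO|RW))?/i
      community = Regexp.last_match(1)
      mode = (Regexp.last_match(2) || 'RO').upcase
      secrets << ['snmp', community]
      if WEAK_COMMUNITIES.include?(community.downcase)
        findings << "well-known SNMP community string #{community.inspect} (#{mode})"
      end
    when /\Aenable password (?:(\d) )?(\S+)/
      # 'enable password' is plaintext (type 0) or type 7, both recoverable;
      # 'enable secret' is the hashed replacement.
      type, value = Regexp.last_match(1), Regexp.last_match(2)
      secrets << ['enable', value]
      findings << "enable password stored with reversible type #{type || '0'}; use enable secret"
    when /\Ausername (\S+) password (?:(\d) )?(\S+)/
      user, type, value = Regexp.last_match(1), Regexp.last_match(2), Regexp.last_match(3)
      secrets << ['user', value]
      findings << "user #{user} password stored with reversible type #{type || '0'}; use 'username ... secret'"
    end
  end
  [findings, secrets]
end

# Credentials present on more than one device. This is the reuse the
# article's final step exploits; a defender wants the same list in order to
# rotate them. Values are reported as truncated SHA-256 fingerprints only.
def shared_credentials(secrets_by_device)
  owners = Hash.new { |h, k| h[k] = [] }
  secrets_by_device.each do |device, secrets|
    secrets.each { |kind, value| owners[[kind, value]] << device }
  end
  owners.select { |_, devices| devices.uniq.size > 1 }.map { |(kind, value), devices|
    { kind: kind, fingerprint: Digest::SHA256.hexdigest(value)[0, 12], devices: devices.uniq }
  }
end

# Run the audit over a set of configs: findings per device plus shared list.
def run_audit(configs = SAMPLE_CONFIGS)
  findings = {}
  secrets  = {}
  configs.each do |device, text|
    findings[device], secrets[device] = audit_config(text)
  end
  { findings: findings, shared: shared_credentials(secrets) }
end

if $PROGRAM_NAME == __FILE__
  report = run_audit
  report[:findings].each do |device, list|
    puts "#{device}:"
    list.each { |f| puts "  - #{f}" }
  end
  report[:shared].each do |s|
    puts "shared #{s[:kind]} credential #{s[:fingerprint]} on #{s[:devices].join(', ')}"
  end
end
```

Run with `ruby audit.rb`; on the constructed input it reports five findings for `router1`, two for `router2`, and two credentials shared by both devices (the `public@es0` community and the identical `admin` type 7 password). Fingerprints rather than raw values are printed so the report itself does not become another place the secrets leak from.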
The core community version of Metasploit 3.5.1 is an open source project. Back in October of 2009, Metasploit was acquired by security tools vendor Rapid7 and has since added the Metasploit Express and Metasploit Pro commercial editions. The commercial versions of Metasploit provide additional usability and management features over the open source edition.
"The open source Metasploit Framework contains the individual modules and mixins that make up the Cisco-specific features," Moore said. "These are usable from the standard console and are not restricted in any way."
Moore added that Metasploit Express and Metasploit Pro combine these modules with the Workflow Manager to automatically chain attacks and accomplish all of these steps automatically.
"As an example, you can use the SNMP brute force module in the free version of Metasploit, then use the TFTP module to download the configuration file once an SNMP community has been identified," Moore said. "In the commercial versions of the product, the brute force is automatically chained to the configuration download and data import."
The other difference between the commercial editions and the open source community edition has to do with the included passwords.
"The additional 'top' passwords discovered by our research are only available in the commercial editions today, but we plan to merge these back into the main dictionary at a later date," Moore said.
Keep up with security news. Follow eSecurityPlanet on Twitter: @eSecurityP.