The Metasploit penetration testing framework has always been about finding ways to exploit IT, in an effort to improve defense. The new Metasploit 4.5 release from security vendor Rapid7 goes a step further than its predecessors, offering a new phishing engine and updated exploit modules.
"The phishing engine is part of a larger Social Engineering module that supports a wide range of client-side exploitation and security assessment capabilities," said HD Moore, chief architect of Metasploit and chief security officer for Rapid7.
Moore told eSecurity Planet that the new phishing engine is a simplified version of the Metasploit Pro Social Engineering component. "This allows full customization of the campaign and malicious content can be loaded as email attachments, file format exploits, or using browser-based exploits based on the framework's browser_autopwn module," he said.
Browser_autopwn is an exploit module that debuted in the Metasploit 3.2 release in November of 2008. The general idea behind browser-autopwn is to fingerprint a user's browser, then automatically enable an attack with an array of exploit modules for the given browser and its associated plugins.
Security Lessons for Enterprises
The goal with Metasploit's phishing engine is to enable an enterprise to test all the various layers of its IT defense.
"Security awareness training helps, but should be combined with both endpoint and perimeter solutions such as browser sandboxing and Web proxies," Moore said. "If you launch the campaign from outside of the network, you can perform a test that reflects every level of defense."
Alternatively, an administrator can launch an internal-only campaign, which ignores perimeter defenses and lets the test focus on security awareness and endpoint mitigations, Moore said.
Open Source and Other Editions
Metasploit is available in three different editions: community (open source), Express and Pro. The Pro version was introduced in 2010 as the top end of the commercial offerings for Metasploit, providing enterprise-class capabilities. The new phishing engine is specific to the Pro version of Metasploit, though Moore noted that other editions including the open source framework have also seen improvements in the area of phishing related attacks.
According to Moore, the improvements across all editions of Metasploit include better logic in browser_autopwn, bug fixes and enhancements to exploit payloads. Additionally, all versions of Metasploit 4.5 benefit from the introduction of local exploits that can be used to escalate privileges to administrator from low-privileged user sessions.
"Every exploit in Metasploit Pro is also available in Metasploit Express, Metasploit community, and the open source framework," Moore said. "The 4.5 release wraps up months of hard work by both our in-house team and the community at large."
Moore said the exploits he finds most interesting are those that target logic flaws or weak configurations, as they tend to be incredibly reliable and are almost always a surprise. Recent examples of this include the Tectia SSH authentication bypass flaw and the various Java sandbox escapes.
Weak configurations and weak passwords can also potentially be found in Metasploit itself. Metasploit 4.5 includes a Web Interface Login Utility that can be used by a researcher to test the security of a Metasploit installation.
"This module launches a dictionary attack against the Metasploit RPC interface," Moore explained.
Attacks are less likely to succeed against Metasploit Pro, as it includes the capability to rate limit login requests and it introduces random delays to failed login attempts. Moore noted that additionally, when user accounts are created in Pro, the platform enforces a minimum complexity standard that makes any form of brute force attack unlikely to succeed.
"With that, we understand that users of the framework can configure the standalone RPC daemon in less secure ways, and recognize that any tool that helps our user base audit their involvement is a good thing," he said.