authentication and authorization steps are complete and cannot be circumvented.
2. Mistrust of user input. Users should be treated as “hostile agents”: data is verified on the server side, and strings are stripped of tags to prevent buffer overflows.
3. End-to-end session encryption. Entire sessions should be encrypted, not just the portions of activity that contain sensitive information. In addition, secure applications should have short timeouts that require users to reauthenticate after periods of inactivity.
4. Safe data handling. Secure applications will also ensure that data is safe while the system is in an inactive state. For example, passwords should remain encrypted while stored in databases, and secure data segregation should be implemented. Improper implementation of cryptographic components has commonly opened doors for unauthorized access to sensitive data.
5. Eliminating misconfigurations, backdoors, and default settings. A common but insecure practice among software vendors is shipping software with backdoors, utilities, and administrative features that help the receiving administrator learn and implement the product. The problem is that these enhancements usually contain serious security flaws. Such items should always be disabled before shipment, requiring the customer to enable them, and all backdoors should be removed from the source code.
6. Security quality assurance. Security should be a core discipline during product design, during the specification and development phases, and during testing. An example of this is vendors creating security quality assurance (SQA) teams to manage all security-related issues.
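The following is an added example, not code from the book, that models three of the principles above in plain Python using only the standard library: server-side validation of user input with an allowlist and hard length limits (principle 2), sessions that expire after a short idle period and force reauthentication (principle 3), and passwords kept unreadable at rest (principle 4). For the password part it uses a salted, iterated PBKDF2 hash, which is the usual way to keep stored passwords unrecoverable. All names here (validate_username, sanitize_comment, SessionStore, and the constants) are this example's own assumptions, not an API from any product the page discusses.

```python
"""Added example: server-side input validation, idle-timeout sessions, and
salted password hashing. Stand-alone; standard library only."""
import hashlib
import hmac
import os
import re
import time
from typing import Optional, Tuple

# --- Principle 2: mistrust user input (validate on the server, reject the unexpected) ---
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")   # allowlist, constructed for this example
MAX_COMMENT_LEN = 512                                # hard bound on free-text fields
TAG_RE = re.compile(r"<[^>]*>")                      # crude markup stripper for free text


def validate_username(raw: str) -> str:
    """Accept only names matching the allowlist; anything else is rejected, not 'fixed'."""
    if not isinstance(raw, str) or not USERNAME_RE.fullmatch(raw):
        raise ValueError("invalid username")
    return raw


def sanitize_comment(raw: str) -> str:
    """Enforce a length limit first, then strip tags from free text."""
    if not isinstance(raw, str) or len(raw) > MAX_COMMENT_LEN:
        raise ValueError("comment too long")
    return TAG_RE.sub("", raw)


# --- Principle 4: safe data handling (passwords never stored in recoverable form) ---
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: bytes = b"") -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is generated when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


# --- Principle 3: short inactivity timeout that forces reauthentication ---
class SessionStore:
    """In-memory session table keyed by a random token.

    `clock` is injectable so the timeout behaviour can be tested without sleeping.
    """

    def __init__(self, idle_timeout: float = 900.0, clock=time.monotonic):
        self.idle_timeout = idle_timeout
        self.clock = clock
        self._sessions = {}  # token -> (username, last_activity)

    def create(self, username: str) -> str:
        token = os.urandom(32).hex()  # 256 bits of entropy; unguessable session id
        self._sessions[token] = (username, self.clock())
        return token

    def touch(self, token: str) -> Optional[str]:
        """Return the username if the session is still live and refresh its timer.

        An idle session is deleted and None is returned, so the caller must
        send the user back through authentication.
        """
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, last_activity = entry
        if self.clock() - last_activity > self.idle_timeout:
            del self._sessions[token]
            return None
        self._sessions[token] = (username, self.clock())
        return username


if __name__ == "__main__":
    salt, digest = hash_password("correct horse battery staple")
    print("password verifies:", verify_password("correct horse battery staple", salt, digest))
    store = SessionStore(idle_timeout=900.0)
    tok = store.create(validate_username("alice"))
    print("session live:", store.touch(tok) == "alice")
```

The injectable clock in SessionStore is the part worth copying: timeout logic that can only be exercised by sleeping tends never to be tested, and the idle-expiry branch is exactly the one that matters for principle 3.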
So What Should We Do from Here on Out?
There are several things that we can do to help improve the situation, but it requires everyone involved to be more proactive, more educated, and more motivated. Here are some suggestions that should be followed if we really want to improve our environments:
1. Stop depending on firewalls. Firewalls are no longer an effective single countermeasure against attacks. Software vendors need to ensure that their developers and engineers have the proper skills to develop secure products from the beginning.
2. Act up. It is just as much the consumers’ responsibility as the developers’ to ensure that the environment is secure. Users should actively seek out documentation on security features and ask for testing results from the vendor. Many security breaches happen because of improper configurations by the customer.
3. Educate application developers. Highly trained developers create more secure products. Vendors should make a conscious effort to train their employees in areas of security.
4. Assess early and often. Security should be incorporated into the design process from the early stages and tested often. Vendors should consider hiring security consulting firms to offer advice on how to build security practices into the overall design, testing, and implementation processes.
5. Engage finance and audit. Getting the proper financing to address security concerns is critical in the success of a new software product. Engaging budget committees and senior management at an early stage is also critical.
■ Chapter 4 Using Metasploit
■ Chapter 5 Using the Backtrack Live CD Linux Distribution
Chapter 4 Using Metasploit
This chapter will show you how to use Metasploit, an exploit launching and development platform.
• Metasploit: the big picture
• Getting Metasploit
• Using the Metasploit console to launch exploits
• Using Metasploit to exploit client-side vulnerabilities
• Using the Metasploit Meterpreter
• Using Metasploit as a man-in-the-middle password stealer
• Using Metasploit to auto-attack
• Inside Metasploit exploit modules
Metasploit: The Big Picture
Metasploit is a free, downloadable tool that makes it very easy to acquire, develop, and launch exploits for computer software vulnerabilities. It ships with professional-grade exploits for hundreds of known software vulnerabilities. When H.D. Moore released Metasploit in 2003, it permanently changed the computer security scene. Suddenly, anyone could become a hacker and everyone had access to exploits for unpatched and recently patched vulnerabilities. Software vendors could no longer drag their feet fixing publicly disclosed vulnerabilities, because the Metasploit crew was hard at work developing exploits that would be released for all Metasploit users.
Metasploit was originally designed as an exploit development platform, and we’ll use it later in the book to show you how to develop exploits. However, it is probably more often used today by security professionals and hobbyists as a “point, click, root” environment to launch exploits included with the framework.
We’ll spend the majority of this chapter showing Metasploit examples. To save space, we’ll strategically snip out nonessential text, so the output you see while following along might not be identical to what you see in this book. Most of the chapter examples will be from Metasploit running on the Windows platform inside the Cygwin environment.
Getting Metasploit
Metasploit runs natively on Linux, BSD, Mac OS X, and Windows inside Cygwin. You can enlist in the development source tree to get the very latest copy of the framework, or just use the packaged installers from http://framework.metasploit.com/msf/download.
The Windows console application (msfconsole) that we will be using throughout this chapter requires the Cygwin environment to run. The Windows package comes with an AJAX browser-based interface (msfweb) which is okay for light usage, but you’ll eventually want to install Cygwin to use the console in Windows. The Cygwin downloader is www.cygwin.com/setup.exe. Be sure to install at least the following, in addition to the base packages:
• Devel: readline, ruby, and subversion (required for msfupdate)
• Interpreters: ruby
• Libs: readline
• Net: openssl