Last Saturday, our favorite South Florida hacker collective, HackMiami, took first place at the South Florida ISSA Hack the Flag contest in Fort Lauderdale, FL. Seven teams participated, each defending systems running a variety of off-the-shelf services such as HTTP, SSH and FTP while attempting to take control of the other teams' systems. We think it makes a useful case study and wanted to share the results with you.
HackMiami was the first team to enumerate all servers in a range of 3,096 IP addresses using the discovery feature from our own Metasploit Express. Using screenshots of the Metasploit Express hosts overview, they tracked machines that could no longer be pinged or had moved to different IP addresses.
Tracking via screenshots is hardly ideal, so when discussing the results after the competition, we put together a script to help automate scenarios like this one, where ongoing discovery scans are required.
This script simply passes a configuration to the Metasploit Express discovery module, then instructs the RPC service to run the scan. Combined with a cron job (*/5 * * * * discover_rpc.rb), this is a powerful way to keep a current picture of a target network: each scan's results automatically populate the Express interface, so hosts that drop off or change addresses show up between runs. Everything within Express is highly automatable and designed to speed up your pentesting workflow.
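The discover_rpc.rb script itself is not reproduced on this page. As an added example (not Rapid7's script, and not the Express RPC API), the following Ruby shows the bookkeeping half of that workflow: diffing two successive discovery inventories to flag hosts that vanished, appeared, or moved to a new IP, which is what the team was tracking by hand from screenshots. The two inventories and the MAC-address matching are constructed assumptions.

```ruby
# Compare two host inventories from successive discovery scans and report
# hosts that disappeared, appeared, or moved to a different IP address.
# Hosts are matched across scans by MAC address (a constructed assumption;
# a hostname or any other stable identifier works the same way).

# Constructed sample inventories: what two consecutive scans might return.
SCAN_1 = [
  { ip: '10.10.1.5',  mac: '00:0c:29:aa:01:05', os: 'Linux' },
  { ip: '10.10.1.9',  mac: '00:0c:29:aa:01:09', os: 'Windows XP' },
  { ip: '10.10.2.20', mac: '00:0c:29:aa:02:14', os: 'FreeBSD' },
].freeze

SCAN_2 = [
  { ip: '10.10.1.5',  mac: '00:0c:29:aa:01:05', os: 'Linux' },
  { ip: '10.10.3.7',  mac: '00:0c:29:aa:01:09', os: 'Windows XP' }, # moved
  { ip: '10.10.2.31', mac: '00:0c:29:aa:02:1f', os: 'Linux' },      # new
].freeze # the FreeBSD host no longer answers

# Returns { gone: [...], new: [...], moved: [...] } describing the changes
# between the earlier inventory (before) and the later one (after).
def diff_inventories(before, after)
  before_by_mac = before.to_h { |h| [h[:mac], h] }
  after_by_mac  = after.to_h  { |h| [h[:mac], h] }

  gone  = (before_by_mac.keys - after_by_mac.keys).map { |m| before_by_mac[m] }
  fresh = (after_by_mac.keys - before_by_mac.keys).map { |m| after_by_mac[m] }
  moved = (before_by_mac.keys & after_by_mac.keys)
          .reject { |m| before_by_mac[m][:ip] == after_by_mac[m][:ip] }
          .map { |m| { mac: m, from: before_by_mac[m][:ip], to: after_by_mac[m][:ip] } }

  { gone: gone, new: fresh, moved: moved }
end

# One human-readable line per change, suitable for logging from a cron run.
def report(changes)
  lines = []
  changes[:gone].each  { |h| lines << "GONE  #{h[:ip]} (#{h[:mac]}, #{h[:os]})" }
  changes[:new].each   { |h| lines << "NEW   #{h[:ip]} (#{h[:mac]}, #{h[:os]})" }
  changes[:moved].each { |m| lines << "MOVED #{m[:from]} -> #{m[:to]} (#{m[:mac]})" }
  lines
end

puts report(diff_inventories(SCAN_1, SCAN_2)) if __FILE__ == $PROGRAM_NAME
```

In practice the inventories would come from the previous and current scan results rather than constants; the diff logic is unchanged.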
While the target servers withstood brute-force and auto-exploitation attempts, the Metasploit Express banner grab, which uses both nmap and framework modules for additional fingerprinting, showed vsftp 2.0.4 running on one server. That service accepted anonymous logons and that version contains several fairly severe vulnerabilities. HackMiami used this to their advantage and won the competition. Congrats guys!
HackMiami chose Metasploit Express in large part because it had recently won out over alternative commercial software in the HackMiami Pwn-Off. A free 7-day trial is available here; download it and give it a shot!