By guest blogger Robert Jones, Information Security Manager, City of Corpus Christi
I had the opportunity to participate in a tech preview of Metasploit Pro's new credentials features. In our shop, we use Metasploit Pro, Nexpose, UserInsight and ControlsInsight, all by Rapid7. I certainly wish I could spend the majority of my time pentesting, but instead I often times I find myself using Metasploit to educate users by showing them how I can compromise their machines. It is incredibly compelling when a user sees their system owned right in front of them, at which point you have one more person more inclined to operate their systems in a more secure manner. But, raising education and awareness one user at a time is not always the best use of your company's time. It is often the case that organizations need to put some type of policy or updated procedure in place to mitigate a risk across the organization. To do this, it is often more appropriate to be able to demonstrate a risk across a larger cross-section, or even the entire organization, to put the risk into a proper context.
While we might be showing users the output of a hashdump and telling them how this scrambled text can be reused on other systems where the credentials are valid, for these larger scale activities, maximizing your count of shelled systems gets exponentially expensive in terms of time when you're attempting to exhaust all avenues that open up from harvested credentials. I am a command-line kind of guy, but pitting my typing against my backspace prowess isn't really feasible for me when shelling more than a handful of machines. This is where the backspace key and clock work in tandem to humble me. The development effort that was put into making these activities more efficient is well-spent and a welcome addition.
To get started with the tech preview, I spun up a virtual machine, installed the pre-release package without issue, and had it up and running in a few minutes. The testing process did not require much of my time, and I would estimate that I spent less than 30-45 minutes actually testing the steps that were asked of me, mostly being along the lines of making sure that items in the application produced the desired result when clicked. There is also a degree of latitude as far as what targets to hit, so instead of using Metasploitable or another intentionally vulnerable target, I pointed this tech preview at our Nexpose platform and imported a list of hosts to try this out on. After all, I want to see how this is going to help me save time in a more authentic scenario than a lab. So, I originally set up a single credential, aimed it at all of the systems, and watched as they indicated whether these credentials were valid against these hosts. It wasn't long after making sure I followed the test steps that I was spending more time cloning credentials based on certain character patterns that I've observed in the past here and aiming additional sets of credentials at these hosts. I honestly had no desire to do this from a command line with each permutation. I think this feature is actually rekindling a relationship with my mouse, as I can't imagine anything other than a purist's love of a black background to warrant doing this stuff from the command line again.
One thing that was not part of the tech preview, but I hope to see in the future, is taking a harvested set of credentials and automatically reusing them for any authenticated exploits during an auto-exploitation routine, thereby expanding the attack surface of your targets where you may otherwise need to only attempt the remote/unauthenticated exploits, or be forced to go into the modules and selectively set those authenticated exploits to use a particular set of credentials. This would need more thought and planning than I've done as I write this, but I envision a list of harvested credentials on that new credentials tab growing over time that would be a great list, specific to my environment, that might yield additional targets when using some type of "authenticated upload and execute" or similar exploits requiring valid credentials to test.
While I have this opportunity, I also want to encourage everyone to provide candid feedback to Rapid7. While many of us may operate in the mindset that we aren't a large enough customer to warrant the vendor's attention, I have witnessed on many occasions that a quick note almost always results in a same-day response from one of the development teams. This isn't a canned response or some default of "We'll review it and thanks" kind of thing. Often, it results in a direct conversation to discuss further. I've often seen new features added in a week or two that directly address the feedback, and I've never worked with a software company that valued feedback and acted on it at this level. The end result is that we, as a community, end up with tools that make our jobs easier and more efficient, making us better at our jobs. If you think of an improvement to their solutions, please share it with them. It is well worth the effort.
Note from Rapid7: If you'd like to learn more about the new credentials features and see Metasploit Pro in action, please reserve a space on our free upcoming webcast "Credentials Are the New Exploits: How to Effectively Use Credentials in Penetration Tests"