1 Attack Vector: Credentials

According to the Verizon Data Breach Investigations Report, credentials are the number #1 attack vector used to compromise networks. This news comes with no surprises. Credentials have been and most likely will continue to be one of the top attack vectors for years to come.

With credentials-based attacks becoming exponentially more topical, it's become more critical than ever to focus on credentials management and reuse. Metasploit has always provided the ability to leverage credentials in attacks, but it was a cumbersome and inefficient process. There was not an easy way to manage and use credentials that were collected from compromised systems. So in 2014, we dedicated a great deal of time to developing new features that enabled our users to easily manage and reuse credentials easily and efficiently.

Managing Credentials Made Easy

In August of 2014, we have released a major feature, a one-stop shop, to handle all credentials, in a single view in Metasploit Pro. Since then, we have received tons of feedback from our customers in terms of how it has helped them streamline the process of managing and using credentials, especially with large projects. Additionally, we also introduced a new feature that simplifies using credentials on other targets. Reusing credentials is a very common practice, but it was a very manual process before. With this improvement, we expected to save our users a lot of time by enabling them to reuse credentials very quickly and efficiently.

These two features were only half of the story. Metasploit Pro had a bruteforce feature prior that was lacking certain features and was cumbersome to use. We also needed to provide more tools to our users to help them save even more time on their penetration testing engagements. Fast forward to December of 2014; we released a new MetaModule that simplified to reuse credentials, and we made significant improvements to bruteforce functionality.

Owning the Network with Credentials

The new bruteforce workflow not only looked significantly better, but it also included new functionality that enabled customers to test common factory defaults and previously collected credentials. Password mutations, which were removed in Metasploit 4.10.0, were re-added to the bruteforce workflow to enable users to append and prepend characters to passwords as well as perform leetspeak substitutions. The new "Time Between Attempts" configuration helps prevent account lockouts during bruteforce attempts. I was particularly excited about the Credentials Domino MetaModule. It completely automates the credentials reuse scenario thereby enabling our users to focus on other parts of testing process that may require more manual effort. It also comes with network visualization view that analyzes the results of the reuse attempts which makes it very easy to clearly identify weak hosts within a network.

As we wrapped 2014, I felt really good about the improvements and new features we have added to Metasploit. I strongly believe 2015 will be a great year for us. We will continue to add new features, and improve usability along the way.

As always, your feedback is really important to us, feel free to reach out to us here on the Community, via Rapid7 Customer Portal, or tweet us @rapid7 and @metasploit any time.

Eray Yilmaz - @erayymz

Sr. Product Manager, Metasploit

P.S. Please feel free to watch our Feature Friday on credentials as an attack vector, as well as a demo of the Credentials Domino MetaModule.