Saturday, September 18, 2010

Musings on Metasploit

The week before last I attended and spoke at the OWASP AppSec 2010 conference on the first day; HD Moore spoke on the second day.

It's always fun to watch HD Moore as he covers the latest roadmap for Metasploit - explaining the progress of various evasion techniques as they're integrated into the tool and deriding the progress of various "protection" technologies.

A couple of things he said at the time stuck in my mind and I've been musing over them throughout last week. One comment - in response to a question that had been raised - was that IDS/IPS evasion is already sufficient within Metasploit and that further techniques would be "like kicking a cripple kid". Granted, not very PC - but that's the purpose of such statements.

I agree to a certain extent that IDS/IPS technologies can be evaded - but there's a pretty broad spectrum of IDS/IPS technologies and 'one size doesn't fit all'. For example, HD Moore mentioned that simply using HTTP compression (i.e. GZIP) is enough to evade the technology. Not so. For IDS/IPS technologies with full protocol parsing modules (rather than packet-based signature matching) such techniques won't work. But that's by the by. Depending upon the sophistication of the attacker and their knowledge of the strengths and weaknesses of the IDS/IPS technology, evasions can often be found in short order (depending upon the type of vulnerability being exploited). While it's obviously to HD Moore's advantage to talk a good game on behalf of Metasploit and novel evasion techniques, it doesn't hurt to be reminded that there is an agenda behind making such broad claims.
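The distinction drawn above between packet-based signature matching and full protocol parsing, as an added example that is not from the original post: a constructed HTTP response carries a benign marker string inside a gzip-encoded body, one matcher inspects the bytes as seen on the wire, and the other decodes Content-Encoding before matching. The marker string, the header set and both matchers are constructed for illustration and are not from any real IDS/IPS product.

```python
import gzip
import re

# Constructed sample: a harmless marker standing in for a content signature.
SIGNATURE = re.compile(rb"TEST-SIGNATURE-TOKEN")


def build_response(body: bytes, compress: bool) -> bytes:
    """Construct an HTTP/1.1 response, optionally with a gzip-encoded body."""
    payload = gzip.compress(body) if compress else body
    headers = [b"HTTP/1.1 200 OK", b"Content-Type: text/html"]
    if compress:
        headers.append(b"Content-Encoding: gzip")
    headers.append(b"Content-Length: " + str(len(payload)).encode())
    return b"\r\n".join(headers) + b"\r\n\r\n" + payload


def packet_match(raw: bytes) -> bool:
    """Packet-based inspection: search the pattern in the raw wire bytes only."""
    return SIGNATURE.search(raw) is not None


def protocol_match(raw: bytes) -> bool:
    """Protocol-aware inspection: parse headers, undo Content-Encoding, then match."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False  # not a complete HTTP message; nothing to normalize yet
    encodings = []
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-encoding":
            encodings = [e.strip().lower() for e in value.split(b",")]
    if b"gzip" in encodings or b"x-gzip" in encodings:
        try:
            body = gzip.decompress(body)
        except (OSError, EOFError):
            # A body that claims gzip but will not decode is itself an anomaly;
            # fail closed and flag it rather than silently passing it through.
            return True
    return SIGNATURE.search(body) is not None


# Constructed page body with enough repetition that gzip actually compresses it,
# so the marker is Huffman-coded rather than stored as literal bytes.
SAMPLE_BODY = (b"<html><body>" + b"hello hello hello " * 4
               + b"TEST-SIGNATURE-TOKEN" + b"</body></html>")
```

Run against `build_response(SAMPLE_BODY, True)`, `packet_match` reports nothing while `protocol_match` still fires; against the uncompressed variant both fire.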

The other comment he made related to the progress of adding more advanced payloads and exploit techniques. While I can't remember precisely the terms he used, the way he was discussing the topic - how much fun everyone was having inventing and developing the new techniques - left me unable to help but feel a little ashamed that things within the professional (attack-based) security field had reached this level.

What do I mean? Well, given the way in which HD Moore was describing things to the audience, I couldn't help but think in terms of physical weapons research. The description of the nested exploit and evasion modules and how the developers/researchers were going about developing better, faster and more efficient techniques made me visualize a game of one-upmanship between bullet designers. Something like the following...

Researcher 1: I think we should make a bullet that's Teflon coated but acts like a dum-dum bullet that expands to make a bigger hole in the target.

Researcher 2: No, I've got a better idea. Instead of using the dum-dum style of bullet, I've come up with a way of making it fragment quicker and completely eviscerate the target internally.

Researcher 1: How about we add that new flaming compound so that as the target gets eviscerated he'll combust at the same time.

Researcher 2: That's cool! I bet there'll be crimson smoke coming out of the target too.

Researcher 1: Ha ha. Cool! Let's build it and test it against those homeless people across the road.

I'm guessing you're thinking that I'm perhaps a little warped in thinking these kinds of things (and for writing them down). But it's something that sprang into my mind at the time and again last week. How much is too much?

Granted, "good enough" protection can be defeated by using a "good enough" evasion technique. But I wonder when (or if) we'll ever need people to be more responsible for their actions in developing what are effectively the cyber-equivalent of weapons? I strongly doubt that there'll ever be a cyber-equivalent of the Hague Convention though.


  1. The kicking comment was a lapse in judgment, however, the glee that you read in devising new attacks was genuine. The only way to build defensible systems is by attacking them. The IPS industry has done such a poor job of keeping up with evasions that the AV vendors are now stepping into their shoes. These endpoint protection products would not be necessary if the network-level folks could keep up with the sophistication of the attacks in the wild. For the last 6 years, the Metasploit Framework had a common setting that would prevent nearly all IPS products from catching SMB-based exploits. It wasn't until vendors were called on this earlier this year (by a test house, no less), that we saw significant improvements. For all the contortions of the SMB protocol stack, it's nowhere near as complex as client-side attacks through the web, and the IPS industry has been fighting a losing battle there by almost any standard of measurement. While some vendors still make an honest effort at deep protocol inspection, others are content to ignore available tools and ship defensive systems that can be trivially evaded by public tools. Selling a customer a system that claims to protect them against attacks and fails miserably when those attacks are modified is bad for everyone. The customer thinks they are protected and the vendor has no motivation to improve their products.

    Metasploit, and the rest of the security community, are still woefully behind what the actual attackers are doing in the wild. For all of the accusations about tools like Metasploit being abused, we still have attacks like Stuxnet that put the entire industry to shame (software vendors and security folks alike). We are in a losing battle, and while the good guys are outgunned, they should by no means be defenseless. The work we do on the Metasploit project helps even the playing field and allows everyone, including the same vendors that complain about our tools, to build stronger defenses.

    Going back to motivations; you want the people who *enjoy* this work to be the ones doing it. Just like you want your IPS signatures written by people passionate about the technology, you want a similar level of motivation by the folks who are making sure that technology functions correctly.

  2. I forget when I added gzip decompression to BlackICE Proventia (I think 2002). I do remember giving a presentation about it at ToorCon 2005.

    I put common SMB/MS-RPC evasions (like named-pipes fragging and DCE-RPC fragging) in BlackICE/Proventia in 2001. However, I admit it's an arms race: the stack is so complex that you can probably find a new evasion if you try hard enough. I haven't worked at IBM for 4 years, so I have no idea if they are keeping up with the latest evasions.

  3. @HDM Don't get me wrong. I too enjoy breaking stuff and developing innovative evasions (and perhaps enjoy chaining the stuff together into a single minimally-sized payload most of all). But I'm also given to pause, in that perhaps we should be rethinking what precisely our objectives are in this business? Granted, we've all developed tools that make our lives easier during a pentest designed to replicate a known bad-guy technique (and of course Metasploit is aces ahead in this field), but perhaps we need to think a little further ahead in what needs to be done in helping to build the defenses? Naming and shaming doesn't appear to be making much progress - hence the "good enough" and "you get what you pay for" attitudes in protection development and (customer) spending.

    @Robert - you're a visionary star and you know it :-) I don't think that there's anyone left at IBM innovating in the IPS field. The folks that wanted to continue the battle all upped sticks and joined TippingPoint.