Comments on Technicalinfo.net Blog: Musings on Metasploit
(comment feed, last updated 2024-03-28)

Gunter Ollmann, 2010-09-19 12:54 (-07:00):

@HDM Don't get me wrong. I too enjoy breaking stuff and developing innovative evasions (and perhaps enjoy chaining the stuff together into a single minimally-sized payload most of all). But I'm also given to pause: perhaps we should be rethinking what precisely our objectives are in this business? Granted, we've all developed tools that make our lives easier during a pentest designed to replicate a known bad-guy technique (and of course Metasploit is aces ahead in this field), but perhaps we need to think a little further ahead about what needs to be done in helping to build the defenses? Naming and shaming doesn't appear to be making much progress - hence the "good enough" and "you get what you pay for" attitudes in protection development and (customer) spending.

@Robert - you're a visionary star and you know it :-) I don't think that there's anyone left at IBM innovating in the IPS field. The folks that wanted to continue the battle all upped sticks and joined TippingPoint.

Robert Graham, 2010-09-19 11:10 (-07:00):

I forget when I added gzip decompression to BlackICE Proventia (I think 2002). I do remember giving a presentation about it at ToorCon 2005.

I put common SMB/MS-RPC evasions (like named-pipes fragging and DCE-RPC fragging) in BlackICE/Proventia in 2001. However, I admit it's an arms race: the stack is so complex that you can probably find a new evasion if you try hard enough. I haven't worked at IBM for 4 years, so I have no idea if they are keeping up with the latest evasions.

Anonymous, 2010-09-18 16:24 (-07:00):

The kicking comment was a lapse in judgment; however, the glee that you read in devising new attacks was genuine. The only way to build defensible systems is by attacking them. The IPS industry has done such a poor job of keeping up with evasions that the AV vendors are now stepping into their shoes. These endpoint protection products would not be necessary if the network-level folks could keep up with the sophistication of the attacks in the wild. For the last 6 years, the Metasploit Framework had a common setting that would prevent nearly all IPS products from catching SMB-based exploits. It wasn't until vendors were called on this earlier this year (by a test house, no less) that we saw significant improvements. For all the contortions of the SMB protocol stack, it's nowhere near as complex as client-side attacks through the web, and the IPS industry has been fighting a losing battle there by almost any standard of measurement. While some vendors still make an honest effort at deep protocol inspection, others are content to ignore available tools and ship defensive systems that can be trivially evaded by public tools. Selling a customer a system that claims to protect them against attacks and fails miserably when those attacks are modified is bad for everyone. The customer thinks they are protected and the vendor has no motivation to improve their products.

Metasploit, and the rest of the security community, are still woefully behind what the actual attackers are doing in the wild. For all of the accusations about tools like Metasploit being abused, we still have attacks like Stuxnet that put the entire industry to shame (software vendors and security folks alike). We are in a losing battle, and while the good guys are outgunned, they should by no means be defenseless. The work we do on the Metasploit project helps even the playing field and allows everyone, including the same vendors that complain about our tools, to build stronger defenses.

Going back to motivations: you want the people who *enjoy* this work to be the ones doing it. Just like you want your IPS signatures written by people passionate about the technology, you want a similar level of motivation from the folks who are making sure that technology functions correctly.