Penetration testing on the cheap and not so cheap

Admins charged with assessing network security can choose from solid open source offerings and enterprise-grade tools

 

I've been doing a lot of vulnerability and penetration testing for a customer who wants to see various simulated attacks and possible outcomes. I've been a penetration tester going on 10 years, and it is easily the most enjoyable task I can be asked to perform. Breaking in is fun -- and far easier to pull off when you use one of the many handy vulnerability-testing tools available today.

 

Overall, breaking in to a company isn't that hard once you know what you're doing. I've yet to find a company with perfect patching or with all the traditional security features from the last 20 years enabled sufficiently. Still, when you're asked to do it on a deadline in a particular way, it can take work. It isn't like the movies where pen testers can guess master passwords in 60 seconds before the bad guys arrive.
[ Master your security with InfoWorld's interactive Security iGuide. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. | Get a dose of daily computer security news by following Roger Grimes on Twitter. ]
That's where vulnerability testing tools come in handy. I've long been a fan of the freeware program Cain & Abel. No tool makes it easier to perform ARP poisoning, password sniffing, man-in-the-middle attacks, or digital certificate spoofing. It doesn't get updated as frequently as many other tools, but what it can do is laudable.
Like any budget-minded pen tester, I love free Metasploit. It comes with hundreds of exploits and payloads, and it is available in a GUI and a command-line version. HD Moore, Metasploit's main original contributor, always garners the largest packed rooms at Las Vegas Black Hat conferences.
When it comes to professional penetration testing, using a professional-grade tool is always a smart choice. They simply do more and work better than free tools. Although there are dozens and dozens of professional testing tools, I've messed with only a handful. One day I need to do a thorough test review again.
Among them is Rapid7's commercial offerings, which boast features and functionality you can't get in the free versions of Metasploit. Immunity Canvas is, and has always been, a top vulnerability testing tool. Dave Aitel, Immunity's founder and hacker extraordinaire, and the DailyDave community will always keep Canvas on the top of every penetration tester's wish list.
I recently spent several weeks with the Core Security Technologies Impact tool, which I looked at many years ago for InfoWorld. I was blown away by how much it has improved since the simple days of firing off remote exploits. Today it is a thoroughly interactive tool capable of launching soup-to-nuts attacks against almost any target. What impressed me the most was how well it automated client-side attacks. A typical free tool might create the crucial exploit needed and maybe even a simulated Web link for the "unsuspecting" victim to download from, but Impact does it all with a user-friendly wizard.
The main screen automates every step a manual attacker would make, from information gathering, attacking, and privilege escalation to cleanup. The process takes you almost literally step by step. But if you just want to break in, you begin by choosing the Client Side RPT feature. Clicking on the Client-side Attack and Penetration option starts the wizard.

Impact prompts you for the email addresses to which to send the "malicious" email. You can choose to send a single-exploit attack, a multi-exploit attack, or a phishing email to harvest credentials or information. You can then opt to send your exploit using a Web link or as a file attachment; you can also decide to exploit the email client itself. Using a file attachment often works better in getting by network defense tools.

Next, you select which exploit to send. Impact offers a range of hundreds of premade exploit modules.

After that, you create a subject line and text to send along with the accompanying exploit. The next windows allow you to specify the connect-back method and port. You can select any port, including HTTP and HTTPS. I often go with the latter to better hide malicious code from prying network attack detection tools.

Finally, you select the initial payload actions and wait. By simply ticking a checkmark, I was able to tell Impact to make an agent be persistent (live through a reboot) and to dump the currently logged on user's authentication credentials.

Once the email is sent, it's a matter of waiting for the target victim or victims to receive it. When a victim opens the email and/or attachment, the exploit goes off, takes control of the system, installs the Impact agent, and establishes a remote management channel back to the tester's computer. After that, the sky's the limit.
Using Impact made me yearn for the days when all I did was penetration testing -- man, the hours and hours I could have saved using Impact or a tool like it.
Some people complain about how easy pen testing tools make it to exploit an environment, as if the bad guys are usually wielding a mainstream or commercial tool. I tell critics that the bad guys have their own custom tools, specialized for their type of work. Most penetration testing tools, especially the ones I mentioned here, are made for IT security teams so that we can test our own defenses before the bad guys do. It also lets us demonstrate particular exploits to senior management more easily. The bad guy doesn't need these tools. We do.