Friday, December 16, 2011

"Metasploit : The Penetration Tester's Guide" Review

Dave Kennedy, Jim O'Gorman, Devon Kearns and Mati Aharoni set out to do the impossible.  How do you write a book about a software project that improves nearly every day?  How do you keep it relevant for more than a few weeks or months? Other books have tried and in my opinion failed, but this one is great.  It doesn't just teach you how to use this great security tool, it takes you through some of the thought and methodology involved in a professional penetration test.

Almost everyone can learn something from this book.  I particularly liked the following chapters because they contain the most complete coverage of topics that you won't find covered in much depth anywhere else:
Chapter 3 - Working with Databases in Metasploit
Chapter 5 - Resource Files

Although I found a few tips that I was able to immediately start utilizing on engagements, I think the book would be even better for those with less exposure to Metasploit and SET.  
Most of my gripes about the book stem from the content in Chapter 6 (Meterpreter).  Process migration is explained, but I think the authors should have gone into more depth about how to choose the right processes to migrate to.  Most Host IPS products protect a specific set of processes which should be avoided if at all possible. A warning similar to that about the use of bind shells on page 94 would have been nice.  Another potential improvement to Chapter 6 could be a discussion on why NOT to kill antivirus.  If you have gone through the trouble of getting code execution with Meterpreter with AV installed, why not leave AV alone?  Meterpreter is running in memory so in theory it shouldn't be affected by AV.  You should avoid uploading tools if at all possible.
The acknowledgment on page 108 is completely accurate.  Generating a payload to bypass some AV products is nearly impossible using the methods described in the book.  Any popular method of generating payloads will eventually be reversed (for good reason) by the AV vendors.  There is a great discussion about this concept here and here.  For that reason, it's normally best to find your own method and keep it private.

Overall, the book is well-written and organized.  If I were designing a course on penetration testing, this book would definitely be mandatory reading.  It's on the short list of books I would recommend to any security practitioner.  You can pick it up from Amazon or directly from No Starch Press.


Friday, December 9, 2011

Giving the Gift of Updates

The holidays are a time for family and friends.  For many geeks that means a lot of pro bono computer repairs, and this year has started no differently for me.  I started thinking of ways to quickly fix and secure the endless stream of laptops heading my way, and here are some methods that have proved helpful.

Although it seems people are keeping their Windows machines patched, the third-party applications are another issue.  My family members still aren't adhering to the safe-browsing advice that I gave them so each "repair" is normally a complete OS wipe and reload.

After being asked to "fix" two laptops in a row with physically damaged DVD drives, I went ahead and dedicated a thumb drive to the Windows 7 install media.  The process is simple and it actually speeds up the installation process.  You also aren't dependent on potentially broken hardware.

The first step is to download the tool from Microsoft and install it.  Next, find a suitable USB drive that is at least as large as the installation DVD.  Then, choose the source ISO file and select USB device.  Once the process is started, you will be presented with:

Once it is done, you will have a USB drive that you can use to reinstall or repair broken Windows 7 installations.

Another trick to speed up post-installation tasks is to use Ninite to create a single installation executable.  If you haven't used Ninite before, it's extremely easy.  Just browse to the website and select the software you want to install:

Once you are done, click the "Get Installer" button at the bottom of the page and you will have a single executable for downloading and installing all of the software.  I know Ninite has saved me hours this year alone, but remember that you will need internet access for it to work.

You can use Ninite for another purpose as well.  Last year, I renamed the Ninite binary to updates.exe and left it on the user's desktop.  I asked them to run it with admin credentials every few weeks.  Although Windows Update was working properly, no one was patching anything else.

This year, I took it a step further and created a task to run updates.exe for them.  Now they will be prompted for credentials every once in a while (possibly increasing social-engineering risks), but at least they will hopefully be better protected from client-side attacks.

First I copied updates.exe to the 'c:\Windows\Tasks' folder to secure its permissions.  Then I created a task named "updates" to run it every two weeks with Schtasks:

schtasks /create /sc weekly /mo 2 /tn updates /tr c:\windows\tasks\updates.exe /rl highest

To test that the task is working properly:

schtasks /run /tn updates

The Ninite exe will only download applications that are either not installed or out-of-date.
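The same setup as a PowerShell script, added here as an example and not part of the original post: it copies the binary, registers the fortnightly task with the schtasks command above, and then checks the two things that matter for a task running with /rl highest: that the task exists, and that no standard user can overwrite the executable it launches. The download location in $Source is an assumption.

```powershell
# Added example (not from the original post). Assumes updates.exe (the renamed
# Ninite installer) was saved to the Downloads folder; adjust $Source as needed.
$Source   = "$env:USERPROFILE\Downloads\updates.exe"   # assumed download location
$Target   = "$env:SystemRoot\Tasks\updates.exe"        # c:\Windows\Tasks, as in the post
$TaskName = 'updates'

Copy-Item -Path $Source -Destination $Target -Force

# Same schtasks command as the post; /f overwrites a task of the same name.
schtasks /create /sc weekly /mo 2 /tn $TaskName /tr $Target /rl highest /f
if ($LASTEXITCODE -ne 0) { throw "schtasks /create failed with exit code $LASTEXITCODE" }

# Check 1: the task is registered (prints its full definition).
schtasks /query /tn $TaskName /fo list /v
if ($LASTEXITCODE -ne 0) { throw "task '$TaskName' was not created" }

# Check 2: only privileged principals may write to the binary. A task that runs
# with highest privileges from a file that ordinary users can modify would let
# any local user replace the code it runs, so fail loudly if the ACL allows that.
$Acl      = Get-Acl -Path $Target
$LowPriv  = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
              'Everyone', 'NT AUTHORITY\INTERACTIVE')
$WriteBit = [System.Security.AccessControl.FileSystemRights]::Write -bor `
            [System.Security.AccessControl.FileSystemRights]::Modify -bor `
            [System.Security.AccessControl.FileSystemRights]::FullControl
$Bad = $Acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $LowPriv -contains $_.IdentityReference.Value -and
    ($_.FileSystemRights -band $WriteBit) -ne 0
}
if ($Bad) {
    $Bad | Format-Table IdentityReference, FileSystemRights -AutoSize
    throw "$Target is writable by a non-administrator; tighten its ACL before relying on this task"
}
"Task '$TaskName' registered; $Target is not writable by standard users."
```

Run it from an elevated PowerShell prompt; the account names in $LowPriv are the English well-known names and differ on localized installs.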

Finally, Secunia's Personal Software Inspector (PSI) supports auto-updates for many products as well.  You can get the install from here and, just like Ninite, it's free for personal use.  It is a great tool which can be used by your non-"computery" friends and family to see what software they need to update.  The dashboard is helpful and easy to understand.

I hope these methods equate to fewer OS installations next year and possibly fewer infected machines.