Questions about Metasploit Framework

[artart]

Hi guys, I am writing a graduation work at the university. Here is the main idea: I need to write a programm that will alow me to do attack modelling for IDS testing.

So, let's suppose, I know target OS, open ports and running services (by running nmap, for exaple).

Now I'd like to filter exploits (by ports, OS, etc) from Metasploit, that I might use. But I don't know how to do this.

Can I make a request to postgresql DB, or exploits don't store there? Or should I use msfconsole instead?

I need to write a programm, that would do this automatically taking as input Nmap scan result. For example, in Armitage there is a function Find Atacks. It does what I want, but I need to write something similar by myself.

Next step is splitting these exploits by groups and building an attack tree or attack scenarios.

After that the programm should run exploits and define, whether they were successfull or not.

So, please, help me, if you know answer to one of my quistions. Maybe there is some API for Metasploit, for example for C or Java, it would be much easier to write such programm.

Thanks a lot.

[cooper]

The only real API for metasploit is the one you get when creating a module. Now, you could create your own auxiliary module that does what you want from within the Metasploit framework, however your requirements go way, way beyond what Metasploit can provide. You see, Metasploit doesn't have something that reliably defines a module as being a good fit for, say, an english Windows 7 SP1. It doesn't have something that reliably identifies a module as being appropriate for running against a DNS server. These and other traits that define the usage scenario of an exploit are described in plain text in the description of the module without any identifiable structure. It may say "For Windows XP, 7, 8, 8.1" or "For Windows server 2008 R2 but not Windows Server 2008". How do you intend to parse those texts reliably in such a way that you can identify from within your module that the other module is applicable? If you manage to do that, you've got another subject for graduation right there.

One thing you can do is look at the advanced search function of exploit-db.com which allows you to search for exploits using the data provided by an nmap scan. Problem here is that you get exploit code, which can be in any language from Python to perl to shellscript to asm. You need to almost always modify this code to provide, say, a sensible payload.

Finally, the whole point of Metasploit modules is to be undetectable. To quote the wiki page on writing a Metasploit exploit:

Stealth is usually an important element to think about. Can your exploit achieve code execution without dropping a file? Can the input look more random so it's more difficult to detect? How about obfuscation? Is it generating unnecessary traffic? Can it be more stable without crashing the system so much, etc, etc.

I'm sure your IDS will start tripping like a hippie with In A Gadda Da Vida by Iron Butterfly on repeat, but it probably only has very limited use in the real world.

Also, I might have gotten my definitions wrong, but an attack has absolutely *NOTHING* to do with an exploit. If a new service appears on a machine - let's say your friendly vendor has dreamt up a new service to be run on a machine that needs to have a port exposed to the outside world - does that mean you can't include it in your attack modelling because no exploit was made for it just yet?

What I think you(r program) need(s) to do is know about where on the network the assets are, possibly with a means of qualifying their criticality, find out by what means what part of the network can access those assets (only machine A is authorized to connect during working hours) and how exposed the machines on that part of the network are. Basically, work out the path to the assets, find out what an attacker needs to do to reach specific points and work on preventing this.

Example:

If only Erica from Accounting is allowed into the Payroll system from her own machine during her working hours +/- 1 hour, which is only mondays 9-5, wednesday 9-1 and fridays 9-5, try to get the firewall in front of the payroll machine to at the very least flag accesses to the Payroll machine outside those times or from other systems which have no business accessing it in the first place. Erica is an otherwise normal employee, so she has an email account. You probably can't prevent her from receiving email on that specific machine so this is a way into your network and onto the Payroll system. You can mitigate it to some degree by being more paranoid about emails sent to Erica. You might choose to configure her mail client to be considerably more strict about how it treats email, blocking all attachments while the rest of the staff can receive email regularly, even though the mailserver naturally does some sanitation on them. Since her machine is the only one that can access this vital resource, it is itself hardened and firewalled, preventing people on her network segment from hacking her box and using it as a pivot point toward the Payroll system.

And so on and so forth. That's how I view Attack Modelling. I may be way, WAY off in this (I'm a dev, not a pentester) so anybody feel free to correct me. But assuming I'm right, what use is there in flinging a bunch of exploits against a box and trying to figure out if it stuck?

[digip]

You can use the console for all of this, but for an easy visualization of exploits by category and groupings, armitage works great to drill down visually per OS, exploit type, etc. As for writing your own exploit code,you'll be on your own but for starters and any help in using metasploit, check out MSFU - http://www.offensive-security.com/metasploit-unleashed/Main_Page

[artart]

Cooper, thank you for such detailed answer. You cleared my mind. But I have a few more questions. If I still want to write a programm that would communicate with metasploit (for example run exploits), I should write a module? And don't you know, how Find Attacks function works in Armitage? Also, I have a thought about using a potgresql db (that is connected to Metasploit) for searching right exploits. Or there aren't any exploits, only records about hosts, ports, etc?

[cooper]

You're welcome.

I think that's your best option as I couldn't quickly find an external API to Metasploit and strictly speaking I can't imagine a good reason for a _framework_ to provide an external API.

No, I don't - as I said, I'm a dev, not a pentester.

If Metasploit stores anything about its exploits in a db, it will be the information which those exploits themselves provide, which is just a description field. Or do you seriously expect someone to basically manually do inventory on the various versions of the various exploits on the system, ordering them by applicability to system type? Who would want to do that job and why? It'll be impossible to keep up to date because even the simple concept of 'target system type' has so many variations it boggles the mind. Bottom line, whatever they store in the DB, it won't be of that much use to you in this specific context at least.