Is Metasploit Really Useless ?

[EmaPat]

Hi to everyone,

This is a long time when HD MOORE has invented this stuff and everyone is scare regarding its server security, youtube is full of thousands of videos showing peoples making exploits running on computers, then the shell pop out and hope I have access to the system, but do you know that metasploit is the last thing to think about to make a real remote exploit ?

Metasploit and SET "Social Engineer Toolkit" are useless below is the reasons :

First of all, the goal of a real and smart attack is not destroying a system but instead get users credentials from the server, ask just yourself this question : What are you going to win if you just destroy e.g. google servers ? Instead it is better to leave the server working fine and steal credentials of some users for later use no ?

All successful Metasploit and SET attacks that steal credentials e.g. sniffing ssl traffic and decrypt it are almost local !!! But who sniff, attack or catch creds of his own network ? Those attacks are just STUPID. Maybe they will be useful for an agent who is managing a corporate server and wants to steal creds of this corporation for later use but this is very far for being useful to 99.999% of the rest of the world.

Lately, People are talking about Browser Web attacks and a revolution of exploitation, I want to know just what thos people are talking about ??? If you succeed to clone any website in the world ~~YAY I am a Hero~~ into something like 192.168.1.7:8081 but who care about your link ? ~~Shut up you are a complete idiot not a hero at all~~ because if you want this attack to succeed than you should give this link to the victim to click on it. And I am just talking about myself, I have never got such links from someone neither clicked on it.

All that to said that there is no single exploit that can create a shell to the victim machine if this one browse directly to the website "I mean here without clicking any abnormal link" we wants to steal credentials from it. Of course this exploit doesn't exist yet not because Google is strong, but because it can't be done for almost any website online. It is not a server security issue but rather it is network topology issue that makes it impossible for those tools even for normal configured servers.

So you still believe that Metasploit & Social Engineer toolkit can do something really useful for you ?

[bobbyb1980]

Haha I've been where you are brother, spending day after day trying to get shells and nothing, huh? Metasploit has many real world applications and there are several modules and servers and various other techniques employed by metasploit that many people around the world use everyday for exploitation purposes. It's not just about "taking credentials from servers". While that is one of the many objectives, there are a million other uses that come into play. Just remember that most attacks you try will not work, metasploit or not, but when you find that one that does work, it is going to work very well.

We could give you many examples and spoon feed you info but each hacker must forge their own path to the Gods, it's what separates us from the others : )

Go try the java applet attack then repeat what you just told us.

P.S - Try harder.

[digininja]

Have you ever done any penetration testing in the real world? Almost every time on an internal network test I'll use metasploit and my intention is never to destroy a machine or network.

For stealing credentials I would usually use the hashdump built in to msf then bring the hashes back to my machine to crack them. Admin passwords tend to be reused across entire networks so once you have a local admin password you can usually get access to most machines of the same class as you exploited (desktop, server etc).

To move up to domain access incognito makes token impersonation really simple, wander around the machines you have access to till you find a domain admin token, impersonate it and bump yourself up to domain admin. If DA is your goal then game over.

As for spoofing websites, clone the target, lace it with exploits then use phishing to get your client to visit it, as it looks like their own site, or one they would expect to see, they aren't suspicious. SET sets these type of things up really well and easily.

Not sure what you mean in your second to last paragraph but getting users to click on links you send them is usually fairly simple as long as you do your research and send the right kind of email.

Bottom line, MSF and SET are both very useful tools that me and my team use every day and wouldn't be without. We could do tests without them but why make it hard for yourself when others have done all the hard work in setting up such great frameworks?

[EmaPat]

It is nice to see so many people said GAME OVER once they got System Admin privileges. For servers attack and after getting SYS privs than there is nothing to do better than getting server databases into your computer do you ? Their are stored all users credentials but in hash ways so you still need to make some effort to revert it back to plain text. Strangely no body has writing a module to dump databases ORACLE, MSSQL and then download them with the known download tool in meterpreter.

[digininja]

Do you mean like my metasploit interesting data finder? http://www.digininja.org/metasploit/mssql_idf.php

And as I said, if DA is your goal then it is game over, it all depends on what your objectives are.

[Mr-Protocol]

The purpose of a pen test is to see how far you can go without disturbing actual uptime of servers. Pen testers (good ones) will actually avoid a known working exploit if it runs the risk of crashing a service.

As for stored hashed credentials you should look into what pure_hate_ and the oclhashcat team do ;). Also there was a good talk by Irongeek on such topics as well.

Also in regards to S.E.T. I find it a very useful tool. Instead of finding some 0day to get a foothold, just get their helpdesk or some new guy to click a link. Instant pivot point with 99% success rate. Hell even Kevin Mitnick uses it when he does pen testing.

[digininja]

I've sat in a few car parks outside clients offices calling people whose names I've found on linkedin trying to get them to visit URLs or to click links in emails I send them. Good fun when you know that if they do click it it can lead to you actually getting into the building as part of a physical test.

[EmaPat]

Harming or damaging servers wasn't by any way my goal and I have never do it against any server right now even if it is easiest in comparison to harvest credentials from database, just a tiny script can damage a server with dos but hard work is needed to gain access to sensitive info into databases. Tha is why I agree that a real pentest or hacker will never do something harmful to the server but a good behavior is after the attack everything will looks just normal as if nothing has be done ever.

I appreciate your tool for getting MSSQL creds. This the kind of tools I am talking about. Unfortunately there is no such tool available for other databases such oracle & mssql but before assuming your tool work for any situation please let me test it first and this require me some time of course. I am open to test any tools that grab users credentials from tables but give me some time to test them or at least get a look to their docs to see how well they can perform pentests. Don't hesitates to give further tools that grabs interesting data from database neither here or you can send it to email joashjohn alt rocketmail dot com

[TheKingUnderTheHill]

Metasploit can be used quite effectively in the real world, it simply depends

on who the attacker is, one of the biggest aspects of it is Social Engineering,

if the playing field doesnt work in your favour, then chance the targets perspective

anyone can be tricked into allowing an exploit into their system, its just that idiots

are fooled easier than most.

I know many Skiddies who use rubbish VB GUI tools and trial versions of software, yet

still get the results they want, a good social engineer will be able to get an exploit anywhere.

As a great man once said "You cant get a System Patch for Stupidity" ;)