Security

Point, Click, Root. 216

An anonymous reader writes "The Metasploit Project just released version 2.2 of the Metasploit Framework. This release includes a VNC server payload that can be used with almost any of the Windows exploits. The scary thing about this payload is that the VNC server executes as a new thread in the exploited process, without writing any files to the disk drive. Is this the end as we know it for simple remote command shell exploits? A couple of articles have already mentioned this project."
  • by Anonymous Coward on Thursday August 12, 2004 @12:37PM (#9950126)
    Here [slashdot.org]
  • by Osrin ( 599427 ) * on Thursday August 12, 2004 @12:37PM (#9950135) Homepage
    ... stated that they're not paying any attention to this.

    hummmm... that helps.
  • by BJZQ8 ( 644168 ) on Thursday August 12, 2004 @12:39PM (#9950152) Homepage Journal
    What a sad day when even taking over someone's machine can be done point-and-click style. Seemed so much more personal when you just had a remote shell.
    • by halivar ( 535827 ) <.bfelger. .at. .gmail.com.> on Thursday August 12, 2004 @12:44PM (#9950231)
      Well, it's just another result of how the GUI has dumbed down tech culture. Now not even the *crackers* can be bothered with CLI.

      What n00bs.
    • by lukewarmfusion ( 726141 ) on Thursday August 12, 2004 @12:46PM (#9950260) Homepage Journal
      Yeah, nothing like the friendly, warm command line to help guide you through tough times.

      Don't look at me - I post to Slashdot through a command line.
    • Re:Nothing that... (Score:4, Interesting)

      by Maestro4k ( 707634 ) on Thursday August 12, 2004 @12:52PM (#9950332) Journal
      • What a sad day when even taking over someone's machine can be done point-and-click style. Seemed so much more personal when you just had a remote shell.
      Those days have been gone for a while, script kiddies routinely point n' click to take over machines. They might have to *gasp* type something in an IRC channel to control their zombies but it's all highly idiot-proof. (Which is good I suppose since most script kiddies seem to be idiots.)
    • by uberdave ( 526529 ) on Thursday August 12, 2004 @04:32PM (#9953007) Homepage
      Back in the days of yore, my brother and his friends used to take pride in knowing a wide variety of tools and techniques for opening beer bottles. Then along came the twist off beer bottle cap, and my brother was heard to say: "Crap, now any idiot can open a beer.".

      It happens to all of us, our hard won skills, honed to perfection over years of use, the knowledge and techniques that make us special and separate us from the common man, get packaged into a user friendly, idiot proof tool. It's called progress.
  • by Anonymous Coward on Thursday August 12, 2004 @12:40PM (#9950164)
    The cool thing about the VNC payload is that it works if the machine is not logged in, or if the screen is locked.
    • The cool thing about the VNC payload is that it works if the machine is not logged in, or if the screen is locked.

      Parent has a good point, how often do you leave your servers logged in? Could be fun for unsuspecting people at their workstations, though. I can see it now, the calls coming in "OMG MY MOUSE IS TEH MOVING....HAXORS IN TEH MY pC!!11".

      Sigh. Never a dull moment in IT.
      • by nine-times ( 778537 ) <nine.times@gmail.com> on Thursday August 12, 2004 @12:51PM (#9950323) Homepage
        Parent has a good point, how often do you leave your servers logged in?

        On the other hand, hackers can VNC in and watch what you do without you knowing they're connected. Or while you're trying to type your password to log in, they could just keep typing a letter or two, thereby keeping you from logging in.

        • On the other hand, hackers can VNC in and watch what you do without you knowing they're connected.

          Last time I ran a VNC server on a windows desktop machine it used enough CPU time whenever anyone was connected for me to be aware it was happening. Unless this problem has been fixed, I wouldn't worry about not realizing it has happened.
      • Since VNC is based on graphic updates and mouse clicks, a locked machine is actually safe from a VNC "hacker". The hacker would only see the Windows locked workstation screen (not very exciting). Perhaps the payload could be used to catch login keystrokes, but I doubt Windows makes it possible to receive keystroke events during a login/unlock-workstation screen. If doing so is possible, it's a huge security flaw in Windows.
    • by Ytsejam-03 ( 720340 ) on Thursday August 12, 2004 @01:44PM (#9951020)
      The cool thing about the VNC payload is that it works if the machine is not logged in, or if the screen is locked.
      So does anything else that exploits a service running as LocalSystem. As long as the service is running, it does not matter whether the workstation is locked or not logged in.

      I assume you're saying this because you saw the screen shot linked in the summary. Notice that it says "System" at the top of the start menu. This is not the user's desktop, and you won't get to see the user's running apps. You'll have to exploit something running in the user's session to do that.

      This won't let you do anything that you could not already have done by installing, say, netcat with the same exploit.
  • by 192939495969798999 ( 58312 ) <info AT devinmoore DOT com> on Thursday August 12, 2004 @12:41PM (#9950181) Homepage Journal
    Microsoft should just post a big list of hacked machines, and turn everything wide open. After the script kiddie deluge is done, then we all go "phew! Wasn't that fun!" and go buy something else.
  • by Rosco P. Coltrane ( 209368 ) on Thursday August 12, 2004 @12:41PM (#9950185)
    ... is a preview of the site's front page in a few days [202.183.214.217], courtesy of your friends at dhs.gov [dhs.gov].
  • Umm... (Score:5, Interesting)

    by Trolling4Dollars ( 627073 ) on Thursday August 12, 2004 @12:42PM (#9950189) Journal
    How does something start off as a "portable network game" and end up as a f*cking remote GUI root?
  • by mr_z_beeblebrox ( 591077 ) on Thursday August 12, 2004 @12:43PM (#9950214) Journal
    I was seriously getting bummed by the low quality of today's script kiddie exploits. With the Metasploit project, finally real security-minded people, tinkerers (hackers) and just plain good programmers can have a common place to post their hard-won knowledge for "1337" kids online to use.
  • by wanerious ( 712877 ) on Thursday August 12, 2004 @12:44PM (#9950228) Homepage
    ...now this is a subject line you can get on board with.
  • Whoah (Score:3, Funny)

    by scooviduvoctagon ( 801935 ) on Thursday August 12, 2004 @12:45PM (#9950239)
    Imagine a DMCA cluster of these!
  • by JAD lifter ( 778578 ) on Thursday August 12, 2004 @12:45PM (#9950245)
    There is no reason to include a VNC server payload like this. Those legitimate security professionals who use Metasploit for pen testing should have the skills to create their own VNC payload, if they actually have a use for it. To include it ready made, point and click, easy to use like this just makes it that much easier for the script kiddiots out there.

    I am not against full disclosure or the dissemination of security tools; I just happen to think that for every one security pro who uses this tool for good there will be a hundred script kiddies who use it for causing havoc. Rather than make life easier for the good guys this will just make it that much more difficult.
    • by winkydink ( 650484 ) * <sv.dude@gmail.com> on Thursday August 12, 2004 @12:54PM (#9950354) Homepage Journal
      You could say the same thing about virtually any cracking tool out there. Your logic ultimately falls back to "security through obscurity". To use a medical analogy, this never cures the disease, it only delays the onset of symptoms.
      • To use a medical analogy, this never cures the disease, it only delays the onset of symptoms.

        A medical analogy is actually very apt for security.

        Obscurity is a good first line of defense--comparable to keeping away from sick people--but it can and will be compromised, and more rigorous plans must accompany it.
    • by Wakko Warner ( 324 ) * on Thursday August 12, 2004 @02:22PM (#9951438) Homepage Journal
      I am not against full disclosure or the dissemination of security tools; I just happen to think that for every one security pro who uses this tool for good there will be a hundred script kiddies who use it for causing havoc.

      There are already plenty of tools out there for that, with more being created every day. I for one am fed up with people who complain every single time something like this, which makes my life easier since I don't have to do any actual work to test out the machines on my network, is introduced.

      Isn't it better to discover, identify, and eliminate the weaknesses in one's network rather than wait for someone less trustworthy to discover, identify, and exploit them without your permission? Isn't that what software like this can help us accomplish?

      There's no stopping software like this. More and better software is being created all the time, and some of it can indeed be used by bad people to do bad things. Rather than complain and fret about the potential evil uses to which it can be put, the sensible person would welcome it as yet another useful tool in their security arsenal.

      Did you also whine about "nmap"?

      - A.P.
  • by grakwell ( 571986 ) on Thursday August 12, 2004 @12:46PM (#9950254)
    I have recently obtained a patent on One-Click Cracking.

    Our lawyers will be getting in touch with the MetaSploit group to discuss licensing options.

    Thank you,
    Jeff Bezos
    Founder and CEO
    amazon.com
  • by GillBates0 ( 664202 ) on Thursday August 12, 2004 @12:46PM (#9950256) Homepage Journal
    P01NT CL1CK W00T!
  • by Anonymous Coward on Thursday August 12, 2004 @12:46PM (#9950262)
    Has Microsoft released a timeline of when this toolkit will be integrated into VS.NET 2003?
  • by TommydCat ( 791543 ) on Thursday August 12, 2004 @12:48PM (#9950282) Homepage
    Congratulations adventurer!
    Your quest is at an end for you have reached the root of NetHack.
    Within, the Wizard of MS RAS has no power, the Oracle 8i speaks with utmost clarity, and the stack overflow bugs do not bite.
    • In case you seriously think Kerry will install someone better than Ashcroft, this should be an interesting read. Keep in mind that Kerry authored several sections of the Patriot Act.

      http://www.reason.com/hod/jb072604.shtml

      If you don't feel like reading, here's some highlights:

      This isn't the first time Kerry and Ashcroft have been at odds over civil liberties. In the 1990s, government proposals to restrict encryption inspired a national debate. Then as now, the American Civil Liberties Union (ACLU) and e
  • We are starting to see tools that really show what can be done out there in the wild... :)
  • Nasty. (Score:5, Insightful)

    by genixia ( 220387 ) on Thursday August 12, 2004 @12:50PM (#9950304)
    Ugh. This is going to be really popular with the script kiddies. I have to (grudgingly) admit that this is quite elegant though.

    I wonder if running your own (password-protected) vncserver will be any protection against this. I guess it depends on whether the payloaded vncserver can have its port changed or whether it is stuck with the default.

    If it can be changed then this is going to be very nasty. You couldn't even simply firewall all the vnc ports any more as the kiddie could configure the server to run on an unprivileged port. I suppose that SYN flag checking or using a connection-stateful firewall should protect against this.

    Yuck.

    • Re:Nasty. (Score:3, Interesting)

      by peacefinder ( 469349 ) *
      I imagine the exploit could include a VNC password change attempt. It would presumably only work on machines with a currently-logged-in admin user, but that's just the sort of thing a blackhat wants to find, no? It would be tamper-evident, at least.

      I agree: Yuck.
      • Re:Nasty. (Score:4, Insightful)

        by Firehawke ( 50498 ) on Thursday August 12, 2004 @01:20PM (#9950689) Journal
        Well, if that screenshot is any indication, it's running as System.. you wouldn't even have to have a logged-in Admin. You've got kernel-level access to the machine from that VNC.

        That doesn't answer whether it'd change ports if an existing VNC is there, but nevertheless, it looks like a particularly nasty and hard-to-track rootkit.
    • Re:Nasty. (Score:5, Informative)

      by Maradine ( 194191 ) * on Thursday August 12, 2004 @01:29PM (#9950806) Homepage
      I wonder if running your own (password-protected) vncserver will be any protection against this.

      Negative. One of the r-parameters you throw back (depending on whether you do a direct inject or a reverse tunnel inject) is what port the daemon is listening on. Keep in mind, you're not adding a VNC service or using an existing one, you're injecting the code into running memory. It will run even if there's another one hanging out on the system. Hell, it even bypasses the GINA.

      One of the things we haven't done over here is test it while another remote user is actively VNC-ing the box. That would be interesting.

      Also, keep in mind that VNC injection is only one of many payloads, and in my opinion, not nearly the most useful (but definitely the most fun).
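The two points above (an injected server can be told to listen on any port, so filtering TCP/5900 proves nothing) suggest fingerprinting the protocol rather than the port. The following is an added example, not code from the original thread or from the Metasploit project: a probe that reads the 12-byte RFB ProtocolVersion banner every VNC server sends on connect, answers it, and reports which authentication types the server offers. The fake in-process listeners it talks to are constructed stand-ins for this example; the only protocol facts assumed are the public RFB handshake (version banner, then a security-type list for 3.7+ or a single big-endian u32 type for 3.3).

```python
"""Fingerprint an RFB (VNC) listener on an arbitrary port (added example)."""
import re
import socket
import socketserver
import struct
import threading

# Every RFB server opens with exactly 12 bytes, e.g. b"RFB 003.008\n".
BANNER_RE = re.compile(rb"^RFB (\d{3})\.(\d{3})\n$")
SECURITY_TYPES = {0: "invalid", 1: "none", 2: "vnc-auth"}


def recv_exact(sock, n):
    """Read exactly n bytes or raise; partial reads are normal on TCP."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during handshake")
        buf += chunk
    return buf


def probe_rfb(host, port, timeout=3.0):
    """Return None if the listener is not RFB, else version and offered auth types."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = recv_exact(s, 12)
        m = BANNER_RE.match(banner)
        if not m:
            return None
        major, minor = int(m.group(1)), int(m.group(2))
        # Echo the server's own version back so it proceeds to the security phase.
        s.sendall(banner)
        if (major, minor) >= (3, 7):
            count = recv_exact(s, 1)[0]          # u8 number-of-security-types
            types = list(recv_exact(s, count)) if count else []
        else:
            types = [struct.unpack("!I", recv_exact(s, 4))[0]]  # RFB 3.3: one u32
        return {
            "version": f"{major}.{minor}",
            "security_types": [SECURITY_TYPES.get(t, f"type-{t}") for t in types],
            "unauthenticated": 1 in types,       # type 1 = None: no password at all
        }


class FakeRfb38Handler(socketserver.BaseRequestHandler):
    """Constructed stand-in for a VNC listener; speaks just enough RFB 3.8."""
    def handle(self):
        self.request.sendall(b"RFB 003.008\n")
        recv_exact(self.request, 12)                # client's version reply
        self.request.sendall(bytes([2, 1, 2]))      # offers None and VNC auth


class FakeNotRfbHandler(socketserver.BaseRequestHandler):
    """Constructed stand-in for some other service on the same port range."""
    def handle(self):
        self.request.sendall(b"SSH-2.0-constructed-sample\r\n")


def start_fake_server(handler):
    """Bind a throwaway listener on 127.0.0.1 (port chosen by the OS)."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def stop_fake_server(srv):
    srv.shutdown()
    srv.server_close()


if __name__ == "__main__":
    for handler in (FakeRfb38Handler, FakeNotRfbHandler):
        srv = start_fake_server(handler)
        print(handler.__name__, "->", probe_rfb("127.0.0.1", srv.server_address[1]))
        stop_fake_server(srv)
```

Point probe_rfb at every listening port on a host you are auditing, not just 5900; a hit with "none" in security_types is an unauthenticated desktop, which is exactly what an injected server would look like.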
  • What a cool tool (Score:5, Interesting)

    by ikeleib ( 125180 ) on Thursday August 12, 2004 @12:50PM (#9950305) Homepage
    For all the whining about how this makes it so easy for script kiddies, consider that it also makes it so easy for admins who are not in tune with the latest script kiddy 'sploits. This allows them to quickly test their networks in click-n-drool fashion. This can be a very useful tool.
    • by stratjakt ( 596332 )
      What does the VNC server payload have to do with using the tool to test your machines?

      A simple true/false (exploited/not exploited) is all an admin needs to know. Break it down to which specific exploit worked.

      This is just backorifice/subseven revisited.
      • The admin could use the VNC server to install a patch to close the vulnerability.

        Checking for exploits and fixing them could be done as part of one operation.

        Thus making things easier for the admins.

        • That's some flawed logic. Odds are the admin already has the means to login via Remote Desktop (or some other means). That's like saying: I'm testing my car's bumper by driving 100mph directly into the wall of my mechanic. If I get through the wall, the mechanic can fix it.
  • by burgburgburg ( 574866 ) <splisken06&email,com> on Thursday August 12, 2004 @12:50PM (#9950306)
    visually impaired black hat hackers, we resent that this program is not designed for wider access. It's just another example of the systematic discrimination that we face as we try to gain root and own you all. We will eventually succeed. And when we do, we'll make all web pages look like bad!
  • by Anonymous Coward on Thursday August 12, 2004 @12:51PM (#9950321)
    that anybody running VNC servers (or any remote access software) should have in place good firewalls and a good quality VPN requiring strong authentication.
  • by liquidsin ( 398151 ) on Thursday August 12, 2004 @12:55PM (#9950370) Homepage
    cuz, like, lurning all thoze command line thingz wuz totally hard, this wil maek me s0 much m0re 1337!!!!!!!one I totale r0x0rz n0w!!!!LOLOL
  • by BRSloth ( 578824 ) <julioNO@SPAMjuliobiason.net> on Thursday August 12, 2004 @12:57PM (#9950407) Homepage Journal
    Can you guys stop slashdoting the site? I want to download it just to show some co-workers a little "surprise"...
  • by James Turpin ( 789479 ) on Thursday August 12, 2004 @12:58PM (#9950431)
    ... to make security experts more valuable by making security vulnerabilities easier to exploit.
  • by Animats ( 122034 ) on Thursday August 12, 2004 @01:02PM (#9950478) Homepage
    Now, at long last, hacking tools have caught up with the movie versions. Point and click at last. The attack even shows up on the attacked PC on screen! With windows opening and mouse movement, even. Watch for this tool showing up in a movie within a year.

    Incidentally, note that this isn't a hole in VNC. It's an attack that installs VNC. VNC doesn't have to be present on the target before the attack.

  • Great! (Score:4, Insightful)

    by Mysticalfruit ( 533341 ) on Thursday August 12, 2004 @01:11PM (#9950584) Homepage Journal
    So instead of a script kiddie, we're going to now have "click kiddie"...

    "I'm so l33t, I don't 3v3n type!"
  • I can't seem to be able to reach the site. Does this run on the root display like VNC and PCAnywhere normally do under Windows or does it create a new display. It doesn't seem as useful except for as a prank if the user sees you take over the machine. So if this is able to create a new display then this is what I've been looking for. It would potentially allow me to run multiple sessions under Windows which is something I've been wanting to do but couldn't afford. Citrix or the server edition of Win4Li
    • by Anonymous Coward
      There is a limitation in the Win32 desktop API that only allows one desktop to be the 'input desktop'. While many services create a hidden desktop/windowstation to run in, it is not possible to read the 'screen' of this desktop or send input to it. Presumably this was a conscious decision to prevent competition in the terminal services licensing department...
  • by Anonymous Coward
    Tools like this are GREAT at demonstrating the need for greater security at board meetings, or initial consultations as a security consultant. Nothing opens people's eyes to the need for mass patching of workstations or servers like breaking into a machine using a tool that a 4yo could use.

    Also, tools like this are good for exploit developers because they can stop spending their time creating a vaguely usable interface for their proofs of concept and find more holes to get fixed.
  • Is this the end as we know it for simple remote command shell exploits?

    No, it's not. First there is the issue of bandwidth, but even more compelling is the "leetness" of the options. The CLI will always appeal to the more dangerous crackers - and those that imitate them.
  • This kit allows quick remote access to a Windows system, without the need to preconfigure anything on the far side beforehand.
    The best thing is that it allows you to use SYSTEM, which has higher privilege than ADMINISTRATOR.

    Windows admins are gonna love this damn thing.
  • by maximilln ( 654768 ) on Thursday August 12, 2004 @01:27PM (#9950778) Homepage Journal
    Has the /. community been hiding in a dark cave someplace? Back Orifice, Netbus, and Sub7 were all available YEARS ago. All three offered graphical user interfaces which allowed the exploiter to launch programs, change text, take screenshots, and many other wonderful functions (in the case of Back Orifice there was even a plugin system called Butt-Plugs). As time has passed Netbus has even become a commercial remote administration tool. The only thing that was required was a little knowledge of a network exploit which allowed the execution of remote code. In many cases it wasn't that difficult to come by. In other cases it was easy enough, especially in the early years, to send an e-card to someone. In the beginning, if any of you remember, e-cards were often self-contained .exe files and it wasn't that uncommon to receive an .exe e-card. Additionally many people who were studying computer science would write cute nifty little programs for their girl/boyfriends/family members.

    So what's so bad about metasploit? It does little more than automate the installer for a concept which isn't new. If anything the public may start to see the real value of those of us who have been labeled as paranoid freaks for the last 10 years. This is the dawn of an age when the computer security expert may begin to receive the respect that we deserve. Previously we had been pooh-poohed by the general public aided in their derision by self-important sysadmins with the personality characteristics of the Simpsons' comic [doheth.co.uk] book [billbam.com] guy [freshmeat.net].
    • by Anonymous Coward
      yeah but obviously u haven't RTFA'ed cause then you would know how much better VNC server as A PAYLOAD is than some of these other tools that you've mentioned...the metasploit VNC payload WILL NOT create a new process and WILL NOT touch the disk at all, it doesn't simply "automate the installer".

      If you own a box and put Netbus on it any forensics monkey can figure out what was going on. With metasploit framework they'll be totally useless...time to find a new job forensics guys!

      Oh and if people think you
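The reply above argues that because the payload never creates a process or touches the disk, forensics has nothing to find. The caveat a practitioner would add is that injected code still has to sit in executable memory that no module on disk accounts for, and memory forensics looks for exactly that: executable regions that are private/anonymous rather than image-backed, or whose backing file has been removed. The following is an added example, not code from the thread or from Metasploit. It applies that heuristic to the Linux /proc/<pid>/maps format because that can be parsed with nothing but the standard library; the equivalent on Windows walks VirtualQueryEx regions and flags executable pages of type MEM_PRIVATE. The map listing is a constructed sample, not output from a real process, and the paths in it are invented.

```python
"""Flag executable memory with no file behind it (added example)."""
import re

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"[0-9a-f]+\s+\S+\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

# Kernel-provided executable mappings that are anonymous by design.
KERNEL_REGIONS = {"[vdso]", "[vsyscall]"}

# Constructed sample (invented paths): a normal text segment, libc, heap, stack,
# an anonymous RWX region (what injected code looks like), and code backed by a
# file that was unlinked after it was mapped.
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:01 1311 /usr/sbin/sample-service
01a2c000-01a4d000 rw-p 00000000 00:00 0 [heap]
7f3a1c000000-7f3a1c1b5000 r-xp 00000000 08:01 2206 /lib/x86_64-linux-gnu/libc.so.6
7f3a1d000000-7f3a1d010000 rwxp 00000000 00:00 0
7f3a1e000000-7f3a1e020000 r-xp 00000000 08:01 9912 /tmp/.x (deleted)
7ffd5e6a0000-7ffd5e6c1000 rw-p 00000000 00:00 0 [stack]
7ffd5e7f0000-7ffd5e7f2000 r-xp 00000000 00:00 0 [vdso]
"""


def parse_maps(text):
    """Turn maps-format text into a list of region dicts; skip unparseable lines."""
    regions = []
    for line in text.splitlines():
        m = MAPS_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        regions.append({
            "start": int(d["start"], 16),
            "end": int(d["end"], 16),
            "perms": d["perms"],
            "inode": int(d["inode"]),
            "path": d["path"].strip(),
        })
    return regions


def suspicious_regions(regions):
    """Executable regions that are anonymous (inode 0, not kernel-provided)
    or whose backing file has been unlinked. Returns (start, size, reason)."""
    hits = []
    for r in regions:
        if "x" not in r["perms"]:
            continue
        anonymous = r["inode"] == 0 and r["path"] not in KERNEL_REGIONS
        deleted = r["path"].endswith("(deleted)")
        if anonymous:
            reason = "rwx anonymous" if "w" in r["perms"] else "anonymous executable"
        elif deleted:
            reason = "backing file unlinked"
        else:
            continue
        hits.append((hex(r["start"]), r["end"] - r["start"], reason))
    return hits


if __name__ == "__main__":
    for start, size, reason in suspicious_regions(parse_maps(SAMPLE_MAPS)):
        print(f"{start} {size:#x} {reason}")
```

The heuristic is a starting point, not a verdict: JIT engines and some packers legitimately produce anonymous executable memory, so the next step is to dump the flagged region and check whether it contains an RFB banner, a PE header, or a thread start address, rather than to alert on the region alone.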
  • by maximilln ( 654768 ) on Thursday August 12, 2004 @01:45PM (#9951038) Homepage Journal
    Will the -devel branch of metasploit become the central hub for 0-day exploits?

    Metasploit stable : This branch has only been tested to work on unpatched machines.

    Metasploit -dev ($49.95 membership and password required): This branch has been tested to work against fully up to date and patched machines.

    That'd be | |_|63r-|337
  • by Fuzzums ( 250400 ) on Thursday August 12, 2004 @01:46PM (#9951053) Homepage
    I think I'll incorporate this project in my spam-filter to execute a remote shut-down after receiving the first spam. After a 2nd spam I'll think of a more permanent way to opt-out. ;)
  • I'm a bit confused here... this is my first time seeing this and I'm very interested, but looking at the docs, there's only 34 exploits?

    Where are all of the windows and old linux kernel exploits? What exactly is this program going after? I'd think there'd be tons of other exploits, like how the Sasser virus gets into Win2k/XP and stuff.

    Or is this really a more childish project that finds one hole, inserts VNC, and lets you do whatever you want to it without testing all of those holes...?

  • All? "This release includes the DLL injection payloads (VNC)" isn't very helpful and the documentation doesn't seem to mention anything. Anyone? Bueller?
  • what we need now is a root kit which installs a remote shell on the machine of the person rooting, and then sends off a snippet of information to a central authority (FBI? vigilante forces?) who would then use the information to take these fools out.

    or, I could see a rootkit maker integrate something like this and then use it to gain access to all the zombied machines of the people that employed the rootkit... that would likely be bad.
