Metasploit/Armitage vs. WinXP

Kali Linux 1.0.5 x86-64 with Metasploit and Armitage

vs.

Windows XP SP2, no additional updates, various firewall and antivirus software setups plus the latest Firefox

Attacks are via the LNK and Aurora exploits.

---

Panda Cloud AV
- Blocks the LNK attack. Does it the cheap way though, by recognizing the DLL as a known bad one.
- Doesn't block the Aurora exploit (go figure).
- Panda GUI can be killed. Fortunately that doesn't prevent it from working; however...
- It doesn't prevent migration to other processes, including migration to Panda's own service! Ouch. I don't think I should even be able to do that, since Panda runs as the SYSTEM user; but there is the evidence right in front of me.
- Keystrokes can easily be recorded, screenshots captures, etc.
- I can inject code into the AV's services. It doesn't see anything at all.

Conclusion: this product isn't worth it for free, and wouldn't be worth it if you were being payed to use it. Avoid.

PrivateFirewall:
- Very good against network attacks. Noticed all manner of scans, and prevented any from getting useful info (even OS version).
- Works against EXE payloads; my unsigned EXE was unable to run.
- Bad against everything else. Screenshots can be grabbed, files and processes tampered with, and keystrokes can be logged.[/url]
- As with Panda, code can be injected directly into the firewall service.

Conclusion: does what it says on the box, but that that doesn't count for much. Don't try this on a public wifi network, folks.

---

More coming soon!

 

Online Armor 7
- Blocks unknown EXEs, for whatever that is worth
- Fails to block the MS08-067 network attack the first time around. Instant admin privileges, yay. Does seem to block the attack subsequently but by then it's too late.
- Does not prevent migration and injection of code into OA processes.
- Does not prevent keylogging. Boo, hiss!
- Does not prevent code injection into any privileged process.

Edit: I've been informed below that OA requires at least SP3 to function properly. I will do further testing once I've upgraded the VM.

 

Sandboxie
- Blocks keylogging by sandboxed programs
- Blocks code injection into itself and into privileged processes
- Seems to block code injection into anything, actually
- Doesn't even allow screenshots to be taken

Conclusion: So far, Sandboxie is the only security software that can actually be said to work in any reasonable sense. It does what it says and does it well. Major kudos to Tzuk for being honest, and for writing something that isn't slopware.

 

Thank you for all this testing and posting the results, Gullible!

Are these products you're testing running on an administrative account or limited?

 

All the tests are run as an admin. I may do some later as a limited user, but privilege elevation vulnerabilities are plentiful in XP - I doubt it will make much difference.

 

Thanks for the tests Gullible!
Are you planning to test this with latest OS like 7 or 8.1. If, so can you include ESS 7 to the mix.

Thanks,Harsha

 

Not really, I was basically trying to answer some of my questions about XP security in practice vs. theory.

(It's looking to me like practice and theory aren't too different, unfortunately.)

 

Very good, thanks!

 

GJ, could you also test Avast and Forticlient and let us know how they faired? TY

 

You are aware that Online Armor requires SP3 to run properly, right?

 

I wasn't; thanks, and my apologies. I will update my post to reflect that.

 

Also as a side note:

If you are using a virtual network with a private IP range (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) make sure you actually disable the "Trusted" option for the network interface under Firewall/Interfaces. Otherwise Online Armor will assume the traffic comes from a private network and is allowed to pass through without any actual filtering taking place.

 

Fabian: that must have been the problem. D'oh.

In retrospect, it strikes me that my methodology might not be very rigorous if there were large OS changes between SP2 and SP3. I think I will update to SP3 and then rerun all of my tests.

OTOH, I will point out that Sandboxie blocked everything on SP2, so it looks like some level of security is possible with SP2 if done right. The difference between Sandboxie and the other products is pretty stark.

Also I realize some of my statements are a bit inflamatory, considering that these tests apply only to security on XP (which we already know is a joke). Again, apologies for that. I'll try to maintain a more professional tone from here on.

 

That may be the best approach, I agree.

The approaches are different. You didn't explain your methodology very well, so I can't say anything for sure, but it seems you just run Metasploit, start an exploit module, hook it up to a payload and then use an application vulnerable to that exploit to access it and get exploited.

With sandboxes this will work fine because the basic threat model for a sandbox is that everything running inside the sandbox is untrusted, everything outside the sandbox however is trusted. For a HIPS it usually is the other way around. Everything is untrusted and is being monitored except the processes that the user marked as trusted. The problem arises when exploits come into play. If the application that is being exploited is trusted, it is essentially allowed to do anything it wants. This doesn't change when hostile code takes over control of the application through a vulnerability inside the application. So as long as you use a payload that is purely in-memory and doesn't involve executables that are dropped to the disk, it is unlikely that any HIPS or firewall would beep unless it has some kind of exploit prevention on board (most of them are extremely unreliable, you are better off with EMET in almost all cases).

That is also the reason why every firewall and HIPS vendor out there will stress the importance of updates to all his users, because once you trusted an application and the bad guys somehow gain control of such a trusted application, it is pretty much game over for you.

 

Can you test Comodo, AppGuard and DefenseWall, please?

 

Alright, here we go again with SP3...

Online Armor
- Gaining access through the Aurora exploit still works.
- Migrating to or injecting into processes running as the same user works, unless those processes belong to OA.
- Injecting into SYSTEM processes works, unless they belong to OA. Same with the getsystem function.
- Attempts to kill OA services do not work.
- Interestingly the Stuxnet kernel exploit does not work; it causes the VM to crash before it can complete.
- Keystrokes can be logged without any complaint from OA.
- Screenshots can be captured likewise.
- Once SYSTEM access is acquired, any executable can be launched without complaint from OA.

Since going from admin to SYSTEM is trivial, relying on OA with an admin account is probably not a good idea.

 

Hi, can you explain you methodology esp how you know that malware is able to take screenshots successfully, able to keylog and getting system control?

Thanks

 

Did you have to allow an .EXE installation to check keylogging and tamper protection? If so, what alerts, if any, did you get?

 

Methodology is to exploit IE, gain access to its memory space, and do most stuff from there. Keylogging uses Windows Explorer. Not sure about screenshots, that seems be doable from the compromised IE process.

This is all done through Metasploit, using the Armitage frontend. It is extremely simple to use. Metasploit comes preinstalled on Kali Linux.

No, I didn't allow anything to install, nor did I get any alerts. The only process that needs to spawn is Windows Explorer (for keylogging).

Metasploit basically does all this stuff automagically; the Armitage GUI requires only the most basic kind of skills to use. And keep in mind Metasploit is a (free) pentesting tool. Crooks and blackhats probably have access to more advanced stuff with better automation.

Edit: also remember I'm an amateur at this stuff. On the one hand, my methodology could probably be a lot more thorough... On the other hand, if I can do this stuff, so can any script kiddy.

 

Comodo Internet Security
- First off, this thing is totally unusable in paranoid mode. It spams popups on almost every mouse click. Safe mode is more usable, but doesn't give a peep when IE gets compromised.
- Keystrokes are recorded without complaint, screenshots likewise
- SYSTEM access is gotten easily, as with OA
- However, unlike OA, Comodo can deny launch of SYSTEM processes.
- In general Comodo is hard to disable. Even with SYSTEM privileges it refuses to die, or to permit injection or migration into privileged processes.

Overall much better, though still NG against keyloggers. Will look into this more later...

Edit: I really have to commend the Comodo devs... Whatever else can be said about CIS, so far it has resisted every attempt to run an EXE payload. I can log user activity, tamper with files, inject code into services, and generally wreak havoc, but the HIPS still refuses to let me run a single unidentified EXE without getting a popup. That's pretty impressive IMO.

I can't say I'd trust this software to protect my OS, but does take its job seriously. I think I'll quite while I'm ahead.

Next up: Geswall.

 

can you test webroot secureanywhere and novirusthanks?

 

Probably, at some point. I do have other things that need to be done.

 

thanks for your test it is a treaure man

 

Great work, buddy! Thanks!
Keep it coming!

 

Very interesting tests
Btw, it would be interesting to see if Outpost scores the same as on Win2k.