Metasploit/Armitage vs. WinXP

Discussion in 'other anti-malware software' started by Gullible Jones, Nov 7, 2013.

Thread Status:
Not open for further replies.
  1. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Kali Linux 1.0.5 x86-64 with Metasploit and Armitage

    vs.

    Windows XP SP2, no additional updates, various firewall and antivirus software setups plus the latest Firefox

    Attacks are via the LNK and Aurora exploits.

    ---

    Panda Cloud AV
    - Blocks the LNK attack. Does it the cheap way though, by recognizing the DLL as a known bad one.
    - Doesn't block the Aurora exploit (go figure).
    - Panda GUI can be killed. Fortunately that doesn't prevent it from working; however...
    - It doesn't prevent migration to other processes, including migration to Panda's own service! Ouch. I don't think I should even be able to do that, since Panda runs as the SYSTEM user; but there is the evidence right in front of me.
    - Keystrokes can easily be recorded, screenshots captured, etc.
    - I can inject code into the AV's services. It doesn't see anything at all.

    Conclusion: this product isn't worth it for free, and wouldn't be worth it if you were being paid to use it. Avoid.

    PrivateFirewall:
    - Very good against network attacks. Noticed all manner of scans, and prevented any from getting useful info (even OS version).
    - Works against EXE payloads; my unsigned EXE was unable to run.
    - Bad against everything else. Screenshots can be grabbed, files and processes tampered with, and keystrokes can be logged.
    - As with Panda, code can be injected directly into the firewall service.

    Conclusion: does what it says on the box, but that doesn't count for much. Don't try this on a public wifi network, folks.

    ---

    More coming soon!
     
  2. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Online Armor 7
    - Blocks unknown EXEs, for whatever that is worth
    - Fails to block the MS08-067 network attack the first time around. Instant admin privileges, yay. Does seem to block the attack subsequently but by then it's too late.
    - Does not prevent migration and injection of code into OA processes.
    - Does not prevent keylogging. Boo, hiss!
    - Does not prevent code injection into any privileged process.

    Edit: I've been informed below that OA requires at least SP3 to function properly. I will do further testing once I've upgraded the VM.
     
    Last edited: Nov 7, 2013
  3. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Sandboxie
    - Blocks keylogging by sandboxed programs
    - Blocks code injection into itself and into privileged processes
    - Seems to block code injection into anything, actually
    - Doesn't even allow screenshots to be taken

    Conclusion: So far, Sandboxie is the only security software that can actually be said to work in any reasonable sense. It does what it says and does it well. Major kudos to Tzuk for being honest, and for writing something that isn't slopware.
     
  4. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    Thank you for all this testing and posting the results, Gullible!

    Are these products you're testing running on an administrative account or limited?
     
  5. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    All the tests are run as an admin. I may do some later as a limited user, but privilege elevation vulnerabilities are plentiful in XP - I doubt it will make much difference.
     
  6. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    791
    Location:
    India
    Thanks for the tests Gullible!
    Are you planning to test this with a more recent OS like 7 or 8.1? If so, can you include ESS 7 in the mix?

    Thanks, Harsha
     
  7. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Not really, I was basically trying to answer some of my questions about XP security in practice vs. theory.

    (It's looking to me like practice and theory aren't too different, unfortunately.)
     
  8. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    Very good, thanks!
     
  9. aztony

    aztony Registered Member

    Joined:
    Sep 9, 2012
    Posts:
    547
    Location:
    USA Southwest
    GJ, could you also test Avast and Forticlient and let us know how they fared? TY
     
  10. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    787
    Location:
    Germany
    You are aware that Online Armor requires SP3 to run properly, right? :)
     
  11. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    I wasn't; thanks, and my apologies. I will update my post to reflect that.
     
  12. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    787
    Location:
    Germany
    Also as a side note:

    If you are using a virtual network with a private IP range (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) make sure you actually disable the "Trusted" option for the network interface under Firewall/Interfaces. Otherwise Online Armor will assume the traffic comes from a private network and is allowed to pass through without any actual filtering taking place.
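    An added check, not part of Fabian's post or of Online Armor itself, that flags lab interfaces sitting in the three private ranges listed above while still marked Trusted; the interface names and addresses are constructed.

    ```python
    import ipaddress

    # RFC 1918 ranges named in the post above. A firewall that treats private
    # networks as "Trusted" by default skips filtering on interfaces in them.
    PRIVATE_RANGES = [
        ipaddress.ip_network(cidr)
        for cidr in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
    ]


    def private_range_of(addr):
        """Return the RFC 1918 range (as a CIDR string) containing addr, or None."""
        ip = ipaddress.ip_address(addr)
        for net in PRIVATE_RANGES:
            if ip in net:
                return str(net)
        return None


    def audit_interfaces(interfaces):
        """interfaces: {name: (ipv4_address, trusted_flag)} as read off the
        firewall's interface list. Returns (name, range) for every interface
        that lies in a private range AND is still marked Trusted, i.e. where
        test traffic would pass without any filtering taking place."""
        findings = []
        for name, (addr, trusted) in interfaces.items():
            rng = private_range_of(addr)
            if rng is not None and trusted:
                findings.append((name, rng))
        return findings


    # Constructed sample: a host-only VM adapter in 192.168.x left on the
    # default Trusted setting, plus a second adapter on a non-private address.
    SAMPLE_INTERFACES = {
        "VirtualBox Host-Only": ("192.168.56.101", True),
        "Bridged": ("203.0.113.7", False),
    }

    if __name__ == "__main__":
        for name, rng in audit_interfaces(SAMPLE_INTERFACES):
            print(f"{name}: in {rng} and marked Trusted; untick Trusted before testing")
    ```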
     
  13. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Fabian: that must have been the problem. D'oh.

    In retrospect, it strikes me that my methodology might not be very rigorous if there were large OS changes between SP2 and SP3. I think I will update to SP3 and then rerun all of my tests.

    OTOH, I will point out that Sandboxie blocked everything on SP2, so it looks like some level of security is possible with SP2 if done right. The difference between Sandboxie and the other products is pretty stark.

    Also I realize some of my statements are a bit inflammatory, considering that these tests apply only to security on XP (which we already know is a joke). Again, apologies for that. I'll try to maintain a more professional tone from here on.
     
  14. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    787
    Location:
    Germany
    That may be the best approach, I agree.

    The approaches are different. You didn't explain your methodology very well, so I can't say anything for sure, but it seems you just run Metasploit, start an exploit module, hook it up to a payload and then use an application vulnerable to that exploit to access it and get exploited.

    With sandboxes this will work fine because the basic threat model for a sandbox is that everything running inside the sandbox is untrusted, everything outside the sandbox however is trusted. For a HIPS it usually is the other way around. Everything is untrusted and is being monitored except the processes that the user marked as trusted. The problem arises when exploits come into play. If the application that is being exploited is trusted, it is essentially allowed to do anything it wants. This doesn't change when hostile code takes over control of the application through a vulnerability inside the application. So as long as you use a payload that is purely in-memory and doesn't involve executables that are dropped to the disk, it is unlikely that any HIPS or firewall would beep unless it has some kind of exploit prevention on board (most of them are extremely unreliable, you are better off with EMET in almost all cases).

    That is also the reason why every firewall and HIPS vendor out there will stress the importance of updates to all his users, because once you trusted an application and the bad guys somehow gain control of such a trusted application, it is pretty much game over for you.
     
  15. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,695
    Location:
    Zagreb, Croatia
    Can you test Comodo, AppGuard and DefenseWall, please?
     
    Last edited: Nov 7, 2013
  16. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Alright, here we go again with SP3...

    Online Armor
    - Gaining access through the Aurora exploit still works.
    - Migrating to or injecting into processes running as the same user works, unless those processes belong to OA.
    - Injecting into SYSTEM processes works, unless they belong to OA. Same with the getsystem function.
    - Attempts to kill OA services do not work.
    - Interestingly the Stuxnet kernel exploit does not work; it causes the VM to crash before it can complete.
    - Keystrokes can be logged without any complaint from OA.
    - Screenshots can be captured likewise.
    - Once SYSTEM access is acquired, any executable can be launched without complaint from OA.

    Since going from admin to SYSTEM is trivial, relying on OA with an admin account is probably not a good idea.
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi, can you explain your methodology, esp. how you know that malware is able to take screenshots successfully, able to keylog and getting system control?

    Thanks
     
  18. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    Did you have to allow an .EXE installation to check keylogging and tamper protection? If so, what alerts, if any, did you get?
     
  19. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Methodology is to exploit IE, gain access to its memory space, and do most stuff from there. Keylogging uses Windows Explorer. Not sure about screenshots, that seems to be doable from the compromised IE process.

    This is all done through Metasploit, using the Armitage frontend. It is extremely simple to use. Metasploit comes preinstalled on Kali Linux.

    No, I didn't allow anything to install, nor did I get any alerts. The only process that needs to spawn is Windows Explorer (for keylogging).

    Metasploit basically does all this stuff automagically; the Armitage GUI requires only the most basic kind of skills to use. And keep in mind Metasploit is a (free) pentesting tool. Crooks and blackhats probably have access to more advanced stuff with better automation.

    Edit: also remember I'm an amateur at this stuff. On the one hand, my methodology could probably be a lot more thorough... On the other hand, if I can do this stuff, so can any script kiddy.
     
  20. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Comodo Internet Security
    - First off, this thing is totally unusable in paranoid mode. It spams popups on almost every mouse click. Safe mode is more usable, but doesn't give a peep when IE gets compromised.
    - Keystrokes are recorded without complaint, screenshots likewise
    - SYSTEM access is gotten easily, as with OA
    - However, unlike OA, Comodo can deny launch of SYSTEM processes.
    - In general Comodo is hard to disable. Even with SYSTEM privileges it refuses to die, or to permit injection or migration into privileged processes.

    Overall much better, though still NG against keyloggers. Will look into this more later...

    Edit: I really have to commend the Comodo devs... Whatever else can be said about CIS, so far it has resisted every attempt to run an EXE payload. I can log user activity, tamper with files, inject code into services, and generally wreak havoc, but the HIPS still refuses to let me run a single unidentified EXE without getting a popup. That's pretty impressive IMO.

    I can't say I'd trust this software to protect my OS, but it does take its job seriously. I think I'll quit while I'm ahead.

    Next up: Geswall.
     
    Last edited: Nov 7, 2013
  21. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Can you test Webroot SecureAnywhere and NoVirusThanks?
     
  22. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Probably, at some point. I do have other things that need to be done. :p
     
  23. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Thanks for your test, it is a treasure, man :) :thumb:
     
  24. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,695
    Location:
    Zagreb, Croatia
    Great work, buddy! Thanks!
    Keep it coming! :D
    :thumb:
     
  25. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,770
    Location:
    Outer space
    Very interesting tests :thumb:
    Btw, it would be interesting to see if Outpost scores the same as on Win2k.
     