International Journal on Advanced Computer Theory and Engineering (IJACTE)
ISSN (Print) : 2319 – 2526, Volume-1, Issue-1, 2012
Performance Evaluation of Meterpreter's Penetration Power on Various Operating Systems
Monika Pangaria, Vivek Shrivastava & Archita Bhatnagar Dept. of I.T., I.T.M. College, Bhilwara, Rajasthan, India
Abstract – Meterpreter (short for meta-interpreter) is a powerful post-exploitation tool that is used as the payload of choice in penetration testing.
Penetration testing imitates all the possible ways of bypassing a system's security in the way an attacker would.
The main objective of this paper is to evaluate the penetration power of Meterpreter on four operating systems: Windows XP, Windows Vista, Windows 7 and Ubuntu. Meterpreter is regarded as an ideal payload because it provides encrypted communication between client and server, allows additional functionality to be added at run time, and is wiped from memory once execution has finished. It works well with a variety of operating systems and claims 80 % compatibility with a large number of exploits.
Keywords – Penetration testing, Meterpreter, exploits, payload, Metasploit Framework (MSF).
I. INTRODUCTION
Penetration testing is a major activity from the point of view of an organization's security. It proceeds by using a wide range of exploits, each followed by a variety of payloads.
There are certain shortcomings in using a specific payload to accomplish a particular task. First and foremost, such payloads perform only a single task: "bind shell to a port" will only bind a shell to a port and offer a handful of shell commands on a command interpreter.
Moreover, these payloads tend to trigger an alarm on the target machine, which is strongly undesirable, and executing a command interpreter may not even be possible for chrooted applications.
So an ideal payload is required which
- is compatible with a variety of operating systems,
- avoids creating a new process or a file on disk,
- is stable, flexible and extensible, and
- allows functionality to be added at run time when required.
In short, all we need is Meterpreter, as it fulfils every criterion for an ideal payload. [1]
II. CONCEPT
Fig. 1 shows the concept behind the whole process revolving around exploits and payloads.
Fig. 1 : Concept
Here, A is the victim and B the attacker. First, a combination of exploit + payload is delivered into the victim's environment. [2] Then the exploit comes into play; the payload starts executing only if the exploit succeeds.
After the exploit succeeds, a reverse connection is established.
Now it is time for action: we can perform multiple tasks such as uploading and downloading data, registry read/write operations, taking snapshots, process migration and much more. Once the desired tasks are achieved, we can aim higher at privilege escalation.
III. WORKING
To carry out a penetration test we need a platform. A wide range of tools is available today, and the most powerful and popular of them is the Metasploit Framework. After entering the console by simply typing msfconsole, we can proceed with the next steps.
The steps involved are:
1. use exploit_name
2. show options
3. set LHOST (i.e. the local machine IP)
4. set RHOST (i.e. the remote machine IP)
5. set PAYLOAD payload_name
6. exploit
Once the exploit succeeds, we can perform the variety of tasks discussed later.
IV. COMPATIBILITY WITH DIFFERENT EXPLOITS ON A VARIETY OF OPERATING SYSTEMS
An experiment was conducted to test the power of the Meterpreter payload on a variety of operating systems, and the result was achieved successfully. The tables below show the machines on which the test was run, together with the exploit used on each. [5]
Table 1 : Windows XP
  Exploit : ms08_067_netapi
  Payload : windows/meterpreter/bind_tcp

Table 2 : Windows Vista
  Exploit : ms08_067_netapi
  Payload : windows/meterpreter/bind_tcp

Table 3 : Windows 7
  Exploit : ms11_003_ie_css_import
  Payload : windows/meterpreter/bind_tcp

Table 4 : Ubuntu 9.04
  Exploit : Linux/samba/lsa_transnames_heap
  Payload : windows/meterpreter/bind_tcp
V. ADVANCED FEATURES
Meterpreter provides a variety of commands that can be categorized as core commands, system commands, file system commands, networking commands, elevate commands, password database commands and timestomp commands.
The remarkable tasks that can be achieved with Meterpreter are:
1. migrating to another process on the server to obtain a long-lasting presence;
2. obtaining password hashes;
3. listing all processes running on the target machine;
4. uploading a file or a directory to the target;
5. forwarding a local port to a remote service;
6. recording all keystrokes, which may help in obtaining a password, and much more.
VI. PERFORMANCE
Meterpreter's performance can be judged on the basis of the advantages it offers a pen tester. [6]
1. It avoids creating a new process.
2. It runs inside the exploited process.
3. It is wiped from memory once the task is achieved, so no logs are left on the target machine.
4. It allows us to write our own scripts.
5. It allows desired functionality to be added at run time when required.
6. It facilitates killing anti-virus software so as to remain undetectable.
7. Moreover, it provides encrypted communication between client and server.
So overall, Meterpreter is an ideal payload that is stable, flexible and extensible.
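Each of the advantages listed above (running inside the exploited process, migrating to another process, reading password hashes, binding a listening port) still produces endpoint telemetry that a defender can correlate. The following script is an added example, not part of the paper: it runs three detections over a constructed, Sysmon-style event list (Event ID 3 network connection, Event ID 8 CreateRemoteThread, Event ID 10 ProcessAccess). The field names, the expected-listener baseline, the trusted-injector list and all sample records are assumptions made for the example; a real deployment would derive the baselines from its own inventory.

```python
"""Host-side detection of Meterpreter-like post-exploitation activity.

Added example: correlates unexpected inbound listeners, remote-thread creation
(process migration) and LSASS memory reads over constructed Sysmon-style events.
"""
import os
from typing import Dict, Iterable, List, Set

PROCESS_VM_READ = 0x0010  # Windows access right required to read another process's memory

# Assumption: (image basename, local port) pairs that legitimately accept inbound
# connections on a default Windows host. The ms08_067 service (svchost) accepts on 445.
EXPECTED_LISTENERS = {("svchost.exe", 135), ("svchost.exe", 445), ("system", 445)}

# Assumption: Windows components that routinely create threads in other processes.
TRUSTED_INJECTORS = {"csrss.exe", "winlogon.exe", "services.exe"}

# Constructed sample telemetry (Sysmon-like keys, invented values).
SAMPLE_EVENTS: List[Dict] = [
    # Benign outbound browser connection.
    {"id": 3, "image": r"C:\Program Files\Internet Explorer\iexplore.exe", "pid": 1804,
     "local_port": 49210, "remote_ip": "203.0.113.10", "initiated": True},
    # Benign inbound SMB handled by the Server service.
    {"id": 3, "image": r"C:\Windows\System32\svchost.exe", "pid": 1044,
     "local_port": 445, "remote_ip": "192.0.2.25", "initiated": False},
    # The exploited service now accepts a connection on a high port (bind_tcp stage).
    {"id": 3, "image": r"C:\Windows\System32\svchost.exe", "pid": 1044,
     "local_port": 4444, "remote_ip": "192.0.2.25", "initiated": False},
    # Migration: the exploited process starts a thread inside explorer.exe.
    {"id": 8, "source_image": r"C:\Windows\System32\svchost.exe", "source_pid": 1044,
     "target_image": r"C:\Windows\explorer.exe", "target_pid": 2320},
    # Benign: csrss.exe creates remote threads as part of normal operation.
    {"id": 8, "source_image": r"C:\Windows\System32\csrss.exe", "source_pid": 520,
     "target_image": r"C:\Windows\explorer.exe", "target_pid": 2320},
    # Benign: Task Manager queries lsass with limited-information rights only.
    {"id": 10, "source_image": r"C:\Windows\System32\taskmgr.exe", "source_pid": 3100,
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": 0x1000},
    # Hash dumping: the migrated-into process opens lsass with PROCESS_VM_READ.
    {"id": 10, "source_image": r"C:\Windows\explorer.exe", "source_pid": 2320,
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": 0x1010},
]


def _base(path: str) -> str:
    """Basename of a Windows path, lower-cased, portable across host platforms."""
    return os.path.basename(path.replace("\\", "/")).lower()


def find_unexpected_listeners(events: Iterable[Dict]) -> List[Dict]:
    """Inbound connections accepted by a (process, port) pair outside the baseline."""
    hits = []
    for ev in events:
        if ev.get("id") != 3 or ev.get("initiated"):
            continue
        key = (_base(ev["image"]), ev["local_port"])
        if key not in EXPECTED_LISTENERS:
            hits.append({"rule": "unexpected-listener", "pid": ev["pid"],
                         "image": key[0], "port": key[1], "severity": "medium"})
    return hits


def find_remote_thread_injection(events: Iterable[Dict], suspicious_pids: Set[int]) -> List[Dict]:
    """CreateRemoteThread from anything but trusted Windows components; higher
    severity when the source process was already flagged (the migrate step)."""
    hits = []
    for ev in events:
        if ev.get("id") != 8 or _base(ev["source_image"]) in TRUSTED_INJECTORS:
            continue
        sev = "high" if ev["source_pid"] in suspicious_pids else "medium"
        hits.append({"rule": "remote-thread", "pid": ev["source_pid"],
                     "image": _base(ev["source_image"]),
                     "target_pid": ev["target_pid"], "severity": sev})
    return hits


def find_lsass_access(events: Iterable[Dict]) -> List[Dict]:
    """ProcessAccess on lsass.exe where the granted mask includes memory-read rights."""
    hits = []
    for ev in events:
        if ev.get("id") != 10 or _base(ev["target_image"]) != "lsass.exe":
            continue
        if ev["granted_access"] & PROCESS_VM_READ:
            hits.append({"rule": "lsass-read", "pid": ev["source_pid"],
                         "image": _base(ev["source_image"]), "severity": "medium"})
    return hits


def triage(events: List[Dict]) -> List[Dict]:
    """Chain the three rules so suspicion follows the payload from the exploited
    process into the process it migrated to."""
    listeners = find_unexpected_listeners(events)
    suspicious = {h["pid"] for h in listeners}
    threads = find_remote_thread_injection(events, suspicious)
    suspicious |= {h["target_pid"] for h in threads if h["severity"] == "high"}
    lsass = find_lsass_access(events)
    for h in lsass:
        if h["pid"] in suspicious:
            h["severity"] = "high"
    return listeners + threads + lsass


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Run stand-alone the script prints three findings: the svchost.exe listener on port 4444, the svchost.exe thread created in explorer.exe, and the explorer.exe read of lsass.exe, the last two raised to high severity because the chain starts at the already-flagged process. The benign csrss.exe thread and the Task Manager query of lsass.exe are not reported.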
VII. CONCLUSION
After the numerous experiments conducted on a variety of operating systems, it can be concluded that Meterpreter works well across operating systems, with 80 % compatibility with a huge number of exploits. It overcomes most of the limitations of using a specific payload for a specific task.
On a serious note, Meterpreter resides completely in the memory of the remote host and leaves no logs on the hard drive, making it very tough to detect with ordinary forensic approaches.
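Disk forensics finds nothing because the payload is never written to disk, but a payload that lives only in RAM still occupies memory regions that a memory image or a live scan can enumerate. The script below is an added example, not part of the paper: it applies the classic memory-triage heuristic (executable memory that is private rather than backed by a loaded module, especially when it begins with a PE header, which is how a reflectively loaded DLL appears) to a constructed list of process memory regions. The Region record, the set of JIT-capable processes used to suppress false positives, and every sample region are assumptions made for the example; the field set is modelled on what memory-analysis tools report per region.

```python
"""Memory-triage example (added, not from the paper): flag executable memory
regions that have no file on disk behind them, the footprint of an in-memory
payload, using constructed region records."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Region:
    pid: int
    process: str
    base: int
    size: int
    protection: str      # Windows page protection name, e.g. "PAGE_EXECUTE_READWRITE"
    kind: str            # "image" (loaded module), "mapped" (file mapping) or "private"
    path: Optional[str]  # backing file for image/mapped regions, None for private
    head: bytes          # first bytes of the region


EXECUTABLE = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ",
              "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}

# Assumption: processes that legitimately JIT-compile code into private RWX
# memory. Without such a baseline, browsers and script engines drown the signal.
JIT_HOSTS = {"iexplore.exe", "chrome.exe", "firefox.exe", "powershell.exe"}

# Constructed sample regions (invented addresses and sizes).
SAMPLE_REGIONS: List[Region] = [
    # Ordinary code pages of ntdll.dll loaded from disk.
    Region(1044, "svchost.exe", 0x77E40000, 0x00180000, "PAGE_EXECUTE_READ", "image",
           r"C:\Windows\System32\ntdll.dll", b"MZ\x90\x00"),
    # Small RWX buffer holding the first stage placed by the exploit (no PE header).
    Region(1044, "svchost.exe", 0x00A30000, 0x00001000, "PAGE_EXECUTE_READWRITE", "private",
           None, b"\x90\x90\xe8\x00"),
    # After migration: a DLL loaded by hand into explorer.exe, never written to disk.
    Region(2320, "explorer.exe", 0x02F00000, 0x0002A000, "PAGE_EXECUTE_READWRITE", "private",
           None, b"MZ\x90\x00"),
    # Ordinary heap: writable but not executable.
    Region(2320, "explorer.exe", 0x00320000, 0x00100000, "PAGE_READWRITE", "private",
           None, b"\x00\x00\x00\x00"),
    # Browser JIT code cache: private RWX, but expected for this process.
    Region(1804, "iexplore.exe", 0x0B400000, 0x00040000, "PAGE_EXECUTE_READWRITE", "private",
           None, b"\x55\x8b\xec\x83"),
]


def score_region(r: Region) -> List[str]:
    """Reasons a region looks like injected code; an empty list means benign."""
    if r.protection not in EXECUTABLE or r.kind == "image":
        return []  # executable pages of a module the loader mapped from a file are normal
    reasons = []
    if r.head.startswith(b"MZ"):
        # A PE header in memory that is not a loaded image is the signature of a
        # reflectively loaded DLL: mapped by the payload itself, not by the OS loader.
        reasons.append("PE header outside any loaded module")
    if (r.kind == "private" and r.protection == "PAGE_EXECUTE_READWRITE"
            and r.process.lower() not in JIT_HOSTS):
        reasons.append("private RWX memory in a process that does not JIT")
    return reasons


def find_injected(regions: List[Region]) -> List[Tuple[Region, List[str]]]:
    """All regions with at least one reason, paired with their reasons."""
    return [(r, why) for r in regions if (why := score_region(r))]


def carve_plan(hits: List[Tuple[Region, List[str]]]) -> List[Tuple[int, int, int]]:
    """(pid, base, size) triples to extract from the memory image for analysis."""
    return [(r.pid, r.base, r.size) for r, _ in hits]


if __name__ == "__main__":
    for region, reasons in find_injected(SAMPLE_REGIONS):
        print(f"pid {region.pid} {region.process} {region.base:#010x}+{region.size:#x}: "
              + "; ".join(reasons))
```

On the sample data the scan reports two regions: the RWX stage buffer in svchost.exe and the hand-mapped DLL in explorer.exe, the latter with both reasons. The ntdll.dll pages, the heap and the browser's JIT cache are left alone. The carve plan turns the hits into the exact byte ranges to pull out of a memory image, which is where the analysis continues once disk artifacts are absent.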
VIII. FUTURE SCOPE
In future, Meterpreter can be actively used with a number of exploits and operating systems to pentest various servers, such as Windows MultiPoint Server 2011, Windows Home Server 2011 and Windows Server 2012.
We can penetrate a network by attacking the server, for example by sending a vulnerable link or file to one of the clients. If the attack on the server does not succeed, attack one of the clients instead and use it to become part of the network, capture the data packets travelling across the network and gather information about it. Keep in mind that to be part of the network you must be registered with the server; to achieve this, spoof your MAC address with that of the attacked client, which can also crash that client machine.
IX. REFERENCES
[1] D. Kennedy, J. O'Gorman, D. Kearns, M. Aharoni, "Metasploit: The Penetration Tester's Guide", foreword by HD Moore, ISBN-10: 1-59327-288-X.
[2] R. Budiarti, S. Ramadass, A. Samsudin, S. Noor, "Development of Penetration Testing Model for Increasing Network Security", Network Research Group, School of Computer Sciences, Malaysia, 0-7803-8482-2104, 2004 IEEE.
[3] D. Geer, J. Harthorne, "Penetration Testing: A Duet", Proceedings of the 18th Annual Computer Security Applications Conference (ACSAC '02), 1063-9527/02, 2002 IEEE.
[4] N. Y. Hamisi, N. H. Mvungi, D. A. Mfinanga, B. M. M. Mwinyiwiwa, "Intrusion detection by penetration test in an organization network", 978-1-4244-3523-4/09, 2009 IEEE.
[5] S. Northcutt, J. Shenk, D. Shackleford, T. Rosenberg, R. Siles, S. Mancini, "Penetration Testing: Assessing your overall security before attackers do", SANS Analyst Program, sponsored by Core Impact, June 2006.
[5] P. Asadoorian, "Introduction to Penetration Testing", PaulDotCom Enterprises, LLC, 2009.
[6] Insight Technologies, white paper provided by Siemens, "Penetration Testing: Why a Methodical and Proven Approach to Penetration Testing is Essential in Formulating an Effective Security Testing Strategy".
[7] B. Skaggs, B. Blackburn, S. Shenoi, "Network Vulnerability Analysis", Center for Information Security, Department of Computer Science, Keplinger Hall, University of Tulsa, Tulsa, Oklahoma 74104, USA, 0-7803-7523-8/02/$17.00 © 2002 IEEE.