LAS VEGAS — A pair of separate security researchers at the Black Hat security conference demonstrated new tools to automate penetration testing of Mac OS X and Oracle databases — shedding new light on potential vulnerabilities in each.
The tools are new modules for the open source Metasploit vulnerability-testing framework and are intended to help penetration testers harden their environments and make them more secure.
To date, Metasploit has focused on Windows, with its in-memory exploitation engine called Meterpreter. That is now set to change, with Mac and Unix/Linux versions that will enable security researchers to execute code on those platforms as well.
One researcher, Dino Dai Zovi, told the audience that most of the code for Macterpreter is already in Metasploit. One of the key differences in how the Mac version works is that it requires a staged bundle injection, which is why Zovi demonstrated an injectable bundle skeleton capable of inserting any payload an attacker wanted into a system.
Zovi highlighted one payload in particular, which he called “Take a Pic of the Vic.” That payload could enable a remote attacker to use a Mac’s built-in camera to take a picture of its user. Zovi noted that the user would notice the green light on the camera turn on but otherwise wouldn’t know that they were being exploited.
Zovi also gave credit to security researcher Charlie Miller for helping to develop the code. Miller is well known for his public exploits of Apple products, winning the PWN2OWN contest multiple times. Zovi noted that the same exploits that Miller used to win that contest will be part of the Mac framework for Metasploit.
An Apple spokesperson was not immediately available to comment.
Security researcher Chris Gates told the Black Hat audience that his motivation in building a new tool for automating Oracle exploit testing was that there were no free open source tools available.
Gates noted that none of the issues that his tool supports are new — rather he’s just automating the process.
One of the key aspects of his tool set is the Oracle Mixin, which supports Oracle’s Transparent Network Substrate (TNS). TNS provides a uniform application interface that lets network applications access the underlying network protocols transparently.
Gates explained that an Oracle database is vulnerable if an attacker knows four key items: the IP address, the port number, the service ID (SID) and a username/password combination to access the database.
Gates said he wrote a listener module to help determine the SID and Oracle database version numbers, and wrote a login script that performs what is known as a brute-force attack — trying to gain access using known default username and password combinations.
He added that putting all of that together inside Metasploit gives researchers doing penetration testing the ability to do all kinds of things to an Oracle database, including SQL injection.
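The default-credential brute forcing Gates describes is noisy by nature: one source tries many usernames against one SID in a short burst, and a later success from the same source is the signal a defender most wants. The following is an added example, not part of the article or of Gates’s Metasploit modules, showing how a detection script could flag that pattern. The log lines and their `src=… sid=… user=… result=…` format are constructed for this example and do not match a real Oracle listener or audit log, so the parser would need to be adapted to the format actually collected.

```python
"""Added example (not from the article): flag brute-force style login bursts
against an Oracle SID in a constructed, simplified log format."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample lines: timestamp, source IP, target SID, username, outcome.
# The first source cycles through several accounts and finally succeeds;
# the second is an ordinary user with a single typo.
SAMPLE_LOG = """\
2009-07-29T10:00:01 src=10.0.0.5 sid=ORCL user=SYSTEM result=FAIL
2009-07-29T10:00:02 src=10.0.0.5 sid=ORCL user=SYS result=FAIL
2009-07-29T10:00:02 src=10.0.0.5 sid=ORCL user=SCOTT result=FAIL
2009-07-29T10:00:03 src=10.0.0.5 sid=ORCL user=DBSNMP result=FAIL
2009-07-29T10:00:04 src=10.0.0.5 sid=ORCL user=OUTLN result=FAIL
2009-07-29T10:00:05 src=10.0.0.5 sid=ORCL user=DBSNMP result=OK
2009-07-29T10:05:00 src=10.0.0.9 sid=ORCL user=APP_RO result=OK
2009-07-29T10:06:10 src=10.0.0.9 sid=ORCL user=APP_RO result=FAIL
2009-07-29T10:06:20 src=10.0.0.9 sid=ORCL user=APP_RO result=OK
"""

# Hypothetical line format used only by this example.
LINE_RE = re.compile(r"^(\S+) src=(\S+) sid=(\S+) user=(\S+) result=(OK|FAIL)$")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, sid, user, result = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "sid": sid,
            "user": user, "ok": result == "OK"}


def find_bruteforce(log_text, window=timedelta(seconds=60), threshold=4, min_users=3):
    """Return one alert per source that racks up at least `threshold` failed
    logins against at least `min_users` distinct usernames inside `window`.
    Each alert records whether a successful login from that source followed
    the burst, which is the case that needs immediate follow-up."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            # Sliding window anchored at each event in turn.
            window_evs = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            fails = [e for e in window_evs if not e["ok"]]
            users = {e["user"] for e in fails}
            if len(fails) >= threshold and len(users) >= min_users:
                success_after = any(e["ok"] and e["ts"] >= fails[-1]["ts"]
                                    for e in window_evs)
                alerts.append({"src": src, "sid": start["sid"],
                               "failures": len(fails), "users": sorted(users),
                               "success_after": success_after})
                break  # one alert per source is enough for this example
    return alerts


if __name__ == "__main__":
    for alert in find_bruteforce(SAMPLE_LOG):
        print(alert)
```

The thresholds are deliberately low so the constructed sample trips them; in production they would be tuned against the normal failure rate for each listener, and the `success_after` flag is what should escalate the alert from “password guessing” to “possible compromise of a default account.”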
An Oracle spokesperson was not immediately available for comment.
While Gates and Zovi are busy expanding the capabilities of Metasploit, other security researchers at Black Hat are working on the defensive side.
A pair of researchers from Mandiant today are releasing the Metasploit Forensic Framework, a tool to help identify what an attacker may have done to a target machine.