Slashdot Mirror
Son of SATAN? Weighing Security Software's Risks
ryanr writes "Rob Lemos put out an article on the new metasploit relese. The article reminds me of the furor over the original SATAN being released. H.D. Moore, who wrote it, rightly points out that there are commercial tools that do it better, and it's known that the kiddies have copies of those. Why pick on the open-source tool? I think Rob is being a bit provocative." Despite the headline ("Security tool more harmful than helpful?"), the article is actually pretty balanced.
I've always thought the comparison of security tools to invasion tools like the idea of security through obscurity.
Simply because there's not an automated tool which allows you to properly determine the security of your own systems, doesn't mean somebody else couldn't do it manually, or create their own tools.
"If we let things terrify us, life will not be worth living."
- Seneca
This could be a good tool if admins actually used it (or some tool to look for holes) and patched the holes and watched their security. But, I have only worked at one place that has done this and the others were under the impression they didn't have to do it very often.
Those hacking into systems will love this tool though. I'm gonna go home tonight and check my network out. Although, I don't have a thing someone would want to hack.
Evolution or ID?
The common wisdom in the security world is that easy-to-use scripts to circumvent security--called "exploits"--are a threat to the Internet.
The Metasploit Project and its founder, HD Moore, hope to change that perception.
I thought changing the name from SATAN to SAINT, fixed that perception. I mean, how many attackers wanna use a tool called "SAINT", no matter how good it is.
Consensus is good, but informed dictatorship is better
Its too bad we can't moderate editors as being -1 Redundant
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
H.D. Moore, who wrote it, rightly points out that there are commercial tools that do it better, and it's known that the kiddies have copies of those. Why pick on the open-source tool?
I don't care who has what exploit^H^H^H^H^H^H^Htesting tool, or what knowledge about hacking. It's a better "real-world" way to test your security anyway.
Keep your stuff patched, because you never know where, when, how or by whom the next attack is going to come from.
The problem with socialism is that they always run out of other people's money. - Margaret Thatcher
This is nothing more than a API for hackers. It could be used as a security tool but the vast, overwhelming, majority of people who download this will be using it to hack people.
Please read my comments which I posted here. Thanks! :)
Lets look back a couple days at the same story
Evolution or ID?
There's no substitute for a secure box. But what's lost on a lot of people is that security through obscurity is only bad if it's your only security method. True security doesn't mean that you paint a bull's eye on your forehead and taunt the crackers to come after you.
If cracking tools are widely available, they will be used to more quickly exploit whatever vulnerabilities exist, giving the author less time to patch. It's better for everyone if these tools are hard to come by.
Toronto-area transit rider? Rate your ride.
When was Bill Gates Arrested?
There are commercial tools that allow you to run exploits and install shellcode or deliver payloads?
I couldn't find this quote anywhere in the article...
Please help metamoderate.
A quick glance through my log files shows that someone is scanning my boxes. Not distributing scanning tools just makes it a one sided battle (with us admins on the loosing side). Not knowing about a hole does not mean that the hole doesn't exist. So, I think that it's far better to make a level playing field, and let hackers and admins have equal opporunity for knowing the status of a box. Sure, some people won't check their systems, but that's a lost cause no matter what.
Companies that create software to exploit security vulnerabilities in common software in order to get commandline access to any system don't kill systems. Script kiddies do.
Linux: Free if your time is worthless.
Having tools to help in identification of weaknesses is not a bad idea (one side) - OTOH - the same tools can also help a hacker use that information to exploit your system (other side). Not that they couldn't do it anyway -- but hey -- this is faster. It was stated in the article that "The problem today is that many organizations do not patch systems until a working exploit is released". How true this as well as the comment that "The bottom line is that exploits are not only useful but are (also) required for many types of legitimate work." Brings to mind some of the restrictions that are placed on useful processes such as the remote commands, snmp, and other features built into the OS. Nice to know where problems are so that they can be locked down ... but what if you really need them ...
i think the point made in the article that "this toold allows admins to play on the same level as the attackers" is a very valid point and should be paraded out in front of anyone who says "but this will only cause more attacks by making the attackes easier for the attackers to execute"
newsflash; even the l4m0r-est script kiddie has a plethora of tools like this (most of which are usually loaded with trojan's and the like).
giving admins legit, supported and just plain better tools means that admins have the ability to check their systems' vulnerability easily. and an admin equipped with a tool for automating exploits has a better chance of stumbling across an exploit no one has found yet, because he hasn't spent all night checking for vulnerabilities earlier.
If guns are outlawed, only outlaws will have guns...
If security scanning tools are outlawed, only outlaws will have security scanning tools...
Blaming the author of this tool because it might be used by hackers is like blaming a gun manufacturer because the gun they make might kill someone.
Lets just assume that most 'bad' hackers have more knowledge of security flaws and holes than most system administrators.
I this scenario, a set of 'hacking' tools made availble to those administrators can help them find vulnerabilities, fix them, and then test if their solution is working properly.
If these tools were only available to people with the intention to abuse them, it would be much harder to secure a system.
Personally, I believe that currently the knowlegde of security flaws is greater among the hackers, since they specialize in exploiting them. Most administrators have many tasks besides system security. With a set of proper tools to diagnose their systems, security could be maintained with less effort.
I thought us Mac users were the "religious zelots", and Bill Gates was the devil. Now you are telling me Windows is the blessed OS, and I'm a tool of SATAN? I'm going to have to take a course on the theology of computing to keep this all straight.
Yeah, I guess I'm funny like that.
Windows is much purer than the *nix OS's.
I tried to cast the daemons out of my Linux machine, but it didn't work so well afterward...
Hmmmmm....
Berto
Some sleepy thoughts before I crash...
This is the time-old argument of gun's dont kill people, people kill people. Except, it is now being applied against electronic "tools". Another saying comes to mind "if you outlaw xyz, then only outlaws will have xyz".
A decade ago, black-hat hackers and security administrators did not have the same access to information and tools that we have today. Crackers are no longer working in the dark, reverse engineering operating systems and applications/services from scratch. Operating system source code is readily available for both the open-source systems (Linux/BSD), along with most of the commercial variants (HP/Solaris/etc) in the black-hat community. With access to this information, they're able to literally scan the code for bad programming practice (grep sprintf) to quickly identify vulnerabilities.
This open-source transparency has been both a blessing and a curse for the open OS's - in that vulnerabilities can quickly be found by an enterprising auditor, but likewise can be quickly closed by any decent programmer. This is not the case however with the closed platforms, because the source is not available.
Likewise with penetration tools. When a vulnerability comes out, such as the infamous PHF bug, a cracker can within a few minutes put together a crude scanner to identify these systems for exploitation. Likewise a security administrator can and needs to use a similar tool to audit his network for any sign of the vulnerability.
However, there should be some industry self-policing going on regarding the public release of certain tools. For example, if a vulnerability emerges and you want to scan and actively "test" whether you are vulnerable (instead of soley checking a service banner - you try to exploit the vulnerability), the test does not need to grant you uid 0. Instead, you can release a binary tool which simply created a root-owned file on the server, in / , called "YOU_ARE_VULN_TO_X". Both tools will confirm whether or not you are vulnerable - but one is significantly less vulnerable to abuse (by the average script kiddy) than the other.
However, in the long run, the security industry is a very profitable one, and one way to get a head start is to be prolific and vocal in releasing high-quality exploits (and hoping to get noticed by a security company). This is as much about ego as it is about getting a cool job, and while that attraction is there, you're going to keep seeing security tools with no restrictions emerge.
This headline apparently written by the Church Lady
"Open the pod by doors, Hal" > "I'm afraid I can't do that, Dave" sudo "Open the pod bay doors, Hal" > alright
A hole scanner just finds holes. It's a hacking tool if used by a hacker, a security tool if used by an admin... the only diffence is what the user intends on doing after the hole is discovered.
I've known about and been exploiting the ms-its vulnerability for a full week and then some now. I had a Proof-of-Concept within the first 2 hours of the original post by a concerned IRC user on bugtraq.
While this tool doesn't test for IE vulnerabilities like the one I have been exploiting, it covers a lot of commonly used attacks that have already been done by script kiddies for (in some cases like the apache chunked vulnerability) upwards of two years!
It also tests a lot of "duh" kinds of exploits that any serious web, mail, and NT/2000/2003 administrator would want to test. Admins and security consultants have been using Nessus for the last three years or so and people don't question that anymore.
I think the issue here with Metasploit's Framework is that it's modular, so script-kiddies like me can sit back and develop and trade exploits. My response to that is: get over it.
I've been trading exploits for so long now with my *own* PERL code that the only thing this program does is maybe cut my time down in half. And why would I want to release a module for Metasploit when I can make my own EXE's using perlcc and Cygwin?
If anything, perlcc and Cygwin contribute more to proliferation. And I kind of doubt they are going the way of the dodo anytime soon.
Its too bad we can't moderate editors as being -1 Redundant
And what exactly would that accomplish?
This is some sort of convoluted question - 'do security tools make things worse'. Rather than explaining word for word why I feel its worse, I'll offer an analogy.
Should brightly lit streets at night be banned because they allow muggers to see us more clearly? Surely not.
Knowledge is power, and I'd much rather have as much knowledge available to me as possible, rather than have none and some an attacker has none either. The fact is, exploiters will always try to develop their own ways to get in, their own tools, so it would be incredibly stupid for us to decide the less we know about network security, the better.
Security testing is a GOOD thing, before anyone puts a server online, they should try to hack it on a closed network first - and then they should have their smartest friends try to hack it, with any tools available. This sort of introspection would mean a whole lot more security on the net in general.
how is this post any better than The original story posted a couple of days back?
sheesh! you guys are seriously losing it when an AC like myself can come along and whoop your sorry posting asses!
maybe Slashdot can have a new points system where proven dupes can get points taken from their posters!
Another site I visit frequently, Slashdot, covered this a few days back. You can view their coverage on the same article here.
Oh, wait...
________________________________________________
suwain_2
Anytime anyone says you don't need security information/tools they're making money and you're getting the shaft. The argument "hackers could use this" translates to "our product is insecure and our admins are lazy". Security auditing is necessary in any network you'd like to be reasonably secure.
Religion is a gateway psychosis. -- Dave Foley
Of course, any time you release a tool that can be used for good or evil, there will be people that use it for good and those who use it for evil. I would much rather at least have the tools exist than be stuck when some evil person creates a supervirus using a tool they stole because we can't get that tool publicly.
Graeme (except the ae should be an umlaut a) means approximately "regretfulness". Nothing embarassing.
Way to mismoderate, moderators. This is not redundant, as the first posting of this article has a real discussion on the topic.
Is it possible this will create a new breed of mega elite hackers that don't need to know much about the inner workings of computers to hack, they can just run automated tools to do it for them? Maybe we can call them script-kiddies or something? What's that you say, they already have these? OH!
Of course these tools are good, the script kiddies already have k-rad tools from CodC and what-nots. News flash: many admins already use actually HACKER tools to try and find 'sploits on their pwn machines!
I remember when I was a youngin and to be classified at all as a hacker you had to have at least _some_ knowledge of machine code. Ahh, those were the days..
Mod +5 Drunk
WTF is a "relese"?
Where are Click and Clack with that dopeslap?
Well they merely turned zombies.
for the last time people, I am "frodo from middle eaRTH", not "middle eaST".
I disagree. If those tools are available to whitehats then security professionals can run them in lab environments and develop countermeasures like Layer 7 firewall filters and IDS rules. Furthermore, if I'm aware of an exploit that's serious enough of a risk, I have the option of killing a port on the firewalls until the risk has been mitigated. But I can't do any of those things if I'm not aware of the vulnerability andif don't know how the tool works. Not only that, but if these cats have made good on their promise to communicate with IDS vendors about ways to detect metasploit in action, then I honestly don't see how someone could make a more benign tool. I haven't seen anything on snort.org yet, but then again I'd imagine many of the exploits run by metasploit already have signatures available.
Security professionals are inherently disadvantaged compared to blakhats. They have more time on their hands, and they have more numbers. At the end of the day, if security professionals don't have access to tools like this, then we're at even more of a disadvantage.
Yes, my only tool is a hammer. And you're starting to look like a nail.
The original SATAN was introduced by Dan Farmer back in 1995.
The article reminds me of the furor over the original SATAN being released. H.D. Moore, who wrote it, rightly points out that there are commercial tools that do it better, and it's known that the kiddies have copies of those. Why pick on the open-source tool? I think Rob is being a bit provocative." Despite the headline ("Security tool more harmful than helpful?"), the article is actually pretty balanced.
Is this sig nificant?
Your analogy of software security to (presumably) physical world "invasion" tools (e.g., lock picks, etc.) causes me to make a prediction. The prediction is that, like lock picks, the use and possession of software security tools may in the future be licensed and regulated.
Last I heard, the possession of lockpicks was generally NOT regulated - no matter what the locksmithing industry would like you to believe.
Like crowbars, the crime is possession with intent to use illegally. (Unlike crowbars, it's a lot easier to show intent to use a lock pick as a burglary tool.)
However IANAL and have not studied this issue closely. (Also it's state level issue, so both the laws and precedents vary.)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
I haven't really used nessus or metasploit, but what is the difference between the two?
Also, binoculars should be banned because they just help terrorists look for physical security vulnerabilities.
We need strong laws to protect people who are too lazy and incompetent to protect themselves. Security through court-ordered obscurity is the only way to freedom.
I have not used your Canvas exploitation environment, but have been impressed by the competitive tool CORE Impact. It is too bad these are so expensive. IMHO it is better to have these capabilities available to all for free (as with the Metasploit framework) than to have them limited to rich folks. Having money doesn't always correlate with good intentions. Metasploit is certainly not up to the level of Core Impact yet, and probably not Canvas either. But it has improved rapidly over the last ~6 months. Give it time.
Hang out on the IRC channels where hackers congregate. Get to know them. Gain their trust. See what kinds of tools they use.
Admittedly, most of these script-kiddies can't write the tools they use. But when they find a good tool they spread it around quickly. They ARE using commercial tools that have been hacked. If this particular tool seems better for their hacking than what they have, they'll use it too. Does that mean we have to take the tool out of white hats' hands because the black hats might get it and use it?
This reminds me too much of the old gun argument: if security tools are outlawed, then only outlaws will have security tools.
I understand that security by obscurity isn't the same as good security; however, there is a need to eliminate software identification information commonly seen in the bottom of the page of web applications. It makes googling for an exploit trivial.
If cracking tools are widely available, they will be used to more quickly exploit whatever vulnerabilities exist, giving the author less time to patch. It's better for everyone if these tools are hard to come by.
Cracking tools are and will be widely available. How effective were the courts at stopping the spread of DeCSS? Tools already exist. They will either be written or pirated, and passed around on IRC. You can't stop them from existing. You can use them yourself, for your own benefit.
Attempting to get rid of widely available free tools that white hats could use to their benefit so that black hats won't have them isn't Security through Obscurity. It's Secruity through Wishful Thinking.
The only reasonable way to go forward with security is that your machine must be secure in spite of the existence of cracking tools. The best way to do this is to use the tools yourself, not to try to prevent them from existing. "Outlaw cracking tools, and only outlaws will have cracking tools" may be cliche, but poor prose can still be true.
The enemies of Democracy are
The story really was toned to stir the pot. the tool is a great help to those of us in the infosec community whose jobs it is to SECURE networks. Other tools like CANVAS (and a host of others I can't think of right now) do the same thing and most aren't even open source. Any one can run Nessus but the biggest issue with any vuln Scanner is *false positives*. This tool allows verification of vulnerability.
Rob I want you to apologize to HD Moore and go sit in the corner and think about what you've done.
(crap there goes my karma)
- Its too bad we can't moderate editors as being -1 Redundant
And what exactly would that accomplish?Just as you can filter by comments, you should be able to filter by articles. Allowing users to mark entire articles as redundant, flamebait, etc. would allow for this.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
Keep your stuff patched, because you never know where, when, how or by whom the next attack is going to come from.
For people whose livelihood doesn't directly involve keeping said stuff patched, or people whose aspirations in life aren't affixed solely to notions of uptime, this is easier said than done.
I'm sick and tired of people claiming that patching their system's software is a negligible task.
I'm also tired of people saying "I'm sick and tired of [insert unspeakably minor issue here]", but that's a whole other story.
To be fair, the Metasploit Framework was written by two people, H D and Spoonm. Spoonm actually has more than a 50% share in the code (according to the comments, etc), it seems a bit unfair to just mention Mr. Moore.
Looks like had a critical failure on your FP roll.
How is this different from Nessus?
"I think that all right-thinking people in this country are sick and tired of being told that ordinary, decent people are fed up in this country with being sick and tired. I'm certainly not! But I'm sick and tired of being told that I am!" -- Monty Python's Flying Circus
tasks(723) drafts(105) languages(484) examples(29106)
Take my car for example - it allows me to drive dangerously fast, and do burnouts, and ram-raid shops, and other cool, antisocial stuff. Should we ban cars?
...by night are white hat "system administrators" by day? Or even better, how many white hat system administrators have NEVER engaged in a little "sport"? And where is the line crossed exactly between harmless sport and looking and maybe a little... whatever?
Remember when back orifice was released? All the people I knew personally who were running it were employed in the IT world in some manner, ie, they were societally assumed to be "whitehats".
Personally, I think "the industry" is a lot more an over-all "gray" color than they want to admit to publically...
I remember in highschool back in 94. He was an SGI programer then. I had a friend who had a SCO box( shudder) and hacked the perl script so it could run.
He released it to help Irix system admins secure their networks. SGI having their heads up there butts, fired him believing security through obscurity was the most effective measure. After all he now made Irix insecure??
Irix remained the most unsecure Unix for many years untill managment made a recent change.
Nmap is hell of alot more powerfull now and there are many clones.
Satan is a relic of old and I just looked at some of the screenshots via a search on google. I thought it was really awesome in 94, but its quite primptive today.
http://saveie6.com/
How do you evalulate "intent" as a law enforcement officer?
With narcotics, "intent to sell" is defined by posessing more than some arbitrary quantity defined by law.
Conformity is the jailer of freedom and enemy of growth. -JFK
I just saw a banner ad on /. where MS is handing out free security management tools on their website. I have a strong suspicion that, if one could reverse engineer the code, much of it has been translated, probably illegally verbatim, from commonly available open source security management code like Nmap, Satan, ethereal, tcpdump, etc.
But who could afford to challenge them about it?
+++ATHZ 99:5:80
I believe that would be called the "Anti-Christ"