Metasploit 支持IoT安全测试

metasploit

Metasploit是一个免费的、可下载的框架,通过它可以很容易地获取、开发并对计算机软件漏洞实施攻击。

2003年,H.D. Moore发布Metasploit后,对目标进行“渗透测试”的似乎变得容易多了。2016年面对物联网领域的安全威胁,Metasploit似乎一直“束手无策”,弄得小伙伴们十分失望。

snip20170208_2

近日,Rapid7 公布已更新 Metasploit 框架,支持物联网硬件的安全测试啦~~~~

本周,Rapid7博客宣布包括现代汽车控制器局域网CAN、物联网IoT设备以及工业控制系统在内的硬件,都可以通过Metasploit进行渗透测试。

这个名为“Hardware Bridge API”的扩展,让Metasploit成为首个“通杀”软件与硬件的渗透测试神器。它使用无线通讯并通过突破了之前用于阻止渗透测试的网络限制、直接控制硬件,同时它还解决了开发者需要为不同硬件打造定制工具的麻烦。

Rapid7的安全研究人员 Craig Smith称:设备制造者可以通过两种方式与Metasploit进行连接。一种是将Metasploit直接接入固件;另一种则是创建一个中继服务,特别是当设备无法使用以太网,例如软件定义无线电的设备只能通过USB端口连接。

HWBridge API的核心功能包括收集设备性能信息、版本化数据或电量相关信息,以及用于测试不同物理设备的独立扩展。例如测试汽车控制器局域网络时,它能够支持CAN并提供几种用于进行渗透测试的相关指令。

应用举例:

新发布的版本支持SocketCAN。如果你有Linux系统和支持SocketCAN的CAN总线嗅探器就可以进行测试了。local_hwbridge模块就是个简易中继服务的示例,你可以在本地或者远程服务器运行。

msf > use auxiliary/server/local_hwbridge
msf auxiliary(local_hwbridge) > run
[*] Auxiliary module execution completed
[*] Using URL: http://0.0.0.0:8080/6xOv7GqFs3YTeIE
[*] Local IP: http://10.1.10.21:8080/6xOv7GqFs3YTeIE
[*] Server started.
msf auxiliary(local_hwbridge) >

local_hwbridge模块默认会检测任何SocketCAN数据,不需要输入任何选项。中继服务无需在Metasploit中运行。如果硬件本身支持REST API的话就可以跳过这步。

msf > use auxiliary/client/hwbridge/connect
msf auxiliary(connect) > set rhost 10.1.10.21
rhost => 10.1.10.21
msf auxiliary(connect) > set targeturi 6xOv7GqFs3YTeIE
targeturi => 6xOv7GqFs3YTeIE
msf auxiliary(connect) > run
[*] Attempting to connect to 10.1.10.21...
[*] Hardware bridge interface session 1 opened (127.0.0.1 -> 127.0.0.1) at 2017-01-17 11:02:34 -0800
[+] HWBridge session established
[*] HW Specialty: {"automotive"=>true}  Capabilities: {"can"=>true, "custom_methods"=>true}
[!] NOTICE:  You are about to leave the matrix.  All actions performed on this hardware bridge
[!]          could have real world consequences.  Use this module in a controlled testing
[!]          environment and with equipment you are authorized to perform testing on.
[*] Auxiliary module execution completed
msf auxiliary(connect) > sessions
 
Active sessions
===============
 
  Id  Type                   Information  Connection
  --  ----                   -----------  ----------
  1   hwbridge cmd/hardware  automotive   127.0.0.1 -> 127.0.0.1 (10.1.10.21)

设备连接后,就会建立一个HWBridge会话。如果你比较熟悉meterpreter的话,你就会习惯使用hwbridge。你可以输入help获取命令列表,或者运行指定模块如getvinfo(获取汽车信息)。

msf auxiliary(connect) > sess 1
[*] Starting interaction with 1...
hwbridge > supported_buses
Available buses
 
can0, can1, can2
 
hwbridge > run post/hardware/automotive/getvinfo CANBUS=can2
[*] Available PIDS for pulling realtime data: 46 pids
[*]   [1, 3, 4, 5, 6, 7, 8, 9, 11, 12, 13, 14, 15, 16, 17, 19, 20, 21, 24, 25, 28, 31, 32, 32, 33, 44, 45, 46, 47, 48, 49, 50, 51, 60, 61, 64, 65, 66, 67, 68, 69, 70, 71, 73, 74, 76]
[*]   MIL (Engine Light) : OFF
[*]   Number of DTCs: 0
[*]   Engine Temp: 48 °C / 118 °F
[*]   RPMS: 0
[*]   Speed: 0 km/h  /  0.0 mph
[*] Supported OBD Standards: OBD and OBD-II
[*] Mode $09 Vehicle Info Supported PIDS: [2, 4, 6, 8]
[*] VIN: 1G1ZT53826F109149
[*] Calibration ID: UDS ERR: {"RCRRP"=>"Request Correctly Received, but Response is Pending"}
[*] PID 6 Response: ["00", "00", "C4", "E9", "00", "00", "17", "33", "00", "00", "00", "00"]
[*] PID 8 Response: ["00", "00", "00", "00", "00", "00", "00", "00", "00", "00", "00", "00", "00", "00", "00", "00", "00"]

即将加入更多硬件模式

据悉,Metasploit 开源社区迄今已包含 1,600 漏洞和 3,300 模块,管理Metasploit工具的Rapid7公司表示,之后还会加入其他功能。

logo

详细信息请查阅:

http://opengarages.org/hwbridge/#get-a-list-of-methods

https://www.rapid7.com/about/press-releases/rapid7-enables-iot-hardware-security-testing-with-metasploit/

https://community.rapid7.com/community/transpo-security/blog/2017/02/02/exiting-the-matrix

http://www.darkreading.com/vulnerabilities—threats/metasploit-can-now-be-directly-linked-to-hardware-for-vulnerability-testing/d/d-id/1328047

按捺不住了吧,试试?O(∩_∩)O~

转自:

微信公众号:开源恶意代码基准测试

发表评论

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / 更改 )

Twitter picture

You are commenting using your Twitter account. Log Out / 更改 )

Facebook photo

You are commenting using your Facebook account. Log Out / 更改 )

Google+ photo

You are commenting using your Google+ account. Log Out / 更改 )

Connecting to %s