Metasploit Exploit Testing

Metasploit offers an exploit testing option that can be used to verify suspected vulnerabilities. By utilizing ZeroNorth’s integration with various SAST & SCA scanners and with Metasploit, you can easily orchestrate the following test scenario:

  1. Run a SAST/SCA scanner against a web application code or build.
  2. Detect CVEs.
  3. Run a Metasploit “Dynamic-by-CVE” scan to confirm exploitability of the CVEs.

This article assumes that you are familiar with:

  • General use of the ZeroNorth platform
  • Using ZeroNorth to configure and run SAST/SCA scans of your code or build artifacts
  • Using ZeroNorth to configure and run DAST scans of your deployed web applications
  • General concepts of vulnerabilities, exploits, and CVEs

Overview of the Set Up Procedure

  1. Identify a Target (a code repository or a build artifact) that you want to scan using a SAST or SCA scanning tool.
  2. Add a Target definition in ZeroNorth for the above.
  3. Create a ZeroNorth policy to perform the SAST/SCA against the above Target.
  4. Identify a Target (a web application) that is based on the above code/build.
  5. Add a Target definition in ZeroNorth for the above.
  6. Add the Targets from step 1 and step 3 into a Application.
  7. Create a ZeroNorth policy to perform the Metasploit scan. This step is explain in detail below.

Creating a Metasploit Exploit Scan

Creating a Metasploit exploit scan is similar to creating any DAST scan in ZeroNorth.

1) Activate the Scenario for Metasploit Exploit Scan

  1. Go to znADM > Scenarios .
  2. Locate the Metasploit product and then click +Add Scenario .
  3. Enter a Name (e.g. “Metasploit Dynamic (by CVE)”).
  4. Select the Product Configuration “dynamic-by-cve”.
  5. Optionally, enter a Description .
  6. Click Save .

2) Add the Target that points to the Desired Web Application

Follow the instructions in this article to create a Target that points to the web application you want to scan. Be aware that the Metasploit exploit testing can cause harm to your application. Therefore consider scanning in a non-PROD environment or scanning a replica of the PROD environment.

3) Create the Metasploit Policy

Combine the Target from step 2 and the Scenario from step 1 into a Metasploit exploit Policy. The result should look something like this:

4) Define an Application that Include your Targets

Go to znOPS > Applications , and then click +Add Application . Create a new Application definition to include your Targets. Be sure to include both your static (code/buid) Target and your dynamic (web app a.k.a “Direct” or “Custom”) Target similar to the below example:

Including both the SAST/SCA scan Target and the DAST scan Target into the Application definition that is a key element of the Metasploit exploit scan, because ZeroNorth relies on the CVEs discovered by the SAST/SCA scans in order to dynamically configure the Metasploit exploit scan.

5) Expected Scan Outcomes

Run the Metasploit Policy when ready. Again, keep in mind that the scan could cause harm to your application as a part of the exploit test.

When run, one of the following can happen:

  1. No SAST/SCA scan is included in the Application definition that the Metasploit scan is a part of - the Metasploit scan will fail.
  2. The SAST/SCA scan(s) did not find any CVEs - the Metasploit scan will run, but not perform any exploits.
  3. The SAST/SCA scan(s) found CVEs but none of the CVEs have matching Metasploit modules - the Metasploit scan will run, but not perform any exploits.
  4. The SAST/SCA scan(s) found CVEs that have matching Metasploit modules - the Metasploit scan will run the available exploits and produce an issues report.

An Example Metasploit Exploit

Below series of screenshots illustrates a successful Metasploit exploit test.

In this example, a Whitesource scan was run against the “tiny-goat” project repo, which resulted in detection of a CVE:

A link in the ZeroNorth Issue detail points to a source of further details about the CVE:

The CVE detail page includes a reference to an available exploit:

Details about the exploit:

After running the ZeroNorth-orchestrated dynamic Metasploit exploit scan:

And in ZeroNorth’s Application Dashboard for this dashboard, we also see the correlation between the exploitable vulnerability and the related Issues found by the Whitesource scan: