Solved

Metasploit - test layer 7 firewall

Posted on 2013-01-27
Last Modified: 2013-01-30
Hello Backtrack experts,

I'm a network guy but not necessarily strong with pen or vulnerability scanners.
As I'm writing this, I'm downloading Backtrack 5 r3 to make into a bootable CD (6 hours to go).

I have an IIS web server setup behind an F5 proxy. I'm also securing this F5 virtual IP with F5's built in layer 7 firewall. I have it set to block any hits on any of the signatures for IIS. Once blocked, it will redirect to a custom block page that I created.
In front of this F5 is my ASA which is only allowing HTTPS from outside to come into the F5 proxy vip. Actually, it's only allowing connection sourcing from my home DSL public static IP as I have not exposed it to the world yet until I run this test.

Now the question. I want to use metasploit to trigger against any of the signatures and see if I can get the blocked redirect page. Which payload would you recommend that I use for this? Note, I've never used metasploit before and only watched some tutorial videos yesterday. I would be conducting this "test" through the Internet. I would appreciate any suggestions.
Question by:trojan81
LVL 51

Accepted Solution

by:
ahoffmann earned 250 total points
ID: 38825745
do you mean F5's ASM when talking about "layer 7 firewall"?
if so, I doubt that metasploit is the right tool to test against web application security/vulnerabilities
you better go with a specialised scanner there, free one is w3af, you may find more at
https://owasp.org/index.php/Phoenix/Tools
most WAS scanners, whether commercial or free, should have a proper blacklist which fits your requirement

hope you're aware that most web app vulnerabilities are found in the application and not the web server ...
LVL 63

Assisted Solution

by:btan
btan earned 250 total points
ID: 38826794
In the same light of thought, F5 LTM is a network FW but never a WAF, which is more of F5 ASM; of course that can be a module added on top of LTM. Typical HTTP traffic protocol checks are still enforced, but when you want to cover OWASP attacks, you really need an iRule to close it, and that is not easy to do based on LTM alone. DevCentral has a matrix depicting even L7 DDoS that shows which module, and to what extent, the F5 basic proxy can support.

https://devcentral.f5.com/blogs/us/mitigating-nuclear-ddoser-r-u-dead-yet-dirt-jumper-keep-dead-and-tor-hammer-with-f5

Then again F5 DPI can be done if you have the appl signature module (heard it is more for telco customers and VIPRION). That will be doing appl classification and throttling (or action) to better filter it. But since you are into HTTP, better to make sure F5 ASM is inside before testing (note they have APM for access control).

As for testing, I think Nexpose might be a better catch; it works hand in hand with Metasploit, which is for exploiting, while the former is a vulnerability scanner. I was thinking more of OWASP vulnerability A10, in which the client is redirected (unless the proxy enforces a certain whitelist check for server responses etc.). Also maybe pointing to another site via a vulnerability such as LFI or RFI (local/remote file inclusion).

https://community.rapid7.com/thread/2101
A3: Broken authentication and session management
A8: Failure to restrict URL access
A9: Insufficient transport layer protection
A10: Unvalidated redirects and forwards

Or probably BEEF in Backtrack
http://scx010c075.blogspot.sg/2012/02/exploit-combo-beef-metasploit.html

Author Comment

by:trojan81
ID: 38829663
Thanks, everyone. I appreciate the suggestions. Yes, I'm talking about the F5 ASM.

Ahoffmann, why do you say Metasploit is not the right tool?

I will look into nexpose and w3af
LVL 51

Expert Comment

by:ahoffmann
ID: 38832932
> why do you say Metasploit is not the right tool?
a complete answer will fill books ...
in short: Metasploit is a framework for various security checks, including some on application layer, it's based on templates for specific vulnerabilities; w3af is a framework for web application security and does only that, it's based on generic patterns and rules to check for vulnerabilities in any parameter without knowing the name and use of it
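Added example, not part of the thread: whichever scanner is used, the pass/fail check the question describes comes down to whether each test request was answered with the redirect to the custom block page. The sketch below classifies recorded response heads; the block page path `/blocked.html`, the test ids and the host name are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: path of the custom block page the ASM policy redirects to.
BLOCK_PATH = "/blocked.html"

def parse_head(raw):
    """Split a raw HTTP response head into (status, lowercase-header dict)."""
    lines = raw.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def classify(raw, block_path=BLOCK_PATH):
    """Return 'blocked', 'redirect-other' or 'passed' for one response."""
    status, headers = parse_head(raw)
    if status in (301, 302, 303, 307, 308):
        # Location may be absolute or relative; compare only the path.
        path = urlsplit(headers.get("location", "")).path
        return "blocked" if path == block_path else "redirect-other"
    return "passed"

def unblocked(results):
    """IDs of test requests that did not end at the block page."""
    return [tid for tid, raw in results if classify(raw) != "blocked"]

# Constructed sample: (test id, response head) pairs as a scanner log might record them.
SAMPLE = [
    ("sig-001", "HTTP/1.1 302 Found\r\nLocation: https://vip.example.test/blocked.html\r\n\r\n"),
    ("sig-002", "HTTP/1.1 302 Found\r\nlocation: /blocked.html?id=42\r\n\r\n"),
    ("sig-003", "HTTP/1.1 302 Found\r\nLocation: /login.aspx\r\n\r\n"),
    ("sig-004", "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
]

if __name__ == "__main__":
    for tid, raw in SAMPLE:
        print(tid, classify(raw))
    print("not blocked:", unblocked(SAMPLE))
```

A redirect that lands somewhere other than the block page (the application's own login redirect, for instance) is reported separately, so it is not counted as a firewall block.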
