Solved

Metasploit - test layer 7 firewall

Posted on 2013-01-27
Last Modified: 2013-01-30
Hello Backtrack experts,

I'm a network guy but not necessarily strong with pen or vulnerability scanners.
As I'm writing this, I'm downloading Backtrack 5 r3 to make into a bootable CD (6 hours to go).

I have an IIS web server set up behind an F5 proxy. I'm also securing this F5 virtual IP with F5's built-in layer 7 firewall. I have it set to block any hits on any of the signatures for IIS. Once blocked, it will redirect to a custom block page that I created.
In front of this F5 is my ASA, which is only allowing HTTPS from outside to come into the F5 proxy VIP. Actually, it's only allowing connections sourcing from my home DSL public static IP, as I have not exposed it to the world yet until I run this test.

Now the question. I want to use Metasploit to trigger against any of the signatures and see if I can get the blocked redirect page. Which payload would you recommend that I use for this? Note, I've never used Metasploit before and only watched some tutorial videos yesterday. I would be conducting this "test" through the Internet. I would appreciate any suggestions.
Question by:trojan81

Accepted Solution

by: ahoffmann (earned 250 total points)
Do you mean F5's ASM when talking about "layer 7 firewall"?
If so, I doubt that Metasploit is the right tool to test against web application security/vulnerabilities.
You'd better go with a specialised scanner there; a free one is w3af, and you may find more at
https://owasp.org/index.php/Phoenix/Tools
Most WAS scanners, whether commercial or free, should have a proper blacklist which fits your requirement.

Hope you're aware that most web app vulnerabilities are found in the application and not the web server ...

Assisted Solution

by: btan (earned 250 total points)
Along the same line of thought, F5 LTM is a network firewall but never a WAF, which is more F5 ASM; of course that can be a module added on top of LTM. Typical HTTP traffic protocol checks are still enforced, but when you want to have OWASP attacks covered, you really need an iRule to close it, and that is not easy to do based on LTM alone. DevCentral has a matrix, depicting even L7 DDoS, that shows which module and to what extent the F5 basic proxy can support.

https://devcentral.f5.com/blogs/us/mitigating-nuclear-ddoser-r-u-dead-yet-dirt-jumper-keep-dead-and-tor-hammer-with-f5

Then again, F5 DPI can be done if you have the application signature module (heard it is more for telco customers and VIPRION). That will be doing application classification and throttling (or action) to better filter it. But since you are into HTTP, better to make sure F5 ASM is inside before testing (note they have APM for access control).

As for testing, I think Nexpose might be a better catch; it works hand in hand with Metasploit, which does the exploiting, while the former is a vulnerability scanner. I was thinking more of OWASP vulnerability A10, where we have the client redirected (unless the proxy enforces a certain whitelist check for server responses etc.). Also maybe pointing to another site via a vulnerability such as LFI or RFI (local/remote file inclusion).

https://community.rapid7.com/thread/2101
A3: Broken authentication and session management
A8: Failure to restrict URL access
A9: Insufficient transport layer protection
A10: Unvalidated redirects and forwards

Or probably BEEF in Backtrack
http://scx010c075.blogspot.sg/2012/02/exploit-combo-beef-metasploit.html

Author Comment

by: trojan81
Thanks, everyone. I appreciate the suggestions. Yes, I'm talking about the F5 ASM.

Ahoffman, why do you say Metasploit is not the right tool?

I will look into nexpose and w3af

Expert Comment

by: ahoffmann
> why do you say Metasploit is not the right tool?
A complete answer will fill books ...
In short: Metasploit is a framework for various security checks, including some on the application layer; it's based on templates for specific vulnerabilities. w3af is a framework for web application security and does only that; it's based on generic patterns and rules to check for vulnerabilities in any parameter without knowing the name and use of it.
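A check for the outcome the question asks about (a signature hit ending at the custom block page), as an added example that is not part of the thread: it classifies recorded responses for a benign baseline request and a signature-triggering request. The block page path, marker text and sample responses are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumed values (not from the thread): path and marker text of the custom block page.
BLOCK_PATH = "/blocked.html"
BLOCK_MARKER = "request-blocked-by-policy"

# Constructed sample responses, as a non-redirect-following client would record them.
SAMPLES = {
    "app": {"status": 200, "headers": {}, "body": "<html>application home</html>"},
    "redirect": {"status": 302, "body": "",
                 "headers": {"Location": "https://vip.example.test/blocked.html?id=1"}},
    "inline": {"status": 200, "headers": {}, "body": "<p>request-blocked-by-policy</p>"},
}


def classify(resp):
    """Classify one recorded response; None means no HTTP reply was received."""
    if resp is None:
        return "no-response"  # dropped or reset before any HTTP reply
    headers = {k.lower(): v for k, v in resp.get("headers", {}).items()}
    status = resp["status"]
    if 300 <= status < 400 and urlsplit(headers.get("location", "")).path == BLOCK_PATH:
        return "blocked-redirect"  # redirected to the custom block page
    if BLOCK_MARKER in resp.get("body", ""):
        return "blocked-inline"  # block page served in place of the content
    if 200 <= status < 400:
        return "passed"  # answered by the application behind the proxy
    return "error"  # 4xx/5xx without the block page


def evaluate(baseline, probe):
    """Verdict from a benign baseline request and a signature-triggering request."""
    base, result = classify(baseline), classify(probe)
    if base != "passed":
        # A failing baseline makes any "block" meaningless: the ASA source
        # filter, TLS or the virtual server itself could be the cause.
        return "inconclusive: baseline " + base
    if result.startswith("blocked"):
        return "waf-blocking"
    if result == "passed":
        return "waf-not-blocking"  # probe reached the application unblocked
    return "inconclusive: probe " + result


if __name__ == "__main__":
    print(evaluate(SAMPLES["app"], SAMPLES["redirect"]))
    print(evaluate(SAMPLES["app"], SAMPLES["app"]))
    print(evaluate(None, SAMPLES["redirect"]))
```

Pairing every probe with a baseline from the same source IP separates a block by the layer 7 policy from a drop by the ASA in front of it.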
