trojan81
asked on
Metasploit - test layer 7 firewall
Hello Backtrack experts,
I'm a network guy but not necessarily strong with pen or vulnurability scanners.
As i'm writing this, i'm downloading Backtrack 5 r3 to make into a bootable CD (6 hours to go).
I have an IIS web server setup behind an F5 proxy. I'm also securing this F5 virtual IP with F5's built in layer 7 firewall. I have it set to block any hits on any of the signatures for IIS. Onced blocked, it will redirect to a custom block page that I created.
In front of this F5 is my ASA which is only allowing HTTPS from outside to come into the F5 proxy vip. Actually, it's only allowing connection sourcing from my home DSL public static IP as I have not exposed it to the the world yet until I run this test.
Now the question. I want to use metasploit to trigger against any of the signatures and see if I can get the blocked redirect page. Which payload would you recommend that I use for this? Note, i've never used metasploit before and only watched some tutorial videos yesterday. I would be conducting this "test" through the Internet. I would appreciate any suggestions.
I'm a network guy but not necessarily strong with pen or vulnurability scanners.
As i'm writing this, i'm downloading Backtrack 5 r3 to make into a bootable CD (6 hours to go).
I have an IIS web server setup behind an F5 proxy. I'm also securing this F5 virtual IP with F5's built in layer 7 firewall. I have it set to block any hits on any of the signatures for IIS. Onced blocked, it will redirect to a custom block page that I created.
In front of this F5 is my ASA which is only allowing HTTPS from outside to come into the F5 proxy vip. Actually, it's only allowing connection sourcing from my home DSL public static IP as I have not exposed it to the the world yet until I run this test.
Now the question. I want to use metasploit to trigger against any of the signatures and see if I can get the blocked redirect page. Which payload would you recommend that I use for this? Note, i've never used metasploit before and only watched some tutorial videos yesterday. I would be conducting this "test" through the Internet. I would appreciate any suggestions.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
> why do you say Metasploit is not the right tool?
a complete answer will fill books ...
in short: metasplot is a framework for various security checks, including some on application layer, it's based on tempates for specific vulnerabilities; w3af is a framework for web application security and does only that, it's based on generic patterns and rules to check for vulnerabilities in any parameter without knowing the name and use of it
a complete answer will fill books ...
in short: metasplot is a framework for various security checks, including some on application layer, it's based on tempates for specific vulnerabilities; w3af is a framework for web application security and does only that, it's based on generic patterns and rules to check for vulnerabilities in any parameter without knowing the name and use of it
ASKER
Ahoffman, why do you say Metasploit is not the right tool?
I will look into nexpose and w3af