Metasploit - test layer 7 firewall

Hello Backtrack experts,

I'm a network guy but not necessarily strong with pen or vulnerability scanners.
As I'm writing this, I'm downloading Backtrack 5 r3 to make into a bootable CD (6 hours to go).

I have an IIS web server set up behind an F5 proxy. I'm also securing this F5 virtual IP with F5's built-in layer 7 firewall. I have it set to block any hits on any of the signatures for IIS. Once blocked, it will redirect to a custom block page that I created.
In front of this F5 is my ASA, which is only allowing HTTPS from outside to come into the F5 proxy VIP. Actually, it's only allowing connections sourcing from my home DSL public static IP, as I have not exposed it to the world yet until I run this test.

Now the question. I want to use metasploit to trigger against any of the signatures and see if I can get the blocked redirect page. Which payload would you recommend that I use for this? Note, I've never used metasploit before and only watched some tutorial videos yesterday. I would be conducting this "test" through the Internet. I would appreciate any suggestions.
trojan81 Asked:
ahoffmann Commented:
do you mean F5's ASM when talking about "layer 7 firewall"?
if so, I doubt that metasploit is the right tool to test against web application security/vulnerabilities
you better go with a specialised scanner there, a free one is w3af, you may find more at
https://owasp.org/index.php/Phoenix/Tools
most WAS scanners, whether commercial or free, should have a proper blacklist which fits your requirement

hope you're aware that most web app vulnerabilities are found in the application and not the web server ...
btan (Exec Consultant) Commented:
In the same light of thoughts, F5 LTM (Network FW) but never a WAF, which is more of F5 ASM; of course that can be a module added on top of LTM. Typical HTTP traffic protocol checks are still enforced, but when you want to have OWASP attacks, you really need an iRule to close it, but it is not easy to use just based on LTM. DevCentral has a matrix depicting even L7 DDoS that shows which module and to what extent the F5 basic proxy can support.

https://devcentral.f5.com/blogs/us/mitigating-nuclear-ddoser-r-u-dead-yet-dirt-jumper-keep-dead-and-tor-hammer-with-f5

Then again, F5 DPI can be done if you have the appl signature module (heard it is more for telco customers and VIPRION). That will be doing appl classification and throttling (or action) to better filter it. But since you are into HTTP, better to make sure F5 ASM is inside before testing (note they have APM for access control).

As for testing, I think Nexpose might be a better catch; it works hand in hand with Metasploit, which is exploiting, while the former is a vulnerability scanner. I was thinking more of OWASP vulnerability A10, in which we have the client redirected (unless the proxy enforces a certain whitelist check for server responses etc.). Also maybe pointing to another site via a vulnerability such as LFI or RFI (local/remote file inclusion).

https://community.rapid7.com/thread/2101
A3: Broken authentication and session management
A8: Failure to restrict URL access
A9: Insufficient transport layer protection
A10: Unvalidated redirects and forwards

Or probably BeEF in Backtrack
http://scx010c075.blogspot.sg/2012/02/exploit-combo-beef-metasploit.html
trojan81 (Author) Commented:
Thanks, everyone. I appreciate the suggestions. Yes, I'm talking about the F5 ASM.

Ahoffmann, why do you say Metasploit is not the right tool?

I will look into Nexpose and w3af.
ahoffmann Commented:
> why do you say Metasploit is not the right tool?
a complete answer will fill books ...
in short: metasploit is a framework for various security checks, including some on application layer, it's based on templates for specific vulnerabilities; w3af is a framework for web application security and does only that, it's based on generic patterns and rules to check for vulnerabilities in any parameter without knowing the name and use of it
Question has a verified solution.