
Metasploit - test layer 7 firewall

Posted on 2013-01-27
Last Modified: 2013-01-30
Hello Backtrack experts,

I'm a network guy but not necessarily strong with pen or vulnerability scanners.
As I'm writing this, I'm downloading Backtrack 5 r3 to make into a bootable CD (6 hours to go).

I have an IIS web server set up behind an F5 proxy. I'm also securing this F5 virtual IP with F5's built-in layer 7 firewall. I have it set to block any hits on any of the signatures for IIS. Once blocked, it will redirect to a custom block page that I created.
In front of this F5 is my ASA, which is only allowing HTTPS from outside to come into the F5 proxy VIP. Actually, it's only allowing connections sourcing from my home DSL public static IP, as I have not exposed it to the world yet until I run this test.

Now the question. I want to use Metasploit to trigger against any of the signatures and see if I can get the blocked redirect page. Which payload would you recommend that I use for this? Note, I've never used Metasploit before and only watched some tutorial videos yesterday. I would be conducting this "test" through the Internet. I would appreciate any suggestions.
Question by:trojan81
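
For the setup described in the question (ASA in front, F5 ASM redirecting blocked requests to a custom block page, IIS behind), the results of a test run can be tallied as below. This is an added example, not part of the original thread; the VIP hostname, the block page path `/blocked.html`, the test names and the sample records are all assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, urljoin

# Assumed values for illustration; not taken from the thread.
VIP_URL = "https://vip.example.test/"
BLOCK_PAGE = "https://vip.example.test/blocked.html"
REDIRECTS = (301, 302, 303, 307, 308)

def is_block_redirect(status, location, base=VIP_URL, block_page=BLOCK_PAGE):
    """True only for a 3xx whose Location resolves to the block page itself."""
    if status not in REDIRECTS or not location:
        return False
    # Resolve relative Location values, then compare parsed parts rather than
    # substrings, so "/login?next=/blocked.html" is not counted as a block.
    target = urlsplit(urljoin(base, location))
    want = urlsplit(block_page)
    return (target.scheme, target.netloc.lower(), target.path) == (
        want.scheme, want.netloc.lower(), want.path)

def classify(result):
    """Map one recorded test result to 'blocked', 'passed' or 'no_response'."""
    if result["status"] is None:
        # Timeout or reset: the request never got an HTTP answer, e.g. it was
        # dropped by the ASA source-IP rule before reaching the F5.
        return "no_response"
    if is_block_redirect(result["status"], result.get("location")):
        return "blocked"
    return "passed"  # answered by IIS or the application, not the block page

def summarize(results):
    """Group test names by verdict so requests the WAF let through stand out."""
    out = {"blocked": [], "passed": [], "no_response": []}
    for r in results:
        out[classify(r)].append(r["test"])
    return out

# Constructed sample results (not real scanner output).
SAMPLE = [
    {"test": "baseline-get", "status": 200, "location": None},
    {"test": "sig-check-1", "status": 302, "location": "/blocked.html?id=123"},
    {"test": "sig-check-2", "status": 302,
     "location": "https://vip.example.test/login?next=/blocked.html"},
    {"test": "sig-check-3", "status": None, "location": None},
    {"test": "sig-check-4", "status": 302,
     "location": "https://VIP.example.test/blocked.html"},
]

if __name__ == "__main__":
    for verdict, tests in summarize(SAMPLE).items():
        print(verdict, tests)
```

A test that lands in `no_response` says nothing about the ASM policy, so it should be rerun from an allowed source address before the signature set is judged.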
4 Comments
 
LVL 51

Accepted Solution

by:
ahoffmann earned 1000 total points
ID: 38825745
Do you mean F5's ASM when talking about "layer 7 firewall"?
If so, I doubt that Metasploit is the right tool to test against web application security/vulnerabilities.
You'd better go with a specialised scanner there; a free one is w3af, and you may find more at
https://owasp.org/index.php/Phoenix/Tools
Most WAS scanners, whether commercial or free, should have a proper blacklist which fits your requirement.

Hope you're aware that most web app vulnerabilities are found in the application and not the web server ...
 
LVL 64

Assisted Solution

by:btan
btan earned 1000 total points
ID: 38826794
In the same light of thought, F5 LTM (Network FW) is never a WAF, which is more of F5 ASM; of course, that can be a module added on top of LTM. Typical HTTP traffic protocol checks are still enforced, but when you want to cover OWASP attacks, you really need an iRule to close it, and that is not easy to do based on LTM alone. DevCentral has a matrix depicting even L7 DDoS that shows which module, and to what extent the F5 basic proxy, can support it.

https://devcentral.f5.com/blogs/us/mitigating-nuclear-ddoser-r-u-dead-yet-dirt-jumper-keep-dead-and-tor-hammer-with-f5

Then again, F5 DPI can be done if you have the application signature module (I heard it is more for telco customers and VIPRION). That will do application classification and throttling (or action) to better filter it. But since you are into HTTP, better to make sure F5 ASM is inside before testing (note they have APM for access control).

As for testing, I think Nexpose might be a better catch; it works hand in hand with Metasploit, which does the exploiting, while the former is a vulnerability scanner. I was thinking more of OWASP vulnerability A10, where the client gets redirected (unless the proxy enforces a certain whitelist check on server responses, etc.). Also maybe pointing to another site via a vulnerability such as LFI or RFI (local/remote file inclusion).

https://community.rapid7.com/thread/2101
A3: Broken authentication and session management
A8: Failure to restrict URL access
A9: Insufficient transport layer protection
A10: Unvalidated redirects and forwards

Or probably BEEF in Backtrack
http://scx010c075.blogspot.sg/2012/02/exploit-combo-beef-metasploit.html
 

Author Comment

by:trojan81
ID: 38829663
Thanks, everyone. I appreciate the suggestions. Yes, I'm talking about the F5 ASM.

Ahoffmann, why do you say Metasploit is not the right tool?

I will look into Nexpose and w3af.
 
LVL 51

Expert Comment

by:ahoffmann
ID: 38832932
> why do you say Metasploit is not the right tool?
A complete answer will fill books ...
In short: Metasploit is a framework for various security checks, including some on the application layer; it's based on templates for specific vulnerabilities. w3af is a framework for web application security and does only that; it's based on generic patterns and rules to check for vulnerabilities in any parameter without knowing the name and use of it.