Automation of Post-exploitation
Pentesting is becoming an important activity even for smaller companies. One of the most important economic pressures is the cost of such tests. To automate pentests, tools such as Metasploit can be used. Post-exploitation activities, however, cannot be automated easily. Our contribution is to extend Meterpreter scripts so that post-exploitation can be scripted. Moreover, using a multi-step approach (pivoting), we can automatically exploit machines that are not directly routable: once the first machine is exploited, the script automatically continues by launching an attack on the next machine, and so on.
Keywords: Pentesting security exploits