
Ruby Symbolic Execution Based Network Attack Traffic Extraction From Metasploit

Posted on: 2020-05-09 | Degree: Master | Type: Thesis
Country: China | Candidate: H W Liu
GTID: 2428330623963752 | Subject: Electronic and communication engineering
Abstract/Summary:
Metasploit is the most popular penetration testing framework today. It carries thousands of attack scripts and supports rapid development of new exploit scripts. The trend toward script-based, framework-based exploit code brings new challenges to network security: traditional analysis methods struggle to keep up with the speed at which new exploit scripts appear. Software vulnerabilities have their own life cycle, and the emergence of an exploit script does not mean that the vulnerability is no longer useful. Training and testing network intrusion detection systems requires real and effective attack traffic.

This paper proposes a method for extracting attack traffic from the Metasploit framework using symbolic execution. An exploit script needs to interact with its target over the network, and it expects the target to return specific feedback. If the target does not return the expected feedback, the script assumes that the target is not attackable and exits. An exploit script therefore requires a suitable target environment to run. Symbolic execution is a program testing technique that uses symbols as program input and can explore different execution paths of the program.

This paper divides Metasploit's API into four categories: target detection API, state transition API, attack traffic construction API and traffic sending API. It uses symbolic execution to extend Metasploit. By symbolizing the target detection API and the state transition API, we simulate the feedback of attack targets with symbols, so the exploit script can run without a target. Further, by symbolizing the attack traffic construction API, symbolic values are used to represent binary bytes in the attack traffic. Because symbols are abstract, they make the function of each part of the attack traffic clear. We call traffic that contains symbolic values a traffic template. Traffic templates can be used to extract attack traffic signatures and to generate attack traffic on demand. We tested the modified Metasploit by extracting attack traffic from scripts, and we compared the traffic templates with the real attack traffic.
Keywords/Search Tags: Network Attack Traffic, Symbolic Execution, Metasploit, Ruby, Signature Generation
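The traffic-template idea from the abstract, sketched as an added Ruby example that is not code from the thesis or from Metasploit: a template interleaves literal bytes with symbolic fields, and from it one can derive detection signatures or a concrete message. `SymField`, `TEMPLATE` and the three functions are hypothetical names, and the template itself is a constructed sample.

```ruby
# Added illustration; all names are hypothetical, not the thesis's code or Metasploit's API.
# A symbolic field stands for bytes whose concrete value the script does not fix.
SymField = Struct.new(:name, :length) # length nil = variable-length field

# Constructed sample template: literal bytes interleaved with symbolic fields.
TEMPLATE = [
  "POST /svc/", SymField.new(:nonce, 8), " HTTP/1.1\r\nX-Op: sync\r\n\r\n",
  SymField.new(:body, nil), "\r\nEND"
].freeze

# Literal runs of at least min_len bytes: candidates for content-match signatures.
def literal_signatures(template, min_len = 4)
  template.select { |p| p.is_a?(String) && p.bytesize >= min_len }
end

# Anchored regex: literals are escaped, symbolic fields become wildcards
# of the declared width (or a lazy wildcard when the width is unknown).
def signature_regex(template)
  src = template.map do |p|
    next Regexp.escape(p) if p.is_a?(String)
    p.length ? ".{#{p.length}}" : ".*?"
  end.join
  Regexp.new("\\A#{src}\\z", Regexp::MULTILINE)
end

# Bind every symbolic field to concrete bytes, enforcing declared lengths.
def instantiate(template, bindings)
  template.map do |p|
    next p if p.is_a?(String)
    val = bindings.fetch(p.name) { raise KeyError, "unbound symbol #{p.name}" }
    if p.length && val.bytesize != p.length
      raise ArgumentError, "#{p.name} must be #{p.length} bytes"
    end
    val
  end.join
end
```

The literal runs are what a content-matching IDS rule would key on, while the regex also constrains the width and position of the fields the script leaves variable.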