Posts by Christian Kirsch

2 min

Bad Change Control Is The Biggest Enemy of Network Segmentation

In the section about Point-of-Sale Intrusions, the Verizon 2014 Data Breach Investigations Report recommends to "Debunk the flat network theory" to protect POS devices. Here's what it says on page 19: Debunk the flat network theory Review the interconnectivity between stores and central locations and treat them as semi-trusted connections. Segment the POS environment from the corporate network This struck me as a little odd since network segmentation is a well-known and common best practice o

2 min Verizon DBIR

Finding Weak Remote Access Passwords on POS Devices

One of my key take-aways in the Verizon Data Breach Incident Report was that credentials are a major attack vector in 2013. Especially within the POS Intrusions, brute forcing and use of stolen creds was a major problem. These techniques were primarily leveraged against two targets: Shared passwords on 3rd-party provided POS systems were the biggest problem, followed directly by weak passwords on remote access solutions that enable the help desk to quickly provide help to employees working on

2 min Antivirus

Anti-Virus Evasion Makes Vulnerability Validation More Accurate

When think talk about anti-virus evasion, we mostly do so in the context of a penetration test: If the "bad guys" can evade AV solutions because they write custom payloads, then a penetration tester must do the same to simulate an attack. However, AV evasion is also critical to vulnerability validation []. While a full-scale penetration test looks for any way into the network, vulnerability validation surgically examines one vulner

2 min Metasploit

Hacker's Dome: An Online Capture-the-Flag (CTF) Competition on May 17

Many folks ask me how you can get started as a penetration tester. Save for a real-life penetration test, capture-the-flag (CTF) competitions are probably the most effective ways for you to hone your offensive security skills. What's best: they're a ton of fun, even for experienced pentesters. The folks over at [] have put together a one-off CTF called Hacker's Dome, which will start on May 17th and run for 48 hours, so save the date. Hacker's Dome - First Bloo

4 min Metasploit

Security Advisory: OpenSSL Heartbleed Vulnerability (CVE-2014-0160) in Metasploit (Updated 4/11/14 2:20pm EDT)

Metasploit 4.9.0 and earlier vulnerable to Heartbleed, update 4.9.1 addresses critical cases The Metasploit editions Metasploit Pro, Metasploit Express, and Metasploit Community in versions 4.9.0 or earlier are vulnerable to the OpenSSL Heartbleed Vulnerability (CVE-2014-0160). Please update to version 4.9.1 to remediate critical vulnerabilities. See below for remediation instructions. Metasploit Framework itself is not affected, but it has dependencies on other components that may need to be u

4 min Penetration Testing

7 Tips for Booking Your PCI 3.0 Penetration Testing Service (And Why Consultants Will Book Out Early This Year)

PCI DSS Compliance is driving about 35% of all penetration tests, according to a Rapid7 Metasploit User Survey with more than 2,200 respondents earlier this year. With the changes introduced in PCI DSS version 3.0, penetration tests will become more complex and longer in duration, and more companies will feel the need to run penetration tests in the first place. Given that it takes a lot of time and money to train new penetration testers, this will cause consultants to book out early, and probab

2 min

Like msfvenom? Here's A Faster Way to Generate Stand-alone Metasploit Payloads

Part of the Metasploit Framework, msfvenom is a command-line tool that helps penetration testers to generate stand-alone payloads to run on compromised machines to get remote access to the system. Msfvenom is a combination of two other Metasploit Framework tools: Msfpayload and Msfencode, which generate and encode payloads respectively. Even if you have used Msfvenom before, chances are that you need to look up the tool's documentation every time you want to generate a payload. Msfvenom is a

11 min Metasploit

New Metasploit 4.9 Helps Evade Anti-Virus Solutions, Test Network Segmentation, and Increase Productivity for Penetration Testers

Metasploit 4.9 helps penetration testers evade anti-virus solutions, generate payloads, test network segmentation, and generally increase productivity through updated automation and reporting features. Since version 4.8, Metasploit has added 67 new exploits and 51 auxiliary and post-exploitation modules to both its commercial and open source editions, bringing our total module count up to 1,974. The new version is available immediately. Generate AV-evading Dynamic Payloads Malicious attackers u

1 min Networking

Don't Be An Easy Target: Testing Your Network Segmentation

Network segmentation is the act of splitting a computer network into subnetworks, each being a network segment, which increases security and can also boost performance. It is a security best practice that is recommended (but not required) by PCI DSS and it makes the top 20 list of critical security controls suggested by SANS. Due to the ongoing investigation, the world doesn't have the full details on the Target breach yet, but there are strong indications that network segmentation could have

1 min Metasploit

Free Webcast: From Framework to Pro - Using Metasploit Pro in Penetration Tests

Metasploit Pro is more than just a pretty web interface for Metasploit; it contains many little known features that simplify large scale network penetration tests. In this technical webinar for penetration testers who are familiar with Metasploit Framework [] , David Maloney shows which features he finds most useful in Metasploit Pro. Watch this webcast to learn how to: * Quickly scan a network

1 min Metasploit

Make Your Voice Heard & Make Metasploit More Awesome

We've sharpened our pencils and put up a drawing board to decide where we want to take Metasploit in 2014 and beyond. Metasploit is built on collaboration with the community, both through the contributions of security researchers in building the open source Metasploit Framework, and through a continuous feedback loop with our customers that enables us to keep driving the solution to meet their needs. As part of our continued commitment to the latter, we're asking you to let us know how you use M

3 min Metasploit

Rapid7 Webcasts: A Great Week to Learn About Pentesting SAP Infrastructures

SAP applications contain a ton of juicy information, making them a great target for malicious attackers who are after intellectual property, financial statements, credit card data, PII and PHI. Breaching SAP systems opens the door for fraud, sabotage, and industrial espionage. SAP systems have often organically grown and are hard to update, making them a soft target. What's worse, pentesters are often unfamiliar with SAP infrastructures and how to pentest SAP systems. To help with the latter, R

4 min Social Engineering

Social Engineering: Would You Fall For This Phone Call?

Cyber criminals don't always need a keyboard to hack into your bank account or company network. In fact, a lot of attacks start with a simple phone call. Typically, the attackers are either trying to get information out of you or to make you do something. This is a technique they call social engineering. I've read a lot about social engineering over the years, since it's a personal area of interest. It can be used by a bunch off different occupations, such as FBI interrogators, con artists, sal

16 min Metasploit

Don't Get Blindsided: Better Visibility Into User and Asset Risks with Metasploit 4.8

Not having visibility can be dangerous in many situations. The new Metasploit 4.8 gives you better visibility in four key areas: * View phishing exposure in the context of the overall user risk * See which vulnerabilities pose the biggest risk to your organization * Have all host information at your fingertips when doing a pentest * Discover the latest risks on your network with new exploits and other modules See Phishing Exposure as One Factor of User Risk Users are often a weak part of t

3 min Metasploit

Learn to Pentest SAP with Metasploit As ERP Attacks Go Mainstream

This month, a security researcher disclosed that a version of the old banking Trojan “Trojan.ibank” has been modified to look for SAP GUI installations, a concerning sign that SAP system hacking has gone into mainstream cybercrime.  Once a domain of a few isolated APT attacks, SAP appears to be in the cross hairs of hackers that know just how much sensitive data ERP systems house, including financial, customer, employee and production data.  With more than 248,500 customers in 188 countries, SAP