5 min
Exploits
Security Death Match: Open Source vs. Pay-for-Play Exploit Packs
In the blue corner: an open-source exploit pack. In the red corner: a
pay-for-play incumbent. As a security professional trying to defend your
enterprise against attacks, which corner do you bet on for your penetration
tests?
What's the goal of the game?
Okay, this is a loaded question, because it really depends on what your goal is.
If you are like 99% of enterprises, you'll want to protect against the biggest
and most likely risks. If you are the 1% that comprise defense contractors and
the
3 min
Metasploit
How Metasploit's 3-Step Quality Assurance Process Gives You Peace Of Mind
Metasploit exploits undergo a rigorous 3-step quality assurance process so you
have the peace of mind that exploits will work correctly and not affect
production systems on your next assignment.
Step 1: Rapid7 Code Review
Many of the Metasploit exploits are contributed by Metasploit's community of
over 175,000 users, making Metasploit the de-facto standard for exploit
development. This is a unique ecosystem that benefits all members of the
community because every Metasploit user is a “sensor
3 min
Exploits
5 Tips to Ensure Safe Penetration Tests with Metasploit
Experienced penetration testers know what to look out for when testing
production systems so they don't disrupt operations. Here's our guide to ensure
smooth sailing.
Vulnerabilities are unintentional APIs
In my warped view of the world, vulnerabilities are APIs that weren't entirely
intended by the developer. They hey are also undocumented and unsupported. Some
of these vulnerabilities are exploited more reliably than others, and there are
essentially three vectors to rank them:
* Exploit s
4 min
Exploits
November Exploit Trends: Apache Killer Exploit New to List
This month was a quiet one on the Metasploit Top Ten List. Each month we compile
a list of the most searched exploit and auxiliary modules from our exploit
database [http://www.metasploit.com/modules/]. To protect user's privacy, the
statistics come from analyzing webserver logs of searches, not from monitoring
Metasploit usage.
The only new addition to the list this month is an old Apache Killer exploit.
Read on for the rest of November's exploit and auxiliary modules with commentary
by Meta
4 min
Metasploit
New Metasploit 4.5: Manage Your Organization's Phishing Exposure
You can now get a better handle on your organization's exposure to phishing
attacks [http://www.rapid7.com/solutions/need/manage-phishing-exposure.jsp]:
Metasploit Pro now gives you quick insight on risks and advice on how to reduce
them. With today's new release version 4.5, Metasploit Pro's social engineering
features are no longer just for penetration testers but add a lot of value for
more generalist security professionals. A handful of our customers already
tested these new capabilities i
5 min
Metasploit
Exploit Trends: Top 10 Searches for Metasploit Modules in October
Time for your monthly dose of Metasploit exploit trends! Each month we gather
this list of the most searched exploit and auxiliary modules from the Metasploit
database. To protect users' privacy, the statistics come from analyzing
webserver logs of searches, not from monitoring Metasploit usage.
October was a quiet month for exploit headlines, so not a whole lot of action on
the list. The high traffic to Java and IE modules from their respective 0-days
settled down, so you'll see some shuffli
1 min
Penetration Testing
How to Justify Your Penetration Testing Budget - Whiteboard Wednesdays
Is penetration testing a good idea to you, but your managers don't seem to get
it? Don't worry, you're not alone, and there is a solution. This Whiteboard
Wednesday
[http://www.rapid7.com/resources/videos/justifying-penetration-testing-budget.jsp]
video walks you through some steps to achieve your goal - and to get your budget
approved.
Areas I'll touch on are:
* How do I explain penetration testing to my boss?
* Why do we need penetration testing if we have all these security controls in
5 min
Metasploit
Exploit Trends: Java and IE 0days
Each month we report the top ten searched exploit and auxiliary modules on
metasploit.com. The statistics are drawn from our exploit database by analyzing
webserver logs of searches, not through Metasploit usage which is not tracked to
preserve privacy.
With the Java and Internet Explorer 0-days in August and September, this month's
exploit trends from Metasploit really shook-up the status quo. And, just to make
things more interesting, there are a couple exploits from April that came back
fo
1 min
Penetration Testing
What is Penetration Testing? - Whiteboard Wednesdays
Are you wondering "What is penetration testing?" Need a quick primer on the
topic? In this first video of our Whiteboard Wednesdays series, we're explaining
what a penetration test is as well as some typical reasons why people conduct
so-called "pen tests". l'll also introduce you to the typical steps of a
penetration test, including:
* Reconaissance
* Discovery
* Exploitation
* Bruteforcing
* Social engineering
* Taking control
* Pivoting
* Collecting evidence
* Reporting
* Remediati
2 min
Authentication
Free Scanner for MySQL Authentication Bypass CVE-2012-2122
The MySQL authentication bypass vulnerability (CVE-2012-2122) - explained in
detail in HD Moore's blog post
[/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql] - was
the cause for much concern when it was first discovered. In response, we've
created a new vulnerability scanner for CVE-2012-2122 called ScanNow
[http://www.rapid7.com/free-security-software-downloads/MySQL-vulnerability-scanner-CVE-2012-2122.jsp]
, which enables you to check your network for vulnerability to thi
1 min
Metasploit
Webcast: Decrease Your Risk of a Data Breach - Effective Security Programs with Metasploit
Thanks for the many CISOs and security engineers who attended our recent
webcast, in which I presented some practical advice on how to leverage
Metasploit to conduct regular security reviews that address current attack
vectors. While Metasploit is often used for penetration testing projects, this
presentation focuses on leveraging Metasploit for ongoing security assessments
that can be achieved with a small security team to reduce the risk of a data
breach.
This webcast is now available for on-
4 min
Exploits
Exploit Trends: August Java 0-day
Coming from August's Java 0-day release, there are three new Java exploits among
the top 10 most searched Metasploit exploits and auxiliary modules in this
month's trend list. The monthly statistics are drawn from our exploit database
[http://www.metasploit.com/modules/] by analyzing webserver logs of searches on
metasploit.com, not through Metasploit usage which is not tracked for privacy.
Check out the top searched exploits and modules below, annotated with Tod
Beardley's excellent comments
1 min
Open Source
Webcast: Playing in the Sandbox - Open Source Tools for Threat Intelligence
If you missed last week's webcast in the Life's a Breach series, I have good
news for you: The recording is now available
[http://information.rapid7.com/open-source-tools-for-threat-intelligence-on-demand.html?LS=1315242&CS=web]
. In this webcast, Claudio Guarnieri, security researcher with Rapid7 and
creator of Cuckoo Sandbox, shows what we can learn from analyzing malware that
have been caught with honeypots.
By watching this webcast you will learn:
* How to actively collect and analyze thr
4 min
Exploits
Exploit Trends: Java Signed Applet Social Engineering and Joomla Exploit
Each month we use the exploit database (DB) [http://www.metasploit.com/modules/]
to compile a list of the top 10 most searched exploit and auxiliary modules from
Metasploit. The data base analyzes searches conducted on Metasploit.com from the
webserver's logs. (We do not track actual Metasploit usage to preserve users'
privacy.)
This month's list has the top 5 hanging strong from last month, with three new
additions coming in at numbers 8, 9, and 10. Tod Beardsley broke down the top 10
to gi
5 min
Metasploit
New Metasploit 4.4: Risk Validation for Vulnerability Management with Nexpose, Improved AV Evasion, and Faster UI
Fresh out of the oven and in time for Black Hat Las Vegas, we present to you the
new Metasploit 4.4 with these great new features:
Focus Your Remediation Efforts: Metasploit Risk Validation for Nexpose
Vulnerability Management
You may have been in this situation: your vulnerability scanning report is so
long you don't know where to start. You don't have time to address all
vulnerabilities, and you don't know which ones are important. If this sounds
familiar, you may get very excited about Met