Posts by HD Moore

1 min Metasploit

Six Wonderful Years

Rapid7 has been my home for the last six years, growing from 98 people when I joined to over 700 today. Keeping up with the growth has been both exhilarating and terrifying. I am really proud of our Austin team, the Metasploit ecosystem, and our leadership in security research. We care about our customers, our employees, and our impact in the industry. Working at Rapid7 has simply been the best job I have ever had. We have surpassed every goal that I set when I joined in 2009. Metasploit is thr

5 min Vulnerability Disclosure

CVE-2015-7755: Juniper ScreenOS Authentication Backdoor

On December 18th, 2015 Juniper issued an advisory [https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&cat=SIRT_1&actp=LIST] indicating that they had discovered unauthorized code in the ScreenOS software that powers their Netscreen firewalls. This advisory covered two distinct issues: a backdoor in the VPN implementation that allows a passive eavesdropper to decrypt traffic, and a second backdoor that allows an attacker to bypass authentication in the SSH and Telnet daemons. Shortly

8 min Metasploit

Meterpreter Survey 2015: You spoke, we listened, then wrote a bunch of code.

The Survey One month ago we asked the community for feedback about how they use Metasploit and what they want to see in the Meterpreter payload suite going forward. Over the course of a week we received over 400 responses and over 200 write-in suggestions for new features. We have spent the last month parsing through your responses, identifying dependencies, and actively delivering new features based on your requests. These requests covered 20 different categories: General Feedback Metasploit F

4 min

The Internet of Gas Station Tank Gauges

Introduction Automated tank gauges (ATGs) are used to monitor fuel tank inventory levels, track deliveries, raise alarms that indicate problems with the tank or gauge (such as a fuel spill), and to perform leak tests in accordance with environmental regulatory compliance. ATGs are used by nearly every fueling station in the United States and tens of thousands of systems internationally. Many ATGs can be programmed and monitored through a built-in serial port, a plug-in serial port, a fax/modem,

3 min Metasploit

12 Days of HaXmas: Metasploit, Nexpose, Sonar, and Recog

This post is the tenth in a series, 12 Days of HaXmas, where we take a look at some of more notable advancements and events in the Metasploit Framework over the course of 2014. The Metasploit Framework uses operating system and service fingerprints for automatic target selection and asset identification. This blog post describes a major overhaul of the fingerprinting backend within Metasploit and how you can extend it by submitting new fingerprints. Historically, Metasploit wasn't great at fin
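As an added example (not code from the post, Metasploit or Recog): a minimal Ruby matcher and self-check for Recog-style XML fingerprints, the kind of file a contributor submits. The XML below is constructed for this example; its layout (a `<fingerprints matches="...">` set, `<fingerprint pattern="...">` entries, `<param pos="N">` where pos 0 is a fixed value and pos 1 or higher is a regex capture group, and `<example>` banners whose attributes are the values the match must produce) follows the public Recog format as I understand it, and the class names `Fingerprint` and `FingerprintDB` are mine. The banners are the software-version portion of an SSH banner, with the `SSH-2.0-` prefix already stripped.

```ruby
# Added example: minimal matcher plus self-check for Recog-style XML
# fingerprints. Not Metasploit or Recog code; class names are mine and the
# XML is constructed for this example.
require 'rexml/document'

# Constructed sample in the Recog layout. pos="0" params carry a fixed value,
# pos="N" params take regex capture group N. Each <example> is a banner the
# fingerprint must match; its attributes are the values the match must yield.
SAMPLE_FINGERPRINTS = <<~'XML'
  <fingerprints matches="ssh.banner">
    <fingerprint pattern="^OpenSSH_([\d.]+)(?:p\d+)? Ubuntu-(\S+)$">
      <description>OpenSSH on Ubuntu</description>
      <example service.version="7.6" os.version="4ubuntu0.3">OpenSSH_7.6p1 Ubuntu-4ubuntu0.3</example>
      <param pos="0" name="service.vendor" value="OpenBSD"/>
      <param pos="0" name="service.product" value="OpenSSH"/>
      <param pos="1" name="service.version"/>
      <param pos="0" name="os.vendor" value="Ubuntu"/>
      <param pos="0" name="os.product" value="Linux"/>
      <param pos="2" name="os.version"/>
    </fingerprint>
    <fingerprint pattern="^OpenSSH_([\d.]+)(?:p\d+)?$">
      <description>OpenSSH, distribution unknown</description>
      <example service.version="7.4">OpenSSH_7.4</example>
      <param pos="0" name="service.vendor" value="OpenBSD"/>
      <param pos="0" name="service.product" value="OpenSSH"/>
      <param pos="1" name="service.version"/>
    </fingerprint>
  </fingerprints>
XML

# Constructed fingerprint whose <example> disagrees with what the pattern
# actually captures (group 1 is "2019", not "2019.78"); verify must flag it.
BROKEN_FINGERPRINTS = <<~'XML'
  <fingerprints matches="ssh.banner">
    <fingerprint pattern="^dropbear_(\d+)\.(\d+)$">
      <description>Dropbear SSH</description>
      <example service.version="2019.78">dropbear_2019.78</example>
      <param pos="0" name="service.product" value="Dropbear"/>
      <param pos="1" name="service.version"/>
    </fingerprint>
  </fingerprints>
XML

class Fingerprint
  attr_reader :regex, :description

  def initialize(node)
    @regex = Regexp.new(node.attributes['pattern'])
    desc = node.elements['description']
    @description = desc ? desc.text.to_s.strip : ''
    @params = node.elements.to_a('param').map do |p|
      { pos: p.attributes['pos'].to_i, name: p.attributes['name'], value: p.attributes['value'] }
    end
    @examples = node.elements.to_a('example')
  end

  # Returns a hash of attribute name => value on match, or nil when the
  # banner does not match this fingerprint's pattern.
  def match(banner)
    m = @regex.match(banner)
    return nil unless m
    @params.each_with_object({}) do |param, out|
      out[param[:name]] = param[:pos].zero? ? param[:value] : m[param[:pos]]
    end
  end

  # Runs every <example> through the pattern and compares the declared
  # attributes; returns human-readable failures (empty when the entry is clean).
  def verify_examples
    @examples.flat_map do |ex|
      banner = ex.text.to_s
      got = match(banner)
      next ["#{description}: #{banner.inspect} does not match /#{@regex.source}/"] unless got
      expected = {}
      ex.attributes.each { |name, value| expected[name] = value }
      expected.map do |name, value|
        next nil if got[name] == value
        "#{description}: #{banner.inspect} expected #{name}=#{value.inspect}, got #{got[name].inspect}"
      end.compact
    end
  end
end

class FingerprintDB
  attr_reader :matches_key, :fingerprints

  def initialize(xml)
    root = REXML::Document.new(xml).root
    @matches_key = root.attributes['matches'] # banner type this file applies to
    @fingerprints = root.elements.to_a('fingerprint').map { |n| Fingerprint.new(n) }
  end

  # First fingerprint that matches wins, so specific patterns go before generic ones.
  def match(banner)
    @fingerprints.each do |fp|
      result = fp.match(banner)
      return result.merge('matched' => fp.description) if result
    end
    nil
  end

  def verify
    @fingerprints.flat_map(&:verify_examples)
  end
end

SSH_DB = FingerprintDB.new(SAMPLE_FINGERPRINTS)

if __FILE__ == $PROGRAM_NAME
  ['OpenSSH_7.6p1 Ubuntu-4ubuntu0.3', 'OpenSSH_7.4', 'SSH-2.0-libssh'].each do |banner|
    puts "#{banner.inspect} => #{SSH_DB.match(banner).inspect}"
  end
  puts "sample self-check: #{SSH_DB.verify.empty? ? 'ok' : SSH_DB.verify.join("\n")}"
  puts "broken self-check: #{FingerprintDB.new(BROKEN_FINGERPRINTS).verify.join("\n")}"
end
```

The self-check is the part worth copying: a fingerprint whose `<example>` does not round-trip through its own pattern will silently mislabel assets in a scan, so run every example before submitting a new entry, and order entries so the most specific pattern is tried first.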

2 min Project Sonar

2015: Project Sonar Wiki & UDP Scan Data

Project Sonar started in September of 2013 with the goal of improving security through the active analysis of public networks. For the first few months, we focused almost entirely on SSL, DNS, and HTTP enumeration. This uncovered all sorts of interesting security issues and contributed to a number of advisories and research papers. The SSL and DNS datasets were especially good at identifying assets for a given organization, often finding systems that the IT team had no inkling of. At this point,

3 min Vulnerability Disclosure

R7-2014-15: GNU Wget FTP Symlink Arbitrary Filesystem Access

Introduction GNU Wget is a command-line utility designed to download files via HTTP, HTTPS, and FTP. Wget versions prior to 1.16 are vulnerable to a symlink attack (CVE-2014-4877) when running in recursive mode with an FTP target. This vulnerability allows an attacker operating a malicious FTP server to create arbitrary files, directories, and symlinks on the user's filesystem. The symlink attack allows file contents to be overwritten, including binary files, and access to the entire filesystem wit

2 min Project Sonar

R7-2014-16: Palo Alto Networks User-ID Credential Exposure

Project Sonar [https://community.rapid7.com/community/infosec/sonar] tends to identify unexpected issues, especially with regards to network security products. In July of this year, we began to notice a flood of incoming SMB connections every time we launched the VxWorks WDBRPC [/2010/08/02/shiny-old-vxworks-vulnerabilities] scan. To diagnose the issue, we ran the Metasploit SMB Capture [http://www.rapid7.com/db/modules/auxiliary/server/capture/smb] module on one of our scanning nodes and collec

2 min Windows

Mitigating Service Account Credential Theft

I am excited to announce a new whitepaper, Mitigating Service Account Credential Theft [https://hdm.io/writing/Mitigating%20Service%20Account%20Credential%20Theft%20on%20Windows.pdf] on Windows. This paper was a collaboration between myself, Joe Bialek of Microsoft, and Ashwath Murthy of Palo Alto Networks. The executive summary is shown below: Over the last 15 years, the Microsoft Windows ecosystem has expanded with the meteoric rise of the internet, business technology, and computing in gene

2 min

Goodnight, BrowserScan

The BrowserScan [https://browserscan.rapid7.com/] concept emerged during the heyday of Java zero-day exploits in 2012. The risk posed by out-of-date browser addons, especially Java and Flash, was a critical issue for our customers and the greater security community. The process of scanning each desktop for outdated plugins was something that many firms couldn't do easily. BrowserScan helped these firms gather macro-level exposure data about their desktop systems, providing a quick health-check o

4 min Vulnerability Disclosure

Supermicro IPMI Firmware Vulnerabilities

Introduction This post summarizes the results of a limited security analysis of the Supermicro IPMI firmware. This firmware is used in the baseboard management controller (BMC) of many Supermicro motherboards. The majority of our findings relate to firmware version SMT_X9_226. The information in this post was provided to Supermicro on August 22nd, 2013 in accordance with the Rapid7 vulnerability disclosure policy. More information on this policy can be found online at http://www.rapid7.com/disc

1 min

Project Sonar: One Month Later

It has been a full month since we launched Project Sonar and I wanted to provide a quick update about where things are, the feedback we have received, and where we are going from here. We have received a ton of questions from interested contributors about the legal risk of internet-wide scanning. These risks are real, but differ widely by region, country, and type of scan. We can't provide legal advice, but we have obtained help from the illustrious Marcia Hofmann [http://marciahofmann.com/], who

3 min Exploits

Estimating ReadyNAS Exposure with Internet Scans

I wanted to share a brief example of using a full scan of IPv4 to estimate the exposure level of a vulnerability. Last week, Craig Young [https://twitter.com/craigtweets], a security researcher at Tripwire, wrote a blog post [http://www.tripwire.com/state-of-security/vulnerability-management/readynas-flaw-allows-root-access-unauthenticated-http-request/] about a vulnerability in the ReadyNAS network storage appliance. In an interview with Threatpost [http://threatpost.com/netgear-readynas-storag

4 min Project Sonar

The Security Space Age

I was fortunate enough to present as the keynote speaker for HouSecCon 4 [http://houstonseccon.com/]. The first part of my presentation focused on the parallels between information security today and the dawn of the space age in the late 1950s. The second section dove into internet-wide measurement and details about Project Sonar. Since it may be a while before the video of the presentation is online, I wanted to share the content for those who may be interested and could not attend the event. A

0 min

Welcome to Project Sonar!

Project Sonar is a community effort to improve security through the active analysis of public networks. This includes running scans across public internet-facing systems, organizing the results, and sharing the data with the information security community. The three components to this project are tools, datasets, and research. Please visit the Sonar Wiki [https://github.com/rapid7/sonar/wiki] for more information.