1 min
Metasploit
Six Wonderful Years
Rapid7 has been my home for the last six years, growing from 98 people when I
joined to over 700 today. Keeping up with the growth has been both exhilarating
and terrifying. I am really proud of our Austin team, the Metasploit ecosystem,
and our leadership in security research. We care about our customers, our
employees, and our impact in the industry. Working at Rapid7 has simply been the
best job I have ever had.
We have surpassed every goal that I set when I joined in 2009. Metasploit is
thr
5 min
Vulnerability Disclosure
CVE-2015-7755: Juniper ScreenOS Authentication Backdoor
On December 18th, 2015 Juniper issued an advisory
[https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&cat=SIRT_1&actp=LIST]
indicating that they had discovered unauthorized code in the ScreenOS software
that powers their Netscreen firewalls. This advisory covered two distinct
issues: a backdoor in the VPN implementation that allows a passive eavesdropper
to decrypt traffic, and a second backdoor that allows an attacker to bypass
authentication in the SSH and Telnet daemons. Shortly
8 min
Metasploit
Meterpreter Survey 2015: You spoke, we listened, then wrote a bunch of code.
The Survey
One month ago we asked the community for feedback about how they use Metasploit
and what they want to see in the Meterpreter payload suite going forward. Over
the course of a week we received over 400 responses and over 200 write-in
suggestions for new features. We have spent the last month parsing through your
responses, identifying dependencies, and actively delivering new features based
on your requests. These requests covered 20 different categories:
General Feedback Metasploit F
4 min
The Internet of Gas Station Tank Gauges
Introduction
Automated tank gauges (ATGs) are used to monitor fuel tank inventory levels,
track deliveries, raise alarms that indicate problems with the tank or gauge
(such as a fuel spill), and to perform leak tests in accordance with
environmental regulatory compliance. ATGs are used by nearly every fueling
station in the United States and tens of thousands of systems internationally.
Many ATGs can be programmed and monitored through a built-in serial port, a
plug-in serial port, a fax/modem,
3 min
Metasploit
12 Days of HaXmas: Metasploit, Nexpose, Sonar, and Recog
This post is the tenth in a series, 12 Days of HaXmas, where we take a look at
some of the more notable advancements and events in the Metasploit Framework
over the course of 2014.
The Metasploit Framework uses operating system and service fingerprints for
automatic target selection and asset identification. This blog post describes a
major overhaul of the fingerprinting backend within Metasploit and how you can
extend it by submitting new fingerprints.
Historically, Metasploit wasn't great at fin
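The fingerprinting backend the post refers to is Recog, a table of regular expressions applied to banners and headers that yield structured attributes. As an added illustration, not code from the original post, from Metasploit or from the Recog project, here is a minimal matcher in Ruby over a constructed fingerprint table. The `matches` types, patterns, attribute names, example banners and the `match_banner` / `verify_fingerprints` helpers are assumptions of this example; the self-check that every fingerprint must match its own examples and no example may match a second fingerprint of the same type is the kind of gate a submitted fingerprint would be expected to pass.

```ruby
# Added example: a Recog-style regex fingerprint table and matcher.
# Each entry names the banner type it applies to, a pattern, the
# attribute that each capture group fills, fixed attributes, and example
# banners that the fingerprint must match. Everything below is
# constructed for this example and is not the Recog database.
FINGERPRINTS = [
  {
    matches:  'ssh.banner',
    pattern:  /\ASSH-2\.0-OpenSSH_([\d.]+)(?:p(\d+))?/,
    params:   %w[service.version service.patchlevel],
    fixed:    { 'service.vendor' => 'OpenBSD', 'service.product' => 'OpenSSH' },
    examples: ['SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2', 'SSH-2.0-OpenSSH_7.2'],
  },
  {
    matches:  'http.server',
    pattern:  /\AApache(?:\/([\d.]+))?/,
    params:   %w[service.version],
    fixed:    { 'service.vendor' => 'Apache', 'service.product' => 'HTTPD' },
    examples: ['Apache/2.4.7 (Ubuntu)', 'Apache'],
  },
  {
    matches:  'smtp.banner',
    pattern:  /\A220 (\S+) ESMTP Postfix/,
    params:   %w[host.name],
    fixed:    { 'service.vendor' => 'Postfix', 'service.product' => 'SMTP' },
    examples: ['220 mail.example.com ESMTP Postfix (Ubuntu)'],
  },
]

# Return the attributes for the first fingerprint of the given type that
# matches the banner, or nil. Capture groups fill params in order; a
# group that did not participate (e.g. Apache with no version) adds
# nothing, so callers only see attributes the banner actually carried.
def match_banner(type, banner)
  FINGERPRINTS.each do |fp|
    next unless fp[:matches] == type
    m = fp[:pattern].match(banner) or next
    attrs = fp[:fixed].dup
    fp[:params].each_with_index { |name, i| attrs[name] = m[i + 1] if m[i + 1] }
    return attrs
  end
  nil
end

# Validate a table: every fingerprint must match each of its own examples,
# and no example may also match a different fingerprint of the same type
# (that would make the first-match result depend on table order).
# Returns a list of problems; an empty list means the table is consistent.
def verify_fingerprints(table = FINGERPRINTS)
  problems = []
  table.each_with_index do |fp, idx|
    fp[:examples].each do |ex|
      problems << "#{idx}: example #{ex.inspect} does not match" unless fp[:pattern].match?(ex)
      table.each_with_index do |other, j|
        next if j == idx || other[:matches] != fp[:matches]
        problems << "#{idx}: example #{ex.inspect} also matches #{j}" if other[:pattern].match?(ex)
      end
    end
  end
  problems
end
```

Running `verify_fingerprints` before merging a new entry catches the two common mistakes in submitted fingerprints: a pattern that does not actually match the banner it was written for, and an over-broad pattern (for instance one that matches every `SSH-2.0-` banner) that silently shadows more specific entries.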
2 min
Project Sonar
2015: Project Sonar Wiki & UDP Scan Data
Project Sonar started in September of 2013 with the goal of improving security
through the active analysis of public networks. For the first few months, we
focused almost entirely on SSL, DNS, and HTTP enumeration. This uncovered all
sorts of interesting security issues and contributed to a number of advisories
and research papers. The SSL and DNS datasets were especially good at
identifying assets for a given organization, often finding systems that the IT
team had no inkling of. At this point,
3 min
Vulnerability Disclosure
R7-2014-15: GNU Wget FTP Symlink Arbitrary Filesystem Access
Introduction
GNU Wget is a command-line utility designed to download files via HTTP, HTTPS,
and FTP. Wget versions prior to 1.16 are vulnerable to a symlink attack
(CVE-2014-4877) when running in recursive mode with an FTP target. This
vulnerability allows an attacker operating a malicious FTP server to create
arbitrary files, directories, and symlinks on the user's filesystem. The symlink
attack allows file contents to be overwritten, including binary files, and
access to the entire filesystem wit
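To make the attack pattern concrete, here is an added Ruby simulation that is not wget's code and not part of the original advisory. A recursive FTP client that recreates whatever symlinks the server advertises, and then writes retrieved file bodies by name, can be made to write through a symlink to a file outside the mirror; the hardened variant rejects any symlink whose target resolves outside the mirror root and refuses to write through a symlink left by an earlier entry. The LIST lines, the victim file, the served body and all helper names are constructed for this example.

```ruby
# Added example: a malicious FTP listing first advertises "keys" as a
# symlink to a file outside the mirror, then lists "keys" as a regular
# file. A client that mirrors both entries literally overwrites the
# target. Everything here is constructed; it is not wget's code.
require 'tmpdir'

Entry = Struct.new(:type, :name, :target)

# Parse Unix-style FTP LIST lines; a leading 'l' in the mode field marks
# a symlink and the name field then carries "link -> target".
def parse_listing(text)
  text.each_line.map do |line|
    f = line.strip.split(/\s+/, 9)
    next if f.size < 9
    if f[0].start_with?('l')
      name, target = f[8].split(' -> ', 2)
      Entry.new(:symlink, name, target)
    else
      Entry.new(:file, f[8], nil)
    end
  end.compact
end

# Vulnerable behaviour: recreate every advertised symlink, then write each
# retrieved body by name. File.write follows the symlink created earlier.
def mirror_unsafe(entries, root, body)
  entries.each do |e|
    path = File.join(root, e.name)
    e.type == :symlink ? File.symlink(e.target, path) : File.write(path, body)
  end
end

def inside_root?(root_real, path)
  path == root_real || path.start_with?(root_real + File::SEPARATOR)
end

# Hardened behaviour: keep only names and symlink targets that resolve
# inside the mirror root, and never write through an existing symlink.
# Returns the names that were rejected.
def mirror_safe(entries, root, body)
  root_real = File.realpath(root)
  rejected = []
  entries.each do |e|
    path = File.expand_path(e.name, root_real)
    next rejected << e.name unless inside_root?(root_real, path)
    if e.type == :symlink
      target = File.expand_path(e.target, File.dirname(path))
      next rejected << e.name unless inside_root?(root_real, target)
      File.symlink(e.target, path)
    else
      next rejected << e.name if File.symlink?(path)
      File.write(path, body)
    end
  end
  rejected.uniq
end

BODY = "ssh-rsa AAAA... attacker@evil\n" # constructed body served for "keys"

# Run both mirrors against the same listing and report what happened to
# the victim file, which lives outside either mirror directory.
def run_demo
  Dir.mktmpdir('victim') do |vdir|
    victim = File.join(vdir, 'authorized_keys')
    listing = <<~LIST
      lrwxrwxrwx 1 ftp ftp 30 Oct 27 2014 keys -> #{victim}
      -rw-r--r-- 1 ftp ftp 64 Oct 27 2014 keys
      lrwxrwxrwx 1 ftp ftp  2 Oct 27 2014 up -> ..
      -rw-r--r-- 1 ftp ftp  8 Oct 27 2014 README
    LIST
    entries = parse_listing(listing)
    File.write(victim, "original\n")
    Dir.mktmpdir('unsafe') { |d| mirror_unsafe(entries, d, BODY) }
    after_unsafe = File.read(victim)
    File.write(victim, "original\n")
    rejected = files = nil
    Dir.mktmpdir('safe') do |d|
      rejected = mirror_safe(entries, d, BODY)
      files = Dir.children(d).sort
    end
    { after_unsafe: after_unsafe, after_safe: File.read(victim),
      rejected: rejected, files: files }
  end
end

p run_demo if $PROGRAM_NAME == __FILE__
```

The unsafe mirror ends with the victim file replaced by the served body, while the safe mirror writes `keys` and `README` as ordinary files inside its own directory, rejects both escaping symlinks, and leaves the victim untouched. The same root check also covers entry names that contain `..`, which the second listed symlink exercises.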
2 min
Project Sonar
R7-2014-16: Palo Alto Networks User-ID Credential Exposure
Project Sonar [https://community.rapid7.com/community/infosec/sonar] tends to
identify unexpected issues, especially with regards to network security
products. In July of this year, we began to notice a flood of incoming SMB
connections every time we launched the VxWorks WDBRPC
[/2010/08/02/shiny-old-vxworks-vulnerabilities] scan. To diagnose the issue, we
ran the Metasploit SMB Capture
[http://www.rapid7.com/db/modules/auxiliary/server/capture/smb] module on one of
our scanning nodes and collec
2 min
Windows
Mitigating Service Account Credential Theft
I am excited to announce a new whitepaper, Mitigating Service Account Credential
Theft on Windows
[https://hdm.io/writing/Mitigating%20Service%20Account%20Credential%20Theft%20on%20Windows.pdf].
This paper was a collaboration between myself, Joe Bialek of
Microsoft, and Ashwath Murthy of Palo Alto Networks. The executive summary is
shown below,
Over the last 15 years, the Microsoft Windows ecosystem has expanded with the
meteoric rise of the internet, business technology, and computing in gene
2 min
Goodnight, BrowserScan
The BrowserScan [https://browserscan.rapid7.com/] concept emerged during the
heyday of Java zero-day exploits in 2012. The risk posed by out-of-date browser
addons, especially Java and Flash, was a critical issue for our customers and
the greater security community. The process of scanning each desktop for
outdated plugins was something that many firms couldn't do easily. BrowserScan
helped these firms gather macro-level exposure data about their desktop systems,
providing a quick health-check o
4 min
Vulnerability Disclosure
Supermicro IPMI Firmware Vulnerabilities
Introduction
This post summarizes the results of a limited security analysis of the
Supermicro IPMI firmware. This firmware is used in the baseboard management
controller (BMC) of many Supermicro motherboards.
The majority of our findings relate to firmware version SMT_X9_226. The
information in this post was provided to Supermicro on August 22nd, 2013 in
accordance with the Rapid7 vulnerability disclosure policy. More information on
this policy can be found online at http://www.rapid7.com/disc
1 min
Project Sonar: One Month Later
It has been a full month since we launched Project Sonar and I wanted to provide
a quick update about where things are, the feedback we have received, and where we
are going from here.
We have received a ton of questions from interested contributors about the legal
risk of internet-wide scanning. These risks are real, but differ widely by
region, country, and type of scan. We can't provide legal advice, but we have
obtained help from the illustrious Marcia Hofmann [http://marciahofmann.com/],
who
3 min
Exploits
Estimating ReadyNAS Exposure with Internet Scans
I wanted to share a brief example of using a full scan of IPv4 to estimate the
exposure level of a vulnerability. Last week, Craig Young
[https://twitter.com/craigtweets], a security researcher at Tripwire, wrote a
blog post
[http://www.tripwire.com/state-of-security/vulnerability-management/readynas-flaw-allows-root-access-unauthenticated-http-request/]
about a vulnerability in the ReadyNAS network storage appliance. In an
interview
with Threatpost
[http://threatpost.com/netgear-readynas-storag
4 min
Project Sonar
The Security Space Age
I was fortunate enough to present as the keynote speaker for HouSecCon 4
[http://houstonseccon.com/]. The first part of my presentation focused on the
parallels between information security today and the dawn of the space age in
the late 1950s. The second section dove into internet-wide measurement and
details about Project Sonar. Since it may be a while before the video of the
presentation is online, I wanted to share the content for those who may be
interested and could not attend the event. A
0 min
Welcome to Project Sonar!
Project Sonar is a community effort to improve security through the active
analysis of public networks. This includes running scans across public
internet-facing systems, organizing the results, and sharing the data with the
information security community. The three components to this project are tools,
datasets, and research.
Please visit the Sonar Wiki [https://github.com/rapid7/sonar/wiki] for more
information.