Posts by HD Moore

13 min Metasploit

A Penetration Tester's Guide to IPMI and BMCs

Introduction Dan Farmer is known for his groundbreaking work [http://fish2.com/security/] on security tools and processes. Over the last year, Dan has identified some serious security issues [http://fish2.com/ipmi/] with the Intelligent Platform Management Interface (IPMI) protocol and the Baseboard Management Controllers (BMCs) that speak it. This post goes into detail on how to identify and test for each of the issues that Dan identified, using a handful of free security tools.  If you are lo

7 min Metasploit

Serial Offenders: Widespread Flaws in Serial Port Servers

Introduction At the InfoSec Southwest 2013 [http://2013.infosecsouthwest.com/] conference I gave a presentation [https://speakerdeck.com/hdm/aisa-may-2013-serial-offenders] on serial port servers. This presentation was drawn from research that tried to determine how prevalent and exposed internet-connected serial port servers are. The results were pretty scary - authentication was rarely implemented and the types of devices exposed ranged from corporate VPN servers to traffic signal monitors. T

3 min Metasploit

Security Flaws in Universal Plug and Play: Unplug, Don't Play

This morning we released a whitepaper entitled Security Flaws in Universal Plug and Play [https://information.rapid7.com/rs/411-NAK-970/images/SecurityFlawsUPnP%20%281%29.pdf] . This paper is the result of a research project spanning the second half of 2012 that measured the global exposure of UPnP-enabled network devices. The results were shocking to the say the least. Over 80 million unique IPs were identified that responded to UPnP discovery requests from the internet. Somewhere between 40 an

4 min Exploits

Ray Sharp CCTV DVR Password Retrieval & Remote Root

On January 22, 2013, a researcher going by the name someLuser [http://console-cowboys.blogspot.com/2013/01/swann-song-dvr-insecurity.html] detailed a number of security flaws in the Ray Sharp DVR platform [http://www.raysharp.cn/en/prodNetWork.aspx?Id=62]. These DVRs are often used for closed-circuit TV (CCTV) systems and security cameras. In addition to Ray Sharp, the exposures seem to affect rebranded DVR products by Swann [http://www.swann.com/s/products/swannview], Lorex, URMET, KGuard, Def

1 min Metasploit

Hacking like it's 1985: Rooting the Cisco Prime LAN Management Solution

On January 9th Cisco released advisory cisco-sa-20130109 [http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130109-lms] to address a vulnerability in the "rsh" service running on their Cisco Prime LAN Management Solution virtual appliance. The bug is as bad as it gets - anyone who can access the rsh service can execute commands as the root user account without authentication. The example below demonstrates how to exploit this flaw using Metasploit ( free download [

5 min Exploits

Exploiting Ruby on Rails with Metasploit (CVE-2013-0156)

Background Earlier this week, a critical security flaw [/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156] in Ruby on Rails (RoR) was identified that could expose an application to remote code execution, SQL injection, and denial of service attacks. Ruby on Rails is a popular web application framework that is used by both web sites and web-enabled products and this flaw is by far the worst security problem to surface in this framework to date. If you are interested in the details of

4 min Metasploit

Serialization Mischief in Ruby Land (CVE-2013-0156)

This afternoon a particularly scary advisory [https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion] was posted to the Ruby on Rails (RoR) security discussion list. The summary is that the XML processor in RoR can be tricked into decoding the request as a YAML document or as a Ruby Symbol, both of which can expose the application to remote code execution or SQL injection. A gentleman by the name of Felix Wilhelm went into detail [http://www.insinuator.net/2013/01/r

1 min Metasploit

Introducing Metasploitable 2!

Some folks may already be aware of Metasploitable, an intentionally vulnerable virtual machine designed for training, exploit testing, and general target practice. Unlike other vulnerable virtual machines, Metasploitable focuses on vulnerabilities at the operating system and network services layer instead of custom, vulnerable applications. I am happy to announce the release of Metasploitable 2, an even better punching bag for security tools like Metasploit [http://metasploit.com/downloads/], an

2 min Metasploit

Scanning for Vulnerable F5 BigIPs with Metasploit

This morning Matta Consulting posted an advisory [https://www.trustmatta.com/advisories/MATTA-2012-002.txt] for the F5 BigIP equipment. The advisory states that certain BigIP devices contain a SSH private key on its filesystem that is trusted for remote root access on every other BigIP appliance. Although Matta did not provide the private key, they did provide the public key itself: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAvIhC5skTzxyHif/7iy3yhxuK6/OB13hjPqrskogkYFrcW8OK4VJ T+5+Fx7wd4sQCnVn8rNqahw/x

5 min Metasploit

CVE-2012-2122: A Tragically Comedic Security Flaw in MySQL

UPDATE: Want to know if your MySQL Server is vulnerable? Download the free vulnerability scanner ScanNow for MySQL Authentication Bypass [http://www.rapid7.com/free-security-software-downloads/MySQL-vulnerability-scanner-CVE-2012-2122.jsp] (CVE-2012-2122)! [http://www.rapid7.com/free-security-software-downloads/MySQL-vulnerability-scanner-CVE-2012-2122.jsp] Introduction On Saturday afternoon Sergei Golubchik posted to the oss-sec [http://seclists.org/oss-sec/2012/q2/493] mailing list about a

1 min Metasploit

Identifying IPv6 Security Risks in IPv4 Networks: Tools

This post details some of the tools used in my recent IPv6 security testing webcast [http://information.rapid7.com/WebcastOnDemand_IPv6.html] If you have any specific questions, please open a Discussion [https://community.rapid7.com/community/metasploit/content?filterID=content~objecttype~objecttype%5Bthread%5D] thread. A minimal IPv6 toolbox: * A Linux-based operating system [http://www.ubuntu.com/] with IPv6 support (BSD variants are great too) * The IPv6 Attack Toolkit [http://www.thc

15 min

Mythical Videoconferencing Hackers

Open and frank debate is one of the great things about the security community and the recent press [/2012/01/23/video-conferencing-and-self-selecting-targets] about our H.323 research has set off a firestorm in some circles. In one extensively written post [http://www.telepresenceoptions.com/2012/01/how_to_defend_your_boardroom_a/], David Maldow of Human Productivity Lab downplays the risk to video conferencing systems and makes a few claims about the security of these systems that were hard t

7 min

Board Room Spying for Fun and Profit

Update: David Maldow of Human Productivity Lab wrote a response to the NYT article [http://www.telepresenceoptions.com/2012/01/how_to_defend_your_boardroom_a/] that presented an industry perspective on our findings. Mythical Videoconferencing Hackers [/2012/01/25/mythical-videoconferencing-hackers] and why we stand behind our claims. Additionally, the archive of Tuesday's webcast on the same topic [http://www.rapid7.com/resources/webcast-boardroom.jsp] (with live demos) is now available. Thank

2 min Phishing

Simple Outlook Web Access Phishing

This blog post describes a simple phishing attack covered in today's webcast [http://www.rapid7.com/resources/webcasts.jsp]. The goal is to create a fake front-end to an organization's Outlook Web Access portal and convince users to login through this portal. In the course of an authorized security assessment this type of attack provides an initial foot in the door to the target organization and takes few resources to setup. This technique relies on the following steps: * Clone the target's e

2 min Metasploit

More Fun with BSD-derived Telnet Daemons

In my last post [/2011/12/28/bsd-telnet-daemon-encrypt-key-id-overflow], I discussed the recent BSD telnetd vulnerability and demonstrated the scanner module added to the Metasploit Framework. Since then, two new exploit modules have been released; one for FreeBSD versions 5.3 - 8.2 [https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/freebsd/telnet/telnet_encrypt_keyid.rb] and another for Red Hat Enterprise Linux 3 [https://github.com/rapid7/metasploit-framework/blob/ma