3 min
Project Sonar
Attack Surface Monitoring with Project Sonar
Attack Surface Monitoring with Project Sonar can help you reduce and monitor your attack surface.
8 min
Vulnerability Management
Understanding Ubiquiti Discovery Service Exposures
On Jan. 29, the Rapid7 Labs team was informed of a tweet by Jim Troutman indicating that Ubiquiti devices were being exploited and used to conduct denial-of-service attacks using a service on 10001/UDP.
13 min
Research
Rsunk your Battleship: An Ocean of Data Exposed through Rsync
Rapid7 Labs recently decided to take a fresh look at rsync, this time focusing on exposure of rsync globally on the public internet.
7 min
Research
Cisco Smart Install Exposure
Cisco Smart Install (SMI) provides configuration and image management
capabilities for Cisco switches. Cisco’s SMI documentation
[http://www.cisco.com/c/en/us/td/docs/switches/lan/smart_install/configuration/guide/smart_install/concepts.html]
goes into more detail than we’ll be touching on in this post, but the short
version is that SMI leverages a combination of DHCP, TFTP and a proprietary TCP
protocol to allow organizations to deploy and manage Cisco switches. Using SMI
yields a number of be
7 min
Research
Remote Desktop Protocol (RDP) Exposure
The Remote Desktop Protocol, commonly referred to as RDP, is a proprietary
protocol developed by Microsoft that is used to provide a graphical means of
connecting to a network-connected computer. RDP client and server support has
been present in varying capacities in most every Windows version since NT
[https://en.wikipedia.org/wiki/Windows_NT]. Outside of Microsoft's offerings,
there are RDP clients available for most other operating systems. If the nitty
gritty of protocols is your thing, Wiki
3 min
Project Sonar
Signal to Noise in Internet Scanning Research
We live in an interesting time for research related to Internet scanning.
There is a wealth of data and services to aid in research. Scanning related
initiatives like Rapid7's Project Sonar [https://sonar.labs.rapid7.com/], Censys
[https://censys.io/], Shodan [https://www.shodan.io/], Shadowserver
[https://www.shadowserver.org/] or any number of other public/semi-public
projects have been around for years, collecting massive troves of data. The
data and services built around it has been used f
3 min
Project Sonar
The Internet of Gas Station Tank Gauges -- Final Take?
In early 2015, HD Moore performed one of the first publicly accessible research
related to Internet-connected gas station tank gauges, The Internet of Gas
Station Tank Gauges [/2015/01/22/the-internet-of-gas-station-tank-gauges].
Later that same year, I did a follow-up study that probed a little deeper in
The
Internet of Gas Station Tank Gauges — Take #2
[/2015/11/18/the-internet-of-gas-station-tank-gauges-take-2]. As part of that
study, we were attempting to see if the exposure of these devic
8 min
Vulnerability Management
ScanNow DLL Search Order Hijacking Vulnerability and Deprecation
Overview
On November 27, 2015, Stefan Kanthak contacted Rapid7 to report a vulnerability
in Rapid7's ScanNow tool. Rapid7 takes security issues seriously and this was
no exception. In combination with a preexisting compromise or other
vulnerabilities, and in the absence of sufficient mitigating measures, a system
with ScanNow can allow a malicious party to execute code of their choosing
leading to varying levels of additional compromise. In order to protect the
small community of users who ma
4 min
IoT
The Internet of Gas Station Tank Gauges -- Take #2
In January 2015, Rapid7 worked with Jack Chadowitz and published research
[/2015/01/22/the-internet-of-gas-station-tank-gauges] related to Automated Tank
Gauges (ATGs) and their exposure on the public Internet. This past September,
Jack reached out to us again, this time with a slightly different request. The
goal was to reassess the exposure of these devices and see if the exposure had
changed, and if so, how and why, but also to see if there were other ways of
identifying potentially exposed
2 min
Amp Up and Defy Amplification Attacks -- Detecting Traffic Amplification Vulnerabilities with Nexpose
Approximately a year ago, the Internet saw the beginnings of what would become
the largest distributed denial of service (DDoS) attacks ever seen. Peaking at
nearly 400Gbs in early 2014, these attacks started when a previously undisclosed
vulnerability that would ultimately become CVE-2013-5211
[https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5211] was
discovered. While these attacks were devastating and they received plenty of
press, the style of attack was not new. In fact, it had
17 min
Project Sonar
R7-2014-17: NAT-PMP Implementation and Configuration Vulnerabilities
Overview
In the summer of 2014, Rapid7 Labs started scanning the public Internet for
NAT-PMP as part of Project Sonar
[https://community.rapid7.com/community/infosec/sonar]. NAT-PMP is a protocol
implemented by many SOHO-class routers and networking devices that allows
firewall and routing rules to be manipulated to enable internal, assumed trusted
users behind a NAT device to allow external users to access internal TCP and UDP
services for things like Apple's Back to My Mac and file/media shar
8 min
Adventures in Empty UDP Scanning
One of the interesting things about security research, and I guess research in
general, is that all too often the only research that is publicized is research
that proves something or shows something especially amazing. Research that is
incomplete, where the original hypothesis or idea ends up being incorrect, or
that ends up at non-spectacular conclusions rarely ends up getting published. I
feel that this trend is doing a disservice to the research community because the
paths that the authors
1 min
BSidesLA 2014 - Trial by Research: Security Research v. Law
Last month I had the pleasure of speaking at BSides Los Angeles
[http://www.securitybsides.com/w/page/36552449/BSidesLosAngeles].
My role at Rapid7, much like many others who dabble in security research,
frequently puts me in a position where I need to be aware of and careful
regarding U.S. law. The talk I gave, titled "Trial by Research: Security
Research v. Law", describes how current U.S. laws like the CFAA, ECPA and DMCA,
while enacted with the best of intentions, oftentimes end up stifling
9 min
Vulnerability Disclosure
R7-2014-12: More Amplification Vulnerabilities in NTP Allow Even More DRDoS Attacks
Overview
As part of Rapid7 Labs' Project Sonar [https://sonar.labs.rapid7.com/], among
other things, we scan the entire public IPv4 space (minus those who have opted
out) looking for listening NTP servers. During this research we discovered some
unknown NTP servers responding to our probes with messages that were entirely
unexpected. This lead to the writing of an NTP fuzzer in Metasploit
[https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/fuzzers/ntp/ntp_protocol_fuz
1 min
Vulnerability Disclosure
A Place for Everything and Everything in its Place -- Custom Vulnerability Content
In all of our documentation related to authoring custom vulnerability content,
not once is it clear where you put this content. Sometimes no guidance is given
at all. Other times there is this hand-wavy, "just put the content in this
random directory" response. When working directly with customers on custom
vulnerability content, it just felt wrong to me dropping custom vulnerability
content willy nilly all over the file system. For one, this makes your job more
difficult if/when you need to