Posts by Jon Hart

4 min IoT

The Internet of Gas Station Tank Gauges -- Take #2

In January 2015, Rapid7 worked with Jack Chadowitz and published research [/2015/01/22/the-internet-of-gas-station-tank-gauges] related to Automated Tank Gauges (ATGs) and their exposure on the public Internet.  This past September, Jack reached out to us again, this time with a slightly different request.  The goal was to reassess the exposure of these devices and see if the exposure had changed, and if so, how and why, but also to see if there were other ways of identifying potentially exposed

4 min

The Pudding is in the Proof: The Importance of Proofs in Vulnerability Management

In vulnerability management and practices like it, including simple vulnerability assessment, down and dirty penetration testing, and compliance driven auditing, when a target is tested for the presence of a particular vulnerability, in addition to the binary answer for "Is it vulnerable or not?" oftentimes additional data will be provided that adds some confidence to that conclusion by explaining how it was reached. At Rapid7, for Nexpose, we typically refer to this data as the proof for a par

5 min Haxmas

12 Days of HaXmas: Exploiting CVE-2014-9390 in Git and Mercurial

This post is the eighth in a series, 12 Days of HaXmas__, where we take a look at some of more notable advancements and events in the Metasploit Framework over the course of 2014. A week or two back, Mercurial inventor Matt Mackall found what ended up being filed as CVE-2014-9390.  While the folks behind CVE are still publishing the final details, Git clients (before versions, 1.9.5, 2.0.5, 2.1.4 and 2.2.1) and Mercurial clients (before version 3.2.3) contained three vulnerabilities tha

2 min

Amp Up and Defy Amplification Attacks -- Detecting Traffic Amplification Vulnerabilities with Nexpose

Approximately a year ago, the Internet saw the beginnings of what would become the largest distributed denial of service (DDoS) attacks ever seen.  Peaking at nearly 400Gbs in early 2014, these attacks started when a previously undisclosed vulnerability that would ultimately become CVE-2013-5211 [] was discovered.  While these attacks were devastating and they received plenty of press, the style of attack was not new.  In fact, it had

17 min Project Sonar

R7-2014-17: NAT-PMP Implementation and Configuration Vulnerabilities

Overview In the summer of 2014, Rapid7 Labs started scanning the public Internet for NAT-PMP as part of Project Sonar [].  NAT-PMP is a protocol implemented by many SOHO-class routers and networking devices that allows firewall and routing rules to be manipulated to enable internal, assumed trusted users behind a NAT device to allow external users to access internal TCP and UDP services for things like Apple's Back to My Mac and file/media shar

8 min

Adventures in Empty UDP Scanning

One of the interesting things about security research, and I guess research in general, is that all too often the only research that is publicized is research that proves something or shows something especially amazing.  Research that is incomplete, where the original hypothesis or idea ends up being incorrect, or that ends up at non-spectacular conclusions rarely ends up getting published.  I feel that this trend is doing a disservice to the research community because the paths that the authors

1 min

BSidesLA 2014 - Trial by Research: Security Research v. Law

Last month I had the pleasure of speaking at BSides Los Angeles []. My role at Rapid7, much like many others who dabble in security research, frequently puts me in a position where I need to be aware of and careful regarding U.S. law. The talk I gave, titled "Trial by Research: Security Research v. Law", describes how current U.S. laws like the CFAA, ECPA and DMCA, while enacted with the best of intentions, oftentimes end up stifling

9 min Vulnerability Disclosure

R7-2014-12: More Amplification Vulnerabilities in NTP Allow Even More DRDoS Attacks

Overview As part of Rapid7 Labs' Project Sonar [], among other things, we scan the entire public IPv4 space (minus those who have opted out) looking for listening NTP servers.  During this research we discovered some unknown NTP servers responding to our probes with messages that were entirely unexpected.  This lead to the writing of an NTP fuzzer in Metasploit [

1 min Vulnerability Disclosure

A Place for Everything and Everything in its Place -- Custom Vulnerability Content

In all of our documentation related to authoring custom vulnerability content, not once is it clear where you put this content.  Sometimes no guidance is given at all.  Other times there is this hand-wavy, "just put the content in this random directory" response.  When working directly with customers on custom vulnerability content, it just felt wrong to me dropping custom vulnerability content willy nilly all over the file system.  For one, this makes your job more difficult if/when you need to

4 min

In case of emergency, break glass -- Unable to update past Nexpose version 5.8.0

With the release of Nexpose 5.8.0 on 12/04/2013, a bug was introduced that would hinder Nexpose's ability to update any further in some uncommon network conditions.  You can rest assured that we have updated our processes to prevent situations like this from happening again, and the bug has been fixed in subsequent releases, however assurances alone won't help you if you can't actually update.  Fortunately, we have a solution.  Nexpose installers support the concept of a repair installation, whi

5 min

Vulnerability Management And Expert Systems

Overview An unique feature of the Nexpose vulnerability management (VM) solution is that the core of the underlying scanner uses an expert system.  Many years and several careers ago, I had been tasked with selecting an appropriate VM solution at my employer.  Among the possible solutions was Nexpose, and I am somewhat embarrassed to admit that I shrugged off the "expert system" as a marketing term.  I soon came to learn that it was a real thing and started to realize the true power of such a te

4 min

Custom Vulnerability Checks using Nexpose's Vulnerability Schemas

Over the years, several documents have been written about how to write custom vulnerability checks in Nexpose.  The most important of these include one about the various components of a vulnerability check [], one that gives examples of common vulnerability checking techniques [], and another about converting NASL checks to something compatible with Nexpo

1 min

Vulnerability Correlation -- Enabled by Default

Vulnerability correlation is a feature of Nexpose where a vulnerable result from one vulnerability can be overridden by an invulnerable result from another.  As an example of how this works and why it is a useful option to have enabled, take CVE-2011-3192 [], a fun DoS vulnerability that affected Apache HTTPD back in 2011.  Nexpose has one unauthenticated vulnerability check (lets call it V1) that will run against all discovered Apac