Posts by Patrick Laverty

4 min Penetration Testing

Lessons Learned from an Unlikely Path to My OSCP Certification

In this blog, our own Patrick Laverty discusses lessons learned from his path to a Offensive Security Certified Professional (OSCP) certification.

4 min Phishing

Tips for a Successful Phishing Engagement

Many factors can go into making a phishing engagement a success, so in this blog, we will share some tips for making sure your organization gets the most out of its upcoming engagement.

4 min Haxmas

The Layer 8(th) Day of Christmas: Rapid7 Pen Testers Reveal Social Engineering Insights at Recent Conference

Four Rapid7 pen testers recently gathered at the brand-new Layer 8 conference in Rhode Island to present on social engineering and open source intelligence (OSINT) gathering.

4 min Research

Password Tips from a Pen Tester: Are 12-Character Passwords Really Stronger, or Just a Dime a Dozen?

On penetration tests, the three most common passwords are a variation of company name, the season/year, and a variation of “password.” But what happens if we lengthen the password requirement?

5 min Penetration Testing

Password Tips from a Pen Tester: Taking the Predictability Out of Common Password Patterns

Humans are predictable. As unique as we like to think we all are, our actions tend to be similar—and our choices when creating a password are no different.

2 min Penetration Testing

Password Tips from a Pen Tester: What is Your Company’s Default Password?

Welcome back to Password Tips From a Pen Tester. The first day on the job: We fill out all the requisite paperwork for Human Resources and get a computer and our network password. That password is often something easy to remember, and is often the same for every new employee. It might be Welcome1, ChangeMe! or one of our old favorites, the SeasonYear (ie. Summer2018). If a new employee is having trouble signing in for the first time and they call the help desk, they can easily get the help they

3 min Penetration Testing

Password Tips From a Pen Tester: Common Patterns Exposed

When my colleagues and I are out on penetration tests, we have a fixed amount of time to complete the test. Efficiency is important. Analyzing password data like we’re doing here helps pen testers better understand the likelihood of password patterns and choices, and we use that knowledge to our advantage when we perform penetration testing [] service engagements at Rapid7. In my experience, most password complexity policies require at l

3 min Penetration Testing

Password Tips From a Pen Tester: 3 Passwords to Eliminate

Every week, Rapid7 conducts penetration testing services for organizations that cracks hundreds—and sometimes thousands—of passwords. Our current password trove has more than 500,000 unique passwords that have been collected over the past two years. Where do these come from? Some of them come from Windows domain controllers and databases such as MySQL or Oracle; some of them are caught on the wire using Responder [], and some are pulled out of memory wi

4 min Application Security

What Is User Enumeration?

User enumeration is when a malicious actor can use brute-force to either guess or confirm valid users in a system.

5 min Metasploit

Pentesting in the Real World: Gathering the Right Intel

This is the first in a series of blog topics by penetration testers, for penetration testers, highlighting some of the advanced pentesting techniques they'll be teaching in our new Network Assault and Application Assault certifications, opening for registration this week. For more information, check out the training page at [] So