All Posts

2 min Metasploit

vSploit - Virtualizing Intrusion & Exploitation Attributes with Metasploit Framework

Many organizations are making significant investments in technologies in order to tell if they have been compromised; however, frequently they find out when it is too late. There are several network-based attributes that, when combined, indicate possible compromises have taken place. Many pentesters are successful at compromising hosts; however, commonly they are restricted in what they can and can't do. There needs to be a way that they can sucessfully mimick threats and scenarios, even when re

4 min Exploits

Recent Developments in Java Signed Applets

The best exploits are often not exploits at all -- they are code execution by design. One of my favorite examples of this is a signed java applet. If an applet is signed, the jvm allows it to run outside the normal security sandbox, giving it full access to do anything the user can do. Metasploit has supported using signed applets as a browser exploit for quite awhile, but over the last week there have been a couple of improvements that might help you get more shells. The first of these improve

2 min Release Notes

w3af - And now, with a stable core

Since our latest w3af release in mid January , and our new windows installer release a couple of months ago, we've got lots of encouraging words telling us we are going in the right direction. The objective was near and we could almost taste it. Having a stable code-base is no joke, it requires countless hours of writing unit-tests, running w3af scripts and most importantly: fixing bugs. Now, finally we're here! In this latest release, we bring y

4 min Metasploit

Introducing msfvenom

The Metasploit Framework has included the useful tools msfpayload and msfencode for quite sometime. These tools are extremely useful for generating payloads in various formats and encoding these payloads using various encoder modules. Now I would like to introduce a new tool which I have been working on for the past week, msfvenom. This tool combines all the functionality of msfpayload and msfencode in a single tool. Merging these two tools into a single tool just made sense. It standardizes

2 min Metasploit

Metasploit-ation for the Nation

In a couple of weeks, our very own @Mubix (AKA Rob Fuller to those who don't live their life with an @ sign permanently attached to their name!) will be offering Metasploit-ation for the Nation.  Unlike that phrase – which I just made up – Mubix will actually be talking sense as he walks penetration testers through the delightful world of Metasploit Pro in a 4-hour in-depth training session. Mubix took some time to answer a few questions below to give you a flavor of the training.  If you have

1 min Metasploit

Metasploit Framework 3.7.1 Released!

Originally posted by HD Moore: We are happy to announce the immediate availability of version 3.7.1 of the Metasploit Framework, Metasploit Express, and Metasploit Pro. This is a relatively small release focused on bug fixes and performance improvements. Notable highlights include an improved IPv6 reverse_tcp stager from Stephen Fewer, a performance improvement for HTTP services (client-side modules), a bug fix to channel support in the PHP Meterpreter, an update to MSFGUI, and various small

2 min PCI

PCI Newsletter #2 - Payment Processing Terminology and Workflow

Hi Everyone, This is our second PCI 30 sec newsletter. One cannot move through the PCI ecosystem without basic understandings of the payment processing terminology and workflow. So let's have a look behind the scene. The payment processing terminology In a nutshell, the payment transaction could be depicted as follow: We have cardholders that make payment card purchases from merchants, merchants that send payment transaction data to their acquirers, and acquirers that send payment transacti

1 min Patch Tuesday

May Patch Tuesday

So yesterday was Patch Tuesday, and following a mammoth April , it was a pretty quiet one, with only 2 vulnerabilities reported , and only one of those given the most severe rating of “critical”.  That said, of course any vulnerability reported should be investigated and understood, and particularly those rated critical. This month the critical

2 min Metasploit

Metasploit Pro 3.7: Better, Faster, Stronger

Over the last two months the Rapid7 team has been hard at work rewiring the database and session management components of the Metasploit Framework, Metasploit Express, and Metasploit Pro products. These changes make the Metasploit platform faster, more reliable, and able to scale to hundreds of concurrent sessions and thousands of target hosts. We are excited to announce the immediate availability of version 3.7 of Metasploit Pro and Metasploit Express! Existing customers can apply the latest s

1 min Metasploit

Metasploit Framework 3.7.0 Released!

Originally Posted by egypt The Metasploit team has spent the last two months focused on one of the least-visible, but most important pieces of the Metasploit Framework; the session backend. Metasploit 3.7 represents a complete overhaul of how sessions are tracked within the framework and associated with the backend database. This release also significantly improves the staging process for the reverse_tcp stager and Meterpreter session initialization. Shell sessions now hold their output in a ri

1 min Metasploit

Metasploit T-Shirt Design Contest: And the Winner is...

You have voted in large numbers – and the results are out: design #36 is the winner of the Metasploit T-shirt design contest. Danny Chrastil submitted the winning design, featuring the Metasploit logo consisting of code from the payload osx/ppc/shell_reverse_tcp. The back shows the Metasploit splash screen cow, our legendary creature of mystery and superstition. A few words about the winner: Danny Chrastil aka @DisK0nn3cT is a web appl

2 min Microsoft

April Patch Tuesday Round-Up

LOTS of patches from Microsoft this week... This week's Patch Tuesday was pretty significant, with a record-tying 17 bulletins that patch a record 64 vulnerabilities, 15 more than the previous largest-ever set in October 2010.  As usual, the Rapid7 team was all over it, monitoring the threat and trying to help out where possible. This month's bulletin addresses vulnerabilities across Microsoft Windows, Microsoft Office, Internet Explorer, Visual Studio, .NET Framework and GDI . There are seve

4 min

Who Will You Be Wearing? Vote for the New Metasploit T-Shirt!

Wow – 87 entries for our T-Shirt competition in one week. We were very impressed with both quantity and quality of the entries we received for designing the new Metasploit T-shirt, which will be featured in the new Metasploit store. Now, it's your turn (again): We need you to vote for your favorite shirt. Starting with 87 entries, we conducted a quick office poll produce a shortlist of 15 for you to pick from. (Go here

1 min Metasploit

Be a Superhero: Design the New Metasploit Swag

Originally Posted  by Chris Kirsch Don't know what to wear for the next BlackHat conference? Afraid of going naked to B-Sides? We are too, so we decided to do something about it. We're getting ready to launch our own Metasploit designer clothes – and you're the designer! To start off our Metasploit swag store, we'd like you to design a T-shirt. You must submit your own, original design. To enter, add your design to our 99designs competition

1 min Metasploit

Learn, Download & Contribute: The New Metasploit Website

Today, we relaunched the Metasploit.com site. We hope you'll find it as awesome as we do. The new site not only has updated looks, we've also rewritten much of its content and put it on a shiny new server to make it faster. We mainly focused on three aspects: learn, download & contribute: Learn – Many Metasploit newbies told us they found it hard to get started with the Metasploit Framework, so we took a fresh look at our website to design it so that new Metasploit Framework users would find i