1 min
Nexpose
Nexpose Java API
We are really excited to see the Nexpose community coming up with all sorts of
cool and useful ways to automate Nexpose via our APIs. Since we have published
our Ruby [https://github.com/rapid7/nexpose-client] and .Net
[https://github.com/brandonprry/nexpose-sharp] API client libraries, we have had
some requests for a Java library as well. And now we have open sourced a Java
[https://github.com/clee-r7/nexpose_java_api] based library for accessing the
Nexpose API. This library is BSD licensed s
3 min
Metasploit
The Art of Keylogging with Metasploit & Javascript
Rarely does a week go by without a friend or family member getting their login
credentials compromised, then reused for malicious purposes. My wife is always
on the lookout on Facebook, warning relatives and friends to change their
passwords. Many people don't understand how their credentials get compromised.
Password reuse on several websites is usually the culprit. Password reuse is a
problem even if the website encrypts the passwords in their databases. An
attacker only needs to insert some
3 min
Release Notes
Exploit for critical Java vulnerability added to Metasploit
@_sinn3r [http://twitter.com/_sinn3r] and Juan Vasquez
[https://twitter.com/#!/_juan_vazquez_] recently released a module which
exploits the Java vulnerability detailed here
[http://schierlm.users.sourceforge.net/CVE-2011-3544.html] by mihi and by Brian
Krebs here
[http://krebsonsecurity.com/2011/11/new-java-attack-rolled-into-exploit-kits].
This is a big one. To quote Krebs: "A new exploit that takes advantage of a
recently-patched critical security flaw in Java is making the rounds in the
cri
4 min
Exploits
Recent Developments in Java Signed Applets
The best exploits are often not exploits at all -- they are code execution by
design. One of my favorite examples of this is a signed java applet. If an
applet is signed, the jvm allows it to run outside the normal security sandbox,
giving it full access to do anything the user can do.
Metasploit has supported using signed applets as a browser exploit for quite
awhile, but over the last week there have been a couple of improvements that
might help you get more shells. The first of these improve