Posts tagged Labs

3 min Project Sonar

The Internet of Gas Station Tank Gauges -- Final Take?

In early 2015, HD Moore published one of the first publicly accessible research efforts on Internet-connected gas station tank gauges, The Internet of Gas Station Tank Gauges [/2015/01/22/the-internet-of-gas-station-tank-gauges]. Later that same year, I did a follow-up study that probed a little deeper in The Internet of Gas Station Tank Gauges — Take #2 [/2015/11/18/the-internet-of-gas-station-tank-gauges-take-2]. As part of that study, we were attempting to see if the exposure of these devic

9 min Project Sonar

Project Sonar Study of LDAP on the Internet

The topic of today's post is a Rapid7 Project Sonar [https://sonar.labs.rapid7.com/] study of publicly accessible LDAP services on the Internet. This research effort was started in July of this year and various portions of it continue today. In light of the Shadowserver Foundation's recent announcement [https://ldapscan.shadowserver.org/] regarding the availability of relevant reports, we thought it would be a good time to make some of our results public. The study was originally intended to be a

2 min Cloud Infrastructure

[Cloud Security Research] Cross-Cloud Adversary Analytics

Introducing Project Heisenberg Cloud

Project Heisenberg Cloud is a Rapid7 Labs research project with a singular purpose: understand what attackers, researchers and organizations are doing in, across and against cloud environments. This research is based on data collected from a new, Rapid7-developed honeypot framework called Heisenberg along with internet reconnaissance data from Rapid7's Project Sonar [https://sonar.labs.rapid7.com/?CS=blog]. Internet-scale reconnaissance with cloud-inspired a

11 min Metasploit

NCSAM: Understanding UDP Amplification Vulnerabilities Through Rapid7 Research

October is National Cyber Security Awareness month and Rapid7 is taking this time to celebrate security research. This year, NCSAM coincides with new legal protections for security research under the DMCA [/2016/10/03/cybersecurity-awareness-month-2016-this-ones-for-the-researchers] and the 30th anniversary of the CFAA - a problematic law that hinders beneficial security research. Throughout the month, we will be sharing content that enhances understanding of what independent security research

6 min Project Sonar

Sonar NetBIOS Name Service Study

For the past several years, Rapid7's Project Sonar [https://sonar.labs.rapid7.com/] has been performing studies that explore the exposure of the NetBIOS name service on the public IPv4 Internet. This post serves to describe the particulars behind the study and provide tools and data for future research in this area.

Protocol Overview

Originally conceived in the early 1980s, NetBIOS is a collection of services that allows applications running on different nodes to communicate over a network. O

7 min Exploits

Bringing Home The EXTRABACON [Exploit]

by Derek Abdine & Bob Rudis [/author/bob-rudis/] (photo CC-BY-SA Kalle Gustafsson) Astute readers will no doubt remember the Shadow Brokers leak of the Equation Group exploit kits and hacking tools back in mid-August. More recently, security researchers at SilentSignal noted [https://blog.silentsignal.eu/2016/08/25/bake-your-own-extrabacon/] that it was possible to modify the EXTRABACON exploit from the initial dump to work on newer Cisco ASA (Adaptive Security Appliance) devices, meaning that

6 min Project Sonar

Digging for Clam[AV]s with Project Sonar

A little over a week ago some keen-eyed folks discovered a feature/configuration weakness [http://seclists.org/nmap-dev/2016/q2/198] in the popular ClamAV malware scanner that makes it possible to issue administrative commands such as SCAN or SHUTDOWN remotely—and without authentication—if the clamd daemon happens to be listening on an accessible TCP port. Shortly thereafter, Robert Graham unholstered his masscan [https://github.com/robertdavidgraham/masscan] tool and did a summary blog post [http://bl
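The weakness above is simply that clamd's command protocol carries no authentication: any client that can reach the TCP port can speak it. The following is an added example, not code from the Rapid7 post or the ClamAV project. It shows clamd's "z" framing (a command prefixed with `z` and terminated by a NUL byte, answered the same way), a read-only PING/VERSION probe that establishes exposure without touching files, and a constructed in-process fake daemon so the exchange can be exercised offline. The fake's version banner and its `OK` reply to SCAN/SHUTDOWN are constructed for the demonstration; a real clamd would act on those commands.

```python
import socket

# clamd "z" framing: commands are prefixed with 'z' and terminated with NUL;
# replies are NUL-terminated too. There is no authentication step anywhere.
def frame_command(command):
    return b"z" + command.encode("ascii") + b"\0"

def parse_reply(raw):
    return raw.rstrip(b"\0").decode("ascii", "replace")

# Constructed stand-in for an exposed clamd, used to run the exchange offline.
FAKE_VERSION = "ClamAV 0.99.2/22000/Thu May 26 00:00:00 2016"  # constructed banner

def fake_clamd(request):
    cmd = parse_reply(request)
    if cmd == "zPING":
        return b"PONG\0"
    if cmd == "zVERSION":
        return FAKE_VERSION.encode("ascii") + b"\0"
    if cmd.startswith("zSCAN ") or cmd == "zSHUTDOWN":
        # A real daemon would scan the path or exit here; the fake only acknowledges.
        return b"OK\0"
    return b"UNKNOWN COMMAND\0"

def socket_transport(host, port, timeout=3.0):
    """Return a bytes->bytes callable that performs one clamd exchange over TCP."""
    def send_recv(request):
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request)
            buf = b""
            while not buf.endswith(b"\0"):
                chunk = s.recv(4096)
                if not chunk:
                    break
                buf += chunk
        return buf
    return send_recv

def clamd_command(transport, command):
    """Send one command through the given transport and return the reply text."""
    return parse_reply(transport(frame_command(command)))

def check_clamd_exposure(transport):
    """Read-only probe: PING, then VERSION.

    A PONG proves that whoever reaches this port can also issue SCAN or
    SHUTDOWN, since clamd applies no authentication to any command.
    Returns the version banner when exposed, None otherwise.
    """
    if clamd_command(transport, "PING") != "PONG":
        return None
    return clamd_command(transport, "VERSION")

if __name__ == "__main__":
    # Offline run against the constructed fake; swap in
    # socket_transport("203.0.113.10", 3310) to probe a real host you own.
    print(check_clamd_exposure(fake_clamd))
```

The probe deliberately stops at VERSION: confirming that PING is answered is enough to classify the daemon as exposed, and issuing SCAN or SHUTDOWN against someone else's scanner is exactly the behaviour the post warns about.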

2 min Research

Rapid7 Releases New Research: The National Exposure Index

Today, I'm happy to announce the latest research paper from Rapid7, National Exposure Index: Inferring Internet Security Posture by Country through Port Scanning [https://information.rapid7.com/national-exposure-index.html], by Bob Rudis, Jon Hart, and me, Tod Beardsley. This research takes a look at one of the most foundational components of the internet: the millions and millions of individual services that live on the public IP network. When people think about "the internet," they tend to

6 min Research

The Attacker's Dictionary

Rapid7 is publishing a report about the passwords attackers use when they scan the internet indiscriminately. You can pick up a copy at booth #4215 at the RSA Conference this week, or online right here [https://information.rapid7.com/attackers-dictionary.html]. The following post describes some of what is investigated in the report.

Announcing the Attacker's Dictionary

Rapid7's Project Sonar [https://sonar.labs.rapid7.com/] periodically scans the internet across a variety of ports and protocols

5 min Project Sonar

Rapid7 Labs' Project Sonar - Nexpose Integration

With the release of Nexpose 5.17, customers gained the ability to easily obtain an outsider's view of their internet-facing assets. This capability was made possible through integration with Rapid7 Labs' Project Sonar [/2013/09/26/welcome-to-project-sonar].

What is Project Sonar?

Project Sonar is a community effort to improve security through the active analysis of public networks. This includes running scans across public internet-facing systems, organizing the results, and sharing the data with the

2 min AWS

The real challenge behind asset inventory

As the IT landscape evolves, and as companies diversify the assets they bring to their networks - including on-premise, cloud and personal assets - one of the biggest challenges becomes maintaining an accurate picture of which assets are present on your network. Furthermore, while the accurate picture is the end goal, the real challenge becomes optimizing the means to obtain that picture and keep it current. The traditional discovery paradigm of continuous discovery sweeps of your whole network

3 min Metasploit

12 Days of HaXmas: Metasploit, Nexpose, Sonar, and Recog

This post is the tenth in a series, 12 Days of HaXmas, where we take a look at some of the more notable advancements and events in the Metasploit Framework over the course of 2014. The Metasploit Framework uses operating system and service fingerprints for automatic target selection and asset identification. This blog post describes a major overhaul of the fingerprinting backend within Metasploit and how you can extend it by submitting new fingerprints. Historically, Metasploit wasn't great at fin

2 min Project Sonar

2015: Project Sonar Wiki & UDP Scan Data

Project Sonar started in September of 2013 with the goal of improving security through the active analysis of public networks. For the first few months, we focused almost entirely on SSL, DNS, and HTTP enumeration. This uncovered all sorts of interesting security issues and contributed to a number of advisories and research papers. The SSL and DNS datasets were especially good at identifying assets for a given organization, often finding systems that the IT team had no inkling of. At this point,

17 min Project Sonar

R7-2014-17: NAT-PMP Implementation and Configuration Vulnerabilities

Overview

In the summer of 2014, Rapid7 Labs started scanning the public Internet for NAT-PMP as part of Project Sonar [https://community.rapid7.com/community/infosec/sonar]. NAT-PMP is a protocol implemented by many SOHO-class routers and networking devices that allows firewall and routing rules to be manipulated to enable internal, assumed-trusted users behind a NAT device to allow external users to access internal TCP and UDP services for things like Apple's Back to My Mac and file/media shar
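Because NAT-PMP is meant for clients on the internal side of the gateway, RFC 6886 requires the gateway to ignore requests arriving on its external interface; a device that answers the Sonar scan from the public Internet is already outside the specification. The following is an added example, not code from the Rapid7 advisory. It builds the two NAT-PMP request types from RFC 6886 (external address request, port mapping request), parses the corresponding responses, and flags a response obtained from the Internet side as a configuration problem. The sample responses in the test are constructed; `probe_external_address` is the only piece that touches the network and is not exercised offline.

```python
import socket
import struct

NATPMP_PORT = 5351          # UDP port defined in RFC 6886
NATPMP_VERSION = 0
OP_EXTERNAL_ADDRESS = 0
OP_MAP_UDP = 1
OP_MAP_TCP = 2
RESULT_CODES = {            # result codes from RFC 6886 section 3.5
    0: "Success",
    1: "Unsupported Version",
    2: "Not Authorized/Refused",
    3: "Network Failure",
    4: "Out of resources",
    5: "Unsupported opcode",
}

def build_external_address_request():
    """2-byte request: version 0, opcode 0."""
    return struct.pack("!BB", NATPMP_VERSION, OP_EXTERNAL_ADDRESS)

def build_map_request(opcode, internal_port, external_port=0, lifetime=3600):
    """12-byte mapping request: version, opcode, reserved, ports, lifetime in seconds."""
    if opcode not in (OP_MAP_UDP, OP_MAP_TCP):
        raise ValueError("opcode must be OP_MAP_UDP or OP_MAP_TCP")
    return struct.pack("!BBHHHI", NATPMP_VERSION, opcode, 0,
                       internal_port, external_port, lifetime)

def parse_response(data):
    """Parse a NAT-PMP response (opcode = request opcode + 128) into a dict."""
    if len(data) < 8:
        raise ValueError("too short for a NAT-PMP response")
    version, opcode, result, sssoe = struct.unpack("!BBHI", data[:8])
    if version != NATPMP_VERSION or opcode < 128:
        raise ValueError("not a NAT-PMP response")
    op = opcode - 128
    info = {"opcode": op, "result": result,
            "result_text": RESULT_CODES.get(result, "Unknown"),
            "seconds_since_start": sssoe}
    if op == OP_EXTERNAL_ADDRESS and len(data) >= 12:
        info["external_ip"] = socket.inet_ntoa(data[8:12])
    elif op in (OP_MAP_UDP, OP_MAP_TCP) and len(data) >= 16:
        internal, external, lifetime = struct.unpack("!HHI", data[8:16])
        info.update(internal_port=internal, external_port=external,
                    lifetime=lifetime)
    return info

def classify_exposure(response_info, probed_from_internet):
    """RFC 6886 says a gateway must not service requests on its external
    interface, so any well-formed answer to an Internet-side probe is a
    misconfiguration; an honoured mapping request is worse, because an
    outsider can then open holes through the NAT."""
    if not probed_from_internet:
        return "internal-ok"
    if response_info["opcode"] in (OP_MAP_UDP, OP_MAP_TCP) and response_info["result"] == 0:
        return "exposed-mapping-honoured"
    return "exposed-answers-on-wan"

def probe_external_address(host, timeout=2.0):
    """Send one external-address request to a host you are authorised to test."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_external_address_request(), (host, NATPMP_PORT))
        data, _ = s.recvfrom(64)
    return parse_response(data)

if __name__ == "__main__":
    # Constructed response for offline demonstration: success, up 86400 s, external IP 203.0.113.7
    sample = struct.pack("!BBHI", 0, 128, 0, 86400) + socket.inet_aton("203.0.113.7")
    print(parse_response(sample), classify_exposure(parse_response(sample), True))
```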

2 min Project Sonar

R7-2014-16: Palo Alto Networks User-ID Credential Exposure

Project Sonar [https://community.rapid7.com/community/infosec/sonar] tends to identify unexpected issues, especially with regards to network security products. In July of this year, we began to notice a flood of incoming SMB connections every time we launched the VxWorks WDBRPC [/2010/08/02/shiny-old-vxworks-vulnerabilities] scan. To diagnose the issue, we ran the Metasploit SMB Capture [http://www.rapid7.com/db/modules/auxiliary/server/capture/smb] module on one of our scanning nodes and collec