4 min
Linux
Patching CVE-2017-7494 in Samba: It's the Circle of Life
With the scent of scorched internet still lingering in the air from the
WannaCry
Ransomworm
[http://community.rapid7.com/community/infosec/blog/2017/05/12/wanna-decryptor-wncry-ransomware-explained]
, today we see a new scary-and-potentially-incendiary bug hitting the twitter
news. The vulnerability - CVE-2017-7494
[https://www.rapid7.com/db/vulnerabilities/oracle-solaris-cve-2017-7494] -
affects versions 3.5 (released March 1, 2010) and onwards of Samba, the defacto
standard for providing Wind
3 min
Endpoints
Live Vulnerability Monitoring with Agents for Linux...and more
A few months ago, I shared news of the release of the macOS Insight Agent
[/2016/12/29/macos-agent-in-nexpose-now]. Today, I'm pleased to announce the
availability of the the Linux Agent within Rapid7's vulnerability management
solutions [https://rapid7.com/solutions/vulnerability-management/]. The arrival
of the Linux Agent completes the trilogy that Windows and macOS began in late
2016. For Rapid7 customers, all that really matters is you've got new
capabilities to add to your kit.
Introducin
2 min
Metasploit
Now Officially Supporting Kali Linux 2.0
In August, we were getting a lot of questions about Kali 2. I have answered some
questions in Metasploit on Kali Linux 2.0
[/2015/08/12/metasploit-on-kali-linux-20] blog post in the past. Today, I am
pleased to announce that we extend our official platform support to three new
operating systems which are now listed in Metasploit System Requirements
[http://www.rapid7.com/products/metasploit/system-requirements.jsp] page:
* Kali Linux 2.0
* Red Hat Enterprise Server 7.1 or later
* Microsoft W
2 min
Windows
Metasploit Framework Open Source Installers
Rapid7 has long supplied universal Metasploit installers for Linux and Windows.
These installers contain both the open source Metasploit Framework as well as
commercial extensions, which include a graphical user interface, metamodules,
wizards, social engineering tools and integration with other Rapid7 tools. While
these features are very useful, we recognized that they are not for everyone.
According to our recent survey of Metasploit Community users, most only used it
for the open source comp
2 min
Metasploit
Metasploit on Kali Linux 2.0
As you are aware, Kali 2.0
[https://www.kali.org/releases/kali-linux-20-released/] has been released this
week and getting quite a bit of attention, as it should. Folks behind Kali have
worked really hard to bring you the new version of Kali Linux that everyone is
excited about. If you have already started to play with the new version, you
probably have realized that something is different, that is; Metasploit
Community / Pro is no longer installed by default.
Where is Metasploit Community / Pr
3 min
Linux
Weekly Metasploit Wrapup: Tons of Blogs, Kali Dev, and Nothing Suspicious Here
Blogsplosion!
If you've been following along, you'll have noticed that we published just about
a post a day here this week, which makes my job of bringing the weekly update to
you, dear reader, that much easier. So, I'll keep this week's update pretty
short. Here's a link farm covering what was discussed from Joe
[https://twitter.com/joevennix], OJ [https://twitter.com/TheColonial], sinn3r
[https://twitter.com/_sinn3r], and HD [https://twitter.com/hdmoore]. They're all
really fun and informative
4 min
Nexpose
GHOSTbuster: How to scan just for CVE-2015-0235 and keep your historical site data
A recently discovered severe vulnerability, nicknamed GHOST, can result in
remote code execution exploits on vulnerable systems. Affected systems should be
patched and rebooted immediately. Learn more about
[/2015/01/27/ghost-in-the-machine-is-cve-2015-0235-another-heartbleed]
CVE-2015-0235 and its risks
[/2015/01/27/ghost-in-the-machine-is-cve-2015-0235-another-heartbleed].
The Nexpose 5.12.0 content update provides coverage for the GHOST vulnerability.
Once the Nexpose 5.12.0 content update
3 min
Linux
GHOST in the Machine - Is CVE-2015-0235 another Heartbleed?
CVE-2015-0235 is a remote code execution vulnerability affecting Linux systems
using older versions of the GNU C Library (glibc versions less than 2.18). The
bug was discovered by researchers at Qualys and named GHOST in reference to the
_gethostbyname function (and possibly because it makes for some nice puns).
To be clear, this is NOT the end of the Internet as we know, nor is it further
evidence (after Stormaggedon) that the end of the world is nigh. It's also not
another Heartbleed. But it
6 min
Linux
12 Days of HaXmas: Meterpreter migration for Linux!
This post is the eleventh in a series, 12 Days of HaXmas, where we take a look
at some of more notable advancements and events in the Metasploit Framework over
the course of 2014.
Hello everyone and Happy HaXmas (again) and New Year! On this HaXmas I would
like to share with all you a new feature which I'm personally very happy with.
It's nothing super new and has limitations, but it's the first meterpreter
feature where I've been collaborating I feel really happy of sharing it with all
you: su
6 min
Linux
Bash-ing Into Your Network & Investigating CVE-2014-6271
[UPDATE September 29, 2014: Since our last update on this blog post, four new
CVEs that track ShellShock/bash bug-related issues have been announced. A new
patch
[http://lcamtuf.blogspot.com/2014/09/bash-bug-apply-unofficial-patch-now.html]
was released on Saturday September 27 that addressed the more critical CVEs
(CVE-2014-6277 and CVE-2014-6278). In sum: If you applied the ShellShock-related
patches before Saturday September 27, you likely need to apply this new patch
[http://lcamtuf.blogspo
2 min
Metasploit
msfconsole failing to start? Try 'msfconsole -n'
As part of the last release, the Metasploit Engineering team here at Rapid7 has
been on a path of refactoring in the Metasploit open source code in order to
make it more performant and to get toward a larger goal of eventually breaking
up the framework into a multitude of libraries that can be used and tested in a
standalone way.
This effort will make it easier to deliver features and respond to issues more
quickly, as well as ensure that regressions and bugs can get diagnosed, triaged,
and fix
4 min
Metasploit
Rapid7 Free Tools - Download Today!
Hello all,
It's your friendly neighborhood Community Manager again, this time reaching out
to talk about something that should be of interest to all of you; Rapid7's
suite
of Free Security Tools [http://www.rapid7.com/resources/free-tools.jsp].
If you're a one man shop, trying to make sure you're as buttoned up as possible,
or a giant organization just looking to do some validation and double checking,
I'm sure one or more of these tools would be an excellent addition to your
existing security
3 min
Product Updates
Weekly Update: Metasploit Pro on Chromebook, Galaxy Tab, and a Batch of New ZDI Exploits
Vegas Time!
Like the rest of the information security industry, we're buttoning down for the
annual pilgramage to Vegas next week. This means collecting up all our new
community-sourced swag [/2013/07/16/metasploit-design-contest-winners],
finishing up training and presentation material, figuring out what the heck to
do with our phones to avoid casual ownage, and test driving our new Chromebook
builds of Metasploit Pro. They're pretty sweet. The latest update for ARM-arch
Kali should run withou
2 min
Nexpose
Nexpose 5.6 - CIS RHEL Certified!
Nexpose 5.6, released last week, builds on our USGCB, FDCC, and CIS Windows
certifications by adding CIS certified assessment of Red Hat Enterprise Linux
systems. Nexpose 5.6 includes the CIS "Level I" and "Level II" policies for RHEL
4, 5, & 6. This means you can now use Rapid7's integrated vulnerability and
configuration management [http://www.rapid7.com/products/nexpose/] solution to
assess the configuration of your RHEL desktops and servers.
The CIS RHEL policies are included by default in
5 min
Release Notes
Simplify Vulnerability Management with Nexpose 5.6
We are pleased to announce the next major release of Nexpose, version 5.6. This
release focuses on providing you the most impactful remediation steps to reduce
risk to your organization and extends our current configuration assessment
functionality.
New Look and Feel
The most visible change in Nexpose 5.6 is the new look and feel of the user
interface. The action header is now smaller to maximize screen space and
usability, and the new colour scheme makes it easier to focus on important areas