Posts tagged Metasploit

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Spilling the (Gi)tea We have two modules coming in from cdelafuente-r7 [https://github.com/cdelafuente-r7] targeting CVE-2020-14144 [https://attackerkb.com/topics/ZTlYBaSclN/cve-2020-14144?referrer=blog] for both the Gitea and Gogs self-hosted Git services. Both modules are similar: they take advantage of a user’s ability to create Git hooks by authenticating with the web interface, creating a dummy repository with the aforementioned git hook, and triggering it—which will execute the payload! A

3 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Six new modules targeting F5, SaltStack, Exchange Server, and more, plus some significant performance improvements and fixes.

5 min Metasploit

Metasploit Wrap-Up

New Exchange ProxyLogon modules, VMWare View Planner RCE, Advantech iView RCE, and more!

4 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

A local exploit for a Windows Server 2012 DLL hijacking vulnerability, plus a slew of fixes and improvements.

2 min Metasploit

Metasploit Wrap-Up

Three new modules for achieving code execution, a new way to play favorites, and more! Plus a Google Summer of Code announcement!

3 min Metasploit

Metasploit Wrap-Up

A new exploit for FortiOS and some module target updates.

4 min Metasploit

Metasploit Wrap-Up

Flink targeting, process herpaderping, and more in this week's Metasploit wrap-up!

4 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

GSoC Rocks! In a rare double whammy, one of our 2020 Google Summer of Code (GSoC) participants has authored a PR containing both enhancements & a new module [https://github.com/rapid7/metasploit-framework/pull/14067]! Improvements to our SQL injection library now allow PostgreSQL injection, and this new functionality has been verified with both a test module AND a fully functioning module exploiting CVE-2019-13375 [https://attackerkb.com/topics/n3vokFNBje/cve-2019-13375?referrer=blog], a (Postgr

3 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

This installment includes a new MicroFocus RCE module, an updated Microsoft Exchange patch bypass, and items without 'Micro' in the title, too!

2 min Metasploit

Metasploit Wrap-Up

This week's edition: Baron Samedit 'sudo' exploit module, OneDrive sync enumeration, and WP credential gathering via Abandoned Cart plugin.

2 min Vulnerability Management

Vulnerability Scanning With the Metasploit Remote Check Service (Beta Release)

InsightVM and Nexpose customers can now harness the power of the Metasploit community to assess their exposure to the latest threats.

3 min Metasploit

Metasploit Wrap-Up

Five new modules, including RCEs, arbitrary file write, and a Windows Registry check if the DementiaWheel/fanny.bmp malware exists on a target.

3 min Metasploit

Metasploit Wrap-Up

A new Microsoft Windows Spooler privesc module, along with some fixes and improvements!

3 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Commemorating the 2020 December Metasploit community CTF A new commemorative banner has been added to the Metasploit console to celebrate the teams that participated in the 2020 December Metasploit community CTF [/2020/12/07/congrats-to-the-winners-of-the-2020-december-metasploit-community-ctf/] and achieved 100 or more points: If you missed out on participating in this most recent event, be sure to follow the Metasploit Twitter [https://twitter.com/metasploit] and Metasploit blog posts [/ta

3 min Metasploit

Metasploit Wrap-Up

Eight new Metasploit modules for various targets (and outcomes!), with a good set of improvements and fixes!

3 min Metasploit

Metasploit 2020 Wrap-Up

2020 was certainly an interesting year - let’s take a look at what it meant for Metasploit.

8 min Haxmas

Metasploit Tips and Tricks for HaXmas 2020

For this year's HaXmas, we're giving the gift of Metasploit knowledge!

3 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Exploits for Oracle Solaris CVE-2020-14871 and Windows 7 CVE-2020-1054, plus enhancements and bug fixes for Railgun and msfdb init. Happy HaXmas!

3 min Metasploit

Metasploit Wrap-Up

This week's wrap-up covers five new modules (including scanner, execution, and disclosure modules), some good fixes and enhancements, and more!

3 min Metasploit

Congrats to the winners of the 2020 December Metasploit community CTF

Thank you to all who participated in the 2020 December Metasploit community CTF [/2020/11/19/announcing-the-2020-december-metasploit-community-ctf/]! The four-day CTF was well received by the community, with 874 teams and 1903 users registered! We’ve included the high-level stats and the competition winners below. If you played the CTF and want to let the Metasploit team know which challenges you found exhilarating, interesting, or infuriating (in a good way, of course), we have a feedback survey

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

It's CTF week(end)! Plus, steal files from Apache Tomcat servers thanks to a new Ghostcat exploit, and dump process memory with a new post module that leverages Avast AV's built-in AvDump utility.

3 min Metasploit

Metasploit Wrap-Up

Five new modules, and a reminder for the upcoming CTF

3 min Metasploit

Metasploit Wrap-Up

Two new RCE-capable modules and some good fixes and enhancements!

7 min Metasploit

Announcing the 2020 December Metasploit community CTF

It’s time for another Metasploit community CTF! This time around we’re doing a few things differently. Read on for details.

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Four new modules, including an exploit for SaltStack Salt and an exploit for a now-patched vuln in Metasploit, plus new enhancements and fixes.

2 min Metasploit

Metasploit Wrap-Up

Insert 'What Year Is It' meme h00die [https://github.com/h00die] contributed the Mikrotik unauthenticated directory traversal file read [https://github.com/rapid7/metasploit-framework/pull/14280] auxiliary gather module, largely a port of the PoC by Ali Mosajjal [https://github.com/mosajjal]. The vulnerability CVE-2018-14847 [https://attackerkb.com/topics/oOoUGd0y46/cve-2018-14847?referrer=blog] allows any file from the router to be read through the Winbox server in RouterOS due to a lack of val

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Support for gathering ProxyUsername and ProxyPassword for saved PuTTY sessions, usability improvements for PsExec modules, and another CTF coming soon.

3 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

A bug fix for EternalBlue on Metasploit 6, four new modules, and a bunch of enhancements.

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Hacktoberfest 2020 and wisdom from around the Metasploit water cooler. Keep an eye out for more info on the next Metasploit community CTF (coming soon).

2 min Metasploit

Metasploit Wrap-Up

Enhancements, bug fixes, and a new SAP IGS module!

5 min Metasploit

Metasploit Wrap-Up

Windows secrets dump, an 'in' with Safari, and more!

9 min Metasploit

Exploitability Analysis: Smash the Ref Bug Class

Two Metasploit researchers evaluate the "Smash the Ref" win32k bug class for exploitability and practical exploitation use cases for pen testers and red teams looking to obtain an initial foothold in the context of a standard user account.

3 min Metasploit Weekly Wrapup

Metasploit Wrap-up

Nine new modules, including a module for Zerologon, a new SOCKS module, some privilege escalations, and another Java deserialization exploit.

3 min Metasploit

Metasploit Wrap-Up

Six new modules this week, and a good group of enhancements and fixes!

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Three new modules, including a Pwn2Own addition for OS X, plus proxy support for Python Meterpreter, new search improvements, and a reminder of how to report security issues in Metasploit.

4 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

New reflective PE file loader, a new module, new search improvements, and updates on Google Summer of Code projects.

2 min Metasploit

Metasploit Wrap-Up

Give me your hash This week, community contributor HynekPetrak [https://github.com/HynekPetrak] added a new module [https://github.com/rapid7/metasploit-framework/pull/13906] for dumping passwords and hashes stored as attributes in LDAP servers. It uses an LDAP connection to retrieve data from an LDAP server and then harvests user credentials in specific attributes. This module can be used against any kind of LDAP server with either anonymous or authenticated bind. Particularly, it can be used

2 min Metasploit

Metasploit Wrap-Up

Setting module options just got easier! Rapid7's own Dean Welch [https://github.com/dwelch-r7] added a new option [https://github.com/rapid7/metasploit-framework/pull/13961] to framework called RHOST_HTTP_URL, which allows users to set values for multiple URL components, such as RHOSTS, RPORT, and SSL, by specifying a single option value. For example, instead of typing set RHOSTS example.com, set RPORT 5678, set SSL true, you can now accomplish the same thing with the command set RHOST_HTTP_URL

2 min Metasploit

Metasploit Wrap-Up

vBulletin strikes again This week saw another vBulletin exploit released by returning community member Zenofex. This exploit module allows an unauthenticated attacker to run arbitrary PHP code or operating system commands on affected versions of the vBulletin web application. The vulnerability, which was also discovered by Zenofex, is identified as CVE-2020-7373 [https://attackerkb.com/topics/aIL9b0uOYc/cve-2020-7373?referrer=blog] and is effectively a bypass for a previously patched vulnerabili

5 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Metasploit 6 initial features and active development, the 2020 open-source security meetup (OSSM), four new modules, and the longest list of enhancements and fixes we've ever written in one sitting.

3 min Metasploit

Metasploit 6 Now Under Active Development

The Metasploit team announces active development of Metasploit Framework 6. Initial features include end-to-end encryption of Meterpreter communications, SMBv3 client support, and a new polymorphic payload generation routine for Windows shellcode.

3 min Metasploit

Metasploit Wrap-Up

SharePoint DataSet/DataTable deserialization First up we have an exploit from Spencer McIntyre (@zeroSteiner) for CVE-2020-1147 [https://attackerkb.com/topics/HgtakVczYd/cve-2020-1147?referrer=blog], a deserialization vulnerability in SharePoint instances that was patched by Microsoft on July 14th 2020 and which has been getting quite a bit of attention in the news lately. This module [https://github.com/rapid7/metasploit-framework/pull/13920] utilizes Steven Seeley (@stevenseeley)'s writeup al

1 min Metasploit

Open Source Security Meetup (OSSM): Virtual Edition

The Rapid7 Metasploit team will be hosting our annual Open Source Security Meetup (OSSM) as a virtual event Thursday, August 6th!

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Yes, it’s a huge enterprise vulnerability week (again) For our 100th release since the release of 5.0 [/2019/01/10/metasploit-framework-5-0-released/] 18 months ago, our own zeroSteiner [https://github.com/zeroSteiner] got us a nifty module for the SAP "RECON" vulnerability [https://attackerkb.com/topics/JubO1RiVBP/cve-2020-6287-critical-vulnerability-in-sap-netweaver-application-server-as-java] affecting NetWeaver version 7.30 to 7.50. It turns out those versions will allow anyone to create a

2 min Metasploit

Metasploit Wrap-Up

Plex unpickling The exploit/windows/http/plex_unpickle_dict_rce module [https://github.com/rapid7/metasploit-framework/pull/13741] by h00die [https://github.com/h00die] exploits an authenticated Python deserialization vulnerability in Plex Media Server. The module exploits the vulnerability by creating a photo library and uploading a Dict file containing a Python payload to the library’s path. Code execution is then achieved by triggering the plugin loading functionality, which unpickles the Dic

2 min Metasploit

Metasploit Wrap-Up

Intensity not on the Fujita scale SOC folks may have been feeling increased pressure as word spread of CVE-2020-5902 [https://attackerkb.com/topics/evLpPlZf0i/cve-2020-5902?referrer=blog#rapid7-analysis] being exploited in the wild. Vulnerabilities in networking equipment always pose a unique set of constraints for IT operations when it comes to mitigations and patches given their role in connecting users to servers, services or applications. Yet from an attacker’s perspective this vulnerabili

2 min Metasploit

Metasploit Wrap-Up

Shifting (NET)GEARs Community contributor rdomanski [https://github.com/rdomanski] added a module for Netgear R6700v3 routers [https://github.com/rapid7/metasploit-framework/pull/13768] that allows unauthenticated attackers on the same network to reset the password for the admin user back to the factory default of password. Attackers can then manually change the admin user's password and log into it after enabling telnet via the exploit/linux/telnet/netgear_telnetenable module, which will gran

2 min Metasploit

Metasploit Wrap-Up

Who watches the watchers? If you are checking up on an organization using Trend Micro Web Security, it might be you. A new module this week takes advantage of a chain of vulnerabilities to give everyone (read unauthenticated users) a chance to decide what threats the network might let slip through. Following the trend, what about watchers that are not supposed to be there? Agent Tesla Panel is a fun little trojan (not to be found zipping around on our highways and byways) which now offers, agai

2 min Metasploit

Metasploit Wrap-Up

Arista Shell Escape Exploit Community contributor SecurityBytesMe [https://github.com/SecurityBytesMe] added an exploit module [https://github.com/rapid7/metasploit-framework/pull/13303] for various Arista switches. With credentials, an attacker can SSH into a vulnerable device and leverage a TACACS+ shell configuration to bypass restrictions. The configuration allows the pipe character to be used only if the pipe is preceded by a grep command. This configuration ultimately allows the chaining

2 min Metasploit

Metasploit Wrap-Up

Windows BITS CVE-2020-0787 LPE in the Metasploit tree! This week, Grant Willcox [https://github.com/gwillcox-r7] presents his first Metasploit module contribution [https://github.com/rapid7/metasploit-framework/pull/13554] as part of our team. Research [https://itm4n.github.io/cve-2020-0787-windows-bits-eop/] from itm4n [https://github.com/itm4n] yielded CVE-2020-0787 [https://nvd.nist.gov/vuln/detail/CVE-2020-0787], describing a vulnerability in the Windows Background Intelligent Transfer Serv

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

vBulletin, WordPress, and WebLogic exploits, along with some enhancements and fixes.

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Hello, World! This week’s wrapup features six new modules, including a double-dose of Synology and everyone’s favorite, Pi-Hole. Little NAS, featuring RCE Synology stations are small(ish) NAS devices, but as Steve Kaun, Nigusu Kassahun, and h00die have shown, they are not invulnerable. In the first module, a command injection exists in a scanning function that allows for an authenticated RCE, and in the second, a coding feature leaks whether a user exists on the system, allowing for brute-forc

2 min Metasploit

Metasploit Wrap-Up

Bad WebLogic Our own Shelby Pace [https://github.com/space-r7] authored an exploit taking advantage of a Java object deserialization vulnerability in multiple versions of WebLogic. The new module has been tested with versions v12.1.3.0.0, v12.2.1.3.0, and v12.2.1.4.0 of WebLogic and allows remote code execution through sending a serialized BadAttributeValueExpException object over the T3 protocol to vulnerable WebLogic servers. Cram it in your Pi-Hole As the incredibly origina

2 min Metasploit

Metasploit Wrap-Up

Five new modules, including SaltStack Salt Master root key disclosure and unauthenticated RCE on Salt master and minion. A new Meterpreter fix also ensures correct handling of out-of-order packets in pivoted sessions.

5 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Nine new modules, including three IBM Data Risk Manager exploits, a couple of Windows privilege elevation modules, and a .NET deserialization exploit for Veeam ONE Agent. Plus, a new .NET deserialization tool that allows users to generate serialized payloads in the vein of YSoSerial.NET.

3 min Metasploit

Metasploit Wrap-up

Windows Meterpreter payload improvements Community contributor OJ [https://github.com/OJ] has made improvements to Windows Meterpreter payloads, specifically reducing complexity around extension building and loading. This change comes with the benefit of removing some fingerprint artifacts, as well as reducing the payload size as a side effect. Note that Windows meterpreter sessions that are open prior to this bump will not be able to load new extensions after the bump if they connect with a new in

3 min Metasploit

Metasploit Wrap-up

Security fix for the libnotify plugin (CVE-2020-7350) If you use the libnotify plugin to keep track of when file imports complete, the interaction between it and db_import allows a maliciously crafted XML file [https://github.com/rapid7/metasploit-framework/pull/13049] to execute arbitrary commands on your system. In proper Metasploit fashion, pastaoficial [https://github.com/pastaoficial] PR'd a file format exploit to go along with the fix, and our own smcintyre-r7 [https://github.com/smcintyre

2 min Metasploit

Metasploit Wrap-up

Nexus Repository Manager RCE This week our very own Will Vu [https://github.com/wvu-r7] wrote a module for CVE-2020-10199 which targets a remote code execution vulnerability within the Nexus Repository Manager. The vulnerability allows Java Expression Language (JavaEL) code to be executed. While the flaw requires authentication information to leverage it, any account is sufficient. This would allow any registered user to compromise the target server. Unquoted Service Path LPE Community contribu

3 min Vulnerability Risk Management

Meet AttackerKB

Meet AttackerKB: a new community-driven resource that highlights diverse perspectives on which vulnerabilities make the most appealing targets for attackers.

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Meterpreter bug fixes and five new modules, including an LPE exploit for SMBghost (CVE-2020-0796) and a BloodHound post module that gathers information (sessions, local admin, domain trusts, etc.) and stores it as a BloodHound-consumable ZIP file in Framework loot.

3 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

This week's release includes a local privilege escalation exploit for VMware Fusion through 11.5.3 on OS X, as well as RCE on Apache Solr and DNN cookie deserialization.

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Three new modules, including a post module to automate the installation of an embeddable Python interpreter on a target, and a new exploit for Microsoft SharePoint Workflows.

1 min Metasploit

How to Participate in Our Metasploit Pro Customer Survey

As a Metasploit Pro customer, we want to know what your priorities are, what challenges you’re facing, and how Metasploit Pro addresses those needs.

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Five new modules plus fixes and enhancements. Exploits for ManageEngine, rConfig, and SQL Server Reporting Services, among others.

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Four new modules and lots of productivity enhancements. You can now run `rubocop -a` to automatically fix most formatting issues when developing modules. Plus, try the new `tip` command in MSF for Framework usage tips!

3 min Metasploit

Metasploit Wrap-Up

Gift exchange If you're looking for remote code execution against Microsoft Exchange, Spencer McIntyre [https://github.com/zeroSteiner] crafted up a cool new module [https://github.com/rapid7/metasploit-framework/pull/13014] targeting a .NET serialization vulnerability in the Exchange Control Panel (ECP) web page. Vulnerable versions of Exchange don't randomize keys on a per-installation basis, resulting in reuse of the same validationKey and decryptionKey values. With knowledge of these, an at

3 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Android Binder UAF, OpenNetAdmin RCE, and a slew of improvements, including colorized HttpTrace output and a better debugging experience for developers.

3 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Long live copy and paste Adam Galway [https://github.com/adamgalway-r7] enhanced the set PAYLOAD command to strip the /payload/, payload/, and / prefixes from a payload name in an effort to improve the user experience while configuring an exploit's payload. You can see the new behavior [https://github.com/rapid7/metasploit-framework/pull/12946] below! msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload /payload/windows/x64/meterpreter/reverse_tcp payload => windows/x64/meterpreter/reve

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Ricoh Privilege Escalation No ink? No problem. Here’s some SYSTEM access. A new module [https://github.com/rapid7/metasploit-framework/pull/12906] by our own space-r7 [https://github.com/space-r7] has been added to Metasploit Framework this week that adds a privilege escalation exploit for various [https://www.ricoh.com/info/2020/0122_1/list] Ricoh printer drivers on Windows systems. This module takes advantage of CVE-2019-19363 [https://nvd.nist.gov/vuln/detail/CVE-2019-19363] by overwriting th

2 min Metasploit

Metasploit Wrap-up

In the week after our CTF, we hope the players had a good time and got back to their loved ones, jobs, lives, studies, and most importantly, back to their beds (and you can find out who the winners were here [/2020/02/03/congrats-to-the-winners-of-the-2020-metasploit-community-ctf/]!). For the Metasploit team, we went back to baking up fresh, hot modules and improvements that remind us in this flu season to not just wash your hands, but also, sanitize your inputs! SOHOwabout a Shell? Several [h

5 min Research

DOUBLEPULSAR over RDP: Baselining Badness on the Internet

How many internet-accessible RDP services have the DOPU implant installed? How much DOPU-over-RDP traffic do we see being sprayed across the internet?

22 min Research

DOUBLEPULSAR RCE 2: An RDP Story

In this sequel, wvu [https://github.com/wvu-r7] recounts the R&D (in all its imperfect glory) behind creating a Metasploit module for the DOUBLEPULSAR implant's lesser-known RDP variant. If you're unfamiliar with the more common SMB variant, you can read our blog post [/2019/10/02/open-source-command-and-control-of-the-doublepulsar-implant/] detailing how we achieved RCE with it. Table of Contents 0. Background 1. Extracting the implant 2. Installing the implant 3. Pinging the implant 4.

2 min Metasploit

Congrats to the winners of the 2020 Metasploit community CTF

After four days of competition and a whole lot of “trying harder,” we have the winners of this year's Metasploit community CTF [/2020/01/15/announcing-the-2020-metasploit-community-ctf/]. We've included some high-level stats from the game below; check out the scoreboard here [https://metasploitctf.com/scoreboard]. If you played the CTF and want to let the Metasploit team know which challenges you found exhilarating, interesting, or infuriating (in a good way, of course), we have a feedback surve

2 min Metasploit

Metasploit Team Announces Beta Sign-Up for AttackerKB

AttackerKB is a knowledge base of vulnerabilities and informed opinions on what makes them valuable (or not) targets for exploitation.

5 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Happy CTF week, folks! If you haven't already been following along with (or competing in) Metasploit's global community CTF [/2020/01/15/announcing-the-2020-metasploit-community-ctf/], it started yesterday and runs through Monday morning U.S. Eastern Time. Registration has been full for a while, but you can join the #metasploit-ctf channel on Slack [https://metasploit.com/slack] to participate in the joy and frustration vicariously. This week's Metasploit wrap-up takes a look back at work done

3 min Metasploit

Metasploit Wrap-up

Transgressive Traversal Contributor Dhiraj Mishra [https://github.com/RootUp] authored a neat Directory Traversal module [https://github.com/rapid7/metasploit-framework/pull/12773] targeted at NVMS-1000 Network Surveillance Management Software developed by TVT Digital Technology. Permitting the arbitrary downloading of files stored on a machine running compromised software [https://www.exploit-db.com/exploits/47774], this module becomes all the more attractive when you consider it's providing

4 min Research

Active Exploitation of Citrix NetScaler (CVE-2019-19781): What You Need to Know

A directory traversal vulnerability was announced in the Citrix Application Discovery Controller and Citrix Gateway, which would allow a remote, unauthenticated user to write a file to a location on disk.

2 min Metasploit

Metasploit Wrap-Up

Silly admin, Citrix is for script kiddies A hot, new module [https://github.com/rapid7/metasploit-framework/pull/12816] has landed in Metasploit Framework this week. It takes advantage of CVE-2019-19781, which is a directory traversal vulnerability in Citrix Application Delivery Controller (ADC) and Gateway. This exploit takes advantage of unsanitized input within the URL structure of one of the API endpoints to access specified directories. Conveniently, there is a directory available that house

5 min Metasploit

Announcing the 2020 Metasploit community CTF

Metasploit's community CTF is back! Starting January 30, players will have four days to find flags and win points and glory. Teams welcome.

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

A new OpenBSD local exploit Community contributor bcoles [http://github.com/bcoles] brings us a new exploit module for CVE-2019-19726, a vulnerability originally discovered by Qualys [https://blog.qualys.com/laws-of-vulnerabilities/2019/12/11/openbsd-local-privilege-escalation-vulnerability-cve-2019-19726] in OpenBSD. This vulnerability is pretty interesting in the sense that it leverages a bug in the _dl_getenv function that can be triggered to load libutil.so from an attacker-controlled loca

9 min Haxmas

Memorable Metasploit Moments of 2019

Here’s a smattering of the year’s Metasploit Framework highlights from 2019. As ever, we’re grateful to and for the community that keeps us going strong.

2 min Metasploit

Metasploit Wrap-Up

With 2019 almost wrapped up, we’ve been left wondering where the time went! It’s been a busy year for Metasploit, and we’re going out on a reptile-themed note this wrap-up... Python gets compatible With the clock quickly ticking down on Python 2 support [https://pythonclock.org/], contributor xmunoz [https://github.com/xmunoz] came through with some changes [https://github.com/rapid7/metasploit-framework/pull/12524] to help ensure most of Framework works with Python 3. While Python 3’s adoption

3 min Haxmas

A Visit from the Spirits of HaXmas Past

In this blog, Brent Cook takes a walk down memory lane of blogs of HaXmas past.

2 min Metasploit

Metasploit Wrap-Up

It’s beginning to look a lot like HaXmas [/tag/haxmas/], everywhere you go! We have a great selection of gift-wrapped modules this holiday season, sure to have you entertained from one to eight nights, depending on your preference! On a personal note, we here at the Metasploit workshop would like to welcome our newest elf, Spencer McIntyre [https://github.com/smcintyre-r7]. Spencer has been a long-time contributor to the project, and we’re thrilled to have him on the team! In the spirit of givi

3 min Metasploit

Metasploit Wrap-Up

Powershell Express Delivery The web_delivery module [https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/script/web_delivery.rb] is often used to deliver a payload during post exploitation by quickly firing up a local web server. Since it does not write anything to the target’s disk, payloads are less likely to be caught by anti-virus protections. However, since Microsoft added Antimalware Scan Interface (AMSI) [https://docs.microsoft.com/en-us/windows/win32/amsi/antim

3 min Metasploit

Metasploit Wrap-Up

Management delegation of shells Onur ER [https://github.com/onurer] contributed the Ajenti auth username command injection [https://github.com/rapid7/metasploit-framework/pull/12503] exploit module for the vulnerability Jeremy Brown discovered and published a PoC for on 2019-10-13 (EDB 47497) against Ajenti version 2.1.31. Ajenti is an open-source web-based server admin panel written in Python and JS. The application allows admins to remotely perform a variety of server management tasks. The ex

8 min Metasploit

Discovering a New Path in Asset Discovery: A Q&A with Metasploit Founder HD Moore

In honor of the 10-year anniversary of Rapid7’s acquisition of Metasploit, our latest episode of Security Nation features an interview with its founder, HD Moore.

3 min Metasploit

Metasploit Wrap-Up

Payload payday As we blogged about yesterday [/2019/11/21/metasploit-shellcode-grows-up-encrypted-and-authenticated-c-shells/], a new form of payload that is compiled directly from C when generated was added by space-r7 [https://github.com/space-r7]. We hope this is only the first step in a journey of applying the myriad tools that obfuscate C programs to our core payloads, so be sure to check out all the nifty workings of the code! If that wasn't enough, we also got a pair of payloads written f

7 min Metasploit

Metasploit Shellcode Grows Up: Encrypted and Authenticated C Shells

Introducing encrypted, compiled payloads in Metasploit Framework 5

3 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Pulse Secure VPN exploit modules, a notable BlueKeep exploit reliability improvement, and an overhaul of MSF's password cracking integration, including new support for hashcat.

2 min Metasploit

Metasploit Wrap-Up

Config R Us Many versions of network management tool rConfig are vulnerable to unauthenticated command injection, and contributor bcoles [https://github.com/bcoles] added a new exploit module [https://github.com/rapid7/metasploit-framework/pull/12507] for targeting those versions. Present in v3.9.2 and prior, this vulnerability centers around the install directory not being automatically cleaned up following software installation, leaving behind a PHP file that can be utilized to execute arbitr

1 min Metasploit

Metasploit Wrap-Up

This week's Metasploit wrap-up ships a new exploit module against Nostromo, a directory traversal vulnerability that allows system commands to be executed remotely. Also, improvements have been made for the grub_creds module for better post exploitation experience against Unix-like machines. Plus a few bugs that have been addressed, including the -s option for NOPs generation, the meterpreter prompt, and reverse_tcp hanging due to newer Ruby versions. New modules (1) * Nostromo Directory Trave

2 min Metasploit

Metasploit Wrap-Up

Is URGENT/11 urgent to your world? Metasploit now has a scanner module to help find the systems that need URGENT attention. Be sure to check the options on this one; RPORTS is a list to test multiple services on each target. Thanks to Ben Seri [https://twitter.com/benseri87] for the PoC that led off this work. Everyone likes creds, a new post module [https://github.com/rapid7/metasploit-framework/pull/12462] landed this week from Taeber Rapczak [https://github.com/taeber] that brings back credent

2 min Metasploit

Metasploit Wrap-up

Nagios XI post module Nagios XI may store the credentials of the hosts it monitors, and with the new post module [https://github.com/rapid7/metasploit-framework/pull/12136] by Cale Smith [https://github.com/caleBot], we're now able to extract the Nagios database content along with its SSH keys and dump them into the MSF database. With the addition of this new post module, we can conveniently increase the opportunities for lateral movement. Environment-based API token authentication Our own ekel

2 min Metasploit

Metasploit Wrap-up

Exploiting Windows tools There are two new Windows modules this week, both brought to you by the Metasploit team. The Windows Silent Process Exit Persistence module [https://github.com/rapid7/metasploit-framework/pull/12375], from our own bwatters-r7 [https://github.com/bwatters-r7], exploits a Windows tool that allows for debugging a specified process on exit. With escalated privileges, an attacker can configure the debug process and then use the module to upload a payload which will launch e

1 min Metasploit

Metasploit Wrap-Up

Command and Control with DOUBLEPULSAR We now have a DOUBLEPULSAR exploit module [https://github.com/rapid7/metasploit-framework/pull/12374] thanks to some amazing work by our own wvu [https://github.com/wvu-r7], Jacob Robles, and some significant contributions from the wider community. The module allows you to check for the DOUBLEPULSAR implant, disable it, or even load your own payloads as well; it really deserves its own blog post… [/2019/10/02/open-source-command-and-control-of-the-doublepuls

20 min Research

Open-Source Command and Control of the DOUBLEPULSAR Implant

Metasploit researcher William Vu shares technical analysis behind a recent addition to Framework: a module that executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB and allows users to remotely disable the implant.

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

BlueKeep is Here The BlueKeep exploit module [https://github.com/rapid7/metasploit-framework/pull/12283] is now officially a part of Metasploit Framework. This module reached merged status thanks to lots of collaboration between Rapid7 and the MSF community members. The module requires some manual configuration per target, and targets include both virtualized and non-virtualized versions of Windows 7 and Windows Server 2008. For a full overview of the exploit’s development and notes on use and d

1 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

On the correct list AppLocker and Software Restriction Policies control the applications and files that users are able to run on Windows Operating Systems. These two protections have been available to the blue team for years. AppLocker is supported on Windows 7 and above, and Software Restriction Policies is supported on Windows XP and above. Encountering either during an engagement could slow you down; however, look no further than the evasion modules for assistance. Nick Tyrer [https://github.

3 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Fall is in the air, October is on the way, and it is Friday the 13th. We have a lot of updates and features that landed this week, though none are particularly spooky, and unfortunately, none are json-related…1 We recently updated our digital signing keys, and some users may have seen warnings that their Metasploit packages were not signed. We’ve fixed this as of this week—apologies for any confusion. If you are still experiencing signing issues, you may need to re-download Metasploit installer

4 min InsightVM

How Rapid7 Industry Research Strengthens InsightVM

Rapid7’s vulnerability scanner, InsightVM is backed by multiple large-scale research projects that keep it on the leading edge of vulnerability risk management.

3 min Metasploit

Metasploit Wrap-Up

At our (final!) DerbyCon Town Hall today, the Metasploit team announced the release of an initial exploit module PR for CVE-2019-0708, aka BlueKeep.

4 min Metasploit

Initial Metasploit Exploit Module for BlueKeep (CVE-2019-0708)

Today, Metasploit is releasing an initial public exploit module for CVE-2019-0708, also known as BlueKeep, as a pull request on Metasploit Framework.

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Back to school blues Summer is winding down and while contributions haven't dropped off (thanks y'all!), we've been tied up with events and a heap of research. Don't despair, though: our own Brent Cook [https://github.com/busterb], Pearce Barry, Jeffrey Martin [https://github.com/jmartin-r7], and Matthew Kienow [https://github.com/mkienow-r7] will be at DerbyCon 9 running the Metasploit Town Hall at noon Friday. They'll be delivering a community update and answering questions, so be sur

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

A LibreOffice file format exploit, plus improvements to TLS and CredSSP-based fingerprinting.

5 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Hacker Summer Camp Last week, the Metasploit team flew out to sunny, hot, and dry Las Vegas for Hacker Summer Camp (Black Hat, BSidesLV, and DEF CON). It was a full week of epic hacks, good conversation, and even a little business! If you managed to catch us at our Open Source Office Hours [https://blog.rapid7.com/2019/07/15/metasploit-open-source-office-hours-in-vegas/] (previously OSSM, the Open Source Security Meetup) in Bally's, we just wanted to say thanks for making the trek through the

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Keep on Bluekeepin’ on TomSellers [https://github.com/TomSellers] added a new option to the increasingly useful Bluekeep Scanner module [https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb] that allows execution of a DoS attack when running the module. This adds a new level of effectiveness in proving the severity of this vulnerability. As part of this update, TomSellers [https://github.com/TomSellers] moved and refactored a lot of

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

A new feature, better `set payload` options, and new modules. Plus, open-source office hours in Vegas during hacker summer camp.

5 min Metasploit

Introducing Pingback Payloads

The Metasploit team added a new feature to Framework that improves safety and offers another avenue in MSF for novel evasion techniques: pingback payloads.

1 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

First!! Congrats to Nick Tyrer [https://github.com/NickTyrer] for the first community-contributed evasion module to land in master. Nick's evasion/windows/applocker_evasion_install_util module [https://github.com/rapid7/metasploit-framework/pull/11795] leverages the trusted InstallUtil.exe binary to execute user-supplied code and evade application whitelisting. New modules (4) * WP Database Backup RCE [https://github.com/rapid7/metasploit-framework/pull/12010] by Mikey Veenstra / Wordf

2 min Research

[Research] Under the Hoodie, 2019 Edition: Lessons Learned from 180 Penetration Tests

Our 2019 Under the Hoodie report covers the measurable results of about 180 penetration tests conducted by Rapid7. Find out what we learned.

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

RCE with a Key An exploit module [https://github.com/rapid7/metasploit-framework/pull/12062] for Laravel Framework was submitted by community contributor aushack [https://github.com/aushack]. The module targets an insecure unserialize call with the X-XSRF-TOKEN HTTP request header, which was discovered by Ståle Pettersen. Since the exploit requires the Laravel APP_KEY to reach the vulnerable unserialize call, aushack included information leak [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-

1 min Metasploit

End of Sale Announced for Metasploit Community

Today we are announcing end of sale for Metasploit Community Edition, effective immediately.

3 min Events

Metasploit Open Source Office Hours: Vegas 2019

The Metasploit crew at Rapid7 is headed out to Las Vegas for DEF CON 27, bringing a new incarnation of the Open Source Security Meetup (OSSM) with us! We will have a Metasploit Suite at Bally’s this year, where we’ll be hosting “Open Source Office Hours” (OSOH). If you’ll be out in Vegas for DEF CON 27, take a moment and ask yourself: * Are you currently working on a Metasploit module/payload and could use some guidance? * Are you modifying Framework and you’d like to discuss? * Are you w

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

We hope our American friends had a wonderful Fourth of July weekend! There are no new modules this week, so instead we're featuring two enhancements that fix some long outstanding Framework bugs. Check out last week’s holiday wrap-up [/2019/07/05/metasploit-wrap-up-24/] for a list of the modules that landed while the U.S. was watching fireworks. GatherProof (or don't) Using ssh_login* on certain non-standard devices such as Brocade switches [https://github.com/rapid7/metasploit-framework/issues

3 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Injecting the Time Machine From contributor timwr [https://github.com/timwr] comes a new module targeting Time Machine on macOS 10.14.3 and earlier. Specifically, the tmdiagnose binary for these vulnerable versions suffers from a command injection vulnerability that can be exploited via a specially crafted disk label. This new module uses an existing session for exploitation on the target, allowing the Framework user to run a payload as root. What’s on TV? If you are nearby to a vulnerable Supr

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

I am Root An exploit module [https://github.com/rapid7/metasploit-framework/pull/11987] for Nagios XI v5.5.6 was added by community contributor yaumn [https://github.com/yaumn]. This module includes two exploits chained together to achieve code execution with root privileges, and it all happens without authentication. A single unsanitized parameter in magpie_debug.php enables the ability to write arbitrary PHP code to a publicly accessible directory and get code execution. Privilege escalation

1 min Metasploit

Metasploit Development Diaries: Q2 2019

Hey folks, it's towards the end of the second quarter, which means it's high time for another Metasploit Dev Diary! If you already know what this series is about, feel free to just click on over here [https://www.rapid7.com/research/report/metasploit-development-diaries-q2-2019] and read away. If you need more convincing, here's the skinny. Once a quarter, the indomitable Metasploit [https://www.rapid7.com/products/metasploit/] engineering team is going to pull you, dear reader, behind the cur

3 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

TLS support and expanded options for the BlueKeep scanner module, two new modules for Cisco Prime Infrastructure, and more.

5 min Metasploit

Metasploit Hackathon Wrap-Up: What We Worked On

As part of the Metasploit project's second hackathon, Metasploit contributors and committers got together to discuss ideas, write some code, and have some fun.

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

It’s Summertime, and the Hackin’ is Easy It is still early in the season, but there’s a whole lot of fixes that are already shipping. Straight off a week of intellectual synergy from the world-wide hackathon, we started to fix a lot of things we noticed while we coded over street tacos and Austin-famous beverages. All told, this week we made Metasploit more inclusive, transparent, and configurable! Inclusive @wvu-r7 has been on a roll trying to make Metasploit play well with others. He teamed u

18 min Windows

Heap Overflow Exploitation on Windows 10 Explained

Heap corruption can be a scary topic. In this post, we go through a basic example of a heap overflow on Windows 10.

3 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Read up on how the recent community hackathon in Austin went, three new modules, and the usual long list of fixes and enhancements.

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Unauthenticated scanner for BlueKeep, community hackathon in Austin, and the usual long list of fixes and enhancements.

3 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

BSD love Outside of macOS, not many people run (or run into) a BSD-flavored system very often. Even so, bcoles [https://github.com/bcoles] and space-r7 [https://github.com/space-r7] teamed up for a pair of BSD enhancements. The first, a privilege escalation, affects FreeBSD's runtime linker dealing with LD_PRELOAD in FreeBSD 7.1, 7.2, and 8.0. The next enhancement adds BSD targets to our known-credential ssh executor, which now allows BSD-specific payloads. Not wanting macOS to be left out ti

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Take a moment from this week's barrage of vulnerabilities in seemingly everything to see the cool stuff happening with the Metasploit team of contributors: a video interview between two greats, a new exploit module in GetSimple CMS, and a whole host of improvements.

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

A new Chrome browser exploit, some WebLogic RCE, and an exploit for PostgreSQL. Also announcing the return of our annual Open-Source Security Meetup in Vegas!

1 min Vulnerability Disclosure

WebLogic Deserialization Remote Code Execution Vulnerability (CVE-2019-2725): What You Need to Know

Oracle has released an out-of-band security advisory and set of patches for Oracle WebLogic Server versions 10.3.6.0 and 12.1.3.0.

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Better persistence options thanks to two new modules for Yum and APT package managers. Plus, new exploits for Rails DoubleTap and Spring Cloud Config.

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Faster tab completion for `set PAYLOAD` and faster output for `show payloads`. Plus, four new exploits, including unauthenticated template injection for Atlassian Confluence and Ruby on Rails DoubleTap directory traversal.

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

A more useful use command From among the many musings of longtime contributor/team member Brent Cook [https://github.com/busterb], in a combined effort with the ever-present wvu [https://github.com/wvu-r7], the use command has become so much more useful. PR 11724 [https://github.com/rapid7/metasploit-framework/pull/11724] takes new functionality [https://github.com/rapid7/metasploit-framework/pull/11652] from search -u one step further by automatically applying it when use is called with a uniq

3 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

WordPress RCE tiyeuse [https://github.com/tiyeuse] submitted a Metasploit module [https://github.com/rapid7/metasploit-framework/pull/11587] for an authenticated remote code execution vulnerability in WordPress, which was described in a blog post by RIPS Technology [https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/]. After authenticating as a user with at least author privileges, the module starts by uploading an image file with PHP code that will be used later. Then the imag

2 min Metasploit

Metasploit Wrap-Up

Your workflow just got easier Are you tired of copy/pasting module names from the search results before you can use them? Thanks to this enhancement (PR #11652) [https://github.com/rapid7/metasploit-framework/pull/11652] by Brent Cook [https://github.com/busterb], you can now run search with the -u flag to automatically use a module if there is only one result. Now you're one step closer to popping a shell! A pair of new JSO modules Metasploit published research a few weeks ago on Java Serializ

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Introducing Metasploit Development Diaries We are happy to introduce a new quarterly series, the Metasploit Development Diaries [/2019/03/26/introducing-the-metasploit-development-diaries/]. The dev diaries walk users and developers through some example exploits and give detailed analysis of how the exploits operate and how Metasploit evaluates vulnerabilities for inclusion in Framework. The first in the dev diaries series features technical analysis by sinn3r [https://twitter.com/_sinn3r?lang=e

2 min Metasploit

Introducing the Metasploit Development Diaries

In our new Metasploit Development Diaries series, we will share stories of how exploitable conditions become stable, seasoned Metasploit Framework modules.

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Spring is here: Four new modules and metashell improvements.

1 min Research

A Serial Problem: Exploitation and Exposure of Java Serialized Objects

In our new research report, we take a look at Java Serialized Objects (JSOs), which are a reliable threat vector and present a rising threat to enterprise networks.

3 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

elFinder remote command injection elFinder [https://github.com/Studio-42/elFinder] is a client-side open-source file manager tool written for web applications. In a browser it has the look and feel of a native file manager application. It ships with a PHP connector [https://github.com/Studio-42/elFinder/tree/master/php], which integrates the client side with the back end server. The connector provides the ability for unauthenticated users to upload an image and resize it. It does so by shelling

3 min Metasploit

Metasploit Wrap-Up

The Payload UUID and paranoid mode Meterpreter payload and listener features were first introduced and added to many HTTP and TCP Metasploit payloads in mid-2015.

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

An improvement to HTTP command stagers allows exploits to write on-disk stagers to the location of your choosing.

4 min Metasploit Weekly Wrapup

Metasploit Wrap-up

Document ALL THE THINGS! This release sees quite a bit of documentation added with a module doc from bcoles and four new module docs from newer docs contributor Yashvendra [https://github.com/Yashvendra]. Module docs can be viewed with info -d and are extremely helpful for getting acquainted with a module's capabilities and limitations. We greatly value these contributions because, while not cool h4x0r features by themselves, each one means that fewer people have to read the code to understand ho

3 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Crock-Pot cooking with Metasploit Belkin's Wemo [https://en.wikipedia.org/wiki/Belkin_Wemo] line of smart home devices offers users a variety of internet-connected gadgets and gizmos they can control around the home. One of those happens to be a Crock-Pot [https://www.crock-pot.com/wemo-landing-page.html]. We went ahead and bought one. Naturally, it made sense for us to write a module [https://github.com/rapid7/metasploit-framework/pull/10731] to control our new slow cooker via the UPnP [https:

3 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Ubiquitous Devices Our Rapid7 Labs team pulled the thread [/2019/02/01/ubiquiti-discovery-service-exposures/] on some recent buzz around exploitable Ubiquiti devices, which led to a new scanner module [https://github.com/rapid7/metasploit-framework/pull/11338] ( auxiliary/scanner/ubiquiti/ubiquiti_discover.rb) from jhart-r7 [https://github.com/jhart-r7]. This module uses a simple UDP protocol to identify potentially exploitable Ubiquiti devices on your network, and can return details like MAC an

2 min Metasploit

Metasploit Wrapup

Hi everyone! For those in the US, hope you all had a great MLK weekend. We have a pretty light release due to the holiday, but we still have some cool stuff in the house. Check it out!

1 min Metasploit

Metasploit Wrapup

This week, phra offers up a new potato dish to make privilege escalation in Windows just a bit tastier.

2 min Metasploit Weekly Wrapup

Metasploit Wrap-up

MSF 5 in the wild We announced the release [/2019/01/10/metasploit-framework-5-0-released/] of Metasploit Framework 5.0 this week. It’s Metasploit’s first major version release since 2011, and it includes lots of good stuff the team has been working on for the past year-plus. It will be packaged and integrated into your favorite software distributions over the next few months; until then, you can get MSF 5 by checking out the 5.0.0 tag [https://github.com/rapid7/metasploit-framework/releases/tag

5 min Metasploit

Metasploit Framework 5.0 Released!

We are happy to announce the release of Metasploit 5.0, the culmination of work by the Metasploit team over the past year.

2 min Metasploit Weekly Wrapup

Metasploit Wrap-up

Happy New Year to the Metasploit community! As we kick off 2019, we're excited to see all the modules, enhancements, and discussions the new year will bring. Ring In 2019 With SSL There is a new datastore option [https://github.com/rapid7/metasploit-framework/pull/11160] courtesy of wvu [https://github.com/wvu-r7] called CMDSTAGER::SSL. This exposes the ability to enable SSL/TLS command stagers with set cmdstager::ssl true. Auld Erlang Syne Good news if you're a fan of the multi/misc/erlang_co

25 min Haxmas

The Ghost of Exploits Past: A Deep Dive into the Morris Worm

In this post, we will dive into the exploit development process for the three modules we created in honor of the 30th anniversary of the Morris worm.

7 min Haxmas

The New Shiny: Memorable Metasploit Moments of 2018

Happy HaXmas, friends. Metasploit turned 15 this year, and by all accounts, 2018 was pretty epic.

2 min Metasploit Weekly Wrapup

Metasploit Wrapup

Safari Proxy Object Type Confusion Metasploit committer timwr [https://github.com/timwr] recently added a macOS Safari RCE exploit module [https://github.com/rapid7/metasploit-framework/pull/10944] based on a solution [https://github.com/saelo/pwn2own2018] that saelo [https://github.com/saelo] developed and used successfully at Pwn2Own 2018 [https://www.thezdi.com/blog/2018/3/14/welcome-to-pwn2own-2018-the-schedule]. saelo's exploit is a three-bug chain: a Safari RCE (CVE-2018-4233), a sandbox

2 min Metasploit Weekly Wrapup

Metasploit Wrapup

Backups that Cause Problems hypn0s [https://github.com/hypn0s] contributed a module [https://github.com/rapid7/metasploit-framework/pull/10960] that exploits Snap Creek’s Duplicator plugin for WordPress. Duplicator is a plugin that eases the backup and migration of WordPress installations. For versions 1.2.40 and below, Duplicator leaves behind a number of sensitive files, including one that gives access to controlling the WordPress restoration process. Sending a POST request to the now accessib

2 min Metasploit

Metasploit Wrapup

If you are tired of all the snake memes and images we pushed out as we stood up support for python external modules over the last year or so, I have terrific news for you!

2 min Metasploit

Congrats to the 2018 Metasploit community CTF winners

After three days of fierce competition, we have the winners of this year's Metasploit community CTF [/2018/11/05/announcing-the-2018-metasploit-community-ctf/]. We've included some high-level stats from the game below; check out the scoreboard here [https://metasploitctf.com/scoreboard]. If you played the CTF this weekend and want to let the Metasploit team know which challenges you found exhilarating, interesting, or infuriating (in a good way, of course), we have a survey up here: https://r-7

4 min Metasploit Weekly Wrapup

Metasploit Wrapup

Why can't I hold all these Pull Requests? It has been a busy month here in Metasploit-land, with the holidays, the holiday community contributions, and our community CTF [/2018/11/05/announcing-the-2018-metasploit-community-ctf/]. It doesn't help that the last few months have seen our open pull request count keep climbing as well, reaching over 90 at times. Our fearless leader, busterb [https://github.com/busterb], decided to take on the challenge and landed over 20 PRs by himself in the last tw

2 min Metasploit Weekly Wrapup

Metasploit Wrapup

The Malicious Git HTTP Server For CVE-2018-17456 module by timwr exploits a vulnerability in Git that can cause arbitrary code execution when a user clones a malicious repository using commands such as git clone --recurse-submodules and git submodule update.

2 min Metasploit Weekly Wrapup

Metasploit Wrapup

Now in Framework: Exploit for jQuery File Upload plugin vuln, two new post modules to exfil images and texts from compromised iOS devices. Plus, this year's community CTF.

3 min Metasploit

Announcing the 2018 Metasploit Community CTF

Two targets, three days, and a thousand teams: Put your skills to the test for a chance to win prizes and bragging rights in Metasploit’s 2018 community CTF.

3 min Metasploit Weekly Wrapup

Metasploit Wrapup

Today marks the 30th anniversary of the Morris worm. We were hit by a wave of nostalgia, so here's a little history and a module-trip down memory lane courtesy of wvu.

4 min Metasploit

Metasploit Wrapup

We got to hit the build button three times this week. It's not something that we normally do, since the Metasploit release each week triggers automatically. But it's been such a week of surprise vulnerabilities and improvements that it made sense to get a few extra builds out the door. So, Metasploit this week jumps from 4.14.18 to 4.17.21. Look for it during your next Metasploit romp. Exploit wrapup While the excitement around libssl CVE-2018-10933 [https://github.com/rapid7/metasploit-framewo

2 min Metasploit Weekly Wrapup

Metasploit Wrapup

A brand new Solaris module, improved Struts module, and the latest improvements.

3 min Metasploit Weekly Wrapup

Metasploit Wrapup

New evasion modules in Metasploit Framework, highlights from our Town Hall at DerbyCon VIII, and the last week's improvements and module additions.

1 min Metasploit

Introducing Metasploit’s First Evasion Modules

Rapid7's Metasploit team is proud to announce we have released the first-ever antivirus evasion module in Metasploit Framework.

2 min Metasploit Weekly Wrapup

Metasploit Wrapup

Metasploit’s Brent Cook, Adam Cammack, Aaron Soto, and Cody Pierce are offering themselves up to the crowds at this year’s fourth annual Metasploit Town Hall at Derbycon.

2 min Metasploit Weekly Wrapup

Metasploit Wrapup

Trevor Forget: Metasploit Town Hall @ Derbycon Metasploit’s Brent Cook [/author/brent-cook], Adam Cammack [/author/adam-cammack], Aaron Soto [/author/aaron], and Cody Pierce are offering themselves up to the crowds at this year’s fourth annual Metasploit Town Hall at Derbycon [https://www.derbycon.com/]. Heading to bourbon country next weekend? Block off your 5 PM hour on Saturday, October 6 to join the team as they unveil some new hotness in Metasploit Framework and take questions and requests

4 min Penetration Testing

Putting Pen (Tests) to Paper: Lessons and Learnings from Rapid7’s Annual Mega-Hackathon

Rapid7's Mega-Hackathon offers a unique chance to go beyond the data and get a feel for what pen testers are like in their natural habitat.

2 min Metasploit Weekly Wrapup

Metasploit Wrapup

Tomorrow brings the fall equinox, and that means (as we are almost contractually obligated to say at this point) winter is coming.

2 min Metasploit Weekly Wrapup

Metasploit Wrapup

Your weekly run-down of the modules and improvements that landed in Metasploit Framework.

3 min Metasploit

Summertime and the Coding Is (Sometimes) Easy: What I Learned During GSoC for Metasploit

My name is Eliott Teissonniere, and I was selected as a Google Summer of Code (GSoC) student for Metasploit this summer! Today, I am excited to tell you more about what we did and what’s next.

2 min Metasploit Weekly Wrapup

Metasploit Wrapup

Ghost(script) in the shell There has been a lot of buzz the last couple of weeks about Google Project Zero's Tavis Ormandy's new Ghostscript -dSAFER bypass, now complete with a Metasploit module. With some valiant work by wvu [https://github.com/wvu-r7] and taviso [https://github.com/taviso] himself, the latest way to break out of a PDF is now at your fingertips. If you pulled an advance copy from the PR [https://github.com/rapid7/metasploit-framework/pull/10564], make sure to use the refined vers

6 min Metasploit

External Metasploit Modules: The Gift that Keeps on Slithering

For HaXmas last December, I wrote about the introduction of Python modules to Metasploit Framework. As our module count keeps on growing, we thought that it would be a good time to update the community on where we are at.

3 min Metasploit Weekly Wrapup

Metasploit Wrapup

VPN to root The Network Manager VPNC Username Privilege Escalation [https://github.com/rapid7/metasploit-framework/pull/10482] module by bcoles [https://github.com/bcoles] exploits a privilege escalation attack in the Network Manager VPNC plugin configuration data (CVE-2018-10900) to gain root privileges. Network Manager VPNC versions prior to 1.2.6 are vulnerable and the module has been successfully tested against 1.2.4-4 on Debian 9.0.0 (x64) and 1.1.93-1 on Ubuntu Linux 16.04.4 (x64). The e

1 min Metasploit Weekly Wrapup

Metasploit Wrapup

ssh_enumusers Gets An Update wvu [https://github.com/wvu-r7] integrated the malformed packet technique [https://nvd.nist.gov/vuln/detail/CVE-2018-15473] into the ssh_enumusers module originally written by kenkeiras [https://github.com/kenkeiras]. This module allows an attacker to guess the user accounts on OpenSSH servers running versions up to 7.7, so the module now works on more versions than before. GSoC Wraps Up As Google Summer of Code finished up, Framework received an array of new and e

3 min Metasploit

Metasploit Wrapup

We had a great time meeting everyone at the various Metasploit events at hacker summer camp last week, including two popup capture the flag events with Metasploitable3, the Open Source Security Meetup and selling Metasploit 0xf Anniversary Tour.

2 min Metasploit Weekly Wrapup

Metasploit Wrapup

Check Yourself Before You Wreck Yourself Even if you're a pro sleuth who can sniff out a vulnerability on even the most hardened of networks, it's always nice to have some added validation that your attack is going to be successful. That's why it's always valuable to have a solid "check" method available to verify that you're barking up the right tree. This week bcoles [https://github.com/bcoles] upgraded the UAC check for Windows [https://github.com/rapid7/metasploit-framework/pull/10419] to

3 min Metasploit Weekly Wrapup

Metasploit Wrapup

Meterpreter on Axis Everyone loves shells, but Meterpreter sessions are always better. Thanks to William Vu, the axis_srv_parhand_rce [https://github.com/rapid7/metasploit-framework/pull/10409] module is now capable of giving you a Meterpreter session instead of a regular shell with netcat. DLL Injection for POP/MOV SS Another awesome improvement is Brendan Watters' work on the POP/MOV SS exploit [https://github.com/rapid7/metasploit-framework/pull/10387] against Windows (CVE-2018-8897), also k

2 min Metasploit Weekly Wrapup

Metasploit Wrapup

CMS Exploitation Made Simple "CMS Made Simple" is an open-source Content Management System. Mustafa Hasen discovered and reported [http://dev.cmsmadesimple.org/bug/view/11741] that versions 2.2.5 and 2.2.7 include a vulnerability in file uploads that permits an authenticated attacker to gain execution of arbitrary PHP scripts. The multi/http/cmsms_upload_rename_rce [https://www.rapid7.com/db/modules/exploit/multi/http/cmsms_upload_rename_rce] exploit module uses our PHP Meterpreter to gain full

2 min Metasploit Weekly Wrapup

Metasploit Wrapup

Privilege Escalation Linux BPF CVE-2017-16995 [https://nvd.nist.gov/vuln/detail/CVE-2017-16995] is a Linux kernel vulnerability in the way that a Berkeley Packet Filter (BPF) is verified. Multiple sign extension bugs allow memory corruption by unprivileged users, which could be used for a local privilege escalation attack by overwriting a credential structure in memory to gain root access to a compromised host. The bpf_sign_extension_priv_esc module [https://github.com/rapid7/metasploit-framew

1 min Events

Open Source Security Meetup (OSSM): Vegas 2018

Want to chat with members of the Metasploit Framework core dev team about open source security in Vegas this year? Come to the fourth annual OSSM (Open Source Security Meetup) August 9.

3 min Metasploit Weekly Wrapup

Metasploit Wrapup

Committing to some shells in GitList Shelby [https://github.com/space-r7] has been killing it with new exploit and aux modules by the day. In this iteration, she's produced an exploit [https://github.com/rapid7/metasploit-framework/pull/10262] for GitList 0.6.0 and likely older versions. The software is built on PHP and allows users to view a Git repo on the web. Through an argument injection, a fake pager [https://en.wikipedia.org/wiki/Terminal_pager] can be executed... that is really our shell

1 min Metasploit

Metasploit Wrapup

New Modules Exploit modules (3 new) * Nagios XI Chained Remote Code Execution [https://www.rapid7.com/db/modules/exploit/linux/http/nagios_xi_chained_rce_2_electric_boogaloo] by Benny Husted [https://github.com/BennyHusted], Cale Smith [https://github.com/caleBot], and Jared Arave [https://www.exploit-db.com/author/?a=9106], which exploits CVE-2018-8736. Monitor this series of unfortunate events all the way to magical shells. * Boxoft WAV to MP3 Converter v1.1 Buffer Overflow

2 min Metasploit Weekly Wrapup

Metasploit Wrapup

Moar Power OJ Reeves [https://github.com/OJ] added [https://github.com/rapid7/metasploit-framework/pull/10206] two new PowerShell transport functions to Metasploit payloads and made modifications to the PowerShell transport binding functionality. The aptly-named Add-TcpTransport function adds an active TCP transport to the current session and the Add-WebTransport function adds an HTTP/S transport to the current session. These functions are fully documented, allowing the user to leverage the Ge

3 min Metasploit Weekly Wrapup

Metasploit Wrapup

Welcome to another installment of the week! This installment features a new ETERNALBLUE module in everyone's favorite reptile-brain language, Python! Sporting support for Windows 8 and 10, it has everything you need, including immutable strings and enforced whitespace. In other Windows 10 news, chervalierly [https://github.com/chervaliery] fixed an annoying bug in rex-powershell that prevented PsExec from working on later versions of Windows 10. Now, you can PsExec to your heart’s content. Go

2 min Metasploit Weekly Wrapup

Metasploit Wrapup

New Privilege Escalation Exploit The glibc 'realpath()' module [https://github.com/rapid7/metasploit-framework/pull/10101] was added by bcoles [https://github.com/bcoles]. It attempts to gain root privileges on Debian-based Linux systems by exploiting a vulnerability in GNU C Library (glibc) version <= 2.26. This exploit uses halfdog's [https://github.com/halfdog] RationalLove exploit to expose a buffer underflow error in glibc realpath() and create a SUID root shell. The module includes offset

2 min Metasploit Weekly Wrapup

Metasploit Wrapup

Just Let Me Grab My Popcorn First This week, rmdavy [https://github.com/rmdavy] contributed a pair of modules designed to fool Windows into authenticating to you so you can capture sweet, sweet NetNTLM hashes. BadODT [https://github.com/rapid7/metasploit-framework/pull/10067] targets LibreOffice/Apache OpenOffice by providing a link to an image on a network share, and the new Multi Dropper [https://github.com/rapid7/metasploit-framework/pull/10115] creates all sorts of files Windows itself lov

1 min Metasploit

Announcement: End of Life for Metasploit Express Edition

Today, June 4th, 2018, Rapid7 announced that Metasploit Express edition will see end of life on June 4th, 2019. This is being done to focus efforts on Metasploit Pro [https://www.rapid7.com/products/metasploit/], which continues to be a major investment for Rapid7 and will consistently see new innovations. Milestone: End of life announcement date. Description: The date that the end of life date has been announced to the general public. Date: June 4th, 2018. Milestone: Last date of support. Description: The last date to rec

2 min Metasploit Weekly Wrapup

Metasploit Wrapup

Upgrade Your SOCKS Thanks to zeroSteiner [https://github.com/zeroSteiner], we have some very nice additions to the SOCKS5 library this week. His changes enabled BIND connections through the SOCKS5 proxy [https://github.com/rapid7/metasploit-framework/pull/9990], improved automated testing around the code, and broke it up into more manageable, targeted submodules. Now that Trevor’s dying wish [https://twitter.com/Bandrel/status/912312568055771137] has been fulfilled, the team can finally leave

3 min Metasploit Weekly Wrapup

Metasploit Wrapup

Bonjour! Que désirez-vous? We want to know what you'd like to see out of our latest Metasploit improvements. Please take a moment to fill out our community survey to help shape Metasploit's new backend data service. Tell us how you use the Metasploit database, which Metasploit data you use with other tools, how you need to store data from modules you've written, and so on. Please take our survey! [https://docs.google.com/forms/d/e/1FAIpQLSckVYKP9qVg_VSQcYPoFaYperYFBfmjfZXwi6jIxDokdext6Q/viewfor

3 min Metasploit Weekly Wrapup

Metasploit Wrapup

You Compile Me Our very own wchen-r7 [https://github.com/wchen-r7] added the ability to compile C code in Metasploit, including (select) dependencies, by creating a wrapper for metasm. Right now, support for windows.h is the first salvo in custom compiling tools within the Metasploit interface! Hack all the things! For a long time, people have asked us to support RHOSTS in exploits just like we do in AUX modules. We listened, and now framework exploits support RHOSTS! Set your exploit, your

2 min Metasploit Weekly Wrapup

Metasploit Wrapup

Chaining Vulnerabilities Philip Pettersson discovered vulnerabilities in certain PAN OS versions [http://seclists.org/fulldisclosure/2017/Dec/38] that could lead to remote code execution and hdm wrote a Metasploit module for the exploit chain [https://github.com/rapid7/metasploit-framework/pull/9980]. The exploit chain starts off with an authentication bypass, which allows the module to access a page that is vulnerable to an XML injection. This page is then used to create a directory where a pay

3 min Metasploit Weekly Wrapup

Metasploit Wrapup

May the fourth be with you… Get comfortable, put on your headphones or turn up your speaker volume, and enjoy this guitar rendition [https://www.youtube.com/watch?v=CBZgLM5HUzU] of the Ewok Celebration, commonly known as Yub Nub [http://starwars.wikia.com/wiki/Ewok_Celebration] while catching up on Metasploit updates for the week. PHP Debugging Xdebug [https://xdebug.org/] is an extension for PHP to facilitate development by providing interactive debugging capabilities and much more. On an en

7 min Metasploit

Hiding Metasploit Shellcode to Evade Windows Defender

Being on the offensive side in the security field, I personally have a lot of respect for the researchers and engineers in the antivirus industry, and the companies dedicated to investing so much in them. If malware development is a cat-and-mouse game, then I would say that the industry creates some of the most terrifying hunters. Penetration testers and red teamers suffer the most from this while using Metasploit [https://www.rapid7.com/products/metasploit/], which forced me to look into how to

3 min Metasploit Weekly Wrapup

Metasploit Wrapup

After last week's seriously serious write-up [/2018/04/20/metasploit-wrapup-36/] , this week we will return to our norml normal, lighthearted (and Metasploit-hearted) wrap-ups, though we remain fans of terrible 80s movies. Drupalgeddon 2: Webdev Boogaloo After last month's Drupal exploit came to light, nearly a dozen developers have been hard at work to add a module targeting CVE-2018-7600 [https://www.rapid7.com/db/vulnerabilities/drupal-cve-2018-7600]. You can read more about that exploit an

5 min Vulnerability Management

Drupalgeddon Vulnerability: What is it? Are You Impacted?

First up: many thanks to Brent Cook [/author/brent-cook/], William Vu [/author/william-vu/] and Matt Hand for their massive assistance in both the Rapid7 research into “Drupalgeddon” and their contributions to this post. Background on the Drupalgeddon vulnerability The Drupalgeddon 2 vulnerability announcement came out in late March (2018-03-28 ) as SA-CORE-2018-002 [https://www.drupal.org/sa-core-2018-002]. The advisory was released with a patch and CVE (CVE-2018-7600) [https://www.rapid7.com/

6 min Hacking

Getting Started in Ethical Hacking

A while back, a Twitter user [https://twitter.com/Astilexgaming/status/966342745097998337] asked us the following question: > I have a friend who is looking into ethical hacking. She is also a broke college student so do you know of any free for affordable resources she can use? Ethical hackers use their knowledge of vulnerabilities to help defend against criminals, hacktivists, and nation-state attackers (and sometimes, mischievous pranksters). They need a solid background in writing softwar

2 min Metasploit Weekly Wrapup

Metasploit Wrapup

You may have noticed that our weekly wrapups [/tag/metasploit-weekly-wrapup/] tend to be very light-hearted. A few might say our blog is humorous. Some might even argue that they incorporate low-brow internet jokes and an excessive quantity of memes. Well, I'm here to say we've turned over a new leaf. No longer will cheap comedy cover the pages of this professional publication. In honor of April 20th, this blog post will remain serious. Seriously. Google Summer of Code finalists, stay tune

2 min Metasploit Weekly Wrapup

Metasploit Wrapup

What's Your Favorite Security Site? When you are browsing sites on the Internet, you may notice some sites [http://www.irongeek.com/] will include your public IP address on their pages. But what if you came across a site that also showed your IP address from your private network range [https://media.giphy.com/media/3otPoDVeyxTT1jIKqc/giphy.gif]? This might be a little worrying [https://media.giphy.com/media/xhaHU2l56OSYM/giphy.gif], but before you run off you check to make sure the coast is cle

2 min Metasploit Weekly Wrapup

Metasploit Wrapup

Mobile Moose This week marked the beginning of our time in the new office. Everything got packed up and moved: computers, chairs, Rudy’s cups, and odd soy sauce packets in the back of the drawers. One consequence of moving to downtown Austin is that the lunch debates take longer, with flame wars about both the best tacos and the best barbecue. Metasploit: Now With More Snakes! @shellfail [https://twitter.com/shellfail] doubled down this wrapup; way back in March, he wrote a guide to writing

4 min Metasploit Weekly Wrapup

Metasploit Wrapup

Spring has come again to Austin, TX, home of the Rapid7 Metasploit team. While the season here brings pollen and allergies, it also brings fields full of bluebonnets and folks taking pictures before they all disappear. Let's celebrate by looking at what's popped up in Metasploit this week. New Data Model Last week, we landed the beginning of a new backend service for Metasploit, dubbed 'Goliath', which creates a new abstraction between Metasploit Framework and how it interacts with the databa

3 min Metasploit Weekly Wrapup

Metasploit Wrapup

Adding some named pipes to everyone's favorite series of tubes UserExistsError already added 64-bit named pipe payloads, and this week, we got an extra-special upgrade: now Metasploit has 32-bit named pipe payloads! It may feel wrong not setting a port, but connecting to existing network resources feels so right! It is the Final Countdown for GSoC! The final deadline for Google Summer of Code applicants is March 27th, so get your applications in now! We are honored to be a part of the progra

6 min Guest Perspective

The Taste of Our Dog Food (aka, Red Team OPSEC)

This is a guest post from a long-time Metasploit contributor and community member [https://www.sempervictus.com/]. Over the next few months, Rapid7 will be publishing a series of guest posts featuring unique perspectives on Metasploit Framework and highlighting some of our community’s favorite functionality, hidden gems, and backstories. Want to contribute an idea or a post? Reach out to community[at]rapid7.com. Red team exercises have been around in military contexts for a long time: the idea

2 min Metasploit Weekly Wrapup

Metasploit Wrapup

Return of the GSoC! The Metasploit project is proud to return to Google Summer of Code this year. Student applications are open until March 27th, so there's still time to get in! Coding begins on May 14th, and we're eager to hear what you'd like to see added to Metasploit. Not only do you get to work on a cool project, but you'll get paid too [https://developers.google.com/open-source/gsoc/help/student-stipends]! Need some inspiration? Check out our list of project ideas [https://github.com/rapi

3 min Metasploit Weekly Wrapup

Metasploit Wrapup

With the Northeast U.S. getting hit with back-to-back nor’easters this week, it’s probably a good idea to head back inside and wait it out until spring arrives. So toss another log on the fire, grab a hot drink, raise a toast to all the folks making Metasploit awesome [https://github.com/rapid7/metasploit-framework/graphs/contributors], and catch up on the latest! It Goes to 11 While amplification attacks are nothing new, the memcached amplification attack vector (referred to as “memcrashed”

5 min Metasploit

Guest post: Lurking in /lib

This is a guest post from a long-time Metasploit contributor and community member. Over the next few months, Rapid7 will be publishing a series of guest posts featuring unique perspectives on Metasploit Framework and highlighting some of our community’s favorite functionality, hidden gems, and backstories. Want to contribute an idea or a post? Reach out to community[at]rapid7.com. Back in my day, you could get dinner, dessert, and ride the trolley home all for a nickel. Oh, and we used SVN for

3 min Metasploit Weekly Wrapup

Metasploit Wrapup

More Servers Please A new module [https://github.com/rapid7/metasploit-framework/pull/9441] by Pedro Ribeiro combines vulnerabilities for certain firmware versions of AsusWRT, which allows an unauthenticated user to enable a special command mode on the device. When the command mode is enabled, the device spins up infosvr on UDP port 9999. The great thing about infosvr is that you can construct UDP packets to have it execute commands on your behalf…. as root. Back in Windows Land In case your

3 min Metasploit Weekly Wrapup

Metasploit Wrapup

Wintertime can be a drag. Folks get tired of shoveling snow, scraping ice from windshields, dealing with busted water pipes, etc. Thoughts of “fun in the sun” activities start to seep in, as people begin wistfully daydreaming about summertime. And for this coming summer, Metasploit has some hotness to daydream about! Google Summer of Code: We’re In! The Metasploit team is SUPER EXCITED to have been recently selected by Google [https://summerofcode.withgoogle.com/organizations/666336840069939

2 min Metasploit Weekly Wrapup

Metasploit Wrapup

Teenage ROBOT Returns Imagine the joy robot parents must feel when their infant leaves home and returns as a teenager. ROBOT (Return of Bleichenbacher Oracle Threat) [/2017/12/13/attention-humans-the-robot-attack/] is a 19-year-old vulnerability that allows RSA decryption and signing with the private key of a TLS server. It allows for an adaptive-chosen ciphertext attack. It is still very much relevant today as some modern HTTPS hosts are vulnerable to ROBOT [https://robotattack.org]. Metasploit

3 min Metasploit Weekly Wrapup

Metasploit Wrapup

It’s a special day here in the U.S. This morning, media folks were hovering over a specific rodent [https://en.wikipedia.org/wiki/Punxsutawney_Phil] living in an eastern state to discover that we are in for six more weeks of winter [https://www.reuters.com/article/us-usa-groundhogday/groundhog-phil-predicts-more-cold-weather-chuck-says-spring-is-coming-idUSKBN1FM14L], apparently. ¯\_(ツ)_/¯ Guess we’ll stay inside and work on Metasploit… EternalSunshine of the Security Minded If you’re still

2 min Metasploit Weekly Wrapup

Metasploit Wrapup

In last week’s wrap-up post [/2018/01/19/metasploit-wrapup-24/], we raised awareness of the new Metasploit 5 work we’re ramping up on. This week, please GoAhead [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17562] and enjoy some new Metasploit goodies! Get Up, GoAhead Based on research from danielhodson [https://github.com/danielhodson], hdm [https://github.com/hdm] and h00die [https://github.com/h00die] put together a new module [https://www.elttam.com.au/blog/goahead/] which targ

1 min Metasploit Weekly Wrapup

Metasploit Wrapup

Metasploit 5 Development Has Begun It's 2018, the ice is melting in Austin, and as we hinted last October [/2017/10/13/metasploit-wrapup-metasploit-5-or-bust/], Metasploit 5 development efforts have begun in earnest. We have a laundry list [https://github.com/rapid7/metasploit-framework/pull/9259] of features that we are working on for it. The first feature merged in Metasploit 5 [https://github.com/rapid7/metasploit-framework/pull/9220] replaces the module cache, which decreases the memory used

2 min Metasploit Weekly Wrapup

Metasploit Wrapup

'Sploits! Get yer 'sploits heeere! Lots of fresh modules this week with six shiny new exploits to showcase—but first, a blast from the past: 1992 Called Solaris wants to help you get password hashes and they've invented the NIS [https://en.wikipedia.org/wiki/Network_Information_Service] protocol. The next time you find a Solaris box, locked in a closet, that three generations of sysadmins have been afraid to touch, you can dump hashes straight to your Metasploit loot [https://github.com/rapi

3 min Metasploit Weekly Wrapup

Metasploit Wrapup

2018: a new year, new vulns, and endless opportunities to exploit them. The Metasploit community is kicking off the year with a variety of new content, functionality, research, and coordinated vulnerability disclosure. New Year, New Vulns After a couple months of coordinated disclosure work, long-time Metasploit contributor Karn Ganeshen [https://twitter.com/juushya] offered up a handful of modules and a couple mixins for testing wireless routers from Cambium Networks [https://www.cambiumnetwor

4 min Haxmas

A Visit From a Printer PoC

The story of a group effort to perform a successful holiday printer hack...translated into rhymed verse for your HaXmas entertainment.

7 min Haxmas

12 Memorable Metasploit Moments of 2017

This HaXmas, we delve into 12 Memorable Metasploit Moments from 2017 that inspired us, impressed us, and made us feel more connected to our global community of contributors, users, and friends.

6 min Haxmas

Regifting Python in Metasploit

Metasploit has been taking random Python scripts off the internet and passing them off as modules! Well, not exactly. Read on to see how we're extending the module system's scalability and what Python has to do with that.

3 min Haxmas

HaXmas: The True Meaning(s) of Metasploit

Rapid7 Research Director Tod Beardsley kicks off our storied "12 Days of HaXmas" series with a thrilling tale of browser 0day, exploit module development, and the true meaning(s) of Metasploit.

3 min Metasploit

Metasploit Wrapup

Even with the year winding down to a close, activity around Metasploit has been decidedly “hustle and bustle”. Some cool new things to talk about this week, so sit back and dig in! For Your iOS Only If you’ve been wanting to run Meterpreter under iOS, then this bit is for you! While Mettle has technically worked on iOS [https://github.com/rapid7/mettle/pull/54] since February, @timwr [https://github.com/timwr] has added official Metasploit Framework support [https://github.com/rapid7/metasploit

2 min Metasploit Weekly Wrapup

Metasploit Wrapup

I Read the News Today, Oh Boy As we near the end of the year we must express appreciation for the Metasploit community as a whole. Each contribution is valuable, be it an exploit for the latest vulnerability, documentation, spelling corrections, or anything in between. Together we shape the future of Metasploit. The Metasploit community really surprised us this time around, as the latest release brings five new exploit and two new auxiliary modules. Hey! You! Get Off of My Cloud Zenofex [https:

2 min Capture the Flag

Congrats to the 2017 Community CTF Winners

It’s official: The 2017 Metasploitable3 community CTF [/2017/11/30/announcing-the-metasploitable3-community-ctf/] has come to a close. Congrats to our winners! Each of the top three teams submitted all 14 flags in under 24 hours. Who needs sleep when you can live on shells? Standings: first place, rot26 [https://metasploitable3ctf.com/team/45]; second place, mubix [https://metasploitable3ctf.com/team/75]; third place, snadoteam [https://metasploitable3ctf.com/team/118]. Bravo, all. We'll be in touch with

2 min Metasploit Weekly Wrapup

Metasploit Wrapup

Have you ever been on a conference call where you really wished you could take command of the situation? With Metasploit Framework and the new Polycom HDX exploit, you can (if given permission by the owner of the device, that is)! If teleconferencing isn't your target's style, you can also pwn correspondence the old-fashioned way: through a Microsoft Office exploit. Be it written or video, we here at Rapid7 know you value other people's communication! After another Python module and the Mac r

2 min Metasploit Weekly Wrapup

Metasploit Wrapup

Here in the U.S., we just celebrated Thanksgiving, which involves being thankful [/2017/11/17/metasploit-wrapup-17/], seeing friends and family, and eating entirely too much (I know that last one is not uncommon here). After a large meal and vacation, we figured that it would be a nice, slow week for security research in the States. Then we opened Twitter and were suddenly happy we had procrastinated and most of us had put off upgrading to High Sierra. Community CTF In case you missed yesterd

2 min Capture the Flag

Announcing the Metasploitable3 Community CTF

Been waiting for the Linux version of Metasploitable3 to drop? We’ll do you one better: Metasploit is giving the community a week to rain shells on a penguin-shaped Metasploitable3 instance—and to win prizes at the end of it. Play starts December 4; see below for full competition details. TL;DR: Sign up, drop shells, win stuff. Not into capturing flags but jonesing for a look at the code? We’ll release the Linux Metasploitable3 source code to the community soon after the competition ends. Happ

2 min Metasploit Weekly Wrapup

Metasploit Wrapup

This is a time of year when many folks in the U.S. reflect on things in their lives that they are thankful for. There’s also usually a turkey involved, but we figured we’d pardon the bird [https://en.wikipedia.org/wiki/National_Thanksgiving_Turkey_Presentation] this wrapup and just focus on things we Metasploit folks here at Rapid7 are thankful for. Community Contributors We are SUPER THANKFUL for our community contributors [https://github.com/rapid7/metasploit-framework/graphs/contributors] an

4 min Penetration Testing

Metasploit MinRID Option

We’ve added a new option to the smb_lookupsid Metasploit module [https://www.rapid7.com/db/modules/auxiliary/scanner/smb/smb_lookupsid]. You can now specify your starting RID. Wait, What Does This Module Do Again? As a penetration tester, one of the first things I try to do on an internal network is enumerate all of the domain users so that I can perform login attacks against them. It would be a noteworthy risk if we could do that anonymously, because that means that any malicious actor who can

2 min Metasploit Weekly Wrapup

Metasploit Wrapup

Metasploit kicked November off to a roaring start with a wholesome dose of RCE, LPE, command injection, DoS, and more fixes/improvements. So many file choosers…but which one to choose? Big ups to @RootUP for the DoS module [https://github.com/rapid7/metasploit-framework/pull/9060] targeting a vulnerability in IBM’s Lotus Notes [https://en.wikipedia.org/wiki/IBM_Notes] client (CVE-2017-1130). The DoS module targets the web interface via malicious JavaScript (😱). An enterprising ‘sploiter can s

5 min Metasploit

Testing Developer Security with Metasploit Pro Task Chains

In this modern age, technology continues to make inroads into all sorts of industries. Everything from smartphones to late-model automobiles to internet-connected toasters requires software to operate, and this proliferation of software has brought along gaggles of software developers with their tools-of-the-trade. All this technology (not to mention the people utilizing it) can result in an increased attack surface for organizations doing software development. In this blog post, we’ll explore

2 min Metasploit Weekly Wrapup

Metasploit Wrapup

What’s New? This week’s release sees multiple improvements and corrections, some years in the making! We fixed an interesting bug in the initial handshake with meterpreter that caused some payload callbacks to fail, improved error and information reporting in other modules, and then @h00die ran spellcheck [https://github.com/rapid7/metasploit-framework/pull/9144/files]! New (and Improved!) Modules (2 New): After three years, @wvu’s tnftp aux module grew up to become a strong, well-rounded explo

6 min Metasploit

Testing SMB Security with Metasploit Pro Task Chains: Part 2

This is part two of our blog series on testing SMB security with Metasploit Pro. In the previous post, we explained how to use Metasploit Pro’s Task Chains feature to audit SMB passwords automatically. Read it here [/2017/10/31/testing-smb-server-security-with-metasploit-pro-task-chains-part-1/] if you haven’t already. In today’s blog post, we will talk about how to use a custom resource script in a Task Chain to automatically find some publicly-known high-profile vulnerabilities in SMB. Publi

6 min Metasploit

Testing SMB Server Security with Metasploit Pro Task Chains: Part 1

A step-by-step guide to testing SMB server security using Metasploit Pro Task Chains.

2 min Metasploit

Metasploit Wrapup

Would you like to help Metasploit Framework and get a free t-shirt? There is still a bit of October left, which means you can totally still sign up for Hacktoberfest [http://hacktoberfest.digitalocean.com/]: a fun annual project to encourage open source software contributions! Make four pull requests on any open source GitHub project by Oct 31, and you might find yourself some joy and fulfilment—but at least a free t-shirt. Check out the Contribute section on the refreshed metasploit.com [https

3 min Metasploit Weekly Wrapup

Metasploit Wrapup

Exploits for hours. Gather 'round with a pocket full of shells.

2 min Metasploit

Metasploit Wrapup

What's coming down the pipeline for Metasploit? Brent Cook brings you October's first Metasploit wrap-up.

2 min Metasploit Weekly Wrapup

Metasploit Wrapup

To celebrate this first day of Autumn[1], we've got a potpourri of "things Metasploit" for you this week. And it might smell a bit like "pumpkin spice"... Or it might not. Who knows? Winter is Coming If you're looking to finish filling your storehouse before the cold sets in, we've got a couple of new gatherer modules to help. This new Linux post module [https://www.rapid7.com/db/modules/post/linux/gather/tor_hiddenservices] can locate and pull TOR hostname and private key files for TOR hidden

3 min Metasploit Weekly Wrapup

Metasploit Wrapup

It's been a hot minute since the last Metasploit Wrapup. So why not take in our snazzy new Rapid7 blog makeover and catch up on what's been goin' down! You can't spell 'Struts' without 'trust' Or perhaps you can! With all the current news coverage around an Apache Struts vulnerability from earlier this year [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638] (thanks to its involvement in a consumer credit reporting agency data breach), there's a new Struts vuln [https://lgtm.com/

1 min Events

Metasploit: The New Shiny

It's been a while since I've written a blog post about new stuff in Metasploit [https://www.rapid7.com/products/metasploit/download/] (and I'm not sure if the editors will let me top the innuendo of the last one [/2017/02/09/metasploit-framework-valentines-update/]). But I'm privileged to announce that I'm speaking about Metasploit twice next month: once at the FSec 17 Conference [http://fsec.foi.hr/] in Varaždin, Croatia, September 7-8, and a second time at UNITED 2017 [https://unitedsummit.org/

2 min Metasploit Weekly Wrapup

Metasploit Wrapup

Slowloris: SMB edition Taking a page from the Slowloris HTTP DoS attack [https://web.archive.org/web/20090822001255/http://ha.ckers.org/slowloris/], the aptly named SMBLoris DoS attack [/2017/08/03/smbloris-what-you-need-to-know] exploits a vuln contained in many Windows releases (back to Windows 2000) and also affects Samba (a popular open source SMB implementation). Through creation of many connections to a target's SMB port, an attacker can exhaust all available memory on the target by sendi

2 min Events

Hack with Metasploit: Announcing the UNITED 2017 CTF

Got mad skillz? Want mad skillz? This year at Rapid7's annual UNITED Summit [https://unitedsummit.org/index.php], we're hosting a first-of-its-kind Capture the Flag (CTF) competition. Whether you're a noob to hacking or a grizzled pro, you'll emerge from our 25-hour CTF with more knowledge and serious bragging rights. Show off your 1337 abilities by competing for top prizes, or learn how to capture your first ever flag. Read on for details, and if you haven't already done so, register for UNITED

4 min Python

Virtual Machine Automation (vm-automation) repository released

Rapid7 just released a new public repo called vm-automation. The vm-automation repository is a Python library that encapsulates existing methodologies for virtual machine and hypervisor automation and provides a platform-agnostic Python API. Currently, only ESXi and VMWare workstation are supported, but I have high hopes we will support other hypervisors in time, and we would love to see contributors come forward and assist in supporting them! That's awesome. I want to get started now! Great! I

2 min Metasploit

Metasploit Wrapup

A fresh, new UAC bypass module for Windows 10! Leveraging the behavior of fodhelper.exe and a writable registry key as a normal user, you too can be admin! Unpatched as of last week, this bypass module [https://github.com/rapid7/metasploit-framework/pull/8434] works on Windows 10 only, but it works like a charm! Reach out and allocate something This release offers up a fresh denial/degradation of services exploit against hosts running a vulnerable version of rpcbind. Specifically, you can repea

2 min Vulnerability Disclosure

R7-2017-16 | CVE-2017-5244: Lack of CSRF protection for stopping tasks in Metasploit Pro, Express, and Community editions (FIXED)

Summary A vulnerability in Metasploit Pro, Express, and Community was patched in Metasploit v4.14.0 (Update 2017061301) [https://help.rapid7.com/metasploit/release-notes/archive/2017/06/#20170613]. Routes used to stop running tasks (either particular ones or all tasks) allowed GET requests. Only POST requests should have been allowed, as the stop/stop_all routes change the state of the service. This could have allowed an attacker to stop currently-running Metasploit tasks by getting an authenti

2 min Metasploit

Metasploit Wrapup

It has only been one week since the last wrapup, so it's not like much could have happened, right? Wrong! Misery Loves Company After last week's excitement with Metasploit's version of ETERNALBLUE (AKA the Wannacry vulnerability) [https://www.rapid7.com/db/modules/exploit/windows/smb/ms17_010_eternalblue], this week SAMBA had its own "Hold My Beer" moment with the disclosure that an authenticated (or anonymous) client can upload a shared library to a SAMBA server, and that server will happily e

4 min Metasploit

Metasploit Wrapup

It has been an intense couple of weeks in infosec since the last Wrapup and we've got some cool things for you in the latest update. Hacking like No Such Agency I'll admit I was wrong. For several years, I've been saying we'll never see another bug like MS08-067 [https://www.rapid7.com/db/modules/exploit/windows/smb/ms08_067_netapi], a full remote hole in a default Windows service. While I'm not yet convinced that MS17-010 will reach the same scale as MS08-067 did, EternalBlue [https://www.rapi

4 min Metasploit

EternalBlue: Metasploit Module for MS17-010

This week's release of Metasploit [https://www.rapid7.com/products/metasploit] includes a scanner and exploit module for the EternalBlue vulnerability, which made headlines a couple of weeks ago when the hacking group known as the Shadow Brokers disclosed a trove of alleged NSA exploits [/2017/04/18/the-shadow-brokers-leaked-exploits-faq]. Included among them, EternalBlue exploits MS17-010 [https://www.rapid7.com/db/modules/exploit/windows/smb/ms17_010_eternalblue], a Windows SMB vulnerability. This week

1 min Python

Recent Python Meterpreter Improvements

The Python Meterpreter [https://github.com/rapid7/metasploit-framework/wiki/Meterpreter] has received quite a few improvements this year. In order to generate consistent results, we now use the same technique to determine the Windows version in both the Windows and Python instances of Meterpreter. Additionally, the native system language is now populated in the output of the sysinfo command. This makes it easier to identify and work with international systems. The largest change to the Python M

3 min Metasploit

Exploitable Vulnerabilities: A Metasploit-Vulnerability Management Love Story

Integrating InsightVM [https://www.rapid7.com/products/insightvm/] or Nexpose [https://www.rapid7.com/products/nexpose/] (Rapid7's vulnerability management solutions [https://www.rapid7.com/solutions/vulnerability-management/]) with Metasploit [https://www.rapid7.com/products/metasploit/] (our penetration testing solution [https://www.rapid7.com/solutions/penetration-testing/]) is a lot like Cupid playing “matchmaker” with vulnerabilities and exploit modules [https://www.rapid7.com/fundamentals

2 min Metasploit

Metasploit Weekly Wrapup

Ghost...what??? hdm [https://github.com/hdm] recently provided a new exploit module for a type confusion vulnerability that exists in Ghostscript versions 9.21 and earlier, allowing remote code execution on the target. And to "kick it up a notch", this exploit got itself a snazzy logo which also contains the exploit [https://twitter.com/hdmoore/status/858093464663326721]: (spoiler alert: it's called GhostButt) Forever and a day From mr_me [https://github.com/stevenseeley] comes a one-two punch

3 min Metasploit

Metasploit Wrapup, 4.14.4 through 4.14.11

Editor's Note: While this edition of the Metasploit Wrapup is a little late (my fault, sorry), we're super excited that it's our first ever Metasploit Wrapup to be authored by a non-Rapid7 contributor. We'd like to thank claudijd [https://github.com/claudijd] - long-time Metasploit contributor, Mozilla security wrangler, and overall nice guy - for writing this post. If other Metasploit contributors want to get involved with spreading the word, we want to hear from you! We should be back on trac

5 min Metasploit

The Shadow Brokers Leaked Exploits Explained

The Rapid7 team has been busy evaluating the threats posed by last Friday's Shadow Brokers exploit and tool release [https://arstechnica.com/security/2017/04/purported-shadow-brokers-0days-were-in-fact-killed-by-mysterious-patch/] and answering questions from colleagues, customers, and family members about the release. We know that many people have questions about exactly what was released, the threat it poses, and how to respond, so we have decided to compile a list of frequently asked question

2 min Metasploit

Rapid7: Supporting the Community at BSides Boston

One of the things I love about working at Rapid7 is how deeply this company embodies the concept of giving back to the Security Community. Whether it be discussing research on adversary analytics, attack methods for breaking out of sandboxes, or simply breaking into the industry - Rapid7 encourages its employees to actively participate in community events, both large and small. As a proponent of engaging with the Security Community, I'm very excited that my fellow employees continue to embrace g

4 min Metasploit

Introducing RubySMB: The Protocol Library Nobody Else Wanted To Write

The Server Message Block (SMB) protocol family is arguably one of the most important network protocols to be conversant in as a security professional. It carries the capability for File and Print Sharing, remote process execution, and an entire system of Named Pipes that serve as access points to any number of services running on a machine, such as Microsoft SQL Server. Users of Metasploit [https://rapid7.com/products/metasploit/] will know SMB as the protocol used for PSExec [https:/

1 min Metasploit

Metasploit, [REDACTED] Edition

Why should [REDACTED] have all the fun with spiffy codenames for their exploits? As of today [https://github.com/rapid7/metasploit-framework/commit/b5771b0f727dabfa4df4216a799a8611469b01ba], Metasploit is taking a page from [REDACTED], and equipping all Metasploit modules with equally fear-and-awe-inspiring codenames. Sure, there are catchy names for vulnerabilities -- we remember you fondly, Badlock [/2016/04/12/on-badlock-cve-2016-2118-for-samba-and-windows] -- but clearly, unique names for

3 min Metasploit

Metasploit Wrapup

Faster, Meterpreter, KILL! KILL! You can now search for and kill processes by name in Meterpreter with the new pgrep and pkill commands. They both have flags similar to the older ps command, allowing you to filter by architecture (-a), user (-u), or to show only child processes of the current session's process (-c). We've also added a -x flag to find processes with an exact match instead of a regex, if you're into that. Fun with radiation Craig Smith has been killing it lately with all his h

3 min Metasploit

Exploiting Macros via Email with Metasploit Pro Social Engineering

Currently, phishing is seen as one of the largest infiltration points for businesses around the globe, but there is more to social engineering than just phishing. Attackers may use email and USB keys to deliver malicious files to users in the hopes of gaining access to an organization's network. Users are likely unaware that unsolicited files, such as a Microsoft Word document with a macro, may be malicious, and this can be a major risk to an organization. Metasploit Pro [https://rapid7.com/prod

5 min Metasploit

Metasploit's RF Transceiver Capabilities

The rise of the Internet of Things We spend a lot of time monitoring our corporate networks. We have many tools to detect strange behaviors. We scan for vulnerabilities. We measure our exposure constantly. However, we often fail to recognize the small (and sometimes big) Internet of Things (IoT) devices that are all around our network, employees, and employees' homes. Somewhat alarmingly – considering their pervasiveness — these devices aren't always the easiest to test. Though often difficult,

2 min Metasploit

Metasploit, Google Summer of Code, and You!

Spend the summer with Metasploit I'm proud to announce that the Metasploit Project has been accepted as a mentor organization in the Google Summer of Code! For those unfamiliar with the program, their about page [https://summerofcode.withgoogle.com/about/] sums it up nicely: > Google Summer of Code is a global program focused on introducing students to open source software development. Students work on a 3 month programming project with an open source organization during their break from univer

9 min Metasploit

Pen Testing Cars with Metasploit and Particle.io Photon Boards

TL;DR This post details how to use the MSFRelay library for Photon boards to write your own Metasploit [https://rapid7.com/products/metasploit/] compatible firmware, specifically for an add-on called Carloop. If you have a Carloop and just want it to work with Metasploit without having to write any code (or read this), then I've also provided the full code as a library example in the Particle library, which can be found here [https://build.particle.io/libs/spark-msf-relay/0.0.1/tab/example/msf-carlo

3 min Metasploit

Metasploit Weekly Wrapup

The last couple of weeks in the infosec world have appeared busier, and buzzier, than most others.  It seems almost futile to pry everyone away from the current drama--that being the bombshell revelation that intelligence agencies collect intelligence--long enough to have them read our dev blog.  Regardless, we've been busy ourselves.  And if you're the least bit like me, you could probably use a quick respite from the cacophony.  Keeping up with all the noise is enough to make anyone feel lik

2 min Metasploit

Protecting Your Web Apps with AppSpider Defend Until They Can Be Patched

AppSpider [https://rapid7.com/products/appspider/] scans can detect exploitable vulnerabilities in your applications, but once these vulnerabilities are detected how long does it take your development teams to create code fixes for them?  In some cases it could take several days to weeks before a fix/patch to resolve the vulnerability can be deployed, and during this time someone could be actively exploiting this issue in your application.  AppSpider Defend, which is now integrated into AppSpide

4 min Metasploit

Introducing the Metasploit Vulnerable Service Emulator

Penetration testing with Metasploit made easy. Millions of IT professionals all over the world want to get into the hot field of security, and Metasploit [https://rapid7.com/products/metasploit/] is a great place to start. Metasploit Framework is free, used by more penetration testers than any other tool, and helps you understand security from the attacker's perspective. There's one problem: it's hard to use Metasploit without vulnerable services to play against. To help, the Metasploit team has

7 min Metasploit

Multiple Vulnerabilities Affecting Four Rapid7 Products

Today, we'd like to announce eight vulnerabilities that affect four Rapid7 products, as described in the table below. While all of these issues are relatively low severity, we want to make sure that our customers have all the information they need to make informed security decisions regarding their networks. If you are a Rapid7 customer who has any questions about these issues, please don't hesitate to contact your customer success manager (CSM), our support team, or leave a comment below. For

2 min Metasploit Weekly Wrapup

Weekly Metasploit Wrapup

I gave at the office The office can be a popular place when it comes to giving. From selling kids' cookies/candy to raising awareness for a charity, the opportunity to 'give at the office' is definitely a thing. And now, thanks to Office macros, Metasploit offers a new way to give (and receive!) at 'the Office'. These days, using malicious macros in office productivity programs is still a common attack vector. Designed with a handful of word-processing programs in mind (including some open sour

6 min GDPR

Preparing for GDPR Compliance: 10 Actionable Recommendations

GDPR is coming... If your organisation does business with Europe, or more specifically does anything with the Personal Data of EU Citizens who aren't dead (i.e. Natural Persons), then, just like us, you're going to be in the process of living the dream that is Preparing for the General Data Protection Regulation (GDPR compliance) [https://www.rapid7.com/solutions/compliance/gdpr/]. For many organisations, this is going to be a gigantic exercise, as even if you have implemented processes and tec

2 min Metasploit

Metasploit Framework Valentines Update

Valentine's Day is just around the corner! What could be a nicer gift for your sweetie than a bundle of new Metasploit Framework updates? The community has been as busy as ever delivering a sweet crop of sexy exploits, bug fixes, and interesting new features. Everyone Deserves a Second Chance Meterpreter Scripts have been deprecated for years [https://github.com/rapid7/metasploit-framework/pull/3812] in favor of Post Exploitation modules, which are much more flexible and easy to debug. Unfortuna

2 min Metasploit

Car Hacking on the Cheap

Metasploit's HWBridge comes with an automotive extension. This works out of the box if you happen to have a SocketCAN compatible CAN sniffer hanging around. However, if you don't have one, there is a decent chance you have a cheap sub-$10 vehicle dongle in a drawer somewhere. If not, you can probably pick one up on eBay super cheap. Metasploit supports the ELM327 and STN1100 chipsets that are very popular in these dongles. Metasploit comes with a tool to connect these devices provided your device

6 min Metasploit

Exiting the Matrix: Introducing Metasploit's Hardware Bridge

Follow the white rabbit... Metasploit is an amazing tool. You can use it to maneuver through vast networks, pivoting through servers and even embedded OSes.  Having a single interface for your team and yourself to control a web of servers and networks is extremely powerful.  But sometimes you want to do more than control the virtual world. You want to control the physical world. You need to exit the Matrix. We recently announced a new addition to Metasploit to help you do exactly that: the H

6 min Android

Weekly Metasploit Wrapup

Welcome back to the Metasploit Weekly Wrapup! It's been a while since the last one, so quite a bit has happened in that time including 75 Pull Requests. Stageless mettle The rewrite of meterpreter for POSIX systems, mettle, now supports a stageless mode. You can now build standalone static executables for almost a dozen architectures and run them on everything from small home routers to cell phones to servers and mainframes. It can also take its configuration from the command line, so you don't

4 min Metasploit

Breaking Metasploitable3: The King of Clubs

Metasploitable3 is a free virtual machine that we have recently created to allow people to simulate attacks using Metasploit. In it, we have planted multiple flags throughout the whole system; they are basically collectable poker card images of some of the Rapid7/Metasploit developers. Some are straightforward and easy to open, some are hidden, or obfuscated, etc. Today, we would like to share the secret to unlocking one of these cards: the King of Clubs. The King of Clubs is one of the fun fl

5 min Metasploit

12 Days of HaXmas: Meterpreter's new Shiny for 2016

Merry HaXmas to you! Each year we mark the 12 Days of HaXmas [/tag/haxmas/] with 12 blog posts on hacking-related topics and roundups from the year. This year, we're highlighting some of the “gifts” we want to give back to the community. And while these gifts may not come wrapped with a bow, we hope you enjoy them. Editor's Note: Yes, this is technically an extra post to celebrate the 12th day of HaXmas. We said we liked gifts! Happy new year! It is once again time to reflect on Metasploit's n

2 min Metasploit

Metasploitable3 CTF Results and Wrap-Up

The Metasploitable3 CTF competition [/2016/12/07/metasploitable3-capture-the-flags-competition] has wrapped up and we have our winners! We had almost 300 flag submissions from more than 50 fine folks. There were some really great write-ups submitted with great details on how flags were found. Thanks to everyone who took time to submit a finding! ON TO THE RESULTS! When we announced the competition, we didn't specify if team submissions were allowed or not. Well, it turns out that a team w

4 min Haxmas

12 Days of HaXmas: Metasploit Framework 2016 Overview

Merry HaXmas to you! Each year we mark the 12 Days of HaXmas [/tag/haxmas] with 12 blog posts on hacking-related topics and roundups from the year. This year, we're highlighting some of the “gifts” we want to give back to the community. And while these gifts may not come wrapped with a bow, we hope you enjoy them. Breaking Records and Breaking Business 2016 brought plenty of turmoil, and InfoSec was no exception: * Largest data breach: Largest breach ever, affecting more than 1 billion Yahoo

3 min Metasploit Weekly Wrapup

Weekly Metasploit Wrapup

Taking Care of Universal Business: the Handler's Tale With a few exceptions, payloads have to have a handler. That's the guy who waits with the car while your exploit runs into the liquor store. To run an exploit module, we have to select and configure a payload first. In some cases, Metasploit can do this for you automatically, by just guessing that you probably wanted the best payload for the target platform and architecture. Once the payload is set up, we have to have a way to talk to it --

2 min Metasploit

Metasploitable3 CTF Competition: Update and Leaderboard!

The Metasploitable3 [/2016/11/15/test-your-might-with-the-shiny-new-metasploitable3] Capture The Flag Competition [/2016/12/07/metasploitable3-capture-the-flags-competition] has been underway for about a week now and the submissions have been pouring in!  We're very excited to see so many great submissions. We're reviewing as fast as we can so if you don't hear back from us right away, don't worry, you will.  For all valid submissions we will update this blog post and subsequent ones with the le

2 min Metasploit

Metasploit Wrapup

Finding stuff For a very long time, msfconsole's search command has used a union of the results of all search terms. This means that if you do something like search linux firefox, you'll get a list of all modules that mention linux, regardless of the application they target, and all modules that mention firefox, regardless of their platform. Most people are probably expecting the intersection, i.e. you probably wanted to see only the modules that target Firefox on Linux. So now that's what happe

4 min Metasploit

Metasploitable3 Capture the Flag Competition

UPDATE: Leaderboard can be found on this new post [/2016/12/14/metasploitable3-ctf-competition-update]! Plus, some notes that may be helpful. Exciting news! Rapid7 is hosting a month-long, world-wide capture the flag(s) competition! Rapid7 recently released Metasploitable3 [https://github.com/rapid7/metasploitable3], the latest version of our attackable, vulnerable environment designed to help security professionals, students, and researchers alike hone their skills and practice their craft. I

1 min Metasploit

Metasploit Weekly Wrapup

Terminal velocity The terminal/shell interface has been around for decades and has a rich and storied history. Readline is the main library for shells like msfconsole to deal with that interface, but it's also possible for commandline tools to print ANSI escape sequences that the terminal treats specially. When a shell like msfconsole has asynchronous output going to the terminal at unpredictable times, such as when a new session connects, that output can clobber the current prompt. That makes

2 min Metasploit

Metasploit Wrapup

Everything old is new again As you probably already know, hardware manufacturers are not always great at security. Today we'll be picking on Netgear, who produce a WiFi router called the WNR2200 [http://www.netgear.com/home/products/networking/wifi-routers/wnr2200.aspx]. This cute little device, brand new out of the box on store shelves today, runs Linux 2.6.15 with Samba 3.0.24. For those of you keeping score at home, those versions were released in 2007. Way back in 2007, Samba had a pre-auth

4 min Metasploit

Metasploitable3: An Intentionally Vulnerable Machine for Exploit Testing

Test Your Might With The Shiny New Metasploitable3 Today I am excited to announce the debut of our shiny new toy - Metasploitable3 [https://github.com/rapid7/metasploitable3]. Metasploitable3 is a free virtual machine that allows you to simulate attacks largely using Metasploit [https://www.rapid7.com/products/metasploit/?CS=blog]. It has been used by people in the security industry for a variety of reasons, such as training for network exploitation, exploit development, software testing, techn

11 min Metasploit

NCSAM: Understanding UDP Amplification Vulnerabilities Through Rapid7 Research

October is National Cyber Security Awareness month and Rapid7 is taking this time to celebrate security research. This year, NCSAM coincides with new legal protections for security research under the DMCA [/2016/10/03/cybersecurity-awareness-month-2016-this-ones-for-the-researchers] and the 30th anniversary of the CFAA - a problematic law that hinders beneficial security research. Throughout the month, we will be sharing content that enhances understanding of what independent security research

3 min Metasploit Weekly Wrapup

Weekly Metasploit Wrapup

What time is it? If you want to run some scheduled task, either with schtasks or cron, you have to decide when to run that task. In both cases, the schedule is based on what time it is according to the victim system, so when you make that decision, it's super helpful to know what the victim thinks the current time is. As of #7435 [https://github.com/rapid7/metasploit-framework/pull/7435], Meterpreter has a localtime command that gives you that information and then it's peanut butter jelly time.

6 min Metasploit

Establishing an Insider Threat Program for Your Organization

Whether employees realize it or not, they can wreak havoc on internal and external security protocols. Employees' daily activities (both work and personal) on their work devices (computers, smartphones, and tablets) or on their company's network can inflict damage. Often called “insider threats” [/2016/05/05/insider-threat-or-intruder-effective-detection-doesnt-care], employees' actions, whether unintentional or intentional, are worth paying heed to whenever possible. Gartner's Avivah Litan reported

2 min AWS

Weekly Metasploit Wrapup

Silence is golden Taking screenshots of compromised systems can give you a lot of information that might otherwise not be readily available. Screenshots can also add a bit of extra spice to what might be an otherwise dry report. For better or worse, showing people that you have a shell on their system often doesn't have much impact. Showing people screenshots of their desktop can evoke a visceral reaction that can't be ignored. Plus, it's always hilarious seeing Microsoft Outlook open to the phi

3 min Metasploit Weekly Wrapup

Weekly Metasploit Wrapup

Extra Usability Commandline tools in general are powerful, but come with a learning curve. When you've been using a tool for a long time, that curve becomes a status quo that embeds itself in your fingers. That isn't always a good thing because it tends to make you blind to how things can be better and it takes an effort of introspection to notice inefficiencies. Even then, you weigh those inefficiencies against the effort required to improve. An example of that is msfconsole's route command, w

2 min Metasploit

Important security fixes in Metasploit 4.12.0-2016091401

A number of important security issues were resolved in Metasploit (Pro, Express, and Community editions) this week. Please update [https://community.rapid7.com/docs/DOC-3521] as soon as possible. Issue 1: Localhost restriction bypass (affects versions 4.12.0-2016061501 through 4.12.0-2016083001) On initial install, the Metasploit web interface displays a page for setting up an initial administrative user. After this initial user is configured, you can login and use the Metasploit web UI for th

2 min Metasploit Weekly Wrapup

Weekly Metasploit Wrapup

Security is hard I usually focus exclusively on the Metasploit Framework here on these wrapups, but this week is a little special. This week the Metasploit commercial products (Pro, Express, and Community) come with a fix for a couple of vulnerabilities. You heard that right, remotely exploitable vulns in Metasploit. Our lovely engineering manager, Brent Cook, helpfully wrote up the details [/2016/09/15/important-security-fixes-in-metasploit-4120-2016091401] yesterday. TL;DR - Three bugs, two o

6 min Project Sonar

Sonar NetBIOS Name Service Study

For the past several years, Rapid7's Project Sonar [https://sonar.labs.rapid7.com/] has been performing studies that explore the exposure of the NetBIOS name service on the public IPv4 Internet.  This post serves to describe the particulars behind the study and provide tools and data for future research in this area. Protocol Overview Originally conceived in the early 1980s, NetBIOS is a collection of services that allows applications running on different nodes to communicate over a network.  O

2 min Metasploit Weekly Wrapup

Weekly Metasploit Wrapup

PHP Shells Rising from the Flames Phoenix Exploit Kit is your standard run-of-the-mill crimeware system, written in PHP, whose creator apparently got popped by the FSB earlier this year [http://krebsonsecurity.com/tag/phoenix-exploit-kit/]. Like many exploit kits, it has a back door, this one allowing you to eval whatever PHP code you like by sending it in a GET parameter (subtly named 'bdr'). Of course running arbitrary PHP allows us control of the underlying operating system to various degrees

3 min Metasploit

Metasploit Weekly Wrapup

Las Vegas 2016 is in The Books This week's wrap-up actually covers two weeks thanks in large part to the yearly pilgrimage to Las Vegas.  I myself elected not to attend, but I'm told everyone had a great time.  Many on the team are still recuperating, but I'd wager that they all enjoyed seeing you there as well.  Here's to everyone's speedy recovery. Centreon Web UserAlias Command Execution Our first new module this go-around exploits a remote command execution vulnerability in Centreon Web via

5 min Metasploit

Pentesting in the Real World: Going Bananas with MongoDB

This is the 4th in a series of blog topics by penetration testers, for penetration testers, highlighting some of the advanced pentesting techniques they'll be teaching in our new Network Assault and Application Assault certifications, opening for registration this week. For more information, check out the training page at www.rapid7.com/services/training-certification/penetration-testing-training.jsp [http://www.rapid7.com/services/training-certification/penetration-testing-training.jsp] Prefa

6 min Metasploit

Pentesting in the Real World: Group Policy Pwnage

This is the third in a series of blog topics by penetration testers, for penetration testers, highlighting some of the advanced pentesting techniques they'll be teaching in our new Network Assault and Application Assault certifications, opening for registration this week. For more information, check out the training page at www.rapid7.com/services/training-certification/penetration-testing-training.jsp [http://www.rapid7.com/services/training-certification/penetration-testing-training.jsp] Bac

3 min Metasploit

Pentesting in the Real World: Capturing Credentials on an Internal Network

This is the second in a series of blog topics by penetration testers, for penetration testers, highlighting some of the advanced pentesting techniques they'll be teaching in our new Network Assault and Application Assault certifications, opening for registration this week. For more information, check out the training page at www.rapid7.com/services/training-certification/penetration-testing-training.jsp [http://www.rapid7.com/services/training-certification/penetration-testing-training.jsp] As

5 min Metasploit

Pentesting in the Real World: Gathering the Right Intel

This is the first in a series of blog topics by penetration testers, for penetration testers, highlighting some of the advanced pentesting techniques they'll be teaching in our new Network Assault and Application Assault certifications, opening for registration this week. For more information, check out the training page at www.rapid7.com/services/training-certification/penetration-testing-training.jsp [http://www.rapid7.com/services/training-certification/penetration-testing-training.jsp] So

2 min Metasploit Weekly Wrapup

Weekly Metasploit Wrapup

Windows Privilege Escalation In the long long ago, Windows users pretty much universally had local Administrator accounts. While that's still true in less mature environments, I think we have done a pretty good job as an industry of convincing folks to reduce users' privileges. Back in those days, privilege escalation exploits weren't all that useful because every exploit, executable, and Word macro already gave you the highest privileges. Today that's less true. Even worse for the enterprising

3 min Metasploit

Weekly Metasploit Wrapup

Housekeeping Since the last Wrapup, we've been continuing our long-running project of breaking up some of the old cobweb-encrusted parts of the framework codebase into smaller pieces that are easier to deal with. A few things, lib/sshkey and lib/bit-struct in particular, that for historical reasons were just slightly modified copies of a gem, have been pulled out entirely in favor of the upstream release. A bunch of other things have been pulled out into their own repositories, making the whole

1 min Metasploit

Announcement: End-of-life Metasploit 32-bit versions

UPDATE: With the release of version 4.15 on July 19, 2017, commercial Metasploit 32-bit platforms (Metasploit Pro, Metasploit Express, and Metasploit Community) no longer receive future product or content updates. These platforms are now obsolete and are no longer supported. Rapid7 announced the end of life of Metasploit Pro 32-bit versions for both Windows and Linux operating systems on July 5th, 2017.  This announcement applies to all editions: Metasploit Pro, Metasploit Express and Metasploi

3 min Authentication

Weekly Metasploit Wrapup

Steal all the passwords I talk a lot about Authenticated Code Execution, but of course that's not the only thing that authenticated access can get you. This week's update comes with a couple of modules for using known credentials to extract more credentials. The first is for Symantec Brightmail, an email filtering gateway that comes with a management interface for administrators. Any account with read access is allowed to look at the encrypted LDAP credentials stored in Brightmail. Fortunately f

10 min Metasploit

A Short Approach: The Cisco ASA 5505 as a Stepping Stone Into Embedded Reverse Engineering

Back in February, Exodus Intelligence released their blog entry titled "Execute My Packet", which detailed their discovery and exploitation of CVE-2016-1287.  Since then, I've fielded numerous requests for modules and witnessed much discussion generated from it.  From this discussion, I've gathered that many researchers seem to consider the Cisco ASA as an unruly beast, difficult to approach, even harder to tame.  I feel that this is far from the truth, and this article is a response to such not

3 min Metasploit Weekly Wrapup

Weekly Metasploit Wrapup

New Modules First up this week, we have a new module from rastating which exploits an unauthenticated file upload vulnerability in the popular WordPress plugin, Ninja Forms. Versions affected include those within the range of v2.9.36 to 2.9.42, and the vulnerability can be leveraged into a shell running within the security context of the web server process in a fairly silent manner. With over 2.5 million downloads and 500k active installs, according to the developer and the WordPress plugin re

2 min Metasploit Weekly Wrapup

Weekly Metasploit Wrapup

Check the computer, the mainframe computer This week's update comes with our first ever exploit module for z/OS, the operating system used by mainframes, from our friend Bigendian Smalls [https://twitter.com/bigendiansmalls] who also built the payloads. The module in question is an example of authenticated code execution by design [/2016/01/03/12-days-of-haxmas-authenticated-code-execution-by-design], which takes advantage of a design feature allowing users to submit jobs via uploading files to

2 min Metasploit

Rapid7 Sponsors Tech For Troops Hacking Convention

This is a guest blog by Eliza May Austin, a student at Sheffield Hallam University in the United Kingdom. We commend Eliza for her involvement in and commitment to Tech for Troops and we're honored to be able to participate. In March of 2016, Rapid7 sponsored the first ever Tech For Troops hacking convention (TFTcon), hosted at Sheffield Hallam University. TFTcon is a hacking convention specific to ex-military people and its purpose is to bridge the gap in the information security industry with

2 min Metasploit Weekly Wrapup

Weekly Metasploit Wrapup

Resolve, v. transitive Sometimes the biggest things that make working with a tool fun are the small things. One of those things is the recent addition of a resolve command for Meterpreter. It does what it sounds like: it resolves a hostname to an IP address on the victim system, taking advantage of the local DNS. Of course, that's not a huge thing, but it is pretty convenient. Strut, v. intransitive This update also comes with a fun exploit for Apache Struts, a web framework for webby things. I

2 min Metasploit

Metasploit T-Shirt Design Contest 2016

Every year amidst the writhing throng surging through the maze that is the Black Hat expo hall, we aim to give our customers, fans, and queue-jockeys something they'll covet – or at least save space for in their carry-on. In other words, the best damn t-shirt out there – one to rule them all, if you will. We need people of intelligence on this sort of mission…quest…thing. The open-source t-shirt contest is one of our favorite ways to celebrate the community – designs by the community, for the

1 min Metasploit Weekly Wrapup

Weekly Metasploit Wrapup

I did some security research on industrial control systems for a while. It was a fun and rewarding experience in which I found tons of usually very simple bugs. Security in that sector was nascent, with the technology being brought forward from the dark ages of everything being on serial. Things are a bit different today, in no small part due to the fine work of many security researchers convincing vendors to step up their game and buyers learning how to ask the right questions before a purchase

2 min Metasploit Weekly Wrapup

Weekly Metasploit Wrapup

(In)security Appliances IT management is a tough job with lots of moving parts. To deal with that reality, IT administrators use a lot of tools and automation to help keep an eye on all the devices they are responsible for, some custom, some off the shelf, and some big-box enterprisy stuff. What the sales rep won't tell you, though, is that every line of code you add to your network is more complexity. And as complexity increases, so does the risk of bugs. I made you a handy graph to illustrate

2 min Metasploit Weekly Wrapup

Weekly Metasploit Wrapup

Meterpreter Unicode Improvements Pentesting in places where English is not the primary language can sometimes be troublesome. With this week's update, it's a little bit easier. After Brent's work making Meterpreter's registry system support UTF-8, you can now do things like use the venerable post/windows/gather/hashdump to steal hashes and other attributes of local users whose username contains non-ascii characters, e.g.: msf > use post/windows/gather/hashdump msf post(hashdump) > setg sessio

3 min Metasploit

Securing Your Metasploit Logs

Metasploit, backed by a community of 200,000 users and contributors, is the most impactful penetration testing solution on the planet. With it, uncover weaknesses in your defenses, focus on the highest risks, and improve your security outcomes. Your Metasploit Pro console produces a lot of important logs. It is essential to be able to review these logs, alert on them, and keep them secure. Why should I monitor these logs? The logs produced by your Metasploit Pro console are helpful when troubl

1 min Python

The Foam Goes Straight to Your Brain

Yesterday, we announced the availability of a PowerShell extension for Meterpreter [/2016/03/31/weekly-metasploit-wrapup], primarily as a toy for laughs because no one would seriously consider using it for anything important. But today? Today we've got a real treat for you. For serious programmers and serious pentesters, what you really want is a serious language. Something with the power of a Turing Machine and the readability of raw bytecode. Something beautiful and subtle, like a chainsaw. S

3 min Release Notes

Weekly Metasploit Wrapup

Powershell? In my Meterpreter? It's more likely than you think! Hot on the heels of his fantastic Python extension, the legendary OJ Reeves has once again busted out an awesome new ability for post-exploitation, this time by putting a fully functional powershell inside your native Windows Meterpreter sessions. Unlike the Python extension, which uploads an embedded interpreter, the new powershell extension loads the .NET runtime from the victim system. There's a lot of polish and more work to b

3 min Release Notes

Weekly Metasploit Wrapup

Scanning for the Fortinet backdoor with Metasploit Written by wvu Metasploit now implements a scanner for the Fortinet backdoor. Curious to see how to use it? Check this out! wvu@kharak:~/metasploit-framework:master$ ./msfconsole -qL msf > use auxiliary/scanner/ssh/fortinet_backdoor msf auxiliary(fortinet_backdoor) > set rhosts 417.216.55.0/24 rhosts => 417.216.55.0/24 msf auxiliary(fortinet_backdoor) > set threads 100 threads => 100 msf auxiliary(fortinet_backdoor) > run [*]

2 min Android

Weekly Metasploit Wrapup

A little entropy goes a long way Meterpreter can communicate via straight TCP or over HTTP(S), but whatever the transport, the protocol is pretty much the same. It uses what is called a TLV protocol, for Type-Length-Value [https://en.wikipedia.org/wiki/Type-length-value]. In truth, meterpreter actually does it in a different order: Length, Type, Value. Each meterpreter packet is a collection of TLVs and is itself a TLV. That makes it so you can skip over a type or even a whole packet without hav

2 min Release Notes

Weekly Metasploit Wrapup

I'm not your mother, clean up after yourself. An old friend of mine, axis2deployer [https://www.rapid7.com/db/modules/exploit/multi/http/axis2_deployer], is a fun authenticated code execution [/2016/01/03/12-days-of-haxmas-authenticated-code-execution-by-design] module that takes advantage of Axis2's ability to deploy new applications on a web server. It used to be a messy friend, leaving its files all over the living room floor for you to clean up manually. As of #6457 [https://github.com/rapi

1 min Metasploit

Six Wonderful Years

Rapid7 has been my home for the last six years, growing from 98 people when I joined to over 700 today. Keeping up with the growth has been both exhilarating and terrifying. I am really proud of our Austin team, the Metasploit ecosystem, and our leadership in security research. We care about our customers, our employees, and our impact in the industry. Working at Rapid7 has simply been the best job I have ever had. We have surpassed every goal that I set when I joined in 2009. Metasploit is thr

2 min Release Notes

Weekly Metasploit Wrapup

Aaaaaand we're back! Last week was the first weekly update of the year and it comes with some super fun stuff. Tunneling The latest update allows you to tunnel reverse_tcp sessions over a compromised machine in a slightly less painful way. There is now a new datastore option, ReverseListenerComm, which lets you tell a meterpreter session to tunnel connections back to your payload handler. Here's an example run to give you the idea: msf exploit(payload_inject) > show options Module options (e

3 min Metasploit

12 Days of HaXmas: Making a New Years Resolution You Can Keep

This post is the eighth in the series, "12 Days of HaXmas." It's that time of year again; when we all look to making resolutions to make changes in our lives. For some, it is eating healthy or exercising. Others decide to spend their time differently or change spending habits. Often these resolutions work for a few weeks, but then we quickly fall back into the old habits and break those resolutions. Me, I am resolving to write more Metasploit modules. You see, back in October, Rapid7 publicly (

4 min Metasploit

12 Days of HaXmas: Metasploit End of Year Wrapup

This is the seventh post in the series, "The 12 Days of HaXmas." It's the last day of the year, which means that it's time to take a moment to reflect on the ongoing development of the Metasploit Framework, that de facto standard in penetration testing, and my favorite open source project around. While the acquisition of Metasploit way back in 2009 was met with some healthy skepticism, I think this year, it's easy to say that Rapid7's involvement with Metasploit has been an enormously positive

4 min Metasploit

12 Days of HaXmas: Metasploit's IoT WebApp Login Support

This is the sixth post in the series, "The Twelve Days of HaXmas." Well, the year is coming to a close, and it's just about time for the annual breakdown of Metasploit commit action. But before we get to that, I wanted to take a moment to highlight the excellent work we landed in 2015 in adding new web application login support to Metasploit. After all, who needs exploits when your password is "public" or "admin" or "password" or any other of the very few well-known default passwords? Maybe it'

2 min Metasploit

How to avoid common mistakes in your Metasploit Community/Pro license key request

As a result of export restrictions placed on Metasploit Community and Pro trials, this year we have introduced some new systems to help process license requests. We have received a lot of questions about this, and this post will hopefully answer some of them for you. If you haven't read the original blog post about the export controls [/2015/06/05/availability-of-metasploit-community-metasploit-pro-trials-outside-us-canada], please take a moment to review the information there on the updates an

1 min Metasploit Weekly Wrapup

Weekly Metasploit Wrapup

Welcome to the last Metasploit update of the year! Since January 1st, 2015, we've had 6364 commits from 176 unique authors, closed 1119 Pull Requests, and added 323 modules. Thank you all for a great year! We couldn't have done it without you. Sounds The sounds plugin has been around for a long time, notifying hackers of new shells via their speakers since 2010. Recently, Wei sinn3r Chen gave it a makeover, replacing the old robotic voice with that of Offensive Security founder, Kali Linux Core

3 min Metasploit Weekly Wrapup

Weekly Metasploit Wrapup

Payloads New in the latest Metasploit release are stageless HTTP and HTTPS payloads for Python for those times when you would rather have the whole thing in one file instead of having to stage it. For more on the advantages and quirks of stageless payloads, check out @OJ [https://twitter.com/thecolonial]'s post on the subject [/2015/03/25/stageless-meterpreter-payloads] from when support was first added for Windows. Exploit Modules Does anybody remember that bash(1) bug from a little over a yea

2 min Release Notes

Weekly Metasploit Wrapup

Python extension for Windows Meterpreter Meterpreter offers some pretty powerful post-exploitation capabilities, from filesystem manipulation to direct Windows API calls with railgun, and everything in between. One thing that's been missing for a long time is on-victim scripting. With this update comes an experimental Python extension to remedy that. It's still in its infancy, so expect some kinks to be worked out over the next few weeks, but it is functional. OJ [https://twitter.com/thecolonia

4 min Metasploit

Community Member Spotlight: Q&A with void_in

It's our honor to kick off our Member Spotlight with a Q&A with void_in [https://twitter.com/voidin], one of the most prolific contributors to the Metasploit project and an extremely active member of the Community. You'll frequently find him answering your Metasploit questions or helping you troubleshoot issues, no matter how simple or complex. void_in truly helps make our Community the vibrant and helpful place it is today, and is highly respected and admired for his expertise and his willingne

2 min Metasploit

Now Officially Supporting Kali Linux 2.0

In August, we were getting a lot of questions about Kali 2. I have answered some questions in the Metasploit on Kali Linux 2.0 [/2015/08/12/metasploit-on-kali-linux-20] blog post in the past. Today, I am pleased to announce that we are extending our official platform support to three new operating systems, which are now listed on the Metasploit System Requirements [http://www.rapid7.com/products/metasploit/system-requirements.jsp] page: * Kali Linux 2.0 * Red Hat Enterprise Server 7.1 or later * Microsoft W

1 min Metasploit

Metasploit Framework Tools Reorg

There are a wide variety of interesting and useful tools in the Metasploit Framework. Many of these are available from the top-level of Metasploit in the form of modules and library code. You can find countless tutorials and blogs about how to put msfconsole, msfvenom and other top-level commands to good use. However, not many people know about the 'tools' directory, which contains many useful, single-purpose scripts, with topics spanning from exploit development to statistics. One of the probl

4 min Metasploit

New Metasploit Tools to Collect Microsoft Patches

Patch testing and analysis are important parts of vulnerability research and exploit development. One popular reason is that people try this technique to rediscover patched bugs, or to find ways to keep a 0day alive in case the fix in place is inadequate. The same process is also used to find the range of builds affected by a vulnerability, which tends to be useful for predicting the value of the exploit, improving target coverage and reliability. Going through Microsoft patches is no easy task, tho

2 min Windows

Metasploit Framework Open Source Installers

Rapid7 has long supplied universal Metasploit installers for Linux and Windows. These installers contain both the open source Metasploit Framework as well as commercial extensions, which include a graphical user interface, metamodules, wizards, social engineering tools and integration with other Rapid7 tools. While these features are very useful, we recognized that they are not for everyone. According to our recent survey of Metasploit Community users, most only used it for the open source comp

6 min Metasploit

Flipping bits in the Windows Kernel

Recently, the MS15-061 bulletin has received some attention. This security bulletin includes patches for several Windows Kernel vulnerabilities, mainly related to win32k.sys. Details of one of them, discovered by Udi Yavo, have been very well covered. First, the same Udi Yavo published details about the Use After Free on a blog entry [http://breakingmalware.com/vulnerabilities/class-dismissed-4-use-after-free-vulnerabilities-in-windows/]. Later, Dominic Wang [https://twitter.com/d0mzw] wrote a

20 min Metasploit

A debugging session in the kernel

Last week, an awesome paper [https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2015/september/exploiting-cve-2015-2426-and-how-i-ported-it-to-a-recent-windows-8.1-64-bit/] about the MS15-078 vulnerability and its exploitation was published by Cedric Halbronn [https://twitter.com/saidelike]. This vulnerability, originally found and exploited by Eugene Ching [https://twitter.com/eugeii], already has a work-in-progress module in Metasploit, which you can follow on github [https://

13 min Metasploit

Using Reflective DLL Injection to exploit IE Elevation Policies

As you are probably aware, sandbox bypasses are becoming a MUST when exploiting desktop applications such as Internet Explorer. One interesting class of sandbox bypasses abuse IE's Elevation Policies. An example of this type of sandbox bypass is CVE-2015-0016 [http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0016]. The vulnerability has already been analyzed by Henry Li, who published a complete description in this blog entry [http://blog.trendmicro.com/trendlabs-security-intelligence/

1 min Metasploit

Workspace in your prompt

This is the simple prompt that msfconsole gives you by default: The second part, "exploit(psexec)" shows your current context is the exploit module named psexec. You can't change that because it's an important indicator of where you are. The first part, though, is just a default string to tell you you're in msfconsole. It can be controlled with the global Prompt option; you can set it to whatever you want: setg Prompt lolhax But that's not too exciting. To make it more interesting, there a

2 min Metasploit

Metasploit on Kali Linux 2.0

As you are aware, Kali 2.0 [https://www.kali.org/releases/kali-linux-20-released/] was released this week and is getting quite a bit of attention, as it should. The folks behind Kali have worked really hard to bring you the new version of Kali Linux that everyone is excited about. If you have already started to play with the new version, you have probably realized that something is different, that is, Metasploit Community / Pro is no longer installed by default. Where is Metasploit Community / Pr

3 min Metasploit

Metasploit Local Exploit Suggester: Do Less, Get More!

Meet Lester, the Exploit Suggester Hey there, my name is Mo ( Mohamed Sadek [https://github.com/MSadek-r7] ). I am currently an intern at Rapid7, working with the Metasploit team in Austin. After some research, testing, and more than a few energy drinks, sinn3r (sinn3r [https://twitter.com/_sinn3r] ) and I have authored the first version of the Metasploit Local Exploit Suggester, or Lester for short. Lester is a post module that you can use to check a system for local vulnerabilities, using the

6 min Metasploit

Interning at Rapid7: A "git push" in the Right Direction

How I Got Here Hey there! My name is Mo. I'm currently an intern here at Rapid7 working in the Austin office as part of the Metasploit team. If you came here expecting a deep understanding of Metasploit, this blog post isn't the right place. If you ARE interested in knowing what it's like to be a small-town college student working at a leading firm in security engineering, then keep reading! Everyone used to tell me that every mistake and failure was a push in the right direction, but that

2 min Exploits

Weekly Metasploit Wrapup: Meterpretersauce

When You Wish Upon A Shell Back in February we ran a survey [/2015/03/26/meterpreter-2015-you-spoke-we-listened] to figure out where you, the savvy penetration tester, would like to see Meterpreter go. As a result, we now have the Meterpreter Wishlist [https://github.com/rapid7/metasploit-framework/wiki/Meterpreter-Wishlist], and have been working steadily off of that for the last few months. As of this week, we have a pile of accomplishments taken off the wishlist and committed as working cod

5 min Metasploit

Safely Dumping Domain Hashes, with Meterpreter

UPDATE: It has been pointed out that there is prior work worth noting. This blog post [http://www.dcortesi.com/blog/2005/03/22/using-shadow-copies-to-steal-the-sam/] by Damon Cortesi [https://twitter.com/dacort] talked about using Volume Shadow Copy to get the SAM file back in 2005. As with all things in our Industry, we stand on the shoulders of those who came before us. We would certainly not want to take away from anyone else's previous work and accomplishments. Dumping the stored password

8 min Metasploit

Wassenaar Arrangement - Frequently Asked Questions

The purpose of this post is to help answer questions about the Wassenaar Arrangement.  You can find the US proposal for implementing the Arrangement here [https://s3.amazonaws.com/public-inspection.federalregister.gov/2015-11642.pdf], and an accompanying FAQ from the Bureau of Industry and Security (BIS) here [http://www.bis.doc.gov/index.php/policy-guidance/faqs#subcat200]. For Rapid7's take on Wassenaar, and information on the comments we intend to submit to BIS, please read this companion pie

7 min Metasploit

Response to the US Proposal for Implementing the Wassenaar Arrangement Export Controls for Intrusion Software

On May 20th 2015, the Bureau of Industry and Security (BIS) published its proposal [https://s3.amazonaws.com/public-inspection.federalregister.gov/2015-11642.pdf] for implementing new export controls under the Wassenaar Arrangement. These controls would apply to: * systems, equipment or components specially designed for the generation, operation or delivery of, or communication with, intrusion software; * software specially designed or modified for the development or production of suc

2 min Metasploit

Weekly Metasploit Wrapup: Advanced Persistence in Meterpreter

Multi-Transport Meterpreter Over the last couple of weeks, OJ TheColonial [https://twitter.com/TheColonial] Reeves has been fleshing out some new documentation on how Meterpreter's multiple transport system has been coming along. You can read up on it all at the GitHub wiki [https://github.com/rapid7/metasploit-framework/wiki/Meterpreter-Transport-Control], but here's the tl;dr: 1. Meterpreter sessions now have the ability to cycle between several transport protocols. This means that if a

2 min Ruby on Rails

Metasploit Framework Rails 4.0 Upgrade

It is always a running battle to keep an application's backend up to date with various technologies. Today, we are excited to announce that Metasploit Framework now ships with Rails 4.0. Upgrades like this are sometimes hard to get excited about because if everything goes well, users should see no difference. There are many reasons to upgrade to Rails 4, though. Why Upgrade Here are the important reasons to upgrade from our perspective: * Security is a big part of why we have to keep our code

3 min Metasploit

Weekly Metasploit Wrapup: SOHO Routers. Again.

SSDP Attacks are Suddenly Huge Like most of you, I love nothing more than kicking up my feet, donning my smoking jacket, and whiling away my work hours by reading security industry reports, such as Akamai's State of the Internet [Security] [http://www.akamai.com/stateoftheinternet/]. They're dozens of pages long, and tend to reinforce my own personal biases, so it's a great way to pretend to work. That said, the most surprising takeaway I got from the Akamai report is the huge criminal buy-in o

5 min Metasploit

Weekly Metasploit Wrapup: So Many Repos!

Greetings, fellow citizens of the Internet. It's time for your favorite blog post and mine, the Metasploit Weekly Wrapup. So Many Repos If you've been following along with Metasploit Framework development, you may have noticed that we have more than a couple repositories for committing code. I wanted to take a moment today to outline which of the 84 public repos [https://github.com/orgs/rapid7/dashboard] under the Rapid7 GitHub account you, the intrepid open source, are most likely to care abou

1 min Metasploit

2015 Metasploit t-shirt design contest: It's on!

Hacker-designers! We need you! Show us your graphic skills, design an epic Metasploit t-shirt, and win Eternal Fame and Glory! [https://99designs.com/t-shirt-design/contests/metasploit-t-shirt-design-contest-489841/brief] Ahem, er, rather, we're looking for someone to design this year's Metasploit t-shirt. And if you are this year's winning Metasploit t-shirt designer, you will get $230USD and the notoriety and/or immense personal satisfaction in knowing that you're the 2015 Metasploit t-shi

5 min Metasploit

Weekly Metasploit Wrapup: And We're Back!

Hi folks. It's been a little while. I know, I know. Things have been a little wonky around here lately, as you no doubt have noticed. So, while this is nominally the Weekly Metasploit Wrapup, it's been a little more than a month since the Community Cutover on April 1st. That said, our blog platform now seems stable enough to resume writing these missives, so let's cover the highlights of what's been going on in the People's Republic of Metasploit since the last post [/2015/03/27/weekly-metasploi

2 min Metasploit

Availability of Metasploit Community & Metasploit Pro trials outside US & Canada

Due to changes in regulatory requirements that are applicable to Metasploit (Pro and Community) and similar products, as of Sunday, April 19, 2015, individuals outside of the US and Canada who would like to use Metasploit Pro or the Metasploit Community Edition will need to request a license and provide additional information regarding themselves or their organization designation. In accordance with the new requirements, the request will be reviewed by Rapid7 and, unless the user is a non-US or

5 min Metasploit

Unicode Support in Meterpreter

A short, mostly-accurate history of character encodings In the beginning, when you wanted to use a computer to store text, there were not many options - you inherited something from punchcards like EBCDIC or invented something convenient and unique to your system. Computers did not need to talk to each other, so there was not much point in standardizing between vendors. Things were pretty simple. Then, there came the need for computers and vendors to interoperate and communicate. Thus, ASCII an

8 min Metasploit

Meterpreter Survey 2015: You spoke, we listened, then wrote a bunch of code.

The Survey One month ago we asked the community for feedback about how they use Metasploit and what they want to see in the Meterpreter payload suite going forward. Over the course of a week we received over 400 responses and over 200 write-in suggestions for new features. We have spent the last month parsing through your responses, identifying dependencies, and actively delivering new features based on your requests. These requests covered 20 different categories: General Feedback Metasploit F

7 min PCI

Webcast Followup: Escalate Your Efficiency

Last week, we had a live webcast to talk about how Metasploit Pro helps pentesters be more efficient and save time. There were so many attendees, which made it possible to have a great conversation. First of all, I want to thank you folks who have taken the time from your busy schedules to watch us live. There were many questions our viewers asked us, and we were not able to answer all of them due to time limitations. In this post, you will find the answers to those questions. First things fir

2 min PCI

Top 3 Takeaways from the "Escalate your Efficiency: How to Save Time on Penetration Testing" Webcast

Penetration Testing is a complex process that requires attention to detail, multi-tasking, extensive knowledge of different attack vectors, available vulnerabilities and exploits, and patience. Recently erayymz [https://twitter.com/erayymz], Senior Product Manager at Rapid7 spoke with pen testing professionals Leon Johnson, Senior Consultant at Rapid7, and Dustin Heywood, Manager of Security Assurance at ATB Financial. They discussed how to take advantage of automation with Metasploit Pro to sim

1 min Metasploit

Nexpose and Metasploit Training and Certification Courses Filling Up Fast!

Looking to amp-up or fine-tune your security prowess? UNITED conference attendees get the chance to do just that by registering for additional small group training and certification courses (Nexpose Basic, Metasploit Basic, and Nexpose Advanced). Since we're keeping the sessions intimate, spots are filling up quickly! Save your spot now for two days of formalized, curriculum-based training with Rapid7 experts [http://www.unitedsummit.org/new-registration.jsp]. You'll get to: * Share best p

3 min Metasploit

Credentials --> Compromises | Rinse and Repeat

1 Attack Vector: Credentials According to the Verizon Data Breach Investigations Report [http://www.verizonenterprise.com/DBIR/2014/], credentials are the #1 attack vector used to compromise networks. This news comes as no surprise. Credentials have been and most likely will continue to be one of the top attack vectors for years to come. With credentials-based attacks becoming exponentially more topical, it's become more critical than ever to focus on credentials management and reuse.

4 min Metasploit

Being Product Manager of Metasploit

Hello World My name is Eray Yilmaz, and I am the new Product Manager of Metasploit. It has been three months since I joined Rapid7, and I wanted to share my experiences with you so far. Before we get to that, here is a tiny bit about myself: I am 28, married, and a fairly new father. I went to UTSA where I majored in Information Assurance and Information Systems, and received my B.B.A. Like anyone else in our industry, I have done my fair share of IT work, from helpdesk to managing networks

1 min Nexpose

Give the people what they want! #MOARCHECKS

I've been working in the exposure management space for almost 9 years now and if there is one thing that has not changed in that time, it's the demand for more coverage.  People always want more because there always *is* more.  More software, more platforms, more protocols, more compliance and configuration standards, and always, always, always, more vulnerabilities.  By "people" I mean customers, prospects, community users, really anybody who cares about what an exposure management product, suc

4 min Metasploit

HOTFIX: Metasploit Startup Issues After Upgrading to 4.11.0 (Update 2014122301)

Overview The update (2014122301), which was released on December 23rd, 2014, failed to include the necessary files for the application to update to version 4.11.0 for the first time. Issue The application will not start; therefore the browser will show a generic "The page can't be displayed" message when trying to load the web UI. Additionally, various log messages may appear in the respective log files. Windows: C:\metasploit\apps\pro\engine\prosvc.log Linux: /opt/metasploit/apps/pro/engine/prosvc_stder

7 min Metasploit

12 Days of HaXmas: Maxing Meterpreter's Mettle

This post is the twelfth in a series, 12 Days of HaXmas, where we usually take a look at some of the more notable advancements and events in the Metasploit Framework over the course of 2014. As this is the last in the series, let's peek forward, to the unknowable future. Happy new year, it's time to make some resolutions. There is nothing like a fresh new year to get one's optimism at its highest. Meterpreter is a pretty nifty piece of engineering, and full of useful functionality. The various extensi

3 min Metasploit

12 Days of HaXmas: Metasploit, Nexpose, Sonar, and Recog

This post is the tenth in a series, 12 Days of HaXmas, where we take a look at some of the more notable advancements and events in the Metasploit Framework over the course of 2014. The Metasploit Framework uses operating system and service fingerprints for automatic target selection and asset identification. This blog post describes a major overhaul of the fingerprinting backend within Metasploit and how you can extend it by submitting new fingerprints. Historically, Metasploit wasn't great at fin

9 min Metasploit

12 Days of HaXmas: Buffer Overflows Come and Go, Bad Passwords are Forever

This post is the fourth in a series, 12 Days of HaXmas, where we take a look at some of the more notable advancements and events in the Metasploit Framework over the course of 2014. This summer, the Metasploit team began the large undertaking of reworking credentials throughout the project. Metasploit, as you already know, began as a collection of traditional exploits. Over the years it has grown into much more than that. Credentials were first introduced into Metasploit in the form of Auxiliary Sc

2 min Metasploit

Weekly Metasploit Wrapup: Cleanup on Aisle CLI!

News from the Command Line As you no doubt saw, earlier this week we started the Doom Clock [/2014/12/09/good-bye-msfpayload-and-msfencode] on two utilities that ship with the Metasploit Framework, msfencode and msfpayload. I won't rehash Wei sinn3r [http://twitter.com/_sinn3r] Chen's most excellent blog post too hard here, of course. However, I do want to make extra sure that the Metasploit trainers, teachers, users, and developers have plenty of warning on this change. Time marches on, and whi

3 min Metasploit

Good-bye msfpayload and msfencode

Greetings all, On behalf of Metasploit's development team, I'd like to officially announce the decision to deprecate msfpayload and msfencode. Also, starting today, we no longer support or accept patches for these two utilities. On June 8th 2015, the elderly msfpayload and msfencode will retire from the Metasploit repository, and be replaced by their successor, msfvenom. The tool msfvenom is the combination of msfpayload and msfencode, and has been in testing for more than 3.5 years. msfpayl

3 min Metasploit

Giving back on #GivingTuesday: #MSF4MSF

With so much emphasis on shopping this time of year, there's also been a growing movement to encourage giving to charitable causes. This movement, started in part by the United Nations Foundation, is called Giving Tuesday—and this year it's December 2 [http://www.givingtuesday.org/about/]. To participate, people take a photo of themselves holding a sign saying why they give to charity as a way to encourage others to do the same (these photos are called "UNselfies"... get it?) Why are we partici

2 min Android

Weekly Metasploit Wrapup: Exploiting Mobile Security Software

Exploiting Security Software: Android Edition It's hard not to sound gleeful when you've exploited security software. After all, this is software by and for Our People, people who are nominally In The Know about security. Security software is special, in that it's not merely supposed to be "secure," but is intended to enhance security for the user when installed and running. So, getting a working exploit together that targets this kind of software tends to feel more rewarding -- the security res

5 min Metasploit

R7-2014-18: Hikvision DVR Devices - Multiple Vulnerabilities

Rapid7 Labs has found multiple vulnerabilities in Hikvision [http://www.hikvision.com/] DVR (Digital Video Recorder) devices such as the DS-7204 [http://www.hikvision.com/en/Products_show.asp?id=7318] and other models in the same product series that allow a remote attacker to gain full control of the device. More specifically, three typical buffer overflow vulnerabilities were discovered in Hikvision's RTSP request handling code: CVE-2014-4878, CVE-2014-4879 and CVE-2014-4880. This blog post s

1 min Metasploit

Federal Friday - 11.7.14 - Up in the Clouds...

Happy Friday, Federal friends! I hope everyone had a festive Halloween! According to the commercials I've been seeing starting on 11/1, I guess we're skipping Thanksgiving this year and jumping right into the Holiday Season [http://www.idigitaltimes.com/black-friday-sales-2014-store-hours-and-start-time-target-walmart-best-buy-kmart-393775] ... So the time has finally come, Fed is starting to embrace the cloud (slowly). Within the last week we've seen NIST push out a road map for Cloud Infra

3 min Metasploit

Metasploit Weekly Wrapup: New Rubies!

Upgrading to Ruby 2.1.5 As you probably know, Metasploit is a fairly complex set of programs written in my favorite language, Ruby. Specifically, we've been on Ruby version 1.9.3 for a long while now. Well, time marches on, and the 1.9.3 branch has been in maintenance mode for most of 2014, and will reach end of life by February of 2015 [https://www.ruby-lang.org/en/news/2014/01/10/ruby-1-9-3-will-end-on-2015/] . So, we need to get moving on the upgrade to version 2.1. This is a welcome upgrade

3 min Metasploit

Federal Friday - 10.24.14 - NCSAM Week 4

Happy Friday, Federal friends! Can anyone else believe next week is Halloween? Feels like only yesterday I was talking about the start of the MLB season and now we're through 2 games of the World Series... So this week is the 4th week of National Cybersecurity Awareness Month [http://www.dhs.gov/national-cyber-security-awareness-month-2014-week-four]. To me this is one of the more important weeks as the campaign centers around Cybersecurity for Small/Medium sized businesses and Entrepreneurs. T

3 min Metasploit

Metasploit Weekly Wrapup: POODLE Mitigations

A Post-POODLE World Well, it's another week, and another infosec community panic attack. If you're reading this blog, you're almost certainly the sort of person who already heard about the POODLE attack on SSLv3 from Google [http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html] , or saw our own Jen Ellis's writeup over on Rapid7's Information Security blog [/2014/10/14/poodle-unleashed-understanding-the-ssl-30-vulnerability]. This week's Metasploit release ad

2 min Metasploit

Federal Friday - 10.17.14 - Cybersecurity Awareness Month

Happy Friday, Federal friends. I hope the 2nd full week of FY15 is going well for you. Feels like we have the last 2 warm days of the year coming up this weekend thanks in part to this little graphic from NOAA. October, one of the nicer months out of the year, is also known as Cybersecurity Awareness month. We talked about it earlier this month in another blog post [/2014/10/06/cyber-security-awareness-month-taking-it-to-the-c-level-and-beyond] , but I wanted to highlight it here as well. While

1 min Metasploit

Federal Friday - 10.3.14 - Happy (Fiscal) New Year

Happy Friday, Federal Friends! Something seems a little different this year than last year, can't quite put my finger on it though... [/2013/10/04/federal-friday--10413--shutdown-edition] So, being that we all just made it through another roller coaster of a FY I wanted to keep today fairly light. Just as we've seen the frequency of attacks increase we have also seen a dramatic rise in cyber related plot lines and references in mainstream media. The latest being a CBS show called Scorpion, ahem

1 min Metasploit

Federal Friday - 9.26.14 - Shell Shocked and Bashed

Happy Friday, Federal Friends! Having a relatively quiet week? Just looking forward to a quiet end to FY14? Riiiiiiiiight, same here.... Most of you probably had an interesting 2nd half of the week just as we are. Like a judge at the Olympics, DHS [http://www.huffingtonpost.com/2014/09/24/new-bash-software-bug-m_n_5878398.html?ir=Technology] has scored this little ditty a 10 out of 10 both in impact and how easy it is to use this vuln to run an exploit. While this doesn't have the "world-is-end

1 min Metasploit

New "show missing" Command in msfconsole

Hello, Metasploiters! Just wanted to update y'all on a new feature in msfconsole that *hopefully* should make vgrepping [https://en.wikipedia.org/wiki/Visual_inspection#Humorous_terminology] through module options a little easier. Show empty required options The new command is show missing, and all it does is show empty required options. Instead of looking through a long list of options and picking out the required ones that haven't been set, just run show missing, and a list of unset required

2 min Metasploit

Detecting the Use of Stolen Passwords

Rarely in life will software vendors let you in on some of their secret sauce. Rapid7 obviously believes in information sharing and the open source community, so in that same vein, the UserInsight team decided to write a guide to gathering the right data to fully understand how stolen passwords are being (mis)used in your organization. The result is a Technical Paper [https://information.rapid7.com/Incident-Response-Detect-More-than-Pass-the-Hash.html] called "Why You Need to Detect More Than

2 min Metasploit

Federal Friday - 9.19.14 - Talk Like A Pirate Day Edition

Arrrrrg! Happy Friday, Federal Mateys!  Th' air be crisp 'n th' leaves be turnin' in New England, which means ‘tis almost the hour to strap on me skis! Another week has gone by 'n another breach be bein' reported by FireEye [http://www.fireeye.com/blog/technical/2014/09/putting-transcom-in-perspective.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SecurityBloggersNetwork+%28Security+Bloggers+Network%29] . Arrrgh mateys, 'tis one involves a foreign government penetratin' th' net

2 min Metasploit

Federal Friday - 9.5.14 - Keeping 3rd Parties Honest

Happy Friday, Federal friends! I hope all of you enjoyed the nice long Labor Day weekend, and the short week to follow. I happily took last week off as well, maximizing the effect of the "long" weekend. Additionally, a group of 25 Rapid7 Moose took on the "Great Northeast" Tough Mudder event back on 8/23. I'm happy to say all of the "Dirty Moose" made it through the mud and obstacles, for the 2nd year in a row, and we helped generate funds for the Wounded Warrior Project [http://www.wound

2 min Metasploit

Switching Sides: Goodbye Metasploit, Hello UserInsight

Like a double agent who's been turned, I switched from the offensive to the defensive side this week. After four years of working on Metasploit simulating attackers, I'll now be hunting them with UserInsight, Rapid7's new incident detection and response solution [http://www.rapid7.com/products/user-insight/] that helps organizations detect intruders on their network. Working on Metasploit for the past four years definitely taught me a lot about attacker methodologies and the attacker mindset. I

7 min Ruby on Rails

Not Reinventing The Wheel: The Metasploit Rails::Application in 4.10

In Metasploit 4.10, we converted Metasploit Framework (and prosvc in Metasploit Commercial Editions) to be a full-fledged Rails::Application. You may be wondering why Metasploit Framework and prosvc should be Rails applications when they aren't serving up web pages. It all has to do with not reinventing the wheel and very useful parts of Rails, Rails::Railtie and Rails::Engine. Rails 3.0 infrastructure Since Rails 3.0, Rails has been broken into multiple gems that didn't require each other a

1 min Metasploit

Federal Friday - 8.22.14 - A Sensitive Cloud and Some Additional Strategy

Happy Friday, Federal Friends! Do you hear that? That sound you're hearing is the collective high-five every adult with children just gave each other in celebration of "Back to School [http://giphy.com/gifs/WKdPOVCG5LPaM]." For those of you whose summah is coming to a close, I hope it has been a great couple of months. For those of you that don't have to worry about that, I'll see ya at the empty beach in September. I read a great article this week about another take on cyber strategy. Piggy--b

1 min Metasploit

Top 2 Takeaways from the "Credentials are the New Exploits: How to Effectively Use Credentials in Penetration Tests" Webcast

This week, Christian Kirsch [https://community.rapid7.com/people/ckirsch] enlightened us about the latest trend in attacker methodologies: Credentials. In the webcast, "Credentials are the New Exploits: How to Effectively Use Credentials in Penetration Tests [https://information.rapid7.com/creds-are-the-new-exploits-registration.html?CS=blog] ", we learned why credential abuse is in vogue, and what penetration testers can do to tackle this head on with as much efficiency and proficiency as poss

2 min Metasploit

Feedback on Rapid7's Tech Preview Process and Metasploit Pro 4.10

By guest blogger Sean Duffy, IS Team Lead, TriNet. Rapid7 invited me to participate in pre-release testing of Metasploit 4.10, a process they call Tech Preview. They asked me to openly share my thoughts with the community. Preparation and Logistics I always enjoy working with Rapid7. Preparatory meetings and documentation made the installation and testing process a breeze. Rapid7 was also kind enough to extend my testing and feedback sessions when work so rudely intruded on the fun. Zero compla

2 min Metasploit

msfconsole failing to start? Try 'msfconsole -n'

As part of the last release, the Metasploit Engineering team here at Rapid7 has been on a path of refactoring in the Metasploit open source code in order to make it more performant and to get toward a larger goal of eventually breaking up the framework into a multitude of libraries that can be used and tested in a standalone way. This effort will make it easier to deliver features and respond to issues more quickly, as well as ensure that regressions and bugs can get diagnosed, triaged, and fix

4 min Metasploit

Hunting for Credentials: How Metasploit Pro Beat Me on the Command Line

By guest blogger Robert Jones, Information Security Manager, City of Corpus Christi. I had the opportunity to participate in a tech preview of Metasploit Pro's new credentials features. In our shop, we use Metasploit Pro, Nexpose, UserInsight and ControlsInsight, all by Rapid7. I certainly wish I could spend the majority of my time pentesting, but instead I often find myself using Metasploit to educate users by showing them how I can compromise their machines. It is incredibly compelling

2 min Metasploit

Metasploit Pro's New Credentials Features Save Us Time in Workflows

By guest blogger Dustin Heywood, Manager, Security Assurance, ATB Financial. Recently I was invited to participate in Metasploit Pro's Tech Preview Program, where customers are given early access to new product releases. I've taken part in this program before and I have always loved the experience. For those of you who haven't been involved in a Rapid7 Tech Preview program: It starts out with a call with the customer engagement manager and the product management team, who gave me an overview o

10 min Metasploit

New Metasploit 4.10: Credentials Are the New Exploits

We've given credentials a new boost with Metasploit 4.10. It's now easier to manage, reuse and report on credentials as part of a penetration test. Pentesters are shifting from exploits to credentials There was one common theme that we heard from a lot of penetration testers we talked to over the past few months: You're using more and more credentials on penetration tests. We even surveyed the Metasploit user base to make sure we didn't ask a biased sample: 59% of you said that you use credenti

2 min Metasploit

Federal Friday - 8.8.14 - Military Strategy in Cybersecurity

Happy Friday, Federal friends! I hope that you folks out in the desert are having a blast at BlackHat, B-Sides and DEFCON. It sounds like it's been a great week out there, mostly because it's been so quiet back here in HQ. Speaking of BlackHat; there was a session this week being hosted by Tom Cross, director of security research at Lancope. He, and two other industry experts, were going to be discussing utilizing a variety of militaristic approaches to cybersecurity. In particular, having orga

2 min Metasploit

Federal Friday - 8.1.14 - Threat Sharing and Cybersecurity Myths

Happy Friday, Federal friends! After a brief hiatus, due to an epic travel day last Friday, I'm baaaaaack. Welcome to the dog-days of summer everyone. School is around the corner, and better yet we're only 62 days away from the unofficial start to ski season. Don't believe me? Check out the guys at Ski The East [https://twitter.com/SKITHEEAST], they're keeping watch for us. There was some potential, positive, traction regarding threat sharing in the Senate this week. Sen. Gillibrand introduced

3 min Metasploit

Federal Friday - 7.18.14 - Mobile Movement

Happy Friday, Federal friends! The Midsummer classic is behind us which means we're heading into the dog-days of summer. I hope you all have some nice quality time planned with your families so you can get out and enjoy the weather, especially with the Winter and "Spring" we just went through. There was a big announcement [http://fcw.com/articles/2014/07/16/apple-ibm-deal.aspx] earlier this week regarding two titans of the tech industry that will have direct impact on several verticals, includi

3 min Metasploit

Weekly Metasploit Update: Embedded Device Attacks and Automated Syntax Analysis

D-Link Embedded Device Shells This week, esteemed Metasploit contributor @m-1-k-3 [https://github.com/m-1-k-3] has been at it again with his valiant personal crusade against insecure SOHO (small office/home office) embedded devices with known vulnerabilities. We have a new trio of modules that target D-Link gear, based on the research released by Craig Heffner and Zachary Cutlip, which exploit two bugs present in the DSP-W215 Smart Plug, and one UPnP command injection bug found in the DIR-815.

1 min Metasploit

Federal Friday - 7.11.14 - Buying Agile

Happy Friday, Federal friends! Due to the heavy amount of CDM paperwork I've had to do this week I'm going to keep today's blog very short. As we forge ahead into the spending spree [http://fcw.com/articles/2014/07/11/snapshot-fy-2014-q4-spending.aspx] that is Q4 of FY14, it's important to know how to navigate the buying process on the federal side of the house. FCW has a great article [http://fcw.com/articles/2014/06/26/buying-agile-without-jumping-through-hoops.aspx] this week offering a hos

0 min Metasploit

Federal Friday - 7.4.14 - A Special Thursday Edition

Breaking News: HAPPY FOURTH OF JULY! I hope all of you out there enjoy the long weekend with your friends, family, fireworks and some delicious BBQ. See you again next week!

3 min Metasploit

Federal Friday - 6.27.14 - A Clash of Cultures

Happy Friday, Federal Friends! Welcome to the weekend, and for those of you who are out next week, happy Fourth of July. There was a great, short, read from the Washington Post [http://www.washingtonpost.com/business/on-it/cias-cio-working-with-private-sector-can-be-a-clash-of-cultures/2014/06/24/42213114-fbad-11e3-b1f4-8e77c632c07b_story.html] this week about a talk given by CIA CIO Doug Wolfe at a recent symposium. He was talking about the Agency's coming deployment into AWS but went i

2 min Metasploit

Federal Friday - 6.20.14 - Winter is Coming

Happy Friday, Federal friends. The World Cup (soccer tournament) is underway, and while futbol is fun to watch for a few weeks, we are really waiting for the start of football training camp. Sorry about the title, especially for those in the Northeast. It's more of a play on Game of Thrones' ominous tag line, and about how one should be prepared. In this case I'm using it in reference to the pending changes coming to NIST 800-53 [http://www.informationweek.com/government/cybersecurity/nist-secur

2 min Metasploit

Federal Friday - 6.13.14 - New Group, Same Story

Happy Friday, Federal friends! It's another lovely Fall day here in Beantown but I hope each of you are enjoying your early Summer weather. Some exciting news as Rapid7 was named one of the Top Places to Work by the Boston Business Journal (#11 Mid-size company)! I'm going to keep it short and sweet today considering this is a topic I've covered before. Given the news stemming from a new CrowdStrike [http://www.crowdstrike.com/sites/all/themes/crowdstrike2/css/imgs/platform/CrowdStrike_Global_T

2 min Metasploit

Top 4 Takeaways from the "Live Bait: How to Prevent, Detect, and Respond to Phishing Emails" Webcast

In this week's webcast, Lital Asher-Dotan [https://community.rapid7.com/people/lasherdotan] and ckirsch [https://community.rapid7.com/people/ckirsch] tackled the hot topic, “Live Bait: How to Prevent, Detect, and Respond to Phishing Emails [https://information.rapid7.com/prevent-detect-and-respond-to-phishing-emails.html?CS=blog] ”. Phishing has risen from #9 to #3 in the Verizon Data Breach Investigations Report on the most common attack vectors. Phishing attacks are often successful because i

2 min Metasploit

Federal Friday - 6.6.14 - 70 Years Later

Happy Friday, Federal friends! As we all know, today marks the 70th anniversary of the day our forebears forever changed the course of history, my grandfather among them. By securing a foothold on the beaches of Normandy, the Allied Expeditionary Force was able to penetrate the steel teeth that was Fortress Europe. While times have changed, Gen. Eisenhower's words still ring loudly today. Not just in terms of the sacrifices made that day, but also in the trenches that we find ourselves in today. Take

3 min Metasploit

Security Advisory: OpenSSL Vulnerabilities CVE-2014-0224 and CVE-2014-0221 in Metasploit (Updated 6/6/14, 2pm EST)

Metasploit 4.9.2 and earlier vulnerable to OpenSSL vulnerabilities The OpenSSL team today published a security advisory [http://www.openssl.org/news/secadv_20140605.txt] containing several critical vulnerabilities. The Metasploit editions Metasploit Pro, Metasploit Express, Metasploit Community and Metasploit Framework in versions 4.9.2 or earlier are vulnerable to these OpenSSL vulnerabilities, most notably CVE-2014-0224 [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224] and CVE-2014

1 min Metasploit

Federal Friday - 5.30.14 - Social Engineering from the Middle East

Happy Friday, Federal friends. You can tell it's almost Summah up here because it's been 50 and raining this week. So an interesting piece of news from an article on DarkReading [http://www.darkreading.com/attacks-breaches/iranian-cyberspies-pose-as-journalists-online-to-ensnare-their-targets/d/d-id/1269270] this week regarding an ongoing campaign targeting government officials and contractors of both the US and Israel. This is a mash-up of social engineering techniques from phishing to social

2 min Metasploit

Top 3 Takeaways from "7 Ways to Make Your Penetration Tests More Productive" Webcast

Earlier this week we heard from ckirsch [https://community.rapid7.com/people/ckirsch], Senior Product Marketing Manager for Metasploit at Rapid7, on the pressure penetration testers are facing. (Hint: it's a lot!). With the increase in high profile breaches and their costs, more and more emphasis is being put on the pen tester and security in general. Read on if you'd like to get the top takeaways from this week's webcast so that you aren't left in the dark about, "7 Ways to Make Your Penetratio

2 min Metasploit

Federal Friday - 5.16.14 - Cloudy with a Chance of Insider Threats

To quote the multi-dimensional, world-renowned lyricist Rebecca Black: "Yesterday was Thursday, Thursday. Today i-is Friday, Friday." With that being said -- welcome to the weekend, Federal friends. I wanted to start this week off with an article from GCN [http://gcn.com/articles/2014/05/09/insight-hybrid-cloud-security.aspx?admgarea=TC_SecCybersSec] around government and the cloud. While the cloud trend has steadily increased over the past few years, the demand to bring it on board within the

3 min Metasploit

Federal Friday - 5.9.13 - Renewed Push for Threat Sharing

Happy Friday Federal friends! We're creeping closer and closer to summer, which means Boston will have about 2 weeks of Spring to look forward to. For those of you that were able to join our webcast yesterday I want to thank you for attending and please let me know if you have any questions, I'm here to help. Piggy-backing on the recent M-Trends report, and the latest DBIR [http://www.verizonenterprise.com/DBIR/], an article on DarkReading [http://www.darkreading.com/vulnerabilities---threats/

4 min Metasploit

Federal Friday - 5.2.14 - Alphaville: Cybersecurity's Westeros

Happy Friday, federal friends! I blinked on Monday and the next thing I know I'm typing up this blog. Where has the week gone? For those of you that have been impacted by the wild and dangerous weather around the country this week, I wish you all the best and a speedy recovery. So did my title about Westeros get you? I love Game of Thrones as much as the next fan, although I do have to admit I'm holding off on the books until HBO wraps their version, but the reality is that it takes place in th

1 min Metasploit

2014 Metasploit T-Shirt Design Contest

Hey Hacker-Designers! Remember about this time last year, we kicked off the Metasploit T-Shirt design contest [/2013/05/03/metasploits-10th-anniversary-laptop-decal-design-competition] to commemorate our shipping of 1,000 exploits and Metasploit's 10th Anniversary? Turns out, we had so many good designs [/2013/07/16/metasploit-design-contest-winners] and so much fun with that that we're doing it again this year. So let's see, what reason can we contrive this year... We have 1,294 exploits now,

2 min Metasploit

Federal Friday - 4.25.14 - A Whole Lot of Oops

Happy Friday, Federal friends! I hope all of you enjoyed some nice family time over the respective holidays last week. After a successful Marathon Monday here in Boston we're blessed with chirping birds and blooming flowers (finally)! As you all probably know by now, Verizon released their latest DBIR [http://www.verizonenterprise.com/DBIR/2014/reports/rp_dbir-2014-executive-summary_en_xg.pdf] report earlier this week. While this report covered a wide range of topics in regards to breaches, I

2 min Metasploit

Hacker's Dome: An Online Capture-the-Flag (CTF) Competition on May 17

Many folks ask me how you can get started as a penetration tester. Save for a real-life penetration test, capture-the-flag (CTF) competitions are probably the most effective ways for you to hone your offensive security skills. What's best: they're a ton of fun, even for experienced pentesters. The folks over at CTF365.com [http://www.ctf365.com/] have put together a one-off CTF called Hacker's Dome, which will start on May 17th and run for 48 hours, so save the date. Hacker's Dome - First Bloo

4 min Metasploit

Federal Friday - 4.18.14 - Mandiant Trends and the Federal Cyber Brain Drain

Happy Friday, Federal friends. Hopefully all of you are through the post-Heartbleed hangover [http://i.huffpost.com/gen/284555/thumbs/r-HANGOVER-3-large570.jpg] with very few scars to show for it. I don't know about y'all folks further south than Beantown, but I FINALLY get to do my finest Payne Stewart [http://i.cdn.turner.com/dr/golf/www/release/sites/default/files/article_images/payne_stewart_299x247_1.jpg] impersonation as I hit the local links for the first time this season tomorrow mornin

3 min Metasploit

Federal Friday - 4.11.14 - Another Quiet Week...

Can you believe how quiet it was this week? Nothing going on, everyday slowly dragging on, the tick, tick tick of the clock getting louder and louder by the second. Reminds me of the late-night drip from your faucet but more annoying because you're stuck at work. Oh wait, totally forgot this was a cybersecurity blog and mistook it for my crochet blog. You, much like us here at R7, were probably pretty busy this week. In that case let me officially say, happy freaking Friday, Federal friends! I'

4 min Metasploit

Security Advisory: OpenSSL Heartbleed Vulnerability (CVE-2014-0160) in Metasploit (Updated 4/11/14 2:20pm EDT)

Metasploit 4.9.0 and earlier vulnerable to Heartbleed, update 4.9.1 addresses critical cases The Metasploit editions Metasploit Pro, Metasploit Express, and Metasploit Community in versions 4.9.0 or earlier are vulnerable to the OpenSSL Heartbleed Vulnerability (CVE-2014-0160). Please update to version 4.9.1 to remediate critical vulnerabilities. See below for remediation instructions. Metasploit Framework itself is not affected, but it has dependencies on other components that may need to be u

1 min Metasploit

How to Save 140 Hours a Month on Vulnerability Management

Welcome back, Whiteboard Wednesday Fans! Were you able to check out our Whiteboard Wednesday last week [http://www.rapid7.com/resources/videos/how-to-save-time-on-vulnerability-management.jsp] ? Our very own Bill Bradley discusses how you can significantly cut down on the time spent on vulnerability management every month. Specifically, he discusses the various technologies that exist today that will help you, as a user, cut down on the amount of time needed to properly scan and remediate the v

2 min Metasploit

Federal Friday - 4.4.14 - DOD Embraces NIST and Increases Cyberwarfare Force

Friday, oh sweet Friday, it's good to see you again. Hello Federal friends, welcome to another edition of Federal Friday. Over the last two weeks there has been a significant change in the way DOD approaches cybersecurity. On March 12th, the DOD made a major move by taking a risk based and holistic approach to cybersecurity by aligning with NIST's Risk Management Framework [http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf] and phasing out DOD Information Assurance

2 min Metasploit

R7-2014-05 Vulnerability in Metasploit Modules (Fixed)

Metasploit Pro, Community, and Express users are urged to update to the latest version of Metasploit to receive the patch for the described vulnerability. Kali Linux users should use the normal 'apt-get update' method of updating, while other Metasploit Pro, Community, and Express users can use the in-application Administration : Software Updates button. A remote privilege escalation vulnerability has been discovered by Ben Campbell of MWR InfoSecurity [https://labs.mwrinfosecurity.com/advisori

3 min Metasploit

Federal Friday - 3.28.14 - History Repeats in Current Phishing Campaigns

Happy Friday, federal friends! Spring has Sprung! While some of us had a touch of winter this week, we avoided the big hit and it looks like nothing but sunshine on the horizon which means summah is around the corner! Speaking of summer, who's going to Vegas for BlackHat, B-Sides and Defcon? Drop me a line here if you are! Attackers, being the solid humans they are, have decided to pile on the recent tragedy around Malaysian Flight MH 370 [http://threatpost.com/mh-370-related-phishing-attacks-sp

11 min Metasploit

New Metasploit 4.9 Helps Evade Anti-Virus Solutions, Test Network Segmentation, and Increase Productivity for Penetration Testers

Metasploit 4.9 helps penetration testers evade anti-virus solutions, generate payloads, test network segmentation, and generally increase productivity through updated automation and reporting features. Since version 4.8, Metasploit has added 67 new exploits and 51 auxiliary and post-exploitation modules to both its commercial and open source editions, bringing our total module count up to 1,974. The new version is available immediately. Generate AV-evading Dynamic Payloads Malicious attackers u

2 min Metasploit

Federal Friday - 3.21.14 - A Day of Reckoning

Friday at last... Hello federal friends! I'm pleased to announce that the sun is setting here in Boston at 6:58pm tonight and there is Major League Baseball being played this weekend. Spring officially happened yesterday which should make those of you in DC put Monday's snow-day out of sight and out of mind. Did my ominous title catch your attention? Don't worry, this is not the end of times, or even the end of days [http://www.imdb.com/title/tt0146675/] for that matter (thank goodness) and mo

3 min Firefox

Metasploit Weekly Update: Keeping Things Tidy

Making Beautiful Exploits This week, most of our energy has been spent on making Metasploit modules more beautiful. If you're not aware, we have this long-standing bug, Couple hundred msftidy warnings [https://dev.metasploit.com/redmine/issues/8498], which deal mostly with the style and syntax of Metasploit modules. msftidy.rb [https://github.com/rapid7/metasploit-framework/blob/master/tools/msftidy.rb] is a little Ruby script that does some basic sanity checking on new Metasploit modules check

2 min Metasploit

Federal Friday - 3.14.14 - New Beginnings and New Fed-focused Benchmarks

Happy Friday Federal friends! We're nestled comfortably in our new space in downtown Boston [https://www.google.com/maps/place/100 Summer St/@42.3537293,-71.057427,19z/data=!4m2!3m1!1s0x89e3708243c5aac5:0xa32a2abc907ec6c5] and it already feels like home. This is good news for everyone because we moved out of the Pru at 4pm on Friday and we were rockin' n' rolling in the new digs at 8am on Monday. Enough about us though, let's get back to it... On the mobile front, NASA had a rough go of it du

1 min Metasploit

Federal Friday - 3.7.14 - Rapid7 Moose are on the Move

Federal friends! Unfortunately we're in the process of undergoing a much needed move and today is the last day in the current office. The good news? We're moving to greener, and more importantly, much larger pastures as our herd has grown quite a bit in the last 12 months and our current space just can't fit us anymore. As of Monday we will be located a little further downtown at 100 Summer St. So, next time you're in Boston give us a jingle and we'll be happy to invite you into our new home. In

2 min Metasploit

Federal Friday - 2.28.14 - Flash Zero Day Targets Foreign Policy Sites

Federal Friday has come again, which means another week has passed us by. It's been a busy week for the Moose of Rapid7 with an imminent move for our Boston HQ on the horizon. We also had a great week at RSA with SC Magazine naming Nexpose the Best Vulnerability Management Solution! The threat landscape has had a wild few days with a major security flaw for Apple desktops and iOS devices as well as another IE zero day being discovered. In addition, a detailed report from FireEye [http://www.

3 min Metasploit

Weekly Metasploit Update: Encoding-Fu, New Powershell Payload, Bug Fixes

I Got 99 Problems but a Limited Charset Ain't One In this week's Metasploit weekly update, we begin with OJ TheColonial Reeves' [https://twitter.com/TheColonial] new optimized sub encoding module (opt_sub.rb). As the name implies, this encoder takes advantage of the SUB assembly instruction to encode a payload with printable characters that are file path friendly. Encoders like this are incredibly useful for developing a memory corruption exploit that triggers a file path buffer overflow, where

2 min Metasploit

Federal Friday - 2.21.14 - NATO praises NIST's Framework

Happy Friday, federal friends! I hope you all enjoyed your long weekend and short work-week. We're cruising through February here at the global HQ in Beantown, with a big office move scheduled for early March. I hope most of you have begun to thaw out and for those of you out there having a similar winter to New England, think warm thoughts (it helps). There was a nice article on Inside Security [http://insidecybersecurity.com/Cyber-General/Cyber-Public-Content/nato-cybersecurity-center-praises

3 min Metasploit

Federal Friday - 2.7.14 - Third-Party Problems - Olympics Edition

Happy Friday, federal friends! Welcome to February, the funniest month of them all! In all seriousness though, I am looking forward to meeting a lot of you at our DC Roadshow next week! As you can guess from the title this week I am going to talk about some issues [http://news.cnet.com/8301-1009_3-57618407-83/sochi-visitors-entering-hacking-minefield-by-firing-up-electronics/] around the Olympics. Issues not involving water [http://norberthaupt.files.wordpress.com/2014/02/sochi-water.jpg] or t

3 min Metasploit

Weekly Metasploit Update: ADSI support and MSFTidy for sanity

Meterpreter ADSI support We ended up skipping last week's update since upwards of 90% of Rapid7 folks were Shanghaied up to Boston, in the dead of winter, with only expense-reportable booze to keep us warm at night. So, with much fanfare comes this week's update, featuring the all new ADSI interface for Meterpreter, via OJ "TheColonial" Reeves' [https://twitter.com/TheColonial] Extended API. Lucky for us, and you, Carlos "DarkOperator" Perez [https://twitter.com/DarkOperator] was not ensconced i

4 min Metasploit

Federal Friday - 1.31.14 - Positioning for a Holistic Cybersecurity Deployment

Hello federal friends, happy last Friday of January. Is the year flying by already for anyone else? I wanted to talk to you this week about how to position your organization to better prepare yourselves from a cybersecurity standpoint. Who better to help me do this than Jennifer Aniston? " "Yeah. Yeah. We do. Although I didn't actually choose these. I, um, I just sorta grabbed fifteen buttons and just...I don't even know what they say! Y'know, I don't really care. I don't really like talkin

2 min Metasploit

Federal Friday - 1.24.14 - Threats From Afar

Friday, oh sweet Friday, it's great to see you again my friend. I hope all of you are doing well with Polar Vortex 2014.2! Don't get me wrong, I love Star Wars, and winter (for the most part), but I do not enjoy living on the set of Hoth this long. This week an interesting article from SC Magazine [http://www.scmagazineuk.com/cyber-security-failure-could-result-in-next-major-terrorism-attack/printarticle/330532/] highlighted the results of a discussion of industry leaders at a conference in Lill

5 min Metasploit

Making Your Printer Say "Feed Me a Kitten" and Also Exfiltrate Sensitive Data

As of this last release, PJL [https://en.wikipedia.org/wiki/Printer_Job_Language] (HP's Printer Job Language) is now a grown-up Rex::Proto protocol! Since extending a protocol in Metasploit is beyond the scope of this post, we'll just be covering how to use the PoC modules included with the new protocol. Feel free to dig around in lib/rex/proto/pjl*, though! Okay, let's get started! printer_version_info First off, we have printer_version_info. This module lets us scan a range of hosts for pri

3 min Metasploit

Weekly Metasploit Update: Talking PJL With Printers

Abusing Printers with PJL This week's release features a half dozen new modules that seek out printers that talk the Printer Job Language (PJL) for use and abuse. Huge thanks to our newest full time Metasploit trouble maker, William Vu [https://twitter.com/wvuuuuuuuuuuuuu]. As a penetration tester, you probably already know that office printers represent tasty targets. Like most hardware with embedded systems, they rarely, if ever, get patches. They don't often have very serious security control

3 min Metasploit

Free Information Security Tools: The Best Free Tools of 2013?

Welcome to 2014! It's a brand new and shiny year, filled with resolutions and promises, and things you'll pretty much abandon by mid February. We here at Rapid7 figured that we might try to impart some helpful knowledge on items you WILL use and adopt throughout 2014. So, since we love free and open source tools, we are presenting an ongoing series of posts about the free information security tools that the team at Rapid7 love and use. This post will cover a few of the best freebies released la

3 min Metasploit

Federal Friday - 1.17.14 - Don't Forget to Wipe (Your Device)

Happy Friday, federal friends! I hope the post-holiday hangover has passed and your resolutions remain intact. It's been a busy start to the year so far in Rapid7-Land and we're only 2 weeks into '14. This week I read a great article on FederalTimes [http://www.federaltimes.com/article/20140115/MOB/301150005/Employee-owned-mobile-devices-put-agencies-risk] about how employee owned devices put agencies at risk, especially when it comes to wiping them. This is significant, especially with the ho

3 min Firefox

Weekly Metasploit Update: Firefox Payloads, VirusTotal Checks, and What To Do With Unstable Modules

Firefox Payloads Hey, remember last summer when it was reported that the FBI was allegedly targeting Firefox [/2013/08/07/heres-that-fbi-firefox-exploit-for-you-cve-2013-1690] with an 0day to nab criminals? Turns out, perhaps whoever was really behind it wasn't thinking far enough outside the box, because Firefox has some built-in functionality for some pretty nifty trickery which should make life significantly easier for the penetration tester and social engineer-er. As of this week, Metasplo

1 min Metasploit

Free Webcast: From Framework to Pro - Using Metasploit Pro in Penetration Tests

Metasploit Pro is more than just a pretty web interface for Metasploit; it contains many little known features that simplify large scale network penetration tests. In this technical webinar for penetration testers who are familiar with Metasploit Framework [http://information.rapid7.com/how-to-use-metasploit-pro-in-penetration-tests.html?LS=2903674&CS=web] , David Maloney shows which features he finds most useful in Metasploit Pro. Watch this webcast to learn how to: * Quickly scan a network

2 min Metasploit

Federal Friday - 1.10.14 - Welcome to 2014

Happy New Year federal friends! I hope each and every one of you have had a great holiday season with your families and friends. I know I had a nice quiet week off, until Hercules dropped some snow and most of us were slapped in the face with a nice Polar Vortex session. Now it's time to hop back on the horse and charge head first into 2014. In the wake of the massive Target breach that ended 2013, DHS has started 2014 off with a nice shot across the bow for anyone using POS systems and any org

2 min Exploits

Weekly Metasploit Update: Arbitrary Driver Loading & Win a WiFi Pineapple

Wow, I don't know about you, kind reader, but I'm just about blogged out after that 12 Days of HaXmas sprint. I'll try to keep this update short and sweet. Arbitrary Driver Loading This week's update includes a delightful new post module for managing a compromised target, the Windows Manage Driver Loader [http://www.metasploit.com/modules/post/windows/manage/driver_loader] by longtime Metasploit community contributor, Borja Merino. If you, as a penetration tester, pop a box and gain administra

1 min Metasploit

Make Your Voice Heard & Make Metasploit More Awesome

We've sharpened our pencils and put up a drawing board to decide where we want to take Metasploit in 2014 and beyond. Metasploit is built on collaboration with the community, both through the contributions of security researchers in building the open source Metasploit Framework, and through a continuous feedback loop with our customers that enables us to keep driving the solution to meet their needs. As part of our continued commitment to the latter, we're asking you to let us know how you use M

1 min Metasploit

Security Guide - Evading Anti-Virus Detection

Here on SecurityStreet, we get a lot of questions regarding penetration testing and how to evade various Anti-Virus programs detecting the work you're doing. Still, if you can't actually run a fully functional test, then you can't mimic the real world conditions that an attacker would take to try to get into and exploit your networks. This guide: Security Guide: How to Evade Anti-Virus Detection [http://information.rapid7.com/Evading-AntiVirus-Security-Guide.html], will help with how to best av

4 min Metasploit

12 Days of HaXmas: Finding shell_bind_tcp_random_port with Nmap and Ndiff

This post is the ninth in a series, 12 Days of HaXmas, where we take a look at some of the more notable advancements in the Metasploit Framework over the course of 2013. A few months ago, contributor geyslan [https://github.com/geyslan] submitted a cool pull request [https://github.com/rapid7/metasploit-framework/pull/2350] for a random-port bind shell payload on x86 and x64 Linux systems. In this post, we'll explore how to use this payload with our friends Nmap [http://nmap.org/] and Ndiff [http:

5 min Metasploit

12 Days of HaXmas: Metasploit closes out 2013

This post is the seventh in a series, 12 Days of HaXmas, where we take a look at some of the more notable advancements in the Metasploit Framework over the course of 2013. Today is the last day of the year, so there's no better time to get all weepy and sentimental about Metasploit development over a glass or four of champagne. I continue to be amazed, honored, and humbled by the amount of talent, skill, and brute force labor that goes in to keeping the Metasploit juggernaut rolling. With that,

4 min Metasploit

Bypassing Adobe Reader Sandbox with Methods Used In The Wild

Recently, FireEye identified and shared information [http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/ms-windows-local-privilege-escalation-zero-day-in-the-wild.html] about two vulnerabilities used in the wild to exploit Adobe Reader on Windows XP SP3 systems. The vulnerabilities are: * CVE-2013-3346 [http://cvedetails.com/cve/CVE-2013-3346]: A Use After Free in Adobe Reader. Specifically in the handling of a ToolButton object, which can be exploited through a document's Java

3 min Metasploit

Rapid7 Webcasts: A Great Week to Learn About Pentesting SAP Infrastructures

SAP applications contain a ton of juicy information, making them a great target for malicious attackers who are after intellectual property, financial statements, credit card data, PII and PHI. Breaching SAP systems opens the door for fraud, sabotage, and industrial espionage. SAP systems have often organically grown and are hard to update, making them a soft target. What's worse, pentesters are often unfamiliar with SAP infrastructures and how to pentest SAP systems. To help with the latter, R

3 min Metasploit

Weekly Metasploit Update: SAP and Silverlight

SAP SAPpy SAP SAP We've been all SAP all the time here in the Independent Nations of Metasploit, and expect to be for the rest of the week. You might recall that Metasploit exploit dev, Juan Vazquez [https://twitter.com/_juan_vazquez_] published his SAP survey paper [http://information.rapid7.com/sap-penetration-testing-using-metasploit.html] a little while back; on Tuesday, we did a moderated twitter chat on the hashtag #pwnSAP [https://twitter.com/search?q=%23pwnSAP&src=tyah] with the major S

2 min Metasploit

Weekly Metasploit Update: Patching Ruby Float Conversion DoS (CVE-2013-4164)

Metasploit 4.8.1 Released Thanks to the revelations around the recent Ruby float conversion denial of service, aka CVE-2013-4164 [https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164/] discovered and reported by Charlie Somerville, this week's release is pretty slim in terms of content; on Friday (the day of the first disclosure), we pretty much dropped everything and got to work on testing and packaging up new Metasploit installers that ship with R

3 min Metasploit

Weekly Metasploit Update: BrowserExploitServer (BES), IPMI, and KiTrap0D

Browser Exploit Server This release includes the much vaunted and anticipated BrowserExploitServer (BES) mixin [https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/remote/browser_exploit_server.rb] , the brainchild of Metasploit exploit developer Wei @_sinn3r [https://twitter.com/_sinn3r] Chen. Metasploit, at its core, is designed to be both an exploit delivery system and exploit development system, so this new mixin should help tremendously with the latter. BES, in a

5 min Metasploit

Exploiting the Supermicro Onboard IPMI Controller

Last week @hdmoore [https://twitter.com/hdmoore] published the details about several vulnerabilities in the Supermicro IPMI firmware [/2013/11/06/supermicro-ipmi-firmware-vulnerabilities]. With the advisory's release, several modules were landed into Metasploit in order to check Supermicro devices against several of the published vulnerabilities: Module Purpose smt_ipmi_static_cert_scanner [http://www.rapid7.com/db/modules/auxiliary/scanner/http/smt_ipmi_static_cert_scanner] This module ca

2 min Metasploit

Tech Preview Feedback: Vulnerability Validation in Metasploit Pro 4.8

By guest blogger and Rapid7 customer David Henning, Director Network Security, Hughes Network Systems A few weeks ago, Rapid7 asked me to participate in the Metasploit Tech Preview for 2013. I've participated in a couple of other product previews in the past. I like the interaction with the Rapid7 development teams.  This tech preview was smooth and it was easy to participate. Previous testing sessions required interactions over e-mail and there was some associated lag. This preview was managed

16 min Metasploit

Don't Get Blindsided: Better Visibility Into User and Asset Risks with Metasploit 4.8

Not having visibility can be dangerous in many situations. The new Metasploit 4.8 gives you better visibility in four key areas: * View phishing exposure in the context of the overall user risk * See which vulnerabilities pose the biggest risk to your organization * Have all host information at your fingertips when doing a pentest * Discover the latest risks on your network with new exploits and other modules See Phishing Exposure as One Factor of User Risk Users are often a weak part of t

3 min Metasploit

Learn to Pentest SAP with Metasploit As ERP Attacks Go Mainstream

This month, a security researcher disclosed that a version of the old banking Trojan “Trojan.ibank” has been modified to look for SAP GUI installations, a concerning sign that SAP system hacking has gone into mainstream cybercrime.  Once a domain of a few isolated APT attacks, SAP appears to be in the cross hairs of hackers that know just how much sensitive data ERP systems house, including financial, customer, employee and production data.  With more than 248,500 customers in 188 countries, SAP

1 min Metasploit

SOHO Router Horror Stories: German Webcast with Mike Messner

This Thursday, it's my distinct pleasure to host Mike @s3cur1ty_de Messner for a German-language webcast about SOHO router security [http://information.rapid7.com/soho-router-horror-stories-webcast.html]. For those not familiar with him, Mike is the author of the most comprehensive German Metasploit book (published by dpunkt) [http://www.amazon.de/Metasploit-Das-Handbuch-zum-Penetration-Testing-Framework/dp/3898647722] and worked several years as a Metasploit trainer. His personal passion is p

1 min Metasploit

Putting the Fax Straight: Rapid7.com and Metasploit.com Website Defacement

We want to share a short update regarding the defacement of Rapid7.com and Metasploit.com last week. A malicious 3rd party, claiming to be KDMS, changed the DNS settings with our domain registrar, Register.com. We have heard from Register.com that the attacker did NOT use a spoofed change request fax as originally and unintentionally communicated by Register.com. It's more likely the attackers used other social engineering techniques, resulting in compromised credentials of a Register.com emplo

2 min Metasploit

Staying Stealthy: Passive Network Discovery with Metasploit

One of the first steps in your penetration test is to map out the network, which is usually done with an active scan. In situations where you need to be stealthy or where active scanning may cause instability in the target network, such as in SCADA environments, you can run a passive network scan to avoid detection and reduce disruptions. A passive network scan stealthily monitors broadcast traffic to identify the IP addresses of hosts on the network. By initially running a passive scan, you can

4 min Metasploit

Change the Theme, Get a Shell: Remote Code Execution with MS13-071

Recently we've added an exploit for MS13-071 [https://www.rapid7.com/db/vulnerabilities/windows-hotfix-ms13-071] to Metasploit. Rated as "Important" by Microsoft, this remote code execution, found by Eduardo Prado, for Windows XP and Windows 2003 environments is achieved by handling specially crafted themes. In this blog post we would like to discuss the vulnerability and give some helpful tips for exploiting it from Metasploit. First of all, the bug occurs while handling the [boot] section on

1 min Metasploit

Rapid7's New Contest - Hashtags and Headphones!

Hello Security people, You know how at every trade show you attend, you end up coming home with a metric ton of T-shirts? You also know how you need an excellent pair of headphones to drown out the constant hum of your server room, or the user who needs his keyboard rebooted? We here at Rapid7 have a contest specifically with you in mind. If you get one of our new 10th Anniversary Metasploit t-shirts [/2013/07/16/metasploit-design-contest-winners] at any of the events we're at this year (fo

5 min Metasploit

Kvasir: Penetration Data Management for Metasploit and Nexpose

Data management is half the battle for penetration testing, especially when you're auditing large networks. As a penetration tester with Cisco's Advanced Services, I've created a new open source tool called Kvasir that integrates with Metasploit Pro, Nexpose, and a bunch of other tools I use regularly to aggregate and manage the data I need. In this blog post, I'd like to give you a quick intro to what Kvasir does - and to invite you to use it with Metasploit Pro. Cisco's Advanced Services has bee

3 min Metasploit

Weekly Update

Windows Meterpreter: Reloaded If you've been around Metasploit for any length of time, you know that Meterpreter is the preferred and de facto standard for manipulating a target computer after exploit. While Meterpreter and Metasploit go hand-in-hand, we did manage to get some code separation between the two by breaking Windows Meterpreter out to its own open source repository on GitHub [https://github.com/rapid7/meterpreter]. As threatened in a previous blog post [/2013/09/05/weekly-update],

3 min Metasploit

Weekly Update: MSIE, GE Proficy, and handling Metasploit merge conflicts

Exploiting Internet Explorer (MS13-055) This week, we open with a new IE exploit. This is a pretty recent patch (from July, 2013), and more notably, it appears it was silently patched without attribution to the original discoverer, Orange Tsai. So, if you're a desktop IT admin, you will certainly want to get your users revved up to the latest patch level. Thanks tons to Peter WTFuzz [https://twitter.com/WTFuzz] Vreugdenhil and of course Wei sinn3r [https://twitter.com/_sinn3r] Chen for knocking

4 min Product Updates

Weekly Update: Meterpreter Updates, VMWare, the OSX spycam, Retabbing, and more!

Meterpreter Updates This is a big week for Meterpreter. For starters, we've landed a new Meterpreter Python payload [https://github.com/rapid7/metasploit-framework/blob/master/modules/payloads/stages/python/meterpreter.rb] . Yes, yes, I know, you thought that Metasploit was all Ruby all the time, but this and the Python payloads for bind shells from Spencer McIntyre [https://github.com/zeroSteiner] should help out on advancing the state of Meterpreter by leaps and bounds. Despite Metasploit's m

3 min Metasploit

Fun With VMware Utilities: vmware_mount Exploit (CVE-2013-1662)

On August 22, Tavis Ormandy dropped a bug in VMWare [http://blog.cmpxchg8b.com/2013/08/security-debianisms.html] that takes advantage of a build configuration in Linux distributions. Providing you have user-level access to a Debian or Ubuntu box with VMWare installed, this exploit gives you root access. It's a fun bug and I want to explain how the Metasploit module for it works: The background There's this thing called priv_mode in bash that means it will drop privs if euid != uid. Anyone who h

4 min Metasploit

Rapid7 Free Tools - Download Today!

Hello all, It's your friendly neighborhood Community Manager again, this time reaching out to talk about something that should be of interest to all of you; Rapid7's suite of Free Security Tools [http://www.rapid7.com/resources/free-tools.jsp]. If you're a one man shop, trying to make sure you're as buttoned up as possible, or a giant organization just looking to do some validation and double checking, I'm sure one or more of these tools would be an excellent addition to your existing security

3 min Product Updates

Weekly Update: Apple OSX Privilege Escalation

Sudo password bypass on OSX This week's update includes a nifty local exploit for OSX, the sudo bug described in CVE-2013-1775. We don't have nearly enough of these Apple desktop exploits, and it's always useful to disabuse the Apple-based cool-kids web app developer crowd of the notion that their computing platform of choice is bulletproof. Joe Vennix [https://github.com/jvennix-r7], the principal author of this module, is, in fact, of that very same Apple-based developer crowd, and usually bu

3 min Metasploit

Firewall Egress Filtering: Why And How You Should Control What's Leaving Your Network

Most companies have firewall rules that restrict incoming traffic, but not everyone thinks to restrict data leaving the network. That's a shame, because a few easy configurations can save you a lot of headaches. Firewall egress filtering controls what traffic is allowed to leave the network, which can prevent leaks of internal data and stop infected hosts from contacting their command & control servers. NAT alone won't help you - you actually have to restrict the ports through which your intern

3 min Product Updates

Weekly Update: Cooperative Disclosure and Assessing Joomla

Cooperative Disclosure I'm in attendance this year at Rapid7's UNITED Security Summit [http://www.unitedsummit.org/], and the conversations I'm finding myself in are tending to revolve around vulnerability disclosure. While Metasploit doesn't traffic in zero-day vulnerabilities every day, it happens often enough that we have a disclosure policy [https://rapid7.com/disclosure.jsp] that we stick to when we get a hold of newly uncovered vulnerabilities. What's not talked about in that disclosure p

3 min Metasploit

Time To Patch Joomla

Joomla released earlier this month a security advisory [http://developer.joomla.org/security/news/563-20130801-core-unauthorised-uploads] for unauthorized uploads affecting Joomla! version 2.5.13 and earlier 2.5.x versions; and version 3.1.4 and earlier 3.x versions. Later, news emerged that the vulnerability had been exploited in the wild. According to Versafe, who reported and analyzed the attack in the wild [http://www.versafe-login.com/?q=whitepapers-and-online-threats-resea

5 min Open Source

Weekly Update: OpSec in Open Source Projects

The weekly Metasploit update is out, and I wanted to highlight three modules that landed in the last week, all of which target open source software. It's easy to drink the FOSS Kool-Aid, and talk about how it's more inherently secure than secret source software, but sadly, security is Hard Work, even in happy-hippie open source land. OpenX Backdoored First, a little background -- Heise Security reported that the OpenX open source ad server got itself backdoored [http://www.heise.de/security/mel

0 min Metasploit

SecureNinjaTV Interview: Tod Beardsley About Metasploit 10th Anniversary

At Black Hat 2013 in Vegas this year, our very own Tod Beardsley was cornered by SecureNinja TV and social engineered into giving an interview. Here is the result - captured for eternity: [http://www.youtube.com/watch?v=yFHA5F2crFE&feature=youtu.be]

7 min Metasploit

Here's that FBI Firefox Exploit for You (CVE-2013-1690)

Hello fellow hackers, I hope you guys had a blast at Defcon partying it up and hacking all the things, because ready or not, here's more work for you.  During the second day of the conference, I noticed a reddit post [http://www.reddit.com/r/onions/comments/1jmrta/founder_of_the_freedom_hosting_arrested_held/] regarding some Mozilla Firefox 0day possibly being used by the FBI in order to identify some users using Tor for crackdown on child pornography. The security community was amazing: withi

3 min Product Updates

Weekly Update: Metasploit Pro on Chromebook, Galaxy Tab, and a Batch of New ZDI Exploits

Vegas Time! Like the rest of the information security industry, we're buttoning down for the annual pilgrimage to Vegas next week. This means collecting up all our new community-sourced swag [/2013/07/16/metasploit-design-contest-winners], finishing up training and presentation material, figuring out what the heck to do with our phones to avoid casual ownage, and test driving our new Chromebook builds of Metasploit Pro. They're pretty sweet. The latest update for ARM-arch Kali should run withou

8 min Metasploit

Metasploit 4.7's New MetaModules Simplify Security Testing

Even when offensive security techniques have been publicly discussed at conferences and proof of concept code or open source tools are available, using them in your projects can be very time consuming and may even require custom development. Metasploit Pro 4.7 now introduces MetaModules, a unique new way to simplify and operationalize security testing for IT security professionals. MetaModules automate common yet complicated security tests that provide under-resourced security departments a mor

2 min Metasploit

Metasploit Design Contest: So Much Win!

You may recall that back in May, we announced a Metasploit design contest [/2013/05/03/metasploits-10th-anniversary-laptop-decal-design-competition] to commemorate 10 years of Metasploit -- and now, it's time to announce the (many) winners! Once again, the open source security community has blown me away with your creativity, dedication, and subversive humor. We had a total of 118 designs (most of which did not suck!) from 55 designers. Not bad for a nearly completely hashtag-driven contest! In

4 min Metasploit

Federal Friday - Weekly Recap 7-11-2013

Welcome back to Federal Friday with a happy belated 4th of July. I hope all of you out there had a fantastic holiday and were able to spend some quality time with friends, family, and some fireworks. For this week's blog I wanted to focus on 3 topics that really grabbed my attention over the last two weeks. NIST needs your help. In a blog post on Federal Technology Insider [http://federaltechnologyinsider.com/calling-all-cybersecurity-experts-nist-seeks-public-input-on-protecting-national-cri

6 min Metasploit

Good Exploits Never Die: Return of CVE-2012-1823

According to Parallels, "Plesk is the most widely used hosting control panel solution, providing everything needed for creating and offering rich hosting plans and managing customers and resellers, including an intuitive User Interface for setting up and managing websites, email, databases, and DNS." (source: Parallels [http://www.parallels.com/products/plesk/webhosters/]). On Jun 05 kingcope shocked the Plesk world by announcing a new 0 day which could allow for remote command execution: Accordi

3 min Metasploit

Metasploit Update: Those Sneaky IPMI Devices

IPMI, in my network? This week's update features a set of tools for auditing your IPMI infrastructure. "Phew, I'm glad I'm not one of those suckers," you might be thinking to yourself. Well, the thing about IPMI (aka, the Intelligent Platform Management Interface) is that it's just a skootch more esoteric than most protocols, and even experienced server administrators may not be aware of it. Do you use server hardware from IBM, Dell, or HP? Have you ever had to use IBM's Remote Supervisor adapte

2 min Metasploit

Metasploit Update: Weaponizing Local Exploits

Weaponizing Local Exploits This week's update features an exploit for Tavis @taviso [https://twitter.com/tavsio] Ormandy's vulnerability in the EPATHOBJ::pprFlattenRec [http://seclists.org/fulldisclosure/2013/May/91] function, which lives in win32k.sys on pretty much any Windows machine you're likely to run into. A whole lot of people threw in on this module to make this exploit reliable in Metasploit -- Tavis and progmboy wrote the original C exploit, new contributor @Keebie4e [https://github

13 min Metasploit

A Penetration Tester's Guide to IPMI and BMCs

Introduction Dan Farmer is known for his groundbreaking work [http://fish2.com/security/] on security tools and processes. Over the last year, Dan has identified some serious security issues [http://fish2.com/ipmi/] with the Intelligent Platform Management Interface (IPMI) protocol and the Baseboard Management Controllers (BMCs) that speak it. This post goes into detail on how to identify and test for each of the issues that Dan identified, using a handful of free security tools.  If you are lo

2 min Metasploit

Weekly Update: Fun with ZPanel, MoinMoin, and FreeBSD

Chaining Zpanel Exploits for Remote Root ZPanel is a fun, open source web hosting control panel, written in code auditors' favorite language, PHP. For bonus points, ZPanel likes to do some things as root, so it installs a nifty little setuid binary called 'zsudo' that does pretty much what you might expect from a utility of that name -- without authentication. In the wake of some harsh words on reddit and elsewhere in regard to the character of ZPanel's development team, the project came to the

6 min Metasploit

Federal Friday - 6.29.13 - Weekly Recap

As I prepare to dive into this week's Federal Friday post I can't help but notice that it's that time of the year again.  The days are longer, the mercury rising, a sweet smell of B.B.Q filling the air, and students around the country are heading out of the classroom and into their summer vacation. They leave their respective schools and previous grades behind, and for the next few months they will embark on numerous adventures, filling their heads with all types of stories that they'll be burst

13 min Metasploit

From the Wild to Metasploit: Exploit for MoinMoin Wiki (CVE-2012-6081)

Recently we've added to Metasploit a module for CVE-2012-6081, [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6081] an arbitrary file upload vulnerability affecting version 1.9.5 (patched!) of the MoinMoin [http://moinmo.in/] Wiki software. In this blog entry we would like to share both the vulnerability details and how this one was converted into RCE (exploited in the wild!) because the exploitation is quite interesting, where several details must be taken into account to successful e

1 min Metasploit

HackMiami Web Application PwnOff - Nexpose w/Metasploit Dominated

During the HackMiami 2013 Hacker Conference [http://hackmiami.org/] held in Miami Beach, a live Web Application Scanner PwnOff contest pitted common web scanning suites against each other. Participants included Acunetix, IBM Rational AppScan, NT OBJECTives NTOSpider, Portswigger Burp, and Rapid7 Nexpose [http://www.rapid7.com/products/nexpose/] with Metasploit [http://www.rapid7.com/products/metasploit/]. In a head-to-head battle each of the automated web application scanning suites went up agai

4 min Metasploit

Federal Friday - Weekly Recap 6.21.13

Welcome to the brand new Federal Friday Blog here on Security Street! I tend to be an avid consumer of industry information, trends and general points of information within the InfoSec space. I want to use this blog to aggregate some of the information I find helpful and share that info with all of you on a weekly basis. Additionally we will be publishing federally-focused content from many of the great resources we have here at Rapid7. This content will highlight trends within the space and ho

2 min Product Updates

Weekly Update: Smaller is Better

In this week's episode, the role of Tod Beardsley will be played by egypt. Smaller is better Perhaps the most prominent addition to the framework this week is not an addition at all, but rather a deletion. We've been working toward a slimmer, more manageable source tree for a while now, and as part of that effort, we recently removed a pile of old-and-busted unit tests. This update goes a bit further, moving source code for some compiled payloads into separate repositories. Metasploit's version

4 min Product Updates

Weekly Update: Adventures in Unstable, DoS'ing UPnP for Good, and Secret AWK Shells

Stable is for Suckers! Today on the Freenode IRC [https://www.freenode.net/] channel #metasploit, a user was asking about our old SVN repository for "unstable" Metasploit modules. He was lamenting its loss, since we recently shut down our SVN services (described in this blog post [/2013/05/22/weekly-update] on May 22, 2013). Fear not, danger-seekers! "Unstable" does live on in the form of a GitHub branch. You can check it out at https://github.com/rapid7/metasploit-framework/tree/unstable, and

3 min Product Updates

Weekly Update: Apache Struts Exploit, Android Meterpreter, and New Payloads

Apache Struts Exploit This week's update includes an exploit for a pretty recent vulnerability in Apache Struts, thanks to community contributor Richard @Console [https://github.com/Console] Hicks. The struts_include_param module exercises the vulnerability described at OSVDB 93645 [http://www.osvdb.org/93645], disclosed on May 23, 2013, a bare two weeks ago, and originally discovered by Eric Kobrin and Douglad Rodrigues. The reason why I bring this up is not just because it's a solid exploit f

3 min Product Updates

Weekly Update: The Nginx Exploit and Continuous Testing

Nginx Exploit for CVE-2013-2028 The most exciting element of this week's update is the new exploit for Nginx which exercises the vulnerability described by CVE-2013-2028 [http://mailman.nginx.org/pipermail/nginx-announce/2013/000112.html]. The Metasploit module was written by Metasploit community contributors hal and saelo, and exploits Greg McManus's bug across a bunch of versions on a few pre-compiled Linux targets. We don't often come across remote, server-side stack buffer overflows in popul

3 min Metasploit

Weekly Update: 4.6.1, ColdFusion Exploit, and SVN Lockdown

Metasploit 4.6.1 Released This week's update bumps the patch version of Metasploit to 4.6.1 (for installed versions of Metasploit). The major change here is the ability to install Metasploit on Windows 8 and Windows Server 2012. That meant we had to fiddle with the installer and a few of Metasploit Pro's dependencies to get that all working correctly, and that led to skipping last week's release so we could be sure all the moving parts lined up correctly. This release also fixes a few minor iss

3 min Metasploit

Git Clone Metasploit; Don't SVN Checkout

TL;DR: Please stop using SVN with svn co https://www.metasploit.com/svn/framework3/trunk and start using the GitHub repo with git clone git://github.com/rapid7/metasploit-framework As of today, a few of you may notice that an attempt to update Metasploit Framework over SVN (instead of git or msfupdate) results in an authentication request. If you try to SVN checkout on Windows, using TortoiseSVN, you will see a pop up much like this: For command line people, if you try to 'svn co' or 'svn

8 min Metasploit

New 1day Exploits: Mutiny Vulnerabilities

1 min Metasploit

Metasploit's 10th Anniversary: Laptop Decal Design Competition

When I wrote up the Metasploit Hits 1000 Exploits [/2012/12/07/metasploit-hits-1000-exploits] post back in December, I had to perform a little open source forensic work to get something resembling an accurate history of the Metasploit project -- after all, it's difficult for me to remember a time on the Internet without Metasploit. I traced the first mention of 1.0 back to this mailing list post [http://marc.info/?l=pen-test&m=106548308908767&w=2] in 2003. You know what that means, right? This y

3 min Metasploit

Weekly Update: WordPress Total Cache and Mimikatz

Attacking WordPress Plugins Someone [https://twitter.com/egyp7] once described PHP as a "web API for remote code execution," and it's true that PHP is definitely web programming without guardrails. This week's security news was dominated by an RCE vulnerability in a pair of wildly popular WordPress plugins, W3 Total Cache [http://www.w3-edge.com/wordpress-plugins/w3-total-cache/] and WP Super Cache [http://wordpress.org/extend/plugins/wp-super-cache/], which are written in (wait for it) PHP. Regu

1 min Metasploit

Webcast Q&A: OWASP Top 10 and Web App Scanning Webcast

First of all, a big thank you to all of you who participated in our OWASP Top 10 and Web App Scanning webcast last week. (If you missed it, you can view a recording here. [http://information.rapid7.com/on-demand-webcast-owasp-top-10.html?LS=1949402&CS=web] ) Because of an issue with the webcast platform, I wasn't able to see all of the audience questions while we were online. However, my colleagues were able to recover the unanswered questions, so I created questions and answers for them in the

3 min Product Updates

Weekly Update: Pull Request Wrangling

Pull Requests: Want to help? Metasploit has a first world problem: We get so much code from contributors out in the world, it gets hard to keep up. Most open source projects aren't popular enough to warrant more than three or four contributors, total. Metasploit has over two hundred, last I checked. We're no Rails (those guys have over 2,000 contributors), but for security software, that's not too bad. The problem is, our backlog of outstanding pull requests [https://github.com/rapid7/metasploi

7 min Metasploit

Serial Offenders: Widespread Flaws in Serial Port Servers

Introduction At the InfoSec Southwest 2013 [http://2013.infosecsouthwest.com/] conference I gave a presentation [https://speakerdeck.com/hdm/aisa-may-2013-serial-offenders] on serial port servers. This presentation was drawn from research that tried to determine how prevalent and exposed internet-connected serial port servers are. The results were pretty scary - authentication was rarely implemented and the types of devices exposed ranged from corporate VPN servers to traffic signal monitors. T

2 min Product Updates

Weekly Update: Sport Fishing for Exploits and Improved Java Hackery

Java Payload Cleanup If you've been watching the Metasploit source repository [https://github.com/rapid7/metasploit-framework/], you will have noticed some movement in Java Payload land -- specifically, PR#1217 [https://github.com/rapid7/metasploit-framework/pull/1217], which landed this week. Thanks to the refactoring efforts of Michael @mihi42 [https://twitter.com/mihi42] Schriel, testing by @Meatballs [https://github.com/Meatballs1], and integration from James @egyp7 [https://twitter.com/egyp

4 min Metasploit

How To Do Internal Security Audits Remotely To Reduce Travel Costs

An internal penetration test simulates an attack on the network from inside the network. It typically simulates a rogue employee with user-level credentials or a person with physical access to the network, such as cleaning staff, trying to access resources on the network they're not authorized for. Internal penetration tests typically require the auditor to be physically present in the location. If you are working as a consultant, then conducting internal penetration tests can mean a lot of tr

4 min Metasploit

Metasploit Pro 4.6 Adds OWASP Top 10 2013 and Security Auditing Wizards

Today, we released Metasploit Pro 4.6, which brings you some awesome new features for your enterprise security program. Updated Web Application Security Testing with Support for OWASP Top 10 2013 Web applications are gaining more and more traction, both through internally developed applications and by adding SaaS-based solutions. These applications often contain some of the most confidential information in the organization, such as financial and customer data, credit card numbers, medical data,

12 min Metasploit

Metasploit 4.6.0 Released!

We just released Metasploit 4.6.0, so applying this week's update will get you the brand new version. While Chris has a delightful blog post [/2013/04/10/metasploit-adds-owasp-top-10-2013-and-penetration-test-wizards] of what all is new in Metasploit Pro, let's take a look at what's exciting and new between Metasploit 4.5.0 and today's update to 4.6.0. 138 new modules First off, the hacker elves have been cranking out a ton of module content since we released 4.5.0 back in December, 2012. Betw

3 min Product Updates

Weekly Update: Minecraft RAT Attacks, PHP Shell Games, and MongoDB

Minecraft-Vectored Malware Metasploit exploit developer Juan @_juan_vazquez_ [https://twitter.com/_juan_vazquez_], while trawling the Internet for the next hot exploit, came across this pastie [http://pastie.org/pastes/6581034] describing a Java exploit which takes advantage of a vulnerability in Java's Color Management classes. Turns out, this is also one of the vulns being exploited in McRat, a Trojan targeting Windows-based Minecraft players (that's what the "Mc" stands for). McRat is compe

4 min Metasploit

Weekly Update: Consumer-Grade Hacking, Attribution and Testing, and Msfupdate updates

Consumer-Grade Hacking Last month [/2013/02/21/weekly-update], I talked about community contributor Michael @m-1-k-3 [https://github.com/m-1-k-3] Messner's nifty D-Link authentication bypass, and made the case that having Metasploit modules for consumer-grade access points is, in fact, useful and important. Well, this week's update has a pile of new modules from m-1-k-3, all of which are targeting these kinds of consumer-grade networked devices: We now have a Linksys E1500 / E2500 remote comman

3 min Metasploit

Weekly Update: Introducing Metasploit 4.5.3

Version bump to Metasploit 4.5.3 This week, we've incremented the Metasploit version number by one trivial point to 4.5.3 -- this was mainly done to ensure that new users get the fixes for the four [https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/4_QHo4BqnN8] most [https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/KZwsQbYsOiI] recent [https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/zAAU7vGTPvI] vulnerabilities [https

3 min Metasploit

Metasploit Now Supports Kali Linux, the Evolution of BackTrack

Today, our friends at Offensive Security announced Kali Linux [http://www.kali.org/offensive-security-introduces-kali-linux/], which is based on the philosophy of an offensive approach to security. While defensive solutions are important to protect your network, it is critical to step into the shoes of an attacker to see if they're working. Kali Linux is a security auditing toolkit that enables you just that: test the security of your network defenses before others do. Kali is a free, open sour

7 min Metasploit

PSExec Demystified

Multiple modules inside the Metasploit Framework bear the title PSExec, which may be confusing to some users. When someone simply refers to “the PSExec module”, they typically mean exploit/windows/smb/psexec, the original PSExec module. Other modules are more recent additions, and make use of the PSExec technique in other ways. Here's a quick overview of what these modules are for: Metasploit Module Purpose Comment exploit/windows/smb/psexec Evading anti-virus detection Service EXE

3 min Metasploit

Weekly Update: Splitting DNS Modules and a D-Link Auth Bypass

DNS Module Split up This week, we appear to have a whole bunch of new DNS-based enumeration and information gathering modules. In fact, this was actually more of a housekeeping chore, largely by longtime Metasploit contributor Carlos @darkoperator [https://twitter.com/darkoperator] Perez. Darkoperator wrote most of the original enum_dns [https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/enum_dns.rb] module as well. enum_dns became a bit of a junk drawer of DNS

1 min Metasploit

Whiteboard Wednesday - Password Auditing with Metasploit

This week's Whiteboard Wednesday [http://www.rapid7.com/resources/videos/password-auditing-with-metasploit.jsp] features our own David Maloney [https://community.rapid7.com/people/thelightcosine], speaking about password auditing techniques with Metasploit. He details three quick and easy techniques for auditing in this clip including: * Brute forcing/online attacks * Hash Cracking/offline attacks * Password Recovery This clip aims to give you a good overview about just how much risk your'

2 min Metasploit

Weekly Update: Corelan, MSFTidy, and UNC Path Injection

28 Hours Later This week, much of the Metasploit Framework and Metasploit Pro teams here at Rapid7 had the opportunity to get some intense, in-person training on exploit development from long-time Metasploit contributor, Peter corelanc0d3r [https://twitter.com/corelanc0d3r] Van Eeckhoutte and local Corelan Teammates @_sinn3r [https://twitter.com/_sinn3r] and TheLightCosine [https://twitter.com/thelightcosine]. I'm the first to admit that my memory corruption skills are pretty light (I hang arou

3 min Metasploit

How to Verify that the Payload Can Connect Back to Metasploit on a NATed Network

If you are running an external penetration test and are working from a NATed network behind a wireless router, for example from home, you will need to adjust your router's port forwarding settings so the payload can connect back to Metasploit. The best option would be to eliminate the router and connect directly to the Internet, but that would make me unpopular with the other folks sharing the Internet connection, so it wasn't an option in my case. Setting up the port forwarding is not too diffi

3 min Metasploit

Weekly Update: UPnP Exploit, DVRs Again, SSL Shells, Solving for Slashes

It's Raining Crypto This week's update brings a pile of new payloads to the Metasploit Framework -- namely, SSL versions of most of the Unix payloads we've all grown to love, courtesy of Metasploit community contributor Boris RageLtMan [https://community.rapid7.com/github.com/sempervictus] Lukashev. We've landed SSL versions of a bunch of reverse connectback payloads, including command shells from Perl, Python, Bash, PHP, Ruby, and Telnet, so now your shells will be a little more private from th

1 min Metasploit

Twitter Hacked - 250,000 Passwords Exposed

In what's become a common headline of late, yet another incredibly popular web destination has admitted it's been compromised.  This time, it's our favorite 140 word limited blog - Twitter. [https://twitter.com/] On their blog [http://blog.twitter.com/2013/02/keeping-our-users-secure.html] posted this past Friday, the Tweeps had this advice to their users: "Though only a very small percentage of our users were potentially affected by this attack, we encourage all users to take this opportunit

3 min Metasploit

Weekly Update: UPnP, Another Rails Exploit, and Auditing Joomla

UPnP Scanning The big news this week are the UPnP / SSDP vulnerability announcements [/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play] that we've been coordinating between CERT/CC, open source vendors, and device manufacturers over the last couple months. We have a pretty excellent white paper on the subject, written by Metasploit founder and international superhacker HD Moore [https://twitter.com/hdmoore], so I won't attempt to rehash that here, but the TL;DR of what you

3 min Metasploit

Security Flaws in Universal Plug and Play: Unplug, Don't Play

This morning we released a whitepaper entitled Security Flaws in Universal Plug and Play [https://information.rapid7.com/rs/411-NAK-970/images/SecurityFlawsUPnP%20%281%29.pdf]. This paper is the result of a research project spanning the second half of 2012 that measured the global exposure of UPnP-enabled network devices. The results were shocking to say the least. Over 80 million unique IPs were identified that responded to UPnP discovery requests from the internet. Somewhere between 40 an

2 min Product Updates

Weekly Update: Hollywood Hacking and More Java Exploits

Hollywood Hacking: Tapping Webcams and Mics This week's update has two new post modules for Metasploit, which enable the creative pen-tester to hit that creeper vibe so often missing on a typical engagement, both by Metasploit exploit dev Wei @_sinn3r [https://twitter.com/_sinn3r] Chen. They're both post-exploitation modules, so they presume you already have a session on the target via some other exploit. First up is a webcam control module, which can take a snapshot using the target's webcam.

3 min Metasploit

The forgotten spying feature: Metasploit's Mic Recording Command

About two years ago, Metasploit implemented [https://github.com/rapid7/metasploit-framework/commit/2e72926638b0fb972a26b2c1a3b040cf4cc224f2] the microphone recording feature to stdapi thanks to Matthew Weeks [https://twitter.com/scriptjunkie1].  And then almost a year ago, we actually lost that command [https://github.com/rapid7/metasploit-framework/commit/42719ab34bb9ca51d2cd623777662fc2253857f1] due to a typo.  We, and apparently everyone else, never noticed that until I was looking at the

10 min Exploits

New Java Modules in Metasploit... No 0 days this time

Last year Security Explorations published some awesome research [http://www.security-explorations.com/en/SE-2012-01.html], exploring the security state of the Java SE from Oracle, and disclosing different vulnerabilities and exploit vectors in this software. In fact, some of the last Java exploits found in the wild have been using techniques from the mentioned research. Today we're publishing two new modules exploiting some of the documented issues. In this blog post we would like to share somet

5 min Product Updates

Update to the Metasploit Updates and msfupdate

The Short Story In order to use the binary installer's msfupdate, you need to first register your Metasploit installation. In nearly all cases, this means visiting https://localhost:3790 [https://localhost:3790/] and filling out the form. No money, no dense acceptable use policy, just register and go. Want more detail and alternatives? Read on. Background A little over a year ago, Metasploit primary development switched to Git [/2011/11/10/git-while-the-gitting-is-good] as a source control p

1 min Metasploit

Evading Anti-Virus Detection - Whiteboard Wednesday

In today's Whiteboard Wednesday, David Maloney [https://community.rapid7.com/people/thelightcosine] explains anti-virus evasion techniques for Metasploit. In order to make the most of Metasploit pen testing techniques in delivering payloads, you need to be able to deliver those payloads without anti-virus flagging them. David walks us through a few examples on how to bypass anti-virus detection so you can easily pen test your systems. Watch the video here! [http://www.rapid7.com/resources/vid

1 min Metasploit

Hacking like it's 1985: Rooting the Cisco Prime LAN Management Solution

On January 9th Cisco released advisory cisco-sa-20130109 [http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130109-lms] to address a vulnerability in the "rsh" service running on their Cisco Prime LAN Management Solution virtual appliance. The bug is as bad as it gets - anyone who can access the rsh service can execute commands as the root user account without authentication. The example below demonstrates how to exploit this flaw using Metasploit ( free download [

3 min Metasploit

Weekly Metasploit Update: Rails Scanning, ZDI, and Exploit Dev

Rails Injection Bug The big news this week turned out to be the new Rails injection bug, aka, CVE-2013-0156, which you can read about in detail over on HD Moore's blog post. Soon after the vulnerability was disclosed, @hdmoore [https://twitter.com/hdmoore] had a functional auxiliary scanner module [http://www.metasploit.com/modules/auxiliary/scanner/http/rails_xml_yaml_scanner] put together, so as of this moment, you're encouraged to scan the heck out of your environment, repeatedly, for vulner

4 min Metasploit

Serialization Mischief in Ruby Land (CVE-2013-0156)

This afternoon a particularly scary advisory [https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion] was posted to the Ruby on Rails (RoR) security discussion list. The summary is that the XML processor in RoR can be tricked into decoding the request as a YAML document or as a Ruby Symbol, both of which can expose the application to remote code execution or SQL injection. A gentleman by the name of Felix Wilhelm went into detail [http://www.insinuator.net/2013/01/r

4 min Penetration Testing

Free Metasploit Penetration Testing Lab In The Cloud

No matter whether you're taking your first steps with Metasploit or if you're already a pro, you need to practice, practice, practice your skillz. Setting up a penetration testing lab can be time-consuming and expensive (unless you have the hardware already), so I was very excited to learn about a new, free service called Hack A Server [http://www.hackaserver.com/], which offers vulnerable machines for you to pwn in the cloud. The service only required that I download and launch a VPN configurat

3 min Metasploit

Using BackTrack 5 R3 with Metasploit Community or Metasploit Pro

Update: Kali Linux has now superseded BackTrack as a platform. We strongly recommend using Kali Linux over BackTrack if you are going to run Metasploit. More info here [/2013/03/13/metasploit-now-supports-kali-linux-the-evolution-of-backtrack]. As of version 5 R3, BackTrack comes pre-installed with Metasploit 4.4, so it's now easier to use Metasploit Community Edition or Metasploit Pro on BackTrack. Here is how it's done: * After BackTrack boots, enter startx to get into the UI. * Install Bac

3 min Metasploit

How Metasploit's 3-Step Quality Assurance Process Gives You Peace Of Mind

Metasploit exploits undergo a rigorous 3-step quality assurance process so you have the peace of mind that exploits will work correctly and not affect production systems on your next assignment. Step 1: Rapid7 Code Review Many of the Metasploit exploits are contributed by Metasploit's community of over 175,000 users, making Metasploit the de-facto standard for exploit development. This is a unique ecosystem that benefits all members of the community because every Metasploit user is a “sensor

8 min Metasploit

New Metasploit Exploit: Crystal Reports Viewer CVE-2010-2590

In this blog post we would like to share some details about the exploit for CVE-2010-2590 [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2590], which we released in the last Metasploit update [/2012/12/19/weekly-metasploit-update]. This module exploits a heap-based buffer overflow, discovered by Dmitriy Pletnev, in the CrystalReports12.CrystalPrintControl.1 ActiveX control included in PrintControl.dll. This control is shipped with the Crystal Reports Viewer, as installed by default wi

2 min Metasploit

Weekly Metasploit Update: CrystalReports and Testing Discipline

Dissecting CrystalPrintControl This week's update is, by all accounts, pretty light. This may be the first update we've shipped that has exactly one new module.  To make up for the lack of quantity, though, we've got some quality for you, oh boy. If it's snowy and blustery where you live, grab yourself a cup of hot cocoa, gather the kids, and watch their little eyes twinkle in the firelight as you regale them with the classic fable of how Metasploit Exploitation Elf Juan @_juan_vazquez [https:

1 min Metasploit

How Can I Protect Against Phishing? - Whiteboard Wednesdays

Phishing is on the rise as an attack vector because it's often the fastest and easiest way to penetrate a network's defenses. You're doing security awareness training, but how do your users behave when faced with a real phishing e-mail?  So how can you train people to smell a phish and just say no?  In this Whiteboard Wednesday, I'll walk you through some telltale signs and techniques you can use to reduce the risk of falling for phish.  Topics covered in this video include: * What is phishin

2 min Metasploit

Introduction to Metasploit Hooks

Metasploit provides many ways to simplify your life as a module developer. One of the less well-known of these is the presence of various hooks you can use for processing things at important stages of the module's lifetime. The basic one that anyone who has written an exploit will be familiar with is exploit, which is called when the user types the exploit command. That method is common to all exploit modules. Aux and post modules have an analogous run method. Common to all the runnable modules

8 min Metasploit

The Odd Couple: Metasploit and Antivirus Solutions

I hear a lot of questions concerning antivirus evasion with Metasploit, so I'd like to share some of the information critical to understanding this problem. This blog post is not designed to give you surefire antivirus (AV) evasion techniques, but rather to help you understand the fundamentals of the issue. A Quick Glossary Before we begin, let's define a few terms. This will be important for understanding some of the things we will discuss. Payload: A payload is the actual code that is being del

3 min Metasploit

Weekly Metasploit Update: Exploit Dev How-to and InfoSec Targets

Metasploit 4.5 has been out for a few days, so it's high time for an update. Let's hop to it! 1000th Exploit: Freefloat FTP WMI I often hear the question, "How do I get started on writing exploits?" Well, I'd like to point you to Metasploit's 1000th exploit (future Hacker Jeopardy contestants, take note): On December 7, 2012, Wei "sinn3r" Chen and Juan Vazquez committed FreeFloat FTP Server Arbitrary File Upload [http://www.metasploit.com/modules/exploit/windows/ftp/freefloatftp_wbem]. Now, as

4 min Metasploit

New Metasploit 4.5: Manage Your Organization's Phishing Exposure

You can now get a better handle on your organization's exposure to phishing attacks [http://www.rapid7.com/solutions/need/manage-phishing-exposure.jsp]: Metasploit Pro now gives you quick insight on risks and advice on how to reduce them. With today's new release version 4.5, Metasploit Pro's social engineering features are no longer just for penetration testers but add a lot of value for more generalist security professionals. A handful of our customers already tested these new capabilities i

2 min Metasploit

Weekly Metasploit Update: OpenVAS, SAP, NetIQ, and More!

Now that I've consumed a significant percentage of my own weight in turkey (seriously, it was something like five percent), it's time to shake off the tryptophan and get this week's update out the door. Attacking Security Infrastructure: OpenVAS This week's update features three new modules for bruteforcing three different OpenVAS authentication mechanisms, all provided by community contributor Vlatko @k0st [https://twitter.com/k0st] Kosturjak. OpenVAS is an open source security management stac

2 min Metasploit

Weekly Metasploit Update: Web Libs, SAP, ZDI, and More!

Fresh Web Libs As we head into the holiday season here in the U.S., Metasploit core developers Tasos @Zap0tek [https://twitter.com/Zap0tek] Laskos and James @Egyp7 [https://twitter.com/egyp7] Lee finished up a refresh of the Metasploit fork of the Anemone libraries, which is what we use for basic web spidering. You can read up on it here [http://anemone.rubyforge.org/]. The Metasploit fork isn't too far off of Chris Kite's mainline distribution, but does account for Metasploit's Rex sockets, ad

4 min Metasploit

Weekly Metasploit Update: WinRM x2, ADDP, RealPort, CI and BDD

WinRM, Part Two In the last Metasploit update blog post, we talked about the work from Metasploit core contributors @TheLightCosine [http://twitter.com/thelightcosine] , @mubix [http://twitter.com/mubix] and @_sinn3r [http://twitter.com/_sinn3r] on leveraging WinRM / WinRS. As of this update, Metasploit users can now execute WQL queries [http://www.metasploit.com/modules/auxiliary/scanner/winrm/winrm_wql], execute commands [http://www.metasploit.com/modules/auxiliary/scanner/winrm/winrm_cmd], an

6 min Metasploit

Abusing Windows Remote Management (WinRM) with Metasploit

Late one night at Derbycon [https://www.derbycon.com/], Mubix [https://twitter.com/mubix] and I were discussing various techniques of mass ownage. When Mubix told me about the WinRM service, I wondered: "Why don't we have any Metasploit modules for this yet?" After I got back, I began digging. WinRM/WinRS WinRM is a remote management service for Windows that is installed but not enabled by default in Windows XP and higher versions, but you can install it on older operating systems as well. Win

5 min Metasploit

Exploit Trends: Top 10 Searches for Metasploit Modules in October

Time for your monthly dose of Metasploit exploit trends! Each month we gather this list of the most searched exploit and auxiliary modules from the Metasploit database. To protect users' privacy, the statistics come from analyzing webserver logs of searches, not from monitoring Metasploit usage. October was a quiet month for exploit headlines, so not a whole lot of action on the list. The high traffic to Java and IE modules from their respective 0-days settled down, so you'll see some shuffli

3 min Metasploit

Weekly Metasploit Update: WinRM Part One, Exploiting Metasploit, and More!

WinRM Exploit Library For the last couple weeks, Metasploit core contributor David @TheLightCosine [http://twitter.com/thelightcosine] Maloney has been diving into Microsoft's WinRM services with @mubix [http://twitter.com/mubix] and @_sinn3r [http://twitter.com/_sinn3r]. Until these guys started talking about it, I'd never heard of WinRM. If you're also not in the Windows support world day-to-day, you can read up on it at Microsoft [http://msdn.microsoft.com/en-us/library/windows/desktop/aa384426(

2 min Metasploit

Weekly Metasploit Update: Microsoft Windows and SQL, TurboFTP, and More!

AppSecUSA 2012 Last week was AppSecUSA 2012 here in Austin, which may explain the curious absence of a weekly Metasploit Update blog post. The highlights of AppSec for me were (in no particular order): meeting Raphael @ArmitageHacker [https://twitter.com/armitagehacker] Mudge in person for the first time, meeting Scott @_nullbind [https://twitter.com/_nullbind] Sutherland, author of a bunch of recent Microsoft SQL post modules, both of whom happened to contribute to last week's Metasploit upda

3 min Metasploit

Weekly Metasploit Update: Reasonable disclosure, PHP EXE wrappers, and more!

ZENWorks' Accidental Backdoor This week, we saw the release of Metasploit exploit developer Juan Vazquez's freshly discovered vulnerability in Novell ZENWorks. You can read all about it in Juan's great technical blog post [/2012/10/15/cve-2012-4933-novell-zenworks], but the short version for the attention-deprived is: Novell ZENWorks ships with hard-coded credentials, which allow for SYSTEM-level file system read access. That seems like kind of a big deal for ZENWorks users -- namely because th

1 min Metasploit

Welcome to SecurityStreet

I wanted to take the time to welcome you to our online community, SecurityStreet. For most of you, you've been redirected here after finishing a survey we sent out to several of our customers. We hope you find what you're looking for, and you can reach out to me at any time for more information. We've established this Community for our customers, and the infosecurity world at large, to better educate about our products and to provide our own take on the important news and information that's aff

4 min Metasploit

Weekly Metasploit Update: RopDB, Local Exploits, Better Samples, and More!

Introducing RopDB This week, Metasploit exploit devs Wei "sinn3r" Chen [https://github.com/wchen-r7] and Juan Vazquez [https://github.com/jvazquez-r7] finished up Metasploit RopDB [/2012/10/03/defeat-the-hard-and-strong-with-the-soft-and-gentle-metasploit-ropdb]. This advancement allows for drop-in ROP chains in new exploits, without all that mucking around with copying and pasting mysterious binary blobs from one exploit to the next. For the details on how to use it and what to expect in the

5 min Metasploit

Exploit Trends: Java and IE 0days

Each month we report the top ten searched exploit and auxiliary modules on metasploit.com. The statistics are drawn from our exploit database by analyzing webserver logs of searches, not through Metasploit usage, which is not tracked in order to preserve privacy. With the Java and Internet Explorer 0-days in August and September, this month's exploit trends from Metasploit really shook up the status quo. And, just to make things more interesting, there are a couple exploits from April that came back fo

3 min Metasploit

Weekly Metasploit Update: Stealing Print Jobs, Exploiting Samba, and More!

This update has something for everyone -- new exploits, new auxiliary modules, new post modules, and even new payloads. If quadfecta is a word, we totally hit it this week! More Mac OSX 64-Bit Payloads The parade of OSX 64-bit payloads continues, with five new 64-bit payloads added this week: * modules/payloads/singles/osx/x64/say.rb * modules/payloads/singles/osx/x64/shell_find_tag.rb * modules/payloads/stagers/osx/x64/bind_tcp.rb * modules/payloads/stagers/osx/x64/reverse_tcp.rb * modul

3 min Metasploit

Weekly Metasploit Update: Mac OSX 64-Bit Payloads and More!

In addition to the frankly killer 0-day in RateMyPet, we have a couple other things going on in Metasploit land. Mac OSX 64-Bit Payloads Probably the most significant add this week is Metasploit community contributor Nemo's two new 64-bit payloads for Mac OSX targets. While OSX isn't the most popular target on the block, we do have a steadily growing collection of exploits targeting Apple platforms, so bringing 64-Bit platforms into the fold of assessable targets is kind of a big deal. Thanks N

2 min Metasploit

Weekly Metasploit Update: MSIE and Poison Ivy Returns

Yo Dawg, I Heard You Like 0-Day As you may have heard, on Monday we rolled out a special update to Metasploit to include the new Internet Explorer use-after-free exploit, aka, CVE-2012-4969 [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4969]. Last night, while scrolling through my RSS feed for security news, I saw this NetworkWorld story [http://www.networkworld.com/community/node/81423] about how someone is using this vulnerability to install Poison Ivy, a RAT / backdoor. Of course,

1 min Metasploit

Webcast: Decrease Your Risk of a Data Breach - Effective Security Programs with Metasploit

Thanks to the many CISOs and security engineers who attended our recent webcast, in which I presented some practical advice on how to leverage Metasploit to conduct regular security reviews that address current attack vectors. While Metasploit is often used for penetration testing projects, this presentation focuses on leveraging Metasploit for ongoing security assessments that can be achieved with a small security team to reduce the risk of a data breach. This webcast is now available for on-

2 min Metasploit

Man on the SecurityStreet - Day 2 Continued.

It's your favorite reporter in the field, Patrick Hellen, reporting back with some more updates from our speaking tracks at the UNITED Summit. Dave Kennedy, the founder of TrustedSec, gave an entertaining presentation called Going on the Offensive - Proactive Measures in Security your Company. Just like HD's earlier presentation, we had our staff artist plot out the entire speech, which you can see attached below. When I say entertaining, the previous talk track was a debate session that Dave

2 min Metasploit

Weekly Metasploit Update: HP, PHP, and More!

Stupid PHP Tricks This week's Metasploit update is a cautionary tale about running unaudited PHP applications as part of your infrastructure. Metasploit community contributor Brendan Coles [https://github.com/bcoles] has discovered and written Metasploit modules for two similar root-level vulnerabilities: one for OpenFiler [http://www.metasploit.com/modules/exploit/linux/http/openfiler_networkcard_exec] and one for WAN Emulator [http://www.metasploit.com/modules/exploit/linux/http/wanem_exec] (a

1 min Metasploit

Current User psexec

At DEF CON this year I talked about some of the post exploitation capabilities within Metasploit and demo'd a cool technique I developed with Jabra on a pentest a year or so ago (I later found out that Mubix had come up with basically the same idea - great minds think alike). It is essentially this: use a session's current token to create a remote service on a victim machine. It takes advantage of a feature in Windows that most people take completely for granted. Given that you are already logg

1 min Metasploit

UNITED Security Summit - Your Man on the Street

Hello all, I'm Patrick Hellen, the Community Manager for SecurityStreet. This week, I'm going to be coming to you live from the San Francisco show floor of the UNITED Security Summit, giving my impressions of what's happening at the event over the next week. I'll be speaking about everything, from the topics in the various talk tracks, to the sheer amount of fun at the party. I'll also be hijacking the Rapid7 Twitter feed for the next few days - to make sure you're up to date on my random path

3 min Networking

Weekly Metasploit Update: SAP, MSSQL, DNS, and More!

Zone Transfers for All This week, Metasploit community contributor bonsaiviking [https://github.com/bonsaiviking] fixed up the DNS library that Metasploit uses so we won't choke on some types of zone transfer responses. Turns out, this is a two-year-old bug [https://dev.metasploit.com/redmine/issues/507], but DNS servers that actually offer zone transfers are so rare anymore that this bug didn't manifest enough to get squashed. This brings me to a larger point -- with older vulnerabilitie

5 min Metasploit

New Metasploit Exploit: SAP NetWeaver CVE-2012-2611

In this blog post we would like to share some details about the SAP NetWeaver exploit for CVE-2012-2611 [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2611], which we've recently added to Metasploit. This module exploits an unauthenticated buffer overflow, discovered by Martin Gallo, in the DiagTraceR3Info() function when tracing is enabled on SAP NetWeaver. It captured our attention due to the well-documented technical details and the tools publicly available in order to trigger the vul

2 min Java

Weekly Metasploit Update: Java 0-Day, Meterpreter Network Commands, and More!

Time to chalk up one more victory for the forces of goodness and light in our struggle against secret 0-day. Java 0-Day Exploit Shipped If you pay any attention at all to the usual security news, you will have certainly already heard about how Accuvant's Josh "jduck" Drake and the Metasploit dev community pounced on the Java 0-Day [http://krebsonsecurity.com/2012/08/attackers-pounce-on-zero-day-java-exploit/], aka CVE-2012-4681, aka the Java 7 Applet RCE [http://metasploit.com/modules/exploit/m

1 min Metasploit

Let's start the week with a new Java 0-day in Metasploit

On late Sunday night, the Metasploit Exploit team was looking for kicks, and heard the word on the street that someone was passing around a reliable Java 0-day exploit. Big thanks to Joshua J. Drake (jduck), we got our hands on that PoC [https://twitter.com/jduck1337/status/239875285913317376], and then once again, started our voodoo ritual. Within a couple of hours, we had a working exploit. Download Metasploit here [http://www.rapid7.com/downloads/metasploit.jsp], and apply the latest update

3 min Flash

Weekly Metasploit Update: New Flash Exploit, HTTP Client Trickery, and More!

After the last couple bumper crops of exploits, having merely six new modules this week is kind of a relief, at least from an editing standpoint. Of course, one of them is for a fresh Adobe Flash exploit, so let's jump into that. Flash Malware Module This week's update features an exploit for Adobe Flash, which Metasploit exploit developers Wei "sinn3r" Chen and Juan Vazquez wrote about last week [/2012/08/17/adobe-flash-player-exploit-cve-2012-1535-now-available-for-metasploit]. Since that bl

3 min Metasploit

Mobile Pwning: Using Metasploit on iOS

Have you ever wanted to run an exploit but found yourself away from your desk? Wouldn't it be awesome if you could launch a full version of the Metasploit Framework from your phone or tablet? As you might have guessed, now you can. With an adventurous spirit and a few commands, you can be running the Metasploit Framework on your iPad or iPhone in just a few short minutes. Warning: To install Metasploit, you'll need root access to your device – which is accomplished by following your favorite ja

3 min Metasploit

SOC Monkey - Week in Review - 8.20.12

Monkeynauts, Welcome back to your weekly round up of the best bits from my App [http://itunes.apple.com/us/app/soc-monkey/id500480953?mt=8] that you should be downloading from the Apple App Store [http://itunes.apple.com/us/app/soc-monkey/id500480953?mt=8]. This week, let's dive right into the most clicked story from last week with an update on how Mat Honan is dealing with life post hack: How I Got My Digital Life Back Again After An Epic Hacking. [http://www.wired.com/gadgetlab/2012/08/mat-h

3 min Metasploit

Weekly Metasploit Update: Trusted Path Switcheroo, Stack Cookie Bypass, and More!

Another week, another fifteen new modules for Metasploit. I continue to be amazed by the productivity of our open source exploit developer community. Thanks so much for your hard work and effort, folks! New Module for Trusted Path Switcheroo As I was going over this week's new modules, one that jumped out at me was Wei "sinn3r" Chen's implementation of a general Trusted Path insertion attack, Windows Service Trusted Path Privilege Escalation [http://www.metasploit.com/modules/exploit/windows/l

4 min Product Updates

Weekly Metasploit Update: Two Dozen New Modules

The Vegas and vacation season is behind us, so it's time to release our first post-4.4.0 update. Here we go! Exploit Tsunami A few factors conspired to make this update more module-heavy than usual. We released Metasploit 4.4 [/2012/07/17/risk-validation-and-verification-in-vulnerability-management-with-metasploit] in mid-July. Historically, a dot version release of Metasploit means that we spend a little post-release time closing out bugs, performing some internal housekeeping that we'd been

3 min Metasploit

SOC Monkey - Week In Review - 7.30.12

Fellow Monkeynauts! Welcome back to your work week after what I assume was a long Blackhat/Defcon adventure for many of you. Now that you can safely use your mobile devices again, feel free to download my App [http://itunes.apple.com/us/app/soc-monkey/id500480953?mt=8] from the Apple App Store [http://itunes.apple.com/us/app/soc-monkey/id500480953?mt=8]. Twitter tops the charts this week, with a few stories about a new malware making the rounds: Twitter malware warning: It's you on photo? or I

5 min Metasploit

New Metasploit 4.4: Risk Validation for Vulnerability Management with Nexpose, Improved AV Evasion, and Faster UI

Fresh out of the oven and in time for Black Hat Las Vegas, we present to you the new Metasploit 4.4 with these great new features: Focus Your Remediation Efforts: Metasploit Risk Validation for Nexpose Vulnerability Management You may have been in this situation: your vulnerability scanning report is so long you don't know where to start. You don't have time to address all vulnerabilities, and you don't know which ones are important. If this sounds familiar, you may get very excited about Met

3 min Metasploit

Weekly Metasploit Update: RATs, WPAD, and more!

Just a quick update this week for some new Metasploit modules. We're holding off on the usual Framework and Pro enhancements as we button up the next point release for Metasploit Pro, Express, and Community Editions. That said, we do have a few neat new modules that I wanted to highlight, so let's take a look. Hacking the Hackers This week's haul includes something a little unusual -- an exploit for Poison Ivy, a blackhat-favored Remote Administration Tool (RAT). Community contributor Gal Badishi

11 min Exploits

An example of EggHunting to exploit CVE-2012-0124

Recently, we added [https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/misc/hp_dataprotector_new_folder.rb] a module for CVE-2012-0124 [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0124] which exploits a stack buffer overflow flaw in the backup management component of HP Data Protector Express [http://h18006.www1.hp.com/products/storage/software/datapexp/index.html]. The overflow occurs during the creation of new folders, and allows an authenticated us

3 min Metasploit

Weekly Metasploit Update: Sniffing with Meterpreter, Egg Hunting, and More!

This week's update has seven new modules, a much-anticipated Meterpreter enhancement, and more, so let's jump into it. Egg Hunting and Stack Smashing This week's update features a spiffy new module for HP Data Protector [http://www.metasploit.com/modules/exploit/windows/misc/hp_dataprotector_new_folder] from Juan Vazquez and Wei 'sinn3r' Chen. It uses an egg hunting technique to reconstruct the exploit's payload -- and both Wei and Juan have detailed blog posts in the works that go into d

24 min Exploits

Metasploit exploit development - The series Part 1.

So you wanna be a Metasploit [http://www.exploit-db.com/author/?a=3211] exploit [http://www.exploit-db.com/author/?a=3211] developer huh? Well you are in luck because I have been working on an "in-depth" exploit development tutorial series that takes users behind the scenes on the process of exploit development and Metasploit module creation. This series has been specifically designed with you "the community" in mind. It will cover step-by-step detail and explanation. This post is meant to

3 min Metasploit

Weekly Metasploit Update: Meterpreter, GPP, and More!

We've been cooking along here in Stately Metasploit Manor, mostly heads-down prepping for BlackHat/Defcon season. (Yes, it's that time of year already). In the meantime, we've a grab bag of mostly post modules, a drive-by update to Meterpreter, and Juan's and sinn3r's most excellent new Flash module. Meterpreter for Visual Studio 2010 Meterpreter is the default payload that many of our Windows exploits drop on the target server, and allows for things like unified shell access, file access, etc.

3 min Exploits

Press F5 for root shell

As HD mentioned [/2012/06/11/scanning-for-vulnerable-f5-bigips-with-metasploit], F5 has been inadvertently shipping a static ssh key that can be used to authenticate as root on many of their BigIP devices. Shortly after the advisory, an anonymous contributor hooked us up with the private key. Getting down to business, here it is in action:     18:42:35 0 exploit(f5_bigip_known_privkey) > exploit     [ ] Successful login     [*] Found shell.     [*] Command shell session 3 opened ([redacted]

4 min Metasploit

Writing a Metasploit Exploit for the Adobe Flash Vulnerability CVE-2012-0779

Ever since the first sightings of a new zero-day attack (CVE-2012-0779 [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0779]) on Adobe Flash last month, the exact path of exploitation has been somewhat of a mystery. The attacks were specifically targeted against defense contractors and other victims as part of a spear phishing attack, and included a Word document with a Flash (SWF) object. The infected machines were observed contacting malicious servers in China, Korea, and the United

3 min Metasploit

Weekly Metasploit Update: Zero Days, Deprecated Commands, and More!

This week's release sees a quiet vulnerability fix, an exploit against an unpatched vulnerability in Microsoft's XML Core Services, and some helpful new/old commands, as well as the usual pile of exploity goodness you've come to expect from the Metasploit kitchen. Vulnerabilities? In My Metasploit? It's more likely than you think. Like all reasonably complex software packages, Metasploit occasionally ships with security vulnerabilities. Lucky for us, our user base tends to be pretty sophisticat

2 min Metasploit

Creating a PCI 11.3 Penetration Testing Report in Metasploit

PCI DSS Requirement 11.3 requires that you "perform penetration testing at least once a year, and after any significant infrastructure or application upgrade or modification". You can either conduct this PCI penetration test in-house [/2011/10/20/pci-diy-how-to-do-an-internal-pentest-to-satisfy-pci-dss-requirement-113] or hire a third-party security assessment. Metasploit Pro offers a PCI reporting template, which helps you in both of those cases. If you are conducting the penetration test in-h

3 min Metasploit

New Critical Microsoft IE Zero-Day Exploits in Metasploit

We've been noticing a lot of exploit activities against Microsoft vulnerabilities lately. We decided to look into some of these attacks, and released two modules for CVE-2012-1889 [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1889] and CVE-2012-1875 [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1875] within a week of the vulnerabilities' publication for our users to test their systems. Please note that both are very important to any organization using Windows, because one of

0 min Metasploit

Tutorial: How to discover hosts using Metasploit Community Edition

This video shows Metasploit Community Edition being used to run an nmap scan on a Virtual Box network in order to discover hosts.

0 min Metasploit

Tutorial: Basics of launching exploits from Metasploit Community Edition

This video covers the basics of launching exploits from Metasploit Community Edition. The exploits were discovered in a previous step both with Nexpose and Nessus. In the case of Nessus the results were exported as a .Nessus file then imported into Metasploit Community Edition. This video picks up right after the vulnerabilities are discovered and imported.

0 min Metasploit

Tutorial: Importing nmap XML into Metasploit Community Edition

nmap reporting is excellent with the XML option, but this is not used in a lot of cases. The XML output from nmap can be imported into other tools such as Metasploit Community Edition (Import button), the Metasploit DB, and other tools. Also, the XML format can be opened in a web browser to produce a well-formatted report suitable for attachment to a pen-test report.

1 min Metasploit

Tutorial: How to forward connection through meterpreter shell to reach internal web server

This video covers accessing a web site that is normally unreachable from our Backtrack 5 box. However, after gaining a session on a third box, we forward our web browser through the compromised host in order to browse the website. The port forwarding is done via a meterpreter session on the compromised host. After setting up the port forward, the browser is able to use the compromised host as a relay (almost like a web proxy) in order to browse to the "internal" web application.

0 min Metasploit

Tutorial: Using Metasploit Community Edition built-in exploit analysis

In previous versions of Metasploit it was possible to run "db_autopwn -t -x" in the msfconsole in order to have Metasploit guess the best exploits for a given vulnerability. This video looks at alternative functionality for the deprecated "db_autopwn -t -x" option in older versions of Metasploit's msfconsole. Metasploit Community Edition has similar exploit analysis functionality accessible via the web-based GUI.

0 min Metasploit

Tutorial: How to use export "hashdumped" creds to jtr

This video shows how to have the hashdump post-exploitation module automatically populate the creds table in the Metasploit database, then export the credentials to a file suitable to pass to the John the Ripper tool in order to audit the passwords. Hu

0 min Metasploit

Tutorial: How to import Nessus scan into Metasploit Community Edition

This video covers importing the completed Nessus scan into Metasploit Community Edition.

3 min Metasploit

Weekly Metasploit Update: Encrypted Java Meterpreter, MS98-004, and New Modules!

When it rains, it pours. We released Metasploitable Version 2 [/2012/06/13/introducing-metasploitable-2], published a technique for scanning vulnerable F5 gear [/2012/06/11/scanning-for-vulnerable-f5-bigips-with-metasploit], and put out a module to exploit MySQL's tragically comic authentication bypass problem [/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql], all in addition to cooking up this week's update. So, kind of a busy week around here. You're welcome. (: Encryp

1 min Metasploit

Introducing Metasploitable 2!

Some folks may already be aware of Metasploitable, an intentionally vulnerable virtual machine designed for training, exploit testing, and general target practice. Unlike other vulnerable virtual machines, Metasploitable focuses on vulnerabilities at the operating system and network services layer instead of custom, vulnerable applications. I am happy to announce the release of Metasploitable 2, an even better punching bag for security tools like Metasploit [http://metasploit.com/downloads/], an

4 min Metasploit

How to Create Custom Reports in Metasploit

Metasploit Pro has a powerful reporting engine with many standard reports but also great ways to build your own reports. Custom reports can help you in a couple of different ways: * Add your logo and corporate design to reports * Change the way reports display the information * Translate a reporting template to your local language * Create new reports for regional compliance needs A custom report is a report that you generate from a template. You can generate a custom report with a temp

2 min Metasploit

Scanning for Vulnerable F5 BigIPs with Metasploit

This morning Matta Consulting posted an advisory [https://www.trustmatta.com/advisories/MATTA-2012-002.txt] for the F5 BigIP equipment. The advisory states that certain BigIP devices contain an SSH private key on their filesystem that is trusted for remote root access on every other BigIP appliance. Although Matta did not provide the private key, they did provide the public key itself: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAvIhC5skTzxyHif/7iy3yhxuK6/OB13hjPqrskogkYFrcW8OK4VJ T+5+Fx7wd4sQCnVn8rNqahw/x

5 min Metasploit

CVE-2012-2122: A Tragically Comedic Security Flaw in MySQL

UPDATE: Want to know if your MySQL Server is vulnerable? Download the free vulnerability scanner ScanNow for MySQL Authentication Bypass (CVE-2012-2122) [http://www.rapid7.com/free-security-software-downloads/MySQL-vulnerability-scanner-CVE-2012-2122.jsp]! Introduction On Saturday afternoon Sergei Golubchik posted to the oss-sec [http://seclists.org/oss-sec/2012/q2/493] mailing list about a

5 min Metasploit

Weekly Metasploit Update: Citrix Opcodes, Hash Collisions, and More!

This week's update has a nice new asymmetric DoS condition module, a bunch of churn in Metasploit's Rails components, and some new Citrix attacks, so let's get right into it. Fuzzing for Citrix Opcodes This week's update includes three new exploits for Citrix Provisioning Services, the solution by Citrix "to stream a single desktop image to create multiple virtual desktops on one or more servers in a data center" (vendor quote [http://support.citrix.com/proddocs/topic/xendesktop-bdx/cds-msscvm-

2 min Metasploit

Webcast: Don't Pick the Lock, Steal the Key - Password Auditing With Metasploit

David Maloney's webcast for network administrators and security engineers is now available online. David discusses weaknesses in password-based authentication on clients and servers and how to audit these as part of a regular security program. What you'll learn in this webcast * Password storage systems and password obfuscation * Strengths and weaknesses of the various approaches * Real-life examples of badly implemented password authentication mechanisms * How to audit passwords on yo

4 min Metasploit

Can't Exploit Machines? A Metasploit Troubleshooting How To

It can be very frustrating to try exploiting machines and not succeed, especially if your vulnerability report is showing a lot of vulnerabilities on the hosts you are trying to exploit. This is usually due to one of the following reasons: 1. Not all reported vulnerabilities are exploitable. It may be because a firewall or IPS/IDS is successfully stopping the attack, or simply because your vulnerability scanner reported a false positive. 2. Your Metasploit machine or network connec

3 min Metasploit

Weekly Metasploit Update: Dev Docs and More!

This week in the U.S. is the unofficial start of summer, so that probably explains why it's been a bit of a slow week in the Metasploit community, hacking-wise. We have a few new modules [http://www.rapid7.com/downloads/metasploit.jsp] for this week's update, but in addition to those, I'd like to mention a few new resources we've put together for the Metasploit development community. Docs and Videos Over the last few weeks, we've been working up some more comprehensive documentation on how to g

3 min Metasploit

Using BackTrack 5 R2 with Metasploit Community or Metasploit Pro

As of version 5 R2, BackTrack comes pre-installed with Metasploit 4.1.4, so it's now easier to use Metasploit Community Edition or Metasploit Pro on BackTrack. Here is how it's done: * After BackTrack boots, enter startx to get into the UI. * Install BackTrack in a virtual machine using the Install BackTrack icon in the top left corner. This is recommended so that Metasploit remembers its product key; otherwise, you would have to register Metasploit each time. * Log in with user root,

4 min Exploits

My First Week at Metasploit

Hi all. I would like to take a minute to share some of my feelings about my first week here as a full-time Metasploit exploit developer, and share some exploit modules. First of all, I would like to thank everyone on the Metasploit team for being so nice to me from the first week, and for helping me with anything I need. They are definitely going easy on me during my first days! Their support allowed me to build two exploits for the team during my first week here: * batic_svg_java [htt

4 min Metasploit

Top 10 Most Searched Metasploit Exploit and Auxiliary Modules

At Rapid7, we often get asked what the top 10 Metasploit modules are. This is a hard question to answer: What does "top" mean anyway? Is it a personal opinion, or what is being used in the industry? Because many Metasploit users work in highly sensitive environments, and because we respect our users' privacy, the product doesn't report any usage reports back to us. We may have found a way to answer your questions: We looked at our metasploit.com web server stats, specifically the Metasploit Aux

2 min Metasploit

Weekly Metasploit Update: CCTV, SCADA, and More!

This week's update highlights Metasploit modules for embedded operating systems (as opposed to the usual client or server targets), so let's hop to it. Security Camera Hackers On Tuesday, guest blogger Justin Cacak of Gotham Digital Science talked about his module, cctv_dvr_login [http://metasploit.com/modules/auxiliary/scanner/misc/cctv_dvr_login]. The latest update [http://www.rapid7.com/downloads/metasploit.jsp] for Metasploit has it now, so if you happen to run into some of these devices

3 min Metasploit

Hacking CCTV Security Video Surveillance Systems with Metasploit

From our guest blogger and Metasploit community contributor Justin Cacak at Gotham Digital Science. A new module for the Metasploit Framework, cctv_dvr_login [http://metasploit.com/modules/auxiliary/scanner/misc/cctv_dvr_login], discovers and tests the security of standalone CCTV (Closed Circuit Television) video surveillance systems. Such systems are frequently deployed in retail stores, living communities, personal residences, and business environments as part of their physical security progr

2 min Metasploit

Weekly Metasploit Update: Armitage, Psnuffle, and More!

This week's update features a great big pile of Java source code, a makeover for a perennial favorite feature, and a handful of new exploits. Read on, or just skip all the yadda yadda and download Metasploit [http://www.rapid7.com/downloads/metasploit.jsp] here. Armitage Source This week's biggest change in terms of LOC (lines of code) is the inclusion of the Armitage source code, in external/source/armitage. For a while now, we've been distributing Raphael Mudge's Armitage front-end for the Me

3 min Metasploit

Weekly Metasploit Update: Back to Work!

Hey, it's the first post-Metasploit 4.3.0 update, which means that I'm back in the blogging business. Huzzah! We've all been heads-down for a while getting this bad boy [http://www.metasploit.com/download/] out the door, so while there's not a ton of new functionality to talk about this week, we do have some neat new modules, and one API change for module developers. Wake On LAN "The most secure computer is the one that's not turned on," is an old computer security adage, speaking to the compl

3 min Metasploit

Automated Security Assessments Can Stop Untargeted Attacks

Nothing can replace a manual security assessment, especially if you are defending against highly targeted attacks or advanced persistent threats (APTs). However, the majority of attacks are untargeted, trying to exploit or brute force servers on a large scale with minimal effort and minimal risk. So why are penetration testers still mostly testing by hand, especially if they are overworked and companies are having trouble hiring skilled people? According to the Verizon business report, 67% of d

2 min Metasploit

Metasploit 4.3 Released: Task Chains, Email Reports, Upgrades, and More Modules!

It's been a fun and challenging month for the Metasploit team, and we're happy to announce that Metasploit 4.3 is ready and available for you to download [http://www.rapid7.com/downloads/metasploit.jsp]. Metasploit 4.3 ships with 33 new exploits, 20 new auxiliary modules, 11 new post-exploitation modules, 4 new payloads, and some nifty new features on the Metasploit Pro side. That's a lot of new stuff, so let's just cover the highlights for this release. Task Chains A feature that makes it sup

0 min Metasploit

New Metasploit Track for Nerdcore Fans

2Pac, Jay-Z, and Eminem - watch out for this year's new music star: Marco. I recently heard this track and wanted to share it with you. Great tune, and free for you to download for the weekend! Download: What You Need - Metasploit! [http://www.muziboo.com/marcofigueroa/music/what-you-need-metasploit/] If you would like to hear more Nerdcore music, also check out DualCore's 2011 Metasploit track [/2011/02/24/dual-cores-metasploit-track-free-download]!

2 min Metasploit

Communicating and integrating with Metasploit from your Mono/.NET applications

I recently checked into GitHub a C# library [https://github.com/brandonprry/metasploit-sharp/] that allows easy communication and integration from your Mono/.NET applications. The library follows the same Session/Manager pattern as the Nexpose library [https://github.com/brandonprry/nexpose-sharp] I mentioned [/2012/01/13/communicating-and-integrating-with-nexpose-from-your-netmono-applications] previously in the Nexpose blog. It has support for both the core Metasploit RPC and for the Me

1 min Metasploit

Metasploit Sighting: Reboot Movie Trailer

Looks like there is another hacker movie coming out soon called "Reboot", as seen in the trailer and screen shots below. It's always cool to see Metasploit appear in movie and TV productions. If anyone out there has seen a screening of the film let us know. See Trailer -> Reboot Trailer - YouTube [http://www.youtube.com/watch?v=4qro5M6u99A&feature=player_embedded] Here's a couple of screen captures from the trailer with Metasploit cameos:

2 min Metasploit

Rapid7 At the Movies - Recruitment Videos

As you may have already seen, Rapid7 is making a series of videos to highlight some of the attributes we value in our team and prospective candidates that may join the team. We're doing this by paying tribute to some of our favorite movie scenes that we think represent these key attributes in some way. We started with the head of engineering for Nexpose, Eric Reiners, mounting up on his trusty steed to demonstrate his leadership [http://www.youtube.com/watch?v=eGMH4dheSkE&feature=relmfu] skills

4 min Metasploit

Weekly Metasploit Update: SCADA, Lab Gem, and Squid Pivoting

This week's update [http://www.metasploit.com/download/] is packed full of awesome, and I don't use that term lightly. SCADA Attacks, DigitalBond, and Metasploit This week sees the addition of six new SCADA modules, targeting a variety of PLC devices, including two new modules aimed at the Schneider Quantum programmable logic controller (PLC). In order to give penetration testers the ability to accurately assess SCADA infrastructure, Tod Beardsley (from Rapid7) and K. Reid Wightman (from Digit

2 min Metasploit

Myth Busted: Apple is Hacker Proof

Update 4/4/2012: Apple released a patch for Java last night. The first thing I'd like to say is that I am an Apple fanboy and can usually be found defending them vigorously like any loyal fanboy would. I hear time and time again from other Apple users that Apple products are "hacker proof", which is a total myth. My buddy Jayson Street says Apple products are perceived as shiny magical things, which I guess adds to the myth. Mac users are so used to hearing about exploits that only affect Win

1 min Metasploit

Progress on the Internet

The Internet has made a lot of progress in the last few years. Censorship has been virtually eliminated. Youtube comments are universally insightful. The people owning networks and dropping docs are now only occasionally on the FBI payroll. Published breaches are at an all-time low. Everyone is running IPv6. In light of all this progress, it is with a heavy heart that we must announce the demise of IPv4 support in all Metasploit products. This decision has been in the offing for several years,

1 min Metasploit

Is [Your] Java Exploitable?

There were two big news stories in the Java exploitation landscape this week: 1. Blackhole Exploit Kit added an exploit for CVE-2012-0507 [http://krebsonsecurity.com/2012/03/new-java-attack-rolled-into-exploit-packs/] 2. Metasploit added an exploit for CVE-2012-0507 [/2012/03/29/cve-2012-0507-java-strikes-again] In order to help users and organizations do a quick field test to see if they are vulnerable to these attacks, I crafted a Java version check now available at IsJavaExploitabl

4 min Metasploit

SOC Monkey's Week in Review - 3.30.12

Welcome back to SOC Monkey's greatest hits! Here's a quick shot of what we've been seeing trend on my app, (SOC Monkey, available now, free in the Apple App Store), in the last several days: This week my monkeyfeed owes a great deal of credit to Brian Krebs of Krebs on Security [http://krebsonsecurity.com/], as the two main items listed here were both originally found on his blog. First up from Mr Krebs, and burning up the charts this morning, is the news that Visa and MasterCard have had a s

3 min Metasploit

Weekly Metasploit Update: DNS payloads, Exploit-DB, and More

This week we've got a nifty new shellcode delivery scheme, we've normalized on Exploit-DB serial numbers, and a pile of new modules, so if you don't have Metasploit yet, you can snag it here [http://www.metasploit.com/download/]. DNS Payloads in TXT Records To quote RFC 1464 [http://tools.ietf.org/html/rfc1464] describing DNS TXT records, "it would be useful to take advantage of the widespread use and scalability of the DNS to store information that has not been previously defined." I don't kno

1 min Metasploit

Identifying IPv6 Security Risks in IPv4 Networks: Tools

This post details some of the tools used in my recent IPv6 security testing webcast [http://information.rapid7.com/WebcastOnDemand_IPv6.html] If you have any specific questions, please open a Discussion [https://community.rapid7.com/community/metasploit/content?filterID=content~objecttype~objecttype%5Bthread%5D] thread. A minimal IPv6 toolbox: * A Linux-based operating system [http://www.ubuntu.com/] with IPv6 support (BSD variants are great too) * The IPv6 Attack Toolkit [http://www.thc

3 min Metasploit

Weekly Metasploit Update: Spiceworks, AFP, RDP, and a New HTTP Downloader

After a couple of relatively light weeks (blame SXSW, I guess), this week's update has quite a few neat new additions. As always, if you don't already have Metasploit, what are you waiting for [http://www.metasploit.com/download/]? For the rest of us, here's what's new. Importapalooza This week's update has support for importing asset lists exported from Spiceworks, courtesy of Rapid7's Brandon Perry. Spiceworks is a free asset management application used by tons of IT pros and IT amateurs alik

3 min Metasploit

Weekly Metasploit Update: Session Smarts and GitHub

It's another Metasploit update, and it's headed straight for us! Session Smarts This week, Metasploit session management got a whole lot smarter. Here's the scenario: As a penetration tester, you rook a bunch of people into clicking on your browser-embedded Flash exploit [/2012/03/08/cve-2012-0754], sit back, and watch the sessions rolling in. However, they're all behind a single NAT point, so all your sessions appear to be terminating at a single IP address, and you quickly lose track of who's

3 min Metasploit

New Metasploit Swag Store Is Online

You may remember the awesome Metasploit T-shirt contest we ran in April of last year [/2011/04/13/who-will-you-be-wearing-vote-for-the-new-metasploit-t-shirt]. We received a ton of submissions at the time and selected a winning T-shirt, designed by Danny Chrastil. It was a long and arduous journey for us to get the T-shirts printed and to get the back-end systems up and running for the Metasploit Swag Store [http://www.metasploit.com/wear-swag/]...but it's finally here. Yes, you'll notice that

3 min Metasploit

Weekly Metasploit Update: Wmap, Console Search, and More!

In addition to the nuclear-powered exploit [/2012/03/08/cve-2012-0754], we've got a new slew of updates, fixes and modules this week for Metasploit, so let's jump right into the highlights for this update. Updated WMAP Plugin Longtime community contributor Efrain Torres provided a much-anticipated update to the Wmap plugin [https://raw.github.com/rapid7/metasploit-framework/master/documentation/wmap.txt]. Wmap automates a bunch of web-based Metasploit modules via the Metasploit console, fro

2 min Metasploit

Adobe Flash and the Iranian Nuclear Program

Over the last couple of days, Metasploit's own Wei "sinn3r" Chen and community contributor Juan Vazquez put together an exploit for CVE-2012-0754 [http://www.cvedetails.com/cve/CVE-2012-0754/], which targets a vulnerability in Adobe's Flash player: adobe_flash_mp4_cprt [http://metasploit.com/modules/exploit/windows/browser/adobe_flash_mp4_cprt]. This is the same vulnerability exploited by the recent "Iran's Oil and Nuclear Situation.doc" e-mail attack campaign spotted by Contagio [http://contagiodump.

2 min Metasploit

Why Security Assessments Must Cover IPv6, Even In IPv4 Networks

What's your company doing to prepare for IPv6? Probably not an awful lot. While 10% of the world's top websites now offer IPv6 services, most companies haven't formulated an IPv6 strategy for the network. However, the issue is that most devices you have rolled out in the past 5 years have been IPv6-ready, if not IPv6-enabled. Windows 7 and Windows Server 2008 actually use IPv6 link-local addresses by default. Also think about all the other clients, servers, appliances, routers, and mobile device

3 min Metasploit

Testing the Security of Virtual Data Centers

If you are doing security assessments, you are probably running into virtual servers every day. According to analyst firm Gartner, 80% of companies now have a virtualization project or program. With the recent 4.2 release of Metasploit, your next penetration test should be much more fun. For example, Metasploit now flags ESX Servers as virtual hosts in the user interface: If you are managing virtual servers, you may have come across the VMware vSphere Web Services SDK. It's a powerful way to

2 min Metasploit

Weekly Metasploit Update: POSIX Meterpreter and New Exploits

This is a pretty modest update, since it's the first after our successful 4.2 release [http://www.rapid7.com/downloads/metasploit.jsp] last week. Now that 4.2 is out the door, we've been picking up on core framework development, and of course, have a few new modules shipping out. Meterpreter Updates James "egyp7" Lee and community contributor mm__ have been banging on the POSIX side of Meterpreter development this week, and have a couple of significant enhancements to Linux Meterpreter. The mos

1 min Metasploit

Free Microsoft Virtual Machines for Testing

I am often asked how security professionals and students can safely test security software. My usual response is, they should create a virtual lab with diverse operating systems for testing. The problem that many encounter is they don't have licenses available to install the operating systems. During my creating and testing the Metasploit Javascript Keylogger [/2012/02/21/metasploit-javascript-keylogger], I came across free virtual machines from Microsoft that are sure to be useful to securit

3 min Metasploit

Metasploit 4.2 Released: IPv6, VMware, and Tons of Modules!

Since our last release in October, we've added 54 new exploits, 66 new auxiliary modules, 43 new post-exploitation modules, and 18 new payloads -- that clocks in at just about 1.5 new modules per day since version 4.1. Clearly, this kind of volume is way too much to detail in a single update blog post. Of course, you could just dive in and download the latest version [http://www.rapid7.com/downloads/metasploit.jsp] to get started. In the meantime, here are the highlights for this latest release

3 min Metasploit

The Art of Keylogging with Metasploit & Javascript

Rarely does a week go by without a friend or family member getting their login credentials compromised, then reused for malicious purposes. My wife is always on the lookout on Facebook, warning relatives and friends to change their passwords. Many people don't understand how their credentials get compromised. Password reuse on several websites is usually the culprit. Password reuse is a problem even if the website encrypts the passwords in their databases. An attacker only needs to insert some

2 min Metasploit

Weekly Metasploit Update: All Your Auth Are Belong To Us

This week, with RSA 2012 fast approaching and the final touches on Metasploit version 4.2 getting nailed down, we've been in a code freeze for core Metasploit functionality. However, that doesn't apply to the parade of modules, so here's what's in store for the next -- and quite likely last -- update for Metasploit 4.1 [http://www.metasploit.com/download/]. Authentication Credential Gathering and Testing Jon Hart (of Nexpose [http://www.rapid7.com/vulnerability-scanner.jsp] fame) has been on fi

2 min Metasploit

Getting The Most Out of Metasploit: Pentesting, Password Auditing, and Vulnerability Validation

When we talk to Metasploit users, they usually use it for either penetration testing, password auditing or vulnerability validation, but few use it for more than one of these purposes. By leveraging your investment in Metasploit, you can triple-dip at the same price - no extra licenses needed. Penetration Testing With penetration testing, you can identify issues in your security infrastructure that could lead to a data breach. Weaknesses you can identify include exploitable vulnerabilities, we

1 min Metasploit

How to Scan Your Network for Open H.323 Video Conferencing Systems

We've had a lot of people ask us how they can scan their own network to find out if they are vulnerable to the video conferencing issue described in HD's blog post Board Room Spying for Fun and Profit [https://community.rapid7.com/community/solutions/metasploit/blog/2012/01/23/video-conferencing-and-self-selecting-targets] and the various news coverage of the video conferencing story. Here's a quick how-to: 1. Download a free trial of Metasploit Pro [http://www.rapid7.com/downloads/meta

2 min Metasploit

Weekly Metasploit Update: New Payloads, New Modules, and PCAnywhere, Anywhere

PCAnywhere, Anywhere The big news this week centered around Symantec's pcAnywhere. For starters, there's a new ZDI advisory [http://www.zerodayinitiative.com/advisories/ZDI-12-018/] for a buffer overflow in the username field. More notably, though, was the advice in a Symantec white paper [http://www.symantec.com/connect/sites/default/files/pcAnywhere%20Security%20Recommendations%20WP_01_23_Final.pdf] which advises customers to "disable or remove Access Server and use remote sessions via secure

3 min Nexpose

How to Exploit A Single Vulnerability with Metasploit Pro

Metasploit Pro's smart exploitation function is great if you want to get a session quickly and don't care about being "noisy" on the network, but there are certain situations where you may want to use just one exploit: * You're conducting a penetration test and want to exploit just one vulnerability so you don't draw too much attention (i.e. you want to use a sniper rifle, not a machine gun) * You're a vulnerability manager and want to validate just one vulnerability to know whether

2 min Metasploit

Remote-controlling Metasploit through APIs

Metasploit offers some great ways to automate its functionality through a programming interface. Metasploit users have built custom tools and processes based on this functionality, saving them time on repetitive tasks or enabling them to schedule automated tasks. Our most advanced customers have even integrated Metasploit Pro into their enterprise security infrastructure to automatically verify the exploitability of vulnerabilities to make their vulnerability management program more effi

2 min Metasploit

Weekly Metasploit Update: Subverting NATs, 64-bit LoadLibrary Support, and More!

NAT-PMP'ing is now easy This week, we have three new modules and an accompanying Rex protocol parser for the NAT Port-Mapping Protocol (NAT-PMP [https://en.wikipedia.org/wiki/NAT_Port_Mapping_Protocol]), the ad-hoc router management protocol favored by Apple. Over the weekend, Rapid7 Lead Security Engineer and confessed protocol nerd Jon Hart forgot the password to a little-used Airport base station, so rather than merely resetting the device, he instead busted out a trio of Metasploit modules t
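
As an added illustration of the protocol the new modules speak (this is example code written for this page, not the Rex NAT-PMP parser that ships with Metasploit), the block below builds and decodes NAT-PMP messages as laid out in RFC 6886 using only `String#pack`/`unpack`. The reply bytes it decodes are constructed by hand so it runs without a gateway; the module and method names are the example's own.

```ruby
# Added example (not the Rex NAT-PMP parser that ships with Metasploit):
# build and decode NAT-PMP messages per RFC 6886 with String#pack/unpack,
# so the wire format can be inspected offline.
module NatPmpExample
  VERSION             = 0
  OP_EXTERNAL_ADDRESS = 0
  OP_MAP_UDP          = 1
  OP_MAP_TCP          = 2
  RESULT_NAMES = {
    0 => 'Success',
    1 => 'Unsupported Version',
    2 => 'Not Authorized/Refused',
    3 => 'Network Failure',
    4 => 'Out of Resources',
    5 => 'Unsupported Opcode'
  }.freeze

  # "What is my external address?" is just two bytes: version 0, opcode 0.
  def self.external_address_request
    [VERSION, OP_EXTERNAL_ADDRESS].pack('CC')
  end

  # Port-mapping request (12 bytes, big-endian): version, opcode (1 = UDP,
  # 2 = TCP), 2 reserved bytes, internal port, requested external port,
  # requested lifetime in seconds. A lifetime of 0 deletes the mapping.
  def self.map_request(proto, internal_port, external_port, lifetime)
    op = proto == :tcp ? OP_MAP_TCP : OP_MAP_UDP
    [VERSION, op, 0, internal_port, external_port, lifetime].pack('CCnnnN')
  end

  # Decode a gateway reply. Replies echo the request opcode with the high
  # bit set (opcode + 128), then a 16-bit result code and the gateway's
  # 32-bit "seconds since start of epoch" counter.
  def self.parse_response(data)
    raise ArgumentError, 'response shorter than 8-byte header' if data.bytesize < 8
    version, op, result, epoch = data.unpack('CCnN')
    raise ArgumentError, "opcode #{op} is a request, not a response" if op < 128

    rsp = {
      version: version,
      opcode: op - 128,
      result: result,
      result_name: RESULT_NAMES.fetch(result, 'Unknown'),
      seconds_since_epoch: epoch
    }
    case rsp[:opcode]
    when OP_EXTERNAL_ADDRESS
      raise ArgumentError, 'truncated external address reply' if data.bytesize < 12
      rsp[:external_ip] = data.byteslice(8, 4).unpack('C4').join('.')
    when OP_MAP_UDP, OP_MAP_TCP
      raise ArgumentError, 'truncated mapping reply' if data.bytesize < 16
      rsp[:internal_port], rsp[:external_port], rsp[:lifetime] =
        data.byteslice(8, 8).unpack('nnN')
    end
    rsp
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed reply bytes (no gateway needed): external address 203.0.113.9.
  reply = [0, 128, 0, 12_345, 203, 0, 113, 9].pack('CCnNC4')
  p NatPmpExample.parse_response(reply)
end
```

Requests go to the default gateway on UDP port 5351. Note that nothing in either message authenticates the client: any host on the LAN can ask the router to open an inbound mapping, which is exactly what makes these modules useful on an engagement and what makes the protocol worth disabling on networks that do not need it.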

4 min Metasploit

Metasploit Updated: Forensics, SCADA, SSH Public Keys, and More

Been a busy week here at Metasploit, so let's get to it. Forensics-Centric Updates New this week is Brandon Perry's offline Windows registry enhancements. Featuring a pile of extensions to Rex (Metasploit's general purpose parsing library) and the tools/reg.rb utility, this update builds on TheLightCosine's ShadowCopy library and makes life a lot easier for the forensics investigator looking to parse through Windows registry hives. Brandon goes into the technical details over here [https://com

5 min Metasploit

Adventures in the Windows NT Registry: A step into the world of Forensics and Information Gathering

As of a few days ago [https://github.com/rapid7/metasploit-framework/pull/98], the Metasploit Framework has full read-only access to offline registry hives. Within Rex you will now find a Rex::Registry namespace that will allow you to load and parse offline NT registry hives (includes Windows 2000 and up), implemented in pure Ruby. This is a great addition to the framework because it allows you to be sneakier and more stealthy while gathering information on a remote computer. You no longer need

2 min Metasploit

Metasploit Framework Updated: Railgun, AIX, and more

Time for another Metasploit Update - this week we've got some new goodies for Meterpreter's Railgun, SSH, AIX, and a few new exploit modules. Enjoy! Railgun Updates Metasploit open source contributors Chao-Mu and kernelsmith have been busy over the last month or so, cranking out a pile of commits to Railgun in order to facilitate Windows API error message handling. For you non-post module developers, Railgun is a super-handy Meterpreter extension that "turns Ruby into a weapon," and you can get

1 min Nexpose

Three Ways to Integrate Metasploit With Nexpose

Metasploit has three ways to integrate with Nexpose vulnerability scanner. I've heard some confusion about what the different options are, so I'd like to summarize them here briefly: 1. Importing Nexpose reports: This is a simple, manual file import. Apart from Nexpose, Metasploit can import about 13 different third-party reports from vulnerability management solutions and web application scanners. This feature works in all Metasploit editions. 2. Initiate a Nexpose scan from Met

3 min Metasploit

How to Fly Under the Radar of AV and IPS with Metasploit's Stealth Features

When conducting a penetration testing assignment, one objective may be to get into the network without tripping any of the alarms, such as IDS/IPS or anti-virus. Enterprises typically add this to the requirements to test if their defenses are good enough to detect an advanced attacker. Here's how you can make sure you can sneak in and out without "getting caught". Scan speed First of all, bear in mind that you'll want to slow down your initial network scan so you don't raise suspicion by crea

1 min Metasploit

Bait the hook: How to write good phishing emails for social engineering

What are the baits that make people click on a link or attachment in a social engineering email? I've looked at some common examples and tried to categorize them. Maybe this list will trigger some ideas next time you're writing social engineering emails. Habits: Think of this as exploiting the brain's auto-pilot - standard email triggers standard response of opening attachment or clicking on link: * LinkedIn connection requests * GoToMeeting invitations * Daily reports from a CRM/ERP sys

2 min Metasploit

Metasploit Updated: Year in Review

Turns out, the week between Christmas and New Years was pretty slow, at least as far as Metasploit Framework development was concerned. This release has a few small spot fixes on Framework, and a handful of new modules. ShadowCopy The most significant addition to the framework was TheLightCosine's work on the appropriately scary-sounding ShadowCopy library. Based on the research published by Tim Tomes and Mark Baggett [http://pauldotcom.com/2011/11/safely-dumping-hashes-from-liv.html], the modu

1 min Metasploit

Creating a FISMA report in Metasploit Pro

If you're working in IT security in U.S. federal government, chances are that you have to comply with the Federal Information Security Management Act of 2002 (FISMA). With Metasploit Pro, you can generate FISMA compliance reports that map penetration testing findings to controls, as recommended by Special Publication 800-53a (Appendix G) published by the National Institute of Standards and Technology (NIST) and by Consensus Audit Guidelines issued by a number of constituents including NIST and f

1 min Metasploit

Pentest Web Servers You Didn't Know You Had

Most tools for web application security testing have the approach of going deep into an application to uncover issues inside a single web application. There's nothing wrong with this approach if you want to do a deep dive into one specific web application, especially if it is a major application exposed on the Web. The other approach is to see what web servers are running on a network and seeing if they can be exploited with quick and scalable testing. This is the approach Metasploit Pro takes.

3 min Metasploit

How to leverage the command line in Metasploit Pro

"I'm more comfortable with the Metasploit command line," is an objection I often hear from long-time Metasploit Framework users who are thinking about purchasing a copy of Metasploit Pro or Metasploit Express. What many penetration testers don't know is that you can use the command line in the commercial Metasploit editions, and leverage their advantages at the same time. Reporting: The commercial Metasploit editions include one-click reporting that includes any work you have completed on the

1 min Metasploit

Jumping to another network with VPN pivoting

VPN Pivoting is one of the best but also most elusive features in Metasploit Pro, so the best way to understand it is to see it in action. That's why I've decided to post a snippet of a recent webinar, where HD Moore shows this feature in action. VPN pivoting enables users to route any network traffic through an exploited host with two NICs to a different network. For example, you could run nmap, Metasploit network discovery, or Nexpose vulnerability scans through the VPN pivot. Using a TUN/TAP adaptor on the Metasploit

2 min Exploits

Metasploit Updated: Telnet Exploits, MSF Lab, and More

It's Wednesday, and while many of you are enjoying the week off between Christmas and New Years, we've been cranking out another Metasploit Update. Telnet Encrypt Option Scanner and Exploits I won't rehash this subject too much since HD already covered these modules in depth here [https://community.rapid7.com/community/solutions/metasploit/blog/2011/12/27/bsd-telnet-daemon-encrypt-key-id-overflow] and here [https://community.rapid7.com/community/solutions/metasploit/blog/2011/12/28/more-fun-wi

2 min Metasploit

More Fun with BSD-derived Telnet Daemons

In my last post [/2011/12/28/bsd-telnet-daemon-encrypt-key-id-overflow], I discussed the recent BSD telnetd vulnerability and demonstrated the scanner module added to the Metasploit Framework. Since then, two new exploit modules have been released; one for FreeBSD versions 5.3 - 8.2 [https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/freebsd/telnet/telnet_encrypt_keyid.rb] and another for Red Hat Enterprise Linux 3 [https://github.com/rapid7/metasploit-framework/blob/ma

3 min Metasploit

Fun with BSD-derived Telnet Daemons

On December 23rd, the FreeBSD security team published an advisory [http://security.freebsd.org/advisories/FreeBSD-SA-11:08.telnetd.asc] stating that a previously unknown vulnerability in the Telnet daemon was being exploited in the wild and that a patch had been issued. This vulnerability was interesting for three major reasons: 1. The code in question may be over 20 years old and affects most BSD-derived telnetd services 2. The overflow occurs in a structure with a function pointer store

2 min Penetration Testing

Remote Egress Scanning with Metasploit

Yesterday I asked a question on Twitter and got a lot of responses from the security community. I was finishing up a Metasploit module that I was coding last weekend. I posed the challenge to myself of scanning for egress ports while not actually inside a network. I accomplished this task by setting up multiple listeners and embedding HTTP tags in a webpage. This can easily be done with Metasploit Framework. I created a report page and a stealth page with no images. Metasploit keeps track of the co
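
The mechanics of that approach, as an added example rather than the author's module: the target user loads a page whose `<img>` tags point at the tester's host on each port of interest, and whichever listener ports receive a request are ports the client can reach outbound. The listener host, port set and log line format below are assumptions made for this example.

```ruby
# Added example (not the module from the original post): the probe page and
# the result bookkeeping for a browser-driven egress check. Listener host,
# ports and log lines are constructed here.
module EgressScanExample
  # Ports worth probing. Browsers refuse to connect to a built-in list of
  # "bad" ports (21, 22, 25, 53 and others), so those cannot be tested this
  # way and are left out.
  DEFAULT_PORTS = [80, 443, 1433, 3389, 5900, 8080, 8443].freeze

  # The "stealth" page: one invisible image per port. The listener on each
  # port only needs to log the request, not serve a real image.
  def self.probe_page(listener_host, ports = DEFAULT_PORTS, token: 'egress')
    tags = ports.map do |port|
      %(<img src="http://#{listener_host}:#{port}/#{token}.gif" width="1" height="1" alt="">)
    end
    "<html><body>\n#{tags.join("\n")}\n</body></html>"
  end

  # Constructed listener log format for this example: "<client_ip> <port> <path>".
  SAMPLE_LOG = [
    '198.51.100.7 80 /egress.gif',
    '198.51.100.7 443 /egress.gif',
    '198.51.100.7 8080 /egress.gif',
    '198.51.100.7 80 /favicon.ico',
    '203.0.113.4 443 /egress.gif'
  ].freeze

  # Group probe hits by client; only requests for the probe token count,
  # so stray browser requests (favicon, crawlers) do not pollute the result.
  def self.reachable_ports(log_lines, token: 'egress')
    hits = Hash.new { |h, k| h[k] = [] }
    log_lines.each do |line|
      ip, port, path = line.split
      next unless path == "/#{token}.gif"
      hits[ip] << port.to_i
    end
    hits.transform_values { |ports| ports.uniq.sort }
  end

  # Probed ports that produced no hit from this client are filtered outbound
  # (or the page never finished loading; give the probe time before judging).
  def self.blocked_ports(reachable, probed = DEFAULT_PORTS)
    probed - reachable
  end
end
```

The report page is then just `reachable_ports` rendered per client. Because the browser speaks HTTP to every probed port, a plain TCP listener that logs the connection and closes is enough; what matters is which source IP hit which port, not what it sent.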

1 min Penetration Testing

Using the <base> tag to clone a web page for social engineering attacks

Social engineering campaigns can be a lot more effective if you can impersonate a well-known website that users trust. However, when you simply clone a website by cutting-and-pasting the page source and putting it on your own server, your links will stop working. Copying all links and images from the other site can be cumbersome, but there's an alternative: the HTML <base> tag. It specifies a default address/target for all links on a page; it is inserted into the head element. Let's say you've
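
To make the effect concrete, here is an added example (not code from the original post) that shows how relative references resolve once a `<base>` element is in place, and a small helper that injects one into a copied page. The page markup and the base URL are constructed for the example; the module and method names are its own.

```ruby
require 'uri'

# Added example (not code from the original post): how a <base> element
# changes what relative references in a cloned page point at, plus a helper
# that injects one into a copied page. Markup and base URL are constructed.
module BaseTagExample
  # Constructed stand-in for a page copied from the site being impersonated.
  SAMPLE_PAGE = <<~HTML
    <html><head><title>Sign in</title>
    <link rel="stylesheet" href="/css/site.css"></head>
    <body><form action="/login" method="post"><img src="img/logo.png" alt="">
    <input name="user"><input name="pass" type="password"></form></body></html>
  HTML

  # Resolve a relative reference the way a browser does once <base href>
  # is in effect: against the base URL, not against the page's own location.
  def self.resolve(base_href, ref)
    URI.join(base_href, ref).to_s
  end

  # Put <base href="..."> directly after <head>; it must precede any
  # relative URL in the document for all of them to pick it up.
  def self.inject_base(html, base_href)
    return html if html =~ /<base\s/i
    html.sub(/<head[^>]*>/i) { |head| "#{head}<base href=\"#{base_href}\">" }
  end

  # Every href/src/action in the page, shown as it will resolve with the base
  # in place. Useful to spot references you still need to rewrite by hand.
  def self.resolved_references(html, base_href)
    html.scan(/(?:href|src|action)=["']([^"']+)["']/i).flatten.map { |ref| resolve(base_href, ref) }
  end
end
```

One caveat the helper makes visible: `<base>` applies to form actions too, so a cloned login form with `action="/login"` would post the captured credentials straight to the real site. Rewrite the action to an absolute URL on your own server, and check `resolved_references` for any other link you want to keep local.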

2 min Metasploit

Metasploit Updated: Trivial Access to TFTP

The Metasploit Update is out, and it's a little smaller than you might expect. We've recently rejiggered our development to QA to release workflow here at Rapid7, and that means that this week, we cut the release a couple days earlier than usual in order to ensure the work flow all makes sense and that the releases get the post-commit QA attention that they deserve. The end result is that we'll have a pretty light release this week (due to the shortened development cycle), but going forward, wee

1 min Skills

Metasploit Tutorial: An introduction to Metasploit Community

Marcus J. Carey put together some great Metasploit Tutorial videos about Metasploit Community that I want to share with you. Metasploit Community Edition simplifies network discovery and vulnerability verification for specific exploits, increasing the effectiveness of vulnerability scanners such as Nexpose – for free. You can view these videos to get started with Metasploit Community, or to get a first impression of the product. If you don't have them already, download the free Metasploit Comm

2 min Metasploit

Metasploit Moves from SVN to Git/GitHub

The Metasploit project recently switched from SVN to Git/GitHub for source code management. Since then, there have been a number of questions from the community about using Git -- both in general and in the context of the framework.  Let's try shining a little light. Why did we change? Git makes it easier to collaborate and to implement complex workflows among developers, which is ideal both for open-source projects and for Agile/Scrum/XP-oriented teams.  As a commercial open-source operation,

3 min Metasploit

Installing Metasploit Community Edition on BackTrack 5 R1

Update: I just published a new blog post for using Metasploit on BackTrack 5 R2 [/2012/05/30/install-metasploit-on-backtrack]. BackTrack 5 R1 comes pre-installed with Metasploit Framework 4.0. Unfortunately, Metasploit Community, which brings a great new Web UI and other functionality, was introduced in version 4.1, so it's not included by default. Updating Metasploit Framework using the msfupdate command will not install the Web UI. In addition, BT5 only makes the development trunk available,

2 min Metasploit

Metasploit Framework Updated: What's your Favorite Resource Script?

Sample Resource Scripts About a week ago, munky9001 posted on Reddit the headline, DB_Autopwn Deprecated! About time [http://redd.it/mzfp2]. Shortly after, HD wrote up a blog post, Six Ways to Automate Metasploit [/2011/12/08/six-ways-to-automate-metasploit], with the moral of the story being, "don't cry for db_autopwn, there are already much better methods to get your automated pwnage on." Of these, the easiest and most straightforward way to automate things is to write a resource script. Thi

2 min Release Notes

Metasploit Framework Updated: FastLib and More

Metasploit development moves fast. Blindingly fast, fueled by tons of open source contributors -- which is one of the reasons why we moved away from our tried and true SVN repository and on to GitHub. Now that we're on a more modern, more social development platform, we have all new ways to get overwhelmed with the pace of change on the Framework, especially since contributor code is that much easier to integrate now. So, in order to ensure that the more notable week-over-week changes get their

4 min Metasploit

Six Ways to Automate Metasploit

Onward Over the last few weeks the Metasploit team at Rapid7 has engaged in an overhaul of our development process. Our primary goals were to accelerate community collaboration and better define the scopes of our open source projects. The first step was to migrate all open source development to GitHub [/2011/11/10/git-while-the-gitting-is-good]. This has resulted in a flood of contributors [https://github.com/rapid7/metasploit-framework/contributors] and lots of great new features [/2011/12/05/

8 min Metasploit

Recon, Wireless, and Password Cracking

The Metasploit Framework continues to grow and expand with the support of the community. There have been many new features added to the Metasploit Framework over the past month. I am very excited to be able to share some of these new developments with you. Mubix's Recon Modules Mubix's post-exploitation modules from his Derbycon talk are now in the repository. The resolve_hostname module, originally called 'Dig', will take a given hostname and resolve the IP address for that host from the windo

1 min Metasploit

Adding custom wordlists in Metasploit for brute force password audits

In any penetration test that involves brute forcing passwords, you may want to increase your chances of a successful password audit by adding custom wordlists specific to the organization that hired you. Some examples: * If you are security testing a hospital, you may want to add a dictionary with medical terms. * If you're testing a German organization, users are likely to use German passwords, so you should add a German wordlist. * Another good idea is to build a custom wordlist b
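
As an added example of the last idea (not code from the original post), the block below builds an organization-specific wordlist from text collected about the target and expands each term with the mutations users commonly apply. It assumes the text comes from the target's public website; the sample text, the stopword list and the mutation set are constructed for the example.

```ruby
# Added example (not code from the original post): build an organization-
# specific wordlist from collected text (assumed here to be scraped from the
# target's public website), then expand each term with common user mutations.
module WordlistExample
  STOPWORDS = %w[about their there these those which while where would].freeze

  # Candidate base words: lower-cased alphanumeric tokens of a useful length.
  def self.extract_terms(text, min_len: 5)
    text.downcase.scan(/[a-z][a-z0-9]+/)
        .reject { |w| w.length < min_len || STOPWORDS.include?(w) }
        .uniq
  end

  # Case variants, trailing digits/years, and simple character substitutions.
  def self.mutate(word, years: [2011, 2012])
    cases = [word, word.capitalize, word.upcase].uniq
    suffixed = cases.flat_map do |c|
      years.map { |y| "#{c}#{y}" } + ["#{c}1", "#{c}123", "#{c}!"]
    end
    (cases + suffixed + [word.tr('aeio', '4310')]).uniq
  end

  # Merge the generated candidates after any standard lists you already use,
  # dropping duplicates so the brute-force run does not repeat guesses.
  def self.build(text, base_lists = [], min_len: 5, years: [2011, 2012])
    custom = extract_terms(text, min_len: min_len).flat_map { |w| mutate(w, years: years) }
    (base_lists.flatten + custom).uniq
  end

  # Constructed sample of scraped site text.
  SAMPLE_TEXT = 'Welcome to Mercy General Hospital. Our cardiology and oncology ' \
                'departments are located in the Eastwood building.'
end
```

If you know the target's password policy, use it to prune: a minimum length of 8 makes `mercy!` a wasted guess, while a complexity rule makes the year and punctuation suffixes the most valuable part of the list.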

1 min Metasploit

Metasploit and PTES

One of our Metasploit contributors, Brandon Perry [http://twitter.com/#%21/brandonprry], has put together a document detailing the recently released Penetration Testing Execution Standard [http://www.pentest-standard.org/index.php/Main_Page] (PTES) with the modules and functionality in the Framework. PTES is a push from a group of testers fed up with the lack of guidance and the disparate sources of basic penetration testing information. Brandon's document does a great job detailing disparate par

3 min Release Notes

Exploit for critical Java vulnerability added to Metasploit

@_sinn3r [http://twitter.com/_sinn3r] and Juan Vazquez [https://twitter.com/#!/_juan_vazquez_] recently released a module which exploits the Java vulnerability detailed here [http://schierlm.users.sourceforge.net/CVE-2011-3544.html] by mihi and by Brian Krebs here [http://krebsonsecurity.com/2011/11/new-java-attack-rolled-into-exploit-kits]. This is a big one. To quote Krebs: "A new exploit that takes advantage of a recently-patched critical security flaw in Java is making the rounds in the cri

2 min Metasploit

Three Great New Metasploit Books

I've seen three great Metasploit books published lately. The one that most people are probably already familiar with is Metasploit: The Penetration Tester's Guide by David Kennedy, Jim O'Gorman, Devon Kearns and Mati Aharoni. The book is very comprehensive, and packed full of great advice. David Kennedy is Chief Information Security Officer at Diebold Incorporated and creator of the Social-Engineer Toolkit (SET), Fast-Track, and other open source tools, so he really knows his stuff. By the way,

1 min Metasploit

Joshua Corman discovers HD Moore's Law

At Metricon6 and later on his blog Cognitive Dissidents [http://cognitivedissidents.wordpress.com/2011/11/01/intro-to-hdmoores-law/], Joshua Corman presented his latest discovery - HD Moore's Law: "Casual Attacker power grows at the rate of Metasploit" Which is basically a different way of saying that Metasploit is the minimum bar you need to test for if you want to keep your network secure. HD Moore created the Metasploit Project in 2003 to provide the security community with a public resou

3 min Metasploit

Git while the gitting is good

The Metasploit Framework has grown in leaps and bounds: what used to be a small team of free-time developers is now an actual product team working for a real company. The community that contributes to the open source framework has continued to expand; instead of a few active contributors, we now have over a dozen, not counting all of the drive-by coders that submit patches and modules through the Redmine [https://dev.metasploit.com/redmine/projects/framework] tracking system. As the code bas

0 min Metasploit

Metasploit Sighting: Exploiting iPhone

Many security researchers use the Metasploit Framework for security proof of concepts and demonstrations. The following video shows Charlie Miller, @0xcharlie [http://twitter.com/0xcharlie], using Metasploit's Meterpreter to handle a session from an exploited iPhone. In this video, Charlie navigates the iPhone's file system and downloads files to his local computer. Charlie found a flaw which allowed him to bypass Apple's code signing requirements, which allowed him to run arbitrary code on th

1 min Metasploit

New Sectools.org List is Out

Sectools.org, from our friends at the Nmap project, has updated its list of the best security tools [http://sectools.org/]. I'm proud to say Metasploit has come in second among an entire ecosystem of awesome tools. Many of our favorite tools that make use of Metasploit are represented as well, including BeEF, Nexpose, and Social Engineer Toolkit. John the Ripper and w3af, two open source projects that Rapid7 supports through sponsorship, also made the list. This is a great resource for people

2 min Metasploit

Simulating APT Activity with vSploit Modules

I created a couple of new vSploit modules to allow organizations to test their ability to detect APT-type activity. There are already a few vSploit modules in the Metasploit trunk and you should see several more modules added next year. I will keep coding vSploit modules in my spare time to fill critical needs when I see them. I have created a new DNS beaconing module and a filestream module and posted them to my GitHub account (links below). DNS_Red There have been two really good sources

0 min Metasploit

Metasploit Framework Featured on CNN: Phishing Made Simple

While browsing security related articles at CNN, I noticed this video of Eric Fiterman demonstrating a phishing attack and some post exploitation techniques with Metasploit Framework. Video courtesy of:

2 min Metasploit

PCI DIY: How to do an internal penetration test to satisfy PCI DSS requirement 11.3

If you're accepting or processing credit cards and are therefore subject to PCI DSS, you'll likely be familiar with requirement 11.3, which demands that you "perform penetration testing at least once a year, and after any significant infrastructure or application upgrade or modification". What most companies don't know is that you don't have to hire an external penetration testing consultant - you can carry out the penetration test internally, provided you follow some simple rules: * Sufficie

3 min Nexpose

Introducing Metasploit Community Edition!

The two-year anniversary of the Metasploit acquisition is coming up this week. Over the last two years we added a ridiculous amount of new code to the open source project, shipped dozens of new releases, and launched two commercial products. We could not have done this without the full support of the security community. In return, we wanted to share some of our commercial work with the security community at large. As of version 4.1 [http://www.metasploit.com/], we now include the Metasploit

15 min Metasploit

MonaSploit

Introduction “Standalone exploits suck”. egyp7 [https://twitter.com/egyp7] and bannedit [https://twitter.com/msfbannedit] made this statement earlier this year at Bsides Vegas, and nullthreat [https://twitter.com/nullthreat] & yours truly [https://twitter.com/corelanc0d3r] elaborated on this even more during our talk at Derbycon 2011. I'm not going to repeat the reasoning behind it in this post, you can check out the video of our talk here [http://www.irongeek.com/i.php?page=videos/derbycon1/p

3 min Metasploit

Client-Side Exploit Testing With Adobe_CoolType_SING

Over the weekend, there was a brief conversation between @Mr_Protocol [http://twitter.com/#!/Mr_Protocol/status/123031448478433280] and @Mubix [http://twitter.com/#!/mubix/status/123039978879057921] on Twitter about downloading the Metasploitable VM (which you can torrent here [http://updates.metasploit.com/data/Metasploitable.zip.torrent] by the way). While Metasploitable is a fine Linux target, it's not Windows -- due to licensing restrictions, we can't redistribute those particular bytes. The

1 min Metasploit

Metasploit, Scanners, and DNS

One of the awesome things about the Metasploit Framework (and Ruby in general) is that there is a strong focus on avoiding code duplication. This underlying philosophy is why we can manage a million-plus line code base with a relatively small team. In this post, I want to share a recent change which affects how hostnames with multiple A records are processed by modules using the Scanner mixin. Quite a few of the web's "major" properties, such as google.com, return multiple IP addresses when

1 min Metasploit

Rapid7 Supports Open Source Projects with "Magnificent7" $100,000 Fund

We're very excited to announce that Rapid7 is dedicating $100,000 to support open source projects [http://www.rapid7.com/news-events/press-releases/2011/2011-magnificent7.jsp] in the security space in 2012 in a program we're calling the Magnificent7. Essentially we're looking for open source projects that bring value to the infosec ecosystem by taking an innovative approach to addressing security challenges, and will be supporting up to seven such projects with funding in 2012. Chosen project

1 min Metasploit

How to update to Metasploit 4.0

If you're packing to go to Black Hat, Defcon or Security B-Sides in Las Vegas, make sure you also download Metasploit 4.0 to entertain you on the plane ride. If you missed the recent announcement, check out this blog post [/2011/07/26/metasploit-pro-40-brings-greater-enterprise-integration-cloud-deployment-options-and-penetration-testing-automation] for a list of new features. The new version is now available for all editions, and here's how you upgrade: * Metasploit Pro and Metasploit Expre

3 min Release Notes

Metasploit Framework 4.0 Released!

It's been a long road to 4.0. The first 3.0 release was almost 5 years ago and the first release under the Rapid7 banner was almost 2 years ago. Since then, Metasploit has really spread its wings. When 3.0 was released, it was under a EULA-like license with specific restrictions against using it in commercial products. Over time, the reasons for that decision became less important and the need for more flexibility came to the fore; in 2008, we released Metasploit 3.2 under a 3-clause BSD licen

2 min Metasploit

Password Cracking in Metasploit with John the Ripper

HDM recently added password cracking functionality to Metasploit through the inclusion of John-the-Ripper in the Framework [http://dev.metasploit.com/redmine/projects/framework/repository/revisions/13135]. The 'auxiliary/analyze/jtr_crack_fast [http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/auxiliary/analyze/jtr_crack_fast.rb]' module was created to facilitate JtR's usage in Framework and directly into Express/Pro's automated collection routine. The module works

4 min Metasploit

Metasploit 4.0 is coming soon!

It'll only be days until you can download the new Metasploit version 4.0! The new version marks the inclusion of 36 new exploits, 27 new post-exploitation modules and 12 auxiliary modules, all added since the release of version 3.7.1 in May 2011. These additions include nine new SCADA exploits, improved 64-bit Linux payloads, exploits for Firefox and Internet Explorer, full-HTTPS and HTTP Meterpreter stagers, and post-exploitation modules for dumping passwords from Outlook, WSFTP, CoreFTP, Sma

2 min Exploits

Metasploit Bounty: Code, Sweat, and Tears

After more than 30 days of hardcore and intense exploit hunting, the Metasploit Bounty program has finally come to an end. First off, we'd like to say that even though the Metasploit Framework has made exploit development much easier, the process is not always an easy task. We're absolutely amazed how hard our participants tried to make magic happen. Often, the challenge begins with finding the vulnerable software. If you're lucky, you can find what you need from 3rd-party websites that mirror

4 min Metasploit

Unified, Unanimous, Converged, and UNITED...

As you may have seen, Rapid7 launched an updated version of our award-winning vulnerability management solution today: NeXpose 2011 Summer Release [http://www.rapid7.com/news-events/press-releases/2011/2011-nexpose-summer-release.jsp]. We feel that this is a pretty big deal: the new version offers all sorts of new features, with deployment flexibility and enhanced integration, scalability and administrative capabilities topping the list. For us though, this is about more than just getting a ne

2 min Metasploit

Testing Snort IDS with Metasploit vSploit Modules

One of my key objectives for developing the new vSploit modules [/2011/06/02/vsploit-virtualizing-exploitation-attributes-with-metasploit-framework] was to test network devices such as Snort [http://www.snort.org]. Snort or Sourcefire [http://www.sourcefire.com] enterprise products are widely deployed in enterprises, so Snort can safely be considered the de-facto standard when it comes to intrusion detection systems (IDS). So much so that even third-party intrusion detection systems often import

1 min Metasploit

Metasploit Exploit Bounty - Status Update

A few weeks ago the Metasploit team announced a bounty program [/2011/06/14/metasploit-exploit-bounty-30-exploits-500000-in-5-weeks] for a list of 30 vulnerabilities that were still missing Metasploit exploit modules. The results so far have been extremely positive and I wanted to take a minute to share some of the statistics. As of last night, there have been 27 participants in the bounty program resulting in 10 submissions, with 5 of those already committed to the open source repository and t

5 min Metasploit

Meterpreter HTTP/HTTPS Communication

The Meterpreter payload within the Metasploit Framework (and used by Metasploit Pro) is an amazing toolkit for penetration testing and security assessments. Combine it with the Ruby API on the Framework side and you have the simplicity of a scripting language with the power of a remote native process. These are the things that make scripts and Post modules great and what we showcase in the advanced post-exploit automation available today. Metasploit as a platform has always had a concept of an est

11 min Metasploit

MS11-030: Exploitable or Not?

If you weren't already aware, Rapid7 is offering a bounty [/2011/06/14/metasploit-exploit-bounty-30-exploits-500000-in-5-weeks] for exploits that target a bunch of hand-selected, patched vulnerabilities. There are two lists to choose from, the Top 5 and the Top 25 [https://community.rapid7.com/docs/DOC-1467]. An exploit for an issue in the Top 5 list will receive a $500 bounty and one from the Top 25 list will fetch a $100 bounty. In addition to a monetary reward, a successful participant also

1 min Metasploit

Metasploit Framework Console Output Spooling

Sometimes little things can make a huge difference in usability -- the Metasploit Framework Console is a great interface for getting things done quickly, but so far, has been missing the capability to save command and module output to a file. We have a lot of small hacks that make this possible for certain commands, such as the "-o" parameter to db_hosts and friends, but this didn't solve the issue of module output or general console logs. As of revision r13028 [http://dev.metasploit.com/redm

1 min Release Notes

Metasploit Framework 3.7.2 Released!

It's that time again! The Metasploit team is proud to announce the immediate release of the latest version [http://metasploit.com/download/] of the Metasploit Framework, 3.7.2. Today's release includes eleven new exploit modules and fifteen post modules for your pwning pleasure. Adding to Metasploit's well-known hashdump capabilities, now you can easily steal password hashes from Linux, OSX, and Solaris. As an added bonus, if any of the passwords were hashed with crypt_blowfish (which is the d

1 min Metasploit

Bounty: 30 Exploits, $5,000.00, in 5 weeks

The Metasploit team is excited to announce a new incentive for community exploit contributions: Cash! Running until July 20th, our Exploit Bounty program will pay out $5,000 in cash awards (in the form of American Express gift cards) to any community member that submits an accepted exploit module for an item from our Top 5 or Top 25 exploit lists [https://community.rapid7.com/docs/DOC-1467]. This is our way of saying thanks to the open source exploit development community and encouraging folks w

2 min Metasploit

Emulating ZeuS DNS Traffic with Metasploit Framework

[UPDATE 6/28/2011] vSploit Modules will be released at DEFCON This is a follow-up post for vSploit - Virtualizing Intrusion & Exploitation Attributes with Metasploit Framework [https://community.rapid7.com/blogs/rapid7/2011/06/02/vsploit--virtualizing-exploitation-attributes-with-metasploit-framework] about using Metasploit as a way to test network infrastructure countermeasures and coverage. I mentioned obtaining a list of suspicious domains to use for testing an organization's networking intell

2 min Metasploit

vSploit - Virtualizing Intrusion & Exploitation Attributes with Metasploit Framework

Many organizations are making significant investments in technologies in order to tell if they have been compromised; however, frequently they find out when it is too late. There are several network-based attributes that, when combined, indicate possible compromises have taken place. Many pentesters are successful at compromising hosts; however, commonly they are restricted in what they can and can't do. There needs to be a way that they can successfully mimic threats and scenarios, even when re

1 min Metasploit

Consulting for Profit: Building a Business on Security Assessments

Are you looking to expand your security consulting practice? Many companies around the world have built a successful business by packaging vulnerability management and penetration testing into the following services: * Security assessments * Deployment services * Security awareness * PCI Compliance * 11.2 Vulnerability Management * 11.3 Penetration Testing * Compliance and governance * Managed security services * Trainings We've heard from a lot of the security consul

4 min Metasploit

Introducing msfvenom

The Metasploit Framework has included the useful tools msfpayload and msfencode for quite some time. These tools are extremely useful for generating payloads in various formats and encoding these payloads using various encoder modules. Now I would like to introduce a new tool which I have been working on for the past week, msfvenom. This tool combines all the functionality of msfpayload and msfencode in a single tool. Merging these two tools into a single tool just made sense. It standardizes

3 min Metasploit

Looking back: NCCDC 2011 Recap

The past month has gone so quickly as I've been helping Rapid7 open its new UK office, but I wanted to take some time to recap the National Collegiate Cyber Defense Competition [http://www.nationalccdc.org/] (NCCDC) which took place in April, as it was a really awesome experience for all involved (even for the blue teams!). When I think back on NCCDC, the term “stacked deck” comes to mind. Let me set the stage: 9 college teams with ages ranging from 18 to 22 vs 15 of the best consultants the info

1 min Metasploit

Using Kernel.load to speed up exploit dev

When modifying Metasploit library code, you generally need to restart msfconsole to see the changes take effect. Although we've made some improvements in startup time, it's still not great, and waiting for the whole framework to load for a one-line change can be frustrating. Fortunately, Ruby has a simple way to reload a file: Kernel.load [http://www.ruby-doc.org/core/classes/Kernel.html#M001417]. Here's a simple example of how to use it: ## # $Id$ ## load "./lib/rex/proto/my_new_pr

2 min Metasploit

Metasploit-ation for the Nation

In a couple of weeks, our very own @Mubix (AKA Rob Fuller to those who don't live their life with an @ sign permanently attached to their name!) will be offering Metasploit-ation for the Nation. Unlike that phrase – which I just made up – Mubix will actually be talking sense as he walks penetration testers through the delightful world of Metasploit Pro in a 4-hour in-depth training session. Mubix took some time to answer a few questions below to give you a flavor of the training. If you have

1 min Metasploit

Metasploit Framework 3.7.1 Released!

Originally posted by HD Moore: We are happy to announce the immediate availability of version 3.7.1 of the Metasploit Framework, Metasploit Express, and Metasploit Pro. This is a relatively small release focused on bug fixes and performance improvements. Notable highlights include an improved IPv6 reverse_tcp stager from Stephen Fewer, a performance improvement for HTTP services (client-side modules), a bug fix to channel support in the PHP Meterpreter, an update to MSFGUI, and various small

2 min Metasploit

Metasploit Pro 3.7: Better, Faster, Stronger

Over the last two months the Rapid7 team has been hard at work rewiring the database and session management components of the Metasploit Framework, Metasploit Express, and Metasploit Pro products. These changes make the Metasploit platform faster, more reliable, and able to scale to hundreds of concurrent sessions and thousands of target hosts. We are excited to announce the immediate availability of version 3.7 of Metasploit Pro and Metasploit Express! Existing customers can apply the latest s

1 min Metasploit

Metasploit Framework 3.7.0 Released!

Originally Posted by egypt The Metasploit team has spent the last two months focused on one of the least-visible, but most important pieces of the Metasploit Framework; the session backend. Metasploit 3.7 represents a complete overhaul of how sessions are tracked within the framework and associated with the backend database. This release also significantly improves the staging process for the reverse_tcp stager and Meterpreter session initialization. Shell sessions now hold their output in a ri

1 min Metasploit

Metasploit T-shirt design contest: And the winner is...

You have voted in large numbers – and the results are out: design #36 [/servlet/JiveServlet/downloadImage/38-5353-1228/36.png] is the winner of the Metasploit T-shirt design contest. Danny Chrastil submitted the winning design, featuring the Metasploit logo consisting of code from the payload osx/ppc/shell_reverse_tcp. The back shows the Metasploit splash screen cow, our legendary creature of mystery and superstition. A few words about the winner: Danny Chrastil aka @DisK0nn3cT is a web appl

4 min Metasploit

Who will you be wearing? Vote for the new Metasploit T-shirt!

Wow – 87 entries for our T-Shirt competition in one week. We were very impressed with both the quantity and quality of the entries we received for designing the new Metasploit T-shirt, which will be featured in the new Metasploit store. Now, it's your turn (again): We need you to vote for your favorite shirt. Starting with 87 entries, we conducted a quick office poll to produce a shortlist of 15 for you to pick from. (Go here [http://99designs.com/t-shirt-design/contests/t-shirt-design-wanted-metasplo

1 min Metasploit

Be a superhero: Design the new Metasploit swag

Originally Posted by Chris Kirsch Don't know what to wear for the next BlackHat conference? Afraid of going naked to B-Sides? We are too, so we decided to do something about it. We're getting ready to launch our own Metasploit designer clothes – and you're the designer! To start off our Metasploit swag store, we'd like you to design a T-shirt. You must submit your own, original design. To enter, add your design to our 99designs competition [https://99designs.com/t-shirt-design/contests/t-s

1 min Metasploit

Happy April Fools Day!

Originally Posted by hdm As some folks may have noticed, the startup process for the Metasploit Console (msfconsole) has changed this morning. Windows users are now greeted with a slightly different message than they are used to: By the same token, Unix users will notice that the console has become a little more aggressive in terms of choosing targets on startup: The April Fools code can be disabled by setting the 'NOFOOL' shell environment variable to any value. Unix users who want to se

2 min Metasploit

Learn, download & contribute: the new Metasploit website

Today, we relaunched the Metasploit.com site. We hope you'll find it as awesome as we do. The new site not only has updated looks, we've also rewritten much of its content and put it on a shiny new server to make it faster. We mainly focused on three aspects: learn, download & contribute: Learn – Many Metasploit newbies told us they found it hard to get started with the Metasploit Framework, so we took a fresh look at our website to design it so that new Metasploit Framework users would fin

1 min Metasploit

Empowering Security Professionals

Over the last few years I've been focused on empowering security professionals through my work with DojoSec and DojoCon. I've had the pleasure of serving tons of people with the success of many of my community efforts. To be honest, I'm surprised how many people have been informed and inspired by the projects I've been associated with. I have been able to establish relationships with both commercial and open source communities. I believe that my mission in life is to help as many people as poss

2 min Metasploit

Metasploit version 3.6 delivers enhanced command-line options and PCI reports

Originally Posted by Chris Kirsch All Metasploit editions are seeing an update to version 3.6 today, including an enhanced command-line feature set for increased proficiency and detailed PCI reports with pass/fail information for a comprehensive view of compliance posture with PCI regulations. Here's an overview of what's new: The new Metasploit Pro Console offers powerful new features that help professional penetration testers complete their job more efficiently in their preferred environmen

1 min Metasploit

Dual Core's Metasploit Track: Free Download!

We got a ton of requests to let you know when the new Dual Core [http://dualcoremusic.com/nerdcore/] Metasploit track "msf mastering success & failure" would be available for download. Dual Core had given the track a debut at the Rapid7 Skye High party at Ruby Skye in San Francisco as part of the RSA Conference (view the live performance [https://community.rapid7.com/blogs/rapid7/2011/02/18/dual-core-puts-the-rap-back-into-rapid7]). I'm excited to let you know that we've now received the

2 min Metasploit

Dual Core puts the Rap back into Rapid7

As we're all recovering from the epic RSA Rapid7 party at Ruby Skye last night, I wanted to thank Dual Core [http://dualcoremusic.com/nerdcore/] for the debut performance of "mastering success and failure - msf" featuring the Metasploit Framework [http://www.metasploit.com/]. Awesome track - the room went nuts! lostinsecurity [http://twitter.com/lostinsecurity] asked us to publish the lyrics, so here they are: _you should meet this friend of mine, allow me if i may this guy is going places, be

2 min Metasploit

Last year's journey and the road ahead

During the holiday season of the past weeks, I reflected a lot on the past with my loved ones. At the same time, I couldn't help thinking about the Rapid7 journey so far and the exciting path before us. I thought I'd share some of this with you. 2010 was an explosive year for Rapid7. By adding a full-time development team to the Metasploit Project [http://www.metasploit.com/], we grew the open source community more than five-fold, now reaching over a million unique downloads per year. We bro

1 min Antivirus

Become invisible to anti-virus protection

Wouldn't it be fantastic to be invisible for a day? Walk straight into a bank vault in the morning, be a fly on the wall in the Oval Office for lunch, and spend an evening in your favorite movie star's house. Well, now you can - with Metasploit! We tested our Metasploit invisibility cloak on a field day recently. Our venue of choice: an anti-virus test lab. The goal was to test how well Metasploit's anti-virus protection would hold up against the most recent versions of the world's top ten a

6 min Metasploit

How to set up a pentesting lab

One of my biggest challenges in learning how to pentest was finding systems to test against. I heard that using your neighbor's network is "frowned upon", and hanging out in a Starbucks and pwning your fellow coffee drinkers on the public wifi raises the occasional eyebrow. So what do I do? Build a test environment. The concept itself isn't difficult, but there are easy and hard ways to do it. I wanted two machines: one with my vulnerable VMs, the other with Metasploit and NeXpose. This i

8 min Metasploit

December Patch Tuesday Roundup

So what can I say that hasn't already been said about this month's Patch Tuesday release…Microsoft never ceases to amaze, finishing the year with another 17 bulletins for 40 vulnerabilities this release. This month marks the end of a record-breaking year for bulletins and another month of what appears to be an upward trajectory of bugs. Let's take a moment to reflect: Microsoft has arguably one of the most advanced SDLC programs out there, however they still managed to double the amount of bu

1 min Metasploit

Rapid7 scam busters: Using social engineering to train your users about phishing attacks

With the holidays approaching, many people are looking for gift ideas and deals. Holiday season is also hunting season for malicious hackers who send out gift idea and deal phishing emails. How do you protect your employees from divulging their personal and even corporate passwords to an attacker? It's hard to combat phishing with technology. Training employees to spot phishing scams is the most effective, but training is time intensive and may impact productivity. What if you could find a w

6 min Metasploit

Cisco IOS Penetration Testing with Metasploit

The Metasploit Framework and the commercial Metasploit products have always provided features for assessing the security of network devices. With the latest release, we took this a step further and focused on accelerating the penetration testing process for Cisco IOS devices. While the individual modules and supporting libraries were added to the open source framework, the commercial products can now chain these modules together to quickly compromise all vulnerable devices on the network. The sc

2 min Linux

Offensive Security = Backtrack Linux + Metasploit Pro

This week the guys over at Offensive Security [http://www.offensive-security.com/] officially added Metasploit Pro [http://www.rapid7.com/products/metasploit-pro.jsp] to their curriculum for the class Penetration Testing with BackTrack [http://www.offensive-security.com/online-information-security-training/penetration-testing-backtrack/]. For those not familiar with it, BackTrack [http://www.backtrack-linux.org/] is a Linux distribution that includes a lot of tools for penetration testing. Since

2 min Exploits

Sesame open: Auditing password security with Metasploit 3.5.1

Secret passwords don't only get you into Aladdin's cave or the tree house, but also into corporate networks and bank accounts. Yet, they are one of the weakest ways to protect access. Sure, there are better ways to secure access, such as smart cards or one-time password tokens, but these are still far from being deployed everywhere although the technology has matured considerably over the past years. Passwords are still the easiest way into a network. The new Metasploit version 3.5.1 adds a l

2 min Breach Response News

Shock and awe with gawker.com: How to test if you have been breached

Google Fusion table listing the MD5 hashes of breached email addresses from the Gawker.com data breach. This weekend, the Web and back-end database of Gawker.com was published on Pirate Bay. If you had a personal email account registered at Gawker or one of their associated web sites, such as Engaged, you may have been breached. This especially becomes a problem if you are using the same password across a number of sites because we expect that malicious hackers are already trying to use the same

4 min Exploits

Setting up a test environment for VPN Pivoting with Metasploit Pro

Penetration testing software only shows its true capabilities on actual engagements. However, you cannot race a car before you've ever sat in the driver's seat. That's why in this article I'd like to show you how to set up a test environment for VPN pivoting, a Metasploit Pro [http://www.rapid7.com/products/metasploit-pro.jsp] feature for intermediate and advanced users recently described in this post [https://community.rapid7.com/blogs/rapid7/2010/11/08/how-vpn-pivoting-creates-an-undetectable-

1 min Metasploit

Turning your world upside down: Metasploit ambigram tattoos

Bill Swearingen aka hevnsnt blew us away by designing a Metasploit ambigram for the Metasploit Pro tattoo contest. You may remember Roy's Metasploit tattoo [https://community.rapid7.com/blogs/rapid7/2010/11/01/we-weren-t-joking-when-we-said-tattoos] a few weeks ago, which prompted our Metasploit Pro [http://www.rapid7.com/products/metasploit-pro.jsp] tattoo competition. We thought it was a cute idea, expecting a few fun pictures with felt pen tattoos or tattoo photo montages of the Metas

1 min Metasploit

Help your new sweethearts call home to Metasploit

Setting listener host and ports for payloads in Metasploit Pro. Life is full of disappointments: You spend a lot of time flirting with a cute new machine, convince it to accept your payload, and never get a call back – just because the big bad NAT is not letting your new sweetheart phone home. That's why many of you broken hearted pentesters have asked us to make the listener port and IP address for payloads configurable to ports that are usually accessible, such as ports 80 and 443. This week'

2 min Metasploit

How VPN pivoting creates an undetectable local network tap

Let's assume your goal for an external penetration test is to pwn the domain controller. Of course, the domain controller's IP address is not directly accessible from the Web, so how do you go about it? Seasoned pentesters already know the answer: they compromise a publicly accessible host and pivot to other machines and network segments until they reach the domain controller. It's the same concept as a frog trying to cross a pond by jumping from lily pad to lily pad. If you have already

2 min Awards

We weren't joking when we said "tattoos"!

Be careful what we wish for: In 2006, HD Moore wrote a blog post [/2006/08/27/metasploit-framework-30-beta-2] about a redesign of the Metasploit Project, announcing that the new graphics “will be featured on tee shirts, posters, and tattoos over the coming year.” Well, you guys took a little longer than we thought but we now have our first Metasploit tattoo! Initially, we thought Roy Morris (aka @soundwave1234 [http://twitter.com/soundwave1234]) was joking when he tweeted to @hdmoore [htt

2 min Exploits

Take an earlier flight home with the new Metasploit Pro

We love it, our beta testers loved it, and we trust you will as well: today we're introducing Metasploit Pro [http://www.rapid7.com/products/metasploit-pro.jsp], our newest addition to the Metasploit family, made for penetration testers who need a bigger, and better, bag of tricks. Metasploit Pro provides advanced penetration testing capabilities, including web application exploitation and social engineering. The feedback from our beta testers has been fantastic, most people loved how easily

2 min Awards

Metasploit Express crucial to win in South Florida ISSA Hack the Flag

Last Saturday, our favorite South Florida hacker collective, HackMiami [http://www.hackmiami.org/], took first place at the South Florida ISSA [http://www.sfissa.org/] Hack the Flag contest in Fort Lauderdale, FL. Seven teams participated, defending systems running a variety of off-the-shelf services such as HTTP, SSH, FTP, while attempting to take control of other teams' systems. We think it's a useful case study, and wanted to share the results with you. HackMiami was the first team to enum

2 min Events

Cheer and Pwning in Las Vegas

Rapid7 and the entire core Metasploit team are headed to Las Vegas next week for Black Hat USA [http://blackhat.com/html/bh-us-10/bh-us-10-home.html], Security B-Sides [http://www.securitybsides.com/BSidesLasVegas], and Defcon 18 [http://www.defcon.org/html/defcon-18/dc-18-index.html]. The full schedule of events is listed below; make sure you drop by Booth #64 at Black Hat to take a shot at the Race to Root contest, where the winners will receive hacker [http://proxmark3.com/] lust-worthy [ht

1 min Metasploit

Metasploit Express v3.4.1 Released!

Metasploit Express 3.4.1 was released on July 15th, 2010. This release adds 16 new exploits, an overhauled module browser, island-hopping support, brute force support for FTP and HTTPS, enhanced import and export functionality, and improvements to the online update system, including support for HTTP proxies. This release fixes over 100 bugs. Full details of this release can be found in the online release notes [http://www.metasploit.com/redmine/projects/pro/wiki/Release_Notes_341]. Existing

1 min Metasploit

Metasploit Framework 3.4.1 Released!

The Metasploit Project is proud to announce the release of the Metasploit Framework version 3.4.1. As always, you can get it from our downloads page [http://www.metasploit.com/framework/download/], for Windows or Linux. This release sees the first official non-Windows Meterpreter payload, in PHP as discussed last month [/2010/06/14/meterpreter-for-pwned-home-pages]. Rest assured that more is in store for Meterpreter on other platforms. A new extension called Railgun [http://mail.metasploit.c

3 min Metasploit

Meterpreter for Pwned Home Pages

Background: Meterpreter, as I'm sure most of our readers know, is an advanced in-memory payload with tons of useful post-exploitation features. About a year ago, while looking through various buggy, backdoored PHP shells, I decided it might be useful to have some of Meterpreter's networking features in the web's most pwnable language. I started to implement this idea prior to Blackhat last year but got caught up in other projects and let it languish. Last week I dusted it off, cleaned it up a

3 min Metasploit

Approaching Metasploit 3.4.0 and Metasploit Express

Since mid-December, the Metasploit team has been working non-stop towards version 3.4.0 of the Metasploit Framework. The final release is still scheduled for mid-May, but I wanted to share some of the upcoming features, available today from the development tree. Version 3.4.0 includes major improvements to the Meterpreter payload, the expansion of the framework's brute force capabilities, and the complete overhaul of the backend database schema and event subsystem. In addition, more than 60 exp

1 min Metasploit

Locate and Exploit the Energizer Trojan

The newsosphere was abuzz this morning with the discovery that Energizer's "DUO" USB Battery Charger included a malicious backdoor [http://www.kb.cert.org/vuls/id/154421] in the accompanying software. This backdoor was only discovered after the product was discontinued, leading some to believe that it went through its entire lifecycle undetected [http://www.symantec.com/connect/blogs/trojan-found-usb-battery-charger-software]. The good news is that the backdoor is relatively harmless; machines b

3 min Metasploit

Metasploit Framework 3.3.3 Exploit Rankings

This morning we released version 3.3.3 [http://www.metasploit.com/framework/download/] of the Metasploit Framework - this release focuses on exploit rankings [https://community.rapid7.com/docs/DOC-1034], session automation, and bug fixes. The exploit rank indicates how reliable the exploit is and how likely it is for the exploit to have a negative impact on the target system. This ranking can be used to prevent exploits below a certain rank from being used and limit the impact to a particular t

2 min Metasploit

Meterpreter Pivoting, Web Scanning, Wireless, and More!

Last week we released Metasploit 3.3.2 [https://community.rapid7.com/docs/DOC-1318] following on the heels of Metasploit 3.3.1 [https://community.rapid7.com/docs/DOC-1317]. This release marked a major change to how the Meterpreter backend processed commands; instead of running each request serially, the Meterpreter now spawns a background thread for each request. This allows for multiple scripts to access the same Meterpreter instance at the same time and vastly improves the pivoting [https://

1 min Metasploit

Metasploit 3.3.1 + NeXpose Community Edition

On December 1st, Rapid7 announced the Community Edition [http://www.rapid7.com/nexposecommunitydownload.jsp] of the NeXpose vulnerability management product. At the same time, we released version 3.3.1 [http://www.metasploit.com/framework/download/] of the Metasploit Framework, which contains the first step [https://community.rapid7.com/docs/DOC-1266] towards full integration between NeXpose and Metasploit. Since the release, we have made some major improvements based on community feedback and

8 min Metasploit

Metasploit 3.0 Automated Exploitation

A recurring theme in my presentations about Metasploit 3.0 is the need for exploit automation. As of tonight, we finally have enough code to give a quick demonstration :-) Metasploit 3 uses the ActiveRecord [http://wiki.rubyonrails.org/rails/pages/ActiveRecord] module (part of RoR [http://rubyonrails.org/]) to provide an object-oriented interface to an arbitrary database service. Database support is enabled by installing RubyGems [http://www.rubygems.org/], ActiveRecord ("gem install activerec

4 min Metasploit

Post-exploitation fun in Metasploit 3.0

So what does it mean when we talk about all the cool automation support that Metasploit 3.0 has? Well, the answer is fairly broad. It means you can implement plugins and other tools that can be used to extend and automate a number of features included in the framework. By virtue of this fact, it means that you can extend and automate one of the areas that I personally find the most interesting: post-exploitation payloads. Spoonm and I recently completed a tour of duty describing some of the coo