Posts tagged Penetration Testing

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Spilling the (Gi)tea We have two modules coming in from cdelafuente-r7 [https://github.com/cdelafuente-r7] targeting CVE-2020-14144 [https://attackerkb.com/topics/ZTlYBaSclN/cve-2020-14144?referrer=blog] for both the Gitea and Gogs self-hosted Git services. Both modules are similar: they take advantage of a user’s ability to create Git hooks by authenticating with the web interface, creating a dummy repository with the aforementioned git hook, and triggering it—which will execute the payload! A
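As an added illustration of the mechanism these modules rely on (example code written for this page, not the Metasploit modules themselves): a server-side Git hook is just a script that the receiving repository runs on every push, as the account the Git service runs under. The script below assumes only git and a POSIX sh. It stands up a bare "server" repository with a post-receive hook, pushes to it from a throwaway client, reports which account the hook ran as, and then lists the active hooks the way a defender auditing a Gitea or Gogs data directory would. The hook body, the directory names and the hook_ran_as marker file are illustrative choices made here.

```sh
#!/bin/sh
# Added example: why a server-side Git hook created through a hosting UI is
# code execution on the server. Uses only git and POSIX sh; every path is a
# temporary directory created by this script.

# Defender's check: print the executable, non-sample hooks of one repository
# as a comma-separated list (nothing if there are none). On a Gitea/Gogs
# host, run it over every repository under the service's data directory.
list_active_hooks() {
    hooks="$1/hooks"
    out=""
    [ -d "$hooks" ] || return 0
    for f in "$hooks"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        case "$f" in *.sample) continue ;; esac
        out="${out:+$out,}$(basename "$f")"
    done
    [ -n "$out" ] && printf '%s\n' "$out"
    return 0
}

# Attacker's view: create a bare "server" repo with a post-receive hook,
# push to it from a "client" clone, and print what the hook observed.
demo_hook_rce() {
    work=$(mktemp -d) || return 1
    server="$work/server.git"
    client="$work/client"

    # Server side: a bare repository, like the dummy repo the modules create.
    git -c init.defaultBranch=main init -q --bare "$server"

    # The hook an attacker would add through the Git Hooks settings page.
    # Git runs it with the bare repo as its working directory, as the
    # account the Git service runs under, on every push it receives.
    cat > "$server/hooks/post-receive" <<'EOF'
#!/bin/sh
{ id -un 2>/dev/null || id -u; } > hook_ran_as
EOF
    chmod +x "$server/hooks/post-receive"

    # Client side: one empty commit and a push are enough to trigger it.
    git -c init.defaultBranch=main init -q "$client"
    git -C "$client" -c user.name=tester -c user.email=tester@example.invalid \
        commit -q --allow-empty -m "trigger hook"
    git -C "$client" push -q "$server" HEAD:refs/heads/main

    printf 'ran_as=%s\n' "$(cat "$server/hook_ran_as")"
    printf 'active_hooks=%s\n' "$(list_active_hooks "$server")"
    rm -rf "$work"
}

demo_hook_rce
```

On a hosting server the hook body is whatever the user typed into the Git Hooks settings page, so anyone allowed to create hooks effectively has a shell as the service account; the list_active_hooks check is the quick way to find out which repositories already carry one.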

3 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Six new modules targeting F5, SaltStack, Exchange Server, and more, plus some significant performance improvements and fixes.

4 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

A local exploit for a Windows Server 2012 DLL hijacking vulnerability, plus a slew of fixes and improvements.

3 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Commemorating the 2020 December Metasploit community CTF A new commemorative banner has been added to the Metasploit console to celebrate the teams that participated in the 2020 December Metasploit community CTF [/2020/12/07/congrats-to-the-winners-of-the-2020-december-metasploit-community-ctf/] and achieved 100 or more points: If you missed out on participating in this most recent event, be sure to follow the Metasploit Twitter [https://twitter.com/metasploit] and Metasploit blog posts [/ta

3 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Exploits for Oracle Solaris CVE-2020-14871 and Windows 7 CVE-2020-1054, plus enhancements and bug fixes for Railgun and msfdb init. Happy HaXmas!

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

It's CTF week(end)! Plus, steal files from Apache Tomcat servers thanks to a new Ghostcat exploit, and dump process memory with a new post module that leverages Avast AV's built-in AvDump utility.

2 min This One Time on a Pen Test

This One Time on a Pen Test: CSRF to Password Reset Phishing

In the latest edition of our "This One Time On a Pen Test" series, we take a look at an engagement featuring Cross-site request forgery attacks.

1 min Under the Hoodie

Behind the Scenes: Under the Hoodie 2020 Video Series

In this blog, we take you on a behind-the-scenes look at the making of our 2020 Under the Hoodie video series.

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Four new modules, including an exploit for SaltStack Salt and an exploit for a now-patched vuln in Metasploit, plus new enhancements and fixes.

2 min This One Time on a Pen Test

This One Time on a Pen Test: How I Hacked a Self-Driving Car

In our latest edition of "This One Time on a Pen Test," we take a deeper look at an engagement involving a self-driving car.

3 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

A bug fix for EternalBlue on Metasploit 6, four new modules, and a bunch of enhancements.

2 min This One Time on a Pen Test

This One Time on a Pen Test: Thanks for Sharing Your Wi-Fi

In this iteration of our "This One Time on a Pen Test" series, our client was a private equity company, and the task was to do an onsite wireless pen test from the lobby outside their office.

3 min This One Time on a Pen Test

This One Time on a Pen Test: Doing Well With XML

In the latest edition of "This One Time on a Pen Test," we discuss a classic web application engagement involving XML.

2 min This One Time on a Pen Test

This One Time on a Pen Test: I Know...Everything

In the latest edition of "This One Time on a Pen Test," we follow a Rapid7 penetration tester as they perform an internal network engagement.

2 min This One Time on a Pen Test

This One Time on a Pen Test: Ain’t No Fence High Enough

In this edition of "This One Time on a Pen Test," we discuss an engagement for an energy company with a high-fence compound.

2 min Penetration Testing

This One Time on a Pen Test: How I Outwitted the Vexing VPN

In this edition of "This One Time on a Pen Test," we discuss outwitting the vexing VPN.

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Three new modules, including a Pwn2Own addition for OS X, plus proxy support for Python Meterpreter, new search improvements, and a reminder of how to report security issues in Metasploit.

2 min Penetration Testing

This One Time on a Pen Test: I’m Calling My Lawyer!

In this engagement, Rapid7 pen testers were tasked to identify sensitive information, harvest credentials, and obtain a reverse shell on their machines.

2 min Penetration Testing

This One Time on a Pen Test: Playing Social Security Slots

This post is part of an ongoing series featuring testimonials of what goes on beneath the hoodie during Rapid7 penetration testing engagements.

2 min Penetration Testing

Ask a Pen Tester, Part 2: A Q&A With Rapid7 Pen Testers Gisela Hinojosa and Carlota Bindner

Rapid7 pen testers Gisela Hinojosa and Carlota Bindner are back to answer another round of questions about the mysterious art of penetration testing.

2 min Research

Rapid7 Releases 2020 Under the Hoodie Report: Lessons Learned from a Year of Penetration Tests

Rapid7 recently released its 2020 Under the Hoodie report, detailing the ins and outs of penetration testing.

3 min Penetration Testing

Ask a Pen Tester, Part 1: A Q&A With Rapid7 Pen Testers Gisela Hinojosa and Carlota Bindner

Rapid7 pen testers Gisela Hinojosa and Carlota Bindner break down a number of popular questions related to the mysterious art of penetration testing.

5 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Metasploit 6 initial features and active development, the 2020 open-source security meetup (OSSM), four new modules, and the longest list of enhancements and fixes we've ever written in one sitting.

3 min Penetration Testing

Understanding Security as an Investment: The Importance of Pen Testing for Startups

Recently, we sat down with Intenseye's Sercan Esen and Serhat Cillidag to discuss developing robust security programs for startup environments.

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

vBulletin, WordPress, and WebLogic exploits, along with some enhancements and fixes.

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Hello, World! This week’s wrapup features six new modules, including a double-dose of Synology and everyone’s favorite, Pi-Hole. Little NAS, featuring RCE Synology stations are small(ish) NAS devices, but as Steve Kaun, Nigusu Kassahun, and h00die have shown, they are not invulnerable. In the first module, a command injection exists in a scanning function that allows for an authenticated RCE, and in the second, a coding feature leaks whether a user exists on the system, allowing for brute-forc

3 min Vulnerability Risk Management

Meet AttackerKB

Meet AttackerKB: a new community-driven resource that highlights diverse perspectives on which vulnerabilities make the most appealing targets for attackers.

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

Meterpreter bug fixes and five new modules, including an LPE exploit for SMBghost (CVE-2020-0796) and a BloodHound post module that gathers information (sessions, local admin, domain trusts, etc.) and stores it as a BloodHound-consumable ZIP file in Framework loot.

3 min Metasploit Weekly Wrapup

Metasploit Wrap-Up

This week's release includes a local privilege escalation exploit for VMware Fusion through 11.5.3 on OS X, as well as RCE on Apache Solr and DNN cookie deserialization.

4 min OSCP

Lessons Learned from an Unlikely Path to My OSCP Certification

In this blog, our own Patrick Laverty discusses lessons learned from his path to an Offensive Security Certified Professional (OSCP) certification.

5 min Penetration Testing

Ask a Pen Tester Q&A, Part 2: Everything You Need to Know About the Art of Penetration Testing

We sat down with our own penetration testers to answer some of your questions about what exactly pen testing entails.

3 min Penetration Testing

What You Need to Know to Get Started in the Penetration Testing Field

In this blog, we sat down with our own penetration testers to answer some of your questions to help get you started in the field.

7 min Penetration Testing

This One Time on a Pen Test, Halloween Edition: An Ode to Our Favorite Pen Tester Disguises

In honor of Halloween, we wanted to celebrate by sharing a few of our Rapid7 pen testers’ costumed crusades.

3 min Penetration Testing

This One Time on a Pen Test: “Let Me Get That for You”

In this blog, we discuss how our team successfully gained access to a client's physical building in an unlikely way.

1 min Penetration Testing

This One Time on a Pen Test: Our Accidental Win

In this blog, we recall one pen test where a placeholder password we put in actually worked with one login account.

2 min Penetration Testing

This One Time on a Pen Test: What’s in the Box?

Here is the story of how one of our penetration testers exploited EternalBlue on a rogue access point.

2 min Penetration Testing

This One Time on a Pen Test: The Pizza of Doom

Here is the story of how I bypassed physical security controls by posing as a pizza delivery guy and showing up to my client site with a pizza pie.

2 min Penetration Testing

This One Time on a Pen Test: Your Mouse Is My Keyboard

In one engagement, we were tasked with compromising the internal network of a facility that was used for medical trials. Here's what happened.

2 min Penetration Testing

This One Time on a Pen Test: Nerds in the NERC

Here is the story of how we gained access to a NERC CIP control room in a power plant as part of a penetration testing engagement.

3 min Penetration Testing

This One Time on a Pen Test: Missed a Spot

In this penetration testing story, Ted Raffle discusses how even strong security controls and threat mitigation can miss the mark when only one or two systems fall through the cracks.

13 min Penetration Testing

Ask a Pen Tester: Q&A with Rapid7 Penetration Tester Aaron Herndon

Recently, we gave our customers the opportunity to ask members of our penetration testing services team any burning questions they have.

2 min Penetration Testing

This One Time on a Pen Test: How I Compromised a Healthcare Portal Before My Hot Cocoa Went Cold

Here is the story of how I used a simple SQL injection attack to compromise a healthcare portal.

2 min Under the Hoodie

This One Time on a Pen Test: Paging Doctor Hackerman

In this blog, one of our penetration testers tells the story of how he hacked an X-ray machine and got the keys to the entire network.

2 min Research

[Research] Under the Hoodie, 2019 Edition: Lessons Learned from 180 Penetration Tests

Our 2019 Under the Hoodie report covers the measurable results of about 180 penetration tests conducted by Rapid7. Find out what we learned.

3 min Rapid7 Perspective

How to Start a Career in Cybersecurity: From Stay-at-Home Mom to Security Pro-in-Training

My name is Carlota Bindner, and here is my story on how I went from being a stay-at-home mom and community volunteer to participating in Rapid7's Security Consultant Development Program.

3 min Phishing

Lessons from a Pen Test: The Power of a Well-Researched and Well-Timed Phishing Email

On a recent pen test, Steve Laura saw just how effective phishing emails can be with the right research and timing.

3 min Penetration Testing

No DA? No Problem! How Attackers Can Access Sensitive Data without Escalated Privileges

When pen testers look at your network, one of their main goals is privilege escalation. However, there are still plenty of ways to access sensitive data without this access.

4 min Penetration Testing

Why a 17-Year Veteran Pen Tester Took the OSCP

Why would a 17-year veteran penetration tester undergo the somewhat costly, time-consuming, and challenging ordeal to obtain what may be considered an entry-level certification?

4 min Haxmas

The Return of Snapid Kevin to the North Pole

Santa has once again enlisted the help of his security consultant, Snapid Kevin, to evaluate his physical security. What will Snapid turn up?

3 min Penetration Testing

7 Funny and Punny Halloween Costume Ideas for Tech and Cybersecurity Pros

Stuck on what to be this year? Here are some of our favorite Halloween costume ideas for tech and cybersecurity professionals.

4 min Research

This One Time on a Pen Test, Part 5: From Physical Security Weakness to Strength

During a physical social engineering penetration test, I easily got into the office with the help of a copied badge and polite employees. But would the company learn its lesson?

4 min Research

Password Tips from a Pen Tester: Are 12-Character Passwords Really Stronger, or Just a Dime a Dozen?

On penetration tests, the three most common passwords are a variation of company name, the season/year, and a variation of “password.” But what happens if we lengthen the password requirement?

4 min Penetration Testing

Putting Pen (Tests) to Paper: Lessons and Learnings from Rapid7’s Annual Mega-Hackathon

Rapid7's Mega-Hackathon offers a unique chance to go beyond the data and get a feel for what pen testers are like in their natural habitat.

3 min Penetration Testing

This One Time on a Pen Test, Part 4: From Zero to Web Application Admin through Open-Source Intelligence Gathering

Open source intelligence gathering (OSINT) can sometimes take a backseat to more glamorous parts of pen tests—but in this case, it saved us.

3 min Research

This One Time on a Pen Test, Part 3: How Jumping a Fence and Donning a Disguise Helped Me Steal an Energy Company

Here is the story of how I jumped a fence and broke into a construction vehicle to take control of an energy company's network.

4 min Penetration Testing

How to Identify and Prioritize Gaps with the Cybersecurity Maturity Assessment, Post-2018 'Under the Hoodie'

At Rapid7, we believe that cybersecurity within a company is not just a function with many stakeholders, but rather a shared responsibility among all employees, regardless of role.

6 min InsightAppSec

Faster Prod at the Expense of Security? 2018 ‘Under the Hoodie’ Reveals Gaps in Applications

As part of this year's "Under the Hoodie" report, we identified the latest web application security risks companies are facing today.

3 min Penetration Testing

This One Time on a Pen Test, Part 2: How Just One Flaw Helped Us Beat the Unbeatable Network

During one pen testing engagement, we were pitted against a well-hardened, locked-down, and mature environment. However, all it took was one slip-up to give us the keys to the kingdom.

4 min Penetration Testing

This One Time on a Pen Test, Part 1: Curiosity Didn’t Kill the Cat—Honesty Did

As part of a penetration test, I worked with the client to craft an engagement that would evaluate their employee and technology preparedness against a sophisticated, targeted phishing and vishing attack.

5 min InsightVM

Under the Hoodie: Which Vulns Are Being Exploited by Attackers (and Our Pen Testers) in 2018?

Software vulnerabilities are at the core of pen testing—and our "Under the Hoodie" report provides insights and advice one can only get in the trenches.

3 min IoT

Enhancing IoT Security Through Research Partnerships

Securing IoT devices requires a proactive security approach to test both devices and the IoT product ecosystem. To accomplish this, consider setting up a research partnership.

5 min Research

Password Tips from a Pen Tester: Taking the Predictability Out of Common Password Patterns

Humans are predictable. As unique as we like to think we all are, our actions tend to be similar—and our choices when creating a password are no different.

4 min Penetration Testing

CIS Critical Security Control 20: Measure Your Security Standing with Penetration Tests and Red Team Exercises

Protecting yourself from threats requires consistently asking yourself whether your security program is working as designed. Critical Control 20 covers pen tests and Red Team exercises.

3 min Incident Detection

Detection Reflection: Analyzing 9 Months of Rapid7 Penetration Testing Engagements

In this post, we’ll review results and trends from Under the Hoodie 2018 as they relate to incident detection, including where our red team found success.

2 min Penetration Testing

Under the Hoodie 2018: Lessons from a Season of Penetration Testing

Today, I’m excited to announce the release of our 2018 edition of Under the Hoodie: Lessons from a Season of Penetration Testing by the Rapid7 Global Services team, along with me, Tod Beardsley and Kwan Lin.

3 min Research

Password Tips from a Pen Tester: What is Your Company’s Default Password?

Welcome back to Password Tips From a Pen Tester. Last time, I exposed common password patterns [/2018/06/12/password-tips-from-a-pen-tester-common-patterns-exposed/] we see when we perform penetration testing service engagements [https://www.rapid7.com/services/penetration-testing-services/] for our clients at Rapid7. This month, let’s dig into the amazingly weak default passwords that so many companies use. The first day on the job: We fill out all the requisite paperwork for Human Resources a

5 min Penetration Testing

How to Build Your Own Caller ID Spoofer: Part 2

In Part 1 [/2018/05/24/how-to-build-your-own-caller-id-spoofer-part-1/], we talked about the need for organizations to test their security programs by performing social-engineering campaigns with their employees so they can understand employee susceptibility to these kinds of tactics, the potential impact to the organization of this kind of attack, and develop methods of defending against a real attack. We spoke about the need for accurately simulating threat actors by setting up an Asterisk PBX

7 min Penetration Testing

How to Create a Secure and Portable Kali Installation

The following is a guest post from Rapid7 customer Bo Weaver. Hi, everyone. I’m Bo, a penetration tester at CompliancePoint (and also a customer of Rapid7). If you’re just getting started in penetration testing [https://www.rapid7.com/fundamentals/penetration-testing/], or are simply interested in the basics, this blog is for you. An Intro to Kali Kali Linux is an open source project that is maintained and funded by Offensive Security [https://www.offensive-security.com/], a provider of inform

3 min Penetration Testing

Password Tips From a Pen Tester: Common Patterns Exposed

Welcome back to Password Tips From a Pen Tester. Last time, I talked about what you can expect to learn from these posts and I also explained the three most common passwords that we see on penetration tests [/2018/05/10/password-tips-from-a-pen-tester-3-passwords-to-eliminate/]. This month, let’s take a look at how that kind of information is helpful on a penetration test [https://www.rapid7.com/fundamentals/penetration-testing/], and correlate what we know to actual data collected. When my co

6 min Penetration Testing

How to Build Your Own Caller ID Spoofer: Part 1

Purpose Organizations with mature security programs often test their own internal awareness programs by performing social engineering campaigns (e.g., telephone pretexting) on their personnel. These may include hiring third-party consulting companies as well as performing internal tests. These tests should strive to be as real-world as possible in order to accurately simulate a malicious actor and learn from employees’ reactions and ascertain the level of risk they pose to the organization. Spoo

4 min Penetration Testing

Password Tips From a Pen Tester: 3 Passwords to Eliminate

Every week, Rapid7 conducts penetration testing services [https://www.rapid7.com/services/penetration-testing-services/] for organizations and cracks hundreds—and sometimes thousands—of passwords. Our current password trove has more than 500,000 unique passwords that have been collected over the past two years. Where do these come from? Some of them come from Windows domain controllers and databases such as MySQL or Oracle; some of them are caught on the wire using Responder [https://github.com

4 min InsightIDR

Attacker Behavior Analytics: How InsightIDR Detects Unknown Threats

InsightIDR customers now have an ever-evolving library of attacker behavior detections automatically matched against their data. Read on to learn how Rapid7 SOC and threat intel teams investigate a constant rumbling of attacker behavior and transform it into actionable threat intelligence.

3 min Haxmas

Hohoho-wned: First Steps Toward a Pen Test Oriented Rootkit

Year after year it seems that Santa is intent on sending me coal, but little does he know that this year I already have access to one of his Linux machines and I'm going to make sure that I at least deserve to get my fair share of black rocks. I decided to dig into the world of Linux rootkits and long-term footholds with evasion techniques; this is an area where lots of previous research has been done, but in traditional bootstrapper fashion I decided to start writing a backdoor from scratch wit

4 min Penetration Testing

Metasploit MinRID Option

We’ve added a new option to the smb_lookupsid Metasploit module [https://www.rapid7.com/db/modules/auxiliary/scanner/smb/smb_lookupsid]. You can now specify your starting RID. Wait, What Does This Module Do Again? As a penetration tester, one of the first things I try to do on an internal network is enumerate all of the domain users so that I can perform login attacks against them. It would be a noteworthy risk if we could do that anonymously, because that means that any malicious actor who can

2 min UNITED

Keeping it simple at UNITED

The following post is a guest blog by Bo Weaver, Senior Penetration Tester at CompliancePoint [http://www.compliancepoint.com/]. If you're attending UNITED, you can catch Bo's talk at 11:45 AM on Thursday, September 14 in the Phish, Pwn, and Pivot track. Hi! I’m Bo. I’ll be speaking at Rapid7’s UNITED Summit in Boston [https://unitedsummit.org/index.php] this week, and Rapid7's community manager [/author/caitlin-condon] asked me to write a little blog about my talk. I marvel how on the net we

4 min Penetration Testing

IoT Security Testing Methodology

By Deral Heiland, IoT Research Lead, Rapid7; Nathan Sevier, Senior Consultant, Rapid7; Chris Littlebury, Threat Assessment Manager, Rapid7. End-to-end ecosystem methodology: When examining IoT technology, the actionable testing focus and methodology are often applied solely to the embedded device. This is short-sighted and incomplete. An effective assessment methodology should consider the entire IoT solution, or as we refer to it, the IoT Product Ecosystem. Every interactive component that makes

3 min Metasploit

Exploiting Macros via Email with Metasploit Pro Social Engineering

Currently, phishing is seen as one of the largest infiltration points for businesses around the globe, but there is more to social engineering than just phishing. Attackers may use email and USB keys to deliver malicious files to users in the hopes of gaining access to an organization's network. Users are often unaware that unsolicited files, such as a Microsoft Word document with a macro, may be malicious, and that can be a major risk to an organization. Metasploit Pro [https://rapid7.com/prod

4 min Penetration Testing

Combining Responder and PsExec for Internal Penetration Tests

By Emilie St-Pierre, TJ Byrom, and Eric Sun Ask any pen tester what their top five penetration testing tools [https://rapid7.com/fundamentals/penetration-testing-tools/] are for internal engagements, and you will likely get a reply containing nmap, Metasploit, CrackMapExec, SMBRelay and Responder. An essential tool for any whitehat, Responder is a Python script that listens for Link-Local Multicast Name Resolution (LLMNR), Netbios Name Service (NBT-NS) and Multicast Domain Name System (mDNS)

6 min GDPR

Preparing for GDPR Compliance: 10 Actionable Recommendations

GDPR is coming….. If your organisation does business with Europe, or more specifically does anything with the Personal Data of EU Citizens who aren't dead (i.e. Natural Persons), then, just like us, you're going to be in the process of living the dream that is Preparing for the General Data Protection Regulation (GDPR compliance) [https://www.rapid7.com/solutions/compliance/gdpr/]. For many organisations, this is going to be a gigantic exercise, as even if you have implemented processes and tec

3 min Authentication

Under the Hoodie: Actionable Research from Penetration Testing Engagements

Today, we're excited to release Rapid7's latest research paper, Under the Hoodie: Actionable Research from Penetration Testing Engagements [https://www.rapid7.com/info/under-the-hoodie], by Bob Rudis [https://twitter.com/hrbrmstr], Andrew Whitaker [https://www.linkedin.com/in/drewwhitaker/], Tod Beardsley [https://twitter.com/todb], with loads of input and help from the entire Rapid7 pentesting team. This paper covers the often occult art of penetration testing, and seeks to demystify the proce

4 min Metasploit

Metasploitable3 Capture the Flag Competition

UPDATE: Leaderboard can be found on this new post [/2016/12/14/metasploitable3-ctf-competition-update]! Plus, some notes that may be helpful. Exciting news! Rapid7 is hosting a month-long, world-wide capture the flag(s) competition! Rapid7 recently released Metasploitable3 [https://github.com/rapid7/metasploitable3], the latest version of our attackable, vulnerable environment designed to help security professionals, students, and researchers alike hone their skills and practice their craft. I

4 min Honeypots

Deception Technology: Can It Detect Intruders Earlier in their Attack Chain?

Every infosec conference is chatting about the Attack Chain, a visual mapping of the steps an intruder must take to breach a network. If you can detect traces of an attack earlier, you not only have more time to respond, but can stop the unauthorized access to monetizable data and its exfiltration. Even as attackers and pen-testers continue to evolve their techniques, the Attack Chain continues to provide a great baseline framework to map out your security detection program. Many of today's

4 min Penetration Testing

Pentesting in the Real World: Local File Inclusion with Windows Server Files

This is the fifth in a series of blog posts by penetration testers, for penetration testers, highlighting some of the advanced pentesting techniques they'll be teaching in our new Network Assault and Application Assault certifications, opening for registration this week. For more information, check out the training page at www.rapid7.com/services/training-certification/penetration-testing-training.jsp [http://www.rapid7.com/services/training-certification/penetration-testing-training.jsp] First

5 min Metasploit

Pentesting in the Real World: Going Bananas with MongoDB

This is the fourth in a series of blog posts by penetration testers, for penetration testers, highlighting some of the advanced pentesting techniques they'll be teaching in our new Network Assault and Application Assault certifications, opening for registration this week. For more information, check out the training page at www.rapid7.com/services/training-certification/penetration-testing-training.jsp [http://www.rapid7.com/services/training-certification/penetration-testing-training.jsp] Prefa

6 min Metasploit

Pentesting in the Real World: Group Policy Pwnage

This is the third in a series of blog posts by penetration testers, for penetration testers, highlighting some of the advanced pentesting techniques they'll be teaching in our new Network Assault and Application Assault certifications, opening for registration this week. For more information, check out the training page at www.rapid7.com/services/training-certification/penetration-testing-training.jsp [http://www.rapid7.com/services/training-certification/penetration-testing-training.jsp] Bac

3 min Metasploit

Pentesting in the Real World: Capturing Credentials on an Internal Network

This is the second in a series of blog posts by penetration testers, for penetration testers, highlighting some of the advanced pentesting techniques they'll be teaching in our new Network Assault and Application Assault certifications, opening for registration this week. For more information, check out the training page at www.rapid7.com/services/training-certification/penetration-testing-training.jsp [http://www.rapid7.com/services/training-certification/penetration-testing-training.jsp] As

5 min Metasploit

Pentesting in the Real World: Gathering the Right Intel

This is the first in a series of blog posts by penetration testers, for penetration testers, highlighting some of the advanced pentesting techniques they'll be teaching in our new Network Assault and Application Assault certifications, opening for registration this week. For more information, check out the training page at www.rapid7.com/services/training-certification/penetration-testing-training.jsp [http://www.rapid7.com/services/training-certification/penetration-testing-training.jsp] So

4 min Penetration Testing

Penetration Test vs. Red Team Assessment: The Age Old Debate of Pirates vs. Ninjas Continues

In a fight between pirates and ninjas, who would win? I know what you are thinking. “What in the world does this have to do with security?” Read on to find out, but first, make a choice: Pirates or Ninjas? Before making that choice, we must know what the strengths and weaknesses are for each:
Pirates - Strengths: Strong; Brute-Force Attack; Great at Plundering; Long-Range Combat. Weaknesses: Loud; Drunk (some say this could be a strength too); Can be Careless.
Ninjas - Strengths: Fast; Stealthy. Weaknesses: No Armor; Smal

5 min Penetration Testing

SNMP Data Harvesting During Penetration Testing

A few months back I posted a blog entry, SNMP Best Practices [/2016/01/27/simple-network-management-protocol-snmp-best-practices], to give guidance on best methods to reduce security risks as they relate to SNMP. Now that everyone has had time to fix all those issues, I figured it's time to give some guidance to penetration testers and consultants on how to exploit exposed SNMP services by harvesting data and using it to expand their attack footprint. The first question when approaching SNMP is

2 min Penetration Testing

The path to a false sense of security: Leave your security controls enabled during testing

In my work performing vulnerability assessments and penetration tests, I'm often confronted with the dilemma of dealing with a pesky intrusion prevention system (IPS) or web application firewall (WAF). Sometimes we know they're there. Other times, they rear their ugly heads and force a days-long change management process for a whitelist request. Or, when testing web sites/applications, it's not uncommon to find out that I can just connect via SSL/TLS and carry out my tests that would've otherwis

2 min Penetration Testing

Top 3 Takeaways from the "Campfire Horror Stories: 5 Most Common Findings in Pen Tests" Webcast

Penetration Tests are a key part of assuring strong security, so naturally, security professionals are very curious about how this best practice goes down from the pen tester perspective. Jack Daniel, Director of Services at Rapid7 with 13 years of penetration testing under his belt, recently shared which flaws pen testers are regularly using to access sensitive data on the job in the webcast, “Campfire Horror Stories: 5 Most Common Findings in Pen Tests [https://information.rapid7.com/campfire-

2 min Penetration Testing

It can be dangerous assuming a vulnerability is not a vulnerability

I once worked on a project where an injection vulnerability was uncovered on a web application that allowed an attacker to craft special HTTP requests that could enumerate directories and see the contents of most files on the system. Everything from autoexec.bat to digital certificate files was there for the taking. Interestingly, one person on the team did not see it as a problem. Perhaps it was in defense of his environment, or perhaps it was just a general misunderstanding. Either way, file co

2 min Penetration Testing

Top 3 Takeaways: "7 Questions to Ask Your Penetration Testing Vendor" Webcast

Penetration testing is a security best practice for testing defenses and uncovering weaknesses in your infrastructure and applications, as well as a practice required by compliances such as PCI DSS. A penetration test doesn't stop at simply uncovering vulnerabilities: it goes the next step to actively exploit those vulnerabilities in order to prove (or disprove) real-world attack vectors against an organization's IT assets, data, and users. In a recent webcast, Jane Man, Wim Remes, and Matt Ride

7 min PCI

Webcast Followup: Escalate Your Efficiency

Last week, we had a live webcast to talk about how Metasploit Pro helps pentesters be more efficient and save time. There were so many attendees, which made it possible to have a great conversation. First of all, I want to thank those of you who took the time from your busy schedules to watch us live. Our viewers asked many questions, and we were not able to answer all of them due to time limitations. In this post, you will find the answers to those questions. First things fir

2 min PCI

Top 3 Takeaways from the "Escalate your Efficiency: How to Save Time on Penetration Testing" Webcast

Penetration Testing is a complex process that requires attention to detail, multi-tasking, extensive knowledge of different attack vectors, available vulnerabilities and exploits, and patience. Recently erayymz [https://twitter.com/erayymz], Senior Product Manager at Rapid7 spoke with pen testing professionals Leon Johnson, Senior Consultant at Rapid7, and Dustin Heywood, Manager of Security Assurance at ATB Financial. They discussed how to take advantage of automation with Metasploit Pro to sim

4 min Penetration Testing

Weekly Metasploit Wrapup: SQL Server Privileges, Templating New Modules

Microsoft SQL Server Pen-Tester Pro Tip This week, we've landed a trio of fun and interesting modules from long-time Metasploit community contributor Scott nullbind [https://twitter.com/_nullbind] Sutherland which automate a couple of Pro Tips on what to do when you've scored a login on a Microsoft SQL Server during a penetration test. One of these is a method to escalate the privileges of a SQL Server user [http://www.rapid7.com/db/modules/auxiliary/admin/mssql/mssql_escalate_execute_as]. Oft

3 min PCI

PCI 30 Seconds newsletter #37 - And PCI said "Get Pen-Tested"!

This newsletter clarifies what is expected to comply with PCI DSS 11.3: Penetration testing. Why is Pen-test needed? In the same way that wellness checks support a doctor's diagnosis by determining what's wrong or not working as expected (a.k.a. an analysis) and establish the appropriate treatment (a.k.a. a remediation plan), penetration testing aims to: * Determine and validate a diagnosis by determining the genuineness and severity of identified vulnerabilities * Validate that defense m

2 min Penetration Testing

Rely on data center audits alone and you'll get hit eventually

A couple years ago I had a discussion with an acquaintance regarding the security of his company's Web application. The gentleman told me that quite often prospective customers would ask them whether they had done any penetration testing. His canned response was essentially: rather than go down that road, we moved our application to a Tier 3 data center that was SOC-audited. Apparently that “remedy” sufficed for prospects who are concerned about the security of this company's cloud application/e

2 min Penetration Testing

Top 3 Takeaways from the "Healthcare Insomnia: Get the Prescription to Secure Unique Devices, People, and Organizations" Webcast

This week we were lucky enough to hear from Jay Radcliffe [http://www.reuters.com/article/2014/05/29/us-rapid7-radcliffe-idUSKBN0E929K20140529] , senior security researcher at Rapid7, in the webcast, "Healthcare Insomnia: Get the Prescription to Secure Unique Devices, People, and Organizations [https://information.rapid7.com/healthcare-insomnia-webcast.html?CS=blog]". Healthcare environments are complex - they're combining devices and data that have been around for 20 years with the newest techn

1 min Metasploit

Federal Friday - 5.30.14 - Social Engineering from the Middle East

Happy Friday, Federal friends. You can tell it's almost Summah up here because it's been 50 and raining this week. So an interesting piece of news from an article on DarkReading [http://www.darkreading.com/attacks-breaches/iranian-cyberspies-pose-as-journalists-online-to-ensnare-their-targets/d/d-id/1269270] this week regarding an ongoing campaign targeting government officials and contractors of both the US and Israel. This is a mash-up of social engineering techniques from phishing to social

2 min Metasploit

Top 3 Takeaways from "7 Ways to Make Your Penetration Tests More Productive" Webcast

Earlier this week we heard from ckirsch [https://community.rapid7.com/people/ckirsch], Senior Product Marketing Manager for Metasploit at Rapid7, on the pressure penetration testers are facing. (Hint: it's a lot!). With the increase in high profile breaches and their costs, more and more emphasis is being put on the pen tester and security in general. Read on if you'd like to get the top takeaways from this week's webcast so that you aren't left in the dark about, "7 Ways to Make Your Penetratio

3 min Flash

Weekly Metasploit Update: Operation Snowman and LadyBoyle

Scary-Sounding Flash Exploits This week's update brings us two new exploits from Juan Vazquez, [https://twitter.com/_juan_vazquez_] Boris dukeBarman [https://github.com/dukebarman] Ryutin, Jean-Jamil Khalife, and a criminal conspiracy of superhackers. Yep, seriously. That last bit is why these exploits deserve a special mention. These modules implement the attacks wrought by "Operation Snowman," and "LadyBoyle," two of the cooler-sounding names I've heard in a while. They allow for penetration

4 min Penetration Testing

7 Tips for Booking Your PCI 3.0 Penetration Testing Service (And Why Consultants Will Book Out Early This Year)

PCI DSS Compliance is driving about 35% of all penetration tests, according to a Rapid7 Metasploit User Survey with more than 2,200 respondents earlier this year. With the changes introduced in PCI DSS version 3.0, penetration tests will become more complex and longer in duration, and more companies will feel the need to run penetration tests in the first place. Given that it takes a lot of time and money to train new penetration testers, this will cause consultants to book out early, and probab

1 min Penetration Testing

Your PenTest Tools Arsenal

When it comes to information security, one of the major problems is setting up your PenTest Tools Arsenal. The truth is, there are too many tools out there and it would take forever to try half of them to see if one fits your needs. Over the years, some well-established tools have been released that most security professionals currently use, but that doesn't mean there aren't lesser-known yet still very good pentesting tools that are not as popular. I wanted to make a list of the pentest to

3 min Metasploit

Rapid7 Webcasts: A Great Week to Learn About Pentesting SAP Infrastructures

SAP applications contain a ton of juicy information, making them a great target for malicious attackers who are after intellectual property, financial statements, credit card data, PII and PHI. Breaching SAP systems opens the door for fraud, sabotage, and industrial espionage. SAP systems have often organically grown and are hard to update, making them a soft target. What's worse, pentesters are often unfamiliar with SAP infrastructures and how to pentest SAP systems. To help with the latter, R

3 min Penetration Testing

#pwnSAP Tweet Chat Debrief

On December 3, Rapid7 security researcher Juan Vazquez hosted a panel of experts [/2013/11/25/pwnsap-join-us-for-a-tweet-chat-on-dec-3] for a tweet chat to discuss SAP system hacking. The #pwnSAP chat was a great discussion – here are some highlights. Juan's first question was, “Can you start by telling us a bit about how SAP system hacking has changed lately?” @todb called this research paper, SAP Penetration Testing Using Metasploit – How to Protect Sensitive ERP Data [http://information.rap

1 min Penetration Testing

#pwnSAP: Join Us for a Tweet Chat on Dec. 3

As Christian Kirsch wrote earlier this month [/2013/11/11/learn-to-pentest-sap-with-metasploit-as-erp-attacks-go-mainstream], SAP system hacking has gone mainstream. This isn't surprising, considering ERP systems are treasure troves of financial, customer, employee and production data – but how do you secure them against attackers? On December 3rd at 12pm ET Rapid7 security researcher Juan Vazquez will host a panel of experts for a tweet chat to discuss trends in SAP system hacking and how to

1 min Penetration Testing

Responsible for security assessments? You need to join me TODAY (Thursday, October 24)...

TechTarget's SearchSecurity.com [http://searchsecurity.techtarget.com/] is hosting a webcast that I'm presenting tomorrow (Oct. 24th) called What you need to know about security vulnerability assessments (that no one is willing to share) [http://searchsecurity.techtarget.com/October-24-live-webcast-Vulnerability-assessments-with-Kevin-Beaver]. I'd love it if you could join me! Over the span of my entire career, I've worked in IT for 24 years, information security for the last 18 years, and I'

3 min Penetration Testing

Is it a pen test, an audit, or a vulnerability assessment?

Hi everyone, I'm glad to be here writing on SecurityStreet. Many thanks to Nate Crampton and Patrick Hellen at Rapid7 for helping me to get rolling! A while back I wrote a piece for TechTarget on the difference between pen tests, security audits and vulnerability assessment and I figured that this may be very relevant to Rapid7's community given Nexpose [http://www.rapid7.com/products/nexpose/] and Metasploit [http://www.rapid7.com/products/metasploit/]. Way back in the mid-1990s, at my first

4 min Metasploit

How To Do Internal Security Audits Remotely To Reduce Travel Costs

An internal penetration test simulates an attack on the network from inside the network. It typically simulates a rogue employee with user-level credentials or a person with physical access to the network, such as cleaning staff, trying to access resources on the network they're not authorized for. Internal penetration tests typically require the auditor to be physically present in the location. If you are working as a consultant, then conducting internal penetration tests can mean a lot of tr

2 min PCI

Do You (Un)knowingly Exfiltrate?

A few weeks ago, Twitter was buzzing about new and interesting Google Hacks. If you've been visiting this community for more than one day, you'll probably know this already; a Google Hack is a search query that produces some type of unauthorized access to (supposedly) protected data. In this latest iteration, the query is used to disclose private SSH keys stored on Github [https://github.com/search?q=size:%3E1+path:.ssh/id_rsa&type=Code&ref=searchresults]. Of course, this problem isn't limited

2 min Compliance

Malicious SSIDs And Web Apps

On February 13th 2013, Cisco released a security notice related to CVE-2013-1131 [http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1131] . According to Cisco, the vulnerability is due to improper validation of the Service Set Identifier (SSID) when performing a "site survey" to discover other wireless networks. On the face of it, this vulnerability seems to be low-risk. Indeed, site surveys are not often performed and an adversary would need to either be incredibly luc

1 min Metasploit

Whiteboard Wednesday - Password Auditing with Metasploit

This week's Whiteboard Wednesday [http://www.rapid7.com/resources/videos/password-auditing-with-metasploit.jsp] features our own David Maloney [https://community.rapid7.com/people/thelightcosine], speaking about password auditing techniques with Metasploit. He details three quick and easy techniques for auditing in this clip, including: * Brute forcing/online attacks * Hash Cracking/offline attacks * Password Recovery This clip aims to give you a good overview about just how much risk your'

1 min Metasploit

Evading Anti-Virus Detection - Whiteboard Wednesday

In today's Whiteboard Wednesday, David Maloney [https://community.rapid7.com/people/thelightcosine] explains anti-virus evasion techniques for Metasploit. In order to make the most of Metasploit pen testing techniques in delivering payloads, you need to be able to deliver those payloads without anti-virus flagging them. David walks us through a few examples on how to bypass anti-virus detection so you can easily pen test your systems. Watch the video here! [http://www.rapid7.com/resources/vid

4 min Penetration Testing

Free Metasploit Penetration Testing Lab In The Cloud

No matter whether you're taking your first steps with Metasploit or if you're already a pro, you need to practice, practice, practice your skillz. Setting up a penetration testing lab can be time-consuming and expensive (unless you have the hardware already), so I was very excited to learn about a new, free service called Hack A Server [http://www.hackaserver.com/], which offers vulnerable machines for you to pwn in the cloud. The service only required that I download and launch a VPN configurat

3 min Exploits

5 Tips to Ensure Safe Penetration Tests with Metasploit

Experienced penetration testers know what to look out for when testing production systems so they don't disrupt operations. Here's our guide to ensure smooth sailing. Vulnerabilities are unintentional APIs In my warped view of the world, vulnerabilities are APIs that weren't entirely intended by the developer. They are also undocumented and unsupported. Some of these vulnerabilities are exploited more reliably than others, and there are essentially three vectors to rank them: * Exploit s

2 min Metasploit

Introduction to Metasploit Hooks

Metasploit provides many ways to simplify your life as a module developer. One of the less well-known of these is the presence of various hooks you can use for processing things at important stages of the module's lifetime. The basic one that anyone who has written an exploit will be familiar with is exploit, which is called when the user types the exploit command. That method is common to all exploit modules. Aux and post modules have an analogous run method. Common to all the runnable modules

8 min Metasploit

The Odd Couple: Metasploit and Antivirus Solutions

I hear a lot of questions concerning antivirus evasion with Metasploit, so I'd like to share some of the information critical to understanding this problem. This blog post is not designed to give you surefire antivirus (AV) evasion techniques, but rather to help you understand the fundamentals of the issue. A Quick Glossary Before we begin, let's define a few terms. This will be important for understanding some of the things we will discuss. Payload: A payload is the actual code that is being del

1 min Penetration Testing

How to Justify Your Penetration Testing Budget - Whiteboard Wednesdays

Is penetration testing a good idea to you, but your managers don't seem to get it? Don't worry, you're not alone, and there is a solution. This Whiteboard Wednesday [http://www.rapid7.com/resources/videos/justifying-penetration-testing-budget.jsp] video walks you through some steps to achieve your goal - and to get your budget approved. Areas I'll touch on are: * How do I explain penetration testing to my boss? * Why do we need penetration testing if we have all these security controls in

1 min Penetration Testing

What is Penetration Testing? - Whiteboard Wednesdays

Are you wondering "What is penetration testing?" Need a quick primer on the topic? In this first video of our Whiteboard Wednesdays series, we're explaining what a penetration test is as well as some typical reasons why people conduct so-called "pen tests". I'll also introduce you to the typical steps of a penetration test, including: * Reconnaissance * Discovery * Exploitation * Bruteforcing * Social engineering * Taking control * Pivoting * Collecting evidence * Reporting * Remediati

1 min Metasploit

Webcast: Decrease Your Risk of a Data Breach - Effective Security Programs with Metasploit

Thanks to the many CISOs and security engineers who attended our recent webcast, in which I presented some practical advice on how to leverage Metasploit to conduct regular security reviews that address current attack vectors. While Metasploit is often used for penetration testing projects, this presentation focuses on leveraging Metasploit for ongoing security assessments that can be achieved with a small security team to reduce the risk of a data breach. This webcast is now available for on-

3 min Metasploit

SOC Monkey - Week in Review - 8.20.12

Monkeynauts, Welcome back to your weekly round up of the best bits from my App [http://itunes.apple.com/us/app/soc-monkey/id500480953?mt=8] that you should be downloading from the Apple App Store [http://itunes.apple.com/us/app/soc-monkey/id500480953?mt=8]. This week, let's dive right into the most clicked story from last week with an update on how Mat Honan is dealing with life post hack: How I Got My Digital Life Back Again After An Epic Hacking. [http://www.wired.com/gadgetlab/2012/08/mat-h

3 min Nexpose

SOC Monkey - Week in Review - 7.9.12

Welcome back Monkeyminions, to the best content aggregation blog you read on Mondays that's written by a monkey. If you'd like to join in the content part, feel free to download my App [http://itunes.apple.com/us/app/soc-monkey/id500480953?mt=8], from the Apple App Store [http://itunes.apple.com/us/app/soc-monkey/id500480953?mt=8]. It's July 9th, so for about 300,000 people, it's the end of the internet as they know it (yet I feel fine?): Still infected, 300,000 PCs to lose Internet access July

24 min Exploits

Metasploit exploit development - The series Part 1.

So you wanna be a Metasploit [http://www.exploit-db.com/author/?a=3211] exploit [http://www.exploit-db.com/author/?a=3211] developer huh? Well you are in luck because I have been working on an "in-depth" exploit development tutorial series that takes users behind the scenes on the process of exploit development and metasploit module creation. This series has been specifically designed with you "the community" in mind. It will cover step by step detail and explanation. This post is meant to

2 min Penetration Testing

SOC Monkey Week in Review - 6.1.12

Dearest Monkeynauts, As always, I'm back on Friday to give you the biggest news items the Pips have sent out this week via my free app [http://itunes.apple.com/us/app/soc-monkey/id500480953?mt=8], available in the Apple App store [http://itunes.apple.com/us/app/soc-monkey/id500480953?mt=8]. Download now! I'm sure none of you are surprised to see that our biggest topic is currently Flame [http://www.wired.com/threatlevel/2012/05/flame/]. My feeds started to explode earlier this week when Wire

2 min Networking

Are You in the Business of Selling Fear?

Let's be honest, security is primarily sold on the fear of something bad happening. If a breach occurs how will business continuity be affected? What will it cost? How bad could it be? These are the questions penetration testing seeks to answer for you. The end result is completion of a cost benefit analysis for purchasing security controls. The cost benefit analysis is calculated by totaling the cost of a single loss or breach, multiplied by breach likelihood, and comparing that to the price of

1 min Networking

How Data Breaches Affect Your Brand Value

A company's reputation, represented by its brand, can take a huge hit in a data breach, but it's also one of the hardest things to calculate in hard dollars. Imagine that all buildings of the Coca-Cola company burn down today. Someone offers to sell you the rights to use the brand Coca-Cola in the future to sell beverages. What would this right be worth to you? Although the entire enterprise has ceased to exist, the brand still has a certain value. Many companies invest a lot of money for

3 min Penetration Testing

SOC Monkey Week in Review - 5.4.12

Monkey Minions!  I have returned!  For those of you who still have not done so, make sure to download my SOC Monkey App [http://itunes.apple.com/us/app/soc-monkey/id500480953?mt=8], from the Apple App Store [http://itunes.apple.com/us/app/soc-monkey/id500480953?mt=8]. Still free, still fantastic. First up this week is the latest attempt of some type of legislation aimed at cybersecurity: Passage of CISPA in the U.S. House highlights need for viable cybersecurity legislation. [http://radar.oreil

2 min Compliance

SOC Monkey Week in Review - 4.26.12

Dearest Monkey Minions, It is once again your favorite Simian InfoSec curator, bringing you the most interesting bits and pieces from my App [http://itunes.apple.com/us/app/soc-monkey/id500480953?mt=8], that is, as you know, free in the Apple App Store [http://itunes.apple.com/us/app/soc-monkey/id500480953?mt=8]. This week, I'm actually traveling out there in that big wide world, so I'm going to keep this relatively simple. Next week, my normal big monkey mouth will be back in force, with lots

1 min Networking

A Penetration Test is Quality Assurance for Your Security Controls

“We've spent all this money on IT security and you're still telling me that you don't know whether our systems are secure?” your CEO might say. In addition, they may challenge you: shouldn't you know your systems well enough to know their weaknesses? Not really. Let's say you're a manufacturer of widgets. Even if you have the best machine and the brightest people working for you, you'll still want to ensure that the widgets that leave the factory will work as expected to ensure high customer sat

2 min Metasploit

Why Security Assessments Must Cover IPv6, Even In IPv4 Networks

What's your company doing to prepare for IPv6? Probably not an awful lot. While 10% of the world's top websites now offer IPv6 services, most companies haven't formulated an IPv6 strategy for the network. However, the issue is that most devices you have rolled out in the past 5 years have been IPv6-ready, if not IPv6-enabled. Windows 7 and Windows Server 2008 actually use IPv6 link-local addresses by default. Also think about all the other clients, servers, appliances, routers, and mobile device

1 min Penetration Testing

Is Your Data Too Sensitive For A Penetration Test?

If you are a security professional, you may have heard your executives say that their data is too sensitive for a penetration tester to read. If you're a consultant, this may be an objection you've heard from your customers. I was very surprised the first time I heard it, because the argument doesn't hold water if you think it through. Your counterpart acknowledges two facts: 1. The data is highly sensitive. 2. There is a chance that a penetration tester could successfully access the

3 min Metasploit

How to Fly Under the Radar of AV and IPS with Metasploit's Stealth Features

When conducting a penetration testing assignment, one objective may be to get into the network without tripping any of the alarms, such as IDS/IPS or anti-virus. Enterprises typically add this to the requirements to test if their defenses are good enough to detect an advanced attacker. Here's how you can make sure you can sneak in and out without "getting caught". Scan speed First of all, bear in mind that you'll want to slow down your initial network scan so you don't raise suspicion by crea

2 min Penetration Testing

Remote Egress Scanning with Metasploit

Yesterday I asked a question on Twitter and got a lot of responses from the security community. I was finishing up a Metasploit module that I was coding last weekend. I posed the challenge to myself of scanning for egress ports while not actually inside a network. I accomplished this task by setting up multiple listeners and embedding HTTP tags in a webpage. This can easily be done with Metasploit Framework. I created a report page and a stealth page with no images. Metasploit keeps track of the co

1 min Penetration Testing

On-demand Webcast: How to Set Up a Penetration Testing Lab

The recording of the webinar "How to set up a penetration testing test lab" is now online [http://www.rapid7.com/resources/webcast-pentest-lab.jsp]. Big thanks to Matt for a great presentation, and huge thanks to all of the participants for the great questions and input, which I've included in the Q&A transcription. Webinar resources: * Webinar recording [http://www.rapid7.com/resources/webcast-pentest-lab.jsp] * Webinar slides [https://community.rapid7.com/docs/DOC-1625] Related blog po

1 min Penetration Testing

10 Places to Find Vulnerable Machines for Your Lab

It can sometimes be challenging to find vulnerable machines for your penetration testing or vulnerability management lab. Here's a list of vulnerable machines you should check out: 1. Metasploitable [http://information.rapid7.com/download-metasploitable.html?LS=1631875&CS=web] 2. UltimateLAMP [http://ronaldbradford.com/tmp/UltimateLAMP-0.2.zip] 3. Web Security Dojo [http://sourceforge.net/projects/websecuritydojo/files/] 4. OWASP Hackademics [https://code.google.com/p/owasp-ha

1 min Penetration Testing

Using the <base> tag to clone a web page for social engineering attacks

Social engineering campaigns can be a lot more effective if you can impersonate a well-known website that users trust. However, when you simply clone a website by cutting-and-pasting the page source and putting it on your own server, your links will stop working. Copying all links and images from the other site can be cumbersome, but there's an alternative: the HTML <base> tag. It specifies a default address/target for all links on a page; it is inserted into the head element. Let's say you've

1 min Penetration Testing

Getting Management Buy-In for Penetration Testing

I often hear from technical IT folks that communicating the benefit of a penetration test is difficult, especially to a business audience. "You want me to authorize you to break into my systems?" they ask. We are all afraid of things we don't understand. This is why you should first make your management comfortable with the concept of penetration testing. Why don't you try this example: We should all visit our doctor for regular medical check-ups, even when we feel healthy. This is the only way

2 min Metasploit

PCI DIY: How to do an internal penetration test to satisfy PCI DSS requirement 11.3

If you're accepting or processing credit cards and are therefore subject to PCI DSS, you'll likely be familiar with requirement 11.3, which demands that you "perform penetration testing at least once a year, and after any significant infrastructure or application upgrade or modification". What most companies don't know is that you don't have to hire an external penetration testing consultant - you can carry out the penetration test internally, providing you follow some simple rules: * Sufficie

3 min Nexpose

Introducing Metasploit Community Edition!

The two-year anniversary of the Metasploit acquisition is coming up this week. Over the last two years we added a ridiculous amount of new code to the open source project, shipped dozens of new releases, and launched two commercial products. We could not have done this without the full support of the security community. In return, we wanted to share some of our commercial work with the security community at large. As of version 4.1 [http://www.metasploit.com/], we now include the Metasploit

1 min Metasploit

How to update to Metasploit 4.0

If you're packing to go to Black Hat, Defcon or Security B-Sides in Las Vegas, make sure you also download Metasploit 4.0 to entertain you on the plane ride. If you missed the recent announcement, check out this blog post [/2011/07/26/metasploit-pro-40-brings-greater-enterprise-integration-cloud-deployment-options-and-penetration-testing-automation] for a list of new features. The new version is now available for all editions, and here's how you upgrade: * Metasploit Pro and Metasploit Expre

2 min Events

What happens in Vegas.... Jabra edition!

UPDATE: See slides here https://community.rapid7.com/docs/DOC-1504 and see whitepaper at https://community.rapid7.com/docs/DOC-1505 Greetings! For my first blog on the new community site, I want to let everyone know what I'm going to be doing next week in Las Vegas. First, I'm teaching a course at BlackHat on penetration testing with Perl. The purpose of the course is to teach security professionals and system administrators the techniques that can be used to automate several of the normal t

4 min Metasploit

Metasploit 4.0 is coming soon!

It'll only be days until you can download the new Metasploit version 4.0! The new version marks the inclusion of 36 new exploits, 27 new post-exploitation modules and 12 auxiliary modules, all added since the release of version 3.7.1 in May 2011. These additions include nine new SCADA exploits, improved 64-bit Linux payloads, exploits for Firefox and Internet Explorer, full-HTTPS and HTTP Meterpreter stagers, and post-exploitation modules for dumping passwords from Outlook, WSFTP, CoreFTP, Sma

1 min Metasploit

Consulting for Profit: Building a Business on Security Assessments

Are you looking to expand your security consulting practice? Many companies around the world have built a successful business by packaging vulnerability management and penetration testing into the following services: * Security assessments * Deployment services * Security awareness * PCI Compliance * 11.2 Vulnerability Management * 11.3 Penetration Testing * Compliance and governance * Managed security services * Trainings We've heard from a lot of the security consul

3 min Metasploit

Looking back: NCCDC 2011 Recap

The past month has gone so quickly as I've been helping Rapid7 open its new UK office, but I wanted to take some time to recap the National Collegiate Cyber Defense Competition [http://www.nationalccdc.org/] (NCCDC) which took place in April, as it was a really awesome experience for all involved (even for the blue teams!). When I think back on NCCDC, the term “stacked deck” comes to mind. Let me set the stage: 9 college teams with ages ranging from 18 to 22 vs 15 of the best consultants the info

2 min Metasploit

Metasploit-ation for the Nation

In a couple of weeks, our very own @Mubix (AKA Rob Fuller to those who don't live their life with an @ sign permanently attached to their name!) will be offering Metasploit-ation for the Nation. Unlike that phrase – which I just made up – Mubix will actually be talking sense as he walks penetration testers through the delightful world of Metasploit Pro in a 4-hour in-depth training session. Mubix took some time to answer a few questions below to give you a flavor of the training. If you have

2 min Metasploit

Metasploit Pro 3.7: Better, Faster, Stronger

Over the last two months the Rapid7 team has been hard at work rewiring the database and session management components of the Metasploit Framework, Metasploit Express, and Metasploit Pro products. These changes make the Metasploit platform faster, more reliable, and able to scale to hundreds of concurrent sessions and thousands of target hosts. We are excited to announce the immediate availability of version 3.7 of Metasploit Pro and Metasploit Express! Existing customers can apply the latest s

1 min Metasploit

Metasploit T-shirt design contest: And the winner is...

You have voted in large numbers – and the results are out: design #36 [/servlet/JiveServlet/downloadImage/38-5353-1228/36.png] is the winner of the Metasploit T-shirt design contest. Danny Chrastil submitted the winning design, featuring the Metasploit logo consisting of code from the payload osx/ppc/shell_reverse_tcp. The back shows the Metasploit splash screen cow, our legendary creature of mystery and superstition. A few words about the winner: Danny Chrastil aka @DisK0nn3cT is a web appl

2 min Metasploit

Learn, download & contribute: the new Metasploit website

Today, we relaunched the Metasploit.com site. We hope you'll find it as awesome as we do. The new site not only has updated looks, we've also rewritten much of its content and put it on a shiny new server to make it faster. We mainly focused on three aspects: learn, download & contribute: Learn – Many Metasploit newbies told us they found it hard to get started with the Metasploit Framework, so we took a fresh look at our website to design it so that new Metasploit Framework users would fin

2 min Metasploit

Metasploit version 3.6 delivers enhanced command-line options and PCI reports

Originally posted by Chris Kirsch: All Metasploit editions are seeing an update to version 3.6 today, including an enhanced command-line feature set for increased proficiency and detailed PCI reports with pass/fail information for a comprehensive view of compliance posture with PCI regulations. Here's an overview of what's new: The new Metasploit Pro Console offers powerful new features that help professional penetration testers complete their job more efficiently in their preferred environmen

1 min Networking

w3af: Better, Stronger, Faster

Since our latest release back in November, the w3af team has focused on making the framework better, stronger and faster. By downloading this release you'll be able to enjoy new vulnerability checks, more stable code and about a 15% performance boost in the overall speed of your scan. Here's what's new: * Now using bloom filters [http://en.wikipedia.org/wiki/Bloom_filter] instead of sqlite3 databases, which are persistent on disk, effectively increasing scan performance by about 15%!

1 min Antivirus

Become invisible to anti-virus protection

Wouldn't it be fantastic to be invisible for a day? Walk straight into a bank vault in the morning, be a fly on the wall in the Oval Office for lunch, and spend an evening in your favorite movie star's house. Well, now you can - with Metasploit! We tested our Metasploit invisibility cloak on a field day recently. Our venue of choice: an anti-virus test lab. The goal was to test how well Metasploit's anti-virus protection would hold up against the most recent versions of the world's top ten a

6 min Metasploit

How to set up a pentesting lab

One of my biggest challenges in learning how to pentest was finding systems to test against. I heard that using your neighbor's network is "frowned upon", and hanging out in a Starbucks and pwning your fellow coffee drinkers on the public wifi raises the occasional eyebrow. So what do I do? Build a test environment. The concept itself isn't difficult, but there are easy and hard ways to do it. I wanted two machines: one with my vulnerable VMs, the other with Metasploit and NeXpose. This i

2 min Networking

Chinese agencies double cyber attacks on Germany

"Prost Neujahr!" That's what we say for "Happy New Year" in Germany, where I just spent a few days with my family to relax and get away from work. A futile attempt, since the Bundesamt für Verfassungsschutz (Federal Office for the Protection of the Constitution, or BfV for short) decided to publish new statistics about cyber attacks. (And, yes, Germans love long words.) According to the BfV's department for counter-espionage [http://www.verfassungsschutz.de/de/arbeitsfelder/af_spionageabwehr_

1 min Metasploit

Rapid7 scam busters: Using social engineering to train your users about phishing attacks

With the holidays approaching, many people are looking for gift ideas and deals. Holiday season is also hunting season for malicious hackers who send out gift idea and deal phishing emails. How do you protect your employees from divulging their personal and even corporate passwords to an attacker? It's hard to combat phishing with technology. Training employees to spot phishing scams is the most effective, but training is time intensive and may impact productivity. What if you could find a w

6 min Metasploit

Cisco IOS Penetration Testing with Metasploit

The Metasploit Framework and the commercial Metasploit products have always provided features for assessing the security of network devices. With the latest release, we took this a step further and focused on accelerating the penetration testing process for Cisco IOS devices. While the individual modules and supporting libraries were added to the open source framework, the commercial products can now chain these modules together to quickly compromise all vulnerable devices on the network. The sc

2 min Linux

Offensive Security = Backtrack Linux + Metasploit Pro

This week the guys over at Offensive Security [http://www.offensive-security.com/] officially added Metasploit Pro [http://www.rapid7.com/products/metasploit-pro.jsp] to their curriculum for the class Penetration Testing with Backtrack [http://www.offensive-security.com/online-information-security-training/penetration-testing-backtrack/]. For those not familiar with it, BackTrack [http://www.backtrack-linux.org/] is a Linux distribution that includes a lot of tools for penetration testing. Since

2 min Exploits

Sesame open: Auditing password security with Metasploit 3.5.1

Secret passwords don't only get you into Aladdin's cave or the tree house, but also into corporate networks and bank accounts. Yet, they are one of the weakest ways to protect access. Sure, there are better ways to secure access, such as smart cards or one-time password tokens, but these are still far from being deployed everywhere although the technology has matured considerably over the past years. Passwords are still the easiest way into a network. The new Metasploit version 3.5.1 adds a l

2 min Events

Mubix and Carnal0wnage join the Rapid7 family

We're happy to welcome two new rock stars to our family: Rob Fuller aka mubix [http://twitter.com/mubix] and Chris Gates aka carnal0wnage [http://twitter.com/carnal0wnage] are joining our professional services team to conduct penetration tests for Rapid7 customers. Rob joins us from Applied Security, where he worked as a Network Attack Operator, a Penetration Tester for the Department of Defense, a Senior Incident Response Analyst for the Department of State and multiple Information S

4 min Exploits

Setting up a test environment for VPN Pivoting with Metasploit Pro

Penetration testing software only shows its true capabilities on actual engagements. However, you cannot race a car before you've ever sat in the driver's seat. That's why in this article I'd like to show you how to set up a test environment for VPN pivoting, a Metasploit Pro [http://www.rapid7.com/products/metasploit-pro.jsp] feature for intermediate and advanced users recently described in this post [https://community.rapid7.com/blogs/rapid7/2010/11/08/how-vpn-pivoting-creates-an-undetectable-

1 min Metasploit

Turning your world upside down: Metasploit ambigram tattoos

Bill Swearingen aka hevnsnt blew us away by designing a Metasploit ambigram for the Metasploit Pro tattoo contest. You may remember Roy's Metasploit tattoo [https://community.rapid7.com/blogs/rapid7/2010/11/01/we-weren-t-joking-when-we-said-tattoos] a few weeks ago, which prompted our Metasploit Pro [http://www.rapid7.com/products/metasploit-pro.jsp] tattoo competition. We thought it was a cute idea, expecting a few fun pictures with felt pen tattoos or tattoo photo montages of the Metas

1 min Metasploit

Help your new sweethearts call home to Metasploit

Setting listener host and ports for payloads in Metasploit Pro. Life is full of disappointments: You spend a lot of time flirting with a cute new machine, convince it to accept your payload, and never get a call back – just because the big bad NAT is not letting your new sweetheart phone home. That's why many of you broken-hearted pentesters have asked us to make the listener port and IP address for payloads configurable to ports that are usually accessible, such as ports 80 and 443. This week'

2 min Metasploit

How VPN pivoting creates an undetectable local network tap

Let's assume your goal for an external penetration test is to pwn the domain controller. Of course, the domain controller's IP address is not directly accessible from the Web, so how do you go about it? Seasoned pentesters already know the answer: they compromise a publicly accessible host and pivot to other machines and network segments until they reach the domain controller. It's the same concept as a frog trying to cross a pond by jumping from lily pad to lily pad. If you have already

2 min Awards

We weren't joking when we said "tattoos"!

Be careful what we wish for: In 2006, HD Moore wrote a blog post [/2006/08/27/metasploit-framework-30-beta-2] about a redesign of the Metasploit Project, announcing that the new graphics “will be featured on tee shirts, posters, and tattoos over the coming year.” Well, you guys took a little longer than we thought but we now have our first Metasploit tattoo! Initially, we thought Roy Morris (aka @soundwave1234 [http://twitter.com/soundwave1234]) was joking when he tweeted to @hdmoore [htt

2 min Exploits

Take an earlier flight home with the new Metasploit Pro

We love it, our beta testers loved it, and we trust you will as well: today we're introducing Metasploit Pro [http://www.rapid7.com/products/metasploit-pro.jsp], our newest addition to the Metasploit family, made for penetration testers who need a bigger, and better, bag of tricks. Metasploit Pro provides advanced penetration testing capabilities, including web application exploitation and social engineering. The feedback from our beta testers has been fantastic, most people loved how easily