Posts tagged Penetration Testing

4 min Penetration Testing

Free Metasploit Penetration Testing Lab in the Cloud

No matter whether you're taking your first steps with Metasploit or if you're already a pro, you need to practice, practice, practice your skillz. Setting up a penetration testing lab can be time-consuming and expensive (unless you have the hardware already), so I was very excited to learn about a new, free service called Hack A Server, which offers vulnerable machines for you to pwn in the cloud. The service only required that I download and launch a VPN configuration to connect to the vulnerab

3 min Exploits

5 Tips to Ensure Safe Penetration Tests with Metasploit

Experienced penetration testers know what to look out for when testing production systems so they don't disrupt operations. Here's our guide to ensure smooth sailing. Vulnerabilities are unintentional APIs In my warped view of the world, vulnerabilities are APIs that weren't entirely intended by the developer. They are also undocumented and unsupported. Some of these vulnerabilities are exploited more reliably than others, and there are essentially three vectors to rank them: * Exploit s

2 min Metasploit

Introduction to Metasploit Hooks

Metasploit provides many ways to simplify your life as a module developer. One of the less well-known of these is the presence of various hooks you can use for processing things at important stages of the module's lifetime. The basic one that anyone who has written an exploit will be familiar with is exploit, which is called when the user types the exploit command. That method is common to all exploit modules. Aux and post modules have an analogous run method. Common to all the runnable modules

8 min Metasploit

The Odd Couple: Metasploit and Antivirus Solutions

I hear a lot of questions concerning antivirus evasion with Metasploit, so I'd like to share some of the information critical to understanding this problem. This blog post is not designed to give you surefire antivirus (AV) evasion techniques, but rather to help you understand the fundamentals of the issue. A Quick Glossary Before we begin, let's define a few terms. This will be important for understanding some of the things we will discuss. Payload: A payload is the actual code that is being del

1 min Networking

A Penetration Test is Quality Assurance for Your Security Controls

“We've spent all this money on IT security and you're still telling me that you don't know whether our systems are secure?” your CEO might say. In addition, they may challenge that you should know your systems well enough to know their weaknesses. Not really. Let's say you're a manufacturer of widgets. Even if you have the best machine and the brightest people working for you, you'll still want to ensure that the widgets that leave the factory will work as expected to ensure high customer sat

0 min Penetration Testing

10 Places to Find Vulnerable Machines for Your Pentesting Lab

It can sometimes be challenging to find vulnerable machines for your penetration testing or vulnerability management lab. Here's a list of vulnerable machines you should check out:

1. Metasploit [https://www.rapid7.com/products/metasploit/]
2. UltimateLAMP [https://ronaldbradford.com/blog/tag/ultimatelamp/]
3. Web Security Dojo [https://sourceforge.net/projects/websecuritydojo/files/]
4. OWASP Hackademics [https://code.google.com/archive/p/owasp-hackademic-challenges/downloads]

2 min Metasploit

PCI DIY: How to do an internal penetration test to satisfy PCI DSS requirement 11.3

If you're accepting or processing credit cards and are therefore subject to PCI DSS, you'll likely be familiar with requirement 11.3, which demands that you "perform penetration testing at least once a year, and after any significant infrastructure or application upgrade or modification". What most companies don't know is that you don't have to hire an external penetration testing consultant - you can carry out the penetration test internally, providing you follow some simple rules: * Sufficie

3 min Nexpose

Introducing Metasploit Community Edition!

The two-year anniversary of the Metasploit acquisition is coming up this week. Over the last two years we added a ridiculous amount of new code to the open source project, shipped dozens of new releases, and launched two commercial products. We could not have done this without the full support of the security community. In return, we wanted to share some of our commercial work with the security community at large. As of version 4.1 [http://www.metasploit.com/], we now include the Metasploit

1 min Metasploit

How to Update to Metasploit 4.0

If you're packing to go to Black Hat, Defcon or Security B-Sides in Las Vegas, make sure you also download Metasploit 4.0 to entertain you on the plane ride. The new version is now available for all editions, and here's how you upgrade: * Metasploit Pro and Metasploit Express 4.0: For fresh installs, download version 4.0 of Metasploit Pro [https://www.rapid7.com/products/metasploit/download/] and install. If you already have Metasploit Pro or Metasploit Express installed, simply go t

4 min Metasploit

Metasploit 4.0 is Coming Soon!

It'll only be days until you can download the new Metasploit version 4.0! The new version marks the inclusion of 36 new exploits, 27 new post-exploitation modules and 12 auxiliary modules, all added since the release of version 3.7.1 in May 2011. These additions include nine new SCADA exploits, improved 64-bit Linux payloads, exploits for Firefox and Internet Explorer, full-HTTPS and HTTP Meterpreter stagers, and post-exploitation modules for dumping passwords from Outlook, WSFTP, CoreFTP, S

2 min Metasploit

Metasploit-ation for the Nation

In a couple of weeks, our very own @Mubix (AKA Rob Fuller to those who don't live their life with an @ sign permanently attached to their name!) will be offering Metasploit-ation for the Nation.  Unlike that phrase – which I just made up – Mubix will actually be talking sense as he walks penetration testers through the delightful world of Metasploit Pro in a 4-hour in-depth training session. Mubix took some time to answer a few questions below to give you a flavor of the training.  If you have

2 min Metasploit

Metasploit Pro 3.7: Better, Faster, Stronger

Over the last two months the Rapid7 team has been hard at work rewiring the database and session management components of the Metasploit Framework, Metasploit Express, and Metasploit Pro products. These changes make the Metasploit platform faster, more reliable, and able to scale to hundreds of concurrent sessions and thousands of target hosts. We are excited to announce the immediate availability of version 3.7 of Metasploit Pro and Metasploit Express! Existing customers can apply the latest s

1 min Metasploit

Metasploit T-Shirt Design Contest: And the Winner is...

You have voted in large numbers – and the results are out: design #36 [/servlet/JiveServlet/downloadImage/38-5353-1228/36.png] is the winner of the Metasploit T-shirt design contest. Danny Chrastil submitted the winning design, featuring the Metasploit logo consisting of code from the payload osx/ppc/shell_reverse_tcp. The back shows the Metasploit splash screen cow, our legendary creature of mystery and superstition. A few words about the winner: Danny Chrastil aka @DisK0nn3cT is a web appl

2 min Metasploit

Learn, Download & Contribute: The New Metasploit Website

Today, we relaunched the Metasploit.com site. We hope you'll find it as awesome as we do. The new site not only has updated looks, we've also rewritten much of its content and put it on a shiny new server to make it faster. We mainly focused on three aspects: learn, download & contribute: Learn – Many Metasploit newbies told us they found it hard to get started with the Metasploit Framework, so we took a fresh look at our website to design it so that new Metasploit Framework users would fin

2 min Metasploit

Metasploit Version 3.6 Delivers Enhanced Command-Line Options and PCI Reports

Originally Posted by Chris Kirsch. All Metasploit editions are seeing an update to version 3.6 today, including an enhanced command-line feature set for increased proficiency and detailed PCI reports with pass/fail information for a comprehensive view of compliance posture with PCI regulations. Here's an overview of what's new: The new Metasploit Pro Console offers powerful new features that help professional penetration testers complete their job more efficiently in their preferred environmen