1 min
Metasploit
Six Wonderful Years
Rapid7 has been my home for the last six years, growing from 98 people when I
joined to over 700 today. Keeping up with the growth has been both exhilarating
and terrifying. I am really proud of our Austin team, the Metasploit ecosystem,
and our leadership in security research. We care about our customers, our
employees, and our impact in the industry. Working at Rapid7 has simply been the
best job I have ever had.
We have surpassed every goal that I set when I joined in 2009. Metasploit is
thr
5 min
Vulnerability Disclosure
CVE-2015-7755: Juniper ScreenOS Authentication Backdoor
On December 18th, 2015 Juniper issued an advisory
[https://supportportal.juniper.net/s/article/2015-12-Out-of-Cycle-Security-Bulletin-ScreenOS-Multiple-Security-issues-with-ScreenOS-CVE-2015-7755-CVE-2015-7756?language=en_US]
indicating that they had discovered unauthorized code in the ScreenOS software
that powers their Netscreen firewalls. This advisory covered two distinct
issues; a backdoor in the VPN implementation that allows a passive eavesdropper
to decrypt traffic and a second backdoor
8 min
Metasploit
Meterpreter Survey 2015: You spoke, we listened, then wrote a bunch of code.
The Survey
One month ago we asked the community for feedback about how they use Metasploit
and what they want to see in the Meterpreter payload suite going forward. Over
the course of a week we received over 400 responses and over 200 write-in
suggestions for new features. We have spent the last month parsing through your
responses, identifying dependencies, and actively delivering new features based
on your requests. These requests covered 20 different categories:
General Feedback Metasploit F
4 min
The Internet of Gas Station Tank Gauges
Introduction
Automated tank gauges (ATGs) are used to monitor fuel tank inventory levels,
track deliveries, raise alarms that indicate problems with the tank or gauge
(such as a fuel spill), and to perform leak tests in accordance with
environmental regulatory compliance. ATGs are used by nearly every fueling
station in the United States and tens of thousands of systems internationally.
Many ATGs can be programmed and monitored through a built-in serial port, a
plug-in serial port, a fax/modem,
3 min
Metasploit
12 Days of HaXmas: Metasploit, Nexpose, Sonar, and Recog
This post is the tenth in a series, 12 Days of HaXmas, where we take a look at
some of more notable advancements and events in the Metasploit Framework over
the course of 2014.
The Metasploit Framework [https://www.metasploit.com/download/] uses operating
system and service fingerprints for automatic target selection and asset
identification. This blog post describes a major overhaul of the fingerprinting
backend within Metasploit and how you can extend it by submitting new
fingerprints.
Histo
3 min
Vulnerability Disclosure
R7-2014-15: GNU Wget FTP Symlink Arbitrary Filesystem Access
Introduction
GNU Wget is a command-line utility designed to download files via HTTP, HTTPS,
and FTP. Wget versions prior to 1.16 are vulnerable a symlink attack
(CVE-2014-4877) when running in recursive mode with a FTP target. This
vulnerability allows an attacker operating a malicious FTP server to create
arbitrary files, directories, and symlinks on the user's filesystem. The symlink
attack allows file contents to be overwritten, including binary files, and
access to the entire filesystem wit
1 min
Windows
Mitigating Service Account Credential Theft
I am excited to announce a new whitepaper, Mitigating Service Account
Credential
Theft
[https://hdm.io/writing/Mitigating%20Service%20Account%20Credential%20Theft%20on%20Windows.pdf]
on Windows. This paper was a collaboration between myself, Joe Bialek of
Microsoft, and Ashwath Murthy of Palo Alto Networks. The executive summary is
shown below,
Over the last 15 years, the Microsoft Windows ecosystem has expanded with the
meteoric rise of the internet, business technology, and computing in gene
2 min
Goodnight, BrowserScan
The BrowserScan [https://browserscan.rapid7.com/] concept emerged during the
heyday of Java zero-day exploits in 2012. The risk posed by out-of-date browser
addons, especially Java and Flash, was a critical issue for our customers and
the greater security community. The process of scanning each desktop for
outdated plugins was something that many firms couldn't do easily. BrowserScan
helped these firms gather macro-level exposure data about their desktop systems,
providing a quick health-check o
4 min
Vulnerability Disclosure
Supermicro IPMI Firmware Vulnerabilities
Introduction
This post summarizes the results of a limited security analysis of the
Supermicro IPMI firmware. This firmware is used in the baseboard management
controller (BMC) of many Supermicro motherboards.
The majority of our findings relate to firmware version SMT_X9_226. The
information in this post was provided to Supermicro on August 22nd, 2013 in
accordance with the Rapid7 vulnerability disclosure policy.
Although we have a number of Metasploit modules in development to test these
iss
0 min
Welcome to Project Sonar!
Project Sonar is a community effort to improve security through the active
analysis of public networks. This includes running scans across public
internet-facing systems, organizing the results, and sharing the data with the
information security community. The three components to this project are tools,
datasets, and research.
Please visit the Sonar Wiki [https://github.com/rapid7/sonar/wiki] for more
information.
13 min
Metasploit
A Penetration Tester's Guide to IPMI and BMCs
Introduction
Dan Farmer is known for his groundbreaking work [http://fish2.com/security/] on
security tools and processes. Over the last year, Dan has identified some
serious security issues [http://fish2.com/ipmi/] with the Intelligent Platform
Management Interface (IPMI) protocol and the Baseboard Management Controllers
(BMCs) that speak it. This post goes into detail on how to identify and test for
each of the issues that Dan identified, using a handful of free security tools.
If you are lo
3 min
Metasploit
Security Flaws in Universal Plug and Play: Unplug, Don't Play
This morning we released a whitepaper entitled Security Flaws in Universal Plug
and Play
[https://information.rapid7.com/rs/411-NAK-970/images/SecurityFlawsUPnP%20%281%29.pdf]
. This paper is the result of a research project spanning the second half of
2012 that measured the global exposure of UPnP-enabled network devices. The
results were shocking to the say the least. Over 80 million unique IPs were
identified that responded to UPnP discovery requests from the internet.
Somewhere between 40 a
3 min
Exploits
Ray Sharp CCTV DVR Password Retrieval & Remote Root
On January 22, 2013, a researcher going by the name someLuser detailed a number
of security flaws in the Ray Sharp DVR platform. These DVRs are often used for
closed-circuit TV (CCTV) systems and security cameras. In addition to Ray Sharp,
the exposures seem to affect rebranded DVR products by Swann, Lorex, URMET,
KGuard, Defender, DEAPA/DSP Cop, SVAT, Zmodo, BCS, Bolide, EyeForce, Atlantis,
Protectron, Greatek, Soyo, Hi-View, Cosmos, and J2000. The vulnerabilities allow
for unauthenticated acce
1 min
Metasploit
Hacking like it's 1985: Rooting the Cisco Prime LAN Management Solution
On January 9th Cisco released advisory cisco-sa-20130109
[http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130109-lms]
to address a vulnerability in the "rsh" service running on their Cisco Prime LAN
Management Solution virtual appliance. The bug is as bad as it gets - anyone who
can access the rsh service can execute commands as the root user account without
authentication. The example below demonstrates how to exploit this flaw using
Metasploit ( free download [
5 min
Exploits
Exploiting Ruby on Rails with Metasploit (CVE-2013-0156)
Background
Earlier this week, a critical security flaw
[https://www.rapid7.com/blog/post/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156/]
in Ruby on Rails (RoR) was identified that could expose an application to remote
code execution, SQL injection
[https://www.rapid7.com/fundamentals/sql-injection-attacks/], and denial of
service attacks. Ruby on Rails is a popular web application framework that is
used by both web sites and web-enabled products and this flaw is by far the
worst