1 min
Metasploit
Six Wonderful Years
Rapid7 has been my home for the last six years, growing from 98 people when I
joined to over 700 today. Keeping up with the growth has been both exhilarating
and terrifying. I am really proud of our Austin team, the Metasploit ecosystem,
and our leadership in security research. We care about our customers, our
employees, and our impact in the industry. Working at Rapid7 has simply been the
best job I have ever had.
We have surpassed every goal that I set when I joined in 2009. Metasploit is
thr
5 min
Vulnerability Disclosure
CVE-2015-7755: Juniper ScreenOS Authentication Backdoor
On December 18th, 2015 Juniper issued an advisory
[https://supportportal.juniper.net/s/article/2015-12-Out-of-Cycle-Security-Bulletin-ScreenOS-Multiple-Security-issues-with-ScreenOS-CVE-2015-7755-CVE-2015-7756?language=en_US]
indicating that they had discovered unauthorized code in the ScreenOS software
that powers their Netscreen firewalls. This advisory covered two distinct
issues: a backdoor in the VPN implementation that allows a passive eavesdropper
to decrypt traffic and a second backdoor
8 min
Metasploit
Meterpreter Survey 2015: You spoke, we listened, then wrote a bunch of code.
The Survey
One month ago we asked the community for feedback about how they use Metasploit
and what they want to see in the Meterpreter payload suite going forward. Over
the course of a week we received over 400 responses and over 200 write-in
suggestions for new features. We have spent the last month parsing through your
responses, identifying dependencies, and actively delivering new features based
on your requests. These requests covered 20 different categories:
General Feedback Metasploit F
4 min
The Internet of Gas Station Tank Gauges
Introduction
Automated tank gauges (ATGs) are used to monitor fuel tank inventory levels,
track deliveries, raise alarms that indicate problems with the tank or gauge
(such as a fuel spill), and to perform leak tests in accordance with
environmental regulatory compliance. ATGs are used by nearly every fueling
station in the United States and tens of thousands of systems internationally.
Many ATGs can be programmed and monitored through a built-in serial port, a
plug-in serial port, a fax/modem,
3 min
Metasploit
12 Days of HaXmas: Metasploit, Nexpose, Sonar, and Recog
This post is the tenth in a series, 12 Days of HaXmas, where we take a look at
some of the more notable advancements and events in the Metasploit Framework over
the course of 2014.
The Metasploit Framework [https://www.metasploit.com/download/] uses operating
system and service fingerprints for automatic target selection and asset
identification. This blog post describes a major overhaul of the fingerprinting
backend within Metasploit and how you can extend it by submitting new
fingerprints.
Histo
3 min
Vulnerability Disclosure
R7-2014-15: GNU Wget FTP Symlink Arbitrary Filesystem Access
Introduction
GNU Wget is a command-line utility designed to download files via HTTP, HTTPS,
and FTP. Wget versions prior to 1.16 are vulnerable to a symlink attack
(CVE-2014-4877) when running in recursive mode with an FTP target. This
vulnerability allows an attacker operating a malicious FTP server to create
arbitrary files, directories, and symlinks on the user's filesystem. The symlink
attack allows file contents to be overwritten, including binary files, and
access to the entire filesystem wit
1 min
Windows
Mitigating Service Account Credential Theft
I am excited to announce a new whitepaper, Mitigating Service Account Credential
Theft on Windows
[https://hdm.io/writing/Mitigating%20Service%20Account%20Credential%20Theft%20on%20Windows.pdf].
This paper was a collaboration between myself, Joe Bialek of
Microsoft, and Ashwath Murthy of Palo Alto Networks. The executive summary is
shown below.
Over the last 15 years, the Microsoft Windows ecosystem has expanded with the
meteoric rise of the internet, business technology, and computing in gene
2 min
Goodnight, BrowserScan
The BrowserScan [https://browserscan.rapid7.com/] concept emerged during the
heyday of Java zero-day exploits in 2012. The risk posed by out-of-date browser
addons, especially Java and Flash, was a critical issue for our customers and
the greater security community. The process of scanning each desktop for
outdated plugins was something that many firms couldn't do easily. BrowserScan
helped these firms gather macro-level exposure data about their desktop systems,
providing a quick health-check o
4 min
Vulnerability Disclosure
Supermicro IPMI Firmware Vulnerabilities
Introduction
This post summarizes the results of a limited security analysis of the
Supermicro IPMI firmware. This firmware is used in the baseboard management
controller (BMC) of many Supermicro motherboards.
The majority of our findings relate to firmware version SMT_X9_226. The
information in this post was provided to Supermicro on August 22nd, 2013 in
accordance with the Rapid7 vulnerability disclosure policy.
Although we have a number of Metasploit modules in development to test these
iss
0 min
Welcome to Project Sonar!
Project Sonar is a community effort to improve security through the active
analysis of public networks. This includes running scans across public
internet-facing systems, organizing the results, and sharing the data with the
information security community. The three components to this project are tools,
datasets, and research.
Please visit the Sonar Wiki [https://github.com/rapid7/sonar/wiki] for more
information.
13 min
Metasploit
A Penetration Tester's Guide to IPMI and BMCs
Introduction
Dan Farmer is known for his groundbreaking work [http://fish2.com/security/] on
security tools and processes. Over the last year, Dan has identified some
serious security issues [http://fish2.com/ipmi/] with the Intelligent Platform
Management Interface (IPMI) protocol and the Baseboard Management Controllers
(BMCs) that speak it. This post goes into detail on how to identify and test for
each of the issues that Dan identified, using a handful of free security tools.
If you are lo
3 min
Metasploit
Security Flaws in Universal Plug and Play: Unplug, Don't Play
This morning we released a whitepaper entitled Security Flaws in Universal Plug
and Play
[https://information.rapid7.com/rs/411-NAK-970/images/SecurityFlawsUPnP%20%281%29.pdf].
This paper is the result of a research project spanning the second half of
2012 that measured the global exposure of UPnP-enabled network devices. The
results were shocking, to say the least. Over 80 million unique IPs were
identified that responded to UPnP discovery requests from the internet.
Somewhere between 40 a
3 min
Exploits
Ray Sharp CCTV DVR Password Retrieval & Remote Root
On January 22, 2013, a researcher going by the name someLuser detailed a number
of security flaws in the Ray Sharp DVR platform. These DVRs are often used for
closed-circuit TV (CCTV) systems and security cameras. In addition to Ray Sharp,
the exposures seem to affect rebranded DVR products by Swann, Lorex, URMET,
KGuard, Defender, DEAPA/DSP Cop, SVAT, Zmodo, BCS, Bolide, EyeForce, Atlantis,
Protectron, Greatek, Soyo, Hi-View, Cosmos, and J2000. The vulnerabilities allow
for unauthenticated acce
1 min
Metasploit
Hacking like it's 1985: Rooting the Cisco Prime LAN Management Solution
On January 9th Cisco released advisory cisco-sa-20130109
[http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130109-lms]
to address a vulnerability in the "rsh" service running on their Cisco Prime LAN
Management Solution virtual appliance. The bug is as bad as it gets - anyone who
can access the rsh service can execute commands as the root user account without
authentication. The example below demonstrates how to exploit this flaw using
Metasploit ( free download [
5 min
Exploits
Exploiting Ruby on Rails with Metasploit (CVE-2013-0156)
Background
Earlier this week, a critical security flaw
[https://www.rapid7.com/blog/post/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156/]
in Ruby on Rails (RoR) was identified that could expose an application to remote
code execution, SQL injection
[https://www.rapid7.com/fundamentals/sql-injection-attacks/], and denial of
service attacks. Ruby on Rails is a popular web application framework that is
used by both web sites and web-enabled products and this flaw is by far the
worst