Posts by Jon Hart

3 min Project Sonar

Attack Surface Monitoring with Project Sonar

Attack Surface Monitoring with Project Sonar can help you reduce and monitor your attack surface.

8 min Vulnerability Management

Understanding Ubiquiti Discovery Service Exposures

On Jan. 29, the Rapid7 Labs team was informed of a tweet by Jim Troutman indicating that Ubiquiti devices were being exploited and used to conduct denial-of-service attacks using a service on 10001/UDP.

6 min Haxmas

Happy HaXmas! Year-End Internet Scanning Observations

As we wrap up 2018 and forge ahead into 2019, let's reflect on some of the key observations we made through our internet scanning with Project Sonar.

13 min Research

Rsunk your Battleship: An Ocean of Data Exposed through Rsync

Rapid7 Labs recently decided to take a fresh look at rsync, this time focusing on exposure of rsync globally on the public internet.

7 min Research

Cisco Smart Install Exposure

Cisco Smart Install (SMI) provides configuration and image management capabilities for Cisco switches. Cisco’s SMI documentation [http://www.cisco.com/c/en/us/td/docs/switches/lan/smart_install/configuration/guide/smart_install/concepts.html] goes into more detail than we’ll be touching on in this post, but the short version is that SMI leverages a combination of DHCP, TFTP and a proprietary TCP protocol to allow organizations to deploy and manage Cisco switches. Using SMI yields a number of be

7 min Research

Remote Desktop Protocol (RDP) Exposure

The Remote Desktop Protocol, commonly referred to as RDP, is a proprietary protocol developed by Microsoft that is used to provide a graphical means of connecting to a network-connected computer. RDP client and server support has been present in varying capacities in most every Windows version since NT [https://en.wikipedia.org/wiki/Windows_NT]. Outside of Microsoft's offerings, there are RDP clients available for most other operating systems. If the nitty gritty of protocols is your thing, Wiki

3 min Project Sonar

Signal to Noise in Internet Scanning Research

We live in an interesting time for research related to Internet scanning. There is a wealth of data and services to aid in research. Scanning related initiatives like Rapid7's Project Sonar [https://sonar.labs.rapid7.com/], Censys [https://censys.io/], Shodan [https://www.shodan.io/], Shadowserver [https://www.shadowserver.org/] or any number of other public/semi-public projects have been around for years, collecting massive troves of data.  The data and services built around it has been used f

3 min Project Sonar

The Internet of Gas Station Tank Gauges -- Final Take?

In early 2015, HD Moore performed one of the first publicly accessible research related to Internet-connected gas station tank gauges, The Internet of Gas Station Tank Gauges [/2015/01/22/the-internet-of-gas-station-tank-gauges]. Later that same year, I did a follow-up study that probed a little deeper in The Internet of Gas Station Tank Gauges — Take #2 [/2015/11/18/the-internet-of-gas-station-tank-gauges-take-2]. As part of that study, we were attempting to see if the exposure of these devic

8 min Vulnerability Management

ScanNow DLL Search Order Hijacking Vulnerability and Deprecation

Overview On November 27, 2015, Stefan Kanthak contacted Rapid7 to report a vulnerability in Rapid7's ScanNow tool.  Rapid7 takes security issues seriously and this was no exception.  In combination with a preexisting compromise or other vulnerabilities, and in the absence of sufficient mitigating measures, a system with ScanNow can allow a malicious party to execute code of their choosing leading to varying levels of additional compromise.  In order to protect the small community of users who ma

4 min IoT

The Internet of Gas Station Tank Gauges -- Take #2

In January 2015, Rapid7 worked with Jack Chadowitz and published research [/2015/01/22/the-internet-of-gas-station-tank-gauges] related to Automated Tank Gauges (ATGs) and their exposure on the public Internet.  This past September, Jack reached out to us again, this time with a slightly different request.  The goal was to reassess the exposure of these devices and see if the exposure had changed, and if so, how and why, but also to see if there were other ways of identifying potentially exposed

2 min

Amp Up and Defy Amplification Attacks -- Detecting Traffic Amplification Vulnerabilities with Nexpose

Approximately a year ago, the Internet saw the beginnings of what would become the largest distributed denial of service (DDoS) attacks ever seen.  Peaking at nearly 400Gbs in early 2014, these attacks started when a previously undisclosed vulnerability that would ultimately become CVE-2013-5211 [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5211] was discovered.  While these attacks were devastating and they received plenty of press, the style of attack was not new.  In fact, it had

17 min Project Sonar

R7-2014-17: NAT-PMP Implementation and Configuration Vulnerabilities

Overview In the summer of 2014, Rapid7 Labs started scanning the public Internet for NAT-PMP as part of Project Sonar [https://community.rapid7.com/community/infosec/sonar].  NAT-PMP is a protocol implemented by many SOHO-class routers and networking devices that allows firewall and routing rules to be manipulated to enable internal, assumed trusted users behind a NAT device to allow external users to access internal TCP and UDP services for things like Apple's Back to My Mac and file/media shar

8 min

Adventures in Empty UDP Scanning

One of the interesting things about security research, and I guess research in general, is that all too often the only research that is publicized is research that proves something or shows something especially amazing.  Research that is incomplete, where the original hypothesis or idea ends up being incorrect, or that ends up at non-spectacular conclusions rarely ends up getting published.  I feel that this trend is doing a disservice to the research community because the paths that the authors

9 min Vulnerability Disclosure

R7-2014-12: More Amplification Vulnerabilities in NTP Allow Even More DRDoS Attacks

Overview As part of Rapid7 Labs' Project Sonar [https://sonar.labs.rapid7.com/], among other things, we scan the entire public IPv4 space (minus those who have opted out) looking for listening NTP servers.  During this research we discovered some unknown NTP servers responding to our probes with messages that were entirely unexpected.  This lead to the writing of an NTP fuzzer in Metasploit [https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/fuzzers/ntp/ntp_protocol_fuz

5 min

Vulnerability Management And Expert Systems

Overview An unique feature of the Nexpose vulnerability management (VM) solution is that the core of the underlying scanner uses an expert system.  Many years and several careers ago, I had been tasked with selecting an appropriate VM solution at my employer.  Among the possible solutions was Nexpose, and I am somewhat embarrassed to admit that I shrugged off the "expert system" as a marketing term.  I soon came to learn that it was a real thing and started to realize the true power of such a te