Posts by Rapid7

2 min Metasploit

Metasploit Pro 3.7: Better, Faster, Stronger

Over the last two months the Rapid7 team has been hard at work rewiring the database and session management components of the Metasploit Framework, Metasploit Express, and Metasploit Pro products. These changes make the Metasploit platform faster, more reliable, and able to scale to hundreds of concurrent sessions and thousands of target hosts. We are excited to announce the immediate availability of version 3.7 of Metasploit Pro and Metasploit Express! Existing customers can apply the latest s

1 min Metasploit

Metasploit Framework 3.7.0 Released!

Originally Posted by egypt The Metasploit team has spent the last two months focused on one of the least-visible, but most important pieces of the Metasploit Framework; the session backend. Metasploit 3.7 represents a complete overhaul of how sessions are tracked within the framework and associated with the backend database. This release also significantly improves the staging process for the reverse_tcp stager and Meterpreter session initialization. Shell sessions now hold their output in a ri

1 min Metasploit

Metasploit T-Shirt Design Contest: And the Winner is...

You have voted in large numbers – and the results are out: design #36 [/servlet/JiveServlet/downloadImage/38-5353-1228/36.png] is the winner of the Metasploit T-shirt design contest. Danny Chrastil submitted the winning design, featuring the Metasploit logo consisting of code from the payload osx/ppc/shell_reverse_tcp. The back shows the Metasploit splash screen cow, our legendary creature of mystery and superstition. A few words about the winner: Danny Chrastil aka @DisK0nn3cT is a web appl

2 min Microsoft

April Patch Tuesday Round-Up

LOTS of patches from Microsoft this week... This week's Patch Tuesday was pretty significant, with a record-tying 17 bulletins that patch a record 64 vulnerabilities, 15 more than the previous largest-ever set in October 2010.  As usual, the Rapid7 team was all over it, monitoring the threat and trying to help out where possible. This month's bulletin addresses vulnerabilities across Microsoft Windows, Microsoft Office, Internet Explorer, Visual Studio, .NET Framework and GDI . There are seve

4 min

Who Will You Be Wearing? Vote for the New Metasploit T-Shirt!

Wow – 87 entries for our T-Shirt competition in one week. We were very impressed with both quantity and quality of the entries we received for designing the new Metasploit T-shirt, which will be featured in the new Metasploit store. Now, it's your turn (again): We need you to vote for your favorite shirt. Starting with 87 entries, we conducted a quick office poll produce a shortlist of 15 for you to pick from. (Go here [http://99designs.com/t-shirt-design/contests/t-shirt-design-wanted-metasplo

1 min Metasploit

Be a Superhero: Design the New Metasploit Swag

Originally Posted  by Chris Kirsch Don't know what to wear for the next BlackHat conference? Afraid of going naked to B-Sides? We are too, so we decided to do something about it. We're getting ready to launch our own Metasploit designer clothes – and you're the designer! To start off our Metasploit swag store, we'd like you to design a T-shirt. You must submit your own, original design. To enter, add your design to our 99designs competition [https://99designs.com/t-shirt-design/contests/t-s

2 min Metasploit

Learn, Download & Contribute: The New Metasploit Website

Today, we relaunched the Metasploit.com site. We hope you'll find it as awesome as we do. The new site not only has updated looks, we've also rewritten much of its content and put it on a shiny new server to make it faster. We mainly focused on three aspects: learn, download & contribute: Learn – Many Metasploit newbies told us they found it hard to get started with the Metasploit Framework, so we took a fresh look at our website to design it so that new Metasploit Framework users would fin

4 min

Adobe Flash CVE-2011-0609

Originally Posted by bannedit Recently, I spent about a week and a half working on the latest 0-day Flash vulnerability. I released a working exploit on March 22nd 2011. The original exploit was just an attempt to get something working out the door for all of our users. The first attempt left a lot to be desired. To understand the crux of this vulnerability and what needed to be done to improve the first attempt at exploiting it I had to dig in deep into ActionScript. ActionScript is a languag

2 min Vulnerability Disclosure

March Patch Tuesday Roundup

Since Microsoft is on this new staggered pattern of releases, we can expect a feast or famine every other month...so get used to it. Depending on what side of the desk you sit on you can adjust the context. With that being said, this month's release brought us 3 patches addressing  4 vulnerabilities. I think we were all expecting to see the MHTML [http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0096] protocol handler issue resolved, however it didn't make the cut. Make sure IE is in r

2 min Metasploit

Metasploit Version 3.6 Delivers Enhanced Command-Line Options and PCI Peports

Originally Posted by Chris Kirsch All Metasploit editions are seeing an update to version 3.6 today, including an enhanced command-line feature set for increased proficiency and detailed PCI reports with pass/fail information for a comprehensive view of compliance posture with PCI regulations. Here's an overview of what's new: The new Metasploit Pro Console offers powerful new features that help professional penetration testers complete their job more efficiently in their preferred environmen

2 min

Metasploit Framework 3.6.0 Released!

In coordination with Metasploit Express and Metasploit Pro [https://www.rapid7.com/products/metasploit/download/], version 3.6 of the Metasploit Framework is now available.  Hot on the heels of 3.5.2, this release comes with 8 new exploits and 12 new auxiliaries.  A whopping 10 of those new auxiliary modules are Chris John Riley's foray into SAP, giving you the ability to extract a range of information from servers' management consoles via the SOAP interface.  This release fixes an annoying inst

1 min

Dual Core's Metasploit Track: Free Download!

We got a ton of requests to let you know when the new Dual Core Metasploit track "msf mastering success & failure" would be available for download. Dual Core had given the track a debut at the Rapid7 Skye High party at Ruby Skye in San Francisco as part of the RSA Conference I'm excited to let you know that we've now received the final copy. Even better: Dual Core has made the song available free of charge - woot! Big thanks on behalf of the community! We all appreciate getting thing

2 min IT Ops

Stronger Passwords for Django

One of our main concerns is data security. While we can do our best to protect our service against external threats, a weak account password posses the easiest attack vector. We are all human and sometimes we don’t even realize how vulnerable our (supposedly strong) password is to a dictionary-based attack. We use Django [http://www.djangoproject.com/] internally. Let us share with you how we hard-ended our account registration process to automatically check for weak passwords and give our user

1 min Events

Rapid7's high flying RSA party

Thanks to all of you who attended our party at Ruby Skye on Wednesday. We were overwhelmed by how many RSA delegates showed up: The club holds close to a thousand people, and we were operating at capacity for most of the night. Apologies if you had to wait in line for a few minutes! Have a great weekend and sleep off the RSA Conference buzz! Update: Just received this great picture taken by Travis Arnold at the party – thought you'd enjoy it!

1 min

Metasploit Training at CanSecWest

The Metasploit Framework is more than a pile of exploits; it is a collection of tools for gaining access where none is provided and a scaffolding for building new tools.  In a few weeks I will be teaching two, one-day dojos at CanSecWest [https://www.secwest.net/] focusing on using and extending the framework.  Some of the topics we will cover are: post-exploitation automation including meterpreter and cmd/sh shell sessions, no-exploit pwnage using stolen credentials of various types, and buildi