Posts by Rapid7

2 min Metasploit

How VPN pivoting creates an undetectable local network tap

Let's assume your goal for an external penetration test is to pwn the domain controller. Of course, the domain controller's IP address is not directly accessible from the Web, so how do you go about it? Seasoned pentesters already know the answer: they compromise a publicly accessible host and pivot to other machines and network segments until they reach the domain controller. It's the same concept as a frog trying to cross a pond by jumping from lily pad to lily pad. If you have already

1 min

Metasploit Framework 3.5.0 - Win32 respin

The 3.5.0 release a couple of weeks ago ran into a few minor problems in the new Windows installer. First, Console2, our new terminal emulator, wouldn't work correctly with our setup if you already had a copy installed. Second, installing into a directory with a space in its name would prevent Console from starting. Lastly, and probably more important for most users, the new msfgui didn't work out of the box due to some incorrect paths in various places. All of these issues have been

2 min Awards

We weren't joking when we said "tattoos"!

Be careful what we wish for: In 2006, HD Moore wrote a blog post [/2006/08/27/metasploit-framework-30-beta-2] about a redesign of the Metasploit Project, announcing that the new graphics “will be featured on tee shirts, posters, and tattoos over the coming year.” Well, you guys took a little longer than we thought but we now have our first Metasploit tattoo! Initially, we thought Roy Morris (aka @soundwave1234 [http://twitter.com/soundwave1234]) was joking when he tweeted to @hdmoore [htt

2 min

Metasploit Anniversary Marks World's Most Successful Open Source Acquisition

Exactly one year ago, Rapid7 acquired the Metasploit Project [http://www.metasploit.com]. Many community members feared that this would be the end of Metasploit's open source era. After all, many open source projects had been turned into commercial offerings at the cost of the community. Most prominently in our space, a widely used vulnerability scanner is no longer open source. To the surprise of many skeptics, Metasploit is arguably the most successful collaboration between an open source pro

3 min

One Year Later: Metasploit Framework 3.5.0 Released!

On this first anniversary of Rapid7's acquisition of The Metasploit Project, we are proud to announce the release of the newest version of the Metasploit Framework, 3.5.0 [https://information.rapid7.com/metasploit-framework.html], with over 600 exploits and tons of bug fixes. A lot has happened in the last year.  Twelve months ago, lots of folks were asking whether the acquisition was going to mean the end of Metasploit.  To address some of those questions a year ago, I promised several things.

2 min Exploits

Take an Earlier Flight Home with the New Metasploit Pro

We love it, our beta testers loved it, and we trust you will as well: today we're introducing Metasploit Pro [http://www.rapid7.com/products/metasploit-pro.jsp], our newest addition to the Metasploit family, made for penetration testers who need a bigger, and better, bag of tricks. Metasploit Pro provides advanced penetration testing capabilities, including web application exploitation and social engineering. The feedback from our beta testers has been fantastic, most people loved how easily

1 min Patch Tuesday

October Patch Tuesday Roundup

Although Microsoft's October patch covers 39 vulnerabilities, there are only 4 critical bulletins. One of the vulnerabilities, covered by bulletin MS10-083, was reported to Microsoft by HD Moore back in 2006. Unfortunately, according to HD Moore, despite the long wait, the fix “does not completely solve the underlying vulnerability, but it does block the easiest routes to exploitation.” In addition, Josh Abraham, one of Rapid7's vulnerability research experts, recommends paying attention to

2 min Patch Tuesday

September Patch Tuesday Roundup

Microsoft's patch for September includes 4 Critical Bulletins and 5 Important Bulletins covering 11 vulnerabilities. A couple of vulnerabilities are worth noting, including MS10-064, a vulnerability in Microsoft Outlook that allows for Remote Code Execution. This is the classic drive-by malware scenario in which the attacker sends a malicious email message to the victim. Simply by opening the contents of an email, the victim can give the attacker full control of their machine. Organizations should conduct user aw

3 min

Impersonating the Windows Print Spooler for Relayed RPC

On Friday night, I committed our exploit module which takes advantage of the vulnerability [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2729] fixed in MS10-061 [http://www.microsoft.com/technet/security/bulletin/ms10-061.mspx]. If you haven't seen it yet, you can find it here [http://www.metasploit.com/modules/exploit/windows/smb/ms10_061_spoolss]. In its most egregious form, this bug allowed a guest user with print access to write arbitrary content to arbitrary files with SYSTEM p

2 min Patch Tuesday

August Patch Tuesday Roundup

Microsoft's patch this month, which consists of 14 bulletins that address 34 vulnerabilities, is the largest since October 2009. With the massive amount of work that lies ahead, it may help to prioritize your work. Josh Abraham, Rapid7 Security Researcher, recommends that you pay particular attention to MS10-054. This vulnerability in the SMB protocol “is potentially the most dangerous vulnerability as it allows unauthenticated attackers to execute arbitrary code on remote machines.” Abrah

2 min

Black Hat Race To Root Results

We had a good number of folks compete for prizes in the Race to Root competition at this year's Black Hat, so thanks to everyone who came by. Three competitors came out on top. Anders Hansen took first place! He'll be receiving both a ProxMark3 (http://proxmark3.com/) and a MAKInterface Magstripe Reader/Writer; Haikon Krohn took second place and will pick up a ProxMark3; and our third place finalist (JT Taylor) will also be receiving a MAKInterface. I was surprised by the number of folks who h

5 min

Shiny Old VxWorks Vulnerabilities

Back in June, I decided to spend some time looking at the VxWorks [https://secure.wikimedia.org/wikipedia/en/wiki/VxWorks] operating system. Specifically, I kept finding references to VxWorks-based devices running firmware images with the debug service (WDB Agent) enabled, but I could not find a description of the protocol or any estimates as to how prevalent this service was. After a couple days of digging around and a couple more days of scanning, I became aware of just how extensive this issu

2 min

W3AF: An Open Source Success Story

Today, as Rapid7 announced the sponsorship [http://www.rapid7.com/news-events/press-releases/2010/2010-w3af.jsp] of a second open source project with its support of w3af [http://w3af.sourceforge.net/], I reflect back on my experience with Rapid7 over the last 9 months. When I agreed to the acquisition of the Metasploit project by Rapid7 in October last year it was with a lot of excitement but also with a small leap of faith. In my initial blog post [/2009/10/21/metasploit-rising] from October 2

3 min

July Patch Tuesday Roundup

The highlight of Microsoft's security bulletins is the fix for Microsoft's online help vulnerability (MS10-042), identified by Google security researcher Tavis Ormandy, which could allow an attacker to take control of a computer by luring a computer user to a malicious Web site. As Microsoft's July security bulletins also address vulnerabilities in Windows XP, Josh Abraham, Rapid7 Security Researcher, recommends that “customers should keep in-mind that Windows XP SP2 is now end-of-life. Th

1 min Metasploit

Metasploit Framework 3.4.1 Released!

The Metasploit Project is proud to announce the release of the Metasploit Framework version 3.4.1. As always, you can get it from our downloads page [http://www.metasploit.com/framework/download/], for Windows or Linux. This release sees the first official non-Windows Meterpreter payload, in PHP as discussed last month [/2010/06/14/meterpreter-for-pwned-home-pages]. Rest assured that more is in store for Meterpreter on other platforms. A new extension called Railgun [http://mail.metasploit.c