2 min
Metasploit
Metasploit Pro 3.7: Better, Faster, Stronger
Over the last two months the Rapid7 team has been hard at work rewiring the
database and session management components of the Metasploit Framework,
Metasploit Express, and Metasploit Pro products. These changes make the
Metasploit platform faster, more reliable, and able to scale to hundreds of
concurrent sessions and thousands of target hosts. We are excited to announce
the immediate availability of version 3.7 of Metasploit Pro and Metasploit
Express!
Existing customers can apply the latest s
1 min
Metasploit
Metasploit Framework 3.7.0 Released!
Originally Posted by egypt
The Metasploit team has spent the last two months focused on one of the
least-visible, but most important pieces of the Metasploit Framework; the
session backend. Metasploit 3.7 represents a complete overhaul of how sessions
are tracked within the framework and associated with the backend database. This
release also significantly improves the staging process for the reverse_tcp
stager and Meterpreter session initialization. Shell sessions now hold their
output in a ri
1 min
Metasploit
Metasploit T-Shirt Design Contest: And the Winner is...
You have voted in large numbers – and the results are out: design #36
[/servlet/JiveServlet/downloadImage/38-5353-1228/36.png] is the winner of the
Metasploit T-shirt design contest. Danny Chrastil submitted the winning design,
featuring the Metasploit logo consisting of code from the payload
osx/ppc/shell_reverse_tcp. The back shows the Metasploit splash screen cow, our
legendary creature of mystery and superstition.
A few words about the winner: Danny Chrastil aka @DisK0nn3cT is a web
appl
2 min
Microsoft
April Patch Tuesday Round-Up
LOTS of patches from Microsoft this week...
This week's Patch Tuesday was pretty significant, with a record-tying 17
bulletins that patch a record 64 vulnerabilities, 15 more than the previous
largest-ever set in October 2010. As usual, the Rapid7 team was all over it,
monitoring the threat and trying to help out where possible.
This month's bulletin addresses vulnerabilities across Microsoft Windows,
Microsoft Office, Internet Explorer, Visual Studio, .NET Framework and GDI .
There are seve
4 min
Who Will You Be Wearing? Vote for the New Metasploit T-Shirt!
Wow – 87 entries for our T-Shirt competition in one week. We were very impressed
with both quantity and quality of the entries we received for designing the new
Metasploit T-shirt, which will be featured in the new Metasploit store.
Now, it's your turn (again): We need you to vote for your favorite shirt.
Starting with 87 entries, we conducted a quick office poll produce a shortlist
of 15 for you to pick from. (Go here
[http://99designs.com/t-shirt-design/contests/t-shirt-design-wanted-metasplo
1 min
Metasploit
Be a Superhero: Design the New Metasploit Swag
Originally Posted by Chris Kirsch
Don't know what to wear for the next BlackHat conference? Afraid of going naked
to B-Sides? We are too, so we decided to do something about it. We're getting
ready to launch our own Metasploit designer clothes – and you're the designer!
To start off our Metasploit swag store, we'd like you to design a T-shirt. You
must submit your own, original design. To enter, add your design to our
99designs competition
[https://99designs.com/t-shirt-design/contests/t-s
2 min
Metasploit
Learn, Download & Contribute: The New Metasploit Website
Today, we relaunched the Metasploit.com site. We hope you'll find it as awesome
as we do. The new site not only has updated looks, we've also rewritten much of
its content and put it on a shiny new server to make it faster.
We mainly focused on three aspects: learn, download & contribute:
Learn – Many Metasploit newbies told us they found it hard to get started with
the Metasploit Framework, so we took a fresh look at our website to design it so
that new Metasploit Framework users would fin
4 min
Adobe Flash CVE-2011-0609
Originally Posted by bannedit
Recently, I spent about a week and a half working on the latest 0-day Flash
vulnerability. I released a working exploit on March 22nd 2011. The original
exploit was just an attempt to get something working out the door for all of our
users. The first attempt left a lot to be desired. To understand the crux of
this vulnerability and what needed to be done to improve the first attempt at
exploiting it I had to dig in deep into ActionScript.
ActionScript is a languag
2 min
Vulnerability Disclosure
March Patch Tuesday Roundup
Since Microsoft is on this new staggered pattern of releases, we can expect a
feast or famine every other month...so get used to it. Depending on what side of
the desk you sit on you can adjust the context. With that being said, this
month's release brought us 3 patches addressing 4 vulnerabilities. I think we
were all expecting to see the MHTML
[http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0096] protocol
handler issue resolved, however it didn't make the cut. Make sure IE is in
r
2 min
Metasploit
Metasploit Version 3.6 Delivers Enhanced Command-Line Options and PCI Peports
Originally Posted by Chris Kirsch
All Metasploit editions are seeing an update to version 3.6 today, including an
enhanced command-line feature set for increased proficiency and detailed PCI
reports with pass/fail information for a comprehensive view of compliance
posture with PCI regulations.
Here's an overview of what's new:
The new Metasploit Pro Console offers powerful new features that help
professional penetration testers complete their job more efficiently in their
preferred environmen
2 min
Metasploit Framework 3.6.0 Released!
In coordination with Metasploit Express and Metasploit Pro
[https://www.rapid7.com/products/metasploit/download/], version 3.6 of the
Metasploit Framework is now available. Hot on the heels of 3.5.2, this release
comes with 8 new exploits and 12 new auxiliaries. A whopping 10 of those new
auxiliary modules are Chris John Riley's foray into SAP, giving you the ability
to extract a range of information from servers' management consoles via the SOAP
interface. This release fixes an annoying inst
1 min
Dual Core's Metasploit Track: Free Download!
We got a ton of requests to let you know when the new Dual Core Metasploit track
"msf mastering success & failure" would be available for download. Dual Core
had given the track a debut at the Rapid7 Skye High party at Ruby Skye in San
Francisco as part of the RSA Conference
I'm excited to let you know that we've now received the final copy. Even better:
Dual Core has made the song available free of charge - woot! Big thanks on
behalf of the community!
We all appreciate getting thing
2 min
IT Ops
Stronger Passwords for Django
One of our main concerns is data security. While we can do our best to protect
our service against external threats, a weak account password posses the easiest
attack vector. We are all human and sometimes we don’t even realize how
vulnerable our (supposedly strong) password is to a dictionary-based attack.
We use Django [http://www.djangoproject.com/] internally. Let us share with you
how we hard-ended our account registration process to automatically check for
weak passwords and give our user
1 min
Events
Rapid7's high flying RSA party
Thanks to all of you who attended our party at Ruby Skye on Wednesday. We were
overwhelmed by how many RSA delegates showed up: The club holds close to a
thousand people, and we were operating at capacity for most of the night.
Apologies if you had to wait in line for a few minutes!
Have a great weekend and sleep off the RSA Conference buzz!
Update: Just received this great picture taken by Travis Arnold at the party –
thought you'd enjoy it!
1 min
Metasploit Training at CanSecWest
The Metasploit Framework is more than a pile of exploits; it is a collection of
tools for gaining access where none is provided and a scaffolding for building
new tools. In a few weeks I will be teaching two, one-day dojos at CanSecWest
[https://www.secwest.net/] focusing on using and extending the framework. Some
of the topics we will cover are: post-exploitation automation including
meterpreter and cmd/sh shell sessions, no-exploit pwnage using stolen
credentials of various types, and buildi