Introducing Metasploitable
One of the questions that we often hear is "What systems can I use to test
against?" Based on this, we thought it would be a good idea to throw together an
exploitable VM that you can use for testing purposes.
Metasploitable is an Ubuntu 8.04 server install on a VMWare 6.5 image. A number
of vulnerable packages are included, including an install of tomcat 5.5 (with
weak credentials), distcc, tikiwiki, twiki, and an older mysql.
You can use most VMware products [http://www.vmware.com/products/play
Metasploit Framework 3.4.0 Released!
After five months of development, version 3.4.0 of the Metasploit Framework
[http://www.metasploit.com/framework/download/] has been released. Since the
last major release (3.3) over 100 new exploits have been added and over 200 bugs
have been fixed.
This release includes massive improvements to the Meterpreter payload; both in
terms of stability and features, thanks in large part to Stephen Fewer of
Harmony Security. The Meterpreter payload can now capture screenshots without
migrating, inc
May Patch Tuesday Roundup
Time for the May 2010 summary of the upcoming Microsoft Security Updates….
2 Advisories, with 2 Vulnerabilities covered. Both are rated as Critical.
The first one covering Outlook Express, Microsoft Mail, and Microsoft Live Mail
on all Windows Operating Systems (sans Server Core and Server Core for Windows
Server 2008 R2) and the second covering Microsoft Visual Basic for Applications.
Both Vulnerabilities allow for Remote Code Execution.
Here's a breakdown:
MS10-030 – Mail Server Integ
Approaching Metasploit 3.4.0 and Metasploit Express
Since mid-December, the Metasploit team has been working non-stop towards
version 3.4.0 of the Metasploit Framework. The final release is still scheduled
for mid-May, but I wanted to share some of the upcoming features, available
today from the development tree. Version 3.4.0 includes major improvements to
the Meterpreter payload, the expansion of the framework's brute force
capabilities, and the complete overhaul of the backend database schema and event
subsystem. In addition, more than 60 exp
April Microsoft Patch Tuesday Roundup
Time for this month's summary of the latest Microsoft Security updates …
11 advisories, with 25 vulnerabilities covered. 5 Critical; 5 Important; 1
Moderate. This is the heaviest April update we've seen; we generally see 5-8
updates in April and 25 vulnerabilities breaks the 2009 April record of 21.
The SMB DoS issue is being addressed, rated Important and affecting Windows
& Exchange. 2 issues affecting Office, both of which are rated Important.
The other 8 affect Windows with 5 Crit
Persistent Meterpreter over Reverse HTTPS
Botnet agents and malware go through inordinate lengths to hide their command
and control traffic. From a penetration testing perspective, emulating these
types of communication channels is possible, but often requires a custom toolkit
to be deployed to the target. In this post I will walk through using the
standard Metasploit Meterpreter payload as a persistent encrypted remote control
tool.
First things first, grab the latest version
[http://www.metasploit.com/framework/download/] of Metasplo
March Microsoft Out-Of-Band Patch Tuesday Roundup
Brief summary of today's Out-Of-Band Microsoft Security update …
1 Cumulative IE update, with 10 vulnerabilities covered. While Out-Of-Band
updates are not unheard of (this is the second one so far this year), 10
vulnerabilities covered is a lot.
Here's the breakdown:
MS10-018: Rated Critical. Cumulative update for Internet Explorer, covering 10
vulnerabilities:
CVE-2010-0267 (Uninitialized Memory Corruption)
CVE-2010-0488 (Post Encoding Information Disclosure)
CVE-2010-0489 (Race C
Visualizing Microsoft Security Bulletin Supersedence
I've always been a very visual person. As a young child, I had an interesting
ability to be able to subconsciously scan the landscape and immediately pick out
things that were out of place. On my way to work or otherwise driving around
town, my eyes are scanning the passenger's, rear-view and driver's side mirrors
every few seconds looking for things that make driving around Los Angeles
perilous.
When it comes to complex problems related to security, or even just things that
may present obst
Automating the Metasploit Console
The Metasploit Console (msfconsole) has supported the concept of resource files
for quite some time. A resource file is essentially a batch script for
Metasploit; using these files you can automate common tasks. If you create a
resource script called ~/.msf3/msfconsole.rc, it will automatically load each
time you start the msfconsole interface. This is a great way to automatically
connect to a database and set common parameters (setg PAYLOAD, etc). Until this
morning, however, resource scripts w
March Microsoft Patch Tuesday Roundup
Time once again for this month's summary of the latest Microsoft Security
updates …
2 advisories, with 8 vulnerabilities covered. This is the lightest March update
since Microsoft skipped March altogether back in 2007.
Here's the breakdown:
MS10-016: Rated Important. Potential Remote Code Execution in Windows Movie
Maker, covering 1 vulnerability: CVE-2010-0265 (Buffer Overflow in Movie Maker
and Producer). A few things to note about this one ...
First, Microsoft chose not to patch the
The Story Behind NeXpose Community Edition
Hi, I'm the product manager here at Rapid7 and one of the many people behind the
Community Edition. I joined Rapid7 in July after spending my last eight years
with Red Hat. Before that, I worked at another open source software company.
Naturally, I have strong opinions on why open source and community-driven
software is a fundamentally better way to build and release software.
With that as a background, I thought I'd take some time and explain the
motivation and philosophy behind NeXpose commu
Reproducing the "Aurora" IE Exploit
Update: This module, just like the original exploit, only works on IE6 at this
time. IE7 requires a slightly different method to reuse the object pointer and
IE8 enables DEP by default.
Yesterday, a copy of the unpatched Internet Explorer exploit used in the Aurora
[http://www.wired.com/threatlevel/2010/01/hack-of-adob/comment-page-1/] attacks
was uploaded to Wepawet
[http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&type=js].
Since the code is now public, we ported thi
January Microsoft Patch Tuesday Roundup
A new year, a new decade, and time once again for this month's summary of the
latest Microsoft Security updates … actually, that's *update*.
1 update, with 1 vulnerability covered. Here's the breakdown:
MS10-001 [http://www.microsoft.com/technet/security/Bulletin/MS10-001.mspx]:
Rated Critical. Potential Remote Code Execution via integer overflow in LZCOMP
Decompressor of the Embedded OpenType (EOT) Font Engine, covering 1
vulnerability: CVE-2010-0018
[http://www.cve.mitre.org/cgi-bin/cvenam
Safe, Reliable, Hash Dumping
The Metasploit Meterpreter has supported the "hashdump" command (through the
Priv extension) since before version 3.0. The "hashdump" command is an in-memory
version of the pwdump tool, but instead of loading a DLL into LSASS.exe, it
allocates memory inside the process, injects raw assembly code, executes it via
CreateRemoteThread, and then reads the captured hashes back out of memory. This
avoids writing files to the drive and by the same token avoids being flagged by
antivirus (AV) and intrus
Exporting the Registry for Fun and Profit
Over the last few days, I have been playing with WinScanX
[http://www.windowsaudit.com/], a free command-line tool for querying Windows
service information over SMB. WinScanX combines many of the essential tools used
during a penetration test into a single utility. One of the more interesting
features
[http://windowsaudit.com/winscanx/retrieving-password-hashes-with-winscanx-y/]
is the "-y" flag, which instructs WinScanX to save a copy of the remote registry
hives for SAM, SECURITY, and SYSTEM.