6 min
Nexpose
Integrating Nexpose Community and Metasploit Community in Backtrack 5 R2
I recently packaged up the new Nexpose release so that Backtrack users can have
an up-to-date version of Nexpose, straight from the Backtrack repos. This seemed
like a great time to also go over installing Nexpose Community and integrating
it with the already-installed Metasploit Community.
1. Getting Started
Before we get started, I would recommend grabbing a copy of Backtrack 5 R2
64-bit. The machine you want to use will need to have at a minimum 2GB of RAM
and at least 5GB space on the hard
4 min
Release Notes
Configuration assessment and policy management in Nexpose 5.2
We love our policy Dashboards. They are new, hot, intuitive, robust and really
useful. In our latest release of Nexpose, version 5.2, we've made two major
enhancements to our configuration assessment capabilities:
* A policy overview dashboard: To understand the current status of compliance
of configurations delivering a summary of the policy itself.A policy rule
dashboard: To provide further details for a particular rule and the current
compliance status for that rule.
What makes th
4 min
Log Management
Nexpose log files - What's changed in v5.2
Introduction
Nexpose logs messages for tasks that the system has performed as well as events
that occurred as a result of those tasks. The messages vary with respect to the
features in the product such as users logging into Nexpose successfully,
launching a scan for a site, or generating a report. The log files are helpful
in understanding what Nexpose has already done. In the latest release, Nexpose
5.2, we have introduced a number of enhancements to the log files such as
reducing disk usage an
4 min
Vulnerability and Threat Data Export Leveraging "XML Export 2.0" format
A vulnerability management solution like Nexpose is often used by organizations
to provide risk-based insight for potential and real threats. Nexpose provides
product reporting capabilities that help organizations clearly prioritize their
risk based on such aspects as exploitability, availability of malware kits and
weighted and temporal risk scores. Frequently, organizations leverage this rich
threat data in XML format in conjunction with other enterprise security tools
such as SIEM, GRC, IPS,
3 min
Metasploit
Weekly Metasploit Update: Spiceworks, AFP, RDP, and a New HTTP Downloader
After a couple of relatively light weeks (blame SXSW, I guess), this week's
update has quite a few neat new additions. As always, if you don't already have
Metasploit, what are you waiting for
? For the rest of us,
here's what's new.
Importapalooza
This week's update has support for importing asset lists exported from
Spiceworks, courtesy of Rapid7's Brandon Perry. Spiceworks is a free asset
management application used by tons of IT pros and
1 min
Release Notes
SOC Monkey - FREE and in the App Store now!
The name's Monkey. SOC Monkey.
I'm here to provide you with a new free app for the iPhone/iPad/iPod Touch that
will search through infosec topics that are trending on the social web. I'll
also rank them based on what the biggest news items and hottest topics are, so
you can make sure to get your banana's worth.
Now, I'm not going to just barrage you with links. I'm going to use my
incredibly advanced simian brain to curate these news items, so you can focus
more on what you need to get don
3 min
Metasploit
Weekly Metasploit Update: Session Smarts and GitHub
It's another Metasploit update, and it's headed straight for us!
Session Smarts
This week, Metasploit session management got a whole lot smarter. Here's the
scenario: As a penetration tester, you rook a bunch of people into clicking on
your browser-embedded Flash exploit , sit back, and
watch the sessions rolling in. However, they're all behind a single NAT point,
so all your sessions appear to be terminating at a single IP address, and you
quickly lose track of who's
4 min
Javascript
Java API client - How to augment it and share with the community
The prerequisite is that you get the client: clee-r7/nexpose_java_api · GitHub
This blog post will show you how to augment the java api client and use it in 4
easy steps.
The Java API client uses XML templates to generate requests. Browse to the
src/org/rapid7/nexpose/api folder within the API source code, you will see the
templates for the currently supported API client requests. i.e:
AssetGroupSaveRequest.xml.
There are currently 2 versions of
1 min
Nexpose
How to Check for Remote Desktop Protocol (RDP) Services
There are many organizations concerned with the critical Microsoft Security
Bulletin MS12-020
Remote Desktop
Protocol (RDP) vulnerability. Here is a quick way to check if you have Remote
Desktop Protocol running on your system or network. I used NMAP
to check my home network.
In the highlighted text below you can see that NMAP can check for the RDP
service running. If you can't patch, this is important because at
3 min
Metasploit
New Metasploit Swag Store Is Online
You may remember the awesome Metasploit T-shirt contest we ran in April of last
year .
We received a ton of submissions at the time and selected a winning T-shirt,
designed by Danny Chrastil.
It was a long and arduous journey for us to get the T-shirts printed and to get
the back-end systems up and running for the Metasploit Swag Store
...but it's finally here. Yes, you'll
notice tha
3 min
URI Parsing: It's harder than you think... or is it?
I have to admit, parsing a URI is tricky. Most Metasploit modules try to do it
with some kind of crazy custom regex-fu, but unfortunately most of them are kind
of buggy. Because of this, I've committed a new patch to HttpClient -- a
target_uri function that can automatically parse the URI for you. It's only a
4-line change, but should change the way we code HTTP-related modules.
Before I demonstrate how you can take advantage of target_uri, I should briefly
explain why you should avoid doing
2 min
Metasploit
Weekly Metasploit Update: Wmap, Console Search, and More!
In addition to the nuclear-powered exploit, we've got a new slew of updates,
fixes and modules this week for Metasploit, so let's jump right into the
highlights for this update.
Updated WMAP Plugin
Longtime community contributor Efrain Torres provided a much-anticipated update
to the Wmap plugin. Wmap automates up a bunch of web-based Metasploit modules
via the Metasploit console, from HTTP version scanning to file path bruteforcing
to blind SQL injection testing. If you're not already familiar
2 min
Metasploit
Weekly Metasploit Update: POSIX Meterpreter and New Exploits
This is a pretty modest update, since it's the first after our successful 4.2
release last week. Now
that 4.2 is out the door, we've been picking up on core framework development,
and of course, have a few new modules shipping out.
Meterpreter Updates
James "egyp7" Lee and community contributor mm__ have been banging on the POSIX
side of Meterpreter development this week, and have a couple of significant
enhancements to Linux Meterpreter. T
2 min
Microsoft
Information Disclosure: Out of Office Auto Replies
Out of office replies are a blessing and a curse for organizations from an
operational security perspective. Many of the out of office auto replies I
receive contain too much information. Since many security professionals are at
the RSA Conference this week I've had plenty hit my inbox. This is nothing
compared to December around the holiday season. Like anything the information in
the replies can be used for good and bad. Good people are trying to ensure that
work continues while they are away
2 min
Nexpose
Rapid7 Wins Coveted SC Magazine Award for Best Vulnerability Management Tool
Thorsten George, VP of Worldwide of Marketing and
Products for Agiliance on the left and
Bernd Leger, VP of Marketing, Products &
Solutions at Rapid7 on the right
Sitting in a room of hundreds of industry leaders and security vendors, it was
extremely gratifying to hear our name called and being asked on stage to receive
one of the coveted SC Magazine Awards last night in San Francisco. Rapid7 won
the prestigious “Best Vulnerability Management Tool” Award in the Reader's Trust
Award Categor