3 min
Metasploit
Weekly Metasploit Update: Talking PJL With Printers
Abusing Printers with PJL
This week's release features a half dozen new modules that seek out printers
that talk the Print Job Language (PJL) for use and abuse. Huge thanks to our
newest full-time Metasploit troublemaker, William Vu
[https://twitter.com/wvuuuuuuuuuuuuu].
As a penetration tester, you probably already know that office printers
represent tasty targets. Like most hardware with embedded systems, they rarely,
if ever, get patches. They don't often have very serious security controls
2 min
API
SQL Export Report using the API
This morning we published the release of the new SQL Query Export
[/2013/12/18/give-me-access-to-my-data] report. Simultaneously the Nexpose Gem
[http://rubygems.org/gems/nexpose] has released version 0.6.0
[https://github.com/rapid7/nexpose-client/wiki/Changes-to-the-Nexpose-Gem-in-Version-0.6.0]
to support this new report format in all the reporting API calls (you must
update to this latest version to run the report). When the SQL Query Export is
paired with adhoc-report generation, you are a
2 min
Nexpose
Calculating Your Average Scan Time
If you are looking to balance out your scan schedule or add new scans to the
mix, it can be helpful to get some direct insight into how much time a new scan
is going to take. One way to estimate that is based upon how long your current
scans are already taking.
To that end, I threw together a script that looks at current scan history and
calculates average scan time per asset. To keep some balance, I only look at
Full audit scans and their live assets. I then calculate the average number of
min
1 min
Nexpose
Making the Nexpose Gem Easier to Use
To make API access to Nexpose easier, efforts are underway to make the Nexpose
Gem [http://rubygems.org/gems/nexpose] easier to use. For those
unfamiliar with the gem, it is a Ruby library that allows for easier scripting
against a Nexpose security console.
Changes to Site
Making changes to a site configuration through the gem used to be a little
complex. The attributes on the configuration were locked down from editing, and
sometimes buried deep in structures that mirrored th
2 min
Nexpose
Multi-tenant User Provisioning
Introduction
Performing bulk operations can be time-consuming in Nexpose. A good example is
user provisioning, which can take a long time. Using the Nexpose APIs is an
effective way to save time and eliminate the error-prone process of doing
everything manually. For this blog post, I want to demonstrate how you
can manage users using the Nexpose API. I will be using an open source Java API
client, which is available on clee-r7/nexpose_java_api · GitHub
[https://github.com/clee-
2 min
API
How to generate reports through the API
Nexpose provides a number of API methods for report management. Through the API
you can create/update a report configuration, generate a report on the fly, and
view the status of the generation requests.
A report configuration, in particular, is a configuration for a type of report.
With a configuration, a user can specify the template, format, and content for a
report. In order to create a configuration via the API a user must generate a
ReportSaveRequest.
ReportSaveRequest - The report save
0 min
Nexpose
Nexpose Reporting with the Java API Client
Nexpose reporting just got easier!
Now you can manage and generate Nexpose reports through an interactive
application that leverages the Nexpose Java API client.
Here is a list of the options that are currently supported.
1. List Reports
2. Generate Reports
3. Delete Reports
4. Delete Report Configurations (and all associated reports)
5. View Report Configuration
6. View Report History
Attached is a copy of the application and the source code so you can easily
modify and extend its func
5 min
Javascript
Creating a bunch of users at once using the Nexpose API
I would like to take the time to share an example of how you can use the Nexpose
API to create a batch of users at one time with the use of a CSV file. Sounds
too good to be true, right?
I swear to you that this is not a mirage. In fact I am prepared to put my money
where my mouth is and post a code example with Rapid7's very own Open Source
Java API client. This will allow you to do the following:
* Interactively specify a CSV file to create, update and even remove existing
  users
* Please s
2 min
Nexpose
Automating Nexpose Discovery Connections through the Java API
Nexpose has long offered APIs allowing for automated workflow operations. The
following examples are intended to help Nexpose users automate the discovery
mechanisms feature through the API. The following code shows how to leverage the
Java API client [https://github.com/clee-r7/nexpose_java_api] to create, list,
update and delete discovery mechanisms in Nexpose.
Nexpose supports the Discovery connection API starting with version 5.2. The
supported operations on the API with regards to discovery ar
4 min
Javascript
Java API Client - How to Augment It and Share with the Community
The prerequisite is that you get the client: clee-r7/nexpose_java_api · GitHub
[https://github.com/clee-r7/nexpose_java_api]
This blog post will show you how to augment the Java API client and use it in 4
easy steps.
The Java API client uses XML templates to generate requests. Browse to the
src/org/rapid7/nexpose/api folder within the API source code and you will see
the templates for the currently supported API client requests, e.g.
AssetGroupSaveRequest.xml.
There are currently 2 versions of
1 min
Nexpose
Nexpose Java API
We are really excited to see the Nexpose community coming up with all sorts of
cool and useful ways to automate Nexpose via our APIs. Since we have published
our Ruby [https://github.com/rapid7/nexpose-client] and .Net
[https://github.com/brandonprry/nexpose-sharp] API client libraries, we have had
some requests for a Java library as well. And now we have open sourced a Java
[https://github.com/clee-r7/nexpose_java_api] based library for accessing the
Nexpose API. This library is BSD licensed s
2 min
Metasploit
Remote-Controlling Metasploit Through APIs
Metasploit offers some great ways to automate its functionality through a
programming interface. Metasploit users have built custom tools and processes
based on this functionality, saving them time to conduct repetitive tasks, or
enabling them to schedule automated tasks. Our most advanced customers have even
integrated Metasploit Pro into their enterprise security infrastructure to
automatically verify the exploitability of vulnerabilities to make their
vulnerability management program more ef