6 min
Metasploit
Abusing Windows Remote Management (WinRM) with Metasploit
Late one night at Derbycon [https://www.derbycon.com/], Mubix
[https://twitter.com/mubix] and I were discussing various techniques of mass
ownage. When Mubix told me about the WinRM service, I wondered: "Why don't we
have any Metasploit modules for this yet?" After I got back , I began digging.
WinRM/WinRS
WinRM is a remote management service for Windows that is installed but not
enabled by default in Windows XP and higher versions, but you can install it on
older operating systems as well. Win
3 min
Metasploit
Weekly Metasploit Update: WinRM Part One, Exploiting Metasploit, and More!
WinRM Exploit Library
For the last couple weeks, Metasploit core contributor David @TheLightCosine
[http://twitter.com/thelightcosine] Maloney has been diving into Microsoft's
WinRM services with @mubix [http://twitter.com/mubix] and @_sinn3r
[http://twitter.com/_sinn3r]. Until these guys started talking about it, I'd
never heard WinRM. If you're also not in the Windows support world day-to-day,
you can read up on it at Microsoft
[http://msdn.microsoft.com/en-us/library/windows/desktop/aa384426(
2 min
Metasploit
Weekly Metasploit Update: Microsoft Windows and SQL, TurboFTP, and More!
AppSecUSA 2012
Last week was AppSecUSA 2012 here in Austin, which may explain the curious
absence of a weekly Metasploit Update blog post. The hilights of Appsec for me,
were (in no particular order): Meeting Raphael @ArmitageHacker
[https://twitter.com/armitagehacker] Mudge in person for the first time, meeting
Scott @_nullbind [https://twitter.com/_nullbind]Sutherland, author of a bunch of
recent Microsoft SQL post modules, and both of whom happened to contribute to
last week's Metasploit upda
3 min
Metasploit
Weekly Metasploit Update: Reasonable Disclosure, PHP EXE Wrappers, and More!
ZENWorks' Accidental Backdoor
This week, we saw the release of Metasploit exploit developer Juan Vazquez's
freshly discovered vulnerability in Novell ZENWorks. You can read all about it
in Juan's great technical blog post, but the short version for the
attention-deprived is: Novell ZENWorks ships with hard-coded credentials, which
allow for SYSTEM-level file system read access.
That seems like kind of a big deal for ZENWorks users -- namely because there's
no reasonable way to change these cred
4 min
Metasploit
Weekly Metasploit Update: RopDB, Local Exploits, Better Samples, and More!
Introducing RopDB
This week, Metasploit exploit devs Wei "sinn3r" Chen
[https://github.com/wchen-r7] and Juan Vazquez [https://github.com/jvazquez-r7]
finished up Metasploit RopDB
[/2012/10/03/defeat-the-hard-and-strong-with-the-soft-and-gentle-metasploit-ropdb]
. This advancement allows for drop-in ROP chains in new exploits, without all
that mucking around with copying and pasting mysterious binary blobs from one
exploit to the next. For the details on how to use it and what to expect in the
3 min
Metasploit
Weekly Metasploit Update: Stealing Print Jobs, Exploiting Samba, and More!
This update has something for everyone -- new exploits, new auxiliary modules,
new post modules, and even new payloads. If quadfecta is a word, we totally hit
it this week!
More Mac OSX 64-Bit Payloads
The parade of OSX 64-bit payloads continues, with five new 64-bit payloads added
this week:
* modules/payloads/singles/osx/x64/say.rb
* modules/payloads/singles/osx/x64/shell_find_tag.rb
* modules/payloads/stagers/osx/x64/bind_tcp.rb
* modules/payloads/stagers/osx/x64/reverse_tcp.rb
* modul
1 min
Metasploit
Webcast: Decrease Your Risk of a Data Breach - Effective Security Programs with Metasploit
Thanks for the many CISOs and security engineers who attended our recent
webcast, in which I presented some practical advice on how to leverage
Metasploit to conduct regular security reviews that address current attack
vectors. While Metasploit is often used for penetration testing projects, this
presentation focuses on leveraging Metasploit for ongoing security assessments
that can be achieved with a small security team to reduce the risk of a data
breach.
This webcast is now available for o
2 min
Metasploit
Weekly Metasploit Update: HP, PHP, and More!
Stupid PHP Tricks
This week's Metasloit update is a cautionary tale about running unaudited PHP
applications as part of your infrastructure. Metasploit community contributor
Brendan Coles [https://github.com/bcoles] has discovered and written Metasploit
modules for two similar root-level vulnerabilities one for OpenFiler
[http://www.metasploit.com/modules/exploit/linux/http/openfiler_networkcard_exec]
and one for WAN Emulator
[http://www.metasploit.com/modules/exploit/linux/http/wanem_exec] (a
1 min
Metasploit
Current User psexec
At DEF CON this year I talked about some of the post exploitation capabilities
within Metasploit and demo'd a cool technique I developed with Jabra on a
pentest a year or so ago (I later found out that Mubix had come up with
basically the same idea - great minds think alike). It is essentially this: use
a session's current token to create a remote service on a victim machine.
It takes advantage of a feature in Windows that most people take completely for
granted. Given that you are already logg
3 min
Networking
Weekly Metasploit Update: SAP, MSSQL, DNS, and More!
Zone Transfers for All
This week, Metasploit community contributor bonsaiviking
[https://github.com/bonsaiviking] fixed up the DNS library that Metasploit uses
so we won't choke on some types of zone transfer responses. Turns out, this is a
two-year old bug, but DNS servers that actually offer zone transfers are so rare
any more that this this bug didn't manifest enough to get squashed.
This brings me to a larger point -- with older vulnerabilities like these,
sometimes the hardest part for us
3 min
Metasploit
Mobile Pwning: Using Metasploit on iOS
Have you ever wanted to run an exploit but found yourself away from your desk?
Wouldn't it be awesome if you could launch a full version of the Metasploit
Framework from your phone or tablet? As you might have guessed, now you can.
With an adventurous spirit and a few commands, you can be running the Metasploit
Framework on your iPad or iPhone in just a few short minutes.
Warning: To install Metasploit, you'll need root access to your device – which
is accomplished by following your favorite ja
3 min
Metasploit
Weekly Metasploit Update: Trusted Path Switcheroo, Stack Cookie Bypass, and More!
Another week, another fifteen new modules for Metasploit. I continue to be
amazed by the productivity of our open source exploit developer community.
Thanks so much for your hard work and effort, folks!
New Module for Trusted Path Switcheroo
As I was going over this week's new modules, one that jumped out at me was Wei
"sinn3r" Chen's implementation of a general Trusted Path insertion attack,
Windows Service Trusted Path Privilege Escalation
[http://www.metasploit.com/modules/exploit/windows/l
4 min
Product Updates
Weekly Metasploit Update: Two Dozen New Modules
The Vegas and vacation season is behind us, so it's time to release our first
post-4.4.0 update. Here we go!
Exploit Tsunami
A few factors conspired to make this update more module-heavy than usual. We
released Metasploit 4.4 in mid-July. Historically, a dot version release of
Metasploit means that we spend a little post-release time closing out bugs,
performing some internal housekeeping that we'd been putting off, and other
boring software engineering tasks. Right after this exercise, it was
3 min
Metasploit
Weekly Metasploit Update: RATs, WPAD, and More!
Just a quick update this week for some new Metasploit modules. We're holding off
on the usual Framework and Pro enhancements as we button up the next point
release for Metasploit Pro, Express, and Community Editions. That said, we do
have a few neat new modules that I wanted to hilight, so let's take a look.
Hacking the Hackers
This week's haul includes something a little unusual -- an exploit for Poison
Ivy, a blackhat-favored Remote Administration Tool (RAT). Community contributor
Gal Badishi
2 min
Metasploit
Weekly Metasploit Update: Sniffing with Meterpreter, Egg Hunting, and More!
This week's udpate has seven new modules, a much-anticipated Meterpreter
enhancement, and more, so let's jump into it.
Egg Hunting and Stack Smashing
This week's update features a spiffy new module for HP Data Protector from Juan
Vazquez and Wei 'sinn3r' Chen. It uises an egg hunting technique to reconstruct
the exploit's payload -- and both Wei and Juan have a detailed blog posts in the
works that go into detail on the whys and wherefores of egghunter shellcode and
troubleshooting payload de