Metasploit
Introduction to Metasploit Hooks
Metasploit provides many ways to simplify your life as a module developer. One
of the less well-known of these is the presence of various hooks you can use for
processing things at important stages of the module's lifetime. The basic one
that anyone who has written an exploit will be familiar with is exploit, which
is called when the user types the exploit command. That method is common to all
exploit modules. Aux and post modules have an analogous run method. Common to
all the runnable modules
Metasploit
The Odd Couple: Metasploit and Antivirus Solutions
I hear a lot of questions concerning antivirus evasion with Metasploit, so I'd
like to share some of the information critical to understanding this problem. This
blog post is not designed to give you surefire antivirus (AV) evasion
techniques, but rather to help you understand the fundamentals of the issue.
A Quick Glossary
Before we begin, let's define a few terms. This will be important for
understanding some of the things we will discuss.
Payload: A payload is the actual code that is being del
Metasploit
Weekly Metasploit Update: Exploit Dev How-to and InfoSec Targets
Metasploit 4.5 has been out for a few days, so it's high time for an update.
Let's hop to it!
1000th Exploit: Freefloat FTP WMI
I often hear the question, "How do I get started on writing exploits?" Well, I'd
like to point you to Metasploit's 1000th exploit (future Hacker Jeopardy
contestants, take note): On December 7, 2012, Wei "sinn3r" Chen and Juan Vazquez
committed FreeFloat FTP Server Arbitrary File Upload
[http://www.metasploit.com/modules/exploit/windows/ftp/freefloatftp_wbem]. Now,
as
Metasploit
Weekly Metasploit Update: OpenVAS, SAP, NetIQ, and More!
Now that I've consumed a significant percentage of my own weight in turkey
(seriously, it was something like five percent), it's time to shake off the
tryptophan and get this week's update out the door.
Attacking Security Infrastructure: OpenVAS
This week's update features three new modules for bruteforcing three different
OpenVAS authentication mechanisms, all provided by community contributor Vlatko
@k0st [https://twitter.com/k0st] Kosturjak. OpenVAS is an open source security
management stac
Metasploit
Weekly Metasploit Update: Web Libs, SAP, ZDI, and More!
Fresh Web Libs
As we head into the holiday season here in the U.S., Metasploit core developers
Tasos @Zap0tek [https://twitter.com/Zap0tek] Laskos and James @Egyp7
[https://twitter.com/egyp7] Lee finished up a refresh of the Metasploit fork of
the Anemone libraries, which is what we use for basic web spidering. You can
read up on it here [http://anemone.rubyforge.org/]. The Metasploit fork isn't
too far off of Chris Kite's mainline distribution, but does account for
Metasploit's Rex sockets, ad
Metasploit
Weekly Metasploit Update: WinRM x2, ADDP, RealPort, CI and BDD
WinRM, Part Two
In the last Metasploit update blog post, we talked about the work from
Metasploit core contributors @TheLightCosine [http://twitter.com/thelightcosine]
, @mubix [http://twitter.com/mubix] and @_sinn3r [http://twitter.com/_sinn3r] on
leveraging WinRM / WinRS. As of this update, Metasploit users can now execute
WQL queries
[http://www.metasploit.com/modules/auxiliary/scanner/winrm/winrm_wql], execute
commands [http://www.metasploit.com/modules/auxiliary/scanner/winrm/winrm_cmd],
an
Metasploit
Abusing Windows Remote Management (WinRM) with Metasploit
Late one night at Derbycon [https://www.derbycon.com/], Mubix
[https://twitter.com/mubix] and I were discussing various techniques of mass
ownage. When Mubix told me about the WinRM service, I wondered: "Why don't we
have any Metasploit modules for this yet?" After I got back, I began digging.
WinRM/WinRS
WinRM is a remote management service for Windows that is installed but not
enabled by default in Windows XP and higher versions, but you can install it on
older operating systems as well. Win
Metasploit
Weekly Metasploit Update: WinRM Part One, Exploiting Metasploit, and More!
WinRM Exploit Library
For the last couple weeks, Metasploit core contributor David @TheLightCosine
[http://twitter.com/thelightcosine] Maloney has been diving into Microsoft's
WinRM services with @mubix [http://twitter.com/mubix] and @_sinn3r
[http://twitter.com/_sinn3r]. Until these guys started talking about it, I'd
never heard of WinRM. If you're also not in the Windows support world day-to-day,
you can read up on it at Microsoft
[http://msdn.microsoft.com/en-us/library/windows/desktop/aa384426(
Metasploit
Weekly Metasploit Update: Microsoft Windows and SQL, TurboFTP, and More!
AppSecUSA 2012
Last week was AppSecUSA 2012 here in Austin, which may explain the curious
absence of a weekly Metasploit Update blog post. The highlights of AppSec for me
were (in no particular order): meeting Raphael @ArmitageHacker
[https://twitter.com/armitagehacker] Mudge in person for the first time, meeting
Scott @_nullbind [https://twitter.com/_nullbind] Sutherland, author of a bunch of
recent Microsoft SQL post modules, and both of whom happened to contribute to
last week's Metasploit upda
Metasploit
Weekly Metasploit Update: Reasonable Disclosure, PHP EXE Wrappers, and More!
ZENWorks' Accidental Backdoor
This week, we saw the release of Metasploit exploit developer Juan Vazquez's
freshly discovered vulnerability in Novell ZENWorks. You can read all about it
in Juan's great technical blog post, but the short version for the
attention-deprived is: Novell ZENWorks ships with hard-coded credentials, which
allow for SYSTEM-level file system read access.
That seems like kind of a big deal for ZENWorks users -- namely because there's
no reasonable way to change these cred
Metasploit
Weekly Metasploit Update: RopDB, Local Exploits, Better Samples, and More!
Introducing RopDB
This week, Metasploit exploit devs Wei "sinn3r" Chen
[https://github.com/wchen-r7] and Juan Vazquez [https://github.com/jvazquez-r7]
finished up Metasploit RopDB
[/2012/10/03/defeat-the-hard-and-strong-with-the-soft-and-gentle-metasploit-ropdb]
. This advancement allows for drop-in ROP chains in new exploits, without all
that mucking around with copying and pasting mysterious binary blobs from one
exploit to the next. For the details on how to use it and what to expect in the
Metasploit
Weekly Metasploit Update: Stealing Print Jobs, Exploiting Samba, and More!
This update has something for everyone -- new exploits, new auxiliary modules,
new post modules, and even new payloads. If quadfecta is a word, we totally hit
it this week!
More Mac OSX 64-Bit Payloads
The parade of OSX 64-bit payloads continues, with five new 64-bit payloads added
this week:
* modules/payloads/singles/osx/x64/say.rb
* modules/payloads/singles/osx/x64/shell_find_tag.rb
* modules/payloads/stagers/osx/x64/bind_tcp.rb
* modules/payloads/stagers/osx/x64/reverse_tcp.rb
* modul
Metasploit
Webcast: Decrease Your Risk of a Data Breach - Effective Security Programs with Metasploit
Thanks to the many CISOs and security engineers who attended our recent
webcast, in which I presented some practical advice on how to leverage
Metasploit to conduct regular security reviews that address current attack
vectors. While Metasploit is often used for penetration testing projects, this
presentation focuses on leveraging Metasploit for ongoing security assessments
that can be achieved with a small security team to reduce the risk of a data
breach.
This webcast is now available for o
Metasploit
Weekly Metasploit Update: HP, PHP, and More!
Stupid PHP Tricks
This week's Metasploit update is a cautionary tale about running unaudited PHP
applications as part of your infrastructure. Metasploit community contributor
Brendan Coles [https://github.com/bcoles] has discovered and written Metasploit
modules for two similar root-level vulnerabilities: one for OpenFiler
[http://www.metasploit.com/modules/exploit/linux/http/openfiler_networkcard_exec]
and one for WAN Emulator
[http://www.metasploit.com/modules/exploit/linux/http/wanem_exec] (a
Metasploit
Current User psexec
At DEF CON this year I talked about some of the post exploitation capabilities
within Metasploit and demo'd a cool technique I developed with Jabra on a
pentest a year or so ago (I later found out that Mubix had come up with
basically the same idea; great minds think alike). It is essentially this: use
a session's current token to create a remote service on a victim machine.
It takes advantage of a feature in Windows that most people take completely for
granted. Given that you are already logg