5 min
Metasploit
Meterpreter HTTP/HTTPS Communication
The Meterpreter payload within the Metasploit Framework (and used by Metasploit
Pro) is an amazing toolkit for penetration testing and security assessments.
Combine it with the Ruby API on the Framework side and you have the simplicity of
a scripting language with the power of a remote native process. These are the
things that make scripts and Post modules great and what we showcase in the
advanced post-exploit automation available today. Metasploit as a platform has
always had a concept of an est
11 min
Metasploit
MS11-030: Exploitable or Not?
If you weren't already aware, Rapid7 is offering a bounty
[/2011/06/14/metasploit-exploit-bounty-30-exploits-500000-in-5-weeks] for
exploits that target a bunch of hand-selected, patched vulnerabilities. There
are two lists to choose from, the Top 5 and the Top 25
[https://community.rapid7.com/docs/DOC-1467] . An exploit for an issue in the
Top 5 list will receive a $500 bounty and one from the Top 25 list will fetch a
$100 bounty. In addition to a monetary reward, a successful participant also
1 min
Metasploit
Metasploit Framework Console Output Spooling
Sometimes little things can make a huge difference in usability -- the
Metasploit Framework Console is a great interface for getting things done
quickly, but so far, has been missing the capability to save command and module
output to a file. We have a lot of small hacks that make this possible for
certain commands, such as the "-o" parameter to db_hosts and friends, but this
didn't solve the issue of module output or general console logs.
As of revision r13028 the console now supports the sp
1 min
Release Notes
Metasploit Framework 3.7.2 Released!
It's that time again! The Metasploit team is proud to announce the immediate
release of the latest version [http://metasploit.com/download/] of the
Metasploit Framework, 3.7.2. Today's release includes eleven new exploit modules
and fifteen post modules for your pwning pleasure. Adding to Metasploit's
well-known hashdump capabilities, now you can easily steal password hashes from
Linux, OSX, and Solaris. As an added bonus, if any of the passwords were hashed
with crypt_blowfish (which is the d
2 min
Metasploit
Emulating ZeuS DNS Traffic with Metasploit Framework
[UPDATE 6/28/2011] vSploit Modules will be released at DEFCON
This is a follow-up post for vSploit - Virtualizing Intrusion & Exploitation
Attributes with Metasploit Framework
[https://community.rapid7.com/blogs/rapid7/2011/06/02/vsploit--virtualizing-exploitation-attributes-with-metasploit-framework]
about using Metasploit as a way to test network infrastructure countermeasures
and coverage. I mentioned obtaining a list of suspicious domains to use for
testing organization's networking intell
2 min
Metasploit
vSploit - Virtualizing Intrusion & Exploitation Attributes with Metasploit Framework
Many organizations are making significant investments in technologies in order
to tell if they have been compromised; however, frequently they find out when it
is too late. There are several network-based attributes that, when combined,
indicate possible compromises have taken place. Many pentesters are successful
at compromising hosts; however, commonly they are restricted in what they can
and can't do. There needs to be a way that they can successfully mimic threats
and scenarios, even when re
4 min
Metasploit
Introducing msfvenom
The Metasploit Framework has included the useful tools msfpayload and msfencode
for quite some time. These tools are extremely useful for generating payloads in
various formats and encoding these payloads using various encoder modules. Now I
would like to introduce a new tool which I have been working on for the past
week, msfvenom. This tool combines all the functionality of msfpayload and
msfencode in a single tool.
Merging these two tools into a single tool just made sense. It standardizes
2 min
Metasploit
Metasploit-ation for the Nation
In a couple of weeks, our very own @Mubix (AKA Rob Fuller to those who don't
live their life with an @ sign permanently attached to their name!) will be
offering Metasploit-ation for the Nation. Unlike that phrase – which I just
made up – Mubix will actually be talking sense as he walks penetration testers
through the delightful world of Metasploit Pro in a 4-hour in-depth training
session.
Mubix took some time to answer a few questions below to give you a flavor of the
training. If you have
1 min
Metasploit
Metasploit Framework 3.7.1 Released!
Originally posted by HD Moore:
We are happy to announce the immediate availability of version 3.7.1 of the
Metasploit Framework, Metasploit Express, and Metasploit Pro. This is a
relatively small release focused on bug fixes and performance improvements.
Notable highlights include an improved IPv6 reverse_tcp stager from Stephen
Fewer, a performance improvement for HTTP services (client-side modules), a bug
fix to channel support in the PHP Meterpreter, an update to MSFGUI, and various
small
2 min
Metasploit
Metasploit Pro 3.7: Better, Faster, Stronger
Over the last two months the Rapid7 team has been hard at work rewiring the
database and session management components of the Metasploit Framework,
Metasploit Express, and Metasploit Pro products. These changes make the
Metasploit platform faster, more reliable, and able to scale to hundreds of
concurrent sessions and thousands of target hosts. We are excited to announce
the immediate availability of version 3.7 of Metasploit Pro and Metasploit
Express!
Existing customers can apply the latest s
1 min
Metasploit
Metasploit Framework 3.7.0 Released!
Originally Posted by egypt
The Metasploit team has spent the last two months focused on one of the
least-visible, but most important pieces of the Metasploit Framework: the
session backend. Metasploit 3.7 represents a complete overhaul of how sessions
are tracked within the framework and associated with the backend database. This
release also significantly improves the staging process for the reverse_tcp
stager and Meterpreter session initialization. Shell sessions now hold their
output in a ri
1 min
Metasploit
Metasploit T-Shirt Design Contest: And the Winner is...
You have voted in large numbers – and the results are out: design #36
[/servlet/JiveServlet/downloadImage/38-5353-1228/36.png] is the winner of the
Metasploit T-shirt design contest. Danny Chrastil submitted the winning design,
featuring the Metasploit logo consisting of code from the payload
osx/ppc/shell_reverse_tcp. The back shows the Metasploit splash screen cow, our
legendary creature of mystery and superstition.
A few words about the winner: Danny Chrastil aka @DisK0nn3cT is a web
appl
1 min
Metasploit
Be a Superhero: Design the New Metasploit Swag
Originally Posted by Chris Kirsch
Don't know what to wear for the next BlackHat conference? Afraid of going naked
to B-Sides? We are too, so we decided to do something about it. We're getting
ready to launch our own Metasploit designer clothes – and you're the designer!
To start off our Metasploit swag store, we'd like you to design a T-shirt. You
must submit your own, original design. To enter, add your design to our
99designs competition
[https://99designs.com/t-shirt-design/contests/t-s
2 min
Metasploit
Learn, Download & Contribute: The New Metasploit Website
Today, we relaunched the Metasploit.com site. We hope you'll find it as awesome
as we do. The new site not only has updated looks, we've also rewritten much of
its content and put it on a shiny new server to make it faster.
We mainly focused on three aspects: learn, download & contribute:
Learn – Many Metasploit newbies told us they found it hard to get started with
the Metasploit Framework, so we took a fresh look at our website to design it so
that new Metasploit Framework users would fin
2 min
Metasploit
Metasploit Version 3.6 Delivers Enhanced Command-Line Options and PCI Reports
Originally Posted by Chris Kirsch
All Metasploit editions are seeing an update to version 3.6 today, including an
enhanced command-line feature set for increased proficiency and detailed PCI
reports with pass/fail information for a comprehensive view of compliance
posture with PCI regulations.
Here's an overview of what's new:
The new Metasploit Pro Console offers powerful new features that help
professional penetration testers complete their job more efficiently in their
preferred environmen