Posts tagged Open Source

3 min Research

Open-Source Security: Getting to the Root of the Problem

The past few weeks have shown us the importance and wide reach of open-source security.

4 min Open Source

Security at Scale in the Open-Source Supply Chain

Securing supply chains based on open-source software requires scalable vulnerability management and vigilant monitoring.

13 min Vulnerability Disclosure

Multiple Open Source Web App Vulnerabilities Fixed

While it's never great to learn of new vulnerabilities in your own product, all three project maintainers accepted, validated, and provided fixes for these vulnerabilities within one day, which is amazing when it comes to vulnerability disclosure.

3 min Open Source

Rapid7 and Velociraptor Join Forces

Rapid7 has acquired a digital forensics and incident response (DFIR) framework called Velociraptor.

3 min Risk Management

Meet AttackerKB

Meet AttackerKB: a new community-driven resource that highlights diverse perspectives on which vulnerabilities make the most appealing targets for attackers.

2 min Metasploit Weekly Wrapup

Metasploit Wrap-Up: 3/27/20

Three new modules, including a post module to automate the installation of an embeddable Python interpreter on a target, and a new exploit for Microsoft SharePoint Workflows.

22 min Research

DOUBLEPULSAR RCE 2: An RDP Story

In this sequel, wvu [https://github.com/wvu-r7] recounts the R&D (in all its imperfect glory) behind creating a Metasploit module for the DOUBLEPULSAR implant's lesser-known RDP variant. If you're unfamiliar with the more common SMB variant, you can read our blog post [/2019/10/02/open-source-command-and-control-of-the-doublepulsar-implant/] detailing how we achieved RCE with it. Table of Contents 0. Background 1. Extracting the implant 2. Installing the implant 3. Pinging the implant 4.

2 min Windows

Metasploit Framework Open Source Installers

Rapid7 has long supplied universal Metasploit installers for Linux and Windows. These installers contain both the open source Metasploit Framework as well as commercial extensions, which include a graphical user interface, metamodules, wizards, social engineering tools and integration with other Rapid7 tools. While these features are very useful, we recognized that they are not for everyone. According to our recent survey of Metasploit Community users, most only used it for the open source comp

3 min Metasploit

12 Days of HaXmas: Metasploit, Nexpose, Sonar, and Recog

This post is the tenth in a series, 12 Days of HaXmas, where we take a look at some of more notable advancements and events in the Metasploit Framework over the course of 2014. The Metasploit Framework [https://www.metasploit.com/download/] uses operating system and service fingerprints for automatic target selection and asset identification. This blog post describes a major overhaul of the fingerprinting backend within Metasploit and how you can extend it by submitting new fingerprints. Histo

3 min Open Source

Metasploit Weekly Update: On Breaking (and Fixing!) Security Software

Attacking Security Infrastructure This week, one module stands out for me: the Symantec Endpoint Protection Manager Remote Command Execution by xistence [https://github.com/xistence], who built on the proof-of-concept code from Chris Graham [http://www.exploit-db.com/exploits/31853/], who turned that out after Stefan Viehbock's disclosure from last week. You can read the full disclosure text from SEC Consult Vulnerability Lab [https://sec-consult.com/vulnerability-lab/], and get an idea of the s

0 min Metasploit

SecureNinjaTV Interview: Tod Beardsley About Metasploit 10th Anniversary

At Black Hat 2013 in Vegas this year, our very own Tod Beardsley was cornered by SecureNinja TV and social engineered into giving an interview. Here is the result - captured for eternity: [http://www.youtube.com/watch?v=yFHA5F2crFE&feature=youtu.be] Click here to download Metasploit Pro [https://www.rapid7.com/products/metasploit/download/]

5 min Exploits

Security Death Match: Open Source vs. Pay-for-Play Exploit Packs

In the blue corner: an open-source exploit pack. In the red corner: a pay-for-play incumbent. As a security professional trying to defend your enterprise against attacks, which corner do you bet on for your penetration tests? What's the goal of the game? Okay, this is a loaded question, because it really depends on what your goal is. If you are like 99% of enterprises, you'll want to protect against the biggest and most likely risks. If you are the 1% that comprise defense contractors and the