25 min
Haxmas
The Ghost of Exploits Past: A Deep Dive into the Morris Worm
In this post, we will dive into the exploit development process for the three modules we created in honor of the 30th anniversary of the Morris worm.
4 min
Haxmas
Once a Haxer, Always a Haxor
Like most hackers, I liked to take apart my holiday gifts as a kid. In this blog, I take apart Amazon's voice-controlled microwave oven to see how it works.
13 min
Research
Rsunk your Battleship: An Ocean of Data Exposed through Rsync
Rapid7 Labs recently decided to take a fresh look at rsync, this time focusing on exposure of rsync globally on the public internet.
2 min
Research
Charting the Forthcoming PHPocalypse in 2019
This experiment began when Josh Frantz remarked that he would be curious about the potential exposure from the just-reached EOL date for PHP Version 7.0 and the forthcoming EOL date for PHP 5.6.
4 min
Research
This One Time on a Pen Test, Part 5: From Physical Security Weakness to Strength
During a physical social engineering penetration test, I easily got into the office with the help of a copied badge and polite employees. But would the company learn its lesson?
4 min
Research
Password Tips from a Pen Tester: Are 12-Character Passwords Really Stronger, or Just a Dime a Dozen?
On penetration tests, the three most common passwords are a variation of company name, the season/year, and a variation of “password.” But what happens if we lengthen the password requirement?
2 min
Penetration Testing
This One Time on a Pen Test, Part 4: From Zero to Web Application Admin through Open-Source Intelligence Gathering
Open source intelligence gathering (OSINT) can sometimes take a backseat to more glamorous parts of pen tests—but in this case, it saved us.
3 min
IoT
Enhancing IoT Security Through Research Partnerships
Securing IoT devices requires a proactive security approach to test both devices and the IoT product ecosystem. To accomplish this, consider setting up a research partnership.
5 min
IoT
Security Impact of Easily Accessible UART on IoT Technology
When it comes to securing IoT devices, it’s important to know that Universal Asynchronous Receiver Transmitter (UART) ports are often the keys to the kingdom for device analysis when you have physical access. For example, as part of ongoing security research and testing projects on embedded technology we own, I have opened up a number of devices and discovered a majority of them having UART enabled. Those with UART enabled have—in every case—provided a path to full root access and allowed me to
3 min
Penetration Testing
Password Tips From a Pen Tester: Common Patterns Exposed
When my colleagues and I are out on penetration tests, we have a fixed amount of time to complete the test. Efficiency is important. Analyzing password data like we’re doing here helps pen testers better understand the likelihood of password patterns and choices, and we use that knowledge to our advantage when we perform penetration testing [https://www.rapid7.com/fundamentals/penetration-testing/] service engagements at Rapid7.
In my experience, most password complexity policies require at l
2 min
InsightIDR
Rapid7 Quarterly Threat Report: 2018 Q1
Spring is here, and along with the flowers and the birds, the pollen and the never-ending allergies, we bring you 2018’s first Quarterly Threat Report [https://www.rapid7.com/info/threat-report/2018-q1-threat-report/]! For the year’s inaugural report, we pulled an additional data set: significant events. While we like to look at trends in alerts over time, there is almost never a one-alert-per-incident correlation. Adversary actions involve multiple steps, which generate multiple alerts, and aft
11 min
Research
Building a Backpack Hypervisor
Researcher, engineer, and Metasploit contributor Brendan Watters shares his experience building a backpack-size hypervisor.
8 min
Vulnerability Disclosure
Multiple vulnerabilities in Wink and Insteon smart home systems
Today we are announcing four issues affecting two popular home automation solutions: Wink's Hub 2 and Insteon's Hub. Neither vendor stored sensitive credentials securely on their associated Android apps. In addition, the Wink cloud-based management API does not properly expire and revoke authentication tokens, and the Insteon Hub uses an unencrypted radio transmission protocol for potentially sensitive security controls such as garage door locks.
As most of these issues have not yet been addres
7 min
Research
Cisco Smart Install Exposure
Cisco Smart Install (SMI) provides configuration and image management capabilities for Cisco switches. Cisco’s SMI documentation [http://www.cisco.com/c/en/us/td/docs/switches/lan/smart_install/configuration/guide/smart_install/concepts.html] goes into more detail than we’ll be touching on in this post, but the short version is that SMI leverages a combination of DHCP, TFTP and a proprietary TCP protocol to allow organizations to deploy and manage Cisco switches. Using SMI yields a number of be
5 min
Authentication
R7-2017-07: Multiple Fuze TPN Handset Portal vulnerabilities (FIXED)
This post describes three security vulnerabilities related to access controls and authentication in the TPN Handset Portal, part of the Fuze platform. Fuze fixed all three issues by May 6, 2017, and user action is not required to remediate. Rapid7 thanks Fuze for their quick and thoughtful response to these vulnerabilities:
* R7-2017-07.1, CWE-284 (Improper Access Control) [https://cwe.mitre.org/data/definitions/284.html]: An unauthenticated remote attacker can enumerate through MAC addr