1 min
MsfPayload and MsfEncode are Being Removed from Metasploit
Oh hi folks,
Last year on December 9th, we made an official announcement about deprecating
MsfPayload and MsfEncode. They are being replaced by msfvenom. Well, today is
the day we pull the plug. We are currently in the process of removing these two
utilities, and in a day or two you will never see them from upstream again.
If you are still not so familiar
2 min
Metasploit
Metasploit Framework Rails 4.0 Upgrade
It is always a running battle to keep an application's backend up to date with
various technologies. Today, we are excited to announce that Metasploit
Framework now ships with Rails 4.0.
Upgrades like this are sometimes hard to get excited about because if everything
goes well, users should see no difference. There are many reasons to upgrade to
Rails 4, though.
Why Upgrade
Here are the important reasons to upgrade from our perspective:
* Security is a b
2 min
Vulnerability Disclosure
Remote Coverage for MS15-034 HTTP.sys Vulnerability (CVE-2015-1635)
Patch Tuesday last week saw the release of Microsoft security bulletin MS15-034,
which addresses CVE-2015-1635, a remote code execution vulnerability in
Microsoft Internet Information Services (IIS) running on Windows 7 / Server 2008
R2 and later. This vulnerability can be trivially exploited as a denial of
service attack by causing the infamous Blue Screen of Death (BSoD) with a simple
HTTP request.
In order to provide better assessment of your ass
2 min
Vulnerability Disclosure
Breaking down the Logjam (vulnerability)
What is it
Disclosed on May 19, 2015, the Logjam vulnerability (CVE-2015-4000) is a flaw in
common TLS implementations that can be used to intercept secure communications.
This TLS protocol vulnerability would allow an active man-in-the-middle (MITM)
attacker to silently downgrade a TLS session to export-level Diffie-Hellman
keys. The attacker could hijack this downgraded session b
1 min
Metasploit
2015 Metasploit T-Shirt Design Contest: It's On!
Hacker-designers! We need you! Show us your graphic skills, design an epic
Metasploit t-shirt, and win Eternal Fame and Glory!
Ahem, er, rather, we're looking for someone to design this year's Metasploit
t-shirt.
And if you are this year's winning Metasploit t-shirt designer, you will get
$230USD and the notoriety and/or immense personal satisfaction in knowing that
you're the 2015 Metasploit t-shi
3 min
Vulnerability Disclosure
How Poisonous is VENOM (CVE-2015-3456) to your Virtual Environments?
Today CrowdStrike disclosed VENOM (Virtualized Environment Neglected Operations
Manipulation) or CVE-2015-3456, a vulnerability
that could allow an attacker with access to one virtual machine to compromise
the host system and access the data of other virtual machines. It's been a few
months since we've seen a branded and logo'd vulnerability disclosure, and the
main question everyone wants to know is wh
2 min
Availability of Metasploit Community & Metasploit Pro Trials Outside US & Canada
Due to changes in regulatory requirements that are applicable to Metasploit (Pro
and Community) and similar products, as of Sunday, April 19, 2015, individuals
outside of the US and Canada who would like to use Metasploit Pro or the
Metasploit Community Edition will need to request a
license and provide additional information regarding themselves or their
organization designation. In accordance with the
2 min
Compliance
Top 3 Takeaways from the "PCI DSS 3.0 Update"
In this week's webcast, Jane Man and Guillaume Ross
revisited the latest PCI DSS 3.0 requirements. Security
professionals need to be diligent to remain compliant and secure. Jane and
Guillaume discussed some key results from the Verizon 2015 PCI Compliance
Report, tips and tricks for complying with requirements 7, 8, and 10, and
touched upon upcoming changes in v3.0 and v3.1. Read on for the top 3 takeaways
from the “PCI DSS 3.0 Update: How to Restrict
5 min
Metasploit
Unicode Support in Meterpreter
A short, mostly-accurate history of character encodings
In the beginning, when you wanted to use a computer to store text, there were
not many options - you inherited something from punchcards like EBCDIC or
invented something convenient and unique to your system. Computers did not need
to talk to each other, so there was not much point in standardizing between
vendors. Things were pretty simple.
Then, there came the need for computers and vendors to interoperate and
communicate. Thus, ASCII an
8 min
Metasploit
Meterpreter Survey 2015: You spoke, we listened, then wrote a bunch of code.
The Survey
One month ago we asked the community for feedback about how they use Metasploit
and what they want to see in the Meterpreter payload suite going forward. Over
the course of a week we received over 400 responses and over 200 write-in
suggestions for new features. We have spent the last month parsing through your
responses, identifying dependencies, and actively delivering new features based
on your requests. These requests covered 20 different categories:
General Feedback Metasploit F
6 min
Incident Detection
Let's talk about metrics...
Today I read an article on metrics and it was interesting. Here's the link to
the original article.
I am kind of a metrics geek. When done well, a metrics program can be of extreme
value to a security program. However, when done badly, they can cloud your
vision and make it difficult to notice that your radar is off by a few degrees.
The article addressed severa
10 min
Deep Dive Into Stageless Meterpreter Payloads
Metasploit has long supported a mixture of staged and stageless payloads within
its toolset. The mixture of payloads gives penetration testers a huge collection
of options to choose from when performing exploitation. However, one option has
been missing from this collection, and that is the notion of a stageless
Meterpreter payload. In this post, I'd like to explain what this means, why you
should care, and show how the latest update to Metasploit and Meterpreter
provides this funky new feature
5 min
Using Host Tagging in Metasploit for Penetration Testing
Hello my fellow hackers! Tag, you're it!
For today's blog post, I'd like to talk about host tagging a little bit in
Metasploit. If you are a penetration tester, a CTF player, or you just pop a lot
of shells like a rock star, then perhaps this will interest you. If you have
never used this kind of feature, then hopefully this blog post will bring you a
new idea on how to approach host management.
So what is host tagging? Well, the idea is simple really. It's a way to label
your targets and make
7 min
Logentries
The Flexbox Paradigm: CSS3 Layout for Today’s Applications
Introduction
Controlling the layout of web pages and applications has always been a little
tricky. In the beginning, there were almost no mechanisms for page layout, other
than some basic formatting of HTML tags. We could apply some font styling, add
background colors, and with the use of paragraphs and line breaks could achieve
some block spacing.
The introduction and evolution of CSS gave us further control, but more
importantly, control over the element's box model. We could now f
3 min
Events
The Return of Rapid7 Rapid Fire: A spirited infosec debate, round 3
The topics: Controversial. The answers: Unfiltered. The alcohol: Plentiful.
I'm talking about Rapid7 Rapid Fire -- it's happening for a third time this June
in Boston. Bonus: This year, it's totally free and open to the public, so please
join us!
What is it?
It's a panel debate where we ask some big names in infosec to argue for or
against a number of controversial topics in our field. To make things
interesting, the panelists are often asked to debate a side of the argument they
might not ev