Metasploit
Metasploit Now Supports Kali Linux, the Evolution of BackTrack
Today, our friends at Offensive Security announced Kali Linux, which is based on the philosophy of an offensive approach to security. While defensive solutions are important to protect your network, it is critical to step into the shoes of an attacker to see if they're working. Kali Linux is a security auditing toolkit that enables you to do just that: test the security of your network defenses before others do.
Kali is a free, open sour
Exploits
Exploit for new Vulnerability on Honeywell EBI ActiveX (CVE-2013-0108)
Today, we present to you a new vulnerability, CVE-2013-0108, discovered in Honeywell Enterprise Buildings Integrator (EBI) R310 - R410.2. This platform is used to integrate different systems and devices such as heating, ventilation, and air conditioning (HVAC) controls; security; access control; life sa
New Heap Spray Technique for Metasploit Browser Exploitation
Browser vulnerabilities have always been serious threats in today's security trends. It's almost becoming too common to see people dropping browser 0days to beef up botnets, or deploying them for "sophisticated" APT-level attacks, etc. Although browser 0days surface more frequently than ever, some of the techniques don't seem to change much. The most common trick you'll see is a heap spray
Compliance
Malicious SSIDs And Web Apps
On February 13th 2013, Cisco released a security notice related to CVE-2013-1131. According to Cisco, the vulnerability is due to improper validation of the Service Set Identifier (SSID) when performing a "site survey" to discover other wireless networks. On the face of it, this vulnerability seems to be low-risk. Indeed, site surveys are not often performed and an adversary would need to either be incredibly luc
Nexpose
Making the Nexpose Gem Easier to Use
To make API access to Nexpose easier, work is underway to make the Nexpose Gem easier to use. For those unfamiliar with the gem, it is a Ruby library that allows for easier scripting against a Nexpose security console.
Changes to Site
Making changes to a site configuration through the gem used to be a little complex. The attributes on the configuration were locked down from editing, and sometimes buried deep in structures that mirrored th
Metasploit
Weekly Update: Splitting DNS Modules and a D-Link Auth Bypass
DNS Module Split up
This week, we appear to have a whole bunch of new DNS-based enumeration and information gathering modules. In fact, this was actually more of a housekeeping chore, largely by longtime Metasploit contributor Carlos @darkoperator Perez. Darkoperator wrote most of the original enum_dns module as well.
enum_dns became a bit of a junk drawer of DNS functionality -- it did a whole bunch of everything for DNS. So, instead of just tacking on more and more over time, it's been split
IT Ops
Per-log retention period
Typically, you would like to keep logs from a development environment (with all debugging messages enabled) for only a limited amount of time, while keeping production logs far longer. Up to now you had to set the retention period for the whole account, keeping development logs longer than needed. We are happy to announce per-log retention configuration! It lets you fine-tune your retention policy beyond what the default per-account setting allows. To set a new log retent
Vulnerability Correlation -- Enabled by Default
Vulnerability correlation is a feature of Nexpose where a vulnerable result from one vulnerability can be overridden by an invulnerable result from another. As an example of how this works and why it is a useful option to have enabled, take CVE-2011-3192, a fun DoS vulnerability that affected Apache HTTPD back in 2011. Nexpose has one unauthenticated vulnerability check (let's call it V1) that will run against all discovered Apac
Metasploit
Weekly Update: Corelan, MSFTidy, and UNC Path Injection
28 Hours Later
This week, much of the Metasploit Framework and Metasploit Pro teams here at Rapid7 had the opportunity to get some intense, in-person training on exploit development from long-time Metasploit contributor Peter corelanc0d3r Van Eeckhoutte and local Corelan teammates @_sinn3r and TheLightCosine. I'm the first to admit that my memory corruption skills are pretty light (I hang arou
Metasploit
How to Verify that the Payload Can Connect Back to Metasploit on a NATed Network
If you are running an external penetration test and are working from a NATed network behind a wireless router, for example from home, you will need to adjust your router's port forwarding settings so the payload can connect back to Metasploit. The best option would be to eliminate the router and connect directly to the Internet, but that would make me unpopular with the other folks sharing the Internet connection, so it wasn't an option in my case. Setting up the port forwarding is not too diffi
Patch Tuesday - February 2013 Edition!
It's another busy month of patching for Microsoft administrators, with a number of high priority fixes getting out. On the plus side, none of the issues patched this month are known to be actively exploited "in the wild".
The highest risk vulnerabilities, and thus the most important to patch, are MS13-009, MS13-010, MS13-011, & MS13-020.
MS13-009 is a cumulative patch addressing 12 CVEs for Internet Explorer.
MS13-010 was indicated as an Internet Explorer patch in the advance notificati
Getting Started with the Nexpose Virtual Appliance
Rapid7 now offers a Virtual Appliance to get started quickly with Nexpose. You can get started with the Nexpose Enterprise Virtual Appliance or the Nexpose Community Virtual Appliance. If you are an existing customer, please contact Support for more information.
The Nexpose Virtual Appliance is pre-configured with the following h
Metasploit
Security Flaws in Universal Plug and Play: Unplug, Don't Play
This morning we released a whitepaper entitled Security Flaws in Universal Plug and Play. This paper is the result of a research project spanning the second half of 2012 that measured the global exposure of UPnP-enabled network devices. The results were shocking, to say the least. Over 80 million unique IPs were identified that responded to UPnP discovery requests from the internet. Somewhere between 40 and 50 million IPs are vulnerable to at least one of three attacks outlined in this paper.
Exploits
Ray Sharp CCTV DVR Password Retrieval & Remote Root
On January 22, 2013, a researcher going by the name someLuser detailed a number of security flaws in the Ray Sharp DVR platform. These DVRs are often used for closed-circuit TV (CCTV) systems and security cameras. In addition to Ray Sharp, the exposures seem to affect rebranded DVR products by Swann, Lorex, URMET, KGuard, Defender, DEAPA/DSP Cop, SVAT, Zmodo, BCS, Bolide, EyeForce, Atlantis, Protectron, Greatek, Soyo, Hi-View, Cosmos, and J2000. The vulnerabilities allow for unauthenticated acce
New VMware ESX/ESXi coverage is elegant in its simplicity
The Nexpose coverage team is dedicated to providing weekly updates to the Nexpose vulnerability database so that you can have the assurance that your assets are protected against the latest security vulnerabilities. For this week's release, the coverage team is proud to present a complete overhaul of our VMware ESX/ESXi content.
Why, you may ask?
In our old coverage model, we connected to the ESX or ESXi server via an authenticated SSH session to retrieve a list of installed patches on the serv