4 min
Exploits
My First Week at Metasploit
Hi all. I would like to take a minute to share some of my feelings about my
first week here as a full-time Metasploit exploit developer, and share some
exploit modules.
First of all, I would like to thank everyone on the the Metasploit team for
being so nice to me from the first week, and for helping me with anything I
need. They are definitely going easy on me during my first days! Their support
allowed me to build two exploits for the team during my first week here:
* batic_svg_java exploit
4 min
Metasploit
Top 10 Most Searched Metasploit Exploit and Auxiliary Modules
At Rapid7, we often get asked what the top 10 Metasploit modules are. This is a
hard question to answer: What does "top" mean anyway? Is it a personal opinion,
or what is being used in the industry? Because many Metasploit users work in
highly sensitive environments, and because we respect our users' privacy, the
product doesn't report any usage reports back to us.
We may have found a way to answer your questions: We looked at our
metasploit.com web server stats, specifically the Metasploit A
1 min
PCI
PCI Compliance Dashboard - New version including SANS Top20 Critical Security Controls
Hi,
According to what we are hearing from the field, there are quite a big number
out there of active users of this PCI Compliance Dashboard. Encouraged by your
feedback and your assitance we worked on this new release. Among other great
enhancements it encompasses references to the SANS Top 20 Critical Security
Controls. A deeper analysis paper on PCI-SANS matching and deviation areas will
follow but for now on, enjoy this new version of the PCI Compliance Dashboard.
What's New?
* Add a tabl
2 min
Metasploit
Weekly Metasploit Update: CCTV, SCADA, and More!
This week's update highlights Metasploit modules for embedded operating systems
(as opposed to the usual client or server targets), so let's hop to it.
Security Camera Hackers
On Tuesday, guest blogger Justin Cacak of Gotham Digital Science talked about
his module, cctv_dvr_login. The latest update for Metasploit has it now, so if
you happen to run into some of these devices, you can show off all your
Hollywood hacking skills by panning and zooming the security camera in the
executive washroom.
3 min
Metasploit
Hacking CCTV Security Video Surveillance Systems with Metasploit
From our guest blogger and Metasploit community contributor Justin Cacak at
Gotham Digital Science.
A new module for the Metasploit Framework, cctv_dvr_login
, discovers
and tests the security of standalone CCTV (Closed Circuit Television) video
surveillance systems. Such systems are frequently deployed in retail stores,
living communities, personal residences, and business environments as part of
their physical security pro
2 min
Your PCI Logbook - What is required in terms of log management?
P>D R is a well-known principle in security.
It's a principle that means that the Protective measures in place must be strong
enough to resist longer than the time required to Detect something wrong is
happening and then React.
For example, your door must be strong enough to prevent a malicious individual
from getting in for at least the amount time required to detect the incident,
alert the police, and have them arrive on site.
In this context, log management
1 min
Metasploit
Weekly Metasploit Update: Armitage, Psnuffle, and More
This week's update features a great big pile of Java source code, a makeover for
a perennial favorite feature, and a handful of new exploits. Read on, or just
skip all the yadda yadda and download Metasploit here.
Armitage Source
This week's biggest change in terms of LOC (lines of code) is the inclusion of
the Armitage source code, in external/source/armitage. For a while now, we've
been distributing Raphael Mudge's Armitage front-end for the Metasploit
Framework, but the source has been over
2 min
Getting the Most From Customizable CSV Exports - Part 9
What's up Security Street! My name is Ethan Goldstein and I am a Security
Consultant here at Rapid7. As you've seen over the past few weeks, we have been
demonstrating how data, when placed into proper context, can tell a story. It's
also important to note how powerful visualization can be. With our new custom
CSV export, we have made it easier to massage the data collected by Nexpose to
tell a variety of types of stories. These are mine *Law and Order sound*
Report 1 – Security is NOT Complian
1 min
Getting the Most From Customizable CSV Exports - Part 8
Good Day! I am Eric Pattenden, a Sales Engineer with Rapid7.
Today I bring you two additional use cases
for
the recently improved CSV data export capability featured in Nexpose
.
The Nexpose CSV Export
can
now be customized to show only desired data for discovered vulnerabilities and
t
3 min
Metasploit
Weekly Metasploit Update: Back to Work!
Hey, it's the first post-Metasploit 4.3.0 update, which means that I'm back in
the blogging business. Huzzah!
We've all been heads-down for a while getting this bad boy
out the door, so while there's not a ton
of new functionality to talk about this week, we do have some neat new modules,
and one API change for module developers.
Wake On LAN
"The most secure computer is the one that's not turned on," is an old computer
security adage, speaking to the compl
3 min
Getting the Most From Customizable CSV Exports - Part 5
Coming to you, live from Rapid7, my name is Chris Godoy and I work on the
Security Solutions team here in Boston. My colleagues and I have been posting
creative ways to take advantage of Nexpose's new and improved CSV export options
. It allows you to easily extract vital pieces of metadata from your
vulnerability scans that may not be clearly depicted in our out of the box (or
customizable) reports.
Now you can decide exactly what data fields you would like to have at your
fingertips to manipu
3 min
Getting the Most from Customizable CSV Exports - Part 4
Hi SecurityStreet, let me introduce myself. I've been an Enterprise Security
Engineer at Rapid7 for almost two years now, and have seen fads come and go.
Think 0-day Flash updates (ok – maybe not; to Adobe's credit – they've
significantly decreased their bugs as time goes on), but one theme has been
consistent – how the @#$% do I go about analyzing risk?
Analyzing risk is one of the most difficult aspects of any good risk assessment
program: risk can be broken down by device, asset classificat
1 min
Getting the Most from Customizable CSV Exports - Part 3
Hello Community! As part of the Security Solutions team here at Rapid7, I get to
work day in and day out with Nexpose users, helping them address the challenges
they face.
Nexpose can generate a tremendous amount of great, actionable risk data. On
Monday my colleague, Sean Blanton, posted a blog on the new CSV export
capabilities
in Nexpose. Throughout this week and next, the Security Solutions team is
posting examples of how
2 min
Nexpose
Getting the Most from Customizable CSV Exports - Part 2
Hi there SecurityStreet! As a Technical Proposal Writer for Rapid7, I get to do
technical deep dives of Nexpose with our Engineering and Security Solutions
teams. Lately I've had a lot of chances to describe the enhanced CSV exports
we've added in Nexpose 5.2, but up until now I haven't gotten the chance to
really show off their capabilities.
As Sean Blanton said in our first demonstration
of the new
CSV export capabilities, us
1 min
Networking
A Penetration Test is Quality Assurance for Your Security Controls
“We've spent all this money on IT security and you're still telling me that you
don't know whether our systems are secure?” your CEO might say. In addition,
they may challenge that you should know your systems well enough to know their
weaknesses? Not really.
Let's say you're a manufacturer of widgets. Even if you have the best machine
and the brightest people working for you, you'll still want to ensure that the
widgets that leave the factory will work as expected to ensure high customer
sat