3 min
Market SIEMplification or More of the SEIM?
Last week was a busy M&A week for SIEM, with IBM announcing the acquisition of
Q1 Labs and McAfee acquiring Nitro Security. We've been watching this unfold
with interest as both SIEM companies are Rapid7 technology partners. We've had
SIEM integration for our vulnerability management solution Nexpose for some
time, and back in August we introduced APIs for integrating SIEM solutions in
version 4.0 of our professional penetration testing solution, Metasploit Pro.
Nitro Security was the first to
1 min
Metasploit
Metasploit, Scanners, and DNS
One of the awesome things about the Metasploit Framework (and Ruby in general)
is that there is a strong focus on avoiding code duplication. This underlying
philosophy is why we can manage a million-plus line code base with a relatively
small team. In this post, I want to share a recent change which affects how
hostnames with multiple A records are processed by modules using the Scanner
mixin.
Quite of a few of the web's "major" properties, such as google.com, return
multiple IP addresses when
2 min
In Memory of Jeff Berger
Last Thursday morning when I got to work I was devastated to learn that Jeff
Berger, our EVP of Engineering, had passed away unexpectedly the evening
before. It caught everyone who knew him by surprise: he had seemed perfectly
healthy until then. Just the day before, Jeff and I had been working together
and joking around about my new laptop like any other day in the office. I had
no idea that those hours together would be the last time I spent with Jeff. And
later that day and Friday, as I
1 min
Can I use compensating controls to resolve vulnerabilities found during a scan?
Resolving vulnerabilities found during a scan before a passing scan result can
be issued is not always immediately possible, and sometimes the only possible
solution is the use of a Compensating Control.
Compensating controls are not meant to be the de facto response to an identified
vulnerability. Compensating controls may only be employed if a true technical
limitation or business need prevents a vulnerability from being corrected. This
is most commonly the case for zero-day vulnerabiliti
1 min
PCI
What to do if your organization can't demonstrate four passing PCI internal or external scans
Two cases:
1) Your company is assessed for the first time:
Entities participating in their first ever PCI DSS assessment are only required
to demonstrate that the most recent scan result meets the criteria for a passing
scan, and there are policies and procedures in place for future quarterly scans,
to meet the intent of this requirement. So to be compliant with 11.2 the first
time you are assessed, you only need to demonstrate that the most recent scan is
a PASS.
2) Reassessment (from th
2 min
Microsoft
Microsoft September 2011 Patch Tuesday
This month, Microsoft issued five bulletins to address 15 vulnerabilities. All
of these bulletins are rated “important”; however, while there are no “critical”
bulletins this month, organizations should not downplay the vulnerabilities
being addressed. It's easy for organizations to gain a false sense of security
during a light patch month and sometimes an attitude of complacency towards
non-critical vulnerabilities is evident.
“Important” vulnerabilities may not give attackers the full roo
2 min
Morto: Another reason to secure local user accounts
A worm abusing the Remote Desktop service is making the rounds, currently named
Morto . This worm gains
access by trying a small number of weak passwords for the local Administrator
account. After compromising the server, the worm propogates using mapped shares
and provides remote access to the worm's creator. Most public reports involve
Morto gaining access to internet-facing servers, however it is likely that once
Morto is behind a firewa
2 min
Loyalty Cards vs. Privacy Concerns
Recently, I found a pile of loyalty cards from Staples, Office Depot, Best Buy,
Ralphs, Albertson's, Von's, CVS Pharmacy, Rite-Aid, Cost Plus World Market, Van
Heusen, and Panera Bakery. I had to ask myself, how often have these allegedly
“free” cards provided discounted merchandise or free stuff? Since I have yet to
receive a free big-screen TV from BestBuy, I wonder, as an information security
professional, why do I continue to accept the idea that I'm getting something
for nothing?
When stor
1 min
Microsoft
August Patch Tuesday
Yesterday was Microsoft Patch Tuesday, with 13 bulletins issued to address 22
vulnerabilities. Of these, only two are rated “critical”; the first of which –
MS11-057 – is the latest Internet Explorer cumulative patch. Until this one is
patched, we'd recommend limiting your use of Internet Explorer to only visiting
trusted sites and remember that it's never a good idea to click on suspect or
unknown links. If users are still concerned, they may want to consider using one
of the alternate browser
1 min
Metasploit
How to Update to Metasploit 4.0
If you're packing to go to Black Hat, Defcon or Security B-Sides in Las Vegas,
make sure you also download Metasploit 4.0 to entertain you on the plane ride.
The new version is now available for all editions, and here's how you upgrade:
* Metasploit Pro and Metasploit Express 4.0: For fresh installs, download
version 4.0 of Metasploit Pro
and install. If you
already have Metasploit Pro or Metasploit Express installed, simply go t
3 min
Release Notes
Metasploit Framework 4.0 Released!
It's been a long road to 4.0. The first 3.0 release was almost 5 years ago and
the first release under the Rapid7 banner was almost 2 years ago. Since then,
Metasploit has really spread its wings. When 3.0 was released, it was under a
EULA-like license with specific restrictions against using it in commercial
products. Over time, the reasons for that decision became less important and the
need for more flexibility came to the fore; in 2008, we released Metasploit 3.2
under a 3-clause BSD licen
2 min
Metasploit
Password Cracking in Metasploit with John the Ripper
HDM recently added password cracking functionality to Metasploit through the
inclusion of John-the-Ripper in the Framework
. The 'auxiliary/analyze/jtr_crack_fast
' module was created to facilitate JtR's usage in Framework and directly into
Express/Pro's automated collection routine. The module works
3 min
Metasploit
Metasploit 4.0 is Coming Soon!
It'll only be days until you can download the new Metasploit version 4.0!
The new version marks the inclusion of 36 new exploits, 27 new post-exploitation
modules and 12 auxiliary modules, all added since the release of version 3.7.1
in May 2011. These additions include nine new SCADA exploits, improved 64-bit
Linux payloads, exploits for Firefox and Internet Explorer, full-HTTPS and HTTP
Meterpreter stagers, and post-exploitation modules for dumping passwords from
Outlook, WSFTP, CoreFTP, Sma
2 min
ASCII Artists of the World UNITE!
Are you an artist? Do you possess mad ASCII art skills? Do you like the idea
of having your artwork on the face of an open source project that's one of the
world's largest, de-facto standard for penetration testing with more than one
million unique downloads per year? Then read on!
One of the first things many people likely noticed when updating to the
Metasploit Framework version 4.0-testing was the new ASCII art. In addition to
all the new awesome features we have been adding to Metasploit
4 min
Metasploit 4.0: The Database as a Core Feature
Early in the 3.x days, metasploit had support for using databases through
plugins. As the project grew, it became clear that tighter database integration
was necessary for keeping track of the large amount of information a pentester
might encounter during an engagement. To support that, we moved database
functionality into the core, to be available whenever a database was connected
and later added postgres to the installer so that functionality could be used
out of the box. Still, the command