Posts tagged Metasploit

2 min Product Updates

Weekly Update: Smaller is Better

In this week's episode, the role of Tod Beardsley will be played by egypt. Smaller is better: Perhaps the most prominent addition to the framework this week is not an addition at all, but rather a deletion. We've been working toward a slimmer, more manageable source tree for a while now, and as part of that effort, we recently removed a pile of old-and-busted unit tests. This update goes a bit further, moving source code for some compiled payloads into separate repositories. Metasploit's version

3 min Product Updates

Weekly Update: The Nginx Exploit and Continuous Testing

Nginx Exploit for CVE-2013-2028: The most exciting element of this week's update is the new exploit for Nginx which exercises the vulnerability described by CVE-2013-2028 [http://mailman.nginx.org/pipermail/nginx-announce/2013/000112.html]. The Metasploit module was written by Metasploit community contributors hal and saelo, and exploits Greg McManus's bug across a bunch of versions on a few pre-compiled Linux targets. We don't often come across remote, server-side stack buffer overflows in popul

3 min Metasploit

Weekly Update: 4.6.1, ColdFusion Exploit, and SVN Lockdown

Metasploit 4.6.1 Released: This week's update bumps the patch version of Metasploit to 4.6.1 (for installed versions of Metasploit). The major change here is the ability to install Metasploit on Windows 8 and Windows Server 2012. That meant we had to fiddle with the installer and a few of Metasploit Pro's dependencies to get that all working correctly, and that led to skipping last week's release so we could be sure all the moving parts lined up correctly. This release also fixes a few minor iss

3 min Metasploit

Git Clone Metasploit; Don't SVN Checkout

TL;DR: Please stop using SVN with svn co https://www.metasploit.com/svn/framework3/trunk and start using the GitHub repo with git clone git://github.com/rapid7/metasploit-framework As of today, a few of you may notice that an attempt to update Metasploit Framework over SVN (instead of git or msfupdate) results in an authentication request. If you try to SVN checkout on Windows, using TortoiseSVN, you will see a pop up much like this: For command line people, if you try to 'svn co' or 'svn

1 min Metasploit

Metasploit's 10th Anniversary: Laptop Decal Design Competition

When I wrote up the Metasploit Hits 1000 Exploits post back in December, I had to perform a little open source forensic work to get something resembling an accurate history of the Metasploit project -- after all, it's difficult for me to remember a time on the Internet without Metasploit. I traced the first mention of 1.0 back to this mailing list post [http://marc.info/?l=pen-test&m=106548308908767&w=2] in 2003. You know what that means, right? This year marks the 10th year of the Metasploit Fr

4 min Metasploit

How To Do Internal Security Audits Remotely To Reduce Travel Costs

An internal penetration test simulates an attack on the network from inside the network. It typically simulates a rogue employee with user-level credentials or a person with physical access to the network, such as cleaning staff, trying to access resources on the network they're not authorized for. Internal penetration tests typically require the auditor to be physically present in the location. If you are working as a consultant, then conducting internal penetration tests can mean a lot of

2 min Metasploit

Metasploit Now Supports Kali Linux, the Evolution of BackTrack

Today, our friends at Offensive Security announced Kali Linux [http://www.kali.org/offensive-security-introduces-kali-linux/], which is based on the philosophy of an offensive approach to security. While defensive solutions are important to protect your network, it is critical to step into the shoes of an attacker to see if they're working. Kali Linux is a security auditing toolkit that enables you to do just that: test the security of your network defenses before others do. Kali is a free, open sour

3 min Metasploit

Weekly Update: Splitting DNS Modules and a D-Link Auth Bypass

DNS Module Split up: This week, we appear to have a whole bunch of new DNS-based enumeration and information gathering modules. In fact, this was actually more of a housekeeping chore, largely by longtime Metasploit contributor Carlos @darkoperator Perez. Darkoperator wrote most of the original enum_dns module as well. enum_dns became a bit of a junk drawer of DNS functionality -- it did a whole bunch of everything for DNS. So, instead of just tacking on more and more over time, it's been split

2 min Metasploit

Weekly Update: Corelan, MSFTidy, and UNC Path Injection

28 Hours Later: This week, much of the Metasploit Framework and Metasploit Pro teams here at Rapid7 had the opportunity to get some intense, in-person training on exploit development from long-time Metasploit contributor, Peter corelanc0d3r [https://twitter.com/corelanc0d3r] Van Eeckhoutte and local Corelan Teammates @_sinn3r [https://twitter.com/_sinn3r] and TheLightCosine [https://twitter.com/thelightcosine]. I'm the first to admit that my memory corruption skills are pretty light (I hang arou

2 min Metasploit

How to Verify that the Payload Can Connect Back to Metasploit on a NATed Network

If you are running an external penetration test and are working from a NATed network behind a wireless router, for example from home, you will need to adjust your router's port forwarding settings so the payload can connect back to Metasploit. The best option would be to eliminate the router and connect directly to the Internet, but that would make me unpopular with the other folks sharing the Internet connection, so it wasn't an option in my case. Setting up the port forwarding is not too diffi

3 min Metasploit

Security Flaws in Universal Plug and Play: Unplug, Don't Play

This morning we released a whitepaper entitled Security Flaws in Universal Plug and Play. This paper is the result of a research project spanning the second half of 2012 that measured the global exposure of UPnP-enabled network devices. The results were shocking to say the least. Over 80 million unique IPs were identified that responded to UPnP discovery requests from the internet. Somewhere between 40 and 50 million IPs are vulnerable to at least one of three attacks outlined in this paper.

3 min Metasploit

The Forgotten Spying Feature: Metasploit's Mic Recording Command

About two years ago, Metasploit implemented [https://github.com/rapid7/metasploit-framework/commit/2e72926638b0fb972a26b2c1a3b040cf4cc224f2] the microphone recording feature to stdapi thanks to Matthew Weeks [https://twitter.com/scriptjunkie1]. And then almost a year ago, we actually lost that command [https://github.com/rapid7/metasploit-framework/commit/42719ab34bb9ca51d2cd623777662fc2253857f1] due to a typo. We, and apparently everyone else, never noticed that until I was looking at th

5 min Product Updates

Update to the Metasploit Updates and msfupdate

The Short Story: In order to use the binary installer's msfupdate, you need to first register your Metasploit installation. In nearly all cases, this means visiting https://localhost:3790 [https://localhost:3790/] and filling out the form. No money, no dense acceptable use policy, just register and go. Want more detail and alternatives? Read on. Background: A little over a year ago, Metasploit primary development switched to Git as a source control platform and GitHub as our primary source hos

1 min Metasploit

Hacking like it's 1985: Rooting the Cisco Prime LAN Management Solution

On January 9th Cisco released advisory cisco-sa-20130109 [https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130109-lms] to address a vulnerability in the "rsh" service running on their Cisco Prime LAN Management Solution virtual appliance. The bug is as bad as it gets - anyone who can access the rsh service can execute commands as the root user account without authentication. The example below demonstrates how to exploit this flaw using Metasploit. First off, the

2 min Metasploit

Weekly Metasploit Update: Rails Scanning, ZDI, and Exploit Dev

Rails Injection Bug: The big news this week turned out to be the new Rails injection bug, aka, CVE-2013-0156, which you can read about in detail over on HD Moore's blog post. Soon after the vulnerability was disclosed, @hdmoore had a functional auxiliary scanner module put together, so as of this moment, you're encouraged to scan the heck out of your environment, repeatedly, for vulnerable Rails apps. Every Rails application developed and deployed is vulnerable to this (absent a fix or workaround