Nexpose
How to Exploit A Single Vulnerability with Metasploit Pro
Metasploit Pro's smart exploitation function is great if you want to get a
session quickly and don't care about being "noisy" on the network, but there are
certain situations where you may want to use just one exploit:
* You're conducting a penetration test and want to exploit just one
vulnerability so you don't draw too much attention (i.e. you want to use a
sniper rifle, not a machine gun)
* You're a vulnerability manager and want to validate just one vulnerability to
know whether
Metasploit
Remote-Controlling Metasploit Through APIs
Metasploit offers some great ways to automate its functionality through a
programming interface. Metasploit users have built custom tools and processes
based on this functionality, saving them time to conduct repetitive tasks, or
enabling them to schedule automated tasks. Our most advanced customers have even
integrated Metasploit Pro into their enterprise security infrastructure to
automatically verify the exploitability of vulnerabilities to make their
vulnerability management program more ef
Metasploit
Weekly Metasploit Update: Subverting NATs, 64-bit LoadLibrary Support, and More!
NAT-PMP'ing is now easy
This week, we have three new modules and an accompanying Rex protocol parser for
the NAT Port-Mapping Protocol (NAT-PMP
[https://en.wikipedia.org/wiki/NAT_Port_Mapping_Protocol]), the ad-hoc router
management protocol favored by Apple. Over the weekend, Rapid7 Lead Security
Engineer and confessed protocol nerd Jon Hart forgot the password to a
little-used Airport base station, so rather than merely resetting the device, he
instead busted out a trio of Metasploit modules t
Metasploit
Metasploit Updated: Forensics, SCADA, SSH Public Keys, and More
Been a busy week here at Metasploit, so let's get to it.
Forensics-Centric Updates
New this week is Brandon Perry's offline Windows registry enhancements.
Featuring a pile of extensions to Rex (Metasploit's general purpose parsing
library) and the tools/reg.rb utility, this update builds on TheLightCosine's
ShadowCopy library and makes life a lot easier for the forensics investigator
looking to parse through Windows registry hives. Brandon goes into the technical
details over here
[https://com
Metasploit
Adventures in the Windows NT Registry: A step into the world of Forensics and Information Gathering
As of a few days ago [https://github.com/rapid7/metasploit-framework/pull/98],
the Metasploit Framework has full read-only access to offline registry hives.
Within Rex you will now find a Rex::Registry namespace that will allow you to
load and parse offline NT registry hives (includes Windows 2000 and up),
implemented in pure Ruby. This is a great addition to the framework because it
allows you to be sneakier and more stealthy while gathering information on a
remote computer. You no longer need
Metasploit
Metasploit Framework Updated: Railgun, AIX, and More
Time for another Metasploit Update - this week we've got some new goodies for
Meterpreter's Railgun, SSH, AIX, and a few new exploit modules. Enjoy!
Railgun Updates
Metasploit open source contributors Chao-Mu and kernelsmith have been busy over
the last month or so, cranking out a pile of commits to Railgun in order to
facilitate Windows API error message handling. For you non-post module
developers, Railgun is a super-handy Meterpreter extension that "turns Ruby into
a weapon," and you can get
Nexpose
Three Ways to Integrate Metasploit With Nexpose
Metasploit has three ways to integrate with Nexpose vulnerability scanner. I've
heard some confusion about what the different options are, so I'd like to
summarize them here briefly:
1. Importing Nexpose reports: This is a simple, manual file import. Apart from
Nexpose, Metasploit can import about 13 different third-party reports from
vulnerability management solutions and web application scanners. This
feature works in all Metasploit editions.
2. Initiate a Nexpose scan from M
Metasploit
Metasploit Updated: Year in Review
Turns out, the week between Christmas and New Year's was pretty slow, at least as
far as Metasploit Framework development was concerned. This release has a few
small spot fixes on Framework, and a handful of new modules.
ShadowCopy
The most significant addition to the framework was TheLightCosine's work on the
appropriately scary-sounding ShadowCopy library. Based on the research published
by Tim Tomes and Mark Baggett [https://www.scmagazine.com/security-weekly], the
modules implementing this l
Metasploit
Creating a FISMA Report in Metasploit Pro
If you're working in IT security in U.S. federal government, chances are that
you have to comply with the Federal Information Security Management Act of 2002
(FISMA). With Metasploit Pro
[https://www.rapid7.com/products/metasploit/download/], you can generate FISMA
compliance reports that map penetration testing findings to controls, as
recommended by Special Publication 800-53a (Appendix G) published by the
National Institute of Standards and Technology (NIST) and by Consensus Audit
Guidelines
Metasploit
How to Leverage the Command Line in Metasploit Pro
"I'm more comfortable with the Metasploit command line," is an objection I often
hear from long-time Metasploit Framework users who are thinking about purchasing
a copy of Metasploit Pro or Metasploit Express. What many penetration testers
don't know is that you can use the command line in the commercial Metasploit
editions, and leverage their advantages at the same time.
Reporting: The commercial Metasploit editions include one-click reporting that
includes any work you have completed on the
Metasploit
Jumping to another network with VPN pivoting
VPN Pivoting is one of the best but also most elusive features in Metasploit
Pro, so the best way to understand it is to see it in action. That's why I've
decided to post a snippet of a recent webinar, where HD Moore demonstrates this
feature.
VPN pivoting enables users to route any network traffic through an exploited
host with two NICs to a different network. For example, you could run nmap,
Metasploit network discovery, or Nexpose vulnerability scans through the VPN
pivot. Using a TUN/TAP adaptor on the Metasploit
Exploits
Metasploit Updated: Telnet Exploits, MSF Lab, and More
It's Wednesday, and while many of you are enjoying the week off between
Christmas and New Year's, we've been cranking out another Metasploit Update.
Telnet Encrypt Option Scanner and Exploits
I won't rehash this subject too much since HD already covered these modules in
depth here
[https://community.rapid7.com/community/solutions/metasploit/blog/2011/12/27/bsd-telnet-daemon-encrypt-key-id-overflow]
and here
[https://community.rapid7.com/community/solutions/metasploit/blog/2011/12/28/more-fun-wi
Metasploit
More Fun with BSD-derived Telnet Daemons
In my last post [/2011/12/28/bsd-telnet-daemon-encrypt-key-id-overflow], I
discussed the recent BSD telnetd vulnerability and demonstrated the scanner
module added to the Metasploit Framework. Since then, two new exploit modules
have been released: one for FreeBSD versions 5.3 - 8.2
[https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/freebsd/telnet/telnet_encrypt_keyid.rb]
and another for Red Hat Enterprise Linux 3
[https://github.com/rapid7/metasploit-framework/blob/ma
Metasploit
Fun with BSD-Derived Telnet Daemons
On December 23rd, the FreeBSD security team published an advisory
[http://security.freebsd.org/advisories/FreeBSD-SA-11:08.telnetd.asc] stating
that a previously unknown vulnerability in the Telnet daemon was being exploited
in the wild and that a patch had been issued. This vulnerability was interesting
for three major reasons:
1. The code in question may be over 20 years old and affects most BSD-derived
telnetd services
2. The overflow occurs in a structure with a function pointer store
Metasploit
Metasploit Updated: Trivial Access to TFTP
The Metasploit Update is out, and it's a little smaller than you might expect.
We've recently rejiggered our development-to-QA-to-release workflow here at
Rapid7, and that means that this week, we cut the release a couple of days
earlier than usual in order to ensure the workflow all makes sense and that the
releases get the post-commit QA attention they deserve. The end result is
that we'll have a pretty light release this week (due to the shortened
development cycle), but going forward, wee