Microsoft
Visualizing Microsoft Security Bulletin Supersedence
I've always been a very visual person. As a young child, I had an interesting
ability to be able to subconsciously scan the landscape and immediately pick out
things that were out of place. On my way to work or otherwise driving around
town, my eyes are scanning the passenger's, rear-view and driver's side mirrors
every few seconds looking for things that make driving around Los Angeles
perilous.
When it comes to complex problems related to security, or even just things that
may present obst
Automating the Metasploit Console
The Metasploit Console (msfconsole) has supported the concept of resource files
for quite some time. A resource file is essentially a batch script for
Metasploit; using these files you can automate common tasks. If you create a
resource script called ~/.msf3/msfconsole.rc, it will automatically load each
time you start the msfconsole interface. This is a great way to automatically
connect to a database and set common parameters (setg PAYLOAD, etc). Until this
morning, however, resource scripts w
March Microsoft Patch Tuesday Roundup
Time once again for this month's summary of the latest Microsoft Security
updates …
2 advisories, with 8 vulnerabilities covered. This is the lightest March update
since Microsoft skipped March altogether back in 2007.
Here's the breakdown:
MS10-016: Rated Important. Potential Remote Code Execution in Windows Movie
Maker, covering 1 vulnerability: CVE-2010-0265 (Buffer Overflow in Movie Maker
and Producer). A few things to note about this one ...
First, Microsoft chose not to patch the
The Story Behind NeXpose Community Edition
Hi, I'm the product manager here at Rapid7 and one of the many people behind the
Community Edition. I joined Rapid7 in July after spending my last eight years
with Red Hat. Before that, I worked at another open source software company.
Naturally, I have strong opinions on why open source and community-driven
software is a fundamentally better way to build and release software.
With that as a background, I thought I'd take some time and explain the
motivation and philosophy behind NeXpose commu
Reproducing the "Aurora" IE Exploit
Update: This module, just like the original exploit, only works on IE6 at this
time. IE7 requires a slightly different method to reuse the object pointer and
IE8 enables DEP by default.
Yesterday, a copy of the unpatched Internet Explorer exploit used in the Aurora
[http://www.wired.com/threatlevel/2010/01/hack-of-adob/comment-page-1/] attacks
was uploaded to Wepawet
[http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&type=js].
Since the code is now public, we ported thi
January Microsoft Patch Tuesday Roundup
A new year, a new decade, and time once again for this month's summary of the
latest Microsoft Security updates … actually, that's *update*.
1 update, with 1 vulnerability covered. Here's the breakdown:
MS10-001 [http://www.microsoft.com/technet/security/Bulletin/MS10-001.mspx]:
Rated Critical. Potential Remote Code Execution via integer overflow in LZCOMP
Decompressor of the Embedded OpenType (EOT) Font Engine, covering 1
vulnerability: CVE-2010-0018
[http://www.cve.mitre.org/cgi-bin/cvenam
Safe, Reliable, Hash Dumping
The Metasploit Meterpreter has supported the "hashdump" command (through the
Priv extension) since before version 3.0. The "hashdump" command is an in-memory
version of the pwdump tool, but instead of loading a DLL into LSASS.exe, it
allocates memory inside the process, injects raw assembly code, executes it via
CreateRemoteThread, and then reads the captured hashes back out of memory. This
avoids writing files to the drive and by the same token avoids being flagged by
antivirus (AV) and intrus
Exporting the Registry for Fun and Profit
Over the last few days, I have been playing with WinScanX
[http://www.windowsaudit.com/], a free command-line tool for querying Windows
service information over SMB. WinScanX combines many of the essential tools used
during a penetration test into a single utility. One of the more interesting
features
[http://windowsaudit.com/winscanx/retrieving-password-hashes-with-winscanx-y/]
is the "-y" flag, which instructs WinScanX to save a copy of the remote registry
hives for SAM, SECURITY, and SYSTEM.
Exploiting Microsoft IIS with Metasploit
As of this afternoon, the msfencode command has the ability to emit ASP scripts
that execute Metasploit payloads. This can be used to exploit the
currently-unpatched file name parsing bug feature in Microsoft IIS. This flaw
allows a user who can upload a "safe" file extension (jpg, png, etc) to upload
an ASP script and force it to execute on the web server. The bug occurs when a
file name is specified in the form of "evil.asp;.jpg" – the application checks
the file extension and sees "jpg", but
Metasploit
Metasploit Framework 3.3.3 Exploit Rankings
This morning we released version 3.3.3
[http://www.metasploit.com/framework/download/] of the Metasploit Framework -
this release focuses on exploit rankings
[https://community.rapid7.com/docs/DOC-1034], session automation, and bug fixes.
The exploit rank indicates how reliable the exploit is and how likely it is for
the exploit to have a negative impact on the target system. This ranking can be
used to prevent exploits below a certain rank from being used and limit the
impact to a particular t
Metasploit PSEXEC Scanner (via Perl)
Metasploit's psexec module is one of my favorite modules. It does exactly what I
need and it does it really well. One thing I wish that Metasploit had, is a
scanner version of the psexec exploit module. So I decided to build my own with
Perl.
Okay, assume we have the following networks: 192.168.1.0/24, 192.168.2.0/24 etc
etc... We know the local admin account is Administrator and the hash for the
account is ADMINISTRATOR:HASH.
First, we build a small Perl script to generate a configuration file
Patch Tuesday
December Microsoft Patch Tuesday Roundup
Time once again for this month's summary of the latest Microsoft Security
updates. NeXpose (including the free NeXpose Community Edition) users will have
coverage within 24 hours or less. Metasploit already had a module for the IE
exposure. Here's the breakdown ...
6 updates, with 12 vulnerabilities covered. Here's the breakdown:
MS09-069: Rated Critical. Potential Denial of Service via ISAKMP through IPsec
affecting LSASS, covering 1 vulnerability: CVE-2009-3675. Important to note that
W
Patch Tuesday
December Microsoft Patch Tuesday Preview
Sheldon here with a preview of what's coming out in next week's Microsoft Patch
Tuesday …
6 updates in total, covering 12 vulnerabilities. Windows, IE, and Office are
affected.
Bulletin 1: Remote Code Execution affects all supported Windows versions, rated
Important on most, Moderate on XP, and Critical on Server 2008. This will be
the second highest priority out of the Critical updates – particularly if you
have deployed Windows Server 2008.
Bulletin 2: Remote Code Execution doesn't aff
NeXpose Community Edition/Metasploit Integration: Responding to the Needs of Users
When we released NeXpose Community Edition and Metasploit 3.3.1 two days ago, we
received a lot of interest from members of the community. As people have
downloaded the new releases and started using them, we've had a lot of great
feedback. Your response has been exceptionally positive and people are finding a
lot of value in the NeXpose/Metasploit integration. Sincere thanks to everyone
who has provided feedback so far.
As with any free product version, there are some enterprise features that
Metasploit v3.3 Released!
HD Moore and the entire Metasploit team have released Metasploit v3.3! I'm
really excited to start using this new release as it provides tons of new
features including: 123 new exploits, 117 new auxiliary modules, support for
Vista and Windows 7, improved stability of Meterpreter, all applicable exploits
now have OSVDB references, Meterpreter with colors and much much more! More
details can be found within the Release Notes. [https://metasploit.com/]
Download Metasploit v3.3 here [https://githu