Posts by Rapid7

Metasploit DDoS Redux

The good news is that the DDoS against the Metasploit web servers has stopped, the bad is that I won't have time to go into the details of the attack and the mitigation methods until next week. All Metasploit services should be operational again, please let me know if you find something broken. I would like to thank everyone who offered us assistance during the attack, without their help this would have been much more frustrating. The bandwidth graph for the affected period can be seen below.

Pathetic DDoS vs Metasploit (Round 3)

The incoming connection rate has exceeded 15Mbps of just SYN packets, so we decided to point www.metasploit.com and metasploit.com back to 127.0.0.1 for a little while. This is more to keep our ISP happy than any fear of bandwidth charges. We ran a packet capture of the incoming SYN traffic for about 8 hours; it takes up approximately 60Gb of disk space. In the meantime, if you want to access the Metasploit web site, please use: https://www.metasploit.com/ Thanks! -HD

Pathetic DDoS vs Metasploit (Round 2)

It looks like our little DDoS buddy got sent home from school early today -- the flood started up again, this time ignoring the DNS name for the metasploit.com web site and instead targeting both IP addresses configured on the server. While SSL service is still unaffected (including Online Update over SVN), folks who wish to visit the Metasploit web site will need to do so using an alternate port until we roll out the next countermeasure. We also host the main web server for Attack Research.

Metasploit Decloak v2 (UnAnonymizer)

The Metasploit Decloak Engine [http://metasploit.com/data/decloak/] is now back online with a handful of new updates and bug fixes. Decloak identifies the real IP address of a web user, regardless of proxy settings, using a combination of client-side technologies and custom services. The first version was announced in June of 2006 [http://archives.neohapsis.com/archives/fulldisclosure/2006-06/0695.html] and was eventually made obsolete by changes to the Flash plugin and improvements in the Tor

MS08-068: Metasploit and SMB Relay

Today, Microsoft released bulletin MS08-068, which addresses a well-known flaw in the SMB authentication protocol. This attack was first publicly documented by Sir Dystic during @tlantacon in 2001 and implemented in Metasploit 3 in July of 2007. The attack abuses a design flaw in how SMB/NTLM authentication is implemented and works as follows. The SMB client tries to access a remote SMB service on an attacker's machine. A user can be forced to access the SMB resource if they are running Intern

Metasploit 3.2 BSD Licensing

The slides from the talk egypt and I gave at SecTOR 2008 are now online [http://metasploit.com/research/conferences/]. One of the highlights was a change in licensing -- instead of the existing EULA-like license, the 3.2 release will be provided under the 3-clause BSD license. The text below is an extended version of a rant I shared with Kelly Jackson Higgins over at Dark Reading [http://www.darkreading.com/document.asp?doc_id=165636&WT.svl=news1_2]. The original version of Metasploit (1.0 and

Metasploit (2**5/10.0)

Silence can mean one of two things - the project is dead, or we are working on some really big things and aren't quite ready to announce them. Well, the project is not dead. In the next two weeks, some major changes will be announced that cover the source code, development team, and licensing of the Metasploit Framework. Folks who have been following the development tree may not be surprised, but we are taking some giant steps forward from the 3.1 release. In the meantime, users should stay away

Improved WinDBG opcode searching

Being goaded by some coworkers about the opcode searching functionality of windbg prompted me to add a new option to jutsu today: searchOpcode. You can search for sets of instructions in conjunction; it will assemble them, providing you the machine code, then search for the instructions in executable memory. Instructions are delimited by pipes. I plan to add some limited wildcard functionality in the near future as well. 0:000> !jutsu searchOpcode  pop ecx | pop ecx | ret [J] Searching for: >  pop e

Byakugan WinDBG Plugin Released!

Today, HD merged in an amalgamation of windbg tools and plugins with a funny name into the main metasploit tree. We've been working on this collection for awhile now, and currently it represents (I think) a good step towards turning windbg from simply a good debugger into a powerful platform for exploit development. The work that's currently released includes: tenketsu - the vista heap emulator/visualizer which allows you to track how input to a program affects the heap in real time. jutsu

Karmetasploit Wireless Fun

I just posted the first public documentation on Karmetasploit. This project is a combination of Dino Dai Zovi and Shane Macaulay's KARMA [http://www.theta44.org/karma/index.html] and the Metasploit Framework. The result is an extremely effective way to absorb information and remote shells from the wireless-enabled machines around you. This first version is still a proof-of-concept, but it already has an impressive feature list: - Capture POP3 and IMAP4 passwords (clear-text and SSL) - Accept

DNS Attacks in the Wild

In a recent conversation with Robert McMillan (IDG), I described an in-the-wild attack against one of AT&T's DNS cache servers, specifically one that was configured as an upstream forwarder for an internal DNS machine at BreakingPoint Systems. The attackers had replaced the cache entry for www.google.com with a web page that loaded advertisements hidden inside an iframe. This attack affected anyone in the Austin, Texas region using that AT&T Internet Services (previously SBC) DNS server. The att

Evilgrade Will Destroy Us All

Francisco Amato of Infobyte Security Research [http://www.infobyte.com.ar] just announced ISR-evilgrade v1.0.0 [http://www.infobyte.com.ar/developments.html], a toolkit for exploiting products which perform online updates in an insecure fashion. This tool works in conjunction with man-in-the-middle techniques (DNS, ARP, DHCP, etc) to exploit a wide variety of applications. The demonstration video [http://www.infobyte.com.ar/demo/evilgrade.htm] uses the CAU/Metasploit DNS exploit [/2008/07/24/baili

BailiWicked

If you haven't already noticed by now, we've recently published two modules which exploit Kaminsky's DNS cache poisoning flaw. I'll get to those in a second, but first a word about disclosure. In the short time that these modules have been available, I've received personal responses from a LOT of people, spanning the spectrum from "OMG how could you do this to the Internet users???" to "Great work, now I know what I'm up against... We need more open researchers like you guys." In all honest

METASPLOIT UNLEASHES VERSION 3.1

Austin, Texas, January 28th, 2008 -- The Metasploit Project announced today the free, world-wide availability of version 3.1 of their exploit development and attack framework. The latest version features a graphical user interface, full support for the Windows platform, and over 450 modules, including 265 remote exploits. "Metasploit 3.1 consolidates a year of research and development, integrating ideas and code from some of the sharpest and most innovative folks in the security research comm

Cracking the iPhone (part 2)

In part one of "Cracking the iPhone", I described the libtiff vulnerability, its impact on iPhone users, and released the first version of my hacked up debugger. In this post, I will walk through the process of actually writing the exploit. First off, a new version of weasel (hdm-0.02 [http://metasploit.com/users/hdm/tools/weasel-hdm-0.02.tar.gz]) has been released. This version includes an entirely new disassembly backend, courtesy of libopcodes, and supports thumb-mode instructions. Thumb is