2 min
Metasploit Weekly Wrapup
Metasploit Wrapup: Nov. 17, 2017
This is a time of year when many folks in the U.S. reflect on things in their
lives that they are thankful for. There’s also usually a turkey involved, but we
figured we’d pardon the bird this wrapup and just focus on things we Metasploit
folks here at Rapid7 are thankful for.
Community Contributors
We are SUPER THANKFUL for our community contributors
an
2 min
Public Policy
Welcome transparency on US government's process for disclosing vulnerabilities
The White House recently released details on the US government's process for disclosing - or retaining - zero-day vulnerabilities. The new VEP charter provides answers to several key questions, but it remains to be seen how it will operate in practice.
3 min
Deploying CSP Properly
Browser makers began implementing the Content Security Policy, or CSP,
specification back in 2011. Since then, many development teams and organizations
have adopted CSP wholeheartedly to try and thwart XSS attacks, but it seems the
effort may have been wasted for the majority.
To analyze recent CSP adoption, Google performed an Internet-wide analysis
on a search engine corpus of approximately 100 billion pages from over 1 billion
hostnames; the result covers CSP deployments on 1,680,867 hos
4 min
Threat Intel
Simplicity, Harmony, and Opportunity: Rapid7 Threat Report Q3 2017
John Archibald Wheeler, the theoretical physicist who first coined the term
“wormhole” (and therefore brought us Deep Space 9) once listed Albert Einstein’s
Three Rules of Work:
> Out of clutter find simplicity; from discord find harmony; in the middle of
difficulty lies opportunity.
These rules seemed fitting for our third quarter threat report. Q3 brought
us plenty of clutter, discord, and difficulty, but in this threat repo
1 min
Patch Tuesday
Patch Tuesday - November 2017
Web browser issues account for two thirds of this month's patched
vulnerabilities, with 24 CVEs for Edge and 12 for Internet Explorer being fixed. Many of these
are classified as Critical (allowing code execution without user interaction).
This is no surprise, as browser bugs are typically well represented on Patch
Tuesdays. On top of this are five Adobe Flash Player vulnerabilitie
2 min
Application Security
Takeaways from 2017 SANS State of Application Security Survey
The training and research organization SANS recently released their 2017 State
of Application Security survey results. The new report proves that now, more
than ever, organizations need to invest in solutions that automate application
security testing in order to reap benefits like:
* Identifying security vulnerabilities earlier in the development cycle, when
they’re cheaper to fix.
* Reduced friction between Security and Development
3 min
GDPR
GDPR Preparation: November – Form & Storm
With just over six months to go until the General Data Protection Regulation
(GDPR) comes into force,
organizations that handle the personal data of EU citizens are preparing for
this new compliance regulation. If you’ve not gotten started yet, or your plans
are still in their infancy, we’re creating a series of helpful blog posts to see
you through to May 25th 2018.
With holiday season fast approaching in many parts of the world, getting you
4 min
Penetration Testing
Metasploit MinRID Option
We’ve added a new option to the smb_lookupsid Metasploit module. You can
now specify your starting RID.
Wait, What Does This Module Do Again?
As a penetration tester, one of the first things I try to do on an internal
network is enumerate all of the domain users so that I can perform login attacks
against them. It would be a noteworthy risk if we could do that anonymously,
because that means that any malicious actor who can
2 min
Metasploit Weekly Wrapup
Metasploit Wrapup: Nov. 11, 2017
Metasploit kicked November off to a roaring start with a wholesome dose of RCE,
LPE, command injection, DoS, and more fixes/improvements.
So many file choosers…but which one to choose?
Big ups to @RootUP for the DoS module targeting a vulnerability in IBM’s Lotus
Notes client (CVE-2017-1130). The DoS module targets the web interface via malicious
JavaScript (😱). An enterprising ‘sploiter can s
3 min
Stopping Command Injection Attacks by Instrumenting Application Runtimes
Command injection (CMDi) attacks are suspected to be behind several high-profile
data breaches recently.
Command Injection Attacks – A Clear and Present Danger
The massive data breach at Equifax was due to a vulnerability in a popular web
framework that allowed attackers to penetrate their systems
t
4 min
Automation and Orchestration
How to Securely Handle a Lost or Stolen Device: A Practical Workflow
It’s 10pm and you receive an email from a teammate that their laptop was stolen
at a local networking event. You learn that not only was their computer
unlocked, but they were logged into their company email and Salesforce accounts
at the time the device was stolen.
Devices like laptops and phones hold a lot more value than the technology
itself. Everything from customer data to company files and account logins are
stored and easily accessible on these devices, making them easy targets for data
3 min
Cybersecurity
NCSAM Security Crash Diet: Wrap-up
Wow, it’s November 7 already, and I still have all my National Cyber Security
Awareness Month decorations up! I really need to take care of those. But, before I get to taking
down all my 2FA authentication token lawn decorations, I figured it’d be a good
time to chat it up with Olivia, and see how her NCSAM crash diet went.
Tod: So, over the course of the month, what’s the one task you performed that
benefited you the most?
Olivia:
5 min
Metasploit
Testing Developer Security with Metasploit Pro Task Chains
In this modern age, technology continues to make inroads into all sorts of
industries. Everything from smartphones to late-model automobiles to
internet-connected toasters requires software to operate, and this proliferation
of software has brought along gaggles of software developers with their
tools-of-the-trade. All this technology —not to mention the people utilizing it—
can result in an increased attack surface for organizations doing software
development.
In this blog post, we’ll explore
2 min
InsightIDR
Faster Investigations, Closer Teamwork: InsightIDR Enhancements
Incident investigations aren’t easy. Imagine investigation as a 100-piece jigsaw puzzle, except there are a million unarranged pieces to build from. Top analysts need to know what “bad” looks like and how to find it, and they must bring a sharp Excel game to stitch everything together...
2 min
Metasploit Weekly Wrapup
Metasploit Wrapup: Nov. 3, 2017
What’s New?
This week’s release sees multiple improvements and corrections, some years in
the making! We fixed an interesting bug in the initial handshake with
meterpreter that caused some payload callbacks to fail, improved error and
information reporting in other modules, and then @h00die ran spellcheck!
New (and Improved!) Modules (2 New):
After three years, @wvu’s tnftp aux module grew up to become a strong,
well-rounded explo