All Posts

3 min Nexpose

"Informational" Vulnerabilities vs. True Vulnerabilities

A question that often comes up when looking at vulnerability management tools is, “how many vulnerability checks do you have?” It makes sense on the surface; after all, fewer vulnerability checks = less coverage = missed vulnerabilities during a scan, right? As vulnerability researchers would tell you, it's not that simple: just as not all vulnerabilities are created equal, neither are vulnerability checks. How “True”

5 min Automation and Orchestration

Inspecting Network Traffic with tcpdump

Synopsis Tcpdump, as the name suggests, captures and dumps (writes) the network traffic passing through a given server’s or node’s network interfaces. It is a classic command line tool written in 1987 and remains one of the most powerful tools for analyzing network traffic. The many options and filters available in the tool make it easier to slice and dice the data. The data can then be used by network administrators and enthusiasts for many purposes such as security & forensic analyses, trouble s

5 min Automation and Orchestration

How to Install OpenVPN on Windows

Synopsis With the growth of online privacy and security concerns, as well as people wanting to work around geo-restrictions, VPNs are becoming much more mainstream. They no longer rest in the realm of security professionals and the overly paranoid. OpenVPN is the most secure VPN protocol you can use and this guide will teach you what it is, as well as how to install it on Windows. If you are looking to install OpenVPN on another operating system, visit their website

4 min Incident Detection

Web Shells 101: Detection and Prevention

2016 has been a big year for information security, as we've seen attacks by both cybercriminals and state actors increase in size and public awareness, and the Internet of Things comes into its own as a field of study. But today we'd like to talk about a very old (but no less dangerous) type of attacker tool – web shells – and new techniques Rapid7 is developing for identifying them quickly and accurately. What is a Web Shell? Web shells are web-based applications that provide a threat actor wi

2 min Metasploit

Metasploitable3 CTF Competition: Update and Leaderboard!

The Metasploitable3 Capture The Flag Competition has been underway for about a week now and the submissions have been pouring in! We're very excited to see so many great submissions. We're reviewing as fast as we can so if you don't hear back from us right away, don't worry, you will. For all valid submissions we will update this blog post and subsequent ones with the le

5 min IT Ops

The Generosity of Thought: Caring and Sharing in the Open Source Community

I want to share something with you that is pretty amazing. But, before I do, allow me to provide the backstory. The Backstory I’ve been using Open Source Software (OSS) for a while now. I started with the big ones, Apache , Maven , MySQL , etc…. But, as time went on and my work became more specialized, I started using smaller projects. When you use the big projects such as Maven and Apache, there’s a boatload of books, video

3 min Komand

3 Steps for Effective Information Security Event Triage [Infographic]

Before you jump into action when a security alarm sounds, you need to first assess what happened. Pulling together the details of the event will help you determine if there is a real security incident, and if so, how you will need to respond. But often in the frenzy of security alerts, we get caught up in processes or start jumping to conclusions without enough info. This can lead to a haphazard incident response. From my experience, there's a simpler way; one that is efficient, not bogged dow

4 min Automation and Orchestration

Burp Series: Intercepting and modifying made easy

Synopsis As a penetration tester I have many tools that I use to help with web application testing, but the one tool that never lets me down is Burp Suite by PortSwigger. Burp Suite is an intercepting proxy that allows you to modify and inspect web traffic; it comes in two flavors, free and paid. The free version is powerful enough to assist any pen test engineer, whereas the paid version will add extra features to make your tests go smoother and faster. I am going to walk you through the beg

2 min

Metasploit Wrapup 12/9/16

Finding stuff For a very long time, msfconsole's search command has used a union of the results of all search terms. This means that if you do something like search linux firefox, you'll get a list of all modules that mention linux, regardless of the application they target, and all modules that mention firefox, regardless of their platform. Most people are probably expecting the intersection, i.e. you probably wanted to see only the modules that target Firefox on Linux. So now that's what happe

7 min Komand

How to Render Components Outside the Main ReactJS App

We use React here at Komand as one of our core libraries in our front-end applications and while it does a great job of abstracting away the code for managing the DOM, sometimes that can be problematic. With React, you have JSX which is just XML sugar for declaring what DOM elements you want React to render. React just renders the elements where they are defined within the JSX. For example, this JSX… <div className="content"> Content <Modal> I'm a modal </Modal> </div> ... would res

3 min Nexpose

Nexpose Dimensional Data Warehouse and Reporting Data Model: What's the Difference?

The Data Warehouse Export recently added support for a Dimensional Model for its export schema. This provides a much more comprehensive, accessible, and scalable model of data than the previous (now referred to as "Legacy") model. The foundation for this dimensional model is the same as the Reporting Data Model, which backs the built-in reporting for SQL Query Export. So what exactly is the difference between the Reporting Data

5 min IT Ops

Solving the expression problem

If you look at any OO-based codebase of a nontrivial size, you’ll find well understood behavior formalized and encapsulated through the effective use of polymorphism: either via interfaces which decouple calling code from a type’s implementation, or via subtyping to share code common to multiple types. To take an example from a statically typed language like Java, let’s look at the Map interface and a few of its implementations in the standard library: A receiving method which

3 min IoT

IoT Security vs Usability

Recently we all have found ourselves talking about the risk and impact of poorly secured IoT technology and who is responsible. Fact is, there is enough blame to go around for everyone, but let's not go there. Let us start focusing on solutions that can help secure IoT technology. Usability has been an issue that has plagued us since the beginning of time. As an example, just going back to my youth and seeing my parents' VCR flashing 12:00 all the time. We laugh at that, because it showed us thei

4 min Metasploit

Metasploitable3 Capture the Flag Competition

UPDATE: Leaderboard can be found on this new post! Plus, some notes that may be helpful. Exciting news! Rapid7 is hosting a month-long, world-wide capture the flag(s) competition! Rapid7 recently released Metasploitable3, the latest version of our attackable, vulnerable environment designed to help security professionals, students, and researchers alike hone their skills and practice their craft. I

6 min Honeypots

Introduction to Honeypots

Synopsis With an ever-increasing number of methods and tactics used to attack networks, the goal of securing a network must also continually expand in scope. While traditional methods such as IDS/IPS systems, DMZs, penetration testing and various other tools can create a very secure network, it is best to assume vulnerabilities will always exist, and sooner or later, they will be exploited. Thus, we need to continuously find innovative ways of countering the threats, and one such way is to depl