Metasploit
Current User psexec
At DEF CON this year I talked about some of the post exploitation capabilities
within Metasploit and demo'd a cool technique I developed with Jabra on a
pentest a year or so ago (I later found out that Mubix had come up with
basically the same idea - great minds think alike). It is essentially this: use
a session's current token to create a remote service on a victim machine.
It takes advantage of a feature in Windows that most people take completely for
granted. Given that you are already logg
Networking
Weekly Metasploit Update: SAP, MSSQL, DNS, and More!
Zone Transfers for All
This week, Metasploit community contributor bonsaiviking
fixed up the DNS library that Metasploit uses
so we won't choke on some types of zone transfer responses. Turns out, this is a
two-year-old bug, but DNS servers that actually offer zone transfers are so rare
anymore that this bug didn't manifest enough to get squashed.
This brings me to a larger point -- with older vulnerabilities like these,
sometimes the hardest part for us
Metasploit
Mobile Pwning: Using Metasploit on iOS
Have you ever wanted to run an exploit but found yourself away from your desk?
Wouldn't it be awesome if you could launch a full version of the Metasploit
Framework from your phone or tablet? As you might have guessed, now you can.
With an adventurous spirit and a few commands, you can be running the Metasploit
Framework on your iPad or iPhone in just a few short minutes.
Warning: To install Metasploit, you'll need root access to your device – which
is accomplished by following your favorite ja
Adobe Flash Player Exploit CVE-2012-1535 Now Available for Metasploit
Edit: Aug 26 2012.
Recently, a new Adobe Flash vulnerability (CVE-2012-1535) was being
exploited in the wild as a zero-day in limited targeted attacks, in the form of
a Word document. The Metasploit team managed to get our hands on the malware
sample, and began our voodoo ritual in order to make this exploit available in
the Metasploit Framework. Although Adobe officially has already released a
patch (APSB12-18
Metasploit
Weekly Metasploit Update: Trusted Path Switcheroo, Stack Cookie Bypass, and More
Another week, another fifteen new modules for Metasploit. I continue to be
amazed by the productivity of our open source exploit developer community.
Thanks so much for your hard work and effort, folks!
New Module for Trusted Path Switcheroo
As I was going over this week's new modules, one that jumped out at me was Wei
"sinn3r" Chen's implementation of a general Trusted Path insertion attack,
Windows Service Trusted Path Privilege Escalation. I don't recall running into
this attack scenario bef
The Stack Cookies Bypass on CVE-2012-0549
In this blog post we would like to share some details about the Oracle AutoVue
exploit for CVE-2012-0549 which we've recently added to the Metasploit
Framework. This module exploits a buffer overflow flaw, discovered by Brian
Gorenc.
The problem arises when you call the SetMarkupMode function from the AutoVue
control (clsid B6FCC215-D303-11D1-BC6C-0000C078797F) with a long sMarkup
parameter. The buffer overflow, even when triggered through an API from the
AutoVue control, happens in AvMarkupX
Product Updates
Weekly Metasploit Update: Two Dozen New Modules
The Vegas and vacation season is behind us, so it's time to release our first
post-4.4.0 update. Here we go!
Exploit Tsunami
A few factors conspired to make this update more module-heavy than usual. We
released Metasploit 4.4 in mid-July. Historically, a dot version release of
Metasploit means that we spend a little post-release time closing out bugs,
performing some internal housekeeping that we'd been putting off, and other
boring software engineering tasks. Right after this exercise, it was
Malware
Analysis of the FinFisher Lawful Interception Malware
It's all over the news once again: lawful interception malware discovered in the
wild being used by government organizations for intelligence and surveillance
activities. We saw it last year when the Chaos Computer Club unveiled a trojan
being used by the federal government in Germany, WikiLeaks released a collection
of related documents in the Spy Files, we read about an alleged offer from Gamma
Group to provide the toolkit FinFisher to the Egyptian government, and we are
reading once again now
Malware
Cuckoo Sandbox 0.4 Simplifies Malware Analysis with KVM support, Signatures and Extended Modularity
That's right, the much anticipated and long awaited 0.4 release is finally here!
Just like divas arrive late at the gala, we took some more time than expected,
but are now worthy of a triumphant entrance.
If you're not familiar with Cuckoo Sandbox, it's an open source solution for
automating malware analysis.
What does that mean? Simply that you can throw any suspicious file at it and
after a few seconds it will give you back detailed information on what that file
does when executed inside a
Tutorial: Using web command injection vulnerability to gain administrative shell on Windows web server
In this video, a Windows web server is hosting Mutillidae web application which
contains a command injection vulnerability.
Using command injection to exploit the Mutillidae web application, we gain a
root shell (Administrative Windows cmd shell). The server is fully patched with
anti-virus running and a firewall blocking port 23. Additionally the telnet
service is disabled. With the command injection vulnerability, this video
demonstrates how misconfiguring web services can have serious conseq
Video: Introduction to basic host and service discovery scanning
During the early portion of the scanning phase of pen testing, locating active
hosts and identifying the services on open ports is critical in order to
determine exposed systems.
The video was recorded at the May ISSA Kentuckiana monthly workshop in
Louisville and covers basic host discovery scanning. Port scanning and service
discovery are covered as well as reporting results. Some of the tools used are
nmap, xprobe2, hping3, tcpdump and amap.
The speaker is Jeremy Druin (@webpwnized) and was
Metasploit
Weekly Metasploit Update: RATs, WPAD, and More!
Just a quick update this week for some new Metasploit modules. We're holding off
on the usual Framework and Pro enhancements as we button up the next point
release for Metasploit Pro, Express, and Community Editions. That said, we do
have a few neat new modules that I wanted to highlight, so let's take a look.
Hacking the Hackers
This week's haul includes something a little unusual -- an exploit for Poison
Ivy, a blackhat-favored Remote Administration Tool (RAT). Community contributor
Gal Badishi
Exploits
Exploit Trends: New Microsoft and MySQL Exploits Make the Top 10
The new Metasploit exploit trends are out, where we give you a list of the top
10 most searched Metasploit exploit and auxiliary modules from our exploit
database (DB). These stats are collected by
analyzing searches on metasploit.com in our webserver logs, not through usage of
Metasploit, which we do not track for privacy reasons.
In June 2012, we also have three new entries on the list, and seven existing
contenders. Here they are, annotated with Tod Beardley's ex
Tutorial: How to Scan Exploit Metasploitable-2 using Metasploit, Nexpose, nessus, Nmap, and John-the-Ripper
This video tutorial covers exploiting Metasploitable-2 to get a root shell and
eventually a terminal via a valid "sudo-able" login over SSH.
Two machines, a test host (Backtrack 5-R2) and a target host (Metasploitable-2),
are set up on a VirtualBox host-only network. With this lab network set up, the
demonstration walks through a practice pen-test using the phases of recon,
scanning, exploitation, post-exploitation, and maintaining access. (Covering
tracks and reporting are not covered. Recon is
Metasploit
Weekly Metasploit Update: Sniffing with Meterpreter, Egg Hunting, and More!
This week's update has seven new modules, a much-anticipated Meterpreter
enhancement, and more, so let's jump into it.
Egg Hunting and Stack Smashing
This week's update features a spiffy new module for HP Data Protector from Juan
Vazquez and Wei 'sinn3r' Chen. It uses an egg hunting technique to reconstruct
the exploit's payload -- and both Wei and Juan have detailed blog posts in the
works that go into detail on the whys and wherefores of egghunter shellcode and
troubleshooting payload de