4 min
Vulnerability and Threat Data Export Leveraging "XML Export 2.0" format
A vulnerability management solution like Nexpose is often used by organizations
to provide risk-based insight for potential and real threats. Nexpose provides
product reporting capabilities that help organizations clearly prioritize their
risk based on such aspects as exploitability, availability of malware kits and
weighted and temporal risk scores. Frequently, organizations leverage this rich
threat data in XML format in conjunction with other enterprise security tools
such as SIEM, GRC, IPS,
3 min
Metasploit
Weekly Metasploit Update: Spiceworks, AFP, RDP, and a New HTTP Downloader
After a couple of relatively light weeks (blame SXSW, I guess), this week's
update has quite a few neat new additions. As always, if you don't already have
Metasploit, what are you waiting for
? For the rest of us,
here's what's new.
Importapalooza
This week's update has support for importing asset lists exported from
Spiceworks, courtesy of Rapid7's Brandon Perry. Spiceworks is a free asset
management application used by tons of IT pros and
1 min
Release Notes
SOC Monkey - FREE and in the App Store Now!
The name's Monkey. SOC Monkey.
I'm here to provide you with a new free app for the iPhone/iPad/iPod Touch that
will search through infosec topics that are trending on the social web. I'll
also rank them based on what the biggest news items and hottest topics are, so
you can make sure to get your banana's worth.
Now, I'm not going to just barrage you with links. I'm going to use my
incredibly advanced simian brain to curate these news items, so you can focus
more on what you need to get don
3 min
Metasploit
Weekly Metasploit Update: Session Smarts and GitHub
It's another Metasploit update, and it's headed straight for us!
Session Smarts
This week, Metasploit session management got a whole lot smarter. Here's the
scenario: As a penetration tester, you rook a bunch of people into clicking on
your browser-embedded Flash exploit , sit back, and
watch the sessions rolling in. However, they're all behind a single NAT point,
so all your sessions appear to be terminating at a single IP address, and you
quickly lose track of who's
4 min
Javascript
Java API Client - How to Augment It and Share with the Community
The prerequisite is that you get the client: clee-r7/nexpose_java_api · GitHub
This blog post will show you how to augment the java api client and use it in 4
easy steps.
The Java API client uses XML templates to generate requests. Browse to the
src/org/rapid7/nexpose/api folder within the API source code, you will see the
templates for the currently supported API client requests. i.e:
AssetGroupSaveRequest.xml.
There are currently 2 versions of
1 min
Nexpose
How to Check for Remote Desktop Protocol (RDP) Services
There are many organizations concerned with the critical Microsoft Security
Bulletin MS12-020
Remote Desktop
Protocol (RDP) vulnerability. Here is a quick way to check if you have Remote
Desktop Protocol running on your system or network. I used NMAP
to check my home network.
In the highlighted text below you can see that NMAP can check for the RDP
service running. If you can't patch, this is important because at
3 min
Metasploit
New Metasploit Swag Store Is Online
You may remember the awesome Metasploit T-shirt contest we ran in April of last
year .
We received a ton of submissions at the time and selected a winning T-shirt,
designed by Danny Chrastil.
It was a long and arduous journey for us to get the T-shirts printed and to get
the back-end systems up and running for the Metasploit Swag Store
...but it's finally here. Yes, you'll
notice tha
3 min
URI Parsing: It's harder than you think... or is it?
I have to admit, parsing a URI is tricky. Most Metasploit modules try to do it
with some kind of crazy custom regex-fu, but unfortunately most of them are kind
of buggy. Because of this, I've committed a new patch to HttpClient -- a
target_uri function that can automatically parse the URI for you. It's only a
4-line change, but should change the way we code HTTP-related modules.
Before I demonstrate how you can take advantage of target_uri, I should briefly
explain why you should avoid doing
2 min
Metasploit
Weekly Metasploit Update: Wmap, Console Search, and More!
In addition to the nuclear-powered exploit, we've got a new slew of updates,
fixes and modules this week for Metasploit, so let's jump right into the
highlights for this update.
Updated WMAP Plugin
Longtime community contributor Efrain Torres provided a much-anticipated update
to the Wmap plugin. Wmap automates up a bunch of web-based Metasploit modules
via the Metasploit console, from HTTP version scanning to file path bruteforcing
to blind SQL injection testing. If you're not already familiar
2 min
Metasploit
Weekly Metasploit Update: POSIX Meterpreter and New Exploits
This is a pretty modest update, since it's the first after our successful 4.2
release last week. Now
that 4.2 is out the door, we've been picking up on core framework development,
and of course, have a few new modules shipping out.
Meterpreter Updates
James "egyp7" Lee and community contributor mm__ have been banging on the POSIX
side of Meterpreter development this week, and have a couple of significant
enhancements to Linux Meterpreter. T
2 min
Microsoft
Information Disclosure: Out of Office Auto Replies
Out of office replies are a blessing and a curse for organizations from an
operational security perspective. Many of the out of office auto replies I
receive contain too much information. Since many security professionals are at
the RSA Conference this week I've had plenty hit my inbox. This is nothing
compared to December around the holiday season. Like anything the information in
the replies can be used for good and bad. Good people are trying to ensure that
work continues while they are away
2 min
Nexpose
Rapid7 Wins Coveted SC Magazine Award for Best Vulnerability Management Tool
Thorsten George, VP of Worldwide of Marketing and
Products for Agiliance on the left and
Bernd Leger, VP of Marketing, Products &
Solutions at Rapid7 on the right
Sitting in a room of hundreds of industry leaders and security vendors, it was
extremely gratifying to hear our name called and being asked on stage to receive
one of the coveted SC Magazine Awards last night in San Francisco. Rapid7 won
the prestigious “Best Vulnerability Management Tool” Award in the Reader's Trust
Award Category.
2 min
Quality Security: People, Process, and Products
Here at Rapid7 we have tons of talented people across the board, sometimes it's
scary. One of the people who I've interacted with a lot is Jennifer Benson, our
VP of Customer Experience. Through Jen I have found that three tenants of
People, Process, and Products (the 3Ps) are very handy when it comes down to
delivering just about anything. We use the 3Ps here at Rapid7 to deliver quality
customer experiences. Jen is very smart and she breaks many things down by using
the 3Ps. There is a reason
1 min
Metasploit
Free Microsoft Virtual Machines for Testing
I am often asked how security professionals and students can safely test
security software. My usual response is, they should create a virtual lab with
diverse operating systems for testing. The problem that many encounter is they
don't have licenses available to install the operating systems.
During my creating and testing the Metasploit Javascript Keylogger, I came
across free virtual machines from Microsoft that are sure to be useful to
security professionals, web designers, and web programm
1 min
Nexpose
Nexpose Java API
We are really excited to see the Nexpose community coming up with all sorts of
cool and useful ways to automate Nexpose via our APIs. Since we have published
our Ruby and .Net
API client libraries, we have had
some requests for a Java library as well. And now we have open sourced a Java
based library for accessing the
Nexpose API. This library is BSD licensed s