
Approaching Metasploit 3.4.0 and Metasploit Express

Since mid-December, the Metasploit team has been working non-stop towards version 3.4.0 of the Metasploit Framework. The final release is still scheduled for mid-May, but I wanted to share some of the upcoming features, available today from the development tree. Version 3.4.0 includes major improvements to the Meterpreter payload, the expansion of the framework's brute force capabilities, and the complete overhaul of the backend database schema and event subsystem. In addition, more than 60 exp


April Microsoft Patch Tuesday Roundup

Time for this month's summary of the latest Microsoft Security updates … 11 advisories, with 25 vulnerabilities covered. 5 Critical; 5 Important; 1 Moderate. This is the heaviest April update we've seen; we generally see 5-8 updates in April and 25 vulnerabilities breaks the 2009 April record of 21. The SMB DoS issue is being addressed, rated Important and affecting Windows & Exchange. 2 issues affecting Office, both of which are rated Important. The other 8 affect Windows with 5 Crit


Persistent Meterpreter over Reverse HTTPS

Botnet agents and malware go through inordinate lengths to hide their command and control traffic. From a penetration testing perspective, emulating these types of communication channels is possible, but often requires a custom toolkit to be deployed to the target. In this post I will walk through using the standard Metasploit Meterpreter payload as a persistent encrypted remote control tool. First things first, grab the latest version of Metasplo


March Microsoft Out-Of-Band Patch Tuesday Roundup

Brief summary of today's Out-Of-Band Microsoft Security update … 1 Cumulative IE update, with 10 vulnerabilities covered. While Out-Of-Band updates are not unheard of (this is the second one so far this year), 10 vulnerabilities covered is a lot. Here's the breakdown: MS10-018: Rated Critical. Cumulative update for Internet Explorer, covering 10 vulnerabilities: CVE-2010-0267 (Uninitialized Memory Corruption) CVE-2010-0488 (Post Encoding Information Disclosure) CVE-2010-0489 (Race C


Visualizing Microsoft Security Bulletin Supersedence

I've always been a very visual person. As a young child, I had an interesting ability to be able to subconsciously scan the landscape and immediately pick out things that were out of place. On my way to work or otherwise driving around town, my eyes are scanning the passenger's, rear-view and driver's side mirrors every few seconds looking for things that make driving around Los Angeles perilous. When it comes to complex problems related to security, or even just things that may present obst


Automating the Metasploit Console

The Metasploit Console (msfconsole) has supported the concept of resource files for quite some time. A resource file is essentially a batch script for Metasploit; using these files you can automate common tasks. If you create a resource script called ~/.msf3/msfconsole.rc, it will automatically load each time you start the msfconsole interface. This is a great way to automatically connect to a database and set common parameters (setg PAYLOAD, etc). Until this morning, however, resource scripts w


March Microsoft Patch Tuesday Roundup

Time once again for this month's summary of the latest Microsoft Security updates … 2 advisories, with 8 vulnerabilities covered. This is the lightest March update since Microsoft skipped March altogether back in 2007. Here's the breakdown: MS10-016: Rated Important. Potential Remote Code Execution in Windows Movie Maker, covering 1 vulnerability: CVE-2010-0265 (Buffer Overflow in Movie Maker and Producer). A few things to note about this one ... First, Microsoft chose not to patch the


The Story Behind NeXpose Community Edition

Hi, I'm the product manager here at Rapid7 and one of the many people behind the Community Edition. I joined Rapid7 in July after spending my last eight years with Red Hat. Before that, I worked at another open source software company. Naturally, I have strong opinions on why open source and community-driven software is a fundamentally better way to build and release software. With that as a background, I thought I'd take some time and explain the motivation and philosophy behind NeXpose commu


Reproducing the "Aurora" IE Exploit

Update: This module, just like the original exploit, only works on IE6 at this time. IE7 requires a slightly different method to reuse the object pointer and IE8 enables DEP by default. Yesterday, a copy of the unpatched Internet Explorer exploit used in the Aurora attacks was uploaded to Wepawet. Since the code is now public, we ported thi


January Microsoft Patch Tuesday Roundup

A new year, a new decade, and time once again for this month's summary of the latest Microsoft Security updates … actually, that's *update*. 1 update, with 1 vulnerability covered. Here's the breakdown: MS10-001: Rated Critical. Potential Remote Code Execution via integer overflow in LZCOMP Decompressor of the Embedded OpenType (EOT) Font Engine, covering 1 vulnerability: CVE-2010-0018


Safe, Reliable, Hash Dumping

The Metasploit Meterpreter has supported the "hashdump" command (through the Priv extension) since before version 3.0. The "hashdump" command is an in-memory version of the pwdump tool, but instead of loading a DLL into LSASS.exe, it allocates memory inside the process, injects raw assembly code, executes it via CreateRemoteThread, and then reads the captured hashes back out of memory. This avoids writing files to the drive and by the same token avoids being flagged by antivirus (AV) and intrus


Exporting the Registry for Fun and Profit

Over the last few days, I have been playing with WinScanX, a free command-line tool for querying Windows service information over SMB. WinScanX combines many of the essential tools used during a penetration test into a single utility. One of the more interesting features is the "-y" flag, which instructs WinScanX to save a copy of the remote registry hives for SAM, SECURITY, and SYSTEM.


Exploiting Microsoft IIS with Metasploit

As of this afternoon, the msfencode command has the ability to emit ASP scripts that execute Metasploit payloads. This can be used to exploit the currently-unpatched file name parsing bug feature in Microsoft IIS. This flaw allows a user who can upload a "safe" file extension (jpg, png, etc) to upload an ASP script and force it to execute on the web server. The bug occurs when a file name is specified in the form of "evil.asp;.jpg" – the application checks the file extension and sees "jpg", but


Metasploit Framework 3.3.3 Exploit Rankings

This morning we released version 3.3.3 of the Metasploit Framework - this release focuses on exploit rankings, session automation, and bug fixes. The exploit rank indicates how reliable the exploit is and how likely it is for the exploit to have a negative impact on the target system. This ranking can be used to prevent exploits below a certain rank from being used and limit the impact to a particular t


Metasploit PSEXEC Scanner (via Perl)

Metasploit's psexec module is one of my favorite modules. It does exactly what I need and it does it really well. One thing I wish that Metasploit had is a scanner version of the psexec exploit module. So I decided to build my own with Perl. Okay, assume we have the following networks: 192.168.1.0/24, 192.168.2.0/24 etc etc... We know the local admin account is Administrator and the hash for the account is ADMINISTRATOR:HASH. First, we build a small Perl script to generate a configuration file