Metasploit Weekly Wrapup
Metasploit Wrapup: Sep. 22, 2017
To celebrate this first day of Autumn[1], we've got a potpourri of "things
Metasploit" for you this week. And it might smell a bit like "pumpkin spice"...
Or it might not. Who knows?
Winter is Coming
If you're looking to finish filling your storehouse before the cold sets in,
we've got a couple of new gatherer modules to help. This new Linux post module
[https://www.rapid7.com/db/modules/post/linux/gather/tor_hiddenservices] can
locate and pull TOR hostname and private key files for TOR hidden
Metasploit Weekly Wrapup
Metasploit Wrapup: Sept. 15, 2017
It's been a hot minute since the last Metasploit Wrapup. So why not take in our
snazzy new Rapid7 blog makeover and catch up on what's been goin' down!
You can't spell 'Struts' without 'trust'
Or perhaps you can! With all the current news coverage around an Apache
Struts vulnerability from earlier this year
[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638] (thanks to its
involvement in a consumer credit reporting agency data breach), there's a new
Struts vuln [https://lgtm.com/
Metasploit
Metasploit: The New Shiny
It's been a while since I've written a blog post about new stuff in Metasploit
[https://www.rapid7.com/products/metasploit/download/] (and I'm not sure if the
editors will let me top the innuendo of the last one
[/2017/02/09/metasploit-framework-valentines-update/]). But I'm privileged to
announce that I'm speaking about Metasploit twice next month: once at the FSec
17 Conference [http://fsec.foi.hr/] in Varaždin, Croatia September 7-8, and a
second time at UNITED 2017 [https://unitedsummit.org/
Metasploit Weekly Wrapup
Metasploit Wrapup: August 11, 2017
Slowloris: SMB edition
Taking a page from the Slowloris HTTP DoS attack
[https://web.archive.org/web/20090822001255/http://ha.ckers.org/slowloris/], the
aptly named SMBLoris DoS attack [/2017/08/03/smbloris-what-you-need-to-know]
exploits a vuln contained in many Windows releases (back to Windows 2000) and
also affects Samba (a popular open source SMB implementation). Through creation
of many connections to a target's SMB port, an attacker can exhaust all
available memory on the target by sendi
Metasploit
Hack with Metasploit: Announcing the UNITED 2017 CTF
Got mad skillz? Want mad skillz? This year at Rapid7's annual UNITED Summit
[https://unitedsummit.org/index.php], we're hosting a first-of-its-kind Capture
the Flag (CTF) competition. Whether you're a noob to hacking or a grizzled pro,
you'll emerge from our 25-hour CTF with more knowledge and serious bragging
rights. Show off your 1337 abilities by competing for top prizes, or learn how
to capture your first ever flag. Read on for details, and if you haven't already
done so, register for UNITED
Python
Virtual Machine Automation (vm-automation) repository released
Rapid7 just released a new public repo called vm-automation. The vm-automation
repository is a Python library that encapsulates existing methodologies for
virtual machine and hypervisor automation and provides a platform-agnostic
Python API. Currently, only ESXi and VMWare workstation are supported, but I
have high hopes we will support other hypervisors in time, and we would love to
see contributors come forward and assist in supporting them!
That's awesome. I want to get started now!
Great! I
Metasploit
Metasploit Wrapup: June 16, 2017
A fresh, new UAC bypass module for Windows 10!
Leveraging the behavior of fodhelper.exe and a writable registry key as a normal
user, you too can be admin! Unpatched as of last week, this bypass module
[https://github.com/rapid7/metasploit-framework/pull/8434] works on Windows 10
only, but it works like a charm!
Reach out and allocate something
This release offers up a fresh denial/degradation of services exploit against
hosts running a vulnerable version of rpcbind. Specifically, you can repea
Vulnerability Disclosure
R7-2017-16 | CVE-2017-5244: Lack of CSRF protection for stopping tasks in Metasploit Pro, Express, and Community editions (FIXED)
Summary
A vulnerability in Metasploit Pro, Express, and Community was patched in
Metasploit v4.14.0 (Update 2017061301)
[https://help.rapid7.com/metasploit/release-notes/archive/2017/06/#20170613].
Routes used to stop running tasks (either particular ones or all tasks) allowed
GET requests. Only POST requests should have been allowed, as the stop/stop_all
routes change the state of the service. This could have allowed an attacker to
stop currently-running Metasploit tasks by getting an authenti
Metasploit
Metasploit Wrapup 6/2/17
It has only been one week since the last wrapup, so it's not like much could
have happened, right? Wrong!
Misery Loves Company
After last week's excitement with Metasploit's version of ETERNALBLUE (AKA the
Wannacry vulnerability)
[https://www.rapid7.com/db/modules/exploit/windows/smb/ms17_010_eternalblue],
this week SAMBA had its own "Hold My Beer" moment with the disclosure that an
authenticated (or anonymous) client can upload a shared library to a SAMBA
server, and that server will happily e
Metasploit
EternalBlue: Metasploit Module for MS17-010
This week's release of Metasploit [https://www.rapid7.com/products/metasploit]
includes a scanner and exploit module for the EternalBlue vulnerability, which
made headlines a couple of weeks ago when hacking group, the Shadow Brokers,
disclosed a trove of alleged NSA exploits
[https://www.rapid7.com/blog/post/2017/04/18/the-shadow-brokers-leaked-exploits-faq/].
Included among them, EternalBlue exploits MS17-010
[https://www.rapid7.com/db/modules/exploit/windows/smb/ms17_010_eternalblue], a
Wi
Python
Recent Python Meterpreter Improvements
The Python Meterpreter
[https://github.com/rapid7/metasploit-framework/wiki/Meterpreter] has received
quite a few improvements this year. In order to generate consistent results, we
now use the same technique to determine the Windows version in both the Windows
and Python instances of Meterpreter. Additionally, the native system language is
now populated in the output of the sysinfo command. This makes it easier to
identify and work with international systems.
The largest change to the Python M
Metasploit
Exploitable Vulnerabilities: A Metasploit-Vulnerability Management Love Story
Integrating InsightVM [https://www.rapid7.com/products/insightvm/] or Nexpose
[https://www.rapid7.com/products/nexpose/] (Rapid7's vulnerability management
solutions [https://www.rapid7.com/solutions/vulnerability-management/]) with
Metasploit [https://www.rapid7.com/products/metasploit/] (our penetration
testing solution [https://www.rapid7.com/solutions/penetration-testing/]) is a
lot like Cupid playing “matchmaker” with vulnerabilities and exploit modules
[https://www.rapid7.com/fundamentals
Metasploit
Metasploit Weekly Wrapup
hdm recently provided a new exploit module for a type confusion vulnerability that exists in Ghostscript versions 9.21 and earlier, allowing remote code execution on the target.
Metasploit
Metasploit Wrapup: 4/20/17
Editor's Note: While this edition of the Metasploit Wrapup is a little late (my
fault, sorry), we're super excited that it's our first ever Metasploit Wrapup to
be authored by a non-Rapid7 contributor. We'd like to thank claudijd
[https://github.com/claudijd], long-time Metasploit contributor, Mozilla
security wrangler, and overall nice guy, for writing this post. If other
Metasploit contributors want to get involved with spreading the word, we want to
hear from you!
We should be back on trac
Metasploit
The Shadow Brokers Leaked Exploits Explained
The Rapid7 team has been busy evaluating the threats posed by last Friday's
Shadow Broker exploit and tool release
[https://arstechnica.com/security/2017/04/purported-shadow-brokers-0days-were-in-fact-killed-by-mysterious-patch/]
and answering questions from colleagues, customers, and family members about the
release. We know that many people have questions about exactly what was
released, the threat it poses, and how to respond, so we have decided to compile
a list of frequently asked question