3 min
Metasploit
Exploiting Macros via Email with Metasploit Pro Social Engineering
Currently, phishing is seen as one of the largest infiltration points for
businesses around the globe, but there is more to social engineering than just
phishing. Attackers may use email and USB keys to deliver malicious files to
users in the hopes of gaining access to an organization's network. Users who
are likely unaware that unsolicited files, such as a Microsoft Word document
with a macro, may be malicious can be a major risk to an organization.
Metasploit Pro [https://www.rapid7.com/
4 min
Metasploit
Metasploit's RF Transceiver Capabilities
The rise of the Internet of Things
We spend a lot of time monitoring our corporate networks. We have many tools to
detect strange behaviors. We scan for vulnerabilities. We measure our exposure
constantly. However, we often fail to recognize the small (and sometimes big)
Internet of Things (IoT) devices that are all around our network, employees, and
employees' homes. Somewhat alarmingly, considering their pervasiveness, these
devices aren't always the easiest to test.
Though often difficult,
2 min
Metasploit
Metasploit, Google Summer of Code, and You!
Spend the summer with Metasploit
I'm proud to announce that the Metasploit Project has been accepted as a mentor
organization in the Google Summer of Code! For those unfamiliar with the
program, their about page [https://summerofcode.withgoogle.com/about/] sums it
up nicely:
> Google Summer of Code is a global program focused on introducing students to
> open source software development. Students work on a 3 month programming project
> with an open source organization during their break from univer
9 min
Metasploit
Pen Testing Cars with Metasploit and Particle.io Photon Boards
TL;DR
This post details how to use the MSFRelay library for Photon boards to write
your own Metasploit [https://rapid7.com/products/metasploit/] compatible
firmware, specifically for an add-on called Carloop. If you have a Carloop and
just want it to work with Metasploit without having to write any code (or read
this) then I've also provided the full code as a library example in the Particle
library, which can be found here
[https://build.particle.io/libs/spark-msf-relay/0.0.1/tab/example/msf-carlo
3 min
Metasploit
Metasploit Weekly Wrapup: March 10, 2017
The last couple of weeks in the infosec world have appeared busier, and buzzier,
than most others. It seems almost futile to pry everyone away from the current
drama--that being the bombshell revelation that intelligence agencies collect
intelligence--long enough to have them read our dev blog. Regardless, we've
been busy ourselves. And if you're the least bit like me, you could probably
use a quick respite from the cacophony. Keeping up with all the noise is enough
to make anyone feel lik
2 min
Metasploit Weekly Wrapup
Weekly Metasploit Wrapup: 2/23/17
I gave at the office
The office can be a popular place when it comes to giving. From selling kids'
cookies/candy to raising awareness for a charity, the opportunity to 'give at
the office' is definitely a thing. And now, thanks to Office macros, Metasploit
offers a new way to give (and receive!) at 'the Office'.
These days, using malicious macros in office productivity programs is still a
common attack vector. Designed with a handful of word-processing programs in
mind (including some open sour
2 min
Metasploit
Metasploitable3 CTF Results and Wrap-Up
The Metasploitable3 CTF competition
[https://www.rapid7.com/blog/post/2016/12/07/metasploitable3-capture-the-flags-competition/]
has wrapped up and we have our winners! We had almost 300 flag submissions from
more than 50 fine folks. There were some really great write-ups submitted with
great details on how flags were found. Thanks to everyone who took time to
submit a finding! ON TO THE RESULTS!
When we announced the competition, we didn't specify if team submissions were
allowed or not.
2 min
Metasploit
Metasploitable3 CTF Competition: Update and Leaderboard!
The Metasploitable3
[/2016/11/15/test-your-might-with-the-shiny-new-metasploitable3] Capture The
Flag Competition [/2016/12/07/metasploitable3-capture-the-flags-competition] has
been underway for about a week now and the submissions have been pouring in!
We're very excited to see so many great submissions. We're reviewing as fast as
we can so if you don't hear back from us right away, don't worry, you will. For
all valid submissions we will update this blog post and subsequent ones with the
le
4 min
Metasploit
Metasploitable3 Capture the Flag Competition
UPDATE: Leaderboard can be found on this new post
[/2016/12/14/metasploitable3-ctf-competition-update]! Plus, some notes that may
be helpful.
Exciting news! Rapid7 is hosting a month-long, world-wide capture the flag(s)
competition!
Rapid7 recently released Metasploitable3
[https://github.com/rapid7/metasploitable3], the latest version of our
attackable, vulnerable environment designed to help security professionals,
students, and researchers alike hone their skills and practice their craft. I
4 min
Metasploit
Metasploitable3: An Intentionally Vulnerable Machine for Exploit Testing
Test Your Might With The Shiny New Metasploitable3
Today I am excited to announce the debut of our shiny new toy - Metasploitable3
[https://github.com/rapid7/metasploitable3].
Metasploitable3 is a free virtual machine that allows you to simulate attacks
largely using Metasploit [https://www.rapid7.com/products/metasploit/?CS=blog].
It has been used by people in the security industry for a variety of reasons,
such as training for network exploitation, exploit development, software
testing, techn
2 min
Metasploit
Important Security Fixes in Metasploit 4.12.0-2016091401
A number of important security issues were resolved in Metasploit (Pro, Express,
and Community editions) this week. Please update
[https://community.rapid7.com/docs/DOC-3521] as soon as possible.
Issue 1: Localhost restriction bypass
(affects versions 4.12.0-2016061501 through 4.12.0-2016083001)
On initial install, the Metasploit web interface displays a page for setting up
an initial administrative user. After this initial user is configured, you can
log in and use the Metasploit web UI for th
3 min
Metasploit
Metasploit Weekly Wrapup: Aug. 12, 2016
Las Vegas 2016 is in The Books
This week's wrap-up actually covers two weeks thanks in large part to the yearly
pilgrimage to Las Vegas. I myself elected not to attend, but I'm told everyone
had a great time. Many on the team are still recuperating, but I'd wager that
they all enjoyed seeing you there as well. Here's to everyone's speedy
recovery.
Centreon Web UserAlias Command Execution
Our first new module this go-around exploits a remote command execution
vulnerability in Centreon Web via
5 min
Metasploit
Pentesting in the Real World: Going Bananas with MongoDB
This is the 4th in a series of blog topics by penetration testers, for
penetration testers, highlighting some of the advanced pentesting techniques
they'll be teaching in our new Network Assault and Application Assault
certifications, opening for registration this week. For more information, check
out the training page at
www.rapid7.com/services/training-certification/penetration-testing-training.jsp
[http://www.rapid7.com/services/training-certification/penetration-testing-training.jsp]
Prefa
5 min
Metasploit
Pentesting in the Real World: Gathering the Right Intel
This is the first in a series of blog topics by penetration testers, for
penetration testers, highlighting some of the advanced pentesting techniques
they'll be teaching in our new Network Assault and Application Assault
certifications, opening for registration this week. For more information, check
out the training page at
www.rapid7.com/services/training-certification/penetration-testing-training.jsp
[http://www.rapid7.com/services/training-certification/penetration-testing-training.jsp]
So
1 min
Metasploit
Announcement: End-of-Life Metasploit 32-Bit Versions
UPDATE: With the release of version 4.15 on July 19, 2017, commercial Metasploit
32-bit platforms (Metasploit Pro, Metasploit Express, and Metasploit Community)
no longer receive future product or content updates. These platforms are now
obsolete and are no longer supported.
Rapid7 announced the end of life of Metasploit Pro 32-bit versions for both
Windows and Linux operating systems on July 5th, 2017. This announcement
applies to all editions: Metasploit Pro, Metasploit Express and Metasploi