2 min
Metasploit
Weekly Metasploit Update: Web Libs, SAP, ZDI, and More!
Fresh Web Libs
As we head into the holiday season here in the U.S., Metasploit core developers
Tasos @Zap0tek [https://twitter.com/Zap0tek] Laskos and James @Egyp7
[https://twitter.com/egyp7] Lee finished up a refresh of the Metasploit fork of
the Anemone libraries, which is what we use for basic web spidering. You can
read up on it here [http://anemone.rubyforge.org/]. The Metasploit fork isn't
too far off of Chris Kite's mainline distribution, but does account for
Metasploit's Rex sockets, ad
4 min
Metasploit
Weekly Metasploit Update: WinRM x2, ADDP, RealPort, CI and BDD
WinRM, Part Two
In the last Metasploit update blog post, we talked about the work from
Metasploit core contributors @TheLightCosine [http://twitter.com/thelightcosine]
, @mubix [http://twitter.com/mubix] and @_sinn3r [http://twitter.com/_sinn3r] on
leveraging WinRM / WinRS. As of this update, Metasploit users can now execute
WQL queries
[http://www.metasploit.com/modules/auxiliary/scanner/winrm/winrm_wql], execute
commands [http://www.metasploit.com/modules/auxiliary/scanner/winrm/winrm_cmd],
an
6 min
Metasploit
Abusing Windows Remote Management (WinRM) with Metasploit
Late one night at Derbycon [https://www.derbycon.com/], Mubix
[https://twitter.com/mubix] and I were discussing various techniques of mass
ownage. When Mubix told me about the WinRM service, I wondered: "Why don't we
have any Metasploit modules for this yet?" After I got back , I began digging.
WinRM/WinRS
WinRM is a remote management service for Windows that is installed but not
enabled by default in Windows XP and higher versions, but you can install it on
older operating systems as well. Win
3 min
Metasploit
Weekly Metasploit Update: WinRM Part One, Exploiting Metasploit, and More!
WinRM Exploit Library
For the last couple weeks, Metasploit core contributor David @TheLightCosine
[http://twitter.com/thelightcosine] Maloney has been diving into Microsoft's
WinRM services with @mubix [http://twitter.com/mubix] and @_sinn3r
[http://twitter.com/_sinn3r]. Until these guys started talking about it, I'd
never heard WinRM. If you're also not in the Windows support world day-to-day,
you can read up on it at Microsoft
[http://msdn.microsoft.com/en-us/library/windows/desktop/aa384426(
2 min
Metasploit
Weekly Metasploit Update: Microsoft Windows and SQL, TurboFTP, and More!
AppSecUSA 2012
Last week was AppSecUSA 2012 here in Austin, which may explain the curious
absence of a weekly Metasploit Update blog post. The hilights of Appsec for me,
were (in no particular order): Meeting Raphael @ArmitageHacker
[https://twitter.com/armitagehacker] Mudge in person for the first time, meeting
Scott @_nullbind [https://twitter.com/_nullbind]Sutherland, author of a bunch of
recent Microsoft SQL post modules, and both of whom happened to contribute to
last week's Metasploit upda
3 min
Metasploit
Weekly Metasploit Update: Reasonable Disclosure, PHP EXE Wrappers, and More!
ZENWorks' Accidental Backdoor
This week, we saw the release of Metasploit exploit developer Juan Vazquez's
freshly discovered vulnerability in Novell ZENWorks. You can read all about it
in Juan's great technical blog post, but the short version for the
attention-deprived is: Novell ZENWorks ships with hard-coded credentials, which
allow for SYSTEM-level file system read access.
That seems like kind of a big deal for ZENWorks users -- namely because there's
no reasonable way to change these cred
3 min
Metasploit
Weekly Metasploit Update: RopDB, Local Exploits, Better Samples, and More
Introducing RopDB
This week, Metasploit exploit devs Wei "sinn3r" Chen and Juan Vazquez finished
up Metasploit RopDB. This advancement allows for drop-in ROP chains in new
exploits, without all that mucking around with copying and pasting mysterious
binary blobs from one exploit to the next. For the details on how to use it and
what to expect in the API, see sinn3r's most excellent blog post. What all this
does is bottle up ROP wisdom in a central repository, so chains can be added and
modified
3 min
Metasploit
Weekly Metasploit Update: Stealing Print Jobs, Exploiting Samba, and More
This update has something for everyone -- new exploits, new auxiliary modules,
new post modules, and even new payloads. If quadfecta is a word, we totally hit
it this week!
More Mac OSX 64-Bit Payloads
The parade of OSX 64-bit payloads continues, with five new 64-bit payloads added
this week:
* modules/payloads/singles/osx/x64/say.rb
* modules/payloads/singles/osx/x64/shell_find_tag.rb
* modules/payloads/stagers/osx/x64/bind_tcp.rb
* modules/payloads/stagers/osx/x64/reverse_tcp.rb
* modul
1 min
Metasploit
Webcast: Decrease Your Risk of a Data Breach - Effective Security Programs with Metasploit
Thanks for the many CISOs and security engineers who attended our recent
webcast, in which I presented some practical advice on how to leverage
Metasploit to conduct regular security reviews that address current attack
vectors. While Metasploit is often used for penetration testing projects, this
presentation focuses on leveraging Metasploit for ongoing security assessments
that can be achieved with a small security team to reduce the risk of a data
breach.
This webcast is now available for o
2 min
Metasploit
Weekly Metasploit Update: HP, PHP, and More!
Stupid PHP Tricks
This week's Metasloit update is a cautionary tale about running unaudited PHP
applications as part of your infrastructure. Metasploit community contributor
Brendan Coles [https://github.com/bcoles] has discovered and written Metasploit
modules for two similar root-level vulnerabilities one for OpenFiler
[http://www.metasploit.com/modules/exploit/linux/http/openfiler_networkcard_exec]
and one for WAN Emulator
[http://www.metasploit.com/modules/exploit/linux/http/wanem_exec] (a
1 min
Metasploit
Current User psexec
At DEF CON this year I talked about some of the post exploitation capabilities
within Metasploit and demo'd a cool technique I developed with Jabra on a
pentest a year or so ago (I later found out that Mubix had come up with
basically the same idea - great minds think alike). It is essentially this: use
a session's current token to create a remote service on a victim machine.
It takes advantage of a feature in Windows that most people take completely for
granted. Given that you are already logg
3 min
Networking
Weekly Metasploit Update: SAP, MSSQL, DNS, and More!
Zone Transfers for All
This week, Metasploit community contributor bonsaiviking
[https://github.com/bonsaiviking] fixed up the DNS library that Metasploit uses
so we won't choke on some types of zone transfer responses. Turns out, this is a
two-year old bug, but DNS servers that actually offer zone transfers are so rare
any more that this this bug didn't manifest enough to get squashed.
This brings me to a larger point -- with older vulnerabilities like these,
sometimes the hardest part for us
3 min
Metasploit
Mobile Pwning: Using Metasploit on iOS
Have you ever wanted to run an exploit but found yourself away from your desk?
Wouldn't it be awesome if you could launch a full version of the Metasploit
Framework from your phone or tablet? As you might have guessed, now you can.
With an adventurous spirit and a few commands, you can be running the Metasploit
Framework on your iPad or iPhone in just a few short minutes.
Warning: To install Metasploit, you'll need root access to your device – which
is accomplished by following your favorite ja
3 min
Metasploit
Weekly Metasploit Update: Trusted Path Switcheroo, Stack Cookie Bypass, and More
Another week, another fifteen new modules for Metasploit. I continue to be
amazed by the productivity of our open source exploit developer community.
Thanks so much for your hard work and effort, folks!
New Module for Trusted Path Switcheroo
As I was going over this week's new modules, one that jumped out at me was Wei
"sinn3r" Chen's implementation of a general Trusted Path insertion attack,
Windows Service Trusted Path Privilege Escalation. I don't recall running into
this attack scenario bef
4 min
Product Updates
Weekly Metasploit Update: Two Dozen New Modules
The Vegas and vacation season is behind us, so it's time to release our first
post-4.4.0 update. Here we go!
Exploit Tsunami
A few factors conspired to make this update more module-heavy than usual. We
released Metasploit 4.4 in mid-July. Historically, a dot version release of
Metasploit means that we spend a little post-release time closing out bugs,
performing some internal housekeeping that we'd been putting off, and other
boring software engineering tasks. Right after this exercise, it was