Posts tagged Metasploit

1 min Metasploit

Emulating ZeuS DNS Traffic with Metasploit Framework

[UPDATE 6/28/2011] vSploit Modules will be released at DEFCON. This is a follow-up post for vSploit - Virtualizing Intrusion & Exploitation Attributes with Metasploit Framework [https://community.rapid7.com/blogs/rapid7/2011/06/02/vsploit--virtualizing-exploitation-attributes-with-metasploit-framework] about using Metasploit as a way to test network infrastructure countermeasures and coverage. I mentioned obtaining a list of suspicious domains to use for testing an organization's networking intellig

2 min Metasploit

vSploit - Virtualizing Intrusion & Exploitation Attributes with Metasploit Framework

Many organizations are making significant investments in technologies in order to tell if they have been compromised; however, frequently they find out when it is too late. There are several network-based attributes that, when combined, indicate possible compromises have taken place. Many pentesters are successful at compromising hosts; however, commonly they are restricted in what they can and can't do. There needs to be a way that they can successfully mimic threats and scenarios, even when re

4 min Metasploit

Introducing msfvenom

The Metasploit Framework has included the useful tools msfpayload and msfencode for quite some time. These tools are extremely useful for generating payloads in various formats and encoding these payloads using various encoder modules. Now I would like to introduce a new tool which I have been working on for the past week, msfvenom. This tool combines all the functionality of msfpayload and msfencode in a single tool. Merging these two tools into a single tool just made sense. It standardizes

2 min Metasploit

Metasploit-ation for the Nation

In a couple of weeks, our very own @Mubix (AKA Rob Fuller to those who don't live their life with an @ sign permanently attached to their name!) will be offering Metasploit-ation for the Nation.  Unlike that phrase – which I just made up – Mubix will actually be talking sense as he walks penetration testers through the delightful world of Metasploit Pro in a 4-hour in-depth training session. Mubix took some time to answer a few questions below to give you a flavor of the training.  If you have

1 min Metasploit

Metasploit Framework 3.7.1 Released!

Originally posted by HD Moore: We are happy to announce the immediate availability of version 3.7.1 of the Metasploit Framework, Metasploit Express, and Metasploit Pro. This is a relatively small release focused on bug fixes and performance improvements. Notable highlights include an improved IPv6 reverse_tcp stager from Stephen Fewer, a performance improvement for HTTP services (client-side modules), a bug fix to channel support in the PHP Meterpreter, an update to MSFGUI, and various small

2 min Metasploit

Metasploit Pro 3.7: Better, Faster, Stronger

Over the last two months the Rapid7 team has been hard at work rewiring the database and session management components of the Metasploit Framework, Metasploit Express, and Metasploit Pro products. These changes make the Metasploit platform faster, more reliable, and able to scale to hundreds of concurrent sessions and thousands of target hosts. We are excited to announce the immediate availability of version 3.7 of Metasploit Pro and Metasploit Express! Existing customers can apply the latest s

1 min Metasploit

Metasploit Framework 3.7.0 Released!

Originally Posted by egypt: The Metasploit team has spent the last two months focused on one of the least-visible, but most important pieces of the Metasploit Framework; the session backend. Metasploit 3.7 represents a complete overhaul of how sessions are tracked within the framework and associated with the backend database. This release also significantly improves the staging process for the reverse_tcp stager and Meterpreter session initialization. Shell sessions now hold their output in a ri

1 min Metasploit

Metasploit T-Shirt Design Contest: And the Winner is...

You have voted in large numbers – and the results are out: design #36 [/servlet/JiveServlet/downloadImage/38-5353-1228/36.png] is the winner of the Metasploit T-shirt design contest. Danny Chrastil submitted the winning design, featuring the Metasploit logo consisting of code from the payload osx/ppc/shell_reverse_tcp. The back shows the Metasploit splash screen cow, our legendary creature of mystery and superstition. A few words about the winner: Danny Chrastil aka @DisK0nn3cT is a web appl

1 min Metasploit

Be a Superhero: Design the New Metasploit Swag

Originally Posted by Chris Kirsch: Don't know what to wear for the next BlackHat conference? Afraid of going naked to B-Sides? We are too, so we decided to do something about it. We're getting ready to launch our own Metasploit designer clothes – and you're the designer! To start off our Metasploit swag store, we'd like you to design a T-shirt. You must submit your own, original design. To enter, add your design to our 99designs competition [https://99designs.com/t-shirt-design/contests/t-s

1 min Metasploit

Learn, Download & Contribute: The New Metasploit Website

Today, we relaunched the Metasploit.com site. We hope you'll find it as awesome as we do. The new site not only has updated looks, we've also rewritten much of its content and put it on a shiny new server to make it faster. We mainly focused on three aspects: learn, download & contribute: Learn – Many Metasploit newbies told us they found it hard to get started with the Metasploit Framework, so we took a fresh look at our website to design it so that new Metasploit Framework users would find i

2 min Metasploit

Metasploit Version 3.6 Delivers Enhanced Command-Line Options and PCI Reports

Originally Posted by Chris Kirsch: All Metasploit editions are seeing an update to version 3.6 today, including an enhanced command-line feature set for increased proficiency and detailed PCI reports with pass/fail information for a comprehensive view of compliance posture with PCI regulations. Here's an overview of what's new: The new Metasploit Pro Console offers powerful new features that help professional penetration testers complete their job more efficiently in their preferred environmen

6 min Metasploit

Cisco IOS Penetration Testing with Metasploit

The Metasploit Framework and the commercial Metasploit products have always provided features for assessing the security of network devices. With the latest release, we took this a step further and focused on accelerating the penetration testing process for Cisco IOS devices. While the individual modules and supporting libraries were added to the open source framework, the commercial products can now chain these modules together to quickly compromise all vulnerable devices on the network. The sc

2 min Metasploit

Sesame Open: Auditing Password Security with Metasploit 3.5.1

Secret passwords don't only get you into Aladdin's cave or the tree house, but also into corporate networks and bank accounts. Yet, they are one of the weakest ways to protect access. Sure, there are better ways to secure access, such as smart cards or one-time password tokens, but these are still far from being deployed everywhere although the technology has matured considerably over the past years. Passwords are still the easiest way into a network. The new Metasploit version 3.5.1 adds a l

1 min Metasploit

Turning Your World Upside Down: Metasploit Ambigram Tattoos

Bill Swearingen aka hevnsnt blew us away by designing a Metasploit ambigram for the Metasploit Pro tattoo contest. You may remember Roy's Metasploit tattoo [https://community.rapid7.com/blogs/rapid7/2010/11/01/we-weren-t-joking-when-we-said-tattoos/] a few weeks ago, which prompted our Metasploit [https://www.rapid7.com/products/metasploit/] tattoo competition. We thought it was a cute idea, expecting a few fun pictures with felt pen tattoos or tattoo photo montages of the Metasploit logo. 

2 min Metasploit

How VPN pivoting creates an undetectable local network tap

Let's assume your goal for an external penetration test is to pwn the domain controller. Of course, the domain controller's IP address is not directly accessible from the Web, so how do you go about it? Seasoned pentesters already know the answer: they compromise a publicly accessible host and pivot to other machines and network segments until they reach the domain controller. It's the same concept as a frog trying to cross a pond by jumping from lily pad to lily pad. If you have already us