It's your friendly neighborhood Community Manager again, this time reaching out to talk about something that should be of interest to all of you; Rapid7's suite of Free Security Tools.
If you're a one man shop, trying to make sure you're as buttoned up as possible, or a giant organization just looking to do some validation and double checking, I'm sure one or more of these tools would be an excellent addition to your existing security portfolio.
Here's a list of our own Portfolio. Click on the links to get some additional information, and to download the licenses.
Nexpose Community Edition: Our original tool - Nexpose is a vulnerability scanning software that is the best in the business. Don't take my word for it though. To see how excellent it is, download the community edition, and test it out for yourself, on your own networks. We're pretty sure that if you're looking for an enterprise tool, the taste-test available with the community edition will be more than enough to prove it's value.
Metasploit Community Edition: Metasploit, our penetration testing tool, is the perfect piece of software for both pen testing your networks, and validating the findings of your latest vulnerability scan. Also, if you're looking to teach yourself how to be a pen tester, the only way to learn, really is to do. Download our community edition, start your testing, and interact with other pen testers here on SecurityStreet to learn more.
Mobilisafe 14-day Trial: Are you looking to better understand the risks that you're facing with BYOD? Want to mitigate the risks associated with employees who keep forgetting to update or patch their own devices? Try out our free Mobilisafe 14 day trial, and learn how easy it is to keep the risk of the mobile devices on your network low.
RiskRater: Our newest free tool, RiskRater is a survey that will measure your mobile, endpoint, and user based risk, in comparison to industry benchmarks. We asked, and over 600 organizations answered our 18 question survey, to help us set up the benchmarks. You can use this tool to see how your own security stance and configurations compares. Also, each question you answer provides you with real and actionable follow up tasks that can help address the risk that you helped expose in your survey. We're not going to save or share your information, and there's nothing to download - just click to launch the tool, and get a good spot check on your real risk.
Metasploitable: If you're new to Penetration Testing, and you're just starting to learn Metasploit, you don't want to test something out on your production network. Having to explain to your boss why critical system # 1 is down is not an ideal conversation to have. To address this, the Metasploit team developed Metasploitable. This is a safe, and intentionally vulnerable virtual machine that you can run pen tests against to make sure you understand how to best use the exploits at your disposal. The Metasploit team calls it a, "pen test in a box," so if you'd like to try it out, please download our VMware virtual machine here and get started.
ScanNow - MySQL: The MySQL Vulnerability CVE-2012-2122, best described in HD Moore post here, is quite a risk, allowing every 256th login regardless of password. If you'd like to quicky and easily check to see if your MySQL servers are vulnerable, just click and download and run the test yourself.
ScanNow - UPnP: This free ScanNow scanner checks your network enabled devices to see if they are vulnerable to an attack via UPnP. This blog and whitepaper from Rapid7 and HD Moore estimates upwards of 50 Million network devices are at risk because of vulnerabilities found in this protocol. Click and download this free tool, to see if you're one of the millions of people affected by this, and what you can do to make sure you close this potential damaging security flaw.
UPnP Router Check: Want a quick router scan to check on the status of UPnP enabled devices? Click here and run a scan quickly and easily. This will only check your router exposure, so make sure to download the free ScanNow UPnP tool listed above to check your internal status.
And finally, BrowserScan: This free tool enables your organazation to check on the browsers currently in use, and allows you to identify the risk of out of date items, unpatched plug-ins, and can even restrict access to sensitive information until a fix or upgrade is secured. It's as simple as embedding a tracking code on your internal site, to look up all the browsers in use, and can even return analytics to show you how you're addressing your risk over time.
I also recommend that you check out Kali Linux - by Offensive Security, the same team that brought you Backtrack. Kali Linux, the upgraded Backtrack, is a debian derived Linux distrubition that was designed for both pen testing and digital forensics. Kali is full of open source tools that you can use to test your own networks including nmap, Wireshark, John the Ripper, and Aircrack-ng. Due to a partnership between Offensive Security and Rapid7, a specially designed license of Metasploit is available as an internal component to the download. Visit Offensive Security to learn more.
All of these tools, as I mentioned, are 100% free to download and use. Most of them are so user-friendly, it can take as little as 10 seconds in some cases to find at your level of risk regarding a specific vulnerability. My own philosophy on using these tools? If anything can make it harder for an attacker to gain access, then it's worth taking a shot, and if it's free, it's worth a small amount of your time, isn't it?
Now I know that's a lot to take in and review, so if you've got any questions about these products - or if you're currently using them, and you'd be willing to share some of your best practices or tips on how they've worked sucessfully in your own environments, please let us know! You can drop us a line here, and include some info on what you're working on, and we would love to discuss any findings or feedback you have.
Finally, if you've got a great idea for another free tool that we could develop, please let us know. Who knows? If we do design it, maybe we'll name it after you?
Thanks all, and feel free to drop me a line here if you'd like to discuss offline Patrick Hellen