Welcome to 2014!
It's a brand new and shiny year, filled with resolutions and promises, and things you'll pretty much abandon by mid-February. We here at Rapid7 figured that we might try to impart some helpful knowledge on items you WILL use and adopt throughout 2014. So, since we love free and open source tools, we are presenting an ongoing series of posts about the free information security tools that the team at Rapid7 love and use. This post covers a few of the best freebies released last year, and how our team members use them to make their day-to-day lives easier.
- SoapUI. "While SoapUI has been around for a while (2005 or so) and has always been the de facto tool for testing REST and SOAP APIs, this year they released a set of security scans which, while automation can't be solely relied upon, are a great start to any API testing to get some quick visibility into flaws such as SQLi, XPATH injection, etc. This also provides the ability for many organizations without the bandwidth or skill sets in house to perform manual testing to get some insight into the security of their SOAP and REST APIs." Jack Daniel, Rapid7 Professional Services.
- WPScan. "WPScan is a vulnerability scanner that specializes in analyzing WordPress installations. Companies use WordPress to publish content ranging from proprietary formulae to marketing messages. It is amazing software that is highly extensible and incredibly easy to use. This set of features also makes it attractive to adversaries. For this reason, understanding the unique security expectations of an average WordPress install is incredibly important and WPScan is a useful tool towards that goal." Michael Belton, network security consultant/pen tester.
- ZMap. "Researchers at the University of Michigan released the fast network scanner "ZMap" that is able to scan the internet within 45 minutes on commodity hardware with a gigabit link. While we had good network scanners before with nmap and others, they did not come close to the performance of this purpose-built internet-wide survey research tool. The accompanying research paper from the research group sheds light on some issues in our current SSL certificate / server landscape and discusses potential research opportunities made possible by the new tool. Even though there are some similar tools with similar or better performance characteristics, the clean implementation and ethical research practices shown by the ZMap developers are important guidelines for future research on the state of the Internet." rep, security researcher, Rapid7 Labs. If you're interested in widescale internet scanning, you may also want to take a look at Masscan.
- Python Meterpreter. "I'm biased here. On September 5, 2013, the Metasploit Framework landed Python Meterpreter, written primarily by Spencer McIntyre. While this may seem a little inside baseball, a Python implementation of Meterpreter, Metasploit's native post-exploitation payload, is actually kind of a big deal in the security research community. This brings Meterpreter session functionality to a wider variety of exploit targets. While Meterpreter has had a POSIX Meterpreter for the various *nixes forever, it's not traditionally the most stable implementation. Python Meterpreter brings several advantages for penetration testers. For one, Python is now part of the Linux Standard Base, which means that basically any modern Linux system is going to have Python installed. You cannot reasonably perform system administration *without* Python these days, so good luck finding a production system without it. So, in other words, for most targets where POSIX Meterpreter would have been a good choice, Python Meterpreter is just as serviceable. By implementing in Python, rather than a compiled language like POSIX Meterpreter, the open source Metasploit community can attract more active development on this particular flavor of Meterpreter, both by the usual brand of hacker types (who all know Python anyway) and the largely untapped larger Python community. Everyone knows Metasploit is written in Ruby, but there are far more Python developers and hackers out in the world, so bridging this language gap can only be good news for Metasploit. Python Meterpreter was announced here. It's a little bit of a sleeper, since it's buried away in Metasploit Framework's churn, but I predict that in 2014 Python Meterpreter will likely be the number two payload that Metasploit deploys on popped hosts, after good old reliable Windows Meterpreter." Tod Beardsley, Metasploit engineering manager.
The tools listed above are four of our favorites from 2013. What are yours? Drop us a line, or comment below, and stay tuned for some additional discussion around excellent free information security tools coming soon.