Quick Cookie Notification

This site uses cookies, including for analytics, personalization, and advertising purposes. For more information or to change your cookie settings, click here.

If you continue to browse this site without changing your cookie settings, you agree to this use.

View Cookie Policy for full details

Rapid7 Blog




Video Tutorial: Introduction to XML External Entity Injection

Title: Video Tutorial: Introduction to XML External Entity InjectionAuthor: webpwnizedFrom: ISSA KY Sept 2013 Workshop (Louisville, KY)Twitter: @webpwnizedThis video introduces XML injection to achieve XML external entity injection (XXE) and XML based cross site scripting (XSS). Please find notes used/mentioned in video posted…

Video Tutorial - Installing Kali Linux on Bootable, Persistent USB

Author: Jeremy Druin (webpwnized)Twitter: @webpwnizedTitle: Installing Persistent Kali Linux on Bootable USB Flash DriveFrom: ISSA KY June 2013 WorkshopRecorded By: Adrian Crenshaw (@irongeek_adc)This video covers the installation of Kali Linux on a USB drive. Additionally, setting up persistence on a separate partition…

Video Tutorial: Introduction to Web Application Pen-Testing

Instructors: Jeremy Druin (webpwnized), Conrad Reynolds, Adrian Crenshaw (Irongeek)Twitter: @webpwnizedTitle: ISSA KY Web Application Pen Testing WorkshopTools Used: Mutillidae 2.5.7 (hxxp://sourceforge.net/projects/mutillidae/), Burp Suite 1.5 Free EditionRecorded By: Adrian Crenshaw of irongeek.comThe KY ISSA hosted a one-day…

Video Tutorial: Installing Kali Linux on Virtual Box

Author: Jeremy DruinVideo Release Announcements: Twitter @webpwnizedTitle: Installing Kali Linux on Virtual Box with Nessus and MetasploitLink: Installing Kali Linux on Virtual Box with Nessus and Metasploit - YouTubeThis video is from the April 2013 workshop of the KY ISSA covering the installation of Kali…

Video Tutorial: Introduction to Pen Testing Simple Network Management Protocol (SNMP)

Title: ISSA KY March 2013 Workshop: Introduction to Pen Testing Simple Network Management Protocol (SNMP)Updates/Video Postings/etc.: Twitter: @webpwnizedSoftware Required: Backtrack 5 R3, Metasploit, snmpset, snmpget, snmpwalk, tcpdump, nmapURL: Introduction to Pen Testing Simple Network Management Protocol (SNMP) - YouTubeNotes: Please see belowAuthor:…

Video Tutorial: Basics of using sqlmap automated sql injection audit tool

Author: Jeremy DruinTwitter: @webpwnizedYouTube Channel: http://www.youtube.com/user/webpwnizedSoftware required: Backtrack 5 R3 with sqlmap, Mutillidae Web Pen Test Training Environment (hxxp://sourceforge.net/projects/mutillidae/files/mutillidae-project/) Recorded at the ISSA Kentuckiana February 2013 Workshop, this video review the use of sqlmap;…

Video Tutorial: Introduction to Burp-Suite 1.5 Web Pen Testing Proxy

Author: webpwnized (Twitter: @webpwnized)Tool: Burp-Suite 1.5 Free EditionLength: ~1 hourAfter installing Burp-Suite, this video covers how to configure the proxy to intercept, pause, alter, and test requests and responses between a web browser and a web server (web site).Much of the basic…

Video Tutorial: Introduction to custom exploits for buffer overflows (local privilege escalation)

Summary: Video demonstration of discovering a buffer overflow vulnerability in a SUID-root program, determining attributes of the bof, and writing a custom exploit for local privilege escalation on Ubuntu 12.04 by webpwnized (@webpwnized). While modern operating systems have long been patched against exploits which…

Video: Pen Testing HTML 5 Web Storage

Recorded at the 2012 AIDE conference, this video covers a presentation given by Jeremy Druin; a professional web application and network pen-tester. The topic is pen-testing html5 web storage which is a client-side storage technology available in html5-aware browsers. Web storage is discussed from two…

Tutorial: Using web command injection vulnerability to gain administrative shell on Windows web server

In this video, a Windows web server is hosting Mutillidae web application which contains a command injection vulnerability.Using command injection to exploit the Mutillidae web application, we gain a root shell (Administrative Windows cmd shell). The server is fully patched with anti-virus running and…

Video: Introduction to basic host and service discovery scanning

During the early portion of the scanning phase of pen testing, locating active hosts and identifying the services on open ports is critical in order to determine exposed systems.The video was recorded at the May ISSA Kentuckiana monthly workshop in Louisville and covers basic…

Tutorial: How to scan exploit Metasploitable-2 using Metasploit, Nexpose, nessus, Nmap, and John-the-Ripper

This video tutorial covers exploiting Metasploitable-2 to get a root shell and eventually a terminal via a valid "sudo-able" login over SSH.Two machines; a test host (Backtrack 5-R2) and a target host (Metasploitable-2) are set up on a VirtualBox host-only network. With this lab…

Tutorial: Using SQL injection to generate cross site scripts

This video discusses a somewhat advanced SQL injection technique in which the SQL injection is not the primary attack. The SQL injection is used to generate cross site scripting. This is useful when cross site scripts cannot be injected into a webpage from a client…

Tutorial: How to discover hosts using Metasploit Community Edition

This video shows Metasploit Community Edition being used to run an nmap scan on a Virtual Box network in order to discover hosts.…

Tutorial: Basics of launching exploits from Metasploit Community Edition

This video covers the basics of launching exploits from Metasploit Community Edition. The exploits were discovered in a previous step both with Nexpose and Nessus. In the case of Nessus the results were exported as a .Nessus file then imported into Metasploit Community Edition. This…

Featured Research

National Exposure Index 2018

The National Exposure Index is an exploration of data derived from Project Sonar, Rapid7's security research project that gains insights into global exposure to common vulnerabilities through internet-wide surveys.

Learn More


Make Your SIEM Project a Success with Rapid7

In this toolkit, get access to Gartner's report “Overcoming Common Causes for SIEM Solution Deployment Failures,” which details why organizations are struggling to unify their data and find answers from it. Also get the Rapid7 companion guide with helpful recommendations on approaching your SIEM needs.

Download Now

Featured Research

Quarterly Threat Report

Rapid7’s Quarterly Threat Report leverages intelligence from our extensive network—including the Insight platform, managed detection and response engagements, Project Sonar, Heisenberg Cloud, and the Metasploit community—to put today’s shifting threat landscape into perspective. It gives you a clear picture of the threats that you face within your unique industry, and how those threats change throughout the year.

Learn More