Rapid7 Blog

Metasploit  

Metasploit Wrapup


It's been a hot minute since the last Metasploit Wrapup. So why not take in our snazzy new Rapid7 blog makeover and catch up on what's been goin' down!

You can't spell 'Struts' without 'trust'

Or perhaps you can! With all the current news coverage around an Apache Struts vulnerability from earlier this year (thanks to its involvement in a consumer credit reporting agency data breach), there's a new Struts vuln getting attention. Due to how untrusted, user-provided data is handled during deserialization, it's possible to achieve remote code execution on vulnerable versions of Struts (which reportedly go back to 2008!). Struts devs were quick to release a patch to address the new vuln, while Metasploit dev @wvu was quick to create an exploit module for Framework. For additional details and musings, check out this blog post from R7's Tod Beardsley, Director of Research.

Better living through Meterpreter

There've been a number of substantial improvements to Meterpreter going on, some of which have been released since the last wrapup post.

Transport-agnostic encryption (wat?)

Colloquially referred to as CryptTLV (because, well, it encrypts the TLV message payloads between Framework and Meterpreter), this new mechanism has a couple of immediate benefits for MSF users:

- Doesn't require OpenSSL (reducing Meterpreter payload size by roughly 80%!)
- Operates at the packet payload level, allowing it to work across various transport types (TCP, UDP, and so on)

There's some more work coming along in this vein. Stay tuned.

Playing a 'pivotal' role

It's what you do once you have your foothold on a multi-homed system connected to a private network: you pivot. Which leads to further discovery, moving around, and sometimes more pivoting. We've recently upgraded this key Meterpreter feature with the following:

- Works over named pipes
- More performant than the existing tunnelling mechanism (and latency doesn't compound as you make additional pivots!)
- Traffic is encrypted with CryptTLV

Definitely worth taking for a spin, so let us know what you think!

And SO MANY NEW MODULES!

Seriously, there's a bunch of neat stuff that's been added. Check out the New Modules list below, where you'll find stuff to help you with all the following:

- scanning
- credential gathering
- container detection
- privilege escalation
- remote code execution
- denial of service
- C2 server software exploitation (Tod gets the credit on this)

New Modules

Exploit modules (9 new)

- Docker Daemon - Unprotected TCP Socket Exploit by Martin Pizala
- QNAP Transcode Server Command Execution by 0x00string, Brendan Coles, and Zenofex
- VMware VDP Known SSH Key by phroxvs exploits CVE-2016-7456
- Malicious Git HTTP Server For CVE-2017-1000117 by NOBODY exploits CVE-2017-1000117
- IBM OpenAdmin Tool SOAP welcomeServer PHP Code Execution by Brendan Coles and SecuriTeam exploits CVE-2017-1092
- Apache Struts 2 REST Plugin XStream RCE by wvu and Man Yue Mo exploits CVE-2017-9805
- Windows Escalate UAC Protection Bypass (Via COM Handler Hijack) by Matt Nelson, OJ Reeves, and b33f
- Gh0st Client buffer Overflow by Professor Plum
- PlugX Controller Stack Overflow by Professor Plum

Auxiliary and post modules (6 new)

- BIND TKEY Query Denial of Service by Alejandro Parodi, Ezequiel Tavella, Infobyte Research Team, and Martin Rocha exploits CVE-2016-2776
- Asterisk Gather Credentials by Brendan Coles
- TeamTalk Gather Credentials by Brendan Coles
- Identify Cisco Smart Install endpoints by Jon Hart
- Linux Gather Container Detection by James Otten
- Multi Gather Maven Credentials Collection by elenoir

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

- Pull Requests 4.15.6...4.16.6
- Full diff 4.15.6...4.16.6

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

Metasploit: The New Shiny


It's been a while since I've written a blog post about new stuff in Metasploit (and I'm not sure if the editors will let me top the innuendo of the last one). But I'm privileged to announce that I'm speaking about Metasploit twice next month: once at the FSec 17 Conference in Varaždin, Croatia, September 7-8, and a second time at UNITED 2017, Rapid7's annual security conference in Boston, September 11-14.

The talk should be a wild ride through some of the interesting new features that Metasploit has gained over the past year, as well as amazing stuff we have underway for the next major version of Metasploit. With a project so large and varied, it can be challenging keeping it fresh and relevant. Amazing new open-source security projects pop up almost as fast as CVE allocations. Metasploit is definitely seeing a generational shift, with new developers coming in and older ones moving to new projects. As a result, we have done a lot of work this year moving Metasploit Framework to the next level, while preserving the things people love about it the most. Our 2017 Roadmap was just the beginning—we have a lot of interesting work on the horizon that will change how you think about Metasploit.

I'm also helping with the Metasploitable3 CTF at the UNITED conference and helping run some Metasploit training. So if you have any questions about Metasploit, past, present, or future, this is your chance to get expert advice, either from me or from the five other Metasploit developers who will also be attending. It should be fun and educational, if not a little exhausting! Hope to see you there!

Haven't yet signed up to join us at UNITED this year? Register here, or read more about some of the talks and features of this year's summit.

Metasploit Wrapup


Slowloris: SMB edition

Taking a page from the Slowloris HTTP DoS attack, the aptly named SMBLoris DoS attack exploits a vuln contained in many Windows releases (back to Windows 2000) and also affects Samba (a popular open source SMB implementation). Through creation of many connections to a target's SMB port, an attacker can exhaust all available memory on the target by sending a specific NBSS length header value over those connections, rendering the system unusable or crashed (if desired). And systems with SMB disabled are vulnerable to this attack too. Word is that Microsoft currently has no plans to issue a fix. Following the SMBLoris reveal at DEF CON (hat tip to the researchers at RiskSense!), Metasploit Framework now contains an exploit module for fulfilling your SMBLoris needs.

The Adventure of LNK

Think Windows shortcut files are a convenient way to reference a file from multiple places? How about as an attack vector to get remote code execution on a target? Affecting a wide range of Windows releases, a recently-landed exploit module might be just what you're looking for to give this vector a go. Microsoft did release a patch this past June, but we're gonna guess a lot of systems still haven't picked that up yet.

Would you like RCE with your PDF (reader)?

If so, Nitro's PDF reader might be your hookup. Many versions of both Pro and regular flavors of the reader are vulnerable, providing JavaScript APIs which allow writing a payload to disk and then executing it. Check out the new exploit module and enjoy some of that tasty RCE.

Jenkins, tell me your secrets...

If you periodically happen upon a target running Jenkins, we've got a new post module you might find useful. jenkins_gather will locate where Jenkins is installed on a system and then proceed to look for creds, tokens, SSH keys, etc., decrypting what it finds and conveniently adding it to your loot. It's been tested on a number of versions and platforms and is ready for you to give it a try.

And more!

We've also:

- enabled ed25519 support with net-ssh
- added better error handling for the Eternal Blue exploit module when it encounters a system that has SMB1 disabled (thx, @multiplex3r!)

New Modules

Exploit modules (2 new)

- LNK Code Execution Vulnerability by Uncredited and Yorick Koster exploits CVE-2017-8464
- Nitro Pro PDF Reader 11.0.3.173 Javascript API Remote Code Execution by sinn3r, Brendan Coles, and mr_me exploits CVE-2017-7442

Auxiliary and post modules (2 new)

- SMBLoris NBSS Denial of Service by thelightcosine
- Jenkins Credential Collector by thesubtlety

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

- Pull Requests 4.15.4...4.15.6
- Full diff 4.15.4...4.15.6

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

Hack with Metasploit: Announcing the UNITED 2017 CTF


Got mad skillz? Want mad skillz? This year at Rapid7's annual UNITED Summit, we're hosting a first-of-its-kind Capture the Flag (CTF) competition. Whether you're a noob to hacking or a grizzled pro, you'll emerge from our 25-hour CTF with more knowledge and serious bragging rights. Show off your 1337 abilities by competing for top prizes, or learn how to capture your first ever flag. Read on for details, and if you haven't already done so, register for UNITED!

Our UNITED competition isn't your average CTF. Why? Because this CTF is designed and hosted by the Metasploit team. That means two things: First, if you need a hand learning the ropes or help reverse-engineering an exceptionally tricky flag, you'll have access to the foremost experts in the offensive security field. Second, you'll be the first members of the public to test out the brand new Metasploitable3 Linux vulnerable machine. The Metasploit team has been waiting to debut a Linux version of Metasploitable, and we can't think of a better opportunity than UNITED to do it.

Details

The competition will kick off September 13, 2017 at 1:15 PM EDT at the inaugural workshop in UNITED's Phish, Pwn, and Pivot track: A Hands-on Introduction to Capture the Flag (CTF) Competitions Using Metasploitable (aptly named). Flag-capturing will end at 2:15 PM September 14, when we'll present awards and host discussion on advanced tactics for all the future CTFs you'll be able to dominate.

New to CTF competitions? Be sure to attend the hands-on introduction. Already captured, like, a million flags in your career? You don't need to attend sessions to participate—just connect to the competition infrastructure and get to work! Metasploit experts will be available to all participants during the conference, both in and outside of the sessions.

OK, what can I win?

Prizes will be awarded to the top three competitors.

- Top prize: Two complimentary passes to UNITED 2018, a HAK5 ESSENTIALS FIELD KIT, and a T-shirt.
- Second place: A HAK5 WIFI PINEAPPLE (NANO Basic) and a T-shirt
- Third place: A HAK5 USB RUBBER DUCKY and a T-shirt

What do I need to participate?

A desire to learn, perseverance, and a laptop with WiFi capabilities. You will need to generate an SSH key pair and connect to the competition infrastructure via SSH. To generate your keys, follow these tutorials:

- Windows: https://www.ssh.com/ssh/putty/windows/puttygen
- Ubuntu and OS X: https://www.ssh.com/ssh/keygen/

Never generated an SSH key pair before? We can help you when you arrive! If you are using Windows please download PuTTY and PuTTYgen in advance.

We look forward to seeing you at UNITED 2017 for what's basically guaranteed to be the coolest CTF in the history of flags and competitions. Haven't yet registered for UNITED? Fix that here—or contact your Rapid7 Account Executive or Customer Success Manager. You can explore more of UNITED 2017's lineup of speakers, trainings, and track sessions here.

Virtual Machine Automation (vm-automation) repository released


Rapid7 just released a new public repo called vm-automation. The vm-automation repository is a Python library that encapsulates existing methodologies for virtual machine and hypervisor automation and provides a platform-agnostic Python API. Currently, only ESXi and VMWare Workstation are supported, but I have high hopes we will support other hypervisors in time, and we would love to see contributors come forward and assist in supporting them!

That's awesome. I want to get started now!

Great! Instructions on how to use the library are here: https://github.com/rapid7/vm-automation

Why?

The Metasploit team has an embarrassment of riches when it comes to modules and payloads thanks to our amazing community and staff. To give some idea of the embarrassment of riches, feel free to launch msfconsole and check the output:

=[ metasploit v4.15.0-dev-7e1b50a ]
+ -- --=[ 1665 exploits - 953 auxiliary - 294 post ]
+ -- --=[ 486 payloads - 40 encoders - 9 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

We have 486 payloads, 1,665 exploits, nearly 1,000 aux modules, and 294 post modules. Additionally, we have 443 super-awesome contributors across the globe sending us modules every single day. All this is impressive, and we are incredibly thankful for everyone's support. At the same time, this is a challenge to test—especially since Microsoft and Linux keep updating things to break our code without warning (don't they know who we are?!).

One of the efforts that we are working on is some test automation to help us maintain our modules and payloads—or at least know when things break faster—and to streamline the PR landing process. To do that we made a testing infrastructure that uses virtual and physical machines as attackers and targets; then we launch payloads, scripts, and modules on the virtual machines and track the responses. As we are all lazy, it needed automation, so we looked for a clean, simple way to interact with different kinds of vms that was consistent across hypervisors.

In a former life, I was also an instructor and CTF developer; as a result, I know that the ability to script vm management tasks makes life much easier for a lot of people beyond the narrow case of module and payload testing in Metasploit, so we split the library for automating vm tasks into a separate repo for anyone to use (and contribute new ideas!).

Aren't there already things that do this?

Yes...sort of. There are multiple projects out there that exist and give varying amounts of control over vms using lots of different languages. Pyvmomi is one great example; it allows spectacular levels of customization and power over virtual machines that the average CTF-er or tester has absolutely no need to use, while simple tasks like getting a list of snapshots take ~40 lines of code. I certainly do not want to denigrate or disparage Pyvmomi: they provide an awesome API, and I know people who need that level of power over virtual machines, but it is just too powerful and complex for a lot of hobby-level hypervisor scripters.

This library wraps a lot of Pyvmomi API calls into simple, comprehensible API calls to support the majority of what most hypervisor script users would need, while abstracting a lot of the complexities in Pyvmomi. Also, Pyvmomi only supports ESXi, and this library leverages Pyvmomi API calls to support ESXi, but then uses VMrun.exe to support VMware Workstation. So while much of the underlying code is changing, the functions to interact with vms remain the same across hypervisors, supporting the main goal for this repo: one function call, multiple hypervisors.

So what is it you say you do around here?

The supported functions are currently limited to those you might want to automate a CTF or test range:

- checkTools: Returns the state of VMWare tools
- deleteSnapshot: Deletes a given snapshot
- getArch: Returns the vm architecture
- getFileFromGuest: Pulls a file from the virtual machine
- getSnapshots: Updates the vm object's snapshot list attribute
- getVmIp: Updates the vm object's IP address to match the vm
- getUsername: Returns the vm's username
- isPoweredOff: Returns true or false
- isPoweredOn: Returns true or false
- makeDirOnGuest: Creates a directory on the specified vm
- powerOn: Turns on the vm
- powerOff: Turns off the vm
- revertToSnapshot: Reverts the vm to a given snapshot
- runCmdOnGuest: Runs a command or executable on the vm
- setPassword: Updates the password in the vm object
- setUsername: Updates the username in the vm object
- takeSnapshot: Takes a snapshot of the vm
- updateProcList: Updates the process list in the vm object
- uploadAndRun: Uploads a script or executable file and runs it
- uploadFileToGuest: Uploads a file to the vm
- waitForTask: Waits for a given task to complete before allowing continued execution. Most of the API calls can be synchronous or asynchronous; this function allows us to toggle between the two.

How are you implementing the functions?

The basic layout is this: for each hypervisor (currently two), there are two classes. The first class is the hypervisor class. It contains all the attributes required to make the hypervisor work, like IP address, login information, and vm list. The other class is the vm class with supporting functions and attributes associated with the vms to handle normal vm interactions with snapshots, process lists, IP addresses, and the hypervisor. By overloading the function names across the vm classes, we can interact with any vm exactly the same, regardless of the hypervisor (or type of hypervisor) on which it runs.

Moving forward

The obvious thing is that we need to support more hypervisors: I would love to support cheaper or free virtualization options like VirtualBox or even Hyper-V. I hope that this library proves as useful to others as it would have been to me over the years. I welcome anyone who would like to contribute, especially if they want to start work on supporting extra hypervisors! It is a relatively simple project. I think if we do it right it will see a lot of use, and we can help a lot of people.

Metasploit Wrapup


A fresh, new UAC bypass module for Windows 10!

Leveraging the behavior of fodhelper.exe and a writable registry key as a normal user, you too can be admin! Unpatched as of last week, this bypass module works on Windows 10 only, but it works like a charm!

Reach out and allocate something

This release offers up a fresh denial/degradation of services exploit against hosts running a vulnerable version of rpcbind. Specifically, you can repeatedly allocate up to four gigabytes of RAM on the remote host with predictably bad results. It becomes worse when you realize that the allocation process is outside tracked memory, so that memory will not be unallocated. As a bonus, the granularity of the module accommodates those who wish to be truly evil by allowing them to simply degrade a host's performance, rather than completely crashing it.

Hardware agnosticism

Thanks to our great community, this release contains a fix for a troublesome bug where a Meterpreter session would crash under a specific set of circumstances when running on an AMD CPU. The exact cause is yet to be determined, but it appears the AMD chip becomes confused about the memory it can access, and inserting an otherwise bogus move instruction causes the chip to recover or somehow right itself, allowing it to execute the originally-offending instruction. If you are a bit of a hardware junkie, feel free to read more.

Improved reporting

There were multiple fixes to help in a less exciting, but still incredibly important, aspect of pen-testing: reporting. We fixed a bug in vulnerability reporting where [Metasploit](https://www.rapid7.com/products/metasploit/) was not correctly tracking the attempted vulnerabilities, so reports would be less accurate than they could be. Also, an update to our scanner modules increases the CVE references for each scan to allow better reporting or researching for methods of attack.

Download now supports terrible networks

A new feature allows Metasploit users to control the block size when downloading files. In most cases, this is not important, but on a network that might be slow or laggy, the ability to control block size will result in more reliable downloads. Included is an adaptive flag to drop the block size in half every time a block transfer fails. If you've never had to redteam on a bad network, count yourself lucky; if you have, you'll love this new feature.

It happens to the best of us

In addition to adding functionality and fixing user bugs, this release also includes a security fix reported by our community. The CSRF vulnerability is now patched; we send a hearty thank you to the reporter, @SymbianSyMoh!

New Modules

Exploit modules (2 new)

- DC/OS Marathon UI Docker Exploit by Erik Daguerre
- Windows UAC Protection Bypass (Via FodHelper Registry Key) by amaloteaux and winscriptingblog

Auxiliary and post modules (1 new)

- RPC DoS targeting *nix rpcbind/libtirpc by Pearce Barry and guidovranken exploits CVE-2017-8779

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

- Pull Requests 4.14.23...4.14.26
- Full diff 4.14.23...4.14.26

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.
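The adaptive block-size download described in this wrapup, as an added illustration that is not Meterpreter's own transfer code: the lossy link (FlakyChannel) is a constructed stand-in that rejects any block above a size limit, and the halving-on-failure loop is the mechanism the post describes.

```ruby
# Adaptive block-size download: halve the block each time a block transfer
# fails, as described in the wrapup above. Example code, not Meterpreter's
# own implementation; the lossy link is simulated in-process.

# Constructed stand-in for a slow, lossy link: any read larger than max_ok
# bytes fails, so a downloader that never shrinks its block size stalls.
class FlakyChannel
  attr_reader :reads

  def initialize(data, max_ok)
    @data = data
    @max_ok = max_ok
    @reads = 0
  end

  def read(offset, size)
    @reads += 1
    raise IOError, "block transfer failed (#{size} bytes)" if size > @max_ok
    @data[offset, size]
  end
end

# Fetch `total` bytes from `chan` in blocks of `block_size`.
#
# With adaptive: true, every failed block halves the block size (never below
# min_block) before the same offset is retried. With adaptive: false the block
# is retried at the same size until max_failures is exceeded.
# Returns [data, final_block_size, failures].
def download(chan, total, block_size, adaptive: true, min_block: 1, max_failures: 64)
  buf = String.new(encoding: Encoding::BINARY)
  failures = 0
  while buf.bytesize < total
    want = [block_size, total - buf.bytesize].min
    begin
      chunk = chan.read(buf.bytesize, want)
    rescue IOError
      failures += 1
      raise "giving up after #{failures} failed blocks" if failures > max_failures
      block_size = [min_block, block_size / 2].max if adaptive
      next
    end
    raise "short read at offset #{buf.bytesize}" if chunk.nil? || chunk.empty?
    buf << chunk
  end
  [buf, block_size, failures]
end

# Constructed 100 KiB payload over a link that rejects blocks over 4 KiB:
# 64 KiB -> 32 -> 16 -> 8 -> 4 KiB, i.e. four failures before transfers flow.
def demo
  payload = (0..255).to_a.pack('C*') * 400
  chan = FlakyChannel.new(payload, 4096)
  data, final_block, failures = download(chan, payload.bytesize, 65_536)
  raise 'payload mismatch' unless data == payload
  [final_block, failures, chan.reads]
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Run with adaptive: false against the same channel and the download never completes, which is the failure mode the adaptive flag exists to avoid.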

Metasploit Wrapup


It has only been one week since the last wrapup, so it's not like much could have happened, right? Wrong!

Misery Loves Company

After last week's excitement with Metasploit's version of ETERNALBLUE (AKA the Wannacry vulnerability), this week SAMBA had its own "Hold My Beer" moment with the disclosure that an authenticated (or anonymous) client can upload a shared library to a SAMBA server, and that server will happily execute the library! The vulnerability is present in all versions of SAMBA since 2010 and was only patched a few days ago. That length of time paired with the number, simplicity, and price points of the devices that run SAMBA mean that this vulnerability will be around for a very, very long time. The always-original internet appears to have dubbed this "Sambacry" whereas we here at Rapid7 have taken a more animated path in our references. In the scant week since the vulnerability was released, we've already landed and improved a module that takes advantage of the vulnerability, and it works on fifteen different computing architectures. Because SAMBA runs on so many different architectures, and we're supporting them, this really is the perfect opportunity to go out and play with the new and improved POSIX Meterpreter!

Make New Friends, But Keep the Old

Just because we had a shiny new exploit does not mean we forgot about our old friend from last week, ETERNALBLUE. This update sees several improvements to last week's module, including:

- An improved architecture verification when port 135 is blocked
- Ignoring and continuing if the target does not reply to an SMB request
- OS Verification

We've Got Your Back

Not too long ago, we added a module to migrate from one architecture to another on Windows hosts. Unfortunately, if you were running as an elevated user, the new session did not maintain those privileges. Now, if you try to migrate as SYSTEM, we'll stop you and make sure you really want to privdesc(?) yourself.

Speaking of Running Metasploit in Strange Places

zombieCraig has extended support for the hardware bridge in Metasploit, squashing bugs and adding two new commands: testerpresent and isotpsend. The first sends keepalive packets in the background to maintain the diagnostic connection, and the second allows communication with ISO-TP compatible modules. We've also added a module to dump credentials on scadaBR systems.

Target your Target

For those who have enjoyed the recent Office Macro exploit, you can now embed it into custom docx templates for that personal touch.

New Modules

Exploit modules (5 new)

- Samba is_known_pipename() Arbitrary Module Load by hdm, Brendan Coles, and steelo exploits CVE-2017-7494
- Octopus Deploy Authenticated Code Execution by James Otten
- VX Search Enterprise GET Buffer Overflow by Daniel Teixeira

Auxiliary and post modules (2 new)

- ScadaBR Credentials Dumper by Brendan Coles
- WordPress Traversal Directory DoS by CryptisStudents and Yorick Koster exploits CVE-2016-6897

Get It

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

- Pull Requests 4.14.20...4.14.23
- Full diff 4.14.20...4.14.23

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

Metasploit Wrapup


It has been an intense couple of weeks in infosec since the last Wrapup and we've got some cool things for you in the latest update. Hacking like No Such Agency I'll admit I was wrong. For several years, I've been saying we'll never see another bug like MS08-067, a full remote hole in a default Windows service. While I'm not yet convinced that MS17-010 will reach the same scale as MS08-067 did, EternalBlue has already done substantial damage to the internet. Rapid7 bloggers covered a bunch of the details last week. More on the EternalBlue Metasploit module How to scan your network for the WannaCry vulnerability with InsightVM and Nexpose A deep dive into the WannaCry vulnerability Since the last Wrapup, we've added an exploit for EternalBlue that targets x64 on the Windows 7 kernel (including 2008 R2). Updates are in the works to cover x86 and other kernels. There is also a scanner that can reliably determine exploitability of MS17-010, as well as previous infection with DOUBLEPULSAR, the primary payload used by the original leaked exploit. While EternalBlue was making all the headlines, we also landed an exploit module for the IIS ScStoragePathFromUrl bug (CVE-2017-7269) for Windows 2003 from the same dump. This one requires the victim to have WebDAV enabled, which isn't default but is really common, especially on webservers of that era. Since 2003 is End of Support, Microsoft is not going to release a patch. Dance the Samba In the few days since we spun this release, we also got a shiny new exploit module for Samba, the Unixy SMB daemon that runs on every little file sharing device ever. Expect some more discussion about it in the next wrapup. In the mean time, you can read more about the effects of the bug. WordPress PHPMailer WordPress, which powers large swaths of the internet, embeds a thing called PHPMailer for sending email, mostly for stuff like password resets. Earlier this May, security researcher Dawid Golunski published a vulnerability in PHPMailer. 
The vulnerability is similar to CVE-2016-10033, discovered by the same researcher. Both of these bugs allow you to control arguments to sendmail(1). Now, vulns in WordPress core are kind of a big deal, since, as previously mentioned, WP is deployed everywhere. Unfortunately (or maybe fortunately, depending on your perspective), there is a big caveat: Apache since 2.2.32 and 2.4.24 changes a default setting, HttpProtocolOptions, to disallow the darker corners of RFC 2616, effectively mitigating this bug for most modern installations. The intrepid @wvu set forth to turn this into a Metasploit module and came out the other side with some shells and interesting discoveries that he'll cover in a more detailed technical post coming soon to a Metasploit Blog near you.

Railgun

While Meterpreter is a very powerful and flexible tool for post exploitation on its own, sometimes you need the flexibility to go beyond the functionality that it provides directly. There may be a special API that needs to be called to extract a credential, or a certain system call that is required to trigger an exploit. For a long time, Windows Meterpreter users have enjoyed the use of the Railgun extension, which provides a way to do just that, similar to the FFI (Foreign Function Interface) that is available in many scripting languages, but operating remotely. Thanks to an enormous effort by Metasploit contributor zeroSteiner, Linux users can now also take advantage of Railgun, as it is now implemented as part of Python Meterpreter! This functionality opens the door to many new post-exploitation module possibilities, including the ability to steal cleartext passwords from gnome-keyring. See zeroSteiner's blog and his more technical companion piece for more details.

Steal all the things

This week's update also continues the fine tradition of Stealing All the Things(tm). The aforementioned gnome-keyring dumper allows you to steal passwords from a logged-in user. In a similar vein, if you have a shell on a JBoss server, post/multi/gather/jboss_gather will give you all the passwords. The fun thing about both of these is that they work on the principle that you have permission to read these things: there is no exploit here, and nothing to be patched. On the other side of things, auxiliary/admin/scada/moxa_credentials_recovery does take advantage of a vulnerability to grab all the creds from a cute little SCADA device.

New Modules

Exploit modules (10 new)

Crypttech CryptoLog Remote Code Execution by Mehmet Ince
Quest Privilege Manager pmmasterd Buffer Overflow by m0t exploits CVE-2017-6553
BuilderEngine Arbitrary File Upload Vulnerability and execution by Marco Rivoli, and metanubix
MediaWiki SyntaxHighlight extension option injection vulnerability by Yorick Koster exploits CVE-2017-0372
WordPress PHPMailer Host Header Command Injection by wvu, and Dawid Golunski exploits CVE-2016-10033
Dup Scout Enterprise GET Buffer Overflow by Daniel Teixeira, and vportal
Serviio Media Server checkStreamUrl Command Execution by Brendan Coles, and Gjoko Krstic (LiquidWorm)
Sync Breeze Enterprise GET Buffer Overflow by Daniel Teixeira
Microsoft IIS WebDav ScStoragePathFromUrl Overflow by Chen Wu, Dominic Chell, Lincoln, Rich Whitcroft, Zhiniang Peng, firefart, and zcgonvh exploits CVE-2017-7269
MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption by Dylan Davis, Equation Group, Sean Dillon, and Shadow Brokers exploits CVE-2017-0148

Auxiliary and post modules (6 new)

Moxa Device Credential Retrieval by K. Reid Wightman, and Patrick DeSantis exploits CVE-2016-9361
Intel AMT Digest Authentication Bypass Scanner by hdm exploits CVE-2017-5689
Module to Probe Different Data Points in a CAN Packet by Craig Smith
Gnome-Keyring Dump by Spencer McIntyre
Jboss Credential Collector by Koen Riepe (koen.riepe
Multi Manage Network Route via Meterpreter Session by todb, and Josh Hale "sn0wfa11"

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

Pull Requests 4.14.15...4.14.21
Full diff 4.14.15...4.14.21

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.
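A small audit for the Apache HttpProtocolOptions mitigation mentioned at the top of this wrapup, added here as an illustration (it is not Rapid7 or Metasploit code). It relies on two facts about httpd: the directive arrived in 2.2.32 and 2.4.24 with a default of Strict, and an explicit Unsafe token restores the lenient request parsing; the audit, parse_version and effective_protocol_options helpers and the sample configurations are this example's own constructions, and the config text is treated as one server-wide scope.

```python
"""Audit an Apache httpd configuration for the HttpProtocolOptions mitigation."""
import re
from typing import List, Optional, Tuple

# First httpd releases in each branch that ship HttpProtocolOptions (per the post).
MITIGATED_SINCE = {(2, 2): (2, 2, 32), (2, 4): (2, 4, 24)}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.4.25' or a Server banner such as 'Apache/2.4.25 (Debian)' into a tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no httpd version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def version_has_directive(version: Tuple[int, ...]) -> bool:
    """True when this httpd release knows the HttpProtocolOptions directive at all."""
    minimum = MITIGATED_SINCE.get(version[:2])
    if minimum is None:
        # Branches newer than 2.4 inherit the directive; 2.0 and older never had it.
        return version[:2] > (2, 4)
    return version >= minimum


def effective_protocol_options(config: str) -> Optional[List[str]]:
    """Tokens of the last HttpProtocolOptions line in ``config``, or None if absent.

    Assumption of this example: the text is a single server-wide scope, so the
    last occurrence wins as in httpd's global context; per-vhost overrides are
    not modelled. Full-line comments are ignored.
    """
    tokens = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0].lower() == "httpprotocoloptions":
            tokens = parts[1:]
    return tokens


def audit(config: str, version: str) -> Tuple[bool, str]:
    """Return (hardened, reason) for a config text and an httpd version string."""
    ver = parse_version(version)
    dotted = ".".join(str(p) for p in ver)
    if not version_has_directive(ver):
        return False, f"httpd {dotted} predates HttpProtocolOptions; lenient parsing cannot be disabled"
    tokens = effective_protocol_options(config)
    if tokens is None:
        return True, "directive absent; httpd default is Strict"
    if "unsafe" in (t.lower() for t in tokens):
        return False, "HttpProtocolOptions Unsafe re-enables lenient request parsing"
    return True, f"HttpProtocolOptions {' '.join(tokens)} keeps Strict parsing"


# Constructed sample configurations (not from any real deployment).
SAFE_CONF = """
ServerName example.test
# Strict is the default; spelled out here for clarity
HttpProtocolOptions Strict LenientMethods Allow0.9
"""

UNSAFE_CONF = """
ServerName legacy.test
HttpProtocolOptions Strict
# a later edit overrides the earlier line, and the last one wins
HttpProtocolOptions Unsafe LenientMethods Allow0.9
"""

if __name__ == "__main__":
    for label, conf, ver in [("safe", SAFE_CONF, "Apache/2.4.25 (Debian)"),
                             ("unsafe", UNSAFE_CONF, "2.4.25"),
                             ("old", "", "2.4.18")]:
        hardened, why = audit(conf, ver)
        print(f"{label:7s} hardened={hardened} ({why})")
```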

Recent Python Meterpreter Improvements

The Python Meterpreter has received quite a few improvements this year. In order to generate consistent results, we now use the same technique to determine the Windows version in both the Windows and Python instances of Meterpreter. Additionally, the native system language is now populated in the output of the sysinfo command. This makes it easier to identify and work with international systems.

The largest change to the Python Meterpreter is the addition of Railgun functionality. Railgun - in the context of the Metasploit Framework - refers to a set of features available in the standard API (stdapi) extension of Meterpreter. The intention of the feature set is to allow the Metasploit side to call functions in native libraries on the compromised host. This has some very practical applications when it comes to post exploitation, but is also used in some older local exploit modules. The functionality has been around since 2010, but until recently was only supported by the native Windows Meterpreter.

Recent additions to Metasploit are expanding the scope of this functionality to support non-Windows platforms. Specifically, the Python Meterpreter has received support for these Railgun API functions when on the Windows and Linux platforms. Bringing this functionality to the Linux platform will increase what Metasploit users can do with their sessions. To demonstrate the functionality, one of the newest Linux post-exploit modules uses Railgun to call functions in libgnome-keyring.so.0 as the current user. This is then used to enumerate and extract all plaintext passwords that it holds for the user - all without having to write any files to disk.

Without Railgun, a common practice for calling native library code would be to upload a precompiled binary to perform the necessary tasks, or upload the source to compile one. Most penetration testers want to avoid writing things to disk for obvious reasons. With expanded Railgun support, uploading files such as these isn't necessary.

For more technical details on how the new Python Meterpreter Railgun implementation works, check out this War Room blog post.
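The describe-and-call model the post attributes to Railgun, sketched with ctypes as an added example rather than the Python Meterpreter's own implementation: a native function is described by library symbol, argument and return types, then called in process with any caller-owned output buffer marshalled back, so nothing is written to disk. The NativeFunction description, call_native and the two libc wrappers are this example's own assumptions, and the library handle comes from ctypes.CDLL(None), which on Linux and macOS exposes the libc symbols already mapped into the interpreter.

```python
"""Railgun-style native calls from Python via ctypes (illustrative, not Meterpreter code)."""
import ctypes
import ctypes.util
import os
import socket
from dataclasses import dataclass, field
from typing import Any, Dict, List, Tuple


def _load_libc() -> ctypes.CDLL:
    """Handle to the C library; CDLL(None) is the running process image on POSIX."""
    try:
        return ctypes.CDLL(None)
    except (OSError, TypeError):
        return ctypes.CDLL(ctypes.util.find_library("c"))


@dataclass
class NativeFunction:
    """Minimal function description in the spirit of a Railgun API table entry."""
    name: str
    restype: Any
    argtypes: List[Any]
    # argument index -> byte length of a buffer that the callee fills in
    out_buffers: Dict[int, int] = field(default_factory=dict)


def call_native(spec: NativeFunction, *args: Any) -> Tuple[Any, Dict[int, bytes]]:
    """Resolve ``spec.name`` in libc, call it, and return (retval, filled out-buffers).

    Positions listed in ``spec.out_buffers`` are allocated here; the caller passes
    None as a placeholder for them and gets the raw bytes back, so no raw pointer
    ever crosses the boundary (the same idea as Railgun's out-parameter handling).
    """
    fn = getattr(_load_libc(), spec.name)
    fn.restype = spec.restype
    fn.argtypes = spec.argtypes
    real_args = list(args)
    buffers: Dict[int, Any] = {}
    for idx, size in spec.out_buffers.items():
        buf = ctypes.create_string_buffer(size)
        buffers[idx] = buf
        real_args[idx] = buf
    ret = fn(*real_args)
    return ret, {i: b.raw for i, b in buffers.items()}


# Two standard POSIX libc calls, described once and invoked through the dispatcher.
GETHOSTNAME = NativeFunction(
    "gethostname", ctypes.c_int,
    [ctypes.POINTER(ctypes.c_char), ctypes.c_size_t], out_buffers={0: 256},
)
GETPID = NativeFunction("getpid", ctypes.c_int, [])


def hostname_via_ffi() -> str:
    """gethostname(2) through the dispatcher; the NUL-terminated buffer is decoded here."""
    ret, out = call_native(GETHOSTNAME, None, 256)
    if ret != 0:
        raise OSError("gethostname failed")
    return out[0].split(b"\0", 1)[0].decode()


def pid_via_ffi() -> int:
    """getpid(2) through the dispatcher; a plain return value, no buffers."""
    return call_native(GETPID)[0]


if __name__ == "__main__":
    print(f"hostname={hostname_via_ffi()} pid={pid_via_ffi()}")
```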

Exploitable Vulnerabilities: A Metasploit-Vulnerability Management Love Story

Integrating InsightVM or Nexpose (Rapid7's vulnerability management solutions) with Metasploit (our penetration testing solution) is a lot like Cupid playing “matchmaker” with vulnerabilities and exploit modules. When a vulnerability scan is imported into Metasploit, many things happen under the hood, outside of generating host, service, and vulnerability data in your workspace. In much the same way that Cupid takes into account the qualities of the individuals he is matchmaking, when a host's service is found to have a vulnerability, Metasploit will check its ever growing store of modules for one that can potentially be run against the host's vulnerabilities. This is referred to as an Automatic Exploitation Match. Match generation takes into account not only the vulnerability, but attributes of the host like platform, architecture, etc. This special set of criteria leads to the generation of module matches that have a pretty high chance of successfully being run on the host.

Of course, just like with Cupid's matchmaking, given the uncertain nature of networking environments and other factors, the default configuration for a module may not always work without some tweaking of parameters (e.g. using a bind payload for a target that is behind a NAT). Two people may be compatible, but sometimes things just don't work out.

Modules that have been matched with vulnerable hosts can be viewed at a single vulnerability instance's related modules tab. This is all well and good, but vulnerability instances are attributed to a single host, which means the same Vulnerability definition will show up in several Vulnerability instances, one for each host that has an instance of that Vulnerability. When dealing with a non-trivial environment containing several hosts, the table of Vulnerabilities quickly explodes in number, becoming difficult to manage and make sense of. This can be similar to the feeling of being overwhelmed by the plenty of fish that are out there in the sea: a lot of noise, when you really just want to know which are even compatible. It is difficult to determine which vulnerability instances actually have modules that can be used against them, requiring iteratively clicking on each Vulnerability instance's related modules tab to see. If only there was a way to view the results of matchmaking modules with vulnerabilities in an intuitive and productive way…

With the latest release of Metasploit Pro, we introduce the Applicable Modules tab to the workspace analysis view. This view aims to solve the problem of making sense of a massive list of vulnerabilities. Similar to the way a single vulnerability page has a related modules tab, the Applicable Modules tab in workspace analysis aggregates a list of related modules across all vulnerable instances in your workspace. Along with each module entry in this list, relevant metadata related to the module are also quickly viewable, including the affected hosts and associated vulnerabilities. Hover over the various metadata entities to view additional information, such as services on a host or a full vulnerability description, without having to navigate away from the page. You can click on a module to autoconfigure a module run with all affected hosts filled in as targets. This list defaults to being sorted by module release date, so you can quickly see the latest hotness Metasploit has to offer that can target hosts in your environment.

The Applicable Modules table densely packs and associates host, vuln, and module-matching information that is relevant to your workspace into a single view, allowing for deeper insight at a glance. Metasploit generates quite a bit of insightful data regarding the relationship of vulnerabilities found in your workspace and their exploitability via modules. The Applicable Modules workspace analysis tab intuitively presents the relevant information relating hosts, vulnerabilities, and the exploit modules within Metasploit by listing modules that can target assets in your environment.

Be sure to also catch the other productivity enhancements included in the latest release: “Single Host's modules view as a searchable/sortable table” and “Pushing InsightVM and Nexpose Exceptions and Validations from Task Chains”. All is fair in <3 and Infosec. Happy exploiting, friends!

Metasploit Weekly Wrapup

Ghost...what???

hdm recently provided a new exploit module for a type confusion vulnerability that exists in Ghostscript versions 9.21 and earlier, allowing remote code execution on the target. And to "kick it up a notch", this exploit got itself a snazzy logo which also contains the exploit: (spoiler alert: it's called GhostButt)

Forever and a day

From mr_me comes a one-two punch in the form of two exploits which target an EOL'd Trend Micro appliance. Certain versions of the Threat Discovery Appliance contain both authentication bypass and command injection vulnerabilities, which can be used to gain access to the appliance and run whatevs, respectively. And because this product is no longer supported by Trend Micro, these vulns are expected to be "forever day".

HTA RCE FTW

If you're looking for remote code execution via an MS Office document vuln, nixawk's exploit module might fit the bill nicely. This new addition allows Framework users to easily craft a doc file containing an OLE object which references an HTML Application (HTA). When the target opens this document, the HTA is accessed over the network (Framework acting as the server, of course), and remote code execution is back on the menu.

Feeling constrained?

Mercurial SCM users with ssh access can now move about more freely thanks to a new exploit module from claudijd. By targeting weak repo validation in HG server's customizable hg-ssh script, users can use this module to break out of their restricted shell and execute arbitrary code. Give it a go and enjoy your new-found freedom...!

But wait, there's more!

Rounding out our tech updates, bcook-r7 has given us a polite push forward and "flipped the switch" so that the POSIX Meterpreter used by Framework is now providing Mettle as its payload. Not only does Mettle weigh in at ~1/2 the size of the old POSIX Meterpreter, it also provides more functionality. Additionally, it's being actively worked on these days, unlike the old POSIX Meterpreter. Yes, plz!

The Summer of Code is upon us!

We are excited to welcome Tabish Imran, B.N. Chandrapal, and Taichi Kotake to the Metasploit community as 2017 Google Summer of Code students. We thank everyone who took the time to participate; it was a fierce competition, with over 30 applicants. Look forward to seeing the great projects these students create this summer!

New Modules

Exploit modules (6 new)

WePresent WiPG-1000 Command Injection by Matthias Brun
Mercurial Custom hg-ssh Wrapper Remote Code Exec by claudijd
Trend Micro Threat Discovery Appliance admin_sys_time.cgi Remote Command Execution by Roberto Suggi Liverani and mr_me exploits CVE-2016-7547
Ghostscript Type Confusion Arbitrary Command Execution by hdm and Atlassian Security Team exploits CVE-2017-8291
Microsoft Office Word Malicious Hta Execution by sinn3r, DidierStevens, Haifei Li, Nixawk, ryHanson, vysec, and wdormann exploits CVE-2017-0199
Disk Sorter Enterprise GET Buffer Overflow by Daniel Teixeira

Auxiliary and post modules (1 new)

Upload and Execute by egyp7

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

Pull Requests 4.14.12...4.14.15
Full diff 4.14.12...4.14.15

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

Metasploit Wrapup, 4.14.4 through 4.14.11

Editor's Note: While this edition of the Metasploit Wrapup is a little late (my fault, sorry), we're super excited that it's our first ever Metasploit Wrapup to be authored by a non-Rapid7 contributor. We'd like to thank claudijd - long-time Metasploit contributor, Mozilla security wrangler, and overall nice guy - for writing this post. If other Metasploit contributors want to get involved with spreading the word, we want to hear from you! We should be back on track timing-wise with our Wrapup for this week on Friday. Without any further delay, here's what's new in Metasploit versions 4.14.4 through 4.14.11. - JE

Here's my number, text me maybe?

Metasploit sessions can happen at any time. Fortunately, you can always be plugged in to what's going on with the new session notifier plugin, compliments of wchen. This plugin allows you to send SMS notifications for Metasploit sessions to a variety of carriers (AllTel, AT&T wireless, Boost Mobile, Cricket Wireless, Google Fi, T-Mobile, Verizon, and Virgin Mobile) so you'll never miss out on the pwnage.

Text-editors and Programming Languages

If you've ever been cornered by a VIM user around the water cooler and been regaled to exhaustion about why you should also choose VIM, you probably hold your ability to choose in high regard. Recently, acammack extended Metasploit to provide initial support to include more choice in what programming language you can write Metasploit modules in. The idea here would be that instead of being forced to write all modules in Ruby, you could write one in Python, Go, LOLCODE, or whatever your heart desires.

Improve Your Spider Sense

Many of us have had that feeling before that something doesn't add up; you can think of it as your own "hacker spider-sense." This can sometimes happen when you tell yourself, "that seemed way too easy" or "these services don't quite make sense", only to find out later that you've owned a honeypot. To help fight against this, thecarterb recently added an auxiliary module to Metasploit, which allows you to check Shodan's honeyscore to see if your target is or is not known to act like a honeypot with a score between 0.0-1.0 (0.0 being not a honeypot and 1.0 being a honeypot). Having this data can be useful both after exploitation (to realize your blunder) or even earlier in the process to avoid an obvious honeypot before you send a single byte in its direction.

Waste Not, Want Not

You never know when a useful bit of information will be the key to another door. In that spirit, it's encouraged to loot as much as you can when you can. Recently, a number of useful modules have been added to help you loot as much as possible and improve your odds of success...

Multi Gather IRSSI IRC Passwords - This post module allows you to steal an IRSSI user's configuration file if it contains useful IRC user/network passwords. This could be helpful if you'd like to mix in a little social engineering, by impersonating your target to get additional people working for you.

Windows Gather DynaZIP Saved Password Extraction - This post module allows you to harvest clear text passwords from dynazip.log files. This can be pretty handy if you have an encrypted zip file that you need opened in a hurry.

Multiple Cambium Modules - If you find yourself testing Cambium ePMP 1000's, you're in luck, as multiple modules have been added to effectively juice all sorts of information from these devices. These modules allow you to pull a variety of configuration files and password hashes over HTTP and SNMP. This is helpful to identify a shared password or password scheme that's been re-used on other network infrastructure devices to expand your influence.

New Modules

Exploit Modules (5 new)

Cambium ePMP 1000 Arbitrary Command Execution by Karn Ganeshen
Github Enterprise Default Session Secret And Deserialization Vulnerability by iblue and sinn3r
SolarWind LEM Default SSH Password Remote Code Execution by Mehmet Ince
Debian/Ubuntu ntfs-3g Local Privilege Escalation by jannh and h00die
NETGEAR WNR2000v5 (Un)authenticated hidden_lang_avi Stack Overflow by Pedro Ribeiro

Auxiliary and post modules (10 new)

Cambium ePMP SNMP Enumeration by Karn Ganeshen
Cambium ePMP 1000 Password Hash Extractor by Karn Ganeshen
Cambium ePMP 1000 Dump Device Config by Karn Ganeshen
Cambium ePMP 1000 Login Scanner by Karn Ganeshen
Multi Gather IRSSI IRC Password(s) by claudijd
Moxa UDP Device Discovery by Patrick DeSantis
Shodan Honeyscore Client by thecarterb
Architecture Migrate by Koen Riepe
Windows Gather DynaZIP Saved Password Extraction by Brendan Coles
NETGEAR WNR2000v5 Administrator Password Recovery by Pedro Ribeiro

Get It

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

Pull Requests 4.14.4...4.14.11
Full Diff 4.14.4...4.14.11

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions.

The Shadow Brokers Leaked Exploits Explained

The Rapid7 team has been busy evaluating the threats posed by last Friday's Shadow Broker exploit and tool release and answering questions from colleagues, customers, and family members about the release. We know that many people have questions about exactly what was released, the threat it poses, and how to respond, so we have decided to compile a list of frequently asked questions.

What's the story?

On Friday, April 15, a hacking group known as the “Shadow Brokers” released a trove of alleged NSA data, detailing exploits and vulnerabilities in a range of technologies. The data includes information on multiple Windows exploits, a framework called Fuzzbunch for loading the exploit binaries onto systems, and a variety of post-exploitation tools. This was understandably a cause for concern, but fortunately, none of the exploits were zero days. Many targeted older systems and the vulnerabilities they exploited were well-known, and four of the exploits targeted vulnerabilities that were patched last month.

Who are these shady characters?

The Shadow Brokers are a group that emerged in August of 2016, claiming to have information on tools used by a threat group known as Equation Group. The initial information that was leaked by the Shadow Brokers involved firewall implants and exploitation scripts targeting vendors such as Cisco, Juniper, and Topsec, which were confirmed to be real and subsequently patched by the various vendors. Shadow Brokers also claimed to have access to a larger trove of information that they would sell for 1 million bitcoins, and later lowered the amount to 10,000 bitcoins, which could be crowdfunded so that the tools would be released to the public, rather than just to the highest bidder. The Shadow Brokers have popped up from time to time over the past 9 months leaking additional information, including IP addresses used by the Equation Group and additional tools. Last week, having failed to make their price, they released the password for the encrypted archive, and the security community went into a frenzy of salivation and speculation as it raced to unpack the secrets held in the vault. The April 15th release seems to be the culmination of the Shadow Brokers' activity; however, it is possible that there is still additional information about the Equation Group that they have not yet released to the public.

Should you be worried?

A trove of nation state-level exploits being released for anyone to use is certainly not a good thing, particularly when they relate to the most widely-used software in the world, but the situation is not as dire as it originally seemed. There are patches available for all of the vulnerabilities, so a very good starting point is to verify that your systems are up to date on patches. Home users and small network operators likely had the patches installed automatically in the last update, but it is always good to double-check. If you are unsure if you are up to date on these patches, we have checks for them all in Rapid7 Nexpose and Rapid7 InsightVM. These checks are all included in the Microsoft hotfix scan template.

Exploit(s) | Bulletin | Nexpose / InsightVM check
EternalBlue, EternalSynergy, EternalRomance, EternalChampion | MS17-010 | msft-cve-2017-0143, msft-cve-2017-0144, msft-cve-2017-0145, msft-cve-2017-0146, msft-cve-2017-0147, msft-cve-2017-0148
EmeraldThread | MS10-061 | WINDOWS-HOTFIX-MS10-061
EskimoRoll | MS14-068 | WINDOWS-HOTFIX-MS14-068
EducatedScholar | MS09-050 | WINDOWS-HOTFIX-MS09-050
EclipsedWing | MS08-067 | WINDOWS-HOTFIX-MS08-067

If you want to ensure your patching efforts have been truly effective, or understand the impact of exploitation, you can test your exposure with several modules in Rapid7 Metasploit:

Exploit | Bulletin | Metasploit module(s)
EternalBlue | MS17-010 | auxiliary/scanner/smb/smb_ms17_010
EmeraldThread | MS10-061 | exploit/windows/smb/psexec
EternalChampion | MS17-010 | auxiliary/scanner/smb/smb_ms17_010
EskimoRoll | MS14-068 / CVE-2014-6324 | auxiliary/admin/kerberos/ms14_068_kerberos_checksum
EternalRomance | MS17-010 | auxiliary/scanner/smb/smb_ms17_010
EducatedScholar | MS09-050 | auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh, auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff, exploits/windows/smb/ms09_050_smb2_negotiate_func_index
EternalSynergy | MS17-010 | auxiliary/scanner/smb/smb_ms17_010
EclipsedWing | MS08-067 | auxiliary/scanner/smb/ms08_067_check, exploits/windows/smb/ms08_067_netapi

In addition, all of the above exploits can also be pivoted to a Meterpreter session via the DoublePulsar implant.

What else can you do to protect yourselves?

If patching is still in progress or will take a little bit longer to fully implement (we get it), then there are detections for the exploits that you can implement while patching is underway. For examples of ways to implement detections, check out this blog post from Mike Scutt. Rapid7 InsightIDR, our solution for incident detection and response, has an active Threat Community with intelligence to help detect the use of these exploits and any resulting attacker behavior. You can subscribe to this threat in the community portal. For more on how threat intel works in InsightIDR, check out this 4-min Solution Short.

It is also important to stay aware of other activity on your network during the patching and hardening processes. It is easy to get distracted by the latest threats, and attackers often take advantage of defender preoccupation to achieve their own goals, which may or may not have anything to do with this latest tool leak.

What about that IIS 6 box we have on the public internet?

It is very easy for commentators to point fingers and say that anyone who has legacy or unsupported systems should just get rid of them, but we know that the reality is much more complicated. There will be legacy systems (IIS 6 and otherwise) in organizations that for whatever reason cannot just be replaced or updated. That being said, there are some serious issues with leaving systems that are vulnerable to these exploits publicly accessible. Three of the exploits (“EnglishmanDentist”, “EsteemAudit”, and “ExplodingCan”) will remain effective on EOL systems and the impacts are concerning enough that it is really not a good idea to have internet-facing vulnerable systems. If you are in this position we recommend coming up with a plan to update the system and to keep a very close eye on the development of this threat. Due to the sophistication of this tool set, if widespread exploitation starts then it will likely only be a matter of time before the system is compromised.

Should you be worried about the Equation Group?

The threat from Equation Group itself to most organizations is minimal, unless your organization has a very specific threat profile. Kaspersky's initial analysis of the group lists the countries and sectors that they have seen targeted in the past. This information can help you determine if your organization may have been targeted. While that is good news for most organizations, that doesn't mean that there is no cause for concern. These tools appear to be very sophisticated, focusing on evading security tools such as antivirus and generating little to no logging on the systems that they target. For most organizations the larger threat is that of attackers co-opting these very sophisticated and now public exploits and other post-exploitation tools and using them to achieve their own goals. This increases the threat and makes defending against, and detecting, these tools more critical. We have seen a sharp decrease in the amount of time it takes criminals to incorporate exploits into their existing operations. It will not be long before we start to see more widespread attacks using these tools.

Where should I build my underground bunker?

While this particular threat is by no means a reason to go underground, there are plenty of other reasons that you may need to hide from the world and we believe in being prepared. That being said, building your own underground bunker is a difficult and time consuming task, so we recommend that you find an existing bunker, pitch in some money with some friends, and wait for the next inevitable bunker-level catastrophe to hit, because this isn't it.

InsightVM: Analytics-driven Vulnerability Management, All The Way To The End(point)

In 2015 Rapid7 introduced the Insight platform, built to reduce the complexity inherent in security analytics. This reality was introduced first to our InsightIDR users, who now had the capabilities of a SIEM, powered by user behavior analytics (UBA) and endpoint detection. Soon we started to roll out new solutions and amplified other products with platform services, which significantly reduce the overall total cost of ownership inherent with on-premise, analytics-driven solutions. Taking advantage of the Insight platform means users can automatically scale their individual use-cases, whether incident detection or vulnerability management, to meet their particular needs.

This same platform now daily processes more than 50 billion events, and monitors millions of assets. With today's announcement, it is the first platform to unify solutions for vulnerability management, user behavior analytics (UBA), SIEM, IT log analytics, and application security.

Vulnerability Management = VM

Today Rapid7 announces the launch of InsightVM, which builds on Rapid7's award-winning vulnerability management solution, Nexpose, now fully leveraging the power of the cloud to provide live answers to security professionals' most critical questions. InsightVM's live monitoring gathers continuous data - whether via agents or agentless - so security professionals can see the risk posed by their entire network footprint, including cloud, virtual, and endpoints.

Let's dive into this more.

InsightVM automatically collects live data across your environment and uses the Insight platform for data analytics and processing to provide:

Liveboards, our live dashboards that are fully customizable, update instantly with always fresh data, and can be easily queried to focus on any use case, from sys admins to CISOs, with no need for complex scripting or waiting for data to refresh. New capabilities include cards for tracking remediation progress and accountability.

Insight Agents, a lightweight endpoint agent that minimizes network usage by taking a baseline at first install and then communicating only changes on a system to the InsightVM console and platform. InsightIDR uses the same agent, so you get a unified solution for monitoring endpoints for new vulnerabilities and attacker behavior. New capabilities include proxy and Linux support.

Remediation workflows, which let you create and track remediation duties from within InsightVM, and enable IT and Security to work closer together on fixing issues, without miscommunication and back-and-forth meetings. New capabilities include in-product integration with JIRA to automatically create tickets for new projects, and update remediation projects when tickets are closed.

A new subscription-based pricing model, licensed by the number of active assets you want to scan. This makes it easier and more cost effective for customers to purchase InsightVM, simplifies scope for deployment, and allows InsightVM to easily grow with your network.

Along with the introduction of InsightVM, we are also helping simplify and bolster Nexpose users. In the past we had several editions of Nexpose, but with this announcement we now have two effective vulnerability management solutions: InsightVM, powered by our cloud platform, and Nexpose, our on-premise solution.

Why? Well, there are a lot of reasons, primarily feedback from our customers over the years that we have been evolving our vulnerability management solution. And, this allows us to have separate product roadmaps for our dedicated on-premise offering and our cloud-powered InsightVM solution, which will make it easier to incorporate future customer feedback and deploy exciting new capabilities in both solutions!

Over the coming weeks, you'll see numerous blog posts detailing these new capabilities and how they will help our customers save time, better understand their risk, and improve their security posture. If you'd like to learn more, be sure to sign up for our webcast on the 19th, and check out the FAQ.

Rapid7: Supporting the Community at BSides Boston

One of the things I love about working at Rapid7 is how deeply this company embodies the concept of giving back to the Security Community. Whether it be discussing research on adversary analytics, attack methods for breaking out of sandboxes, or simply breaking into the industry - Rapid7 encourages its employees to actively participate in community events, both large and small. As a proponent of engaging with the Security Community, I'm very excited that my fellow employees continue to embrace giving back to the community through volunteerism, as well as presenting on interesting topics at this year's BSides Boston on April 15th.

As many are readily aware, Rapid7 is home to numerous passionate security professionals, several of whom give back personally – going well beyond all of their professional work. This year will be Patrick Laverty's third year as a member of the BSides Boston organizing committee, in addition to his other organizing roles including both the OWASP Rhode Island chapter, and the DefCon 401 (DC401) group in Providence. It has been a great pleasure working on the organizing committee this year with Patrick.

At this year's conference Patrick and I will be joined by several Rapid7 presenters who were fortunate enough to be selected to speak at the conference, including Bob Rudis, Kirk Hayes, and Justin Pagano.

Bob Rudis (@hrbmstr) will be giving a presentation titled Heisenberg Cloud: At-Scale Cross-Cloud Adversary Analytics. Bob will be talking about the research conducted from Rapid7's Heisenberg honeypot program. He'll also be showing specific attack and connection profiles for the Mirai botnet. It will be a deep dive into the frequency and flavor of attacks across every region in six major cloud providers.

Kirk Hayes (@l0gan) is fresh off giving presentations at DerbyCon and BlackHat regarding his “MyBFF” tool, and now in Boston he'll talk about methods he uses to break out of sandboxed environments. We may feel as though having the sandbox is keeping our users secure, but Kirk shows that it may just be a false sense of security. Find out how in Escaping Alcatraz: Breaking out of Application Sandboxed Environments.

Justin Pagano (@jp4gs) will be speaking on the “Breaking Into InfoSec” panel. As the Security Operations and Engineering Manager at Rapid7, Justin will be sharing tips, suggestions, and ideas on how to start your career in Information Security – whether you're changing careers, or just starting out.

In addition to moderating the “Breaking into InfoSec” panel, I have taken up the role of Volunteer Coordinator and Student Advocate on this year's BSides Boston Organizing Committee. This will be my second year as a volunteer at the conference, and I look forward to sharing my passion for helping others learn about information security in person. I'm fortunate to work for a company that encourages me to contribute to the community - they have been especially supportive of my recent work, the InfoSec Mentors Project.

Security BSides is an international, non-profit organization that hosts security conferences all around the world. The focus of BSides is to be a low-cost way to get people in the security community talking to each other and sharing what they know. This year's BSides Boston conference will have four tracks, and is recording many of the presentations – so if you can't make it on April 15th, you can check out the content at a later date!

Rapid7 is a proud sponsor of BSides Boston and several other Security BSides events.

Featured Research

National Exposure Index 2017

The National Exposure Index is an exploration of data derived from Project Sonar, Rapid7's security research project that gains insights into global exposure to common vulnerabilities through internet-wide surveys.

Upcoming Event

UNITED 2017

Rapid7's annual security summit is taking place September 12-14, 2017 in Boston, MA. Join industry peers for candid talks, focused trainings, and roundtable discussions that accelerate innovation, reduce risk, and advance your business.

Podcast

Security Nation

Security Nation is a podcast dedicated to covering all things infosec – from what's making headlines to practical tips for organizations looking to improve their own security programs. Host Kyle Flaherty has been knee-deep in the security sector for nearly two decades. At Rapid7 he leads a solutions-focused team with the mission of helping security professionals do their jobs.