Rapid7 Blog

Introducing RubySMB: The Protocol Library Nobody Else Wanted To Write

The Server Message Block (SMB) protocol family is arguably one of the most important network protocols to be conversant in as a security professional. It carries the capability for File and Print Sharing, remote process execution, and an entire system of Named Pipes that serve as access points to any number of services running on a machine, such as Microsoft SQL Server. Users of Metasploit will know SMB as the protocol used for PSExec, a remote code execution module that can turn any Administrator credentials into a session on the box. It is also the protocol that has played host to several of the most high-profile vulnerabilities, such as MS08-067 (the vulnerability used by the Conficker Worm), and MS03-039 (the vulnerability used by the Blaster Worm).

Additionally, the File and Print Sharing services mean that SMB is the default means of sharing files in a Windows environment. Whenever you create a "network share" in Windows, it is being served up over SMB. I can tell you, from personal experience, that network shares are a gold mine during a penetration test.

Now, armed with some understanding of why this protocol is so important, we must dive into how Metasploit handles SMB. Metasploit's current "implementation" of SMB has been an ad hoc reverse-engineered effort that started small and was added to with each major SMB vulnerability we wrote modules to target, which turned out to be rather a lot. The implementation is extremely rough, and only supports SMB1. There are some very good reasons why this is the case.

SMB is complex

SMB, by its very nature, is complex. It is a binary protocol, as opposed to a text protocol such as HTTP, and is only readable by computers that have been trained to do so. It also has a wide array of capabilities, some of which are interdependent upon each other.

Earlier I called SMB a protocol family, and that's because it is not really just one protocol, nor is it a group of protocols operating at various layers as is the case with something like RDP. It is a Frankenstein's Monster of efforts by different groups including IBM, Intel, 3COM, and Microsoft. The formative years of SMB were not governed by a single driving design, and it can be seen in the protocol. What's worse is that for a long time there was no available developer documentation for the protocol specification. Anecdotally, I have heard the story that Microsoft themselves had lost any documentation on the spec, and had to reverse engineer the protocol to provide said documentation.

This left Metasploit developers and contributors in the position of only being able to look at packet captures to reproduce what they see going on.

The rise of SMB2 and SMB3 and the decline of Metasploit's SMB

After years of dealing with SMB/CIFS, Microsoft finally designed a new protocol, SMB2. They rolled this out for the first time in Windows Vista, and it has since become standard in every Windows OS. SMB2 is a more elegant and more streamlined version of the SMB protocol. Unfortunately, none of Metasploit's existing code supported the new protocol. For a while this was fine, as SMB1 was still enabled by default in the Windows OSes. Over the past few years, however, it has become an increasingly common practice to disable SMB1 and only allow SMB2.

This change meant that Metasploit could no longer talk to those boxes. Modules from information gathering, to brute forcing, to exploits all suddenly became ineffective against these boxes. On top of this, Metasploit's ad hoc implementation of SMB1/CIFS had become very recognizable due to its particular idiosyncrasies. IDS/IPS vendors began to differentiate between Metasploit's SMB traffic and that of a legitimate SMB client. All of this culminated in our SMB support becoming less and less useful as time went on.

RubySMB to the rescue

We on the Metasploit team knew something had to be done about our aging SMB code. We weighed several options, including trying to clean up the existing code. In the end, we decided to create a new library from scratch. This new library would support both SMB1/CIFS as well as SMB2, and be designed with an eye to coming back and adding the even newer SMB3.

We are pleased to announce that not only have we been working on this new RubySMB gem, but that we have hit the first milestone in its development. The RubySMB Gem can do full client authentication to a remote server. It can communicate over SMB1 or SMB2, and does multi-protocol negotiation so that it can find the correct dialect to speak, invisibly to the user. It handles Extended Security mode for the old SMB1, and can handle security signing for both versions of the protocol.

The gem has also been integrated into Metasploit Framework for the first time. We recently added a new version of the SMB Bruteforce, auxiliary/scanner/smb/smb2_login. This version of the SMB LoginScanner module behaves essentially like the original, except that it seamlessly handles both versions of the protocol, and security signing, all without any user configuration. It currently does not support the admin privilege check, which is why it has not replaced the original smb_login module.

This represents Metasploit's first steps into future-proofing our support for the SMB protocol family.

The Future of RubySMB

We still have a lot of work to do on the RubySMB project, and a lot of important milestones to hit. In the short term, we are shooting for the following goals:

In the Gem:
- Support for Listing, Reading, and Writing Files
- Support for named pipes
- Simple SMB File Share Server

In Framework:
- Converting the smb_version information gathering module to use the new gem
- Converting PSExec to use the new gem
- Building in support for the simple file server that will allow modules to define resources on the server and set callbacks for when something requests those resources, much like how the Rex HTTPServer works today
- Looking at adding SMB Named Pipe transports for Meterpreter payloads

In the longer term we have several other goals we hope to accomplish with this project:
- Adding support for SMB3
- Adding SMB3 protocol level encryption (potential IDS/IPS evasion capabilities)
- Beginning work on a similar project for DCERPC to integrate with this gem

Creating protocol libraries at this level is not a simple or easy task, but the results will be rewarding for all members of the Metasploit Community. We will be able to not only update compatibility for our existing SMB-based features, but begin expanding those capabilities. If you are interested in joining in on this effort, please check out our starting wiki page for the project.

- David "thelightcosine" Maloney
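As an added example (not code from the RubySMB gem or Metasploit), here is the multi-protocol negotiation described above at the byte level: the SMB1 NEGOTIATE request that offers both SMB1 and SMB2 dialects, and a parser that accepts either flavour of reply and reports the dialect the server chose and whether message signing is enabled or required. Packet layouts follow MS-CIFS and MS-SMB2; the two server responses are constructed samples, not captures.

```ruby
# Added example, not code from the RubySMB gem: build the SMB1 NEGOTIATE
# request that drives multi-protocol negotiation and parse whichever reply
# comes back, SMB1 (0xFF "SMB") or SMB2 (0xFE "SMB"), reporting the dialect
# the server chose and whether it enables or requires message signing.

SMB1_MAGIC     = "\xFFSMB".b
SMB2_MAGIC     = "\xFESMB".b
SMB1_NEGOTIATE = 0x72
SMB2_NEGOTIATE = 0x0000

# Offering "SMB 2.???" inside an SMB1 negotiate is what lets an SMB2-capable
# server answer with an SMB2 NEGOTIATE response instead of an SMB1 one.
MULTI_PROTOCOL_DIALECTS = ["NT LM 0.12", "SMB 2.002", "SMB 2.???"].freeze

SMB2_DIALECT_NAMES = { 0x0202 => "SMB 2.0.2", 0x0210 => "SMB 2.1",
                       0x0300 => "SMB 3.0",   0x0302 => "SMB 3.0.2",
                       0x0311 => "SMB 3.1.1" }.freeze

# 32-byte SMB1 header: magic, command, status, flags, flags2, PIDHigh,
# SecurityFeatures, reserved, TID, PIDLow, UID, MID. Flags2 0xC853 includes
# SMB_FLAGS2_EXTENDED_SECURITY (0x0800), so the server may answer with SPNEGO.
def smb1_header(command, flags, mid)
  [SMB1_MAGIC, command, 0, flags, 0xC853, 0, "\x00" * 8, 0, 0, 0, 0, mid]
    .pack("a4CVCvva8vvvvv")
end

# NEGOTIATE body: WordCount 0, ByteCount, then each dialect as a 0x02 byte
# followed by a NUL-terminated string.
def build_smb1_negotiate_request(dialects = MULTI_PROTOCOL_DIALECTS, mid: 1)
  dialect_bytes = dialects.map { |d| "\x02".b + d.b + "\x00".b }.join
  smb1_header(SMB1_NEGOTIATE, 0x18, mid) +
    [0, dialect_bytes.bytesize].pack("Cv") + dialect_bytes
end

def parse_negotiate_response(data)
  data = data.b
  case data[0, 4]
  when SMB2_MAGIC then parse_smb2_negotiate(data)
  when SMB1_MAGIC then parse_smb1_negotiate(data)
  else raise ArgumentError, "not an SMB packet"
  end
end

# SMB2: 64-byte header with the command at offset 12; the NEGOTIATE response
# body starts with StructureSize (65), SecurityMode and DialectRevision.
def parse_smb2_negotiate(data)
  command = data[12, 2].unpack1("v")
  raise ArgumentError, "not an SMB2 NEGOTIATE response" unless command == SMB2_NEGOTIATE
  structure_size, security_mode, dialect = data[64, 6].unpack("vvv")
  raise ArgumentError, "bad SMB2 NEGOTIATE body" unless structure_size == 65
  { protocol: :smb2,
    dialect: SMB2_DIALECT_NAMES.fetch(dialect) { format("0x%04x", dialect) },
    signing_enabled:  (security_mode & 0x01) != 0,
    signing_required: (security_mode & 0x02) != 0 }
end

# SMB1: after the 32-byte header, WordCount 17 marks the NT LM 0.12 layout:
# DialectIndex, SecurityMode (bit 2 signing enabled, bit 3 required), ...,
# Capabilities at body offset 20 (CAP_EXTENDED_SECURITY = 0x80000000).
def parse_smb1_negotiate(data)
  raise ArgumentError, "not an SMB1 NEGOTIATE response" unless data[4].ord == SMB1_NEGOTIATE
  body = data[32..-1]
  word_count, dialect_index, security_mode = body.unpack("CvC")
  raise ArgumentError, "unexpected SMB1 NEGOTIATE layout" unless word_count == 17
  capabilities = body[20, 4].unpack1("V")
  { protocol: :smb1,
    dialect: dialect_index,
    signing_enabled:   (security_mode & 0x04) != 0,
    signing_required:  (security_mode & 0x08) != 0,
    extended_security: (capabilities & 0x8000_0000) != 0 }
end

# Constructed (not captured) SMB2 reply: dialect 0x0210, SecurityMode 0x03
# (signing enabled and required). Header flag 0x01 = server-to-client.
def sample_smb2_response
  header = [SMB2_MAGIC, 64, 0, 0, SMB2_NEGOTIATE, 1, 0x01, 0, 0, 0, 0, 0, "\x00" * 16]
             .pack("a4vvVvvVVQ<VVQ<a16")
  body = [65, 0x03, 0x0210, 0, "\x00" * 16, 0, 0x800000, 0x800000, 0x800000,
          0, 0, 128, 0, 0].pack("vvvva16VVVVQ<Q<vvV")
  header + body
end

# Constructed SMB1 reply: DialectIndex 0 (first offered dialect), SecurityMode
# 0x07 (user-level, encrypted passwords, signing enabled but not required),
# Capabilities with CAP_EXTENDED_SECURITY set.
def sample_smb1_response
  words = [0, 0x07, 50, 1, 16644, 65536, 0, 0x8000_80FD, 0, 0, 0].pack("vCvvVVVVQ<vC")
  smb1_header(SMB1_NEGOTIATE, 0x98, 1) + [17].pack("C") + words + [0].pack("v")
end

if $PROGRAM_NAME == __FILE__
  p parse_negotiate_response(sample_smb2_response)
  p parse_negotiate_response(sample_smb1_response)
end
```

A client that sends the request above to TCP port 445 and feeds the reply to parse_negotiate_response learns, before any authentication, whether the server will insist on signed messages.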

Metasploit Framework Open Source Installers

Rapid7 has long supplied universal Metasploit installers for Linux and Windows. These installers contain both the open source Metasploit Framework as well as commercial extensions, which include a graphical user interface, metamodules, wizards, social engineering tools and integration with other Rapid7 tools. While these features are very useful, we recognized that they are not for everyone. According to our recent survey of Metasploit Community users, most only used it for the open source components, preferring to use the command-line tools over the graphical ones. Also, while we do our best to ensure that Metasploit Community and Pro releases are of high quality, they are not always supplied with the latest hot new exploits and payloads available in Metasploit Framework. While it has always been possible to simply set up a development environment and run the latest metasploit-framework code from github directly, it can still be tricky to set up and keep up to date. Kali Linux 2.0 now publishes the open source pieces of Metasploit Framework with its distribution, but the release schedule still follows that of the Metasploit Community / Pro editions, and it of course does not necessarily help those who prefer other operating systems.

To address the needs of open source enthusiasts, those needing more frequent updates, or those simply looking for an easy way to set up a database for Metasploit Framework development use, we have created Open Source installers for Metasploit Framework for Windows, OS X and Linux x86 and x86-64 platforms. These installers utilize the Omnibus tool from Chef in order to package everything needed to run Metasploit Framework, from dependent libraries and specific Ruby versions up to a built-in PostgreSQL database. The installers are easy to install and get up and running in seconds. They are also built and tested automatically each night, so you can always run 'msfupdate' and get the latest exploits and payloads without having to set up a development environment. The installers also integrate with your OS's native package manager, be it RPM or DEB-based on Linux, MSI for Windows or PKG for OS X. That makes them easy to uninstall as well.

For information about how to install and use these new packages, see our wiki page on the Metasploit Framework github project. The installers themselves are also open source, so if you see a problem, pull requests or issue reports are very welcome! Note that in addition to these Metasploit-specific installers, there are other ways to get Metasploit Framework, such as through Dave Kennedy's PenTester Framework or even pre-installed in Kali Linux. The Metasploit Framework omnibus installers provide another way to get the open source Metasploit Framework running on a variety of platforms quickly and easily.

12 Days of HaXmas: Metasploit, Nexpose, Sonar, and Recog

This post is the tenth in a series, 12 Days of HaXmas, where we take a look at some of the more notable advancements and events in the Metasploit Framework over the course of 2014.

The Metasploit Framework uses operating system and service fingerprints for automatic target selection and asset identification. This blog post describes a major overhaul of the fingerprinting backend within Metasploit and how you can extend it by submitting new fingerprints.

Historically, Metasploit wasn't great at fingerprinting. Shortly after the Rapid7 acquisition, we added an internal fingerprinting system to the framework, but we still depended on imports from Nexpose, Nmap, and other external tools to obtain comprehensive results. The only areas where fingerprint coverage was passable were the SMB, HTTP, and web browser rules, since many modules depended on these for automatic configuration. Metasploit has the ability to import data from dozens of external sources, including web application scanners, vulnerability scanners, and even raw PCAP files. Normalizing all of this data was a challenge, and the fingerprinting backend had the job of squashing conflicting OS and service names into something that modules could easily understand.

By mid-2013, Metasploit's fingerprints were getting stale and the ruleset was becoming more tangled than ever. Changing one fingerprint required carefully reviewing all of the code paths where a conflicting rule might override the resulting value. New operating systems and services were released and the backend simply wasn't keeping up. For our Metasploit Pro customers, this was less of an issue due to the direct integration with Nexpose and Nmap, but we needed a fresh approach all the same.

Earlier in 2013, my team was looking at whether we could improve our products using existing internet-wide scan data. Our first project involved an overhaul of the Nexpose SNMP fingerprints by leveraging the Critical.IO dataset. Nexpose fingerprints are stored as a series of regular expressions within XML files. These fingerprints were easy to read, write, and test. Over the course of a week we were able to expand Nexpose's SNMP system description fingerprints to cover approximately 85% of the devices found on the internet by the Critical.IO SNMP scan. This was a quick win and made it clear that we should be looking at internet scan data as a primary source of new fingerprints.

In 2014, we took the same approach using the Project Sonar data to add fingerprints for popular HTTP services. Our approach was to sort the raw scan data by frequency, determine which fingerprints would cover the largest number of systems, and then sit down and write those fingerprints. This work improved fingerprint accuracy for our Nexpose customers and provided an opportunity to do targeted vulnerability research on the most widely exposed devices and services. The issues with the Metasploit fingerprints remained, but a plan was starting to come together.

First, we had to get sign-off to open source the Nexpose fingerprint database. Next, we had to write some wrapper code that made interfacing with and testing these fingerprints quick and painless. Finally, we had to rip out the existing Metasploit fingerprinting engine, normalize the entire framework to use the new fingerprints, and add some glue code to map Nexpose conventions to what Metasploit expected. This required a major effort across the Nexpose, Metasploit, and Labs teams and took the better part of five months to finally deliver.

The result was Recog, an open source recognition framework. Recog is now the upstream for both Nexpose and Metasploit fingerprints. We will continue to leverage Project Sonar to add and improve fingerprints, but even better, our customers and open source users can now submit new fingerprints of their own. Recog is available under a BSD 2-Clause license and can be used within your own projects, open source or otherwise, and although the test framework is written in Ruby, the XML fingerprints are easy to process in just about every language.

Metasploit users benefit through consistent formatting of third-party data imports, better fingerprinting when using scanner modules, and support for targeting newer operating systems and web browsers. Nexpose users will continue to see improvements to fingerprinting, with several major leaps in coverage as Project Sonar progresses. Metasploit contributors can take advantage of the new fingerprint.match note type to provide fingerprint suggestions to the new matching engine. If you are interested in the mechanics of how Metasploit interfaces with Recog, take a look at the OS normalization code in MDM.

Recog is a great example of Rapid7's commitment to open source and our desire to collaborate with the greater information security community. Although writing fingerprints isn't the most exciting task, accurate fingerprints are a requirement for reliable vulnerability assessments and successful penetration tests. If you are looking for a chance to contribute to Metasploit, or simply want better fingerprinting for systems within your own network, please consider submitting updates to Recog. Feel free to drop by the #metasploit channel on the Freenode IRC network if you would like to chat with the development team. If you have a new fingerprint but don't feel comfortable sending a pull request, feel free to file an Issue in the Recog repository on Github instead.

-HD
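An added example, not Recog's own code, showing how little it takes to consume fingerprints in this layout from another language or tool: it parses a constructed fingerprint file in the Recog XML form (a regex pattern, an example banner the pattern must match, and param entries that either set a fixed value or copy a capture group), matches banners against it, and runs the same example self-check that Recog's test suite performs. The fingerprints and banners are constructed for the demo.

```ruby
# Added example (not Recog's own code): a minimal matcher for the Recog XML
# fingerprint layout, run against a few constructed HTTP Server banners.
require "rexml/document"

# Constructed fingerprint file in the Recog layout: each <fingerprint> has a
# regex pattern, an <example> the pattern must match, and <param> elements
# that set fixed values (pos="0") or copy capture groups (pos="N").
SAMPLE_FINGERPRINTS_XML = <<~XML
  <fingerprints matches="http_header.server">
    <fingerprint pattern="^Apache/(\\d+\\.\\d+\\.\\d+)$">
      <description>Apache httpd with version</description>
      <example>Apache/2.4.7</example>
      <param pos="0" name="service.vendor" value="Apache"/>
      <param pos="0" name="service.product" value="HTTPD"/>
      <param pos="1" name="service.version"/>
    </fingerprint>
    <fingerprint pattern="^nginx/(\\d+\\.\\d+\\.\\d+)$">
      <description>nginx with version</description>
      <example>nginx/1.4.6</example>
      <param pos="0" name="service.vendor" value="nginx"/>
      <param pos="0" name="service.product" value="nginx"/>
      <param pos="1" name="service.version"/>
    </fingerprint>
  </fingerprints>
XML

Fingerprint = Struct.new(:regex, :description, :example, :params)

# Parse the XML into fingerprint records; each regex is compiled once.
def load_fingerprints(xml)
  doc = REXML::Document.new(xml)
  doc.elements.to_a("fingerprints/fingerprint").map do |fp|
    params = fp.elements.to_a("param").map do |p|
      { pos: p.attributes["pos"].to_i, name: p.attributes["name"], value: p.attributes["value"] }
    end
    Fingerprint.new(Regexp.new(fp.attributes["pattern"]),
                    fp.elements["description"]&.text,
                    fp.elements["example"]&.text, params)
  end
end

# Return the first fingerprint whose regex matches the banner, expanded into
# a hash of attribute names, or nil when nothing matches.
def match_banner(fingerprints, banner)
  fingerprints.each do |fp|
    m = fp.regex.match(banner)
    next unless m
    result = { "matched" => fp.description }
    fp.params.each do |param|
      result[param[:name]] = param[:pos].zero? ? param[:value] : m[param[:pos]]
    end
    return result
  end
  nil
end

# Self-test in the spirit of Recog's test framework: every fingerprint must
# match its own <example> banner. Returns the descriptions that fail.
def verify_examples(fingerprints)
  fingerprints.reject { |fp| fp.example && fp.regex.match?(fp.example) }.map(&:description)
end

if $PROGRAM_NAME == __FILE__
  fps = load_fingerprints(SAMPLE_FINGERPRINTS_XML)
  ["Apache/2.4.7", "nginx/1.4.6", "Microsoft-IIS/7.5"].each { |b| p match_banner(fps, b) }
  p verify_examples(fps)
end
```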

12 Days of HaXmas: Metasploit Yearly Wrapup

This post is the seventh in a series, 12 Days of HaXmas, where we take a look at some of the more notable advancements and events in the Metasploit Framework over the course of 2014. Since today happens to be the last day of the year, let's take a moment to reflect on another year of amazing Metasploit exploit development, and see what we've all been up to over the course of 2014. Of course, when I say "we," I really do mean all of us -- if you're reading this blog, more likely than not, you're part of the Metasploit open source community. Thanks so much for your continued commitment to the principles of openness and disclosure that make Metasploit such a powerful force for Internet security today. It's a humbling and massively rewarding experience to be a part of this.

Loads of new modules

Judging by last year's screenshot, Metasploit Framework picked up 135 new exploits, 99 new auxiliary modules, 25 new post modules, and 32 new payloads, for a total of 291 new modules landed to the framework. If you haven't used Metasploit in a while, you might want to check in on your favorite software packages over at the Rapid7 Vulnerability Database to see if you're running anything that's at risk.

Loads of commits in general

We also saw 7,627 commits across the entire code base for the year, which is a stupendous show of effort for the two hundred or so contributors that landed at least one commit that made it into the Metasploit Framework master branch. In fact, the top 25 committers of 2014, by non-merge commit count, were:

Name/Alias       Commit Count
jvazquez-r7      1095
limhoff-r7       481
wchen-r7         374
Meatballs1       373
dmaloney-r7      343
todb-r7          297
joev-r7          272
jhart-r7         236
wvu-r7           223
jlee-r7          219
hmoore-r7        134
zeroSteiner      121
FireFart         100
OJ               78
brandonprry      73
m-1-k-3          57
kernelsmith      52
TomSellers       51
lsanchez-r7      45
Pedro Ribeiro    42
David Bloom      40
xistence         32
us3r777          29
trosen-r7        29
shuckins-r7      27

While it's fairly expected that the people who are paid by Rapid7 will tend to have quite a few commits, you'll notice that just about half of the top 25'ers here don't work at Rapid7. (Yes, OJ did work on Meterpreter full time for a little while in 2014, so let's count him for both.) Exceedingly few open source projects get the kind of support we enjoy, so please take a moment to thank (or blame) these people: 0a2940, agix, Ahmed Elhady Mohamed, Alton Johnson, Andrew Morris, AnwarMohamed, Arnaud SOULLIE, attackdebris, b00stfr3ak, bcoles, bcook-r7, bmerinofe, Borja Merino, brandonprry, Bruno Morisson, bturner-r7, bwall, byt3bl33d3r, cdoughty-r7, Cenk Kalpakoglu, Chris Hebert, Christopher Truncer, coma, cx, Daniel Miller, David Bloom, David Chan, David Maciejak, dheiland-r7, dmaloney-r7, DrDinosaur, dukeBarman, dummys, EgiX, Emilio Pinna, Ethan Robish, Etienne Stalmans, Fabian Bräunlein, farias-r7, Fatih Ozavci, Fernando Munoz, FireFart, Florian Gaultier, floyd, Fr330wn4g3, g0tmi1k, Gabor Seljan, Gary Blosser, gigstorm, grimmlin, HackSys Team, hmoore-r7, ikkini, inkrypto, inokii, Iquaba, j0hnf, Jakob Lell, Jakub Nawalaniec, jakxx, Jay Smith, Jeff Jarmoc, jgor, jhart-r7, jiuweigui, jlee-r7, joe, joev-r7, John Sawyer, Jonas Vestberg, Jonathan Claudius, Jon Cave, JoseMi, Josh Abraham, Jovany Leandro G.C, Juan Escobar, julianvilas, Julian Vilas, Julio Auto, jvazquez-r7, kaospunk, Karmanovskii, Karn Ganeshen, kenkeiras, Ken Smith, kernelsmith, kicks4kittens, kn0, Kurt Grutzmacher, kyuzo, limhoff-r7, linuxchuck, lsanchez-r7, Lutz Wolf, m-1-k-3, Marc Wickenden, Mark Judice, Martin Vigo, Matias P. Brutti, Matt Andreko, Matteo Cantoni, Matthew Kienow, mbuck-r7, Meatballs1, Mekanismen, mercd, mfadzilr, midnitesnake, Miroslav Stampar, mschloesser-r7, mubix, mvdevnull, navs, Nicholas Nam, Niel Nielsen, Nikita, nnam, nodeofgithub, nstarke, nullbind, oj, parzamendi-r7, Pedro Laguna, Pedro Ribeiro, peregrino, Peregrino Gris, Peter Marszalik, Philip OKeefe, pyoor, RageLtMan, Ramon de C Valle, RangerCha, Rasta Mouse, ribeirux, Rich Lundeen, Rich Whitcroft, Rick Farina (Zero_Chaos), Roberto Soares Espreto, root, Royce Davis, rsmudge, Russell Sim, Sagi Shahar, Sam, Samuel, sappirate, Sascha Schirra, schierlm, scriptjunkie, Sean Verity, Sebastiano Di Paola, sgabe, shellster, sho-luv, shuckins-r7, silascutler, Silas Cutler, singe, spdfire, staaldraad, tate, TecR0c, Thanat0s, Thomas Ring, Tiago Sintra, Timothy Swartz, timwr, todb-r7, TomSellers, Tonimir Kisasondi, Trenton Ivey, trosen-r7, us3r777, Victor, Vincent Herbulot, wchen-r7, wez3, Wiesław Kielas, wvu-r7, xard4s, xistence, Your Name, zeroSteiner, and Zinterax.

Outstanding work, all!

Weekly Wrapup

Oh, and since this post doubles as the weekly wrap-up, here are the new modules landed to Framework since the last release (commit 067bda4). Metasploit community contributor Borja Merino is clearly up to no good with the combination of his freshly-landed Windows outbound firewall rules checking post module and his port-knocking enabling shellcode. Port knocking is one of those super fun things to do to be extra-stealthy with your listening shells so they don't get picked up by network scanners like Project Sonar. Thanks Borja!

Exploit modules
- Desktop Linux Password Stealer and Privilege Escalation by Jakob Lell
- ProjectSend Arbitrary File Upload by Brendan Coles and Fady Mohammed Osman
- i-FTP Schedule Buffer Overflow by Gabor Seljan and metacom exploits OSVDB-114279

Auxiliary and post modules
- MS14-068 Microsoft Kerberos Checksum Validation Vulnerability by juan vazquez, Sylvain Monne, and Tom Maddock exploits CVE-2014-6324
- Android Browser "Open in New Tab" Cookie Theft by joev and Rafay Baloch
- Windows Outbound-Filtering Rules by Borja Merino

Metasploit Weekly Update: On Breaking (and Fixing!) Security Software

Attacking Security Infrastructure

This week, one module stands out for me: the Symantec Endpoint Protection Manager Remote Command Execution by xistence, who built on the proof-of-concept code from Chris Graham, who turned that out after Stefan Viehbock's disclosure from last week. You can read the full disclosure text from SEC Consult Vulnerability Lab, and get an idea of the scope of this thing. But here's the TL;DR: attackers who can communicate with Symantec's Endpoint Protection Manager can turn this central management server into a command-and-control node of an entirely co-opted botnet. Pretty good find for an on-site penetration tester... or a disgruntled employee.

Obviously, this is kind of a big deal, and while I don't want to beat up on Symantec (too much), this is the kind of catastrophic failure condition that makes people (rightfully) sketchy about their add-on security infrastructure. This is not just a story about a security vulnerability in some server-side component; it's a story about a security vulnerability in a product designed to manage the security posture of an organization.

On top of this, the vulnerability disclosure happened to be released over RSA week. You can be sure there was much schadenfreude to be had on the expo floor.

As a handler of vulnerability data, I'm also really digging this module's backstory, since it highlights the effectiveness of reasonable disclosure. Kudos to SEC Consult for disclosing this to Symantec back in December, and kudos to Symantec for not doing too much foot-dragging on getting a fix out in a reasonable amount of time. While the effects of the vulnerabilities in question are pretty much total disaster, this is a story with a happy ending: the vulnerability was uncovered, reported to the vendor and various CERTs, a fix was released, and a Metasploit module showed up to validate the fixes, all in the space of a little more than two months.

Oh, and if it's not obvious to you by now: if you have this product in your environment, you need to patch this thing YESTERDAY.

Contributing to Security Infrastructure

In Metasploit development news, we just refreshed our own CONTRIBUTING.md file for (as you might expect) Metasploit Contributors. I don't remember the last time we were below 60 outstanding pull requests, which kind of sucks. We generate more than our share of sore feelings about leaving some pull requests out there to rot, and that troubles me, personally, a lot. Like, a lot a lot. With this update from William Vu, we've laid down some mostly common sense advice for folks who want to contribute meaningfully to the Metasploit Framework.

These "rules" are absolutely not set in stone. They may be crazy stupid and overly fascist. All we are trying to do here is to set up you, the open source security practitioner, for a pleasant experience with our backlog and ultimately a successful contribution.

However, if this misses the mark, then by Shuckins' beard, let us know how we can improve. Turns out, the best part of encoding our rulesy desires in CONTRIBUTING.md is that suggestions for changes are but a Pull Request away; so if you want to see something changed in that policy doc, change it how you'd like to see it and we can talk about it on the PR issue.

It's like democracy, but with forks and branches and pulls and stuff. I kinda wish real-world legislation worked this way.

Metasploit at RootedCon

If you happen to be in the vicinity of Madrid, and, you know, didn't have any plans, you should swing by RootedCon and see Metasploit's own Juan Vazquez and Julian Villas kick the stuffing out of some SCADA gear. Really, you should go, even if you already had something else planned. I hear that @corelanc0d3r is giving his mighty training at RootedCon as well, which is chock full of revealed wisdom about Metasploit exploit dev. I'm jealous.

New Modules

This week's release has five new modules, including the lolsy Symantec issue mentioned above.

Exploit modules
- Symantec Endpoint Protection Manager Remote Command Execution by Chris Graham, Stefan Viehbock, and xistence exploits CVE-2013-5015
- Total Video Player 1.3.1 (Settings.ini) - SEH Buffer Overflow by Fr330wn4g3 and Mike Czumak exploits OSVDB-100619
- GE Proficy CIMPLICITY gefebt.exe Remote Code Execution by juan vazquez, Z0mb1E, and amisto0x07 exploits ZDI-14-015

Auxiliary and post modules
- Linksys WRT120N tmUnblock Stack Buffer Overflow by Craig Heffner and Michael Messner exploits OSVDB-103521
- Apache Commons FileUpload and Apache Tomcat DoS by Unknown and ribeirux exploits CVE-2014-0050

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows, either the totally free Metasploit Community Edition, or the 7-day free trial of Metasploit Pro. If you're the sort to track bleeding-edge development code, then these modules are but an msfupdate command away. For readers who are already using Metasploit Community or Metasploit Pro, you'll be able to install the new hotness today via the Administration : Software Updates button.

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

Weekly Update: OpSec in Open Source Projects

The weekly Metasploit update is out, and I wanted to highlight three modules that landed in the last week, all of which target open source software. It's easy to drink the FOSS Kool-Aid, and talk about how it's more inherently secure than secret source software, but sadly, security is Hard Work, even in happy-hippie open source land.

OpenX Backdoored

First, a little background -- Heise Security reported that the OpenX open source ad server got itself backdoored on August 6, and this was quickly confirmed by a post on the OpenX Blog. If you happen to use this software, you'll want to update to at least version 2.8.11 pretty much right now.

If you don't, well, then your friendly neighborhood penetration tester would like to have a word with you, and that word will likely take the form of James @egyp7 Lee's new Metasploit module, OpenX Backdoor PHP Code Execution, which leverages the existing backdoor functionality to execute arbitrary commands.

As of today, nobody knows (or nobody's saying) how and exactly when OpenX got backdoored. Since it's an open source project, it seems unlikely that it would have been backdoored by an OpenX.com employee, but more likely by an evil contributor (or someone impersonating an evil contributor).

This is why, really, I'm bringing up the OpenX compromise. Open source is great and all, but it's not magical. We spend a pretty decent amount of energy ensuring that contributions to Metasploit are not malicious, and we try to get to know pretty much everyone who's contributed more than once or twice. I know of a handful of sketchy pull requests that we've had to reject (binary-only ASM payloads leap to mind), and everyone who has commit access to the main Metasploit repository is very conscious of this trusted-outsider threat.

So, if you're involved in an open source project, or use open source software, feel free to peek in on the codebase from time to time; open source is a two way street, and to invoke Eric S. Raymond, more eyeballs not only mean shallower bugs, but also tend toward higher source security.

Speaking of (not) Backdooring Metasploit...

This week, we have a new exploit that maintainers of Rails applications should take note of: joernchen's new exploit, Ruby on Rails Known Secret Session Cookie Remote Code Execution. Before anyone asks, yes, Metasploit Pro (and every other Rails app on Earth) is technically vulnerable. However, Metasploit (and all those other Rails apps) are only vulnerable if the attacker has insider knowledge already. It's similar to the idea that SSH servers are vulnerable to attack if the attacker already has an authorized private key. Allow me to elaborate.

For joernchen's exploit to be successful, the attacker needs to already know the secret token that Rails uses to authenticate session cookies. Normally, of course, this token isn't exposed, since it's called "secret" for a reason. However, if an attacker does manage to learn the secret (often through sloppy source control), then he can not only impersonate other users (already bad), but bake a "poisonous cookie" full of executable Ruby code (way worse).

Unfortunately, most source control systems aren't smart enough by default to avoid checking in secret tokens. As an application developer, you need to go out of your way to avoid it... so much for secure by design?

For more on Rails secret tokens, Robert Heaton's blog post is about the best reference I know about right now. In the meantime, if you happen across an internal or cloud-based source control repository for a Rails application during a pen-testing engagement, this module is a super handy way to demonstrate the risk inherent in source tracking secrets like this. If you've already accidentally checked in your application's secret (and it's more likely than you might think), you will want to change it now (and fail to check it back in).
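To make concrete why the secret is the whole story, here is an added example (not Metasploit, Rails or joernchen's code) that reimplements the legacy Rails signed-cookie layout with JSON in place of Marshal. The secrets and session values are constructed for the demo; the demo function shows a cookie minted under a known secret verifying as whatever it claims, a tampered cookie failing, and everything signed under the old secret failing once the secret is rotated.

```ruby
# Added example, not Metasploit, Rails or joernchen's code: the legacy Rails
# signed-cookie layout "<base64 payload>--<HMAC-SHA1 hex digest>", keyed with
# the application secret. The payload is JSON here; Rails itself Marshal-dumped
# the session hash, which is what turns a leaked secret into code execution
# rather than "only" impersonation.
require "json"
require "openssl"

# Constructed secrets for the demo; a real secret_token is a long random hex string.
OLD_SECRET = "constructed-secret-that-was-checked-into-git".freeze
NEW_SECRET = "constructed-replacement-secret-after-rotation".freeze

def generate_digest(secret, data)
  OpenSSL::HMAC.hexdigest("SHA1", secret, data)
end

# Serialize the session, base64 it, and append its HMAC under the secret.
def sign_session(session, secret)
  data = [JSON.generate(session)].pack("m0")
  "#{data}--#{generate_digest(secret, data)}"
end

# Constant-time comparison so the verifier does not leak digest bytes by timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Return the session hash if the cookie verifies under this secret, else nil
# (tampered payload, wrong secret, or malformed cookie).
def verify_session(cookie, secret)
  data, digest = cookie.split("--", 2)
  return nil if data.nil? || digest.nil?
  return nil unless secure_compare(generate_digest(secret, data), digest)
  JSON.parse(data.unpack1("m0"))
rescue ArgumentError, JSON::ParserError
  nil
end

# The trust model in one place: a cookie minted with a known secret verifies
# as whatever it claims; a tampered one does not; and once the secret is
# rotated, every cookie signed under the old secret is rejected.
def demo
  legit  = sign_session({ "user_id" => 42 }, OLD_SECRET)
  minted = sign_session({ "user_id" => 1, "admin" => true }, OLD_SECRET)
  {
    legit_verifies:         verify_session(legit, OLD_SECRET) == { "user_id" => 42 },
    minted_with_old_secret: verify_session(minted, OLD_SECRET),
    tampered_rejected:      verify_session(legit.sub("--", "A--"), OLD_SECRET).nil?,
    after_rotation:         verify_session(minted, NEW_SECRET)
  }
end

puts JSON.pretty_generate(demo) if $PROGRAM_NAME == __FILE__
```

Rotating the secret is the only remedy once it has been committed: the signature scheme cannot tell a legitimate client from anyone who has read the repository.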
Incidentally, for Metasploit Pro (and Community and Express), the secret token is randomly generated per local installation; we don't ship with a default token or anything silly like that.And speaking of Marshalled Code Execution...The last module I wanted to highlight in particular this week is one for Square's open source Squash bug reporting software. This is another Rails application, and it turns out, the YAML data that gets handled by the Squash server could get run (as executable code) without a valid API token.This is another case of failing to have safe, sane, and secure defaults. I think Reddit user catcradle5 put it best with with his comment, "It's so silly that there is a (default) YAML.load and then a YAML.safe_load." I couldn't agree more; seems to me it'd be better to have the load() method and the seriously_dangerous_load() method so developers are absolutely clear on the choices they're making.But hey, at least their secret token isn't shipped with source, but is instead generated as part of setup, so good on them for that.New ModulesWe've got ten new modules with this week's update, nearly all of them exploits. Aside from the modules mentioned above, contributor Michael Messner continues his frontal assault on consumer-grade access points with a pair of new D-Link modules, juan and sinn3r spent some time beating up on HP enterprise apps, Brendan Coles converted Serge Gorbunov's Open-FTPD vuln to Metasploit, we're now shipping last week's Firefox exploit with some updated targeting, and Borja Merino delivered a nifty local DNS cache dump post module. 
That last one is good for a quick assessment of what all's going on on the inside of a compromised network, handy for figuring out where the nearest domain controller is without making a whole lot of post-exploitation noise.

Thanks all!

D-Link Devices Unauthenticated Remote Command Execution by juan vazquez and Michael Messner exploits OSVDB-89861
D-Link Devices Authenticated Remote Command Execution by juan vazquez and Michael Messner exploits OSVDB-92698
HP StorageWorks P4000 Virtual SAN Appliance Login Buffer Overflow by juan vazquez and e6af8de8b1d4b2b6d5ba2610cbf9cd38 exploits ZDI-13-179
HP System Management Homepage JustGetSNMPQueue Command Injection by sinn3r and Markus Wulftange exploits CVE-2013-3576
OpenX Backdoor PHP Code Execution by egyp7 and Unknown exploits CVE-2013-4211
Ruby on Rails Known Secret Session Cookie Remote Code Execution by joernchen of Phenoelit
Squash YAML Code Execution by Charlie Eriksen exploits CVE-2013-5036
Firefox onreadystatechange Event DocumentViewerImpl Use After Free by sinn3r, juan vazquez, Nils, Unknown, and w3bd3vil exploits CVE-2013-1690
Open-FTPD 1.2 Arbitrary File Upload by Brendan Coles and Serge Gorbunov exploits CVE-2010-2620
Windows Gather DNS Cache by Borja Merino

Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.
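The YAML.load versus YAML.safe_load point made above about Squash is easy to show in a few lines. This is an added Ruby example, not code from the post or from Squash: the `CrashReport` class and both YAML documents are constructed, and the only thing it demonstrates is what the restricted loader accepts and what it refuses when fed a document that carries a `!ruby/object` tag.

```ruby
require 'yaml'

# A class that exists in the application. Whether it may be instantiated
# from a YAML document should be an explicit decision, not the default.
class CrashReport
  attr_accessor :message
end

# Constructed sample: the kind of plain data a crash reporter expects.
PLAIN_DOC = <<~YAML
  report:
    class: RuntimeError
    message: boom
    backtrace: ["app/models/user.rb:12", "app/controllers/users_controller.rb:8"]
YAML

# Constructed sample: the same kind of content, but tagged so that the
# unrestricted loader would build a CrashReport object instead of a Hash.
TAGGED_DOC = <<~YAML
  --- !ruby/object:CrashReport
  message: boom
YAML

# Parses an untrusted document with the restricted loader. safe_load only
# builds the basic YAML types (Hash, Array, String, Integer, Float, nil,
# true/false) and raises Psych::DisallowedClass for any ruby/object tag,
# even when the named class is loaded. Aliases and syntax errors raise
# other Psych::Exception subclasses, so those are rejected the same way.
# Returns [:ok, data] or [:rejected, exception_class_name].
def parse_report(doc)
  [:ok, YAML.safe_load(doc)]
rescue Psych::Exception => e
  [:rejected, e.class.name]
end

if __FILE__ == $PROGRAM_NAME
  p parse_report(PLAIN_DOC)
  p parse_report(TAGGED_DOC)
end
```

If a service genuinely needs one of its own classes rebuilt from YAML, name it explicitly with `YAML.safe_load(doc, permitted_classes: [CrashReport])` rather than falling back to the unrestricted loader. The renaming the post wishes for did eventually happen in the Psych 4 release that ships with Ruby 3.1, where `YAML.load` became the restricted loader and the unrestricted one is called `unsafe_load`.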

SecureNinjaTV Interview: Tod Beardsley About Metasploit 10th Anniversary


At Black Hat 2013 in Vegas this year, our very own Tod Beardsley was cornered by SecureNinja TV and social engineered into giving an interview. Here is the result - captured for eternity:

Security Death Match: Open Source vs. Pay-for-Play Exploit Packs


In the blue corner: an open-source exploit pack. In the red corner: a pay-for-play incumbent. As a security professional trying to defend your enterprise against attacks, which corner do you bet on for your penetration tests?

What's the goal of the game?

Okay, this is a loaded question, because it really depends on what your goal is. If you are like 99% of enterprises, you'll want to protect against the biggest and most likely risks. If you are the 1% that comprise defense contractors and the military and have deep pockets, you'll want to protect against all risks, so you'll buy everything that's on the market.

Let's focus on the 99% of enterprises.

Round 1: Pay-for-play exploit packs attack

Coming from the red corner, the pay-for-play exploit packs open with these attacks:

Keeping attack technology out of the wrong hands: Metasploit is often critiqued as giving weapons to malicious attackers. Here's the dirty little secret: No matter how fast we run as an industry, we're usually anywhere from a month to a year behind the bad guys. They're not stealing ideas from us; we're stealing ideas from them. (And yes, they hate us for it.) In addition, cybercriminals make more money than the average budget of a security professional, so don't think they can't afford pay-for-play packs.

Exploits are “commercial-grade”: Proprietary software vendors say Metasploit includes untested community contributions that are unstable and jeopardize the stability of the target systems. When Metasploit was still a weekend project of HD Moore's, this may have been true. When Rapid7 acquired the Metasploit project in 2009, we put a 3-step quality assurance process in place that outflanked what vendors of proprietary software can offer: In addition to code reviews and automated QA, we also have the Rapid7 community of 175,000 review the code and test modules before they are accepted in the stable releases and weekly updates.
As a result, we've heard from users that Metasploit exploits for the same CVE are more stable than their "commercial-grade counterparts".

Ding, ding. Two points for open source.

Round 2: Open source exploit packs counter

Coming from the blue corner, the open source exploit packs counter with full force:

Pay-for-play packs are much less relevant: Metasploit focuses on exploits that are the most relevant to security professionals. Our community of 175,000 users, security researchers, and contributors acts as “sensors” for new security trends. We often get submissions from the community that include pcaps of latest attacks, proof of concept exploits, or even full Metasploit exploit modules. The community contributors also try to exploit known vulnerabilities. Not every potential vulnerability can be exploited, so through this process we identify the ones that are easiest – not only for us but also for the attacker – and therefore most likely to show up in real-world attacks. The Rapid7 security researcher team also looks at the latest exploits contained in malware kits to provide safe versions for testing your own network's security. By contrast, pay-for-play exploit packs have to focus on vulnerabilities in more obscure software to differentiate against what's available in open source, which has limited value for enterprise security professionals.

Pay-for-play packs should be banned from most penetration tests: Many penetration test engagements exclude the use of unpublished zero-day exploits because it's an easy (and lazy) way into an organization that is extremely hard to defend against because they don't reflect what's out in the wild. We established earlier that pay-for-play exploit packs have the same deficiency. Therefore, they should be excluded from most penetration tests that seek to establish the most likely attack vectors.

Pay-for-play packs are bad value: This is more than just arguing that open source is free and therefore impossible to beat in value.
Many proprietary vendors need to make economic decisions on what's easy to exploit and therefore focus on local exploits that can escalate privileges on a machine but not gain access to a system over the network. Local exploits are of limited value to penetration testers, so ask before you sign the check.

Pay-for-play packs perpetuate cybercrime: Selling a good 0-day in the underground can be a lucrative business, yielding between $20,000 and $250,000 per transaction. By publishing exploits at no cost, Metasploit destroys thousands of dollars that would otherwise go into cybercrime. (And yes, they hate us for that too.) By putting a high price on exploits, pay-for-play vendors are keeping the price for 0days high and are actually playing into the pockets of the criminals.

Pay-for-play packs don't pressure vendors: Software vendors make economic decisions. They prioritize their software development based on what makes the most money. Security patches are typically pretty low on the list. This has been a huge problem for the security industry at large and explains why many vulnerabilities remain unpatched. However, there is a magic potion: Publishing an exploit for a vulnerability in Metasploit has expedited many security updates that vendors had known about for months. Metasploit's social contract is: Everybody knows, so everybody knows. Pay-for-play exploit kits are less visible and therefore contribute much less to the overall security of the industry. Often, they don't even have a disclosure policy, and there's no way to verify that they're informing vendors. This leads to worse security for everyone and favors attackers.

Pay-for-play packs impose their own value judgment: Exploit-pack vendors who give their software only to certain groups impose their own value judgment on society, deciding that a certain government is allowed to have their 0-days while the freedom fighters aren't. By contrast, open source is a big equalizer and inherently democratic.

... Seven. Eight.
Nine. Ten. Knock-out!

Ding, ding, ding.

And the winner is... Okay, this is the Metasploit blog, so you expected open source to win, but even if the fight was rigged, our arguments are still solid. If you are using open source for your web server because it's open source and more eyeballs create better security, why aren't you doing the same when it comes to your security tools?

Security shouldn't be about who's got the deepest pockets, and that's why we're offering Metasploit Community Edition with all exploits for free. Our commercial edition Metasploit Pro mostly adds features for productivity and reporting, which are targeted at enterprises who can afford to pay for it.

What's your take on open source vs. pay-for-play exploit packs? I'd love to hear your opinion - just sign in and add your comment!

Webcast: Playing in the Sandbox - Open Source Tools for Threat Intelligence


If you missed last week's webcast in the Life's a Breach series, I have good news for you: The recording is now available. In this webcast, Claudio Guarnieri, security researcher with Rapid7 and creator of Cuckoo Sandbox, shows what we can learn from analyzing malware that has been caught with honeypots.

By watching this webcast you will learn:

How to actively collect and analyze threats in the wild to improve security practices
About different kinds of honeypots, and which one to use for what
How to set up a honeyclient to capture client-side attacks
How to use Cuckoo Sandbox for automated malware analysis

Here are some questions from the audience that were answered in the webcast:

Are there any honeyclients that analyze HTML5, or do they all focus on Javascript?
Do you typically see honeyclients and sandboxes used primarily by security researchers, or also by security professionals in enterprises? How may this change in the future?
What's the best way to protect against client-side attacks?
Should enterprises use honeypots and sandboxes to defend their networks?

About the Speaker

Claudio is a Security Researcher at Rapid7. He is involved with general Internet badness on a daily basis. His specialties span from malware analysis to botnet tracking and cybercrime intelligence. Claudio is a core member of The Honeynet Project and The Shadowserver Foundation, two non-profit organizations devoted to making the Internet a safer place.

Claudio is also the creator and lead developer of Cuckoo Sandbox, a prominent open source automated malware analysis system, and runs the Malwr.com website. He has presented at several international conferences including InBot, Hack In The Box, TAIS Security Conference and the Honeynet Workshops.

View the Open Source Tools for Threat Intelligence Webcast Now

Magnificent7 Update - Submission Deadline


Back in August, we announced that Rapid7 is committing $100,000 to support up to seven Open Source projects in 2012: the Magnificent7. So far we have received some really great proposals, and some requests for more time from some interesting projects, so this is a quick post to confirm that we are accepting submissions for 2012 funding until January 1, 2012. If you are interested in being considered, you do still have time to send us some information. If you have a project, or know someone with a project, that could benefit from the program, here is all the relevant info:

PDF application
DOC application
Press release
Blog post

-MJC

Being Agile within an Open Source project


When I started to work at Rapid7 almost a year and a half ago, one of the first things I thought about was: "How can w3af benefit from all the methodologies, tools and ideas that Rapid7 uses to create NeXpose?", and without using too many brain cycles it was clear that Agile development methodologies (and more specifically SCRUM) were one of those great things.

During the first months as a Rapid7 employee it was very difficult for me to spend any time developing for w3af, and the hiring of our Python developer was still an ongoing project. But in September Javier Andalia joined our w3af team as a full-time employee and we finally started to work on those much-needed improvements.

Our w3af team organization was very simple. I was acting as ScrumMaster and Product Owner, and Javier was the only team member of that small group that we called "Owls". We organized our backlog and wrote more specific user stories for the ideas we had; prioritized the user stories based on the users' needs and grouped them into small chunks of work (sprints). Our world suddenly felt more organized.

But we were forgetting the most important group of all in our organization: the w3af contributors.

Our first stab at the problem was to ask the contributors to commit to delivering a piece of code before the end of the sprint we were currently working on. That failed. Contributors write code for the fun of it; due dates remind them of their 9 to 5 work. We quickly realized this and moved on to a different organization for the contributors.

The next solution was to have all the contributors be team members of a different scrum team called "Athenians". That team had longer sprints (4 weeks instead of the 2 we have in the Owls) and I would still be the ScrumMaster and Product Owner for that team. After creating the team and milestones in Trac, we carefully selected the most interesting tasks of our backlog and assigned them to the Athenians-1 to Athenians-3 sprints.
We had everything ready for our contributors to start working on those tasks! That also failed. We were still getting code contributions, but none of them were from the list we prioritized. Contributors write code for the fun of it; someone telling them what they need to work on reminds them of their 9 to 5 work.

Understanding this last thing was a little bit more difficult than the first one, but we managed to get there and change our team organization once again. Our current organization for driving the efforts of our contributors is as simple as it can get:

Do whatever you feel like doing,
Do it whenever you want to do it.

This might sound like chaos, but it's actually not. We're giving our contributors the freedom they want, while keeping only one thing on our side: the how. By reviewing all code that's sent by the contributors we can keep its quality at the highest levels. If their code isn't properly tested, breaks any of our unit tests, etc., it won't make it to the trunk, and that's not negotiable.

I hope this blog post helps other open source project leaders that have decided to use SCRUM or any other development methodology. My objective is far from defining the way we should all use Agile methodologies with open source projects: my real intention is to tell the community about our specific experience, which should help others that are going through similar paths.
