Black Hat Race To Root Results

Blog Post created by rapid7-admin on Aug 9, 2010

Originally Posted by jcran



We had a good number of folks compete for prizes in the Race to Root competition at this year's Black Hat, so thanks to everyone who came by. Three competitors came out on top. Anders Hansen took first place! He'll be receiving both a ProxMark3 (http://proxmark3.com/) and a MAKInterface Magstripe Reader/Writer (http://www.makinterface.de/index_e.php3?frompage=/makstusbe.php3). Haikon Krohn took second place and will pick up a ProxMark3, and our third place finalist (JT Taylor) will also be receiving a MAKInterface.

I was surprised by the number of folks who had heard about Metasploit Express but hadn't had a chance to try it yet. There's a seven-day trial available here (http://www.rapid7.com/contact/metasploit-express-contact.jsp) if you'd like to try it. Much of the time in the booth was spent demoing features and talking through pentesting scenarios. Some of the features that we ended up talking a lot about:

- Vulnerability Scanner Integration - You can control the NeXpose vulnerability scanner right in the interface of Metasploit Express, and don't have to bother with exporting / importing results. We can also import from other formats like Nessus, Qualys, and nmap. All that info gets imported, and you can simply hit bruteforce or exploit to bang on it. Doesn't get much simpler than that. The exploit mapping is significantly better than anything previously available with Metasploit, and can be configured to stop after the first exploit hits. 

- Post-Exploitation Collection - This was a useful feature in the Race to Root competition. By exploiting a device and running the collection scripts, you can quickly grab data from a massive number of machines. In the case of Race to Root, this picked up an SSH key which gave access to the target device.

- Pass-The-Hash Attacks - Built into the product is quite likely the simplest way to take control of a corporate Windows network today. If you're able to take control of a single device on a network, be it with automatic exploitation (described by one attendee as autopwn on steroids), bruteforce, or manual exploitation, you can use Metasploit Express to collect hashes from the device. Once you have hashes for a single box on a domain, it's very likely that the administrator has used the same password on all the boxes on the domain, and therefore you have the hashes for all the boxes. By simply re-running bruteforce with known credentials, you can own the entire domain in a matter of minutes. Watching this happen turns out to be quite convincing for management.
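The credential reuse described in the last item looks, from the defender's side, like one source making NTLM network logons with the same account to many hosts within minutes. The sketch below is an added example, not part of the original post or of Metasploit Express; the CSV columns, sample rows and thresholds are constructed assumptions, loosely modeled on Windows Security event 4624 fields.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data: simplified columns modeled on 4624 logon events.
SAMPLE = """time,target_host,account,src_ip,logon_type,auth_package
2010-08-09T09:00:00,FS01,backupsvc,10.0.0.60,3,NTLM
2010-08-09T09:20:00,WS01,backupsvc,10.0.0.60,3,NTLM
2010-08-09T09:40:00,WS02,backupsvc,10.0.0.60,3,NTLM
2010-08-09T10:00:00,WS03,backupsvc,10.0.0.60,3,NTLM
2010-08-09T10:00:05,WS01,Administrator,10.0.0.23,3,NTLM
2010-08-09T10:00:20,WS02,Administrator,10.0.0.23,3,NTLM
2010-08-09T10:00:30,FS01,jsmith,10.0.0.50,3,Kerberos
2010-08-09T10:00:41,WS03,Administrator,10.0.0.23,3,NTLM
2010-08-09T10:01:02,FS01,Administrator,10.0.0.23,3,NTLM
2010-08-09T10:01:30,DC01,Administrator,10.0.0.23,3,NTLM
2010-08-09T10:02:00,WS01,jsmith,10.0.0.50,2,Negotiate
"""


def fan_out_alerts(csv_text, min_hosts=4, window=timedelta(minutes=5)):
    """Flag (source, account) pairs whose NTLM network logons reach at least
    min_hosts distinct hosts inside one sliding time window."""
    recent = defaultdict(deque)   # (src_ip, account) -> (time, host) in window
    flagged = {}                  # (src_ip, account) -> hosts seen while alerting
    rows = sorted(csv.DictReader(io.StringIO(csv_text)), key=lambda r: r["time"])
    for row in rows:
        # Pass-the-hash shows up as network logons (type 3) over NTLM.
        if row["logon_type"] != "3" or row["auth_package"] != "NTLM":
            continue
        now = datetime.fromisoformat(row["time"])
        key = (row["src_ip"], row["account"].lower())
        queue = recent[key]
        queue.append((now, row["target_host"]))
        while now - queue[0][0] > window:   # drop events older than the window
            queue.popleft()
        hosts = {host for _, host in queue}
        if len(hosts) >= min_hosts:
            flagged.setdefault(key, set()).update(hosts)
    return [(src, acct, sorted(hosts)) for (src, acct), hosts in sorted(flagged.items())]


if __name__ == "__main__":
    for src, acct, hosts in fan_out_alerts(SAMPLE):
        print(f"{src} used '{acct}' on {len(hosts)} hosts: {', '.join(hosts)}")
```

The `backupsvc` rows touch four hosts but are spread over an hour, so only the burst from 10.0.0.23 is flagged; tune `min_hosts` and `window` against what management servers and scanners normally do in your environment.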

Also of major interest were the reporting features (yep, we've got editable reports) and post-exploitation pivoting functionality (got it too :). Pivoting is a recent addition, so if you haven't had a chance to check it out, download the 3.4.1 trial and give it a go.

Huge props to our marketing team for putting together a rather awesome Black Hat party. It was during that party that we announced the next version of Metasploit: Metasploit Pro. You can find the trailer (yes, we have a trailer!) here: http://www.rapid7.com/revolution.

Thanks again to everyone who came by the booth at Black Hat, whether it was to learn about NeXpose, learn about Metasploit Express, or just to say hello.