1 2 3 Previous Next

Information Security

70 Posts authored by: rapid7-admin Employee

Originally Posted by Didier Godart





Don't miss the PCI SC Magazine eConference tomorrow March 22, 2011.
I will talk about the PCI Compliance versus Security perspective and share my view on the following :


Is PCI a Compliance or Security Program?


When: 22 March 2011 1pm EDT


Where: https://events.unisfair.com/index.jsp?code=SCW&seid=3262&eid=474


Fee: Free




This 3-letter acronym has significantly impacted the security and IT industry over the last years. Some consider PCI as a daunting undertaking, a source of constraints, stress and restrictions. For them,  PCI is at best a supplemental insurance hopefully preventing penalties. Others religiously believe that meeting PCI compliance requirements dramatically increases their overall security posture.


In this Webcast, Didier Godart, Risk and Compliance Manager at Rapid7 and one of the co-authors of the first versions of PCI DSS will reflect on the current state of PCI. As PCI is spreading further and further into the realm of business decision makers, is it leading to a fundamental paradigm shift moving the discussion from compliance to true security? Can PCI itself be used as a strict security regimen? What are some areas for additional potential for PCI? Where are its boundaries?


Looking for your comments and feedbacks. Please let us know your answer to the following question:


How do you consider PCI ?


a) as a compliance program.


b) as a foundation for your company security?


Didier Godart


Risk Product Manager



Originally Posted by Marcus J. Carey





Over the last few years I’ve been focused on empowering security professionals through my work with DojoSec and DojoCon. I’ve had the pleasure of serving tons of people with the success of many of my community efforts. To be honest, I’m surprise how many people have been informed and inspired by the projects I’ve been associated with. I have been able to establish relationships with both commercial and open source communities. I believe that my mission in life is to help as many people as possible.  I am pleased to join Rapid7 as Community Manager. In doing so, I have taken the opportunity to take my mission of empowering security professionals to another level. Rapid7 shares the same passion as I do for serving the security community. The old saying is “Find a job you love and you will never work a day in your life.” My love is serving and empowering others. I will be working on Rapid7 events, Metasploit/NeXpose outreach, engaging directly with Rapid7 customers, and open source security research.

Originally Posted by Trevor Richardson



Since Microsoft is on this new staggered pattern of releases, we can expect a feast or famine every other month...so get used to it. Depending on what side of the desk you sit on you can adjust the context. With that being said, this month’s release brought us 3 patches addressing  4 vulnerabilities. I think we were all expecting to see the MHTML protocol handler issue resolved, however it didn't make the cut. Make sure IE is in restricted mode or at least you're restricting ActiveX and Active Scripting for your users until the fix is released. This vulnerability is already being leveraged for geo-political warfare according to Google.

The honorable mention of this release goes to MS11-015. MS11-015 is classified as the only "Critical" update this release.




MS11-015 CVE-2011-0042

This vulnerability is exposed when the Stream Buffer Engine (SBE) trys to parse “.dvs-ms” files.  This limitation will allow any of your IE users to be remotely exploited when using Windows Media Center or Media Player to play these files.  You can expect social engineering vectors to be used here… emails pointing to a DVS file or an iFrame rendering one.


MS11-016 - CVE-2010-3146 / MS11-017 CVE-2011-0029


The last two I won’t spend too much time on them, as they fall in line with the not so surprising DLL Hijacking exposures we’ve been seeing from Microsoft. You'll also see them called “binary planting vulnerabilities"...at the end of the day they're the same issue.  HD has a great post detailing the characteristics of this exposure here.

Below is the official breakdown of the March 2011 Patch Tuesday Release:

MS11-015/KB2510030 - Critical (XP, Vista, 7)/Important (2008 R2) Vulnerabilities in Windows Media Could Allow Remote Code Execution (2510030) This security update resolves one publicly disclosed vulnerability in DirectShow and one privately reported vulnerability in Windows Media Player and Windows Media Center. The more severe of these vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Digital Video Recording (.dvr-ms) file. In all cases, a user cannot be forced to open the file; for an attack to be successful, a user must be convinced to do so. **PATCH ASAP**


MS11-016/KB2494047 - Important (Microsoft Groove 2007): Vulnerability in Remote Desktop Client Could Allow Remote Code Execution (2508062) This security update resolves a publicly disclosed vulnerability in Windows Remote Desktop Client. The vulnerability could allow remote code execution if a user opens a legitimate Remote Desktop configuration (.rdp) file located in the same network folder as a specially crafted library file. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application.


MS11-017/KB2508062 - Important (CP, Vista, 7, 2003, 2008, 2008 R2): Vulnerability in Microsoft Groove Could Allow Remote Code Execution (2494047) This security update resolves a publicly disclosed vulnerability in Microsoft Groove that could allow remote code execution if a user opens a legitimate Groove-related file that is located in the same network directory as a specially crafted library file. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Until next time….

Originally Posted by Chris Kirsch





We got a ton of requests to let you know when the new Dual Core Metasploit track "msf mastering success & failure" would be available for download. Dual Core had given the track a debut at the Rapid7 Skye High party at Ruby Skye in San Francisco as part of the RSA Conference (view the live performance)

I'm exited to let you know that we've now received the final copy. Even better: Dual Core has made the song available free of charge - woot! Big thanks on behalf of the community!

Here is the free song download in three different formats:


We all appreciate getting things for free - but it's also important to give back. If you like
the track, I encourage you to visit Dual Core's website to check out his other albums and swag.

Originally Posted by Chris Kirsch




Rapid7 is looking to sponsor students at seven high schools in the Boston Metro area to participate in the 2011 Cyber Foundations Competition. This is your chance to make sure your local high school's students can participate in this great learning experience - for free! The sponsorship is our way of giving back to the local community by investing in our youth and increasing awareness around IT security risks.

Cyber Foundations is the entry-level competition in a series of increasingly challenge contests sponsored by the U.S. Cyber Challenge (USCC).  USCC was chartered to identify and nurture talented Americans who can become the cyber leaders, cyber guardians and cyber warriors for United States companies, government agencies, and military services.

Opportunities for students who do well in these competitions range from gift certificates and awards, recognition by political leaders, to internships and scholarships.  For example, the U.S. Navy has authorized full-four year scholarships for high school students who excel in the U.S. Cyber Challenge.

Cyber Foundations has two parts:


  1. On-line tutorial and video education materials that allow students to expand their knowledge and
  2. quizzes that allow students to demonstrate mastery.


Three topics are presented and tested:  networking, operating systems, and system administration.   Each topic has a separate set of educational materials and a separate test.  Teachers may use the materials in class, but that is not required. Students may prepare and compete without teacher involvement; U.S. Cyber Challenge does not want to exclude talented young people who attend schools that do not have IT-savvy teachers.  Students and teachers both report that the tutorial material takes only 3 or 4 hours to review, although students that spend more time and do the exercises seem to get higher scores.

The three topics are the foundation skills needed by any person hoping to become a skilled cyber professional.  In addition, these three skills are in high demand throughout industry and government.  The U.S. Bureau of Labor statistics ranked jobs requiring these skills as the 2
nd fastest growing in the United States between now and 2018, with 155,000 new jobs opening up (see study).

Dates for the 2011 Cyber Foundations competition are:


  • February 24, 2011: Deadline for high schools to register with Rapid7 for the sponsorship
  • February 21 to March 3: Online tutorial for Module 1 (Networking) open.
  • March 4: Competition for Module 1.
  • March 7 to March 17: Tutorial for Module 2 (Operating Systems) open.
  • March 18: Competition for Module 2.
  • March 21 to April 7: Tutorial for Module 3 (System Administration) open.
  • April 8: Competition for Module 3.


To apply for a sponsorship, please send an email with the following information to info@rapid7.com by February 24:


  • Name of the school
  • Address
  • City
  • County
  • Zip
  • Private/ public school
  • School coordinator for the competition (First name, Last name, Email address)


The school coordinator's role is to make students aware of the competition and to distribute the login code to the students. This can be a teacher, principal or school administrator. If you have questions about the school coordinator's involvement or the program in general, please feel free to contact the organizers directly at coordinator@uscyberchallenge.org.

Sponsorships will be distributed on a first come, first serve basis, so be quick!

Originally Posted by Chris Kirsch



Thanks to all of you who attended our party at Ruby Skye on Wednesday. We were overwhelmed by how many RSA delegates showed up: The club holds close to a thousand people, and we were operating at capacity for most of the night. Apologies if you had to wait in line for a few minutes!


In case you missed our cirque-style trapeze artists, here's a video courtesy of amngibson.




Have a great weekend and sleep off the RSA Conference buzz!


Update: Just received this great picture taken by Travis Arnold at the party – thought you’d enjoy it!



Originally Posted by Chris Kirsch



As we're all recovering from the epic RSA Rapid7 party at Ruby Skye last night, I wanted to thank Dual Core for the debut performance of
"mastering success and failure - msf" featuring the
Metasploit Framework. Awesome track - the room went nuts!

Here's a video of the full performance. The msf track starts at 2:50 mins:



Video courtesy of amngibson lostinsecurity asked us to publish the lyrics, so here they are:



you should meet this friend of mine, allow me if i may
this guy is going places, believe me when i say
advanced for his age, has a blog and his own page
just starting out, still in high school most days
friends called him jim, but his parents named him james _
couldn’t tell the difference either way it seemed the same
computers were his thing, took the knowledge as it came
challenging his brain while his friends were playing games
he stayed inside reading and pursuing what he dreamed _
with his nose buried in his book, slowly learning C _
hit an error in his program, guessing what it means
memory corrupted, debugger on the screen
found his first overflow, the bug was in his math _
but he’d read about these hacks and this metasploit app
_ using tools, he created up a pattern found the offset
shellcode encoded exploit for his project




here’s another story, this one’s not his fault
googled for his address, was shocked at the results
a list of every student from his college up and down
full credentials, everything on each of the accounts
where’d they get his password?  now he’s gotta know
in a zone, all alone, with his db_autopwn
scanning for the systems in the labs and all the classes
big surprise, they were way behind on patches
he called up the helpdesk, explained it at his best
they didn’t understand, told him hold for a sec
passed him on to senior staff, again report the steps
what he thought would happen last then became what happened next
they took it as a threat, you could say they jumped the gun
told him he could be expelled for pulling off this little stunt
said he violated policies and now his name was cursed
“so just turn yourself in before you make it worse”




graduated up, now his exploits are homemade
remembering in school and just thinking it like “no way”
checks getting cashed every time he finds an 0day
the upgrade to pro, left the others back to role play
lives in his own place, mortgage and his loan paid
full benefits, health insurance skip the co-pay
remembers when he started with his linker and his loader
_ now he’s writing payloads and made his own encoder
plus he made a name, now the internet was buzzing
writing tons of modules from scanning into fuzzing
leveraging the framework and tools that he was loving _
he was living out his dream so he wouldn’t stop for nothing
finally he made it, he could walk the talk in code _
but the journey’s where it happened, remember how you grow
the right tools and hard work he found that he could show
all’s well that ends well, i guess that’s how it goes




Like the Metasploit Framework itself, Dual Core's track will be available for free download. The studio recording still needs the final mix, so we'll keep you updated!

Originally Posted by Trevor Richardson



I think we all knew this was coming...January's release was just too light. This month Microsoft released 12 updates which address 22 vulnerabilities. There were 3 critical updates this release and 9 important fixes. The honorable mention would have to go to the CSS recursive import fix.


MS11-003 - CVE-2010-3971- This issue effects the way Cascading Style Sheets access memory in IE. By creating a "use-after-free" condition the attacker is given an opportunity to slip in and execute code on the target.  This code execution occurs when a C++ object is re-used after it has been de-allocated. Memory that was previously allocated for the object can be re-used by an attacker. This bug would allow full control of the victims machine if exploited... "kinda" a big deal =|


MS11-006 - CVE-2010-3970 - Say Cheese? Those holiday party pics are the perfect place for one of these shady images to be buried.  After convincing a user to browse to a network share to view a malious thumbnail, the exploit targets the Windows Shell. Because of IE's inability to parse a negative "biClrUsed" value, the results is a stack-based buffer overflow.  This exploit allows an attacker to then take full control at the users privilege level.






MS11-007 - CVE-2011-0033 - This issue targets the Microsoft/Adobe joint venture OpenType CFF(Compact Font Format). Your users are all smiles knowing that they have a secret admire for Valentines. After browsing a page and rendering the malicious font, "Be Mine"  takes on a whole new meaning. This vulnerability targets a weakness in the way that the OpenType CFF validates parameter values. If exploited this would let the attacker run arbitrary code in kernel mode. This is the perfect example of why security awareness trainings shouldn't be back burnered.

Below is the official breakdown of the February 2011 Patch Tuesday Release:


MS11-003/KB2482017 - Critical (XP, Vista, 7)/Moderate(2003, 2008, 2008R2):


Cumulative Security Update for Internet Explorer (2482017)This security update resolves two privately reported vulnerabilities and two publicly disclosed vulnerabilities in Internet Explorer. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer or if a user opens a legitimate HTML file that loads a specially crafted library file. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. **PATCH ASAP**


MS11-006/KB2483185 - Critical (XP, Vista, 2003, 2008): Vulnerability in Windows Shell Graphics Processing Could Allow Remote Code Execution (2483185)


This security update resolves a publicly disclosed vulnerability in the Windows Shell graphics processor. The vulnerability could allow remote code execution if a user views a specially crafted thumbnail image. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. **PATCH ASAP**


MS11-007/KB2485376 - Critical (Vista, 7, 2008, 2008R2)/Important (XP, 2003): Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Execution (2485376)


This security update resolves a privately reported vulnerability in the Windows OpenType Compact Font Format (CFF) driver. The vulnerability could allow remote code execution if a user views content rendered in a specially crafted CFF font. In all cases, an attacker would have no way to force users to view the specially crafted content. Instead, an attacker would have to convince users to visit a Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site. **PATCH ASAP**


MS11-004/KB2489256 - Important (Vista, 7, 2008, 2008R2): Vulnerability in Internet Information Services (IIS) FTP Service Could Allow Remote Code Execution (2489256)


This security update resolves a publicly disclosed vulnerability in Microsoft Internet Information Services (IIS) FTP Service. The vulnerability could allow remote code execution if an FTP server receives a specially crafted FTP command. FTP Service is not installed by default on IIS.


MS11-005/KB2478953 - Important (2003): Vulnerability in Active Directory Could Allow Denial of Service (2478953)


This security update resolves a publicly disclosed vulnerability in Active Directory. The vulnerability could allow denial of service if an attacker sent a specially crafted packet to an affected Active Directory server. The attacker must have valid local administrator privileges on the domain-joined computer in order to exploit this vulnerability.


MS11-008/KB2451879 - Important (Visio 2002, Visio 2003, Visio 2007): Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (2451879)


This security update resolves two privately reported vulnerabilities in Microsoft Visio. The vulnerabilities could allow remote code execution if a user opens a specially crafted Visio file. An attacker who successfully exploited either of these vulnerabilities could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.


MS11-009/KB2475792 - Important (W7, 2008 R2): Vulnerability in JScript and VBScript Scripting Engines Could Allow Information Disclosure (2475792)


This security update resolves a privately reported vulnerability in the JScript and VBScript scripting engines. The vulnerability could allow information disclosure if a user visited a specially crafted Web site. An attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site.


MS11-010/KB2476687 - Important (XP, 2003): Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2476687)


This security update resolves a privately reported vulnerability in the Microsoft Windows Client/Server Run-time Subsystem (CSRSS) in Windows XP and Windows Server 2003.

The vulnerability could allow elevation of privilege if an attacker logs on to a user's system and starts a specially crafted application that continues running after the attacker logs off in order to obtain the logon credentials of subsequent users. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.


MS11-011/KB2393802 - Important (XP, Vista, W7, 2003, 2008, 2008R2):


Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802)This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logged on locally and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities. The vulnerabilities could not be exploited remotely or by anonymous users.
MS11-012/KB2479628 - Important (XP, Vista, W7, 2003, 2008, 2008 R2):


Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2479628)This security update resolves five privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logged on locally and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities. The vulnerabilities could not be exploited remotely or by anonymous users.
MS11-013/KB2496930 - Important (XP, W7, 2003, 2008 R2):


Vulnerabilities in Kerberos Could Allow Elevation of Privilege (2496930)This security update resolves one privately reported vulnerability and one publicly disclosed vulnerability in Microsoft Windows. The more severe of these vulnerabilities could allow elevation of privilege if a local, authenticated attacker installs a malicious service on a domain-joined computer.


MS11-014/KB2478960 - Important (XP, 2003):Vulnerability in Local Security Authority Subsystem Service Could Allow Local Elevation of Privilege (2478960) This security update resolves a privately reported vulnerability in the Local Security Authority Subsystem Service (LSASS) in Windows XP and Windows Server 2003.

The vulnerability could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.

Originally Posted by Derek Abdine



So there I was.  An uneventful Sunday morning watching the Colbert Report on my DVR when a commercial for Overstock.com flashed on my screen.  Overstock was touting their newest site address: o.co.  Easy for customers to get to! Frustrating for whoever owned o.com.  I thought this was  a great idea on their part--a site address that is as incredibly easy to remember as it is fast to type.  Indeed, the introduction of the .co TLD will offer businesses many new ways to reach their clients.  However, in a world full of domain name snatching the .co TLD is ripe for abuse.


It was surprising to me (or maybe not so much?) that IANA picked .co instead of something like .corp.  Such a choice for a tld makes it easy for someone to mistype .com and end up in the Bank of Malory instead their intended destination. The flood gates have already opened and .co domains are being snatched up like crazy.  This is creating a unique opportunity for some people--steampowered.co (not to be mistaken for steampowered.com which is Valve's game content delivery platform) has been taken up and held hostage for ads.  Yes, over time this may settle down.  Over time this may become less of an issue because Valve will eventually (hopefully) register a dispute for the domain name.  However, this represents a unique opportunity for all phishers alike. 


This creates even bigger problems for SaaS service providers.  Thankfully many banking organizations such as BofA, Citi, etc. have already secured these names.  At the time of writing, hsbc.co (again, not to be mistaken with hsbc.com) was snapped up by some Colombian internet service provider.  What kind of services hiding valuable data could be offered with SaaS?  CRM? Vulnerability Management? Banking?  It's literally a wide-open world and a golden opportunity for malcontent. 


Something else to keep an eye on would be the potential for SSL fail.  What is the probability that say, a browser vendor used substring matching on the certificate CN with the hostname? 


My prediction for 2011:


1. A ton of domain disputes.
2. Phishing attacks on the rise.
3. An abundance of SSL fail.


Happy new year!

Originally Posted by Tas Giakouminakis




During the holiday season of the past weeks, I reflected a lot on the past with my loved ones. At the same time, I couldn’t help thinking about the Rapid7 journey so far and the exciting path before us. I thought I’d share some of this with you.




2010 was an explosive year for Rapid7. By adding a full-time development team to the Metasploit Project, we grew the open source community more than five-fold, now reaching over a million unique downloads per year. We brought penetration testing to a new level with a series of commercial releases, namely Metasploit Express and Metasploit Pro. Many have argued that this makes the Metasploit Project the most successful collaboration between an open source project and a commercial vendor. At the Metasploit Project acquisition anniversary in October, the Metasploit Framework, had been updated with 292 additional exploits and 207 auxiliary modules, an increase of 91 and 209 percent respectively since version 3.2, the current version at the time of the acquisition. Since then, we’ve added many more.

2010 was also a year of exploits. Rapid7 CSO HD Moore discovered and added notorious exploits, including
DLL hijacking and VxWorks, which have impacted enterprises and security professionals since being reported. Later that year, Joshua “Jabra” Abraham discovered a vulnerability in SAP Business Objects. We expanded our team of researchers, most notably adding Chris Gates and Rob Fuller. I’m sure we’ll see a lot more exploits in 2011.

w3af sponsorship brought with it great talent, and you’ll see some of the exciting advancements we’ve made in Web scanning over the course of the year. We continued to expand the unification of vulnerability management, penetration testing and configuration assessment in the NeXpose vulnerability scanner, having received our FDCC lab certification.  And it won’t stop there.  We’re dedicated to giving our customers the actionable, real security they demand.

Originally Posted by Trevor Richardson




So I know we all were hoping to see a fix for some of this Windows Graphic Rendering Engine nastiness...but no go. For now, you'll need to resort to the good ol' FixIt option or if you wanna get your hands dirty, you can modify the ACL on shimgvw.dll directly.

Either way, if you're running IE, you'll have to patiently wait for the official patch release.

So this monthly release was lean-n-mean, Microsoft released (2) bulletins, addressing (3) vulnerabilities. One of which is pretty hardcore - expect to see active exploitation, while the other takes a lot more finesse for an attacker.






Pure Evil: MS11-002 addresses 2 privately reported vulnerabilities(CVE-2011-0026 & CVE-2011-0027).  Both target the way Microsoft Data Access Components validate memory allocation. Essentially an attacker could provoke a user into going to a website, in which a process to target MDAC can be executed. This would allow the attacker to take control of the target under the user's permissions. With that being said, your standard users are less of a concern. Your CEO that demanded Admin privileges? Well, thats another story =)


Kinda Evil: MS11-001 address a publicly disclosed vulnerability that effects Windows Backup Manager (CVE-2010-3145). So "001" is not just another "Important" patch, it marks a seemingly predictable trend of DLL-loading vulnerabilities. I'm not quite sure what that's all about, but its definitely notable.  So whats "001" all about? In order to exploit this, the user would have to knowingly accept a backup file from a 3rd party or visit an untrusted remote file system. If your users are doing these types of things, a patch is the least of your worries = | The other element that makes this less exposure have less B-A-N-G is that it only affects Windows Vista.

Below is the official breakdown of the January 2011 Patch Tuesday Release:


MS11-002/KB294871 - Critical (Windows XP,Vista,Win7,2003,2008 *Server Core): This  security update resolves two privately reported vulnerabilities in   Microsoft Data Access Components. The vulnerabilities could allow remote   code execution if a user views a specially crafted Web page. An   attacker who successfully exploited this vulnerability could gain the   same user rights as the local user. Users whose accounts are configured   to have fewer user rights on the system could be affected less than   users who operate with administrative user rights. **Patch ASAP**


MS11-001/KB294871 – Important (Windows Vista): This security update resolves a publicly disclosed vulnerability in  Windows Backup Manager. The vulnerability could allow remote code  execution if a user opens a legitimate Windows Backup Manager file that  is located in the same network directory as a specially crafted library  file. For an attack to be successful, a user must visit an untrusted  remote file system location or WebDAV share and open the legitimate file  from that location, which in turn could cause Windows Backup Manager to  load the specially crafted library file.

Until next time...Happy Patching!


Originally Posted by Chris Kirsch






Wouldn’t it be fantastic to be invisible for a day? Walk straight into a bank vault in the morning, be a fly on the wall in the Oval Office for lunch, and spend an evening in your favorite movie star’s house. Well, now you can - with Metasploit!


We tested our Metasploit invisibility cloak on a field day recently. Our venue of choice: an anti-virus test lab. The goal was to test how well Metasploit’s anti-virus protection would hold up against the most recent versions of the world’s top ten anti-virus vendors. The results were better than we had hoped for: Every single vendor had gaping holes, two didn’t trigger alerts at all.


I don’t want to single out specific vendors, so I’ve anonymized the chart. In addition, exploit developers and anti-virus engines are in a constant arms race, so I don’t want to disclose how we make our exploits invisible. Otherwise, the AV vendors would fix the holes, my colleagues in development would have to code through the weekend, and I would have to buy them a beer next time. Instead, they're now working on making Metasploit Pro completely invisible.




If you're interested in Metasploit and anti-virus, also check out n00bznet's recent blog post on the subject.

Originally Posted by Matt Barrett




One of my biggest challenges in learning how to pentest was finding systems to test against. I heard that using your   neighbors network is "frowned upon", and hanging out in a   Starbucks and pwning your fellow coffee drinkers on the public wifi raises the occasional eyebrow.

So what do I do? Build a test environment. The concept itself isn't difficult, but there are easy and hard ways to do it. I wanted two machines: one with my vulnerable VMs,  the  other with Metasploit and NeXpose . This isn't necessary, but in my case the Metasploit Pro machine would generate a lot of traffic and I wanted to make sure it has all the   resources it needs.

What you need

  • A decent box
  • Multiple Processors/Cores
  • Lots of RAM (4 GB or more)
  • Lots of HD space
  • Some sort of virtualization software (VMWare, VirtualBox, Hypervisor)
  • Pre-built virtual machines or installer ISOs
  • Optional: A second box with two NICs (dedicated for Metasploit and assorted other tools)
  • A can-do attitude


Target machine specs

  • Intel Core 2 Quad @2.66 GHz
  • 8 GB Crucial DDR3 RAM
  • 500 GB WD HD
  • Ubuntu 10.04 LTS 64 bit
  • VMWare Workstation


Metasploit box specs

  • AMD Quad Something, 1.8 GHz
  • 8 GB DDR2 RAM (noname)
  • 500 GB HD
  • Ubuntu 9.10 64 bit


There are a few reasons I chose this setup. The Core 2 Quad is  hyper-threaded (can span tasks across several cores if necessary), which  is ideal for VMware Workstation. For the amount of VMs I wanted, 4 GB of  RAM simply wouldn't be enough. This setup can host six to eighth VMs at once. You can scale it up or down based on your requirements.

  • Metasploitable (Download through BitTorrent)
  • Ultimate LAMP
  • Windows XP SP3
  • Windows 2003 Server R2
  • RedHat 6.5
  • Windows 7 RC2
  • Windows 2000 Advanced Server SP4


I highly recommend that you first define your network. When I built my environment I did  this last, but in hindsight it would have been so much easier the other way around (my loss of five hours is your gain =]). I gave a  pretty basic overview of how to do this in my VPN Pivot post.

You have two options to set up your pentesting lab.


Option 1: The easy option - everything on one machine



This is the best option if you have limited resources. For example, I use this setup on my laptop. I only had to set up all machines on the same virtual virtual adapter, and I was golden.

First I opened up my virtual network editor (Edit -> Virtual Network Editor). If you're running VMware on Linux, click
Add Network...; on Windows, choose one from the list (VMNet1 is a good place to start).  I then switched the network configuration to Host Only and selected my subnet (I chose but you can pick whatever  you want so long as it's a private range) and saved it. With this set  up, I could now assign this virtual network to all the machines as I  built them.





Option 2: The tricky option - separate tool and target machines


This one took me a bit to figure out, so I'm providing more detail. What made this setup tricky is that I didn't want  a bunch of über-vulnerable machines chillin' in my network so I had  to keep them private, like in the single machine deployment. The  problem is to keep them unavailable from any other machine but my pentesting machine. The first thing to notice is that the  box running Metasploit Pro has two NICs - for a reason.  After fiddling with it for literally days, I learned that there really  isn't any way to give access from the second machine to a "host only"  network. To make it easier, I will refer to the Metasploit machine as Box A and the machine with the target VMs as Box B.

So here's what I did:

I set up Box A so that access out is on eth0 and access to the box  with Box B is on eth1. (I only did this on Linux; setup on Windows will be different.) First, I configured a DHCP server on Box A, but
only for eth1. Otherwise, this can muck up your other interface. But don’t worry…  it’s easy.

First, I installed the DHCP server:



root@pro_server: apt-get install dhcp3-server




Next, I fired up my favourite text editor and edited the config so that it only runs on eth1:




root@pro_server: vim /etc/dhcp3/dhcpd.conf




Find this line








Replace with the following line








Save and exit.

Next I made a backup copy of the
/etc/dhcp3/dhcpd.conf file:




root@pro_server: cp /etc/dhcp3/dhcpd.conf /etc/dhcp3/dhcpd.conf.back




I edited the conf file: /etc/dhcp3/dhcpd.conf file using the following command




root@pro_server: vim /etc/dhcp3/dhcpd.conf file




From here, I just modified the file as I saw fit (you can check out my config here). I needed to ensure that the subnet range on eth1 was  different from that of eth0. I chose, then I modified my  interfaces file:





root@pro_server: vim /etc/network/interfaces




Make the IP of Box A  on eth1 static and in the range. I chose, saved, and then ran:




root@pro_server: service dhcp3-server restart




I then connected the two machines with a network cable, going from eth1 on Box A to eth0 on Box B.

As a result, Box B was completely reliant on Box A for network connectivity. If you want, you can set up services like Internet Connection  Sharing and File Sharing.

While Option 2 is not required for all pentesting labs, I built  mine this way because my lab would be used by several people, and I did not want to run out of resources.


How to host the vulnerable target machines

When installing/building the VMs I was presented with a ton  of options for RAM, processor, and network adapters. I simply thought: "What would be period correct for a particular operating  system?" That is, what would be the minimum system requirement to install it when the OS first came out? here is my recommendation for RAM - thanks to the Metasploit team for their input:

  • Metasploitable: 256 MB (pre-built)
  • Ultimate Lamp: 384 MB (pre-built)
  • Windows XP SP3: 512 MB
  • Windows 2003 Server R2: 512 MB
  • RedHat 6.5: 256 MB
  • Windows 7 RC2: 768 MB
  • Windows 2000 Advanced Server SP4: 256 MB




I also assigned a single core to each VM across the board (they're  not going to be doing much processing). Installing the operating systems was easy. Some of the installers were older and a bit tricky, but  for the most part VMware Workstation just did it for me. If you use VirtualBox, you may have to install them manually. (I'm not sure about Hypervisor.)

For each VM, I set up the network individually. For Option 1 (the self-contained test environment) I  simply assigned the network setting to VMnet1 (the host-only network we  created earlier).

Option 2 was totally different. Since Box A is the actual DHCP server  in this scenario, I wanted to make sure all of the VMs be assigned IP addresses that would be on the same subnet as Box A. Instead of assigning each a host-only IP address, I bridged the connections so all share the connection as Box B and are assigned IP addresses from box A.

I was now ready to test: Launch Metasploit Pro, create a project, and scan the network. Low and behold… Success!






















Folks, this setup took me a few tries before I got it right. If you have any questions, feel free to comment or email me directly.

Originally Posted by Chris Kirsch






"Prost Neujahr!" That's what we say for "Happy New Year" in Germany, where I just spent a few days with my family to relax and get away from work. A futile attempt, since the Bundesamt für Verfassungsschutz (Federal Office for the Protection of the Constitution, or BfV for short) decided to publish new statistics about cyber attacks. (And, yes, Germans love long words.)

According to the BfV's
department for counter-espionage, the number of attacks on German government agencies has almost doubled - from 900 to 1,600 in the first nine months of 2010 compared to the previous year. The attackers are targeting political, military and economic organizations. According to the agency, a large majority of the attacks originate from government agencies in China. It's not surprising that this is  the case. However, what's surprising is that the German government publicly calls the Chinese government out for these attacks. According to the BfV, China's attacks are getting more and more sophisticated and often use emails that contain malicious attachments - a simple attack, which seems to work just fine.

To protect against this new threat, Germany is founding the National Cyber Defense Center, a joint venture of the BSI, BfV, BND, and other agencies. A political solution to a political problem, but unlikely one that will reduce the effectiveness of these social engineering attacks, unless they focus on training the users (
see blog post).

NATO already identified cyber warfare as a potential attack vector that could invoke the alliance. Fanned by the Stuxnet debate, NATO's general secretary Anders Fogh Rasmussen is debating whether computer viruses and tanks should be viewed at equal footing from a legal perspective. This sounds like the dark ages of cryptography where many countries placed strong cryptography under export control or even outlawed its use.

Applying the laws of physical weapons to the online world did not work then and is unlikely to work now. In 2007, Germany introduced a
"no hacking tools" law that makes the publication of vulnerabilities or the distribution of hacking tools unlawful. This is hampering the work of white hat hackers because they can no longer legitimate find and warn about security issues, but it doesn't deter the criminals. Just think: Should we outlaw hammers because someone used one as a murder weapon? Outlaw murder, not the hammer. Otherwise, you are deterring the good guys from doing legitimate work. Also, Germany is effectively crippling its domestic talent pool to train experts in penetration testing to defend its network or, if we are intellectually honest, to launch counter-attacks.

Stopping China's attacks is far from easy, but there are better approaches. With the West being so dependent on China, a war with China is out of the question, and tariffs on Chinese goods would fuel domestic inflation. If hacking attacks are state-sponsored, the West must exert diplomatic pressures on China to stop the hacking attacks, threatening to favor investment in other countries such as India. If attacks are not state-sponsored but instead originate from organized crime, regular laws regarding financial crime or sabotage can be applied and criminals can be extradited and persecuted.

Have a safe and sane 2011! Prost Neujahr!

Originally Posted by Sean Taylor



Gawker got owned. Bad. The resulting data breach resulted in some pretty entertaining fallout: a hacker gang took down a website purely on perceived arrogance and self-worth of the target, millions of accounts wound up compromised all across the web. NPR and other outlets wound up trying to tell us for like the 10th time how to make a secure password. Overall, it was probably the second-most entertaining data-breach this year. (The first one, of course, was when the GNAA goatse'd the world with the help of the media.) 

The coverage of the Gawker Media breach had me smiling in that megalomaniacal cat-stroking fashion. Everyone talked about the passwords-- not a whole lot more. It sort of demonstrates the disconnect between the general security community as a whole and the people who are most affected by secure and insecure products and measures. Strong passwords are really just the beginning. In fact, I really don't think the passwords are the worst part of the leak. 

Gawker Media is one of the more interesting aspects of the 21st century Internet: a blogging franchise. Sort of like how Yum! Inc. owns Taco Bell, KFC and a bunch of other restaurants, Gawker Media owns a bunch of different blogs, most notably
Kotaku for gaming, io9 for Sci-FI, Gizmodo for tech, and-- even that ever-pervasive staple of the Internet-- Fleshbot for porn. (And if you think that porn-blog is in the least bit worksafe, you're completely wrong.) If you have an account on any Gawker site, you have access to the whole Gawker Media franchise. So if one site gets popped, it's likely that the other sites will get popped as well. That means, of course, #gnosis ran out of the Gawker site like bandits with 1.3 million e-mail addresses and passwords. 

Let's take a step back and provide a vague explanation from a business perspective. What does 1.3 million e-mail addresses mean? That means 1.3 million potential customers, 1.3 million potential consumers, 1.3 million potential viewers-- and as a result, a potential for a whole boatload more money than just 1.3 million. Granted, people are so seasoned against spam now that it's more likely that you'll only get about 13,000 users to return on your investment-- but that Gawker list? It's free, baby. You'd have nothing to lose and everything to gain as an advertiser with that list. After all, there's no way to legitimately prove the data was taken from that Gawker hack. And even if the seed data you used was, in fact, considered illegally rooted-- assuming anyone who cared enough to enforce that sort of law brought the hammer down on the advertiser (hint: highly unlikely)-- all the information you had gathered at that point isn't necessarily illegal in itself. Every day, advertisers are harvesting your Facebook information, your Twitter statuses and all sorts of other information about you. In a bank somewhere-- or in multiple places with multiple stories, really-- there's tons and tons of various little tidbits about you. What your favorite color is, what makes you angry, what turns you on-- all sorts of fun horrors like that. Any rogue entity who wishes to advertise at you with this information is going to do it. Advertisers are scrupulous by nature-- their entire business is about making money off of people by telling them to give someone money. That's all advertising is. If they make you laugh, you might give them money. If they scare you, you might give them money. If they appeal to your sense of self-importance, you might give them money. Competition dictates they abuse your psyche in order to get the most optimal gain for their employers. 

This is just advertisers! For the most part, these people will bind themselves by US law in some way or another-- from class-action lawsuits getting angry at their tactics, regulators stepping up to the plate and putting the kibosh on their ridiculousness or by their own self-regulation. What about the lawless, what can they do with this sort of data? 

We can start with the e-mails. Going back to the iPad "hack" that Weev and the Goatses managed to drag out of Apple's database, the list had quite a few high-profile people on it-- like a significant amount of .gov e-mail addresses. Goatse Security, in the name of honesty and white-hattery, censored the e-mail addresses when they released all the data. Well, let me be more accurate: when they released all the data
to the press. All it takes is one little GNAA member to, say, sell the list to a spamming gang in Russia or an informative espionage gang in China. Suddenly, both of those groups have quite significant access to people within the government. 

What's interesting about e-mails, though, is that almost everyone has an e-mail address. Those who don't are either never connected to the Internet or somehow find other magical ways to register and communicate on the Internet. And because everyone has an e-mail address, someone needs to set up the infrastructure for it. Because of both the human desire to control and make things easy, employees are given addresses that follow a pattern-- usually firstname.lastname or firstname_lastname. A single e-mail exposed in this list at a single corporation will expose the pattern used by the company, thus leaving the potential to expose
all users to potential contact by anyone who downloads this data. Suddenly 1.3 million becomes more than 1.3 million. 

But what does 1.3 million actually mean? That's roughly the population of just one or two
counties in Los Angeles-- is it really worth it to be able to contact those sorts of people? What if it's just 1.3 million Internet denizens? Who cares if half of that number wind up being spam bots? 

Gawker Media attracts people of all shapes and sizes, of all backgrounds and types because of its business model-- being a blogging franchise of a vast array of generic, eye-drawing interests. Everyone in one way or another who's on the Internet is likely connected to a blog like this. And the data proves it-- from .gov to .com to .org.ua, there's quite a demographic of English speakers and readers who go to Gawker-based blogs. Programmers, journalists, cooks, pornographers, Catholics-- you name it, they're probably on that list somewhere. 

Because of the absolute diversity that exists within the Gawker network, this breach is much more significant than just a few thousand poor schmucks with the password 123456. Let's say you're an attacker who wants to go after TheWidgetReport.com, a blog all about the state of the Widget market. (It's even got a few cutesy jokes mocking the Widget industry.) They've got a few hundred writers-- after all, they've got the market on Widget reporting cornered. 

All of the writers at TheWidgetReport have an e-mail address-- but you don't know what their e-mail addresses are. They're never listed on the site, and in order to actually e-mail them you have to go through some ridiculous form that probably never gets to them anyway. (You know, because they don't want to expose the world to their e-mail address-- after all, that would get them quite a lot of spam and people they don't want to talk to to begin with!) However, every article written on TheWidgetReport is associated with a writer in some way or another, listed in the credit of each article that pops up. 

Let's say Shirley Cache is a writer for TheWidgetReport and just
adores Jalopnik. She's got an account on Gawker's network-- in fact, she's the only one of a few editors and writers from TheWidgetReport who know anything about the Gawker network. The Gawker breach happens-- but Shirley's smart. She's been around the Internet. She knows that if she uses the same password everywhere, it's going to come back and haunt her. The same goes for her other colleagues with Gawker accounts, thus rendering the passwords rather useless. 

The issue is that now the attackers knows what the pattern is for TheWidgetReport-- firstinitial_lastname@thewidgetreport.com. Now all the attacker has to do is write a script to scrape every article on The Widget Report and convert the authors into e-mail addresses. Suddenly the attacker's got a rather worthwhile list not only for performing social engineering attacks but for selling to spammers, too. Instead of simply having three addresses for an attack vector for TheWidgetReport, the attacker now has a nearly complete list of all employees at the company! This provides a much stronger likelihood of breaking into TheWidgetReport and running away with even more data than before-- such as, for example, all the readers of TheWidgetReport's e-mail addresses and passwords. 

Michael Burns asked us to make predictions for 2011, and I believe information is finally going to take center-stage as the thing everyone wants to abuse. Information is the crux of any form of attack-- for example, you can only create a buffer overflow
after you've gleaned information regarding a specific vulnerability. Indeed, information can be abused for personal gain as well-- for example, advertisers harvesting your delicious Likes and Dislikes on Facebook as if it were fine-grain corn. With WikiLeaks taking over the headlines with how it deals with information, I made the prediction that we're going to see a whole lot more attacks based around information: character assassinations, massive spam campaigns and propaganda out the wazoo just to name a few. 

In essence, I think the Gawker hack is a nice little window into what's to come. Sure, data breaches have come in some form or another at some time or another-- that's why
DatalossDB is so diligently documenting them. Indeed, blackhats are already well aware of the worth a plethora of precisely gathered information yields to anyone who wishes to purchase. But the security spectrum is shifting, and as it shifts, the lowest common denominator with the most potential gain is what gets the most attention. This is why you saw hacking trends shift from remote buffer overflow exploits to local buffer overflows to SQL injections eventually to XSS-- each item in the sequence became more and more secure over time, forcing the Internet background radiation to gravitate toward simplicity with greater gain. (I probably used "Internet background radiation" incorrectly there, but man is that a great topic! Read that paper!) 

In 2011, information will be in the crosshairs of the LCD of hackers and skiddies. It's just too ripe for the plundering-- there's no way to completely stop the abuse of it other than by reducing or obscuring the information, and to do that would disrupt business entirely. Information
needs to be out there in order for a lot of people to function. And some information is worth quite a bit of bank to the unscrupulous and wickedly intelligent.

Filter Blog

By date: By tag: