We are new R7 users (one day old) and are noticing what could be false flags. Wondering if anyone has any thoughts on the below. Are #1 and #2 false flags, or should we do what we describe?

1) R7 is performing a POST on a GET. "R7 reported POST requests to those urls. But from the user's perspective those urls are browser urls when the user switches from page to page. Those are not API urls (which start with /api). When I open Chrome dev tools and the network tab I notice that when we go from page to page all those URLs are accessed with a GET request. So I am confused. Why did R7 access those URLs with the POST method at all?" Is the solution to deny POST here to close this out?

2) CORS issue. Currently the rule is that we return the client's IP address as the value of the ACCESS-CONTROL-ALLOW-ORIGIN header. But if the client didn't send an Origin header with its IP address or URL, we return the wildcard *. We could instead send an error back if the client sent a request without an Origin header. So a wildcard would never be sent back as a regular value in the response header. In normal situations, when a client accesses the app from the browser, the Origin header will always be present. However, R7 is sending this request without an Origin header. So if I deny requests without an Origin header, the client's experience should not be affected. Is that what R7 is suggesting we do to close this out?

3) Long scans. It took a few hours to run the scan in the demo, and now as a customer it is taking longer. Some of this could be us (greater attack surface as we change the product). But looking at the log for our scan, it looks like R7 is constantly logging out and back in. Is this expected behavior?

Thanks, Judah
Posted by Judah Phillips 9 months ago
I use Metasploit Pro for penetration testing. For one of the servers, I was running a bruteforce check. While checking, I received these errors. Can anyone tell me if someone has come across such errors and a solution for it? One thing I notice is that whenever the target OS closes the port (because of the account lockout policy), this kind of error occurs. But ideally, it should not give such call trace errors and should continue the other tests. In my case, it abruptly ends the bruteforce check.

Metasploit Pro version: 4.14.3
Host OS: Ubuntu
Target OS: FortiOS

Error log:

[+] [2018.09.20-13:40:33] xxx.xxx.xxx.xxx:8008 SUCCESSFUL - username:password
[-] [2018.09.20-13:40:33] xxx.xxx.xxx.xxx:8008 - No authentication required
[-] [2018.09.20-13:40:33] xxx.xxx.xxx.xxx:8008 - No authentication required
[*] [2018.09.20-13:40:33] xxx.xxx.xxx.xxx:8008 INCORRECT - username:password
[-] [2018.09.20-13:40:33] xxx.xxx.xxx.xxx:8008 - No authentication required
[-] [2018.09.20-13:40:33] xxx.xxx.xxx.xxx:8008 - Unexpected HTTP response code 302 (is this really Chef WebUI?)
[-] [2018.09.20-13:40:33] xxx.xxx.xxx.xxx:8008 UNABLE TO CONNECT - username:password
[-] [2018.09.20-13:40:47] Auxiliary failed: Errno::ECONNRESET Connection reset by peer
[-] [2018.09.20-13:40:47] Call stack:
[-] [2018.09.20-13:40:47] <internal:prelude>:76:in `__read_nonblock'
[-] [2018.09.20-13:40:47] <internal:prelude>:76:in `read_nonblock'
[-] [2018.09.20-13:40:47] /opt/metasploit/apps/pro/vendor/bundle/ruby/2.3.0/gems/rex-core-0.1.13/lib/rex/io/stream.rb:72:in `read'
[-] [2018.09.20-13:40:47] /opt/metasploit/apps/pro/vendor/bundle/ruby/2.3.0/gems/rex-core-0.1.13/lib/rex/io/stream.rb:202:in `get_once'
[-] [2018.09.20-13:40:47] /opt/metasploit/apps/pro/vendor/bundle/ruby/2.3.0/gems/metasploit-framework-4.17.11/lib/rex/proto/http/client.rb:550:in `block in read_response'
[-] [2018.09.20-13:40:47] /opt/metasploit/ruby/lib/ruby/2.3.0/timeout.rb:74:in `timeout'
[-] [2018.09.20-13:40:47] /opt/metasploit/apps/pro/vendor/bundle/ruby/2.3.0/gems/metasploit-framework-4.17.11/lib/rex/proto/http/client.rb:539:in `read_response'
[-] [2018.09.20-13:40:47] /opt/metasploit/apps/pro/vendor/bundle/ruby/2.3.0/gems/metasploit-framework-4.17.11/lib/rex/proto/http/client.rb:230:in `_send_recv'
[-] [2018.09.20-13:40:47] /opt/metasploit/apps/pro/vendor/bundle/ruby/2.3.0/gems/metasploit-framework-4.17.11/lib/metasploit/framework/login_scanner/http.rb:192:in `check_setup'
[-] [2018.09.20-13:40:47] /opt/metasploit/apps/pro/modules/auxiliary/pro/bruteforce/quick.rb:242:in `block in run_scanner'
[-] [2018.09.20-13:40:47] /opt/metasploit/ruby/lib/ruby/2.3.0/timeout.rb:91:in `block in timeout'
[-] [2018.09.20-13:40:47] /opt/metasploit/ruby/lib/ruby/2.3.0/timeout.rb:33:in `block in catch'
[-] [2018.09.20-13:40:47] /opt/metasploit/ruby/lib/ruby/2.3.0/timeout.rb:33:in `catch'
[-] [2018.09.20-13:40:47] /opt/metasploit/ruby/lib/ruby/2.3.0/timeout.rb:33:in `catch'
[-] [2018.09.20-13:40:47] /opt/metasploit/ruby/lib/ruby/2.3.0/timeout.rb:106:in `timeout'
[-] [2018.09.20-13:40:47] /opt/metasploit/apps/pro/modules/auxiliary/pro/bruteforce/quick.rb:238:in `run_scanner'
[-] [2018.09.20-13:40:47] /opt/metasploit/apps/pro/modules/auxiliary/pro/bruteforce/quick.rb:109:in `block (3 levels) in run'
[-] [2018.09.20-13:40:47] /opt/metasploit/apps/pro/modules/auxiliary/pro/bruteforce/quick.rb:105:in `loop'
[-] [2018.09.20-13:40:47] /opt/metasploit/apps/pro/modules/auxiliary/pro/bruteforce/quick.rb:105:in `block (2 levels) in run'
[-] [2018.09.20-13:40:47] /opt/metasploit/apps/pro/vendor/bundle/ruby/2.3.0/gems/metasploit-framework-4.17.11/lib/msf/core/thread_manager.rb:100:in `block in spawn'
Posted by Jenis 9 months ago
The number of assets changes daily, I do run a discovery scan on the populated assets but it seems like asset linking does not work fully and I end up with duplicate assets. The site is defined with an AD LDAP query and is set to consume daily, it has nearly doubled in size in the last few weeks. Should I be running a discovery scan on these?
Posted by firstname.lastname@example.org 9 months ago
Using InsightVM, I have successfully set up and connected to our Docker registry. Going from Containers > Repositories, I see the list of our repositories. I click on one of them and see the list of image IDs. They are not assessed. I click on Assess and it displays a message: "Image could not be assessed. Image [redacted] could not be assessed. The image could not be found in any available registry. You can configure a new registry connection (recommended) or manually upload the image using the output of docker save command. Add a Registry Connection. Cancel. Or upload an image file." As I already have the registry connection, and links to the repos set up in InsightVM, is there a step I'm missing?
Posted by Rudi Coursen 9 months ago
Hi, I have a weird problem. I have a site, and when I try to scan the site it cannot connect to Windows machines. The scan time for the machines is quite low (less than a minute). When scanning a single asset it works like it should. Has anyone had this issue and knows how to overcome it? Thanks.
Posted by Netsec Team 9 months ago
Hello All, I am trying to integrate the Nexpose Scanner with QRadar via the API site import method, which requires the Nexpose SSL certificate to be added to the QRadar console. I am new to Nexpose; could you please guide me on how to get this cert from Nexpose? Regards
Posted by Shaf 9 months ago
[-] ***rting the Metasploit Framework console...|
[-] * WARNING: No database support: No database YAML file

Hello, I just did a clean install of Kali Linux 2018.4 on Hyper-V. Did get-apt update && apt-get dist upgrade. Opened msfconsole and saw I was running msf 4, so I ran this command:

curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && \
chmod 755 msfinstall && \
./msfinstall

And now when I start msfconsole I get the "No database YAML file" warning. Any suggestions?
Posted by Siggi Arnar 9 months ago
Hello I have been getting support from Rapid7 support portal for almost a month now. This is where I login: https://rapid7support.force.com/customers/login?inst=1O However, today when I entered the user name and password, I was redirected to the following screen: https://insight.rapid7.com/login I do not know what to do now. I have three open cases for which I need urgent support. I last logged in successfully on Friday (11 Jan 2019). How can I access the support portal now?
Posted by SUH 9 months ago
Environment: Win 10 Pro

Description: I have downloaded and installed the Metasploit Framework v5.0.1 on my computer. When I type msfconsole in cmd, it can start the framework but fails to connect to the database. I would like to configure msf to connect to PostgreSQL. First it appeared I hadn't configured database.yml properly, so I copied the file metasploit-framework\embedded\framework\config\database.yml.example, renamed it to database.yml and placed it in the same directory, which is metasploit-framework\embedded\framework\config\, but then I got WARNING: No database support: ActiveRecord::ConnectionNotEstablished while starting msfconsole. After that, I ran db_xxx commands in msf such as db_status, but it shows No database driver installed. I already registered the embedded PostgreSQL as a service and I can connect correctly using Navicat. I use net start PostgreSQL to start the service. I tried gem install pg -v '0.20.0', but the problem is still there. I am not familiar with Ruby; could you tell me how to deal with this?
Posted by willijk 9 months ago
How do you handle hardware management devices? In my case I have a number of HP iLOs. Currently the management interface is a separate asset from the actual server/OS. Internal responsibility for addressing vulnerabilities lies with the same group for both OS and hardware. Does it make sense to keep these separate, and thus use 2 licenses for 1 device, or is there a method by which these can be correlated together? Thanks!
Posted by Brad 9 months ago
Using vSphere to dynamically learn the assets in a given site. Many of the assets are now showing the asset's IPv6 link-local address instead of the IPv4 address. How can I have only the IPv4 address appear for each asset? Thank you.
Posted by David Miller 9 months ago
My weekly maintenance was taking longer than usual this morning and the console shows aide running at over 95% of CPU. I found an older guide recommending that aide not be on Nexpose servers here: https://www.rapid7.com/docs/download/Nexpose_Hardening_Guide.pdf. We didn't install it on our InsightVM console, so I'm guessing it's included now and considered safe on the console despite the load it's putting on my system currently?
Posted by Charles Burch 9 months ago
I'd like to create a Dynamic Asset Group that includes all assets that do not have an IP address. I've tried using regex in the IP Address LIKE field, but nothing populates. Has anyone had any success with this? The scenario is we use the Active Directory discovery connection, and it imports stale assets that are no longer on the network, so it imports the name & OS of the asset, but not an IP address. I'd like to create an asset group to find all of these assets to purge and exclude from global reports.
Posted by Zach Garrow 9 months ago
Can somebody explain this finding? "The database allows any remote system the ability to connect to it. It is recommended to limit direct access to trusted systems because databases may contain sensitive data, and new vulnerabilities and exploits are discovered routinely for them. For this reason, it is a violation of PCI DSS section 1.3.6 to have databases listening on ports accessible from the Internet, even when protected with secure authentication mechanisms" So, by virtue of us having our scanner on a network that can scan our SQL servers we are receiving this as a finding? We manage our SQL servers via SSMS, but they are not open to external networks. Is there any way to 'remediate' this other than to not allow our Nexpose appliance to scan our SQL server vlan? I suppose there are a few servers that don't need 1433 open to anything outside the local server.
Posted by Mark Payne 9 months ago