Hi All, On the report "top 25 remediations by risk", we'll have a remediation such as "update to the latest version of Adobe Air". Is there any way to see (either in a report, or the web console) the actual devices under this remediation? Ideally, I'd like to see this in the web console, so I can run filters etc.
Posted by Jonathon Zachariah about a year ago
We have a DC in a firewalled network. We are seeing failed communication (via ASA logs) between the collector and the DC on TCP 49154. I see no mention of that port anywhere in the documentation. We are unable to query the DC via WMI and this is the only port we are seeing denies on since creating the log source. Thoughts? Just allow 49154 and call it good? TIA
Posted by Scot Lymer about a year ago
Hello, I am a student in cyber security and I have one problem. In the lab we hacked the Windows XP with the command "msfpayload windows/adduser". Now they want to hack again the Windows XP but with the "windows/exec" to run any command in the Windows XP. Can you tell me how to do it? I am searching all the time in Google and I can't find the way. Please guys, thank you.
Posted by Nefeli Anthi about a year ago
I have a machine running Windows 10 with the latest Fall Creators Update and Rapid7 is showing this: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion CurrentBuild - contains unexpected value 16299. However, 16299 is the build number of the Fall Creators Update aka Redstone3. https://en.wikipedia.org/wiki/Windows_10_version_history Think there may be an error in the database of vulnerabilities? Also, this machine does have the March set of patches installed. It also keyed off of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\currentversion\Policies\System\CredSSP\Parameters - key does not exist, and UBR - contains unexpected value 309.
Posted by Chris Bachmann about a year ago
Hello, We are running a POC of InsightIDR and we are getting the following message (in bootstrap.log) when we try and activate a collector.
Mar 16, 2018 9:10:55 AM com.rapid7.razor.collector.bootstrap.impl.JavaLogHelper$Logger info
INFO: RegistrationManager attempting to connect to the server: https://eu.data.insight.rapid7.com/api/1/collector/register
Mar 16, 2018 9:10:55 AM com.rapid7.razor.collector.bootstrap.impl.JavaLogHelper$Logger info
INFO: **** Agent key for this Collector is: 311aa03d-7c6f-446b-a015-c85a113b4ff8
Mar 16, 2018 9:10:55 AM com.rapid7.razor.collector.bootstrap.impl.JavaLogHelper$Logger error
SEVERE: Registration process failed with exception
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
    at sun.security.ssl.Handshaker.processLoop(Unknown Source)
    at sun.security.ssl.Handshaker.process_record(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
    at java.net.URL.openStream(Unknown Source)
    at com.rapid7.razor.collector.bootstrap.impl.RegistrationManager.registerWithServer(RegistrationManager.java:203)
    at com.rapid7.razor.collector.bootstrap.impl.RegistrationManager.doRegister(RegistrationManager.java:108)
    at com.rapid7.razor.collector.bootstrap.impl.RegistrationManager.checkRegistration(RegistrationManager.java:72)
    at com.rapid7.razor.collector.bootstrap.impl.BootstrapProcess.call(BootstrapProcess.java:46)
    at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
    at java.util.concurrent.FutureTask.run(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Wireshark gives me a:
59 30.875484 my collector ip my proxy ip TLSv1.2 61 Alert (Level: Fatal, Description: Certificate Unknown)
We have allowed SSL pass through and the server can get to the site. Any ideas?
Posted by Martin Austin about a year ago
Has anyone tried to utilize the Exchange transport in InsightIDR with Exchange 2010? I know that the official stance is that it is not supported; however, I would like to know if anyone has tried it, if it worked, or if it blew up their Exchange 2010 server.
Posted by Jack Rider about a year ago
In the installation instructions for Metasploit, it is mentioned that the AV and Firewalls must be disabled since the AV software will detect Metasploit as malicious and prevent it from running. Disabling AV and Firewall on the Server where Metasploit is running will create a risk and leave my server unprotected. So my questions here are:
1. Will Metasploit work with an AV software such as Cylance which provides a fileless, signatureless method of detection?
2. What are the compensatory controls that need to be in place to ensure that my server and network are not at risk due to the AV being blocked?
3. If the AV is blocked, does the Metasploit software not get downloaded either?
Posted by Debrup Bhattacharjee about a year ago
I have an asset group that is basically what I consider low hanging fruit, typically below a risk score of 100. There aren't any methods to purge dead assets, inactive assets, sites with 0 vulnerabilities, etc. Are there any features or scripts available that I can use to automate the clearing of assets that are in this group?
Posted by Drew Tabor about a year ago
I am a new user to InsightVM. My scan is showing a ton of Google Chrome Vulnerability entries. The device does not have Chrome on it so I am guessing it is an old version that has not been completely uninstalled. Is there a way to find out where this thing is hiding?
Posted by Ron Gallimore about a year ago
I haven't had any luck with submitting corrections for typos etc. in check descriptions so they don't show up in reports. I've talked to various people through the years about a method for submitting check recommendations and other related content. (The great work with fingerprints via recog aside.) I'll submit the question again for 2018. I've been working through checks for common UDP services known for DoS amplification for my environment. While going through them I'm finding that amplification checks for services like quote of the day, chargen, etc. are triggering for services on TCP. I'm going through and generating copies of the checks and including the simple UDP check that Ross Kirk helped me add to checks for systems vulnerable to memcached amplification. I'm currently replacing the default checks to reduce false positives. Is there any way to submit simple modifications outside of the less than useful 'idea portal'? Last I checked there was no workflow through support for things like this.
Examples: chargen-amplification, qotd-amplification, etc.
https://github.com/BrianWGray/cmty-nexpose-checks/blob/master/cmty-qotd-amplification.vck
https://github.com/BrianWGray/cmty-nexpose-checks/blob/master/cmty-chargen-amplification.vck
If there are issues with the tweaks, I'm open to learning what I might be doing improperly and improve so that I can give back to the Nexpose community.
Posted by BrianWGray about a year ago
I am trying to install and set up the Linux agent with Docker.
Dockerfile >>>
FROM ubuntu:16.04
RUN apt-get update -y
COPY Linux_Insight_Agent/ /app/
RUN chmod u+x /app/agent_installer.sh
RUN ./app/agent_installer.sh install_start
It is throwing me the error:
-------------------------------------------
Installing systemd service
[INFO] Failed to connect to bus: No such file or directory
Configuration file /etc/systemd/system/ir_agent.service is marked executable. Please remove executable permission bits. Proceeding anyway.
Created symlink /etc/systemd/system/default.target.wants/ir_agent.service, pointing to /etc/systemd/system/ir_agent.service.
Can anyone please help me with this and suggest another way to set it up in a Docker container? NOTE: I don't want to use the Docker agent.
Posted by ashwani about a year ago
Just trying to extend the DRP timeframe from 45 to 50 days. My concern is the safe-keeping of the existing 45 days of data. The following message pops up when attempting to change the setting: "You cannot stop the routine once it starts, and all data removal is permanent. Do you want to enact this policy?" What are the real implications of this ominous warning message? Hoping it doesn't wipe everything and start with a new data set. I doubt it would, but wanted to confirm with someone who has actually done it.
Posted by David Honeycutt about a year ago
I'm looking to differentiate between solutions that require a patch or software upgrade vs. vulnerabilities/solutions that are a consequence of system or application configuration. I'd like to be able to run a query for each to identify which is introducing more risk: configuration issues or patch management issues.
Posted by Sean Harcourt about a year ago
I'm evaluating the InsightVM tool in vulnerability assessment for our small (but certain to grow) Docker container servers. I have not been able to assess the images even though the tool does recognize the servers as container hosts. When I reached out to the group standing up the containers, they explained they are placing and building the images directly on the servers and use no registry. Is it possible for InsightVM to work with this use case?
Posted by Diana Orrick about a year ago