After the November '18 Windows updates, my InsightVM console won't start. It reaches 94% initialising, then hangs. The log shows the following repeating endlessly:

```
2018-11-16T11:27:43 [ERROR] [Thread: directory-watcher-file-processor-006] Received an error from the parser: [File: j50tmp.log] -- Unexpected exception com.hierynomus.mssmb2.SMBApiException: STATUS_SHARING_VIOLATION(3221225539/3221225539): Create failed for Windows\System32\dhcp\j50tmp.log
    at com.hierynomus.smbj.share.Share.receive(Share.java:342) ~[smb-file-service-0.2.4.jar:na]
    at com.hierynomus.smbj.share.Share.sendReceive(Share.java:322) ~[smb-file-service-0.2.4.jar:na]
    at com.hierynomus.smbj.share.Share.createFile(Share.java:135) ~[smb-file-service-0.2.4.jar:na]
    at com.hierynomus.smbj.share.DiskShare.createFileAndResolve(DiskShare.java:79) ~[smb-file-service-0.2.4.jar:na]
    at com.hierynomus.smbj.share.DiskShare.open(DiskShare.java:69) ~[smb-file-service-0.2.4.jar:na]
    at com.hierynomus.smbj.share.DiskShare.openFile(DiskShare.java:144) ~[smb-file-service-0.2.4.jar:na]
    at com.rapid7.net.smb.impl.SmbjRandomAccessFile.read(SmbjRandomAccessFile.java:57) ~[smb-file-service-0.2.4.jar:na]
    at com.rapid7.razor.collector.common.FileProcessor.readLines(FileProcessor.java:510) [collector-plugin-common-0.6.11.jar:na]
    at com.rapid7.razor.collector.common.FileProcessor.processNormalFile(FileProcessor.java:403) [collector-plugin-common-0.6.11.jar:na]
    at com.rapid7.razor.collector.common.FileProcessor.processFile(FileProcessor.java:260) [collector-plugin-common-0.6.11.jar:na]
    at com.rapid7.razor.collector.common.FileProcessor.run(FileProcessor.java:100) [collector-plugin-common-0.6.11.jar:na]
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [na:1.8.0_162]
    at java.util.concurrent.FutureTask.run(FutureTask.java:266) [na:1.8.0_162]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_162]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_162]
    at java.lang.Thread.run(Thread.java:748) [na:1.8.0_162]
```

This appears to be related to our DHCP discovery Sites, and may be a file lock on the .log file. A couple of similar logs show locks on the temp.edb file and j50.log files. We have connections into ~15 DHCP servers so stopping each server to unlock the file will be difficult. I haven't seen this issue when starting the console previously.
Posted by Tim Lovegrove 5 months ago
Hi, I'd like to run `msfconsole`, set up a job using the `exploit/multi/handler` and keep it running using `exploit -j -z`. However, if I exit `msfconsole` the job is no longer running. Is it possible to persist the job even on exiting `msfconsole`? I have tried running the community edition and running the service; however, this doesn't seem to keep it running. Thanks.
Posted by Anthony Frisby 5 months ago
Hi, is it possible to run metasploit-framework (as installed from https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers) as a service? I can see that you can run it as a service if you install the community edition; however, I was wanting to just use the framework and not the web UI, and would prefer to run just the framework as a service. Is this possible? Thanks.
Posted by Anthony Frisby 5 months ago
Hi, we are trialing InsightOps but we are not happy with the amount of data we can operate on received from the Firewall (Fortigate) collector. First of all, it seems to process packets from fgt_traffic only, whereas there are more sources and they are valuable for us as well. The second thing is the keys. Comparing to what the collector is returning to what's in the source_data key you can't agree you get much. The type key and sub_type key of the packet, and also the source and destination interface, are missing, thus you are not able to distinguish whether it's incoming or outgoing traffic. I know you can achieve this by regular expression search, but we are migrating from Splunk, where there was a dedicated Fortigate app and the data was presented in perfect form. We would like to add more data sources from Fortigate (not only traffic): fgt_traffic, fgt_system, fgt_ips, fgt_vpn, etc. We would also like to add more keys we can operate on. Is that something we can do, or is it possible only from your side? Kind Regards
Posted by Andrzej Zakrzewski 5 months ago
During the Metasploit installation, I received the errors below.

Error 1: Problem running post-install step. Installation may not complete correctly. Error running D:\metasploit/postgresql/scripts/serviceinstall.bat INSTALL: The metasploittPostgreSQL service could not be started. The service did not report an error.

Error 2: Problem running post-install step. Installation may not complete correctly Postgres failed to initialize

OS: Server 2016 Version 1607 (OS Build: 14393.2580)
Posted by Brandon DeBruyne 5 months ago
Our appliance that hosts the Rapid7 Console is running out of space. Unfortunately, the drive that has it installed is unable to allocate more space as the disk has reached its maximum. Is there any way to do a platform backup and have it save to a different location/device? It looks like when it does this backup, it will save it to the current location. The problem with this is that there will not be enough space to do so. We have also done all of the cleanups/maintenance to free up any space.
Posted by Andrew Vaughan 5 months ago
Is it possible to use InsightVM to scan an RDS instance? I have manually added the endpoint as an asset and am trying to scan using an AWS pre-authorised scanner. However, I receive the following error: 'Unable to submit targets for verification'.
Posted by Peter Blake 5 months ago
```
/opt/metasploit-framework/embedded/framework/modules/payloads/singles/bsd/vax/shell_reverse_tcp.rb:24:in `initialize': uninitialized constant Msf::Handler::ReverseTcp (NameError)
    from /opt/metasploit-framework/embedded/framework/lib/msf/core/payload_set.rb:198:in `new'
    from /opt/metasploit-framework/embedded/framework/lib/msf/core/payload_set.rb:198:in `add_module'
    from /opt/metasploit-framework/embedded/framework/lib/msf/core/module_manager/loading.rb:73:in `on_module_load'
    from /opt/metasploit-framework/embedded/framework/lib/msf/core/modules/loader/base.rb:183:in `load_module'
    from /opt/metasploit-framework/embedded/framework/lib/msf/core/modules/loader/base.rb:238:in `block in load_modules'
    from /opt/metasploit-framework/embedded/framework/lib/msf/core/modules/loader/directory.rb:49:in `block (2 levels) in each_module_reference_name'
    from /opt/metasploit-framework/embedded/lib/ruby/gems/2.4.0/gems/rex-core-0.1.13/lib/rex/file.rb:133:in `block in find'
    from /opt/metasploit-framework/embedded/lib/ruby/gems/2.4.0/gems/rex-core-0.1.13/lib/rex/file.rb:132:in `catch'
    from /opt/metasploit-framework/embedded/lib/ruby/gems/2.4.0/gems/rex-core-0.1.13/lib/rex/file.rb:132:in `find'
    from /opt/metasploit-framework/embedded/framework/lib/msf/core/modules/loader/directory.rb:40:in `block in each_module_reference_name'
    from /opt/metasploit-framework/embedded/framework/lib/msf/core/modules/loader/directory.rb:30:in `foreach'
    from /opt/metasploit-framework/embedded/framework/lib/msf/core/modules/loader/directory.rb:30:in `each_module_reference_name'
    from /opt/metasploit-framework/embedded/framework/lib/msf/core/modules/loader/base.rb:237:in `load_modules'
    from /opt/metasploit-framework/embedded/framework/lib/msf/core/module_manager/loading.rb:119:in `block in load_modules'
    from /opt/metasploit-framework/embedded/framework/lib/msf/core/module_manager/loading.rb:117:in `each'
    from /opt/metasploit-framework/embedded/framework/lib/msf/core/module_manager/loading.rb:117:in `load_modules'
    from /opt/metasploit-framework/embedded/framework/lib/msf/core/module_manager/module_paths.rb:41:in `block in add_module_path'
    from /opt/metasploit-framework/embedded/framework/lib/msf/core/module_manager/module_paths.rb:40:in `each'
    from /opt/metasploit-framework/embedded/framework/lib/msf/core/module_manager/module_paths.rb:40:in `add_module_path'
    from /opt/metasploit-framework/embedded/framework/lib/msf/base/simple/framework/module_paths.rb:50:in `block in init_module_paths'
    from /opt/metasploit-framework/embedded/framework/lib/msf/base/simple/framework/module_paths.rb:49:in `each'
    from /opt/metasploit-framework/embedded/framework/lib/msf/base/simple/framework/module_paths.rb:49:in `init_module_paths'
    from /opt/metasploit-framework/embedded/framework/lib/msf/ui/console/driver.rb:199:in `initialize'
    from /opt/metasploit-framework/embedded/framework/lib/metasploit/framework/command/console.rb:62:in `new'
    from /opt/metasploit-framework/embedded/framework/lib/metasploit/framework/command/console.rb:62:in `driver'
    from /opt/metasploit-framework/embedded/framework/lib/metasploit/framework/command/console.rb:48:in `start'
    from /opt/metasploit-framework/embedded/framework/lib/metasploit/framework/command/base.rb:82:in `start'
    from /opt/metasploit-framework/bin/../embedded/framework/msfconsole:49:in `<main>'
```
Posted by vsly 5 months ago
I want to know if it is possible to make a backup of the DB and export it, since the equipment where it is has no more space. What I want to do is import the backup into a new security console. My question is: is that possible? If so, is there a procedure to do it?
Posted by luis alberto 5 months ago
Does Nexpose capture the Users in the local Administrator group on Windows systems? I know it captures the Groups and Users, but can you see who's in the Admin group on an asset?
Posted by David P 5 months ago
Hello, can someone help me? When I enter the security console and click on Dashboard, I get this error: HTTP ERROR 401 Problem accessing /saml/SSO. Reason: Response issue time is either too old or with date in the future, skew 300, time 2018-10-18T13:29:17.851Z.
Posted by Orlando Sánchez 5 months ago
Understanding that Rapid7 doesn't really provide support on the base Ubuntu OS, and recommends you have a Linux admin on staff, is there a list of software that Ubuntu needs, what versions they need to be/should be, etc. that can be provided to the Linux admin?
Posted by Matt Wyen 5 months ago
I've got about 9 systems all reporting this vulnerability, all 2012R2 with current IE Cumulative updates installed, most recently the below patch:

2018-10 Cumulative Security Update for Internet Explorer 11 for Windows Server 2012 R2 for x64-based systems (KB4462949)

These seem to be false positives. Any help?

Vulnerable software installed: Microsoft Internet Explorer 11.0.9600.19155
Vulnerable OS: Microsoft Windows Server 2012 R2 Datacenter Edition
Based on the following 3 results:
1. Microsoft patch KB4089187 is not installed.
2. Microsoft patch KB4088876 is not installed.
3. ◦ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ◦ UBR - value does not exist
Posted by Mark Payne 5 months ago
What are the login credentials for accessing the console from https://x.x.x.x:3780/? Installed Rapid7 VM Console from Azure Marketplace. Created VM with admin a/c username/password. Can access VM via ssh using admin a/c credentials. No credentials were prompted for Rapid7 VM Console access.
Posted by Dilesh Fernando 5 months ago
We are doing a PoC with Rapid7. We were using DHCP for the addressing scheme, and we had the network analysis team change the addressing to static IPs. Currently the console is reconfigured with the new IP, but one of the scanners, the only scanner, is currently not able to talk to the console because it can't get the new IP. How do we fix this? Do we rerun a script? Will this also affect anything?
Posted by vanessa villalpando 5 months ago
TL;DR: Does anyone have a working example of a Windows "Default Account" check and the steps necessary to implement it? How do you properly remove old custom/community checks? How do you update custom/community checks that may have been changed?

---

I'm trying to create a custom "Default Account" vulnerability check to search for the existence of previously used local administrator passwords in our environment. I've set a server to use this password, and am following the CIFS example here: https://kb.help.rapid7.com/docs/nexpose-common-vulnerability-check-examples

The vulnerability is never found though. I'm seeing several issues with the custom vuln I'm trying to write.

1) The "load content" command seems to work, and I see no failures in nsc.log. The custom check appears under the community category, I can search for cmty-* in the InsightVM console, etc. I see no problems with it. However, when I view the scan log, I see no mention of cmty-anything, which seems to indicate the check was never used in the scan. I've intentionally created a scan with this check, and only this check, enabled: nothing. I also know that the CIFS check -should- work. Using "mount.cifs" from a Linux workstation, I can clearly generate "permission denied" errors for bad passwords, and see no such failure for good passwords. In other words, it isn't failing due to lack of inbound port access, bad credentials, services not running, etc. The vulnerability does actually exist and I think I could quite easily write a quick bash script to test for it.

2) Previously built checks, which didn't work, still appear in the console. These checks were removed from the "CustomScanner" directory. Each time "load content" is run, I also see "Vulnerability cmty-old-check-that-doesnt-exist found in database, but does not have a vulnerability descriptor file.". Running the database maintenance scripts doesn't seem to help.

3) Checks which I modified the XML for do not get updated. For example, I changed a category from "Default" to "Default Account". However, the category remains the same. I'm unsure if the actual check (the ".vck" file) is actually being updated or not.
Posted by Mike 5 months ago