Hello all, I've found that when performing scans by IP addresses, the scanner identifies hostnames of some assets but not all. I would like to know how the scanner detects a hostname of an IP address. And also hope to know a way to ensure hostname detection for all devices.
Posted by Donggun Kim 4 months ago
Hi, we have a deployment requirement that the scanning account is not a local administrator on any machines. I've followed the guidance here: https://help.rapid7.com/nexpose/en-us/Files/Managing_credentials_Windows.html and am generally getting reasonable results. The final issue now is the scanning which utilises the Windows local administrative shares. It's well known that the local admin share permissions can't be altered to grant a non-local admin access. The work around is to add a new share and grant the correct permission to that. The documentation backs that up with "If you are not using administrator permissions then you will not be granted access to administrator shares and non-administrative shares will need to be created for read access to the file system for those shares." So I have created my non-administrative shares, however the documentation doesn't tell you how to configure Nexpose to actually try to utilise those new shares instead. Looking through the logs I can see it still just tries the admin shares which the account can not access. Can anyone offer any guidance on where this will be configured?
Posted by ISDSec Team 4 months ago
Interested in learning more regarding user tags listed next to user name under User Details. When an alert populates in Investigations then clicking on the event populated you're presented with Investigation Details page, on the right side of the page a blue link/s lists users associated with the event, when a user name is clicked, you're linked to User Details. The User Detail page lists the users name near the top-left of the page, along with other info. If a user is added to "watchlist" or a similar descriptor such as: o365 Admin, Service Account, etc, a tag will populate to the right (top-left of screen) of the users name, on the User Detail page. Can anyone educate me on the "Removed" tag that is sometimes listed to the right of a users name under User Details? I've looked through IDR support docs but have been unsuccessful locating a "key" describing certain tags. All responses are appreciated - thanks in advance!
Posted by TWolfe 4 months ago
Hi I have some issues auto generate a site report after an scan. - scan a site - generate a report - email the report to report owner. I cannot get InsightVM to generate a report after scan. Email is working when in manuel run a report /Jacob
Posted by Jacob Husted 4 months ago
Is anyone generating reports based on risk score? Not the numeric value of severity but the actual 0-1000 score give to each vulnerability. I'm not able to identify it in any of the query language capability nor in the report options. I'd prefer not to create a SQL script specially for it.
Posted by chris zieg 5 months ago
We are new R7 users (one day old) and are noticing what could be false flags. Wondering if any one has any thoughts on the below. Are #1 and #2 false flags or should we do what describe? 1) R7 is performing an POST on a GET. "R7 reported POST requests to those urls. But from the user's perspective those urls are browser urls when user switches from page to page. Those are not API urls (which starts with /api). When I open Chrome dev tools and network tab I notice that when we go from page to page all those URLs are accessed with GET request. So I am confused. Why did R7 access those URLs with POST method at all?" Is the solution to deny POST here to close this out? 2) CORS issue. Currently the rule is that we return back client's ip address as a value of ACCESS-CONTROL-ALLOW-ORIGIN header. But if client didn't send Origin header with it's ip address or url, we return wildcard *. We could instead send an error back if client sent a request without Origin header. So a wildcard would never be sent back as a regular value in response header. In normal situations when client access the app from the browser, Origin header will always be present. However, R7 is sending this request without Origin header. So if I deny requests without Origin header, client's experience should not be affected. Is that what R7 is suggesting we do to close this out? 3) Long scans. It took a few hours to run the scan in the demo, and now as a customer it is taking longer. Some of this could be us (greater attack surface as we change the product). But looking at the log for our scan, it looks like R7 is constantly logging out and back in. Is this expected behavior? Thanks, Judah
Posted by Judah Phillips 5 months ago
I use metasploit pro for penetration testing. For one of the servers, i was running bruteforce check. While checking, i received these errors. Can anyone tell me if someone has come across such errors and solution for it? One thing I notice is that, whenever target OS closes the port (because of account lockout policy), this kind of error occurs. But ideally, it should not give such call trace errors and continue the other tests. In my case, it abruptly ends the bruteforce check. Metasploit pro version: 4.14.3 Host OS: Ubuntu Target OS: Fortios Error log: [+] [2018.09.20-13:40:33] xxx.xxx.xxx.xxx:8008 SUCCESSFUL - username:password [-] [2018.09.20-13:40:33] xxx.xxx.xxx.xxx:8008 - No authentication required [-] [2018.09.20-13:40:33] xxx.xxx.xxx.xxx:8008 - No authentication required [*] [2018.09.20-13:40:33] xxx.xxx.xxx.xxx:8008 INCORRECT - username:password [-] [2018.09.20-13:40:33] xxx.xxx.xxx.xxx:8008 - No authentication required [-] [2018.09.20-13:40:33] xxx.xxx.xxx.xxx:8008 - Unexpected HTTP response code 302 (is this really Chef WebUI?) [-] [2018.09.20-13:40:33] xxx.xxx.xxx.xxx:8008 UNABLE TO CONNECT - username:password [-] [2018.09.20-13:40:47] Auxiliary failed: Errno::ECONNRESET Connection reset by peer [-] [2018.09.20-13:40:47] Call stack: [-] [2018.09.20-13:40:47] <internal:prelude>:76:in `__read_nonblock' [-] [2018.09.20-13:40:47] <internal:prelude>:76:in `read_nonblock' [-] [2018.09.20-13:40:47] /opt/metasploit/apps/pro/vendor/bundle/ruby/2.3.0/gems/rex-core-0.1.13/lib/rex/io/stream.rb:72:in `read' [-] [2018.09.20-13:40:47] /opt/metasploit/apps/pro/vendor/bundle/ruby/2.3.0/gems/rex-core-0.1.13/lib/rex/io/stream.rb:202:in `get_once' [-] [2018.09.20-13:40:47] /opt/metasploit/apps/pro/vendor/bundle/ruby/2.3.0/gems/metasploit-framework-4.17.11/lib/rex/proto/http/client.rb:550:in `block in read_response' [-] [2018.09.20-13:40:47] /opt/metasploit/ruby/lib/ruby/2.3.0/timeout.rb:74:in `timeout' [-] [2018.09.20-13:40:47] /opt/metasploit/apps/pro/vendor/bundle/ruby/2.3.0/gems/metasploit-framework-4.17.11/lib/rex/proto/http/client.rb:539:in `read_response' [-] [2018.09.20-13:40:47] /opt/metasploit/apps/pro/vendor/bundle/ruby/2.3.0/gems/metasploit-framework-4.17.11/lib/rex/proto/http/client.rb:230:in `_send_recv' [-] [2018.09.20-13:40:47] /opt/metasploit/apps/pro/vendor/bundle/ruby/2.3.0/gems/metasploit-framework-4.17.11/lib/metasploit/framework/login_scanner/http.rb:192:in `check_setup' [-] [2018.09.20-13:40:47] /opt/metasploit/apps/pro/modules/auxiliary/pro/bruteforce/quick.rb:242:in `block in run_scanner' [-] [2018.09.20-13:40:47] /opt/metasploit/ruby/lib/ruby/2.3.0/timeout.rb:91:in `block in timeout' [-] [2018.09.20-13:40:47] /opt/metasploit/ruby/lib/ruby/2.3.0/timeout.rb:33:in `block in catch' [-] [2018.09.20-13:40:47] /opt/metasploit/ruby/lib/ruby/2.3.0/timeout.rb:33:in `catch' [-] [2018.09.20-13:40:47] /opt/metasploit/ruby/lib/ruby/2.3.0/timeout.rb:33:in `catch' [-] [2018.09.20-13:40:47] /opt/metasploit/ruby/lib/ruby/2.3.0/timeout.rb:106:in `timeout' [-] [2018.09.20-13:40:47] /opt/metasploit/apps/pro/modules/auxiliary/pro/bruteforce/quick.rb:238:in `run_scanner' [-] [2018.09.20-13:40:47] /opt/metasploit/apps/pro/modules/auxiliary/pro/bruteforce/quick.rb:109:in `block (3 levels) in run' [-] [2018.09.20-13:40:47] /opt/metasploit/apps/pro/modules/auxiliary/pro/bruteforce/quick.rb:105:in `loop' [-] [2018.09.20-13:40:47] /opt/metasploit/apps/pro/modules/auxiliary/pro/bruteforce/quick.rb:105:in `block (2 levels) in run' [-] [2018.09.20-13:40:47] /opt/metasploit/apps/pro/vendor/bundle/ruby/2.3.0/gems/metasploit-framework-4.17.11/lib/msf/core/thread_manager.rb:100:in `block in spawn'
Posted by Jenis 5 months ago
The number of assets changes daily, I do run a discovery scan on the populated assets but it seems like asset linking does not work fully and I end up with duplicate assets. The site is defined with an AD LDAP query and is set to consume daily, it has nearly doubled in size in the last few weeks. Should I be running a discovery scan on these?
Posted by firstname.lastname@example.org 5 months ago
Using InsightVM, I have successfully setup and connected to our Docker registry. Going from Containers > Repositories, I see the list of our repositories. I click on one of them and see the list of image IDs. They are not assessed. I click on Assess and it displays a message: Image could not be assessed. Image [redacted] could not be assessed. The image could not be found in any available registry. You can configure a new registry connection (recommended) or manually upload the image using the output of docker save command. Add a Registry Connection. Cancel, Or upload an image file As I already have the registry connection, and links to the repos setup in InsightVM, is there a step I'm missing?
Posted by Rudi Coursen 5 months ago
Hi, I have some weird problem. I have a site and when I try to scan the site it cannot connect to windows machines. The scan time for the machines are quite low (less than a minute). When scanning a single asset it works like it should. Has any one had this issue and knows to overcome it? Thanks.
Posted by Netsec Team 5 months ago
Hello All, I am trying to integrate the Nexpose Scanner to QRadar via API site import method which required Nexpose SSL certificate to add into QRadar console. I am new to nexpose, could you please guide me how to get this cert from nexpose? Regards
Posted by Shaf 5 months ago
[-] ***rting the Metasploit Framework console...| [-] * WARNING: No database support: No database YAML file Hello, I just did a clean install of kali linux 2018.4 on hyper-v. Did get-apt update && apt-get dist upgrade Opened msfconsole and saw I was running msf 4, so I ran this command curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && \ chmod 755 msfinstall && \ ./msfinstall And now when I start msfconsole i get the No database YAML file, any suggestions?
Posted by Siggi Arnar 5 months ago
Hello I have been getting support from Rapid7 support portal for almost a month now. This is where I login: https://rapid7support.force.com/customers/login?inst=1O However, today when I entered the user name and password, I was redirected to the following screen: https://insight.rapid7.com/login I do not know what to do now. I have three open cases for which I need urgent support. I last logged in successfully on Friday (11 Jan 2019). How can I access the support portal now?
Posted by SUH 5 months ago
Environment: win 10 pro Des: I have downloaded and installed the Metasploit Framework v5.0.1 on my computer. When I type msfconsole in cmd, it can start the framework but fail to connect to the database. I like to config msf to connect to PostgreSQL. Firstly it occurs I haven't config database.yml properly, so I copy the file metasploit-framework\embedded\framework\config\database.yml.example, rename to database.yml and place it into the same directory, which is metasploit-framework\embedded\framework\config\, but then I got WARNING: No database support: ActiveRecord::ConnectionNotEstablished while starting msfconsole, after that, I run db_xxx command in msf such as db_status, but it shows No database driver installed. I already register the embedded PostgreSQL as a service and I can connect correctly using Navicat. Use net start PostgreSQL to start the service. I tried gem install pg -v '0.20.0', but problem still there. I am not familiar with Ruby, could u tell me how to deal with?
Posted by willijk 5 months ago
How do you handle hardware management devices, in my case I have a number of HP iLOs? Currently the management interface is a separate asset from the actual server/OS. Internal support for addressing vulnerabilities lies with the same group for both OS and Hardware. Does it make sense to keep these separate, and thus use 2 license for 1 device, or is there a method where these can be correlated together? Thanks!
Posted by Brad 5 months ago