Hi, we've installed an InsightVM scan engine on an Ubuntu 16.04 64-bit VM. When prompted, we chose to install a scan engine rather than a security console. We also chose for the communications to go from the console to the scan engine, so the scan engine should be listening for incoming communications on port 40814/tcp as I understand it. The installation appeared to be successful. Just to be safe, we rebooted the VM. We were never asked to enter our license key, which seemed odd. We also were never asked to input a shared secret from the security console.

After installation, we do "netstat -an | grep LISTEN", and do not see port tcp/40814 as being in a listening state. I tried manually running:

```
sudo systemctl start nexposeengine
sudo systemctl start nexposeengine.service
```

Each time, "echo $?" shows the return code was 0, indicating it was successful, but we still don't see port tcp/40814 as listening. When I attempt to create a new scan engine from the security console, I input the scan engine IP but when the console tries to connect we see "java.net.ConnectException: Connection refused". Any idea what we're doing wrong?

Thank you, -Kevin Cawlfield
Posted by Kevin Cawlfield 9 months ago
Hi, we are trying to install Metasploit Pro on a remote Ubuntu 16.04 LTS server in the cloud and we followed the recommended commands for a Linux headless server from the official webpage:

```
wget http://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run
chmod +x ./metasploit-latest-linux-x64-installer.run
sudo ./metasploit-latest-linux-x64-installer.run
```

However, this always starts a GUI installer and we need to automate installation using ANSIBLE/BASH so we cannot use the GUI but just the CLI installer. Could you please give us some advice on how to proceed? We have already purchased a license so we need to start using it as soon as possible.

Thanks a lot, best regards, Ivan Ulicky, Security Engineer
Posted by Ivan Ulicky 9 months ago
Hi, I'm trying to follow the report customization referenced within the support documentation for InsightVM (https://insightvm.help.rapid7.com/docs/report-templates-and-sections), however for some of the reports (e.g. Top Remediations with Details) I do not have the option to copy the report. Is there a way to copy this report to use as a template for custom reports as described in the documentation?
Posted by Eric A 9 months ago
I am trying to activate a new install of the virtual appliance. I keep getting 'activation failed cannot activate at this time'. I rebooted, and ran the diagnostics:

| Category | Description | Status | Result |
| --- | --- | --- | --- |
| Database Diagnostics | Deleted Sites Consistency | Success | There are no partially deleted sites. |
| Database Diagnostics | Node Synopsis Consistency | Success | All nodes have synopsis data. |
| Database Diagnostics | Scan Synopsis Consistency | Success | All scans have synopsis data. |
| Database Diagnostics | Asset Synopsis Consistency | Success | All assets have synopsis data. |
| Database Diagnostics | Site Synopsis Consistency | Success | All site synopsis tables appear consistent. |
| Database Diagnostics | Asset Group Synopsis Consistency | Success | All asset groups have synopsis data. |
| Database Diagnostics | Scan Status Consistency | Success | All scan statuses appear consistent. |
| Database Diagnostics | Policy Synopsis Consistency | Success | The policy synopsis table appears to be consistent. |
| Database Diagnostics | Asset Policy Rule Synopsis Consistency | Success | All asset and policy rules have synopsis data. |
| Database Diagnostics | Asset Policy Synopsis Consistency | Success | All asset and policies have synopsis data. |
| OS Diagnostics | Supported OS | Success | System is running on a supported OS: Ubuntu Linux 16.04 |
| OS Diagnostics | Memory requirements | Success | Total OS memory: 7983MB JVM maximum memory: 5971MB. Used Memory: 2946MB |
| OS Diagnostics | Disk space requirements | Success | System meets minimum disk space requirements: 74928MB free. |
| General Diagnostics | VM Version | Success | VMSC Name: CN=Rapid7 Security Console, O=Rapid7 Last update: 117483016 (2018-03-14) VM version: OpenJDK 64-Bit Server VM 25.102-b14 (Linux amd64) OS version: Ubuntu Linux 16.04 |
| General Diagnostics | VM Scan Engine Version | Success | Local scan engine Status: Active OS version: Ubuntu Linux 16.04 Last Update: 117483016 (2018-03-14) Rapid7 Hosted Scan Engine Status: Unknown |
| Network Diagnostics | Host-based firewalls disabled | Success | |
| Network Diagnostics | Gateway Ping | Success | Gateway ping via ICMP ECHO () : ALIVE Gateway ping via TCP on port 21, 23 and 80 () : ALIVE |
| Network Diagnostics | DNS Name Resolution | Success | Successfully resolved 'www.rapid7.com' to 18.104.22.168 |
Posted by Michael Marohn 9 months ago
Hello: Any custom Metasploit module I create isn't getting loaded. I tried both of these demos: https://www.offensive-security.com/metasploit-unleashed/building-module/ and https://github.com/rapid7/metasploit-framework/wiki/Loading-External-Modules and got the same result that the modules were NOT found. Before posting here, I checked these out: https://forums.kali.org/showthread.php?28940-Metasploit-modules-not-loading! and https://www.offensive-security.com/metasploit-unleashed/modules-and-locations/

Just working with the latter URL, on the Kali host, I do indeed have the file in the right location (according to the demo):

```
root@kali:~/.msf4/modules/exploits/test# ls -al
total 12
drwxr-xr-x 2 root root 4096 Mar 19 13:59 .
drwxr-xr-x 3 root root 4096 Mar 19 13:58 ..
-rw-r--r-- 1 root root 9 Mar 19 13:59 test_module.rb
```

I then ran reload_all and when using this command: use exploit/test/test_module it returns with Failed to load module. I also tried to manually load that path and it failed too:

```
msf > loadpath ~/.msf4/modules/
Loaded 0 modules:
```

Any assistance you can provide in solving why Metasploit isn't picking up any custom modules is greatly appreciated!
Posted by Chris 9 months ago
I'm working on developing custom reports, similar to some of the .Jar files I've found here in the docs (like https://kb.help.rapid7.com/docs/trend-and-top-remediations-report-template). I'm new to Nexpose and just wanted to modify a couple of the rules around the template, and load it back into the Nexpose Report console using the upload a file option to create a new template. However when I repackage the .jar and upload it, I receive a message saying the file is not trusted. What is the proper channel/process to create a custom jar template like that? I appreciate your help!
Posted by Joshie Nygaard 9 months ago
Hello, Based on the documentation I should find "Amazon Web Services Asset Sync" in "Administration" -> "Connections" -> "Create/Manage". But from the dropdown I can only see "Amazon Web Services (Legacy)" and 5 other non-AWS-related options. And it also redirects back to the creation of the connection without errors if I try to set up the "AWS (Legacy)" option. So how do I set up a connection to AWS? Thanks, Dainius
Posted by Dainius 9 months ago
Hi, we have a couple of servers scanned by InsightVM (agent and ssh/key) which are reporting vulnerabilities from stored files (bundled JREs). These are part of installers stored on the machines with the JRE bundled by the vendor. Is there any way to exclude some paths from scanning (rather than exclude the hundreds of vulnerabilities reported)? Is there a better way to do this? Thanks,
Posted by h 9 months ago
Hi All, On the report "top 25 remediations by risk", we'll have a remediation such as "update to the latest version of Adobe Air". Is there any way to see (either in a report, or the web console) the actual devices under this remediation? Ideally, I'd like to see this in the web console, so I can run filters etc.
Posted by Jonathon Zachariah 9 months ago
We have a DC in a firewalled network. We are seeing failed communication (via ASA logs) between the collector and the DC on TCP 49154. I see no mention of that port anywhere in the documentation. We are unable to query the DC via WMI and this is the only port we are seeing denies on since creating the log source. Thoughts? Just allow 49154 and call it good? TIA
Posted by Scot Lymer 9 months ago
Hello, I am a student in cyber security and I have one problem. In the lab we hacked the Windows XP with the command "msfpayload windows/adduser". Now they want to hack the Windows XP again but with "windows/exec" to run any command in the Windows XP. Can you tell me how to do it? I am searching all the time in Google and I can't find the way. Please guys. Thank you
Posted by Nefeli Anthi 9 months ago
I have a machine running Windows 10 with the latest Fall Creator's update and Rapid7 is showing this:

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
CurrentBuild - contains unexpected value 16299
```

However, the build number of the Fall Creator's Update, aka Redstone3, is 16299. https://en.wikipedia.org/wiki/Windows_10_version_history Think there may be an error in the database of vulnerabilities? Also, this machine does have the March set of patches installed. It also keyed off of:

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\currentversion\Policies\System\CredSSP\Parameters - key does not exist
UBR - contains unexpected value 309
```
Posted by Chris Bachmann 9 months ago
Hello, We are running a POC of InsightIDR and we are getting the following message (in bootstrap.log) when we try and activate a collector.

```
Mar 16, 2018 9:10:55 AM com.rapid7.razor.collector.bootstrap.impl.JavaLogHelper$Logger info
INFO: RegistrationManager attempting to connect to the server: https://eu.data.insight.rapid7.com/api/1/collector/register
Mar 16, 2018 9:10:55 AM com.rapid7.razor.collector.bootstrap.impl.JavaLogHelper$Logger info
INFO: **** Agent key for this Collector is: 311aa03d-7c6f-446b-a015-c85a113b4ff8
Mar 16, 2018 9:10:55 AM com.rapid7.razor.collector.bootstrap.impl.JavaLogHelper$Logger error
SEVERE: Registration process failed with exception
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
    at sun.security.ssl.Handshaker.processLoop(Unknown Source)
    at sun.security.ssl.Handshaker.process_record(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
    at java.net.URL.openStream(Unknown Source)
    at com.rapid7.razor.collector.bootstrap.impl.RegistrationManager.registerWithServer(RegistrationManager.java:203)
    at com.rapid7.razor.collector.bootstrap.impl.RegistrationManager.doRegister(RegistrationManager.java:108)
    at com.rapid7.razor.collector.bootstrap.impl.RegistrationManager.checkRegistration(RegistrationManager.java:72)
    at com.rapid7.razor.collector.bootstrap.impl.BootstrapProcess.call(BootstrapProcess.java:46)
    at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
    at java.util.concurrent.FutureTask.run(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
```

Wireshark gives me a

```
59 30.875484 my collector ip my proxy ip TLSv1.2 61 Alert (Level: Fatal, Description: Certificate Unknown)
```

We have allowed SSL pass through and the server can get to the site. Any ideas?
Posted by Martin Austin 9 months ago
Has anyone tried to utilize the Exchange transport in Insight IDR with Exchange 2010? I know that the official stance is that it is not supported; however, I would like to know if anyone has tried it, and whether it worked or blew up their Exchange 2010 server.
Posted by Jack Rider 9 months ago
In the installation instructions for Metasploit, it is mentioned that the AV and Firewalls must be disabled since the AV software will detect Metasploit as malicious and prevent it from running. Disabling AV and Firewall on the Server where Metasploit is running will create a risk and leave my server unprotected. So my questions here are:

1. Will Metasploit work with an AV software such as Cylance which provides a fileless, signatureless method of detection?
2. What are the compensatory controls that need to be in place to ensure that my server and network are not at risk due to the AV being blocked?
3. If the AV is blocked, does the Metasploit software not get downloaded either?
Posted by Debrup Bhattacharjee 9 months ago
I have an asset group that is basically what I consider low hanging fruit, typically below a risk score of 100. There aren't any methods to purge dead assets, inactive assets, sites with 0 vulnerabilities, etc. Are there any features or scripts available that I can use to automate the clearing of assets that are in this group?
Posted by Drew Tabor 9 months ago
I am a new user to InsightVM. My scan is showing a ton of Google Chrome Vulnerability entries. The device does not have Chrome on it so I am guessing it is an old version that has not been completely uninstalled. Is there a way to find out where this thing is hiding?
Posted by Ron Gallimore 9 months ago