Does Nexpose capture the Users in the local Administrator group on Windows systems? I know it captures the Groups and Users, but can you see who's in the Admin group on an asset?
Posted by David P about a month ago
Hello, can someone help me? When I enter the Security Console and click on Dashboard I get this error: HTTP ERROR 401 Problem accessing /saml/SSO. Reason: Response issue time is either too old or with date in the future, skew 300, time 2018-10-18T13:29:17.851Z.
Posted by Orlando Sánchez about a month ago
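The 401 above is a standard service-provider freshness check rather than a console bug: the IssueInstant on the SAML Response must lie within the configured skew (300 seconds here) of the console's own clock, so the usual cause is clock drift between the IdP and the console. The following is an added example, not Rapid7 code, that reconstructs that check in Python; the minimal Response XML, the 300-second skew and the clock values (the timestamp from the post is reused as the console clock purely for illustration) are constructed, and the element and attribute names follow the SAML 2.0 protocol schema.

```python
"""Reconstruction of the SAML Response freshness check behind
"Response issue time is either too old or with date in the future, skew 300".

Added example, not Rapid7 code. Element and attribute names are from the
SAML 2.0 protocol schema; the skew, the reference clock and the minimal
Response XML are constructed to mirror the error in the post.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
DEFAULT_SKEW = timedelta(seconds=300)
# Constructed: the timestamp from the post, reused here as the SP's (console's) clock.
SP_CLOCK = datetime(2018, 10, 18, 13, 29, 17, 851000, tzinfo=timezone.utc)


def parse_saml_instant(value):
    """Parse an xs:dateTime as SAML uses it: UTC, trailing 'Z', optional fraction."""
    if not value.endswith("Z"):
        raise ValueError("SAML timestamps must be UTC with a trailing Z")
    body = value[:-1]
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in body else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def check_issue_instant(response_xml, now, skew=DEFAULT_SKEW):
    """Return (accepted, reason) for a samlp:Response.

    The SP assumes nothing about the IdP's clock except that it is within
    `skew` of its own, so a Response issued more than `skew` before or after
    `now` is rejected. The same window bounds how long a captured Response
    stays replayable, which is why the skew should stay small.
    """
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % SAMLP_NS:
        return False, "not a samlp:Response"
    issued = parse_saml_instant(root.attrib["IssueInstant"])
    age = (now - issued).total_seconds()
    limit = skew.total_seconds()
    if age > limit:
        return False, "Response issue time is too old by %.0fs (skew %.0fs)" % (age, limit)
    if -age > limit:
        return False, "Response issue time is in the future by %.0fs (skew %.0fs)" % (-age, limit)
    return True, "issue time within skew"


def sample_response(issue_instant):
    """Constructed, minimal Response carrying only what the check reads."""
    return ('<samlp:Response xmlns:samlp="%s" ID="_example" Version="2.0" '
            'IssueInstant="%s"></samlp:Response>') % (SAMLP_NS, issue_instant)


def demo():
    """Same console clock, three IdP clocks: in sync, 10 min slow, 10 min fast."""
    return {
        "in_sync":  check_issue_instant(sample_response("2018-10-18T13:29:16.851Z"), SP_CLOCK),
        "idp_slow": check_issue_instant(sample_response("2018-10-18T13:19:17Z"), SP_CLOCK),
        "idp_fast": check_issue_instant(sample_response("2018-10-18T13:39:17.000Z"), SP_CLOCK),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print("%-8s %s  %s" % (name, "accepted" if ok else "REJECTED", reason))
```

Compare the clocks on the IdP and on the console (both should be NTP-synced) before touching the skew setting: the skew is also the window in which a captured Response can be replayed, so widening it to paper over drift weakens the SSO rather than fixing it.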
Understanding that Rapid7 doesn't really provide support on the base Ubuntu OS and recommends you have a Linux admin on staff, is there a list of software that Ubuntu needs, what versions they need to be/should be, etc., that can be provided to the Linux admin?
Posted by Matt Wyen about a month ago
I've got about 9 systems all reporting this vulnerability, all 2012 R2 with current IE cumulative updates installed, most recently the patch below: 2018-10 Cumulative Security Update for Internet Explorer 11 for Windows Server 2012 R2 for x64-based Systems (KB4462949). These seem to be false positives. Any help?

Vulnerable software installed: Microsoft Internet Explorer 11.0.9600.19155
Vulnerable OS: Microsoft Windows Server 2012 R2 Datacenter Edition
Based on the following 3 results:
1. Microsoft patch KB4089187 is not installed.
2. Microsoft patch KB4088876 is not installed.
3. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value UBR - value does not exist
Posted by Mark Payne about a month ago
What are the login credentials for accessing the console from https://x.x.x.x:3780/? I installed Rapid7 VM Console from the Azure Marketplace and created the VM with an admin a/c username/password. I can access the VM via ssh using the admin a/c credentials. I was never prompted for credentials for Rapid7 VM Console access.
Posted by Dilesh Fernando about a month ago
We are doing a PoC with Rapid7. We were using DHCP for the addressing scheme; we had the network analysis team change the addressing to static IPs. Currently the console is reconfigured with the new IP, but one of the scanners (the only scanner) is currently not able to talk to the console because it can't get the new IP. How do we fix this? Do we rerun a script? Will this also affect anything?
Posted by vanessa villalpando about a month ago
TL;DR: Does anyone have a working example of a Windows "Default Account" check and the steps necessary to implement it? How do you properly remove old custom/community checks? How do you update custom/community checks that may have been changed?

---

I'm trying to create a custom "Default Account" vulnerability check to search for the existence of previously used local administrator passwords in our environment. I've set a server to use this password, and am following the CIFS example here: https://kb.help.rapid7.com/docs/nexpose-common-vulnerability-check-examples The vulnerability is never found though. I'm seeing several issues with the custom vuln I'm trying to write.

1) The "load content" command seems to work, and I see no failures in nsc.log. The custom check appears under the community category, I can search for cmty-* in the InsightVM console, etc. I see no problems with it. However, when I view the scan log, I see no mention of cmty-anything, which seems to indicate the check was never used in the scan. I've intentionally created a scan with this check, and only this check, enabled: nothing. I also know that the CIFS check -should- work. Using "mount.cifs" from a Linux workstation, I can clearly generate "permission denied" errors for bad passwords, and see no such failure for good passwords. In other words, it isn't failing due to lack of inbound port access, bad credentials, services not running, etc. The vulnerability does actually exist and I think I could quite easily write a quick bash script to test for it.

2) Previously built checks, which didn't work, still appear in the console. These checks were removed from the "CustomScanner" directory. Each time "load content" is run, I also see "Vulnerability cmty-old-check-that-doesnt-exist found in database, but does not have a vulnerability descriptor file.". Running the database maintenance scripts doesn't seem to help.

3) Checks which I modified the XML for do not get updated. For example, I changed a category from "Default" to "Default Account". However, the category remains the same. I'm unsure if the actual check (the ".vck" file) is actually being updated or not.
Posted by Mike about a month ago
Hello, I installed Metasploit on Ubuntu 18.04 (everything is updated) and when I try to run the msfdb init command I get this error:

root@xyzxyzxyz:/opt/metasploit-framework# sudo msfdb init
Traceback (most recent call last):
	2: from /usr/local/bin/msfdb:10:in `<main>'
	1: from /usr/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59:in `require'
/usr/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59:in `require': cannot load such file -- rex/text (LoadError)

Do you have any helpful advice?
Posted by Tomasz Osowski about a month ago
When I use multi handler I am getting a different result from others. When I type the following in the command line, 'msf > use exploit/multi/handler', the result is 'msf exploit(multi/handler) >' while I see everyone else is getting 'msf exploit(handler) >'. I don't know whether it is an error or not. And following this I can't listen to a port for incoming connections. Help needed.
Posted by Tot Jr about a month ago
Running InsightVM. It appears that for every Windows machine it hits, it enumerates some accounts on AD. This triggers an alert in Microsoft ATA for every test machine. The question is, does anyone know what test this is, and a good way to either fix it or suppress the error?
Posted by WIlliam Stuart about a month ago
I am unable to install the Insight agent on a Windows 2012 R2 server - the agent installs but the service fails to start so the install never completes. Seems a bit basic that the agent won't even install - the only thing I can see is the following error in the log for the ir_agent:

Python could not construct the class instance
Traceback (most recent call last):
  File "E:\jenkins\WORKSP~1\PY-FOR~2\agent\persistence\winsvc.py", line 26, in __init__
  File "E:\jenkins\WORKSP~1\PY-FOR~2\agent\agent.py", line 234, in __init__
  File "E:\jenkins\WORKSP~1\PY-FOR~2\agent\agent.py", line 95, in __init__
  File "E:\jenkins\WORKSP~1\PY-FOR~2\agent\platforms\windows\mixins.py", line 144, in _agent_shutdown
  File "E:\jenkins\WORKSP~1\PY-FOR~2\agent\platforms\base\mixins.py", line 135, in _agent_shutdown
SystemExit: 1
%2: %3

And the following in the agent.log in the Agent directory:

2018-10-31 22:55:23,540 [INFO] [agent.agent]: Registered as singleton. PID: Unavailable
2018-10-31 22:55:23,540 [INFO] [agent.platforms.windows.mixins]: Unable to obtain uuid using method FIRMWARE_API - AgentID '00000000-0000-0000-0000-000000000000' is invalid
2018-10-31 22:55:23,571 [INFO] [agent.platforms.windows.mixins]: Unable to obtain uuid using method WMI - AgentID '00000000-0000-0000-0000-000000000000' is invalid
2018-10-31 22:55:23,571 [ERROR] [agent.platforms.windows.mixins]: Unable to obtain uuid from any known methods - attempt random generation ONLY if config allows
2018-10-31 22:55:23,571 [ERROR] [agent.agent]: Exception occurred while retrieving/caching agent id: Agent config is prevents random agentid
Traceback (most recent call last):
  File "E:\jenkins\WORKSP~1\PY-FOR~2\agent\agent.py", line 84, in __init__
  File "E:\jenkins\WORKSP~1\PY-FOR~2\agent\common.py", line 333, in __get__
  File "E:\jenkins\WORKSP~1\PY-FOR~2\agent\platforms\windows\mixins.py", line 135, in plat_hostId
  File "E:\jenkins\WORKSP~1\PY-FOR~2\agent\platforms\base\mixins.py", line 72, in _agentid_random
agent.exceptions.InvalidAgentidException: Agent config is prevents random agentid

Any ideas? Thanks, Barry
Posted by Barry Smith about a month ago
We are running monthly reports that include Vulnerability/Proof/Solution information for the 10 highest-risk machines per site. There are different ways to output the vulnerability info via the built-in templates or a SQL query, but I have no idea how to select the 10 machines with the highest risk per site automatically. The idea is to have many sites in the scope. The vulnerability solution can be a rollup. I am looking for the fields below:
IP Address
Hostname
Risk Score
Vulnerability Title
Vulnerability Description
CVEs (maybe in a comma-delimited list)
CVSS score
Patch required
If it won't make it too complicated, Certainty and Owners fields would be great as well.
Posted by prashanth sedhumadhavan about a month ago
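The part of the question above that the built-in templates cannot express, "the 10 highest-risk assets in every site", is a window-function problem: rank assets by riskscore within each site with ROW_NUMBER() OVER (PARTITION BY site ...) and keep rank <= 10, then join the findings. The following is an added example, not Rapid7 code. The table and column names (dim_site, dim_site_asset, dim_asset, fact_asset, fact_asset_vulnerability_finding, dim_vulnerability, dim_vulnerability_reference) follow the InsightVM reporting data model as I understand it and should be checked against the data model reference in your console before use; the in-memory SQLite copy of that schema and the rows in it (including the placeholder CVE identifiers) are constructed so the example runs offline.

```python
"""Top-N highest-risk assets per site, with their findings, against the
InsightVM/Nexpose reporting data model.

Added example, not Rapid7 code. Table and column names are assumed from the
reporting data model and must be verified against your console's data model
reference. The SQLite schema and rows below are constructed test data; the
CVE identifiers in them are placeholders, not real CVEs.
"""
import sqlite3

# {agg} is STRING_AGG on the console's PostgreSQL reporting database and
# GROUP_CONCAT on SQLite; both take (expression, separator).
TOP_N_QUERY = """
WITH ranked AS (
    SELECT ds.site_id,
           ds.name       AS site_name,
           da.asset_id,
           da.ip_address,
           da.host_name,
           fa.riskscore,
           ROW_NUMBER() OVER (PARTITION BY ds.site_id
                              ORDER BY fa.riskscore DESC, da.asset_id) AS rn
    FROM dim_asset da
    JOIN fact_asset fa      ON fa.asset_id  = da.asset_id
    JOIN dim_site_asset dsa ON dsa.asset_id = da.asset_id
    JOIN dim_site ds        ON ds.site_id   = dsa.site_id
)
SELECT r.site_name,
       r.ip_address,
       r.host_name,
       r.riskscore,
       dv.title,
       dv.cvss_score,
       {agg}(dvr.reference, ', ') AS cves
FROM ranked r
JOIN fact_asset_vulnerability_finding favf ON favf.asset_id = r.asset_id
JOIN dim_vulnerability dv ON dv.vulnerability_id = favf.vulnerability_id
LEFT JOIN dim_vulnerability_reference dvr
       ON dvr.vulnerability_id = dv.vulnerability_id AND dvr.source = 'CVE'
WHERE r.rn <= {n}
GROUP BY r.site_name, r.asset_id, r.ip_address, r.host_name, r.riskscore,
         dv.vulnerability_id, dv.title, dv.cvss_score
ORDER BY r.site_name, r.riskscore DESC, dv.cvss_score DESC
"""

# Constructed stand-in for the reporting model, just the columns the query uses.
SCHEMA = """
CREATE TABLE dim_site (site_id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE dim_asset (asset_id INTEGER PRIMARY KEY, ip_address TEXT, host_name TEXT);
CREATE TABLE fact_asset (asset_id INTEGER PRIMARY KEY, riskscore REAL);
CREATE TABLE dim_site_asset (site_id INTEGER, asset_id INTEGER);
CREATE TABLE dim_vulnerability (vulnerability_id INTEGER PRIMARY KEY, title TEXT, cvss_score REAL);
CREATE TABLE dim_vulnerability_reference (vulnerability_id INTEGER, source TEXT, reference TEXT);
CREATE TABLE fact_asset_vulnerability_finding (asset_id INTEGER, vulnerability_id INTEGER);
"""

# Constructed sample: two sites, five assets, two vulnerabilities; CVE ids are placeholders.
SAMPLE_DATA = """
INSERT INTO dim_site VALUES (1, 'HQ'), (2, 'Branch');
INSERT INTO dim_asset VALUES
    (1, '10.0.0.1', 'web01'), (2, '10.0.0.2', 'db01'), (3, '10.0.0.3', 'app01'),
    (4, '10.0.1.1', 'dc01'),  (5, '10.0.1.2', 'fs01');
INSERT INTO fact_asset VALUES (1, 900.0), (2, 1500.0), (3, 300.0), (4, 2000.0), (5, 100.0);
INSERT INTO dim_site_asset VALUES (1, 1), (1, 2), (1, 3), (2, 4), (2, 5);
INSERT INTO dim_vulnerability VALUES
    (101, 'Outdated PHP version', 9.8),
    (102, 'SMB signing not required', 5.3);
INSERT INTO dim_vulnerability_reference VALUES
    (101, 'CVE', 'CVE-0000-0001'), (101, 'CVE', 'CVE-0000-0002'),
    (101, 'URL', 'https://example.invalid/php-advisory'),
    (102, 'CVE', 'CVE-0000-0003');
INSERT INTO fact_asset_vulnerability_finding VALUES
    (1, 101), (2, 101), (2, 102), (3, 101), (4, 102), (5, 102);
"""


def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE_DATA)
    return conn


def top_risk_findings(conn, n=10, agg="GROUP_CONCAT"):
    """Rows of (site, ip, host, riskscore, title, cvss, cves) for the n
    highest-risk assets of every site; assets outside the top n are dropped."""
    return conn.execute(TOP_N_QUERY.format(n=int(n), agg=agg)).fetchall()


def postgres_sql(n=10):
    """The same query in the dialect the console's SQL Query Export runs."""
    return TOP_N_QUERY.format(n=int(n), agg="STRING_AGG")


if __name__ == "__main__":
    # n=2 on the sample data shows the per-site cut: app01 (HQ, rank 3) disappears.
    for row in top_risk_findings(build_sample_db(), n=2):
        print(row)
```

Paste postgres_sql(10) into a SQL Query Export to get the per-site top 10 with title, CVSS and CVE list; description comes from dim_vulnerability as well, and the solution/patch text is a further join through the asset-to-solution dimension that the data model reference documents, which is omitted here because its exact column names are not something I want to assert from memory. The secondary ORDER BY on asset_id inside ROW_NUMBER() makes the cut deterministic when two assets share a riskscore.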
Hi, I just installed Metasploit Framework on Windows 10. It installed correctly, but I have a problem. I am trying to connect to the database in msfconsole. After running db_status, it says there's a database but it's not connected. I tried "msfdb init" and "msfdb.bat init" but it gives the error:

Starting database at C:/Users/MikeH/.msf4/db...failed
C:/metasploit-framework/bin/../embedded/framework/msfdb:68:in `readlines': No such file or directory @ rb_sysopen - C:/Users/MikeH/.msf4/db/log (Errno::ENOENT)
	from C:/metasploit-framework/bin/../embedded/framework/msfdb:68:in `tail'
	from C:/metasploit-framework/bin/../embedded/framework/msfdb:119:in `start_db'
	from C:/metasploit-framework/bin/../embedded/framework/msfdb:195:in `init_db'
	from C:/metasploit-framework/bin/../embedded/framework/msfdb:316:in `<main>'

Also, "systemctl start PostgreSQL" doesn't work either. So how do I fix this so I can start using the framework? On Windows. Please reply. Thanks
Posted by Mike Held about a month ago
I used to be able to pull status of engines via the Ruby API bindings Connection.list_engines. With API v3, I see no way to pull engine status from the API. The best I can get is lastRefreshDate. Am I missing something, or is this truly gone? Forcing a refresh and checking for error would be an OK work-around - but I don't see that either.
Posted by Noah Birnel about a month ago
Hi all, I am using Nexpose and having difficulty managing vulnerabilities which actually share the same solution. For example, 15 PHP CVE-xxx vulnerabilities exist and all of them need to be resolved by updating the PHP version. This situation leads to a massive increase in vulnerability numbers in reports, and the assigned people have a difficult time since they need to go over the same type of vulnerability several times. Actually I am looking for an option like the one in Nessus, "Hide results from plugins initiated as a dependency". Does anyone have any recommendation to make things easier in this situation? The Top Remediation report helps a little bit; however, the console still lists all vulnerabilities. Regards
Posted by Onur A about a month ago
Can I review the criticality value of a vulnerability? For example, I have a vulnerability in Python; its CVSS score is 9 - high. I've made an analysis and concluded that the risk of exploitation of this vulnerability is low for us, and I want to reset the criticality of this vulnerability to low. How can I do it in Nexpose?
Posted by Maxim Korovenkov about a month ago