I have a machine running Windows 10 with the latest Fall Creator's Update and Rapid7 is showing this:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
CurrentBuild - contains unexpected value 16299

However, 16299 is the build number of the Fall Creator's Update, aka Redstone 3: https://en.wikipedia.org/wiki/Windows_10_version_history

Think there may be an error in the database of vulnerabilities? Also, this machine does have the March set of patches installed. It also keyed off of:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\currentversion\Policies\System\CredSSP\Parameters - key does not exist
UBR - contains unexpected value 309
Posted by Chris Bachmann 11 months ago
Hello, we are running a POC of InsightIDR and we are getting the following message (in bootstrap.log) when we try to activate a collector.

```
Mar 16, 2018 9:10:55 AM com.rapid7.razor.collector.bootstrap.impl.JavaLogHelper$Logger info
INFO: RegistrationManager attempting to connect to the server: https://eu.data.insight.rapid7.com/api/1/collector/register
Mar 16, 2018 9:10:55 AM com.rapid7.razor.collector.bootstrap.impl.JavaLogHelper$Logger info
INFO: **** Agent key for this Collector is: 311aa03d-7c6f-446b-a015-c85a113b4ff8
Mar 16, 2018 9:10:55 AM com.rapid7.razor.collector.bootstrap.impl.JavaLogHelper$Logger error
SEVERE: Registration process failed with exception
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
    at sun.security.ssl.Handshaker.processLoop(Unknown Source)
    at sun.security.ssl.Handshaker.process_record(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
    at java.net.URL.openStream(Unknown Source)
    at com.rapid7.razor.collector.bootstrap.impl.RegistrationManager.registerWithServer(RegistrationManager.java:203)
    at com.rapid7.razor.collector.bootstrap.impl.RegistrationManager.doRegister(RegistrationManager.java:108)
    at com.rapid7.razor.collector.bootstrap.impl.RegistrationManager.checkRegistration(RegistrationManager.java:72)
    at com.rapid7.razor.collector.bootstrap.impl.BootstrapProcess.call(BootstrapProcess.java:46)
    at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
    at java.util.concurrent.FutureTask.run(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
```

Wireshark gives me:

```
59 30.875484 <my collector ip> <my proxy ip> TLSv1.2 61 Alert (Level: Fatal, Description: Certificate Unknown)
```

We have allowed SSL pass-through and the server can get to the site. Any ideas?
Posted by Martin Austin 11 months ago
Has anyone tried to utilize the Exchange transport in InsightIDR with Exchange 2010? I know that the official stance is that it is not supported; however, I would like to know if anyone has tried it, if it worked, or if it blew up their Exchange 2010 server.
Posted by Jack Rider 11 months ago
In the installation instructions for Metasploit, it is mentioned that the AV and firewalls must be disabled, since the AV software will detect Metasploit as malicious and prevent it from running. Disabling AV and the firewall on the server where Metasploit is running will create a risk and leave my server unprotected. So my questions here are:

1. Will Metasploit work with AV software such as Cylance, which provides a fileless, signatureless method of detection?
2. What are the compensatory controls that need to be in place to ensure that my server and network are not at risk due to the AV being blocked?
3. If the AV is blocked, does the Metasploit software not get downloaded either?
Posted by Debrup Bhattacharjee 11 months ago
I have an asset group that is basically what I consider low hanging fruit, typically below a risk score of 100. There aren't any methods to purge dead assets, inactive assets, sites with 0 vulnerabilities, etc. Are there any features or scripts available that I can use to automate the clearing of assets that are in this group?
Posted by Drew Tabor 11 months ago
I am a new user to InsightVM. My scan is showing a ton of Google Chrome Vulnerability entries. The device does not have Chrome on it so I am guessing it is an old version that has not been completely uninstalled. Is there a way to find out where this thing is hiding?
Posted by Ron Gallimore 11 months ago
I haven't had any luck with submitting corrections for typos etc. in check descriptions so they don't show up in reports. I've talked to various people through the years about a method for submitting check recommendations and other related content (the great work with fingerprints via recog aside). I'll submit the question again for 2018.

I've been working through checks for common UDP services known for DoS amplification for my environment. While going through them I'm finding that amplification checks for services like quote of the day, chargen, etc. are triggering for services on TCP. I'm going through and generating copies of the checks and including the simple UDP check that Ross Kirk helped me add to checks for systems vulnerable to memcached amplification. I'm currently replacing the default checks to reduce false positives.

Is there any way to submit simple modifications outside of the less than useful 'idea portal'? Last I checked there was no workflow through support for things like this.

Examples: chargen-amplification, qotd-amplification, etc.
https://github.com/BrianWGray/cmty-nexpose-checks/blob/master/cmty-qotd-amplification.vck
https://github.com/BrianWGray/cmty-nexpose-checks/blob/master/cmty-chargen-amplification.vck

If there are issues with the tweaks, I'm open to learning what I might be doing improperly and improving so that I can give back to the Nexpose community.
Posted by BrianWGray 11 months ago
I am trying to install and set up the Linux agent with Docker.

Dockerfile:

```dockerfile
FROM ubuntu:16.04
RUN apt-get update -y
COPY Linux_Insight_Agent/ /app/
RUN chmod u+x /app/agent_installer.sh
RUN ./app/agent_installer.sh install_start
```

It is throwing me the error:

```
-------------------------------------------
Installing systemd service [INFO] Failed to connect to bus: No such file or directory
Configuration file /etc/systemd/system/ir_agent.service is marked executable. Please remove executable permission bits. Proceeding anyway.
Created symlink /etc/systemd/system/default.target.wants/ir_agent.service, pointing to /etc/systemd/system/ir_agent.service.
```

Can anyone please help me with this and suggest another way to set it up in a Docker container?

NOTE: I don't want to use the Docker agent.
Posted by ashwani 11 months ago
Just trying to extend the DRP timeframe from 45 to 50 days. My concern is the safe-keeping of the existing 45 days of data. The following message pops up when attempting to change the setting: "You cannot stop the routine once it starts, and all data removal is permanent. Do you want to enact this policy?" What are the real implications of this ominous warning message? Hoping it doesn't wipe everything and start with a new data set. I doubt it would, but wanted to confirm with someone who has actually done it.
Posted by David Honeycutt 11 months ago
I'm looking to differentiate between solutions that require a patch or software upgrade vs. vulnerabilities/solutions that are a consequence of system or application configuration. I'd like to be able to run a query for each to identify which is introducing more risk: configuration issues or patch management issues?
Posted by Sean Harcourt 11 months ago
I'm evaluating the InsightVM tool in vulnerability assessment for our small (but certain to grow) Docker container servers. I have not been able to assess the images even though the tool does recognize the servers as container hosts. When I reached out to the group standing up the containers, they explained they are placing and building the images directly on the servers and use no registry. Is it possible for InsightVM to work with this use case?
Posted by Diana Orrick 11 months ago
I'm looking at the CVE-2018-6789 CVSS scores in Nexpose checks. They don't make much sense to me and I'm curious how, even at a preliminary scoring, they ended up being what they are. The current scoring lists the issue as a Local attack vector for a network-centric RCE, among other issues. Looking at the following example ID:

```
ubuntu-cve-2018-6789 CVSS 2 (AV:L/AC:M/Au:N/C:P/I:P/A:P)
```

Reviewing score sources, the Ubuntu link structure is broken. The UI points to https://usn.ubuntu.com/USN-3565-1 but the current call structure is https://usn.ubuntu.com/3565-1/

NVD to date hasn't published a score. Looking at the Debian link has sources like RedHat that include a more appropriate score, which is roughly double the current score listed.

https://security-tracker.debian.org/tracker/DSA-4110-1 -> https://security-tracker.debian.org/tracker/CVE-2018-6789 -> https://access.redhat.com/security/cve/cve-2018-6789

```
(CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
```

The available Nexpose information doesn't seem to align with the current check's description: https://devco.re/blog/2018/03/06/exim-off-by-one-RCE-exploiting-CVE-2018-6789-en/

Is this information evaluated by an analyst or a default value for imported issues?
Posted by BrianWGray 11 months ago
What goes into the composition of the Vulnerability Risk Score and Vulnerability Severity Level? How are they measured? What is the difference between these 2? Is one considered "better" than the other?
Posted by Kevin Keer 11 months ago