
Monday, 8 December 2014

Most famous Metasploit Auxiliary modules top 10

At Rapid7, we often get asked what the top 10 Metasploit modules are. This is a hard question to answer: What does "top" mean anyway? Is it a personal opinion, or what is being used in the industry? Because many Metasploit users work in highly sensitive environments, and because we respect our users' privacy, the product doesn't send any usage reports back to us.

We may have found a way to answer your question: we looked at our metasploit.com web server stats, specifically which pages in the Metasploit Auxiliary and Exploit Database were viewed the most. Here they are, annotated with Tod Beardsley's excellent comments:

  1. MS12-020 Microsoft Remote Desktop Use-After-Free DoS (CVE-2012-0002, MSB-MS12-020): This is the 2012 RDP Bug, where it was implied -- but never proven in public -- that a pre-auth bug in RDP can allow for remote code execution. This is likely the most popular module we have due to both recency bias and because there was an unusual level of spontaneous organization of the Metasploit developer community to search for the correct path to remote code execution. So far, nobody’s gotten RCE yet (in public), but the Metasploit module provides the most clues.
  2. Microsoft Server Service Relative Path Stack Corruption (CVE-2008-4250, MSB-MS08-067): A four-year-old vulnerability that tends to give the most reliable shells on Windows 2003 Server and Windows XP. It’s also got a great pile of language pack targets. All of Metasploit’s exploits provide US English targeted shellcode, and a few might provide Chinese, Spanish, French, or other popular languages; this one has targets in pretty much every language you’ve ever heard of. This exploit is also not ancient, so it’s reasonable to expect to find some unpatched systems in a medium to large enterprise vulnerable to it.
  3. Microsoft Server Service NetpwPathCanonicalize Overflow (CVE-2006-3439, MSB-MS06-040): A six-year-old vulnerability that’s notable in that there’s no official patch from Microsoft for this on Windows NT 4.0. This was discovered after NT went end-of-life, so if you need remote root on an NT machine (and there are still plenty out there), this is going to be your first choice.
  4. Microsoft RPC DCOM Interface Overflow (CVE-2003-0352, MSB-MS03-026): A nine-year-old vulnerability that used to be the de facto standard exploit for Windows machines -- this is the RPC DCOM bug, and it affects ancient NT machines. It was most notable in that it was used by the Blaster and Nachi worms to transit networks. It’s now pretty much a case study in stack buffer overflows in Windows, so it’s got a lot of historical value. If memory serves, this was the most reliable exploit in Metasploit v2.
  5. Microsoft Windows 7 / Server 2008 R2 SMB Client Infinite Loop (CVE-2010-0017, MSB-MS10-006): Not sure why this module is popular -- it’s a client side DoS. Historically, it’s a neat DoS, since it demos a bug in Windows 7’s kernel, but all the module does is crash Windows 7 clients after you get a user to connect to you.
  6. Adobe PDF Embedded EXE Social Engineering (CVE-2010-1240): This module exploits CVE-2010-1240 in Adobe Reader. The idea is that you can embed and execute a Meterpreter PE Executable in a PDF, and when the user opens the PDF, surprise shells! Since it’s on this list, it’s probably the most popular social engineering-style module.
  7. Apache mod_isapi <= 2.2.14 Dangling Pointer (CVE-2010-0425): Although this is an exploit in Apache, don’t be fooled! It’s only exploitable on Windows (so that knocks out the biggest chunk of Apache installs at the time of this module’s release), and it’s only a DoS. Again, kind of a mystery as to why it’s so popular.
  8. Java AtomicReferenceArray Type Violation Vulnerability (CVE-2012-0507): This was initially discovered in the wild as a Java 0-day, and this module represented the fevered work of sinn3r and Juan Vazquez, who turned out the first reliable public cross-platform exploit for the bug. The blog post "CVE-2012-0507 - Java Strikes Again" shows a screenshot of Meterpreter sessions on Windows, Ubuntu, and OSX systems. In fact, this may be the first publicly demonstrable Java exploit that Just Works against all three platforms for the vulnerable versions of Java -- no extra configuration or fingerprinting is needed.
  9. Microsoft Windows Authenticated User Code Execution (CVE-1999-0504): The PSExec module is a utility module -- given an SMB username and password with sufficient privileges on the target machine, the user can get a shell. It’s not sexy, but it’s super handy for testing payloads and setup. Even though it’s a lowly #9, I’d bet it’s the most-used module in classroom and test environments.
  10. Microsoft Plug and Play Service Overflow (CVE-2005-1983, MSB-MS05-039): This exploits the Plug and Play service on Windows 2000. This is the exploit that MS06-040 replaced, though until MS06-040, this was the most reliable exploit around for Windows 2000. The Zotob worm used it. Note that while the exploit isn’t 100% reliable, failed attempts had a tendency to trigger a reboot of the target, so the next attempt would be 100% successful. In other words, for some people, the reboot-on-failure is really more of a feature than a bug.

Let us know if you find this ranking interesting so we can continue sharing it in the future. We're excited to see how this list will look next month, and what the major changes will be!

Wednesday, 24 July 2013

Exclusive: 'Bigger than phone hacking' - Soca sat on blue-chip dirty tricks evidence for years

Angry MPs join calls for secret list of those involved as banks and pharmaceutical firms are linked to rogue private investigators


Banks and pharmaceutical companies are on a secret list of blue-chip firms that hired private investigators who break the law, The Independent has learned.

The revelation that firms from two of this country’s biggest industries may have commissioned corrupt PIs – without facing prosecution – will fuel concerns that corporations potentially involved in the unlawful trade in private information have so far escaped proper investigation.
This newspaper has previously revealed that law firms, insurance companies and financial services organisations have used PIs for years to obtain a range of private data.
Information on the banks and pharmaceutical companies is contained in an explosive list of corrupt PIs’ clients handed to a parliamentary committee by the Serious Organised Crime Agency (Soca). The list of 101 clients also includes some wealthy individuals.
Following weeks of damaging revelations in The Independent, Soca finally bowed to political pressure earlier this week and privately released to MPs the historical details which its investigators ignored for years.
However, the agency has classified the material as secret to safeguard individuals’ human rights and protect the “financial viability of major organisations by tainting them with public association with criminality”.
The decision comes as the newspaper industry is at the centre of the largest criminal investigation in British history over practices including the hiring of corrupt PIs.
Asked this evening if the classified information contained details of banks and pharmaceutical companies, Keith Vaz, chairman of the Home Affairs Select Committee, said: “This affects all manner of organisations.”
Mark Lewis, the lawyer who represents the Milly Dowler family and a long-time scourge of Fleet Street, said: “Consistency demands that the same rules apply to all, whether you run a newspaper, a pharmaceutical company or a law firm.
“As soon as you depart from the equal applicability of law to all, then the law really does become an ass.”
Trevor Pearce, the director-general of Soca, decided to classify the details of blue-chip companies, in line with Cabinet Office guidelines about sensitive material.
He demanded the list be “kept in a safe in a locked room, within a secure building and that the document should not be left unattended on a desk at any time”.
However, in what would amount to a remarkable snub, the committee is so angry with Soca that it is considering releasing the information under parliamentary privilege.
Mr Vaz said: “We will come to a view as to whether or not we will publish this list. These events took place up to five years ago. Those companies or individuals who either instructed private investigators to break the law or did nothing to stop them must be held to account.”
It is understood other members of the committee are furious that they are being asked to participate in the cover-up. One source said: “This is bigger than the phone-hacking scandal and the committee does not want to be held accountable when all this comes out in the wash.”
Last month The Independent revealed that Soca compiled a dossier in 2008 that outlined how firms, individuals and organised crime bosses hired criminal PIs.
The investigators broke the law to obtain sensitive information, including mobile phone records, bank statements and details of witnesses under police protection.
Soca was analysing intelligence from mostly Scotland Yard investigations that had also failed to prosecute the offenders for the most serious offences – and completely ignored the blue-chip clients who may have profited from their crimes.
The report – which showed the practices went far wider than the newspaper industry – was dismissed by Lord Justice Leveson, who considered it fell outside the narrow terms of reference for his inquiry into the media.
One of five police investigations reviewed by Soca found private detectives listening in to targets’ phone calls in real time. During another police inquiry, the Soca report said officers found a document entitled “The Blagger’s Manual”, which outlined methods of accessing personal information by calling companies, banks, HM Revenue and Customs, councils, utility providers and the NHS.
Illegal practices identified by Soca investigators went well beyond the relatively simple crime of voicemail hacking and also included police corruption, computer hacking and perverting the course of justice.
Meanwhile, in an extraordinary joint admission on the Soca website, Mr Pearce and Commander Neil Basu of the Metropolitan Police admit the agency sat for years on evidence of criminality, until it was finally forced to act in May 2011 by former British Army intelligence officer Ian Hurst, whose computer was allegedly hacked by corrupt private investigators.
Mr Hurst told The Independent: “For reasons that remain unclear, the Leveson Inquiry did not touch the sides with regard to the police. In the final analysis, law enforcement agencies are going to have to justify why they conspired for years to protect the offenders and their clients, which extend way beyond the media.”
The joint statement also failed to address why Soca has still not passed all its historical evidence to Scotland Yard, which is currently investigating the crimes that the agency ignored.
Tom Watson, the campaigning Labour MP, said: “Why is the Met Police not in possession of all the information it would usually require to investigate criminal wrongdoing? Why did Soca not give all the physical evidence in the form of the original hard drives to the Met?
“The Yard and Soca need to provide an urgent explanation as to why the latter is still sitting on a bank of data that any decent police investigator would require to do a proper job.”
Rob Wilson, a senior Conservative MP, has written to Home Secretary Theresa May calling on her to sack Mr Pearce and Soca chairman Sir Ian Andrews over their refusal to publish the list of blue-chip clients.
A Soca spokesman said: “Trevor Pearce provided the chair of the committee with further confidential information on 22 July 2013. Soca is unable to comment further on that detail. However, as stated in the DG’s covering letter – which is published on the Soca website – the information provided does not allege, either expressly or by implication, that the individuals and companies named in it, or any individuals working for those companies, have or even may have committed a criminal offence.”