Rapid7
Our Rapid7 penetration testing consultants have numerous years in various IT fields. This can range from support desk, to IT deployments, as well as information security, all the way up to performing pentests both internally to an organization as well as performing hundreds of tests for our Rapid7 customers. Our consultants have come from various backgrounds that allow Rapid7 to provide industry best experience and knowledge, as well as understanding a client’s needs and are compassionate towards the issues that are uncovered during assessments.
Key projects
- Our Rapid7 penetration testing including consultants have experience in a wide variety of assessment types, including but not limited to the following:
- Network Assessments (External, Internal, and Wi-Fi),
- Web Apps and APIs
- Mobile Applications (iOS and Android)
- Phishing and Vishing
- Physical Social Engineering
- IoT
- Advanced IoT (Vehicle, Locomotive, Aviation)
- Red Teams (Assumed Breach and Full Scope)
- Thick Clients
- Our pentesters have also gained experience, by both working for and performing assessments against, the following industry types:
- Financial
- Educational
- eCommerce
- Retail
- Oil & Gas
- Energy
- Healthcare
Tool Creation
Tools aren’t created equal, therefore, our pentesters create the tools that can either be specific to their needs or broad in use so that the community can also enjoy the benefits of the enhancements. The following is a list of tools our consultants created:
- WiFiSuite
- LinkScrape
- AutOSINT
- scapyflood
- HTTP-Sonic-Screwdriver
- sslscanalyzer
- brute-probe
- nmap-grep
- ike-trans
- autoRedTeam
- backHack
- PowerPhish
Speaking, Publishing, and Research, oh my!
Speaking
Our Rapid7 consultants participate in various speaking events ranging from B-Sides or Defcon, BlackHat, RSA, and others. We even sponsor a security conference from one of our very own pentesters, with the Layer 8 Conference.
Publishing
Have you heard of Under the Hoodie or This One Time on a Pen Test? Our Rapid7 pentesters participate in fun and exciting stories that they’ve experienced while performing a penetration test for our clients. There have been numerous stories published to our Rapid7 website such as:
- This One Time on a Pen Test: Thanks for Sharing Your Wi-Fi
- This One Time on a Pen Test: How I Hacked a Self-Driving Car
- Under the Hoodie: Playing Social Security Slots
- Under the Hoodie: Ain’t No Fence High Enough
Miscellaneous Topics
- 3 Steps to Integrate Rapid7 Products Into the DevSecOps Cycle
Research
Within the Rapid7 penetration testing team, we also encourage our consultants to utilize budget to perform research on a new topic that could potentially provide impact to the security industry. Numerous consultants have proposed working on items that have even garnered public attention, such as:
- CVE-2021-3927[67]: Fortress S03 WiFi Home Security System Vulnerabilities
- CVE-2021-20025: SonicWall Email Security Appliance Backdoor Credential
- CVE-2021-3546[78]: Akkadian Console Server Vulnerabilities (FIXED)
- CVE-2021-22123: Fortinet FortiWeb OS Command Injection
- Multiple Open Source Web App Vulnerabilities Fixed
- CVE-2021-3539 EspoCRM v6.1.6 CWE-79 (Persistent XSS)
- CVE-2021-31867 Pimcore Customer Data Framework v3.0.0 CWE-89
- CVE-2021-31869 Pimcore AdminBundle v6.8.0CWE-89 (SQL Injection
- CVE-2021-36800 Akaunting v2.1.12CWE-94 (Code injection)
- CVE-2021-36801 Akaunting v2.1.12CWE-639 (Auth bypass)
- CVE-2021-36802 Akaunting v2.1.12CWE-248 (Uncaught Exception DoS
- CVE-2021-36803 Akaunting v2.1.12CWE-79 (Persistent XSS)
- CVE-2021-36804 Akaunting v2.1.12CWE-640 (Weak Password Reset
- CVE-2021-36805 Akaunting v2.1.12CWE-79 (Persistent XSS)
- CVE-2020-7387..7390: Multiple Sage X3 Vulnerabilities