UPNP vulnerable

Automatic things are sometimes bad things. One packet can be enough.
Better make rules.

Don’t download and install the free UpnP Vulnerability scanner by Rapid7.
It installs files. makes no directory has no icon and is not listed in program features or add/remmove.
It dumos an exe and files in your java directory. I emailed them and chewed them out asking how to be clean my system of their tool. Note that rapid 7 is associated with www.metasploit.com who freely distributed the metasploit source fraeworkk source code which is an exploit vulnerability kit. And is the most popular.
How stupid was i to install it!

Docs @ Rapid7 here is rapid 7 teaching you how to go Phsihing
https://community.rapid7.com/docs/DOC-2112 setting up a usb drop key.

They cannot be trusted

I used it and I don’t see any added files in the Java directory. Could you be more specific?

c:\users\current profile\appdata\temp look around in there.

there is also a file scannow.exe or something look in your java dir

C:\Program Files (x86)\Java\

i already deleted it all

There is no such .exe file in my Java directory and
all of the files are signed by Oracle. There was a Folder in the AppData so I deleted it since I have also deleted the tester because I no longer need it. To be honest though, I think you’re being needlessly paranoid about this. I think the tester is perfectly safe. I scanned it with Comodo and MBAM and it came up clean.

That’s not a 100% guarantee that it’s safe :slight_smile: Not saying that this file isn’t, though.

I didn’t even have Java installed so running the scanner prompted me to download it, so I didn’t bother with it. But as for Rapid7’s trustworthiness, don’t they offer Metasploit, among other products, for vulneraibility testing purposes? Read their wiki page, they seem pretty notable in vulnerability assessment.

True as well. Since I didn’t use their tool I had to take DrHaze word for it. But… First thing they tell you in uni is that wiki is not a reliable source.

yes…they have PDF files on how to make usb drop keys and starting phishing campaigns…
Sure try my product to test this while i teach people to hack you and give the metasploit framework source code away out the back door as the ultimate exploit development kit.


trust these people…right… 88)

www.metasploit.com leads to these rapid7 urls i listed under documentation.
if you look close enough they want $3000 for their Metaploit Express tester and the Pro Metapsploit rumors of $15,000 going around. but do some research. Metasploit source code dev environment is the most popular exploit dev platform out there.I won’t link the tar ball source code 88)

Vulnerability exploitation tools – SecTools Top Network Security Tools a list of the most popular sploit kits

Need a Book to get started writing exploits in metasploit??


and the charge people money for testing something they have already found a new exploit for sure it’s secure.

www.grc.com has a UpNP Router Scanner now to. So their are two opinions not just rapid7’s router scanner now. just go to shields up and go through the pages. You cannot directly link to it.

The scanner is perfectly safe but if you don’t want to use it there is a UPnP vulnerability checker at GRC that tests whether your router will respond to UPnP requests coming from outside your personal network and that’s what you need to be concerned with. If your router does not accept those requests there is no need to disable UPnP and lose it’s convenience within your network.

My router passes the test BTW :slight_smile:

Did they answer your email regarding how to clean your system of the tool?

In case you didn’t check yet and are curious about what files/folders the original .exe might have created:

No I will look at this camas link much appreciated.