1. Nessus IVIL wrapper for Seccubus V2 – I had a wonderful talk with Frank from seccubus a couple of weeks back and we came up with the idea of “IVIL” which is basically a common XML format to report findings in from just about any tool.  I’m going to write an example IVIL aware wrapper for Nessus that will let you create scans, download reports and output in IVIL format to be loaded into seccubus V2.  Ideally anyone could write a wrapper for any tool and convert the tools output to IVIL to be loaded into seccubus for reporting.
2. Bug fixes for the Nessus plugin.  I need to diff out all the new things in the code that are not currently in metasploit and submit that.  Also work on a couple of tweaks and new features people have suggested.
3. Watch some more ruby videos and read some more of my ruby book.
4. Fix up my dev environment.  I am trying to swap over to using Netbeans as my IDE and SVN over SSH to connect to remote servers to test.  Carlos Perez has been great in showing me how this works.  Probably look at moving my dev to a vm on my laptop to repurpose the current hardware as an Astaro box.
5. Look into using meterpreter more and learning about meterpreter scripting in order to use meterpreter as an OVAL interpreter.
6. Work more on learning nasl.  Also looking to create a nasl script to do OVAL scanning of remote hosts directly with nessus.  Lots to do here and nasl is a bit clunky after working with ruby.  Funtimes though.
7. Keep working on my highly threaded http scanning engine.  Basically want something that is fast and scalable for finding http(s) servers on any port.  If one exists now that grabs all kinds of info on what the server/service is, love to see it.  Emphasis on the fast and scalable, talking scanning thousands of hosts and all ports.

That’s all that springs to mind right now.  Still getting over being sick and the whole family being sick after returning from Hack3rcon.

Speaking of Hack3rcon, I had a blast.  I’ll sign off here by embedding my talk on Nessus/MSF Integration.  My first ever talk and I learnt a great deal about presenting with live demo’s.  Redt of the talks are available on irongeek.com

Nessus Bridge for Metasploit Zate Berg from Adrian Crenshaw on Vimeo.

I’ll post the presentation up here once it’s done for everyone else to take a look at.  Actually going to be presenting a few new commands that are not in the metasploit svn version of the plugin.

After Hack3rcon I’ll be back into high gear adding some new functionality to the plugin and branching out into writing a wrapper for Nessus to speak IVIL for Seccubus v2.  This is pretty exciting stuff for me.  Coming up with a xml format to speak “findings” that is tool agnostic is going to be a great thing.  It will mean moving findings between tools, or comparing findings between tools, will be much much easier.  Keep a look out for that one.

There has been some talk on the metasploit mailing list this week about using tools such as Nessus to scan through a MSF pivot and into another network.  Some interesting discussion and I think it’s something I will dive into in these next few weeks.  Start to examine what some of the limitations are and how we might overcome or avoid them.

that’s it for now.  have a good weekend.

Next up are the plugin commands.  These helpful little beasts are all about showing you what plugins are available on your nessus server, and how many of them you have.

• nessus_plugin_list
• nessus_plugin_family
• nessus_plugin_details
• nessus_plugin_prefs

Given that nessus has over 38,000 plugins, simply asking it to list them all would result in a very large list returned from the server.  Nessus gets around this by breaking the request down into several parts.

nessus_plugin_list

This will list all the plugin families and show you how many plugins are in each family.  They can range from just a few, to thousands.  The plugin family names returned here are used in further commands.

nessus_plugin_family

Now armed with our plugin family name from the list command above, we can request the names of the plugins from one of the families.  Be warned, for some families this can result in a long list.  Returned from this command is a table showing the plugin ID, plugin name and plugin file name. The file name is what we use to get the plugin details (this strikes me as odd, I would have used the plugin ID as the identifier, the file name is annoying to use.)

nessus_plugin_details

This cool command returns us the details of exactly what the plugin does.  Included are such gems as the risk factor, cvss score(s), cvss vector(s), description, solution, any identifiers such as CVE/BID and details on exploit availability.  As yet the exploit availability does not link to the exploit, though I’d love to see us come up with some common reference method for exploits, similar to CVE (you listening NIST/SCAP people, hop to it).

nessus_plugin_prefs

Lastly, we have the prefs.  This shows the default server/plugin prefs and is quite long.  This is what things will default too if you do not change the setting to what you want in your policy. It returns 3 columns, Name, Value and Type.  Value shows what it’s currently set to and type tells you what kinds of settings it can have.  Really though it’s much easier to change these through the nessus web console right now for each policy.

I’m working on being able to create policies and templates from the command line to be used to do pinpoint scans for specific vulns on specific ports but it’s not there yet.  Missing is the ability to accurately and quickly tie a plugin to an exploit and working with these large entry/value pair lists on the command line is cumbersome.  End goal is to allow you to go through a process to create a scan template for a specific exploit and then scan for it and autopwn it when found.  Still a bit of work to do before I get there.

Thats all for plugins, up next in the series is User Commands.

What I’d like is a few people to test it.

So, grab the code from here, unpack it and then over write your metasploit install with the files in that archive.  Should be 4 of them.

Once you have done that, test it, connect to a Nessus server, import some reports, test all the other functions and maybe even just test some importing of nmap etc too if you like.

Report any bugs to me to be fixed and then when you want to remove these files, just delete these 4 from your metasploit install and then do “svn update”.

The nexpose importer and the nmap importer both use REXML Stream Processors.

So tonight I copied the nmap_xml.rb file and am working on making it process Nessus v2 files.  I am hoping that both the Nessus plugin, and the db_import will benefit from these changes.

I’ve been looking at it for a few days and kind of avoiding it because it’s difficult and is going to require large portions of my time fumbling through learning how the current one works enough to know how/what to modify.

Well turns out it’s simpler than I thought. In about an hour tonight I copied it, modified it, wrote some code to include it in the plugin and have the plugin send it data and got it parsing the hostname for each entry in a file.

Now I just need to work out what to call at what time with what values to get the hosts, vulns and services in the DB.  I know where that is in the code so I think this might not take me as long as I thought.

Harder will be making the right changes to db.rb to A) make it work, and B) still allow msf to function .. lol

The Scan Commands are where this plugin starts to really differ from previously importing nessus scans from flat files.  With these commands we can stay within the metasploit framework and reach out and examine things with Nessus.  We can then use the Report Commands we just learnt about to pull that data back to later pwn stuff.

Scan Commands are as follows:

• nessus_scan_new
• nessus_scan_status
• nessus_scan_pause
• nessus_scan_pause_all
• nessus_scan_stop
• nessus_scan_stop_all
• nessus_scan_resume
• nessus_scan_resume_all

Lots of those look similar, and in fact they are.  Only difference is one command acts on one scan ID, the other acts on all running scans.

Important to note that these work on scans, not reports.  The difference?  Scan becomes a report after it completes. (Yeah I know running scans show up in the output of nessus_report_list – set myself a task in github to fix that).

Ok, lets start with the boring ones first.

nessus_scan_status

This command shows you the status of all currently running scans.  If you have no running scans, well it wont show you any (see, very accurate).  XML that comes back from the command involved also shows policies and templates.  Future functionality will display those, but for now it just lists running scans and some info about them (such as progress if it is multiple hosts).

(nessus_scan_pause || nessus_scan_stop || nessus_scan_resume) <scan id>

They do exactly what they sound like they might do.  They pause, stop and resume running scans (not reports).  You need to supply the scan id (from nessus_scan_status) and it will return confirmation that it has done the task.

You can also use all 3 commands with _all on the end and no scan ID.  This will iterate through all scans available and do the specified action on them.  Pretty simple.

Ok, that leads us to the bread and butter nessus_scan_new command.

nessus_scan_new <policy id> <scan name> <targets>

No more do you have to drop to a command line or tab over to the web console to start a nessus scan.  You simply need to provide the policy ID for the policy you’d like to scan with (get that from nessus_policy_list), name your scan (use “quotes are cool” for multiple words) and give it the hosts you’d like to scan.  Hosts scan be one (192.168.1.1), a network cidr (192.168.1.0/24) or a range (192.168.1.1-127).  Hit enter and it goes to work.

So with what we have discovered so far we can do the following:

• Auth to our nessus box.
• Start a new scan
• import the results of that scan to our metasploit workspace.

Nice. So what else could there be?

Next up we will learn about the plugin commands for getting all kinds of useful information about the vulnerabilities we discover.

This changed when I did my PwB v3 course, I got much better at determining when and how to use msf to take advantage of something I found.  There was still a lot of moving between tools but I was at least able to identify vulnerable hosts.

I use Nessus in my day job to scan for vulns and sometimes I need to be able to turn those results into demonstrations or do false positive checking.  It was a little annoying to run the scan either from the cli, or usually from the Nessus Web Client and then have to manually import the Nessusv2 report.

At the same time MSF Express came out.  WoW, that is some slick shit.

I got to thinking, why not code a plugin that can do some limited stuff over xmlrpc from within the msfconsole and give me the ability to at least import my scan without having to go download it, transfer it over and then delete it.

So the Nessus Bridge for Metasploit was born. (Still in dev, so please report bugs)

The general concept is to allow you to do various tasks with your Nessus server, from within the msf command line.  By that I mean scan with Nessus, review the results, import the results and then exploit the results.

These next few blog posts will be some pointers on what it can (and can’t) do and how to use it.

Commands are broken up into the following categories and I will be covering each category in a separate entry.

• Generic Commands
• Reports Commands
• Scan Commands
• Plugin Commands
• User Commands
• Policy Commands

Click though each link to see a more detailed explanation of the commands available for each category and how to use them

Something else being Iphone or Android.  Lets examine the choices.

• Iphone 3GS 16 or 32 GB.
• Nexus One
• Droid
• HTC Desire?

In terms of plan, I am looking for unlimited everything.  Unlim voice minutes, texting and data.

So, I just priced the Iphone 3GS 16GB x2 on AT&T’s website, $495 upfront and $210 a month.  Holy crap!  Not worried about the up front but the monthly is much more than the $160 odd we pay now.

Other option is 2x Nexus One.  We’d need to change our current T-Mobile family plan to 2x single plans, $80 each.  Still about the same $160 we pay now.  Only catch is, not 100% sure we CAN do that.  I read things about people having to setup new accounts in other names because the $179 Nexus One price is “new” customers only.

And the droid, nice phone, and Verizon is having a GREAT deal on them, buy one, get one free.  Sweet, only $199 due now.  But, umm, the monthly is $225!.  Ah, yeah, pass.

So, I wonder if I could Hybrid it.  The wife really wants an Iphone.  I think she’d be fine on a Nexus One, but she has a ipod touch and is comfortable with it.  So what if, we got her a 16gb 3GS and me a Nexus One.  She’d be AT&T, I’d be T-Mobile but that is ok.

So, adding that all up, assuming I can actually get the Nexus One at the prices advertised, is $120 for her, $80 for me.  Still about $200 a month.

Damn.  So I guess I need to work out;

1. Can we in fact get 2x Nexus One’s at the $179 price, on separate accounts, for about $80 a month without going insane.
2. Can the wife make do with an Android phone over the Iphone?

Wish me luck

meh.

And then I got an email.  An email telling me, that a plugin on Aharon’s blog needed updating.  I mean that isn’t exactly earth shattering news, but it has got me thinking on why I still use wordpress for my blogs, but love Drupal so much.

Simple reason.  Updates.  Drupal BLOWS for updating compared to WordPress.  Let me walk you through what it takes for me to update a plugin in wordpress, or even upgrade wordpress itself to a new version.

1. Open the email I got sent (sure I cheat and install a plugin to send me emails when things need updating, but it’s super simple to install)
2. Click the link.
3. Login.
4. Look for the “Upgrade Automagically” link.
5. Click it.
6. Done.

It’s really that simple.  I can install new plugins, new themes, upgrade wordpress versions, all simply from within the WordPress Dashboard.  Pure awesome.  This is what Druapal misses.

Sure Drush does some of that, a little.  For me though, my one wish for Drupal 7 is WordPress-like install/upgrade functionality of core and modules.  Let me “browse” modules like I browse plugins in wordpress.

Please.

Right now I am on like month 3 of several things.  I think it’s a case of trying to do to much.

I have a course coming up soon on Pen Testing with Backtrack (PWB) that I am pretty excited about.  It’s 30 days of labs, a bunch of video lectures and a final exam that is 24H long.  Yes, 24H exam, I cannot wait.  I haven’t had anything really challenge me in a while.

Decided also that I am going to add a few new categories to this blog and write more often.

Adding :

• Fatherhood – going to write a little about my boys and some of the cool things they do.
• Games – going to write a few opinion pieces on Games, MMO’s and PC gaming specifically.
• Security – going to weigh in on a few security topics that have been on my mind, this might prompt me to invest more of myself in my career.

This is in addition to the 3 categories i already have; Things, Stuff and Bananas.  All very important.