Latest changes to the Nessus Plugin submitted to Metasploit.

Late last night I got the code cleaned up and submitted it to msfdev.

It should be in the Metasploit svn in a few days; I know those guys are super busy with an upcoming release.

In the meantime you can download it from GitHub: http://github.com/Zate/Nessus-Bridge-for-Metasploit

Changes:

  • Streaming Parser for Nessus V2 Reports.
    • This streams the file from the Nessus server and processes each host as it finds it, instead of loading the entire file into memory, which can be very memory-intensive on large reports.  Performance is much better, though it can still take a while to iterate through large numbers of hosts.
  • Added an activity indicator on nessus_report_get.
  • nessus_report_get now displays the OS information as reported by Nessus for each host it imports.
  • Fixed a bug where you could try to import a running scan.  It now checks that the scan is not currently running before importing.
  • Added nessus_template_list to show templates.  More work on templates coming.
  • Changed nessus_policy_list to use scans/list as the point it gets its info from; much faster.
  • Added experimental support for a new search index system I am working on that might replace how searches are done in msf.  It builds an index on local disk (or in memory) for searching.  Access is via nessus_exploits.
  • Fixed a bug so that it now checks that the policy exists when creating a new scan.
  • Added "return" to the -h option in all the commands so that the command will not run when -h is specified.
  • Fixed various whitespace issues.
  • One remaining bug is how the scanner gets displayed in db_hosts: it takes up two lines.  Working on it.

In Progress:

I am working on redoing the whole search functionality in msf, not just the Nessus Plugin.  This includes typing search at the command prompt, and the searching done by modules and things like db_autopwn.  I think we can move it to searching through index files on local disk, which should be much, much faster than the current way.

Nessus has added exploit information to the reports for each plugin that has a viable exploit in Metasploit (and other exploit engines).  I'm going to try to add this information as a "ref" to each vuln listed in db_vulns.  I still need to go through and check the accuracy of the plugin-to-exploit mappings, though.
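
To make the two points above concrete (the streaming parser from the change list, and the exploit data turned into refs), here is an added example in Ruby that is not the plugin's own code. It uses REXML's stream listener (stdlib; the plugin may use a different parser) so that only the current ReportHost is in memory, emits each host to a block as soon as its closing tag is seen, keeps the operating-system property for display, and builds refs per finding. The NSS- ref prefix is the one Metasploit already uses for Nessus plugin IDs; the MSF- ref format and the reliance on the exploit_framework_metasploit / metasploit_name elements are assumptions, as is the sample report, whose plugin IDs and CVE are placeholders.

```ruby
require 'rexml/document'
require 'rexml/streamlistener'
require 'stringio'

# Stream listener for Nessus v2 (.nessus) reports. Only the ReportHost being
# read is held in memory; it is handed to the caller's block at </ReportHost>.
class NessusV2Listener
  include REXML::StreamListener

  # <ReportItem> children we keep. The exploit_* / metasploit_name element
  # names are assumed to be the exploit mapping Nessus added to v2 reports.
  ITEM_FIELDS = %w[risk_factor cve exploit_available
                   exploit_framework_metasploit metasploit_name].freeze

  def initialize(&on_host)
    @on_host = on_host
    @host = @item = @buf = @prop = nil
  end

  def tag_start(name, attrs)
    @buf = nil                      # collect text only inside elements we want
    case name
    when 'ReportHost'
      @host = { name: attrs['name'], properties: {}, items: [] }
    when 'tag'                      # <HostProperties><tag name="operating-system">
      @prop = attrs['name']
      @buf = +''
    when 'ReportItem'
      @item = { plugin_id: attrs['pluginID'].to_i, port: attrs['port'].to_i,
                protocol: attrs['protocol'], severity: attrs['severity'].to_i,
                plugin_name: attrs['pluginName'], cves: [], refs: [] }
    else
      @buf = +'' if @item && ITEM_FIELDS.include?(name)
    end
  end

  def text(data)
    @buf << data if @buf
  end

  def tag_end(name)
    case name
    when 'tag'
      @host[:properties][@prop] = @buf.strip if @host && @buf
    when 'ReportItem'
      @host[:items] << finish_item(@item)
      @item = nil
    when 'ReportHost'
      @on_host.call(@host)          # emit now; no whole-document tree is built
      @host = nil
    else
      if @item && @buf && ITEM_FIELDS.include?(name)
        if name == 'cve'
          @item[:cves] << @buf.strip
        else
          @item[name.to_sym] = @buf.strip
        end
      end
    end
    @buf = nil
  end

  private

  # db_vulns-style refs: the NSS- plugin ref Metasploit already uses, the CVEs,
  # and (assumed format) an MSF- ref when Nessus says a Metasploit module exists.
  def finish_item(item)
    item[:refs] << "NSS-#{item[:plugin_id]}"
    item[:refs].concat(item[:cves])
    if item[:exploit_framework_metasploit] == 'true' && item[:metasploit_name]
      item[:refs] << "MSF-#{item[:metasploit_name]}"
    end
    item
  end
end

# source may be a File, a streamed HTTP response body, or a StringIO.
def parse_nessus_v2(source, &on_host)
  REXML::Document.parse_stream(source, NessusV2Listener.new(&on_host))
end

# One-line summary per host, like nessus_report_get's OS display.
def host_summary(host)
  os = host[:properties]['operating-system'] || 'unknown OS'
  "#{host[:name]} (#{os}): #{host[:items].size} finding(s)"
end

# Constructed sample report; plugin IDs and CVE are placeholders, not real ones.
NESSUS_SAMPLE = <<~XML
  <?xml version="1.0" ?>
  <NessusClientData_v2>
    <Report name="example">
      <ReportHost name="192.0.2.10">
        <HostProperties>
          <tag name="operating-system">Linux Kernel 2.6</tag>
        </HostProperties>
        <ReportItem port="22" protocol="tcp" severity="3" pluginID="10000001" pluginName="Example SSH finding">
          <risk_factor>High</risk_factor>
          <cve>CVE-0000-0000</cve>
          <exploit_available>true</exploit_available>
          <exploit_framework_metasploit>true</exploit_framework_metasploit>
          <metasploit_name>Example SSH Exploit</metasploit_name>
        </ReportItem>
      </ReportHost>
      <ReportHost name="192.0.2.20">
        <HostProperties>
          <tag name="operating-system">Microsoft Windows Server 2003</tag>
        </HostProperties>
        <ReportItem port="445" protocol="tcp" severity="1" pluginID="10000002" pluginName="Example SMB finding">
          <risk_factor>Low</risk_factor>
          <exploit_available>false</exploit_available>
        </ReportItem>
      </ReportHost>
    </Report>
  </NessusClientData_v2>
XML
```

Usage: `parse_nessus_v2(File.open('scan.nessus')) { |h| puts host_summary(h) }`. Because the block runs at each `</ReportHost>`, the import can print its activity indicator and write to the database per host while the rest of the report is still being read.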

If it’s accurate the next step is to create something like nessus_find_exploits that creates a Nessus scan policy that ONLY scans for vulns with plugins that have a Metasploit exploit attached.  This could be a good recon tool for scanning a network for hosts that are Metasploitable.

Lastly, I’m thinking we need a precision scanning mode, to be able to find an exploit we’d like to use and “scan” a given range of addresses (or just one) for the vuln associated with that exploit.  Two ways I see this working.

  1. We could use the vuln scanner of your choice (probably Nexpose or Nessus to begin with) for that specific vuln on that specific port on that host, or any port on any host.
  2. Inversely, perhaps now is the time to add a generic “scanner” module to Metasploit that will allow you to lightly and quietly test a host for that vuln for that exploit.

I am leaning towards number 2.  Number 1 would be much easier and quicker to build and use, but I also see it as being much more "loud" on the network.  I'd almost prefer a precise, tactical, quiet probe of a host to verify that the vuln exists, not a blast across a host or network the way a traditional vuln scanner tests.  So I'm thinking it'd be hand-crafted checks, perhaps added to each exploit module?  Checks that answer things like: is the remote host a supported target?  Can we actually connect to RPORT, and if we send a specific set of information over, does the response indicate the host is vulnerable to this exploit?  Need to think on this more.
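
As an added illustration of option 2 (not code from the plugin or from Metasploit), here is a stand-alone Ruby sketch of such a per-exploit check. It asks exactly the three questions above in order: can we connect to RPORT, is the banner a supported target, and does one minimal exchange match the fingerprint the exploit author supplies. The outcome names mirror Metasploit's Exploit::CheckCode values; the regexes, the optional probe bytes, and the banner used in testing are placeholders, not a real product's fingerprint.

```ruby
require 'socket'
require 'timeout'

# Outcomes, named after Metasploit's Exploit::CheckCode values.
module CheckCode
  VULNERABLE = :vulnerable   # response matched the vulnerable fingerprint
  SAFE       = :safe         # reached the service; fingerprint says not affected
  UNKNOWN    = :unknown      # could not reach the port or got no usable response
end

# One quiet probe of one host:port. `supported` and `vulnerable` are regexes
# the exploit author would supply (hypothetical here); `probe` is an optional
# minimal request to send before reading, nil means just read the banner.
def precision_check(host, port, supported:, vulnerable:, probe: nil, timeout: 3)
  banner = Timeout.timeout(timeout) do
    TCPSocket.open(host, port) do |sock|   # 1. can we connect to RPORT?
      sock.write(probe) if probe
      sock.gets&.strip                     # one line of response, nothing more
    end
  end
  return [CheckCode::UNKNOWN, 'no response'] if banner.nil? || banner.empty?
  # 2. is this a supported target at all?
  return [CheckCode::SAFE, "unsupported target: #{banner}"] unless banner.match?(supported)
  # 3. does the response indicate the vulnerable version?
  return [CheckCode::VULNERABLE, banner] if banner.match?(vulnerable)
  [CheckCode::SAFE, banner]
rescue SystemCallError, Timeout::Error, IOError => e
  [CheckCode::UNKNOWN, e.class.name]      # refused, unreachable, timed out
end
```

Compared with handing the whole job to a vulnerability scanner, this opens one connection, reads one line and sends at most one small probe, which is what makes it usable against a single address before firing the exploit.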

So, that's the state of the Nessus Plugin for Metasploit right now: sent to msfdev for review and hopefully with fewer bugs in it than it had before.  It could really use some testing, though.  My own test network is very primitive and I am sure there are things I'm missing from my imports.

Thanks.


Posted in Security, Technology with 2 comments.
