New feature added.

Talking in the #metasploit channel on freenode.net today someone (you know who you are) gave me the idea of saving the username, password, hostname/ip and port to a nessus.yaml file so they would be saved between metasploit sessions.

So tonight, I added that. New commands added are:

  • nessus_save: this will save those 4 items to ~/.msf3/nessus.yaml
  • nessus_logout will now remove that file when invoked.
  • nessus_connect will look for that file and use it’s contents if invoked with no arguments.  If the file doesn’t exist, it will display usage.

So basically, load nessus, nessus_connect admin:[email protected]:8834 and then nessus_save.  Now each time you load nessus you just need to nessus_connect and it will reuse those saved creds, until you wiped them out with nessus_logout.

Up next is investigating a way to have the nessus.yaml house multiple sets of creds and let you invoke nessus_connect with the set name to login to that server (or the default set if no set name is given).  also need to modify nessus_save to take an argument that it will use for the set name.  Tackle that later this week I guess.

It’s been merged, so svn up and you are set.  Report bugs to me or via the metasploit redmine.

thanks!


Posted in Bananas and tagged , , , , , , , , , , by with no comments yet.

So much to do.

Going to write up a bit of a “todo” list here of all the things I need to work on.

  1. Nessus IVIL wrapper for Seccubus V2 – I had a wonderful talk with Frank from seccubus a couple of weeks back and we came up with the idea of “IVIL” which is basically a common XML format to report findings in from just about any tool.  I’m going to write an example IVIL aware wrapper for Nessus that will let you create scans, download reports and output in IVIL format to be loaded into seccubus V2.  Ideally anyone could write a wrapper for any tool and convert the tools output to IVIL to be loaded into seccubus for reporting.
  2. Bug fixes for the Nessus plugin.  I need to diff out all the new things in the code that are not currently in metasploit and submit that.  Also work on a couple of tweaks and new features people have suggested.
  3. Watch some more ruby videos and read some more of my ruby book.
  4. Fix up my dev environment.  I am trying to swap over to using Netbeans as my IDE and SVN over SSH to connect to remote servers to test.  Carlos Perez has been great in showing me how this works.  Probably look at moving my dev to a vm on my laptop to repurpose the current hardware as an Astaro box.
  5. Look into using meterpreter more and learning about meterpreter scripting in order to use meterpreter as an OVAL interpreter.
  6. Work more on learning nasl.  Also looking to create a nasl script to do OVAL scanning of remote hosts directly with nessus.  Lots to do here and nasl is a bit clunky after working with ruby.  Funtimes though.
  7. Keep working on my highly threaded http scanning engine.  Basically want something that is fast and scalable for finding http(s) servers on any port.  If one exists now that grabs all kinds of info on what the server/service is, love to see it.  Emphasis on the fast and scalable, talking scanning thousands of hosts and all ports.

That’s all that springs to mind right now.  Still getting over being sick and the whole family being sick after returning from Hack3rcon.

Speaking of Hack3rcon, I had a blast.  I’ll sign off here by embedding my talk on Nessus/MSF Integration.  My first ever talk and I learnt a great deal about presenting with live demo’s.  Redt of the talks are available on irongeek.com

Nessus Bridge for Metasploit Zate Berg from Adrian Crenshaw on Vimeo.


Posted in Bananas, Security, Stuff, Technology, Things and tagged , , , , , , , , , , , by with no comments yet.

Presenting the Nessus Bridge at #Hack3rcon this weekend.

This weekend (Oct 23rd and 24th) I will be in Charleston WV presenting/demoing the Nessus Bridge for Metasploit at Hack3rcon.  This will be the first time I’ll have presented anything outside of work and should be lots of fun.  Quite a few great speakers that I look forward to meeting.

I’ll post the presentation up here once it’s done for everyone else to take a look at.  Actually going to be presenting a few new commands that are not in the metasploit svn version of the plugin.

After Hack3rcon I’ll be back into high gear adding some new functionality to the plugin and branching out into writing a wrapper for Nessus to speak IVIL for Seccubus v2.  This is pretty exciting stuff for me.  Coming up with a xml format to speak “findings” that is tool agnostic is going to be a great thing.  It will mean moving findings between tools, or comparing findings between tools, will be much much easier.  Keep a look out for that one.

There has been some talk on the metasploit mailing list this week about using tools such as Nessus to scan through a MSF pivot and into another network.  Some interesting discussion and I think it’s something I will dive into in these next few weeks.  Start to examine what some of the limitations are and how we might overcome or avoid them.

that’s it for now.  have a good weekend.


Posted in Bananas, Security, Stuff, Technology, Things and tagged , , , , , , , , , , , , , , , by with no comments yet.

Nessus Bridge for Metasploit :: Plugin Commands

Welcome to part 5 of my Nessus Bridge for Metasploit coverage.  Here is part 1part 2part 3 and part 4 if you are just joining us.

Next up are the plugin commands.  These helpful little beasts are all about showing you what plugins are available on your nessus server, and how many of them you have.

  • nessus_plugin_list
  • nessus_plugin_family
  • nessus_plugin_details
  • nessus_plugin_prefs

Given that nessus has over 38,000 plugins, simply asking it to list them all would result in a very large list returned from the server.  Nessus gets around this by breaking the request down into several parts. (more…)


Posted in Bananas, Security, Stuff, Technology, Things and tagged , , , , , , , , , , , , , , , , , by with no comments yet.

Streaming Parser for Nessus Plugin up for testing.

A few late night sessions of coding and I have a version of the plugin up on github.com that uses REXML Streaming Listener to parse the NessusV2 Reports.  The benefits of this is being able to handle much larger scans, much faster as it will itterate over each host and add it as it parses it, instead of the DOM/Tree method which loads the entire file into memory before parsing.

What I’d like is a few people to test it.

[singlepic id=14 w=320 h=240 mode=web20 float=]

So, grab the code from here, unpack it and then over write your metasploit install with the files in that archive.  Should be 4 of them.

Once you have done that, test it, connect to a Nessus server, import some reports, test all the other functions and maybe even just test some importing of nmap etc too if you like.

Report any bugs to me to be fixed and then when you want to remove these files, just delete these 4 from your metasploit install and then do “svn update”.


Posted in Bananas, Security, Stuff, Technology, Things and tagged , , , , , , , , , , by with no comments yet.

Nessus Bridge for Metasploit :: Scan Commands

Welcome to part 4 of my Nessus Bridge for Metasploit coverage.  Here is part 1 and part 2 and part 3 if you are just joining us.

The Scan Commands are where this plugin starts to really differ from previously importing nessus scans from flat files.  With these commands we can stay within the metasploit framework and reach out and examine things with Nessus.  We can then use the Report Commands we just learnt about to pull that data back to later pwn stuff.

Scan Commands are as follows:

  • nessus_scan_new
  • nessus_scan_status
  • nessus_scan_pause
  • nessus_scan_pause_all
  • nessus_scan_stop
  • nessus_scan_stop_all
  • nessus_scan_resume
  • nessus_scan_resume_all (more…)

Posted in Bananas, Security, Stuff, Technology, Things and tagged , , , , , , , , , , , , , , , , , , , , by with no comments yet.

Nessus Plugin

I am developing a plugin for Metasploit that will allow you to use your remote Nessus 4.2 server to conduct recon from within the Metasploit console.  It speaks xmlrpc direct to the Nessus server and lets you do things such as import reports directly from Nessus or kick off scans.  More details can be found here : http://blog.zate.org/2010/09/26/nessus-bridge-for-metasploit-intro/

As I develop the plugin more, changes will be merged into the opensource version of Metasploit (not Express or Pro).  So in order to still be able to make many small rapid changes and get them tested by end users, without disrupting the main Metasploit dev team too much I am sticking the plugin and the library up on github.

http://github.com/Zate/Nessus-Bridge-for-Metasploit

Feel free to fork it, hack on it and submit pull requests.  If you want to just test the code, you can always grab the latest from there and stick it in your msf install.  Chances are that the github copy will be always ahead of the main msf dev branch as I’ll be commiting often as I develop.

If you don’t know how github works (I’m not that sure either.. lol) you should google for some docs on it.

I’ve got my setup so that plugins/nessus and lib/nessus/nessus-xmlrpc.rb in my /opt/msf3 directory link over the versions in the github branch I downloaded.  That way I can hack on it remotely and then commit directly very easily.  Not sure if that is how it’s done but thats how I am doing it.

Feel free to submit feature requests and bugs on that site also.


Posted in and tagged , , , , , , , , , , , , , , , , , , , , , by with 1 comment.

Nessus Bridge for Metasploit :: Intro

One of the most frustrating things for me when I started with metasploit (known as msf from here in) was not exploiting something, but finding something to exploit.  I had all these exploits at my finger tips but my ability to find something to pwn was limited by having to move back and forth between a bunch of tools and cross reference things.

This changed when I did my PwB v3 course, I got much better at determining when and how to use msf to take advantage of something I found.  There was still a lot of moving between tools but I was at least able to identify vulnerable hosts.

I use Nessus in my day job to scan for vulns and sometimes I need to be able to turn those results into demonstrations or do false positive checking.  It was a little annoying to run the scan either from the cli, or usually from the Nessus Web Client and then have to manually import the Nessusv2 report.

At the same time MSF Express came out.  WoW, that is some slick shit. (more…)


Posted in Bananas, Security, Stuff, Technology, Things and tagged , , , , , , , , , by with 7 comments.

New Things

Been a while since I have written.

So what have I been upto?  Well.  Looking back over old posts let me update a couple of things.

  • Got the phone.  Ended up with the Nexus One, on ATT, bought it outright (no contract).  Totally LOVE this phone.  It’s rooted, ROM’d and rockin.  Running Cyanogenmod 6 on it.  Seriously rocking phone.
  • I completed the OffensiveSecurity.com PwV v3.0 course.  Did 30 days worth of labs and then sat the exam for my OSCP.  Passed it too.  Was probably the best training I have ever attended and next to bootcamp for the army, one of the most intense 30 days of my career.  Loved every second of it.
  • Not working on HFC so much anymore.  The project just kind of petered out with Johnny going through some changes over in Uganda.  STill keep tabs on it and offer to help where I can.

So, new projects and things coming up, lets see. (more…)


Posted in Bananas and tagged , , , , , , , , , by with no comments yet.