Nessus Bridge for Metasploit :: Report Commands

Welcome to part 3 of my Nessus Bridge for Metasploit coverage.  Here is part 1 and part 2 if you are just joining us.

Report commands are where we get to actually do things.  They consist of some commands to manage/import reports directly on your Nessus server.  No more going to the web console, exporting a report, moving it to your msf box and running db_import_nessus to get it into your workspace and available to db_autopwn or work with.

The implemented (so far) commands are:

  • nessus_report_list
  • nessus_report_get
  • nessus_report_hosts
  • nessus_report_host_ports
  • nessus_report_host_detail

Ok, make sure you are loaded up and authed to your server and we will check these out. (more…)

Nessus Bridge for Metasploit :: Generic Commands

(some features discussed in this post are not yet in msf, grab the latest code from here if you want to test)

Ok, so you have your msf installed (I like to install from the svn) and you have run “svn update” to ensure you have all the latest goodies.
Go ahead and fire up the msf console (“msfconsole” at your prompt) and you should be presented with the standard msfconsole banner and blurbage telling how much cool shit you just loaded up.

Let’s load up some more, type “load nessus” and press enter.  Some new lines should scroll by telling you that you just loaded the Nessus Bridge for Nessus 4.2.x.  So yeah, just in case you are curious, this plugin works with the latest Nessus.  Prior to 4.0 will not work, neither will OpenVAS.

The line below that says to type nessus_help for a list of commands.  So go ahead and do that.

So it shows us the following commands available for the “Generic” group. (more…)

Nessus Bridge for Metasploit :: Intro

One of the most frustrating things for me when I started with metasploit (known as msf from here in) was not exploiting something, but finding something to exploit.  I had all these exploits at my fingertips but my ability to find something to pwn was limited by having to move back and forth between a bunch of tools and cross reference things.

This changed when I did my PwB v3 course, I got much better at determining when and how to use msf to take advantage of something I found.  There was still a lot of moving between tools but I was at least able to identify vulnerable hosts.

I use Nessus in my day job to scan for vulns and sometimes I need to be able to turn those results into demonstrations or do false positive checking.  It was a little annoying to run the scan either from the cli, or usually from the Nessus Web Client and then have to manually import the Nessusv2 report.

At the same time MSF Express came out.  WoW, that is some slick shit. (more…)

New Things

Been a while since I have written.

So what have I been up to?  Well.  Looking back over old posts let me update a couple of things.

  • Got the phone.  Ended up with the Nexus One, on ATT, bought it outright (no contract).  Totally LOVE this phone.  It’s rooted, ROM’d and rockin.  Running Cyanogenmod 6 on it.  Seriously rocking phone.
  • I completed the PwB v3.0 course.  Did 30 days worth of labs and then sat the exam for my OSCP.  Passed it too.  Was probably the best training I have ever attended and next to bootcamp for the army, one of the most intense 30 days of my career.  Loved every second of it.
  • Not working on HFC so much anymore.  The project just kind of petered out with Johnny going through some changes over in Uganda.  Still keep tabs on it and offer to help where I can.

So, new projects and things coming up, let’s see. (more…)

Time for a new phone

Apr 11 my contract with T-Mobile is up.  We currently have a family plan, with 2 Blackberries on it.  My work no longer reimburses for my part of the account so no real need for me to have a Blackberry anymore (only reason was because of enterprise integration).  So now the time is right to make the switch to something else.

Something else being iPhone or Android.  Let’s examine the choices.

  • iPhone 3GS 16 or 32 GB.
  • Nexus One
  • Droid
  • HTC Desire?

In terms of plan, I am looking for unlimited everything.  Unlim voice minutes, texting and data.

So, I just priced the iPhone 3GS 16GB x2 on AT&T’s website, $495 upfront and $210 a month.  Holy crap!   (more…)

What I want from Drupal 7

So tonight, I didn’t feel much like anything.  Logged into Wow, meh.  Logged into EVE, meh.  Don’t feel like playing any of the games I have installed, don’t feel like reading on the nook, watching TV or anything really.


And then I got an email.  An email telling me, that a plugin on Aharon’s blog needed updating.  I mean that isn’t exactly earth shattering news, but it has got me thinking on why I still use WordPress for my blogs, but love Drupal so much.

Simple reason.  Updates.  Drupal BLOWS for updating compared to WordPress.  Let me walk you through what it takes for me to update a plugin in WordPress, or even upgrade WordPress itself to a new version. (more…)

So much to learn, so little time.

I’m having some major schizophrenia with learning these days.  Just so many disparate things I want to learn and I’m not making as much progress learning as I used to.  I used to be able to suck up a new subject once or twice a week.  Like totally suck it up, have a great understanding and be able to expand on it and move it in new directions.

Right now I am on like month 3 of several things.  I think it’s a case of trying to do too much.

I have a course coming up soon on Pen Testing with Backtrack (PWB) that I am pretty excited about.  It’s 30 days of labs, a bunch of video lectures and a final exam that is 24H long.  Yes, 24H exam, I cannot wait.  I haven’t had anything really challenge me in a while.


Google Wave, so far it’s the answer to a question no one asked.

I want to like it.  I like tons of other Google services.  I’m a Google Fan Boy, but I just don’t get Wave.

It reminds me of online multiplayer games.  It sucks to use alone.  I invited some friends, we got on it.. and it’s a chat client?  Well at least that’s how we used it, it was a rather kludgy chat client.  Google Chat group chat is better, using communicator at work is better.

I don’t see how to email to it, how to connect it to my gmail.

I’m just a bit stumped on what it is good for.  It’s fancy, it’s sexy, but it’s confusing.

Edit:  I found out at least some stuff to do with it.  Type in “with:public” in the search box, ok now stuff starts to make more sense.

I am intrigued by the seemingly total lack of security though.  So is this guy, and he has great points.

Spam, really?

On a page I haven’t showed to anyone, haven’t linked to from anywhere.  That’s sweet.

I am guessing it’s just a case of searching for blog.* on domains, and if it’s got a WordPress, hit it up.  Still, kinda cool.

So, working hard on Drupal.  I like Drupal, but boy is there a major steep learning curve to go beyond a simple site.  I’m working with Organic Groups.  I figure a “Cause” on HFC can be a Group, and a “Need” be a response.  Thing is, when I think about a fully working HFC, I kind of see hackers browsing through a catalog of “Needs” looking for ones that meet their skills.

So that to me speaks of Taxonomy.  I think I can go one further.  What if there was a shared taxonomy between Needs and Hackers?  A Hacker selects from a set of skills that they have, or things they are interested in.  When a Cause posts a Need, it fills out the same skills.  We can then match up hackers to needs in many ways.  Show a “New Needs” box to Hackers browsing that only shows them Needs that require their skills.  All kinds of possibilities become available. (more…)

On thin ice.

We desperately need a server upgrade.  We currently have 2 dedicated boxes, and it’s certainly starting to show its age.  Major problem is space.  I need more space to be able to upgrade TR and TF.

So I am putting the pressure on Aharon to buy us something new.  Looking at this —

It’s what a site I frequent quite often ( uses, and they have many times our current users, so if it works for them, should work for us.

We can get a nicely configured quadcore i970 box, 12gb ram, 2x500gb drives, for about $300 a month.  Only caveat is bandwidth, it comes with 2.5TB.  Not sure how much we are currently using.  I should look that up.

Biggest issue with that is backups.  The drives are not mirrored (ouch!).  So what happens if we have a disk failure? (more…)

