New hardware ordered to the lab

My mix of a 5-port no-brand gigabit switch and a handful of Linksys WRT54Gs hasn’t turned out to be a very stable choice for network connectivity, so I just put in an order for a Netgear GS716T-200EUS, a 16-port gigabit switch with VLAN capability. It will arrive in a few days, which should be just in time for my server move.

I figured 16 ports should be enough. The devices that I am planning to connect to the switch now and in the future are:

Equipment                  NICs each   How many   Total
Sniper                     4           1          4
WRT54G                     1           4          4
Slimline (desktop)         1           1          1
Internet                   1           1          1
New cluster nodes          1           4 (max)    4 (max)
Network Attached Storage   1-2         1          1-2
                                       Total:     15-16

I have some other equipment like networked printers and print-servers which I will put on the ISP-supplied router (that also has a 4-port switch).

New home office (work in progress)

We are expecting an additional family member late May/early June and I have to give up my old home office and move to the space under the stairs instead. No matter how much I love technology, flesh and blood has priority when it comes to living arrangements.

It will however not be all bad. Sure, the amount of space is significantly smaller, but used correctly it won’t affect me too much. Here are some pictures for the interested.

The new office is the result of a trip to Ikea. The following items were bought:

Desk

  • 1 x Trofast frame, pine (000.636.72)
  • 1 x Trofast frame, pine (800.636.72)
  • 2 x Trofast shelf, pine (700.635.84)
  • 1 x Vika Furuskog table top, pine (401.365.58)
  • 1 x Trofast large storage box, white (200.892.42)
  • 3 x Trofast medium storage box, white (956.851.00)
  • 3 x Trofast small storage box, white (800.892.39)

Chair

  • 1 x Franklin bar stool (201.992.07)
  • 1 x Ritva cushion (200.696.92)

Bookshelf (no picture yet)

  • 1 x Billy bookshelf, white (400.857.14)

I still have some way to go before it is completed. I will let you know the progress. Many thanks to IKEA Hackers for an inspiring website!

Vulnerability scanning with Nessus from within Metasploit

Metasploit is a very cool tool to use in your penetration testing, if you didn’t already know that. There are a few things you should add to it for a really good time: Armitage and XSS Framework.

Armitage makes Metasploit a multi-player exploitation tool with a graphical user interface, and XSS Framework makes XSS-attacks with Metasploit easier to perform. You can also use BeEF to exploit XSS-vulnerabilities.

But before I go and talk about all those tools I thought I should start off with how you can perform and import vulnerability scans from within Metasploit itself. It has been known for a while that you can use “db_import” to import data from various security tools:

msf> db_import
Usage: db_import <filename> [file2...]

Filenames can be globs like *.xml, or **/*.xml which will search recursively
Currently supported file types include:
    Acunetix XML
    Amap Log
    Amap Log -m
    Appscan XML
    Burp Session XML
    Foundstone XML
    IP360 ASPL
    IP360 XML v3
    Microsoft Baseline Security Analyzer
    Nessus NBE
    Nessus XML (v1 and v2)
    NetSparker XML
    NeXpose Simple XML
    NeXpose XML Report
    Nmap XML
    OpenVAS Report
    Qualys Asset XML
    Qualys Scan XML
    Retina XML

But that means that you need to first run the scan and then import it into Metasploit. A much cooler feature is to run the vulnerability scan directly from your Metasploit console.

Nessus from msfconsole / Armitage

To run a Nessus vulnerability scan from the Metasploit console you first need to have a Nessus installation somewhere. I’ll wait while you install it, and don’t forget to register your installation so you can download the latest plugins for it.

In Metasploit you start with loading the nessus plugin:

msf> load nessus

and then connect to the Nessus installation

msf> nessus_connect -h
[*] You must do this before any other commands.
[*] Usage:
[*]        nessus_connect username:password@hostname:port <ssl ok>
[*]  Example:> nessus_connect msf:msf@192.168.1.10:8834 ok
[*]         OR
[*]        nessus_connect username@hostname:port <ssl ok>
[*]  Example:> nessus_connect msf@192.168.1.10:8834 ok
[*]         OR
[*]        nessus_connect hostname:port <ssl ok>
[*]  Example:> nessus_connect 192.168.1.10:8834 ok
[*]           OR
[*]        nessus_connect
[*]  Example:> nessus_connect
[*] This only works after you have saved creds with nessus_save
[*]
[*] username and password are the ones you use to login to the nessus web front end
[*] hostname can be an ip address or a dns name of the web front end.
[*] port is the standard that the nessus web front end runs on : 8834.  This is NOT 1241.
[*] The "ok" on the end is important.  It is a way of letting you
[*] know that nessus used a self signed cert and the risk that presents.

msf> nessus_connect user:password@localhost:8834 ok

If you save the credentials using

msf> nessus_save

You only need to issue

msf> nessus_connect

to automatically connect to your Nessus instance. Be warned, your Nessus credentials are stored in the clear in ~/.msf4/nessus.yaml - but it saves on typing…

After you have connected to the Nessus server it is time to scan the target. First we need to select a policy:

msf> nessus_policy_list
[+] Nessus Policy List
[+]

[+] ID  Name                        Comments
--  ----                        --------
-1  Web App Tests              
-2  Internal Network Scan      
-3  Prepare for PCI DSS audits 
-4  External Network Scan      

Then we need to start the scan:

msf> nessus_scan_new -h
[*] Usage:
[*]        nessus_scan_new <policy id> <scan name> <targets>
[*]  Example:> nessus_scan_new 1 "My Scan" 192.168.1.250
[*]
[*] Creates a scan based on a policy id and targets.
[*] use nessus_policy_list to list all available policies

msf> nessus_scan_new -4 "Metasploit Scan" 192.168.1.0/24

Once the scan is completed it is time to import the result into Metasploit:

msf> nessus_report_list

msf> nessus_report_get -h
[*] Usage:
[*]        nessus_report_get <report id>
[*]  Example:> nessus_report_get f0eabba3-4065-7d54-5763-f191e98eb0f7f9f33db7e75a06ca
[*]
[*] This command pulls the provided report from the nessus server in the nessusv2 format
[*] and parses it the same way db_import_nessus does.  After it is parsed it will be
[*] available to commands such as db_hosts, db_vulns, db_services and db_autopwn.
[*] Use: nessus_report_list to obtain a list of report id's

msf> nessus_report_get f0eabba3-4065-7d54-5763-f191e98eb0f7f9f33db7e75a06ca

After which it is time to check what we now know about our target network using the “hosts”, “services” and “vulns” commands.

References

Metasploit Unleashed: Working With Nessus

Metasploit Unleashed: Nessus Via Msfconsole

Merging multiple Nessus reports

I have recently had the need to merge multiple Nessus reports into a single report, and here is the code I used to do it. Take care, and if it breaks for you, you get to keep both pieces. Please note that you need to change the report name in all the files to the same value, like this:

sed -i -e 's/<Report name=".*">/<Report name="Combined report name">/g' reports/*.xml

mergeReports.pl

#!/usr/bin/env perl

use strict;
use warnings;

use XML::Merge;

# Need at least an output file and one input file ($#ARGV is the last index).
if ( $#ARGV > 0 ) {
    print "Merging into " . $ARGV[0] . "\n";
    # The first argument is the base document; the others are merged into it.
    my $merge_obj = XML::Merge->new( 'filename' => $ARGV[0] );
    foreach my $filename (@ARGV) {
        if ( $filename ne $ARGV[0] ) {
            print "Merging " . $filename . "...";
            $merge_obj->merge( 'filename' => $filename );
            print " Done!\n";
        }
    }

    print "Tidying up.... " . $ARGV[0];
    $merge_obj->tidy();
    # Write the merged document back to the base file (merging happens in memory).
    $merge_obj->write();
    print " Done!\n";
} else {
    print "Usage: mergeReports.pl Output.xml inputfiles.xml\n";
}
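As an added example (not the blog's Perl script above, and not code from Metasploit or Nessus), here is a Python version of the merge that also covers the parsing step that nessus_report_get and db_import perform on Nessus v2 XML. It reads the .nessus v2 layout (NessusClientData_v2 / Report / ReportHost / ReportItem), folds every host into one Report so the sed step on the report name becomes unnecessary, skips ReportItems that appear in more than one scan so overlapping target ranges do not double-count findings, and summarises the result by severity. The two embedded reports are constructed sample data; the element and attribute names are the standard .nessus v2 ones, but real files carry many more attributes and a Policy block that this example leaves out.

```python
"""Merge several Nessus v2 (.nessus) reports into one and summarise them.

Added example: the XML below is constructed sample data that mimics the
.nessus v2 layout; real reports carry many more attributes and a Policy block.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample reports; in practice these would be read from reports/*.xml.
SAMPLE_REPORTS = [
    """<NessusClientData_v2>
  <Report name="Scan A">
    <ReportHost name="192.168.1.10">
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0" pluginID="22964" pluginName="Service Detection"/>
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="2" pluginID="10000" pluginName="Example medium finding"/>
    </ReportHost>
  </Report>
</NessusClientData_v2>""",
    """<NessusClientData_v2>
  <Report name="Scan B">
    <ReportHost name="192.168.1.10">
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="2" pluginID="10000" pluginName="Example medium finding"/>
    </ReportHost>
    <ReportHost name="192.168.1.20">
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3" pluginID="10001" pluginName="Example high finding"/>
    </ReportHost>
  </Report>
</NessusClientData_v2>""",
]


def merge_nessus(xml_docs, report_name="Combined report"):
    """Return one NessusClientData_v2 Element whose single Report holds every
    ReportHost from the inputs. A ReportItem is copied only once per
    (host, port, protocol, pluginID), so overlapping scans do not double-count."""
    root = ET.Element("NessusClientData_v2")
    report = ET.SubElement(root, "Report", name=report_name)
    hosts = {}    # host name -> merged ReportHost element
    seen = set()  # (host, port, protocol, pluginID) already copied
    for doc in xml_docs:
        tree = ET.fromstring(doc)
        for host in tree.iter("ReportHost"):
            name = host.get("name")
            if name not in hosts:
                hosts[name] = ET.SubElement(report, "ReportHost", name=name)
                # Keep the first HostProperties block seen for this host, if any.
                props = host.find("HostProperties")
                if props is not None:
                    hosts[name].append(props)
            for item in host.findall("ReportItem"):
                key = (name, item.get("port"), item.get("protocol"), item.get("pluginID"))
                if key in seen:
                    continue
                seen.add(key)
                hosts[name].append(item)
    return root


def summarise(root):
    """Count hosts and ReportItems per Nessus severity (0 info .. 4 critical)."""
    by_sev = Counter(item.get("severity") for item in root.iter("ReportItem"))
    return {"hosts": len(list(root.iter("ReportHost"))), "by_severity": dict(by_sev)}


def merge_files(paths, output_path, report_name="Combined report"):
    """Merge the .nessus files at `paths` into `output_path`; return the summary."""
    docs = []
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            docs.append(fh.read())
    root = merge_nessus(docs, report_name)
    ET.ElementTree(root).write(output_path, encoding="utf-8", xml_declaration=True)
    return summarise(root)


if __name__ == "__main__":
    merged = merge_nessus(SAMPLE_REPORTS)
    print(ET.tostring(merged, encoding="unicode"))
    print(summarise(merged))
```

Run it as `python merge_nessus.py` to see the merged sample, or call `merge_files(glob.glob("reports/*.xml"), "combined.nessus")` on real reports; the merged file still parses as Nessus XML (v2) and can be loaded with db_import like any other report.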

Cloning Facebook accounts with FBPwn

When you do penetration testing it is useful to become “friends” with the employees of the target organization to gather information and perhaps slip a spiked link or two to the employee in hopes that the user clicks and executes its content. However, it is quite tedious to manually clone a Facebook profile (a lot of copy and paste, downloading and re-uploading of images etc.) and become one of the target organization’s employees. Luckily there is now a tool available to automate the task.

FBPwn (Facebook Pwn (slang for owning [taking control over] a resource)) is an application written in Java that downloads a target profile and, if one so chooses, clones the acquired information into a new Facebook profile.

First you need to create a Facebook profile which will be used to access the data and, if chosen, update the profile information with the target’s, including pictures. You can also make FBPwn send friend requests to the cloned profile’s Facebook friends, and more often than not the friends will accept the friend requests because they come from someone they “know” (has the same name and picture as someone they know). The tool has, even at this early stage of development, quite a few tricks up its sleeve and I will go through each of them here.

Getting FBPwn

You can download FBPwn from the Google Code project site. As it is written in Java it will run practically everywhere Java can run. Here I will go through version beta-0.1.6, which is the latest release at this moment.

First off we download it:

Then we unpack and execute the “run.sh” script (OSX, Linux) or “run.bat” (Windows). You will be greeted with the following screen:

Using FBPwn

First you need to configure one or more Facebook profiles to be used to access the profile you want to attack. The Facebook profile needs to be created separately from this tool and the profile language needs to be set to English for FBPwn to work at this stage.

Select one of the accounts you want to use for the next step and click on the “Attack !” button.

Friend URL: The URL of the Facebook profile you want to target. For an example: http://www.facebook.com/profile.php?id=100001638343979

At the moment FBPwn has the following attack methods (plugins):

  • Add Victims Friends
    Add the target profile’s friends to the configured profile.
  • Check Friend Request Task
    Ask to become friend with the targeted profile.
  • Dump Friends Task
    Download the target profile’s list of Facebook friends.
  • Dump Images Task
    Download the images from the target profile.
  • Dump Info Task
    Download the target profile’s information.
  • Dump Thumbnail Images Task
    Download the target profile’s thumbnail images.
  • Dump Wall Task
    Download the target profile’s wall postings.
  • Profile Cloner Task
    Clone the target profile into the configured account.

Once you have selected the modules you want to use click on the “Lunch Attack” button.

The “Monitor Submitted Tasks” tab will show the progress of the selected tasks.

Do note that Facebook’s Terms of Use actually forbid many of the things FBPwn is performing. For example, see section 4 (Registration and Account Security), subsections 1 and 2. You have been warned.

Implementing VT Uploader in OSX

VirusTotal.com, possibly the best malware analysis service on the web, has an application for Windows called “VT Uploader” which sends a selected file to VirusTotal.com for analysis. Unfortunately they don’t have a similar program for OSX… Well, here is how I implemented the same functionality using Automator in OSX.

First off you need an API key for VirusTotal.com, which you get by registering yourself on the website (found under Inbox -> Public API).

Second you need the Python script from Bryce Boe that uploads a file to VirusTotal.com. Make sure that you put your API key into the code (API_KEY variable) and run it from the command line to make sure that you have all the Python dependencies:

$ /usr/bin/python virustotal_report.py eicar.com

You can download the simplejson dependency by using the easy_install utility like this:

$ sudo easy_install simplejson

When you have the prerequisites you start a new “Service” project in Automator. Create a new “Run Shell Script” action and choose the shell “/usr/bin/python”. Paste the code from Bryce Boe’s site in the “Run Shell Script” editor.

Select “Pass input: as arguments” on the top right of the action window.

Finally you select “Service receives selected files or folders in Finder”.

Save the project as “Send to Virustotal”, and you have a nice menu item for it in Finder:

Until next time.

OSX Automator script for pasting to Pastebin.com

I found this cool Automator script for OSX that allows you to paste text from your selection to Pastebin.com.

The steps provided in the original article were a bit difficult to follow at first, so here is a visual walkthrough of how to do it:

Start the Automator application

Create a new “Service” application

Drag a “Run AppleScript” action to the workflow workspace

Paste in the code from https://gist.github.com/761482 into the “Run AppleScript” code window

Then I created a “Copy to Clipboard” action

Then I made sure that the actions are “Service receives selected text in any application” and “Input is entire selection” with “Output replaces selected text” unchecked.

Finally I saved the file as “Pastebin.bin.workflow”.

When you select some text and right-click you get a nice option of sending the selected text to Pastebin.com:

Many thanks to Marc Abramowitz for his very nice blog entry. I haven’t looked at Automator before, but now I think I will automate a lot of tasks in OSX.