Saturday, October 13, 2012

Nessus Part II: Integration with Metasploit

Previously I showed you how to install the Nessus vulnerability scanner on your Linux system and run some basic scans. Today I would like to show a few more steps on how you can make the most of this: importing your scan results directly into Metasploit, and actually running the entire scan from within Metasploit itself. You will need to read the previous write-up if you are unfamiliar with Nessus; it can be found here. Assuming you have the basics down we can now begin....

  • A vulnerable machine (Metasploitable 2.0 is being used for today's demo, download available here)
  • Stable, up to date Metasploit installation; if you need some help getting started you can see this here
  • Nessus v5 fully installed and running
  • Nessus scan profiles and scan types already set up, as well as an already completed scan
  • a little patience
In some cases this approach is also useful to those who work in teams: one person can conduct a scan and then pass the results file to another team member, who can follow the coming instructions to import the results directly into their own local MSF database for continued efforts. The key for now is that you have a finished report. OK, I will start where I left off in the previous Nessus write-up, which was with a completed vulnerability scan of the Metasploitable 2.0 virtual machine from the Rapid7 team. If you still have Nessus up in the browser you should be looking at a completed scan report, similar to this:

Click on 'Download Report' in the upper right corner and choose the ".nessus" format, which is easily imported and parsed by Metasploit.

Since I am using Metasploitable 2.0 for my target, my report file is now saved on the Desktop as "nessus_report_Metasploitable_2.0.nessus", and now we can shift our attention to Metasploit. You will need to fire up the old MSFCONSOLE to get started. Once you have Metasploit started you need to make sure your database is connected so you can actually store what you import; you can use the 'db_status' command to confirm the database connection status...

Now we issue the 'db_import' command and point it at the file you want to import.

COMMAND: db_import /path/to/your/nessus_report.nessus

You can use this feature for more than just Nessus, by the way; it currently supports a wide variety of tools like Acunetix, Amap, Burp Suite, NeXpose, NMAP, OpenVAS and a few more (issue 'db_import' with no arguments to see the full list). You should see a message indicating whether your import was successful or not, hopefully it was :) You can verify the imported details with the 'hosts', 'services' and 'vulns' commands, which show what is currently in the database, like so:

SIDE-NOTE: You can share scan results from other tools like NMAP by following the same steps, although for NMAP you would use 'services' instead of 'vulns' to see the results. You can also scan directly from within MSF by simply using the 'db_nmap' command followed by your usual NMAP syntax, and the results will be stored directly in the database for continued reference and use.

OK, this covers how to import things from previously run scans, as well as from any other supported tool that can produce output in a format MSF can parse (usually XML based).
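To see what 'db_import' is actually pulling out of a ".nessus" file, here is an added example (not code from this post or from Metasploit) that parses a Nessus v2 export into the same hosts/services/vulns view the 'hosts', 'services' and 'vulns' commands show; the sample report, host IP, plugin IDs and CVE are all constructed.

```python
# Added example (not the post's or Metasploit's code): parse a Nessus v2
# ".nessus" export into the host/service/vuln view that 'db_import' populates.
import xml.etree.ElementTree as ET

# Constructed sample in the NessusClientData_v2 layout; every value is made up.
SAMPLE_NESSUS = """<NessusClientData_v2>
<Report name="Metasploitable_2.0">
 <ReportHost name="192.168.56.101">
  <HostProperties>
   <tag name="host-ip">192.168.56.101</tag>
   <tag name="operating-system">Linux Kernel 2.6 on Ubuntu 8.04</tag>
  </HostProperties>
  <ReportItem port="21" svc_name="ftp" protocol="tcp" severity="4"
   pluginID="10000001" pluginName="Example FTP backdoor (constructed)">
   <cve>CVE-0000-0001</cve>
  </ReportItem>
  <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0"
   pluginID="10000002" pluginName="SSH server detection (constructed)"/>
  <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
   pluginID="10000003" pluginName="OS identification (constructed)"/>
 </ReportHost>
</Report>
</NessusClientData_v2>"""

def parse_nessus(xml_text):
    """Return {ip: {"os": str, "services": {(port, proto): name}, "vulns": [..]}}.
    Severity 0 items are informational (service/OS detection plugins) and only
    contribute a service entry; anything with severity > 0 becomes a vuln.
    The stdlib parser is used here; a .nessus file from an untrusted source is
    attacker-influenced XML and should go through defusedxml instead.
    """
    hosts = {}
    for rh in ET.fromstring(xml_text).iter("ReportHost"):
        props = {t.get("name"): (t.text or "") for t in rh.iter("tag")}
        ip = props.get("host-ip", rh.get("name"))
        entry = hosts.setdefault(ip, {"os": props.get("operating-system", ""),
                                      "services": {}, "vulns": []})
        for item in rh.iter("ReportItem"):
            port, proto = int(item.get("port", "0")), item.get("protocol")
            if port:  # port 0 / svc "general" findings are host-level, not a service
                entry["services"][(port, proto)] = item.get("svc_name")
            if int(item.get("severity", "0")) > 0:
                entry["vulns"].append({"port": port, "plugin": item.get("pluginID"),
                                       "name": item.get("pluginName"),
                                       "cves": [c.text for c in item.findall("cve")]})
    return hosts

if __name__ == "__main__":
    for ip, h in parse_nessus(SAMPLE_NESSUS).items():
        print(ip, h["os"], sorted(h["services"]), [v["name"] for v in h["vulns"]])
```

Point it at a real export with `parse_nessus(open("nessus_report_Metasploitable_2.0.nessus").read())` to compare against what 'vulns' shows after the import.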

Now to see how we can actually run the Nessus scan itself directly from within the MSFCONSOLE. We can delete our imported results by issuing 'hosts -d <TARGET-IP>', which removes all records for this host IP that are in the database from the previous steps. Now we can start fresh, run from the console, and check the database for results when it's all said and done. First we need to load the Nessus plugin since it is not loaded by default. This is done by simply issuing the following command:

COMMAND: load nessus

Now you can issue the suggested 'nessus_help' command to see all the options that are available to use...

OK, so the Nessus plugin is now loaded into MSFCONSOLE, but it is not actually connected yet. We now need to connect MSF to the running Nessus server. We can accomplish this with the 'nessus_connect' command and a set of valid Nessus credentials, with syntax like so:

COMMAND: nessus_connect userName:Password@<NessusServerIP>:8834 ok

NOTE: the 'ok' at the end tells the plugin to accept the Nessus server's SSL certificate, which avoids issues connecting due to certs

Now that we are connected, we need to set up our scan as we would in the browser-based GUI configurator. We can check the available scan "policies" by issuing the 'nessus_policy_list' command. You will need to take note of the policy ID number for the scan type you want to run, as we will use it in a sec to launch the actual scan...

NOTE: It's odd, but the '-' prefix on each number is actually part of the ID and should be included when you reference it :p

Now to launch the actual scan we put it all together:

COMMAND: nessus_scan_new <policy id> <scan name> <targets>

After you initiate the scan, Metasploit doesn't bother you with a lot of verbose junk since your console space is valuable, so the scan runs in the background on the Nessus server. To check if the scan is still running you can issue the 'nessus_scan_status' command with no arguments. You will be presented with a table of active running scans if any are still running; otherwise it will simply state that there are no scans running, like so:

NOTE: if you need to pause a scan for some reason, you can issue the 'nessus_scan_pause <scanid>' command.

Once your scan has finished you might notice that the results have not yet actually been imported into Metasploit's database. This is because they are still on the Nessus server we connected to. We need to import them, as we learned earlier, so that everything pulls in; this time we will use the Nessus plugin to handle it. You can issue the 'nessus_report_list' command to see a list of finished reports available to download and import; again you need to take note of the ID for the one you wish to work with. Once you know it, you simply get it with the 'nessus_report_get' command followed by the report ID, and now we have a scan run completely from within MSFCONSOLE with all results fully populated in the MSF database of our choosing. You can now take your time to search through the results and see what is available in Metasploit to exploit each finding.

Hope you enjoyed this follow-up to the previous Nessus write-up. I referenced it before and received a few questions, so hopefully this covers things in enough detail to get you on your way. More to come soon, so stay tuned and until next time - Enjoy!

Wednesday, October 3, 2012

Cracking Password Protected Zip Files on Linux with FCRACKZIP

I was recently given the keys to the castle, and once inside I did the usual snooping around and in the end found myself with a collection of password protected Zip files that I knew had all kinds of juicy info inside. Now I have cracked protected Zip files in the past on Windows using a few tools some friends of mine made, but I had never done it since I moved to my new Linux setup. I decided to make a little tutorial out of the whole incident for anyone interested or in a similar situation. In my search and review I ended up using a tool called FCRACKZIP, and this will be the focus for today's write-up. They actually support a Windows binary version whose syntax should be identical to what you're about to read. You can download the appropriate package for you from the maker's homepage here: FCRACKZIP.

If you are on a Linux machine you can install it using apt-get, like so:

COMMAND: sudo apt-get install fcrackzip

Now if you have some protected Zip files laying around then that's great, but if you don't you can make one with a quick command. Here is the syntax and a quick example:

COMMAND: zip --encrypt -r <ArchiveName> </target/U/want/2/zip>
EXAMPLE: zip --encrypt -r sup3rs3cr3t /home/hood3drob1n/Desktop/fcrackzip-TuT.txt

You will get a prompt after you hit enter which will ask you to type in the password, and then again to confirm it. You should then have a password protected Zip file to use for further testing.

First, as with any tool, we start by quickly reviewing the documentation and then the help menu. Here is a quick shot of the main features as outlined in the help menu:

COMMAND: fcrackzip --help

I will note, since it may not be clear at first, that the '-c' charset option has a few values which will aid you if you are going to perform a straight bruteforce attack on the password:
    a => lower alpha charset [a-z]
    A => UPPER alpha charset [A-Z]
    1 => numerical charset [0-9]
    ! => special charset [!:$%&/()=?[]+*~#]
    : => used to mark additional characters to add into the charset

You should typically start with a wordlist and then move to bruteforcing after. In order to perform a dictionary-based attack, just point it at the wordlist and the zip file you want to crack open:

COMMAND: fcrackzip -D -p 500-worst-passwords.txt -u -v --method 2 <ArchiveName>.zip
        => try cracking using 500-worst-passwords.txt as our password list

NOTE: I experienced app crashes if I didn't place the password list in the same location I was running fcrackzip from, so just do some copying or moving if you experience similar issues to work around it...

Once you have exhausted your wordlist options you can move to bruteforce attacks. You can use the '-l <min>-<max>' option to set the min and max password lengths for bruteforce attacks, or you can use the '-p' init option to set the starting string (and thereby a fixed length) for cracking, for example:

COMMAND: fcrackzip -b -c a -l 1-8 -u -v <ArchiveName>.zip
        => bruteforce attack using the lower alpha charset, testing for lengths 1-8

NOTE: use of the '-u' option cuts down on false positives because it actually tries to unzip the file using each candidate password. It may increase load and time a little but will greatly cut down on false detections. I highly recommend using this option for pretty much all attacks...

Another example, using a bruteforce attack against a fixed length via the -p/init option. It works like so:

COMMAND: fcrackzip -u -c a1 -p saaaaa <ArchiveName>.zip
        => test a-z0-9 but only for passwords 6 chars in length, starting at the string 'saaaaa'

This sums up the general usage of fcrackzip, and you should now be on your way to opening up all those pesky zip files you don't seem to have passwords for. I'm sure there are other tools out there, but this one worked well for me so I thought I would share....

Until next time, Enjoy!