I had this post queuing up for a while now but kept holding back waiting on the new version of Metasploit 3.5.0-dev, in addition each time I visited the Metasploit IRC room I would see Zate talking about some cool feature he is working on implementing.
Now on to the reason for this post, being a fan of both Metasploit and Nessus I was very happy when I saw a tweet a month or so back making mention of a project that would bring both of these wonderful tools together in a nice easy to use fashion. That project was labeled ” Nessus Bridge for Metasploit”. The basic goal behind this project was to “allow you to do various tasks with your Nessus server, from within the msf command line. By that I mean scan with Nessus, review the results, import the results and then exploit the results.” After reading those few lines form the project home page I was already sold.
What can you do with this plug-in or bridge you might ask?
The commands are broken up into the following categories below and are covered in details over at the http://blog.zate.org .
A few prerequisites are needed before you can start hacking away:
- A host with Metasploit installed and configured (I recommend BackTrack 4)
- A host with a Nessus server installed and updated (I recommend you install on your BT4 host)
- A vulnerable host to test with (I recommend you download metasploitable)
Brief demo section before I get into the interview:
- First fire-up both Metasploit and Nessus and run an update to ensure you have the latest signatures.
- Login into Nessus and create your scanning policy
- Close out your browser and prepare to have some fun CLI style!
- Load up the nessus module within msfconle with “load nessus”
- Next connect to your nessus server with “nessus_connect username:password@host:port ok”
- From this point on you can view all polices, perform a scan, import the rules and then use db_autopwn to seal the deal.
Using nessus_policy_list and nessus_scan_new
Now on to the Q & A section with the Author:
Question: How did you get started on your Infosec journey, and also the blogging sphere?
Answer: I started out as a Secure data communication guy for the Australian Army and then left to became a Lotus Notes/Web App guy, migrated over to a Solaris/Linux admin and then into Web App Sec and Threat/Vuln Management. From there I became interested in pen testing, exploits and just generally how the attacker works/thinks.
Blogging is relatively new for me. I am bad at it, and my blog came about really because I wanted to get some ideas down out of my head where others could see them. I’ve not really done much in the way of blogging until the Nessus Plugin as I am bad about keeping up with it and finding things to talk about. Always seemed to be something else
to do. I think the plugin has given me something to start with and now I am queuing up posts for weeks ahead.
Q: What was your motivation behind this project?
A: Part of it was being envious of the cool integration that Nexpose has with Metasploit and most of it was being frustrated at having to move between interfaces to try and find things to exploit. When I first started with Metasploit it was annoying to have these cool exploits to use but I struggled to find exploitable hosts.
I then did the offensivesecurity.com PwB v3 course and gained some knowledge on how to find things to exploit and then I did some playing around with importing nessus scans. It was clunky and around the same time I was experimenting with putting a Drupal front end on Nessus. Part of that process was the discovery of a cool nessus-xmlrpc ruby library by k0st.
Everything kind of clicked together and I thought what if i could stick that library in Metasploit and talk directly to the my Nessus server and import the data right into Metasploit. Some awkward talks about licenses later and HDM merged k0st’s library and my basic shell of a plugin. (Big thanks to k0st for his hard work on the library which i used as a starting point)
Q: What advice would you give a newcomer that would like start using this bridge?
A: Test it out and send me (or Metasploit) bug reports/enhancement requests… hehe. Full guide on using the plugin is up at http://blog.zate.org/2010/09/26/nessus-bridge-for-metasploit-intro/ . Don’t be shy, join #nessus or #metasploit on freenode and ask questions (I am in there as MrUrbanity or Zate). Start with working with all the tools on one box (nessus, msf, database) and I find Ubuntu (native or vmware player) the best way to start. Scan things (that you have permission to scan, or own) and play with it, see how it works.
Q: What tips would you give someone for maximizing the usefulness of this bridge?
A: This plugin wont magically make your Nessus scans more accurate, you still have to tweak/tune them and honestly right now that is probably best done through the web interface for policy tuning. Don’t expect to scan a class C and have it import easily, big reports are a pain right now (streaming parser coming soon). Ideally the way to use this is scan, examine, import, pwn. It’s not a replacement for knowing about exploits and vulnerabilities, you will still need to do some work :).
Q: Why did you choose Metasploit above other application/frameworks to incorporate this functionality?
A: I don’t think there is another offensive exploitation tool out there with the same power and flexibility to allow it’s end users to join in the fun and submit modifications. It’s one thing to do a RFE (Request for Enhancement) and another entirely to code that enhancement and submit it to be included in the tool. I think the combination of free msf and a free (or cheap) nessus scanner is pretty powerful for a security guy trying hard to keep his network running securely. Also ruby is just a joy to code in.
Q: On a personal note, how did you get your handle?
A: I tend to go by MrUrbanity a lot and Urbanity means polite/refined/quiet which depending on who you ask is either me, or not me. I’m a pretty calm guy, takes quite a bit to offend or upset me so the name kind of fit.
Q: If someone wants to assist you with this project what’s the best approach?Couple of ways. Email me (zate75 [at] gmail.com) or find me on IRC (freenode in #metasploit and #nessus) or head to http://github.com/Zate/Nessus-Bridge-for-Metasploit – fork it, hack it and submit a pull request for me to include your changes. I then submit a diff to msfdev about once a week (or when I have significant changes).
A: You can also help me out a great deal by grabbing the code off github and running it and then reporting any bugs or features back to github. Why github and not the metasploit site? Mainly to not annoy the msfdevs. This way I can tweak/hack/commit as often as I need to and not impact their work on msf. I can then just submit working code
when I need it included in msf.
A big thank you to Zate a.k.a MrUrbanity for letting me interview and most importantly for making such a contribution to the community.