It’s been a while since my last post…I’ve been busy playing with cool new things, writing some Post Modules for Metasploit (that will hopefully get accepted and published), and last but not least the daily grind. Anyways, this blog post is for the cool new things……namely BackTrack 5! It’s been about a month or so since BackTrack 5 was available for download, and after playing with the release for a while and running through a couple of installs on various machines and VM’s I decided to document my steps for configuration past install. Now this is not a tutorial on how to install BT to your Drive, but more of a collection of the tips and tricks I have picked up and the customizations I found helpful. For details on how to get it and how to install it I will refer you over to the BackTrack site.

First Steps

First of all reset your password

root@bt:~# passwd

Next, I’ll walk though disabling some stuff set to start on boot. I grew accustomed to starting with nothing running, like BT 4 used to. This version out of the box starts networking and DHCP, portmap, statd, and a postgres db instance for Metasploit. First of all, BT5 handles running scripts/services on start a little differently than the previous versions. It utilizes the newer upstart job system as well as the older init.d and rc*.d scripts, kind of similar to newer versions of Ubuntu.

Upstart jobs are basically config files located in the /etc/init/ directory and contain directives that tell it what to do and on what event to execute. The older init.d scripts are linked to the upstart job if one exists and will generate an error telling you to use the upstart job instead if invoked from a command line. To manage these services use the initctl commands (start, stop, list, etc). The start-up behavior of Networking, portmap, and statd is controlled by by these jobs. To understand how these jobs work, let’s take a look at the networking.conf from the /etc/init/ directory:

description "configure virtual network devices" 

start on (local-filesystems
          and stopped udevtrigger) 

task 

pre-start exec mkdir -p /var/run/network 

exec ifup -a 

So it starts when local-filesystems are started (an event trigger) and executes and ifup -a. That reads your interfaces files and brings up any interfaces that are set to auto there. so, just open your interfaces file, delete all the interfaces you don’t need, add static information for eth0 (if desired) and comment out the “auto” lines. You can then start your networking with ifup eth0 (if thats the interface you use). Below is what my /etc/network/interface file looks like:

To disable Portmap and Statd, you need to edit the /etc/init/portmap-boot.conf file. You just need to comment the “exec” line. Here is what my edited file looks like:

The “framework-postgres” service is started from good ole rc*.d. belwo is the update-rc command to prevent that from starting at boot

Next I disabled KPackageKit (I like apt-get better) and NetworkStatus services from within the KDE Service Manager GUI. You can access this from the KDE Menu item Settings -> System Settings -> Startup and Shutdown. Here’s a screen shot:

After your done, reboot. After you log back in, do a netstat to verify you don’t have anything running. I use -tuanp options to get a good feel for what you have listening. Now on to installing some applications….

Installing and Configuring Applications:

As I mentioned before, I favor apt-get over any of the GUI based stuff so all my apps are installed from the Konsole via apt-get install <name>. Here are the list of necessities for me:

apt-get install kate
apt-get install kcalc
apt-get install cadaver
apt-get install pure-ftpd
apt-get install xchat
apt-get install banshee
apt-get install openoffice.org
apt-get install ksnapshot
apt-get install okular
apt-get install oketa 

Now I really like BasketNotes, but it isn’t in the BT repositories and I didn’t have much luck installing from source so I had to kind of jury rig it. This is not recommended by the BT folks, but I haven’t had any problems so far. Anyways, I added the repo, installed the app, and then removed the repo by opening the source.list file and deleting the entry. Use this at your own risk…See the screen shots for details:

Next I fire up Kate and configure it for use. I use Kate as my main script editor for python, ruby, etc. so I make a few adjustments to make it easier to use. From the top menu select Settings -> Configure Kate. Update the following items:

• under editor component -> open/save -> advanced -> Backup on save – clear all check boxes
• under editor component -> Appearance – check “show line numbers” and “show indention lines”
• under application -> Sessions – check start a new session

Now it’s time to update your system, including Metasploit, and Exploit db. I usually update these every time I boot up my laptop. First to update you system from the repos:

root@bt:~# apt-get update && apt-get upgrade 

Now let’s update Metapsloit:

root@bt:~# cd /pentest/exploits/framework3
root@bt:~# svn update 

…and for exploit db, we need to get things set up so we can just do a svn update from here on out:

root@bt:~# cd /pentest/exploits
root@bt:~# cp exploitdb/searchsploit searchsploit
root@bt:~# rm -rf exploitdb
root@bt:~# svn co svn://www.exploit-db.com/exploitdb
root@bt:~# mv searchsploit /exploitdb/searchsploit 

Here’s how we will update that from here on out:

root@bt:~# cd /pentest/exploits/exploitdb
root@bt:~# svn update 

If you have a laptop, your probably going to want to disable tap-to-click on the track pad. That just drives me crazy, and so dod figuring out how to fix it. To do so, edit the /usr/lib/X11/xorg.conf.d/10-synaptics.conf using nano or kate and add the line: Option “MaxTapTime” “0″ to first the first section. see the screen shot below:

Now let’s get our FTP server up and running. Basically, we are going to create an FTP directory, an ftp user and group on our system to run the service, and a ftp user/password to log in with. Here are the commands that will need to be run to accomplish this (note after the “pure-pw useradd” command you will be prompted to set the password):

root@bt:~# mkdir /ftphome
root@bt:~# groupadd ftpgroup
root@bt:~# useradd -g ftpgroup -d /dev/null -s /etc ftpuser
root@bt:~# pure-pw useradd Kx499 -u ftpuser -d /ftphome
root@bt:~# pure-pw mkdb
root@bt:~# cd /etc/pure-ftpd/auth/
root@bt:~# ln -s ../conf/PureDB 60pdb
root@bt:~# chown -R ftpuser:ftpgroup /ftphome/
root@bt:~# /etc/init.d/pure-ftpd restart
root@bt:~# update-rc.d -f pure-ftpd remove 

Now once you have it set up, you’ll use the pure-pw utility for all your user maintenance. for example, to change the password your would use this command(again, you will be prompted for new password):

root@bt:~# pure-pw passwd [user]
root@bt:~# pure-pw mkdb 

Ok, on to Dradis. Dradis is an excellent tool for documentation and a good place to organize all your information during a pen test. Before I get into it, there is an excellent post with some useful templates that I use here…Sometime down the road I’ll put together a blog post on customizing and using Dradis. The framework has a decent set of import plugins and is very customizable with the ability to import just about any kind of data with a little ruby fu. details can be found on their site here

Alright, to get it going navigate to the /pentest/misc/dradis directory and run the following commands. The ./reset.sh will only be run the first time and any time you want to start over with a fresh database. It 1) backs up the database and files to an archive 2) clears the database for a fresh slate.

root@bt:~# ./reset.sh
root@bt:~# ./start.sh 

Next you’ll want to open your web browser to https://127.0.0.1:3004 and set up your password. You’ll enter it twice and then click the “initialize” button. this will be the password you will use every time you or any else accesses the web client. This will have to be done only after running the reset.sh script. From here on out you will just log in with the user name of your choice (it doesn’t matter) and your password. See the screen shots below:

Now we need to get Java set up/updated/installed. Download the appropriate version from here and save to your /tmp directory. Then run the following commands (make sure you modify them for the version you are installing) and you should be good to go.

mkdir /opt/java && cd /opt/java && sh /tmp/jre-6u25-linux-i586.bin
update-alternatives --install "/usr/bin/java" "java" "/opt/java/jre1.6.0_25/bin/java" 1
update-alternatives --set java /opt/java/jre1.6.0_25/bin/java
ln -s /opt/java/jre1.6.0_25/lib/i386/libnpjp2.so /usr/lib/mozilla/plugins/ 

While your at it I would grab some good Firefox plugins too. I personally like Live Http Headers, Show IP, Tamper Data, and SQLite Manager.
And last but not least…let’s get VNC going. I prefer x11vnc over the kde default, I think it just works better, you can get it from the repos:

root@bt:~# apt-get install x11vnc

Once you’ve got it installed, execute it with the -storepasswd option to specify a password and store it to file

root@bt:~# x11vnc -storepasswd
Enter VNC password:
Verify password:
Write password to /root/.vnc/passwd? [y]/n y
Password written to: /root/.vnc/passwd

Now run it with the following options:

x11vnc -xkb -safer -forever -usepw -display :0

I also set up an init.d script so I could get it up and running by just typing “/etc/init.d/x11-vnc start”. You could also use this to set it to start on boot, but I opted not to. Here’s the init.d script that I have saved to /etc/init.d/x11-vnc:

#! /bin/sh
### BEGIN INIT INFO
# Provides: x11vnc
# Required-Start:
# Required-Stop:
# Should-Start:
# Should-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 1
### END INIT INFO
#
# x11vnc starts and stops the pure-ftpd ftp daemon
if [ ! -e `dirname /var/run/x11vnc.pid` ];then
       mkdir `dirname /var/run/x11vnc.pid`
fi
case "$1" in
  start)
        echo -e "Starting x11vnc: \n"
        start-stop-daemon --start --quiet --pidfile /var/run/x11vnc.pid --make-pidfile --background --exec /usr/bin/x11vnc -- -safer -forever -usepw -display :0
        ;;
   stop)
        echo -e "Stopping x11vnc: \n"
        start-stop-daemon --stop --quiet --pidfile /var/run/x11vnc.pid
        ;;
    *)
        echo "Usage: x11vnc {start|stop}" >&2
        exit 1
        ;;
esac 

That’s it folks….up and running with all the goodies. Hope you found it useful, and if you have any other tips feel free post a comment. My next blog post will be geared towards getting Nexpose up and running and a small tutorial on how to use it both as a stand alone scanner and integrated with the Metasploit Framework.

UPDATE: To run xchat as another user, use the following commands:

xhost +
su - nonrootuser -c xchat

Here is the parsing script if you just want to get right down to it: IEHist Parsing Script

Have you ever fired up a tool and ever wondered “How does that work?” or “How did they do that?”…..Well, it happens to me all the time. It just so happened I was using NirSoft’s iehv.exe and wondered how they get the history info (partly because I want to write a Metasploit module to parse IE information). So I began digging.

It seems that there are a few Windows functions that will allow you to get this information from the WinInet API’s. Namely FindFirstUrlCacheEntry and FindNextUrlCacheEntry, here is a list of all the functions. Nice, but I started thinking about how the index.dat files contain all this information and was wondering if there was an easy way to parse it. There seemed to be a few tools out there to do so, but nothing that I could get the source to.

This goes back to my motive here…A file to parse is easier to deal with in a Metasploit module than looping over railgun calls to get that information from Windows API functions. Soooo, I fired up a hex editor and opened up the file. Just like I thought there were some clearly identifiable structure within it. After a great deal of google-fu and some serious trial & error I was able to loosely identify the structures contained in this file and this gave me a clear path to creating my own utility to parse these files.

First of all, here’s a list of all the location  that IE’s  index.dat is found:

Windows XP and 2000

• C:\Documents and Settings\<username>\Cookies\index.dat
• C:\Documents and Settings\<username>\Local Settings\History\History.IE5\index.dat
• C:\Documents and Settings\<username>\Local Settings\History\History.IE5\MSHistXX\index.dat
• C:\Documents and Settings\<username>\Local Settings\Temporary Internet Files\Content.IE5\index.dat
• C:\Documents and Settings\<username>\UserData\index.dat

Windows Vista and 7

• C:\Users\<username>\Roaming\Microsoft\Windows\Cookies\index.dat
• C:\Users\<username>\Roaming\Microsoft\Windows\Cookies\Low\index.dat
• C:\Users\<username>\Local\Microsoft\Windows\History\History.IE5\index.dat
• C:\Users\<username>\Local\Microsoft\Windows\History\History.IE5\Low\index.dat
• C:\Users\<username>\Local\Microsoft\Windows\History\History.IE5\index.dat\MSHistXX\index.dat
• C:\Users\<username>\Local\Microsoft\Windows\History\History.IE5\Low\index.dat\MSHistXX\index.dat
• C:\Users\<username>\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
• C:\Users\<username>\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5index.dat
• C:\Users\<username>\Roaming\Microsoft\Internet Explorer\UserData\index.dat
• C:\Users\<username>\Roaming\Microsoft\Internet Explorer\UserData\Low\index.dat

I started with the index.dat from the root of the Temporary Internet Files folder. First glance showed a file with a descriptive header, a bunch of garbage (00′s and FF’s) then a HASH tag and some data, then DEADBEEF repeated and in little endian (backwards). Scrolling farther down there seemed to be a repetitive structure starting with a URL tag that seemed to contain the url of the history record, the page title, http headers, and some other stuff. Here are screen shots of the sections of the file I was talking about.

After a bit of poking around I was able to come up with this (rather loose) mappng of the URL structure. Now all dwords or qwords that represent dates, offsets, or struct sizes are stored little-endian style, or backwards. So if the 4 byte dword is displayed as 02 00 00 00 it’s really 00 00 00 02 or 2 in decimal. Strings (Url, Title, Headers) are stored in normal order and null terminated, and the DEADBEEF padding is little endian. Here’s the breakdown as I have it:

Bytes 1-4 = URL tag, this always the same and padded with a space to make the DWORD
Bytes 5-8 = struct size in blocks ( a block = 128 bytes)
Bytes 9-16 = Modified Date stored as a hex representation of the number of ticks since 01-01-1601
Bytes 17 -24 = Accessed Date stored as a hex representation of the number of ticks since 01-01-1601
Bytes 49 -52 = Offset to Type tag: Vistited (History), Cookie (Cookies), or DEADBEEF (Temp. Files)
Bytes 53-56 = Offset to URL
Bytes 61-64 = Offset to Title
Bytes 69-72 = Offset to HTTP Headers.

Here’s a breakdown of a sample URL structure to help you visualize it:

Extracting the Data

Alright, now that we now the data structure we need to script up something to parse out what we need. For my intents and purposes, I am only interested in the Modified Date, Accessed Date, and the Url (the sections of the structure highighted yellow in the graphic above). I’m going to use Ruby here, I have been favoring it as my scripting language lately and it shoudl do the job quite well. You could use anything you like, Python would be a good alternative as well.

Now lets figure out how to get our data. We could open the file and seek around using the offsets, but that would be a pain in the ass and probably slower. I opted to go with utilizing the regex.scan method to manipulate the and parse out what we need with capturing groups. We can write the regex based on the raw hex data from our dump. So, we need to search for the hex values for URL and a space, jump 4 bytes, capture the next 8 (Date Modified), capture the next 8 again (Date Accessed), jump to our type tag, and capture everything up to the first null byte and we should have what we need in the 3 capture groups.

regex = /\x55\x52\x4C\x20.{4}(.{8})(.{8}).*?\x00\x00\x00\x00\xEF\xBE\xAD\xDE(.*?)\x00/

Now the dates are going to be hex values in little endian, so they need to be reversed and converted to decimal or float. This value reresents the number of ticks since 01-01-1601. Now one caveat that I came across is that the Time class in ruby does like dates earlier that the Epoch and 1601 is well before that, so I had to use the DateTime class. Only problem here is that unlike the Time class you cannot add seconds just days. So we need to convert our ticks ( 1tick = 100 nonoseconds) to days instead of seconds and add it to 01-01-1601. Now there may be a more elegant way to do this, but I could not figure out how to unpack these values so they would be the reversed hex values i needed using the unpack method/function so I did it myself with arrays. Here’s how I parsed out he dates.

origh = url[0].unpack('H*')[0]
harr = origh.scan(/[0-9A-Fa-f]{2}/).map { |i| i.to_s}
newh = harr.reverse.join
hfloat = newh.hex.to_f
sec = hfloat/10000000
days = sec/86400 timestamp = t + days
mod = timestamp.to_s

Here is the completed script. Options are:
-t for type and acceptable vaues are: HISTORY, COOKIES, or TEMP
-f for the input file

Example Usage:

iehist.rb -t HISTORY C:\\index.dat iehist.rb -t COOKIES C:\\index.dat iehist.rb -t TEMP C:\\index.dat 

I tend to copy the index.dat to another location then run the script against it. Sometimes I can’t copy it, so I do a “type index.dat > C:\tempindex.dat” from the windows command line. That usually does the trick quite well. That’s about it, thanks for taking the time read the how instead of just running the damn script :)

My latest ventures with BackTrack have brought me to play around with Nexpose from Rapid 7. I had been looking for low cost vulnerability scanning solution to use at work. I am familiar with Nessus, and like it a lot, but wasn’t sure if the bean counters would fork up $1500 a year for a Professional Feed license. This brought me to Nexpose Community Edition from Rapid 7. It’s just as capable as Nessus and the Community edition lets you scan up to 32 ip addresses at a time for free….you just can’t beat that. Now to be fair, Nessus doesn’t have a comparable dumbed down version, the Nessus PF is comparable in features to the Nexpose Express edition which carries a $3000 price tag. My budget was close to nothing so I went with Nexpose.

Now, justy to get some of the differences and caveats between the Community version and the “Pay for” version out there. In the community version:

• Host discovery is limited at best, we need to use Nmap
• Policy or security template checking is disabled
• Unable to modify the existing scan templates (there are a handful of real useful preconfigured tempaltes included though)
• Allowed report types are Audit and Executive Summary (export to PDF/HTML) and Simple XML format…more on this later.

Anyways, I’m going to run through how to use it and how soem of the scans work. I’ll also touch on the API and how to extend some of the included reporting. First of all installation onto BackTrack 5 is a breeze, just follow the directions from the quick-start guide for a Ubuntu installation and you’ll be up and running no time. Once it’s installed, you can start it by:

root@bt:# cd /opt/rapid7/nexpose/nsc
root@bt:/opt/rapid7/nexpose/nsc# ./nsc.sh

Now when it starts for the first time, it will take a while to initialize. After that it will start quickly. After it’s gone through the initialization phase, log into http://127.0.0.1:3780. Log in with user nxadmin and the password you created during installation. just a tip, don’t forget that password…if you do you’ll have to reinstall! The next step will be to get an activation code from Rapid7, just follow the directions on the screen. It’s pretty painless.

The process for getting a scan going is pretty straight forward: Host discovery, create a site, add ip’s to scan to that site, set a scan template, and scan. I’ll walk you through it with some screen shots below.

Host Discovery

Now before we get to adding the site you need to figure out what hosts you want to scan. I suggest using nmap to do the host discovery, due to the 32 ip address limitation with the Community version of Nexpose it won’t do any discovery by passing it a subnet. Take the nmap output and parse out the ip’s splitting them up if you have more than 32.

Creating a Site and Adding Assets

After logging in and setting activating the software you will be at the Home page. From here just add the “New Site” button.

Give your site a name on the General tab and click “Next”. Enter or paste in your list of IP addresses in the Devices tab, alternatively you could upload a text file with a list of IP addresses. If you gerpped and piped nmap out put to a file that is :)

Click “Next” and select the scan template you want in the Scan Setup tab. There are quite a few scan templates to pick from, an the Nexpose Administrator’s Guide has  a wealth of information on how the scans work and what each scan type actually does. One feature to note is the use of Scan optimizer ports for some of the templates that don’t default to a SYN scan for port/service discovery. These are basically ports that the scan engine uses to determine the optimal scan method for each host. Pretty cool…Anyways, there are a few scans that I end up using the most and you probably will too. Here’s a brief run-down of these:

Exhaustive:
This thorough network scan of all systems and services uses only safe checks, including patch/hotfix inspections, policy
compliance assessments, and application-layer auditing. This scan could take several hours, or even days, to complete, depending on
the number of target assets.The scan includes all ports, uses optimizer ports to determine scan type, all safe checks, and no check types disabled

Full Audit:
This full network audit of all systems uses only safe checks, including network-based vulnerabilities, patch/hotfix checking, and application-layer auditing. NeXpose scans only default ports and disables policy checking, which makes scans faster than with the Exhaustive scan. Also, NeXpose does not check for potential vulnerabilities with this template. Includes ports 1 – 1040, no tcp optimizer ports – uses syn scan , disables policy check types.

Microsoft HotFix:
This scan verifies proper installation of hotfixes and service packs on Microsoft Windows systems. For optimum success, use administrative credentials. Includes ports 139,135, 445, 1433, 2400 , no tcp optimizer ports – uses syn scan, only checks for microsoft hot-fixviolations

Now, just a quick note. In testing the different scan and doing some comparisons the Exhaustive and Full Audit scans returned the same number of vulns (349) while the Pentest Scan only returned 6. The Microsoft Hot-Fix scan was very accurate.

Click ”Next” and enter credentials if you have them. Set up the Windows/Samba credentials at the least. These will give you teh ability to check for windows patches as well as various configuration checks on windows machines. I have been prodominately scanning Windows machines on my network for vulnerability assessments so I used Domain Admin credentials. If your’re conducting a pentest you probably dont have thoise credentials…..yet :) Here’s a screen shot of how to set it up.

Click “Next” and add some information for the reports like organization, primary contact, title, etc. When your done, just click “Save” and you’re done the site setup.

Starting a Scan

After you have created a site and added hosts/targets to it, which are refernced as Assets, you will be back at the Home tab and should see your new site under the Site Listing section. To start a scan, click the little green arrow next to you newly createrd site and specify which of the Assets from that site you want to scan. You have the aptions to scan all Assets or just select the teh ones you want.

Click “Start Now” and you will see the scan start and Nexpose will begin reporting the status of that scan back to you. Depending on the scan template and the number of host, the scan could take some time. This screen will show you the Assets discovered and teh number of vulnmerabilities found against each one.

The scan log shows a good deal of detail and can be real helpful in determining how a specific installed application was identified and what chekcs were being done. Great tool for troubleshooting. I found it particularly useful when the scan identified a flash vulnerability on one of my machines. I did not have flah installed, but had the flash plugin for internet explorere installed. A quick gerep of teh log helped me identify where it was installed and what registry was indicating so. To  Acces teh scan log, click the “View Scan Log” button.

Once the scan is complete, the Nexpose web interface shows a wealth on information about the assets grouped by site. From the Assets tab, just select your site and you will see a Site Summary, Scan Listing, and Asset Listing. The Asset listing shows each asset, the vulns discovered, and the number of exploitable vulns. I love that feature. It uses exploits from Metasploit and ExploitDB for it’s exploit identification.

If you click on a specific asset, it Brings you to an Asset Summary. This shows sepcific informatyion about the Asset(ip, hosts name, MAC, OS, etc.), vulnerability details, exploit details, installed software, service/port, and shares. Good wealth of information. I love the exploit details, easily gives you the information to fire up Metasploit and demonstrate how exploitable said vulnerability really is. Cool stuff. See the screenshots below:

Reporting

The community version of Nexpose does inlcude a few reporting options and they are definately adequate…although the one that you get in the “Pay For” version seem quite attractive as well. So, in you get the option to use Full Audit, Executive Summary, and Nexpose Simple XML format. These reports can be exported to PDF and HTML (except the simple XML format of course).

The Full Audit is exactly that. You get: an executive summary, a listing of the assets discovered, vulnerabilities (grouped by severity with affected assets for each vuln), software listing (grouped by software showing instances installed across site), service listing (grouped same as software). The vulnerability section as a description and a detailed resolution. The way the report is structured, it is great for remediation of these issues. You just walk through the Hih, medium, and low vulnerability by vulnerability addressing the affected assets.

The executive Summary if just the executive summary section of the Full Audit report. The Simple XMl is an xml output listing the device and the vulnerabilities found for each device. The details for the vulnerabilities are slim to none, a real basic xml dump.

You run and access the report from the Report tab. To create a report, just click the “New Report” button and follow the wizard to select the report type, output format, the assets to include, and the vulns to include (all or just critical and high). See the 2 screenshots below for reference.

Vulnerabilities Tab

The Vulnerabilities tab shows all of teh vulnerabilities across the site(s) with exploitability, CVSS score, risk factor, and the ability to exclude them from reporting. I guess this is useful if you have a vulnerability you cannot address beacuse of soem 3rd party application requirements or something. No need to keep reminding you how that legacy app is screwing your security posture or anything…..I digress. Anyways, heres a screen shot for you.

Nexpose API and Extending the Simple XML Format

Another cool thing that Rapid7 has done is expose and API for automating many tasks associated with Nexpose. They have functions/methods that allow you to create sites, add assets, run scans, query vulnerability details, create reports, and delete assets/sites all from an external application. They are very well documented and some very handy samples in ruby are out there as well. The Nexpose Community Forums are a great resource for this stuff, and include the detailed documentation as well.

Armed with the API, I went about my task. I liked the Full Audit report, but wanted a report that was grouped and sorted by asset or host as well. Since nothing came out of the box I decided to enhance the Simple XML format by replacing the limited vulnerability nodes in the XML format with the full vulnerability details retireved with a call to the API to query the vuln by identifier. That combined with an xsl formatting document resulted in a xml file that could easily be displayed in most browsers and show all the information I wanted in a nice format. The report lists each host/asset and a table of vulnerabilities for that host with title, severity, PCI severity, CVSS score, port, service, and service description. If you click on the vulnerability title, a window will pop up with all the details for that vulnerability. Note: the pop-up doesn’t work right in IE, but I don’t care b/c I don’t use it. Here is an example of the finished product.

Here is a screenshot of the orginal XML output in the Nexpose Simple XM format:

Here is the modified XML:

Here is ruby script (inside the zip) and the xsl stylesheet I worte to make this happen. Note: the xslstyle sheet needs to be in the same diectory as the xml file to work right.

nexpose.xsl
ns_updatexml.zip

That’s it, in my next post I’ll cover how to use Nexpose from within Metasploit…yep you can scan right from msfconsole and log the results to the db. Great integration, it also automates the process of scanning more than 32 ip addresses at once. Have fun scanning….

From time to time I came across the need whip up some Command-Line Fu to handle simple tasks either in my daily Network Administration tasks or when poking around in a machine looking to escalate privileges. When come across some cool ones, I’m going to post them up in the Command-Line Fu section. Here’s a good one to start it off: show me all versions of java Installed with their corresponding uninstall strings.
@for /f %a in ('@reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall') do @(reg query %a /v DisplayName|find "Java" && reg query %a /v UninstallString|find "UninstallString") 2>nul
Here’s the theory behind it. The HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall key lists all programs installed by GUID, a cryptic character/number combination. The DisplayName value and UninstallString are the values under that key that you want. So, loop through the keys and find a DisplayName using reg query containing the text “Java”. When found execute another reg query to pull the uninstall string…that’s what the && does. The 2>nul get’s rid of the error message noise. You end up with output like this (don’t mind the word wrap):

C:\Documents and Settings\kfaber>@for /f %a in ('@reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
\Windows\CurrentVersion\Uninstall') do @(reg query %a /v DisplayName|find "Java" && reg query %a /v
UninstallString|find "UninstallString") 2>nul 

 DisplayName REG_SZ Java(TM) 6 Update 25
 UninstallString REG_EXPAND_SZ MsiExec.exe /X{26A24AE4-039D-4CA4-87B4 -2F83216025FF}
 DisplayName REG_SZ Java 2 Runtime Environment, SE v1.4.2_15
 UninstallString REG_EXPAND_SZ MsiExec.exe /I{7148F0A8-6813-11D6-A77B -00B0D0142150} 

UPDATE: I figured I woudl update with teh process I use to clean this up. Basically, I use psexec to fire off the uninstall string, but modify it to run silent and log to a file. Type the file after a few minutes to verify it all worked. Here is the output from the session:

C:\Documents and Settings\kfaber>psexec \\abc-101 cmd 

PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com 

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>@for /f %a in ('@reg query HKEY_LOCAL_MACHINE\SOFTWARE\Micro soft\Windows\
CurrentVersion\Uninstall') do @(reg query %a /v DisplayName|find "J ava" && reg query %a /v
UninstallString|find "UninstallString") 2>nul 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MsJavaVM
 DisplayName REG_SZ Java(TM) 6 Update 25
 UninstallString REG_EXPAND_SZ MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2 F83216025FF}
 DisplayName REG_SZ Java(TM) 6 Update 3
 UninstallString REG_EXPAND_SZ MsiExec.exe /I{3248F0A8-6813-11D6-A77B-0 0B0D0160030}
 DisplayName REG_SZ Java Auto Updater 

C:\WINDOWS\system32>MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030} /quiet /log c:\javalog.txt
C:\WINDOWS\system32>type c:\javalog.txt