Shell is only the Beginning

The Mimikatz extension on Meterpreter allows us to use the same commands we would on the standalone tool inside of Meterpreter as native commands. This blog post will cover specifically the stealing of a users certificates by exporting their keys for use by the attacker. In this specific scenario we have gotten a Meterpreter session on a developers system. The system is a Windows 7 System as we can see

if we look at the context we are running under we can see we are running under the target account:

Now lets take a look at what privilege level we have. For this I use a small Meterpreter script I wrote that tells me some basic information of the privilege level I’m working under the script is:

print_status "Admin token: #{is_admin?()}"
print_status "Running as SYSTEM: #{is_system?()}"
print_status "UAC Enabled: #{is_uac_enabled?()}"

When I run the script I get to see if the session is running in a elevated state, if I’m running as SYSTEM and if UAC is enabled:

As you can see the session is limited in terms of privileges, but this does not affect what we want to do which is steal the user certificates. Lets load mimikatz and take a look at the commands it offers:

for this we use the load command and the name of the extension:

the command that are added to our Meterpreter session:

We will use the mimikatz_command custom command to work with certificates.  The command takes 2 options the –f for the module name and –a for the arguments to pass to the module itself.

The command in mimikatz for working with certificates is under the crypto module. To look at the options we just specify the crypto module with no command selected so as to make mimikatz show the commands available:

Since the mimikatz tool is written in French the descriptions for the commands are in Frech but their names are self descriptive. Lets first list the stores available:

As we can see we only have access to the users store. Lets take a look at the certificates we can reach:

As we can see we have access to 2 certificates, one of them is a code signing certificate and the other is a a user certificate from their type. We can also see on the exportability field that one says no the other says yes (in French) this means the Private Key for the certificate. If we try to export them you will see the private key export will fail for the code signing certificate:

We can get around this by patching the API to allow us to export the key. One thing to keep in mind for some keys we have to also patch the LSASS to allow the Microsoft Software Key Storage Provider to export CNG certificates, for this we need to be running as SYSTEM or have the admin token and also the Debug Privilege. In this case for the Code Signing Certificate we do not need that level of access but it is good to know what would be needed if we where not able. To patch the API we use the patchapi command of the crypto module:

Lets try the export of the certificates again:

This time we where successful. The private key for each certificate was exported as a PFX file with a password of mimikatz that we can now download from the target system:

As you can see this only a simple yet effective example of the power of the mimikatz module other than credential collection. Thanks to Erick Milam ( @Brav0Hax )  from Accuvant for peaking my interest on it when he asked me how to steal a users certificate today. Hope you find it useful.

Just updated DNSRecon to check if it can pull the Bind Version by doing a query for the TXT Record version.bind and it will now check if the RA Flag is set in responses from each of the NS servers it detects. If the server has recursion enabled it could be used for DDoS attacks and for performing Cache Snooping.

Example of a run where it is able to pull the Bind Version:

infidel02:dnsrecon carlos$ ./dnsrecon.py -d zonetransfer.me -x zt.xml
[*] Performing General Enumeration of Domain: zonetransfer.me
[-] DNSSEC is not configured for zonetransfer.me
[*]      SOA ns16.zoneedit.com 69.64.68.41
[*]      NS ns12.zoneedit.com 209.62.64.46
[*]      Bind Version for 209.62.64.46 8.4.X
[*]      NS ns16.zoneedit.com 69.64.68.41
[*]      Bind Version for 69.64.68.41 8.4.X
[*]      MX ASPMX2.GOOGLEMAIL.COM 173.194.75.27
[*]      MX ASPMX3.GOOGLEMAIL.COM 173.194.66.27
[*]      MX ASPMX4.GOOGLEMAIL.COM 173.194.65.26
[*]      MX ASPMX5.GOOGLEMAIL.COM 173.194.70.26
[*]      MX ASPMX.L.GOOGLE.COM 74.125.140.27
[*]      MX ALT1.ASPMX.L.GOOGLE.COM 173.194.75.26
[*]      MX ALT2.ASPMX.L.GOOGLE.COM 173.194.66.27
[*]      MX ASPMX2.GOOGLEMAIL.COM 2607:f8b0:400c:c03::1a
[*]      MX ASPMX3.GOOGLEMAIL.COM 2a00:1450:400c:c03::1b
[*]      MX ASPMX4.GOOGLEMAIL.COM 2a00:1450:4013:c01::1b
[*]      MX ASPMX5.GOOGLEMAIL.COM 2a00:1450:4001:c02::1a
[*]      MX ASPMX.L.GOOGLE.COM 2607:f8b0:4002:c01::1a
[*]      MX ALT1.ASPMX.L.GOOGLE.COM 2607:f8b0:400c:c01::1b
[*]      MX ALT2.ASPMX.L.GOOGLE.COM 2a00:1450:400c:c03::1a
[*]      A zonetransfer.me 217.147.180.162
[*]      TXT zonetransfer.me Remember to call or email Pippa on +44 123 4567890 or pippa@zonetransfer.me when making DNS changes
[*]      TXT zonetransfer.me google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA
[*] Enumerating SRV Records
[*]      SRV _sip._tcp.zonetransfer.me www.zonetransfer.me 217.147.180.162 5060 0
[*] 1 Records Found
[*] Saving records to XML file: zt.xml

The information on version and recursion are also saved in the XML as you can see: infidel02:dnsrecon carlos$ cat zt.xml <?xml version="1.0" ?> <records> <record address="69.64.68.41" mname="ns16.zoneedit.com" type="SOA"/> <record Recursive="False" Version="8.4.X" address="209.62.64.46" target="ns12.zoneedit.com" type="NS"/> <record Recursive="False" Version="8.4.X" address="69.64.68.41" target="ns16.zoneedit.com" type="NS"/> <record address="173.194.75.27" exchange="ASPMX2.GOOGLEMAIL.COM" type="MX"/> <record address="173.194.66.27" exchange="ASPMX3.GOOGLEMAIL.COM" type="MX"/> <record address="173.194.65.26" exchange="ASPMX4.GOOGLEMAIL.COM" type="MX"/> <record address="173.194.70.26" exchange="ASPMX5.GOOGLEMAIL.COM" type="MX"/> <record address="74.125.140.27" exchange="ASPMX.L.GOOGLE.COM" type="MX"/> <record address="173.194.75.26" exchange="ALT1.ASPMX.L.GOOGLE.COM" type="MX"/> <record address="173.194.66.27" exchange="ALT2.ASPMX.L.GOOGLE.COM" type="MX"/> <record address="2607:f8b0:400c:c03::1a" exchange="ASPMX2.GOOGLEMAIL.COM" type="MX"/> <record address="2a00:1450:400c:c03::1b" exchange="ASPMX3.GOOGLEMAIL.COM" type="MX"/> <record address="2a00:1450:4013:c01::1b" exchange="ASPMX4.GOOGLEMAIL.COM" type="MX"/> <record address="2a00:1450:4001:c02::1a" exchange="ASPMX5.GOOGLEMAIL.COM" type="MX"/> <record address="2607:f8b0:4002:c01::1a" exchange="ASPMX.L.GOOGLE.COM" type="MX"/> <record address="2607:f8b0:400c:c01::1b" exchange="ALT1.ASPMX.L.GOOGLE.COM" type="MX"/> <record address="2a00:1450:400c:c03::1a" exchange="ALT2.ASPMX.L.GOOGLE.COM" type="MX"/> <record address="217.147.180.162" name="zonetransfer.me" type="A"/> <record name="zonetransfer.me" strings="Remember to call or email Pippa on +44 123 4567890 or pippa@zonetransfer.me when making DNS changes" type="TXT"/> <record name="zonetransfer.me" strings="google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA" type="TXT"/> <record address="217.147.180.162" name="_sip._tcp.zonetransfer.me" port="5060" target="www.zonetransfer.me" type="SRV"/> <scaninfo arguments="./dnsrecon.py -d zonetransfer.me -x zt.xml" time="2013-05-29 11:36:06.550073"/> <domain domain_name="zonetransfer.me"/> </records>

Here is an example where recursion is enabled, you will see that the message is shown differently since this information is crucial during an engagement:

infidel02:dnsrecon carlos$ ./dnsrecon.py -d acmelab.com -n 192.168.1.80
[*] Performing General Enumeration of Domain: acmelab.com
[*] DNSSEC is configured for acmelab.com
[*] DNSKEYs:
[*]     NSEC KSk RSASHA256 ...
[*]     NSEC ZSK RSASHA256 ...
[*]     NSEC ZSK RSASHA256 ...
[*]     NSEC KSk RSASHA256 ...
[*]      SOA labns1.acmelab.com 192.168.1.80
[*]      NS labns1.acmelab.com 192.168.1.80
[-]      Recursion enabled on NS Server 192.168.1.80
[*]      MX mail1.acmelab.com 192.168.1.4
[*]      A acmelab.com 192.168.1.2
[*]      TXT acmelab.com v=spf1 192.168.1.0/24
[*]      TXT _domainkey.acmelab.com o=~; r=postmaster@acmelab.com
[*] Enumerating SRV Records
[*]      SRV _finger._tcp.acmelab.com web1.acmelab.com 192.168.1.2 79 0
[*]      SRV _http._tcp.acmelab.com web2.acmelab.com 192.168.1.3 80 0
[*]      SRV _http._tcp.acmelab.com web1.acmelab.com 192.168.1.2 80 0
[*]      SRV _sip._tls.acmelab.com chat.acmelab.com 192.168.1.5 443 0
[*]      SRV _sipinternaltls._tcp.acmelab.com chat.acmelab.com 192.168.1.5 5061 0
[*]      SRV _https._tcp.acmelab.com web1.acmelab.com 192.168.1.2 443 0
[*]      SRV _https._tcp.acmelab.com web2.acmelab.com 192.168.1.3 443 0
[*] 7 Records Found

Hope you guys find it as useful as I have :)

Recently I got 2 Raspberry Pi Camera modules for my Raspberry Pi boards for some projects I have in mind. I was sad to find out I could not stream unless I had a monitor connected to the Pi and after some additional digging I found out that the initial version of the tools Raspistill and Raspivid the no preview option was broken causing it to not work. After some digging in the forums and trial and error I found how to fix it while the tools are updated and added to the package repo. Plus it was a good exercise in compiling files for ARM.

Update your system applications and download the required software to compile userland:

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install git gcc build-essential cmake vlc

Download and configure sources

Create a folder to hold development files and clone the latest userland for raspian.

cd ~
mkdir Development
git clone git://github.com/raspberrypi/userland.git
cd userland

Create the proper make files:

sed -i 's/if (DEFINED CMAKE_TOOLCHAIN_FILE)/if (NOT DEFINED CMAKE_TOOLCHAIN_FILE)/g' makefiles/cmake/arm-linux.cmake

Fix Raspistill

Open Raspistill command source file at line 1034:

nano +1034 host_applications/linux/apps/raspicam/RaspiStill.c

Modify the line from:

MMAL_STATUS_T status = -1;

to:

MMAL_STATUS_T status = MMAL_SUCCESS;

Fix Raspivid

Open the raspivid source file at line 852:

nano +852 host_applications/linux/apps/raspicam/RaspiVid.c

Modify the line from:

MMAL_STATUS_T status = -1;

to:

MMAL_STATUS_T status = MMAL_SUCCESS;

Build and Install the Latest Userland

Configure a build folder and build and install the userland binaries. This should take around 30 to 45 minutes:

mkdir build
cd build
sudo cmake -DCMAKE_BUILD_TYPE=Release ..
sudo make
sudo make install

You should now be able to create a steam with VLC and connect to it on a headless system using the -n parameter for no preview:

raspivid -o - -t -1 -w 920 -h 540  -n | cvlc -vvv --network-caching=0 stream:///dev/stdin --sout '#rtp{sdp=rtsp://:8554/}' :demux=h264

For some time now I have been maintaining guides for installing Metasploit Framework on OSX, Ubuntu and CentOS. I decided this weekend to write a script to facilitate going thru all the steps. The script aids in installing Framework on OSX Mountain Lion and Ubuntu 12.10/13.04. the script can be found at https://github.com/darkoperator/MSF-Installer

To use the script on OSX Java, Xcode and Command Development Tools from Xcode must be installed before running the script. In the case of OSX I also added the option of installing GNU GCC in the case you want to compile the old Ruby 1.8.7 that requieres it. When you download the script you must make it executable, when ran with no arguments or with -h it will how the usage help message:

$ chmod +x msf_install.sh 
$ ./msf_install.sh -h
Scritp for Installing Metasploit Framework
By Carlos_Perez[at]darkoperator.com
Ver 0.1.0

-i                :Install Metasploit Framework.
-p      :password for MEtasploit databse msf user. If not provided a roandom one is generated for you.
-g                :Install GNU GCC (Not necessary uless you wish to compile and install ruby 1.8.7 in OSX
-h                :This help message

To start the installation you just run the script with the -i option and the installation will start. In the case of OSX it will:

• Check that dependencies are meet.
• Check if Homebrew is installed and of not it will install it.
• Install Ruby 1.9.3
• Install base ruby gems.
• Install and configure Postgres for use with Metasploit
• Install GCC if selected.
• Download and install Metasploit Framework.
• Installs all necessaries Ruby Gems using bundler.
• Configure the database connection and sets the proper environment variables.
• Download and install the latest version of Armitage.
• Download and install the Pentest plugin and DNSRecon Import plugin.

in the case of Ubuntu 12.10 and 13.04 it will:

• Install all necessary packages
• Install base ruby gems.
• Configure Postgres for use with Metasploit
• Download and install Metasploit Framework.
• Installs all necessaries Ruby Gems using bundler.
• Configure the database connection and sets the proper environment variables.
• Download and install the latest version of Armitage.
• Download and install the Pentest plugin and DNSRecon Import plugin.

I let the script be as verbose as possible on purpose so as to identify any surprise changes from R7 or from any of the platforms. I hope it is useful to others as I know it will in my lab setups.

Update on Monday, April 29, 2013 at 9:02AM by Carlos Perez

For better followup on updates and bug fixes check https://github.com/darkoperator/MSF-Installer did a fix on a regex and made sure the apt-get cache is updated before installing.

Listing Reports Available

We can retrieve a list of the reports available on the Nessus Server and the information that they provide with Get-NessusReports function and we provide it a index for the session or an object of Nessus.Server.Session :

C:\> Get-NessusReports -Index 0


ServerHost : 192.168.10.3
ReportID   : a3fb5b8c-60db-1dda-fac7-ee46c0d0a638ea8ce79ab209483c
ReportName : Dev Lab Full Scan
Status     : completed
KB         : True
AuditTrail : True
Date       : 4/14/2013 2:36:21 AM
Session    : Nessus.Server.Session

ServerHost : 192.168.10.3
ReportID   : beb54ae5-ddd5-4700-3e85-d0241ade948354bf668ec4c5c319
ReportName : Lab Full Unauthenticated Scan
Status     : completed
KB         : True
AuditTrail : True
Date       : 4/11/2013 6:39:22 AM
Session    : Nessus.Server.Session

ServerHost : 192.168.10.3
ReportID   : 908185a5-19cc-e2e4-6073-2134043611b99e3d5fcf060ec31e
ReportName : Scan Dev Lab
Status     : completed
KB         : True
AuditTrail : True
Date       : 4/11/2013 4:26:13 AM
Session    : Nessus.Server.Session

ServerHost : 192.168.10.3
ReportID   : 0c0a28e2-824a-3606-4bd2-965d0da1c62272dde8c29f1faa6d
ReportName : Lab Scan 1
Status     : completed
KB         : True
AuditTrail : True
Date       : 4/14/2013 2:36:21 AM
Session    : Nessus.Server.Session

The main properties for each report object are:

• ReportID – This is the unique identifier of the report since Nessus Allows for several reports to have the same name. This is the value we will use for when requesting specific reports for their information.
• ReportName – The friendly name gave to the scan that generated the report.
• Status – When running a Nessus scan the information from the scan is populating a report as it is running so this property will tell us if the results are from a completed scan or is the scan still running.
• KB – this is know as the Knowledge Base of the scan and it is generated per host, this will tell you what plugins where launched and if any errors where encountered. If your Nessus server has less than 2GB of memory the KB is not generated for the hosts so as to save space in memory while executing. The information is stored in the server.
• AuditTrail – This is a execution information that is saved for each plugin it will tell us if the plugin ran with no issues and if a problem was found it will tell us what was the error message. This is saved per plugin and it is stored on the server.
• Date – This is the date when the report was launched in UTC .

The Get-NessusReports function produces objects for each report and these have 2 ScriptMethods that we can use against the object it self

• GetReportItems() – this method retrieves al reported entries (Info, Low, Medium, High and Critical) with all the details for each in the properties of the object.
• GetXML() – This method retrieves the XML .Net object that represents the NessusV2 format of the report.

Getting a Summary of Each Host in a Report

We can query a report and get a summary of the hosts that are in the report and the number of items reported for each severity level, this is done with Get-NessusReportHostSummary.

C:\> Get-NessusReportHostSummary -Index 0 -ReportID a3fb5b8c-60db-1dda-fac7-ee46c0d0a638ea8ce79ab209483c


Hostname : 192.168.10.10
Info     : 51
Low      : 1
Medium   : 4
High     : 0
Critical : 0

Hostname : 192.168.10.12
Info     : 51
Low      : 2
Medium   : 5
High     : 1
Critical : 1

Hostname : 192.168.10.13
Info     : 95
Low      : 2
Medium   : 12
High     : 0
Critical : 0

Hostname : 192.168.10.2
Info     : 38
Low      : 1
Medium   : 1
High     : 0
Critical : 0

Hostname : nessus.darkoperator.com
Info     : 39
Low      : 1
Medium   : 3
High     : 0
Critical : 0

Getting a Summary per Vulnerability in a Report

We can get a summary for each item found and how many of them are in the report using the function  Get-NessusReportVulnSummary

C:\> Get-NessusReportVulnSummary -Index 0 -ReportID a3fb5b8c-60db-1dda-fac7-ee46c0d0a638ea8ce79ab209483c


PluginID     : 10107
PluginName   : HTTP Server Type and Version
PluginFamily : Web Servers
Count        : 5
Severity     : Info

PluginID     : 10147
PluginName   : Nessus Server Detection
PluginFamily : Service detection
Count        : 1
Severity     : Info

PluginID     : 10150
PluginName   : Windows NetBIOS / SMB Remote Host Information Disclosure
PluginFamily : Windows
Count        : 4
Severity     : Info

PluginID     : 10263
PluginName   : SMTP Server Detection
PluginFamily : Service detection
Count        : 2
Severity     : Info

PluginID     : 10267
PluginName   : SSH Server Type and Version Information
PluginFamily : Service detection
Count        : 1
Severity     : Info

PluginID     : 10287
PluginName   : Traceroute Information
PluginFamily : General
Count        : 4
Severity     : Info

PluginID     : 10394
PluginName   : Microsoft Windows SMB Log In Possible
PluginFamily : Windows
Count        : 3
Severity     : Info

PluginID     : 10736
PluginName   : DCE Services Enumeration
PluginFamily : Windows
Count        : 49
Severity     : Info

PluginID     : 10761
PluginName   : COM+ Internet Services (CIS) Server Detection
PluginFamily : Windows
Count        : 3
Severity     : Info

PluginID     : 10785
PluginName   : Microsoft Windows SMB NativeLanManager Remote System Information
               Disclosure
PluginFamily : Windows
Count        : 4
Severity     : Info

PluginID     : 10863
PluginName   : SSL Certificate Information
PluginFamily : General
Count        : 5
Severity     : Info

PluginID     : 10881
PluginName   : SSH Protocol Versions Supported
PluginFamily : General
Count        : 1
Severity     : Info

PluginID     : 10884
PluginName   : Network Time Protocol (NTP) Server Detection
PluginFamily : Service detection
Count        : 2
Severity     : Info

PluginID     : 10940
PluginName   : Windows Terminal Services Enabled
PluginFamily : Windows
Count        : 4
Severity     : Info

........

Getting all Host Information from a Report

If we want all the information available for each host in a report we use the function Get-NessusReportHostsDetailed, this function will download the report XML, Parse it and generate PowerShell objects for each piece of information found. The information will be divided in to 2 parts for each hosts

• Host_Properties – This is the information about the host that was gathered during the enumeration of the hosts including IP addresses, Netstat information, Operating System and other values.
• ReportItems – This are each of the entries in the vulnerabilities tab of a report.

C:\> Get-NessusReportHostsDetailed -Index 0 -ReportID a3fb5b8c-60db-1dda-fac7-ee46c0d0a638ea8ce79ab209483c

Host                          Host_Properties               ReportItems
----                          ---------------               -----------
nessus.darkoperator.com       @{system_type=general-purp... {@{Host=nessus.darkoperato...
192.168.10.2                  @{operating_system=Microso... {@{Host=192.168.10.2; Port...
192.168.10.13                 @{operating_system=Microso... {@{Host=192.168.10.13; Por...
192.168.10.12                 @{operating_system=Microso... {@{Host=192.168.10.12; Por...
192.168.10.10                 @{operating_system=Microso... {@{Host=192.168.10.10; Por...

Here is an example of the information we can get in the host properties:

C:\> $reporthost = Get-NessusReportHostsDetailed -Index 0 -ReportID a3fb5b8c-60db-1dda-fac7-ee46c0d0a638ea8ce79ab209483c |  select -First 1
C:\> $reporthost.Host_Properties


system_type            : general-purpose
netstat_listen_tcp4_0  : 0.0.0.0:22
local_checks_proto     : local
netstat_listen_tcp46_3 : :::22
netstat_listen_tcp4_2  : 0.0.0.0:8834
HOST_START             : Sun Apr 14 02:22:48 2013
host_ip                : 192.168.10.3
operating_system       : Linux Kernel 2.6.32-358.0.1.el6.x86_64 on CentOS release 6.4
                         (Final)
netstat_listen_tcp4_1  : 0.0.0.0:1241
mac_address            : 00:0C:29:28:7A:F9
HOST_END               : Sun Apr 14 02:31:13 2013
netstat_listen_tcp6_5  : :::8834
host_fqdn              : nessus.darkoperator.com
netstat_listen_tcp6_4  : :::1241

Report items will contain the information about each vulnerability and each informational plugin that was lunched and was successful in executing.

C:\> $reporthost.ReportItems[3]


Host                 : nessus.darkoperator.com
Port                 : 0
ServiceName          : general
Severity             : Info
PluginID             : 33276
PluginName           : Enumerate MAC Addresses via SSH
PluginFamily         : General
RiskFactor           : None
Synopsis             : This plugin enumerates MAC addresses on a remote host.
Description          : By connecting to the remote host via SSH with the supplied
                       credentials, this plugin enumerates MAC addresses.
Solution             : Disable any unused interfaces.
PluginOutput         :
                       The following MAC address exists on the remote host :

                         - 00:0C:29:28:7A:F9 (interface eth0)

SeeAlso              :
CVE                  :
BID                  :
ExternaReference     :
PatchPublicationDate :
VulnPublicationDate  :
Exploitability       :
ExploitAvailable     :
CANVAS               :
Metasploit           :
COREImpact           :
MetasploitModule     :
CANVASPackage        :
CVSSVector           :
CVSSBase             :
CVSSTemporal         :
PluginType           : local
PluginVersion        :

One of the great advantages of PowerShell is that it makes managing the large amount of data quite simple and provides options to export the objects in to XML, CSV and even generate our custom HTML reports. Lets look at the GridView option that allow us to see all the report items in a grid and even add filters to the view The command we use is:

$reporthost.ReportItems | Out-GridView

Working with the Nessus v2 XML

We can retrieve the XML .Net Object representation of a report if you which to manipulate the XML it self or use it for other purposes. Getting a XML .Net Object of the report and saving it to disk as a .nessus file

C:\> $nessusreport = Get-NessusV2ReportXML -Index 0 -ReportID a3fb5b8c-60db-1dda-fac7-ee46c0d0a638ea8ce79ab209483c
C:\> $nessusreport.Save("$env:HOMEPATH\Desktop\DevLabRepor.nessus")

Getting access to the information in XML is super easy since in PowerShell it is just like working with a regular .Net object

C:\> $nessusreport.NessusClientData_v2.Report.ReportHost

name                          HostProperties                ReportItem
----                          --------------                ----------
nessus.darkoperator.com       HostProperties                {ReportItem, ReportItem, R...
192.168.10.2                  HostProperties                {ReportItem, ReportItem, R...
192.168.10.13                 HostProperties                {ReportItem, ReportItem, R...
192.168.10.12                 HostProperties                {ReportItem, ReportItem, R...
192.168.10.10                 HostProperties                {ReportItem, ReportItem, R...


C:\> $nessusreport.NessusClientData_v2.Policy


policyName                : All Plugins with Full Scan
policy_comments           :
Preferences               : Preferences
FamilySelection           : FamilySelection
IndividualPluginSelection : IndividualPluginSelection

Filtering Report Items

I know that many people are new to PowerShell and still learning the power it has to filter and manipulate objects so the function Retrieve and filter report items Get-NessusReportItems is here to help with some of the filtering. The function will filter at the server the reported items for Host and Severity and return the appropriate report item objects for use: 

C:\> Get-NessusReportItems -Index 0 -ReportID a3fb5b8c-60db-1dda-fac7-ee46c0d0a638ea8ce7b209483c -HostFilter 192.168.10.12 -SeverityFilter critical,high


Host                 : 192.168.10.12
Port                 : 3389
ServiceName          : msrdp
Severity             : High
PluginID             : 58435
PluginName           : MS12-020: Vulnerabilities in Remote Desktop Could Allow Remote
                       Code Execution (2671387) (uncredentialed check)
PluginFamily         : Windows
RiskFactor           : High
Synopsis             : The remote Windows host could allow arbitrary code execution.
Description          : An arbitrary remote code vulnerability exists in the
                       implementation of the Remote Desktop Protocol (RDP) on the remote
                       Windows host. The vulnerability is due to the way that RDP
                       accesses an object in memory that has been improperly initialized
                       or has been deleted.

                       If RDP has been enabled on the affected system, an
                       unauthenticated, remote attacker could leverage this
                       vulnerability to cause the system to execute arbitrary code by
                       sending a sequence of specially crafted RDP packets to it.

                       This plugin also checks for a denial of service vulnerability in
                       Microsoft Terminal Server.

                       Note that this script does not detect the vulnerability if the
                       'Allow connections only from computers running Remote Desktop
                       with Network Level Authentication' setting is enabled or the
                       security layer is set to 'SSL (TLS 1.0)' on the remote host.
Solution             : Microsoft has released a set of patches for Windows XP, 2003,
                       Vista, 2008, 7, and 2008 R2 :

                       http://technet.microsoft.com/en-us/security/bulletin/ms12-020
PluginOutput         :
SeeAlso              :
CVE                  : {CVE-2012-0002, CVE-2012-0152}
BID                  : {52353, 52354}
ExternaReference     : {OSVDB:80000, OSVDB:80004, EDB-ID:18606, IAVA:2012-A-0039...}
PatchPublicationDate : 2012/03/13
VulnPublicationDate  : 2012/03/13
Exploitability       : Exploits are available
ExploitAvailable     : true
CANVAS               : true
Metasploit           : true
COREImpact           : true
MetasploitModule     : MS12-020 Microsoft Remote Desktop Checker
CANVASPackage        : White_Phosphorus
CVSSVector           : CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSSBase             : 9.3
CVSSTemporal         : 7.3
PluginType           : remote
PluginVersion        :

Host                 : 192.168.10.12
Port                 : 5355
ServiceName          : llmnr
Severity             : Critical
PluginID             : 53514
PluginName           : MS11-030: Vulnerability in DNS Resolution Could Allow Remote Code
                       Execution (2509553) (remote check)
PluginFamily         : Windows
RiskFactor           : Critical
Synopsis             : Arbitrary code can be executed on the remote host through the
                       installed Windows DNS client.
Description          : A flaw in the way the installed Windows DNS client processes
                       Link- local Multicast Name Resolution (LLMNR) queries can be
                       exploited to execute arbitrary code in the context of the
                       NetworkService account.

                       Note that Windows XP and 2003 do not support LLMNR and successful
                       exploitation on those platforms requires local access and the
                       ability to run a special application.  On Windows Vista, 2008, 7,
                       and 2008 R2, however, the issue can be exploited remotely.
Solution             : Microsoft has released a set of patches for Windows XP, 2003,
                       Vista, 2008, 7, and 2008 R2 :

                       http://technet.microsoft.com/en-us/security/bulletin/ms11-030
PluginOutput         :
SeeAlso              :
CVE                  : CVE-2011-0657
BID                  : 47242
ExternaReference     : {OSVDB:71780, IAVA:2011-A-0039, MSFT:MS11-030}
PatchPublicationDate : 2011/04/12
VulnPublicationDate  : 2011/04/12
Exploitability       : Exploits are available
ExploitAvailable     : true
CANVAS               :
Metasploit           : true
COREImpact           : true
MetasploitModule     : Microsoft Windows DNSAPI.dll LLMNR Buffer Underrun DoS
CANVASPackage        :
CVSSVector           : CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSSBase             : 10.0
CVSSTemporal         : 7.8
PluginType           : remote
PluginVersion        :

Getting a Host KB and Plugin Audit

To get the KB is very simple and it is used mainly when opening support tickets with Tenable or when we want to trace what plugins executed or if we want to see what information some plugins used to determined if the host is vulnerable.

C:\> Get-NessusReportHostKB -Index 0 -ReportID a3fb5b8c-60db-1dda-fac7-ee46c0d0a638ea8ce79ab209483c -ReportHost 192.168.10.12 | Out-File -FilePath $env:HOMEPATH\Desktop\lab.txt

If we want to see the audit trail for a plugin that executed against a hosts we can retrieve it and it will tell us more information as to why it did not trigger:

C:\> Get-NessusReportPluginAudit 0 -ReportID a3fb5b8c-60db-1dda-fac7-ee46c0d0a638ea8ce79ab209483c -Host 192.168.10.12 -PluginID 35952 | fl


Host     : 192.168.10.12
PluginID : 35952
ExitCode : 1
Reason   : Can't open socket on port 49777.

Conclusion

I hope you liked this short series. I’m currently working on expanding the functions for Nessus even more and looking forward to the new stuff that will be coming out with new releases so as to add support to those.