Nessus Tools

I wrote two scripts to help parse through Nessus results from a penetration test or vulnerability assessment. The first, called nbe2sql, converts an nbe file to a SQLite database. The second script takes the SQLite database and outputs all IPs with TCP and UDP ports open, in a CSV format to help with report generation.

The next piece I want to write is a GUI frontend to help explore and verify results from the Nessus scan. Some features planned are grouping of results by IP, vulnerability, or port. Analyst notes would be entered directly into the application, which would also help with report generation.
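
The two-step workflow described above (NBE to SQLite, then a per-host open-port CSV), as an added example; this is not the author's nbe2sql code. The table schema, the function names, the sample data and the pipe-delimited field order (record type, subnet, host, port, plugin id, severity, description) are assumptions.

```python
import csv, io, re, sqlite3

# Constructed sample in the pipe-delimited NBE layout (assumed field order:
# record type|subnet|host|port|plugin id|severity|description).
SAMPLE_NBE = """\
timestamps|||scan_start|Mon Nov  6 10:00:00 2006|
results|192.0.2|192.0.2.10|ssh (22/tcp)
results|192.0.2|192.0.2.10|ssh (22/tcp)|10267|Security Note|SSH banner text
results|192.0.2|192.0.2.10|general/tcp|11936|Security Note|OS guess
results|192.0.2|192.0.2.10|snmp (161/udp)|10264|Security Hole|Default community
results|192.0.2|192.0.2.20|http (80/tcp)|10107|Security Note|Server header
results|192.0.2|192.0.2.20|unknown (8080/tcp)
"""

PORT_RE = re.compile(r"^(?:(?P<svc>\S+) \()?(?P<port>\d+)/(?P<proto>tcp|udp)\)?$")

def nbe_to_sqlite(nbe_text, db_path=":memory:"):
    """Load NBE 'results' records into a SQLite table and return the connection."""
    conn = sqlite3.connect(db_path)
    conn.execute("CREATE TABLE results (host TEXT, service TEXT, port INTEGER,"
                 " proto TEXT, plugin_id INTEGER, severity TEXT, description TEXT)")
    for line in nbe_text.splitlines():
        # Split at most 6 times so pipes inside the description survive.
        f = line.split("|", 6)
        if len(f) < 4 or f[0] != "results":
            continue
        m = PORT_RE.match(f[3])
        # "general/tcp" style entries are host-level findings with no port number.
        svc, port, proto = (m["svc"], int(m["port"]), m["proto"]) if m else (f[3], None, None)
        f += [None] * (7 - len(f))   # port-only records carry no plugin fields
        conn.execute("INSERT INTO results VALUES (?,?,?,?,?,?,?)",
                     (f[2], svc, port, proto, f[4], f[5], f[6]))
    conn.commit()
    return conn

def open_ports_csv(conn):
    """Return CSV text: one row per host with its distinct TCP and UDP ports."""
    hosts = {}
    for host, port, proto in conn.execute(
            "SELECT DISTINCT host, port, proto FROM results"
            " WHERE port IS NOT NULL ORDER BY host, port"):
        hosts.setdefault(host, {"tcp": [], "udp": []})[proto].append(str(port))
    out = io.StringIO()
    w = csv.writer(out, lineterminator="\n")
    w.writerow(["ip", "tcp_ports", "udp_ports"])
    for host, p in hosts.items():
        w.writerow([host, " ".join(p["tcp"]), " ".join(p["udp"])])
    return out.getvalue()
```

Keeping every finding in one table also supports the grouping by IP, vulnerability, or port planned for the frontend, since each is a single GROUP BY over the same rows.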


Bin Toolkit: November/December updates

Sorry that I didn’t post an update in November, my travel schedule got a bit crazy and I didn’t have time to gather new tools. Here is a list of the November and December updates for my bin toolkit:

Internet:

Multimedia:

  • ImgBurn 2.1.0.0 – CD/DVD burning tool – Now supports creating ISOs from files on your hard disk, or burning them direct to a disc.

Security:

  • NBTEnum 3.3 – Reed Arvin’s tool to enumerate NetBIOS information from Windows hosts as NULL or under the context of a specified user.

Utils:

  • 7-Zip 4.42 – Compress and extract util, portable version – I added this only now because I needed a tool to browse and extract ISO files.
  • Explore2fs 1.08beta9 – GUI explorer tool for accessing ext2 and ext3 filesystems.
  • HT Editor 0.9.3 – Console mode hex editor – Yes, I know 0.9.4 is out, but there isn’t a Windows binary available yet.
  • HxD 1.6.1.0 – Graphical hex editor.
  • listdir – A small Perl script I wrote that lists all directories within a path you define. This helps me index all the hard drives I have that are ‘offline’.
  • Undelete Plus 2.3.0.0 – File undelete – Seems to have a better interface than Restoration, but we will see if it performs better. Anyone have experience with these tools? I haven’t used either of them yet, so I will keep both for now.

Utils / Sysinternals:

  • Autoruns 8.54 – Display every program that starts on bootup
  • DebugView 4.63 – Monitor debug output
  • Process Explorer 10.21 – Task manager on crack
  • Process Monitor 1.0 – System monitoring tool that replaces Regmon and Filemon. It also includes process, thread, and DLL monitoring as well as advanced filtering, event information, and basic data mining capabilities.
  • PsTools 2.42 – Small suite of Unix-like command line utils. Now supports -accepteula on the command-line in order to avoid breaking non-interactive scenarios.
  • Streams 1.53 – Find alternate data streams in files.

I also cleaned up the PStart menu. The main categories are the same, but now inside the Internet group, I have three subgroups called Client, Server, and Utils. I also created subgroups in the utils category for Undelete and System Information. There are now three utils under the System Information subgroup (aida32, CPU-Z, SIW) and I am wondering if I can remove one or two of them. Seeing that aida32 is a dead project since 2004, I might just keep CPU-Z and SIW.

    Bin Toolkit: October updates

    Here is a list of the October updates for my bin toolkit:

    Internet:

    • tftpd32 – DHCP, TFTP, SNTP and Syslog servers as well as a TFTP client.

    Multimedia:

    Security:

    • pwdump6-1.4.2 – Foofus’ util to extract NTLM and LanMan hashes from a Windows target.
    • tcpdump – MicroOLAP’s version of tcpdump for Windows that doesn’t require 3rd party drivers.

    Utils:

    • contig-1.53 – Sysinternals’ single file defragmenter.
    • Power Defragmenter 2.0.125 – GUI frontend to contig.
    • sdelete-1.51 – Sysinternals’ secure file delete.
    • SIW 1.64 – All sorts of system information.
    • Taskbar Shuffle 2.0 – Rearrange your Windows taskbar with ease. This new version fixes some bugs, but it introduces a separate application to automatically check for new versions. I talked to the author about a feature to disable the autocheck, but he seems to always want this in there. Deleting the updater application will make the main app pop up an error, so my ‘fix’ is to block the application from talking to the internet. This application also fires off some antivirus software, but it is a false positive.

    SF-ECTF

    I just came back from the Electronic Crimes Task Force quarterly conference, held at the Wells Fargo Bank in San Francisco. This was my first ECTF conference, so I didn’t know what to expect, and right away I felt underdressed because everyone was in suits. I met some interesting ‘suits’ during this conference, from DEA and USSS to local police.

    The four talks during this conference didn’t give me any new information, but I did learn more about the ECTF and the role of the USSS. I had a nice chat with a Wells Fargo employee that was part of the intrusion detection team. He told me that his job is really boring because the IDS is tuned so well that they catch ‘bad guys’ within minutes. They use RealSecure for HIDS, but I forgot to ask how they correlate the data, and whether they have central IDS management for all banks or per a number of banks/district/etc.

    I also had a small chat with four DEA agents, and they told me about a recent case that involved a Canadian pharmacy company, and how my employer helped. Another person I talked to was from my local county sheriff’s department, in the computer crimes division. He said that there was only one other person to help him with computer crimes, and how they are totally overworked. He also mentioned that my city will be out of contract with them next year. I wonder if my city will be opening up their own computer crimes unit, as I would be interested in helping out if they were.

    OWASP-SF Meeting

    The SF chapter of OWASP had a meeting today and it rocked. Alex Stamos from iSEC Partners (who also hosted the meeting) presented ‘Breaking AJAX Web Applications: Vulns 2.0 in Web 2.0’ and Jeremiah Grossman from WhiteHat Security presented ‘Hacking Intranet Websites from the Outside’. I believe both of these talks were presented at DEFCON earlier this year, but since I was in Hawaii at the time, it was good to see these talks.

    After seeing how many security professionals showed up to the meeting, it made me want to create an SF / Bay Area security group. There have been lots of local security groups popping up recently, like NYSEC, NoVASec and BeanSec. Anyone else interested in this?

    Bin Toolkit: Environment

    I use two different methods for environment. One is for the command line, the other for the GUI.

    For the command-line environment, I have four scripts that do the work.

    • shell.bat – this is the main script you run, which calls env.bat
    • env.bat – this is where you define dir paths you want to include, and it calls setfile.bat with your current path
    • setfile.bat – this script takes the path from env.bat and calls setbin with it, to set the BINDIR
    • setbin – this file contains the ‘set BINDIR’ line

    For those that want a GUI, I use PStart.

    As for how I categorize the applications, I have four directories: Internet, Multimedia, Security, and Utils.