Skip to main content


Showing posts from February, 2009

Welcome to Mark Baggett - In Depth Defense

I am the course Author of SANS SEC573 Automating Information Security with Python. Check back frequently for updated tools and articles related to course material.

Using the free Nessus feed on your Mac

Tenable has changed their license and you can no longer use their vulnerability feeds for commercial use. has a free nessus feed you can subscribe to.  It is available for use here.   You will notice two update programs there.  One for Unix and one for Windows.   What about the MAC?   To subscribe the nessus feeds on your macintosh do this:
1) Download the linux update script. 2) Update it so it works on your MAC as described below.
First, in the "#Plugin dir" section you will need to to change the line that reads:
NVT_DIR="/var/lib/nessus/plugins/" to  NVT_DIR="/Library/Nessus/run/lib/nessus/plugins"

3) chmod +x
If you run the script by typing :
./  nessus 
you will see an error about not being able to find the command "md5sum".   The nessus feed update did work, but the script was unable to compare the hashes to verify it completed successfully.   That might be good enough for you and you c…

Reverse Pivots with Metasploit - How NOT to make the lightbulb

In a penetration test your target is PII kept on a corporate file server which I will call Victim2. You are outside the firewall but have gained access to an internal host, Victim1, when a user opened your word document with an embeeded Meterpreter payload. The stager embedded in the word document made a REVERSE_TCP connection to your machine which uploaded metsrv.dll to the victim. The machine you have access to (Victim1) has unfiltered access to your target (Victim2). Victim2 is vulnerable to ms08_067_netapi. Victim2 however, has NO access to the internet at all. Were it not for the strict egress firewall rules controlling Victim2 you could have used the ROUTE command to pivot your attack through your meterpreter session on Victim1 to Victim2, and have Victim2 send you a shell directly like this...

Your IP = Victim1 = Victim2 =
Background session 1? [y/N] y msf exploit(ms08_067_netapi) > route add 1 msf exploit(ms08_067…