sahirh at mielesecurity.com
Fri Jan 27 06:42:14 PST 2006
In fact you're right, we're not planning on going by the port number alone,
but by the service fingerprint as well. Obviously building AI into the tool
will take a little bit of time... and we'll still have false positives.
There's an idea to correlate results from multiple tools like amap etc, but
there's a strong chance that two tools will report the service differently.
However using the CVE or BID is a good idea -- in the recon module for
Nessus, we can pull that out of the nbe file.
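The correlation described above, as an added example that is not code from the thread or from the framework: parse Nessus .nbe results, key each finding on its CVE/BID references rather than its port, and match those against a catalogue. It assumes the classic pipe-delimited NBE layout (results|network|host|service|plugin|risk|data); the sample lines, catalogue entries and CVE/BID numbers are constructed placeholders.

```ruby
# Added example, not from the mailing-list thread. Assumes the NBE layout
# results|network|host|service|plugin|risk|data, with "\n" escapes and
# "CVE : ..." / "BID : ..." markers inside the data field.
# Sample scan output and catalogue below are constructed; CVE/BID values are placeholders.
SAMPLE_NBE = <<~NBE
  results|192.168.1|192.168.1.10|ftp (2121/tcp)|10089|Security Hole|Remote FTP server is vulnerable.\\nCVE : CVE-0000-0001\\nBID : 00001
  results|192.168.1|192.168.1.10|http (80/tcp)|11000|Security Note|HTTP server banner: Apache\\n
  results|192.168.1|192.168.1.11|www (8080/tcp)|10115|Security Hole|Remote IIS server is vulnerable.\\nCVE : CVE-0000-0002, CVE-0000-0003\\nBID : 00002
NBE

# Hypothetical catalogue keyed on vulnerability references, not ports.
EXPLOITS = [
  { name: 'ftp_placeholder_overflow', refs: %w[CVE-0000-0001] },
  { name: 'iis_placeholder_overflow', refs: %w[CVE-0000-0003 BID-00002] },
  { name: 'apache_placeholder',       refs: %w[CVE-0000-0009] },
]

# Turn raw NBE text into findings: host, numeric port, CVE list, BID list.
def parse_nbe(text)
  findings = []
  text.each_line do |line|
    fields = line.chomp.split('|', 7)          # limit keeps '|' inside data intact
    next unless fields[0] == 'results' && fields.size == 7
    host, service, data = fields[2], fields[3], fields[6]
    port = service[/\((\d+)\/\w+\)/, 1].to_i    # "ftp (2121/tcp)" -> 2121
    cves = data.scan(/CVE-\d{4}-\d{4,}/)
    bids = data.scan(/BID\s*:\s*([\d, ]+)/).flatten
               .flat_map { |s| s.split(',').map(&:strip) }
    findings << { host: host, port: port, cves: cves, bids: bids }
  end
  findings
end

# Match findings to catalogue entries by CVE/BID; the FTP service on 2121
# is still matched because the port number plays no part in the lookup.
def recommend(findings, exploits = EXPLOITS)
  findings.flat_map do |f|
    ids = f[:cves] + f[:bids].map { |b| "BID-#{b}" }
    exploits.select { |e| (e[:refs] & ids).any? }
            .map { |e| [f[:host], f[:port], e[:name]] }
  end
end

recommend(parse_nbe(SAMPLE_NBE)).each { |host, port, name| puts "#{host}:#{port} #{name}" }
```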
From: Chuck Fullerton [mailto:cfullerton at fullertoninfosec.com]
Sent: Friday, January 27, 2006 7:41 PM
To: vmukhi at vsnl.com
Cc: framework at metasploit.com
Subject: Re: [framework] GUI
This sounds like a great project. May I make a suggestion?
In #2 you wrote about parsing the output from other tools. Instead of
using an open port it might be better to use another unique ID for the
vulnerability due to the fact that an FTP server could be on a different
port than 21. I'd recommend using the CVE or Bugtraq ID.
Hope that helps.
vmukhi at vsnl.com wrote:
>We've been working on extending features of the framework 3.0, and since
>we're fairly new to both Ruby and the internals of the framework, we
>to develop a GUI with a few extra features, this was a good learning
>experience which we figured other people on the list could also benefit
>from. We initially started development using the Tcl/Tk ruby extensions -
>however after about two days, we realized it wasn't going anywhere, so we
>switched over to FXruby (www.fxruby.org). Our goal is to create a GUI
>extension that does the following:
>1. Execute recon modules that will parse the output from nmap, nikto,
>etc. These will determine the target o/s and service versions.
>2. Select exploits which have targets that match the recon results (for
>example, if nmap detects iis5.0, the gui will recommend exploits that
>work against iis5.0). In the same vein if we detect that port 21 is closed,
>no point in displaying ftp exploits.
>3. Allow the user in one shot to select multiple exploits, payload and
>encoders and run all of these in permutation/combination. This would be a
>useful way to test IDS signatures against different encoders. It should
>manage all the successfully exploited sessions. Logically you can extend
>this to scan a complete subnet and execute a mass-attack.
>We've decided however to abandon FXRuby in favour of Qt (for ease of
>development). Do more experienced Ruby coders think this is a wise
>We're attaching the work we'd done in FXRuby. One problem we faced was
>creating a FXLabel widget before calling the create method. We had no choice
>but to create empty labels and then populate their text property later.
>The code is embarrassingly unstructured, but our goal was just to get
>things working. Hopefully people on the list will find it useful. You can
>get it working by first installing FXRuby from fxruby.org and then copying
>the two attached files into the framework directory and running 'ruby -Ilib
>msfgui.rb'. The UI works under Windows also.
>Looking forward to your feedback!
>Vijay Mukhi & team.