Hack Whack and Smack

Parsing Nessus to find Java Remote Class Loading

On every internal pentest I perform I always find myself searching through lots of Nessus findings to actually get the output I want, so I wrote a script. This script is piggy backed of a cool python class called dotnessus_v2 parser (http://code.google.com/p/pynessus/). Basically my script takes a Nessus file as the input and parses the RMI Registry and RMI Object detection plugins and creates you a nice easy Metasploit RC file that runs the auxiliary module against all affected hosts and ports without any user interaction, allowing you to crack on with other stuff while you wait for positive results, e.g. Pwnable services that allow remote class loading.

The reason I did this was because in a standard /24 cidr range your likely to get around 30-50 ports on 20 or so hosts if the environment if fairly populated. This speeds the pwnage process up ten fold. In addition to this it will also create you a webhosts.txt file that lists all the HTTP/HTTPS services that Nessus finds so that you can later run more scripts against these, e.g. I often use my screenshot script to take a screendump of all available web services or nikto each host etc.

Anyway, here is the script in action: