XML interfaces to the popular Nessus scanner

Post on 05-Dec-2014

description

null Mumbai Meet March 2012

XML Interfaces to the Popular Nessus Scanner

Rajesh Deo

Network Intelligence India Pvt. Ltd.

29/03/2012

NULL Mumbai Chapter

The Venerable Nessus Scanner

• A comprehensive vulnerability scanner

• Can perform network tests, system audits, patch management, compliance tests such as PCI DSS, SCADA vulnerability audits, and so on…

• Proprietary - Tenable Network Security

• Started by Renaud Deraison in 1998 to provide the Internet community with a free remote security scanner similar to SATAN and NetSaint.

• Nessus 5.0 was released on Feb 15th, 2012.

• http://www.nessus.org/products/nessus

Open-source Tools

• Perl/Net::Nessus::XMLRPC

• Vlatko Košturjak

• http://search.cpan.org/~kost/Net-Nessus-XMLRPC-0.30/lib/Net/Nessus/XMLRPC.pm

• Perl 5 License (Artistic 1 & GPL 1)

• https://github.com/kost/nessus-xmlrpc-perl

• Also develops similar library for Rapid 7’s NeXpose

• Ruby/nessus-xmlrpc

• http://nessus-xmlrpc.rubyforge.org/

• GPL/BSD, by author of Net::Nessus::XMLRPC

• Python/nessus-xmlrpc

• http://code.google.com/p/nessusxmlrpc/

• Apache License 2.0

• Kurtis Miller

Why do we need these tools?

• Automation

• Automation

• Automation

• Custom reporting

• Custom reporting

• Custom reporting

• XML/XSL

• XPATH/XQUERY

• CLI

• http://seclists.org/metasploit/2010/q3/378

• Bridges to awesome software

• By Zate Burg

Why are we using Python/nessus-xmlrpc?

• I know Python a little bit

• Matplotlib for charting/graphs

• Numpy/SciPy or Interface to R for numerical computations and statistics.

• Not as well developed as Perl/Ruby modules but pretty close

• Last upload in Dec. 2010

• There is scope to contribute...

• ..and perhaps integrate with different tools

Automation: XML-RPC API in Ruby

• Write custom scripts, simple one-off tools

• Monitor long-running scans

• Get reports in XML for parsing and custom reporting.

• Large similarity between Perl and Ruby APIs.

CLI for shell lovers

• Automate with your favorite shell: Bash, Tcsh, Zsh

• Grep, sed and awk

• With an XML/RPC interface you can tunnel your scan requests to your central Nessus server with professional feed over SSH/HTTPS directly from within python/perl/ruby.

• Great for doing external penetration tests.

Multiple Targets?

Multiple targets separated by “,” or “\n”

• Home Feed limits you to only 15 targets at a time, good enough for development.

• XML-RPC interface same between Professional Feed and Home Feed.

Automation with Python

Email and xsltproc

• Possibilities

• Have report emailed to management desktop

• Write custom xsl reports, process with xsltproc on Linux.

• Import into CMS solutions

The XML-RPC Interface for Nessus

• Partially documented

• http://www.tenable.com/documentation/nessus_XMLRPC_protocol_guide.pdf

• An unofficial test.html from Renaud Deraison is here

• http://nessus-xmlrpc.rubyforge.org/test.html

• An update to XML docs will be available in a week, last post 2 days ago.

• https://discussions.nessus.org/message/14693;jsessionid=E2130C8DA7ACFC58DC1850D9EFE828FE

• http://blog.upbeat.fr/tagged/Nessus?

• Unofficial documentation on .nessus v2 XML report format

• Automation using wget

• But please use ruby/perl/python interfaces, far cleaner and you can add custom features.

Nessus v2 XML report format

• Microsoft Excel is your friend

Host Inventory

Vulnerability References

Is there a Metasploit module for this?

Custom Reports: MS Patches

With python use lxml, output to csv, xls, sql, html or xml again!

Python constructs make it easy to write clean code.
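
An added example (not from the original slides) of the MS-patch report described above: it reads a .nessus v2 report and returns one CSV row per host and Microsoft bulletin, flagging findings the report marks as having a Metasploit module. It uses the standard library's ElementTree instead of lxml so it runs without extra packages; the sample report, addresses and plugin IDs are constructed, and the element and attribute names (ReportHost, ReportItem, pluginName, exploit_framework_metasploit) are assumed from the v2 format as commonly exported.

```python
import csv
import io
import re
import xml.etree.ElementTree as ET

# Constructed sample in the .nessus v2 layout; hosts, plugin IDs and titles are made up.
SAMPLE = """<NessusClientData_v2><Report name="constructed-demo">
 <ReportHost name="192.0.2.10">
  <HostProperties><tag name="operating-system">Microsoft Windows Server 2008 R2</tag></HostProperties>
  <ReportItem port="3389" protocol="tcp" severity="3" pluginID="90001"
    pluginFamily="Windows : Microsoft Bulletins" pluginName="MS12-020: Remote Desktop RCE (sample)">
   <exploit_framework_metasploit>true</exploit_framework_metasploit>
  </ReportItem>
  <ReportItem port="0" protocol="tcp" severity="0" pluginID="90002"
    pluginFamily="General" pluginName="Traceroute Information"/>
 </ReportHost>
 <ReportHost name="192.0.2.11">
  <HostProperties><tag name="operating-system">Microsoft Windows XP</tag></HostProperties>
  <ReportItem port="445" protocol="tcp" severity="2" pluginID="90003"
    pluginFamily="Windows : Microsoft Bulletins" pluginName="MS11-030: DNS Resolution RCE (sample)"/>
 </ReportHost>
</Report></NessusClientData_v2>"""

BULLETIN = re.compile(r"^(MS\d{2}-\d{3}):")  # bulletin ID at the start of the plugin name

def missing_ms_patches(xml_text):
    """Return (host, os, bulletin, severity, port, has_msf_module) rows, worst first."""
    rows = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        os_name = host.findtext("HostProperties/tag[@name='operating-system']", "unknown")
        for item in host.iter("ReportItem"):
            m = BULLETIN.match(item.get("pluginName", ""))
            if not m:
                continue  # not a Microsoft bulletin finding
            msf = item.findtext("exploit_framework_metasploit", "false") == "true"
            rows.append((host.get("name"), os_name, m.group(1),
                         int(item.get("severity", "0")), item.get("port"), msf))
    return sorted(rows, key=lambda r: (-r[3], r[0], r[2]))

def to_csv(rows):
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["host", "os", "bulletin", "severity", "port", "metasploit_module"])
    writer.writerows(rows)
    return out.getvalue()

if __name__ == "__main__":
    print(to_csv(missing_ms_patches(SAMPLE)), end="")
```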

Vulnerability Management/Delta Reporting

• Seccubus: http://seccubus.com/

• Seccubus automates regular vulnerability scans with Nessus and OpenVAS and provides delta reporting.

• Frank Breedijk

• Perl/JavaScript based.

• Need to integrate custom reporting with change management and inventory management etc.

• Bridges to proprietary software: SharePoint, MS SQL Server, integration into standard business workflows of IT departments. Both Perl/Python provide modules to generate standard business format documents.

Improve the tools

• Goals: Integration

• Custom reports

• Python/XML foo OK.

• We are doing one-off scripts right now.

• Reporting/Tracking should not be painful

• Web-based reports best

• Export to PDF

• Summarize and drill down interactive capability

• Need awesome reporting and charting capability

• Ruby/Ruport

• jQuery/Ext JS/Node.js

• Java/Processing

Questions?

Please send us your ideas/comments/questions at rajesh.deo@niiconsulting.com

Acknowledgements:

Tuhin Goswami

Our esteemed client where we implemented some of the tools presented.

Wasim Halani and K. K. Mookhey for guidance.