XML Interfaces to the Popular Nessus Scanner
1. XML Interfaces to the Popular Nessus Scanner
Rajesh Deo
Network Intelligence India Pvt. Ltd.
29/03/2012
NULL Mumbai Chapter
2. The Venerable Nessus Scanner
• A comprehensive vulnerability scanner
• Can perform network tests, system audits, patch
management, compliance tests such as PCI DSS, SCADA
vulnerability audits, and so on…
• Proprietary - Tenable Network Security
• Started by Renaud Deraison in 1998 to provide
the Internet community with a free remote security scanner
similar to SATAN and NetSaint.
• Nessus 5.0 was released on Feb 15th, 2012.
• http://www.nessus.org/products/nessus
3. Open-source Tools
• Perl/Net::Nessus::XMLRPC
• Vlatko Košturjak
• http://search.cpan.org/~kost/Net-Nessus-XMLRPC-0.30/lib/Net/Nessus/XMLRPC.pm
• Perl 5 License (Artistic 1 & GPL 1)
• https://github.com/kost/nessus-xmlrpc-perl
• Also develops similar library for Rapid 7’s NeXpose
• Ruby/nessus-xmlrpc
• http://nessus-xmlrpc.rubyforge.org/
• GPL/BSD, by author of Net::Nessus::XMLRPC
• Python/nessus-xmlrpc
• http://code.google.com/p/nessusxmlrpc/
• Apache License 2.0
• Kurtis Miller
4. Why do we need these tools?
• Automation
• Automation
• Automation
• Custom reporting
• Custom reporting
• Custom reporting
• XML/XSL
• XPATH/XQUERY
• CLI
• http://seclists.org/metasploit/2010/q3/378
• Bridges to awesome software
• By Zate Burg
5. Why are we using Python/nessus-xmlrpc?
• I know Python a little bit
• Matplotlib for charting/graphs
• Numpy/SciPy or Interface to R for numerical computations and
statistics.
• Not as well developed as Perl/Ruby modules but pretty close
• Last upload in Dec. 2010
• There is scope to contribute...
• ..and perhaps integrate with different tools
6. Automation: XML-RPC API in Ruby
• Write custom scripts, simple one-off tools
• Monitor long-running scans
• Get reports in XML for parsing and
custom reporting.
• Large similarity between Perl and Ruby
APIs.
7. CLI for shell lovers
• Automate with your favorite shell: Bash, Tcsh, Zsh
• Grep, sed and awk
• With an XML/RPC interface you can tunnel your scan requests to
your central Nessus server with professional feed over SSH/HTTPS
directly from within python/perl/ruby.
• Great for doing external penetration tests.
8. Multiple Targets?
• Home Feed limits you to only 15 targets at a time, which is good
enough for development.
• XML-RPC interface same between Professional Feed and
Home Feed.
Multiple targets separated by “,” or “\n”
9. Automation with Python
Email and
xsltproc
• Possibilities
• Have report emailed to
management desktop
• Write custom xsl reports,
process with xsltproc on Linux.
• Import into CMS solutions
10. The XML-RPC Interface for Nessus
• Partially documented
• http://www.tenable.com/documentation/nessus_XMLRPC_protocol_guide.pdf
• An unofficial test.html from Renaud Deraison is here
• http://nessus-xmlrpc.rubyforge.org/test.html
• An update to XML docs will be available in a week, last post 2
days ago.
• https://discussions.nessus.org/message/14693;jsessionid=E2130C8DA7ACFC58DC1850D9EFE828FE
• http://blog.upbeat.fr/tagged/Nessus?
• Unofficial documentation on .nessus v2 XML report format
• Automation using wget
• But please use ruby/perl/python interfaces, far cleaner and you can
add custom features.
11. Nessus v2 XML report format
• Microsoft Excel is your friend
[Screenshot callouts: Vulnerability References; Host Inventory; “Is there a Metasploit module for this?”]
12. Custom Reports: MS Patches
With python use lxml, output to csv,
xls, sql, html or xml again!
Python constructs make it easy to
write clean code.
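A missing-MS-patch report of the kind this slide describes, as an added example (not code from the presentation). It uses the standard library's ElementTree in place of lxml so it runs without extra packages. The report is a constructed sample laid out in the .nessus v2 style (ReportHost, HostProperties/tag, ReportItem); the hosts, plugin IDs and plugin names are made up, and the function names are hypothetical.

```python
import csv
import io
import re
import xml.etree.ElementTree as ET

# Constructed sample report: hosts, plugin IDs and plugin names are made up.
SAMPLE_NESSUS_V2 = """<NessusClientData_v2><Report name="constructed-sample">
<ReportHost name="192.0.2.10">
<HostProperties><tag name="operating-system">Microsoft Windows Server 2003</tag></HostProperties>
<ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3" pluginID="90001"
  pluginName="MS08-067: sample bulletin check" pluginFamily="Windows : Microsoft Bulletins">
<cve>CVE-2008-4250</cve></ReportItem>
<ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="90002"
  pluginName="Sample informational plugin" pluginFamily="General"/>
</ReportHost>
<ReportHost name="192.0.2.11"><HostProperties/>
<ReportItem port="445" svc_name="cifs" protocol="tcp" severity="2" pluginID="90003"
  pluginName="MS10-012: sample bulletin check" pluginFamily="Windows : Microsoft Bulletins"/>
</ReportHost>
</Report></NessusClientData_v2>"""

# Microsoft bulletin identifiers look like MS08-067 (two-digit year, three-digit number).
BULLETIN = re.compile(r"\bMS\d{2}-\d{3}\b")

def missing_ms_patches(xml_text):
    """Return sorted (host, os, bulletin, severity, cves) rows, one per bulletin finding."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.iter("ReportHost"):
        os_tag = host.find("HostProperties/tag[@name='operating-system']")
        os_name = os_tag.text if os_tag is not None else "unknown"
        for item in host.iter("ReportItem"):
            match = BULLETIN.search(item.get("pluginName", ""))
            if match is None:  # not a Microsoft bulletin finding
                continue
            cves = ";".join(c.text for c in item.findall("cve"))
            severity = int(item.get("severity", "0"))
            rows.append((host.get("name"), os_name, match.group(0), severity, cves))
    return sorted(rows)

def to_csv(rows):
    """Render the rows as CSV text with a header line."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["host", "os", "bulletin", "severity", "cve"])
    writer.writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":
    print(to_csv(missing_ms_patches(SAMPLE_NESSUS_V2)), end="")
```

For report files you did not generate yourself, a hardened parser such as defusedxml is the safer choice.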
13. Vulnerability Management/Delta
Reporting
• Seccubus: http://seccubus.com/
• Seccubus automates regular vulnerability scans with Nessus and
OpenVAS and provides delta reporting.
• Frank Breedijk
• Perl/Javascript based.
• Need to integrate custom reporting with change management
and inventory management etc.
• Bridges to proprietary software: SharePoint, MS SQL Server,
integration into standard business workflows of IT
departments. Both Perl/Python provide modules to generate
standard business format documents.
14. Improve the tools
• Goals: Integration
• Custom reports
• Python/XML foo OK.
• We are doing one-off scripts right now.
• Reporting/Tracking should not be painful
• Web-based reports best
• Export to PDF
• Summarize and drill down interactive capability
• Need awesome reporting and charting capability
• Ruby/Ruport
• jQuery/Ext JS/Node.js
• Java/Processing
15. Questions?
Please send us your
ideas/comments/questions at
rajesh.deo@niiconsulting.com
Acknowledgements:
Tuhin Goswami
Our esteemed client where we
implemented some of the tools
presented.
Wasim Halani and
K. K. Mookhey for guidance.