Vulnerability Intelligence and Assessment with vulners.com
Webinar for Pentestit Lab, 2016


Slide 1: Vulnerability Intelligence & Assessment with vulners.com
Alexander Leonov
Pentestit Lab, 2016

Slide 2: #:whoami
- Security Analyst at Mail.Ru Group
- Texts and Analytics for vulners.com
- Security Automation blog at avleonov.com

Slide 3: Vulners Project
- Was created by the QIWI security team
- Vulnerability source data aggregator
- Normalized, machine-readable content
- API-driven development
- Absolutely free

Slide 4: Vulners Project

Slide 5: Definition
Vulnerability is a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
(Glossary of Key Information Security Terms, NISTIR 7298 R2)

Slide 6: Risks
- Information systems takeover
- Revocation of licenses
- Business continuity
- Money loss
- ... and more

Slide 7: Vulnerability management process
- Mandatory component of information security
- A must-have for security-aware companies
- Necessary to perform in accordance with PCI DSS and other standards
- Best practice for survival on the Internet

Slide 8: Vulnerability management lifecycle
Discover -> Prioritize Assets -> Assess -> Report -> Remediate -> Verify

Slide 9: Some problems of vulnerability scanners
- When the scan is finished, the results may already be outdated
- Per-host licensing
- Knowledge base: how quickly does the vendor add new vulnerability checks?
- Some vulnerabilities can be found only with authorization or a correct service banner
- No scanner will find all vulnerabilities of any software
- You will never know the real limitations of the product

Slide 10: Nessus vs. OpenVAS
- All CVEs: 80196
- Nessus CVE links: 35032
- OpenVAS CVE links: 29240
- OpenVAS vs. Nessus: 3787 (OpenVAS only); 25453 (both); 9579 (Nessus only)

Slide 11: Nessus vs. OpenVAS
- All CVEs: 80196
- Nessus CVE links: 35032
- OpenVAS CVE links: 29240
- OpenVAS vs. Nessus: 3787 (OpenVAS only); 25453 (both); 9579 (Nessus only)
- 2673 OpenVAS plugins; 6639 Nessus plugins; 38207 OpenVAS plugins and 50896 Nessus plugins
- All NASL plugins: OpenVAS 49747, Nessus 81349

Slide 12: Why?
- "Old" vulnerabilities
- Vendor forgot to add links to the CVE id
- Vulnerabilities in plugins (WordPress VideoWhisper)
- Don't support "local" software (openMairie)
- Stopped adding new vulnerabilities (vBulletin)

Slide 13: Examples: OpenVAS detects, Nessus does not
- D-Link DIR-100 Router Multiple Vulnerabilities
- Cisco Firepower Management Center Privilege Escalation Vulnerability
- vBulletin 3.6.x to 4.2.2/4.2.3 Forumrunner 'request.php' SQL Injection
- WordPress VideoWhisper Live Streaming Integration Multiple Vulnerabilities

Slide 14: Examples: Nessus detects, OpenVAS does not
- Solaris vulnerabilities since 2010
- Apple QuickTime MOV File Parsing Memory Corruption Vulnerability

Slide 15: In other words
- A vulnerability scanner is a necessity
- Don't depend too much on them
- If a scanner does not detect some vulnerability, it's YOUR problem, not your VM vendor's
- Choose solutions you can control and vendors you can trust
- Have alternative sources of vulnerability data

Slide 16: Vulnerability Intelligence and PCI DSS

Slide 17: Vulnerability Data Sources
- Born in the 90s
- Every product has its own source of vulnerability data
- Most of the information is not usable by automatic vulnerability scanners
- MITRE, NVD, SCAP, OVAL and others failed to standardize it
- Everyone is working on their own
- "Search"? Forget about it. Use Google instead.

Slide 18: vulners.com: Information security "Google"
- Vulnerability source data aggregator
- Created by security specialists for security specialists
- Incredibly fast search engine
- Normalized, machine-readable content
- Audit features out of the box
- API-driven development
- Absolutely free

Slide 19: Content (58 sources)
- #Bug Bounty: Hacker One, openbugbounty.org, Vulnerability Lab, XSSed
- #Bulletins Network Vendor: Cisco, F5 Networks, Huawei, OpenWrt, Palo Alto Networks
- #Bulletins Software: Apache Httpd, Drupal, Mozilla, Nginx, OpenSSL, Opera, ownCloud, PostgreSQL, Samba, TYPO3, WPScan Database, Xen Project
- #Bulletins Virtualization Vendor: VMware
- #Bulletins BSD: FreeBSD
- #Bulletins Hardware: Lenovo
- #Bulletins Linux: Amazon Linux AMI, Arch Linux, CentOS Linux, Debian Linux, Gentoo Linux, Oracle Linux, RedHat Linux, Slackware Linux, SUSE Linux, Ubuntu Linux
- #Detection Vendor: NMAP, OpenVAS, Tenable Nessus, W3AF
- #Exploit Base: 0day.today, DSquare Exploit Pack, Exploit-DB, Immunity Canvas, Malware exploit database, Metasploit, SAINTexploit
- #Media: rdot.org, ThreatPost
- #Possible 0day: Hackapp, InfoWatch APPERCUT
- #Vulnerability Base: CERT, ERPScan, ICS, Microsoft Vulnerability Research, NVD CVE, Positive Technologies, seebug.org, Symantec, Zero Day Initiative

Slide 20: Stats

Slide 21: Under the hood

Slide 22: Search
- Google-style search string
- Dorks, advanced queries and many more
- UX-driven
- Human-oriented
- References and data linkage
- Extremely fast

Slide 23: Search results

Slide 24: Object

Slide 25: Search requests
- Any complex query: title:httpd type:centos order:published last year
- Sortable by any field of the model (type, CVSS, dates, etc.)
- Apache Lucene syntax (AND, OR and so on)
- Exploit search by sources and CVEs: cvelist:CVE-2014-0160 type:exploitdb sourceData:.bash_profile sourceData:"magic bytes"

Slide 26: Search requests
- CentOS bulletins with remotely exploitable vulnerabilities:
  (type:centos AND (title:"Critical" OR title:"Important") AND cvss.vector:"AV:NETWORK") order:published
- Important CVE vulnerabilities in Microsoft software:
  (type:cve AND cvss.score:[6 TO 10] AND description:"Microsoft") order:published

Slide 27: Search requests
- Nessus plugins for remotely exploitable vulnerabilities, excluding Windows:
  type:nessus AND cvss.score:[6 TO 10] AND cvss.vector:"AV:NETWORK" AND (NOT naslFamily:"Local" AND NOT naslFamily:"Windows : Microsoft Bulletins" AND NOT naslFamily:"Windows") order:published
- OpenSSL and OpenSSH vulnerabilities:
  (type:openssl OR ( type:cve AND cpe:*openssh* ) ) order:published

Slide 28: Parameters
https://vulners.com/api/v3/search/id/?id=CISCO-SA-20161005-OTV-NXOS.NASL

Slide 29: Search API
- GET/POST REST API with JSON output
- Search: https://vulners.com/api/v3/search/lucene/?query=type:centos%20cvss.score:[8%20TO%2010]%20order:published
- Information: https://vulners.com/api/v3/search/id?id=CESA-2016:1237&references=true
- Export: https://vulners.com/api/v3/archive/collection?type=exploitdb
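An added example, not Vulners' own code: it composes the AND-chained Lucene queries from slides 26 and 27 and percent-encodes them into the search, information and RSS URLs shown on slides 29 and 30. Function names are mine; the only assumption is that the search endpoint's JSON body can be decoded with json.load.

```python
"""Build Vulners Lucene queries and API URLs (added example; function names are mine)."""
import json
from urllib.parse import quote
from urllib.request import urlopen

SEARCH_API = "https://vulners.com/api/v3/search/lucene/"   # slide 29
INFO_API = "https://vulners.com/api/v3/search/id"          # slide 29
RSS_FEED = "https://vulners.com/rss.xml"                   # slide 30


def lucene_query(doc_type, min_cvss=None, max_cvss=10, remote_only=False,
                 exclude_families=(), order="published"):
    """Compose the query pattern of slides 26/27: a type filter, an optional
    cvss.score range, an optional AV:NETWORK vector filter, optional
    NOT naslFamily exclusions, then an order:<field> suffix."""
    clauses = [f"type:{doc_type}"]
    if min_cvss is not None:
        clauses.append(f"cvss.score:[{min_cvss} TO {max_cvss}]")
    if remote_only:
        clauses.append('cvss.vector:"AV:NETWORK"')
    if exclude_families:
        nots = " AND ".join(f'NOT naslFamily:"{fam}"' for fam in exclude_families)
        clauses.append(f"({nots})")
    return " AND ".join(clauses) + f" order:{order}"


def _encode(query):
    # Slide 29 encodes spaces as %20 but keeps ':' '[' ']' literal.
    return quote(query, safe=":[]")


def search_url(query):
    return f"{SEARCH_API}?query={_encode(query)}"


def info_url(doc_id, references=False):
    url = f"{INFO_API}?id={_encode(doc_id)}"
    return url + "&references=true" if references else url


def rss_url(query):
    return f"{RSS_FEED}?query={_encode(query)}"


def run_search(query, timeout=30):
    """GET the search endpoint and decode its JSON body (network call)."""
    with urlopen(search_url(query), timeout=timeout) as resp:
        return json.load(resp)
```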
Slide 30: RSS
- Fully customizable news feed in RSS format
- Powered by an Apache Lucene query: https://vulners.com/rss.xml?query=type:debian
- No cache, it is built right when you ask for it
- Atom, Webfeeds, mrss compatible

Slide 31: Telegram Bot
- Up to 3 subscriptions
- In-app search
- Broadcast for emergency news
https://telegram.me/vulnersBot

Slide 32: Email Subscriptions
- Up to 5 subscriptions
- Awareness service
- Absolutely customizable
https://vulners.com/#subscriptions

Slide 33: Email Subscriptions

Slide 34: Linux Audit GUI
- Linux OS vulnerability scan
- Immediate results
- Dramatically simple
https://vulners.com/#audit

Slide 35: Linux Audit GUI
- RedHat
- CentOS
- Fedora
- Oracle Linux
- Ubuntu
- Debian

Slide 36: Linux Audit GUI
Slide 37: Linux Audit API

curl -H "Accept: application/json" -H "Content-Type: application/json" -X POST \
  -d '{"os":"centos","package":["pcre-8.32-15.el7.x86_64","samba-common-4.2.3-11.el7_2.noarch","gnu-free-fonts-common-20120503-8.el7.noarch","libreport-centos-2.1.11-32.el7.centos.x86_64","libacl-2.2.51-12.el7.x86_64"],"version":"7"}' \
  https://vulners.com/api/v3/audit/audit/
Slide 38: Linux Audit API
- JSON result:
  - Vulnerabilities list
  - Reason for the decision
  - References list (exploits, and so on)
- Ready to go for the Red Hat and Debian families
- Typical call time for a 500+ package list: 160 ms
- It's fast. Really fast.
Slide 39: Linux Audit API

{
  "result": "OK",
  "data": {
    "reasons": [
      {
        "providedPackage": "sos-3.2-35.el7.centos.noarch",
        "operator": "lt",
        "bulletinID": "CESA-2016:0188",
        "providedVersion": "0:3.2-35.el7.centos",
        "bulletinPackage": "sos-3.2-35.el7.centos.3.noarch.rpm",
        "bulletinVersion": "3.2-35.el7.centos.3",
        "package": "sos-3.2-35.el7.centos.noarch"
      },
      ...
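An added example, not code from Vulners or the vulners-scanner project: it builds the slide 37 request body from `rpm -qa` output, POSTs it with the same headers as the curl call, and reduces the `reasons` array of slide 39 to a per-package list of bulletin IDs, refusing to treat a non-OK result as "no findings". The embedded sample response is constructed: the sos entry is copied from slide 39, the krb5 entry reuses the package and bulletin from slide 40 with placeholder version fields.

```python
"""Client for the Vulners Linux audit API (added example; function names are mine)."""
import json
from collections import defaultdict
from urllib.request import Request, urlopen

AUDIT_API = "https://vulners.com/api/v3/audit/audit/"   # slide 37


def audit_request_body(os_name, os_version, rpm_qa_output):
    """Turn `rpm -qa` lines into the {"os","package","version"} body of slide 37."""
    packages = [ln.strip() for ln in rpm_qa_output.splitlines() if ln.strip()]
    return {"os": os_name, "package": packages, "version": str(os_version)}


def run_audit(body, timeout=60):
    """POST the body with the headers used by the slide's curl call (network call)."""
    req = Request(AUDIT_API, data=json.dumps(body).encode("utf-8"),
                  headers={"Accept": "application/json",
                           "Content-Type": "application/json"})
    with urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def vulnerable_packages(response):
    """Map each installed package to the sorted bulletin IDs that flagged it.
    A non-OK result raises, so an API error is never read as 'no findings'."""
    if response.get("result") != "OK":
        raise RuntimeError(f"audit failed: {response!r}")
    found = defaultdict(set)
    for reason in response["data"]["reasons"]:
        # operator "lt": the provided version is below the bulletin's fixed version
        found[reason["providedPackage"]].add(reason["bulletinID"])
    return {pkg: sorted(ids) for pkg, ids in found.items()}


# Constructed sample: sos entry from slide 39; krb5 entry reuses the package and
# bulletin of slide 40, its version fields are placeholders.
SAMPLE_RESPONSE = {
    "result": "OK",
    "data": {"reasons": [
        {"providedPackage": "sos-3.2-35.el7.centos.noarch", "operator": "lt",
         "bulletinID": "CESA-2016:0188", "providedVersion": "0:3.2-35.el7.centos",
         "bulletinPackage": "sos-3.2-35.el7.centos.3.noarch.rpm",
         "bulletinVersion": "3.2-35.el7.centos.3",
         "package": "sos-3.2-35.el7.centos.noarch"},
        {"providedPackage": "krb5-libs-1.13.2-10.el7.x86_64", "operator": "lt",
         "bulletinID": "CESA-2016:0532", "providedVersion": "PLACEHOLDER",
         "bulletinVersion": "PLACEHOLDER", "package": "krb5-libs-1.13.2-10.el7.x86_64"},
    ]},
}
```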
Slide 40: Agent-Based Scanner

$ git clone https://github.com/videns/vulners-scanner
$ cd vulners-scanner
$ ./linuxScanner.py
(vulners ASCII-art banner)
==========================================
Host info - Host machine
OS Name - centos, OS Version - 7
Total found packages: 1026
Vulnerable packages:
krb5-libs-1.13.2-10.el7.x86_64
    CESA-2016:0532 - 'Moderate krb5 Security Update', cvss.score - 6.8
openssh-server-6.6.1p1-23.el7_2.x86_64
    CESA-2016:0465 - 'Moderate openssh Security Update', cvss.score - 7.7
libtdb-1.3.6-2.el7.x86_64
    CESA-2016:0612 - 'Critical ipa Security Update', cvss.score - 0.0
kernel-tools-3.10.0-327.4.5.el7.x86_64
    CESA-2016:1033 - 'Important kernel Security Update', cvss.score - 0.0
    CESA-2016:1633 - 'Important kernel Security Update', cvss.score - 4.3
    CESA-2016:0185 - 'Important kernel Security Update', cvss.score - 7.2
    CESA-2016:1539 - 'Important kernel Security Update', cvss.score - 7.2
    CESA-2016:1277 - 'Important kernel Security Update', cvss.score - 7.2
openssl-libs-1.0.1e-51.el7_2.2.x86_64
...

- Available at GitHub
- Example of integration
- Free to fork
Slide 41: It's absolutely free!
- DB and API are free for commercial and enterprise use
- Make your own solutions using our powers:
  - Security scanners
  - Threat intelligence
  - Subscriptions
  - Security automation
- Just please, post references if you can ;-)

Slide 42: Integration Example

Slide 43: Thanks
- aleonov@vulners.com
- Scanner: https://github.com/videns/vulners-scanner/
- Vulners Blog: https://blog.vulners.com/
- My Blog: http://avleonov.com/tag/vulners-com/
