XML Interfaces to the Popular Nessus Scanner
Rajesh Deo
Network Intelligence India Pvt. Ltd.
29/03/2012
NULL Mumbai Chapter

The Venerable Nessus Scanner
• A comprehensive vulnerability scanner
• Can perform network tests, system audits, patch management, compliance tests such as PCI DSS, SCADA vulnerability audits, and so on…
• Proprietary - Tenable Network Security
• Started by Renaud Deraison in 1998 to provide the Internet community with a free remote security scanner similar to SATAN and NetSaint.
• Nessus 5.0 was released on Feb 15th, 2012.
  • http://www.nessus.org/products/nessus

Open-source Tools
• Perl/Net::Nessus::XMLRPC
  • Vlatko Košturjak
  • http://search.cpan.org/~kost/Net-Nessus-XMLRPC-0.30/lib/Net/Nessus/XMLRPC.pm
  • Perl 5 License (Artistic 1 & GPL 1)
  • https://github.com/kost/nessus-xmlrpc-perl
  • Also develops similar library for Rapid 7’s NeXpose
• Ruby/nessus-xmlrpc
  • http://nessus-xmlrpc.rubyforge.org/
  • GPL/BSD, by author of Net::Nessus::XMLRPC
• Python/nessus-xmlrpc
  • http://code.google.com/p/nessusxmlrpc/
  • Apache License 2.0
  • Kurtis Miller

Why do we need these tools?
• Automation
• Automation
• Automation
• Custom reporting
• Custom reporting
• Custom reporting
  • XML/XSL
  • XPATH/XQUERY
• CLI
• http://seclists.org/metasploit/2010/q3/378
  • Bridges to awesome software
  • By Zate Berg

Why are we using Python/nessus-xmlrpc?
• I know Python a little bit
  • Matplotlib for charting/graphs
  • Numpy/SciPy or Interface to R for numerical computations and statistics.
• Not as well developed as Perl/Ruby modules but pretty close
  • Last upload in Dec. 2010
  • There is scope to contribute...
  • ..and perhaps integrate with different tools

Automation: XML-RPC API in Ruby
• Write custom scripts, simple one-off tools
• Monitor long-running scans
• Get reports in XML for parsing and custom reporting.
• Large similarity between Perl and Ruby APIs.

CLI for shell lovers
• Automate with your favorite shell: Bash, Tcsh, Zsh
• Grep, sed and awk
• With an XML-RPC interface you can tunnel your scan requests over SSH/HTTPS to your central Nessus server with the Professional Feed, directly from within Python/Perl/Ruby.
  • Great for doing external penetration tests.

Multiple Targets?
• Home Feed limits you to only 15 targets at a time, good enough for development.
• The XML-RPC interface is the same between Professional Feed and Home Feed. Multiple targets are separated by “,” or “\n”

Automation with Python Email and xsltproc
• Possibilities
  • Have report emailed to management desktop
  • Write custom xsl reports, process with xsltproc on Linux.
  • Import into CMS solutions

The XML-RPC Interface for Nessus
• Partially documented
  • http://www.tenable.com/documentation/nessus_XMLRPC_protocol_guide.pdf
• An unofficial test.html from Renaud Deraison is here
  • http://nessus-xmlrpc.rubyforge.org/test.html
• An update to XML docs will be available in a week, last post 2 days ago.
  • https://discussions.nessus.org/message/14693;jsessionid=E2130C8DA7ACFC58DC1850D9EFE828FE
• http://blog.upbeat.fr/tagged/Nessus?
  • Unofficial documentation on .nessus v2 XML report format
  • Automation using wget
  • But please use ruby/perl/python interfaces, far cleaner and you can add custom features.

Nessus v2 XML report format
• Microsoft Excel is your friend
[Screenshot of a report with callouts: Vulnerability, References, Host Inventory, “Is there a Metasploit module for this?”]

Custom Reports: MS Patches
• With Python, use lxml; output to CSV, XLS, SQL, HTML or XML again!
• Python constructs make it easy to write clean code.
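
A sketch of the MS-patch report described on the two slides above (report format and custom reports), added here as an example and not taken from the talk. It uses the standard-library ElementTree in place of lxml so it runs without extra packages; the report data, plugin IDs and function names are constructed for illustration. Because host-supplied fields such as the NetBIOS name end up in a spreadsheet, cells that start with a formula character are neutralised before the CSV is written.

```python
import csv
import io
import xml.etree.ElementTree as ET  # stdlib; lxml.etree offers the same calls

FIELDS = ["host", "netbios", "bulletin", "severity", "port", "metasploit"]
# Constructed sample in the .nessus v2 layout; hosts and plugin IDs are made up.
SAMPLE = """<NessusClientData_v2><Report name="demo">
<ReportHost name="192.0.2.10"><HostProperties>
<tag name="netbios-name">=FILESRV01</tag></HostProperties>
<ReportItem port="445" severity="3" pluginID="10001" pluginName="Constructed check A">
<msft>MS08-067</msft><exploit_framework_metasploit>true</exploit_framework_metasploit>
</ReportItem>
<ReportItem port="0" severity="0" pluginID="10002" pluginName="Constructed info item"/>
</ReportHost>
<ReportHost name="192.0.2.11"><HostProperties/>
<ReportItem port="445" severity="2" pluginID="10003" pluginName="Constructed check B">
<msft>MS10-012</msft></ReportItem>
</ReportHost></Report></NessusClientData_v2>"""

def safe_cell(value):
    """Prefix cells that a spreadsheet would evaluate as a formula."""
    return "'" + value if value[:1] in ("=", "+", "-", "@") else value

def missing_patches(nessus_xml):
    """Return one row per (host, MS bulletin), highest severity first."""
    rows = []
    for host in ET.fromstring(nessus_xml).iter("ReportHost"):
        props = {t.get("name"): t.text or "" for t in host.iter("tag")}
        for item in host.iter("ReportItem"):
            for msft in item.findall("msft"):  # items without a bulletin are skipped
                rows.append({
                    "host": host.get("name"),
                    "netbios": props.get("netbios-name", ""),
                    "bulletin": msft.text,
                    "severity": int(item.get("severity")),
                    "port": item.get("port"),
                    "metasploit": item.findtext("exploit_framework_metasploit") == "true",
                })
    return sorted(rows, key=lambda r: (-r["severity"], r["host"]))

def to_csv(rows):
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: safe_cell(str(row[k])) for k in FIELDS})
    return out.getvalue()

if __name__ == "__main__":
    print(to_csv(missing_patches(SAMPLE)), end="")
```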

Improve the tools
• Goals: Integration
  • Custom reports
  • Python/XML foo OK.
  • We are doing one-off scripts right now.
• Reporting/Tracking should not be painful
  • Web-based reports best
  • Export to PDF
  • Summarize and drill down interactive capability
  • Need awesome reporting and charting capability
    • Ruby/Ruport
    • J-Query/Ext JS/Node.js
    • Java/Processing

Questions?
Please send us your ideas/comments/questions at firstname.lastname@example.org

Acknowledgements:
• Tuhin Goswami
• Our esteemed client where we implemented some of the tools presented.
• Wasim Halani and K. K. Mookhey for guidance.