Re: Fully Automating Security Scanners

[Anatoly Bodner <abodner () gmail com>]

John,

This is fantastic information. I cannot thank you enough for the time you
took to share this knowledge with me and the community!

Anatoly
On Jun 11, 2011 5:12 PM, "Jonathan Cran" <jcran () 0x0e org> wrote:
> On 06/11/2011 02:10 PM, Jim Halfpenny wrote:
> > Has anyone ever looked into scripting/automating community or commercial
> > > security scanners? Are there utilities which anyone found helpful to
support
> > > this? How effective and what aspects of automation have you been able
to
> > > achieve, auto execution of regularly-scheduled scans, or creation and
> > > modification of new scans, targets, and outputs of reports?
> > > Anatoly
> You'll want to take a look at the nexpose, nessus, and openvas API
> wrappers in the Metasploit Framework. You'll find them directly under
> the lib directory. Props to their creators, (hdm/jabra, zate, and Vlatko
> Kosturjak respectively) i'm only conveying the usage info.
>
> There's a number of ways you can integrate this code into your own
> workflow:
>
> 1) Directly use the libraries in your own ruby scripts -
>
> For the nexpose library, specifically take a look at the
> cmd_nexpose_scan function, this should give you 80% of what you need to
> start running scans via ruby.
>
> The nessus lib has some nice usage examples directly in the library:
>
> require 'nessus-xmlrpc'
> n=NessusXMLRPC::NessusXMLRPC.new('https://localhost:8834','user','pass&apos;);
> if n.logged_in
> id,name = n.policy_get_first
> puts "using policy ID: " + id + " with name: " + name
> uid=n.scan_new(id,"textxmlrpc","127.0.0.1")
> puts "status: " + n.scan_status(uid)
> while not n.scan_finished(uid)
> sleep 10
> end
> content=n.report_file_download(uid)
> File.open('report.xml', 'w') {|f| f.write(content) }
> end
>
>
> Take a look at the plugins/ directory for more examples of how to use
> the libraries. If you're not familiar w/ ruby, irb is an awesome way to
> play around w/ a library while getting familiar with it. Nessus library
> has some nice usage in the library:
>
> jcran@disko$: irb -r openvas-omp.rb
> irb> vas = OpenVASOMP.new(user=>'openvas',password=>'[password]')
> ## connect to localhost:9390
> irb> vas.version_get ## return the OpenVAS version
> irb>
>
>
> fwiw, the openVAS api seems somewhat unnecessarily complicated to me
>
>
> 2) Use framework RC scripts to drive the code (which in turn, drives the
> vulnscanner API)
>
> This is a quick way to hammer out a couple working scripts you can stick
> in a cronjob, but it also gives you the least control. Depends on what
> you're looking for. Here's an example of an RC file that connects to
> nexpose & runs a scan:
>
> # Connect to a postgres db so we can save / auto-import results
> db_connect msf3:[password]@localhost:5432/msf3
> # Load the Nexpose Plugin
> load nexpose
> # Connect to the host
> nexpose_connect nxadmin:[password]@sob ok
> # Run a scan w/ default settings
> nexpose_scan 10.0.0.0/24
> # say bye bye!
> exit -y
>
> you could then create a .sh which calls the rc:
> #!/bin/bash
> /path/to/framework/msfconsole -r nexpose_scan.rc
>
>
> 3) Use the command line client (nessus-only)
>
> The nessus plugin / library also includes cli interface (hell yeah)
> which is pretty sexy if you're looking to quick way to automate stuff --
> and there's some great examples of usage in the README:
>
> ./nessus-cli.rb --user user --password pass --scan localhost-scan --wait
> 5 -D --output report-localhost.xml --target 127.0.0.1 --verbose --policy
> mypolicy --url https://localhost:8834
>
>
> Hope it helps!
>
>
> jcran
>
> --
> Jonathan Cran
> jcran () 0x0e org
> 515.890.0070
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com