PaulDotCom mailing list archives
Re: Fully Automating Security Scanners
From: Jonathan Cran <jcran () 0x0e org>
Date: Sat, 11 Jun 2011 15:38:06 -0500
On 06/11/2011 02:10 PM, Jim Halfpenny wrote:
Has anyone ever looked into scripting/automating community or commercial security scanners? Are there utilities which anyone found helpful to support this? How effective and what aspects of automation have you been able to achieve, auto execution of regularly-scheduled scans, or creation and modification of new scans, targets, and outputs of reports?

Anatoly

You'll want to take a look at the nexpose, nessus, and openvas API wrappers in the Metasploit Framework. You'll find them directly under the lib directory. Props to their creators (hdm/jabra, zate, and Vlatko Kosturjak respectively); I'm only conveying the usage info.

There are a number of ways you can integrate this code into your own workflow:

1) Directly use the libraries in your own ruby scripts

For the nexpose library, specifically take a look at the cmd_nexpose_scan function; this should give you 80% of what you need to start running scans via ruby.

The nessus lib has some nice usage examples directly in the library:

    require 'nessus-xmlrpc'
    n=NessusXMLRPC::NessusXMLRPC.new('https://localhost:8834','user','pass');
    if n.logged_in
      # pick the first policy defined on the server
      id,name = n.policy_get_first
      puts "using policy ID: " + id + " with name: " + name
      # start the scan and poll until it finishes
      uid=n.scan_new(id,"textxmlrpc","127.0.0.1")
      puts "status: " + n.scan_status(uid)
      while not n.scan_finished(uid)
        sleep 10
      end
      # save the report to disk
      content=n.report_file_download(uid)
      File.open('report.xml', 'w') {|f| f.write(content) }
    end

Take a look at the plugins/ directory for more examples of how to use the libraries. If you're not familiar w/ ruby, irb is an awesome way to play around w/ a library while getting familiar with it.

Nessus library has some nice usage in the library:

    jcran@disko$: irb -r openvas-omp.rb
    irb> vas = OpenVASOMP.new("user"=>'openvas',"password"=>'[password]') ## connect to localhost:9390
    irb> vas.version_get ## return the OpenVAS version
    irb>

fwiw, the openVAS api seems somewhat unnecessarily complicated to me

2) Use framework RC scripts to drive the code (which in turn, drives the vulnscanner API)

This is a quick way to hammer out a couple working scripts you can stick in a cronjob, but it also gives you the least control. Depends on what you're looking for.

Here's an example of an RC file that connects to nexpose & runs a scan:

    # Connect to a postgres db so we can save / auto-import results
    db_connect msf3:[password]@localhost:5432/msf3
    # Load the Nexpose Plugin
    load nexpose
    # Connect to the host
    nexpose_connect nxadmin:[password]@sob ok
    # Run a scan w/ default settings
    nexpose_scan 10.0.0.0/24
    # say bye bye!
    exit -y

You could then create a .sh which calls the rc:

    #!/bin/bash
    /path/to/framework/msfconsole -r nexpose_scan.rc

3) Use the command line client (nessus-only)

The nessus plugin / library also includes a cli interface (hell yeah) which is pretty sexy if you're looking for a quick way to automate stuff -- and there are some great examples of usage in the README:

    ./nessus-cli.rb --user user --password pass --scan localhost-scan --wait 5 -D --output report-localhost.xml --target 127.0.0.1 --verbose --policy mypolicy --url https://localhost:8834

Hope it helps!

jcran

--
Jonathan Cran
jcran () 0x0e org
515.890.0070
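
Option 2 in the message above drives the scan from an RC file run by cron. As an added example (not part of the original post and not Metasploit code), this Ruby script generates that RC file only for targets inside an authorized range, reads the passwords from the environment, and writes the file with mode 0600. AUTHORIZED_RANGES, the MSF_DB_PASS / NEXPOSE_PASS variable names and the function names are assumptions.

```ruby
require 'ipaddr'

# Assumption: the ranges this cron job may scan (constructed sample values).
AUTHORIZED_RANGES = %w[10.0.0.0/24 192.168.50.0/24].map { |c| IPAddr.new(c) }
TARGET_FORMAT = %r{\A\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?\z}

# True only when the whole target network lies inside one authorized range.
# The strict format check also keeps newlines (extra RC commands) out.
def in_scope?(target)
  return false unless TARGET_FORMAT.match?(target.to_s)
  range = IPAddr.new(target).to_range
  AUTHORIZED_RANGES.any? { |ok| ok.include?(range.first) && ok.include?(range.last) }
rescue IPAddr::Error
  false
end

# Fetch a secret from env (hypothetical variable names) and refuse whitespace,
# which would split the RC line or start a new command.
def secret(env, key)
  value = env.fetch(key)
  raise ArgumentError, "#{key} contains whitespace" if value =~ /\s/
  value
end

# Build the RC text using the same commands as the RC file in the post.
def build_rc(target, env = ENV)
  raise ArgumentError, "target out of scope: #{target.inspect}" unless in_scope?(target)
  <<~RC
    db_connect msf3:#{secret(env, 'MSF_DB_PASS')}@localhost:5432/msf3
    load nexpose
    nexpose_connect nxadmin:#{secret(env, 'NEXPOSE_PASS')}@sob ok
    nexpose_scan #{target}
    exit -y
  RC
end

# Write the RC file readable by its owner only, since it holds credentials.
def write_rc(path, target, env = ENV)
  rc = build_rc(target, env)
  File.open(path, File::WRONLY | File::CREAT | File::TRUNC, 0o600) { |f| f.write(rc) }
  File.chmod(0o600, path) # a pre-existing file would otherwise keep its old mode
  path
end

# Usage: ruby make_rc.rb nexpose_scan.rc 10.0.0.0/24
puts write_rc(ARGV[0], ARGV[1]) if __FILE__ == $PROGRAM_NAME && ARGV.size == 2
```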