PaulDotCom mailing list archives

Re: Fully Automating Security Scanners


From: Jonathan Cran <jcran () 0x0e org>
Date: Sat, 11 Jun 2011 15:38:06 -0500

On 06/11/2011 02:10 PM, Jim Halfpenny wrote:
Has anyone ever looked into scripting/automating community or commercial
security scanners? Are there utilities which anyone found helpful to support
this? How effective has it been, and what aspects of automation have you been
able to achieve: auto execution of regularly-scheduled scans, or creation and
modification of new scans, targets, and outputs of reports?
Anatoly
You'll want to take a look at the Nexpose, Nessus, and OpenVAS API
wrappers in the Metasploit Framework. You'll find them directly under
the lib directory. Props to their creators (hdm/jabra, zate, and Vlatko
Kosturjak respectively); I'm only conveying the usage info.

There are a number of ways you can integrate this code into your own
workflow:

1) Directly use the libraries in your own Ruby scripts

For the Nexpose library, specifically take a look at the
cmd_nexpose_scan function; this should give you 80% of what you need to
start running scans via Ruby.

The Nessus lib has some nice usage examples directly in the library:

    require 'nessus-xmlrpc'
    # log in to the Nessus XML-RPC interface
    n = NessusXMLRPC::NessusXMLRPC.new('https://localhost:8834', 'user', 'pass')
    if n.logged_in
      # grab the first policy on the server and start a scan against localhost with it
      id, name = n.policy_get_first
      puts "using policy ID: " + id + " with name: " + name
      uid = n.scan_new(id, "textxmlrpc", "127.0.0.1")
      puts "status: " + n.scan_status(uid)
      # poll until the scan completes, then pull the report down to disk
      while not n.scan_finished(uid)
        sleep 10
      end
      content = n.report_file_download(uid)
      File.open('report.xml', 'w') { |f| f.write(content) }
    end


Take a look at the plugins/ directory for more examples of how to use
the libraries. If you're not familiar w/ Ruby, irb is an awesome way to
play around w/ a library while getting familiar with it. The Nessus library
has some nice usage examples in the library:

    jcran@disko$: irb -r ./openvas-omp.rb
    irb>  vas = OpenVASOMP::OpenVASOMP.new("user" => 'openvas', "password" => '[password]')
    ## connect to localhost:9390
    irb>  vas.version_get ## return the OpenVAS version
    irb>


FWIW, the OpenVAS API seems somewhat unnecessarily complicated to me.


2) Use framework RC scripts to drive the code (which in turn drives the
vulnscanner API)

This is a quick way to hammer out a couple of working scripts you can stick
in a cronjob, but it also gives you the least control. Depends on what
you're looking for. Here's an example of an RC file that connects to
Nexpose & runs a scan:

    # Connect to a postgres db so we can save / auto-import results
    db_connect msf3:[password]@localhost:5432/msf3
    # Load the Nexpose plugin
    load nexpose
    # Connect to the host ("ok" accepts the server's SSL certificate)
    nexpose_connect nxadmin:[password]@sob ok
    # Run a scan w/ default settings
    nexpose_scan 10.0.0.0/24
    # say bye bye!
    exit -y

You could then create a .sh which calls the RC:

    #!/bin/bash
    /path/to/framework/msfconsole -r nexpose_scan.rc


3) Use the command line client (Nessus only)

The Nessus plugin / library also includes a CLI interface (hell yeah)
which is pretty sexy if you're looking for a quick way to automate stuff --
and there are some great examples of usage in the README:

    ./nessus-cli.rb --user user --password pass --scan localhost-scan \
        --wait 5 -D --output report-localhost.xml --target 127.0.0.1 \
        --verbose --policy mypolicy --url https://localhost:8834


Hope it helps!


jcran

-- 
Jonathan Cran
jcran () 0x0e org
515.890.0070
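Added example, not from the original post or from the Metasploit libraries it discusses: once the polling loop in option 1 has written report.xml, a cron job still needs a pass/fail decision and a short summary rather than the raw XML. This parses the Nessus v2 (.nessus) report layout with Ruby's stdlib REXML and flags hosts carrying findings at or above a severity threshold; the embedded report, its plugin IDs and its CVE are constructed placeholders.

```ruby
require 'rexml/document' # stdlib XML parser, no extra gem needed
SEVERITY = { 0 => 'info', 1 => 'low', 2 => 'medium', 3 => 'high', 4 => 'critical' }.freeze

# Constructed sample in the Nessus v2 layout; plugin IDs and the CVE are placeholders.
SAMPLE_REPORT = <<~XML
  <NessusClientData_v2>
    <Report name="textxmlrpc">
      <ReportHost name="127.0.0.1">
        <ReportItem port="22" protocol="tcp" severity="0" pluginID="10001" pluginName="Service banner (sample)"/>
        <ReportItem port="80" protocol="tcp" severity="3" pluginID="10002" pluginName="Outdated web server (sample)">
          <cve>CVE-0000-0000</cve>
        </ReportItem>
      </ReportHost>
      <ReportHost name="10.0.0.5">
        <ReportItem port="0" protocol="tcp" severity="1" pluginID="10003" pluginName="Low finding (sample)"/>
      </ReportHost>
    </Report>
  </NessusClientData_v2>
XML

# Walk every ReportHost/ReportItem: tally per-host counts by severity name and
# keep the details of anything at or above min_severity (Nessus scale 0..4).
def summarize_nessus_report(xml, min_severity: 2)
  doc = REXML::Document.new(xml)
  summary = {}
  doc.elements.each('NessusClientData_v2/Report/ReportHost') do |host|
    entry = { counts: Hash.new(0), findings: [] }
    host.elements.each('ReportItem') do |item|
      sev = item.attributes['severity'].to_i
      entry[:counts][SEVERITY.fetch(sev, 'unknown')] += 1
      next if sev < min_severity
      entry[:findings] << {
        plugin_id: item.attributes['pluginID'],
        name:      item.attributes['pluginName'],
        port:      "#{item.attributes['port']}/#{item.attributes['protocol']}",
        cves:      item.elements.to_a('cve').map(&:text)
      }
    end
    summary[host.attributes['name']] = entry
  end
  summary
end

# True when no host carries a finding at or above the threshold used to build the summary.
def scan_passed?(summary)
  summary.values.all? { |entry| entry[:findings].empty? }
end

summary = summarize_nessus_report(ARGV[0] ? File.read(ARGV[0]) : SAMPLE_REPORT)
puts(scan_passed?(summary) ? 'PASS' : "FAIL: #{summary.inspect}")
```

Run it as `ruby report_check.rb report.xml` after the scan step in the cron job; with no argument it runs against the embedded sample.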
