XML Interfaces to the Popular Nessus Scanner
DESCRIPTION
The modern Nessus scanner comes with an XML-RPC interface to control the built-in scanner engine. We review available command-line tools and programming libraries to automate scanning of large networks. We will demonstrate some tools we have developed for this purpose.
TRANSCRIPT
XML Interfaces to the Popular Nessus Scanner
Rajesh Deo
Network Intelligence India Pvt. Ltd.
29/03/2012
NULL Mumbai Chapter
The Venerable Nessus Scanner
• A comprehensive vulnerability scanner
• Can perform network tests, system audits, patch management, compliance tests such as PCI DSS, SCADA vulnerability audits, and so on…
• Proprietary - Tenable Network Security
• Started by Renaud Deraison in 1998 to provide the Internet community with a free remote security scanner similar to SATAN and NetSaint.
• Nessus 5.0 was released on Feb 15th, 2012.
• http://www.nessus.org/products/nessus
Open-source Tools
• Perl/Net::Nessus::XMLRPC
• Vlatko Košturjak
• http://search.cpan.org/~kost/Net-Nessus-XMLRPC-0.30/lib/Net/Nessus/XMLRPC.pm
• Perl 5 License (Artistic 1 & GPL 1)
• https://github.com/kost/nessus-xmlrpc-perl
• Also develops a similar library for Rapid 7’s NeXpose
• Ruby/nessus-xmlrpc
• http://nessus-xmlrpc.rubyforge.org/
• GPL/BSD, by author of Net::Nessus::XMLRPC
• Python/nessus-xmlrpc
• http://code.google.com/p/nessusxmlrpc/
• Apache License 2.0
• Kurtis Miller
Why do we need these tools?
• Automation
• Automation
• Automation
• Custom reporting
• Custom reporting
• Custom reporting
• XML/XSL
• XPATH/XQUERY
• CLI
• http://seclists.org/metasploit/2010/q3/378
• Bridges to awesome software
• By Zate Burg
Why are we using Python/nessus-xmlrpc?
• I know Python a little bit
• Matplotlib for charting/graphs
• Numpy/SciPy or Interface to R for numerical computations and statistics.
• Not as well developed as Perl/Ruby modules but pretty close
• Last upload in Dec. 2010
• There is scope to contribute...
• ..and perhaps integrate with different tools
Automation: XML-RPC API in Ruby
• Write custom scripts, simple one-off tools
• Monitor long-running scans
• Get reports in XML for parsing and custom reporting.
• Large similarity between Perl and Ruby APIs.
CLI for shell lovers
• Automate with your favorite shell: Bash, Tcsh, Zsh
• Grep, sed and awk
• With an XML-RPC interface you can tunnel your scan requests to your central Nessus server with professional feed over SSH/HTTPS directly from within Python/Perl/Ruby.
• Great for doing external penetration tests.
Multiple Targets?
Multiple targets separated by “,” or “\n”
• Home Feed limits you to 15 targets only at a time, good enough for development.
• XML-RPC interface same between Professional Feed and Home Feed.
Automation with Python
Email and xsltproc
• Possibilities
• Have report emailed to management desktop
• Write custom XSL reports, process with xsltproc on Linux.
• Import into CMS solutions
The XML-RPC Interface for Nessus
• Partially documented
• http://www.tenable.com/documentation/nessus_XMLRPC_protocol_guide.pdf
• An unofficial test.html from Renaud Deraison is here
• http://nessus-xmlrpc.rubyforge.org/test.html
• An update to XML docs will be available in a week, last post 2 days ago.
• https://discussions.nessus.org/message/14693;jsessionid=E2130C8DA7ACFC58DC1850D9EFE828FE
• http://blog.upbeat.fr/tagged/Nessus?
• Unofficial documentation on .nessus v2 XML report format
• Automation using wget
• But please use Ruby/Perl/Python interfaces, far cleaner and you can add custom features.
Nessus v2 XML report format
• Microsoft Excel is your friend
Host Inventory
Vulnerability References
Is there a Metasploit module for this?
Custom Reports: MS Patches
With python use lxml, output to csv, xls, sql, html or xml again!
Python constructs make it easy to write clean code.
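A custom MS-patch report of the kind this slide describes, as an added example that is not code from the talk: it reads a .nessus v2 report and writes one CSV row per host and missing Microsoft bulletin. It uses the standard library's xml.etree.ElementTree in place of lxml so it runs without extra packages; the element and attribute names (ReportHost, HostProperties/tag, ReportItem, msft) are assumed from the .nessus v2 layout, which the slides do not spell out, and the sample report is constructed.

```python
import csv
import io
import xml.etree.ElementTree as ET  # stdlib stand-in for lxml; same find/iter calls

# Constructed sample report: hosts, plugin IDs and bulletin numbers are made up.
SAMPLE = """<NessusClientData_v2><Report name="constructed-sample">
<ReportHost name="192.0.2.10">
  <HostProperties><tag name="operating-system">Microsoft Windows Server 2003</tag></HostProperties>
  <ReportItem port="445" protocol="tcp" severity="3" pluginID="900001" pluginName="Constructed patch check A">
    <msft>MS12-900</msft><msft>MS12-901</msft>
  </ReportItem>
</ReportHost>
<ReportHost name="192.0.2.11">
  <HostProperties><tag name="host-fqdn">web01.example.test</tag></HostProperties>
  <ReportItem port="80" protocol="tcp" severity="2" pluginID="900002" pluginName="Constructed patch check B">
    <msft>MS12-900</msft>
  </ReportItem>
  <ReportItem port="0" protocol="tcp" severity="0" pluginID="900003" pluginName="Constructed info item"/>
</ReportHost>
</Report></NessusClientData_v2>"""

FIELDS = ["host", "os", "port", "severity", "bulletin", "plugin"]

def missing_ms_patches(xml_text):
    """One row per (host, bulletin) for every ReportItem carrying an <msft> reference."""
    rows = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        props = {t.get("name"): (t.text or "") for t in host.findall("HostProperties/tag")}
        for item in host.findall("ReportItem"):
            for ref in item.findall("msft"):  # items without <msft> are skipped
                rows.append({
                    "host": host.get("name"),
                    "os": props.get("operating-system", "unknown"),
                    "port": "%s/%s" % (item.get("port"), item.get("protocol")),
                    "severity": int(item.get("severity", "0")),
                    "bulletin": (ref.text or "").strip(),
                    "plugin": item.get("pluginName", ""),
                })
    # Highest severity first, then by host and bulletin so successive reports diff cleanly.
    return sorted(rows, key=lambda r: (-r["severity"], r["host"], r["bulletin"]))

def to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":
    print(to_csv(missing_ms_patches(SAMPLE)), end="")
```

Report files that come from outside your own scanner should be parsed with a hardened parser such as defusedxml, since they are untrusted XML.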
Vulnerability Management/Delta Reporting
• Seccubus: http://seccubus.com/
• Seccubus automates regular vulnerability scans with Nessus and OpenVAS and provides delta reporting.
• Frank Breedijk
• Perl/Javascript based.
• Need to integrate custom reporting with change management and inventory management etc.
• Bridges to proprietary software: SharePoint, MS SQL Server, integration into standard business workflows of IT departments. Both Perl/Python provide modules to generate standard business format documents.
Improve the tools
• Goals: Integration
• Custom reports
• Python/XML foo OK.
• We are doing one-off scripts right now.
• Reporting/Tracking should not be painful
• Web-based reports best
• Export to PDF
• Summarize and drill down interactive capability
• Need awesome reporting and charting capability
• Ruby/Ruport
• jQuery/Ext JS/Node.js
• Java/Processing
Questions?
Please send us your ideas/comments/questions at [email protected]
Acknowledgements: Tuhin Goswami Our esteemed client where we implemented some of the tools presented. Wasim Halani and K. K. Mookhey for guidance.