Xml interfaces to the popular nessus scanner
1. XML Interfaces to the Popular Nessus Scanner
Rajesh Deo
Network Intelligence India Pvt. Ltd.
29/03/2012
NULL Mumbai Chapter
2. The Venerable Nessus Scanner
• A comprehensive vulnerability scanner
• Can perform network tests, system audits, patch management, compliance tests such as PCI DSS, SCADA vulnerability audits, and so on…
• Proprietary - Tenable Network Security
• Started by Renaud Deraison in 1998 to provide the Internet community with a free remote security scanner similar to SATAN and NetSaint.
• Nessus 5.0 was released on Feb 15th, 2012.
• http://www.nessus.org/products/nessus
3. Open-source Tools
• Perl/Net::Nessus::XMLRPC
• Vlatko Košturjak
• http://search.cpan.org/~kost/Net-Nessus-XMLRPC-0.30/lib/Net/Nessus/XMLRPC.pm
• Perl 5 License (Artistic 1 & GPL 1)
• https://github.com/kost/nessus-xmlrpc-perl
• Also develops a similar library for Rapid7’s NeXpose
• Ruby/nessus-xmlrpc
• http://nessus-xmlrpc.rubyforge.org/
• GPL/BSD, by author of Net::Nessus::XMLRPC
• Python/nessus-xmlrpc
• http://code.google.com/p/nessusxmlrpc/
• Apache License 2.0
• Kurtis Miller
4. Why do we need these tools?
• Automation
• Automation
• Automation
• Custom reporting
• Custom reporting
• Custom reporting
• XML/XSL
• XPATH/XQUERY
• CLI
• http://seclists.org/metasploit/2010/q3/378
• Bridges to awesome software
• By Zate Burg
5. Why are we using Python/nessus-xmlrpc?
• I know Python a little bit
• Matplotlib for charting/graphs
• NumPy/SciPy or an interface to R for numerical computations and statistics.
• Not as well developed as Perl/Ruby modules but pretty close
• Last upload in Dec. 2010
• There is scope to contribute...
• ..and perhaps integrate with different tools
6. Automation: XML-RPC API in Ruby
• Write custom scripts, simple one-off tools
• Monitor long-running scans
• Get reports in XML for parsing and custom reporting.
• Large similarity between Perl and Ruby APIs.
7. CLI for shell lovers
• Automate with your favorite shell: Bash, Tcsh, Zsh
• Grep, sed and awk
• With an XML/RPC interface you can tunnel your scan requests to your central Nessus server with professional feed over SSH/HTTPS directly from within Python/Perl/Ruby.
• Great for doing external penetration tests.
8. Multiple Targets?
• Home Feed limits you to only 15 targets at a time; good enough for development.
• The XML-RPC interface is the same for Professional Feed and Home Feed.
• Multiple targets separated by “,” or “\n”
9. Automation with Python
Email and xsltproc
• Possibilities
• Have report emailed to management desktop
• Write custom XSL reports, process with xsltproc on Linux.
• Import into CMS solutions
10. The XML-RPC Interface for Nessus
• Partially documented
• http://www.tenable.com/documentation/nessus_XMLRPC_protocol_guide.pdf
• An unofficial test.html from Renaud Deraison is here
• http://nessus-xmlrpc.rubyforge.org/test.html
• An update to XML docs will be available in a week, last post 2 days ago.
• https://discussions.nessus.org/message/14693;jsessionid=E2130C8DA7ACFC58DC1850D9EFE828FE
• http://blog.upbeat.fr/tagged/Nessus?
• Unofficial documentation on .nessus v2 XML report format
• Automation using wget
• But please use Ruby/Perl/Python interfaces, far cleaner and you can add custom features.
11. Nessus v2 XML report format
• Microsoft Excel is your friend
[Figure: .nessus v2 report with callouts: Vulnerability, References, Host Inventory, “Is there a Metasploit module for this?”]
12. Custom Reports: MS Patches
With Python, use lxml; output to CSV, XLS, SQL, HTML or XML again!
Python constructs make it easy to write clean code.
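The MS-patch report from this slide, as an added example that is not code from the original deck: it uses the standard library's xml.etree.ElementTree instead of lxml so it runs without extra packages, and assumes Windows bulletin plugins carry the bulletin number in their pluginName attribute. The sample report, hosts, plugin IDs and bulletin numbers are constructed.

```python
import csv
import io
import re
import xml.etree.ElementTree as ET

# Constructed sample in the .nessus v2 layout; hosts, plugin IDs and bulletin numbers are made up.
SAMPLE_REPORT = """<NessusClientData_v2><Report name="constructed-sample">
<ReportHost name="192.0.2.10">
  <ReportItem port="445" severity="3" pluginID="900001" pluginName="MS99-901: Constructed bulletin A" pluginFamily="Windows : Microsoft Bulletins"/>
  <ReportItem port="139" severity="3" pluginID="900001" pluginName="MS99-901: Constructed bulletin A" pluginFamily="Windows : Microsoft Bulletins"/>
  <ReportItem port="0" severity="0" pluginID="900003" pluginName="Constructed info plugin" pluginFamily="General"/>
</ReportHost>
<ReportHost name="192.0.2.11">
  <ReportItem port="445" severity="3" pluginID="900001" pluginName="MS99-901: Constructed bulletin A" pluginFamily="Windows : Microsoft Bulletins"/>
  <ReportItem port="3389" severity="2" pluginID="900002" pluginName="MS99-902: Constructed bulletin B" pluginFamily="Windows : Microsoft Bulletins"/>
</ReportHost>
</Report></NessusClientData_v2>"""

BULLETIN = re.compile(r"\bMS\d{2}-\d{3}\b")  # assumption: bulletin number appears in pluginName

def missing_ms_patches(report_xml):
    """Return sorted, de-duplicated (host, bulletin, severity, plugin_id) rows."""
    rows = set()  # the same plugin can fire on several ports of one host
    for host in ET.fromstring(report_xml).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            match = BULLETIN.search(item.get("pluginName", ""))
            if match:
                rows.add((host.get("name"), match.group(0),
                          int(item.get("severity", "0")), item.get("pluginID")))
    return sorted(rows)

def hosts_per_bulletin(rows):
    """Group affected hosts under each bulletin for a management summary."""
    summary = {}
    for host, bulletin, _severity, _plugin_id in rows:
        summary.setdefault(bulletin, set()).add(host)
    return {bulletin: sorted(hosts) for bulletin, hosts in summary.items()}

def to_csv(rows):
    """Render the rows as CSV text that Excel or a database import can read."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["host", "bulletin", "severity", "plugin_id"])
    writer.writerows(rows)
    return out.getvalue()

if __name__ == "__main__":
    print(to_csv(missing_ms_patches(SAMPLE_REPORT)), end="")
```

Running the same two functions over last week's and this week's exports and comparing the row sets gives a simple delta report of newly missing and newly fixed patches.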
13. Vulnerability Management/Delta Reporting
• Seccubus: http://seccubus.com/
• Seccubus automates regular vulnerability scans with Nessus and OpenVAS and provides delta reporting.
• Frank Breedijk
• Perl/JavaScript based.
• Need to integrate custom reporting with change management and inventory management etc.
• Bridges to proprietary software: SharePoint, MS SQL Server, integration into standard business workflows of IT departments. Both Perl/Python provide modules to generate standard business format documents.
14. Improve the tools
• Goals: Integration
• Custom reports
• Python/XML foo OK.
• We are doing one-off scripts right now.
• Reporting/Tracking should not be painful
• Web-based reports best
• Export to PDF
• Summarize and drill down interactive capability
• Need awesome reporting and charting capability
• Ruby/Ruport
• jQuery/Ext JS/Node.js
• Java/Processing
15. Questions?
Please send us your ideas/comments/questions at rajesh.deo@niiconsulting.com
Acknowledgements:
Tuhin Goswami
Our esteemed client where we implemented some of the tools presented.
Wasim Halani and K. K. Mookhey for guidance.