|
|
|
Using Posh-SecMod PowerShell Module to Automate Nessus Part 3 |
Si vous voulez bloquer ce service sur vos fils RSS
Si vous voulez nous contacter ou nous proposer un fil RSS
Menu > Articles de la revue de presse : - l'ensemble [ tous | francophone] - par mots clé [ tous] - par site [ tous] - le tagwall [ voir] - Top bi-hebdo de la revue de presse [ Voir]
Using Posh-SecMod PowerShell Module to Automate Nessus Part 3 Par BlogLe [2013-04-18] à 14:47:36
Présentation : Listing Reports Available ------------------------- We can retrieve a list of the reports available on the Nessus Server and the information that they provide with Get-NessusReports function and we provide it a index for the session or an object of Nessus.Server.Session C Get-NessusReports -Index 0 ServerHost 192.168.10.3 ReportID a3fb5b8c-60db-1dda-fac7-ee46c0d0a638ea8ce79ab209483c ReportName Dev Lab Full Scan Status completed KB True AuditTrail True Date 4 14 2013 2 36 21 AM Session Nessus.Server.Session ServerHost 192.168.10.3 ReportID beb54ae5-ddd5-4700-3e85-d0241ade948354bf668ec4c5c319 ReportName Lab Full Unauthenticated Scan Status completed KB True AuditTrail True Date 4 11 2013 6 39 22 AM Session Nessus.Server.Session ServerHost 192.168.10.3 ReportID 908185a5-19cc-e2e4-6073-2134043611b99e3d5fcf060ec31e ReportName Scan Dev Lab Status completed KB True AuditTrail True Date 4 11 2013 4 26 13 AM Session Nessus.Server.Session ServerHost 192.168.10.3 ReportID 0c0a28e2-824a-3606-4bd2-965d0da1c62272dde8c29f1faa6d ReportName Lab Scan 1 Status completed KB True AuditTrail True Date 4 14 2013 2 36 21 AM Session Nessus.Server.Session The main properties for each report object are ReportID This is the unique identifier of the report since Nessus Allows for several reports to have the same name. This is the value we will use for when requesting specific reports for their information. ReportName The friendly name gave to the scan that generated the report. Status When running a Nessus scan the information from the scan is populating a report as it is running so this property will tell us if the results are from a completed scan or is the scan still running. KB this is know as the Knowledge Base of the scan and it is generated per host, this will tell you what plugins where launched and if any errors where encountered. If your Nessus server has less than 2GB of memory the KB is not generated for the hosts so as to save space in memory while executing. The information is stored in the server. AuditTrail This is a execution information that is saved for each plugin it will tell us if the plugin ran with no issues and if a problem was found it will tell us what was the error message. This is saved per plugin and it is stored on the server. Date This is the date when the report was launched in UTC . The Get-NessusReports function produces objects for each report and these have 2 ScriptMethods that we can use against the object it self GetReportItems this method retrieves al reported entries Info, Low, Medium, High and Critical with all the details for each in the properties of the object. GetXML This method retrieves the XML .Net object that represents the NessusV2 format of the report. image Getting a Summary of Each Host in a Report ------------------------------------------ We can query a report and get a summary of the hosts that are in the report and the number of items reported for each severity level, this is done with Get-NessusReportHostSummary. C Get-NessusReportHostSummary -Index 0 -ReportID a3fb5b8c-60db-1dda-fac7-ee46c0d0a638ea8ce79ab209483c Hostname 192.168.10.10 Info 51 Low 1 Medium 4 High 0 Critical 0 Hostname 192.168.10.12 Info 51 Low 2 Medium 5 High 1 Critical 1 Hostname 192.168.10.13 Info 95 Low 2 Medium 12 High 0 Critical 0 Hostname 192.168.10.2 Info 38 Low 1 Medium 1 High 0 Critical 0 Hostname nessus.darkoperator.com Info 39 Low 1 Medium 3 High 0 Critical 0 Getting a Summary per Vulnerability in a Report ----------------------------------------------- We can get a summary for each item found and how many of them are in the report using the function Get-NessusReportVulnSummary C Get-NessusReportVulnSummary -Index 0 -ReportID a3fb5b8c-60db-1dda-fac7-ee46c0d0a638ea8ce79ab209483c PluginID 10107 PluginName HTTP Server Type and Version PluginFamily Web Servers Count 5 Severity Info PluginID 10147 PluginName Nessus Server Detection PluginFamily Service detection Count 1 Severity Info PluginID 10150 PluginName Windows NetBIOS SMB Remote Host Information Disclosure PluginFamily Windows Count 4 Severity Info PluginID 10263 PluginName SMTP Server Detection PluginFamily Service detection Count 2 Severity Info PluginID 10267 PluginName SSH Server Type and Version Information PluginFamily Service detection Count 1 Severity Info PluginID 10287 PluginName Traceroute Information PluginFamily General Count 4 Severity Info PluginID 10394 PluginName Microsoft Windows SMB Log In Possible PluginFamily Windows Count 3 Severity Info PluginID 10736 PluginName DCE Services Enumeration PluginFamily Windows Count 49 Severity Info PluginID 10761 PluginName COM Internet Services CIS Server Detection PluginFamily Windows Count 3 Severity Info PluginID 10785 PluginName Microsoft Windows SMB NativeLanManager Remote System Information Disclosure PluginFamily Windows Count 4 Severity Info PluginID 10863 PluginName SSL Certificate Information PluginFamily General Count 5 Severity Info PluginID 10881 PluginName SSH Protocol Versions Supported PluginFamily General Count 1 Severity Info PluginID 10884 PluginName Network Time Protocol NTP Server Detection PluginFamily Service detection Count 2 Severity Info PluginID 10940 PluginName Windows Terminal Services Enabled PluginFamily Windows Count 4 Severity Info ........ Getting all Host Information from a Report ------------------------------------------ If we want all the information available for each host in a report we use the function Get-NessusReportHostsDetailed, this function will download the report XML, Parse it and generate PowerShell objects for each piece of information found. The information will be divided in to 2 parts for each hosts Host_Properties This is the information about the host that was gathered during the enumeration of the hosts including IP addresses, Netstat information, Operating System and other values. ReportItems This are each of the entries in the vulnerabilities tab of a report. C Get-NessusReportHostsDetailed -Index 0 -ReportID a3fb5b8c-60db-1dda-fac7-ee46c0d0a638ea8ce79ab209483c Host Host_Properties ReportItems ---- --------------- ----------- nessus.darkoperator.com system_type general-purp... Host nessus.darkoperato... 192.168.10.2 operating_system Microso... Host 192.168.10.2 Port... 192.168.10.13 operating_system Microso... Host 192.168.10.13 Por... 192.168.10.12 operating_system Microso... Host 192.168.10.12 Por... 192.168.10.10 operating_system Microso... Host 192.168.10.10 Por... Here is an example of the information we can get in the host properties C reporthost Get-NessusReportHostsDetailed -Index 0 -ReportID a3fb5b8c-60db-1dda-fac7-ee46c0d0a638ea8ce79ab209483c select -First 1 C reporthost.Host_Properties system_type general-purpose netstat_listen_tcp4_0 0.0.0.0 22 local_checks_proto local netstat_listen_tcp46_3 22 netstat_listen_tcp4_2 0.0.0.0 8834 HOST_START Sun Apr 14 02 22 48 2013 host_ip 192.168.10.3 operating_system Linux Kernel 2.6.32-358.0.1.el6.x86_64 on CentOS release 6.4 Final netstat_listen_tcp4_1 0.0.0.0 1241 mac_address 00 0C 29 28 7A F9 HOST_END Sun Apr 14 02 31 13 2013 netstat_listen_tcp6_5 8834 host_fqdn nessus.darkoperator.com netstat_listen_tcp6_4 1241 Report items will contain the information about each vulnerability and each informational plugin that was lunched and was successful in executing. C reporthost.ReportItems 3 Host nessus.darkoperator.com Port 0 ServiceName general Severity Info PluginID 33276 PluginName Enumerate MAC Addresses via SSH PluginFamily General RiskFactor None Synopsis This plugin enumerates MAC addresses on a remote host. Description By connecting to the remote host via SSH with the supplied credentials, this plugin enumerates MAC addresses. Solution Disable any unused interfaces. PluginOutput The following MAC address exists on the remote host - 00 0C 29 28 7A F9 interface eth0 SeeAlso CVE BID ExternaReference PatchPublicationDate VulnPublicationDate Exploitability ExploitAvailable CANVAS Metasploit COREImpact MetasploitModule CANVASPackage CVSSVector CVSSBase CVSSTemporal PluginType local PluginVersion One of the great advantages of PowerShell is that it makes managing the large amount of data quite simple and provides options to export the objects in to XML, CSV and even generate our custom HTML reports. Lets look at the GridView option that allow us to see all the report items in a grid and even add filters to the view The command we use is reporthost.ReportItems Out-GridView image Working with the Nessus v2 XML ------------------------------ We can retrieve the XML .Net Object representation of a report if you which to manipulate the XML it self or use it for other purposes. Getting a XML .Net Object of the report and saving it to disk as a .nessus file C nessusreport Get-NessusV2ReportXML -Index 0 -ReportID a3fb5b8c-60db-1dda-fac7-ee46c0d0a638ea8ce79ab209483c C nessusreport.Save env HOMEPATH Desktop DevLabRepor.nessus Getting access to the information in XML is super easy since in PowerShell it is just like working with a regular .Net object C nessusreport.NessusClientData_v2.Report.ReportHost name HostProperties ReportItem ---- -------------- ---------- nessus.darkoperator.com HostProperties ReportItem, ReportItem, R... 192.168.10.2 HostProperties ReportItem, ReportItem, R... 192.168.10.13 HostProperties ReportItem, ReportItem, R... 192.168.10.12 HostProperties ReportItem, ReportItem, R... 192.168.10.10 HostProperties ReportItem, ReportItem, R... C nessusreport.NessusClientData_v2.Policy policyName All Plugins with Full Scan policy_comments Preferences Preferences FamilySelection FamilySelection IndividualPluginSelection IndividualPluginSelection Filtering Report Items I know that many people are new to PowerShell and still learning the power it has to filter and manipulate objects so the function Retrieve and filter report items Get-NessusReportItems is here to help with some of the filtering. The function will filter at the server the reported items for Host and Severity and return the appropriate report item objects for use C Get-NessusReportItems -Index 0 -ReportID a3fb5b8c-60db-1dda-fac7-ee46c0d0a638ea8ce7b209483c -HostFilter 192.168.10.12 -SeverityFilter critical,high Host 192.168.10.12 Port 3389 ServiceName msrdp Severity High PluginID 58435 PluginName MS12-020 Vulnerabilities in Remote Desktop Could Allow Remote Code Execution 2671387 uncredentialed check PluginFamily Windows RiskFactor High Synopsis The remote Windows host could allow arbitrary code execution. Description An arbitrary remote code vulnerability exists in the implementation of the Remote Desktop Protocol RDP on the remote Windows host. The vulnerability is due to the way that RDP accesses an object in memory that has been improperly initialized or has been deleted. If RDP has been enabled on the affected system, an unauthenticated, remote attacker could leverage this vulnerability to cause the system to execute arbitrary code by sending a sequence of specially crafted RDP packets to it. This plugin also checks for a denial of service vulnerability in Microsoft Terminal Server. Note that this script does not detect the vulnerability if the 'Allow connections only from computers running Remote Desktop with Network Level Authentication' setting is enabled or the security layer is set to 'SSL TLS 1.0 ' on the remote host. Solution Microsoft has released a set of patches for Windows XP, 2003, Vista, 2008, 7, and 2008 R2 http technet.microsoft.com en-us security bulletin ms12-020 PluginOutput SeeAlso CVE CVE-2012-0002, CVE-2012-0152 BID 52353, 52354 ExternaReference OSVDB 80000, OSVDB 80004, EDB-ID 18606, IAVA 2012-A-0039... PatchPublicationDate 2012 03 13 VulnPublicationDate 2012 03 13 Exploitability Exploits are available ExploitAvailable true CANVAS true Metasploit true COREImpact true MetasploitModule MS12-020 Microsoft Remote Desktop Checker CANVASPackage White_Phosphorus CVSSVector CVSS2 AV N AC M Au N C C I C A C CVSSBase 9.3 CVSSTemporal 7.3 PluginType remote PluginVersion Host 192.168.10.12 Port 5355 ServiceName llmnr Severity Critical PluginID 53514 PluginName MS11-030 Vulnerability in DNS Resolution Could Allow Remote Code Execution 2509553 remote check PluginFamily Windows RiskFactor Critical Synopsis Arbitrary code can be executed on the remote host through the installed Windows DNS client. Description A flaw in the way the installed Windows DNS client processes Link- local Multicast Name Resolution LLMNR queries can be exploited to execute arbitrary code in the context of the NetworkService account. Note that Windows XP and 2003 do not support LLMNR and successful exploitation on those platforms requires local access and the ability to run a special application. On Windows Vista, 2008, 7, and 2008 R2, however, the issue can be exploited remotely. Solution Microsoft has released a set of patches for Windows XP, 2003, Vista, 2008, 7, and 2008 R2 http technet.microsoft.com en-us security bulletin ms11-030 PluginOutput SeeAlso CVE CVE-2011-0657 BID 47242 ExternaReference OSVDB 71780, IAVA 2011-A-0039, MSFT MS11-030 PatchPublicationDate 2011 04 12 VulnPublicationDate 2011 04 12 Exploitability Exploits are available ExploitAvailable true CANVAS Metasploit true COREImpact true MetasploitModule Microsoft Windows DNSAPI.dll LLMNR Buffer Underrun DoS CANVASPackage CVSSVector CVSS2 AV N AC L Au N C C I C A C CVSSBase 10.0 CVSSTemporal 7.8 PluginType remote PluginVersion Getting a Host KB and Plugin Audit ---------------------------------- To get the KB is very simple and it is used mainly when opening support tickets with Tenable or when we want to trace what plugins executed or if we want to see what information some plugins used to determined if the host is vulnerable. C Get-NessusReportHostKB -Index 0 -ReportID a3fb5b8c-60db-1dda-fac7-ee46c0d0a638ea8ce79ab209483c -ReportHost 192.168.10.12 Out-File -FilePath env HOMEPATH Desktop lab.txt If we want to see the audit trail for a plugin that executed against a hosts we can retrieve it and it will tell us more information as to why it did not trigger C Get-NessusReportPluginAudit 0 -ReportID a3fb5b8c-60db-1dda-fac7-ee46c0d0a638ea8ce79ab209483c -Host 192.168.10.12 -PluginID 35952 fl Host 192.168.10.12 PluginID 35952 ExitCode 1 Reason Can't open socket on port 49777. Conclusion ---------- I hope you liked this short series. I m currently working on expanding the functions for Nessus even more and looking forward to the new stuff that will be coming out with new releases so as to add support to those.
Les mots clés de la revue de presse pour cet article : powershell nessus
Les videos sur SecuObs pour les mots clés : powershell nessus
Les mots clés pour les articles publiés sur SecuObs : nessus
Les éléments de la revue Twitter pour les mots clé : nessus
Les derniers articles du site "Blog" :
- Malware Trends - Q1 2016
- Simplified DDoS Testing at Scale
- BreakingPoint Captures Real-World 2015 Application Trends
- ATI Minecraft
- Benchmarking Open Source SDN Controllers Are They Ready for Carrier-Grade Services
- The End of Days is Here for Network Blind Spots
- Ixia ATI Research Center Finds Multiple Security Vulnerabilities in IBM Tivoli Storage Manager FastBack
- Introducing PSAttack
- Mobile World Congress 2016 Recap
- Ixia Smarter Security at RSA 2016
Menu > Articles de la revue de presse : - l'ensemble [ tous | francophone] - par mots clé [ tous] - par site [ tous] - le tagwall [ voir] - Top bi-hebdo de la revue de presse [ Voir]
Si vous voulez bloquer ce service sur vos fils RSS :
- avec iptables "iptables -A INPUT -s 88.190.17.190 --dport 80 -j DROP"
- avec ipfw et wipfw "ipfw add deny from 88.190.17.190 to any 80"
- Nous contacter par mail
| Mini-Tagwall des articles publiés sur SecuObs : | | | | sécurité, exploit, windows, attaque, outil, microsoft, réseau, audit, metasploit, vulnérabilité, système, virus, internet, usbsploit, données, source, linux, protocol, présentation, scanne, réseaux, scanner, bluetooth, conférence, reverse, shell, meterpreter, vista, rootkit, détection, mobile, security, malicieux, engineering, téléphone, paquet, trames, https, noyau, utilisant, intel, wishmaster, google, sysun, libre |
| Mini-Tagwall de l'annuaire video : | | | | curit, security, biomet, metasploit, biometric, cking, password, windows, botnet, defcon, tutorial, crypt, xploit, exploit, lockpicking, linux, attack, wireshark, vmware, rootkit, conference, network, shmoocon, backtrack, virus, conficker, elcom, etter, elcomsoft, server, meterpreter, openvpn, ettercap, openbs, iphone, shell, openbsd, iptables, securitytube, deepsec, source, office, systm, openssh, radio |
| Mini-Tagwall des articles de la revue de presse : | | | | security, microsoft, windows, hacker, attack, network, vulnerability, google, exploit, malware, internet, remote, iphone, server, inject, patch, apple, twitter, mobile, virus, ebook, facebook, vulnérabilité, crypt, source, linux, password, intel, research, virtual, phish, access, tutorial, trojan, social, privacy, firefox, adobe, overflow, office, cisco, conficker, botnet, pirate, sécurité |
| Mini-Tagwall des Tweets de la revue Twitter : | | | | security, linux, botnet, attack, metasploit, cisco, defcon, phish, exploit, google, inject, server, firewall, network, twitter, vmware, windows, microsoft, compliance, vulnerability, python, engineering, source, kernel, crypt, social, overflow, nessus, crack, hacker, virus, iphone, patch, virtual, javascript, malware, conficker, pentest, research, email, password, adobe, apache, proxy, backtrack |
|
|
|
|
|
