
#BerlinSides

@k0st: Replacing pentester with script

https://twitter.com/k0st
Agenda
● Introduction
● Tools
● Protocols
● How to automate them
● How to interconnect them
● Security implications
● Future
● Q&A
45-60 minutes
Same...
● Vulnerabilities are growing
● Less time, more vulnerabilities to check
● Vulnerability scanners are becoming like anti-virus (ehrm, anti-malware) products...
Age of the fattest
Any pentesters here?
Goals
● Replace pentester?
● Automate the boring stuff
● More time for fun stuff
● Don't worry about your job
● Yes, hard to replace completely :)
● Known limitations
● What can be automated in the current state of
vulnerability scanners
Typical network pentest?

Enumeration -> Vulnerability mapping -> Exploitation
Popular tools
● Port scanners
● Nmap
– http://www.nmap.org
● Vulnerability scanners
● OpenVAS
– http://www.openvas.org
● Nessus
– http://www.nessus.org
● NeXpose
– http://www.rapid7.com
● Exploitation
● Metasploit
– http://www.metasploit.com
Nmap
● Port scanner => security scanner
● Scripting (Nmap Scripting Engine - NSE)
● Scripts run mainly after port scanning
● The port scanning process itself cannot be scripted
● New stuff: scripts can add new targets
● No API
● Command line only
● Not much to automate
Protocols?
● OpenVAS
● OpenVAS Transport Protocol (OTP)
● OpenVAS Management Protocol (OMP)
● OpenVAS Administration Protocol (OAP)
● Nessus
● Nessus Transport Protocol (NTP)
● Nessus XMLRPC
● NeXpose
● Rapid7 NeXpose API
Nessus protocols
● Nessus Transport Protocol (NTP)
● Default port: 1241
● Socket based (SSL)
● Discontinued/Obsolete
– No new features will be added
● Nessus XMLRPC
● Default port: 8834
● New interface (Nessus 4.2+)
● http(s) based
● http://www.nessus.org/documentation/nessus_4.4_XMLRPC_protocol_guide.pdf
● Unofficial: http://nessus-xmlrpc.rubyforge.org/
OpenVAS protocols
● OpenVAS Transport Protocol (OTP)
● Port: 9390 (IANA registered for OpenVAS; which daemon sits on which of 9390/9391/9392 has changed between OpenVAS releases, so check your installation)
● Socket based (SSL) - client/server
● Nessus legacy
● OpenVAS scanning daemon communication (openvassd <=> openvasmd)
● http://www.openvas.org/compendium/changes-ntp-otp.html
● OpenVAS Management Protocol (OMP)
● Port: 9391
● Socket based (SSL) – control scanning/reporting, ...
● OpenVAS management daemon communication (openvasmd <=> clients)
● http://www.openvas.org/openvas-cr-30.html
● OpenVAS Administration Protocol (OAP)
● Port: 9392
● Socket based (SSL) – control users, feed, ...
● OpenVAS administration daemon communication (openvasad <=> clients)
● http://www.openvas.org/openvas-cr-28.html
OpenVAS architecture
is it easier to understand now? :)
Rapid7 NeXpose API
● Port 3780
● http(s) / XML based
● http://community.rapid7.com/redmine/projects/1/wiki/NeXpose_API
● URL: https://localhost:3780/api/1.1/xml
● XML in Request and response
● Manage sites, scans and reports...
Rapid7 example request/response
<?xml version="1.0" encoding="UTF-8"?>
<LoginRequest sync-id="arbitrary_integer" user-id="my-username" password="my-password"/>

<?xml version="1.0" encoding="UTF-8"?>
<LoginResponse session-id="NeXpose provided integer" success="1"/>
Rapid7 NeXpose API
● Making it easy
● Perl CPAN module by me
● http://search.cpan.org/perldoc?Rapid7::NeXpose::API
● Ruby module in metasploit
● Metasploit: take a look in lib/nexpose/ dir ;)
● Ruby module by beingben
● https://github.com/beingben/r7api11-r
Rapid7 NeXpose API - example
use strict;
use warnings;
use Rapid7::NeXpose::API;

# connect to the NeXpose console and log in with the constructor credentials
my $n = Rapid7::NeXpose::API->new(
    url => 'https://localhost:3780', password => 'test');
my $sl = $n->sitelist();        # arrayref of site hashes (id, name, ...)
print "Starting scan for first site found: ";
printf "%s with ID: %s\n", $sl->[0]->{'name'}, $sl->[0]->{'id'};
$n->sitescan($sl->[0]->{'id'}); # kick off a scan of that site
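The same login -> site list -> site scan sequence done against the raw API 1.1 XML, i.e. what the sitelist() and sitescan() calls above wrap for you. This is an added example, not code from the talk, from the CPAN module or from Rapid7. The console URL, the error branch (success="0" with a <Failure>/<Message> body) and the sample responses are assumptions constructed for an offline run; the request/response element names follow the API 1.1 wiki linked above.

```python
"""NeXpose API 1.1 exchange built by hand: LoginRequest -> session-id ->
SiteListingRequest -> SiteScanRequest.

Added example, not code from the talk, the CPAN module or Rapid7.
Assumptions: API_URL, the <Failure>/<Message> error layout, and the
constructed sample responses below."""
import ssl
import urllib.request
import xml.etree.ElementTree as ET

API_URL = "https://localhost:3780/api/1.1/xml"  # from the slide; adjust host


def _doc(element):
    """Serialise an element as a standalone XML document.  Building requests
    with ElementTree instead of string formatting means a password containing
    '"' or '<' is escaped rather than breaking or altering the request."""
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(element, encoding="unicode")


def login_request(user, password, sync_id=1):
    return _doc(ET.Element("LoginRequest",
                           {"sync-id": str(sync_id), "user-id": user, "password": password}))


def site_listing_request(session_id, sync_id=2):
    return _doc(ET.Element("SiteListingRequest",
                           {"session-id": session_id, "sync-id": str(sync_id)}))


def site_scan_request(session_id, site_id, sync_id=3):
    return _doc(ET.Element("SiteScanRequest",
                           {"session-id": session_id, "site-id": str(site_id), "sync-id": str(sync_id)}))


def parse_response(xml_text, expected_tag):
    """Check the root element and its success="1" flag; raise with the
    server's message otherwise (assumed to live under <Failure>/<Message>)."""
    root = ET.fromstring(xml_text)
    if root.tag != expected_tag:
        raise ValueError("expected <%s>, got <%s>" % (expected_tag, root.tag))
    if root.get("success") != "1":
        msgs = [m.text or "" for m in root.iter("Message")]
        raise RuntimeError("%s failed: %s" % (expected_tag, "; ".join(msgs) or "no message"))
    return root


def session_id(login_response_xml):
    return parse_response(login_response_xml, "LoginResponse").get("session-id")


def sites(listing_response_xml):
    root = parse_response(listing_response_xml, "SiteListingResponse")
    return [{"id": int(s.get("id")), "name": s.get("name")} for s in root.findall("SiteSummary")]


def scan_id(scan_response_xml):
    scan = parse_response(scan_response_xml, "SiteScanResponse").find("Scan")
    return None if scan is None else scan.get("scan-id")


def post(xml_text, verify_tls=False):
    """Live transport.  Consoles ship with self-signed certs, so verification is
    off by default here; switch it on once you trust or pin the certificate."""
    ctx = ssl.create_default_context() if verify_tls else ssl._create_unverified_context()
    req = urllib.request.Request(API_URL, data=xml_text.encode(),
                                 headers={"Content-Type": "text/xml"}, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return resp.read().decode()


# --- constructed sample responses (offline stand-ins for post()) ---
LOGIN_RESP = '<LoginResponse session-id="9A32D0F1" success="1"/>'
LOGIN_BAD = ('<LoginResponse success="0"><Failure><Message>Authentication failed'
             '</Message></Failure></LoginResponse>')
SITES_RESP = ('<SiteListingResponse success="1">'
              '<SiteSummary id="1" name="Lab net" description="" riskfactor="1.0"/>'
              '<SiteSummary id="2" name="DMZ" description="" riskfactor="1.0"/>'
              '</SiteListingResponse>')
SCAN_RESP = '<SiteScanResponse success="1"><Scan scan-id="42" engine-id="3"/></SiteScanResponse>'

if __name__ == "__main__":
    sid = session_id(LOGIN_RESP)   # live: session_id(post(login_request("nxadmin", "test")))
    first = sites(SITES_RESP)[0]   # live: sites(post(site_listing_request(sid)))
    print("Starting scan for first site found: %s with ID: %d" % (first["name"], first["id"]))
    print(site_scan_request(sid, first["id"]))
    print("scan id:", scan_id(SCAN_RESP))
```

The sync-id is an arbitrary client-chosen integer echoed back by the console; keep a counter per session so a late or out-of-order response can be matched to its request instead of being trusted blindly.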
Nessus XMLRPC
● Ruby by me
● http://nessus-xmlrpc.rubyforge.org
● Metasploit: take a look in lib/nessus/ dir ;)
● Perl by me
● http://search.cpan.org/perldoc?Net::Nessus::XMLRPC
● Python by martinarrieta
● http://pynessus-xmlrpc.sourceforge.net/
● empty?
Protocol example
POST https://127.0.0.1:8834/login

login=user&password=test

<?xml version="1.0" encoding="UTF-8"?>
<reply>
<seq></seq>
<status>OK</status>
<contents><token>c1b9ce52d5f9b73c4c86e26c8d4f0b51da43f18287e02677</token><user>
<name>nessus</name>
<admin>TRUE</admin>
</user></contents>
</reply>
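The client side of the exchange above, as an added example (not code from the talk, from the listed libraries or from Tenable): build the form-encoded request, tie the reply to the request via <seq>, pull the token out of the XML and send it back as a "token" cookie on later calls. The scanner address, the shape of the error reply and the /scan/list endpoint name are assumptions; the sample replies are constructed from the slide for an offline run.

```python
"""Nessus 4.x XMLRPC session plumbing: request building, seq matching,
token extraction, token cookie on follow-up calls.

Added example, not code from the talk or from Tenable.  Assumptions:
BASE_URL, the error-reply shape, the /scan/list endpoint name, and the
constructed sample replies."""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

BASE_URL = "https://127.0.0.1:8834"  # assumed scanner address; 8834 is the XMLRPC default port


def build_request(path, params, seq, token=None):
    """Return (url, body, headers) for one XMLRPC call.

    'seq' is an arbitrary integer the server echoes back in <seq>, which lets
    the caller tie a reply to its request.  After login the session token is
    sent back in a Cookie header."""
    body = urllib.parse.urlencode({**params, "seq": seq}).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if token:
        headers["Cookie"] = "token=" + token
    return BASE_URL + path, body, headers


def parse_reply(xml_text, expected_seq=None):
    """Validate a <reply> and return its <contents> element.

    Raises on a status other than OK, on a <seq> that does not match, or on a
    reply that is not the XML we expect (e.g. an HTML error page)."""
    root = ET.fromstring(xml_text)
    if root.tag != "reply":
        raise ValueError("unexpected root element <%s>" % root.tag)
    seq = (root.findtext("seq") or "").strip()       # empty when no seq was sent
    if expected_seq is not None and seq and int(seq) != expected_seq:
        raise ValueError("seq mismatch: sent %d, got %s" % (expected_seq, seq))
    status = root.findtext("status")
    if status != "OK":
        raise PermissionError("scanner replied status=%r" % status)
    contents = root.find("contents")
    if contents is None:
        raise ValueError("reply has no <contents>")
    return contents


def session_from_login(xml_text, expected_seq=None):
    """Extract token, user name and admin flag from a successful /login reply."""
    contents = parse_reply(xml_text, expected_seq)
    token = contents.findtext("token")
    if not token:
        raise ValueError("login reply carries no token")
    return {
        "token": token,
        "user": contents.findtext("user/name"),
        "admin": (contents.findtext("user/admin") or "").upper() == "TRUE",
    }


def call(url, body, headers, verify_tls=False):
    """Live transport.  Scanners ship with self-signed certificates, so
    verification is off by default; turn it on once you trust or pin the cert."""
    ctx = ssl.create_default_context() if verify_tls else ssl._create_unverified_context()
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode()


# --- constructed sample replies (shape taken from the login reply on the slide) ---
LOGIN_OK = """<?xml version="1.0" encoding="UTF-8"?>
<reply><seq>1</seq><status>OK</status>
<contents><token>c1b9ce52d5f9b73c4c86e26c8d4f0b51da43f18287e02677</token>
<user><name>nessus</name><admin>TRUE</admin></user></contents></reply>"""

LOGIN_FAIL = """<?xml version="1.0" encoding="UTF-8"?>
<reply><seq>2</seq><status>ERROR</status><contents>Invalid login</contents></reply>"""

if __name__ == "__main__":
    url, body, headers = build_request("/login", {"login": "nessus", "password": "test"}, seq=1)
    # reply = call(url, body, headers)       # live call; the sample reply stands in below
    session = session_from_login(LOGIN_OK, expected_seq=1)
    print("token:", session["token"], "(admin)" if session["admin"] else "(user)")
    url, body, headers = build_request("/scan/list", {}, seq=2, token=session["token"])
    print(url, headers["Cookie"])
```

The token is the whole session: anyone who reads it off the wire or out of a log has the admin account, so keep the transport on https and never log request headers from an automation job.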
API example
● Demo
OpenVAS OMP/OAP
● Python by Hartmut Goebel
● http://pypi.python.org/pypi/openvas.omplib
● http://pypi.python.org/pypi/openvas.oaplib
● Ruby by me
● https://github.com/kost/openvas-omp-ruby
● Perl
● In progress, stay tuned :)
OMP API example
<authenticate>
  <credentials>
    <username>sally</username>
    <password>secret</password>
  </credentials>
</authenticate>

<authenticate_response status="200" status_text="OK" />
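A minimal OMP client around the authenticate exchange above, as an added example (not code from the talk, from openvas-omp-ruby or from the OpenVAS project): XML commands go to openvasmd over a TLS socket, responses come back as XML, and because OMP has no length framing the client keeps reading until the buffer parses as one complete element. The host/port, the task and report element names in the sample responses (constructed to follow OMP 1.0/2.0) and the fake transport used offline are assumptions.

```python
"""Minimal OMP client: authenticate, get_tasks, start_task over a raw TLS
socket, with an injected transport so it also runs offline.

Added example, not code from the talk or from the OpenVAS project.
Assumptions: HOST/PORT, the constructed sample responses, FakeManager."""
import socket
import ssl
import xml.etree.ElementTree as ET

HOST, PORT = "127.0.0.1", 9391  # assumed; the manager port differs between OpenVAS releases


def authenticate_cmd(user, password):
    """Built with ElementTree so a password containing '<' or '&' is escaped."""
    auth = ET.Element("authenticate")
    cred = ET.SubElement(auth, "credentials")
    ET.SubElement(cred, "username").text = user
    ET.SubElement(cred, "password").text = password
    return ET.tostring(auth, encoding="unicode")


def get_tasks_cmd():
    return "<get_tasks/>"


def start_task_cmd(task_id):
    return ET.tostring(ET.Element("start_task", {"task_id": task_id}), encoding="unicode")


def check(response_xml, command):
    """Parse a response, verify it answers 'command' and carries a 2xx status."""
    root = ET.fromstring(response_xml)
    if root.tag != command + "_response":
        raise ValueError("expected <%s_response>, got <%s>" % (command, root.tag))
    status = root.get("status", "")
    if not status.startswith("2"):
        raise PermissionError("%s: %s %s" % (command, status, root.get("status_text", "")))
    return root


def tasks(get_tasks_response_xml):
    root = check(get_tasks_response_xml, "get_tasks")
    return [{"id": t.get("id"), "name": t.findtext("name"), "status": t.findtext("status")}
            for t in root.findall("task")]


def report_id(start_task_response_xml):
    return check(start_task_response_xml, "start_task").findtext("report_id")


class OmpSession:
    """Send commands over an injected transport: a real TLS socket or a fake."""

    def __init__(self, transport):
        self.transport = transport  # needs send(bytes) and recv(n) -> bytes

    def command(self, xml_text):
        self.transport.send(xml_text.encode())
        buf = b""
        while True:
            chunk = self.transport.recv(4096)
            if not chunk:
                raise ConnectionError("manager closed the connection")
            buf += chunk
            try:
                ET.fromstring(buf)   # parses => one complete response element
                return buf.decode()
            except ET.ParseError:
                continue             # still partial: keep reading

    def login(self, user, password):
        return check(self.command(authenticate_cmd(user, password)), "authenticate")


def tls_connect(host=HOST, port=PORT, verify=False):
    """Live transport; verification off by default because openvasmd uses a self-signed cert."""
    ctx = ssl.create_default_context() if verify else ssl._create_unverified_context()
    return ctx.wrap_socket(socket.create_connection((host, port), timeout=30), server_hostname=host)


class FakeManager:
    """Offline stand-in: scripted responses, deliberately handed out 5 bytes at a time."""

    def __init__(self, responses):
        self.responses, self.pending, self.sent = list(responses), b"", []

    def send(self, data):
        self.sent.append(data.decode())
        self.pending = self.responses.pop(0).encode()

    def recv(self, n):
        chunk, self.pending = self.pending[:5], self.pending[5:]
        return chunk


# --- constructed sample responses ---
AUTH_OK = '<authenticate_response status="200" status_text="OK"/>'
AUTH_BAD = '<authenticate_response status="400" status_text="Authentication failed"/>'
TASKS = ('<get_tasks_response status="200" status_text="OK">'
         '<task id="254cd3ef-bbe1-4d58-859d-21b8d0c046c6"><name>Lab sweep</name><status>Done</status></task>'
         '<task id="d56a1f2c-0a2b-4b7f-9d6f-3cb0e62c9c9e"><name>DMZ</name><status>New</status></task>'
         '</get_tasks_response>')
START = ('<start_task_response status="202" status_text="OK, request submitted">'
         '<report_id>0f7a9d6e-2c8b-4c1e-9b5c-6f1d2e3a4b5c</report_id></start_task_response>')


def start_new_tasks(transport, user="sally", password="secret"):
    """Log in, then start every task still in status New; return the report ids."""
    s = OmpSession(transport)
    s.login(user, password)
    todo = [t for t in tasks(s.command(get_tasks_cmd())) if t["status"] == "New"]
    return [report_id(s.command(start_task_cmd(t["id"]))) for t in todo]


if __name__ == "__main__":
    print(start_new_tasks(FakeManager([AUTH_OK, TASKS, START])))  # live: tls_connect()
```

Reading until the buffer parses is what the simple clients do; it costs a parse per chunk but needs no knowledge of OMP beyond "one XML element per response".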
Example

Let's take a look at some examples in Metasploit...


What about web tests?
● Most scanners have basic web checks
● OpenVAS can integrate the most popular web
testing tools
● nikto - http://cirt.net/nikto2
● w3af - http://w3af.sourceforge.net/
● wapiti - http://wapiti.sourceforge.net/
● It depends how advanced these tools are :)
● Packagers can screw it up
Metasploit
● It's in Metasploit already!
● msfupdate or svn update
● Modules
● load nexpose
● load nessus
● load openvas
● Scripting Metasploit?
● Ruby?
● Or just a resource file of console commands
Security implications of APIs
● Vulnerability scanners are everywhere now
● compliance/law requirements
● Filter old and unneeded protocols
● NTP?
● Virtualization
● Bring up the vulnerability scanner only when needed
● Authentication
● Good passwords or certificates
● Brute force possible
– No account lockout in Nessus and OpenVAS!
– NeXpose has account lockout
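An exposure check for the two points above (filter the legacy protocols, bring the scanner up only when needed), as an added example that is not from the talk: probe a host for the management and transport ports listed on the protocol slides and report which ones answer, distinguishing a refused connection (host reachable, nothing listening) from a timeout (probably filtered). The port table is the talk's; the timeouts and the throwaway local listener used by the demo are this script's own assumptions.

```python
"""Which scanner interfaces answer on a host?  Use it to confirm that a
filtered or powered-down scanner really is unreachable, and that legacy
NTP/OTP is not still listening next to the XMLRPC/OMP port you meant to expose.

Added example, not from the talk.  The port table is from the protocol
slides; timeouts and the demo listener are assumptions."""
import socket
import threading

SCANNER_PORTS = {
    1241: "Nessus NTP (legacy, socket/SSL)",
    8834: "Nessus XMLRPC (https)",
    9390: "OpenVAS OTP (scanner)",
    9391: "OpenVAS OMP (manager)",
    9392: "OpenVAS OAP (administrator)",
    3780: "NeXpose API (https)",
}


def probe(host, port, timeout=2.0):
    """Return 'open', 'closed' or 'filtered' for one TCP port.

    Refused: the host answers but nothing listens there.  Timeout: a firewall
    is most likely dropping the SYN.  Other socket errors (route missing, name
    lookup failed) are reported as filtered too, since nothing is reachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError, OSError):
        return "filtered"


def exposed_interfaces(host, ports=SCANNER_PORTS, timeout=2.0):
    """Map port -> (description, state) for every port in the table."""
    return {port: (name, probe(host, port, timeout)) for port, name in ports.items()}


def report(results):
    """Human-readable listing; open ports are flagged with '!!'."""
    lines = []
    for port, (name, state) in sorted(results.items()):
        flag = "!!" if state == "open" else "  "
        lines.append("%s %5d %-9s %s" % (flag, port, state, name))
    return "\n".join(lines)


def local_listener():
    """Demo only: a throwaway TCP listener on 127.0.0.1.  Returns (socket, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:      # listener closed
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # stand-in for a scanner: the demo listener plays the legacy Nessus port
    srv, port = local_listener()
    demo_table = {port: "demo listener standing in for " + SCANNER_PORTS[1241]}
    print(report(exposed_interfaces("127.0.0.1", demo_table)))
    srv.close()
    # real use: print(report(exposed_interfaces("scanner.example.internal")))
```

A scanner that is supposed to be switched off between engagements should come back all 'closed' or 'filtered'; an 'open' 1241 or 9390 next to the port you actually use is the "old and unneeded protocol" the slide warns about.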
Toolchain?
● Gaining access?
● Brute forcing (Perl and NSE)
● https://github.com/kost/vulnscan-pwcrack
● Having access?
● Use the libraries above to download all reports easily
● Storing a filesystem inside scanner data?
● https://github.com/kost/babushkafs
● Other nice things? Stay tuned :)
Future
● Use multiple scanners and correlate
● Your exercise?
● Problems with APIs
● They control the scan, but not each request
● Automatic firewall/IPS detection
● Nmap
● No API/interface
● Having an API might kill the current Nmap business model
ACKnowledgements
● BerlinSides hosts
● HD Moore
● Zate

● YOU
Questions? Comments? Feedback?

@k0st

This is zero
