https://twitter.com/k0st
Agenda
● Introduction
● Tools
● Protocols
● How to automatize them
● How to interconnect them
● Security implications
● Future
● Q&A
45-60 minutes
Same...
● Vulnerabilities are growing
● Less time, more vulnerabilities to check
● Vulnscanners are becoming like anti-viruses
(ehrm. anti-malwares)...
Age of the fattest
Any pentesters here?
Goals
● Replace pentester?
● Automatize the boring stuff
● More time for fun stuff
● Don't worry for your job
● Yes, hard to replace completely :)
● Known limitations
● What can be automatized in the current state of vulnerability scanners
Typical network pentest?
Enumeration => Vulnerability mapping => Exploitation
Popular tools
● Port scanners
● Nmap
– http://www.nmap.org
● Vulnerability scanners
● OpenVAS
– http://www.openvas.org
● Nessus
– http://www.nessus.org
● NeXpose
– http://www.rapid7.com
● Exploitation
● Metasploit
– http://www.metasploit.com
Nmap
● Portscanner => Security scanner
● Scripting (Nmap Scripting Engine - NSE)
● Mainly post portscanning
● Cannot script process of portscanning
● New stuff: scripts can add new targets
● No API
● Command line only
● Not much to automatize
Protocols?
● OpenVAS
● OpenVAS Transport Protocol (OTP)
● OpenVAS Management Protocol (OMP)
● OpenVAS Administrator Protocol (OAP)
● Nessus
● Nessus Transport Protocol (NTP)
● Nessus XMLRPC
● NeXpose
● Rapid7 NeXpose API
Nessus protocols
● Nessus Transport Protocol (NTP)
● Default port: 1241
● Socket based (SSL)
● Discontinued/Obsolete
– No new features will be added
● Nessus XMLRPC
● Default port: 8834
● New interface (Nessus 4.2+)
● http(s) based
● http://www.nessus.org/documentation/nessus_4.4_XMLRPC_protocol_guide.pdf
● Unofficial: http://nessus-xmlrpc.rubyforge.org/
OpenVAS protocols
● OpenVAS Transport Protocol (OTP)
● Port: 9390 (IANA)
● Socket based (SSL) - client/server
● Nessus legacy
● OpenVAS scanning daemon communication (openvassd <=> openvasmd)
● http://www.openvas.org/compendium/changes-ntp-otp.html
● OpenVAS Management Protocol (OMP)
● Port: 9391
● Socket based (SSL) – control scanning/reporting, ...
● OpenVAS management daemon communication (openvasmd <=> clients)
● http://www.openvas.org/openvas-cr-30.html
● OpenVAS Administration Protocol (OAP)
● Port: 9392
● Socket based (SSL) – control users, feed, ...
● OpenVAS administration daemon communication (openvasad <=> clients)
● http://www.openvas.org/openvas-cr-28.html
OpenVAS architecture
is it easier to understand now? :)
Rapid7 NeXpose API
● Port 3780
● http(s) / XML based
● http://community.rapid7.com/redmine/projects/1/wiki/NeXpose_API
● URL: https://localhost:3780/api/1.1/xml
● XML in Request and response
● Manage sites, scans and reports...
Rapid7 example request/response
<?xml version="1.0" encoding="UTF-8"?>
<LoginRequest sync-id="arbitrary_integer" user-id="my-username" password="my-password"/>
my $n = Rapid7::NeXpose::API->new(
url=>'https://localhost:3780',password=>'test');
my $sl = $n->sitelist();
print "Starting scan for first site found: ";
printf "%s with ID: %s\n", $sl->[0]->{'name'}, $sl->[0]->{'id'};
$n->sitescan($sl->[0]->{'id'});
Nessus XMLRPC
● Ruby by me
● http://nessus-xmlrpc.rubyforge.org
● Metasploit: take a look in lib/nessus/ dir ;)
● Perl by me
● http://search.cpan.org/perldoc?Net::Nessus::XMLRPC
● Python by martinarrieta
● http://pynessus-xmlrpc.sourceforge.net/
● empty?
Protocol example
POST https://127.0.0.1:8834/login
login=user&password=test
<authenticate_response status="200" status_text="OK" />
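The login exchange above, as an added Python example that is not part of the talk or of any of the listed client libraries: it builds the form-encoded POST body, parses the reply exactly in the shape shown on the slide, and refuses to continue on anything other than status 200. The base URL and the sample replies are constructed for illustration.

```python
"""Nessus XMLRPC login helper (added example; layout of the reply taken from the slide)."""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

NESSUS_URL = "https://127.0.0.1:8834"  # default XMLRPC port from the slide (assumed host)


def build_login_body(user: str, password: str) -> str:
    """Form-encode the credentials as the slide's POST body shows: login=...&password=..."""
    return urllib.parse.urlencode({"login": user, "password": password})


def parse_login_response(xml_text: str) -> dict:
    """Parse <authenticate_response status=".." status_text=".." />.

    Raises ValueError on malformed or unexpected XML and PermissionError on any
    status other than 200, so a caller can never proceed with a failed login.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"malformed XML reply: {exc}") from exc
    if root.tag != "authenticate_response":
        raise ValueError(f"unexpected root element: {root.tag}")
    status = root.get("status", "")
    status_text = root.get("status_text", "")
    if status != "200":
        raise PermissionError(f"login failed: {status} {status_text}")
    return {"status": status, "status_text": status_text}


def login_succeeded(xml_text: str) -> bool:
    """True only for a well-formed reply with status 200."""
    try:
        parse_login_response(xml_text)
        return True
    except (ValueError, PermissionError):
        return False


def login(user: str, password: str, base_url: str = NESSUS_URL, context=None) -> dict:
    """Send the POST over TLS with certificate verification left on (the default context)."""
    ctx = context or ssl.create_default_context()
    data = build_login_body(user, password).encode()
    req = urllib.request.Request(base_url + "/login", data=data, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return parse_login_response(resp.read().decode())


# Constructed sample replies (not captured from a real scanner)
SAMPLE_OK = '<authenticate_response status="200" status_text="OK" />'
SAMPLE_FAIL = '<authenticate_response status="401" status_text="Authentication failed" />'
```

Pass a context from `ssl.create_default_context(cafile=...)` to `login()` when the scanner uses its own CA instead of turning verification off.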
Example
● YOU
Questions? Comments? Feedback?
@k0st
This is zero