
Vulnerability Intelligence and Assessment with vulners.com



  1. Vulnerability Intelligence & Assessment with vulners.com. Alexander Leonov, Pentestit Lab, 2016
  2. #:whoami
     - Security Analyst at Mail.Ru Group
     - Texts and analytics for vulners.com
     - Security Automation blog at avleonov.com
  3. Vulners Project
     - Was created by the QIWI security team
     - Vulnerability source data aggregator
     - Normalized, machine-readable content
     - API-driven development
     - Absolutely free
  4. Vulners Project
  5. Definition
     "Vulnerability is a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source."
     Glossary of Key Information Security Terms, NISTIR 7298 R2
  6. Risks
     - Information systems takeover
     - Revocation of licenses
     - Business continuity
     - Money loss
     - ... and more
  7. Vulnerability management process
     - Mandatory component of information security
     - A must-have for security-aware companies
     - Required by PCI DSS and other standards
     - Best practice for surviving on the Internet
  8. Vulnerability management lifecycle
     Discover -> Prioritize Assets -> Assess -> Report -> Remediate -> Verify
  9. Some problems of vulnerability scanners
     - When the scan is finished, the results may already be outdated
     - Per-host licensing
     Knowledge base:
     - How quickly does the vendor add new vulnerability checks?
     - Some vulnerabilities can be found only with authentication or a correct service banner
     - No scanner will find all vulnerabilities of any software
     - You will never know the real limitations of the product
  10. Nessus vs. OpenVAS
      - All CVEs: 80196
      - Nessus CVE links: 35032
      - OpenVAS CVE links: 29240
      - OpenVAS vs. Nessus (CVE overlap): 3787 only in OpenVAS; 25453 in both; 9579 only in Nessus
  11. Nessus vs. OpenVAS (continued)
      - All CVEs: 80196; Nessus CVE links: 35032; OpenVAS CVE links: 29240
      - CVE overlap: 3787 only in OpenVAS (2673 OpenVAS plugins); 25453 in both (38207 OpenVAS plugins and 50896 Nessus plugins); 9579 only in Nessus (6639 Nessus plugins)
      - All NASL plugins: OpenVAS 49747, Nessus 81349
  12. Why?
      - "Old" vulnerabilities
      - Vendor forgot to add links to the CVE id
      - Vulnerabilities in plugins (WordPress VideoWhisper)
      - "Local" software not supported (openMairie)
      - Stopped adding new vulnerabilities (vBulletin)
  13. Examples: OpenVAS detects, Nessus does not
      - D-Link DIR-100 Router Multiple Vulnerabilities
      - Cisco Firepower Management Center Privilege Escalation Vulnerability
      - vBulletin 3.6.x to 4.2.2/4.2.3 Forumrunner 'request.php' SQL Injection
      - WordPress VideoWhisper Live Streaming Integration Multiple Vulnerabilities
  14. Examples: Nessus detects, OpenVAS does not
      - Solaris vulnerabilities since 2010
      - Apple QuickTime - MOV File Parsing Memory Corruption Vulnerability
  15. In other words
      - A vulnerability scanner is a necessity
      - Don't depend too much on it
      - If the scanner does not detect some vulnerability, it is YOUR problem, not your VM vendor's
      - Choose a solution you can control and vendors you can trust
      - Have alternative sources of vulnerability data
  16. Vulnerability Intelligence and PCI DSS
  17. Vulnerability data sources
      - Born in the 90's
      - Every product has its own source of vulnerability data
      - Most of the information is not suitable for automatic vulnerability scanners
      - MITRE, NVD, SCAP, OVAL and others failed to standardize it
      - Everyone is working on their own
      - "Search"? Forget about it. Use Google instead.
  18. vulners.com: the information security "Google"
      - Vulnerability source data aggregator
      - Created by security specialists for security specialists
      - Incredibly fast search engine
      - Normalized, machine-readable content
      - Audit features out of the box
      - API-driven development
      - Absolutely free
  19. Content (58 sources)
      - #Bug Bounty: HackerOne, openbugbounty.org, Vulnerability Lab, XSSed
      - #Bulletins, network vendors: Cisco, F5 Networks, Huawei, OpenWrt, Palo Alto Networks
      - #Bulletins, software: Apache Httpd, Drupal, Mozilla, Nginx, OpenSSL, Opera, ownCloud, PostgreSQL, Samba, TYPO3, WPScan Database, Xen Project
      - #Bulletins, virtualization vendors: VMware
      - #Bulletins, BSD: FreeBSD
      - #Bulletins, hardware: Lenovo
      - #Bulletins, Linux: Amazon Linux AMI, Arch Linux, CentOS Linux, Debian Linux, Gentoo Linux, Oracle Linux, RedHat Linux, Slackware Linux, SUSE Linux, Ubuntu Linux
      - #Detection vendors: NMAP, OpenVAS, Tenable Nessus, W3AF
      - #Exploit bases: 0day.today, DSquare Exploit Pack, Exploit-DB, Immunity Canvas, Malware exploit database, Metasploit, SAINTexploit
      - #Media: rdot.org, ThreatPost
      - #Possible 0day: Hackapp, InfoWatch APPERCUT
      - #Vulnerability bases: CERT, ERPScan, ICS, Microsoft Vulnerability Research, NVD CVE, Positive Technologies, seebug.org, Symantec, Zero Day Initiative
  20. Stats
  21. Under the hood
  22. Search
      - Google-style search string
      - Dorks, advanced queries and many more
      - UX-driven
      - Human-oriented
      - References and data linkage
      - Extremely fast
  23. Search results
  24. Object
  25. Search requests
      - Any complex query:
        title:httpd type:centos order:published last year
      - Sortable by any field of the model (type, CVSS, dates, etc.)
      - Apache Lucene syntax (AND, OR and so on)
      - Exploit search by sources and CVEs:
        cvelist:CVE-2014-0160 type:exploitdb
        sourceData:.bash_profile
        sourceData:"magic bytes"
  26. Search requests
      - CentOS bulletins with remotely exploitable vulnerabilities:
        (type:centos AND (title:"Critical" OR title:"Important") AND cvss.vector:"AV:NETWORK") order:published
      - Important CVE vulnerabilities in Microsoft software:
        (type:cve AND cvss.score:[6 TO 10] AND description:"Microsoft") order:published
  27. Search requests
      - Nessus plugins for remotely exploitable vulnerabilities, excluding Windows:
        type:nessus AND cvss.score:[6 TO 10] AND cvss.vector:"AV:NETWORK" AND (NOT naslFamily:"Local" AND NOT naslFamily:"Windows : Microsoft Bulletins" AND NOT naslFamily:"Windows") order:published
      - OpenSSL and OpenSSH vulnerabilities:
        (type:openssl OR ( type:cve AND cpe:*openssh* ) ) order:published
  28. Parameters
      https://vulners.com/api/v3/search/id/?id=CISCO-SA-20161005-OTV-NXOS.NASL
  29. Search API
      - GET/POST REST API with JSON output
      - Search:
        https://vulners.com/api/v3/search/lucene/?query=type:centos%20cvss.score:[8%20TO%2010]%20order:published
      - Information:
        https://vulners.com/api/v3/search/id?id=CESA-2016:1237&references=true
      - Export:
        https://vulners.com/api/v3/archive/collection?type=exploitdb
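As an added example (not code from the slides or from the vulners project), a small Python helper that composes Lucene queries of the kind shown on slides 25 to 27 and turns them into the search, id-lookup and RSS URLs of slides 29 and 30. The endpoint paths and query fields are taken from the slides; the function names, the query-builder parameters and the `search()` wrapper are my own assumptions, and the response format is not parsed because the slides do not show it.

```python
import json
import urllib.request
from urllib.parse import quote

# Added example, not vulners' own client code. Endpoint paths are the ones on
# the slides; everything else (names, parameters) is an assumption.

API_BASE = "https://vulners.com/api/v3"
# Characters left unencoded so the URL reads like the slide examples; spaces become %20.
_SAFE = ':[]"'


def lucene_url(query):
    """Search endpoint URL for a raw Lucene query string."""
    return f"{API_BASE}/search/lucene/?query=" + quote(query, safe=_SAFE)


def id_url(doc_id, references=False):
    """Lookup of one document by id (e.g. a CESA bulletin), optionally with linked references."""
    url = f"{API_BASE}/search/id?id=" + quote(doc_id, safe=":")
    return url + "&references=true" if references else url


def rss_url(query):
    """RSS feed built from the same Lucene query syntax."""
    return "https://vulners.com/rss.xml?query=" + quote(query, safe=_SAFE)


def _phrase(value):
    """Quote a field value as a Lucene phrase, escaping embedded double quotes."""
    return '"' + value.replace('"', '\\"') + '"'


def build_query(doc_type, min_score=None, max_score=10, remote_only=False,
                exclude_families=(), order="published"):
    """Compose a Lucene query from a few structured filters.

    doc_type         -> type:<value>
    min_score        -> cvss.score:[min TO max]      (range query)
    remote_only      -> cvss.vector:"AV:NETWORK"     (network-reachable only)
    exclude_families -> (NOT naslFamily:"..." AND NOT naslFamily:"...")
    order            -> trailing 'order:<field>' sort directive
    """
    clauses = [f"type:{doc_type}"]
    if min_score is not None:
        clauses.append(f"cvss.score:[{min_score} TO {max_score}]")
    if remote_only:
        clauses.append("cvss.vector:" + _phrase("AV:NETWORK"))
    if exclude_families:
        nots = " AND ".join("NOT naslFamily:" + _phrase(fam) for fam in exclude_families)
        clauses.append(f"({nots})")
    query = " AND ".join(clauses)
    return f"{query} order:{order}" if order else query


def search(query, timeout=30):
    """Run the query against the live API and return the decoded JSON (needs network access)."""
    with urllib.request.urlopen(lucene_url(query), timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    q = build_query("nessus", min_score=6, remote_only=True,
                    exclude_families=["Local", "Windows : Microsoft Bulletins", "Windows"])
    print(q)
    print(lucene_url(q))
    print(rss_url("type:debian"))
```

With the three `naslFamily` exclusions from slide 27, `build_query` reproduces that slide's query character for character, and `lucene_url` on the slide 29 query yields the same URL the slide shows.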
  30. RSS
      - Fully customizable news feed in RSS format
      - Powered by an Apache Lucene query:
        https://vulners.com/rss.xml?query=type:debian
      - No cache; it is built right when you ask for it
      - Atom, Webfeeds, mrss compatible
  31. Telegram Bot
      - Up to 3 subscriptions
      - In-app search
      - Broadcast for emergency news
      https://telegram.me/vulnersBot
  32. Email Subscriptions
      - Up to 5 subscriptions
      - Awareness service
      - Absolutely customizable
      https://vulners.com/#subscriptions
  33. Email Subscriptions
  34. Linux Audit GUI
      - Linux OS vulnerability scan
      - Immediate results
      - Dramatically simple
      https://vulners.com/#audit
  35. Linux Audit GUI
      - RedHat
      - CentOS
      - Fedora
      - Oracle Linux
      - Ubuntu
      - Debian
  36. Linux Audit GUI
  37. Linux Audit API
      curl -H "Accept: application/json" -H "Content-Type: application/json" -X POST \
        -d '{"os":"centos","package":["pcre-8.32-15.el7.x86_64","samba-common-4.2.3-11.el7_2.noarch","gnu-free-fonts-common-20120503-8.el7.noarch","libreport-centos-2.1.11-32.el7.centos.x86_64","libacl-2.2.51-12.el7.x86_64"],"version":"7"}' \
        https://vulners.com/api/v3/audit/audit/
  38. Linux Audit API
      - JSON result: list of vulnerabilities, the reason for each decision, and a list of references (exploits and so on)
      - Ready to go for the Red Hat and Debian families
      - Typical call time for a list of 500+ packages = 160 ms
      - It's fast. Really fast.
  39. Linux Audit API
      {
        "result": "OK",
        "data": {
          "reasons": [
            {
              "providedPackage": "sos-3.2-35.el7.centos.noarch",
              "operator": "lt",
              "bulletinID": "CESA-2016:0188",
              "providedVersion": "0:3.2-35.el7.centos",
              "bulletinPackage": "sos-3.2-35.el7.centos.3.noarch.rpm",
              "bulletinVersion": "3.2-35.el7.centos.3",
              "package": "sos-3.2-35.el7.centos.noarch"
            },
            ...
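As an added example (not the vulners project's code and not the `linuxScanner.py` shown on the next slide), a Python client-side view of the audit call on slides 37 to 39: it builds the POST body in the shape of the curl example, summarizes a reply shaped like the `reasons` fragment, and re-checks each `"operator": "lt"` decision locally with an rpmvercmp-style epoch/version/release comparison, so a reader can see what "installed version lower than the bulletin version" means for strings such as `0:3.2-35.el7.centos` and `3.2-35.el7.centos.3`. The sample reply is constructed: its first entry copies the slide fragment, and the second reuses the krb5-libs package and bulletin from the scanner output with a `bulletinVersion` that is an assumption. The version comparison is a simplification of rpm's own (no tilde/caret handling) and is mine, not the server's logic.

```python
import json
import re

# Added example, not vulners' own code. Request/response shape follows the
# slides; the comparison logic and sample data are assumptions.

AUDIT_URL = "https://vulners.com/api/v3/audit/audit/"


def build_audit_request(os_name, os_version, packages):
    """POST body in the shape of the curl example: os, version and full NEVRA strings."""
    return json.dumps({"os": os_name, "package": list(packages), "version": os_version})


def parse_nevra(pkg):
    """Split 'name-version-release.arch' (rpm -qa output) into its four parts."""
    base, _, arch = pkg.rpartition(".")
    name, version, release = base.rsplit("-", 2)
    return name, version, release, arch


def rpmvercmp(a, b):
    """Compare version/release strings roughly the way rpm does: -1, 0 or 1.

    Strings are split into numeric and alphabetic runs; numeric runs compare as
    integers, alphabetic runs lexically, a numeric run beats an alphabetic one,
    and when all shared runs are equal the string with more runs is newer.
    rpm's tilde/caret rules are intentionally left out (simplification).
    """
    sa = re.findall(r"[0-9]+|[a-zA-Z]+", a)
    sb = re.findall(r"[0-9]+|[a-zA-Z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1
    return 0


def parse_evr(evr):
    """'[epoch:]version-release' -> (epoch, version, release); a missing epoch is 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return int(epoch), version, release


def evr_cmp(a, b):
    """Compare two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def reason_is_consistent(reason):
    """True when the local comparison agrees with the 'lt' operator of a reason entry."""
    if reason["operator"] != "lt":
        return False  # only 'lt' appears on the slides; other operators are not modelled
    return evr_cmp(reason["providedVersion"], reason["bulletinVersion"]) < 0


def summarize_audit(response_text):
    """Map each installed package to the sorted list of bulletin ids that flag it."""
    body = json.loads(response_text)
    if body.get("result") != "OK":
        raise ValueError("audit call failed: %r" % body.get("result"))
    hits = {}
    for reason in body["data"]["reasons"]:
        hits.setdefault(reason["package"], set()).add(reason["bulletinID"])
    return {pkg: sorted(ids) for pkg, ids in hits.items()}


# Constructed sample reply (see the lead-in): entry 1 is the slide fragment,
# entry 2 is krb5-libs from the scanner slide with an assumed bulletinVersion.
SAMPLE_RESPONSE = json.dumps({
    "result": "OK",
    "data": {"reasons": [
        {"providedPackage": "sos-3.2-35.el7.centos.noarch", "operator": "lt",
         "bulletinID": "CESA-2016:0188", "providedVersion": "0:3.2-35.el7.centos",
         "bulletinPackage": "sos-3.2-35.el7.centos.3.noarch.rpm",
         "bulletinVersion": "3.2-35.el7.centos.3", "package": "sos-3.2-35.el7.centos.noarch"},
        {"providedPackage": "krb5-libs-1.13.2-10.el7.x86_64", "operator": "lt",
         "bulletinID": "CESA-2016:0532", "providedVersion": "0:1.13.2-10.el7",
         "bulletinPackage": "krb5-libs-1.13.2-12.el7_2.x86_64.rpm",
         "bulletinVersion": "1.13.2-12.el7_2", "package": "krb5-libs-1.13.2-10.el7.x86_64"},
    ]},
})

if __name__ == "__main__":
    print(build_audit_request("centos", "7", ["sos-3.2-35.el7.centos.noarch"]))
    for pkg, ids in summarize_audit(SAMPLE_RESPONSE).items():
        print(pkg, "->", ", ".join(ids))
```

Feeding the output of `rpm -qa` straight into `build_audit_request` is enough for the request side; the local EVR check is only a sanity test of the server's reasoning, which is useful when an audit result looks surprising (for example a release string such as `35.el7.centos` versus `35.el7.centos.3`, where the extra trailing segment is what makes the bulletin version newer).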
  40. Agent-Based Scanner
      $ git clone https://github.com/videns/vulners-scanner
      $ cd vulners-scanner
      $ ./linuxScanner.py
      [ASCII-art "vulners" banner]
      ==========================================
      Host info - Host machine
      OS Name - centos, OS Version - 7
      Total found packages: 1026
      Vulnerable packages:
        krb5-libs-1.13.2-10.el7.x86_64
          CESA-2016:0532 - 'Moderate krb5 Security Update', cvss.score - 6.8
        openssh-server-6.6.1p1-23.el7_2.x86_64
          CESA-2016:0465 - 'Moderate openssh Security Update', cvss.score - 7.7
        libtdb-1.3.6-2.el7.x86_64
          CESA-2016:0612 - 'Critical ipa Security Update', cvss.score - 0.0
        kernel-tools-3.10.0-327.4.5.el7.x86_64
          CESA-2016:1033 - 'Important kernel Security Update', cvss.score - 0.0
          CESA-2016:1633 - 'Important kernel Security Update', cvss.score - 4.3
          CESA-2016:0185 - 'Important kernel Security Update', cvss.score - 7.2
          CESA-2016:1539 - 'Important kernel Security Update', cvss.score - 7.2
          CESA-2016:1277 - 'Important kernel Security Update', cvss.score - 7.2
        openssl-libs-1.0.1e-51.el7_2.2.x86_64
      - Available at GitHub
      - Example of integration
      - Free to fork
  41. It's absolutely free!
      - DB and API free for commercial and enterprise use
      - Make your own solutions using our powers: security scanners, threat intelligence, subscriptions, security automation
      - Just please, post references if you can ;-)
  42. Integration Example
  43. Thanks
      - aleonov@vulners.com
      - Scanner: https://github.com/videns/vulners-scanner/
      - Vulners Blog: https://blog.vulners.com/
      - My Blog: http://avleonov.com/tag/vulners-com/
