SlideShare une entreprise Scribd logo

XML Interfaces to the popular Nessus Scanner

Network Intelligence India
Network Intelligence India

The modern Nessus scanner comes with an XML-RPC interface to control the built-in scanner engine. We review available command-line tools and programming libraries to automate scanning of large networks. We will demonstrate some tools we have developed for this purpose.

Technologie
1  sur  15
Télécharger pour lire hors ligne
XML Interfaces to the Popular Nessus Scanner Rajesh Deo Network Intelligence India Pvt. Ltd. 29/03/2012 NULL Mumbai Chapter
The Venerable Nessus Scanner • A comprehensive vulnerability scanner • Can perform network tests, system audits, patch management, compliance tests such as PCI DSS, SCADA vulnerability audits, and so on… • Proprietary - Tenable Network Security • Started by Renaud Deraison in 1998 to provide to the Internet community with a free remote security scanner similar to SATAN and NetSaint. • Nessus 5.0 was released on Feb 15th, 2012. • http://www.nessus.org/products/nessus
Open-source Tools • Perl/Net::Nessus::XMLRPC • Vlatko Košturjak • http://search.cpan.org/~kost/Net-Nessus-XMLRPC- 0.30/lib/Net/Nessus/XMLRPC.pm • Perl 5 License (Artistic 1 & GPL 1) • https://github.com/kost/nessus-xmlrpc-perl • Also develops similar library for Rapid 7’s NeXpose • Ruby/nessus-xmlrpc • http://nessus-xmlrpc.rubyforge.org/ • GPL/BSD, by author of Net::Nessus::XMLRPC • Python/nessus-xmlrpc • http://code.google.com/p/nessusxmlrpc/ • Apache License 2.0 • Kurtis Miller
Why do we need these tools? • Automation • Automation • Automation • Custom reporting • Custom reporting • Custom reporting • XML/XSL • XPATH/XQUERY • CLI • http://seclists.org/metasploit/2010/q3/378 • Bridges to awesome software  • By Zate Burg
Why are we using Python/nessus- xmlrpc? • I know Python a little bit • Matplotlib for charting/graphs • Numpy/SciPy or Interface to R for numerical computations and statistics. • Not as well developed as Perl/Ruby modules but pretty close • Last upload in Dec. 2010 • There is scope to contribute... • ..and perhaps integrate with different tools
Automation: XML-RPC API in Ruby • Write custom scripts, simple one-off tools • Monitor long-running scans • Get reports in XML for parsing and custom reporting. • Large similarity between Perl and Ruby APIs.
CLI for shell lovers • Automate with your favorite shell: Bash, Tcsh, Zsh • Grep, sed and awk • With an XML/RPC interface you can tunnel your scan requests to your central Nessus server with professional feed over SSH/HTTPS directly from within python/perl/ruby. • Great for doing external penetration tests.
Multiple Targets? • Home Feed limits you to 15 targets only at a time, good enough for development. • XML-RPC interface same between Professional Feed and Home Feed. Multiple targets separated by “,” or “n”
Automation with Python Email and xsltproc • Possibilities • Have report emailed to management desktop • Write custom xsl reports, process with xsltproc on Linux. • Import into CMS solutions
The XML-RPC Interface for Nessus • Partially documented • http://www.tenable.com/documentation/nessus_XMLRPC_proto col_guide.pdf • An unofficial test.html from Renaud Deraison is here • http://nessus-xmlrpc.rubyforge.org/test.html • An update to XML docs will be available in a week, last post 2 days ago. • https://discussions.nessus.org/message/14693;jsessionid=E2130 C8DA7ACFC58DC1850D9EFE828FE • http://blog.upbeat.fr/tagged/Nessus? • Unofficial documentation on .nessus v2 XML report format • Automation using wget • But please use ruby/perl/python interfaces, far cleaner and you can add custom features.
Nessus v2 XML report format Vulnerability • Microsoft Excel is your friend References Host Inventory Is there a Metasploit module for this?
Custom Reports: MS Patches With python use lxml, output to csv, xls, sql, html or xml again! Python constructs make it easy to write clean code.
Vulnerability Management/Delta Reporting • Seccubus: http://seccubus.com/ • Seccubus automates regular vulnerability scans with Nessus and OpenVAS and provides delta reporting. • Frank Breedijk • Perl/Javascript based. • Need to integrate custom reporting with change management and inventory management etc. • Bridges to proprietary software: SharePoint, MS SQL Server, integration into standard business workflows of IT departments. Both Perl/Python provide modules to generate standard business format documents.
Improve the tools • Goals: Integration • Custom reports • Python/XML foo OK. • We are doing one-off scripts right now. • Reporting/Tracking should not be painful • Web-based reports best • Export to PDF • Summarize and drill down interactive capability • Need awesome reporting and charting capability • Ruby/Ruport • J-Query/Ext JS/Node.js • Java/Processing
Questions? Please send us your ideas/comments/questions at rajesh.deo@niiconsulting.com Acknowledgements: Tuhin Goswami Our esteemed client where we implemented some of the tools presented. Wasim Halani and K. K. Mookhey for guidance.

Recommandé

iOS Application Pentesting
iOS Application PentestingiOS Application Pentesting
iOS Application Pentestingn|u - The Open Security Community
 
All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015NetSPI
 
Extracting Credentials From Windows
Extracting Credentials From WindowsExtracting Credentials From Windows
Extracting Credentials From WindowsNetSPI
 
Securing Docker Containers
Securing Docker ContainersSecuring Docker Containers
Securing Docker ContainersBlack Duck by Synopsys
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldDevOps.com
 
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Scott Sutherland
 
SANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedSANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedMicah Hoffman
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliveryBlack Duck by Synopsys
 

Recommandé

iOS Application Pentesting
iOS Application PentestingiOS Application Pentesting
iOS Application Pentestingn|u - The Open Security Community
 
All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015NetSPI
 
Extracting Credentials From Windows
Extracting Credentials From WindowsExtracting Credentials From Windows
Extracting Credentials From WindowsNetSPI
 
Securing Docker Containers
Securing Docker ContainersSecuring Docker Containers
Securing Docker ContainersBlack Duck by Synopsys
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldDevOps.com
 
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Scott Sutherland
 
SANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedSANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedMicah Hoffman
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliveryBlack Duck by Synopsys
 
Evaluating iOS Applications
Evaluating iOS ApplicationsEvaluating iOS Applications
Evaluating iOS Applicationsiphonepentest
 
Firewall in Perl by Chankey Pathak
Firewall in Perl by Chankey PathakFirewall in Perl by Chankey Pathak
Firewall in Perl by Chankey PathakChankey Pathak
 
The How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementTim Mackey
 
Contain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceContain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceBlack Duck by Synopsys
 
Attack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingAttack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingNetSPI
 
44cafe heart bleed
44cafe heart bleed44cafe heart bleed
44cafe heart bleediphonepentest
 
Data Sheet: OpenDNS Enterprise Insights
Data Sheet: OpenDNS Enterprise InsightsData Sheet: OpenDNS Enterprise Insights
Data Sheet: OpenDNS Enterprise InsightsCourtland Smith
 
Web security
Web securityWeb security
Web securitydogangcr
 
Intro to the sel4 Microkernel
Intro to the sel4 MicrokernelIntro to the sel4 Microkernel
Intro to the sel4 MicrokernelMatthew Russell
 
KACE Endpoint Systems Management Appliances - What’s New for 2017
KACE Endpoint Systems Management Appliances - What’s New for 2017KACE Endpoint Systems Management Appliances - What’s New for 2017
KACE Endpoint Systems Management Appliances - What’s New for 2017Quest
 
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...Aditya K Sood
 
Filr 2015
Filr 2015 Filr 2015
Filr 2015 Finceptum Oy
 
Richie_Sackman-_Resume_8-13-15
Richie_Sackman-_Resume_8-13-15Richie_Sackman-_Resume_8-13-15
Richie_Sackman-_Resume_8-13-15Richard Sackman
 
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)Gabriella Davis
 
Files matter-fms
Files matter-fmsFiles matter-fms
Files matter-fmsFinceptum Oy
 
[OWASP Poland Day] Application frameworks' vulnerabilities
[OWASP Poland Day] Application frameworks' vulnerabilities[OWASP Poland Day] Application frameworks' vulnerabilities
[OWASP Poland Day] Application frameworks' vulnerabilitiesOWASP
 
Pentesting iOS Apps
Pentesting iOS AppsPentesting iOS Apps
Pentesting iOS AppsHerman Duarte
 
Making the Transition from Suite to the Hub
Making the Transition from Suite to the HubMaking the Transition from Suite to the Hub
Making the Transition from Suite to the HubBlack Duck by Synopsys
 
Integrating Black Duck into Your Environment with Hub APIs
Integrating Black Duck into Your Environment with Hub APIsIntegrating Black Duck into Your Environment with Hub APIs
Integrating Black Duck into Your Environment with Hub APIsBlack Duck by Synopsys
 
kali linix
kali linixkali linix
kali linixMirza Baig
 
Cv fayaz
Cv fayazCv fayaz
Cv fayazFayaz Yusuf Khan
 
Venkata
VenkataVenkata
VenkataVenkata Kumar
 

Contenu connexe

Tendances

Evaluating iOS Applications
Evaluating iOS ApplicationsEvaluating iOS Applications
Evaluating iOS Applicationsiphonepentest
 
Firewall in Perl by Chankey Pathak
Firewall in Perl by Chankey PathakFirewall in Perl by Chankey Pathak
Firewall in Perl by Chankey PathakChankey Pathak
 
The How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementTim Mackey
 
Contain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceContain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceBlack Duck by Synopsys
 
Attack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingAttack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingNetSPI
 
Data Sheet: OpenDNS Enterprise Insights
Data Sheet: OpenDNS Enterprise InsightsData Sheet: OpenDNS Enterprise Insights
Data Sheet: OpenDNS Enterprise InsightsCourtland Smith
 
Web security
Web securityWeb security
Web securitydogangcr
 
Intro to the sel4 Microkernel
Intro to the sel4 MicrokernelIntro to the sel4 Microkernel
Intro to the sel4 MicrokernelMatthew Russell
 
KACE Endpoint Systems Management Appliances - What’s New for 2017
KACE Endpoint Systems Management Appliances - What’s New for 2017KACE Endpoint Systems Management Appliances - What’s New for 2017
KACE Endpoint Systems Management Appliances - What’s New for 2017Quest
 
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...Aditya K Sood
 
Richie_Sackman-_Resume_8-13-15
Richie_Sackman-_Resume_8-13-15Richie_Sackman-_Resume_8-13-15
Richie_Sackman-_Resume_8-13-15Richard Sackman
 
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)Gabriella Davis
 
[OWASP Poland Day] Application frameworks' vulnerabilities
[OWASP Poland Day] Application frameworks' vulnerabilities[OWASP Poland Day] Application frameworks' vulnerabilities
[OWASP Poland Day] Application frameworks' vulnerabilitiesOWASP
 
Making the Transition from Suite to the Hub
Making the Transition from Suite to the HubMaking the Transition from Suite to the Hub
Making the Transition from Suite to the HubBlack Duck by Synopsys
 
Integrating Black Duck into Your Environment with Hub APIs
Integrating Black Duck into Your Environment with Hub APIsIntegrating Black Duck into Your Environment with Hub APIs
Integrating Black Duck into Your Environment with Hub APIsBlack Duck by Synopsys
 

Tendances (20)

Evaluating iOS Applications
Evaluating iOS ApplicationsEvaluating iOS Applications
Evaluating iOS Applications
 
Firewall in Perl by Chankey Pathak
Firewall in Perl by Chankey PathakFirewall in Perl by Chankey Pathak
Firewall in Perl by Chankey Pathak
 
The How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability ManagementThe How and Why of Container Vulnerability Management
The How and Why of Container Vulnerability Management
 
Contain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceContain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidence
 
Attack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingAttack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration Testing
 
44cafe heart bleed
44cafe heart bleed44cafe heart bleed
44cafe heart bleed
 
Data Sheet: OpenDNS Enterprise Insights
Data Sheet: OpenDNS Enterprise InsightsData Sheet: OpenDNS Enterprise Insights
Data Sheet: OpenDNS Enterprise Insights
 
Web security
Web securityWeb security
Web security
 
Intro to the sel4 Microkernel
Intro to the sel4 MicrokernelIntro to the sel4 Microkernel
Intro to the sel4 Microkernel
 
KACE Endpoint Systems Management Appliances - What’s New for 2017
KACE Endpoint Systems Management Appliances - What’s New for 2017KACE Endpoint Systems Management Appliances - What’s New for 2017
KACE Endpoint Systems Management Appliances - What’s New for 2017
 
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
 
Filr 2015
Filr 2015 Filr 2015
Filr 2015
 
Richie_Sackman-_Resume_8-13-15
Richie_Sackman-_Resume_8-13-15Richie_Sackman-_Resume_8-13-15
Richie_Sackman-_Resume_8-13-15
 
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
 
Files matter-fms
Files matter-fmsFiles matter-fms
Files matter-fms
 
[OWASP Poland Day] Application frameworks' vulnerabilities
[OWASP Poland Day] Application frameworks' vulnerabilities[OWASP Poland Day] Application frameworks' vulnerabilities
[OWASP Poland Day] Application frameworks' vulnerabilities
 
Pentesting iOS Apps
Pentesting iOS AppsPentesting iOS Apps
Pentesting iOS Apps
 
Making the Transition from Suite to the Hub
Making the Transition from Suite to the HubMaking the Transition from Suite to the Hub
Making the Transition from Suite to the Hub
 
Integrating Black Duck into Your Environment with Hub APIs
Integrating Black Duck into Your Environment with Hub APIsIntegrating Black Duck into Your Environment with Hub APIs
Integrating Black Duck into Your Environment with Hub APIs
 
kali linix
kali linixkali linix
kali linix
 

Similaire à XML Interfaces to the popular Nessus Scanner

Delivering big content at NBC News with RavenDB
Delivering big content at NBC News with RavenDBDelivering big content at NBC News with RavenDB
Delivering big content at NBC News with RavenDBJohn Bennett
 
Service-oriented architecture
Service-oriented architectureService-oriented architecture
Service-oriented architectureShalva Usubov
 
WSO2 Intro Webinar - Simplifying Enterprise Integration with Configurable WS...
WSO2 Intro Webinar - Simplifying Enterprise Integration with Configurable WS...WSO2 Intro Webinar - Simplifying Enterprise Integration with Configurable WS...
WSO2 Intro Webinar - Simplifying Enterprise Integration with Configurable WS...WSO2
 
IBM Connect 2017: Your Data In the Major Leagues: A Practical Guide to REST S...
IBM Connect 2017: Your Data In the Major Leagues: A Practical Guide to REST S...IBM Connect 2017: Your Data In the Major Leagues: A Practical Guide to REST S...
IBM Connect 2017: Your Data In the Major Leagues: A Practical Guide to REST S...Serdar Basegmez
 
Integration in the age of DevOps
Integration in the age of DevOpsIntegration in the age of DevOps
Integration in the age of DevOpsAlbert Wong
 
Top 10 dev ops tools (1)
Top 10 dev ops tools (1)Top 10 dev ops tools (1)
Top 10 dev ops tools (1)yalini97
 
Effective admin and development in iib
Effective admin and development in iibEffective admin and development in iib
Effective admin and development in iibm16k
 
.Net Core 3.0. What’s inside? Павло Голубович
.Net Core 3.0. What’s inside? Павло Голубович.Net Core 3.0. What’s inside? Павло Голубович
.Net Core 3.0. What’s inside? Павло ГолубовичSigma Software
 
Node.js 101 with Rami Sayar
Node.js 101 with Rami SayarNode.js 101 with Rami Sayar
Node.js 101 with Rami SayarFITC
 
Microsoft SQL server 2017 Level 300 technical deck
Microsoft SQL server 2017 Level 300 technical deckMicrosoft SQL server 2017 Level 300 technical deck
Microsoft SQL server 2017 Level 300 technical deckGeorge Walters
 
Introduction to Apache Mesos and DC/OS
Introduction to Apache Mesos and DC/OSIntroduction to Apache Mesos and DC/OS
Introduction to Apache Mesos and DC/OSSteve Wong
 
Ankit Chohan - Java
Ankit Chohan - JavaAnkit Chohan - Java
Ankit Chohan - JavaAnkit Chohan
 

Similaire à XML Interfaces to the popular Nessus Scanner (20)

Cv fayaz
Cv fayazCv fayaz
Cv fayaz
 
Venkata
VenkataVenkata
Venkata
 
Delivering big content at NBC News with RavenDB
Delivering big content at NBC News with RavenDBDelivering big content at NBC News with RavenDB
Delivering big content at NBC News with RavenDB
 
Service-oriented architecture
Service-oriented architectureService-oriented architecture
Service-oriented architecture
 
WSO2 Intro Webinar - Simplifying Enterprise Integration with Configurable WS...
WSO2 Intro Webinar - Simplifying Enterprise Integration with Configurable WS...WSO2 Intro Webinar - Simplifying Enterprise Integration with Configurable WS...
WSO2 Intro Webinar - Simplifying Enterprise Integration with Configurable WS...
 
IBM Connect 2017: Your Data In the Major Leagues: A Practical Guide to REST S...
IBM Connect 2017: Your Data In the Major Leagues: A Practical Guide to REST S...IBM Connect 2017: Your Data In the Major Leagues: A Practical Guide to REST S...
IBM Connect 2017: Your Data In the Major Leagues: A Practical Guide to REST S...
 
resume
resumeresume
resume
 
Integration in the age of DevOps
Integration in the age of DevOpsIntegration in the age of DevOps
Integration in the age of DevOps
 
Top 10 dev ops tools (1)
Top 10 dev ops tools (1)Top 10 dev ops tools (1)
Top 10 dev ops tools (1)
 
KumarDevOpsEngineer
KumarDevOpsEngineerKumarDevOpsEngineer
KumarDevOpsEngineer
 
Be faster then rabbits
Be faster then rabbitsBe faster then rabbits
Be faster then rabbits
 
shazia resume
shazia resumeshazia resume
shazia resume
 
Effective admin and development in iib
Effective admin and development in iibEffective admin and development in iib
Effective admin and development in iib
 
.Net Core 3.0. What’s inside? Павло Голубович
.Net Core 3.0. What’s inside? Павло Голубович.Net Core 3.0. What’s inside? Павло Голубович
.Net Core 3.0. What’s inside? Павло Голубович
 
Jineesh
JineeshJineesh
Jineesh
 
Node.js 101 with Rami Sayar
Node.js 101 with Rami SayarNode.js 101 with Rami Sayar
Node.js 101 with Rami Sayar
 
From 0 to syncing
From 0 to syncingFrom 0 to syncing
From 0 to syncing
 
Microsoft SQL server 2017 Level 300 technical deck
Microsoft SQL server 2017 Level 300 technical deckMicrosoft SQL server 2017 Level 300 technical deck
Microsoft SQL server 2017 Level 300 technical deck
 
Introduction to Apache Mesos and DC/OS
Introduction to Apache Mesos and DC/OSIntroduction to Apache Mesos and DC/OS
Introduction to Apache Mesos and DC/OS
 
Ankit Chohan - Java
Ankit Chohan - JavaAnkit Chohan - Java
Ankit Chohan - Java
 

Plus de Network Intelligence India

ISO 27004- Information Security Metrics Implementation
ISO 27004- Information Security Metrics ImplementationISO 27004- Information Security Metrics Implementation
ISO 27004- Information Security Metrics ImplementationNetwork Intelligence India
 
IT Act 2000 Penalties, Offences with case studies
IT Act 2000 Penalties, Offences with case studies IT Act 2000 Penalties, Offences with case studies
IT Act 2000 Penalties, Offences with case studies Network Intelligence India
 
Distributed Denial of Service (DDos) Testing Methodology
Distributed Denial of Service (DDos) Testing MethodologyDistributed Denial of Service (DDos) Testing Methodology
Distributed Denial of Service (DDos) Testing MethodologyNetwork Intelligence India
 

Plus de Network Intelligence India (20)

Vapt pci dss methodology ppt v1.0
Vapt pci dss methodology ppt v1.0Vapt pci dss methodology ppt v1.0
Vapt pci dss methodology ppt v1.0
 
The Economics of Security
The Economics of SecurityThe Economics of Security
The Economics of Security
 
Web Application Security Strategy
Web Application Security Strategy Web Application Security Strategy
Web Application Security Strategy
 
ISO 27004- Information Security Metrics Implementation
ISO 27004- Information Security Metrics ImplementationISO 27004- Information Security Metrics Implementation
ISO 27004- Information Security Metrics Implementation
 
National Cyber Security Policy 2013
National Cyber Security Policy 2013National Cyber Security Policy 2013
National Cyber Security Policy 2013
 
RBI Gopalakrishna Committee Report on IT
RBI Gopalakrishna Committee Report on ITRBI Gopalakrishna Committee Report on IT
RBI Gopalakrishna Committee Report on IT
 
PCI DSS for Penetration Testing
PCI DSS for Penetration TestingPCI DSS for Penetration Testing
PCI DSS for Penetration Testing
 
Understanding Governance
Understanding GovernanceUnderstanding Governance
Understanding Governance
 
Cyber Security in Civil Aviation
Cyber Security in Civil AviationCyber Security in Civil Aviation
Cyber Security in Civil Aviation
 
Spear Phishing Methodology
Spear Phishing MethodologySpear Phishing Methodology
Spear Phishing Methodology
 
Mobile Device Management (MDM)
Mobile Device Management (MDM)Mobile Device Management (MDM)
Mobile Device Management (MDM)
 
IT Act 2000 Penalties, Offences with case studies
IT Act 2000 Penalties, Offences with case studies IT Act 2000 Penalties, Offences with case studies
IT Act 2000 Penalties, Offences with case studies
 
Information Rights Management (IRM)
Information Rights Management (IRM)Information Rights Management (IRM)
Information Rights Management (IRM)
 
Distributed Denial of Service (DDos) Testing Methodology
Distributed Denial of Service (DDos) Testing MethodologyDistributed Denial of Service (DDos) Testing Methodology
Distributed Denial of Service (DDos) Testing Methodology
 
Data Leakage Prevention (DLP)
Data Leakage Prevention (DLP)Data Leakage Prevention (DLP)
Data Leakage Prevention (DLP)
 
Advanced persistent threats(APT)
Advanced persistent threats(APT)Advanced persistent threats(APT)
Advanced persistent threats(APT)
 
Cyber fraud in banks
Cyber fraud in banksCyber fraud in banks
Cyber fraud in banks
 
Advanced persistent threats
Advanced persistent threatsAdvanced persistent threats
Advanced persistent threats
 
Who will guard the guards
Who will guard the guardsWho will guard the guards
Who will guard the guards
 
Application security enterprise strategies
Application security enterprise strategiesApplication security enterprise strategies
Application security enterprise strategies
 

Dernier

The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 

Dernier (20)

The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 

XML Interfaces to the popular Nessus Scanner

  • 1. XML Interfaces to the Popular Nessus Scanner Rajesh Deo Network Intelligence India Pvt. Ltd. 29/03/2012 NULL Mumbai Chapter
  • 2. The Venerable Nessus Scanner • A comprehensive vulnerability scanner • Can perform network tests, system audits, patch management, compliance tests such as PCI DSS, SCADA vulnerability audits, and so on… • Proprietary - Tenable Network Security • Started by Renaud Deraison in 1998 to provide to the Internet community with a free remote security scanner similar to SATAN and NetSaint. • Nessus 5.0 was released on Feb 15th, 2012. • http://www.nessus.org/products/nessus
  • 3. Open-source Tools • Perl/Net::Nessus::XMLRPC • Vlatko Košturjak • http://search.cpan.org/~kost/Net-Nessus-XMLRPC- 0.30/lib/Net/Nessus/XMLRPC.pm • Perl 5 License (Artistic 1 & GPL 1) • https://github.com/kost/nessus-xmlrpc-perl • Also develops similar library for Rapid 7’s NeXpose • Ruby/nessus-xmlrpc • http://nessus-xmlrpc.rubyforge.org/ • GPL/BSD, by author of Net::Nessus::XMLRPC • Python/nessus-xmlrpc • http://code.google.com/p/nessusxmlrpc/ • Apache License 2.0 • Kurtis Miller
  • 4. Why do we need these tools? • Automation • Automation • Automation • Custom reporting • Custom reporting • Custom reporting • XML/XSL • XPATH/XQUERY • CLI • http://seclists.org/metasploit/2010/q3/378 • Bridges to awesome software  • By Zate Burg
  • 5. Why are we using Python/nessus- xmlrpc? • I know Python a little bit • Matplotlib for charting/graphs • Numpy/SciPy or Interface to R for numerical computations and statistics. • Not as well developed as Perl/Ruby modules but pretty close • Last upload in Dec. 2010 • There is scope to contribute... • ..and perhaps integrate with different tools
  • 6. Automation: XML-RPC API in Ruby • Write custom scripts, simple one-off tools • Monitor long-running scans • Get reports in XML for parsing and custom reporting. • Large similarity between Perl and Ruby APIs.
  • 7. CLI for shell lovers • Automate with your favorite shell: Bash, Tcsh, Zsh • Grep, sed and awk • With an XML/RPC interface you can tunnel your scan requests to your central Nessus server with professional feed over SSH/HTTPS directly from within python/perl/ruby. • Great for doing external penetration tests.
  • 8. Multiple Targets? • Home Feed limits you to 15 targets only at a time, good enough for development. • XML-RPC interface same between Professional Feed and Home Feed. Multiple targets separated by “,” or “n”
  • 9. Automation with Python Email and xsltproc • Possibilities • Have report emailed to management desktop • Write custom xsl reports, process with xsltproc on Linux. • Import into CMS solutions
  • 10. The XML-RPC Interface for Nessus • Partially documented • http://www.tenable.com/documentation/nessus_XMLRPC_proto col_guide.pdf • An unofficial test.html from Renaud Deraison is here • http://nessus-xmlrpc.rubyforge.org/test.html • An update to XML docs will be available in a week, last post 2 days ago. • https://discussions.nessus.org/message/14693;jsessionid=E2130 C8DA7ACFC58DC1850D9EFE828FE • http://blog.upbeat.fr/tagged/Nessus? • Unofficial documentation on .nessus v2 XML report format • Automation using wget • But please use ruby/perl/python interfaces, far cleaner and you can add custom features.
  • 11. Nessus v2 XML report format Vulnerability • Microsoft Excel is your friend References Host Inventory Is there a Metasploit module for this?
  • 12. Custom Reports: MS Patches With python use lxml, output to csv, xls, sql, html or xml again! Python constructs make it easy to write clean code.
  • 13. Vulnerability Management/Delta Reporting • Seccubus: http://seccubus.com/ • Seccubus automates regular vulnerability scans with Nessus and OpenVAS and provides delta reporting. • Frank Breedijk • Perl/Javascript based. • Need to integrate custom reporting with change management and inventory management etc. • Bridges to proprietary software: SharePoint, MS SQL Server, integration into standard business workflows of IT departments. Both Perl/Python provide modules to generate standard business format documents.
  • 14. Improve the tools • Goals: Integration • Custom reports • Python/XML foo OK. • We are doing one-off scripts right now. • Reporting/Tracking should not be painful • Web-based reports best • Export to PDF • Summarize and drill down interactive capability • Need awesome reporting and charting capability • Ruby/Ruport • J-Query/Ext JS/Node.js • Java/Processing
  • 15. Questions? Please send us your ideas/comments/questions at rajesh.deo@niiconsulting.com Acknowledgements: Tuhin Goswami Our esteemed client where we implemented some of the tools presented. Wasim Halani and K. K. Mookhey for guidance.