Nessus

Presenting nbesort.rb: An Easy Way to Sort Nessus Results by Finding

Posted on by David Shaw in Main | 6 Comments
No self-respecting security engineer will tell you that they rely on automated vulnerability scanners to do the bulk of their analysis. Juicy findings that demonstrate the severity of the threat they represent usually come from thorough manual analysis. As a security engineer, it is this manual analysis of software that I live for, and it is by far my favorite part of testing. However, this is not to say that vulnerability scanners do not play an important role: without Tenable’s Nessus (our vulnerability scanner of choice), I would be overwhelmed by the sheer volume of low-level findings that I’d have to deal with before being free to “dive deep” into the assessment. Things like outdated software versions and known configuration issues are well suited to being tested by an automated scanner and then validated and interpreted by a trained engineer.

The problem with this approach is that Nessus generates a lot of findings, including many that are not useful for my scope of assessment. I know I’m not alone in being less than thrilled with the Flash-based front end for Nessus that has been standard for a few versions now, and exporting the report to HTML is really just as annoying to deal with. It is for these reasons that I wrote a small script which I am now very happy to release to you: nbesort.rb.

The data that I need from Nessus is a complete list of the issues it has raised, with affected hosts and ports listed under each finding. In this way, it is easy for me to discard irrelevant findings and to pinpoint every host in scope when I see that an issue is valid and important (and hopefully exploitable). Although this seems like a simple request, the mostly-broken Nessus web front end is incapable of providing this information in an easily accessible way. Don’t get me wrong: Nessus is great software. I just don’t like the new way that data is displayed through a Flash front end.

I am happy to announce that approval to release nbesort.rb to the world was granted, and the (open source) script is available on GitHub at https://github.com/davidshaw/nbesort.rb/

Using nbesort.rb to sort Nessus results by finding is very simple. The first step is to log in to the web portal and export your report as an NBE. This is the standard Nessus output, and the name of the script should help you remember to export .nbe instead of .nessus. nbesort.rb is a Ruby (command line) script, executed by running ruby nbesort.rb <your_nbe file>. The resulting text is written to stdout, so if you want to save it to a file you just have to add >outfile.txt to the end.

I hope that nbesort.rb saves you a few minutes the next time you have to parse through a big Nessus output. Remember: every minute you save on the low-hanging fruit is another minute you get to spend banging away on the critical issues you’re so close to cracking. Happy scanning!

Checking for SSL Vulnerabilities on the Command Line

Posted on by The Shell Shakespear 2 Comments

While Nessus is a wonderful vulnerability scanner, sometimes it is too slow and resource heavy for individual issues. The following two equivalent scripts perform checks for the following SSL-related Nessus plugins:

  • 20007: SSL Version 2 (v2) Protocol Detection
  • 26928: SSL Weak Cipher Suites Supported
  • 31705: SSL Anonymous Cipher Suites Supported

The first is the curl version:

#!/bin/bash
# phaas at redspin.com: Never use sh when bash is necessary
# Checks the equivalent of Nessus Plugins 20007, 26928 and 31705 (10863+21643)
 
if [ $# -lt 1 ]
then
  echo "List SSL weaknesses present for a given website"
  echo "Usage: `basename $0` website {port}"
  exit 1
fi
web=${1-'www.redspin.com'}
port=${2-'443'}
 
# Check for the insecure SSLv2 version
curl -m1 -Ik "https://$web:$port" --ciphers sslv2 &> /dev/null
if [[ "$?" -eq 0 ]]; then echo -e "$web:$port: (ssl2) Weak SSLv2 encryption enabled"; fi
 
# Enumerate weak SSL ciphers using curl
IFS=$'\n' # Loop across lines, rather than words
ciphers='LOW:EXP:eNULL:aNULL' # Include EXP (Export Ciphers)
for line in `openssl ciphers -v $ciphers | tr -s ' '`; do
	# Second field of 'openssl ciphers -v' is the protocol (SSLv3, TLSv1, ...)
	version=`echo "$line" | cut -d' ' -f2 | tr '[:upper:]' '[:lower:]'`
	cipher=`echo "$line" | cut -d' ' -f1`
	auth=`echo "$line" | tr -s ' ' | grep -o "Au=[^ ]*" | cut -d'=' -f2`
	# Drop the Kx=...(bits) field so only the Enc=...(bits) strength is captured
	strength=`echo "$line" | sed 's#Kx=[^ ]*##' | grep -o '([0-9]*)' | tr -d '()' | grep -v 'None'`
	if [[ "$auth" == 'None' ]]; then auth="no"; fi
	if [[ -z "$strength" ]]; then strength="without encryption"; else strength="at $strength bit encryption"; fi
 
	# curl's protocol selectors are long options (--sslv3, --tlsv1, ...)
	#echo "curl -m1 -Ik https://$web:$port --ciphers $cipher --$version &> /dev/null"
	curl -m1 -Ik "https://$web:$port" --ciphers "$cipher" --$version &> /dev/null
	if [[ "$?" -eq 0 ]]; then
		echo -e "$web:$port: ($version) $cipher = Supported $strength with $auth authentication support"
	fi
done

And the following is the openssl version:

#!/bin/bash
# phaas at redspin.com: Never use sh when bash is necessary
# Checks the equivalent of Nessus Plugins 20007, 26928 and 31705 (10863+21643)
 
if [ $# -lt 1 ]
then
  echo "List SSL weaknesses present for a given website"
  echo "Usage: `basename $0` website {port}"
  exit 1
fi
web=${1-'www.redspin.com'}
port=${2-'443'}
 
# Check for the insecure SSLv2 version
sslv2=`echo -e '' | openssl s_client -connect $web:$port -ssl2 -no_ssl3 -no_tls1 2>/dev/null | grep -i 'SSLv2'`
if [ -n "$sslv2" ]; then echo -e "$web:$port: (ssl2) Weak SSLv2 encryption enabled"; fi
 
# Enumerate weak SSL ciphers using openssl
IFS=$'\n' # Loop across lines, rather than words
ciphers='LOW:EXP:eNULL:aNULL' # Include EXP (Export Ciphers)
for line in `openssl ciphers -v $ciphers | tr -s ' '`; do
	# Map the protocol field (SSLv3, TLSv1) to the s_client flag name (ssl3, tls1)
	version=`echo "$line" | cut -d' ' -f2 | tr '[:upper:]' '[:lower:]' | tr -d 'v'`
	cipher=`echo "$line" | cut -d' ' -f1`
	auth=`echo "$line" | tr -s ' ' | grep -o "Au=[^ ]*" | cut -d'=' -f2`
	# Drop the Kx=...(bits) field so only the Enc=...(bits) strength is captured
	strength=`echo "$line" | sed 's#Kx=[^ ]*##' | grep -o '([0-9]*)' | tr -d '()' | grep -v 'None'`
 
	if [[ "$auth" == 'None' ]]; then auth="no"; fi
	if [[ -z "$strength" ]]; then strength="without encryption"; else strength="at $strength bit encryption"; fi
 
	# s_client prints DONE when the handshake succeeded and stdin closed
	#echo "openssl s_client -connect $web:$port -$version -cipher $cipher"
	supported=`echo "" | openssl s_client -connect $web:$port -$version -cipher $cipher 2>&1 | grep DONE`
	if [[ -n "$supported" ]]; then
		echo -e "$web:$port: ($version) $cipher = Supported $strength with $auth authentication support"
	fi
done

I decided to include both because, while openssl is usually included by default on most Linux distributions, curl is easier to obtain on Windows machines.

Finding the Needle in the NBEstack

Posted on by Nathan Drier 1 Comment

I’m a huge fan of the Nessus vulnerability scanner. It’s got plug-ins for anything you could ask for, runs great in a Linux environment, and outputs a ton of information (thanks to thousands and thousands of checks). While all that information is a good thing, sometimes you are just looking for specific issues or findings across a network. A quick way I like to strip out interesting information is grepping through the output files for certain Nessus IDs. Here is a quick list of interesting plug-ins:

  • 16314 – Lists suspicious and unwanted software.
  • 36217 – Detection of the Conficker worm.
  • 23938 – Locates Cisco routers with missing / default passwords.
  • 38153 – A nice summary of missing Microsoft patches.
  • 11936 – Identification details about the machine’s OS.
  • 10673 – Locates SQL servers with default / blank SA accounts.
  • 10396 – Details about SMB shares.
  • 23910 – Locates modified HOSTS files – can be an indication of a virus or malware.

To search for these, I usually do a quick grep nessus-id *.nbe and then use cut with custom delimiters to filter out the IP addresses and other pertinent information.
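The two workflows above, grouping NBE results by finding (the nbesort.rb post) and pulling out only the plugin IDs you care about (the grep-and-cut approach), can be done in one short pass over the file. The following is an added example written for this page; it is not nbesort.rb's own code, and the NBE rows, hosts and descriptions are constructed samples. It assumes the standard NBE result layout, results|subnet|host|service|plugin_id|severity|description, with the port embedded in the service field as "name (port/proto)".

```ruby
# Added example, not nbesort.rb itself: parse Nessus NBE "results" rows,
# group them by plugin ID and list each affected host:port under the finding,
# optionally restricted to the plugin IDs you care about.

# Constructed sample NBE data (not from a real scan). Field order is
# results|subnet|host|service|plugin_id|severity|description
SAMPLE_NBE = <<~NBE
  timestamps|||scan_start|Mon Jan 01 10:00:00 2010|
  results|10.0.0|10.0.0.5|https (443/tcp)|20007|Security Hole|SSLv2 is enabled
  results|10.0.0|10.0.0.7|https (443/tcp)|20007|Security Hole|SSLv2 is enabled
  results|10.0.0|10.0.0.5|https (443/tcp)|26928|Security Warning|Weak ciphers supported
  results|10.0.0|10.0.0.9|netbios-ssn (139/tcp)|10396|Security Note|SMB shares listed
  results|10.0.0|10.0.0.9|general/tcp|11936|Security Note|OS: Windows Server 2003
  timestamps|||scan_end|Mon Jan 01 10:05:00 2010|
NBE

Finding = Struct.new(:plugin_id, :severity, :description, :hosts)

# Parse NBE text into a Hash of plugin_id => Finding. Hosts are kept in
# order of first appearance; non-"results" rows are ignored. Pass only_ids
# (an Array of plugin ID strings) to keep just those findings.
def parse_nbe(text, only_ids: nil)
  findings = {}
  text.each_line do |line|
    fields = line.chomp.split('|', 7)      # description may itself contain '|'
    next unless fields[0] == 'results' && fields.size == 7
    _, _subnet, host, service, plugin_id, severity, desc = fields
    next if only_ids && !only_ids.include?(plugin_id)
    port = service[/\((\d+\/\w+)\)/, 1] || service  # "443/tcp", or raw service name
    f = (findings[plugin_id] ||= Finding.new(plugin_id, severity, desc, []))
    target = "#{host}:#{port}"
    f.hosts << target unless f.hosts.include?(target)
  end
  findings
end

# Render findings sorted by plugin ID, with affected hosts indented beneath.
def format_findings(findings)
  findings.keys.sort.map do |id|
    f = findings[id]
    ["#{id} [#{f.severity}] #{f.description}", *f.hosts.map { |h| "  #{h}" }].join("\n")
  end.join("\n\n")
end

if __FILE__ == $0
  text = ARGV.empty? ? SAMPLE_NBE : File.read(ARGV[0])
  puts format_findings(parse_nbe(text))
end
```

Run it with a real .nbe path as the only argument to get the sorted report on stdout; pass `only_ids: %w[16314 23938 10673]` to parse_nbe to mimic grepping for just the interesting plug-ins listed above.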