
SANS ISC: InfoSec Handlers Diary Blog - Automating Vulnerability Scans



Automating Vulnerability Scans

Published: 2016-02-03
Last Updated: 2016-02-03 07:44:21 UTC
by Xavier Mertens (Version: 1)

Today, I'll explain how to automate vulnerability scans. There are plenty of vulnerability scanners on the "market" (commercial or free solutions). I usually use OpenVAS, mainly because it is free. A lot has been said about this solution, and it sometimes frustrates me too, but in the end it does a good job. The OpenVAS architecture is based on different components: a manager, one or more scanners, command line tools and a web frontend called "Greenbone Security Assistant". Let's focus on the command line tool called "omp", which uses the OpenVAS Management Protocol. This tool offers a set of commands to interact with an OpenVAS manager, such as:
  • get-targets
  • get-tasks
  • create-task
  • start-task

The number of actions is quite limited and allows only basic tasks. But it provides the "-X" or "--xml" argument, which allows us to send raw XML data to the server! This is much more powerful! (A complete reference of the protocol is available here.) To use omp, the very first step is to create a configuration file to automate the connection. Create a $HOME/omp.config file like this:

[Connection]
host=127.0.0.1
port=9390
username=xavier
password=mystrongpassword
(Don't forget to restrict access to the file because it contains sensitive data!)
 
We are now ready to talk to the OpenVAS manager and to retrieve some data ('--pretty-print' is recommended to improve readability):
$ omp --pretty-print --xml "<get_targets/>"
<get_targets_response status_text="OK" status="200">
     <target id="dcc82d64-1c87-44d8-aef5-24c1f552ddcd">
          <owner>
               <name>xavier</name>
          </owner>
          <name>Local Hosts</name>
          <comment></comment>
          <creation_time>2016-02-02T22:12:08+01:00</creation_time>
          <modification_time>2016-02-02T22:12:08+01:00</modification_time>
          <writable>1</writable>
          <in_use>1</in_use>
          <permissions><permission>
          <name>Everything</name>
          </permission></permissions>
          <user_tags>
               <count>0</count>
          </user_tags>
          <hosts>192.168.254.0/24</hosts>
          <exclude_hosts></exclude_hosts>
          <max_hosts>254</max_hosts>
          <port_list id="c7e03b6c-3bbe-11e1-a057-406186ea4fc5">
               <name>OpenVAS Default</name>
               <trash>0</trash>
          </port_list>
          <ssh_lsc_credential id="">
               <name></name>
[... stuff removed ...]
Let's create a new scan from the command line. Assuming that OpenVAS has already been configured for your environment, the different steps are:
  • Create a target
  • Create a task (and assign the target to it)
  • Start the task
  • Get results
First, to create our target, we send the following XML data. The command returns XML data with the result (success or failure):
$ omp --xml '
<create_target>
     <name>My New Scan</name>
     <hosts>192.168.254.0/24</hosts>
</create_target>'

<create_target_response id="dcc82d64-1c87-44d8-aef5-24c1f552ddcd" status_text="OK, resource created" status="201"></create_target_response>
The next step is to create a new task. A limitation of the XML interface is that some parameters can be specified by their name while others must be referenced with their internal ID (like the newly created target). We can use command line tools to parse the returned XML and extract the required information:
$ omp --xml '...' | xmlstarlet sel -t -v /create_target_response/@id
dcc82d64-1c87-44d8-aef5-24c1f552ddcd
Now we can create the task:
$ omp --xml '
<create_task>
        <name>My New Scan</name>
        <preferences>
                <preference>
                        <scanner_name>source_iface</scanner_name>
                        <value>eth0</value>
                </preference>
        </preferences>
        <config id="74db13d6-7489-11df-91b9-002264764cea"/>
        <target id="dcc82d64-1c87-44d8-aef5-24c1f552ddcd"/>
</create_task>'

<create_task_response id="8fc4cccd-243f-4edb-a390-5f83d04f90b6" status_text="OK, resource created" status="201"></create_task_response>
We are now ready to launch the vulnerability scan. Let's review the available tasks:
$ omp --xml '<get_tasks/>'
And start the one with our new ID:
$ omp --xml '<start_task task_id="8fc4cccd-243f-4edb-a390-5f83d04f90b6"/>'

<start_task_response status="200" status_text="OK"/>
Once the task is completed, you can retrieve its report in any of the defined report formats (the report ID is listed in the task details returned by get_tasks):
$ omp --xml '
<get_reports report_id="cc995c30-0a5d-486d-a02f-a03eba63172a"
format_id="c402cc3e-b531-11e1-9163-406186ea4fc5"/>'
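To tie the four steps together, here is an added example script (not the diary's or the OpenVAS project's code) that chains these omp calls, refuses to continue when a response status is not 2xx, and polls get_tasks until the report is ready. It assumes omp reads the $HOME/omp.config created above, reuses the config and report-format IDs from the diary, parses the responses with sed instead of xmlstarlet, and relies on the task element returned by get_tasks carrying <status> and <last_report>.

```shell
#!/bin/sh
# Added example (not from the diary or the OpenVAS project): chains the omp
# calls shown above into one script. Assumes omp reads $HOME/omp.config and
# that the config and report-format IDs are the ones used in the diary.
set -eu
SCAN_CONFIG_ID="74db13d6-7489-11df-91b9-002264764cea"
REPORT_FORMAT_ID="c402cc3e-b531-11e1-9163-406186ea4fc5"

# Attribute $1 / text of element $1 from an OMP response read on stdin
# (plain sed, so no xmlstarlet dependency).
xml_attr() { sed -n "s/.*[[:space:]]$1=\"\([^\"]*\)\".*/\1/p" | head -n 1; }
xml_text() { sed -n "s:.*<$1>\([^<]*\)</$1>.*:\1:p" | head -n 1; }

# Succeed only on a 2xx status; otherwise print status_text and fail, so
# that set -e stops the script instead of chaining an empty ID downstream.
check_status() {
    case "$(printf '%s\n' "$1" | xml_attr status)" in
        2[0-9][0-9]) return 0 ;;
        *) echo "OMP error: $(printf '%s\n' "$1" | xml_attr status_text)" >&2; return 1 ;;
    esac
}

create_target() {  # $1 = name, $2 = hosts; prints the new target ID
    r=$(omp --xml "<create_target><name>$1</name><hosts>$2</hosts></create_target>")
    check_status "$r" && printf '%s\n' "$r" | xml_attr id
}

create_task() {  # $1 = name, $2 = target ID; prints the new task ID
    r=$(omp --xml "<create_task><name>$1</name><config id=\"$SCAN_CONFIG_ID\"/><target id=\"$2\"/></create_task>")
    check_status "$r" && printf '%s\n' "$r" | xml_attr id
}

# Poll <get_tasks> until the task's <status> is Done, then print the report
# ID carried in its <last_report> element.
wait_for_report() {  # $1 = task ID
    while :; do
        r=$(omp --xml "<get_tasks task_id=\"$1\"/>")
        check_status "$r"
        [ "$(printf '%s\n' "$r" | xml_text status)" = "Done" ] && break
        sleep 30
    done
    printf '%s\n' "$r" | sed -n 's:.*<report id="\([^"]*\)".*:\1:p' | head -n 1
}
main() {  # usage: ./scan.sh "My New Scan" 192.168.254.0/24 report.xml
    target=$(create_target "$1" "$2")
    task=$(create_task "$1" "$target")
    check_status "$(omp --xml "<start_task task_id=\"$task\"/>")"
    report=$(wait_for_report "$task")
    omp --xml "<get_reports report_id=\"$report\" format_id=\"$REPORT_FORMAT_ID\"/>" > "$3"
}
if [ $# -eq 3 ]; then main "$@"; else echo "usage: $0 NAME HOSTS OUTFILE" >&2; fi
```

The report file holds the raw get_reports response; the formatted report is embedded in it, so a final extraction step depends on the format you selected.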
Let's think further... If we can talk to an OpenVAS manager via XML, it should be easy to integrate OpenVAS with other tools. Good news: there is a Python library available to control OpenVAS: openvas.omplib.
 
Xavier Mertens
ISC Handler - Freelance Security Consultant