Using Posh-SecMod PowerShell Module to Automate Nessus (Part 2)
Working with Policies
Policies in Nessus are where we define what a scan is going to do, from:
- What plugins to run.
- What types of plugin should run and which should not.
- Concurrency.
- Port scanning settings.
- Credentials.
- And many, many more.
This is why, when I started looking at using PowerShell for automation, I came to the conclusion that creating and editing policies is much better done in a GUI than in a shell. Still, I included some basic functions for working with policies.
Let's start by listing the policies on the server:
PS >Show-NessusPolicy -Index 0

PolicyID PolicyName                    PolicyOwner                   Visibility
-------- ----------                    -----------                   ----------
-4       Internal Network Scan         Tenable Policy Distributio... shared
-3       Web App Tests                 Tenable Policy Distributio... shared
-2       Prepare for PCI-DSS audits... Tenable Policy Distributio... shared
-1       External Network Scan         Tenable Policy Distributio... shared
8        Exploit Available Only        carlos                        private
7        Moderate Scan                 carlos                        private
6        All Plugins with Full Scan    carlos                        private
We can make copies of existing Policies:
PS >Copy-NessusPolicy -Index 0 -PolicyID 8

PolicyID PolicyName                    PolicyOwner Visibility
-------- ----------                    ----------- ----------
9        Copy of Exploit Available ... carlos      private
We can also remove existing policies:
PS >Remove-NessusPolicy -Index 0 -PolicyID 9
True
You can also download the XML for a policy as a .NET XML object; from there you can save the XML to a file quite easily using the methods .NET offers:
PS C:\> Show-NessusPolicy -Index 0 -PolicyID 1

PolicyID PolicyName           PolicyOwner Visibil
-------- ----------           ----------- -------
1        Mobile Devices Audit carlos      private

PS C:\> $MobilePolicy = Get-NessusPolicyXML -Index 0 -PolicyID 1
PS C:\> $MobilePolicy.Save("$env:HOMEPATH\Desktop\mobilepolicy.xml")
You can also manipulate and query the policy XML object quite easily in PowerShell to get more detailed information about a given policy, for example which plugin families it enables:
PS C:\> $MobilePolicy = Get-NessusPolicyXML -Index 0 -PolicyID 1
PS C:\> $MobilePolicy.NessusClientData_v2.policy.policyContents.FamilySelection.FamilyItem

FamilyName                               Status
----------                               ------
MacOS X Local Security Checks            disabled
DNS                                      disabled
Gain a shell remotely                    disabled
Solaris Local Security Checks            disabled
Port scanners                            disabled
Web Servers                              disabled
SMTP problems                            disabled
Service detection                        disabled
CGI abuses : XSS                         disabled
Mandriva Local Security Checks           disabled
Databases                                disabled
Debian Local Security Checks             disabled
Denial of Service                        disabled
Default Unix Accounts                    disabled
Settings                                 disabled
HP-UX Local Security Checks              disabled
Backdoors                                disabled
VMware ESX Local Security Checks         disabled
SCADA                                    disabled
General                                  disabled
Red Hat Local Security Checks            disabled
FreeBSD Local Security Checks            disabled
CGI abuses                               disabled
Windows : User management                disabled
Netware                                  disabled
Peer-To-Peer File Sharing                disabled
Slackware Local Security Checks          disabled
SNMP                                     disabled
Fedora Local Security Checks             disabled
Gentoo Local Security Checks             disabled
Ubuntu Local Security Checks             disabled
Misc.                                    disabled
FTP                                      disabled
Firewalls                                disabled
Windows : Microsoft Bulletins            disabled
Junos Local Security Checks              disabled
Mobile Devices                           enabled
Windows                                  disabled
Policy Compliance                        disabled
SuSE Local Security Checks               disabled
RPC                                      disabled
CentOS Local Security Checks             disabled
CISCO                                    disabled
Scientific Linux Local Security Checks   disabled
AIX Local Security Checks                disabled
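The family listing above is long enough that a pre-scan sanity check is worth scripting: before a policy is pointed at production hosts you want to know which families it enables and whether any of the disruptive ones (Denial of Service is the usual suspect) slipped in. The function below is an added example, not code from the original post or from Posh-SecMod; it assumes only the XML layout shown above (NessusClientData_v2/policy/policyContents/FamilySelection/FamilyItem with FamilyName and Status children) and works on a constructed sample document so it can be tried without a server.

```powershell
# Added example (not from the original post or the Posh-SecMod module).
# Assumes the policy XML layout shown above: NessusClientData_v2/policy/policyContents/
# FamilySelection/FamilyItem, each item carrying FamilyName and Status children.

function Get-PolicyFamilySummary {
    param(
        [Parameter(Mandatory = $true)][xml]$PolicyXml,
        # Plugin families a defender normally wants disabled for production targets.
        [string[]]$DisruptiveFamilies = @('Denial of Service')
    )

    # @() keeps a single FamilyItem from collapsing into a scalar.
    $items   = @($PolicyXml.NessusClientData_v2.policy.policyContents.FamilySelection.FamilyItem)
    $enabled = @($items | Where-Object { $_.Status -eq 'enabled' } | ForEach-Object { $_.FamilyName })

    [pscustomobject]@{
        TotalFamilies     = $items.Count
        EnabledFamilies   = $enabled
        DisruptiveEnabled = @($enabled | Where-Object { $DisruptiveFamilies -contains $_ })
    }
}

# Constructed sample in the same shape as the output above (not a real policy export).
$samplePolicy = [xml]@'
<NessusClientData_v2>
  <policy>
    <policyContents>
      <FamilySelection>
        <FamilyItem><FamilyName>Mobile Devices</FamilyName><Status>enabled</Status></FamilyItem>
        <FamilyItem><FamilyName>Denial of Service</FamilyName><Status>enabled</Status></FamilyItem>
        <FamilyItem><FamilyName>Web Servers</FamilyName><Status>disabled</Status></FamilyItem>
      </FamilySelection>
    </policyContents>
  </policy>
</NessusClientData_v2>
'@

$summary = Get-PolicyFamilySummary -PolicyXml $samplePolicy
$summary
if ($summary.DisruptiveEnabled.Count -gt 0) {
    Write-Warning "Policy enables disruptive families: $($summary.DisruptiveEnabled -join ', ')"
}

# Against a live server, feed it the real object instead of the sample:
# Get-PolicyFamilySummary -PolicyXml (Get-NessusPolicyXML -Index 0 -PolicyID 1)
```

The comparison uses `-contains` against a list you control, so the set of families you consider disruptive can be extended per environment without touching the function body.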
I do promise a bit more policy manipulation in the future. The command line in this case will never be as flexible as the GUI, but it should help with some simple tasks. I'm looking at the simpler JSON API added in the HTML5 interface for this; it will limit those functions to version 5.x only, but then again we are all using the latest version, right?
Working with Scan Templates
Scan templates are the most used method for storing a specific configuration for a scan that already has a policy configured and a set of targets selected. Scan templates can also be scheduled to run at specific intervals. I have written some functions for creating and launching scan templates. Before creating a scan template we first need to know the IDs of the existing policies, since the ID (not the name) is used in the creation: we may have several policies with the same name but different settings. In this next example I want to create a template for scanning my home development network, where I host all my virtual machines:
PS >Show-NessusPolicy -Index 0

PolicyID PolicyName                    PolicyOwner                   Visibility
-------- ----------                    -----------                   ----------
-4       Internal Network Scan         Tenable Policy Distributio... shared
-3       Web App Tests                 Tenable Policy Distributio... shared
-2       Prepare for PCI-DSS audits... Tenable Policy Distributio... shared
-1       External Network Scan         Tenable Policy Distributio... shared
8        Exploit Available Only        carlos                        private
7        Moderate Scan                 carlos                        private
6        All Plugins with Full Scan    carlos                        private

PS >New-NessusScanTemplate 0 -TemplateName "Dev Lab Full Scan" -PolicyID 6 -Targets "192.168.10.1-192.168.10.254"

TemplateID : template-b9d6c48e-516a-fe81-4294-458df6acfd45a74d7adc86d4815b
PolicyID   : 6
PolicyName :
Name       : Dev Lab Full Scan
Owner      : carlos
Targets    : 192.168.10.1-192.168.10.254
As you can see, the creation of the template is quite simple. The targets can be either individual hosts and/or ranges separated by commas with no spaces between them, or a PowerShell collection can be passed instead. Let's take a look at the scan templates we have on the server:
PS >Show-NessusScanTemplate -Index 0

TemplateID : template-b9d6c48e-516a-fe81-4294-458df6acfd45a74d7adc86d4815b
PolicyID   : 6
PolicyName : All Plugins with Full Scan
Name       : Dev Lab Full Scan
Owner      : carlos
Targets    : 192.168.10.1-192.168.10.254
Each scan template has a unique TemplateID, and we use this ID whenever we work with the template. Let's update the existing template's targets: I want it to cover the same range but skip some hosts I do not want scanned, which I can do using other functions provided by Posh-SecMod for working with IPs:
PS >$excludelist = "192.168.10.20","192.168.10.80","192.168.10.200","192.168.10.201"
PS >$ips = New-IPRange -CIDR 192.168.10.0/24
PS >$targets = $ips | ? {$_.IPAddressToString -notin $excludelist} | % {$_.IPAddressToString}
PS >Update-NessusScanTemplate -Index 0 -TemplateID template-b9d6c48e-516a-fe81-4294-458df6acfd45a74d7adc86d4815b -Targets $targets

TemplateID : template-b9d6c48e-516a-fe81-4294-458df6acfd45a74d7adc86d4815b
PolicyID   : 6
PolicyName :
Name       : Dev Lab Full Scan
Owner      : carlos
Targets    : 192.168.10.1 192.168.10.2 192.168.10.3 192.168.10.4 192.168.10.5 192.168.10.6 192.168.10.7 192.168.10.8 192.168.10.9 192.168.10.10
             192.168.10.11 192.168.10.12 192.168.10.13 192.168.10.14 192.168.10.15 192.168.10.16 192.168.10.17 192.168.10.18 192.168.10.19 192.168.10.20
             192.168.10.21 192.168.10.22 192.168.10.23 192.168.10.24 192.168.10.25 192.168.10.26 192.168.10.27 192.168.10.28 192.168.10.29 192.168.10.30
             192.168.10.31 192.168.10.32 192.168.10.33 192.168.10.34 192.168.10.35 192.168.10.36 192.168.10.37 192.168.10.38 192.168.10.39 192.168.10.40
             192.168.10.41 192.168.10.42 192.168.10.43 192.168.10.44 192.168.10.45 192.168.10.46 192.168.10.47 192.168.10.48 192.168.10.49 192.168.10.50
             192.168.10.51 192.168.10.52 192.168.10.53 192.168.10.54 192.168.10.55 192.168.10.56 192.168.10.57 192.168.10.58 192.168.10.59 192.168.10.60
             192.168.10.61 192.168.10.62 192.168.10.63 192.168.10.64 192.168.10.65 192.168.10.66 192.168.10.67 192.168.10.68 192.168.10.69 192.168.10.70
             192.168.10.71 192.168.10.72 192.168.10.73 192.168.10.74 192.168.10.75 192.168.10.76 192.168.10.77 192.168.10.78 192.168.10.79 192.168.10.80
             192.168.10.81 192.168.10.82 192.168.10.83 192.168.10.84 192.168.10.85 192.168.10.86 192.168.10.87 192.168.10.88 192.168.10.89 192.168.10.90
             192.168.10.91 192.168.10.92 192.168.10.93 192.168.10.94 192.168.10.95 192.168.10.96 192.168.10.97 192.168.10.98 192.168.10.99 192.168.10.100
             192.168.10.101 192.168.10.102 192.168.10.103 192.168.10.104 192.168.10.105 192.168.10.106 192.168.10.107 192.168.10.108 192.168.10.109 192.168.10.110
             192.168.10.111 192.168.10.112 192.168.10.113 192.168.10.114 192.168.10.115 192.168.10.116 192.168.10.117 192.168.10.118 192.168.10.119 192.168.10.120
             192.168.10.121 192.168.10.122 192.168.10.123 192.168.10.124 192.168.10.125 192.168.10.126 192.168.10.127 192.168.10.128 192.168.10.129 192.168.10.130
             192.168.10.131 192.168.10.132 192.168.10.133 192.168.10.134 192.168.10.135 192.168.10.136 192.168.10.137 192.168.10.138 192.168.10.139 192.168.10.140
             192.168.10.141 192.168.10.142 192.168.10.143 192.168.10.144 192.168.10.145 192.168.10.146 192.168.10.147 192.168.10.148 192.168.10.149 192.168.10.150
             192.168.10.151 192.168.10.152 192.168.10.153 192.168.10.154 192.168.10.155 192.168.10.156 192.168.10.157 192.168.10.158 192.168.10.159 192.168.10.160
             192.168.10.161 192.168.10.162 192.168.10.163 192.168.10.164 192.168.10.165 192.168.10.166 192.168.10.167 192.168.10.168 192.168.10.169 192.168.10.170
             192.168.10.171 192.168.10.172 192.168.10.173 192.168.10.174 192.168.10.175 192.168.10.176 192.168.10.177 192.168.10.178 192.168.10.179 192.168.10.180
             192.168.10.181 192.168.10.182 192.168.10.183 192.168.10.184 192.168.10.185 192.168.10.186 192.168.10.187 192.168.10.188 192.168.10.189 192.168.10.190
             192.168.10.191 192.168.10.192 192.168.10.193 192.168.10.194 192.168.10.195 192.168.10.196 192.168.10.197 192.168.10.198 192.168.10.199 192.168.10.200
             192.168.10.201 192.168.10.202 192.168.10.203 192.168.10.204 192.168.10.205 192.168.10.206 192.168.10.207 192.168.10.208 192.168.10.209 192.168.10.210
             192.168.10.211 192.168.10.212 192.168.10.213 192.168.10.214 192.168.10.215 192.168.10.216 192.168.10.217 192.168.10.218 192.168.10.219 192.168.10.220
             192.168.10.221 192.168.10.222 192.168.10.223 192.168.10.224 192.168.10.225 192.168.10.226 192.168.10.227 192.168.10.228 192.168.10.229 192.168.10.230
             192.168.10.231 192.168.10.232 192.168.10.233 192.168.10.234 192.168.10.235 192.168.10.236 192.168.10.237 192.168.10.238 192.168.10.239 192.168.10.240
             192.168.10.241 192.168.10.242 192.168.10.243 192.168.10.244 192.168.10.245 192.168.10.246 192.168.10.247 192.168.10.248 192.168.10.249 192.168.10.250
             192.168.10.251 192.168.10.252 192.168.10.253 192.168.10.254
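The two steps above (find the right PolicyID, then build a target list that skips hosts you do not want touched) are exactly the part worth wrapping in a function, because the policy lookup is where scripts silently go wrong: names are not unique, so a name-to-ID lookup has to refuse to guess. The function below is an added example, not code from the original post or from Posh-SecMod; it assumes the module is imported, a session exists at index 0, and uses only the functions and parameters shown on this page (Show-NessusPolicy, New-IPRange, New-NessusScanTemplate).

```powershell
# Added example (not from the original post or the Posh-SecMod module).
# Assumes Posh-SecMod is imported and a Nessus session exists at index 0; only the
# functions and parameters shown above are used.

function New-LabScanTemplate {
    param(
        [Parameter(Mandatory = $true)][string]$TemplateName,
        [Parameter(Mandatory = $true)][string]$PolicyName,
        [Parameter(Mandatory = $true)][string]$CIDR,
        # Hosts that must never be scanned by this template (fragile appliances, etc.).
        [string[]]$Exclude = @(),
        [int]$Index = 0
    )

    # Policy names are not unique on a server, so resolve the name to exactly one
    # PolicyID and stop rather than guess when several policies share the name.
    $found = @(Show-NessusPolicy -Index $Index | Where-Object { $_.PolicyName -eq $PolicyName })
    if ($found.Count -eq 0) {
        throw "No policy named '$PolicyName' on session $Index."
    }
    if ($found.Count -gt 1) {
        $ids = ($found | ForEach-Object { $_.PolicyID }) -join ', '
        throw "Policy name '$PolicyName' is ambiguous (PolicyIDs: $ids); pass a unique name."
    }
    $policyId = $found[0].PolicyID

    # Expand the CIDR, drop the excluded hosts, and hand the collection to the template.
    # New-IPRange returns IP address objects, hence IPAddressToString.
    $targets = @(New-IPRange -CIDR $CIDR |
        ForEach-Object { $_.IPAddressToString } |
        Where-Object { $Exclude -notcontains $_ })
    if ($targets.Count -eq 0) {
        throw "The exclusion list removed every host in $CIDR."
    }

    New-NessusScanTemplate -Index $Index -TemplateName $TemplateName -PolicyID $policyId -Targets $targets
}

# Usage (values constructed to match the lab network in this post):
New-LabScanTemplate -TemplateName 'Dev Lab Full Scan' -PolicyName 'All Plugins with Full Scan' `
    -CIDR 192.168.10.0/24 -Exclude '192.168.10.20','192.168.10.80','192.168.10.200','192.168.10.201'
```

Throwing on an ambiguous name is deliberate: a scheduled job that quietly picked the wrong "Moderate Scan" would run the wrong plugin set against the same targets for weeks before anyone noticed.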
Launching and Managing Scans
There are two ways to launch scans:
- Launch a Scan using an existing policy
- Launch a Scan using a Scan Template
Let's first launch a scan using a policy and giving it a list of targets:
PS >Invoke-NessusScan -Index 0 -PolicyID 7 -Name "Lab Scan 1" -Targets 192.168.10.1-192.168.10.100

ScanID   : 0c0a28e2-824a-3606-4bd2-965d0da1c62272dde8c29f1faa6d
ScanName : Lab Scan 1
Owner    : carlos
Status   : running
Date     : 4/14/2013 2:21:02 AM
Now let's look at invoking the scan using a pre-configured template:
PS >Invoke-NessusScanTemplate -Index 0 -TemplateID template-b9d6c48e-516a-fe81-4294-458df6acfd45a74d7adc86d4815b

ScanID   : a3fb5b8c-60db-1dda-fac7-ee46c0d0a638ea8ce79ab209483c
ScanName : Dev Lab Full Scan
Owner    : carlos
Status   : running
Date     : 4/14/2013 2:21:50 AM
As can be seen, for repeated scans the template is the way to go, since it is already named, a policy is already set and a target list is already present. For quick scans of single devices or hosts, launching scans from a policy is better.
We can take a look at the running scans with the Show-NessusScans function:
PS >Show-NessusScans 0

ScanID   : a3fb5b8c-60db-1dda-fac7-ee46c0d0a638ea8ce79ab209483c
ScanName : Dev Lab Full Scan
Owner    : carlos
Status   : running
Date     : 4/14/2013 2:21:50 AM

ScanID   : 0c0a28e2-824a-3606-4bd2-965d0da1c62272dde8c29f1faa6d
ScanName : Lab Scan 1
Owner    : carlos
Status   : running
Date     : 4/14/2013 2:21:02 AM
As you can see, each scan has a unique ScanID; this is what we use to identify scans so we can manipulate them. Let's look at suspending a scan with Suspend-NessusScan:
PS >Suspend-NessusScan -Index 0 -ScanID 0c0a28e2-824a-3606-4bd2-965d0da1c62272dde8c29f1faa6d

ScanID   : 0c0a28e2-824a-3606-4bd2-965d0da1c62272dde8c29f1faa6d
ScanName : Lab Scan 1
Owner    : carlos
Status   : pausing
Date     : 4/14/2013 2:21:02 AM
We can resume the scan with Resume-NessusScan :
PS >Resume-NessusScan -Index 0 -ScanID 0c0a28e2-824a-3606-4bd2-965d0da1c62272dde8c29f1faa6d

ScanID   : 0c0a28e2-824a-3606-4bd2-965d0da1c62272dde8c29f1faa6d
ScanName : Lab Scan 1
Owner    : carlos
Status   : resuming
Date     : 4/14/2013 2:21:02 AM
We can also stop the scan with Stop-NessusScan:
PS >Stop-NessusScan -Index 0 -ScanID 0c0a28e2-824a-3606-4bd2-965d0da1c62272dde8c29f1faa6d

ScanID   : 0c0a28e2-824a-3606-4bd2-965d0da1c62272dde8c29f1faa6d
ScanName : Lab Scan 1
Owner    : carlos
Status   : stopping
Date     : 4/14/2013 2:21:02 AM
One thing to keep in mind: even if you stop the scan, whatever it has found up to that point will still be saved as a report.
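Because a stopped scan still produces a report, the ScanID plus Show-NessusScans and Stop-NessusScan are enough to enforce a maintenance window from a script: launch, poll, and stop the scan if it is still running when the window closes, keeping the partial results. The function below is an added example, not code from the original post or from Posh-SecMod. It assumes the module is imported, that Show-NessusScans accepts -Index like the other functions (the post calls it positionally), and that a scan still in progress keeps appearing in its output with one of the Status values shown above (running, pausing, resuming); that last point is an assumption about the listing behaviour, not something the post states.

```powershell
# Added example (not from the original post or the Posh-SecMod module).
# Assumptions: Posh-SecMod is imported with a session at index 0; Show-NessusScans takes
# -Index; an in-progress scan stays listed there with Status running/pausing/resuming.

function Invoke-BoundedNessusScan {
    param(
        [Parameter(Mandatory = $true)][int]$PolicyID,
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)]$Targets,   # string or collection, as Invoke-NessusScan accepts
        [int]$MaxMinutes = 120,                   # length of the maintenance window
        [int]$PollSeconds = 60,
        [int]$Index = 0
    )

    # Status values observed in this post while a scan is still active.
    $inProgress = @('running', 'pausing', 'resuming')

    $scan = Invoke-NessusScan -Index $Index -PolicyID $PolicyID -Name $Name -Targets $Targets
    $deadline = (Get-Date).AddMinutes($MaxMinutes)
    Write-Verbose "Scan $($scan.ScanID) started; hard stop at $deadline"

    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Seconds $PollSeconds
        $current = Show-NessusScans -Index $Index | Where-Object { $_.ScanID -eq $scan.ScanID }
        if (-not $current -or ($inProgress -notcontains $current.Status)) {
            # No longer active: it finished (or was stopped elsewhere) inside the window.
            return [pscustomobject]@{
                ScanID     = $scan.ScanID
                Outcome    = 'completed-in-window'
                LastStatus = if ($current) { $current.Status } else { 'not listed' }
            }
        }
    }

    # Window closed with the scan still active: stop it. Findings so far are kept as a report.
    $stopped = Stop-NessusScan -Index $Index -ScanID $scan.ScanID
    [pscustomobject]@{
        ScanID     = $scan.ScanID
        Outcome    = 'stopped-at-deadline'
        LastStatus = $stopped.Status
    }
}

# Usage (constructed values matching the lab in this post):
# Invoke-BoundedNessusScan -PolicyID 7 -Name 'Lab Scan 1' -Targets '192.168.10.1-192.168.10.100' `
#     -MaxMinutes 90 -PollSeconds 30 -Verbose
```

Returning an object with the outcome rather than just the scan record lets the calling job distinguish a scan that finished naturally from one that was cut off, which matters when you later decide whether the report is complete enough to act on.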