Using Posh-SecMod PowerShell Module to Automate Nessus (Part 2)
Tuesday, April 16, 2013 at 8:21AM
Carlos Perez

Working with Policies

Policies in Nessus are where we define what a scan is going to do, from:

This is why, when I started looking at using PowerShell for automation, I came to the conclusion that creating policies and editing them is much better done in a GUI than in a shell. Still, I included some basic functions for working with policies.

Let's start by listing the policies on the server:

PS >Show-NessusPolicy -Index 0

PolicyID                      PolicyName                    PolicyOwner                   Visibility
--------                      ----------                    -----------                   ----------
-4                            Internal Network Scan         Tenable Policy Distributio... shared
-3                            Web App Tests                 Tenable Policy Distributio... shared
-2                            Prepare for PCI-DSS audits... Tenable Policy Distributio... shared
-1                            External Network Scan         Tenable Policy Distributio... shared
8                             Exploit Available Only        carlos                        private
7                             Moderate Scan                 carlos                        private
6                             All Plugins with Full Scan    carlos                        private

We can make copies of existing Policies:

PS >Copy-NessusPolicy -Index 0 -PolicyID 8

PolicyID                      PolicyName                    PolicyOwner                   Visibility
--------                      ----------                    -----------                   ----------
9                             Copy of Exploit Available ... carlos                        private

We can also remove existing policies:

PS >Remove-NessusPolicy -Index 0 -PolicyID 9
True

You can also download a policy's XML as an XML .NET object; from there you can save the XML to a file quite easily using the methods .NET offers:

 PS C:\> Show-NessusPolicy -Index 0 -PolicyID 1

 PolicyID                     PolicyName                   PolicyOwner                  Visibil
 --------                     ----------                   -----------                  -------
 1                            Mobile Devices Audit         carlos                       private


 PS C:\> $MobilePolicy = Get-NessusPolicyXML -Index 0 -PolicyID 1

 PS C:\> $MobilePolicy.Save("$env:HOMEPATH\Desktop\mobilepolicy.xml")

You can also manipulate the object and query the policy XML quite easily in PowerShell to get more detailed information about a given policy:

 PS C:\> $MobilePolicy = Get-NessusPolicyXML -Index 0 -PolicyID 1

 PS C:\> $MobilePolicy.NessusClientData_v2.policy.policyContents.FamilySelection.FamilyItem

 FamilyName                                                Status
 ----------                                                ------
 MacOS X Local Security Checks                             disabled
 DNS                                                       disabled
 Gain a shell remotely                                     disabled
 Solaris Local Security Checks                             disabled
 Port scanners                                             disabled
 Web Servers                                               disabled
 SMTP problems                                             disabled
 Service detection                                         disabled
 CGI abuses : XSS                                          disabled
 Mandriva Local Security Checks                            disabled
 Databases                                                 disabled
 Debian Local Security Checks                              disabled
 Denial of Service                                         disabled
 Default Unix Accounts                                     disabled
 Settings                                                  disabled
 HP-UX Local Security Checks                               disabled
 Backdoors                                                 disabled
 VMware ESX Local Security Checks                          disabled
 SCADA                                                     disabled
 General                                                   disabled
 Red Hat Local Security Checks                             disabled
 FreeBSD Local Security Checks                             disabled
 CGI abuses                                                disabled
 Windows : User management                                 disabled
 Netware                                                   disabled
 Peer-To-Peer File Sharing                                 disabled
 Slackware Local Security Checks                           disabled
 SNMP                                                      disabled
 Fedora Local Security Checks                              disabled
 Gentoo Local Security Checks                              disabled
 Ubuntu Local Security Checks                              disabled
 Misc.                                                     disabled
 FTP                                                       disabled
 Firewalls                                                 disabled
 Windows : Microsoft Bulletins                             disabled
 Junos Local Security Checks                               disabled
 Mobile Devices                                            enabled
 Windows                                                   disabled
 Policy Compliance                                         disabled
 SuSE Local Security Checks                                disabled
 RPC                                                       disabled
 CentOS Local Security Checks                              disabled
 CISCO                                                     disabled
 Scientific Linux Local Security Checks                    disabled
 AIX Local Security Checks                                 disabled
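The family listing above is the raw view; for a policy review you usually want to know how two policies differ. The following is an added example (not code from the original post or from Posh-SecMod) that diffs the plugin-family selection of two policies using only the XML layout shown above and the Get-NessusPolicyXML function; the session index and policy IDs are the ones from the listings in this post.

```powershell
# Added example (not code from the original post): diff the plugin-family
# selection of two policies so a reviewer can see exactly what a "Moderate Scan"
# leaves out compared with a full scan. Relies only on the XML layout shown
# above (NessusClientData_v2/policy/policyContents/FamilySelection/FamilyItem)
# and on an open session at -Index 0.
function Compare-NessusPolicyFamilies {
    param(
        [Parameter(Mandatory)][int]$Index,
        [Parameter(Mandatory)][int]$ReferencePolicyID,
        [Parameter(Mandatory)][int]$CandidatePolicyID
    )

    # FamilyItem list of one policy -> hashtable of FamilyName => enabled/disabled
    function Get-FamilyMap([int]$PolicyID) {
        $xml = Get-NessusPolicyXML -Index $Index -PolicyID $PolicyID
        $map = @{}
        foreach ($item in $xml.NessusClientData_v2.policy.policyContents.FamilySelection.FamilyItem) {
            $map[$item.FamilyName] = $item.Status
        }
        return $map
    }

    $ref  = Get-FamilyMap $ReferencePolicyID
    $cand = Get-FamilyMap $CandidatePolicyID

    # Walk the union of family names; a family absent from one policy is reported too
    foreach ($family in ((@($ref.Keys) + @($cand.Keys)) | Sort-Object -Unique)) {
        $refStatus  = if ($ref.ContainsKey($family))  { $ref[$family] }  else { 'missing' }
        $candStatus = if ($cand.ContainsKey($family)) { $cand[$family] } else { 'missing' }
        if ($refStatus -ne $candStatus) {
            [PSCustomObject]@{
                FamilyName = $family
                Reference  = $refStatus
                Candidate  = $candStatus
            }
        }
    }
}

# Policy 6 ("All Plugins with Full Scan") as the baseline, policy 7 ("Moderate Scan")
# as the candidate: every row is a family the moderate policy turns off (or on).
Compare-NessusPolicyFamilies -Index 0 -ReferencePolicyID 6 -CandidatePolicyID 7 |
    Format-Table -AutoSize
```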

I do promise a bit more policy manipulation in the future; the command line in this case will not be as flexible as the GUI, but it should help with some simple tasks. I'm looking at the simpler JSON API added in the HTML5 interface for this; it will limit those functions to version 5.x only, but then again we are all using the latest version, right? ;)

Working with Scan Templates

Scan templates are the most common way to store a specific scan configuration that already has a policy configured and a set of targets selected. Scan templates can also be scheduled to run at specific intervals. I have written some functions for creating and launching scan templates. Before creating a scan template we first need to know the IDs of the existing policies, since the ID (not the name) is used during creation: we may have several policies with the same name but different settings. In this next example I want to create a template for scanning my home development network, where I host all my virtual machines:

PS >Show-NessusPolicy -Index 0

PolicyID                      PolicyName                    PolicyOwner                   Visibility
--------                      ----------                    -----------                   ----------
-4                            Internal Network Scan         Tenable Policy Distributio... shared
-3                            Web App Tests                 Tenable Policy Distributio... shared
-2                            Prepare for PCI-DSS audits... Tenable Policy Distributio... shared
-1                            External Network Scan         Tenable Policy Distributio... shared
8                             Exploit Available Only        carlos                        private
7                             Moderate Scan                 carlos                        private
6                             All Plugins with Full Scan    carlos                        private


PS >New-NessusScanTemplate 0 -TemplateName "Dev Lab Full Scan" -PolicyID 6 -Targets "192.168.10.1-192.168.10.254"


TemplateID : template-b9d6c48e-516a-fe81-4294-458df6acfd45a74d7adc86d4815b
PolicyID   : 6
PolicyName :
Name       : Dev Lab Full Scan
Owner      : carlos
Targets    : 192.168.10.1-192.168.10.254

As you can see, creating the template is quite simple. The targets can be individual hosts and/or ranges separated by commas with no spaces between them, or a PowerShell collection can be passed as well. Let's take a look at the scan templates we have on the server:

PS >Show-NessusScanTemplate -Index 0


TemplateID : template-b9d6c48e-516a-fe81-4294-458df6acfd45a74d7adc86d4815b
PolicyID   : 6
PolicyName : All Plugins with Full Scan
Name       : Dev Lab Full Scan
Owner      : carlos
Targets    : 192.168.10.1-192.168.10.254

Each scan template has a unique Template ID, and we use this ID whenever we work with the template. Let's update the existing template's targets: I want it to cover the same range but skip some hosts I do not want scanned. I can do this using other functions provided by Posh-SecMod for working with IPs:

PS >$excludelist = "192.168.10.20","192.168.10.80","192.168.10.200","192.168.10.201"
PS >$ips = New-IPRange -CIDR 192.168.10.0/24
PS >$targets = $ips | ? {$_.IPAddressToString -notin $excludelist} | % {$_.IPAddressToString}
PS >Update-NessusScanTemplate -Index 0 -TemplateID template-b9d6c48e-516a-fe81-4294-458df6acfd45a74d7adc86d4815b -Targets $targets


TemplateID : template-b9d6c48e-516a-fe81-4294-458df6acfd45a74d7adc86d4815b
PolicyID   : 6
PolicyName :
Name       : Dev Lab Full Scan
Owner      : carlos
Targets    : 192.168.10.1 192.168.10.2 192.168.10.3 192.168.10.4 192.168.10.5 192.168.10.6 192.168.10.7 192.168.10.8
             192.168.10.9 192.168.10.10 192.168.10.11 192.168.10.12 192.168.10.13 192.168.10.14 192.168.10.15
             192.168.10.16 192.168.10.17 192.168.10.18 192.168.10.19 192.168.10.20 192.168.10.21 192.168.10.22
             192.168.10.23 192.168.10.24 192.168.10.25 192.168.10.26 192.168.10.27 192.168.10.28 192.168.10.29
             192.168.10.30 192.168.10.31 192.168.10.32 192.168.10.33 192.168.10.34 192.168.10.35 192.168.10.36
             192.168.10.37 192.168.10.38 192.168.10.39 192.168.10.40 192.168.10.41 192.168.10.42 192.168.10.43
             192.168.10.44 192.168.10.45 192.168.10.46 192.168.10.47 192.168.10.48 192.168.10.49 192.168.10.50
             192.168.10.51 192.168.10.52 192.168.10.53 192.168.10.54 192.168.10.55 192.168.10.56 192.168.10.57
             192.168.10.58 192.168.10.59 192.168.10.60 192.168.10.61 192.168.10.62 192.168.10.63 192.168.10.64
             192.168.10.65 192.168.10.66 192.168.10.67 192.168.10.68 192.168.10.69 192.168.10.70 192.168.10.71
             192.168.10.72 192.168.10.73 192.168.10.74 192.168.10.75 192.168.10.76 192.168.10.77 192.168.10.78
             192.168.10.79 192.168.10.80 192.168.10.81 192.168.10.82 192.168.10.83 192.168.10.84 192.168.10.85
             192.168.10.86 192.168.10.87 192.168.10.88 192.168.10.89 192.168.10.90 192.168.10.91 192.168.10.92
             192.168.10.93 192.168.10.94 192.168.10.95 192.168.10.96 192.168.10.97 192.168.10.98 192.168.10.99
             192.168.10.100 192.168.10.101 192.168.10.102 192.168.10.103 192.168.10.104 192.168.10.105 192.168.10.106
             192.168.10.107 192.168.10.108 192.168.10.109 192.168.10.110 192.168.10.111 192.168.10.112 192.168.10.113
             192.168.10.114 192.168.10.115 192.168.10.116 192.168.10.117 192.168.10.118 192.168.10.119 192.168.10.120
             192.168.10.121 192.168.10.122 192.168.10.123 192.168.10.124 192.168.10.125 192.168.10.126 192.168.10.127
             192.168.10.128 192.168.10.129 192.168.10.130 192.168.10.131 192.168.10.132 192.168.10.133 192.168.10.134
             192.168.10.135 192.168.10.136 192.168.10.137 192.168.10.138 192.168.10.139 192.168.10.140 192.168.10.141
             192.168.10.142 192.168.10.143 192.168.10.144 192.168.10.145 192.168.10.146 192.168.10.147 192.168.10.148
             192.168.10.149 192.168.10.150 192.168.10.151 192.168.10.152 192.168.10.153 192.168.10.154 192.168.10.155
             192.168.10.156 192.168.10.157 192.168.10.158 192.168.10.159 192.168.10.160 192.168.10.161 192.168.10.162
             192.168.10.163 192.168.10.164 192.168.10.165 192.168.10.166 192.168.10.167 192.168.10.168 192.168.10.169
             192.168.10.170 192.168.10.171 192.168.10.172 192.168.10.173 192.168.10.174 192.168.10.175 192.168.10.176
             192.168.10.177 192.168.10.178 192.168.10.179 192.168.10.180 192.168.10.181 192.168.10.182 192.168.10.183
             192.168.10.184 192.168.10.185 192.168.10.186 192.168.10.187 192.168.10.188 192.168.10.189 192.168.10.190
             192.168.10.191 192.168.10.192 192.168.10.193 192.168.10.194 192.168.10.195 192.168.10.196 192.168.10.197
             192.168.10.198 192.168.10.199 192.168.10.200 192.168.10.201 192.168.10.202 192.168.10.203 192.168.10.204
             192.168.10.205 192.168.10.206 192.168.10.207 192.168.10.208 192.168.10.209 192.168.10.210 192.168.10.211
             192.168.10.212 192.168.10.213 192.168.10.214 192.168.10.215 192.168.10.216 192.168.10.217 192.168.10.218
             192.168.10.219 192.168.10.220 192.168.10.221 192.168.10.222 192.168.10.223 192.168.10.224 192.168.10.225
             192.168.10.226 192.168.10.227 192.168.10.228 192.168.10.229 192.168.10.230 192.168.10.231 192.168.10.232
             192.168.10.233 192.168.10.234 192.168.10.235 192.168.10.236 192.168.10.237 192.168.10.238 192.168.10.239
             192.168.10.240 192.168.10.241 192.168.10.242 192.168.10.243 192.168.10.244 192.168.10.245 192.168.10.246
             192.168.10.247 192.168.10.248 192.168.10.249 192.168.10.250 192.168.10.251 192.168.10.252 192.168.10.253
             192.168.10.254
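Note that the listing above still contains 192.168.10.20, .80, .200 and .201, so it pays to check the target list before pushing it to the server. The following is an added example (not code from the original post or from Posh-SecMod) that expands a CIDR block with plain .NET, drops the excluded hosts, and hands the comma-separated result to Update-NessusScanTemplate; it assumes the session index and template ID used above, and the -SkipNetworkAndBroadcast switch is my own addition.

```powershell
# Added example (not code from the original post): expand a CIDR block, drop the
# hosts that must not be scanned, and hand the result to Update-NessusScanTemplate.
# Uses only .NET and the Posh-SecMod function shown in the post; the session
# index and template ID are the ones from the post above.
function Get-ScanTargets {
    param(
        [Parameter(Mandatory)][string]$CIDR,   # e.g. 192.168.10.0/24
        [string[]]$Exclude = @(),              # hosts that must never be scanned
        [switch]$SkipNetworkAndBroadcast       # leave out the .0 and .255 of a /24 etc.
    )
    if ($CIDR -notmatch '^[^/]+/\d{1,2}$') { throw "Expected address/prefix, got '$CIDR'" }
    $network, $prefixText = $CIDR.Split('/')
    $prefix = [int]$prefixText
    if ($prefix -gt 32) { throw "Invalid prefix length in $CIDR" }

    # Parse() validates the dotted quad; pack the octets into a 64-bit integer
    $b = [System.Net.IPAddress]::Parse($network).GetAddressBytes()
    $base  = ([int64]$b[0] -shl 24) -bor ([int64]$b[1] -shl 16) -bor ([int64]$b[2] -shl 8) -bor [int64]$b[3]
    $size  = [int64]1 -shl (32 - $prefix)
    $first = $base - ($base % $size)           # network address of the block
    $last  = $first + $size - 1                # broadcast address of the block
    if ($SkipNetworkAndBroadcast -and $prefix -le 30) { $first++; $last-- }

    # Hashtable lookup keeps the exclusion check O(1) per host instead of O(n) with -notin
    $excluded = @{}
    foreach ($addr in $Exclude) { $excluded[$addr.Trim()] = $true }

    $targets = for ($i = $first; $i -le $last; $i++) {
        $ip = '{0}.{1}.{2}.{3}' -f (($i -shr 24) -band 255), (($i -shr 16) -band 255), (($i -shr 8) -band 255), ($i -band 255)
        if (-not $excluded.ContainsKey($ip)) { $ip }
    }
    # Comma-separated with no spaces, the format the -Targets parameter accepts
    return ($targets -join ',')
}

$targets = Get-ScanTargets -CIDR 192.168.10.0/24 -SkipNetworkAndBroadcast `
    -Exclude 192.168.10.20, 192.168.10.80, 192.168.10.200, 192.168.10.201
# Sanity check: count the hosts and confirm none of the excluded ones survived
$hostCount = ($targets -split ',').Count
$leaked    = ($targets -split ',') | Where-Object { $_ -in '192.168.10.20','192.168.10.80','192.168.10.200','192.168.10.201' }
if ($leaked) { throw "Excluded hosts still present: $($leaked -join ',')" }
Update-NessusScanTemplate -Index 0 -Targets $targets `
    -TemplateID template-b9d6c48e-516a-fe81-4294-458df6acfd45a74d7adc86d4815b
```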


Launching and Managing Scans

There are 2 ways to launch scans:

Let's first launch a scan using a policy, giving it a list of targets:

PS >Invoke-NessusScan -Index 0 -PolicyID 7 -Name "Lab Scan 1" -Targets 192.168.10.1-192.168.10.100


ScanID   : 0c0a28e2-824a-3606-4bd2-965d0da1c62272dde8c29f1faa6d
ScanName : Lab Scan 1
Owner    : carlos
Status   : running
Date     : 4/14/2013 2:21:02 AM

Now let's look at invoking a scan using a pre-configured template:

PS >Invoke-NessusScanTemplate -Index 0 -TemplateID template-b9d6c48e-516a-fe81-4294-458df6acfd45a74d7adc86d4815b


ScanID   : a3fb5b8c-60db-1dda-fac7-ee46c0d0a638ea8ce79ab209483c
ScanName : Dev Lab Full Scan
Owner    : carlos
Status   : running
Date     : 4/14/2013 2:21:50 AM

As you can see, for repeated scans the template is the way to go, since it is already named, a policy is already set, and a target list is already present. For quick scans of single devices or hosts, launching a scan from a policy is better.

We can take a look at the scans with the Show-NessusScans function:

PS >Show-NessusScans 0


ScanID   : a3fb5b8c-60db-1dda-fac7-ee46c0d0a638ea8ce79ab209483c
ScanName : Dev Lab Full Scan
Owner    : carlos
Status   : running
Date     : 4/14/2013 2:21:50 AM

ScanID   : 0c0a28e2-824a-3606-4bd2-965d0da1c62272dde8c29f1faa6d
ScanName : Lab Scan 1
Owner    : carlos
Status   : running
Date     : 4/14/2013 2:21:02 AM

As you can see, each scan has a unique ScanID; this is what we use to identify scans so we can manipulate them. Let's look at suspending a scan with Suspend-NessusScan:

PS >Suspend-NessusScan -Index 0 -ScanID 0c0a28e2-824a-3606-4bd2-965d0da1c62272dde8c29f1faa6d


ScanID   : 0c0a28e2-824a-3606-4bd2-965d0da1c62272dde8c29f1faa6d
ScanName : Lab Scan 1
Owner    : carlos
Status   : pausing
Date     : 4/14/2013 2:21:02 AM

We can resume the scan with Resume-NessusScan:

PS >Resume-NessusScan -Index 0 -ScanID 0c0a28e2-824a-3606-4bd2-965d0da1c62272dde8c29f1faa6d


ScanID   : 0c0a28e2-824a-3606-4bd2-965d0da1c62272dde8c29f1faa6d
ScanName : Lab Scan 1
Owner    : carlos
Status   : resuming
Date     : 4/14/2013 2:21:02 AM

We can also stop the scan with Stop-NessusScan:

PS >Stop-NessusScan -Index 0 -ScanID 0c0a28e2-824a-3606-4bd2-965d0da1c62272dde8c29f1faa6d


ScanID   : 0c0a28e2-824a-3606-4bd2-965d0da1c62272dde8c29f1faa6d
ScanName : Lab Scan 1
Owner    : carlos
Status   : stopping
Date     : 4/14/2013 2:21:02 AM


One thing to keep in mind: even if you stop a scan, what it has found up to that point will still be saved as a report.
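For unattended automation the missing piece is waiting for a scan to finish before pulling its report. The following is an added example (not code from the original post or from Posh-SecMod) that polls Show-NessusScans until the scan leaves the transient states shown above; it assumes the session index and template ID used in this post, that Show-NessusScans accepts -Index like the other functions, and that a finished scan either shows a non-transient Status or disappears from the active list (both are treated as done).

```powershell
# Added example (not code from the original post): block until a scan is no
# longer running, with a timeout so a scheduled job never hangs forever.
# Status names are the ones shown in the post (running/pausing/resuming/stopping);
# a scan that drops out of Show-NessusScans is assumed to have completed.
function Wait-NessusScan {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][int]$Index,
        [Parameter(Mandatory)][string]$ScanID,
        [int]$TimeoutMinutes = 120,
        [int]$PollSeconds = 30
    )
    $transient = 'running', 'pausing', 'resuming', 'stopping'
    $deadline  = (Get-Date).AddMinutes($TimeoutMinutes)

    while ((Get-Date) -lt $deadline) {
        $scan = Show-NessusScans -Index $Index | Where-Object { $_.ScanID -eq $ScanID }
        if (-not $scan) {
            # No longer listed as an active scan: its report is what is left to fetch
            return [PSCustomObject]@{ ScanID = $ScanID; Status = 'completed'; TimedOut = $false }
        }
        # A paused scan is not transient: return so the caller can decide to resume or stop it
        if ($scan.Status -notin $transient) {
            return [PSCustomObject]@{ ScanID = $ScanID; Status = $scan.Status; TimedOut = $false }
        }
        Write-Verbose ("{0}: {1} is {2}" -f (Get-Date -Format 'HH:mm:ss'), $scan.ScanName, $scan.Status)
        Start-Sleep -Seconds $PollSeconds
    }
    # Give up rather than block forever; the caller decides whether to Stop-NessusScan
    return [PSCustomObject]@{ ScanID = $ScanID; Status = 'unknown'; TimedOut = $true }
}

# Launch from the template created earlier and wait for it; on timeout stop the scan,
# which (as noted above) still leaves a report with everything found so far.
$scan   = Invoke-NessusScanTemplate -Index 0 -TemplateID template-b9d6c48e-516a-fe81-4294-458df6acfd45a74d7adc86d4815b
$result = Wait-NessusScan -Index 0 -ScanID $scan.ScanID -TimeoutMinutes 90 -Verbose
if ($result.TimedOut) { Stop-NessusScan -Index 0 -ScanID $scan.ScanID }
$result
```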

Article originally appeared on Security and Networking (http://darkoperator.squarespace.com/).
See website for complete article licensing information.