Navigation

Entries by Carlos Perez (157)

Sunday
Apr282013

Script to Automate Metasploit Framework Installation

For some time now I have been maintaining guides for installing Metasploit Framework on OSX, Ubuntu and CentOS. I decided this weekend to write a script to facilitate going thru all the steps. The script aids in installing Framework on OSX Mountain Lion and Ubuntu 12.10/13.04. the script can be found at https://github.com/darkoperator/MSF-Installer

To use the script on OSX Java, Xcode and Command Development Tools from Xcode must be installed before running the script. In the case of OSX I also added the option of installing GNU GCC in the case you want to compile the old Ruby 1.8.7 that requieres it. When you download the script you must make it executable, when ran with no arguments or with -h it will how the usage help message:

$ chmod +x msf_install.sh 
$ ./msf_install.sh -h
Scritp for Installing Metasploit Framework
By Carlos_Perez[at]darkoperator.com
Ver 0.1.0

-i                :Install Metasploit Framework.
-p      :password for MEtasploit databse msf user. If not provided a roandom one is generated for you.
-g                :Install GNU GCC (Not necessary uless you wish to compile and install ruby 1.8.7 in OSX
-h                :This help message

To start the installation you just run the script with the -i option and the installation will start. In the case of OSX it will:

  • Check that dependencies are meet.
  • Check if Homebrew is installed and of not it will install it.
  • Install Ruby 1.9.3
  • Install base ruby gems.
  • Install and configure Postgres for use with Metasploit
  • Install GCC if selected.
  • Download and install Metasploit Framework.
  • Installs all necessaries Ruby Gems using bundler.
  • Configure the database connection and sets the proper environment variables.
  • Download and install the latest version of Armitage.
  • Download and install the Pentest plugin and DNSRecon Import plugin.

in the case of Ubuntu 12.10 and 13.04 it will:

  • Install all necessary packages
  • Install base ruby gems.
  • Configure Postgres for use with Metasploit
  • Download and install Metasploit Framework.
  • Installs all necessaries Ruby Gems using bundler.
  • Configure the database connection and sets the proper environment variables.
  • Download and install the latest version of Armitage.
  • Download and install the Pentest plugin and DNSRecon Import plugin.

I let the script be as verbose as possible on purpose so as to identify any surprise changes from R7 or from any of the platforms. I hope it is useful to others as I know it will in my lab setups.

Thursday
Apr182013

Using Posh-SecMod PowerShell Module to Automate Nessus (Part 3)

Listing Reports Available

We can retrieve a list of the reports available on the Nessus Server and the information that they provide with Get-NessusReports function and we provide it a index for the session or an object of Nessus.Server.Session :

C:\> Get-NessusReports -Index 0


ServerHost : 192.168.10.3
ReportID   : a3fb5b8c-60db-1dda-fac7-ee46c0d0a638ea8ce79ab209483c
ReportName : Dev Lab Full Scan
Status     : completed
KB         : True
AuditTrail : True
Date       : 4/14/2013 2:36:21 AM
Session    : Nessus.Server.Session

ServerHost : 192.168.10.3
ReportID   : beb54ae5-ddd5-4700-3e85-d0241ade948354bf668ec4c5c319
ReportName : Lab Full Unauthenticated Scan
Status     : completed
KB         : True
AuditTrail : True
Date       : 4/11/2013 6:39:22 AM
Session    : Nessus.Server.Session

ServerHost : 192.168.10.3
ReportID   : 908185a5-19cc-e2e4-6073-2134043611b99e3d5fcf060ec31e
ReportName : Scan Dev Lab
Status     : completed
KB         : True
AuditTrail : True
Date       : 4/11/2013 4:26:13 AM
Session    : Nessus.Server.Session

ServerHost : 192.168.10.3
ReportID   : 0c0a28e2-824a-3606-4bd2-965d0da1c62272dde8c29f1faa6d
ReportName : Lab Scan 1
Status     : completed
KB         : True
AuditTrail : True
Date       : 4/14/2013 2:36:21 AM
Session    : Nessus.Server.Session

The main properties for each report object are:

  • ReportID – This is the unique identifier of the report since Nessus Allows for several reports to have the same name. This is the value we will use for when requesting specific reports for their information.
  • ReportName – The friendly name gave to the scan that generated the report.
  • Status – When running a Nessus scan the information from the scan is populating a report as it is running so this property will tell us if the results are from a completed scan or is the scan still running.
  • KB – this is know as the Knowledge Base of the scan and it is generated per host, this will tell you what plugins where launched and if any errors where encountered. If your Nessus server has less than 2GB of memory the KB is not generated for the hosts so as to save space in memory while executing. The information is stored in the server.
  • AuditTrail – This is a execution information that is saved for each plugin it will tell us if the plugin ran with no issues and if a problem was found it will tell us what was the error message. This is saved per plugin and it is stored on the server.
  • Date – This is the date when the report was launched in UTC .

 

The Get-NessusReports function produces objects for each report and these have 2 ScriptMethods that we can use against the object it self

  • GetReportItems() – this method retrieves al reported entries (Info, Low, Medium, High and Critical) with all the details for each in the properties of the object.
  • GetXML() – This method retrieves the XML .Net object that represents the NessusV2 format of the report.

image

 

Getting a Summary of Each Host in a Report

We can query a report and get a summary of the hosts that are in the report and the number of items reported for each severity level, this is done with Get-NessusReportHostSummary.

C:\> Get-NessusReportHostSummary -Index 0 -ReportID a3fb5b8c-60db-1dda-fac7-ee46c0d0a638ea8ce79ab209483c


Hostname : 192.168.10.10
Info     : 51
Low      : 1
Medium   : 4
High     : 0
Critical : 0

Hostname : 192.168.10.12
Info     : 51
Low      : 2
Medium   : 5
High     : 1
Critical : 1

Hostname : 192.168.10.13
Info     : 95
Low      : 2
Medium   : 12
High     : 0
Critical : 0

Hostname : 192.168.10.2
Info     : 38
Low      : 1
Medium   : 1
High     : 0
Critical : 0

Hostname : nessus.darkoperator.com
Info     : 39
Low      : 1
Medium   : 3
High     : 0
Critical : 0

 

Getting a Summary per Vulnerability in a Report

We can get a summary for each item found and how many of them are in the report using the function  Get-NessusReportVulnSummary

C:\> Get-NessusReportVulnSummary -Index 0 -ReportID a3fb5b8c-60db-1dda-fac7-ee46c0d0a638ea8ce79ab209483c


PluginID     : 10107
PluginName   : HTTP Server Type and Version
PluginFamily : Web Servers
Count        : 5
Severity     : Info

PluginID     : 10147
PluginName   : Nessus Server Detection
PluginFamily : Service detection
Count        : 1
Severity     : Info

PluginID     : 10150
PluginName   : Windows NetBIOS / SMB Remote Host Information Disclosure
PluginFamily : Windows
Count        : 4
Severity     : Info

PluginID     : 10263
PluginName   : SMTP Server Detection
PluginFamily : Service detection
Count        : 2
Severity     : Info

PluginID     : 10267
PluginName   : SSH Server Type and Version Information
PluginFamily : Service detection
Count        : 1
Severity     : Info

PluginID     : 10287
PluginName   : Traceroute Information
PluginFamily : General
Count        : 4
Severity     : Info

PluginID     : 10394
PluginName   : Microsoft Windows SMB Log In Possible
PluginFamily : Windows
Count        : 3
Severity     : Info

PluginID     : 10736
PluginName   : DCE Services Enumeration
PluginFamily : Windows
Count        : 49
Severity     : Info

PluginID     : 10761
PluginName   : COM+ Internet Services (CIS) Server Detection
PluginFamily : Windows
Count        : 3
Severity     : Info

PluginID     : 10785
PluginName   : Microsoft Windows SMB NativeLanManager Remote System Information
               Disclosure
PluginFamily : Windows
Count        : 4
Severity     : Info

PluginID     : 10863
PluginName   : SSL Certificate Information
PluginFamily : General
Count        : 5
Severity     : Info

PluginID     : 10881
PluginName   : SSH Protocol Versions Supported
PluginFamily : General
Count        : 1
Severity     : Info

PluginID     : 10884
PluginName   : Network Time Protocol (NTP) Server Detection
PluginFamily : Service detection
Count        : 2
Severity     : Info

PluginID     : 10940
PluginName   : Windows Terminal Services Enabled
PluginFamily : Windows
Count        : 4
Severity     : Info

........

 

Getting all Host Information from a Report

If we want all the information available for each host in a report we use the function Get-NessusReportHostsDetailed, this function will download the report XML, Parse it and generate PowerShell objects for each piece of information found. The information will be divided in to 2 parts for each hosts

  • Host_Properties – This is the information about the host that was gathered during the enumeration of the hosts including IP addresses, Netstat information, Operating System and other values.
  • ReportItems – This are each of the entries in the vulnerabilities tab of a report.

 

C:\> Get-NessusReportHostsDetailed -Index 0 -ReportID a3fb5b8c-60db-1dda-fac7-ee46c0d0a638ea8ce79ab209483c

Host                          Host_Properties               ReportItems
----                          ---------------               -----------
nessus.darkoperator.com       @{system_type=general-purp... {@{Host=nessus.darkoperato...
192.168.10.2                  @{operating_system=Microso... {@{Host=192.168.10.2; Port...
192.168.10.13                 @{operating_system=Microso... {@{Host=192.168.10.13; Por...
192.168.10.12                 @{operating_system=Microso... {@{Host=192.168.10.12; Por...
192.168.10.10                 @{operating_system=Microso... {@{Host=192.168.10.10; Por...

Here is an example of the information we can get in the host properties:

C:\> $reporthost = Get-NessusReportHostsDetailed -Index 0 -ReportID a3fb5b8c-60db-1dda-fac7-ee46c0d0a638ea8ce79ab209483c |  select -First 1
C:\> $reporthost.Host_Properties


system_type            : general-purpose
netstat_listen_tcp4_0  : 0.0.0.0:22
local_checks_proto     : local
netstat_listen_tcp46_3 : :::22
netstat_listen_tcp4_2  : 0.0.0.0:8834
HOST_START             : Sun Apr 14 02:22:48 2013
host_ip                : 192.168.10.3
operating_system       : Linux Kernel 2.6.32-358.0.1.el6.x86_64 on CentOS release 6.4
                         (Final)
netstat_listen_tcp4_1  : 0.0.0.0:1241
mac_address            : 00:0C:29:28:7A:F9
HOST_END               : Sun Apr 14 02:31:13 2013
netstat_listen_tcp6_5  : :::8834
host_fqdn              : nessus.darkoperator.com
netstat_listen_tcp6_4  : :::1241

Report items will contain the information about each vulnerability and each informational plugin that was lunched and was successful in executing.

C:\> $reporthost.ReportItems[3]


Host                 : nessus.darkoperator.com
Port                 : 0
ServiceName          : general
Severity             : Info
PluginID             : 33276
PluginName           : Enumerate MAC Addresses via SSH
PluginFamily         : General
RiskFactor           : None
Synopsis             : This plugin enumerates MAC addresses on a remote host.
Description          : By connecting to the remote host via SSH with the supplied
                       credentials, this plugin enumerates MAC addresses.
Solution             : Disable any unused interfaces.
PluginOutput         :
                       The following MAC address exists on the remote host :

                         - 00:0C:29:28:7A:F9 (interface eth0)

SeeAlso              :
CVE                  :
BID                  :
ExternaReference     :
PatchPublicationDate :
VulnPublicationDate  :
Exploitability       :
ExploitAvailable     :
CANVAS               :
Metasploit           :
COREImpact           :
MetasploitModule     :
CANVASPackage        :
CVSSVector           :
CVSSBase             :
CVSSTemporal         :
PluginType           : local
PluginVersion        :

One of the great advantages of PowerShell is that it makes managing the large amount of data quite simple and provides options to export the objects in to XML, CSV and even generate our custom HTML reports. Lets look at the GridView option that allow us to see all the report items in a grid and even add filters to the view The command we use is:

$reporthost.ReportItems | Out-GridView

 

image

Working with the Nessus v2 XML

We can retrieve the XML .Net Object representation of a report if you which to manipulate the XML it self or use it for other purposes. Getting a XML .Net Object of the report and saving it to disk as a .nessus file

C:\> $nessusreport = Get-NessusV2ReportXML -Index 0 -ReportID a3fb5b8c-60db-1dda-fac7-ee46c0d0a638ea8ce79ab209483c
C:\> $nessusreport.Save("$env:HOMEPATH\Desktop\DevLabRepor.nessus")

Getting access to the information in XML is super easy since in PowerShell it is just like working with a regular .Net object

C:\> $nessusreport.NessusClientData_v2.Report.ReportHost

name                          HostProperties                ReportItem
----                          --------------                ----------
nessus.darkoperator.com       HostProperties                {ReportItem, ReportItem, R...
192.168.10.2                  HostProperties                {ReportItem, ReportItem, R...
192.168.10.13                 HostProperties                {ReportItem, ReportItem, R...
192.168.10.12                 HostProperties                {ReportItem, ReportItem, R...
192.168.10.10                 HostProperties                {ReportItem, ReportItem, R...


C:\> $nessusreport.NessusClientData_v2.Policy


policyName                : All Plugins with Full Scan
policy_comments           :
Preferences               : Preferences
FamilySelection           : FamilySelection
IndividualPluginSelection : IndividualPluginSelection

Filtering Report Items

I know that many people are new to PowerShell and still learning the power it has to filter and manipulate objects so the function Retrieve and filter report items Get-NessusReportItems is here to help with some of the filtering. The function will filter at the server the reported items for Host and Severity and return the appropriate report item objects for use: 

C:\> Get-NessusReportItems -Index 0 -ReportID a3fb5b8c-60db-1dda-fac7-ee46c0d0a638ea8ce7b209483c -HostFilter 192.168.10.12 -SeverityFilter critical,high


Host                 : 192.168.10.12
Port                 : 3389
ServiceName          : msrdp
Severity             : High
PluginID             : 58435
PluginName           : MS12-020: Vulnerabilities in Remote Desktop Could Allow Remote
                       Code Execution (2671387) (uncredentialed check)
PluginFamily         : Windows
RiskFactor           : High
Synopsis             : The remote Windows host could allow arbitrary code execution.
Description          : An arbitrary remote code vulnerability exists in the
                       implementation of the Remote Desktop Protocol (RDP) on the remote
                       Windows host. The vulnerability is due to the way that RDP
                       accesses an object in memory that has been improperly initialized
                       or has been deleted.

                       If RDP has been enabled on the affected system, an
                       unauthenticated, remote attacker could leverage this
                       vulnerability to cause the system to execute arbitrary code by
                       sending a sequence of specially crafted RDP packets to it.

                       This plugin also checks for a denial of service vulnerability in
                       Microsoft Terminal Server.

                       Note that this script does not detect the vulnerability if the
                       'Allow connections only from computers running Remote Desktop
                       with Network Level Authentication' setting is enabled or the
                       security layer is set to 'SSL (TLS 1.0)' on the remote host.
Solution             : Microsoft has released a set of patches for Windows XP, 2003,
                       Vista, 2008, 7, and 2008 R2 :

                       http://technet.microsoft.com/en-us/security/bulletin/ms12-020
PluginOutput         :
SeeAlso              :
CVE                  : {CVE-2012-0002, CVE-2012-0152}
BID                  : {52353, 52354}
ExternaReference     : {OSVDB:80000, OSVDB:80004, EDB-ID:18606, IAVA:2012-A-0039...}
PatchPublicationDate : 2012/03/13
VulnPublicationDate  : 2012/03/13
Exploitability       : Exploits are available
ExploitAvailable     : true
CANVAS               : true
Metasploit           : true
COREImpact           : true
MetasploitModule     : MS12-020 Microsoft Remote Desktop Checker
CANVASPackage        : White_Phosphorus
CVSSVector           : CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSSBase             : 9.3
CVSSTemporal         : 7.3
PluginType           : remote
PluginVersion        :

Host                 : 192.168.10.12
Port                 : 5355
ServiceName          : llmnr
Severity             : Critical
PluginID             : 53514
PluginName           : MS11-030: Vulnerability in DNS Resolution Could Allow Remote Code
                       Execution (2509553) (remote check)
PluginFamily         : Windows
RiskFactor           : Critical
Synopsis             : Arbitrary code can be executed on the remote host through the
                       installed Windows DNS client.
Description          : A flaw in the way the installed Windows DNS client processes
                       Link- local Multicast Name Resolution (LLMNR) queries can be
                       exploited to execute arbitrary code in the context of the
                       NetworkService account.

                       Note that Windows XP and 2003 do not support LLMNR and successful
                       exploitation on those platforms requires local access and the
                       ability to run a special application.  On Windows Vista, 2008, 7,
                       and 2008 R2, however, the issue can be exploited remotely.
Solution             : Microsoft has released a set of patches for Windows XP, 2003,
                       Vista, 2008, 7, and 2008 R2 :

                       http://technet.microsoft.com/en-us/security/bulletin/ms11-030
PluginOutput         :
SeeAlso              :
CVE                  : CVE-2011-0657
BID                  : 47242
ExternaReference     : {OSVDB:71780, IAVA:2011-A-0039, MSFT:MS11-030}
PatchPublicationDate : 2011/04/12
VulnPublicationDate  : 2011/04/12
Exploitability       : Exploits are available
ExploitAvailable     : true
CANVAS               :
Metasploit           : true
COREImpact           : true
MetasploitModule     : Microsoft Windows DNSAPI.dll LLMNR Buffer Underrun DoS
CANVASPackage        :
CVSSVector           : CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSSBase             : 10.0
CVSSTemporal         : 7.8
PluginType           : remote
PluginVersion        :

 

Getting a Host KB and Plugin Audit

To get the KB is very simple and it is used mainly when opening support tickets with Tenable or when we want to trace what plugins executed or if we want to see what information some plugins used to determined if the host is vulnerable.

C:\> Get-NessusReportHostKB -Index 0 -ReportID a3fb5b8c-60db-1dda-fac7-ee46c0d0a638ea8ce79ab209483c -ReportHost 192.168.10.12 | Out-File -FilePath $env:HOMEPATH\Desktop\lab.txt

 

If we want to see the audit trail for a plugin that executed against a hosts we can retrieve it and it will tell us more information as to why it did not trigger:

C:\> Get-NessusReportPluginAudit 0 -ReportID a3fb5b8c-60db-1dda-fac7-ee46c0d0a638ea8ce79ab209483c -Host 192.168.10.12 -PluginID 35952 | fl


Host     : 192.168.10.12
PluginID : 35952
ExitCode : 1
Reason   : Can't open socket on port 49777.

 

Conclusion

I hope you liked this short series. I’m currently working on expanding the functions for Nessus even more and looking forward to the new stuff that will be coming out with new releases so as to add support to those.

Tuesday
Apr162013

Using Posh-SecMod PowerShell Module to Automate Nessus (Part 2)

Working with Policies

Policies in Nessus is where we define what a scan is going to do from:

  • What plugins to run.
  • What types of plugin should run and which should not.
  • Concurrency.
  • Port Scanning Settings.
  • Credentials
  • and many many many more.

This is why when I started looking at using PowerShell for automation I came to the conclusion that creating polices and editing them is much better in a GUI than in a shell. But still I included some basic functions for working with policies.

Lets start by listing what policies are in the server:

PS >Show-NessusPolicy -Index 0

PolicyID                      PolicyName                    PolicyOwner                   Visibility
--------                      ----------                    -----------                   ----------
-4                            Internal Network Scan         Tenable Policy Distributio... shared
-3                            Web App Tests                 Tenable Policy Distributio... shared
-2                            Prepare for PCI-DSS audits... Tenable Policy Distributio... shared
-1                            External Network Scan         Tenable Policy Distributio... shared
8                             Exploit Available Only        carlos                        private
7                             Moderate Scan                 carlos                        private
6                             All Plugins with Full Scan    carlos                        private

We can make copies of existing Policies:

PS >Copy-NessusPolicy -Index 0 -PolicyID 8

PolicyID                      PolicyName                    PolicyOwner                   Visibility
--------                      ----------                    -----------                   ----------
9                             Copy of Exploit Available ... carlos                        private

We can also remove exiting policies:

PS >Remove-NessusPolicy -Index 0 -PolicyID 9
True

You can also download the XML for a policy as a XML .Net Object, you can download the XML in to file quite easily using the methods offered by .Net:

 PS C:\> Show-NessusPolicy -Index 0 -PolicyID 1

 PolicyID                     PolicyName                   PolicyOwner                  Visibil
 --------                     ----------                   -----------                  -------
 1                            Mobile Devices Audit         carlos                       private


 PS C:\> $MobilePolicy = Get-NessusPolicyXML -Index 0 -PolicyID 1

 PS C:\> $MobilePolicy.Save("$env:HOMEPATH\Desktop\mobilepolicy.xml")

You can also manipulate the object and query quite easyly in powershe the Policy XML to get more detailed information about a given policy:

 

 PS C:\> $MobilePolicy = Get-NessusPolicyXML -Index 0 -PolicyID 1

 PS C:\> $MobilePolicy.NessusClientData_v2.policy.policyContents.FamilySelection.FamilyItem

 FamilyName                                                Status
 ----------                                                ------
 MacOS X Local Security Checks                             disabled
 DNS                                                       disabled
 Gain a shell remotely                                     disabled
 Solaris Local Security Checks                             disabled
 Port scanners                                             disabled
 Web Servers                                               disabled
 SMTP problems                                             disabled
 Service detection                                         disabled
 CGI abuses : XSS                                          disabled
 Mandriva Local Security Checks                            disabled
 Databases                                                 disabled
 Debian Local Security Checks                              disabled
 Denial of Service                                         disabled
 Default Unix Accounts                                     disabled
 Settings                                                  disabled
 HP-UX Local Security Checks                               disabled
 Backdoors                                                 disabled
 VMware ESX Local Security Checks                          disabled
 SCADA                                                     disabled
 General                                                   disabled
 Red Hat Local Security Checks                             disabled
 FreeBSD Local Security Checks                             disabled
 CGI abuses                                                disabled
 Windows : User management                                 disabled
 Netware                                                   disabled
 Peer-To-Peer File Sharing                                 disabled
 Slackware Local Security Checks                           disabled
 SNMP                                                      disabled
 Fedora Local Security Checks                              disabled
 Gentoo Local Security Checks                              disabled
 Ubuntu Local Security Checks                              disabled
 Misc.                                                     disabled
 FTP                                                       disabled
 Firewalls                                                 disabled
 Windows : Microsoft Bulletins                             disabled
 Junos Local Security Checks                               disabled
 Mobile Devices                                            enabled
 Windows                                                   disabled
 Policy Compliance                                         disabled
 SuSE Local Security Checks                                disabled
 RPC                                                       disabled
 CentOS Local Security Checks                              disabled
 CISCO                                                     disabled
 Scientific Linux Local Security Checks                    disabled
 AIX Local Security Checks                                 disabled

I do promise in the future a bit more manipulation of policies, command line in this case will not be as flexible as the GUI but it should help for some simple tasks. I’m looking at the simpler JSON API added in the HTML5 interface for this, it will limit the functions to only version 5.x but then again we are all using the latest version, right? Winking smile

Working with Scan Templates

Scan templates are the most used method for storing specific configuration for scan that already have a policy configured and a set of targets selected. The scan Templates can also be scheduled to run at specific intervals. I have written some functions for creating and launching scan templates. Before creating a Scan Template we first need to know the IDs of the existing policies since that ID is used in the creation since we may have several policies with the same name but with different settings. In this next example I want to create a template for scanning my home development network where I host all my virtual machines:

PS >Show-NessusPolicy -Index 0

PolicyID                      PolicyName                    PolicyOwner                   Visibility
--------                      ----------                    -----------                   ----------
-4                            Internal Network Scan         Tenable Policy Distributio... shared
-3                            Web App Tests                 Tenable Policy Distributio... shared
-2                            Prepare for PCI-DSS audits... Tenable Policy Distributio... shared
-1                            External Network Scan         Tenable Policy Distributio... shared
8                             Exploit Available Only        carlos                        private
7                             Moderate Scan                 carlos                        private
6                             All Plugins with Full Scan    carlos                        private


PS >New-NessusScanTemplate 0 -TemplateName "Dev Lab Full Scan" -PolicyID 6 -Targets "192.168.10.1-192.168.10.2


TemplateID : template-b9d6c48e-516a-fe81-4294-458df6acfd45a74d7adc86d4815b
PolicyID   : 6
PolicyName :
Name       : Dev Lab Full Scan
Owner      : carlos
Targets    : 192.168.10.1-192.168.10.254

As you can see the creation of the template is quite simple. The targets can be either individual hosts and/or ranges separated by commas with no spaces between them or a PowerShell collection that can be passes also. Lets take a look at the scan templates we have on the server:

PS >Show-NessusScanTemplate -Index 0


TemplateID : template-b9d6c48e-516a-fe81-4294-458df6acfd45a74d7adc86d4815b
PolicyID   : 6
PolicyName : All Plugins with Full Scan
Name       : Dev Lab Full Scan
Owner      : carlos
Targets    : 192.168.10.1-192.168.10.254

Each scan template has a unique Template ID we use this ID when we work with the template. Lets update the existing template targets, I want to have it cover the same range bust skip some hosts I do not want scanned, I can do this using other functions provided by Posh-SecMod for working with IPs

PS >$excludelist = 192.168.10.20,192.168.10.80,192.168.10.200,192.168.10.201
PS >$ips = New-IPRange -CIDR 192.168.10.0/24
PS >$targets = $ips | ? {$_.IPAddressToString -notin $excludelist} | % {$_.IPAddressToString}
PS >Update-NessusScanTemplate -Index 0 -TemplateID template-b9d6c48e-516a-fe81-4294-458df6acfd45a74d7adc86d4815b -Targets $targets


TemplateID : template-b9d6c48e-516a-fe81-4294-458df6acfd45a74d7adc86d4815b
PolicyID   : 6
PolicyName :
Name       : Dev Lab Full Scan
Owner      : carlos
Targets    : 192.168.10.1 192.168.10.2 192.168.10.3 192.168.10.4 192.168.10.5 192.168.10.6 192.168.10.7 192.168.10.8
             192.168.10.9 192.168.10.10 192.168.10.11 192.168.10.12 192.168.10.13 192.168.10.14 192.168.10.15
             192.168.10.16 192.168.10.17 192.168.10.18 192.168.10.19 192.168.10.20 192.168.10.21 192.168.10.22
             192.168.10.23 192.168.10.24 192.168.10.25 192.168.10.26 192.168.10.27 192.168.10.28 192.168.10.29
             192.168.10.30 192.168.10.31 192.168.10.32 192.168.10.33 192.168.10.34 192.168.10.35 192.168.10.36
             192.168.10.37 192.168.10.38 192.168.10.39 192.168.10.40 192.168.10.41 192.168.10.42 192.168.10.43
             192.168.10.44 192.168.10.45 192.168.10.46 192.168.10.47 192.168.10.48 192.168.10.49 192.168.10.50
             192.168.10.51 192.168.10.52 192.168.10.53 192.168.10.54 192.168.10.55 192.168.10.56 192.168.10.57
             192.168.10.58 192.168.10.59 192.168.10.60 192.168.10.61 192.168.10.62 192.168.10.63 192.168.10.64
             192.168.10.65 192.168.10.66 192.168.10.67 192.168.10.68 192.168.10.69 192.168.10.70 192.168.10.71
             192.168.10.72 192.168.10.73 192.168.10.74 192.168.10.75 192.168.10.76 192.168.10.77 192.168.10.78
             192.168.10.79 192.168.10.80 192.168.10.81 192.168.10.82 192.168.10.83 192.168.10.84 192.168.10.85
             192.168.10.86 192.168.10.87 192.168.10.88 192.168.10.89 192.168.10.90 192.168.10.91 192.168.10.92
             192.168.10.93 192.168.10.94 192.168.10.95 192.168.10.96 192.168.10.97 192.168.10.98 192.168.10.99
             192.168.10.100 192.168.10.101 192.168.10.102 192.168.10.103 192.168.10.104 192.168.10.105 192.168.10.106
             192.168.10.107 192.168.10.108 192.168.10.109 192.168.10.110 192.168.10.111 192.168.10.112 192.168.10.113
             192.168.10.114 192.168.10.115 192.168.10.116 192.168.10.117 192.168.10.118 192.168.10.119 192.168.10.120
             192.168.10.121 192.168.10.122 192.168.10.123 192.168.10.124 192.168.10.125 192.168.10.126 192.168.10.127
             192.168.10.128 192.168.10.129 192.168.10.130 192.168.10.131 192.168.10.132 192.168.10.133 192.168.10.134
             192.168.10.135 192.168.10.136 192.168.10.137 192.168.10.138 192.168.10.139 192.168.10.140 192.168.10.141
             192.168.10.142 192.168.10.143 192.168.10.144 192.168.10.145 192.168.10.146 192.168.10.147 192.168.10.148
             192.168.10.149 192.168.10.150 192.168.10.151 192.168.10.152 192.168.10.153 192.168.10.154 192.168.10.155
             192.168.10.156 192.168.10.157 192.168.10.158 192.168.10.159 192.168.10.160 192.168.10.161 192.168.10.162
             192.168.10.163 192.168.10.164 192.168.10.165 192.168.10.166 192.168.10.167 192.168.10.168 192.168.10.169
             192.168.10.170 192.168.10.171 192.168.10.172 192.168.10.173 192.168.10.174 192.168.10.175 192.168.10.176
             192.168.10.177 192.168.10.178 192.168.10.179 192.168.10.180 192.168.10.181 192.168.10.182 192.168.10.183
             192.168.10.184 192.168.10.185 192.168.10.186 192.168.10.187 192.168.10.188 192.168.10.189 192.168.10.190
             192.168.10.191 192.168.10.192 192.168.10.193 192.168.10.194 192.168.10.195 192.168.10.196 192.168.10.197
             192.168.10.198 192.168.10.199 192.168.10.200 192.168.10.201 192.168.10.202 192.168.10.203 192.168.10.204
             192.168.10.205 192.168.10.206 192.168.10.207 192.168.10.208 192.168.10.209 192.168.10.210 192.168.10.211
             192.168.10.212 192.168.10.213 192.168.10.214 192.168.10.215 192.168.10.216 192.168.10.217 192.168.10.218
             192.168.10.219 192.168.10.220 192.168.10.221 192.168.10.222 192.168.10.223 192.168.10.224 192.168.10.225
             192.168.10.226 192.168.10.227 192.168.10.228 192.168.10.229 192.168.10.230 192.168.10.231 192.168.10.232
             192.168.10.233 192.168.10.234 192.168.10.235 192.168.10.236 192.168.10.237 192.168.10.238 192.168.10.239
             192.168.10.240 192.168.10.241 192.168.10.242 192.168.10.243 192.168.10.244 192.168.10.245 192.168.10.246
             192.168.10.247 192.168.10.248 192.168.10.249 192.168.10.250 192.168.10.251 192.168.10.252 192.168.10.253
             192.168.10.254

 

Launching and Managing Scans

There are 2 ways to launch scans:

  • Launch a Scan using an existing policy
  • Launch a Scan using a Scan Template

Lets first launch a scan using a policy and giving it a list of targets:

PS >Invoke-NessusScan -Index 0 -PolicyID 7 -Name "Lab Scan 1" -Targets 192.168.10.1-192.168.10.100


ScanID   : 0c0a28e2-824a-3606-4bd2-965d0da1c62272dde8c29f1faa6d
ScanName : Lab Scan 1
Owner    : carlos
Status   : running
Date     : 4/14/2013 2:21:02 AM

Now lets look at invoking the scan using a pre-configured template:

PS >Invoke-NessusScanTemplate -Index 0 -TemplateID template-b9d6c48e-516a-fe81-4294-458df6acfd45a74d7adc86d4815b


ScanID   : a3fb5b8c-60db-1dda-fac7-ee46c0d0a638ea8ce79ab209483c
ScanName : Dev Lab Full Scan
Owner    : carlos
Status   : running
Date     : 4/14/2013 2:21:50 AM

As it can be seen for repeated scans the template is the way to go since it is already named, a policy is already set and a target list is already present. For quick scans of single devices or hosts the launching of scans using policies is better.

We can take a look at the scans with the Show-NessusScans function:

PS >Show-NessusScans 0


ScanID   : a3fb5b8c-60db-1dda-fac7-ee46c0d0a638ea8ce79ab209483c
ScanName : Dev Lab Full Scan
Owner    : carlos
Status   : running
Date     : 4/14/2013 2:21:50 AM

ScanID   : 0c0a28e2-824a-3606-4bd2-965d0da1c62272dde8c29f1faa6d
ScanName : Lab Scan 1
Owner    : carlos
Status   : running
Date     : 4/14/2013 2:21:02 AM

As you will be able to see each scan has a unique ScanID, this is what we will use as the way to identify scans so we can manipulate them. Lets look at suspending a scan with Suspend-NessusScan :

PS >Suspend-NessusScan -Index 0 -ScanID 0c0a28e2-824a-3606-4bd2-965d0da1c62272dde8c29f1faa6d


ScanID   : 0c0a28e2-824a-3606-4bd2-965d0da1c62272dde8c29f1faa6d
ScanName : Lab Scan 1
Owner    : carlos
Status   : pausing
Date     : 4/14/2013 2:21:02 AM

We can resume the scan with Resume-NessusScan :

PS >Resume-NessusScan -Index 0 -ScanID 0c0a28e2-824a-3606-4bd2-965d0da1c62272dde8c29f1faa6d


ScanID   : 0c0a28e2-824a-3606-4bd2-965d0da1c62272dde8c29f1faa6d
ScanName : Lab Scan 1
Owner    : carlos
Status   : resuming
Date     : 4/14/2013 2:21:02 AM

We can also stop the scan Stop-NessusScan :

PS >Stop-NessusScan -Index 0 -ScanID 0c0a28e2-824a-3606-4bd2-965d0da1c62272dde8c29f1faa6d


ScanID   : 0c0a28e2-824a-3606-4bd2-965d0da1c62272dde8c29f1faa6d
ScanName : Lab Scan 1
Owner    : carlos
Status   : stopping
Date     : 4/14/2013 2:21:02 AM

 

One thing to keep in mind even if you stop the scan that what it has found to that point will still be saved as report.

Monday
Apr152013

Using Posh-SecMod PowerShell Module to Automate Nessus (Part1)

About 2 months ago I was chatting with some of the members of one of the QA Teams at work and they where telling me about their workflows for automating the testing of code and hosts added to the lab. One showed me some of the scripts they use and then it came to me why not automate Nessus from with in PowerShell. I would say that in 2 days in my spare time  using Brandon Perry Nessus-Sharp library for Nessus-XMLRPC written in C# https://github.com/brandonprry/nessus-sharp I forked the library and started modifying it to the needs I had I came up with a basic usable module. Sadly I got distracted with several projects and helping a bit to organize BSides PR I had not updated and cleaned the code until recently. Now that I have more time I would like to share the function I created and merge in to Posh-SecMod PowerShell module since I believe they could be useful to someone as they have to me.

Installing the Module

Posh-SecMod can be found at  https://github.com/darkoperator/Posh-SecMod and installing it is very simple. The module is a PowerShell v3 module only at the moment so it will only run on:
  • Windows 7
  • Windows 2008
  • Windows 2008R2
  • Windows 8
  • Windows 2012
For installing PowerShell on versions of Windows bellow you will need to install .Net 4.0 and then download and install the Windows Management Framework 3.0. Believe me it is all worth it just for the ISEv3. We start by running PowerShell with elevated privileges and make sure that you have set the ExecutionPolicy to RemoteSigned since none of the scripts, binaries and modules are signed with authenticode.
Set-ExecutionPolicy RemoteSigned

We then install the latest version of PSGet from inside PowerShell:

(new-object Net.WebClient).DownloadString("http://psget.net/GetPsGet.ps1") | iex

Once installed we can either install directly from GitHub using PSGet to Download the latest version of the module zip from GitHub by running.

import-module PsGet
install-module -ModuleUrl https://github.com/darkoperator/Posh-SecMod/archive/master.zip

The module will be available for use.

Listing Function to Interact with Nessus Server

To get a list of all the functions available for managing and automating Nessus we can load the module and filter the list for the word Nessus:

C:\> import-module Posh-SecMod
C:\> Get-Command -Module Posh-SecMod | where {$_.Name -like "*nessus*"}

CommandType Name ModuleName
----------- ---- ----------
Function Copy-NessusPolicy Posh-SecMod
Function Get-NessusPolicyXML Posh-SecMod
Function Get-NessusReportHostKB Posh-SecMod
Function Get-NessusReportHostsDetailed Posh-SecMod
Function Get-NessusReportHostSummary Posh-SecMod
Function Get-NessusReportItems Posh-SecMod
Function Get-NessusReportPluginAudit Posh-SecMod
Function Get-NessusReports Posh-SecMod
Function Get-NessusReportVulnSummary Posh-SecMod
Function Get-NessusServerAdvancesSettings Posh-SecMod
Function Get-NessusServerFeedInfo Posh-SecMod
Function Get-NessusServerGeneralSettings Posh-SecMod
Function Get-NessusServerLoad Posh-SecMod
Function Get-NessusServerMobileSettings Posh-SecMod
Function Get-NessusSession Posh-SecMod
Function Get-NessusUsers Posh-SecMod
Function Get-NessusV2ReportXML Posh-SecMod
Function Import-NessusV2Report Posh-SecMod
Function Invoke-NessusScan Posh-SecMod
Function Invoke-NessusScanTemplate Posh-SecMod
Function New-NessusScanTemplate Posh-SecMod
Function New-NessusSession Posh-SecMod
Function New-NessusUser Posh-SecMod
Function Remove-NessusPolicy Posh-SecMod
Function Remove-NessusScanTemplate Posh-SecMod
Function Remove-NessusSession Posh-SecMod
Function Remove-NessusUser Posh-SecMod
Function Resume-NessusScan Posh-SecMod
Function Show-NessusPolicy Posh-SecMod
Function Show-NessusScans Posh-SecMod
Function Show-NessusScanTemplate Posh-SecMod
Function Start-NessusServerFeedUpdate Posh-SecMod
Function Stop-NessusScan Posh-SecMod
Function Suspend-NessusScan Posh-SecMod
Function Update-NessusScanTemplate Posh-SecMod
Function Update-NessusUserPassword Posh-SecMod

Lets start by connecting to a Nessus Server. For this module I follow the philosophy of Session like we have with PSSession in PowerShell so as to be able to work with more than one Nessus server at the same time providing me greater flexibility. the Function to create a session is called New-NessusSession. All functions have help information that tells the user the purpose and all have examples of usage that can be read using the Get-Help cmdlet or it’s aliases man and help. To se the general information on the function we would do a

help <nessus function>

Full details can be seen by adding the –Full option or to only look at the usage example we can just use the –Example option.

Connecting to a Nessus Server and Working with Sessions

Lets connect to a Nessus Server  using the New-NessusSession function giving it the host to connect to, the credentials and since I do not have valid SSL Certificate on my test Nessus Server I use the switch –IgnoreSSL so it will not validate the certificate:

C:\> New-NessusSession -ComputerName nessus.darkoperator.com -Credentials (Get-Credential) -IgnoreSSL

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential


User : carlos
IsAdmin : True
Index : 0
SessionState : Nessus.Data.NessusManagerSession
SessionManager : Nessus.Data.NessusManager
IdleTimeout : 30
ScannerBootTime : 4/11/2013 12:04:58 AM
PluginSet : 201302261815
LoaddedPluginSet : 201302261815
ServerUUID : fd14bd4c-27bc-7c35-0308-876409e7758d0b0d82169800a061
Token : bfeaa869adea6cc99de404c73caf3d60594d92376716e28a
MSP : True
ServerHost : nessus.darkoperator.com

As you create connections to Nessus servers the connections a re stored in to the global variable $Global:nessusconn as you can see information about the server is included with each session object. Each session is referenced by the Index value. In fact each session has a type of Nessus.Server.Session we can have several connection and to one one we just do the same as we did before, the session is added automatically.

C:\> New-NessusSession -ComputerName 192.168.1.230 -Credentials (Get-Credential) -IgnoreSSL

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential


User : carlos
IsAdmin : True
Index : 1
SessionState : Nessus.Data.NessusManagerSession
SessionManager : Nessus.Data.NessusManager
IdleTimeout : 30
ScannerBootTime : 4/11/2013 8:53:03 AM
PluginSet : 201304120815
LoaddedPluginSet : 201304120815
ServerUUID : c1938596-19fe-dd76-9f74-1a680d6701b17b39b69cbe76805b
Token : 7275b221322838890ec4e50e9655591e49ce620c0c6fbb6f
MSP : True
ServerHost : 192.168.1.230

If you use a valid certificate on your Nessus Server you can skip the –IgnoreSSL. If the certificate is not valid you will see the errors as of to why it was not and you will see warning message asking you to continue. You can also use the –Verbose options, you will see that warnings and verbose messages come in different colors in PowerShell for easier distinction.

image 

To get all current sessions we use the Get-NessusSession function and it also allows us to select an individual session and save it to a variable.

C:\> Get-NessusSession


User : carlos
IsAdmin : True
Index : 0
SessionState : Nessus.Data.NessusManagerSession
SessionManager : Nessus.Data.NessusManager
IdleTimeout : 30
ScannerBootTime : 4/11/2013 12:04:58 AM
PluginSet : 201302261815
LoaddedPluginSet : 201302261815
ServerUUID : fd14bd4c-27bc-7c35-0308-876409e7758d0b0d82169800a061
Token : bfeaa869adea6cc99de404c73caf3d60594d92376716e28a
MSP : True
ServerHost : nessus.darkoperator.com

User : carlos
IsAdmin : True
Index : 1
SessionState : Nessus.Data.NessusManagerSession
SessionManager : Nessus.Data.NessusManager
IdleTimeout : 30
ScannerBootTime : 4/11/2013 8:53:03 AM
PluginSet : 201304120815
LoaddedPluginSet : 201304120815
ServerUUID : c1938596-19fe-dd76-9f74-1a680d6701b17b39b69cbe76805b
Token : 7275b221322838890ec4e50e9655591e49ce620c0c6fbb6f
MSP : True
ServerHost : 192.168.1.230

To remove a session from the list and log off from the server we use the Remove-NessusSession function:

PS C:\> Remove-NessusSession -Index 0
True

 

Retrieving Nessus Server Configuration Settings

We can get feed and version information for each session using the Get-NessusServerFeedInfo function, we can pipe the the sessions from Get-NessusSession objects in to it or specify the session or sessions thru the index parameter:

C:\> Get-NessusSession | Get-NessusServerFeedInfo


Feed : ProFeed
ServerVersion : 5.0.2
WebServerVersion : 4.0.31 (Build H20130328A)
MSP : False
Expiration : 9/19/2013 4:00:00 AM
ServerHost : nessus.darkoperator.com

Feed : ProFeed
ServerVersion : 5.0.2
WebServerVersion : 4.0.31 (Build H20130328A)
MSP : False
Expiration : 12/31/2013 5:00:00 AM
ServerHost : 192.168.1.230

We can see if we have a proxy configured to pull Nessus Feed, this is known in the Nessus GUI as the General Settings, the functions to get the configuration we use the Get-NessusServerGeneralSettings :

C:\> Get-NessusServerGeneralSettings -Index 1


proxy :
proxy_port :
proxy_username :
proxy_password :
user_agent :
custom_host :

we can pull the advanced settings from the servers with the Get-NessusServerAdvancesSettings and as you can see one of my servers runs in windows and the other runs on Linux.

C:\> Get-NessusSession | Get-NessusServerAdvancesSettings

allow_post_scan_editing : yes
auto_enable_dependencies : yes
auto_update : yes
auto_update_delay : 24
cgi_path : /cgi-bin:/scripts
checks_read_timeout : 5
disable_ntp : no
disable_xmlrpc : no
dumpfile : /opt/nessus/var/nessus/logs/nessusd.dump
global.max_hosts : 125
global.max_scans : 0
global.max_web_users : 1024
listen_address : 0.0.0.0
listen_port : 1241
log_whole_attack : no
logfile : /opt/nessus/var/nessus/logs/nessusd.messages
max_checks : 5
max_hosts : 30
nasl_log_type : normal
nasl_no_signature_check : no
non_simult_ports : 139, 445, 3389
optimize_test : yes
plugin_upload : yes
plugins_timeout : 320
port_range : default
purge_plugin_db : no
qdb_mem_usage : high
reduce_connections_on_congestion : no
report_crashes : yes
rules : /opt/nessus/etc/nessus/nessusd.rules
safe_checks : yes
silent_dependencies : yes
slice_network_addresses : no
ssl_cipher_list : strong
stop_scan_on_disconnect : no
stop_scan_on_hang : no
throttle_scan : yes
use_kernel_congestion_detection : no
www_logfile : /opt/nessus/var/nessus/logs/www_server.log
xmlrpc_idle_session_timeout : 30
xmlrpc_listen_port : 8834

allow_post_scan_editing : yes
auto_enable_dependencies : yes
auto_update : yes
auto_update_delay : 24
cgi_path : /cgi-bin:/scripts
checks_read_timeout : 5
disable_ntp : no
disable_xmlrpc : no
dumpfile : C:\Program Files\Tenable\Nessus\nessus\logs\nessusd.dump
global.max_scans : 0
global.max_web_users : 0
listen_address : 0.0.0.0
listen_port : 1241
log_whole_attack : no
logfile : C:\Program Files\Tenable\Nessus\nessus\logs\nessusd.messages
max_checks : 5
max_hosts : 100
nasl_log_type : normal
nasl_no_signature_check : no
non_simult_ports : 139, 445, 3389
optimize_test : yes
plugin_upload : yes
plugins_timeout : 320
port_range : default
purge_plugin_db : no
qdb_mem_usage : high
reduce_connections_on_congestion : no
report_crashes : yes
rules : C:\Program Files\Tenable\Nessus\conf\nessusd.rules
safe_checks : yes
silent_dependencies : yes
slice_network_addresses : no
ssl_cipher_list : strong
stop_scan_on_disconnect : no
stop_scan_on_hang : no
throttle_scan : yes
www_logfile : C:\Program Files\Tenable\Nessus\nessus\logs\www_server.log
xmlrpc_idle_session_timeout : 30
xmlrpc_listen_port : 8834

If I wan to see how many users, scans and just the general load on the server I can use the Get-NessusServerLoad to get this information, this can come useful if we see a server running slowly or we want to script to always use the server with the least load to launch our scans:

C:\> get-nessussession | Get-NessusServerLoad


ServerHost : nessus.darkoperator.com
Platform : LINUX
ScanCount : 0
SessionCount : 2
HostCount : 0
TCPSessionCount : 0
LoadAverage : 0.00

ServerHost : 192.168.1.230
Platform : WINDOWS
ScanCount : 0
SessionCount : 1
HostCount : 0
TCPSessionCount : 0
LoadAverage : 0.00

 

Working with Nessus Server Users

We can list and work with users in the Nessus Server, we can find all the Nessus Server user manipulation functions by searching for *nessususer* in the name of the functions in the module:

C:\> Get-Command -Module Posh-SecMod | where {$_.Name -like "*nessususer*"}

CommandType Name ModuleName
----------- ---- ----------
Function Get-NessusUsers Posh-SecMod
Function New-NessusUser Posh-SecMod
Function Remove-NessusUser Posh-SecMod
Function Update-NessusUserPassword Posh-SecMod

As you can see we can list the users, create a new user, remove a user and change the password of a user (if we are Admin of course).  Lets start by listing the users on the server:

C:\> New-NessusUser -IsAdmin -Credentials (Get-Credential) -Index 0

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential


ServerHost : nessus.darkoperator.com
Name : Paul
IsAdmin : True
LastLogging : 1/1/0001 12:00:00 AM
Session : Nessus.Server.Session

I can change the password for the user Paul:

C:\> Update-NessusUserPassword -Index 0 -Credentials (Get-Credential)

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential


ServerHost : nessus.darkoperator.com
Name : Paul
IsAdmin : True
LastLogging : 1/1/0001 12:00:00 AM
Session : Nessus.Server.Session

C:\> New-NessusSession -ComputerName nessus.darkoperator.com -Credentials (Get-Credential) -IgnoreSSL

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential


User : Paul
IsAdmin : True
Index : 2
SessionState : Nessus.Data.NessusManagerSession
SessionManager : Nessus.Data.NessusManager
IdleTimeout : 30
ScannerBootTime : 4/11/2013 12:04:58 AM
PluginSet : 201302261815
LoaddedPluginSet : 201302261815
ServerUUID : fd14bd4c-27bc-7c35-0308-876409e7758d0b0d82169800a061
Token : ec1d58e6b2fd2db1da9788bc6a259cd318ca551cc140de93
MSP : True
ServerHost : nessus.darkoperator.com

Lets close the session we created for testing and remove the user Paul:

C:\> Remove-NessusSession -Index 2
True

C:\> Remove-NessusUser -Index 0 -UserName Paul
True
C:\> Get-NessusUsers -Index 0


ServerHost : nessus.darkoperator.com
Name : carlos
IsAdmin : True
LastLogging : 4/12/2013 12:23:04 PM
Session : Nessus.Server.Session

ServerHost : nessus.darkoperator.com
Name : admin1
IsAdmin : True
LastLogging : 12/31/1969 8:00:00 PM
Session : Nessus.Server.Session

On the next blog post I will cover how to work with Policies and Scans. I do invite you to install it and start playing with it and the other functions in the module.

Friday
Apr122013

VI-ToolBox PowerCLI PowerShell Module

Recently I decided to migrate some of the PowerCLI (http://communities.vmware.com/community/vmtn/server/vsphere/automationtools/powercli) scripts I use for managing the lab at work and when I consult in infrastructure in to a module so as to make it easier for me to maintain. Also placed the module in GitHub so I can use git to keep it updated between my machines. The module can be found in https://github.com/darkoperator/VI-ToolBox

For using the module you just download the files in to a folder called VI-Toolbox in any of the that PowerShell v2 and v3 look in to for modules. You can list the folder by looking at the variable inside a PowerShell session:

C:\Users\Carlos> $env:PSModulePath
C:\Users\Carlos\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\

Once downloaded the files must be unlocked since Windows tends to block all PowerShell files downloaded from the web. If using PowerShell v2 you will have to right click on each file, going to properties and click on Unblock. In PowerShell v3 we can use the Unblock-File cmdlet with the following command:

Get-ChildItem $env:HOME\Documents\WindowsPowerShell\Modules\VI-Toolbox\* | Unblock-File

Lets start by importing the module and listing the functions we have available:

C:\Users\Carlos> Import-Module VI-ToolBox
C:\Users\Carlos> Get-Command -Module VI-Toolbox

CommandType     Name                                               ModuleName
-----------     ----                                               ----------
Function        Disconnect-VIMSession                              VI-ToolBox
Function        Get-VIMSessions                                    VI-ToolBox
Function        Get-VIUserEvents                                   VI-ToolBox
Function        Get-VMConsoleConnectionCount                       VI-ToolBox
Function        Get-VMEvents                                       VI-ToolBox
Function        Get-VMMountedCDRom                                 VI-ToolBox
Function        Get-VMToolStatus                                   VI-ToolBox
Function        Search-VMIPAddress                                 VI-ToolBox
Function        Search-VMMacAddress                                VI-ToolBox
Function        Search-VMOldSnapshots                              VI-ToolBox

Before we can use the functions we must connect to a vCenter server that manages the ESX/ESXi servers. For this we use the Connect-VIServer cmdlet offered by PowerCLI

C:\Users\Carlos> Connect-VIServer -Server vcenter

Name                           Port  User
----                           ----  ----
vcenter                        443   administrator

Once connected we can start working with the functions in the module.

Finding a VM given its IP Address

Many times in a virtual infrastructure we may find our selfs trying to find a VM with a given IP Address Specially when that VM is mis-behaving. To search for a VM the Search-VMIPAddress is available, we can give this function either a group of VMs thru the pipeline using the Get-VM cmdlet or if no VM Object is given it will search against all. Now vCenter uses the information given by the VMware Tools so they need to be installed and running on the host we are looking for:

C:\Users\Carlos> Search-VMIPAddress -IPAddress 192.168.10.10

VMName                                 VMHost                                IPAddress
------                                 ------                                ---------
ALAB-DC01                              labesxi01.darkoperator.com            192.168.10.10

Finding VM's given their MAC Address

Some times users will not install VMware Tools on their hosts, they might not support them or simply the service is not running. We can look for the VM given its MAC Address with the Search-VMMacAddress Function:

C:\Users\Carlos> Search-VMMacAddress -MAC 00:0c:29:eb:df:67


VMName       : ALB-DC02
VMHost       : labesxi01.darkoperator.com
AddapterName : Network adapter 1
NetworkName  : VM Network
MacAddress   : 00:0c:29:eb:df:67

Working with User Sessions

One of the things I always keep an eye out is for who is connecting to the server and to kill any old sessions for this I wrote 2 functions one call Get-VIMSessions and the other Disconnect-VIMSessions. In the following example I have 2 sessions for the Administrator user, one is our current session the other is a previous one that is Idle:

C:\Users\Carlos> Get-VIMSessions


UserName       : Administrator
FullName       :
Status         : Idle
Key            : 523ce38c-3fe5-d0d5-da47-8354f3a0c8ef
LoginTime      : 4/12/2013 6:35:40 PM
LastActiveTime : 4/12/2013 6:39:45 PM

UserName       : Administrator
FullName       :
Status         : Current Session
Key            : 52dcfcc9-a945-631f-c993-0e72c9e8fd08
LoginTime      : 4/12/2013 6:41:53 PM
LastActiveTime : 4/12/2013 6:41:53 PM

Now we see that in Status we can see what session is our current one in the case of several sessions with the same name. We disconnect sessions using the session key as the way to identify the session we want to kill:

C:\Users\Carlos> Disconnect-VIMSession -Key 523ce38c-3fe5-d0d5-da47-8354f3a0c8ef
True
C:\Users\Carlos> Get-VIMSessions


UserName       : Administrator
FullName       :
Status         : Current Session
Key            : 52dcfcc9-a945-631f-c993-0e72c9e8fd08
LoginTime      : 4/12/2013 6:41:53 PM
LastActiveTime : 4/12/2013 6:43:11 PM

Finding VMs with mounted ISO Images

One of the problems of many VMware Admins that have DRS is when their VM's have mounted CDROM Images and prevents the VMs from moving from one vmhosts to the next. For finding this VMs the Get-VMMountedCDRom function can be used against a given collection of VMs or against all, here is an ugly example:

C:\Users\Carlos> Get-VMMountedCDRom

Name                                                      ISO file
----                                                      --------
v-win2k81
ALAB-DC01                                                 [isostore] Microsoft/OS/en_windows_server_2012_x64_dv...
OEL6                                                      [] /usr/lib/vmware/isoimages/linux.iso
v-win2k82
v-win2k3
NSEC_DOM                                                  [isostore] Microsoft/en_windows_server_2012_x64_dvd_9...
fedora                                                    [isostore] Linux/Fedora-18-x86_64-DVD.iso
ALAB-WinXP01                                              [isostore] Microsoft/OS/en_windows_xp_service_pack_3_...
Win7-tmpl x64
Win2k8                                                    [isostore] Microsoft/en_windows_server_2008_datacente...
vuln-win2k8r2
win2k3-vmtest                                             [isostore] win2k3entsp2.iso
ALAB-LOGSRV                                               [isostore] Microsoft/OS/en_windows_server_2008_r2_sta...
ALAB-Win801                                               [isostore] Microsoft/OS/en_windows_8_enterprise_x64_d...
win2k3-tmpl x86
ALAB-Win802                                               [isostore] Microsoft/OS/en_windows_8_enterprise_x64_d...
ALAB-WinXP02                                              [isostore] Microsoft/OS/en_windows_xp_service_pack_3_...
ESXi5.1-01                                                [isostore] VMWare/VMware-VMvisor-Installer-5.1.0-7997...
MSFRH                                                     [] /usr/lib/vmware/isoimages/linux.iso
NessusScanner                                             [] /usr/lib/vmware/isoimages/linux.iso
vuln-xp
ALB-Exch10                                                [isostore] Microsoft/Exchange/mu_exchange_server_2010...
OSX Lion                                                  [isostore] Apple/OSX.LION.GM.iso
WinXP-tmpl-x86
win2k301                                                  [isostore] win2k3entsp2.iso
win2k302                                                  [isostore] win2k3entsp2.iso
Xenserver                                                 [isostore] XenServer-6.1-install-cd.iso
Win2k8R2-core-tmpl x64
Debian6                                                   [] /usr/lib/vmware/isoimages/linux.iso
Ubuntusrv                                                 [isostore] Linux/ubuntu-12.04.1-server-amd64.iso
ALAB-WSUS                                                 [isostore] Microsoft/OS/en_windows_server_2012_x64_dv...
vuln-7
ALAB-Win702                                               [isostore] Microsoft/OS/en_windows_7_ultimate_with_sp...
win2k81
ALAB-Win701                                               [isostore] Microsoft/OS/en_windows_7_enterprise_x64_d...
CentOS6x64                                                [] /usr/lib/vmware/isoimages/linux.iso
Win2k82
test2centos                                               [isostore] Linux/CentOS-6.3-x86_64-bin-DVD1.iso
vCenter                                                   [isostore] VMWare/VMware-VIMSetup-all-5.1.0-799735.iso
BIND_NS                                                   [] /usr/lib/vmware/isoimages/linux.iso
hvtest                                                    [isostore] Microsoft/OS/en_windows_server_2012_x64_dv...
ALB-DC02                                                  [isostore] Microsoft/OS/en_windows_server_2008_r2_sta...
SL6                                                       [] /usr/lib/vmware/isoimages/linux.iso
win2k8r2tmpl
win2k8_vuln                                               [isostore] Microsoft/en_windows_server_2008_datacente...

Now we can unmount the images from all the machines:

C:\Users\Carlos> get-vm | Get-CDDrive | Set-CDDrive -NoMedia -Confirm:$false

Checking VMware Tools

I wrote a simple function to check if tools are running, outdated or just not installed. The function Get-VMToolStatus can get the status of the tools for a collection of VMs or all if none is specified. Here is an example for finding all the VM's whose tools need attention:

C:\Users\Carlos> Get-VMToolStatus | where {$_.ToolStatus -notin "toolsNotRunning","toolsNotRunning","toolsOK"} | ft -AutoSize

Name                 ToolStatus
----                 ----------
fedora        toolsNotInstalled
win2k3-vmtest toolsNotInstalled
ESXi5.1-01    toolsNotInstalled
Xenserver     toolsNotInstalled
Ubuntusrv     toolsNotInstalled
test2centos   toolsNotInstalled
vCenter                toolsOld

Working with User Login, Permission and VM Console Events

Many times I find my self looking at login/Logoff actions and checking permissions for my customers to make sure nobody was given permissions they do not need or track the actions of a developer. Since this is a repeatable task I wrote a function that lets me filter events for sessions by the type of actions, The function is Get-VIUserEvents and one can filter for the following events:

  • Privilege Management
  • Login/Logoff
  • Connection to VM Console

Many times I need to filter and look in specific time frames so the function supports filtering the search by:

  • Hours
  • Days
  • Months
  • Specific date in the past Also one can filter by user name.

To get a list of the event types we can look at the help information for the parameter:

C:\Users\Carlos> help Get-VIUserEvents -Parameter eventtype

-EventType < string >
    Type of events to filter for. Accepts Permission, Session, Console or Any

    Required?                    false
    Position?                    named
    Default value
    Accept pipeline input?       false
    Accept wildcard characters?  false

Here is an example where we look for session events, in the last 8 hours and filter for the user administrator:

C:\Users\Carlos> Get-VIUserEvents -Hours 8 -EventType Session -UserName administrator


IpAddress            : fe80::6966:22f4:8dc0:b35b%10
UserAgent            : VMware VI Client/4.0.0
Locale               : en_US
SessionId            : 523ce38c-3fe5-d0d5-da47-8354f3a0c8ef
Key                  : 103
ChainId              : 103
CreatedTime          : 4/12/2013 6:35:40 PM
UserName             : Administrator
Datacenter           :
ComputeResource      :
Host                 :
Vm                   :
Ds                   :
Net                  :
Dvs                  :
FullFormattedMessage : User Administrator@fe80::6966:22f4:8dc0:b35b%10 logged in as VMware VI Client/4.0.0
ChangeTag            :
DynamicType          :
DynamicProperty      :

IpAddress            : 192.168.1.243
UserAgent            : Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 4.0.30319.18033)
Locale               : en
SessionId            : 52e52807-1476-783b-f480-d11d4551570c
Key                  : 276
ChainId              : 276
CreatedTime          : 4/12/2013 6:41:52 PM
UserName             : Administrator
Datacenter           :
ComputeResource      :
Host                 :
Vm                   :
Ds                   :
Net                  :
Dvs                  :
FullFormattedMessage : User Administrator@192.168.1.243 logged in as Mozilla/4.0 (compatible; MSIE 6.0; MS Web
                       Services Client Protocol 4.0.30319.18033)
ChangeTag            :
DynamicType          :
DynamicProperty      :

IpAddress            : 192.168.1.243
UserAgent            : Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 4.0.30319.18033)
Locale               : en
SessionId            : 52dcfcc9-a945-631f-c993-0e72c9e8fd08
Key                  : 277
ChainId              : 277
CreatedTime          : 4/12/2013 6:41:53 PM
UserName             : Administrator
Datacenter           :
ComputeResource      :
Host                 :
Vm                   :
Ds                   :
Net                  :
Dvs                  :
FullFormattedMessage : User Administrator@192.168.1.243 logged in as Mozilla/4.0 (compatible; MSIE 6.0; MS Web
                       Services Client Protocol 4.0.30319.18033)
ChangeTag            :
DynamicType          :
DynamicProperty      :

Working with VM Power On, Power Off, Deletion, Creation and Console Events

Many times I found myself fishing thru events for monitoring actions taken on events that affected the availability of VM's and to monitor VM Sprawl so I crated in my toolkit Get-VMEvents to help me parse the events. Just like the user event function we can filter by event type and dates. We can see the event types we can filter thru can be seen in the parameter help:

C:\Users\Carlos> help Get-VMEvents -Parameter eventtype

-EventType <string>
    Specific types of event to filter on. Accepts Creation, Deletion, Console, PowerOn, PowerOff or Any

    Required?                    false
    Position?                    named
    Default value
    Accept pipeline input?       false
    Accept wildcard characters?  false
 

Here is an example of checking for PowerOn events in the last couple of hours:

C:\Users\Carlos> Get-VMEvents -EventType PowerOn -Hours 3


Template             : False
Key                  : 373
ChainId              : 373
CreatedTime          : 4/12/2013 8:02:14 PM
UserName             :
Datacenter           : VMware.Vim.DatacenterEventArgument
ComputeResource      : VMware.Vim.ComputeResourceEventArgument
Host                 : VMware.Vim.HostEventArgument
Vm                   : VMware.Vim.VmEventArgument
Ds                   :
Net                  :
Dvs                  :
FullFormattedMessage : NessusScanner on  labesxi01.darkoperator.com in Lab is powered on
ChangeTag            :
DynamicType          :
DynamicProperty      :