Thursday, January 9, 2014

Open Source Vulnerability Scanning

I love being able to use open source software and intelligence to perform security tasks. When asked to do some vulnerability scanning away from my commercial tools, I found some work by Adam Ziaja.


On a Kali Linux machine I installed his script called “vulnerability check”. Adam has put together what he calls “A simple script uses open source software (nmap, vFeed and DPE) and performs almost same task as Nessus or AVDS”.

After following his instructions, installing the software and updating the databases, I created my own wrapper script around his work.


vc_run
usage: vc_run network_range report_name
example: ./vc_run 10.10.1.0/24 report-10.10


#!/bin/bash
# vc_run: nmap version scan -> vc.php CVE lookup -> HTML report
# Run it from the directory that holds vc.php (or put the full path to vc.php below).
set -e

if [ $# -ne 2 ]; then
    echo "usage: $0 network_range report_name" >&2
    exit 1
fi

REPORTS=/root/reports
mkdir -p "$REPORTS"

# Map the network with software version discovery.
# The XML is what vc.php consumes; the text output is kept for reading.
nmap -sV "$1" -oX "$REPORTS/$2.xml" > "$REPORTS/$2.nmap.txt"

# Feed the author's script with our nmap results (vFeed and DPE databases as installed per his instructions)
php vc.php /opt/vFeed/vfeed.db /opt/dpe/dpe_db.xml "$REPORTS/$2.xml" > "$REPORTS/$2.vfeed.txt"

# Convert the XML to HTML (install xsltproc). With no stylesheet given, xsltproc uses
# the nmap.xsl stylesheet referenced by the xml-stylesheet instruction nmap writes into its XML.
xsltproc "$REPORTS/$2.xml" -o "$REPORTS/$2.html"

# Uncomment to open in browser at the end of the run
#firefox "$REPORTS/$2.html"


Additionally, after running the scan, each CVE can be evaluated on three items: (1) risk, (2) whether an OS vendor (Microsoft, Linux) patch is available, and (3) whether a public exploit is available.

The following command lines, using vFeed's own command-line client, were used to acquire this additional detail (shown here for CVE-2010-3972):


/opt/vFeed/vfeedcli.py get_risk CVE-2010-3972
Severity: High
Top vulnerability: True
       [cvss_base]: 10.0
       [cvss_impact]: 10.0
       [cvss_exploit]: 10.0
PCI compliance: Failed


/opt/vFeed/vfeedcli.py get_ms CVE-2010-3972
[Microsoft_ms_id]: MS11-004
[Microsoft_ms_title]: Vulnerability in Internet Information Services (IIS) FTP Service Could Allow Remote Code Execution


[stats] 1 Microsoft MS Patch(s)


/opt/vFeed/vfeedcli.py get_msf CVE-2010-3972
[msf_id]: iis75_ftpd_iac_bof.rb
[msf_title]: Microsoft IIS FTP Server Encoded Response Overflow Trigger
[msf_file]: metasploit-framework/modules/auxiliary/dos/windows/ftp/iis75_ftpd_iac_bof.rb


[stats] 1 Metasploit Exploits/Plugins



These results should be summarised in the report to give system administrators a prioritised, actionable list that produces immediate, tangible results. The remaining vulnerabilities can be remediated as time allows and as patches or fixes are released by vendors. One caveat when reading the get_msf output: note the module type. The module listed above lives under auxiliary/dos, so it is a denial-of-service trigger rather than a code-execution exploit, and "public exploit available" should be weighted accordingly.

Additional work that could be done: it would be interesting to parse the vc output, grep out the CVE ids and then script the get_risk, get_ms and get_msf lookups for a bit more automation...
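As an added example of that automation (my own code, not part of vc or vFeed), the script below greps CVE ids out of a vc report, runs the three vfeedcli.py lookups for each one, parses the "[key]: value" / "Key: value" output shown above, and sorts the results so that CVEs with a public Metasploit exploit come first and DoS-only modules are flagged. It assumes vfeedcli.py lives at the path used in this post and prints the layout shown above; the sample vc report and the CVE-2099-0001 answers are constructed so the logic can be exercised offline (the CVE-2010-3972 answers are the ones shown above).

```python
#!/usr/bin/env python3
"""Added example: grep CVE ids out of a vc report, enrich each with vFeed's
get_risk / get_ms / get_msf output and rank them for the sysadmin report.
Assumed: vfeedcli.py at the path used in this post, printing the
'[key]: value' and 'Key: value' layout shown in the post."""
import re
import subprocess
from collections import OrderedDict

VFEEDCLI = "/opt/vFeed/vfeedcli.py"                               # path as used in this post
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)
BRACKET_RE = re.compile(r"^\s*\[(\w+)\]:\s*(.*?)\s*$")            # [cvss_base]: 10.0
PLAIN_RE = re.compile(r"^\s*([A-Za-z][\w ]*?):\s*(.*?)\s*$")      # Severity: High

def extract_cves(text):
    """Unique CVE ids in order of first appearance (duplicates dropped)."""
    return list(OrderedDict.fromkeys(m.group(0).upper() for m in CVE_RE.finditer(text)))

def parse_vfeed(output):
    """vfeedcli.py output -> {key: [values]}; '[stats] ...' summary lines are ignored."""
    fields = {}
    for line in output.splitlines():
        m = BRACKET_RE.match(line) or PLAIN_RE.match(line)
        if m:
            fields.setdefault(m.group(1), []).append(m.group(2))
    return fields

def vfeed_query(method, cve):
    """Run the real client, e.g. /opt/vFeed/vfeedcli.py get_risk CVE-2010-3972."""
    return subprocess.run([VFEEDCLI, method, cve], capture_output=True, text=True).stdout

def enrich(cve, query=vfeed_query):
    """Risk, Microsoft patch and Metasploit module data for one CVE."""
    risk = parse_vfeed(query("get_risk", cve))
    ms = parse_vfeed(query("get_ms", cve))
    modules = parse_vfeed(query("get_msf", cve)).get("msf_file", [])
    return {
        "cve": cve,
        "severity": risk.get("Severity", ["Unknown"])[0],
        "cvss_base": float(risk.get("cvss_base", ["0"])[0]),
        "ms_patches": ms.get("Microsoft_ms_id", []),
        "msf_modules": modules,
        # A module under modules/exploits/ gives code execution; one under
        # auxiliary/dos/ only crashes the service, so it is flagged separately.
        "rce_module": any("/exploits/" in f for f in modules),
        "dos_only": bool(modules) and all("/auxiliary/dos/" in f for f in modules),
    }

def priority(rec):
    """Sort key: public RCE module, then any module, then CVSS, then patch availability."""
    return (rec["rce_module"], bool(rec["msf_modules"]), rec["cvss_base"], bool(rec["ms_patches"]))

def enrich_report(vc_text, query=vfeed_query):
    """All CVE ids in the vc output, enriched and sorted highest priority first."""
    return sorted((enrich(c, query) for c in extract_cves(vc_text)), key=priority, reverse=True)

# Constructed sample data (not real vc output) so the logic can be exercised offline.
# The CVE-2010-3972 answers are the ones shown in this post; CVE-2099-0001 is made up.
SAMPLE_VC_REPORT = """21/tcp  open  ftp  Microsoft ftpd
  CVE-2010-3972  IIS FTP Service remote code execution
  CVE-2010-3972  (same id repeated by a second matching CPE)
  CVE-2099-0001  (constructed id)
"""
SAMPLE_VFEED = {
    ("get_risk", "CVE-2010-3972"): "Severity: High\nTop vulnerability: True\n"
        "       [cvss_base]: 10.0\n       [cvss_impact]: 10.0\n       [cvss_exploit]: 10.0\n"
        "PCI compliance: Failed\n",
    ("get_ms", "CVE-2010-3972"): "[Microsoft_ms_id]: MS11-004\n[Microsoft_ms_title]: Vulnerability in "
        "Internet Information Services (IIS) FTP Service Could Allow Remote Code Execution\n\n"
        "[stats] 1 Microsoft MS Patch(s)\n",
    ("get_msf", "CVE-2010-3972"): "[msf_id]: iis75_ftpd_iac_bof.rb\n[msf_title]: Microsoft IIS FTP Server "
        "Encoded Response Overflow Trigger\n[msf_file]: metasploit-framework/modules/auxiliary/dos/windows/"
        "ftp/iis75_ftpd_iac_bof.rb\n\n[stats] 1 Metasploit Exploits/Plugins\n",
    ("get_risk", "CVE-2099-0001"): "Severity: Medium\n       [cvss_base]: 6.8\n",
    ("get_msf", "CVE-2099-0001"): "[msf_id]: example_rce.rb\n[msf_file]: metasploit-framework/modules/"
        "exploits/windows/example/example_rce.rb\n",
}

def sample_query(method, cve):
    """Offline stand-in for vfeed_query that serves the constructed samples."""
    return SAMPLE_VFEED.get((method, cve), "")

if __name__ == "__main__":
    import sys
    # With a vc report file as argument the real client is used; with no argument the samples are.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_VC_REPORT
    query = vfeed_query if len(sys.argv) > 1 else sample_query
    for r in enrich_report(text, query):
        print(f"{r['cve']:15} {r['severity']:8} cvss={r['cvss_base']:<4} "
              f"patch={','.join(r['ms_patches']) or '-'} "
              f"msf={','.join(r['msf_modules']) or '-'}{' (DoS only)' if r['dos_only'] else ''}")
```

Run it as `./vc_enrich.py /root/reports/report-10.10.vfeed.txt` (name assumed) after vc_run finishes; without an argument it prints the ranking for the constructed samples. The query function is injected so the parsing and ranking can be tested without vFeed installed, and the DoS-only flag exists precisely because of the caveat above: a hit from get_msf is not automatically a remote code execution exploit.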