
Network Security Nessus-Users

RE: NessusWX v GTK client

Subject: RE: NessusWX v GTK client
Date: Tue, 23 Aug 2005 02:11:26 +0000
Awesome help John and thanks so much for the detailed explanation!

That actually isn't too far off from what I thought I should do (build my own nessusrc and make modifications as needed) so that makes me feel a bit better as to the sanity of my approach. :-)

Thanks again - you've made my day!


----Original Message Follows----
From: "John Scherff" <JScherff@24hourfit.com>
To: "net sec" <netsec9@hotmail.com>
Subject: RE: NessusWX v GTK client
Date: Mon, 22 Aug 2005 18:46:35 -0700

You wrote:
>> I think I just need to bite the bullet and get my hands dirty with writing
>> my own scripts as you have.  Do you happen to know of a way I could get a
>> hint/helper by seeing what the exact command line equivalent of the GTK GUI
>> session would be - similar to what nmap does?  Is it part of a log
>> somewhere that I could look at?

Well, that's pretty easy: there are almost no command-line equivalents.
To get what you want, you use a combination of four things:

(1) command-line options (there are few of these)
(2) nessus server (daemon) configuration file
(3) nessus target file (containing hosts, subnets, ip ranges, etc., to
scan)
(4) nessus client configuration file

The command-line options available are (almost) all documented in the
man page for nessus.

The nessus server configuration file options are (almost) all documented
in the nessusd man page.  They're also pretty self-explanatory (the
default config file, usually in /usr/local/etc/nessus, is heavily
commented).

The target file is pretty straightforward; it's a list of targets to
scan, each on separate lines.  These can be individual host names,
fully-qualified host names, individual ip addresses, ip address ranges,
or subnets specified in CIDR notation (e.g., 10.1.20.4/24).

The last item, the nessus client configuration file, is where you will
do most of your work in getting your scans to behave the way you want
them to.  Its options are also almost completely undocumented.

So how do you create the client configuration file?  Like this:

(1) Start the GTK client, and configure it the way you want it.  E.g.,
set the scanner options, the plugin families and individual plugins, the
plugin configuration settings, etc., etc.  Take your time and work
through every option, getting it set up precisely the way you want it.
(The nice thing about the GTK client is that it has very good
context-sensitive help for most options... just hover the mouse over the
option for a second or two.)

(2) When you have everything configured the way you want, enter a bogus
host name in the target section, and start the scan.

(3) Stop the scan as soon as it starts.

(4) Close the GTK client.

(5) Go to the home directory of the user account you used to run the
scan.  In this directory will be a hidden file named .nessusrc.  Copy
and rename this file.  You will use it on the command line to provide
nessus with its configuration options.

After you do all this, you can run your nessus scan from the command
line like this:

nessus -V -c <config_file> -T nbe -xq <nessushost> <nessusport>
<nessususer> <nessuspassword> <target_file> <result_file>

Where:
   <config_file> is the re-named .nessusrc file from above,
   <nessushost> is the server running the nessus daemon
   <nessusport> is the port nessus is listening on (usu. 1241)
   <nessususer> is the nessus user ID you want to use
   <nessuspassword> is the password for the nessus account
   <target_file> is the list of hosts/networks to scan, one per line
   <result_file> is the file that will contain the nessus nbe report

Once you run the scan and have your report in NBE format, you can grep
out the stuff you don't want, then convert it to a very nicely formatted
HTML report with:

nessus -i <filename>.nbe -o <anotherfilename>.html

CAVEATS:

There is one small, minor issue with all this.  When you select plug-in
families in the GUI, what really happens in the .nessusrc file is that
each plugin gets turned on or off individually.  Because of this, your
config file will be "out-dated" as soon as you download new plugins.  To
remedy this, I recommend getting the update-nessusrc python script
(available from http://www.edgeos.com/resources/, bottom of page) or the
update-nessusrc perl script (available from
http://www.tifaware.com/perl/update-nessusrc/).  These scripts update an
existing configuration file with new plug-ins.  You tell the scripts
which plug-in families you want (or specify other selection options),
and the scripts take care of the rest.  They're by separate authors, but
both are excellent.  (The perl version looks like it has some more
configuration options - e.g., select by severity, risk, type, SANS
top-20, etc.)

NOTE: the severity filtering capabilities of the Perl update-nessusrc
script would address some of the requirements in your original posting.

Hope this helps.

(I didn't post this to the list because you sent your last message to me
directly and I didn't know if you wanted it published.  I do think the
list might benefit, so post if you wish.)

John Scherff
IT Security Analyst
24 Hour Fitness

-----Original Message-----
From: net sec [mailto:netsec9@hotmail.com]
Sent: Monday, August 22, 2005 4:03 PM
To: John Scherff
Subject: RE: NessusWX v GTK client

Thanks for the quick and very informative response.
I think I just need to bite the bullet and get my hands dirty with writing
my own scripts as you have.  Do you happen to know of a way I could get a
hint/helper by seeing what the exact command line equivalent of the GTK GUI
session would be - similar to what nmap does?  Is it part of a log somewhere
that I could look at?

Thanks again!

----Original Message Follows----
From: "John Scherff" <JScherff@24hourfit.com>
To: "net sec" <netsec9@hotmail.com>,<nessus@list.nessus.org>
Subject: RE: NessusWX v GTK client
Date: Mon, 22 Aug 2005 14:13:23 -0700

An easy way to filter particular findings out of the Nessus report is to
have nessus write its findings to an NBE file (one finding per line) and
then filter out the findings you don't want.  For example:

    If you don't want informational messages, use
    grep -v '|Security Note|' original_report.nbe > new_report.nbe

    If you don't want findings associated with Nessus ID 10264 (SNMP
community strings), use
    grep -v '|10264|' original_report.nbe > new_report.nbe

    If you don't want findings for a host named abc123.example.com, use
    grep -v '|abc123.example.com|' original_report.nbe > new_report.nbe

(Be careful on that last one... your input file and your name resolution
options will affect how the name appears in the report.)

Note that the pipe symbols in the search expression are important - they
are field delimiters.  If you omit them, you will filter out ANY record
that contains the expression - even if it appears in the (sometimes
lengthy) detailed description field.

When you have filtered out all the stuff you don't want, you can use the
"new" nbe file to create a report:

    nessus -i new_report.nbe -o new_report.html.

This method gets a little messy if you're trying to filter out many
things at once.  (Using multiple chained grep expressions will obviously
create a major performance hit.)  For my environment, I wrote a perl
script that reads filters in from text files (e.g., low-severity
filters, false-positive filters, risk-accepted findings, etc.), removes
them from my nessus report files, generates HTML reports from the
"cleaned-up" nbe files, and then emails the reports to me.

I don't use either GUI; I automate all my scans using the command-line
version.  The ease-of-use isn't there, but all the functionality is - if
you look hard enough.

R/ John Scherff
IT Security Analyst
24 Hour Fitness


-----Original Message-----
From: nessus-bounces@list.nessus.org [mailto:nessus-bounces@list.nessus.org] On Behalf Of net sec
Sent: Monday, August 22, 2005 1:50 PM
To: nessus@list.nessus.org
Subject: NessusWX v GTK client

I am trying to get more proficient in Linux so have forced myself to
rely on the GTK native client rather than use the NessusWX.  Maybe it is
the nature of those that have relied on Windows based products to want
an easy point and click solution but some of the features that I see in
NessusWX are missing in the GTK client that I believe would be very
useful.

Examples:  Exporting reports/results directly to a mySQL database and
ability to filter/sort reports based on severity level or host vs.
vulnerability.

Question:  Is this readily available on the purely Linux side and I am
missing something or do most GTK users have the wherewithal to write
their own solutions using Perl etc.? (I don't yet)  Does anyone have
suggestions on relatively simple solutions to getting Nessus reports
into mySQL?  What I really want to do is produce flexible output that
can include reports sorted by vulnerability, only contain High Severity
items or do not include summaries.

Suggestions are appreciated and flaming somewhat expected :-)


_______________________________________________ Nessus mailing list Nessus@list.nessus.org http://mail.nessus.org/mailman/listinfo/nessus


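The NBE filtering John describes (delimited fields, filters read from text files, one pass per filter) as an added example; this is not code from the thread or from Nessus. The results-record column order, the sample report and the filter file names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: drop NBE findings by exact
# field match rather than grep -v '|10264|'. Assumed results-record layout
# (an assumption; check it against your own .nbe file):
#   results|<subnet>|<host>|<port>|<plugin id>|<severity>|<description>

# Constructed sample report, not real scanner output.
SAMPLE_NBE='timestamps|||scan_start|Mon Aug 22 14:00:00 2005|
results|10.1.20|10.1.20.4|snmp (161/udp)|10264|Security Hole|SNMP community string is readable
results|10.1.20|10.1.20.4|ssh (22/tcp)|10267|Security Note|SSH version detected; see also plugin 10264
results|10.1.20|abc123.example.com|http (80/tcp)|11219|Security Warning|Web server detected
results|10.1.20|10.1.20.9|http (80/tcp)|10107|Security Note|Banner references abc123.example.com
timestamps|||scan_end|Mon Aug 22 14:20:00 2005|'

# filter_nbe FIELD LISTFILE  (report on stdin, kept lines on stdout)
#   FIELD:    NBE column to test: 3=host, 5=plugin id, 6=severity
#   LISTFILE: one value per line; a results record whose FIELD equals any
#             listed value is dropped, every other record passes unchanged.
filter_nbe() {
    awk -F'|' -v field="$1" -v listfile="$2" '
        BEGIN { while ((getline v < listfile) > 0) if (v != "") drop[v] = 1 }
        $1 != "results" { print; next }   # keep timestamps and other records
        !($field in drop) { print }
    '
}

# count_results TEXT -> number of results records in TEXT
count_results() {
    printf '%s\n' "$1" | grep -c '^results|'
}

# Demonstration: a bare grep -v also drops the SSH finding whose description
# merely mentions 10264; the field filter drops only the SNMP finding.
tmpdir=${TMPDIR:-/tmp}/nbe_filter_$$
mkdir -p "$tmpdir"
printf '10264\n' > "$tmpdir/plugins.txt"
printf 'Security Note\n' > "$tmpdir/severities.txt"
naive=$(printf '%s\n' "$SAMPLE_NBE" | grep -v 10264)
exact=$(printf '%s\n' "$SAMPLE_NBE" | filter_nbe 5 "$tmpdir/plugins.txt")
echo "grep -v 10264 keeps $(count_results "$naive") findings"      # 2
echo "field filter keeps $(count_results "$exact") findings"       # 3

# Filter files chain, one pass per file, as in the perl script described above.
cleaned=$(printf '%s\n' "$SAMPLE_NBE" \
    | filter_nbe 5 "$tmpdir/plugins.txt" \
    | filter_nbe 6 "$tmpdir/severities.txt")
echo "plugin + severity filters keep $(count_results "$cleaned") finding"   # 1
rm -rf "$tmpdir"
```

The cleaned output can be handed straight to `nessus -i cleaned.nbe -o cleaned.html` as in the thread.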
