PaulDotCom

Thwarting Client Side attacks with Software Restriction Policy

Wed, 15 May 2013 09:00:38 -0500

A few weeks ago I started looking at Windows Software Restriction Policy (SRP) and using it to stop client side attacks. This is going to go over some of the options, setup and the results once enabled.

SRP is easy to setup via Group Policy Object (GPO). Inside GPO editor create New Software Restriction Policy. Once create the default will be setup. You can look around to see basic options. Here is my tested setup.

Enforcement: Select "All Software files" and "All users except local administrators"

Under Designated File types: Remove type LNK - this will make sure that shortcuts placed outside of the designated execution directories will run. When I initially tested what I thought would work none of the shortcuts on the toolbar or desktop would launch an application and I found this to be the issue.

Ignore trusted publishers, this is used if we are limiting applications based on the certificate authority.

Select "Additional Rules"

The default execution directories will be selected.

%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%

Since mine is 64bit Windows I added

%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)%

Security level for these are all going to be "Unrestricted" I want them to be able to execute as normal.

Now back under "Security Levels" the default setting is Unrestricted, since we are changing users over to defined execution directories I want to set anything not specifically allowed in the Additional Rules section to "Disallowed." So we change the default to Disallowed.

Save this and run gpupdate /force on the target machine.

Now to test a client side attack using SET. I am going to use the java attack method. 1 -> Social-Engineering Attacks, 2 -> Website Attack Vectors, 1 -> Java Applet Attack Method, 1 -> Web Templates, 1 -> Java Required, 2 -> Windows Reverse_TCP Meterpreter, 16 -> Backdoored Executable - Enter port of listener (default 443)

Fire it up and wait till it starts the payload handler.

Once the handler is started you are ready to test the attack. Go ahead and run the unsafe java applet.

You will notice that the the site is responding but the java applet is unable to execute the payload.

After attempting this and being successful, I tried running SET with PowerShell Injection and to my surprise the attack succeeded. I realized with PowerShell the payload was running from the C:\Windows\sysWOW64\WindowsPowerShell directory which by default is explicitly allowed. To defeat this attack I added the path to the list of Additional Rules and set it to "Basic User", retested the attack with PS Injection and the attack failed as expected. I tested this with multiple payloads and encoding methods and everyone of them did not result in a successful attack.

I ran two other tests, the first was using EXE embedded PDF and an older version of Adobe Reader (9.3). SRP was able to successfully stop this attack.

Finally I tested a physical attack using a USB Rubber Ducky Human Interface Device (HID) from the folks over at hak5 (www.hak5.com). I used a great little payload generator found over on google code (https://code.google.com/p/simple-ducky-payload-generator/ ) It is pretty slick and simple, I used a meterpreter powershell injection payload that didn't attempt to elevate privileges. SRP was able to successfully stop this attack. If the user had admin privileges and entered in creds in the UAC window it would have worked since I allow Local Admins unrestricted access.

In Production the are likely other directories where code needs to execute, those will need to be added to the allow list. As the config is done, administrators will be able to bypass these rules for installation of software etc. Administrators will also need to ensure that ACLs are properly set since a curious user could move executables into the approved directories and run them. While this is like a bit tough to implement in a very large organization this is a very effective method for stopping client side attacks.

To find other executable directories in use in your environment enable SRP with defaults (fully unrestricted) and set the following registry key:

"HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
String Value: LogFileName, <path to log file>

This will log the executable and the directory it was run from a little data mining can determine were applications need to execute from. Also Inventory Collector from Application Compatibility toolkit can assist in this task.

Update:

One PDC reader noted that the configuration would allow a PowerShell attack from SET to work on 32bit systems since the path on 32bit is C:\Windows\System32\WindowsPowerShell - Also this directory exists on 64bit machines as well, a modification to the SET Payload could allow the attack to succeed.

A fix for this is to also add "C:\Windows\System32\WindowsPowerShell" to the locked down policy under "Additional Rules"

This methods above would work for the given attack vector, there may be other vectors that need additional rules depending on the environment.

-Greg

Episode 332 with Guest Brian Snow & Tech Segment with Tim Conway Thursday 6PM ET

Mon, 13 May 2013 08:03:03 -0500

Join us for PaulDotCom Security Weekly Episode 332, With guest Brian Snow. Brian spent his first 20 years at NSA doing and directing research that developed cryptographic components and secure systems. Many cryptographic systems serving the U.S. government and military use his algorithms; they provide capabilities not previously available and span a range from nuclear command and control to tactical radios for the battlefield. He created and managed NSA's Secure Systems Design division in the 1980s. He has many patents, awards, and honors attesting to his creativity. Also, for our tech segment we are joined by Tim Conway. Tim is the Technical Director of the Industrial Control Systems and SCADA programs at SANS, where he is responsible for developing, reviewing, and implementing technical components of the ICS and SCADA product offerings. Tim was formerly the Director of Compliance and Operations Technology at the Northern Indiana Public Service Company (NIPSCO).

Sit back and enjoy the show live or participate in the live chat on our Ustream channel:

NOTE: The video will play the most recent show up until we are live!

Drunken Security News - Episode 331

Sat, 11 May 2013 22:54:10 -0500

It's time for another Drunken Security News. Much of the gang was on the road this week so Patrick Laverty sat in with Paul and Engineer Steve for the show, plus Jack's epic beard called in via Skype from lovely Maryland.

First, Paul admitted it was a stretch to bring this into a security context but he wanted to talk about an article that he found in The Economist (via Bruce Schneier) about one theory that if the US would simply be nicer to terrorists, release them from Guantanamo Bay, Cuba and stop hunting them down around the world, that they would in turn be nicer to us. Also, fewer would pop up around the world. The thinking is that jailing and killing them turns others into terrorists. So here's the leap. Can the same be said for black hat hackers? If law enforcement agencies stop prosecuting the hackers, will they be nicer and will there be fewer of them? I think we all came to the same conclusion. "Nah."

Paul also found an Adam Shostack article about how attention to the tiniest details can be important to the largest degree. The example given was the vulnerability to the Death Star in the original Star Wars movie was so small and the chances of it being exploited were so remote that the Empire overlooked it, Grand Moff Tarkin even showing his arrogance shortly before his own demise. The same can be said for our systems. It might be a tiny hole and maybe you think that no one would look for it and even if they do, what are the chances they both find it and exploit it? In some cases, it can have quite dire consequences. The Empire overlooked a small vulnerability that they shouldn't have. Are you doing the same with your systems?

Did we happen to mention that Security BSides Boston is May 18 at Microsoft NERD in Cambridge, MA and Security BSides Rhode Island is June 14th and 15th in Providence, RI. Good seats and good conference swag are still available. We all hope to see you there!

The Onion's Twitter account was breached by the Syrian Electronic Army and they handled it a way that only The Onion can, making light of both themselves and the SEA. Additionally, possibly for the first time ever, The Onion published a non-parody post about exactly how the breach occurred.

Additionally, the National Republican Congressional Committee (NRCC) web site got spam hacked/defaced with Viagra ads. The only thing we were wondering is, are we sure it was hacked and not just a convenient online pharmacy for their members?

A new whitepaper was released from MIT talking about "Honeywords". The problem being solved here is creating a way for server admins to know sooner when a passwords file has been breached on a server. In addition to the correct password, this new system would add a bunch of fake passwords as well. When the attacker starts trying usernames and passwords, if they use one of the fake passwords, the server admin would be notified that someone is doing that and it is very likely that the passwords file has been breached. It's an interesting concept to ponder.

Jack had an article from Dennis Fisher at Threatpost, asking the question about what's the point of blaming various people for cyberespionage if we don't have a plan to do something about it.

The NSA also has its own 643 page document telling its members how to use Google to find things like Excel documents in Russian that contain the word "login". Wait, I feel like I've heard of this somewhere before. Oh yeah, that's right. Johnny Long was talking about Google Hacking at least as far back as 2007. It's just interesting some times to see things that the media gets wind of and without the slightest bit of checking, thinks something is "new".

That's it for this week. As always, check in each Thursday night at 6 pm Eastern time to catch PaulDotCom Security Weekly!

Episode 331 Show Notes

Episode 331 (mp3)

Tune in to PaulDotCom Security Weekly TV, Hack Naked TV, and Hack Naked At Night episodes on our YouTube Channel or our Bliptv channel.

Interview with Kurt Baumgartner - Episode 331

Fri, 10 May 2013 11:38:48 -0500

Episode 331 Show Notes

Kurt Baumgartner of Kaspersky Labs joins us to talk about Red October, a research paper that he co-authored, along with the other areas that he works on at Kaspersky.

Episode 331 (mp3)

Tune in to PaulDotCom Security Weekly TV, Hack Naked TV, and Hack Naked At Night episodes on our YouTube Channel or our Bliptv channel.

Interview With Rob Cheyne - Episode 331

Fri, 10 May 2013 11:10:51 -0500

Rob Cheyne is a highly regarded technologist, trainer, security expert and serial entrepreneur.

He was the co-founder and CEO of Safelight Security, a leading provider of information security education programs. He has taught information security training classes to tens of thousands of developers, architects, and managers for industry-leading organizations. He has over 20 years of experience in the information technology field and has been working in information security since 1998.

Rob regularly speaks at security and training conferences, and frequently presents to the local chapters of various security organizations.

Episode 331 Show Notes

Episode 331 (mp3)

Tune in to PaulDotCom Security Weekly TV, Hack Naked TV, and Hack Naked At Night episodes on our YouTube Channel or our Bliptv channel.

Episode 331 with Guest Rob Cheyne & Tech Segment with Kurt Baumgartner Thursday 6PM ET

Tue, 07 May 2013 17:05:33 -0500

Join us for PaulDotCom Security Weekly Episode 331 Rob Cheyne joins us from SafeLight Security. Prior to Safelight, Rob was a principal security instructor at Symantec, joining the company with the acquisition of @stake, a digital security consultancy, in 2004. Rob was a founding employee of @stake where he developed application security assessment methodologies and directed @stake's Application Security Center of Excellence. While at @stake, Rob led secure architecture and design reviews, secure code reviews, application penetration tests and a range of specialized security audits for Fortune 500 companies. He also worked on @stake's SmartRisk Analyzer team, which was spun off into Veracode, Inc. Rob is the author of LC4, a version of the award-winning L0phtCrack password auditing software. Also, for our tech segment we are joined by Kaspersky's Kurt Baumgartner to talk about the Red October Report: an Advanced Cyber-Espionage Campaign Targeting Diplomatic and Government Institutions Worldwide.

Sit back and enjoy the show live or participate in the live chat on our Ustream channel:

NOTE: The video will play the most recent show up until we are live!

Don't forget to follow us on Twitter: Paul Asadoorian, Larry Pesce, Jack Daniel, Carlos Perez, John Strand, Allison Nixon and Mike Perez.

Tune in to PaulDotCom Security Weekly TV, Hack Naked TV, and Hack Naked At Night episodes on our YouTube Channel or our Bliptv channel.

Drunken Security News - Episode 330

Tue, 07 May 2013 12:00:24 -0500

We're finally back with the videos from PaulDotCom Security Weekly. We had some technical issues with the recording of the shows, so if you didn't hear them live, unfortunately, they're gone forever. But we think we've got a handle on it and we have episode 330 for you. First was an interview with Andrew Righter, and in the video below, Paul talks with Banasidhe, President of the Board for Security BSides Las Vegas. She's on this week to tell us about the mentor program they are using for first-time speakers at the Vegas conference. More mentors are still needed, so if you're interested, please get in touch with the BSides Vegas crew.

As part of Rapid7's research, they found they can track any ships, private or military while on the ocean and access a system that prevents collisions. It's not like these things can turn on a dime, or do the hallway dance when two people keep choosing the same side to walk on.

Not only are printers on the internet vulnerable, but now they're capable of being used to launch DDOS attacks. You can send a request over UDP and then the response is larger and even better, you can redirect the response elsewhere. So how exactly do we fix this sort of thing?

Larry also reports that Twitter is saying that "the hacks will continue!" however what should be cleared up is that that hacking isn't directly against Twitter. It's not an attack in the sense where the Twitter developers have written bad code getting compromised, it's the attack against what I like to call "Layer 8" the human. The problem is largely with spear phishing against users. There isn't much any system can do if someone asks you for your password and you give it to them. If you need to see what kinds of things that can happen with these attacks, check out the stock chart for the Dow Jones on April 23, 2013. Look at that one downward spike. That's when the AP News Twitter feed was hijacked and tweeted that the White House had been bombed and Obama was dead. I'm not sure which is really worse, that the AP gave up their password to this attack or that the traders on Wall Street based their stock strategy on a single tweet.

Would anyone want to offer a little startup capital for our new security venture called "Wickid Pissa Security"? Ok, maybe you have to be from Mass or Rhode Island to really get that one.

Paul talked about an article that tells of the seven elements of success for a security program. Or, as Larry sums it up, "1. Don't click on shit. 2. Refer to Rule 1." Easy. But the article refers to buy-in from everyone on board and using metrics to measure how efficient your program is. What good does it do to put in all this work and have no idea whether it even mattered or changed anything at all. Plus, those numbers can help at review time.

Apparently smart meters and blackouts are a problem in the UK. Or as the article mentions, "Smart meters are essentially crap computers in a crap box"

What were you doing at 14? As for me, I was sorting baseball cards and watching Brady Bunch re-runs ("Marcia, Marcia, Marcia!") Check out this 14 year old, Ali Hasan Gauri found an XSS vulnerability in a Cisco subdomain. Yeah, that's the kind of stuff that if he were to tell me about it at 14, my eyes would glaze over and ask if he wanted pizza. Meanwhile, he'll probably be retired-wealthy by 22.

When the guys simply keep talking about the same vulnerabilities showing up week after week, at what point does listening to PaulDotCom Security Weekly become required listening for developers? It almost seems we should have a special segment for the router vulnerability of the week!

Can the new Google Glass be hacked? Easy root access can lead to lots of spyware, but a couple other problems that Larry seems to be aware of is they don't have great battery life and it can be embarrassing when porn comes up during a staff meeting. As an aside, Saturday Nigh Live also did their own review of Google Glass.

There's all that and more, so listen in to get all the details. Don't miss this week's show on Thursday, May 9 at 6 pm with Kaspersky Lab's Kurt Baumgartner and Safelight Security's Rob Cheyne. Don't miss it!

Interview with Andrew Righter - Episode 330

Fri, 03 May 2013 11:38:46 -0500

After 5 years of diving into the Security world head first, Andrew has finally come up bruised, beaten and a little less stupid. Like most hackers, he has ripped apart, modified and rewritten every electron and every bit possible - and under proper supervision has even gotten to play with a few really expensive toys. He now spends his time bootstrapping his DARPA CFT project (Netoko), hacking automotive networks (GoodThopter), or playing with academics as a Visiting Scholar at the University of Pennsylvania.

Episode 330 Show Notes

Episode 330 (mp3)

Tune in to PaulDotCom Security Weekly TV, Hack Naked TV, and Hack Naked At Night episodes on our YouTube Channel or our Bliptv channel.

Episode 330 with Guest Andrew Righter & Special Guest GK "Banasidhe" Southwick Thursday 6PM ET

Tue, 30 Apr 2013 08:57:16 -0500

Join us for PaulDotCom Security Weekly Episode 330 After 5 years of diving into the Security world head first, Andrew has finally come up bruised, beaten and a little less stupid. Like most hackers, he has ripped apart, modified and rewritten every electron and every bit possible - and under proper supervision has even gotten to play with a few really expensive toys. He now spends his time bootstrapping his DARPA CFT project (Netoko), hacking automotive networks (GoodThopter), or playing with academics as a Visiting Scholar at the University of Pennsylvania. Banasidhe (pronounced ban-shee) is currently the volunteer Producer and President of the Board for Security BSides Las Vegas, Inc., (as well as 2IC for DCSkytalks and 2IC of PhySec for DerbyCon). With literally decades of Event Planning, Production, Logistics, Operations and Security experience, she stepped down as Safety & Security Director of BSidesLV two years ago and stepped-up into her current role as Producer, to ensure that BSidesLV continues to live up to the irreverant, uncommon, wake-up call to conventional InfoSec Conferences, that was conceived by her predecessor five years ago. Since taking the helm at BSidesLV, banasidhe has instituted several new tracks, including an OTR track, an AFK, community oriented track, and a Mentorship program for first time presenters. Banasidhe's actual day job is Director of Operations for the SECore.info division of the Open Security Foundation, where she's working on finding the funding to pull the site out of beta and into the stark, glaring light of day. She can be found on twitter @banasidhe . Sit back and enjoy the show live or participate in the live chat on our Ustream channel:

NOTE: The video will play the most recent show up until we are live!

Don't forget to follow us on Twitter: Paul Asadoorian, Larry Pesce, Jack Daniel, Carlos Perez, John Strand, Allison Nixon and Mike Perez.

Tune in to PaulDotCom Security Weekly TV, Hack Naked TV, and Hack Naked At Night episodes on our YouTube Channel or our Bliptv channel.

Hack Naked TV Episode 55

Fri, 26 Apr 2013 09:07:37 -0500

In this episode we talk about Ronald McDonald style beat downs. Virus Total adding pcap analysis and Japan talking about shutting down TOR.

Links for this episode:

Hacker Destruction

Virus otal Adds PCAP Analysis

Japan and TOR. A love story.

Offensive Countermeasures at Black Hat

-strandjs

Video Feeds:

Episode 329 with Guest Brad Bowers, Tech Segment by Sumit Siddharth and Mini Tech Segment by Allison Thursday 6PM ET

Mon, 22 Apr 2013 07:42:51 -0500

Join us for PaulDotCom Security Weekly Episode 329 Brad Bowers is a Security Operations Manager for a large financial institution with over 10 years of experience in security engineering, system forensics and incident response. Brad is a frequent writer and presenter on topics of emerging threats and threat intelligence. For the last couple years Brad has been working on projects focusing on hardware and RF security.check one out! We will also be joined by Sumit Siddarth, who will be delivering a tech segment for us based on his course he is delivering at BackHat Vegas "The Art of Exploiting Injection Flaws" Very awesome sneak peak! Sumit is currently the head of penetration testing at 7Safe, and runs the security blog Notsosecure. Our very own Allison will show us an interesting way to get a free SOCKS proxy as well. Sit back and enjoy the show live or participate in the live chat on our Ustream channel:

NOTE: The video will play the most recent show up until we are live!

Don't forget to follow us on Twitter: Paul Asadoorian, Larry Pesce, Jack Daniel, Carlos Perez, John Strand, Allison Nixon and Mike Perez.

Tune in to PaulDotCom Security Weekly TV, Hack Naked TV, and Hack Naked At Night episodes on our YouTube Channel or our Bliptv channel.

Drunken Security News - Episode 327

Thu, 18 Apr 2013 09:10:05 -0500

And here we go! Drunken Security News, episode 327 with Paul, Jack and Allison in studio. As always, you can follow along at the PaulDotCom wiki's show notes.

Allison found a story about how a Canon EOS can be hacked and used as a remote surveillance tool. When an article includes the line: "However, the camera's connectivity was not designed with security in mind", you know that's not going to end well. The article goes on to describe how the images can be transferred to a server via FTP (hello clear text!) and the camera even has its own web server with pretty weak authentication. Apparently, Canon believes the situation is a feature, not a bug.

Jack had a couple of quick hits, from South Korea claiming that some of their recent attacks came from, want to guess? Yes! North Korea! Who'da thunk?

Also, Jack linked to some free security tools offered by Microsoft. And yes, free is good, especially when it's as in free beer. We love free beer, and free security tools. Thanks Microsoft!

Paul found an article with tips on how ~~hackers~~, I mean security researchers can most easily stay out of jail. Some of the tips in this article sound like they're taken straight from a video that Allison found a few months ago from the Hack In The Box conference with presenter The Grugq, talking about OpSec. Some of the pieces of advice include: "don't trust anyone" (that didn't work out so well for LulzSec), "don't reveal your plans", "don't work from home" and more. All seems to be worthwhile information, if that's the direction you choose to go with your skills. Not that anyone at PaulDotCom ever condones accessing a computer or network that you don't have permission to access.

If you're in the New England area, definitely consider attending both BSides Boston on May 18 and BSides Rhode Island on June 14 and 15.

Paul described an article talking about another vulnerability in Linksys wireless routers. It was described by the author as a "Cross Site File Upload" vulnerability. Multiple vulnerabilities were found in both the WRT54GL and EA2000 routers. Amazingly, some of the vulnerabilities were revealed by simply adding a / to the end of a URL accessing the device.

Jack and Paul got into it a little bit about a post by Dr. Gene Spafford where Spaf thinks that CTF competitions may be focusing on the wrong skills. Maybe competitions make learning more fun and can also create a stress situation which may be more like a real world attack and defense of a system. Paul countered with his belief that there is still a great deal of value in sitting in front of a system that is under active attack. It's not often that the crew will truly disagree with points of view, so this makes for a great discussion.

And is it possible to have a Drunken Security News without including something about porn? Of course not. And Paul doesn't disappoint. Maybe this one also falls into the "no kidding" bucket, but Paul talked about top porn sites becoming more of a malware risk. Gee, did you really think you can go to a free porn site and be completely risk-free of malware? Right. And there's zero chance of catching an STD from a prostitute. As Paul mentioned, always use protection when visiting your porn sites.

There's all that and more in the stories for the week, watch the video for all the great discussions and don't miss Dr. Whit Diffie on tonight's PaulDotCom Security Weekly!

Using Posh-SecMod PowerShell Module to Automate Nessus (Part1)

Mon, 15 Apr 2013 06:54:05 -0500

About 2 months ago I was chatting with some of the members of one of the QA Teams at work and they where telling me about their workflows for automating the testing of code and hosts added to the lab. One showed me some of the scripts they use and then it came to me why not automate Nessus from with in PowerShell. I would say that in 2 days in my spare time using Brandon Perry Nessus-Sharp library for Nessus-XMLRPC written in C# https://github.com/brandonprry/nessus-sharpI forked the library and started modifying it to the needs I had I came up with a basic usable module. Sadly I got distracted with several projects and helping a bit to organize BSides PR I had not updated and cleaned the code until recently. Now that I have more time I would like to share the function I created and merge in to Posh-SecMod PowerShell module since I believe they could be useful to someone as they have to me.

Installing the Module

Posh-SecMod can be found at https://github.com/darkoperator/Posh-SecModand installing it is very simple. The module is a PowerShell v3 module only at the moment so it will only run on:

Windows 7
Windows 2008
Windows 2008R2
Windows 8
Windows 2012

For installing PowerShell on versions of Windows bellow you will need to install .Net 4.0 and then download and install the Windows Management Framework 3.0. Believe me it is all worth it just for the ISEv3.

WMF 3.0 - http://www.microsoft.com/en-us/download/details.aspx?id=34595
.Net Framework 4.0 - http://www.microsoft.com/en-us/download/details.aspx?id=17851

We start by running PowerShell with elevated privileges and make sure that you have set the ExecutionPolicy to RemoteSigned since none of the scripts, binaries and modules are signed with authenticode.

Set-ExecutionPolicy RemoteSigned

We then install the latest version of PSGet from inside PowerShell:

(new-object Net.WebClient).DownloadString("http://psget.net/GetPsGet.ps1") | iex

Once installed we can either install directly from GitHub using PSGet to Download the latest version of the module zip from GitHub by running.

import-module PsGet
install-module -ModuleUrl https://github.com/darkoperator/Posh-SecMod/archive/master.zip

The module will be available for use.

Listing Function to Interact with Nessus Server

To get a list of all the functions available for managing and automating Nessus we can load the module and filter the list for the word Nessus:

C:\> import-module Posh-SecMod
C:\> Get-Command -Module Posh-SecMod | where {$_.Name -like "*nessus*"}

CommandType Name ModuleName
----------- ---- ----------
Function Copy-NessusPolicy Posh-SecMod
Function Get-NessusPolicyXML Posh-SecMod
Function Get-NessusReportHostKB Posh-SecMod
Function Get-NessusReportHostsDetailed Posh-SecMod
Function Get-NessusReportHostSummary Posh-SecMod
Function Get-NessusReportItems Posh-SecMod
Function Get-NessusReportPluginAudit Posh-SecMod
Function Get-NessusReports Posh-SecMod
Function Get-NessusReportVulnSummary Posh-SecMod
Function Get-NessusServerAdvancesSettings Posh-SecMod
Function Get-NessusServerFeedInfo Posh-SecMod
Function Get-NessusServerGeneralSettings Posh-SecMod
Function Get-NessusServerLoad Posh-SecMod
Function Get-NessusServerMobileSettings Posh-SecMod
Function Get-NessusSession Posh-SecMod
Function Get-NessusUsers Posh-SecMod
Function Get-NessusV2ReportXML Posh-SecMod
Function Import-NessusV2Report Posh-SecMod
Function Invoke-NessusScan Posh-SecMod
Function Invoke-NessusScanTemplate Posh-SecMod
Function New-NessusScanTemplate Posh-SecMod
Function New-NessusSession Posh-SecMod
Function New-NessusUser Posh-SecMod
Function Remove-NessusPolicy Posh-SecMod
Function Remove-NessusScanTemplate Posh-SecMod
Function Remove-NessusSession Posh-SecMod
Function Remove-NessusUser Posh-SecMod
Function Resume-NessusScan Posh-SecMod
Function Show-NessusPolicy Posh-SecMod
Function Show-NessusScans Posh-SecMod
Function Show-NessusScanTemplate Posh-SecMod
Function Start-NessusServerFeedUpdate Posh-SecMod
Function Stop-NessusScan Posh-SecMod
Function Suspend-NessusScan Posh-SecMod
Function Update-NessusScanTemplate Posh-SecMod
Function Update-NessusUserPassword Posh-SecMod

Lets start by connecting to a Nessus Server. For this module I follow the philosophy of Session like we have with PSSession in PowerShell so as to be able to work with more than one Nessus server at the same time providing me greater flexibility. the Function to create a session is called New-NessusSession. All functions have help information that tells the user the purpose and all have examples of usage that can be read using the Get-Help cmdlet or it’s aliases man and help. To se the general information on the function we would do a

help <nessus function>

Full details can be seen by adding the –Full option or to only look at the usage example we can just use the –Example option.

Connecting to a Nessus Server and Working with Sessions

Lets connect to a Nessus Server using the New-NessusSession function giving it the host to connect to, the credentials and since I do not have valid SSL Certificate on my test Nessus Server I use the switch –IgnoreSSL so it will not validate the certificate:

C:\> New-NessusSession -ComputerName nessus.darkoperator.com -Credentials (Get-Credential) -IgnoreSSL

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential


User : carlos
IsAdmin : True
Index : 0
SessionState : Nessus.Data.NessusManagerSession
SessionManager : Nessus.Data.NessusManager
IdleTimeout : 30
ScannerBootTime : 4/11/2013 12:04:58 AM
PluginSet : 201302261815
LoaddedPluginSet : 201302261815
ServerUUID : fd14bd4c-27bc-7c35-0308-876409e7758d0b0d82169800a061
Token : bfeaa869adea6cc99de404c73caf3d60594d92376716e28a
MSP : True
ServerHost : nessus.darkoperator.com

As you create connections to Nessus servers the connections a re stored in to the global variable $Global:nessusconn as you can see information about the server is included with each session object. Each session is referenced by the Index value. In fact each session has a type of Nessus.Server.Session we can have several connection and to one one we just do the same as we did before, the session is added automatically.

C:\> New-NessusSession -ComputerName 192.168.1.230 -Credentials (Get-Credential) -IgnoreSSL

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential


User : carlos
IsAdmin : True
Index : 1
SessionState : Nessus.Data.NessusManagerSession
SessionManager : Nessus.Data.NessusManager
IdleTimeout : 30
ScannerBootTime : 4/11/2013 8:53:03 AM
PluginSet : 201304120815
LoaddedPluginSet : 201304120815
ServerUUID : c1938596-19fe-dd76-9f74-1a680d6701b17b39b69cbe76805b
Token : 7275b221322838890ec4e50e9655591e49ce620c0c6fbb6f
MSP : True
ServerHost : 192.168.1.230

If you use a valid certificate on your Nessus Server you can skip the –IgnoreSSL. If the certificate is not valid you will see the errors as of to why it was not and you will see warning message asking you to continue. You can also use the –Verbose options, you will see that warnings and verbose messages come in different colors in PowerShell for easier distinction.

To get all current sessions we use the Get-NessusSession function and it also allows us to select an individual session and save it to a variable.

C:\> Get-NessusSession


User : carlos
IsAdmin : True
Index : 0
SessionState : Nessus.Data.NessusManagerSession
SessionManager : Nessus.Data.NessusManager
IdleTimeout : 30
ScannerBootTime : 4/11/2013 12:04:58 AM
PluginSet : 201302261815
LoaddedPluginSet : 201302261815
ServerUUID : fd14bd4c-27bc-7c35-0308-876409e7758d0b0d82169800a061
Token : bfeaa869adea6cc99de404c73caf3d60594d92376716e28a
MSP : True
ServerHost : nessus.darkoperator.com

User : carlos
IsAdmin : True
Index : 1
SessionState : Nessus.Data.NessusManagerSession
SessionManager : Nessus.Data.NessusManager
IdleTimeout : 30
ScannerBootTime : 4/11/2013 8:53:03 AM
PluginSet : 201304120815
LoaddedPluginSet : 201304120815
ServerUUID : c1938596-19fe-dd76-9f74-1a680d6701b17b39b69cbe76805b
Token : 7275b221322838890ec4e50e9655591e49ce620c0c6fbb6f
MSP : True
ServerHost : 192.168.1.230

To remove a session from the list and log off from the server we use the Remove-NessusSession function:

PS C:\> Remove-NessusSession -Index 0
True

Retrieving Nessus Server Configuration Settings

We can get feed and version information for each session using the Get-NessusServerFeedInfo function, we can pipe the the sessions from Get-NessusSession objects in to it or specify the session or sessions thru the index parameter:

C:\> Get-NessusSession | Get-NessusServerFeedInfo


Feed : ProFeed
ServerVersion : 5.0.2
WebServerVersion : 4.0.31 (Build H20130328A)
MSP : False
Expiration : 9/19/2013 4:00:00 AM
ServerHost : nessus.darkoperator.com

Feed : ProFeed
ServerVersion : 5.0.2
WebServerVersion : 4.0.31 (Build H20130328A)
MSP : False
Expiration : 12/31/2013 5:00:00 AM
ServerHost : 192.168.1.230

We can see if we have a proxy configured to pull Nessus Feed, this is known in the Nessus GUI as the General Settings, the functions to get the configuration we use the Get-NessusServerGeneralSettings :

C:\> Get-NessusServerGeneralSettings -Index 1


proxy :
proxy_port :
proxy_username :
proxy_password :
user_agent :
custom_host :

we can pull the advanced settings from the servers with the Get-NessusServerAdvancesSettings and as you can see one of my servers runs in windows and the other runs on Linux.

C:\> Get-NessusSession | Get-NessusServerAdvancesSettings

allow_post_scan_editing : yes
auto_enable_dependencies : yes
auto_update : yes
auto_update_delay : 24
cgi_path : /cgi-bin:/scripts
checks_read_timeout : 5
disable_ntp : no
disable_xmlrpc : no
dumpfile : /opt/nessus/var/nessus/logs/nessusd.dump
global.max_hosts : 125
global.max_scans : 0
global.max_web_users : 1024
listen_address : 0.0.0.0
listen_port : 1241
log_whole_attack : no
logfile : /opt/nessus/var/nessus/logs/nessusd.messages
max_checks : 5
max_hosts : 30
nasl_log_type : normal
nasl_no_signature_check : no
non_simult_ports : 139, 445, 3389
optimize_test : yes
plugin_upload : yes
plugins_timeout : 320
port_range : default
purge_plugin_db : no
qdb_mem_usage : high
reduce_connections_on_congestion : no
report_crashes : yes
rules : /opt/nessus/etc/nessus/nessusd.rules
safe_checks : yes
silent_dependencies : yes
slice_network_addresses : no
ssl_cipher_list : strong
stop_scan_on_disconnect : no
stop_scan_on_hang : no
throttle_scan : yes
use_kernel_congestion_detection : no
www_logfile : /opt/nessus/var/nessus/logs/www_server.log
xmlrpc_idle_session_timeout : 30
xmlrpc_listen_port : 8834

allow_post_scan_editing : yes
auto_enable_dependencies : yes
auto_update : yes
auto_update_delay : 24
cgi_path : /cgi-bin:/scripts
checks_read_timeout : 5
disable_ntp : no
disable_xmlrpc : no
dumpfile : C:\Program Files\Tenable\Nessus\nessus\logs\nessusd.dump
global.max_scans : 0
global.max_web_users : 0
listen_address : 0.0.0.0
listen_port : 1241
log_whole_attack : no
logfile : C:\Program Files\Tenable\Nessus\nessus\logs\nessusd.messages
max_checks : 5
max_hosts : 100
nasl_log_type : normal
nasl_no_signature_check : no
non_simult_ports : 139, 445, 3389
optimize_test : yes
plugin_upload : yes
plugins_timeout : 320
port_range : default
purge_plugin_db : no
qdb_mem_usage : high
reduce_connections_on_congestion : no
report_crashes : yes
rules : C:\Program Files\Tenable\Nessus\conf\nessusd.rules
safe_checks : yes
silent_dependencies : yes
slice_network_addresses : no
ssl_cipher_list : strong
stop_scan_on_disconnect : no
stop_scan_on_hang : no
throttle_scan : yes
www_logfile : C:\Program Files\Tenable\Nessus\nessus\logs\www_server.log
xmlrpc_idle_session_timeout : 30
xmlrpc_listen_port : 8834

If I wan to see how many users, scans and just the general load on the server I can use the Get-NessusServerLoad to get this information, this can come useful if we see a server running slowly or we want to script to always use the server with the least load to launch our scans:

C:\> get-nessussession | Get-NessusServerLoad


ServerHost : nessus.darkoperator.com
Platform : LINUX
ScanCount : 0
SessionCount : 2
HostCount : 0
TCPSessionCount : 0
LoadAverage : 0.00

ServerHost : 192.168.1.230
Platform : WINDOWS
ScanCount : 0
SessionCount : 1
HostCount : 0
TCPSessionCount : 0
LoadAverage : 0.00

Working with Nessus Server Users

We can list and work with users in the Nessus Server, we can find all the Nessus Server user manipulation functions by searching for *nessususer* in the name of the functions in the module:

C:\> Get-Command -Module Posh-SecMod | where {$_.Name -like "*nessususer*"}

CommandType Name ModuleName
----------- ---- ----------
Function Get-NessusUsers Posh-SecMod
Function New-NessusUser Posh-SecMod
Function Remove-NessusUser Posh-SecMod
Function Update-NessusUserPassword Posh-SecMod

As you can see we can list the users, create a new user, remove a user and change the password of a user (if we are Admin of course). Lets start by listing the users on the server:

C:\> New-NessusUser -IsAdmin -Credentials (Get-Credential) -Index 0

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential


ServerHost : nessus.darkoperator.com
Name : Paul
IsAdmin : True
LastLogging : 1/1/0001 12:00:00 AM
Session : Nessus.Server.Session

I can change the password for the user Paul:

C:\> Update-NessusUserPassword -Index 0 -Credentials (Get-Credential)

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential


ServerHost : nessus.darkoperator.com
Name : Paul
IsAdmin : True
LastLogging : 1/1/0001 12:00:00 AM
Session : Nessus.Server.Session

C:\> New-NessusSession -ComputerName nessus.darkoperator.com -Credentials (Get-Credential) -IgnoreSSL

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential


User : Paul
IsAdmin : True
Index : 2
SessionState : Nessus.Data.NessusManagerSession
SessionManager : Nessus.Data.NessusManager
IdleTimeout : 30
ScannerBootTime : 4/11/2013 12:04:58 AM
PluginSet : 201302261815
LoaddedPluginSet : 201302261815
ServerUUID : fd14bd4c-27bc-7c35-0308-876409e7758d0b0d82169800a061
Token : ec1d58e6b2fd2db1da9788bc6a259cd318ca551cc140de93
MSP : True
ServerHost : nessus.darkoperator.com

Lets close the session we created for testing and remove the user Paul:

C:\> Remove-NessusSession -Index 2
True

C:\> Remove-NessusUser -Index 0 -UserName Paul
True
C:\> Get-NessusUsers -Index 0


ServerHost : nessus.darkoperator.com
Name : carlos
IsAdmin : True
LastLogging : 4/12/2013 12:23:04 PM
Session : Nessus.Server.Session

ServerHost : nessus.darkoperator.com
Name : admin1
IsAdmin : True
LastLogging : 12/31/1969 8:00:00 PM
Session : Nessus.Server.Session

On the next blog post I will cover how to work with Policies and Scans. I do invite you to install it and start playing with it and the other functions in the module.

Episode 328 With Dr. Whitfield Diffie & Jeremy Zerechak Thursday 6PM ET

Sun, 14 Apr 2013 19:29:46 -0500

Join us for PaulDotCom Security Weekly Episode 328 with Dr. Whitfield Diffie, an american cryptographer and one of the pioneers of public-key cryptography, contributor to the Diffie-Hellman key exchange. We'll also have Jeremy Zerechak writer and director of Code2600 and upcoming film Hackers in Uganda Jeremy is also a decorated Iraq War Veteran and an advocate of veteran rights. Sit back and enjoy the show live or participate in the live chat on our Ustream channel:

NOTE: The video will play the most recent show up until we are live!

Don't forget to follow us on Twitter: Paul Asadoorian, Larry Pesce, Jack Daniel, Carlos Perez, John Strand, Allison Nixon and Mike Perez.

Tune in to PaulDotCom Security Weekly TV, Hack Naked TV, and Hack Naked At Night episodes on our YouTube Channel or our Bliptv channel.

Interview with Richard Bejtlich - Episode 327

Fri, 12 Apr 2013 15:30:45 -0500

Richard Bejtlich is Mandiant's Chief Security Officer. Prior to joining Mandiant, Mr. Bejtlich was the Director of Incident Response for General Electric, where he built and led the 40-member GE Computer Incident Response Team (GE-CIRT). He wrote The Tao of Network Security Monitoring, Extrusion Detection, and co-authored Real Digital Forensics. He currently writes for his blog TaoSecurity and teaches for Black Hat.

Episode 327 Show Notes

Episode 327 (mp3)

Tune in to PaulDotCom Security Weekly TV, Hack Naked TV, and Hack Naked At Night episodes on our YouTube Channel or our Bliptv channel.