Tuesday, 5 May 2009

HackerStorm.com Nessus and OpenVas Reporter

Pretty Reports For Your Scan Results

We have made available a tool we developed for providing online reports from Nessus and OpenVas scans. It's designed primarily to share scan results on an intranet server. It's written entirely in PHP, and installation is just a case of unzipping the download file. Scan job reports need to be exported to XML format and copied to the XML folder to begin viewing the results. The tool also lets you export the scan results to a spreadsheet, or you can save the page as HTML from within the web browser to send to others. The tool is completely free to use, so enjoy showing your friends and workmates some pretty scan reports. Some of the features as it stands today are:
  • Our tool is completely free to use.
  • Nessus v3 and OpenVas v2 required.
  • Simply export scan jobs into XML format and copy them to the XML folder.
  • View by Risk
  • View by Severity
  • Executive summary as well as detailed reports
  • Ports and services report
  • Vulnerability category report
  • Export scan jobs to Excel (very useful with autofilter enabled).
  • Save the report as HTML and send it as an offline copy.
  • Easy installation, just extract the zip file to your web server!
We have taken the variables we collect and sent them to Flash charting scripts; in this example we used ColdFusion, see the screenshot below. In theory, you can get dynamically updated Flash charts by conducting scheduled scans via cron jobs and exporting the data. ColdFusion has Flash charts that check for new data and update automatically, which means that as your scans run during the day you can see if anything new or unusual comes up.

Demo of our Nessus DashBoard (screenshot)

Potential uses include:

  1. Install the scripts into different directories and share scan reports with your users/customers, with file/folder permissions applied to each directory. This is a great way to allow your users to view their scan jobs without showing them everything. You could organise the reports on a per-department basis (Finance, HR, Corp Website, etc.) or per customer as mentioned earlier.
  2. Real-time monitoring with dynamic charting and updates; see the dashboard above as a demo/example.
  3. The Excel spreadsheet feature is very useful. Once you export the results, add your logo and enable 'autofilter' on the columns for easy browsing, e.g. by IP, Risk, Severity, Vulnerability or a combination of them all. We usually create these and send them out to our users, as it is much easier to track what has been done in the spreadsheet by highlighting items or adding comments for false positives.
The world is your oyster; it's just down to how much time you want to spend developing the scripts to suit your needs.

Please feel free to browse our website and have a play with some sample Nessus and OpenVas scans. Downloads are available here.

Scanner versions required are:
  • Nessus Scanner v3
  • OpenVas Scanner v2
Server requirements for viewing the reports are:

  • Linux OS
  • Apache webserver
  • PHP v5
Future developments? We are not sure yet. We are considering PDF output as well as Word document output for the scan reports, to make sharing and working with the results much easier. Watch this space.


Sunday, 3 February 2008

PCI Compliant Tools & Services

The following is a list of scanning services and tools approved by the PCI Security Standards Council.

403 Labs, LLC
Accume Partners
Accuvant
Acertigo - An EXCELSIS Company
Achilles Guards Inc (Critical Watch)
Alert Logic
Alexander Open Systems, Inc
Ambersail
AppSec Consulting
Arsenal Security Group, Inc.
Backbone Security
BEW Global, Inc.
BT Counterpane
Calence, Inc.
Canon Technology Solutions
Chief Security Officers
Coalfire Systems, Inc
Communication Valley
ComplyGuard Networks Inc
Computer Task Group
Comsec Consulting
Context Information Security Ltd
Control Case
ControlScan
Core Security Technologies
CSIS Security Group
Cyberklix Inc.
Deloitte CA
Digital Defense Inc
Digital Resources Group
Dyntek Inc.
Emergis Inc.
Enterprise Risk Management, Inc.
Ernst & Young Portugal
FishNet Security
Fort Consult ApS
Fortrex
Foundstone, Inc - A Division of McAfee
Global DataGuard
Halock Security Labs
Handshake Networking Ltd
HCL Comnet LTD
igxglobal, Inc.
Informzaschita
InfoTech Consulting
Integralis -US
Integralis Ltd.
Internet Security Auditors
Internet Security Systems (IBM)
IOActive, Inc.
Jefferson Wells International
K3DES, LLC
Lighthouse Computer Services
Microsolved Inc. (MSI)
Mnemonic
MWR Info Security Limited
NCC Group PLC
NCI Secured Intelligence
nCircle Network Security
Neohapsis
Netcraft Ltd
NetDiligence
NetSPI
netVigilance, Inc
NGS Software Ltd (Next Generation)
Nixu Ltd.
NTA Monitor Limited
NTT Data Security, Co.
Pentura Ltd
Perimeter Internetworking Corporation
ProCheckUp Ltd
Protiviti
PSC (Payment Software Company)
QinetiQ
Qualys
Quest Media & Supplies
QuietMove, Inc.
RandomStorm
Rapid7 LLC
Rits Information Security
RSM McGladrey, Inc.
ScanAlert
Seccuris Inc
Secode Norge AS
Secure Enterprise Computing
SecureState LLC
SecureTest Ltd
SecureWorks
Securicon
Security Advisers LLC
Security Innovation
Security Metrics, INC
Security PS Inc
SensePost
Simovits Consulting
Sirius Computer Solutions
Solutionary, Inc.
Specialized Security Services, Inc
SPI Dynamic
SPIGuard (Strategic Profits)
Spohn and Associates
Sunera LLC
SunGard
Symantec
Sysnet Ltd
Technology Nexus Security AB
Tekmark Global Solutions
TraceSecurity, Inc.
True Digital Security, Inc.
Trustwave
Verisign
Verizon Business
Vigilar, Inc
Westpoint Ltd
WhiteHat Security, Inc.


Note, eEye have just launched PCI compliance reporting in their products; watch this space, as it will no doubt be an approved PCI vendor shortly.

Tim Mehmet
HackerStorm.com

Source: http://www.pcisecuritystandards.org/


Saturday, 2 February 2008

The Difference between Vulnerability Assessment and Penetration Testing

There's a lot of confusion out there, still, even amongst security professionals, as to the difference between penetration testing (pen test) and vulnerability assessment (VA).

The difference is quite significant; the two can be described as follows.


Vulnerability Assessment

Wikipedia describes a vulnerability assessment as "the process of identifying, quantifying and prioritising (ranking) the vulnerabilities on a system".

I could not agree more, and more importantly, the definition is not tied to any specifics such as internet-visible systems only, or internal systems only, and so on. The scope of the assessment can be anything you like, and the identification of a vulnerability is not tied to detection by a scanning tool alone.


So what does this mean to the security analyst in reality?

Normally, the VA is a passive, non-intrusive assessment, and the key word here is 'assessment'.


Let's consider the simple but all too common example below. When we conduct our assessment we must quantify and prioritise; once that is done we can begin to plan and mitigate the issues.

Example: an exploit for a Microsoft web server is published; your Microsoft web server is assessed as being vulnerable; the web service on the server is internet visible; exploits are confirmed to be available to attackers; and the server handles credit card transactions!

Clearly, in the above example, the risks are pretty high, including the likelihood of being exploited on a server which (you would hope) is deemed critical because it holds credit card details. Had the server not been internet visible, such as on a private intranet, the risk would be lower. Because we have quantified the issue, we can now prioritise and create the remediation and mitigation work accordingly.

Vendors also often refer to vulnerability assessment; these are usually (but not restricted to) vulnerability scanning vendors or patch management vendors. Both are valid for VA. In the above example, if using a scanner, the vulnerability will be detected and then the VA process would kick in. With patch management, you are simply getting the same information in another way, at which point the assessment process kicks in again. Most companies do both scanning and patch management; they are two ways of constantly evaluating your vulnerability exposure, two perspectives from which to detect vulnerabilities. Patch management does not always tell you that there is an issue, especially if vendors do not have a patch ready to deploy. Scanners can also miss things, depending on the frequency and visibility the tools have to test with, and also if there is no actual exploit to create a test from.

Don't forget, these solutions can be used both proactively and reactively. If you're concerned about a server, you can scan it, run a patch report and produce a VA in no time.


There are many other ways to assess yourself for a vulnerability, and many tools and services with which to do it, e.g. integrity checking, compliance management, anti-virus and, of course, a penetration test! Also worth noting is that the status of any vulnerability (or not) can change at any point, so regular assessments are required.


Penetration Testing

Again, according to Wikipedia, the following is a description of what a penetration test is:

"A penetration test is a method of evaluating the security of a computer system or network by simulating an attack by a malicious user, known as a cracker (though often incorrectly referred to as a hacker). The process involves an active analysis of the system for any potential vulnerabilities that may result from poor or improper system configuration, known and/or unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker, and can involve active exploitation of security vulnerabilities. Any security issues that are found will be presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution. The intent of a penetration test is to determine feasibility of an attack and the amount of business impact of a successful exploit, if discovered."

Yet again, we find ourselves agreeing with this description. The first difference from VA is that a penetration test is 'active' whereas a VA is passive and non-intrusive.

The next difference is that a penetration test may use the holes discovered in a VA to verify risks and exposures by exploiting the hole (this is what makes it active or intrusive). Penetration testing methodologies do include a vulnerability assessment in their process; it is one of the first steps when testing, because you have to find the potential holes in security in order to penetrate!

A penetration test can have a scope of testing which can be internet only, internal only, both, or anything else that you want to simulate. Unlike some explanations I have heard, a penetration test is not restricted to just the hacker's view from the internet. In fact, I have conducted many pen tests to verify and assist with the lock-down and hardening of a new platform or service (in complete privacy) before it goes live.

The scope of a penetration test can literally be anything from a vulnerability assessment to fully exploiting the targets to destructive testing.





Thursday, 31 January 2008

Vulnerability Scanners: The Cost Issue With Auto Discovery

Many times people try to discover hosts on their networks with vulnerability scanners. Whilst this is a good thing on small networks, it can be a problem on very large networks with potentially many thousands of hosts to check. If you're trying to get approval for a commercial solution, the costs can be astronomical. So, what can we do?

In order to reduce costs, one should consider using the asset management system to identify the live (or production) devices. Doing this means that you can purchase your solution with far fewer assets in terms of licences (normally based on the number of IP addresses).

Non-live or non-production devices should not be visible (officially); your policy must dictate that all development and test systems be hidden, and if one can't be hidden, the owners must ensure it is secure, complies with policy and has no connectivity with your live environments (for example). This still leaves us with the issue of discovering new hosts on the network.

Obviously, proper configuration management will add new hosts to your asset management system, and hence you can add all new devices to the scanners. But for the rogues in your business with a history of ignoring policy, one could simply use a tool like NMAP to check for new hosts on the remaining unused IP addresses. It's relatively cheap (free!) and rapid in terms of performance. It's also quite clever: you can export your live IPs to a file and tell NMAP to exclude it, making the analysis of the results much easier! If it finds something 'alive' that's not on your live asset list, it is easily identified and can be investigated. In fact, one could configure it for regular scheduled scans and have alarms sent to your security team if something appears that's not in the asset register.
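The sweep described above, as an added example rather than code from the HackerStorm post: the asset register is exported to a file that Nmap excludes, and anything that still answers is reported for investigation. The register path, the scan range and the sample Nmap output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the HackerStorm post: sweep an address range
# with Nmap while skipping every IP already in the asset register, then list
# whatever answered as a candidate rogue host to investigate. The register
# path and all sample data below are constructed for illustration.

# One IP per line, exported from the asset management system (assumed path).
ASSETS=${ASSETS:-/etc/scans/live_assets.txt}

# Host-discovery sweep of a range. -sn probes for live hosts without port
# scanning, --excludefile leaves the known production IPs alone so only the
# "unused" addresses are touched, and -oG - writes greppable output to stdout.
# This is the real invocation (e.g. from cron); the demo below does not run it.
sweep_range() {
    nmap -sn --excludefile "$ASSETS" -oG - "$1"
}

# Read greppable Nmap output on stdin and print the IP of every host that
# answered ("Status: Up"); down hosts and comment lines are dropped.
up_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Filter the live hosts against the register ($1): whatever remains answered
# but is not an approved asset. Wire this output to your alerting from cron.
unknown_hosts() {
    up_hosts | grep -vxF -f "$1"
}

# --- constructed demo data so the filtering logic runs offline ---
DEMO_ASSETS=$(mktemp)
printf '10.0.0.1\n10.0.0.2\n10.0.0.10\n' > "$DEMO_ASSETS"

# Shape of -oG output; 10.0.0.1 is included to show the filter also copes
# when a registered host slips through (it would not with --excludefile).
DEMO_NMAP_OUTPUT='# Nmap 4.x scan initiated as: nmap -sn -oG - 10.0.0.0/24
Host: 10.0.0.1 ()	Status: Up
Host: 10.0.0.7 ()	Status: Up
Host: 10.0.0.8 ()	Status: Down
Host: 10.0.0.23 (build-box.lab)	Status: Up
# Nmap done'

# Returns the hosts to investigate: 10.0.0.7 and 10.0.0.23.
demo_unknown_hosts() {
    printf '%s\n' "$DEMO_NMAP_OUTPUT" | unknown_hosts "$DEMO_ASSETS"
}
```

Run `sweep_range 10.0.0.0/24 | unknown_hosts "$ASSETS"` from a cron job and mail any non-empty output to the security team; an empty result means nothing unregistered answered.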

Many people fail to get approval for their business cases because they don't think outside the box. The licence costs normally play a big part in business cases getting rejected, because people assume they must use the scanner for all IPs within the allocated network range. The reality is, you only need to scan what's in production (or live), and you only have to be able to identify when a non-approved device appears on your network, at which point you can add the host and scan it as and when it appears, then remove it once the unapproved device is gone.

Taking the very simple steps above can not only reduce costs; you can end up with something that's highly effective and proactive, and more importantly, you can give yourself a genuine fighting chance of getting your business case approved.

Tim Mehmet
HackerStorm.com