Network VA Automation | Lucideus Research

Network Vulnerability Assessment (VA) forms a crucial part of the security infrastructure of any organisation. Identifying insecure components in the network in a timely manner helps avoid a large number of attacks. However, in a large corporate network, conducting a VA is a cumbersome task, hence the need for automation. In this article we will look at one possible approach to automating Network VA using Nessus, Nmap and Python. This comes in handy when scheduling multiple VA scans over a large network without any manual intervention.


Tools Used

Let’s begin by understanding the tools we will use.

Python: We will leverage Python for this automation task. Python is a scripting language with a large number of modules available. We will require two Python modules for interfacing with the scanners:
  • Python-nmap: This is an NMAP API in Python. It lets the automation script control nmap.
  • Nessrest: This is a Python wrapper over the Nessus REST API. It allows the automation script to interface with Nessus and schedule scans.

These modules can be easily installed as:
pip install python-nmap
pip install nessrest

NMAP: Every network VA utilizes NMAP. This is the best tool available to perform a deep analysis of any network. If used properly, this tool can almost completely eliminate the need for any other tool. Moreover, it is open source. It can be easily installed as:

apt-get install nmap


NESSUS: Nessus is considered the best Network VA scanner available in the industry. It has an exhaustive database of vulnerabilities which is updated regularly. Moreover, we can schedule scans according to our requirements. It conducts an extensive VA of an asset in the network and generates reports in CSV, PDF and HTML form. In this article we are using a trial version of Nessus, which can be downloaded here: https://www.tenable.com/products/nessus/select-your-operating-system



Methodology:

After collecting all the necessary tools for our VA, let’s now decide our approach. In our experience with Network VA, the best way is to first conduct an NMAP scan of the TCP and UDP ports of each asset in the network. This lists all the open ports of the asset at a particular IP address. This practice speeds up the Nessus scan, as the scan is limited to the few open ports which might be vulnerable. Moreover, it also reduces the chance of false positives from Nessus.

This approach can be easily coded in a Python script, and the whole network VA can then be automated over a large network infrastructure.


Script Development:

Now we can start with our development process. First, in the Python script we need to import all the required modules as follows:

import nmap
import json
import time
import sys
from nessrest import ness6rest



Here nmap is the python-nmap API, the json module helps in manipulating the JSON blobs we use for transmitting data, time is used for the time-related parameters in the script, sys is used for system-level functions and nessrest is the Nessus API Python wrapper. Now we will start the NMAP scan of the IPs. We take the IPs from a Python dictionary named scan_dict, whose keys are scan names and whose values are comma-separated IP addresses; we can fill this dictionary by hardcoding the IPs, from the command line, or from a database. For the Nmap scan we do the following:


# Example input; in practice scan_dict is filled from the command line or a database
scan_dict = {'scan_name': '192.0.2.10,192.0.2.11'}

nessus_dict = {}
index = 1

nm_tcp_options = '-Pn -sV -sC'
nm_udp_options = '-sU -Pn --top-ports 100 -sV -sC'
nm_scan = nmap.PortScanner()

for ip_scan in scan_dict.keys():
    ip_list = scan_dict[ip_scan].split(',')
    for ip_val in ip_list:
        nessus_dict[index] = {}
        nessus_dict[index]['name'] = ip_scan
        nessus_dict[index]['ip'] = ip_val
        # initialised before the scans so a failed TCP scan does not break the UDP step
        port_list = []
        try:
            data_tcp = nm_scan.scan(str(ip_val), arguments=nm_tcp_options)
            # the 'tcp' key is absent when the host is down or reports no ports
            for ports in data_tcp['scan'][str(ip_val)].get('tcp', {}).keys():
                if str(ports) not in port_list:
                    port_list.append(str(ports))
        except Exception as e:
            print("Exception: " + str(e))

        try:
            # print("Starting udp scan for " + nessus_dict[index]['ip'])
            data_udp = nm_scan.scan(str(ip_val), arguments=nm_udp_options)
            for ports in data_udp['scan'][str(ip_val)].get('udp', {}).keys():
                if str(ports) not in port_list:
                    port_list.append(str(ports))
        except Exception as e:
            print("Exception: " + str(e))

        nessus_dict[index]['ports'] = ','.join(port_list)
        index += 1

print(nessus_dict)
We start by initializing an object nm_scan of nmap.PortScanner(). Then we iterate over scan_dict, pass each IP address to the scanner object and initiate an NMAP scan with the options:
  • -Pn -sV -sC for TCP port scanning
  • -sU -Pn --top-ports 100 -sV -sC for UDP port scanning


Using this, the code snippet prepares a Python dictionary nessus_dict, whose entries have the following key-value format:

{ 1: {
    'name': <scan name, i.e. the key from scan_dict>,
    'ip': <IP address of the asset>,
    'ports': <comma-separated list of ports found on the given IP address>
  }
}
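The transformation above, as an added example that is not part of the original article: it builds the same nessus_dict structure from python-nmap result dicts, but keeps only ports nmap marked as "open", merges TCP and UDP, and yields an empty port list for a host that never answered (such entries should be skipped before handing them to Nessus). The two result dicts are constructed here to mirror the shape of nm_scan.scan() output; in the real script they come from nm_scan.scan(ip, arguments=...).

```python
def open_ports(nmap_result, ip, proto):
    """Return the ports of one protocol ('tcp' or 'udp') that nmap marked 'open' for ip."""
    host = nmap_result.get('scan', {}).get(ip, {})
    table = host.get(proto, {})  # absent when the host is down or reports no ports
    return {int(p) for p, info in table.items() if info.get('state') == 'open'}


def build_nessus_targets(scan_dict, results):
    """scan_dict: {scan name: 'ip1,ip2,...'}; results: {ip: (tcp_result, udp_result)}.

    Returns {index: {'name', 'ip', 'ports'}} in the article's format, with ports
    deduplicated across TCP/UDP, sorted numerically and limited to state 'open'.
    """
    nessus_dict = {}
    index = 1
    for name, ip_csv in scan_dict.items():
        for ip in (v.strip() for v in ip_csv.split(',') if v.strip()):
            tcp_res, udp_res = results.get(ip, ({}, {}))  # no result -> host never answered
            ports = open_ports(tcp_res, ip, 'tcp') | open_ports(udp_res, ip, 'udp')
            nessus_dict[index] = {
                'name': name,
                'ip': ip,
                'ports': ','.join(str(p) for p in sorted(ports)),
            }
            index += 1
    return nessus_dict


# Constructed sample results (documentation-range addresses), not real scan output.
SAMPLE_TCP = {'scan': {'192.0.2.10': {'status': {'state': 'up'},
              'tcp': {22: {'state': 'open', 'name': 'ssh'},
                      80: {'state': 'open', 'name': 'http'},
                      443: {'state': 'filtered', 'name': 'https'}}}}}
SAMPLE_UDP = {'scan': {'192.0.2.10': {'status': {'state': 'up'},
              'udp': {53: {'state': 'open', 'name': 'domain'},
                      22: {'state': 'open|filtered', 'name': 'ssh'}}}}}
SAMPLE_SCAN_DICT = {'dmz_web': '192.0.2.10,192.0.2.11'}  # .11 never answered
SAMPLE_RESULTS = {'192.0.2.10': (SAMPLE_TCP, SAMPLE_UDP)}

if __name__ == '__main__':
    for idx, entry in build_nessus_targets(SAMPLE_SCAN_DICT, SAMPLE_RESULTS).items():
        print(idx, entry)  # 443 (filtered) and UDP 22 (open|filtered) are left out
```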


Now we will send the IPs and open ports to the Nessus scanner to generate the final VA report. First we authenticate our connection with Nessus and set up a scan policy.


scan = ness6rest.Scanner(url="https://ip:8834", login="username", password="password", insecure=True)
scan.policy_set('policy_name')


Here we create a ness6rest.Scanner object named scan and select a VA scan policy. The insecure=True option can be removed once valid SSL certificates have been configured for Nessus. Now we will initiate the Nessus scan.


for keys in nessus_dict.keys():
    if not nessus_dict[keys]['ports']:
        # nothing found by NMAP, so there is nothing to hand to Nessus for this asset
        continue
    try:
        # restrict the policy to the ports NMAP found on this asset
        scan.policy_limit_ports(ports=nessus_dict[keys]['ports'])
        scan.scan_add(targets=nessus_dict[keys]['ip'], name=nessus_dict[keys]['name'] + nessus_dict[keys]['ip'])
        scan.scan_run()
        scan._scan_status()  # poll the scan status reported by Nessus
        time.sleep(60)
        scan_data = scan.download_scan(export_format="csv")
        file_nessus = 'final_scan_' + str(time.time()) + '.csv'
        # download_scan returns the raw report content; the with block closes the file
        with open(file_nessus, 'wb') as scan_file:
            scan_file.write(scan_data)
    except Exception as e:
        print("Exception for " + nessus_dict[keys]['ip'] + ": " + str(e))


Here we start the scan for the ports found by the NMAP scans and generate a final CSV report containing a description of all the vulnerabilities found on the asset.


Sample output of a Nessus scan


Way Forward:

This is a basic script which we developed to automate Network VA. It can be further interfaced with several other tools to create a proper automation suite with a dashboard for managing the VA of a large infrastructure.