EMET 5.5 Released
Microsoft announced on the TechNet blog the availability of a new version of its EMET tool (EMET stands for "Enhanced Mitigation Experience Toolkit"). The purpose of this tool is to implement extrat security controls to prevent common vulnerabilities in software like: DEP ("Data Execution Prevention"), ASLR ("Address Space Layout Randomization") or certificate trust (Pinning).
The new release introduces the following changes:
- Compatibility with Windows 10
- Improved deployment and configuration via GPO
- Improved writing of the mitigations to the registry
- EAF/EAF+ pseudo-mitigation performance improvements
- Support for untrusted fonts mitigation in Windows 10
More info about configuration guidelines is available here.
Xavier Mertens
ISC Handler - Freelance Security Consultant
PGP Key
Automating Vulnerability Scans
Today, I’ll explain you how to automate vulnerability scans. There are plenty of vulnerability scanners on the “market” (commercial or free solutions). Usually, I'm using OpenVAS mainly because it is free. A lot has been said about this solution, it makes also me sometimes frustrated but, at the end, it is doing a good job. The OpenVAS architecture is based on different components: a manager, one (or more) scanner, command line tools and a web frontend called "Greenbone Security Assistant". Let's focus on the command line tool called "omp" which uses the OpenVAS Management Protocol. This tool proposes a set of command to interact with an OpenVAS manager like:
- get-targets
- get-tasks
- create-tasks
- start-tasks
The number of action is quite limited and allow only basic tasks. But it provides the “-X” or "--xml” argument which allows us to send raw XML data to the server! This is much more powerful! (a complete reference is available here). To use omp, the very first step is to create a configuration file to automate the connection. Create a $HOME/omp.config file like this:
[Connection] host=127.0.0.1 port=9390 username=xavier password=mystrongpassword
(Don't forget to restrict access to the file because it contains sensitive data!)
We are now ready to talk to the OpenVAS manager and to retrieve some data ('--pretty-print' is recommended to increase the visibility):
$ omp --pretty-print --xml "<get_targets/>"
<get_targets_response status_text="OK" status="200">
<target id="dcc82d64-1c87-44d8-aef5-24c1f552ddcd">
<owner>
<name>xavier</name>
</owner>
<name>Local Hosts</name>
<comment></comment>
<creation_time>2016-02-02T22:12:08+01:00</creation_time>
<modification_time>2016-02-02T22:12:08+01:00</modification_time>
<writable>1</writable>
<in_use>1</in_use>
<permissions><permission>
<name>Everything</name>
</permission></permissions>
<user_tags>
<count>0</count>
</user_tags>
<hosts>192.168.254.0/24</hosts>
<exclude_hosts></exclude_hosts>
<max_hosts>254</max_hosts>
<port_list id="c7e03b6c-3bbe-11e1-a057-406186ea4fc5">
<name>OpenVAS Default</name>
<trash>0</trash>
</port_list>
<ssh_lsc_credential id="">
<name></name>
[... stuff removed ...]
Let's create a new scan from the command line. Considering that OpenVAS has already been configured for your environment, the different steps are:
- Create a target
- Create a tasks (and assign the target to it)
- Start the task
- Get results
First, to create our target, we send the following XML data. XML data is returned by the command with results (good or bad):
$ omp --xml '
<create_target>
<name>My New Scan</name>
<hosts>192.168.254.0/24</hosts>
</create_target>'
<create_target_response id="dcc82d64-1c87-44d8-aef5-24c1f552ddcd" status_text="OK, resource created" status="201"></create_target_response>
The next step is to create a new task. A limitation of the XML interface is that some parameters can be specified by their name while others must be referenced with their internal ID (like the newly created target). We can use command line tools to parse the returned XML and extract the required information:
$ omp --xml ‘...’ | xmlstarlet sel -t -v /create_target_response/@id dcc82d64-1c87-44d8-aef5-24c1f552ddcd
Now we can create the task:
$ omp --xml '
<create_task>
<name>My New Scan</name>
<preferences>
<preference>
<scanner_name>source_iface</scanner_name>
<value>eth0</value>
</preference>
</preferences>
<config id="74db13d6-7489-11df-91b9-002264764cea"/>
<target id="dcc82d64-1c87-44d8-aef5-24c1f552ddcd"/>
</create_task>'
<create_task_response id="8fc4cccd-243f-4edb-a390-5f83d04f90b6" status_text="OK, resource created" status="201"></create_task_response>
We are now ready to launch the vulnerability scan. Let's review the available tasks:
$ omp --xml ‘<get_tasks/>'
And start the one with our new ID:
$ omp —xml ‘<start_task task_id="8fc4cccd-243f-4edb-a390-5f83d04f90b6"/> <start_task_response status=“200" status_text="OK"/>
Once the task is completed, you can get results in any defined formats:
$ omp --xml ' <get_reports report_id="cc995c30-0a5d-486d-a02f-a03eba63172a" format_id="c402cc3e-b531-11e1-9163-406186ea4fc5”/>’
Let's think further... If we can talk to an OpenVAS manager via XML, it could be easy to integrate OpenVAS with other tools? Good news: there is a Python library available to control OpenVAS: openvas.omplib.
ISC Stormcast For Wednesday, February 3rd 2016 http://isc.sans.edu/podcastdetail.html?id=4851
×
![modal content]()
Diary Archives
Comments