Tuesday, 22 September 2015

Faraday: continuous scanning

Introduction:

Doing a security audit of your infrastructure, web site or services, whether annually or every six months, is a great first step toward securing your systems, but in many cases it is not enough.

Moreover, if the audit involves only one tool, it unfortunately covers only a small part of the attack surface.

The idea of this post is to show how the Faraday platform can be used to run continuous scans with almost all the auditing tools on the market.

The goal is to scan a set of targets with different tools every week, or on events, and to collect all the results in your Faraday platform. This should let you detect and mitigate new issues in your infrastructure.

Regular manual security audits remain necessary (at least for the time being, software is not better than people), but continuous scanning helps a company pick off a lot of the low-hanging fruit and concentrate on the trickier issues.

Preparation:

We are going to use the following tools:

  • w3af
  • nmap
  • nikto
  • burp
  • zap
  • nessus
  • openvas

Using a set of scripts together with the tools' different APIs, we obtain the corresponding reports for a list of IPs or web sites.

Each report must then be copied to $HOME/.faraday/report/[workspace_name]

Faraday then converts all the reports into information that the user can interpret.

Script:

The following script centralizes all the actions mentioned above. The layout of the cscan directory is:

./cscan.py          # executes each script inside ./scripts/network/ and ./scripts/web/
./scripts/web       # directory for web tools
./scripts/network   # directory for network tools
./output            # temporary directory where the reports are generated
./websites.txt      # web site list
./ips.txt           # IPs/networks list
./plugin            # plugins or libraries needed by ./scripts/
./config.py         # global configuration

The following is the nmap script, ./scripts/network/nmap.sh:

#!/bin/bash
# $1: file with the list of targets (one per line)
# $2: output directory for the report; must end with "/" because it is
#     concatenated directly with the report name below
# CS_NMAP may be set (e.g. from config.py) to the path of the nmap binary;
# it defaults to whatever "nmap" resolves to in $PATH
NAME="nmap_$(date +%s).xml"

${CS_NMAP:=nmap} -iL "$1" -oX "$2$NAME"

The script is very simple: it takes two parameters, the first the target list and the second the output directory for the report. Scripts can be written in any language. The following tools are available:
./scripts/web/burp.sh
./scripts/web/zap.sh
./scripts/web/nikto.sh
./scripts/web/w3af.sh
./scripts/network/nmap.sh
./scripts/network/openvas.sh
./scripts/network/nessus.sh

Before using it, review ./config.py: it contains settings specific to your system, such as the paths of the tools and the openvas/nessus credentials.
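To make the driver loop concrete, here is an added example written for this post, not the project's own cscan.py: it runs every executable under ./scripts/network against ips.txt and every one under ./scripts/web against websites.txt with the two arguments described above, and treats a non-zero exit, a timeout, or a run that produces no report as a failure (the kind of tool-error detection the To-Do section asks for), so a crashed scanner does not get recorded in Faraday as "no new findings". The stand-in tool scripts, the file names and the 192.0.2.10 address in demo() are constructed for the example.

```python
import os
import subprocess
import tempfile
# Assumed layout from the post: scripts/<kind>/* are run as "<tool> <target list> <output dir>".
SCAN_SETS = {"network": "ips.txt", "web": "websites.txt"}


def list_tools(scripts_dir):
    """Executable files in scripts_dir (empty if missing), sorted for a stable run order."""
    names = sorted(os.listdir(scripts_dir)) if os.path.isdir(scripts_dir) else []
    paths = [os.path.join(scripts_dir, n) for n in names]
    return [p for p in paths if os.path.isfile(p) and os.access(p, os.X_OK)]


def run_tool(tool, targets, output_dir, timeout=3600):
    """Run one tool script; return (ok, detail). Non-zero exit, timeout or exit 0 without a report all count as failure."""
    out_arg = output_dir.rstrip(os.sep) + os.sep  # the post's scripts build the report path as $2$NAME
    before = set(os.listdir(output_dir))
    try:
        proc = subprocess.run([tool, targets, out_arg], capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return False, "timed out after %ss" % timeout
    if proc.returncode != 0:
        return False, "exit %d: %s" % (proc.returncode, proc.stderr.decode(errors="replace").strip())
    new = sorted(set(os.listdir(output_dir)) - before)
    return (True, ", ".join(new)) if new else (False, "exit 0 but no report written")


def run_all(base_dir):
    """Run every tool under scripts/network and scripts/web; reports land in <base_dir>/output."""
    output_dir = os.path.join(base_dir, "output")
    os.makedirs(output_dir, exist_ok=True)
    results = {}
    for kind, target_file in SCAN_SETS.items():
        for tool in list_tools(os.path.join(base_dir, "scripts", kind)):
            results[os.path.basename(tool)] = run_tool(tool, os.path.join(base_dir, target_file), output_dir)
    return results


def demo():
    """Constructed fixture, not real scanners: one stand-in that writes a report, one that errors out."""
    base = tempfile.mkdtemp()
    tools = os.path.join(base, "scripts", "network")
    os.makedirs(tools)
    files = {
        os.path.join(base, "ips.txt"): "192.0.2.10\n",  # TEST-NET-1 address, constructed
        os.path.join(tools, "fake_nmap.sh"): '#!/bin/sh\ncp "$1" "$2fake_nmap.xml"\n',
        os.path.join(tools, "fake_openvas.sh"): "#!/bin/sh\necho 'omp: not configured' >&2\nexit 3\n",
    }
    for path, text in files.items():
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, 0o755)
    return run_all(base)
```

In a cron job, the failed entries from run_all() are what you would alert on before moving ./output/* into the workspace report directory.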

Demo:

Schedule:

The last step is to configure how regularly you are going to run the tool.
A simple example uses cron to execute the tool every day at midnight and move the reports to the workspace "workspace_name":

# crontab -l

# cscan.py is a Python script, so it is run with python rather than bash
0 0 * * * python /root/dev/cscan/cscan.py ; mv /root/dev/cscan/output/* /root/.faraday/report/workspace_name/

Another option is to drive the scripts from Jenkins, which lets us set up different configurations and start scans on events. For example, each time a new merge or release is done, a scan of the web site or of a specific IP is run.

Faraday Web UI:

Each time a report is incorporated, only the new information is added. Using tags we can categorize the vulnerabilities and mark where our attention needs to be focused.

1) In the image below we can see our first import from Nessus.



2) In the second image we tagged each vulnerability as either a real vulnerability or a false positive.




3) Finally, in the last image we loaded a second Nessus report, and here we can observe the new vulnerabilities.



This continuous procedure gives a company an expanding view of its infrastructure over time.

Tool:

You can find the code on Github:
http://github.com/infobyte/cscan

In the next iteration of Faraday we are going to distribute it with the tool set, in the directory $FARADAY_DIR/scripts/cscan/

Install:

* For burp it is necessary to include the plugin plugin/carbonator/carbonator.py; it has some modifications to adapt it to our implementation.

A couple more requirements:

* pip install python-owasp-zap-v2 w3af-api-client

To-Do:

Add more tools and improve the detection of tool errors.

We are really looking forward to hearing your recommendations, questions and pull requests!
