Saturday, February 18, 2017

Using PowerShell to Work w/ Tenable Restful Web APIs (IRM FTW)

This one feels like it’s been a long time coming, and since the Mrs. was out of town last week, I wasn't able to keep up with regular duties and put together a new post.  It doesn’t help that I’m still somewhat new to forcing out new topics every week, but enough of the excuses.  I present the latest entry: working with Tenable’s API using PowerShell.


A little bit of backstory on how this came to happen.  Having implemented a new vulnerability program, I wanted a good metric that pulled actual counts of vulnerabilities by severity.  Nessus does a nice job of rolling up its reports, but the counts are summarized in the reporting rollup.  I needed something that would give a total without being summarized by system.  Initially, I was going to write some long-winded functions that would require:
  1. Saving the detailed CSV manually.
  2. Parsing the columns in the CSV to get a summary.
  3. Counting each one by host.
  4. Repeating.


With that process there would have been a lot of things running, but all of it driven by a manual process, and that is not a good reason to be scripting something out.  Enter the Nessus API documentation.  The API mapping can be found at https://[nessus_server]:[portNo]/api.  If working with the cloud API, it can be found at https://cloud.tenable.com/api.  I updated this script, shared in full at the end, to test for this if no port is specified.


Before I could work with the scans, I needed to authenticate to the application.  After browsing to session -> create, I found that if I POST to /session with a username and password, I get the API key back.  Initially this was giving me fits, but at the bottom of the API documentation there is a form to test the method.

I was having some issues keeping the session open, and @maendarb recommended I take a look at Posh Nessus.  I reviewed its session handling and was able to pass the credential in the same manner.  I was receiving my access token with the following command:

I was receiving errors whenever I tested without passing it through as a PSCredential, although in later modified runs it was converting the JSON with no issues.


Next I needed to see how the session was passed, so I watched a scan retrieval flow through OWASP ZAP, using the same test technique as with the authentication credential.  When the token was passed, it was sent in the X-Cookie header.  Adding this to the Invoke-RestMethod -Headers parameter as part of the command below got me back a JSON object of all my scans.

The only thing left to do was to loop through the last active scan by scan ID and obtain the vulnerability count by host based upon critical score.  I still had to pull the scan details, which is outlined in the API documentation.  It was as simple as looping through the scans and passing each scan ID through one last Invoke-RestMethod.

Lastly, the script just needed to add the counts up by host to give me the real total number of vulnerabilities found, broken down by vulnerability classification.  The full script can be found here.
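The whole flow above (create a session, carry the token in X-Cookie, list scans, pull each scan's details, sum the per-host severity counters, then destroy the session), as an added example written for this post rather than the author's full script. The server URL is a placeholder, and the JSON field names (token, scans, status, hosts and the per-host critical/high/medium/low counters) are assumed to match what the Nessus API returns:

```powershell
# Added example (not the post's own script): total Nessus findings per severity.
# Assumptions: server URL/port, and the JSON field names 'token', 'scans', 'status',
# 'hosts' plus per-host 'critical'/'high'/'medium'/'low' counters from GET /scans/{id}.
param(
    [string]$Server = 'https://nessus.example.com:8834',   # placeholder host:port
    [pscredential]$Credential = (Get-Credential -Message 'Nessus login')
)

# 1. Create a session: POST /session with username/password and get a token back.
$body = @{
    username = $Credential.UserName
    password = $Credential.GetNetworkCredential().Password
} | ConvertTo-Json
$session = Invoke-RestMethod -Method Post -Uri "$Server/session" `
    -ContentType 'application/json' -Body $body
$body = $null   # do not keep the plaintext password in a variable any longer than needed

# 2. Every later call carries the token in the X-Cookie header.
$headers = @{ 'X-Cookie' = "token=$($session.token)" }

# 3. List scans and keep only the ones that have finished.
$scans = (Invoke-RestMethod -Method Get -Uri "$Server/scans" -Headers $headers).scans |
    Where-Object { $_.status -eq 'completed' }

# 4. Pull each scan's details and add up the per-host severity counters.
$totals = [ordered]@{ critical = 0; high = 0; medium = 0; low = 0 }
foreach ($scan in $scans) {
    $detail = Invoke-RestMethod -Method Get -Uri "$Server/scans/$($scan.id)" -Headers $headers
    foreach ($h in $detail.hosts) {
        # copy the key list first so the hashtable can be updated while iterating
        foreach ($sev in @($totals.Keys)) { $totals[$sev] += [int]$h.$sev }
    }
}

# 5. Destroy the session so the token cannot be reused afterwards.
Invoke-RestMethod -Method Delete -Uri "$Server/session" -Headers $headers | Out-Null

[pscustomobject]$totals
```

Save it as a .ps1 and run it with -Server pointing at your scanner; if the server uses a self-signed certificate, import that certificate into the trusted store rather than disabling certificate validation.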


A few things learned within this process…

  1. Working with APIs in PowerShell can be amazingly simple with Invoke-RestMethod.
  2. Once the initial session creation was worked out against Tenable’s API, it became easy to use PowerShell to automate a lot of my old manual reporting functions.
  3. Getting comfortable with a good web proxy makes it a lot easier to work out the format of the commands to pass.
