Title: Query Security Center v4 API for IAVMs across multiple Nessus Scanners (ACAS)
Description: Remotely poll X number of scanners for IAVM numbers.
A customer had dozens of Nessus Scanners world-wide and needed IAVM data from each of them in a most up-to-date fashion. Apparently Tenable has some sort of roll-up/replication server or capability but it rarely worked and/or was rarely accurate. Because of this, the customer had one person manually logging into the web interface of each Nessus scanner and manually searching for specific IAVMs and then transposing the data to an Excel spreadsheet. ...On average, they claimed there were anywhere from 15-30 IAVMs they wanted to track. The Security Center interface only allowed the searcher to query for one IAVM at a time. This was known to be a full-time job (8 hrs/day) for the person gathering the data. ...Oh and the report was generated every day.
After reading up on the Security Center API which covered many of the functions necessary interact with the API in perl/python, I was able to produce a PowerShell script that would poll each server for all of the IAVMs and save them to a CSV. Not multi-threaded, the script took about 15 minutes to complete. It's listed below and contains the interactions described above and includes comments that were necessary in the web-page interaction debugging process (e.g. the HTTP POST data) that allowed me to construct the information in the format necessary to interact with the API.
To use:
- Copy the script below into a file and save it as whatever-you-want-to-call-it.ps1
- I named mine Get-NessusV4Report.ps1 but I'm really querying the Security Center and only scanning for IAVMs so call yours something more accurate.
- Run the script in the following fashion:
- PS C:\>whatever-you-want-to-call-it.ps1 -PathToServerList servers.txt -PathToIAVMList iavms.txt
- It will prompt for credentials, and assuming you have legitimate nessus scanners in your servers.txt and legitimate IAVMs in your iavms.txt, (and the SecurityCenter version is v4), it will prodcue a CSV to your desktop and let you know when it's done.
Param (
[parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()] [string]$PathToServerList,
[parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()] [string]$PathToIAVMList,
[ValidateNotNullOrEmpty()] [string]$OutputCsv = "$($env:USERPROFILE)\Desktop\NessusSC_VulnerabilitySummary_$(Get-Date -Format 'yyyy-MM-dd').csv"
)
if (-not(Test-Path $PathToIAVMList)) { Write-Warning "File not found, try again: $($PathToIAVMList)"; break }
if (-not(Test-Path $PathToServerList)) { Write-Warning "File not found, try again: $($PathToServerList)"; break }
#if (-not(Test-Path $OutputCsv)) { Write-Warning "File not found, try again: $($OutputCsv)"; break }
#$PathToIAVMList = 'iavms.txt'
#$PathToServerList = 'Servers.txt'
$IAVMList = @([System.IO.File]::ReadAllLines($PathToIAVMList) | Where-Object { $_ -notmatch '^\#' })
$ServerList = @([System.IO.File]::ReadAllLines($PathToServerList) | Where-Object { $_ -notmatch '^\#' })
if ($IAVMList.Count -eq 0) { Write-Warning "IAVMList is empty. Please populate $($PathToIAVMList) with the IAVM list you want to scan for on each ACAS server."; break }
if ($ServerList.Count -eq 0) { Write-Warning "ServerList is empty. Please populate $($PathToServerList) with the servers you want to run this query against."; break }
$ValidCred = $false
Do {
$Username = Read-Host -Prompt "Enter username"
$Password = Read-Host -Prompt "Enter password" ##The password is provided in plaintext intentionally. If a SecureString was used, we'd have to convert it back to plaintext to be able to pass to the NESSUS API which would require Administrator elevation.
if ([System.String]::IsNullOrEmpty($Username) -or [System.String]::IsNullOrEmpty($Password)) {
Write-Warning "You must enter a username and password to proceed."; continue
}
if ($Credential.UserName -match '\\') {
Write-Warning "A backslash character was found ('\'), please only supply a username without any domain identification."; continue
}
$ValidCred = $true
} Until ($ValidCred)
## These settings are required to successfully establish a connection to an SSL server due to the elevated security posture
## adopted by the org.
[Net.ServicePointManager]::Expect100Continue = $true
[Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Ssl3, [System.Net.SecurityProtocolType]::Tls, [System.Net.SecurityProtocolType]::Tls11, [System.Net.SecurityProtocolType]::Tls12
$Results = @()
#$ServerList = @('acas01')
foreach ($s in $ServerList) {
Write-Host $s
if (-not(Test-Connection $s -Count 1 -Quiet)) { Write-Warning "Could not connect to $($s), skipping..."; continue }
[System.Net.WebRequest]::DefaultWebProxy = $null
$Login = New-Object PSObject -Property @{
'username' = $username
'password' = $password
}
$ConnectBody = @{
module = 'auth'
action = 'login'
input = (ConvertTo-Json -Compress $Login)
}
try {
## Login to the SecurityCenter API -- required by the API
$ret = Invoke-WebRequest -URI "https://$($s)/request.php" -Method POST -Body $ConnectBody -UseBasicParsing -SessionVariable sv -ErrorAction Stop
} catch {
Write-Error $Error[0]
continue
}
if ($ret.StatusCode -ne 200) {
Write-Warning "An error occurred with the HTTP request. HTTP Status Code: ($($ret.StatusCode)); HTTP Status Description ($($ret.StatusDescription))"
continue
}
$ApiResponse = $ret.Content | ConvertFrom-Json
if ($ApiResponse.error_code -ne 0) {
Write-Warning "The API returned an error trying to authenticate to the server ($($s)). `r`nAPI Error Code: ($($ApiResponse.error_code)); `r`nAPI Error Message: ($($ApiResponse.error_msg)) `r`nConstructed HTTP POST param: $($ConnectBody.input)"
continue
}
# Extract the token
$resp = (ConvertFrom-Json $ret.Content)
$token = $resp.response.token
$sessionid = $resp.response.sessionID
#$IAVMList = @('2016-B-0036')
foreach ($IAVMId in $IAVMList) {
## Structure the queries into objects that can output JSON compressable format to properly send the query
$QueryFilters = New-Object PSObject -Property @{
'filterName' = 'iavmID'
'operator' = '='
'value' = $IAVMId
}
$QueryData = @{
sortDir = 'desc'
sortField = 'severity'
endOffset = 29
tool = 'sumiavm'
sourceType = 'cumulative'
filters = '[' + (ConvertTo-Json -Compress $QueryFilters) + ']'
startOffset = 0
}
## What the filter looks like after compression, if filtering on iavmid 2016-B-0036:
## [{"operator":"=","value":"2016-B-0036","filterName":"iavmID"}]
$QueryBody = @{
module = 'vuln'
action = 'query'
input = (ConvertTo-Json -Compress $QueryData).Replace('\','').Replace('"filters":"', '"filters":').Replace('}]",', '}],')
token = $token
}
## What the POST data (input property of the QueryBody var) looks like after compression:
## {"endOffset":29,"sourceType":"cumulative","filters":"[{\"operator\":\"=\",\"value\":\"2016-B-0036\",\"filterName\":\"iavmID\"}]","sortDir":"desc","sortField":"severity","startOffset":0,"tool":"sumiavm"}
## Notice all of the extra encoding of escape characters (\) and quotations in the wrong place. The replace() filters fixes that.
## What the POST data looks like after compression and replacement filters:
## {"endOffset":29,"sourceType":"cumulative","filters":[{"operator":"=","value":"2016-B-0036","filterName":"iavmID"}],"sortDir":"desc","sortField":"severity","startOffset":0,"tool":"sumiavm"}
try {
$ret = Invoke-WebRequest -URI "https://$($s)/request.php" -Method POST -Headers @{"X-SecurityCenter"="$($token)"} -Body $QueryBody -UseBasicParsing -WebSession $sv -ErrorAction Stop
} catch {
Write-Error "An error occurred connecting to server ($($s)), with error: $($error[0])"
}
#$ret
if ($ret.StatusCode -ne 200) {
Write-Warning "An error occurred with the HTTP request. HTTP Status Code: ($($ret.StatusCode)); HTTP Status Description ($($ret.StatusDescription))"; continue
}
$ApiResponse = $ret.Content | ConvertFrom-Json
if ($ApiResponse.error_code -ne 0) {
Write-Warning "The API returned an error trying to authenticate to the server ($($s)). API Error Code: ($($ApiResponse.error_code)); API Error Message: ($($ApiResponse.error_msg))"; continue
}
# Extract data from response. The response comes back URL Encoded (e.g. single-line) so to convert that back to an object that PowerShell very easily manipulates, JSON works perfectly.
$data = (ConvertFrom-Json ($ret.Content)).response
## Write the results to the output object. The results are empty if 0 are returned so we need a slightly different object to report 0.
if ($data.totalRecords -eq 0) {
$Results += New-Object PSObject -Property @{
'IAVMId' = $IAVMId
'Severity' = ''
'Total' = $data.totalRecords
'HostTotal' = $data.totalRecords
'Server' = $s
} | Select-Object IAVMId,Severity,Total,HostTotal,Server
} else {
$Results += New-Object PSObject -Property @{
'IAVMId' = $data.results.iavmId
'Severity' = $data.results.severity
'Total' = $data.results.total
'HostTotal' = $data.results.hostTotal
'Server' = $s
} | Select-Object IAVMId,Severity,Total,HostTotal,Server
}
## Manually wipe out variables so we don't get errant data from a previous query added to a query that didn't return correctly.
$QueryFilters=$QueryBody=$QueryData=$ApiResponse=$data=$ret=$null
}
#$ConnectBody = @{
# module = 'auth'
# action = 'logout'
# input = '[]'
# token = $token
#}
# Login to the SecurityCenter
#$ret = Invoke-WebRequest -URI "https://$($s)/request.php" -Method POST -Body $ConnectBody -UseBasicParsing -SessionVariable sv
}
$Results | Export-Csv -NoTypeInformation $OutputCsv
Write-Output "Results have been copied to: $($OutputCsv)"
## Extracted HTTP POST data for Nessus Security Center report generation.
#{"sortDir":"desc","sortField":"severity","endOffset":29,"tool":"sumiavm","sourceType":"cumulative","filters":[{"filterName":"iavmID","operator":"=","value":"2016-B-0036"}],"startOffset":0}
Hi, just wanted to say thank you for this post :)
ReplyDeleteIt helped me fix something in a script I'm working on to get analysis data with PS using the API.
Glad you were able to use some part of it for what you needed.
Delete