Navi Services — Automate Vulnerability Management tasks with Docker and pytenable
Time is our most valuable asset.
I often obsess over this concept of time. It is one of the main reasons I gravitate towards automation with Python: besides its simplicity and ease of use, it can save a lot of time on repeatable and predictable tasks.
With this obsession in mind, I spent the last few weekends creating use-case-driven proofs of concept: simple automation scripts built with Docker, pytenable and navi. I will write more about each script, and I plan on writing more scripts/services. For now, I’d like to introduce the first four containers to navi services!
Introducing: Navi Services
There are four new navi services, each deployed using Docker and powered by pytenable, to help with advanced tagging of assets and automating dependency scans. These Docker containers are simple to use: just provide your authentication keys and let the container do its job.
Below is a short overview of each project.
Scan Awareness Tags
The Scan Awareness Container uses navi to download asset and vulnerability data into a SQLite DB, which is then used for searching and parsing plugin data. The results are a number of Tenable.io tags with one of these three characteristics:
- Scan Duration, found in the output of plugin 19506
- Credential Failures, based on plugins 104410, 21745, 110385, 117885
- Scan ID, based on the hosts most recently found by each scan run in the last 35 days.
Why?
Scan visibility can be very difficult. Consider the screenshot below showing an asset that was scanned by 8 different scans, potentially with 8 different policies; this type of behavior is likely to cause more problems than it solves. The first step is knowing you have a problem.
Without tagging by Scan ID, it is very difficult to figure out whether an asset is being beaten up by poor scan practices.
Deploy with Docker — packetchaos/scantags
docker run -d -e access_key="your Access Key" -e secret_key="your secret Key" packetchaos/scantags
Got ideas?
If you have ideas, please share them. Enter a comment below or open a ticket or a PR on GitHub.
Critical Tags
The Critical Tags Container uses navi to download asset and vulnerability data into a SQLite DB, which is then used for searching and parsing plugin data. The results are a number of Tenable.io tags with one of these eight characteristics:
- CISA Known Exploits, using ‘CISA’ found in the plugin cross references
- Long Scan Times, using the duration reported in the 19506 plugin.
- Credential issues using plugins 104410, 21745, 110385, 117885
- Certificate issues using plugins 10863, 15901, 69511, 51192, 42981, 60108
- Web Servers using plugin 24260
- Docker hosts using 93561
- VMware Hosts and Virtual Machines using plugins 20301 and 20094 respectively.
- Reboots Required using plugins 35453 and 163103
Deploy using Docker — packetchaos/critical_tags
docker run -d -e access_key="your Access Key" -e secret_key="your secret Key" packetchaos/critical_tags
Navi Command for Easy Deployment
navi deploy critical-tags
Got ideas?
If you have ideas, please share them. Enter a comment below or open a ticket or a PR on GitHub.
Dependency Scans
Currently there are two different Docker containers to solve two mildly different use cases.
- Simple Dependency Scan — Start one scan, follow its progress, then start scan two
- Discovery then Vuln scan — Start scan one, typically a discovery scan, follow its progress, then start scan two, typically a vulnerability scan, using the responding IPs from scan one as alternative targets for the second scan.
Simple Dependency Scan
- Launch ‘trigger’ scan
- Check progress every min
- Launch ‘fire’ scan
docker run -d -e access_key="your Access Key" -e secret_key="your secret Key" -e trigger="trigger scan" -e target="target/fire scan" packetchaos/dependencyscan
Discovery Scan Then a Vulnerability Scan
- Launch ‘trigger’ scan with new subnets as ‘targets’
- Check progress every min
- Extract ‘hosts’ from scan one
- Launch ‘fire’ scan with the ‘hosts’ from scan one.
docker run -d -e access_key="your Access Key" -e secret_key="your secret Key" -e trigger="discovery scan ID" -e fire="vulnerability scan" -e targets="target subnet(s)" packetchaos/discovery_then_vulnscan
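Both dependency flows above (simple trigger-then-fire, and discovery-then-vuln with responding hosts passed as alternate targets) boil down to the same launch / poll / launch loop. The following is an added example written for this post, not code from the navi containers; it assumes pytenable's TenableIO client (`tio.scans.launch`, `tio.scans.status`, `tio.scans.results`), assumes the terminal scan states listed in `TERMINAL_STATES`, and takes the client as a parameter so the flow can be exercised offline with the constructed `StubScans` stand-in instead of real API keys.

```python
import time
from types import SimpleNamespace

# Scan states treated as finished (assumed; Tenable.io also reports pending/running/paused).
TERMINAL_STATES = {"completed", "canceled", "aborted", "stopped"}

def extract_hosts(results):
    """Responding hosts from a scans.results() payload (deduplicated, sorted)."""
    return sorted({h["hostname"] for h in results.get("hosts", []) if h.get("hostname")})

def wait_for_scan(tio, scan_id, poll_seconds=60, max_polls=720, sleep=time.sleep):
    """Poll scans.status() every poll_seconds until the scan reaches a terminal state."""
    for _ in range(max_polls):
        status = tio.scans.status(scan_id)
        if status in TERMINAL_STATES:
            return status
        sleep(poll_seconds)
    raise TimeoutError(f"scan {scan_id} still running after {max_polls} polls")

def dependency_scan(tio, trigger_id, fire_id, targets=None, pass_hosts=False, **kw):
    """Launch the trigger scan, wait for it, then launch the fire scan. With
    pass_hosts=True the hosts that answered the trigger scan become the fire scan's
    alternate targets (the discovery-then-vuln case); otherwise fire runs as saved."""
    tio.scans.launch(trigger_id, targets=targets)
    status = wait_for_scan(tio, trigger_id, **kw)
    if status != "completed":
        raise RuntimeError(f"trigger scan {trigger_id} ended with status {status!r}")
    hosts = extract_hosts(tio.scans.results(trigger_id)) if pass_hosts else None
    if pass_hosts and not hosts:
        return []  # nothing responded: skip the vuln scan rather than launch it with no targets
    tio.scans.launch(fire_id, targets=hosts)
    return hosts

class StubScans:
    """Constructed stand-in for pytenable's tio.scans so the flow runs offline."""
    def __init__(self, hosts):
        self.launched, self._polls, self._hosts = [], 0, hosts
    def launch(self, scan_id, targets=None):
        self.launched.append((scan_id, targets))
    def status(self, scan_id):
        self._polls += 1          # report "running" twice, then "completed"
        return "running" if self._polls < 3 else "completed"
    def results(self, scan_id):
        return {"hosts": [{"hostname": h} for h in self._hosts]}

def stub_tio(hosts=("10.0.0.5", "10.0.0.7", "10.0.0.5")):
    """Constructed client with sample discovery results; real use: TenableIO(access_key, secret_key)."""
    return SimpleNamespace(scans=StubScans(list(hosts)))
```

Pass `sleep=lambda s: None` to `dependency_scan` when testing so the one-minute polling interval is skipped.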