Showing posts with label Nessus. Show all posts

Monday, March 23, 2009

InProtect 1.00.0 Beta_2 VMWare Image

Given the recent progress the team has made on the InProtect project, and the many emails I see floating about on the lists, I decided to create a VMware image of an "almost" fully functioning InProtect installation. I say "almost" because, as with the LiveUSB that I released some time ago, I can't include the latest version of Nessus in the VM due to the licensing restrictions imposed by Tenable. Note that I have not included detailed instructions on the use of InProtect; I may do this later but haven't the time right now.

Please remember that this is a BETA and as such may not be fully functional. If you find bugs or the like, please file them at the sf site or hit us up!

So, the quick and dirty of it is that all you need to do is go to the Nessus website and download the latest Nessus tarball for FreeBSD, upload it to the VM (scp), install it (pkg_add), start it, register it and run the /opt/Inprotect/sbin/updateplugins_1.00.pl script! Whew, that was one long run-on sentence! For everything to match up, create a user "inprotect" with password "inprotect" in your Nessus daemon; that is the account InProtect uses to connect to nessusd. Once you have completed the aforementioned steps you are all set and should be able to scan. Note that if you want to scan targets outside of the VM you will need to change the VM's network interface to bridged (or otherwise routed) mode. The interface is set for DHCP and everything will start up just fine with any address that you assign it or that it receives.


You will also need to drop the jpgraph files into /opt/Inprotect/html if you want the nifty graphs to work, but I'll probably speak more to this in an upcoming post.

I essentially used the install script to install into /opt/Inprotect on, you guessed it, FreeBSD 7.1R, but of course had to make a few minor adjustments (it's not always 100% out of the gate) to get everything working together. That being said, you can probably do the same on your own distro.

Some important info that you will (or may) need, as username / password / medium:
  • inprotect / inprotect / shell
  • root / root / console
  • root / root / mysql
  • admin / password / InProtect web interface
These are demo defaults that anyone reading this post knows, so change all of them (and the Nessus "inprotect" account) before you bridge the VM onto a network you care about.

phpMyAdmin is installed at http://ipofyourvm/phpmyadmin/ for your mysqling pleasure. It authenticates against the same MySQL accounts listed above, so it deserves the same care as the root / root login.

To access InProtect simply browse to the ip of your VM: http://ipofyourvm

If you want nmap, build it from ports: /usr/ports/security/nmap

Get the VMWare Image Here
MD5
SHA256

Cheers,
JJC

Tuesday, February 19, 2008

InProtect LiveUSB 0.80.3 Beta!

Though the InProtect project has not made many public postings lately (beta releases and the like), we have been quite busy. We will soon be releasing a tarball of the latest 0.80.3RC1. That is not, however, the purpose of this article; rather, I am releasing a LiveUSB image that is an entirely self-contained, functioning installation of InProtect on a FreeBSD 6.3-Current system.

I came up with the idea for the InProtect LiveUSB when someone requested that I build one for another project that I am an active member of (HeX). Unfortunately it has taken me several months to find the time to actually build it. Having said that, I am quite pleased with the outcome and functionality of the tool. Putting the whole scanner on a USB thumb drive gives the user a lot of versatility from a security perspective. Obviously a USB thumb drive is not in itself terribly secure: we put them in our pockets, they fall out in a parking lot, and anyone could conceivably pick one up and snag the data off it, among other scenarios. What I mean is the security of the location or client that has a sensitive environment with sensitive data. In that scenario the USB device can be taken in and, post scan, left with the organization that owns the sensitive data, so no scan results ever leave the site. Again though, the primary purpose of this build is to allow for a solid demo of the InProtect system.

As I said earlier, the system was built using FreeBSD 6.3-Current; on top of this I built fluxbox (and several applications such as Firefox), mysql51, apache22, php5 and several Perl modules that are InProtect dependencies. I manually configured all of the components to work with InProtect; the installer currently does not work on FreeBSD, though I am in the process of building a port. In short, and as stated earlier, this is a fully functional InProtect scanner with a few things that need to be completed by the end user: a Nessus 3.0.x install and a jpgraph for php5 install.

Nessus and jpgraph are not included in this image because of their licensing restrictions (they are not GPL), which is why they must be installed manually.

First you will need to download the InProtect LiveUSB 0.80.3 image here:

http://www.redsphereglobal.com/data/tools/security/live/inprotect-i386-0.80.3-beta.usb.img.gz
MD5 (inprotect-i386-0.80.3-beta.usb.img.gz) = 605a5b20d754ea7e6305922695f301ba
SHA256 (inprotect-i386-0.80.3-beta.usb.img.gz) = 1d562d17db0ef4e3afefcca18fd40932b7faecdddd673910c3ad11a4aab4434b

After obtaining the image and gunzipping it, use dd to write it to a 2G or larger USB thumb drive. NOTE that you want to write it to the device itself and NOT to a specific partition on the device. Also, if you didn't figure it out already, this will overwrite anything currently on your thumb drive, so check the device name twice and compare the checksums above before you write.
dd if=/path/to/foo/inprotect-i386-0.80.3-beta.usb.img of=/dev/da0 bs=1M
Your output device may differ from /dev/da0 (that is mine on a FreeBSD boxen; on Linux it is more likely /dev/sdX). The key is that you write directly to the whole-disk device and NOT to a partition such as /dev/da0s1; that will NOT work. Assuming you have a thumb drive and computer capable of USB 2.0, this should take around 10 minutes to write all of the data.
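Putting the checksum comparison and the whole-disk check in front of the dd, as an added example that is not part of the original post. It assumes a POSIX sh with one of sha256 (FreeBSD base), sha256sum (coreutils) or openssl on the PATH; the whole-disk test is only a device-name heuristic for FreeBSD da* and Linux sd* nodes, so still confirm the device with gpart or fdisk.

```sh
#!/bin/sh
# Added example (not part of the original post): check the downloaded image
# against the published SHA256 and refuse to dd it onto anything that looks
# like a partition instead of the whole disk. Assumes a POSIX sh and one of
# sha256 (FreeBSD base), sha256sum (coreutils) or openssl on the PATH.

# Published digest of inprotect-i386-0.80.3-beta.usb.img.gz (from the post).
INPROTECT_IMG_SHA256="1d562d17db0ef4e3afefcca18fd40932b7faecdddd673910c3ad11a4aab4434b"

# Print the lowercase hex SHA256 of a file using whichever tool exists.
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# Succeed only when the file's digest equals the expected one.
verify_image() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# Succeed for whole-disk nodes (FreeBSD /dev/daN, Linux /dev/sdX) and fail
# for slices/partitions (/dev/da0s1, /dev/da0p2, /dev/sdb1) or anything
# unrecognised. A name check only: confirm with gpart/fdisk before writing.
is_whole_disk() {
    case "$1" in
        */da[0-9]*[sp][0-9]*) return 1 ;;     # FreeBSD slice or GPT partition
        */sd[a-z]*[0-9]*)     return 1 ;;     # Linux partition
        */da[0-9]*)           return 0 ;;
        */sd[a-z]*)           return 0 ;;
        *)                    return 1 ;;
    esac
}

# Verify the .gz, decompress beside it and write the raw image to the disk.
# Usage: write_image inprotect-i386-0.80.3-beta.usb.img.gz /dev/da0
write_image() {
    gz="$1"; dev="$2"; expected="${3:-$INPROTECT_IMG_SHA256}"
    if ! verify_image "$gz" "$expected"; then
        echo "checksum mismatch for $gz; not writing" >&2
        return 1
    fi
    if ! is_whole_disk "$dev"; then
        echo "refusing to write to $dev: not a whole-disk device" >&2
        return 1
    fi
    raw="${gz%.gz}"
    gunzip -c "$gz" > "$raw"
    dd if="$raw" of="$dev" bs=1M
}
```

Source the file and call write_image with the .gz and the target device (as root); a bad download or a partition name stops the script before a single block is written.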

At this point you should be able to boot from your shiny new LiveUSB thumb drive. The initial login details are simple (these ARE case sensitive, so pay attention!):
Username: InProtect
Password: inprotect
Once logged in, type startx to get into fluxbox. If you are not familiar with fluxbox, I suggest playing around with it a little. A tip: this isn't windoze; you access the main fluxbox menu by right clicking anywhere on the desktop. The image to the right shows the menu of the InProtect LiveUSB. The highlighted option will take you to the Nessus and jpgraph installation instructions.

Even before you install Nessus or jpgraph you will be able to log in to the local instance of InProtect by selecting the InProtect menu option as displayed below. Once you have selected it, use admin / admin as the login and password.

Note that until you install Nessus you will not be able to run any scans.

In this image I have already created a default scan zone and default scanner, so once Nessus is installed and the Nessus user created, as noted in the instructions contained on the image, the system is fully functional and scans can be created and executed immediately.

As always please feel free to contact me or leave any comments, criticisms, suggestions or otherwise that you might have.

Cheers,
JJC

Thursday, December 13, 2007

InProtect Update...

And a few operational notes....

We are working hard to get out the next RC for your scanning pleasure. In the meantime, please continue the use and bug reporting, it's been great thus far!

Now, as to a big bug and how to properly handle it. In previous versions of InProtect you could control the number of concurrent scans with the max_scans value in the Nessus Servers configuration dialogue. Unfortunately, with the modification of the nessus_run.pl script to streamline the scanning process, the max_scans variable no longer properly limits the scans actually being processed by the scanner. A simple example follows.

Let's say you schedule a scan of 60 hosts (IP addresses) and have set Max_Scans on that Nessus server to a maximum of 10 concurrent scans. When the scheduled scan starts it will correctly begin with 10 scans, but as those start to complete it will immediately report 20 running scans, then 30 and so on: the server's current_scans counter (which you will reset below) is not being brought back down as scans finish.

To remediate this you need to do a couple of things. First, kill your sched.pl process so that we can clean up the database. If the GUI still shows multiple scans running, confirm that none actually are with "ps -auxxx | grep nessus". Once the scheduler is stopped, look in your Inprotect database in the nessus_scan table for any record with a status of 'R':
select * from nessus_scan where status='R';
If you do have records with 'R' as their status, set them to 'C':
UPDATE `inprotect`.`nessus_scan` SET `status` = 'C' WHERE `status` = 'R';
You will also need to reset the current_scans value in the nessus_servers table:
UPDATE `inprotect`.`nessus_servers` SET `current_scans` = '0';
After completing these steps you can start sched.pl again. As another note, you may want to set all of the status values to 'C' just to clean up that table; once you restart sched.pl it will clean out all of the 'C' status scans and set their main schedule back to a scheduled status.
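The same cleanup as one script, so the database is only touched after the scheduler is stopped and no nessus process is still alive. This is an added example, not InProtect's own code. It assumes the scheduler lives at /opt/Inprotect/sbin/sched.pl (override with SCHED), that the schema is named inprotect, and that mysql(1) reads its credentials from ~/.my.cnf so the DB password never appears on the process list.

```sh
#!/bin/sh
# Added example (not InProtect's own code): the cleanup sequence from the
# post as one script. Assumptions: the scheduler is /opt/Inprotect/sbin/sched.pl
# (override with SCHED), the schema is named inprotect, and mysql(1) takes
# its credentials from ~/.my.cnf so nothing secret shows up in ps output.
SCHED="${SCHED:-/opt/Inprotect/sbin/sched.pl}"
DB="${DB:-inprotect}"

# The statements from the post; printed so they can be reviewed or piped to
# mysql, never executed implicitly.
cleanup_sql() {
    cat <<'EOF'
UPDATE `nessus_scan` SET `status` = 'C' WHERE `status` = 'R';
UPDATE `nessus_servers` SET `current_scans` = 0;
EOF
}

# Succeed if a nessus process appears in ps output (the post's
# "ps -auxxx | grep nessus" check). Pass captured ps output as $1 to test
# offline; the [n]essus pattern keeps the grep itself from matching.
nessus_running() {
    ps_out="${1:-$(ps aux)}"
    printf '%s\n' "$ps_out" | grep -q '[n]essus'
}

# Number of scans stuck in status 'R' (column names and borders suppressed).
stale_scan_count() {
    mysql -N -s -e "SELECT COUNT(*) FROM nessus_scan WHERE status = 'R'" "$DB"
}

# Stop the scheduler, refuse to proceed while scans really are running,
# reset the stale rows and counters, then start the scheduler again.
stale_scan_cleanup() {
    pkill -f "$SCHED" || true
    sleep 2
    if nessus_running; then
        echo "nessus processes still running; wait for them or kill them first" >&2
        return 1
    fi
    echo "stale 'R' scans to reset: $(stale_scan_count)"
    cleanup_sql | mysql "$DB" || return 1
    nohup "$SCHED" >/dev/null 2>&1 &
}
```

Run stale_scan_cleanup as the user that normally runs sched.pl; the refusal while nessusd is still busy is the important part, since zeroing current_scans under live scans would just recreate the inconsistency the post describes.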

Now that we have cleaned up the remnants of the aforementioned bug, let's talk about the current workaround. It is fairly straightforward and consists of two simple modifications: one to your Nessus server settings and one to your scan profile. First, in the InProtect GUI select Settings -> Nessus Servers -> Edit and set the value for Max number of hosts to scan to an extremely high number such as 10000 or more, so that InProtect's own (broken) limit never kicks in.


The next part of the workaround is to define the maximum hosts in the scan profile itself, which tells the nessusd server how many hosts it may scan at the same time. Select Settings -> Nessus Scan Profiles -> Edit your existing default profile -> Preferences; under the serverprefs section are the options max_checks and max_hosts. max_checks defines the number of tests run concurrently against a single host, and max_hosts defines the maximum number of hosts nessusd will scan concurrently. As you can see in the image below, I have set my defaults to 4 checks and 10 hosts. Because the limit is now enforced by nessusd rather than by InProtect, it holds even while InProtect's counter is wrong.


Regards,
JJC

Monday, November 26, 2007

InProtect Beta 0.80.2

In the interest of continuing a good thing (although this post is a bit late), we have released a new bugfix version of InProtect 0.80.x. This version is 0.80.2 and can be found at our sourceforge download location.

We hope to have an official release out on or about the new year and are working hard to meet this deadline. I would like to thank all of the users for their feedback and continued support of this project. It is always refreshing and energizing when there is good positive community usage and feedback!

As always, I invite you to join us in freenode or arcnet in #inprotect to tell us about your experiences, issues, bugs and the like.

Regards,
JJC

Monday, November 12, 2007

InProtect 0.80.1 Beta

Fixed a few of the issues that everyone was experiencing... also updated the following:
  • clean install - fixed bad syntax issues
  • clean install - set proper version in db
  • clean install - changed admin to Admin in user group data (Admin is the original user for conformity)
  • upgrade - set proper version in db
  • upgrade - changed admin to Admin in user group data (Admin is the original installed user and this setting must match the current user so that proper access is given to Admin)
Also added a note to INSTALL that the Admin password is "admin"; this changed as of 0.80.x.

new tarball can be found here:

https://secure.redsphereglobal.com/data/tools/inprotect/inprotect-0.80.1.tar.gz
https://secure.redsphereglobal.com/data/tools/inprotect/inprotect-0.80.1.tar.gz.md5
https://secure.redsphereglobal.com/data/tools/inprotect/inprotect-0.80.1.tar.gz.sha256

We should have the sourceforge project site updated with this tarball at some point tomorrow. I will also be following up with upgrade instructions tomorrow, as the current instructions do not include details of upgrading to 0.80.x.

Cheers,
JJC

InProtect 0.80.0 Beta *fixed clean install sql*

My apologies for the issues that people have been experiencing with the new Beta of InProtect, but please remember that this is the purpose of a beta.

I appreciate all of the feedback in IRC and comments on this blog. Below is the URL to a version of InProtect with a cleaned-up clean-install SQL script. Note that you may still have issues with the actual install script (not the .sql); I am working on that right now and hope to have it out shortly.

InProtect 0.80.0 Beta **FIXED**
MD5
SHA256

Regards,
JJC

Thursday, November 8, 2007

InProtect 0.80.0 Beta Released!

So we have *finally* managed to get the 0.80.0 Beta out the door; unfortunately the new package does not include any of the new install or upgrade info (there are twelve of us working on this). I'll be covering these topics in follow-up articles over the next day or so.

Get the InProtect 0.80.0 Beta Here!


For now, let's talk about some of the major changes that we have incorporated into this version.

Gui:
  • Completely revamped menu system, access control driven.
  • User customizable dashboard.
  • Html and PDF report formats match.
  • Exportable xls reports.
  • Cleaned up excessive and unneeded sql queries to enhance speed.
  • Role-Based permissions.
  • Exception list for hosts.
  • Host specific lookup capabilities.
  • Cleaner interface.
Database:
  • All stored passwords are encrypted with a user-selectable cipher such as Blowfish.
  • Sensitive data is encrypted.
  • Database structure modified to allow for role-based permissions.
  • Database structure modified to enhance and improve large query response (including indexing).
Engine:
  • Max server scans are now run in a single session rather than multiple individual sessions; this reduces the load on both the Nessus scanner and the InProtect console server.
  • Encryption and decryption functions added for sensitive data.
  • Multiple unneeded queries removed to enhance performance.
  • Query function creation and destruction cleaned up to enhance performance.
That is basically a quick run-through of the new features (there are more, but these are the big ones IMHO). There are a few additional Perl libraries that are required in addition to those mentioned in the documentation contained in the 0.80.0 tarball; I'll list them here for you.

New Perl libraries:
  • Crypt::CBC
  • MIME::Base64
  • IO::Socket
  • POSIX
  • Socket
Of these, POSIX, Socket, IO::Socket and MIME::Base64 ship with Perl itself, so in practice only Crypt::CBC (and a cipher module for it to drive, such as Crypt::Blowfish) needs to come from CPAN. This should be some good info to get you started for now, but as I said earlier, I will be posting some additional (detailed) information for new installs and upgrades over the next few days. I will also try to update the official wiki and FAQ with these instructions.

So, for now feel free to download and play with it, let me know what you think, I can usually be found in #inprotect on freenode.

Cheers,
JJC

Sunday, November 4, 2007

Coming Soon - InProtect 0.80.0 Beta

I am excited to announce that we are on track for a beta/alpha release of InProtect 0.80.0 this coming week. You will see a great deal of enhancements in this version, including cleaner reports and graphs, user customizable dashboard, more efficient scan scheduler and controller...and much more!

I have included a "teaser" screenshot below. Note that the latest code is always available from the InProtect Sourceforge SVN repo (but that should be considered "alpha" only)...since we are consistently making changes, fixes, tests and updates...

I am also entertaining the idea of replacing / augmenting the nmap functionality with unicornscan (since unicorns are fast! <3 Unicorns); let me know what your thoughts / concerns / comments are.


Cheers,
JJC

Wednesday, October 31, 2007

Nessus 3.0.6 on Ubuntu 7.10 _Gutsy Gibbon_

After upgrading one of my test systems to Gutsy Gibbon I needed to install an application that I regularly use (Nessus). I downloaded the standard Nessus 3.0.6 deb package from nessus.org and attempted to install it via the package manager, which failed with: Error: Dependency is not satisfied: libssl0.9.7. Normally I wouldn't write about this, but since I noticed several forums and blogs where this issue was unresolved for many users, I figured I would post what worked for me.

The first thing I tried was installing libssl-dev ("sudo apt-get install libssl-dev"). That didn't help: the Nessus deb depends on the versioned runtime package libssl0.9.7 (the OpenSSL 0.9.7 shared library), while Gutsy ships OpenSSL 0.9.8, so libssl-dev only brings in 0.9.8 headers and the same "Error: Dependency is not satisfied: libssl0.9.7" came back. My next step was to download libssl0.9.7_0.9.7g-5ubuntu1.1_i386.deb directly from packages.ubuntu.com and install that package. That did the trick, and Nessus is now up and running and everyone (me) is happy. Bear in mind that this pins an old OpenSSL library that Gutsy no longer updates, so it is a test-box fix rather than something to do on a production scanner; a Nessus build linked against the current libssl is the proper cure.

Cheers,
JJC

Monday, October 22, 2007

InProtect, on track for alpha release

...We hope to have an alpha/beta release of the upcoming InProtect 0.80.0 within two weeks.

Good progress has been made tuning the elements of the engine for better performance and a lower overall load from the scheduling engine. We are currently working on migration scripts for users of both the 0.22.5 and 0.22.5JC versions.

You will see some big database changes and enhancements to the GUI in the form of role-based permissions, a per-user customizable dashboard at login, cleaned up table indexes and optimized queries and much much more.

Cheers,
JJC

Tuesday, October 9, 2007

InProtect Wiki and Update

The project continues to gain speed and support from the community (thanks again everyone!). The core team is currently meeting every other Sunday, in the secret InProtect cave, to hash out the roadmap and future plans. Unfortunately I was out of town and away from the interweb for the most recent meeting and therefore missed it.

However I still have some updates that I can post;
The InProtect Wiki is now online and we will be working hard to keep it updated with the latest goodies, FAQ, etc...! http://inprotect.wiki.sourceforge.net, please check it out and let us know what we can do to improve it or what you would like to see added.

I continue to get visitors to #inprotect on irc.freenode.net and appreciate all of the continued feedback.

We anticipate having the CVS -to- SVN conversion done shortly and subsequently publishing an Alpha release of the new version. We will also be updating the InProtect home page with meeting notes, roadmap and so on, in the near future!

Cheers,
JJC

Monday, October 1, 2007

FIXED::[Bug 1641] NessusClient 3.0.0 Beta 4 Crash on Server Connect

I must say that I am quite pleased with Renaud Deraison of nessus.org for his rapid response to, and remediation of, the bug that I discovered last week (NessusClient 3.0.0 Beta 4 Bug). There was an uninitialized pointer when a class was created from an XML file (rather than dynamically), which in turn caused a bad memory access and crashed the client.

Nessus.org has posted a fixed version, Beta 5 of the 3.0.0 NessusClient at their typical download location: http://www.nessus.org/download/.

I would also like to add to my previous posting about the feature set of the NessusClient and its inability to export to XML. This is still true, but it can be worked around (to a degree anyway). When you scan a host and choose to save the session on exiting the NessusClient, it creates a .nessus file which is pure XML (albeit a different XML format than the CLI's XML output) and which contains much more information about the scan than the other formats: all the scan results, the policies, the targets associated with each scan, etc.

Thx again Renaud!

Cheers,
JJC

Friday, September 28, 2007

NessusClient 3.0.0 Beta 4 Bug

In the process of testing and writing my previous post, I missed a bug that seems to exist in the Linux and Win32 builds of NessusClient 3.0.0 Beta 4 (at least on Windows XP SP2 and FC6). I have it installed on Ubuntu Feisty Fawn but have not connected to a Nessus scanner from there yet, though I suspect the results will be the same.

The bug is in the Connection Manager: if you do not remove the default Nessus server and create a new one, connecting will crash the NessusClient.

Shout out to Bruce for the Winblows screenshot and the initial identification that there was a problem!

Conclusion: same as my last posting; the only differences in Beta 4 are the newly introduced bugs and the "support" for certificate-based authentication to the Nessus server.

Bug opened at: http://bugs.nessus.org/show_bug.cgi?id=1641

Cheers,
JJC

Thursday, September 27, 2007

NessusClient 3.0.0 Beta 4 - Nothing really new

Today Tenable announced NessusClient 3.0.0 Beta 4. Being the consummate security professional (geek) that I am, I had to download it and poke around. I must say that I am still disappointed that it lacks many of the capabilities of the Nessus client itself (the CLI).

The look and feel are the same as since Beta 3 (and earlier Linux / Mac releases).

Main Screen, add hosts, connect to scanner, define scanning policy / type and begin scan.


Add host(s) or subnetworks


Edit scan policy.


And finally...the results!


So, now that you have seen the results and some of the options, I'll get into it. Overall this is a somewhat useful tool for ad-hoc or verification vulnerability scans. The primary drawback is that it will only export to HTML, NBE and NSR, not TXT or XML (both supported by the CLI client). And while all plugins have associated CVSS scores, a significant drawback of the NessusClient is that it does not sort or readily display the results by CVSS score, which makes it difficult to locate results by score and thereby prioritize.

All being said, this is a good support tool, and I would suggest using it in conjunction with something like InProtect that gives you history and maintains result sets in a manageable, queryable database.

Cheers,
JJC

Friday, September 14, 2007

InProtect Update, It Lives!

Just to give a quick update about the InProtect project, it is up and alive again and we now have 12 people actively working on the project!

We are in the process of developing a roadmap and evaluating several forks to determine what should be used or adopted into the upcoming version.

As of this post we have established the team, decided that we will be converting to SourceForge's SVN repo rather than CVS, and started evaluating the forks; some screenshots are attached below.

It's also been nice to see people continuing to use this tool and support it. If you get a free moment or need some assistance, please feel free to swing by #inprotect on irc.freenode.net and say hi.




Customizable Dashboard (thx Heath!)




Anti-aliased graphs!




Added reports and report sorting functionality


There are certainly more features that are in the works or have been added, but I won't steal the team's thunder. Please check back here or at the InProtect site http://inprotect.sourceforge.net regularly for updates.

Cheers,
JJC