InProtect LiveUSB 0.80.3 Beta!

Though the InProtect project has not made a large number of public postings lately (beta releases and the like...) we have been quite busy. We will soon be releasing a tarball of the latest 0.80.3RC1. That is not, however, the purpose of this article but rather I am releasing a liveUSB image that is an entirely self-contained and functioning installation of InProtect on a FreeBSD 6.3-Current system.

I came up with the idea to create the InProtect LiveUSB when someone requested that I build one for another project that I am an active member of (HeX). Unfortunately it has taken me several months to get the time put together to actually build this tool. Having said that, I am quite pleased with the outcome and functionality of the tool. Placing this tool onto a USB thumb drive gives the user extreme versatility from the perspective of security. Obviously the nature of a USB thumb drive is not terribly secure; we can put them in our pocket and have them fall out in a parking lot where anyone could conceivably pick it up and snag the data off of it and multiple other scenarios. I am more talking about the security of the location or client that may have a sensitive environment with sensitive data and the like. In this scenario the USB device could be taken in and left with the organization, post scan, that has such sensitive data. Again though, the primary purpose of this build is to allow for a solid demo of the InProtect system.

As I said earlier, the system was built using FreeBSD 6.3-Current, ontop of this I built fluxbox (and several applications such as firefox), mysql51, apache22, php5 and several perl modules that are InProtect dependencies. I manually configured all of the components to work with InProtect, the installer currently does not work on freebsd though I am in the process of building a port. In-short, and as stated earlier, this is a fully functional InProtect scanner with a few things that need to be completed by the end-user; Nessus 3.0.x install and jpgraph for php5 install.

The Nessus and jpgraph items are not included in this image due to their licensing restrictions (not GPL). It is for this reason they must be manually installed.

First you will need to download the InProtect LiveUSB 0.80.3 image here:

http://www.redsphereglobal.com/data/tools/security/live/inprotect-i386-0.80.3-beta.usb.img.gz
MD5 (inprotect-i386-0.80.3-beta.usb.img.gz) = 605a5b20d754ea7e6305922695f301ba
SHA256 (inprotect-i386-0.80.3-beta.usb.img.gz) = 1d562d17db0ef4e3afefcca18fd40932b7faecdddd673910c3ad11a4aab4434b

After obtaining the image and gunzipping it you will want to use dd to write it to a 2G or larger USB thumb drive. NOTE that you want to write it to the device itself and NOT to a specific partition on the device. Also, if you didn't figure it out... this will overwrite anything that you may currently have on your thumb drive.

dd if=/path/to/foo/inprotect-i386-0.80.3-beta.usb.img of=/dev/da0 bs=1M

Your output file path may be different than /dev/da0 (this is mine on a freebsd boxen). The key is that you are writing directly to the device address and NOT to a partition, that will NOT work. Assuming that you have a thumb drive and computer capable of USB2.0 this process should take around 10 minutes to write all of the data.

At this point you should be able to boot from your new shiny LiveUSB thumbdrive. The initial login details are simple (these ARE case sensitive so pay attention!):

Username: InProtect
Password: inprotect

Once logged in type startx to get into fluxbox. From here, if you are not familiar suggest playing around just a little bit. A few tips, this isn't windoze, you access the main menuwith fluxbox, I by right clicking anywhere on the desktop. The image to the right shows the menu of the InProtect LiveUSB. The highlighted option will take you to the Nessus and jpgraph installation instructions.

Even before you install Nessus or jpgraph you will be able to login to the local instance of InProtect by selecting the InProtect menu option as displayed below. Once you have selected the InProtect menu item, you will be able to use admin / admin for the login and password to access the local instance of InProtect.

Note that until you install Nessus you will not be able to run any scans.

In this image I have already created a default scan zone and default scanner so that once Nessus is installed and the Nessus user created, as noted in the instructions contained on the image, the system is fully functional and scans can be immediately created and executed.

As always please feel free to contact me or leave any comments, criticisms, suggestions or otherwise that you might have.

Cheers,
JJC

InProtect Update...

And a few operational notes....

We are working hard to get out the next RC for your scanning pleasure. In the meantime, please continue the use and bug reporting, it's been great thus far!

Now, as to a big bug and how to properly handle it. In previous versions of InProtect you were able to control the number of scans with the max_scans value in the Nessus Servers configuration dialogue. Unfortunately with the modification of the nessus_run.pl script to streamline the scanning process, the max_scans variable does not properly control the actual scans being processed by the scanner. A simple example is as follows;

Lets say you schedule a scan with 60 hosts (IP Addresses) to be scanned and have limited in the Nessus Scanner Max_Scans setting a maximum of 10 concurrent scans on said server. When this scheduled scan starts to run it will start out with 10 scans, once those begin to complete it will immediately say that it's running 20 scans then 30 and so on.

To remediate this issue, you need to do a couple of things...first lets go ahead and kill our sched.pl process so that we can clean up the database (if you still show multiple scans running and none are actually running "ps -auxxx | grep nessus"). Once this is complete, go ahead and look in your Inprotect database under the nessus_scan table for any record with a value of 'R' in the status field ( select * from nessus_scan where status='R';". If you find that you do have records with 'R' as their status, you need to set them as 'C' "UPDATE`inprotect`.`nessus_scan` SET `status` = 'C' WHERE `status` = 'R' ; ", you will also need to reset the current_scans value in the nessus_servers table "UPDATE `inprotect`.`nessus_servers` SET `current_scans` = '0';". After completing these steps you can now start your sched.pl up again. As another note, you may want to set all of the status values to 'C' just to clean up that table, once you restart sched.pl it will clean out all of the 'C' status scans and set their main schedule back to a scheduled status.

Now that we have cleaned up the remnants of the aforementioned bug, lets go ahead and talk about the current workaround. This workaround is fairly straightforward and consists of two simple modifications to your scan profile and your nessus server settings. First, let's get into the InProtect GUI and select Settings -> Nessus Servers -> Edit, at this point we will be modifying the value for Max number of hosts to scan and setting it to an extremely high number such as 10000 or more.


The next part of this workaround is to define the maximum hosts that will be scanned in the actual scan profile. This will tell the nessusd server itself how many scans that it is allowed to run at the same time. Select Settings -> Nessus Scan Profiles -> Edit your existing default profile -> Preferences, under the serverprefs section are the options max_checks and max_hosts. The max_checks value defines the number of test to be run concurrently against a single hosts and the max_hosts defines the maximum concurrent number of hosts that the nessusd server will scan. As you can see by the below image, I have set my default values to 4 checks and 10 hosts.


Regards,
JJC

InProtect Beta 0.80.2

In the interest of continuing a good thing (although this post is a bit late), we have released a new bugfix version of InProtect 0.80.x. This version is 0.80.2 and can be found at our sourceforge download location.

We hope to have an official release out on or about the new year and are working hard to meet this deadline. I would like to thank all of the users for their feedback and continued support of this project. It is always refreshing and energizing when there is good positive community usage and feedback!

As always, I invite you to join us in freenode or arcnet in #inprotect to tell us about your experiences, issues, bugs and the like.

Regards,
JJC

InProtect 0.80.0 Beta *fixed clean install sql*

My apologies for the issues that people have been experiencing with the new Beta of InProtect, but please remember that this is the purpose of a beta.

I appreciate all of the feedback in IRC and comments on this blog. Below is the URL to a version of InProtect with a cleaned up clean install sql script. Note that you may still have issues with the actual install script (not the .sql) and I am working on that right now, hopefully will have that out shortly for you.

InProtect 0.80.0 Beta **FIXED**
MD5
SHA256

Regards,
JJC

InProtect 0.80.0 Beta Released!

So we have *finally* managed to get the 0.80.0 Beta out the door, unfortunately the new packaged does not include any of the new info for the install or upgrade (there are twelve of us working on this). I'll be covering some of these topics in follow up articles over the next day or so.

Get the InProtect 0.80.0 Beta Here!

For now, let's talk about some of the major changes that we have incorporated into this version.

Gui:

• Completely revamped menu system, access control driven.
• User customizable dashboard.
• Html and PDF report formats match.
• Exportable xls reports.
• Cleaned up excessive and unneeded sql queries to enhance speed.
• Role-Based permissions.
• Exception list for hosts.
• Host specific lookup capabilities.
• Cleaner interface.
  

Database:

• All passwords are encrypted using user definable cryptographic standards such as blowfish.
• Sensitive data is encrypted.
  
• Database structure modified to allow for role-based permissions.
• Database structure modified to enhance and improve large query response (including indexing).
  

Engine:

• Max server scans are now run in a single session rather than multiple individual sessions, this reduces the load on both the nessus scanner and the InProtect console server.
• Encryption and decryption functions added for sensitive data.
• Multiple unneeded queries removed to enhance performance.
• Query function creation and destruction cleaned up to enhance performance.

That is basically a quick run-through of the new features (there are more.. but these are the big ones IMHO). There are a few additional perl libraries that are not yet mentioned in the documentation contained in the 0.80.0 tarball but are required in addition too those mentioned in the documentation, I'll list them here for you.

New Perl libraries:

• Crypt::CBC
• MIME::Base64
• IO::Socket
• POSIX
• Socket

This should be some good info to get you started for now, but as I said earlier, I will be posting some additional information (detailed info) for new installs and upgrades over the next few days. I will also try to update the official wiki and FAQ with these instructions.

So, for now feel free to download and play with it, let me know what you think, I can usually be found in #inprotect on freenode.

Cheers,
JJC

Coming Soon - InProtect 0.80.0 Beta

I am excited to announce that we are on track for a beta/alpha release of InProtect 0.80.0 this coming week. You will see a great deal of enhancements in this version, including cleaner reports and graphs, user customizable dashboard, more efficient scan scheduler and controller...and much more!

I have included a "teaser" screenshot below. Note that the latest code is always available from the InProtect Sourceforge SVN repo (but that should be considered "alpha" only)...since we are consistently making changes, fixes, tests and updates...

I am also entertaining the idea of replacing / augmenting the nmap functionality with unicornscan (sice unicorns are fast! <3 Unicorns), let me know what your thoughts / concerns / comments are.


Cheers,
JJC

InProtect, on track for alpha release

...We hope to have an alpha/beta release of the upcoming InProtect 0.80.0 within two weeks.

Good positive progress has been made tuning all of the elements of the engine itself for improved performance in lowering the overall load of the scheduling engine itself. We are currently working on migration scripts for users using both the 0.22.5 and 0.22.5JC versions.

You will see some big database changes and enhancements to the GUI in the form of role-based permissions, a per-user customizable dashboard at login, cleaned up table indexes and optimized queries and much much more.

Cheers,
JJC

InProtect 0.22.5JC Patch

So, finally I threw something together that should get your InProtect into a more shiny and multi-user friendly version. Granted I did not have a ton of time to properly package and document everything but it is what it is right now.

The download location is listed below.

0.22.5JC patch includes the following updates but is not limited to them

• Report enhancements (additional pdf reports for only serious, critical, medium and low vulns)
• User Group capabilities (notes on this will be posted at http://global-security.blogspot.com)
• Reports viewing (give non-administrative users the capability to see other reports, either globally or based on their group membership)
• Report limiting on the report screen (sort by 5, 10 or 20 results at a time, for those larger and more frequently scanned nets)
• Set jpgraph options to use AA for prettier charts / graphs (this will run a bit slower, I'm not gonna lie but it's better!)
• * Removed the "informational" findings from the stats on the Main page.

I'll be writing more on the specific functions and how to use them shortly. Also in the next small patch will be the database optimizations as well as page loading splash for those impatient multi-clickers in your organization.

Download Here
MD5 Verification

Please test this out (backup your stuff first) and let me know what you think etc... I can be found lurking around #inprotect on irc.freenode.net or post a comment here!

Cheers,
JJC

Pending InProtect Patch

Despite multiple attempts over the past 6 months to contact the team that is developing the InProtect (Nessus frontend) project, I have been unsuccessful. Resulting from this, I have built some modifications that I'll be releasing within the next week in the form of a patch that contains the following enhancements:

• Database optimizations for enhanced performance
  
• Report enhancements (additional pdf reports)
  
• User Group capabilities
• Reports viewing (give non-administrative users the capability to see other reports, either globally or based on their group membership)
• Report limiting on the report screen (sort by 5, 10 or 20 results at a time, for those larger and more frequently scanned nets)
• A few more things that will be in the rel documentation...

Please feel free to join us on irc.freenode.net in #inprotect to answer any questions, or if you would like to beta-test the patch prior to it's release. Also, if you have any contrib that you would like added, please come to #inprotect and we can discuss.

Regards,
JJC