Okay. May the demo gods be with me. Let's start. I must say, wow, it's a big turnout. My name is Frank. Some of you may know me as Seccubus on Twitter and some of the other stuff I do. But that's not what I'm talking about. I'm talking about Seccubus. And to show you what it's all about, I want to tell this story about two guys. This guy called Clueless, or any other name you choose to give him. And Bright Lad. So they've both been given a task to perform a weekly vulnerability scan of all the public IP addresses of their company. And Clueless decided to just use a regular vulnerability scanner, which means that he has to get up at a rather awkward time. I think this is the time I went to bed yesterday, and I was a bit shaky, as you can see. He has to manually start his scan and then just wait for it to finish. Then when this guy is finished, he actually has to recuperate a little bit, analyze the report in the morning, and yeah, that's not good for you. It's like doing DEF CON parties. Bright Lad decides to use Seccubus. So he spends his morning setting it up. Then he actually goes home. He relaxes a bit. And the scanning happens at night. So I'm just going to let the scanning happen. And when he wakes up in the morning, he can just actually look at his findings and remediate. So what is the problem we're trying to solve here? If you do vulnerability scans with Nessus, can I see a raise of hands? Who here does vulnerability scanning with Nessus? Wow. Who actually scans the same infrastructure more than once? Yeah. It doesn't seem to be designed to do that, actually. So it's a good vulnerability scanner. I don't think it's too expensive. If you don't use it commercially, it's actually free. But it generates quite a big report that you have to go through every time. And scanning is not very quick. It takes time. It's not automated. And you spend about four times as much time analyzing your stuff as you actually do scanning. And then you get the results in the GUI.
And, well, it's not very good, the GUI. So I think the work-risk ratio, if you want to do regular scanning, is off. Seccubus is a wrapper around Nessus and OpenVAS. And it has a web GUI that's geared towards ticking off the findings. So it's actually designed to say, okay, let's go to these findings. Which ones have I done? Which ones haven't I gotten to? And it compares consecutive scans. Currently, it supports the following scanners. And this is OpenVAS, Nikto, and there's more to follow. And what do we do differently? Well, first of all, we start the scans from the command line, which means you can hook them up to crontab, which means you can stay in bed to do your scanning. We store the findings in the database. Currently, I regard the file system as being a database. And that will change in the future. And we present stuff through the web GUI. So what just happened when I clicked "do scan demo"? It actually started the Nessus client, which went out to a Nessus daemon which is running on this PC. It's scanning one of my targets. This is one of my targets. And let me pull up the other target. So that might be an interesting scan. And let me see if it's still running. Everything runs on VMware on my laptop. So every now and then, I have to speak slower and make the timing work better. It is actually scanning. Yeah. Yeah, it's still scanning. Okay. So what happened when I clicked the do scan command? There's a configuration file that was parsed, which tells me where the scanner lives, what password and username to use. I'm not going to put that on the screen. Where my binaries live, et cetera. And then the client is starting. And here we finish. So now is demo time. This is actually the Seccubus GUI. And there's a couple of scans here. I just did the demo scan, like I said, with the do scan demo. And there's a couple of things that we can see here. We see that the scan just ran at this date at an interesting time because my time zones are different.
And you can actually get the Nessus HTML report. If it still supported XML, you could get the XML report, but it doesn't anymore. And the NBE output, which is actually rather interesting to us. And then if I click on changes, I get the same output as I just got on the command line. But that's not the interesting thing. The interesting thing is here with the status. So I click on new. Let me see if I can tweak that a little bit. Is that still readable? Barely. So you can filter. There are filter capabilities in here. So I can look at all the findings from the XP host and see that it's actually a really old XP installation. So I clearly don't want this in my network. So I change the status here. I say it's an open risk. Put a little comment in, select all the findings and do a bulk update. And this actually sets the status of all the findings that I just selected to open, meaning there's a risk. Now I've got another host, which is a web server. And that web server has a couple of ports. So you can also filter on port. It's got port 21 open with anonymous FTP. Now for the sake of the demo, I'm going to assume that that's actually a policy violation. So no anonymous FTP allowed. Bulk update that. Go to the SSH port, and I know that's okay because I've run this demo before. And then when I go to port 80, there's one finding that's actually of interest to me. So I'm going to click that open. It's a TraceEnable off that's not set in the configuration. So I'll mark this as open. Let me refresh that. And all the other findings are no issue. And then there's a couple of others, which are of no interest. So that's a quick rundown of the findings. Let me set out to actually fix them as well. So stopping the FTP daemon. And yeah, let's fix this one as well. I guess that's the best fix for it. So in the interest of time, I'll wait for this to die and then start a new scan. Okay, so let's go to week two. We've got Mr. Clueless again doing his scan at 4 a.m. Not liking it very much.
He has to wait for it, sleeping in the office again and sleeping the rest of the day as well because he's just too knackered to do it. And you could wonder, if you look at the results and you do the printout of the two Nessus reports, if it's really worth it, because you've got this big report that you've got to read and it will be subtly different from the report of last week. I mean, who can spot the five differences here? You can? Let's see if you got them right. So Bright Lad, he's decided to do it a little bit differently since, well, he already got his scan configured. He can actually go home straight away, relax there a little bit, wait for the scan to happen at night and wake up in the morning and happily analyze his work again. So what's the trick? How do I compare the two scans? I just showed you the, quickly showed you the NBE output, the Nessus backend file. And it's actually a very simple file format and a little bit broken here and there. There's a type field, so it will be a result or it will be a timing or it will be an info, and timing and info are just ignored. We're really only interested in the results. Then there's a network, and it seems that Tenable thinks that everything that's between dots, the first three things that are between dots, is actually a network, which is very interesting if you're scanning some www.something.co.uk because I think the network is www.something.co. It gets the IP address and then the plug-in ID, port, priority and the output of the plug-in. If the port scan finds something, it's actually not going to bother with the last three fields and cuts it off. So I take that output, take it and put it into a tree in memory and store that on the disk as well. And that tree structure you can really easily use to compare your previous scan with your current scan. And then it's all about the statuses I just showed you. So new means it wasn't in the previous scan, it is in the current scan.
Changed means it was in the previous scan, it's in the current scan as well, but it changed a little bit. Now we're being a little bit more intelligent than that, because for output that has got timestamps in it, we actually ignore that the timestamp changed, because that's expected behavior. And gone means it was in the previous scan, it's not there now. And then as a user you assign your statuses. So in the previous example we assigned, just assigned open and no issue, meaning it's a risk, it's not a risk. We can assign fixed, meaning it's gone, I'm happy it's gone, and we can assign hard masked. And hard masked means don't bother me with this finding ever again. And by default there's two findings in Nessus, the traceroute and the Nessus configuration information, that I by default put in the hard masked category because it's just fluff. So then the machine-assigned statuses, you get hard masked, well no, just skip that slide. The whole idea behind it is, well, if it was okay in the past and it didn't change, why would you bother a human with it? The cycle that it fits in is a cycle of scanning your infrastructure, comparing it automatically, then you get the system-assigned statuses of new, changed and gone, and then as a human you go and assess it and assign the issue, no issue statuses. And then you go and fix your findings and scan again. So let's see if we've got a result already. Yeah, it's done, cool. So I click on the demo again and you'll see that the counters are different, there's only three new findings this time, there's four findings that have changed and there's 30 findings that have gone. So if I click on the gone findings and I look by host, surprisingly enough there's 24 findings of the XP host gone because it went offline. So glad it's gone, mark it as fixed and we're done here. The web server, well, we shut down the FTP daemon so all the findings related to that are gone, happy with that, and there's the one finding that we wanted to kill, which is also gone.
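The NBE parsing and scan-to-scan comparison the speaker has just walked through, written out as an added Python example; Seccubus itself is Perl and this is not its code. The two NBE exports, the host and the plugin IDs are constructed, the bare port-scanner record is handled as described, and the timestamp rule is a simplified stand-in for the "expected change" filter mentioned in the talk.

```python
import re

# NBE "results" records are pipe-separated:
#   results|network|host|port|plugin_id|severity|output
# A bare port-scanner hit stops after the port field; 'timestamps' and other
# record types are skipped, as the talk describes.
PORTSCAN_ID = "portscan"  # synthetic plugin id for an open-port record
# "2010-07-30 01:00:01"-style stamps are blanked before comparing output, so a
# re-run of the same plugin is not reported as "changed" (assumed rule).
TIMESTAMP_RE = re.compile(r"\d{4}[-/]\d{2}[-/]\d{2}[ T]\d{1,2}:\d{2}(?::\d{2})?")

def parse_nbe(text):
    """Return a {host: {port: {plugin_id: output}}} tree of the results records."""
    tree = {}
    for line in text.splitlines():
        fields = line.split("|")
        if fields[0] != "results" or len(fields) < 4:
            continue
        host, port = fields[2], fields[3]
        if len(fields) < 7:                      # bare port-scanner hit
            plugin_id, output = PORTSCAN_ID, "port is open"
        else:                                    # output may itself contain '|'
            plugin_id = fields[4]
            output = "|".join(fields[6:]).replace("\\n", "\n")
        tree.setdefault(host, {}).setdefault(port, {})[plugin_id] = output
    return tree

def _keys(tree):
    return {(h, p, pid) for h, ports in tree.items()
            for p, plugins in ports.items() for pid in plugins}

def normalise(output):
    """Blank out timestamps so that only real content differences count."""
    return TIMESTAMP_RE.sub("<timestamp>", output).strip()

def compare(previous, current):
    """Return {(host, port, plugin_id): status}; unchanged findings are omitted."""
    prev, curr = _keys(previous), _keys(current)
    statuses = {key: "new" for key in curr - prev}
    statuses.update({key: "gone" for key in prev - curr})
    for host, port, pid in prev & curr:
        if normalise(previous[host][port][pid]) != normalise(current[host][port][pid]):
            statuses[(host, port, pid)] = "changed"
    return statuses

# Constructed sample exports (host and plugin ids made up): week 1 before the
# FTP daemon was stopped and TRACE disabled, week 2 after.
WEEK1 = """\
timestamps|||192.0.2.10|host_start|Fri Jul 30 01:00:01 2010|
results|192.0.2|192.0.2.10|ftp (21/tcp)
results|192.0.2|192.0.2.10|ftp (21/tcp)|10079|Security Hole|Anonymous FTP login is allowed.
results|192.0.2|192.0.2.10|www (80/tcp)|11213|Security Warning|The HTTP TRACE method is enabled.
results|192.0.2|192.0.2.10|www (80/tcp)|10107|Security Note|Server: Apache
results|192.0.2|192.0.2.10|general/tcp|19506|Security Note|Scan started at 2010-07-30 01:00:01
"""
WEEK2 = """\
timestamps|||192.0.2.10|host_start|Fri Aug 06 01:00:02 2010|
results|192.0.2|192.0.2.10|www (80/tcp)|10107|Security Note|Server: Apache/2.2.14 (Ubuntu) DAV/2
results|192.0.2|192.0.2.10|www (80/tcp)|11424|Security Note|WebDAV is enabled on this server.
results|192.0.2|192.0.2.10|general/tcp|19506|Security Note|Scan started at 2010-08-06 01:00:02
"""

def demo_statuses():
    """Week-over-week statuses for the constructed exports."""
    return compare(parse_nbe(WEEK1), parse_nbe(WEEK2))
```

Running `demo_statuses()` yields three gone findings (the open port, anonymous FTP, TRACE), one changed (the now verbose Server banner) and one new (WebDAV detection), while the scan-information plugin whose only difference is its timestamp is not reported at all.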
So that's good. Then let's clear the filters. There's four findings that have changed. One of them is to have better detection on the web server, and we can see here that it's now disclosing its entire pedigree, it's telling you who it is, what modules it's got installed, exact version numbers, the whole lot, and the little section here is actually the diff of the two findings. So what are the actual changes? So while fixing one finding they actually introduced another one. So this needs to be fixed. So let me just refresh that list. Then this is actually all the same issue, it's all about the banners, and that's a pattern that you see quite often, that there's one little thing wrong with your infrastructure and you see it back in three or four findings. Let's just mark all this as open. Moving along to the new findings, well, it now knows that it's got WebDAV running, so it marks that as a finding. Security backported, I don't care. Name of the distribution, it's all related to the extra information disclosure. So let me go around again and do a quick change on the system. Fail. Yeah. Let's actually restart the demo again, demo scan. So going on to week three, who wants to guess what Mr. Clueless does? Well, he uses his standard scanner, gets up early, sleeps in the office, then waits for it to finish, sleeps under his desk, analyzes his results and analyzes a big fucking report in the morning. Bright Lad uses Seccubus. So again, he just goes home, has a good time, plays some pinball, scans the stuff at night, wakes up in the morning and happily can analyze and remediate his findings. Now one of the questions I get a lot is, what's the name about? It's been asked a couple of times, so I tried to insert it in the presentation. It's not about the succubus. That's a demon that comes and has sex with male guys and wears them out. It's something like that, because everything you do should lead to more sex. The incubus is its distant cousin.
It's a cousin of the succubus. It's the female cousin of the succubus. The incubus is the male cousin of the succubus. And it actually tries to wear security people out by making them read the same report over and over again. Seccubus, on the other hand, tries to wear the vulnerabilities and system administrators out by keeping on reminding them that there are vulnerabilities out there in the network and you should fix your shit. And it doesn't actually cost me as the security guy a lot of time to keep reminding you, but it costs you time to deal with me. Like the succubus, it's a creature of the night, or any other time you choose to schedule it. So let's see if it's actually already finished. No, that would be too soon. Yeah. Let me go on by telling you how we use it in the company I work for. We provide mission-critical outsourcing services to companies like banks and energy trading floors and online shops. So we really wanted to scan all our external IP addresses regularly. And yeah, the thing is, it's regular. No, it's big companies. So what we do is we scan. I started writing Seccubus somewhere in 2007. And I did a measurement in 2009. And I was scanning a total of 4000 IP addresses. And that resulted in a total of over eight and a half thousand Nessus findings. So who wants to have a guess at how long that took to analyze every month? Yeah, that's what we're trying to avoid. I could actually do it with the amount of change we have. I could analyze this stuff in about a day and a half. So that's quite a big reduction. We're not the only ones using it. It's used by a Dutch provider of virtual hosting services, a science institute, and yeah, some defense contractors and some other companies that use this as well. The community is growing. It would be very nice if you told me you use it, so I can actually know that what I do makes sense. Yeah, let's go see. It's almost finished.
So I'm not going to go through, don't worry, I'm not going to go through the whole ticking off again, but just to show you that the amount of findings is the four findings that changed, which were the ones that changed when we put the header in, and now we're taking the header out again. And there's another three findings that are gone. So you can see it really winding down. It's taking less and less time to analyze these findings. So recapping, if you want to be masochistic and you want to continue just using your scanner and the standard reporting capabilities, it means you have to get up early. You have to look at non-informative stuff like traceroutes every month. You get a lot of boring repetitive work. And I don't know about you, but I hate that shit. I like to do interesting stuff, like to actually deal with the issues at hand. And it means you've got a lot of work, even if your infrastructure did not change. On the other hand, if you use Seccubus monthly, weekly, whatever you like, it means you can schedule your scans. You only have to look at the findings that need your attention. It means you have fewer errors because you've got less repetitive work to do. And you get a better balance between the amount of changes in your network and the amount of work that you do. And if a network changes frequently, it means that there's actually a bigger security risk as well. So by cleverly comparing stuff that's relevant, you can actually cut quite a lot of fat out of the analysis process. So why did we choose to release the tool as open source? Well, it was because we needed it. First of all, we built it just to make our own lives easier, and then we decided, okay, we use a lot of open source software, let's give something back to the community. So it's GPL version two if you want to use it. So what's ahead for future versions of the product? Well, we want to put it on a database back end.
Using the file system is maybe convenient and easy to program, but it becomes a hassle once your program grows, and it actually gets slower and slower when you store more and more findings. It will also be easier to make a link between findings and issues. Issues, something we'll introduce in version two, which will mean, okay, I've made this configuration mistake and it shows up in four findings. There's other findings that actually show more issues. We want to support more scanners. We're going to support Nikto in version 1.5. We want to support Nmap in version 2.0. Metasploit and Metasploit Express in version 2.1. And really, one of the reasons I'm here is to solicit your opinions about what other shit we should include and be compatible with. We plan to make it a more open architecture, things like maybe pluggable authentication, maybe trouble ticketing integration, and more reporting. Things like graphs, dashboards, audit trails, who did what, trends over time. I don't know what you guys need. Tell me. Our ultimate goal, well, we failed at it this year, is actually to become sort of a middle hub for this kind of information. So get everything in, analyze it, and be the platform to use to analyze and report on this stuff. If you want to do that, we need your help. Well, as you could clearly see, we need user interface designers, because I suck at that. But also people who want to code, people who get us requirements, report designers, testers, and people to use it. Now speaking of help, I was bitching to Jabra over there about Metasploit Express integration at the speakers' party, was it two days ago? So he said, no worries, I'll do that for you. So I got up in the morning and saw, okay, time to write some code. And I'm like, let's tease him a little bit. Have you finished yet? Well, he said, I need some sample output, so I suggested that he get in contact with Rapid7. And then a couple of hours later, I see something like "generating XML test data".
So I'm like, oh my God, I have to change my slides now. So I go to the 10,000 Cent Hacker Pyramid. Guess who's sitting there, not having completed that yet. But halfway through the pyramid, all tests are passing. And this morning he tweets that he will be releasing his beta. And I made a promise that I would actually change my slides. So there you go, Jabra. He's Jabra, he codes in Perl. So yeah, Metasploit Express integration in version 2.0. Actually, today we'll be releasing version 1.5. It should be up on our site in 15, 20 minutes, depending on the length of Q&A. And it will include Nikto scanning. I talked to Chris Sullo and I said, listen, you really need NBE output for Nikto. And he wasn't, yeah. So I decided to do it for him. I wrote him a module that actually outputs NBE. So version 2.1.3, which was released before DEF CON, so I could make this announcement. Thanks for that. That's actually the version that you need. And I've got another demo of that. So on the virtual machines, I've got that other web server running here. So that's the one we'll be scanning. And I created a new scan configuration for it. So do the demo Nikto scan. And it's running in the background. Other stuff we put in there. We heard from people that it's actually hard to install. So I got a colleague of mine, Peter Slootweg, to actually create an RPM for it. So you can install it on Fedora-based systems. Compliance. Yeah, some of us actually have to deal with compliance. And it's nice that you can actually get that Nessus output in there as well. The difference between normal output and compliance output is that normal output comes on one line for each finding. And the compliance output is a lot of lines per finding. So I had to find a way to deal with it. And like I said, the Nikto scanning. So let's see what that looks like. If it's finished. Yeah, good question. There is support for different locations in the scanning engines that work with a client-server architecture.
So Nessus and OpenVAS. You talk with a client to it. In each scan you can have a separate configuration. So you could say, I only want to port scan this and I only want to do a full scan there, but you can also specify another scanner. Then what you do is stick a scanner in that network. So you put a Nessus engine in that network and you connect to that engine and it scans locally. So you have to buy two Nessus licenses or get OpenVAS. Yeah, that's no problem. You can just separate that out. I don't care that there's an overlap in IP because every job is in an isolated environment. Any other questions while we wait for the scanning to finish? You cannot very easily in this version, but if you contact me afterwards I'll show you how to do it. The second version that we're working on will actually have an upload function so that you can take your scanner output and upload it, as well as a manual finding category where you go, okay, I tell that to this board, it's confirmed, and input that. So here's what a Nikto scan looks like in Seccubus. Again, it looks pretty similar. You get the 14 lines of output that are normally in a single finding, single plug-in in Nessus. You now actually get each line of Nikto output as a separate finding. So I'm running a little bit quicker than I really anticipated. Where do you get it? Go to seccubus.com. I'll be taking some questions then. I have one other thing. You saw Clueless. I ripped the shirt off his back. So anybody willing to, I said I would try to make Christian Riley wear it, but he bluntly refuses. So who's willing to take that off my hands for a nice, it says, number one security consultant. You're not wearing it. Okay, thanks.