
Secure NMAP / NESSUS frontend using PHP


zerosignal0


I was wondering if someone could maybe point me in the direction of how to execute something like this. Pretty much what I am wanting to do is allow people to access my site and run nmap / nessus scans directly from a web interface. I have seen some sites like hackertarget.com and many others do this, but ultimately I would like to make something similar to ht, as they allow you to simply input your email address and IP / DNS and get emailed the results. So I know that passing info back between bash and PHP isn't that hard, but would someone mind helping a guy out with a simple example script of how to do this?

z-

ps. long night drinking last night, so if the post is a bit scattered I will clean it later.


If I am understanding you right: So you have a website and you're looking for a user-friendly interface that can nmap or nessus scan their computers? If this is right, I went ahead and checked out hackertarget.com and the scans. I did not do a free scan because I do not need to. But I can help you with your "problem."

An example (if I am getting you right) is:

This would be the bash script called from PHP

<?php
// Run the bash script and print whatever it writes to stdout
$result = shell_exec('C:\bash-2.03\bash.exe bashHTML.txt');
echo($result);
?>

And this would be the bash script generated:

#!/bin/bash
# our html code
echo "<html>"
echo "<head><title>BASH-HTML</title></head>"
echo "<body>"
echo "<h4>This page comes from Bash</h4>"
echo "Hello Everybody!"
echo "</body>"
echo "</html>"

This is just simple HTML that says (when executed):

This page comes from bash

Hello Everybody!

Note: you have to save the PHP document as .php

I got this little example from this website: http://www.devx.com/opensource/Article/40785/1954

It is a good little starter website!

If you have any further questions feel free to ask!

cheers,

Destro


Thanks to both of you for the responses. Destro, you're right on cue with what I was thinking, except this app will be living on a unix box, so no c:\X. Thanks to dr0p for the mention of system(), as that command is what I have been toying with so far. I am going to try to tweak this idea some and get back to you with results. BTW dr0p, since you mentioned filtering out the nasties, I was wondering if you could elaborate a little more on sanitizing commands taken in by system() and commands of the like? I am assuming that there are going to be complications since utilities like NMAP and NESSUS both enjoy being run on elevated system accounts, so I believe for the time being I am going to limit the processes so that I can have them executed by www-user without incident. Stay tuned ;)

Thanks again,

z-


You're welcome! I am glad to hear the project is moving along. Also I have a question for you about how you are going to use Nessus. For Nessus you would have to set up a custom scan policy. What would you put in this custom policy? Also, if you put everything in it could take a long time, so not as fast results as you would like.

cheers,

Destro



Well, the NMAP portion is something where I am going to only allow basic scans, so overhead shouldn't be an issue. Nessus scans, on the other hand, are going to be something that only members of the site's paid services would be able to perform. Not to say that I would be charging for a free app, but it would be within a suite of tools and scans for quarterly audits and such (i.e. PCI standard audits). Basically I am creating this site for a penetration and audit company I am putting together for my local area and wanted to give clients easier access to scans that they can run without my intervention, and also allow for a very wide array of services and prices. To answer the question about nessus policies: I have put together a couple of test policies so far, but have done some research on how other companies have done this and found that it is acceptable to have scans run for hours as long as the end results are easily accessed by the customer. That being said, I have worked quite a bit with security metrics and have used their suite of scans, which seem to basically be full nessus scans set up with customer policies revolving around PCI audits; the scans usually take 1-2 hours to perform and results are emailed and stored on their site for access by your user account. Once I get to the point of getting past some of the prelims I can share the policies with you along with the code if you're interested ;)

z-


Since you asked, threw this example on filtering together real quick...

<?php

// Basic system(); with basic filtering (lol)

extract($_POST);

echo('<h1>system blah</h1><br><br>');

if ($submit != "gogo")
{
    echo('<form action="" method="POST"><input type="text" name="system" value=""><br><input type="submit" name="submit" value="gogo"></form>');
}
else
{
    // Blacklist a few shell metacharacters; anything else goes straight to system()
    if (strpos($system, ";") === false && strpos($system, "|") === false && strpos($system, "&") === false)
    {
        $output = system("$system");
        echo($output);
    }
    else
    {
        echo("I see what you did there...");
    }
}

?>

It just makes sure that there aren't any characters in there that would allow someone to execute commands that you don't want them to... I might've missed some way they could sneak something in there though, so don't completely rely on me.


This is a box waiting to get rooted. Passing commands via system is a bad idea. I can't think of another way other than only letting them scan IPs (limiting character input to prevent rm -rf), but even then they can manipulate the POST. I am sure if you look there are PHP port scanners; not as good as nmap, but they may be a lot safer.


Might be an idea to run the variable through escapeshellcmd() before passing it to system(). Also the extract($_POST) ain't really a good idea, as you're basically doing what register_globals once did. Generally extract should only be used within a function or method scope unless you're 120% sure what the content of the array is.

I'm a lazy coder :3 And thanks for the tip, didn't know about escapeshellcmd().

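An added example (not code from any poster in this thread) of the allowlist approach the replies point toward: the user supplies only a target, it is validated as a single IPv4 address or plain hostname, and it is passed with escapeshellarg() into a fixed nmap command line. It assumes nmap is at /usr/bin/nmap and runnable by the web server user; the path, port selection and form field name are illustrative.

```php
<?php
// Added example: allowlist the target, never hand raw input to system().
// Assumes /usr/bin/nmap exists and is executable by the web server user.

function validate_target(string $input): ?string
{
    $t = trim($input);
    // Literal IPv4 address is fine as-is.
    if (filter_var($t, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        return $t;
    }
    // Plain hostname: labels of letters/digits/hyphens, no leading hyphen,
    // so the value can never be parsed as an nmap option or a shell token.
    $label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    if (strlen($t) <= 253 && preg_match('/^' . $label . '(\.' . $label . ')*$/', $t)) {
        return $t;
    }
    return null; // ranges, CIDR, flags and metacharacters are all rejected
}

function run_basic_scan(string $target): string
{
    // Fixed command line: options are chosen here, not by the user.
    // escapeshellarg() wraps the single argument; escapeshellcmd() would
    // leave spaces alone and so allow extra arguments to be appended.
    $cmd = '/usr/bin/nmap -sT -T3 --top-ports 100 ' . escapeshellarg($target) . ' 2>&1';
    $lines = [];
    $status = 0;
    exec($cmd, $lines, $status);
    return implode("\n", $lines);
}

// Read the one POST key we expect instead of extract($_POST).
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $target = validate_target($_POST['target'] ?? '');
    if ($target === null) {
        http_response_code(400);
        echo 'Rejected: target must be a single IPv4 address or hostname.';
    } else {
        // Escape the scanner output before echoing it into the page.
        echo '<pre>' . htmlspecialchars(run_basic_scan($target), ENT_QUOTES, 'UTF-8') . '</pre>';
    }
} else {
    echo '<form method="POST"><input type="text" name="target"><input type="submit" value="Scan"></form>';
}
```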

5 months later...

<---Begin Rant--->

Not to be a d!ck, but if you're not an experienced coder maybe letting web users run commands that require elevated privileges on your box isn't the best idea. If this is a company you work for, I'd suggest hiring a pro. If this is a company you are starting, which it sounds like it is, maybe you should gain more experience before you start charging for professional-level services like penetration testing and PCI compliance testing. If you're offering a service to customers who already use your penetration and compliance scanning, why not just create a live CD for them with nmap, nessus, and some report generating software on it? This way they can run the scans on a weekly or monthly basis and provide you with reports for real penetration tests.

Again, I'm not trying to be a prick, but if you can't write a PHP script to safely run nmap scans, how do you expect people to pay you? If you can't write a secure web app, how can you tell them their web apps are secure? Just because w3af says so? You see what I mean. Any professional penetration tester normally has at least a few years of network administration experience under their belt and probably knows a few programming languages, both scripting (python, perl, ruby) and compiled (c, c#, asm).

Sorry to rant, but I've been seeing a lot of so-called penetration testers who are charging for a bunch of automated tool scans that aren't properly configured or executed, and they're giving clients a false sense of security.

<---End Rant--->

