Sunday, October 18, 2009

And what exactly would we be doing differently?



A blackout caused by hackers is the holy grail, the proof that extraterrestrials exist, the debunking of the Warren Commission, the final evidence that we are truly headed toward conflict with a parallel universe and that shape-shifting mercury-blooded agents are among us. After Eligible Receiver, after Cyber Spies Penetrated the Grid (and don't forget Aurora), after all the incidents cited in every SCADA security presentation, the hunger for one documented incident is still so strong that remote attendance won't be allowed at an upcoming SCADA Cyber Security Conference. And you can taste it in the latest Call for SCADA Security Researchers from Project Grey Goose.

I challenge you to try to get an answer to that question. I spent the last few weeks doing just that and ran into one brick wall after another, and I have some pretty decent connections to fall back on. It turns out that private industry, which essentially owns the U.S. power grid, enjoys a protection from public scrutiny that extends even to Freedom of Information Act (FOIA) requests, and they get to decide what falls under that protection and what does not. So who does this secrecy benefit?

Saturday, October 03, 2009

Walking through .nessus files with Python xml.etree.ElementTree

Back when I used to teach Tenable's Nessus course I was always surprised that most folks, if they wanted to perform additional analysis or manipulation of scan results, used Excel to process NBE/NSR files rather than working with the XML. So I added some simple examples of how to use Python and Ruby to the course, and how easy it is to write a simple parser. In my slides I believe I used expat, which requires you to build a list/hash of the data you extract as you encounter the start or end of each element. This works, and expat or SAX are the primary parsers I've used over the years, although I did recently discover minidom.

If you click on the capture above (Blogger doesn't handle XML or code that well) you'll see that after parsing the .nessus file and starting with the top node (I'm not sure why I had to call getroot()) I navigated through the different nodes within the .nessus file, starting with Report, then ReportHost, and ending with ReportItem, where I extracted the port and plugin ID, so that when you run the script you get this for all the

192.168.20.3
- 22/tcp|0
- 1241/tcp|0
- 111/tcp|0
- 1243/tcp|0
- 111/tcp|10223
- 59370/tcp|11111
- 111/tcp|11111
- 33145/udp|11111
- 111/udp|11111
- 1241/tcp|22964
- 22/tcp|22964
- 1241/tcp|10863
- 1241/tcp|35291
- general/tcp|12634
- general/tcp|22869
- 59370/tcp|25221

This code snippet isn't terribly useful but it illustrates the API and how it is very straightforward to parse .nessus files.
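Since the original script only survives as a screen capture, here is an added example (my own code, not the post's) that does the same walk with xml.etree.ElementTree: Report, then ReportHost, then ReportItem, pulling out port and plugin ID and printing them in the same `host` / `- port/proto|pluginID` layout as the output above. The two embedded inputs are constructed samples, not real scan data; the element and attribute names (NessusClientData_v2 with `name`, `port`, `protocol`, `pluginID` and `severity` attributes, and the older NessusClientData layout with HostName/port/pluginID child elements) reflect my understanding of the two .nessus layouts, so treat them as assumptions and check them against a file from your own scanner.

```python
import xml.etree.ElementTree as ET  # Python 3 picks up the C accelerator automatically

# Constructed sample in the v2 layout (attributes on ReportItem). Values are made up.
SAMPLE_V2 = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="lab scan">
    <ReportHost name="192.168.20.3">
      <HostProperties><tag name="host-ip">192.168.20.3</tag></HostProperties>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0"
                  pluginID="22964" pluginName="Service Detection" pluginFamily="Service detection"/>
      <ReportItem port="111" svc_name="rpc-portmapper" protocol="tcp" severity="1"
                  pluginID="11111" pluginName="RPC Services Enumeration" pluginFamily="RPC"/>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="12634" pluginName="Authenticated Check" pluginFamily="Settings"/>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

# Constructed sample in the older v1 layout (child elements instead of attributes).
SAMPLE_V1 = """<?xml version="1.0" ?>
<NessusClientData>
  <Report>
    <ReportName>lab scan</ReportName>
    <ReportHost>
      <HostName>192.168.20.4</HostName>
      <ReportItem>
        <port>1241/tcp</port>
        <severity>Security Note</severity>
        <pluginID>10863</pluginID>
        <pluginName>SSL Certificate Information</pluginName>
        <data>...</data>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData>
"""


def walk_nessus(root):
    """Walk Report -> ReportHost -> ReportItem and return
    {host: [(port_string, pluginID, severity), ...]} for either layout."""
    is_v2 = root.tag == "NessusClientData_v2"
    results = {}
    for report in root.findall("Report"):
        for host in report.findall("ReportHost"):
            # v2 carries the host name as an attribute, v1 as a HostName child
            name = host.get("name") if is_v2 else host.findtext("HostName")
            items = results.setdefault(name, [])
            for item in host.findall("ReportItem"):
                if is_v2:
                    port, proto = item.get("port"), item.get("protocol")
                    # port 0 is the host-wide "general" pseudo-port, as in v1 output
                    port_str = ("general" if port == "0" else port) + "/" + proto
                    items.append((port_str, item.get("pluginID"), item.get("severity")))
                else:
                    items.append((item.findtext("port"),
                                  item.findtext("pluginID"),
                                  item.findtext("severity")))
    return results


def parse_nessus_string(xml_text):
    # fromstring() already returns the root Element, so no getroot() is needed
    return walk_nessus(ET.fromstring(xml_text))


def parse_nessus_file(path):
    # parse() returns an ElementTree wrapper; getroot() unwraps the root Element
    return walk_nessus(ET.parse(path).getroot())


def format_report(results):
    """Render results in the same 'host' / '- port/proto|pluginID' layout as the post."""
    lines = []
    for host in sorted(results):
        lines.append(host)
        for port_str, plugin_id, _severity in results[host]:
            lines.append("- %s|%s" % (port_str, plugin_id))
    return "\n".join(lines)


def findings_at_or_above(results, min_severity):
    """Triage helper for v2 files, whose severity is numeric: return
    (host, port_string, pluginID) tuples at or above min_severity."""
    hits = []
    for host, items in results.items():
        for port_str, plugin_id, severity in items:
            if severity is not None and severity.isdigit() and int(severity) >= min_severity:
                hits.append((host, port_str, plugin_id))
    return hits


if __name__ == "__main__":
    for sample in (SAMPLE_V2, SAMPLE_V1):
        print(format_report(parse_nessus_string(sample)))
```

The getroot() question in the post has a simple answer: ET.parse() returns an ElementTree object that wraps the document, and getroot() hands back the root Element you can call findall() on; ET.fromstring() skips the wrapper and returns the Element directly. On Python 2.5 the C implementation benchmarked below is a separate module, so there you would import xml.etree.cElementTree as ET instead; on Python 3 the accelerator is used transparently.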



Some Benchmarks
Besides being much cleaner (IMHO), the nice thing about ElementTree is that there is a C implementation. The test input is a 2.0 MB .nessus file consisting of 4 scans, each covering only a handful of targets.

On Python 2.5 / Cygwin on my Ideapad S10-2 (Windows XP SP3)

Pure Python
real 0m4.250s
user 0m3.155s
sys 0m0.357s

C Version
real 0m1.422s
user 0m0.405s
sys 0m0.374s

I wanted to do a comparison with Win32 on Python 2.6 on the same system but I was unable to get timeit.exe working from the Windows 2003 Resource Kit.


NOTE: ElementTree is available in Python 2.5 and later and you should be ashamed if you are using anything older than that.