A Basic vunerabilty Scan on Your Backup infrastructure

  • 3 February 2022
  • 2 comments
  • 115 views

Userlevel 3
Badge

Hey all

Though i would share this as a Post.

Wanted to see if from powershell i could get a list of Veeam infrastructure components and then use NMAP with a script to look for known Vulnerabilities ( CVEs ) on the ports & Os of these components , in a move to further secure the environment with a basic report.

 

Their are a few packages that need to be installed , i like using Chocolatey to do this in Powershell.

#Pen-test VBR Objects and find known CVEs

######################################################################
#dependencies
#installs needed
#chocolatey to fetch packages

Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))

#use choloatey to install
# choco feature enable -n=allowGlobalConfirmation
# disables interaction for yes

#nmap ( port scanning )
#look for pop up window ( wizard completion

choco install nmap --confirm --accept-license

#saxon for conversion reporting in Html

choco install saxonhe

#git to fetch additional NSE scripts fo advanced scan

Choco install git

#Make a Directory for Script and workings

Mkdir -p C:\scan\

Here is the basic Script which will Run NMAP command and along with a script to find known vulnerabilities As-well as Saxon utility command to convert from XML to HTML using NMAP XSL style sheet

########################################################################
#The script

Connect-VBRServer -Server "localhost" # change this to VBR server # Add creds if required

#get all managed infrastructure Servers in veeam

$Hostlist=Get-VBRPhysicalHost

#select name property containing ip or hostname , ignore 'this server'

$Hostlist = $Hostlist.name | Where-Object { $_ –ne "This server" }

#add localhost to list ( represents This server if run on a vbr )

$Hostlist += ('localhost')

cd "\scan"

nmap --script-updatedb

nmap -sV --script vulners $Hostlist -oX infosecveeam.xml

#convert XMl to HTML report

C:\ProgramData\chocolatey\bin\SaxonHE\bin\.\Transform.exe -s:"C:\scan\infosecveeam.xml" -xsl:"C:\Program Files (x86)\Nmap\nmap.xsl" -o:"C:\scan\infosecveeam.html"

# open HTML Report

Invoke-Expression C:\scan\infosecveeam.html

#Invoke-Expression C:\scan\infosecveeam.xml #This opens on computer with Nmap XSL Style Sheet

Here is an additional part of the script to use alternative Scripts to find more CVE possibilities

###########################################################################

#advanced scan #likely flood of information Returned

#nmap Script directory
cd "C:\Program Files (x86)\Nmap\scripts"


#get addiotional NSE scripts for Nmap
Git clone -q "https://github.com/scipag/vulscan" vulscan

cd "\scan"

nmap -sV --script=vulscan/vulscan.nse $hostlist -oX advinfosecveeam.xml

C:\ProgramData\chocolatey\bin\SaxonHE\bin\.\Transform.exe -s:"C:\scan\advinfosecveeam.xml" -xsl:"C:\Program Files (x86)\Nmap\nmap.xsl" -o:"C:\scan\advinfosecveeam.html"

Invoke-Expression C:\scan\advinfosecveeam.html

Finally use the same package manager to remove the installed components & created content 

#######################################################

#Remove all
choco uninstall nmap
choco uninstall saxonhe
Choco uninstall git
#Uninstall chocolatey https://docs.chocolatey.org/en-us/choco/uninstallation#script
# Delete reports folder & contents
Remove-Item –path C:\scan –recurse -force

The Invoke-Expression will open the Created HTML report file.

Here is a Sample :

Head of the HTML report ( Screen Shot )

Looking to expand on this so its just a basic report ATM, ** work in progress

 

Please share comment or Mods or thoughts


2 comments

Thanx Ian. Will give it a go. 

Userlevel 7
Badge +5

Excellent post! Thank you very much for sharing @Ian_RSA 

Comment