Automating Authenticated Vulnerability Scanning of GCP Hosts with Rapid7’s InsightVM

  1. Keep practicing Go (I just started a couple of months ago and am loving it!) and get more familiar with the GCP APIs.
  2. As a PoC, scan GCP hosts in a network without adding agents or managing/rotating SSH keys (and chasing the resulting auth failures), while still getting reports.

So! The workflow:

  1. A client requests that the Linux hosts in a project → network → subnetwork be scanned. You (or someone with org-level permissions) approve and launch the request, or deny it.
  2. If approved (again by you, or by me in this case), an instance is created from the pre-configured scanner image in the scanner image project, inside the client's subnetwork.
  3. The script sleeps for a few minutes while the instance boots, gets an IP address and the scan engine starts. Once it has an IP, the scanner's internal IP is added to a blacklist so the script doesn't waste time pushing the scan user's SSH key to it and the scanner doesn't scan itself.
  4. While InsightVM is starting up, it redirects to the starting.html page shown below, which means you can't log into the scanner yet. So I created a waiter that requests the login page every minute; if the request is redirected to starting.html, the scanner isn't ready. Once the redirecting stops, login.jsp is reachable, the script can authenticate with the API and move on to setting up the scan.
Screenshot: starting.html (console still starting)
Screenshot: login.jsp, scanner is ready
import base64

# InsightVM's API uses HTTP Basic auth: base64 of "username:password".
# b64encode needs bytes, and the header must carry the encoded value, not the raw string.
auth_string = "username:password"
encoded = base64.b64encode(auth_string.encode()).decode()
header = {"Authorization": f"Basic {encoded}"}

username = "bot"
ssh_public_key = "ssh-rsa AAA..."  # insert full public key
# when adding the key to an instance via the Cloud Console, the field takes "<key> <username>"
add_via_console_format = f"{ssh_public_key} {username}"
# when adding it via the API (the "ssh-keys" metadata item), each entry is "<username>:<key> <username>"
add_via_API_format = f"{username}:{ssh_public_key} {username}"
See those sweet successful authentications??
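Here, as an added example rather than code from the post or from the author's Go tool, is how the readiness waiter from step 4 and the two formatting details above (the Basic auth header and the ssh-keys metadata entry) can be written in Go. It assumes the console behaves as described (login.jsp redirects to starting.html while booting) and stands in a local httptest server (NewFakeScanner, a stub built for this demo) for a real console; the function names are my own.

```go
package main

import (
	"context"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

var ErrStarting = errors.New("insightvm console still starting") // login.jsp redirected to starting.html

// BasicAuthHeader builds the Authorization value for the InsightVM API: "Basic " + base64("username:password").
func BasicAuthHeader(username, password string) string {
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(username+":"+password))
}

// SSHKeyMetadataEntry formats one line of the "ssh-keys" metadata item the way the Compute API
// expects it: "<username>:<key> <username>". (The Console form adds the "<username>:" prefix itself.)
func SSHKeyMetadataEntry(username, publicKey string) string {
	return fmt.Sprintf("%s:%s %s", username, strings.TrimSpace(publicKey), username)
}

// NewProbeClient reports redirects instead of following them, so the probe sees the 302 to starting.html.
func NewProbeClient(timeout time.Duration) *http.Client {
	return &http.Client{
		Timeout:       timeout,
		CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse },
	}
}

// CheckLogin probes login.jsp once: nil on 200, ErrStarting on a redirect to starting.html, else an error.
func CheckLogin(ctx context.Context, client *http.Client, loginURL string) error {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, loginURL, nil)
	if err != nil {
		return err
	}
	resp, err := client.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	switch loc := resp.Header.Get("Location"); {
	case resp.StatusCode == http.StatusOK:
		return nil
	case resp.StatusCode/100 == 3 && strings.Contains(loc, "starting.html"):
		return ErrStarting
	default:
		return fmt.Errorf("unexpected %d (Location %q) from %s", resp.StatusCode, loc, loginURL)
	}
}

// WaitForScanner polls login.jsp every interval until the redirect stops, the context expires,
// or an unexpected error occurs, and reports how many probes it made.
func WaitForScanner(ctx context.Context, client *http.Client, loginURL string, interval time.Duration) (int, error) {
	for probes := 1; ; probes++ {
		err := CheckLogin(ctx, client, loginURL)
		switch {
		case err == nil:
			return probes, nil
		case ctx.Err() != nil: // deadline hit, possibly mid-request
			return probes, ctx.Err()
		case !errors.Is(err, ErrStarting):
			return probes, err
		}
		select {
		case <-ctx.Done():
			return probes, ctx.Err()
		case <-time.After(interval):
		}
	}
}

// NewFakeScanner is a demo stub, not InsightVM: the first startingProbes requests to /login.jsp
// redirect to /starting.html, after which it serves the login form. Probes are sequential, so no lock.
func NewFakeScanner(startingProbes int) *httptest.Server {
	seen := 0
	mux := http.NewServeMux()
	mux.HandleFunc("/login.jsp", func(w http.ResponseWriter, r *http.Request) {
		seen++
		if seen <= startingProbes {
			http.Redirect(w, r, "/starting.html", http.StatusFound)
			return
		}
		fmt.Fprint(w, "<form>login</form>")
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := NewFakeScanner(2) // two "still starting" answers, then ready
	defer srv.Close()
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	fmt.Println(WaitForScanner(ctx, NewProbeClient(2*time.Second), srv.URL+"/login.jsp", 10*time.Millisecond))
	fmt.Println(BasicAuthHeader("bot", "secret"), SSHKeyMetadataEntry("bot", "ssh-rsa AAAA..."))
}
```

Probe with a client that does not follow redirects; otherwise you get starting.html's own 200 and conclude the console is ready when it is not. Against a real console the probe URL is HTTPS and the console's certificate is self-signed by default, so pin it or install a trusted one rather than switching verification off in the client. Only the public half of the scan user's key goes into the ssh-keys metadata; the private key stays on the scanner instance, and it is the metadata format, not the key, that differs between the Console and the API.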

Final thoughts:

  • Why InsightVM vs other scanners? Well, it was just easier to get a trial key. It's possible to do this PoC for Nessus if you can use the Tenable.io API (not just the Nessus scanner itself, since you cannot add credentials via its API). I'm not completely sure whether you can do this with Qualys, given their virtual scanners are deployed through GCP Deployment Manager, which makes it a bit more complicated.
  • Why not Docker? Baby Steps! I wanted to see how possible this was first.
  • One big flaw is that the scanner is launched in the central region of the subnetwork by default; with some tweaking of the code, the region could be chosen dynamically.
  • Anyway, here is the code for it (I just started using Go around Christmas 2019, so go easy on me, fellow Gophers; I know there are some improvements needed). Also, remember: only scan what you have permission to scan. This is just the code; you will still need to set up the InsightVM scanner image.
