Tenable Blog

BackTrack 5, code name "Revolution", is a very popular Linux distribution used primarily for penetration testing. It contains a lot of different tools for scanning, testing, and exploiting everything from web applications to wireless networks. Since the creators of BackTrack 5 included such a vast array of tools, I thought it would be interesting to show how some of those tools can be integrated with your Nessus server to extend functionality and import results.

Importing Nmap Results

There are many occasions where Nmap is used to scan specific hosts or a large network of hosts. The XML results from Nmap can be imported into Nessus and used as the basis for vulnerability scanning. If you are going to use Nmap results this way, you can disable Nessus's built-in port scanners and host identification functionality, relying solely on your Nmap results to perform the scan:

The Benefits of Credentialed Scanning and Auditing

We've covered the advantages of credentialed vulnerability scanning and configuration auditing in previous blog posts, but I want to recap some of the benefits:

• Getting Around Firewalls - Whether you are scanning through network or host firewalls, credentialed scans require less ports to be open between the scanner and the target(s) and require less network bandwidth and target resources.
• Finding Localized Vulnerabilities - Several vulnerabilities, including those being exploited by attackers and penetration testers alike, are not accessible over the network but present themselves in end-user software ranging from web browsers, PDF readers and office suites. By performing a credentialed scan, Nessus is able to find vulnerabilities that requires user interaction to trigger exploitation in local software.
• Verifying Settings & Configurations - Through either Nessus plugins or configuration auditing, you can answer questions about the state of your systems. For example, if you want to know who has either local or domain administrative rights to your systems, there are plugins that report the list of users. Want to know what type of USB devices are in use in your environment or which systems have modems connected? There are plugins that test for those conditions as well. With configuration auditing, you can check any registry entry on a Windows system for a specific value or check the values on entries in configuration files on Linux/UNIX systems.

As a vendor, Tenable has to demonstrate compliance in many different types of categories. The Payment Card Industry, the Center for Internet Security and US government's FDCC program all have certification standards and procedures for vendors like Tenable. Since Tenable is certified in most of these these categories (we're in the process of becoming an ASV), I though it would be interesting for our blog readers to share some of our insights into the differences and misconceptions between them.

NSA Hardening Guidelines

The National Security Agency (NSA) has developed security hardening guidelines for various operating systems and technologies. I remember when I first started in information technology and used these guides to harden my Windows servers. I was met with mixed success; some systems would run better, and some would cease to function due to configuration changes. This taught me about my systems and their configurations, and knowing what your systems do and how they are configured is the true key to successful systems administration. Remember, the “guidelines” are just that, a guide to configuring and securing your systems. Ultimately, it is up to you to determine which changes you will implement, and most importantly test those changes in a lab/QA environment.

Mac OS X's popularity has been growing rapidly, and so has its use in corporate environments. The NSA has released a new hardening guide for OS X. Tenable has created a configuration audit that will compare the configuration of your OS X systems with the NSA's guidelines, and below are some of the example results from an audit:

I was recently talking to my good friend Ed Skoudis about computer security incident response. An interesting question he asks organizations that are in "incident response" mode is, "Do you run PsExec?" PsExec is part of the Windows Sysinternals’ suite of tools and implements a service that allows users to administer Windows systems remotely using the command line. More information can be found on the PsExec download page. It also contains functionality described as:

"PsExec's most powerful uses include launching interactive command-prompts on remote systems and remote-enabling tools like ipconfig that otherwise do not have the ability to show information about remote systems."

We are pleased to announce that four new Nessus policy templates will be distributed to Nessus ProfessionalFeed and HomeFeed users via the Nessus plugins feed. This is first time we've used "push" functionality to send down scan policy templates.

Click for larger image

The four new Nessus scan policy templates will appear in the "Policies" tab once your Nessus installation has updated the plugins:

• External Network Scan - This policy is tuned to scan externally facing hosts, which typically present fewer services to the network. The plugins associated with known web application vulnerabilities (CGI Abuses and CGI Abuses: XSS plugin families) are enabled in this policy. Also, all 65,535 ports are scanned for on each target.

Successful Attacks from Automated Malware

Recently, malware dubbed "LizaMoon" (named after the first web site found distributing it) has been popping up in the news:

Dubbed LizaMoon, unidentified perpetrators of the scareware campaign inject script into legitimate URLs, so when people try to access the website, they get redirected to a page warning them that their PCs are infected with malware that can be removed by downloading a free AV application called Windows Stability Center.

From LizaMoon SQL Injection Attack Hits Websites

LizaMoon scans web sites for easily exploitable SQL injection vulnerabilities, then uses that to put redirects on the web site that take users to a site which installs malware. This is not a new form of attack, however the "Lizamoon" malware has been surprisingly successful. Google searches for infected sites report that over 1.5 million pages have been infected. The important thing to not about the numbers of infection is "pages" does not refer to sites, as a site can have multiple infected pages. This type of attack typically works as follows:

With today’s plugin updates, Nessus now has the capability to warn you of hosts that are being controlled by botnets or hosting links to known malware or phishing sites.

Tenable is pleased to announce the release of Nessus 4.4.1! This is a point release (moving from 4.4.0 to 4.4.1), containing several enhancements and minor bug fixes.

From a user perspective, there is a new feature that allows the SYN scanner to be selectively throttled. A new setting, nessus_syn_scanner.global_throughput.max can be added to the nessusd.conf file. The option sets the maximum number of packets per second that Nessus will send during a SYN port scan (regardless of how many hosts are scanned in parallel).

And the race is on to apply patches to the Microsoft Windows systems in your environment! One of the bulletins this month, MS011-04, fixes remotely exploitable issues in the IIS FTP service. To me, FTP falls in the same category as Telnet, which is "You should be using SSH instead". Despite the lack of security that FTP offers, it still appears to be wildly popular decades later. I performed some searches using "SHODAN", "The Computer Search Engine", which scours the Internet looking for open ports, services and banners. I told it to find systems with port 21 (FTP) open and got the following results:

• United States: 27,355
• China: 15,341
• India: 11,122
• Egypt: 10,476
• Thailand: 10,068