Tenable Blog

I've recently been doing a bit of research into the history of Nessus. I discovered that the first version of Nessus was published in 1998, and any time software has been around for that long there are bound to be some myths and misconceptions that develop as fast as new features over the years. This post will explain some common myths and set the record straight.

A Nessus user recently contacted me about performing a scan that would simply discover hosts on the network. This is a very low impact scan that does not look for vulnerabilities or enumerate ports. There are a few good reasons to run this type of scan:

Systems protected by a network or host-based firewall may only respond on a single port or to an ICMP echo request. Hosts that only respond to an ICMP ping will not show up in the default Nessus scan report. By enumerating these hosts you can include them in the report to show that scans were attempted but did not find any results, then determine if this is normal behavior or not.

Your internal policies may provide specific time windows when vulnerability scanning can occur. By tuning a scan that only discovers live hosts, you can check that your Nessus server is set up properly, collect a list of hosts to scan and stay within your vulnerability scanning policy guidelines.

To configure a scan that will only test if hosts are alive, use the following policy settings:

Click for larger image

Tenable is excited to announce a new release of the Nessus vulnerability scanner! This is a major release (moving from 4.2.2 to 4.4.0) and includes several new features and enhancements, including the addition of scan scheduling and enhanced reporting. The GUI and web server have both been updated and will be released through the plugin feed. The enhancements included in the plugin feed will be backward compatible with Nessus 4.2, and some of the new features will be available in Nessus 4.2 via the plugin feed update. However all users are strongly encouraged to upgrade to the latest version to take advantage of all the new features.

The list below outlines the changes included in the 4.4.0 release, including sample reports, scheduling examples and more:

User interface

• A brand new reporting engine produces improved reports. Two new HTML reports have been added: a detailed plugin report (results displayed by plugin / vulnerability) and an "Executive Summary" report that summarizes the top 10 most vulnerable hosts on the network.

Click for larger image
An example of the "Executive Summary" report

A new video has been uploaded to the Tenable Security YouTube Channel titled, "Advanced Web Application Scanning Using Nessus":

Reconfiguring Access Points

Wireless threats come in many different forms, such as disclosure of cleartext credentials, breaking encryption schemes such as WEP and attacking wireless drivers on client systems. While you can extend the range of wireless signals, for the most part these attacks require that the attacker be in close physical proximity of the wireless network and/or client to execute. This is the primary reason why most organizations do not assign a high priority to defending against these attacks. There are far more attackers on the Internet than will be in close proximity to your wireless deployment.

However, something that worries me greatly are wireless attacks that break down these physical barriers. What if attackers could remotely attack a system and then use it to perform local wireless attacks? There have been some papers posted about using the local client system to enumerate wireless networks, but not much in the way of launching attacks. Malware that embeds itself in wireless routers has received limited exposure (except for the infamous "Chuck Norris" worm, that may have been due to the popularity of the "Chuck Norris Facts" web site).

In an effort to stay ahead of attackers, I recommend that organizations place a higher priority on protecting wireless clients and access points. There are several very concerning vulnerabilities in access points that are trivial to exploit. One example is the D-Link DCC Protocol Security Bypass.

I am often astonished as to just how many vulnerability checks are included with Nessus. There is something to be said for the scope of the nearly 40,000+ plugins (the numbering of the plugins started at 10001). On October 19, 2010, Nessus plugin number 50,000 was published into the feed. Let's go back and take a look at some of the first plugins:

The "official" first numbered Nessus plugin in the feed is ColdFusion Multiple Vulnerabilities (File Upload/Manipulation) - Plugin ID 10001. I found some interesting information about this vulnerability:

"Although this vulnerability has been known for a while we think it is worse than originally thought. Users can upload and potentially execute files on the web server. Furthermore, few sites seem to have fixed the problem. Major commercial, government, and military sites have been found to still be vulnerable. We hope this advisory helps get the word out to all those webmasters.

-weld"

I'm excited to announce Tenable's new eCommerce site. This site supports:

• Nessus ProfessionalFeed purchases of 1, 2 and 3 years
• Renewals of ProfessionalFeed subscriptions of 1, 2 or 3 years
• Initiating the renewal process directly from the Tenable Support Portal

The renewal link is available for ProfessionalFeeds within 90 days of expiration and up to a year afterwards.

Tenable is pleased to announce the official release of the Nessus App for iPhone! The application can be downloaded for free on the App Store and contains the following features:

• Connect to a Nessus server (4.2 or later)
• Launch existing scan templates on a server
• Start, stop or pause running scans
• Create and execute new scans and scan templates
• View and filter reports

You will need iPhone® or iPod touch® iOS 4.0 or later in order to run the app. Following are some screenshots of the application in action:

The first thing you will need to do is add a new Nessus server:

Awful, awful, awful.....Magic!

It was my wife’s turn to choose a movie the other night, which means there were no kung fu fight scenes, sword fights or car chases. Instead, there was a scene that depicted a father-to-be talking to a father of three children. The father with three children was explaining to the father-to-be what parenthood was really like and stated: "Parenthood is awful... awful… awful... but then there is this magical moment that makes it all worth it… then awful... awful... awful and repeat". Parents reading this, especially ones with small children, are probably laughing. However, I thought that the "awful, awful, awful, magic!" analogy also very accurately described penetration testing.