12 posts from March 2009

 

Detecting Malware Distribution With Nessus

Many of today's latest worms and viruses are using interesting methods to propagate across the network. For example, the Conficker.A / Downadup worm sets up a web server for victims to connect to and download a copy of the malware. What I find interesting about this method is that no matter what request is made to the HTTP server, it responds with a Microsoft executable file. Nessus detects such an HTTP server with plugin id 35322 "HTTP Backdoor Detection":

[Screenshot: HTTP-Malware-1.png, plugin 35322 output]
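The check described above, written out as an added example rather than the plugin's own code: request several unrelated paths and report the server only if every response, including ones that should be a 404 or an icon, comes back as a Windows PE file (the `MZ` DOS header). The probe paths, the `fetch` interface and the two constructed servers are assumptions made for the example.

```python
# Added example (not Nessus plugin code): flag an HTTP server that answers
# every request, whatever the path, with a Windows executable, the
# behaviour the post describes for the Conficker.A / Downadup download server.
import urllib.error
import urllib.request
from typing import Callable, Tuple

# A fetch function returns (status, content_type, first bytes of body) for a path.
Fetch = Callable[[str], Tuple[int, str, bytes]]

# Assumed probe set: unrelated paths a normal server would answer differently.
PROBE_PATHS = ["/", "/index.html", "/robots.txt", "/nonexistent-page-xyz", "/favicon.ico"]
PE_MAGIC = b"MZ"  # DOS header magic at the start of every Windows PE file


def looks_like_pe(body: bytes) -> bool:
    return body[:2] == PE_MAGIC


def detect_exe_backdoor(fetch: Fetch, paths=PROBE_PATHS) -> dict:
    """Request each probe path; suspect a backdoor only if ALL come back as PE files."""
    per_path = {}
    for path in paths:
        status, ctype, body = fetch(path)
        per_path[path] = (status, ctype, looks_like_pe(body))
    exe_for_all = all(is_pe for _, _, is_pe in per_path.values())
    return {"backdoor_suspected": exe_for_all, "per_path": per_path}


def http_fetch(base_url: str, timeout: float = 5.0) -> Fetch:
    """Build a real fetch function for a scanner run (reads only the first 64 bytes)."""
    def fetch(path: str):
        req = urllib.request.Request(base_url.rstrip("/") + path, headers={"User-Agent": "probe"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.headers.get("Content-Type", ""), resp.read(64)
        except urllib.error.HTTPError as err:
            # Error responses carry a body too; a backdoor may still serve MZ here.
            return err.code, err.headers.get("Content-Type", ""), err.read(64)
    return fetch


# Constructed sample servers so the check can be exercised offline.
def constructed_backdoor_server(path: str):
    # Every request, whatever the path, gets the same executable payload.
    return 200, "application/octet-stream", b"MZ\x90\x00" + b"\x00" * 60


def constructed_normal_server(path: str):
    if path == "/favicon.ico":
        return 200, "image/x-icon", b"\x00\x00\x01\x00"
    if path == "/nonexistent-page-xyz":
        return 404, "text/html", b"<html>Not Found</html>"
    return 200, "text/html", b"<html>hello</html>"


if __name__ == "__main__":
    print(detect_exe_backdoor(constructed_backdoor_server)["backdoor_suspected"])  # True
    print(detect_exe_backdoor(constructed_normal_server)["backdoor_suspected"])    # False
```

Requiring a PE header on every probe, rather than on any one of them, is what keeps a legitimate download site (which serves an executable only at the download URL) from tripping the check.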

Continue reading "Detecting Malware Distribution With Nessus" »

 

Detecting Conficker with Nessus

Nessus plugin #36036 performs a network-based check for Windows computers infected with a variant of the Conficker virus. The scan does not need credentials, but does require port 445 or 139 to be open between the Nessus scanner and your scanned systems. The plugin is based on research from the University of Bonn in Germany.

Conficker exploits Windows systems vulnerable to MS08-067. Tenable has worked with many organizations to help them perform both un-credentialed network scans and credentialed patch audits with Nessus to find systems that are still vulnerable. We wrote a blog about our typical experiences working with customers performing these scans. 

 

Insecure Software Update Detection

Getting In The Middle

Unpatched and out-of-date software is a common attack vector for penetration testers and attackers alike. Applications such as Adobe Reader and Microsoft Office are popular targets due to their widespread use on Windows systems and users' willingness to click on just about anything. Both can update themselves, much as the operating system does, but each updater covers only its own software package. What happens, though, when the software update process itself is insecure? Enter a program called "evilgrade", which exploits this process to install software of an attacker's choosing. For this attack to succeed, the victim machine must first be subjected to a Man-In-The-Middle (MITM) attack.

Continue reading "Insecure Software Update Detection" »

 

Ranum's Rants - The Anatomy of Security Disasters

(PDF version of this is available from my personal website, PDF of Powerpoint handouts from Source Boston 2009)

Introduction: Truth

Since I started in security, 20 years ago, "they aren’t taking security seriously" has been the constant complaint of the security expert. Even in organizations where security is taken seriously, it has been at the expense of living in a constant relationship of opposing management or other business units. Some of us enjoy the strife; most don’t. In fact, most of us enjoy being employed more than we enjoy being right.

Continue reading "Ranum's Rants - The Anatomy of Security Disasters" »

 

Detecting Base64 Encoded Authentication Requests

Passive Detection

Monitoring networks for potential security violations can uncover some interesting events and surprising aspects of applications.
Base64 encoding is used by many applications to "obscure" the password when it travels across the network. Base64 encoding does not implement a cryptographic algorithm to protect sensitive information, yet is often used in many networks and end-user applications.
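A passive check of the kind the post describes, as an added example (not PVS or any Tenable code): scan captured HTTP request text for `Authorization: Basic` headers, whose value is the Base64 encoding of `user:password`, and decode it to show that nothing protected the credential in transit. HTTP Basic authentication is assumed here as the concrete case; the sample requests are constructed.

```python
# Added example (not Tenable code): find Base64-encoded HTTP Basic credentials
# in captured requests and decode them, demonstrating that Base64 is an
# encoding, not encryption. Sample requests below are constructed.
import base64
import binascii
import re

AUTH_RE = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$",
                     re.IGNORECASE | re.MULTILINE)


def decode_basic_credential(token: str):
    """Return (username, password) for a Basic token, or None if it is not Base64 'user:pass'."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if ":" not in text:
        return None
    user, _, password = text.partition(":")
    return user, password


def find_cleartext_logins(http_requests):
    """Scan raw HTTP request texts; report the username and the password LENGTH only,
    so the monitoring tool's own output does not become a second copy of the secret."""
    findings = []
    for req in http_requests:
        request_line = req.splitlines()[0] if req else ""
        for match in AUTH_RE.finditer(req):
            creds = decode_basic_credential(match.group(1))
            if creds is None:
                continue
            user, password = creds
            findings.append({"request": request_line, "user": user,
                             "password_length": len(password)})
    return findings


# Constructed sample traffic: "YWxpY2U6czNjcmV0" is base64("alice:s3cret").
SAMPLE_REQUESTS = [
    "GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
    "Authorization: Basic YWxpY2U6czNjcmV0\r\n\r\n",
    "GET /public HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
    "GET /api HTTP/1.1\r\nHost: intranet.example\r\n"
    "Authorization: Bearer not.a.basic.token\r\n\r\n",
]

if __name__ == "__main__":
    for finding in find_cleartext_logins(SAMPLE_REQUESTS):
        print(finding)  # {'request': 'GET /admin HTTP/1.1', 'user': 'alice', 'password_length': 6}
```

Reporting the username and password length rather than the password itself is deliberate: a detection that logs recovered passwords in clear text reproduces the very exposure it is meant to flag.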


Continue reading "Detecting Base64 Encoded Authentication Requests" »

 

Scanning Vulnerable Linux Distributions With Nessus

A challenge for many penetration testers is to find a vulnerable system they can use to test their penetration testing skills and tools before they use them against paying clients. I recently found a distribution called "Hackerdemia", a Slax-based Linux distribution containing several vulnerabilities, including unpatched software, misconfigured services, default passwords and a few other surprises. My goal was to bring up the distribution in a virtual machine, assign it an IP address using host-only mode and scan it using Nessus.

Continue reading "Scanning Vulnerable Linux Distributions With Nessus" »

 

Auditing PHP Settings to OWASP Recommendations with Nessus

Tenable recently released an audit policy for Linux servers running PHP which tests for hardening recommendations from the Open Web Application Security Project (OWASP). OWASP maintains a set of guidelines for hardening web servers, with specific attention given to PHP and ColdFusion technologies.

Continue reading "Auditing PHP Settings to OWASP Recommendations with Nessus" »

 

Tenable Discussion Forums

[Screenshot: Large-pic, the discussions forum site]


Tenable has been operating a new “Discussions Forums” web site for all Nessus users and Tenable customers. The forum is located at https://discussions.nessus.org/. It offers the following discussion areas:

  • Announcements
  • Nessus : Scanning
  • Nessus : Reports
  • Nessus : Advanced
  • Nessus : Compliance Checks (*)
  • Nessus : Feature Requests, Bug Reports
  • Security Center (*)
  • Log Correlation Engine (*)
  • Passive Vulnerability Scanner (*)

(*) – Customer access only

Continue reading "Tenable Discussion Forums" »

 

USB Device History Auditing with Nessus

Nessus plugin #35730 can perform an audit of Windows computers to obtain a list of all USB devices that may have been connected to them at some point in time. This plugin complements plugin #24274, which uses a WMI query to list all currently installed USB devices.

Continue reading "USB Device History Auditing with Nessus" »

 

Hak5 and Dojosec Videos

Tenable CSO Marcus Ranum gave a talk about the limitations of Cyber Warfare at this month's Dojosec in Columbia, Maryland. A video of his presentation, as well as those of all the other speakers, is now online at Vimeo.

[Video thumbnail: Marcus]


I was also recently interviewed for Hak5 Episode 503. If you have not heard of Hak5, they have several very high quality shows which cover a wide variety of topics relating to network security, open source, penetration testing, modifying hardware, product demos and more.

[Video thumbnail: Hak5]

 

AfterBites - Man Must Decrypt Hard Drive

The original article:

 --Judge Says Man Must Decrypt Drive
(February 26 & March 3, 2009)
A federal judge has ruled that a man suspected of having child
pornography on an encrypted drive on his laptop computer is not
protected by the Fifth Amendment. US District Judge William Sessions
ruled that Sebastien Boucher surrendered those rights when he allowed
his laptop to be searched the first time, and ordered Boucher to provide
the court with an unencrypted version of the drive in question. The
ruling reverses an earlier decision in which a judge ruled that Boucher
was protected from incriminating himself under the Fifth Amendment. The
original request from the US department of Justice had been to make
Boucher surrender his encryption passwords; the appeal asked only that
he decrypt the drive in view of the grand jury. Boucher's laptop was
searched in December 2006 while crossing the border into the US from
Canada. Agents claim to have seen the offending content, then shut down
the computer. When they tried to access the images after Boucher's
arrest, they were unable to because of his PGP program.
http://news.cnet.com/8301-13578_3-10172866-38.html?tag=pop
http://www.theregister.co.uk/2009/03/03/encryption_password_ruling/
http://www.wcax.com/Global/story.asp?S=9909241


There are several things about this particular article that really bother me - and they're all about the rights of citizens to be free of government interference.

Continue reading "AfterBites - Man Must Decrypt Hard Drive" »

 

Dynamic Remote Registry Auditing - Now you see it, now you don’t!

Recently, Tenable’s Research group added the ability for Nessus credentialed scans to automatically start and stop the Windows Remote Registry service. This blog entry discusses the technical and political ramifications of this new feature.

Scanning Systems without the Remote Registry service running

The Remote Registry service allows remote computers with credentials to access the registry of the computer being audited. If the service is not running, reading keys and values from the registry won’t be possible, even with full credentials.

Here is a screen shot of a Windows 2003 server that does not have the Remote Registry running:

[Screenshot: 1-w2003-reg-off, Windows 2003 services list with Remote Registry not running]

You can see that although it is "Automatic" and should be running at boot, for some reason, it has not been started. When scanning this Windows 2003 server with a credentialed Nessus scan policy, plugin #26917 will generate a warning that the registry could not be read:

[Screenshot: 2-26917-error, plugin #26917 warning]

This can be an issue when scanning Vista workstations, as Vista disables the registry service by default.

Nessus is usually very accurate because it performs file-level checks for patch auditing. However, the registry is a vital part of performing a complete audit, as many vulnerability checks in the Tenable Home and Professional Feeds leverage registry access to determine the remote version of the Windows system, the location of system files, etc.

You can enable the Remote Registry service during the scan

Recently, Tenable added the ability to start the Remote Registry service during a credentialed scan. This requires auditing Windows servers with an Administrator account. Note that this feature is disabled by default.

To configure a Nessus scan policy, enable the four plugins in the “Settings” plugin family that start and stop the Remote Registry service and determine whether the service was started or stopped correctly. A screen shot of these plugins (#35703, #35704, #35705 and #35706) is shown below:

[Screenshot: 3-plugins, plugins #35703 to #35706 in the Settings family]

Enabling these plugins is not enough. A scan preference is also required and is available under the Advanced scan policy tab as shown below:

[Screenshot: 3a-preferences, the Advanced scan policy preference]

If the plugins are enabled and the scan preference is also set, then Nessus will attempt to start the Remote Registry service (if it’s not running already) before attempting a credentialed audit of the Windows computer.

All Windows OSes (Windows XP, 2003, Vista and 2008) are supported by these plugins.

Political and Audit Ramifications

There are several non-technical issues to consider when using these new plugins in your infrastructure.

Is this secure?

If your organization has a policy that restricts running the Remote Registry service on Windows platforms, this new functionality provides the option to keep this service disabled.

The concern over running this service could come from external sources. There are many public and government regulations that recommend that the Remote Registry service be disabled. Some organizations turn these recommendations into required baseline configurations.

If leaving the Remote Registry service running in your organization is considered a security risk, these new plugins provide the ability to run it only for a few minutes during an audit and then turn it off. This enables you to get the essential information while limiting the security risk of leaving the Remote Registry service running all the time. Note that starting and stopping the Remote Registry service may come under your organization’s Change Management Policy.

Also note that if Nessus has the privileges to start the registry service remotely, any attacker with the same privileges could do the same.

Is this compliant with my security policy?

If you are using Nessus to perform FDCC, DISA STIG or Center for Internet Security Windows configuration audits, it is very likely that these policies will test to ensure that the Remote Registry service is not running. If this is the case the audit will fail during the scan.

However, the results of the scan will show the following two informational vulnerabilities:

[Screenshots: 4-started and 4a-started, the two informational findings for the service start and stop]


These records show that the service was stopped before the scan was completed.

If this did not meet the criteria for a particular type of audit, you could follow up this scan with a second scan that showed the registry service was indeed disabled.

How Does This Impact IT?

As with all things in IT, it is strongly recommended that you test this functionality in your environment. Tenable performed extensive testing of this technology prior to releasing it, but there are many issues to be considered:

  • Starting and stopping the Remote Registry service generates Windows event logs. If you run a SIM or log management tool that can detect change purely through log analysis, inform your security monitoring team about this new type of audit so they do not become alarmed.
  • If your IT group has any third-party tools that continuously monitor the Remote Registry service and “force” it off, the Nessus scans will still run, but once the service is disabled mid-scan, any checks that require registry access will no longer produce results.
  • If you perform a scan and lose connectivity in the middle of an audit, or if you manually stop the scan in the middle of an audit, you could end up leaving the Remote Registry Service running on the scanned server.
  • If you are auditing servers that are extremely short on available CPU, memory or disk I/O, starting the Remote Registry service could take a long time.

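The first and third points above (the audit leaves a trail in the Windows event log, and an interrupted scan can leave the service running) suggest a simple check the monitoring team can run. The following is an added example, not Nessus or Tenable code: it reads Service Control Manager state-change events (event ID 7036 in the System log, "The Remote Registry service entered the running/stopped state") and pairs each start with the next stop on the same host. A start and stop a few minutes apart is the audit pattern described in this post; a start with no stop is flagged as a service left running. The one-line "timestamp host event_id message" format and the log lines themselves are constructed for the example; a real collector would map its own fields onto `parse_event`.

```python
# Added example (not Nessus code): pair Remote Registry start/stop events so
# a Nessus-style audit (start, then stop a few minutes later) can be told
# apart from a service that was left running, e.g. after an interrupted scan.
# The log line format and sample events below are constructed for this example.
from datetime import datetime, timedelta

SCM_STATE_CHANGE = 7036     # Service Control Manager: "<service> entered the <state> state"
SERVICE = "Remote Registry"

SAMPLE_EVENTS = [
    "2009-03-10T09:00:01 srv01 7036 The Remote Registry service entered the running state.",
    "2009-03-10T09:00:45 srv01 7036 The Remote Registry service entered the stopped state.",
    "2009-03-10T09:10:02 srv02 7036 The Remote Registry service entered the running state.",
    "2009-03-10T09:10:10 srv02 7036 The Print Spooler service entered the stopped state.",
]


def parse_event(line):
    """Split a constructed 'timestamp host event_id message' line into typed fields."""
    ts, host, eid, msg = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, int(eid), msg


def remote_registry_transitions(lines):
    """Yield (timestamp, host, 'running'|'stopped') for Remote Registry state changes only."""
    for line in lines:
        ts, host, eid, msg = parse_event(line)
        if eid != SCM_STATE_CHANGE or f"The {SERVICE} service" not in msg:
            continue
        if "entered the running state" in msg:
            yield ts, host, "running"
        elif "entered the stopped state" in msg:
            yield ts, host, "stopped"


def audit_windows(lines, now, max_audit=timedelta(minutes=10)):
    """Return {host: [(verdict, duration), ...]} where verdict is one of:
    'audit_window'          started and stopped within max_audit (expected scan pattern)
    'long_running'          started and stopped, but open longer than max_audit
    'left_running'          started and never stopped as of `now` (e.g. aborted scan)
    'stopped_without_start' a stop with no preceding start in the reviewed window
    """
    open_starts = {}
    verdicts = {}
    for ts, host, state in sorted(remote_registry_transitions(lines)):
        if state == "running":
            open_starts[host] = ts
            continue
        started = open_starts.pop(host, None)
        if started is None:
            verdicts.setdefault(host, []).append(("stopped_without_start", ts))
        else:
            kind = "audit_window" if ts - started <= max_audit else "long_running"
            verdicts.setdefault(host, []).append((kind, ts - started))
    for host, started in open_starts.items():
        verdicts.setdefault(host, []).append(("left_running", now - started))
    return verdicts


if __name__ == "__main__":
    review_time = datetime.fromisoformat("2009-03-10T10:00:00")
    for host, items in audit_windows(SAMPLE_EVENTS, review_time).items():
        print(host, items)
    # srv01 [('audit_window', 0:00:44)]   srv02 [('left_running', 0:49:58)]
```

Run against the System log from each audited server (or the SIM's copy of it), `left_running` is the condition to act on, and `audit_window` is what the monitoring team should expect to see, once per scan, on every host in the scan's target list.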
Typically though, the impact on IT from performing these types of audits is very low. The screen shot below shows a full patch audit with the dynamic enabling and disabling of the Remote Registry service on an underpowered Windows 2003 virtual machine:

[Screenshot: 5-scan-time, scan duration for the full patch audit]

That is less than a minute for a full patch and vulnerability audit on a Windows 2003 server. During the scan, there was very little CPU or memory usage as a result of the audit.

For More Information

This functionality is available to all Nessus users, including those using the Home Feed to audit their personal computers and networks, as well as to Professional Feed subscribers who can make use of this technology to audit corporate, university and government networks.

If the topic of IT auditing interests you, we have many other excellent blog entries on this subject listed below: