14 posts from May 2009


Top 3 Things You Should Know About Nessus

A friend of mine, who was preparing to teach a workshop that included information about Nessus, recently asked: "What are the top three things you would tell people about Nessus?" Below is a more detailed version of my response:

1) Network Scanning - With over 28,000 plugins, Nessus has excellent coverage in terms of vulnerability scanning for your systems and network. When running a network-based scan it is important to tune it appropriately. Look at the different plugin families and enable the ones that you think are most relevant. In addition, review the Advanced options for your scan. If you are performing web application testing, take a look at the Advanced options global variable settings. If speed is not a factor, you can get some awesome results by enabling CGI scanning, experimental plugins and thorough tests. Finally, don't just look at the high-severity alerts: some medium- and low-severity alerts can lead to root access!

Continue reading "Top 3 Things You Should Know About Nessus" »


Audit the Cloud with Passive Scanning

Imagine a scenario where you are tasked to audit the security of an organization's efforts to "cloud-source" applications, operating systems, databases and other aspects of IT infrastructure. You want to fire up your favorite network scanner, Nessus, but are warned that some of the outsourced companies have contract clauses that prevent auditing, network scanning or security testing. Even if they did not, some of the technology is exposed only at the API or SQL level and there isn't an identifiable OS to scan. Last, even though you may be able to perform a scan quickly, some cloud resources are charged at an hourly rate, so the act of auditing costs your company money that the application group did not budget for. Fortunately, passive vulnerability scanning can help audit remote resources that are now off your network and "in the cloud".

Continue reading "Audit the Cloud with Passive Scanning" »


Nessus 4.0.1 Released

Tenable Network Security has released version 4.0.1 of the Nessus vulnerability scanner. This point release includes a variety of minor bug fixes as well as support for additional authentication schemes. All customers are encouraged to upgrade to the latest version of the Nessus Server and NessusClient. Below is a summary of some of the fixes and improvements:

Continue reading "Nessus 4.0.1 Released" »


Presentation "Using Nessus In Web Application Assessments"

At a recent OWASP meeting in Princeton, NJ I gave a short presentation on some techniques to have Nessus dig deeper into your web applications. There are several approaches to web application testing:

    "Blind Tests" - Often a penetration tester is provided a range of address space and some rules of engagement that define the parameters of the test. Information such as which IP addresses and/or hostnames are running web servers is not typically provided, nor is a list of which web applications are running on those web servers. Nessus contains functionality to identify running web servers and vulnerable web applications, which is very useful if you have a large amount of address space to scan. This does not replace manual testing, but it provides a starting point for detailed web application tests.

Continue reading "Presentation 'Using Nessus In Web Application Assessments'" »


User Poll: Your Favorite Nessus Results

Not All Vulnerabilities Are Created Equal

We recently asked a select group of Nessus users which Nessus plugins provide the most interesting results for a given scan. This is a great question because you can often find patterns in the types of vulnerabilities that share characteristics such as ubiquity and ease of exploitation. Several of the favorite plugins that penetration testers see during scans have to do with default or missing passwords that give an attacker instant access to the exposed service. The good news is that this type of vulnerability is usually easy to fix, and using Nessus makes it easy to spot in your environment.

Continue reading "User Poll: Your Favorite Nessus Results" »


Full Log Aggregation, Storage and Search

Tenable has released version 3.2 of the Log Correlation Engine (LCE), which includes the ability to store, compress and search any log that is sent to it. This functionality is available to all current LCE customers as a point release upgrade. It also builds upon the log normalization, correlation, user tracking and anomaly detection that were already available in prior versions.

Click on the image below for a demonstration of the LCE performing full log searches from within the Security Center:

[Image: Full Log Search]

Continue reading "Full Log Aggregation, Storage and Search" »


AfterBites: More on Espionage

The Story:

--Pentagon Official Charged with Espionage Conspiracy
(May 13 & 14, 2009)

A Pentagon official has been charged with espionage conspiracy for allegedly leaking confidential documents to a Chinese government operative. James Wilbur Fondren Jr. has been on administrative leave from his job as Deputy Director, Washington Liaison Office, US Pacific Command (PACOM) since February 2008. Fondren was allegedly able to access the sensitive information through his security clearance. If he is convicted of the charges against him, he could face five years in prison and a fine of US $250,000.

http://www.nextgov.com/nextgov/ng_20090514_7707.php
http://www.scmagazineus.com/Defense-Department-insider-charged-with-espionage/article/136743/
http://www.usdoj.gov/opa/pr/2009/May/09-nsd-469.html

[Editor's Note (Northcutt): Limiting access rights based on roles is essential.]

My comment on this (which didn't get posted along with Northcutt's) was:

"Is this where I get to say 'I told you so'??

Continue reading "AfterBites: More on Espionage" »


Webinar - Control System Auditing with Nessus

Tenable CEO Ron Gula will interview Digital Bond researcher Jason Holcomb about Project Bandolier. Bandolier is a project funded by the Department of Energy that focuses on securing a wide variety of SCADA and Control System applications through configuration hardening. The project has produced several configuration auditing policies for Nessus ProfessionalFeed and Security Center users. Mr. Holcomb will discuss the specific types of Control System technologies that have been audited, how the policies can be obtained and the types of Nessus audit functions that have been used, and he will also demonstrate how these scans can be used on production networks and Control Systems.

Title: "Control System Auditing with Nessus - Project Bandolier"
Date: Thursday, June 4, 2009
Time: 2:00 PM - 3:00 PM EDT

Register now by clicking the link below:
https://www1.gotomeeting.com/register/169860257


AfterBites: Expanding Consumer Protection Laws to Software

The Story:

EU Commissioners Call For Expanding Consumer Protection Laws to Software

(May 9, 2009) - European Union Commissioners Viviane Reding and Meglena Kuneva have proposed that the EU Sales and Guarantee Directive, which applies to physical products, be extended "to cover licensing agreements of products like software" as well. The directive requires that products carry a two-year guarantee. Kuneva said that the change would give customers a broader choice and software companies would be held to a higher standard of accountability. Business Software Alliance Senior Director of Public Policy in Europe Francisco Mingorance disagreed, saying that it would in fact limit consumers' choices. He said that "creators of digital goods cannot predict with a high degree of certainty both the product's anticipated uses and its potential performance," and that it could lead to decreased interoperability between products if manufacturers decide to limit how much of their code could be accessible to third-party developers.

Source: http://news.cnet.com/8301-1001_3-10237212-92.html

This has been tried before and - it should come as no surprise to anyone - the software industry has some mighty powerful lobbyists. Indeed, some of them speak out in this little tidbit. I think it would have been more honest if Business Software Alliance Senior Director of Public Policy in Europe Francisco Mingorance had said "Good luck, bwaaaahaaahaaahaaaa!" instead of hewing the ridiculous party line that the software industry has been spouting for decades. I like intellectual honesty when I encounter it.

Continue reading "AfterBites: Expanding Consumer Protection Laws to Software" »


Event Analysis Training – Worm Outbreak

On Friday, April 10, the Conficker worm was supposed to wake up and start network scanning. I grabbed the following screen shot from one of Tenable's research sites:

[Image: Wakeup screen shot]

Continue reading "Event Analysis Training – Worm Outbreak" »


Scanning Multiple Apache VirtualHosts With Nessus

Web sites have a way of evading vulnerability scanners in the form of virtual hosting. It is a common practice to host multiple web sites (and their associated applications) on a single web server using only one IP address. This causes problems for vulnerability scanners, including Nessus, because they look for vulnerabilities on the single IP address or hostname provided. The remote server directs this traffic to one specific virtual host or web application, leaving a considerable amount of virtual real estate untouched. The problem is that Nessus has no easy way to enumerate the domain names or additional IP addresses associated with a given system. Scanning every hostname, domain name and IP address associated with the server could reveal additional vulnerabilities in the web applications or hosts on that server. For example, when scanning just a single IP address in the lab, I received the following result:

Continue reading "Scanning Multiple Apache VirtualHosts With Nessus" »


Scanning & Monitoring For SCTP

When Denial of Service Becomes Remote Code Execution

When vulnerabilities are discovered, they are classified by various organizations using different methods. For example, CVSS scoring uses an algorithm to determine a severity rating from 1 to 10. This rating has been adopted by the NVD (National Vulnerability Database) and is used by Tenable to provide scores within the Nessus plugins. Sometimes a vulnerability is announced with its original rating set as moderate or low. This is frequently the case with Denial of Service (DoS) vulnerabilities, as they allow an attacker to disrupt a service but not to gain remote access to the system. However, sometimes an advisory describes a vulnerability that seems only to cause a DoS condition, but is really an indicator of an underlying condition that may permit remote code execution. This discrepancy typically occurs because the researcher does not fully understand, or has not diagnosed, the underlying problem.

Continue reading "Scanning & Monitoring For SCTP" »


Security Metrics - Common Mistakes in Vulnerability and Compliance Reporting

I get the chance to speak with many different types of customers and potential customers. I am particularly interested in how they want to monitor and report on their network activity. I am frequently asked what type of metrics can be tracked for upper management. Trending charts are very popular, but what goes into them can be deceiving. Let's consider some examples.

Continue reading "Security Metrics - Common Mistakes in Vulnerability and Compliance Reporting" »


Using Nmap Results With Nessus Batch Scanning

A Nessus user recently asked us the following question:

"I would like to have Nessus read Nmap scan results from the command line. I already have Nmap port scanning and operating system fingerprinting; can I import the Nmap findings using Nessus in batch mode?"

Tenable has supported Nmap usage within Nessus for several years. Nmap and Nessus have different scanning philosophies, and understanding how each works can help you achieve success with your network scanning efforts. The Nessus server includes its own port scanning, service fingerprinting and operating system identification techniques that are similar to, but independent from, Nmap's. However, you may run into a situation where Nmap was run first, you already have its output, and you want to apply those results to your vulnerability scan. I set out to do this in my lab and realized it would be a good opportunity to highlight some of the features in Nessus. Below is a step-by-step guide to configuring Nessus to run batch mode scans based on Nmap results:

Continue reading "Using Nmap Results With Nessus Batch Scanning" »