Welcome to the Tenable Network Security Podcast - Episode 94

Hosts:

• Paul Asadoorian, Product Evangelist
• Jack Daniel, Product Manager
• Carlos Perez, Lead Vulnerability Researcher

Announcements

• Several new blog posts have been published this week, including:
  • Tenable Ranks 17th Among Security Companies on Inc. 5000
  • Junos Local Patch Checking Support Added to Nessus
  • The Top Ten Things You Didn't Know About Nessus - #10

We are pleased to announce that Tenable has been ranked in the Inc 500/5000 for the second year in a row. In the 2011 rankings, we were ranked the fastest-growing private company in the enterprise security software market. We ranked 934^th overall, and 17^th among all security companies.

As a company, we’re changing the way that enterprises think about information security solutions by helping them move from ‘point-in-time’ security to ‘continuous’ security and compliance monitoring.  There’s no such thing as ‘good enough security,’ which is why we’re consistently developing new resources and innovative solutions to help our clients stay ahead of emerging threats.  This approach has been the cornerstone of our success.

See more about our Unified Security Monitoring platform at http://www.tenable.com/solutions

See more about the Inc. 5000 on their website: http://www.inc.com/inc5000/welcome 

Tenable has authored a collection of plugins to identify Juniper Junos devices and perform local patch checking. By providing SSH or SNMP credentials, Nessus will log into a device running Junos and check for missing patches, such as:

• Junos J-Web Weak SSL Ciphers (PSN-2011-01-147)
• Junos debug.php Unauthenticated Debug Access (PSN-2011-02-158)
• Junos 11.1R1 on EX Series Switches Causes Multiple sfid Daemon Crashes (PSN-2011-04-241)
• Junos PIM rpd DoS (PSN-2011-07-296)
• Junos ICMP Ping 'Composite Next-Hop' DoS (PSN-2011-07-297)
• Junos Fragmented ICMP Packets DoS (PSN-2011-07-298)
• Junos IPv6 Over IPv4 Security Policy Bypass (PSN-2011-07-299)
• Junos DHCP Relay Agent Traffic Redirection (PSN-2011-07-300)

You can enable these plugins by selecting the "Junos Local Security Checks" plugin family when creating policies in Nessus (or SecurityCenter) as shown below:

Plugin ID 55392, Junos Version Detection, was added to identify the operating system version of the device being scanned:

Drum Roll Please...

Being the Product Evangelist for Tenable Network Security gives me some interesting insight into how the community views the features of our products. I meet some people who provide us with awesome suggestions for improvements and I also meet some people who scan their networks at semi-regular intervals using the default set of policies, unaware of the huge variety of features that Nessus includes.

Hence the project I have been working on: with help and support from the community and my fellow co-workers at Tenable, I have developed what we understand to be a list of the top ten things that people may not know about Nessus.

In part one, I want to explore the differences between traditional network-based scanning and scanning with credentials. So, in traditional David Letterman top ten fashion, we’ll start with number 10!

#10. There's More Than One Way To...

Welcome to the Tenable Network Security Podcast - Episode 93

Hosts:

• Paul Asadoorian, Product Evangelist
• Ron Gula, CEO/CTO
• Jack Daniel, Product Manager
• Carlos Perez, Lead Vulnerability Researcher

Announcements

• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials. The latest two videos are updates to older videos and cover basic vulnerability scanning and local patch auditing using Nessus.
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics and more!

Welcome to the Tenable Network Security Podcast - Episode Episode 92

Hosts:

• Paul Asadoorian, Product Evangelist
• Ron Gula, CEO/CTO
• Carlos Perez, Lead Vulnerability Researcher

Announcements

• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials. The latest two videos are updates to older videos and cover basic vulnerability scanning and local patch auditing using Nessus.
• We're hiring! - Visit the Tenable web site for more information about open positions.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics and more!

I attended the Black Hat Briefings this year after teaching the "Advanced Vulnerability Scanning Using Nessus" course. There were several really great presentations covering a wide range of topics. My only wish is that I could have cloned myself and attended more of the talks! Following is a recap of the presentations I attended:

Don Bailey - War Texting Weaponizing Machine 2 Machine

Several of the presentations this year centered on the topic of embedded systems. This is right up my alley, as I've always had a fascination with embedded computing. Don gave some great examples of embedded systems, including:

A few interesting notes on this month's Microsoft Patch Tuesday release:

• Windows DNS servers are vulnerable to remote exploitation. However, they must implement a specific configuration.
• We've released a new plugin to detect the Remote Desktop Web Access service on Windows.
• Another five vulnerabilities in Internet Explorer have been fixed. I believe this to be one of the more critical things to patch. While Microsoft claims there are no known exploits, no one can be certain.

To further aid in your efforts to evaluate the exposures presented by the vulnerabilities addressed by Microsoft’s Patch Tuesday, Tenable's Research team has published Nessus plugins for each of the security bulletins issued this month:

• MS11-057 - Nessus Plugin ID 55787 (Credentialed Check)

Security Tools Working Together

This is the third in a series of posts that describe the use of Nessus on BackTrack 5. Previous posts covered how to activate Nessus on BackTrack 5 and how to integrate Nmap, Hydra, and Nikto with Nessus. In this post we will cover initiating Nessus scans from within Metasploit. Beginning with Nessus 4, Tenable introduced the Nessus API, which lets users programmatically interface with a Nessus server using XMLRPC. Zate Berg took the initiative to write modules in Metasploit that, among other things, can launch a Nessus scan and import the results into the Metasploit database. From there, we can find which hosts are vulnerable to exploitation, exploit them, harvest the password hashes, and then use those password hashes to initiate credentialed Nessus scans.

Configuring Nessus

The first step needed to use Nessus with Metasploit is to log into Nessus and create a user for Metasploit. In this example, I created a user called "msf" with a password of "metasploit".

BackTrack 5, code name "Revolution", is a very popular Linux distribution used primarily for penetration testing. It contains a lot of different tools for scanning, testing, and exploiting everything from web applications to wireless networks. Since the creators of BackTrack 5 included such a vast array of tools, I thought it would be interesting to show how some of those tools can be integrated with your Nessus server to extend functionality and import results.

Importing Nmap Results

There are many occasions where Nmap is used to scan specific hosts or a large network of hosts. The XML results from Nmap can be imported into Nessus and used as the basis for vulnerability scanning. If you are going to use Nmap results this way, you can disable Nessus's built-in port scanners and host identification functionality, relying solely on your Nmap results to perform the scan: