The video below is part 2 in our series of the top ten things you didn't know about Nessus and covers how Nessus scans and audits routers, firewalls, virtualization, and integrates with your patch management systems.

Further Reading:

• Nessus Cisco Compliance Checks
• Junos Local Patch Checking Support Added to Nessus
• Microsoft Patch Management Integration with Nessus - Part 1 WSUS

The video below is part 3 in our series of the top ten things you didn't know about Nessus and covers Nessus plugins that provide outstanding capabilities beyond detecting traditional vulnerabilities:

Further Reading:

• Tip: Finding Open SMB File Shares
• USB Device History Auditing with Nessus
• The Value Of Credentialed Vulnerability Scanning

The video below is part 4 in our series of the top ten things you didn't know about Nessus and covers Nessus licensing and usage:

Further Reading:

• Tenable Charitable Organization Subscription Program
• Tenable Information Security Training Organization Subscription Programs

The video below is part 5 in our series of the top ten things you didn't know about Nessus and covers how to schedule scans from within Nessus:

Further Reading:

• Nessus 4.4.0 Released! (This post quickly covers Nessus scan scheduling as it was introduced in version 4.4.0.)
• Security Metrics - How Often Should We Scan?

Assessing the security of SCADA devices has always been a challenging task. SCADA devices are used in several critical infrastructure industries, including power plants, manufacturing, chemical processing, and nuclear reactors. Thus, the high availability and security of these devices are of the utmost importance. The challenge lies in assessing the security of SCADA devices without causing any adverse effects. The special purpose-built systems often operate within a limited scope and use protocols that are specific to the tasks being performed, such as Modbus, OPC, and DNP3.

In 2006, Tenable Network Security released the first Nessus® vulnerability scanner and Tenable Passive Vulnerability Scanner (PVS) SCADA plugins (you can read the original release notes for PVS in a post titled "SCADA Network Monitoring" and the original release for Nessus titled "SCADA Checks For Nessus 3"). In April 2011, a new round of SCADA plugins were released for Nessus (covering devices from Movicon, 7-Technologies, and more).

Tenable is now pleased to announce the availability of additional SCADA plugins for Nessus ProfessionalFeed, Tenable SecurityCenter, and PVS users. Tenable's research team worked alongside SCADA experts from Digital Bond to test and identify a wide variety of common SCADA devices. The plugins were announced at Digital Bond’s S4 Conference on SCADA security held on January 19, 2012. Note: Digital Bond’s Dale Peterson joined us on the Tenable Network Security podcast episode 110 and spoke about the new plugins and SCADA security.

Below is a sample of some of the new SCADA plugins:

The video below is part 6 in our series of the top ten things you didn't know about Nessus and covers information related to IPv6 scanning using Nessus:

Further Reading:

Nessus - IPv6 Scanning

Nessus has several different plugins and techniques for helping you with the fight against malware. The video below is part 7 in our series of the top ten things you didn't know about Nessus and covers 3 different ways Nessus can be used to help detect malware:

Below are a few more examples of how Nessus can detect malware:

1. Nessus Network Checks

Nessus plugins in the "Backdoor" plugin family detect certain types of generic behavior on listening services that are indicative of malware. For example, plugin #35322 detects the presence of an HTTP backdoor. Nessus detects the web server remotely and identifies a condition where the web server, regardless of the request, returns a Windows executable:

Tenable has published a new video which covers the major features in the Nessus vulnerability scanner. You can view the video below:

This video shows you how-to get started using the Nessus vulnerability scanner, including:

• Where to download Nessus
• Introduction to policies, scans, and reports
• Performing an asset discovery scan
• Running a network-based vulnerability scan
• Configuring a patch auditing scan
• Performing a configuration audit
• Detecting sensitive data (SSN & credit cards)
• Running web application tests
• Reporting & filtering
• Risk analysis and compliance (PCI DSS)

The video runs almost 38 minutes, but covers several major features for those who may be new to using Nessus.

This is the first post in a two-part series that will cover how to configure Nessus and/or SecurityCenter to integrate with Microsoft's patch management software.

WSUS Patch Management Integration

Windows Server Update Services (WSUS) is available from Microsoft to manage the distribution of updates and hotfixes for Microsoft products. WSUS server 3.0 SP2 supports management of patches for the products listed here, as well as Windows 7 and Windows server 2003 SP2 patches. If you are not familiar with WSUS it is freely available to Microsoft customers as part of your Windows server licensing agreement. A great article that covers all aspects of planning, deployment, and configuration is Windows Server Update Services Learning Roadmap Community Edition.

Nessus and SecurityCenter have the ability to query WSUS to verify whether or not patches are installed on systems managed by WSUS and display the patch information through the Nessus or SecurityCenter. When performing scans with the WSUS patch management plugins enabled and configured please note the following:

• Credentials entered into the policy take priority - If you've entered credentials into the scan policy and they are valid for a target system, Nessus will login and perform credentialed scanning without querying the WSUS server data.

• WSUS is queried when credentials fail - If credentials are not valid for a target system, or credentials are not entered at all into the policy at all, the WSUS server will be queried to obtain patch information for those targets. This also applies to other policy settings that may cause a credentialed scan to fail, such as the remote registry or administrative shares settings.
• The WSUS plugin communicates only with the WSUS server - The WSUS plugin makes a connection to the WSUS server IP/hostname and port specified in the policy configuration (see below in the "Patch Management WSUS Preferences"). This is an important point, as the Nessus server(s) will require access to your WSUS server, which could mean making firewall rule changes to allow the connections. However, this is a significant advantage as your target systems do not need to communicate with the Nessus server directly, which means host firewalls and remote registry settings will not get in the way of a patch audit.
• Patch information is only as up-to-date as your WSUS server - The data returned to Nessus by WSUS is only as current as the most recent data that the WSUS server has obtained from its managed hosts.

Today, Tenable Network Security announced integration between Nessus and a variety of patch management systems that will simplify scanning in cases where credentialed scans are difficult or impossible. The integration allows Nessus and SecurityCenter users to establish direct links to patch management systems. This simplifies patch audits as the systems in your environment do not all have to contain credentials in order to be scanned. You simply need to give Nessus credentials to your patch management server. This integration enhances compliance programs and helps eliminate confusion about the patch status of systems between IT operations and network security teams.

With Nessus patch management integration, you can:

• Retrieve patch manifests and status information from Red Hat® Network Satellite Server, Microsoft® Windows Server Update Services (WSUS) and System Center Configuration Manager (SCCM), and VMware® Go (formerly known as Shavlik).
• Quickly generate patch compliance reports in Nessus and SecurityCenter, based on the data returned from patch management systems. Presentation of records in the well-known Nessus format can speed auditors’ reviews, and simplify resolution of discrepancies between management systems.
• Retrieve accurate patch status information for systems that can’t be fully scanned by vulnerability assessment tools because of a lack of credentials. Credentials are only required for access to the patch management system.
• Retrieve patch status in environments where scanning is not available due to other constraints, such as limited networking.
• Help eliminate false positives caused by back ported patches in Red Hat Satellite environments.

This integration is available today in the case of Microsoft and VMware Go (Shavlik) systems, and is expected no later than Friday of this week for Red Hat. You’ll find the plugins in the ProfessionalFeed. Configuration documentation is available in the Patch Management Integration documentation. If working with patch management systems is a challenge for you, watch this space – I’ll be posting more details on how this integration works, and you can take advantage of it in your environment.

Do you know how many mobile devices reside on your network? Is your security architecture designed to secure the mobile platform and protect your users and the network from the threats they pose?

Mobile devices are a security concern for many reasons. Mobile devices are typically unmanaged – meaning they may or may not be running AV software, a firewall, or conform to enforceable security policies. Yet, whether they are provided to your employees as part of your operations or not, they are likely accessing resources on your network. To compound the problem, many mobile devices connect to your local network and the Internet directly on two separate mediums. For example, the device may associate to a wireless belonging to your organization and a 3G/4G connection to the Internet.

Why is "Cloud Storage" So Appealing?

Services such as DropBox use the cloud to enable users to share files with others and transfer work from office to home and back. The challenge is two-fold:

1. Determine how this and other cloud-based technologies align with the organization’s security policies and compliance mandates.
2. Monitor use of these solutions to ensure compliance and limit exposure while preserving benefit.

Users often turn from sanctioned file sharing methods when they reach the limits of email and internal file sharing capacity, performance, and functionality. Email was not intended to share large files, and very often restrictions are implemented on the size of an individual email and how large your inbox can grow. Users can put files on an internal file sharing service, but that limits access to local users and VPN connected users. Employees who travel or third-parties may not have access to the internal network to retrieve the files. Many IT departments do not offer an easy way to share files through more traditional methods such as public FTP servers because of security concerns.

Dropbox overcomes many of these issues and has become quite popular, as evidenced by a recent influx of $250 million additional dollars in funding. The price is right too, as you can get 2GB of storage for free and manage access to your files.

The problem is, DropBox security and usage often violate corporate policy and security best practice. Corporate policy must protect sensitive information, such as customer data and intellectual property. If this information is being transmitted insecurely to a service such as Dropbox your policies and network defenses should detect this behavior and monitor for violations and information leakage.

For example, Dropbox relies on SSL for encryption. Several attacks released this year have been reported that can circumvent SSL security, and SSL certificate authorities have been compromised, breaking down the trust that SSL relies upon for security and integrity. Client software can become the weakest link as well, even if SSL is implemented properly. The Dropbox client software has contained vulnerabilities that, when exploited, could lead to your data in the wrong hands.

To solve this problem we need to implement encryption at the file level to protect sensitive data. I have to admit, I am a Dropbox user. However, I use it with caution and implement my own security policy. Any sensitive data is sent to DropBox using file encryption (PGP in this case). Any non-sensitive information is not encrypted and I am careful to distinguish between the two.

In a perfect world, there would be no vulnerabilities.  In a perfect patching world there would be a patch for every vulnerability and we would always be able to patch all of our systems as soon as a patch was available. In the real world we do the best we can and struggle with testing cycles, incompatibilities, and legacy applications which means sometimes we have to leave insecure and unpatched systems in production.

There are a variety of situations that can cause exposure:

• Some patches break needed applications or cause compatibility problems
• Patches may not yet be available for a vulnerability but the systems must stay online and exposed Legacy applications or operating systems may still be required (for example Internet Explorer 6 may be required to access a legacy web application, probably running on a legacy web server)
• A maintenance window may not be immediately available when patches are released
• Systems in development environments may be vulnerable during development and testing phases

"The Untouchables"

An untouchable system is one on which you cannot install software (such as agents) or apply security fixes regularly. I have come up with several different examples of such systems, and tried to use examples here from my own experiences to define why they may fall into the "untouchable" category:

• Select SCADA systems - This is a broad category, but it boils down to computers that are used in control systems networks. While many may be considered to be "air-gapped" (physically disconnected from any other types of systems), that may not actually be the case since connectivity is required to manage the devices (especially those deployed in the field). I was once approached to perform a vulnerability assessment against one such system. I was told that network access would be provided, but that the system in question was responsible for providing power to thousands of people. This is a scary endeavor, as not only could you put thousands of people in the dark, but potentially damage infrstructure if the power is turned on and off too quickly. This situation requires a different approach than a traditional network vulnerability assessment or penetration testing.
• Traveling Laptops - It can be difficult to control the software and patches on systems that rarely connect to the corporate network. The concern is what happens when a laptop that has been connected to airport, hotel and other potentially hostile networks comes back to home base and plugs into your network. It may already be infected, and may not be up-to-date with patches. You can try to force users to connect back to your network via a VPN, but not all users may do this on a regular basis. During the user’s travel, the system is "untouchable".
• Network Devices – Let’s face it, no matter how redundant your network is, you just can't blast out a firmware update to your network gear at will. This leaves a good percentage of network systems that are "untouchable" for certain time periods. Routers have a bit more flexibility, but the physical switches that your systems are connected to cannot be taken down at will, or users will lose connectivity as flashing the device with new firmware requires that the system become unavailable for short time period (or longer time period depending on the device and software).

We are pleased to announce the release of four new Nessus Auditor Bundles to our product lineup. These bundles package together Nessus On-Demand Training & Certification with a ProfessionalFeed Subscription, a Perimeter Service Subscription or both, with savings up to $700!

Be among the first to take advantage of this great cost-saving option.

The Nessus Auditor bundles help you get started quickly and economically. Each includes training to get the most from your Nessus solution–and the certification to differentiate yourself in the marketplace.

Next up on our Nessus top ten list is #8, which covers how to use Nessus to find web application vulnerabilities. I've broken out the process into four different methods supported by Nessus:

1. Test For Known Vulnerabilities

Nessus contains over 2,600 plugins that can fingerprint and detect known vulnerabilities in web applications. Any plugin listed in the "CGI Abuses" or "CGI Abuses: XSS" plugin families is written to enumerate vulnerabilities that have been publicly reported in a web application product, whether open source or commercial. To enable these plugins you must enable CGI scanning in a Nessus policy's "Preferences" section. Even if you enable the plugin families they will not execute unless CGI scanning is enabled.

Below is an example of one such plugin's output:

During the past few weeks, the Tenable R&D team has created several plugins to enhance SSL certificate auditing capability. Nessus will identify SSL certificates regardless of port and launch dozens of plugins to check for a variety of weaknesses and vulnerabilities. Three new plugins expand that auditing capability to more effectively audit your organization.

SSL Certificate Fails to Adhere to Basic Constraints / Key Usage Extensions

Tenable has released a plugin titled “SSL Certificate Fails to Adhere to Basic Constraints / Key Usage Extensions” (ID# 56284) to help users verify X.509 / SSL certificate chains. Based on RFC 3280 guidelines, Nessus will examine an SSL certificate found on any port to verify that it adheres to all basic constraints and key usage extensions. If an X.509 certificate in a chain fails to adhere to constraints and usage extensions, Nessus will report that violations are present. This finding means that either a root or intermediate Certificate Authority (CA) signed a certificate incorrectly.

The Nessus Top Ten List

This is the second post in a series of ten that will cover “The Top Ten Things You Didn’t Know About Nessus”. The first, starting with 10 in David Letterman top ten list fashion, is titled “There's More Than One Way To...” and covers the benefits of both credentialed and uncredentialed vulnerability scanning. Each item on the list will have a blog post and video associated with it. And now, on to number 9: “Nessus Detects Misconfiguration”.

Misconfiguration Leads To Compromise

Nessus helps you answer the question “Do my systems have uniform configuration settings?” Why is this important? Systems are increasingly more complex, and maintaining control of your configurations leads to systems that run smoother and are more resilient to attack. A recent case study that supports this concept was presented in a blog post titled "What do you mean privilege escalation is not HIGH RISK?".

Next up on our Nessus top ten list is #9, which covers how to use Nessus configuration auditing to discover information about your system configurations. The following video presents use cases and examples, from PCI compliance to detecting viruses:

Please visit Tenable's YouTube channel for more Nessus and SecurityCenter videos!

Tenable has authored a collection of plugins to identify Juniper Junos devices and perform local patch checking. By providing SSH or SNMP credentials, Nessus will log into a device running Junos and check for missing patches, such as:

• Junos J-Web Weak SSL Ciphers (PSN-2011-01-147)
• Junos debug.php Unauthenticated Debug Access (PSN-2011-02-158)
• Junos 11.1R1 on EX Series Switches Causes Multiple sfid Daemon Crashes (PSN-2011-04-241)
• Junos PIM rpd DoS (PSN-2011-07-296)
• Junos ICMP Ping 'Composite Next-Hop' DoS (PSN-2011-07-297)
• Junos Fragmented ICMP Packets DoS (PSN-2011-07-298)
• Junos IPv6 Over IPv4 Security Policy Bypass (PSN-2011-07-299)
• Junos DHCP Relay Agent Traffic Redirection (PSN-2011-07-300)

You can enable these plugins by selecting the "Junos Local Security Checks" plugin family when creating policies in Nessus (or SecurityCenter) as shown below:

Plugin ID 55392, Junos Version Detection, was added to identify the operating system version of the device being scanned:

Drum Roll Please...

Being the Product Evangelist for Tenable Network Security gives me some interesting insight into how the community views the features of our products. I meet some people who provide us with awesome suggestions for improvements and I also meet some people who scan their networks at semi-regular intervals using the default set of policies, unaware of the huge variety of features that Nessus includes.

Hence the project I have been working on: with help and support from the community and my fellow co-workers at Tenable, I have developed what we understand to be a list of the top ten things that people may not know about Nessus.

In part one, I want to explore the differences between traditional network-based scanning and scanning with credentials. So, in traditional David Letterman top ten fashion, we’ll start with number 10!

#10. There's More Than One Way To...

Security Tools Working Together

This is the third in a series of posts that describe the use of Nessus on BackTrack 5. Previous posts covered how to activate Nessus on BackTrack 5 and how to integrate Nmap, Hydra, and Nikto with Nessus. In this post we will cover initiating Nessus scans from within Metasploit. Beginning with Nessus 4, Tenable introduced the Nessus API, which lets users programmatically interface with a Nessus server using XMLRPC. Zate Berg took the initiative to write modules in Metasploit that, among other things, can launch a Nessus scan and import the results into the Metasploit database. From there, we can find which hosts are vulnerable to exploitation, exploit them, harvest the password hashes, and then use those password hashes to initiate credentialed Nessus scans.

Configuring Nessus

The first step needed to use Nessus with Metasploit is to log into Nessus and create a user for Metasploit. In this example, I created a user called "msf" with a password of "metasploit".

BackTrack 5, code name "Revolution", is a very popular Linux distribution used primarily for penetration testing. It contains a lot of different tools for scanning, testing, and exploiting everything from web applications to wireless networks. Since the creators of BackTrack 5 included such a vast array of tools, I thought it would be interesting to show how some of those tools can be integrated with your Nessus server to extend functionality and import results.

Importing Nmap Results

There are many occasions where Nmap is used to scan specific hosts or a large network of hosts. The XML results from Nmap can be imported into Nessus and used as the basis for vulnerability scanning. If you are going to use Nmap results this way, you can disable Nessus's built-in port scanners and host identification functionality, relying solely on your Nmap results to perform the scan:

Burying Stumps

Recently I've been planning and executing a plan to fix some of the landscaping around my house (as a side note, try not to plan this to happen in the middle of July when it’s 90 degrees). In talking with people who have experience with landscaping projects we seem to always hit the topic of digging up and burying stumps, and whether this is a good idea or a bad idea. For the short term, it seems like a good idea. The stumps take up space in the ground so you need less fill (which saves money), burying is cheaper than grinding them down or having them hauled away, and you don't have to look at an ugly stump. The downside is that 7-10 years down the road, the stumps begin to rot and you are left with sinkholes in your yard.

Preparing Your Backtrack 5 Installation

Nessus 4.4.1 now comes pre-installed on BackTrack 5 and requires that the user activate the installation. Before you activate Nessus on your BackTrack 5 installation, be certain you have installed Nessus either to the hard drive on the computer you plan to use or inside of a virtual machine that you plan to keep on the same host system. If you activate Nessus on a bootable USB thumb drive, DVD or a virtual machine and move it to a new host system, the Nessus activation code will no longer be valid. The Nessus activation ties itself to the physical system on which it is installed. If you do decide to move the virtual machine to a new system, or jump around to different systems using a bootable USB thumb drive or DVD, you will have to re-activate Nessus. If you are using a Nessus ProfessionalFeed, you are allowed to reset your activation by clearing the current connection between a host and an activation code. By logging into the Tenable Customer Support Portal and going to "Activation Codes", you can reset the activation code-to-host pairing. ProfessionalFeed users are currently limited to one reset every 30 days. HomeFeed users will need to re-register Nessus when moving between physical hosts.

Step 1 - Obtaining An Activation Code

The Benefits of Credentialed Scanning and Auditing

We've covered the advantages of credentialed vulnerability scanning and configuration auditing in previous blog posts, but I want to recap some of the benefits:

• Getting Around Firewalls - Whether you are scanning through network or host firewalls, credentialed scans require less ports to be open between the scanner and the target(s) and require less network bandwidth and target resources.
• Finding Localized Vulnerabilities - Several vulnerabilities, including those being exploited by attackers and penetration testers alike, are not accessible over the network but present themselves in end-user software ranging from web browsers, PDF readers and office suites. By performing a credentialed scan, Nessus is able to find vulnerabilities that requires user interaction to trigger exploitation in local software.
• Verifying Settings & Configurations - Through either Nessus plugins or configuration auditing, you can answer questions about the state of your systems. For example, if you want to know who has either local or domain administrative rights to your systems, there are plugins that report the list of users. Want to know what type of USB devices are in use in your environment or which systems have modems connected? There are plugins that test for those conditions as well. With configuration auditing, you can check any registry entry on a Windows system for a specific value or check the values on entries in configuration files on Linux/UNIX systems.

We are excited to announce that SANS is partnering with Tenable Network Security to bring you “Advanced Vulnerability Scanning Techniques Using Nessus” as part of the SANS Hosted Series of courses. This class is part of a brand new series of vendor specific classes SANS is offering to compliment your needs for training outside of SANS vendor neutral courses.

Keeping Tabs On Patches

Let’s face it; we all have to deal with patches. Everyone from an IT systems administrator to your grandma has to face the challenges of patches. Whether you have a home computer that you use to browse the web, a phone that you occasionally check email from, or 10,000 enterprise desktops spread across three continents, you're dealing with patches. Regardless of your situation, you need to be able to answer two basic questions:

• Which patches are missing?
• Which patches have been successfully installed?

If you only have one computer in the house, it probably annoys you to some degree when it’s time to apply patches, indicating that you are in fact missing patches. This answers the first question above, but the operating systems themselves have few measures for success. There are many situations that cause patches to fail, or leave vulnerable software behind after an update, that can easily be missed by the average user. Your so-called "smart-phone" is even worse. Since most users do not connect their phones to their computers, or the carrier is blocking operating system updates, you may never be able to answer the first question (I guess that's one reason why RIM maintains a prominent presence in the enterprise, as they answer both questions very well with respect to Blackberry users in your environment). Never knowing that you even require patches to be installed is a big problem, as well as knowing if they even applied successfully.

A Much Larger Problem

Enterprises with 10,000 or more desktops exacerbate the problem of patch tracking. With so many devices that require patches, things are bound to go wrong! Lately I've been using dashboards in Tenable's SecurityCenter, and thanks to Tenable CEO/CTO Ron Gula, I have some interesting SecurityCenter 4.2 "dashboards" to help me track patches. Here's just one example:

Click for larger image

NSA Hardening Guidelines

The National Security Agency (NSA) has developed security hardening guidelines for various operating systems and technologies. I remember when I first started in information technology and used these guides to harden my Windows servers. I was met with mixed success; some systems would run better, and some would cease to function due to configuration changes. This taught me about my systems and their configurations, and knowing what your systems do and how they are configured is the true key to successful systems administration. Remember, the “guidelines” are just that, a guide to configuring and securing your systems. Ultimately, it is up to you to determine which changes you will implement, and most importantly test those changes in a lab/QA environment.

Mac OS X's popularity has been growing rapidly, and so has its use in corporate environments. The NSA has released a new hardening guide for OS X. Tenable has created a configuration audit that will compare the configuration of your OS X systems with the NSA's guidelines, and below are some of the example results from an audit:

Tenable is pleased to announce the official release of the Nessus Android app! The application can be downloaded for free from the Android Market and contains the following features:

• Connect to a Nessus server (4.2 or greater)
• Launch existing scans on the server
• Start, stop or pause running scans
• Create and execute new scans and scan templates
• View and filter reports

I was recently talking to my good friend Ed Skoudis about computer security incident response. An interesting question he asks organizations that are in "incident response" mode is, "Do you run PsExec?" PsExec is part of the Windows Sysinternals’ suite of tools and implements a service that allows users to administer Windows systems remotely using the command line. More information can be found on the PsExec download page. It also contains functionality described as:

"PsExec's most powerful uses include launching interactive command-prompts on remote systems and remote-enabling tools like ipconfig that otherwise do not have the ability to show information about remote systems."

The Tenable research team recently published a few new plugins that contribute to how Nessus performs OS identification. When scanning devices and systems I am always amazed at how many different services will hint at, or even flat out reveal, the operating system and version.

OS Identification : HNAP

HNAP is the Home Network Administration Protocol developed by Cisco Systems. It is designed to allow remote support personnel to manage devices on users networks using a SOAP-based protocol. An unfortunate side-effect is the information being leaked across the network that can be accessed without authentication. A new plugin was developed to collect this information and use it to determine the remote operating system:

We are pleased to announce that four new Nessus policy templates will be distributed to Nessus ProfessionalFeed and HomeFeed users via the Nessus plugins feed. This is first time we've used "push" functionality to send down scan policy templates.

Click for larger image

The four new Nessus scan policy templates will appear in the "Policies" tab once your Nessus installation has updated the plugins:

• External Network Scan - This policy is tuned to scan externally facing hosts, which typically present fewer services to the network. The plugins associated with known web application vulnerabilities (CGI Abuses and CGI Abuses: XSS plugin families) are enabled in this policy. Also, all 65,535 ports are scanned for on each target.

Nessus plugin 29871 has been updated to look for the presence of malicious JavaScript on a remote web site.

(See Attack on ASP site that uses a SQL server database)

Below is an example of the plugin report:

Click for larger image

Successful Attacks from Automated Malware

Recently, malware dubbed "LizaMoon" (named after the first web site found distributing it) has been popping up in the news:

Dubbed LizaMoon, unidentified perpetrators of the scareware campaign inject script into legitimate URLs, so when people try to access the website, they get redirected to a page warning them that their PCs are infected with malware that can be removed by downloading a free AV application called Windows Stability Center.

From LizaMoon SQL Injection Attack Hits Websites

LizaMoon scans web sites for easily exploitable SQL injection vulnerabilities, then uses that to put redirects on the web site that take users to a site which installs malware. This is not a new form of attack, however the "Lizamoon" malware has been surprisingly successful. Google searches for infected sites report that over 1.5 million pages have been infected. The important thing to not about the numbers of infection is "pages" does not refer to sites, as a site can have multiple infected pages. This type of attack typically works as follows:

Supervisory Control And Data Acquisition, or SCADA, generally refers to the computers that control industrial and infrastructure systems. These include systems found in power plants, nuclear reactors, commercial buildings and more. The last few weeks have seen another serious blow to the perception of SCADA security.

On March 21^st, Luigi Auriemma posted to the Full-Disclosure mail list announcing his research and vulnerability findings in SCADA products from vendors such as Siemens, Iconics, 7-Technologies and DATAC. Auriemma’s post included links to 34 advisories ranging from overflows to denial of service. Due to the sensitive nature of SCADA systems and the resources they control, his research made the news. A day later, Ruben Santamarta (aka reversemode) announced the availability of vulnerability information in SCADA vendors including Advantech/BroadWin and CSE-Semaphore. The next day, US-Cert issued an advisory about SQL injection vulnerability in Ecava IntegraXor, another SCADA system.

With today’s plugin updates, Nessus now has the capability to warn you of hosts that are being controlled by botnets or hosting links to known malware or phishing sites.

Nessus uses a list of botnet infected hosts that is updated daily to search for your scan targets and report if the host is a known botnet zombie or is in command and control node. This is done regardless of the plugins or credentials specified and does not require sending any packets to the host to perform this check. Such hosts have been previously observed as sending malicious traffic to third-party systems across the Internet or taking an active role in attempting to control or compromise hosts for the botnet.

In addition to checking for inclusion in a botnet, Nessus will also report if a scan target is hosting links to web site addresses and specific URLs that are used by known botnets to propagate or re-directing to sites hosting phishing content. During the testing of CGI scripts, Nessus will scan the content of web pages looking for references to this type of malicious content. The ability to discover if an asset hosts botnet related malware or pages designed to steal credentials from unsuspecting users (e.g., fake eBay or banking login pages) is an incredible way to augment vulnerability scans.

To leverage this feature, make sure that your Nessus scans are looking at web site content. To enable this feature, set the Preferences -> Global Settings -> Enable CGI Tests setting to “enabled”. 

The following Nessus plugins perform the botnet and malicious website content analysis:

• 52670 – Web Site Links to malicious Content
• 52669 – Host is listed in Known Bot Database

This update is available to all Nessus users including the Nessus ProfessionalFeed and HomeFeed subscriptions, the Nessus PerimeterService and SecurityCenter customers. Tenable also offers a variety of log analysis, NetFlow analysis and passive network traffic analysis solutions which can help identify system events, user behavior and network traffic that is indicative of a botnet. To learn more about these solutions, please visit our web site or watch any of the following on-demand webinars: 

• Putting a Virus under the SIEM Microscope
• Monitoring Users and Botnets with DNS
• Tracking Application Execution for Compliance and Security
• Finding and Stopping APT

Have you ever been charged to perform a security audit for a set of hosts that has been turned off? If those hosts have been configured to be “woken up” with a “Wake-on-LAN” packet, you can now leverage this capability with your enterprise Nessus scans. This blog entry describes how organizations that leverage Nessus or SecurityCenter to scan their infrastructure can audit systems that have been powered off.

Port Scanning Never Dies

While information security threats constantly evolve from client-side attacks to web application vulnerabilities, there is one activity that is always effective: port scanning. Determining if a port is open or closed is a critical step in the discovery process associated with successfully attacking systems. For example, if port 80 or 443 is not open, it is likely there will not be a public web site associated with that system. Of course, this leads into service identification, which detects web servers listening on non-standard ports. However, you must be able to test if a port is open in the first place before you can determine which service may be running. Therefore, port scanning maintains its position as a necessary practice, even when referencing client-side attacks that can turn the remote client systems into port scanners using JavaScript.

Given the importance of port scanning, I want to cover some of the features and functions of the various port scanners included in the Nessus vulnerability scanner. The Nessus port scanner system has three network-based port scanners:

• TCP Scanner - The TCP scanner sends sequence of packets to initiate a full TCP connect to the target hosts, completing the TCP three-way handshake each time. The TCP port scanner uses a balance of speed and accuracy while using logic to tune itself as the scan progresses. The TCP scanner does not operate on Windows and Mac OS due to operating system limitations, so Nessus initiates the SYN scanner on these systems instead. However, when Nessus is installed on Linux it will implement a full-connect scanner in user space (i.e., without requiring root-level privileges). Early versions of the scanner consisted of a couple of pages of C source code. Over time it has grown in features and complexity to handle many different situations and types of networks. The TCP scanner will dynamically estimate the RTT (Round Trip Time) and make multiple passes on unresponsive ports to determine if there was a problem during the initial attempt. The TCP scanner will also read banners for some services and place this information, along with the open ports, in the Nessus knowledge base where the service identification routine and plugins can find the list of open ports for each host.

Tenable is pleased to announce the release of Nessus 4.4.1! This is a point release (moving from 4.4.0 to 4.4.1), containing several enhancements and minor bug fixes.

From a user perspective, there is a new feature that allows the SYN scanner to be selectively throttled. A new setting, nessus_syn_scanner.global_throughput.max can be added to the nessusd.conf file. The option sets the maximum number of packets per second that Nessus will send during a SYN port scan (regardless of how many hosts are scanned in parallel).

Over the past few months, fields in Nessus reports indicating whether or not an exploit exists for a given vulnerability have continued to evolve. We first announced this feature in October 2010 in a post titled New Nessus Feature: Public Exploit Availability. Ron Gula then wrote a follow-up post called ”If an exploit falls in the forest, does anyone hear it being patched?”, that described the usefulness of the information contained within the "Exploit available" and "Exploitable With" fields in Nessus plugins.

The Nessus interface has now received an update that will display the "Exploitable With" field directly in the report (prior to the latest version, this field was only contained in the HTML export).

Click for larger image

And the race is on to apply patches to the Microsoft Windows systems in your environment! One of the bulletins this month, MS011-04, fixes remotely exploitable issues in the IIS FTP service. To me, FTP falls in the same category as Telnet, which is "You should be using SSH instead". Despite the lack of security that FTP offers, it still appears to be wildly popular decades later. I performed some searches using "SHODAN", "The Computer Search Engine", which scours the Internet looking for open ports, services and banners. I told it to find systems with port 21 (FTP) open and got the following results:

• United States: 27,355
• China: 15,341
• India: 11,122
• Egypt: 10,476
• Thailand: 10,068

It's a rare honor to receive the highest ranking accorded by a reviewer - especially in a highly competitive field. Tenable is very proud to announce that Secure Computing magazine has awarded Nessus 5 out of 5 stars in all categories, including a nice write-up about Nessus features, documentation, support and user experience:

"This product has been the old standby for years, and we find it is still the good dog when it comes to straight-up vulnerability assessment."

The Nessus App for iPhone is a great way to keep tabs on running Nessus scans, initiate new scans, and quickly review vulnerability scanning results. The app is available for free in the iTunes store and works with Nessus server versions 4.2 or later and the Nessus PerimeterService. Below is a short video showcasing its features:

You will need an iPhone, iPad, or iPod touch running iOS 4.0 or later in order to run the app.

I've recently been doing a bit of research into the history of Nessus. I discovered that the first version of Nessus was published in 1998, and any time software has been around for that long there are bound to be some myths and misconceptions that develop as fast as new features over the years. This post will explain some common myths and set the record straight.

Do you know where all of your organization’s SSL certificates are and if they are providing enough protection to you and your customers? Nessus can be used to identify all SSL certificates in use, test if they are expired and with the advent of plugin # 51192, test that they have been securely signed by a valid certificate authority. This blog entry will review Nessus’s SSL certificate auditing ability and describe how plugin #51192 can help monitor your network for untrustworthy SSL certificates.

A Nessus user recently contacted me about performing a scan that would simply discover hosts on the network. This is a very low impact scan that does not look for vulnerabilities or enumerate ports. There are a few good reasons to run this type of scan:

Systems protected by a network or host-based firewall may only respond on a single port or to an ICMP echo request. Hosts that only respond to an ICMP ping will not show up in the default Nessus scan report. By enumerating these hosts you can include them in the report to show that scans were attempted but did not find any results, then determine if this is normal behavior or not.

Your internal policies may provide specific time windows when vulnerability scanning can occur. By tuning a scan that only discovers live hosts, you can check that your Nessus server is set up properly, collect a list of hosts to scan and stay within your vulnerability scanning policy guidelines.

To configure a scan that will only test if hosts are alive, use the following policy settings:

Click for larger image

Recently, Tenable added exploitability reporting for Nessus. After performing a scan, results can be filtered to see which vulnerabilities have exploits available for them. In the report, you can even see which common exploitation tools have payloads for these vulnerabilities. This is a great way to help prioritize which vulnerabilities to fix first. However, it is not a great way to manage your network or decide whether to patch a system or not. Consider the following conversation that represents many I’ve had on this topic: 

Have you ever wanted to run an external Nessus vulnerability audit of your DMZ but didn’t have access to a Nessus scanner located on the outside of your network? Tenable Network Security now offers the Nessus Perimeter Service, offering unrestricted and unlimited vulnerability scans through annual and thirty day subscriptions. 

Scan any number of Internet facing sites you are authorized to scan from your desktop computer, mobile laptop, iPhone, customer network or wherever is convenient, as often as you want, all for a flat fee. And best of all – if you are a Nessus user, you already know how to use our service. Subscribers of the Nessus Perimeter Service are logged into the Nessus scanners hosted in Tenable’s secure datacenter. 

The Nessus Perimeter Service supports all of the major features of Nessus including:

• Rapid and Accurate Discovery of Systems and Vulnerabilities
• Vulnerability Scan Scheduling
• Support for the Nessus iPhone App
• Preparing for PCI-DSS Vulnerability Audits
• In-depth Web Application Scanning
• Highlighting vulnerabilities which have public exploits
• Patch and Configuration Auditing for web servers and many other devices
• Executive, Detailed and Differential reports
• Sharing results with Tenable’s SecurityCenter and 3^rd party SIEM and GRC solutions 

Pricing for the annual and thirty day subscriptions to the Nessus Perimeter Service set a new benchmark for value in the managed scanning industry:

1 Year Nessus Perimeter Service Subscription Unlimited Scans $3600

30 Day Nessus Perimeter Service Subscription Unlimited Scans $995

Both services can be purchased on Tenable’s Online store. 

The service includes access for one user account to perform scans and analyze results. Access to Tenable’s ticketing system for world-wide Nessus support is also available 24x7. The Nessus Perimeter Service also makes use of the very latest Nessus plugins developed by Tenable’s world renowned Research team. 

To learn more about this offering, please contact our sales staff, read the Nessus Perimeter Service FAQ or watch this introductory video. If you would like to run Nessus on your own hardware, commercial organizations should consider the Nessus ProfessionalFeed. If you are a large organization and are considering SIEM or GRC solutions, you should also consider the Tenable SecurityCenter. 

Default vs. Easily Guessable Credentials

There are several Nessus plugins that test various common username and password combinations. I tend to put these into three different categories:

1. Default Credentials - Known usernames and/or passwords associated with a specific device or application. (E.g. Linksys WRT54G username "admin" password "admin")
2. Common Credentials - Commonly used username and/or passwords that are valid regardless of the application or device type (e.g. username "root" / password "toor")
3. Brute Force Guessing - User supplied list of accounts and passwords fed to Nessus via Hydra

There are 70 plugins beginning with "account_*" that try to login via telnet and/or SSH. These plugins test for generic common credentials or credentials that are known to be associated with a particular device or application.

Targeting Credentials

If you want to specifically target credentials you can use the Nessus GUI to create a custom policy to perform a very specific scan. This is a great policy to schedule on a weekly or daily basis as it is low impact (essentially just uses the login functionality of the targets) and will find critical vulnerabilities.