207 posts categorized "Nessus"

 

Video: Tenable Appliance Installation & Configuration

The Tenable Appliance is an easy way to get up and running quickly with Tenable products such as Nessus and Security Center. The Tenable Appliance is a virtual machine image that is compatible with:

  • VMware ESX versions 3.5 and older
  • vSphere/etc. 4.0 versions
  • VMware Player, Server, Workstation and Fusion.

We have produced a video demonstration that walks you through installation and configuration of the appliance:

You can also find a full size version of the above video on the Tenable YouTube Channel.

The Tenable Appliance is available for download in the customer support portal for all customers. There is also an update which brings the appliance up to date with the latest versions of Nessus (4.0.2) and Security Center (3.4.5).

 

Defeating Zombies: Five Ways To Improve Defenses

Defeating Zombies

Attackers have a number of avenues leading directly into your network, and more importantly, into your data. Each week I read about new data losses, phishing scams and the release of hundreds of new vulnerabilities and exploits. Organizations are employing a rear guard action that is not necessarily tuned to today's attack techniques.

Tried and true defensive measures such as firewalls, anti-virus software and Intrusion Detection Systems provide "operational security", but even when they are running flawlessly, they are typically not enough. Security programs need to evolve with the latest attack trends and Internet technologies. A great blog post by Tim Mugherini titled "Don't be the Smelly Kid" sums this up nicely. It describes a shift from attackers targeting network services towards attacking web applications and client software. These new methods require updated education for management and the implementation of new and different security projects to protect your infrastructure.

Considering Halloween is around the corner, your security strategy can be compared to the situations in typical horror movies. When the defenseless victims are under attack from whatever threat is posed (zombies, Jason, Freddy, Michael Myers, etc.), they often make common mistakes such as piling all of the furniture in the room in front of the door while leaving the windows unsecured. Shooting zombies anywhere other than the head is another good example (those who have read "The Zombie Survival Guide: Complete Protection from the Living Dead" know that the only way to destroy a zombie is to destroy the brain!).


 

Using Nessus To Audit Microsoft Patches

Last week Microsoft released 13 security bulletins covering 34 vulnerabilities, much to the delight of overworked system administrators who now have to roll out and test the patches in their environment. Organizations are most likely at different stages in the patch deployment process: some may still be testing and some may have the patches rolled out to the entire environment. What all organizations have in common is the need to verify that patches have been installed properly. Nessus has several features, including credentialed scanning and plugins that list missing patches, that can assist in the patch verification process. We have produced a short video that demonstrates how to run this type of scan:

You can also find a full size version of the above video on the Tenable YouTube Channel.


 

Microsoft "Patch Tuesday" - The Aftermath

Black Tuesday

This month Microsoft released 13 new security advisories. While 13 sounds like a moderate number, digging into each of the security advisories reveals that each one actually patches multiple vulnerabilities, bringing the grand total to 34 individual vulnerabilities. Couple that with the recent Adobe announcements disclosing 29 vulnerabilities in the Adobe Reader product and the release of the associated patches, and administrators have their work cut out for them (note that Nessus plugins have been released to detect these vulnerabilities; refer to plugin IDs 42119 and 42120). Assessing the risk to your organization when there are this many patches in common software can be a daunting task, but an important one. While both Microsoft and Adobe attach a severity rating to each advisory, organizations need to evaluate the risk each vulnerability poses to their specific environment and implement a patching cycle that is most effective at reducing risk for them. For example, the Microsoft IIS FTP server remote exploit vulnerability has a “critical” rating, but if you are already implementing mitigating factors, or are not running IIS on mission critical systems, then you will want to focus your efforts on getting other patches tested and installed first.


 

Nessus 4.2 - Video Preview Of The New Client Interface

The current version of the Nessus 4.2 client and server is labeled as "ALPHA1" and is still very much in development. However, the new client interface has been completely overhauled, moving to a web-based interface. This introduces a substantial change for the end user without significantly changing the features they are accustomed to. We wanted everyone to get a sneak preview of the new version, see some of the new features and give feedback early in the development phase. A short video has been uploaded to our new video channel on YouTube:

We would appreciate feedback and suggestions on how to make the new NessusClient even better. You can visit the Nessus discussion forums and let us know what you think!

 

Scanning Web Applications That Require Authentication

Web applications that manage sensitive data are usually protected with either basic or form-based authentication. Nessus can be configured with the appropriate credentials for these authentication schemes as they relate to web application testing. This post covers these authentication schemes in-depth, and explores some of the potential problems you may experience when scanning with credentials and how to overcome them.

Basic Authentication

For web applications, or sections of web applications, that require basic authentication, you can enter one username and password pair that Nessus can use each time it is prompted for credentials. On the "Advanced" tab in the "Login configurations" section, enter the desired username and password in the "HTTP account" and "HTTP password" fields as shown below.


 

Nessus 4.0.2 Released

Tenable is pleased to announce the release of Version 4.0.2 of the Nessus vulnerability scanner! This release includes several fixes and support for the latest operating systems from Microsoft and Apple. All customers are encouraged to upgrade to the latest version of the Nessus Server and NessusClient. Following is a summary of some of the fixes and improvements:


 

Tenable Network Security Podcast - Episode 3

Welcome to the Tenable Network Security Podcast - Episode 3

Announcements

  • A new whitepaper on web application testing is being released next week.
  • Correction: the Tenable appliance does support Security Center, with future support for PVS and LCE. A hardware appliance has been announced as well.
  • As always, be sure to check out our blog at http://blog.tenablesecurity.com


 

Plugin Spotlight: Microsoft IIS FTP Server NLST Remote Buffer Overflow Vulnerability

Remote "0Day" IIS FTPd Exploit

On September 1, 2009 security researcher "kingcope" released an exploit for a previously undisclosed vulnerability in the Microsoft IIS 5.0/6.0 FTP Server. Microsoft had not been made aware of the problem, therefore there is no patch available at this time. The exploit is known to work against Windows 2000 servers running IIS 5.0 and 6.0, and rumored to cause a denial of service against 6.0 on Windows 2003.


 

Tenable Virtual Appliance

Tenable is pleased to announce the release of the Tenable Virtual Appliance! The appliance replaces the Nessus VM Appliance and provides a preinstalled image of all Tenable applications in one easy to configure interface. The Tenable Virtual Appliance is available for Tenable customers and is provided for use with VMware Server, VMware Player and VMware ESX Server. Currently, Nessus and Security Center applications are available on the appliance with the Log Correlation Engine and Passive Vulnerability Scanner to be released soon. Tenable ProfessionalFeed customers can download the latest version of the Tenable Virtual Appliance along with any available updates from the Tenable Support Portal.


 

Using Nessus To Discover Rogue Access Points

A "Rogue" Access Point

Detecting and preventing rogue wireless access points is a major concern for many organizations. It is important to ensure that all wireless networks are established and configured in compliance with the organization’s policies and standards for wireless networks. The problem is that it is very easy for a user to establish a rogue wireless access point, either inadvertently or deliberately. A wireless access point plugged into your network will typically have an Ethernet connection tied into some part of your LAN, and because it bridges the two connections, it provides wireless access into the LAN to an attacker. Users could put one on the network for convenience, or a company-provisioned access point could be misconfigured by the IT department. Recently the PCI Standards Council produced a document called "The Information Supplement: PCI DSS Wireless Guideline", which outlines the recommendations for securing wireless networks for PCI DSS compliance. This is a good reminder of how important it is for organizations to continually seek out rogue access points in their environments and remove them.


 

Web Application Scanning Using Nessus Video

Scanning web applications with Nessus offers the end user several new configuration options in the Nessus client. You should take into account:

  • Number of web servers and applications being scanned
  • Size of the applications (e.g. how many parameters does each CGI application have?)
  • Depth and scope of the scan with respect to the type of tests being performed and how exhaustive they should be

This video demonstrates how to set up Nessus to scan a web application using the new options:

You can visit our YouTube video channel at http://www.youtube.com/tenablesecurity for more exciting video tutorials!

 

Configuration Auditing php.ini To Help Prevent Web Application Attacks

Security and usability do not mix

PHP has a horrible reputation in the security industry based on a long history of vulnerabilities and vendor resistance to fixing them and improving security practices. It suffers from a common problem: the technology is designed to be easy to use, and therefore a high level of security is difficult to achieve. Many who are new to web application programming use PHP, but often do not pay attention to security. In addition to poor developer coding practices, PHP itself presents many vulnerabilities in its default configuration, even when seemingly harmless coding practices are in use. This leaves a plethora of vulnerable applications, some home grown, many open-source and some commercial. As a result, many of these applications suffer from web application specific vulnerabilities. To give you an idea of just how many PHP specific vulnerabilities there are, I ran some searches on the OSVDB web site. Below are the results:


 

Auditing Your Network For phpMyAdmin Using Nessus

Finding the Needle in the Haystack

It is important to know what applications and services are in your environment to properly evaluate risk. Recently, a question was posed about detecting phpMyAdmin, a popular application for managing MySQL databases. We've previously explored how this application could be used to take over a system, demonstrating the risk this application may pose. There are several actions to perform when searching for applications on your network (in this case we are searching for a web application). This blog post describes how Nessus can be used to perform the following actions:

  1. Detect if the application is running
  2. Test for known vulnerabilities
  3. Detect if the application is patched
  4. Evaluate the authentication mechanism
  5. Find any unknown flaws
  6. Check the security configuration of the host


 

Plugin Spotlight: Import Nmap XML Results Into Nessus

Nmap continues to be a powerful tool for port scanning, operating system identification, service identification and now supports extended information with NSE (Nmap Scripting Engine) scripts. A recently released NASL script allows you to import the Nmap results into Nessus. For example, you can run Nmap with the following switches:

# nmap -sC -sV -O -oX mynetwork.xml 192.168.1.3-250


 

Installing Nessus on Backtrack 4

Backtrack 4 is a Linux distribution and “Live CD” (a bootable operating system on CD or DVD) that is designed for penetration testers. It contains a wide array of tools for performing penetration tests, web application assessments and reverse engineering. It is a simple process to get the latest version of Nessus installed and running on Backtrack 4.

There are two ways to create a Backtrack 4 bootable drive: create the partitions manually or run the install.sh program. I highly recommend running the install.sh program to perform a full installation of Backtrack 4. While you can boot the distribution from a manually partitioned CD or USB thumb drive, the file system is only temporary and you will lose changes on certain partitions. To avoid having to install Nessus each time you boot, you can install Backtrack 4 on any device, hard drive or USB thumb drive, and have a completely writable file system. You will need to boot Backtrack 4 and click on the "install.sh" icon on the desktop:


 

Successfully Presenting Vulnerability Data To Management

Your organization's network is a never-ending source of vulnerability information. New systems and applications are constantly being added, making the job of consistent vulnerability identification and risk management difficult. Tenable provides several tools to assist in this process. Nessus, combined with the Security Center, can provide detailed information about the vulnerabilities in your environment. The problem that many administrators face is that they are not always successful in getting management to recognize problems and provide resources for remediation. This blog post describes some tactics I have compiled over the years to help expedite this process.


 

NYC InfraGard Capture The Flag Event

On July 21-22, 2009 Renaud and I attended the New York City InfraGard CTF event. It was a great experience being able to participate in the games and to learn and teach people about security. Below is a breakdown of how the event was organized, including several examples of attack and defense techniques we performed.

Day 1 - The Game

The game is divided into two areas: one for attackers ("Red Cell") and one for defenders ("Blue Cell"). The Blue Cell is further divided into teams, each defending a set of machines that represents a real company. The attackers can use whatever tools they have at their disposal. The defenders must defend everything from mock SCADA systems, VoIP and Microsoft Exchange to web servers running several different web applications. It is a good representation of what a real company may look like, which makes this type of exercise particularly educational.


 

Presentation: Using Nessus in Web Application Testing

We had a great turnout for the Webinar we held on July 15, but don’t worry if you missed it – the webinar and slides are now online! In this presentation we covered:

  • How Nessus performs a wide variety of web application security tests such as cross site scripting, remote file includes, and SQL injection.
  • Scanning web application testing platforms, such as Moth.
  • The recent web application security testing updates which provide a wider attack surface and give the end user more control over the web application testing options.
  • How Nessus can also perform patch and configuration auditing of the underlying OS, web server and SQL databases.
  • How to create custom compliance checks to audit your web server configurations.


 

Plugin Spotlight: HP DDMI Remote System Access

Traditional buffer overflow vulnerabilities require specific conditions to be met on the system, a payload written for the target platform and an exploit smart enough to get around the system's memory execution protections. Some of the most dangerous exploits rely on vulnerabilities that can be triggered under a wide range of conditions and circumstances. From an attacker's standpoint, a far more reliable approach is to take over a process or manipulate a protocol to gain access to the system in a way that does not require a buffer overflow vulnerability to be present.

This brings us to the HP Discovery & Dependency Mapping Inventory (DDMI) agent, which runs on a variety of platforms, including Windows and Linux, to provide central inventory management. HP's DDMI agent contains a flaw that allows an attacker to connect to it without credentials and manage the agent. The agent fails to check for a valid SSL certificate from managing DDMI servers, which means anyone can pretend to be the server and control the agent, providing the ability to:


 

Plugin Spotlight: Vulnerability in Microsoft Video ActiveX Control

Browsing the web is increasingly hazardous, especially given the recently released vulnerabilities and associated exploits. It’s interesting how the vulnerabilities are being referred to as "remote". While they are remotely exploitable, there are differences in how they are executed. One form of remote exploit requires no user interaction: a process listens on a port and is exploited over the network without the end user having to perform any action. The ActiveX vulnerability referenced in this plugin is remote, but does require that the user have a web browser loaded and actually be browsing the web. The exploit can be embedded into different web pages and executed without the user's knowledge or interaction on that particular page. Exploits that are “remote” in this context, but require a user to perform an action, are called “context dependent” by several vulnerability databases. Tenable has developed a plugin to detect a vulnerability that can be exploited in this manner.


 

Plugin Spotlight: Office Files List

Attackers have access to a great deal of public information about your organization. Public web sites, domain records, routing information and several other sources can provide an attacker with useful information to launch attacks. Public documents posted on your web site contain metadata that can be very useful to an attacker. Metadata, in the context of the documents created within your organization, is information about the document itself. This can include who created it, their email address, the creation date, the software used to create and publish it and the software version and platform. This information can then be used to create client-side attacks that specifically target individuals and the software they are using.


 

Advantages Of Running Both Network & Authenticated Nessus Scans

Implementing Different Scan Types

Often, Nessus and Security Center users ask how often they should run a vulnerability scan, and what kinds of scans should be run. In a previous post we explored some of the different scan types, including network checks, local checks and configuration auditing. I often encourage people to run all three types of scans against their network with different frequency. All three types provide interesting and useful results that should be included in your vulnerability management program. In this post we will explore the differences, and benefits, of running the first two types of scans mentioned: network-based scans and local checks.


 

Scanning Embedded Systems In The Enterprise With Nessus

It’s the Small Things

Embedded systems continue to be overlooked in many environments, but often can present as much risk, if not more, than other systems on your network. Every enterprise has some form of an embedded device, from printers to routers and switches, that exists on the network and exposes services that could be exploited. Some recent examples include:


 

Upcoming Webinar: Using Nessus In Web Application Testing

This webinar will feature Ron Gula and me, and will discuss how to use Nessus to perform security auditing of custom web applications.



 

Protecting Scanning Credentials from Malicious Insiders

Security breaches can come from those you least suspect. Have you ever wondered what would prevent a malicious insider from obtaining privileged credentials during an IT audit? It would be a simple matter of just setting up a Linux or Windows box with a sniffer or backdoor to grab the domain or root password during the audit. Tenable has written Nessus 3 and Nessus 4 to take advantage of underlying protection mechanisms in SSH and Windows authentication protocols to limit your exposure to this type of attack.

This blog entry describes how you can securely audit your Unix and Windows hosts to limit exposing these credentials to an insider and also how to use Metasploit to test any vulnerability scanner to see if it is vulnerable to this type of attack.


 

Top 3 Things You Should Know About Nessus

A friend of mine, who was preparing to teach a workshop that included information about Nessus, recently asked: "What are the top three things you would tell people about Nessus?" Below is a more detailed version of my response:

1) Network Scanning - With over 28,000 plugins, Nessus has some excellent coverage in terms of vulnerability scanning for your systems and network. When running a network-based scan it is important to tune it appropriately. Look at the different plugin families and enable the ones that you think are most relevant. In addition, review the Advanced options for your scan. If you are performing web application testing, take a look at the Advanced options global variable settings. If speed is not a factor, you can get some awesome results by enabling CGI scanning, experimental plugins and thorough tests. Finally, don't just look at the high level alerts: some medium and low level alerts can lead to root access!


 

Nessus 4.0.1 Released

Tenable Network Security has released version 4.0.1 of the Nessus vulnerability scanner. This point release includes a variety of minor bug fixes as well as support for additional authentication schemes. All customers are encouraged to upgrade to the latest version of the Nessus Server and NessusClient. Below is a summary of some of the fixes and improvements:


 

Presentation "Using Nessus In Web Application Assessments"

At a recent OWASP meeting in Princeton, NJ I gave a short presentation on some techniques to have Nessus dig deeper into your web applications. There are several approaches to web application testing:

    "Blind Tests" - Often a penetration tester is provided a range of address spaces and some rules of engagement to define the parameters of the test. Information such as which IP addresses and/or hostnames are running web servers is not typically provided, nor is a list of which web applications are running on those web servers. Nessus contains functionality to identify running web servers and vulnerable web applications, which is very useful if you have large amounts of address space to scan. This does not replace manual testing, but provides a starting point for detailed web application tests.


 

User Poll: Your Favorite Nessus Results

Not All Vulnerabilities Are Created Equal

We recently asked a select group of Nessus users which Nessus plugins provide the most interesting results for a given scan. This is a great question because you can often find patterns in the types of vulnerabilities that share characteristics such as ubiquity and ease of exploitability. Several of the favorite plugins that penetration testers see during scans have to do with default or missing passwords that give an attacker instant access to the exposed service. The good news is that this type of vulnerability is usually easy to fix. Using Nessus makes this type of vulnerability easy to spot in your environment.


 

Scanning Multiple Apache VirtualHosts With Nessus

Web sites have a way of evading vulnerability scanners in the form of virtual hosting. It is a common practice to host multiple web sites (and associated applications) on a single web server using only one IP address. This causes problems for vulnerability scanners, including Nessus, as they look for vulnerabilities on the single IP or hostname provided. The remote server directs this traffic to a specific virtual host or web application, leaving a considerable amount of virtual real estate untouched. The problem is that Nessus has no easy way to enumerate the domain names or additional IP addresses associated with a given system. Scanning every hostname, domain name and IP address associated with the server could reveal additional vulnerabilities in the web applications or hosts associated with the given server. For example, when scanning just a single IP address in the lab, I received the following result:


 

Scanning & Monitoring For SCTP

When Denial of Service Becomes Remote Code Execution

When vulnerabilities are discovered, they are classified by various organizations using different methods. For example, CVSS scoring uses an algorithm to determine a severity rating from 1 to 10. This rating has been adopted by the NVD (National Vulnerability Database) and is used by Tenable to provide scores within the Nessus plugins. Sometimes a vulnerability is announced and its original rating is set as moderate or low. This is frequently the case with Denial of Service (DoS) vulnerabilities, as they allow an attacker to disrupt services but not gain remote access to the system. However, sometimes an advisory describes a vulnerability that seems to only cause DoS conditions, but is really an indicator of a condition that may permit remote code execution. This discrepancy typically occurs because the researcher does not fully understand or does not diagnose the underlying problem.


 

Using Nmap Results With Nessus Batch Scanning

A Nessus user recently asked us the following question:

"I would like to have Nessus read Nmap scan results from the command line. I already have Nmap portscanning and operating system fingerprinting, can I import the Nmap findings using Nessus in batch mode?"

Tenable has supported Nmap usage within Nessus for several years. Nmap and Nessus have different types of scanning philosophies and understanding how they work can help you achieve success with your network scanning efforts. The Nessus server includes its own portscanning, service fingerprinting and operating system identification techniques that are similar but independent from Nmap’s. However, you may run into a situation where Nmap was run first and you already have the output from this tool and want to apply the results to your vulnerability scan. I set out to do this in my lab and realized this would be a good opportunity to highlight some of the features in Nessus. Below is a step-by-step guide on configuring Nessus to run batch mode scans based on Nmap results:


 

Tips For Using Nessus In Web Application Testing

While Nessus has traditionally been a network vulnerability scanner, it contains quite a bit of functionality that can be used to identify vulnerabilities in custom web applications. This is not to say that Nessus will replace your favorite web application testing tool (or methodology), but it does provide useful information that can be used as the foundation for web application assessments or to indicate that deeper testing is warranted.

There are two different approaches when performing web application testing. The first is part of a larger so-called "blind" test, where you are given a range of IP addresses and asked to test the devices and systems within those ranges. The web applications running within this space will usually be tested generically, but a general scan may not specifically test for web vulnerabilities. You need to first find and enumerate which web applications are running and then run targeted scans that specifically look for web vulnerabilities. The second form of testing is when you are given the URL, and typically credentials, to the web application and asked to test it specifically. Nessus can help with both of these tasks, and provide valuable information that will help with your testing. Nessus provides some of the first steps of web application testing, such as identifying the web server software and technologies, detecting vulnerabilities in common/popular web application software and rudimentary CGI application testing. This post focuses on using Nessus for network-based testing, and describes several compliance-based checks that provide very thorough testing of web application environments, including scanning to test against the OWASP PHP security specifications and Apache CIS Benchmarks.


 

Auditing Linux, Apache, & MySQL Against CIS Benchmarks

Stacking Up to CIS Benchmarks

The Center for Internet Security (CIS) establishes consensus benchmarks for a large variety of applications and operating systems. These benchmarks are a valuable aid in evaluating the security of your systems. Tenable has produced a number of Nessus audit files that have been certified by the Center for Internet Security to perform audits against the CIS standards. These audit files are available to ProfessionalFeed and Security Center customers through the Tenable Support Portal.

To use these audit files, you will need to provide Nessus with credentials to log in to the target host and compare its configuration against the CIS standards. Scans that use login credentials run much faster than network-based scans, and the results often provide more detailed vulnerability findings and information on configuration issues.


Detecting UPnP With Nessus & PVS

Conficker Attacks UPnP

The Conficker worm's behavior has been analyzed by many security professionals who have shared their findings with the community (the paper from SRI is a great example). One of the common findings is that Conficker will connect to the local router/gateway via UPnP and make changes to the firewall, if the firewall supports unauthenticated UPnP. If so, it uses UPnP to open a high-numbered port in the firewall, allowing access to that port from the Internet. It then opens the same port on the infected host and uses it to distribute the worm further across the Internet. Both the use of UPnP and insecure UPnP devices can be detected by Tenable's Nessus and PVS products.


PCI-DSS Auditing Linux, Apache, PHP, & MySQL With Nessus 4

PCI-DSS Scanning

The effectiveness of the Payment Card Industry (PCI) standards to secure systems responsible for credit card transaction processing is a question of debate among information security professionals. Regardless of the hype or negativity surrounding PCI, it remains a requirement for many organizations to follow. Nessus has built-in PCI-DSS compliance checks that compare scan results with the PCI standards and produce a report on your compliance posture. It is very important to note that a successful compliance scan does not guarantee compliance or a secure infrastructure. Compliance scanning is just one tool to be used as part of a comprehensive program that includes the appropriate policies and procedures to ensure that assets are appropriately protected.


Nessus 4 Performance Benchmarks

Tenable has published official performance comparisons between Nessus 4, Nessus 3 and Nessus 2. We strongly encourage anyone interested in performing this type of performance analysis to follow the comprehensive methods we used in testing. The major findings of our testing include the following:

  • Nessus 4 was up to five times faster than Nessus 3 on Windows.
  • Not only does Nessus 4 use less memory, its shorter scan times also reduce processing time.
  • Nessus 4 is ten times faster than Nessus 2.

Of course, every network is different and quantifying performance for a network scanner is not an easy task. While we found the performance gap to be quite significant in our testing, results may not be typical in your environment - your mileage may vary. In particular, slow web server scan targets and increased network latency will limit any performance improvement. You are encouraged to share your experience about performance on the Nessus Discussion Portal.

Today there are more than 25600 plugins covering 10160 unique CVE IDs and 7073 Bugtraq IDs available to Nessus HomeFeed and ProfessionalFeed users. We expect this number to keep growing and are confident that Nessus will remain the premier scanning solution for performing network scanning, patch auditing and configuration testing of desktops, servers, databases and network devices.

 

Creating Custom Reports With Nessus 4

XSLT Reporting

A new feature in Nessus 4 is the ability to use XSLT stylesheets to create custom reports. The stylesheets read the .nessus XML file and allow you to create a number of different report styles, such as HTML and CSV, as well as extract or sort specific data from the scan results. Nessus 4 comes with several built-in stylesheets that can sort results and display a report based on several criteria, including:

  • Sort By CVE
  • Sort By IP Address
  • Sort By Port
  • Sort By Vulnerability

You can use this feature in conjunction with the report filtering to more easily create custom reports.
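The sort-by-CVE report described above, written as an added example in Python over a constructed .nessus fragment rather than as one of the XSLT stylesheets that ship with Nessus 4 (it is not Tenable's code). It assumes the .nessus v2 layout (NessusClientData_v2 / Report / ReportHost / ReportItem elements, with <cve> children on each item); the host addresses, plugin IDs and CVE identifiers in the sample are placeholders.

```python
"""Index .nessus v2 findings by CVE and emit CSV.

Added example (not a Nessus stylesheet). Assumes the .nessus v2 layout:
NessusClientData_v2 > Report > ReportHost > ReportItem, with <cve> children.
All hosts, plugin IDs and CVE IDs below are constructed placeholders.
"""
import csv
import io
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample .nessus fragment (placeholder values throughout).
SAMPLE_NESSUS = """<?xml version="1.0"?>
<NessusClientData_v2>
  <Report name="constructed-sample">
    <ReportHost name="192.0.2.10">
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="2"
                  pluginID="100001" pluginName="Placeholder web finding">
        <cve>CVE-0000-0001</cve>
        <cve>CVE-0000-0002</cve>
      </ReportItem>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0"
                  pluginID="100002" pluginName="Placeholder SSH banner"/>
    </ReportHost>
    <ReportHost name="192.0.2.11">
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="2"
                  pluginID="100001" pluginName="Placeholder web finding">
        <cve>CVE-0000-0002</cve>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def iter_findings(xml_text):
    """Yield one dict per ReportItem, with its (possibly empty) CVE list."""
    root = ET.fromstring(xml_text)
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            yield {
                "host": host.get("name"),
                "port": item.get("port"),
                "protocol": item.get("protocol"),
                "plugin_id": item.get("pluginID"),
                "plugin_name": item.get("pluginName"),
                "cves": [c.text.strip() for c in item.findall("cve") if c.text],
            }


def index_by_cve(xml_text):
    """Map CVE -> sorted list of (host, port, plugin_id), with keys sorted.

    Findings without a CVE (informational plugins) do not appear here.
    """
    idx = defaultdict(list)
    for f in iter_findings(xml_text):
        for cve in f["cves"]:
            idx[cve].append((f["host"], f["port"], f["plugin_id"]))
    return {cve: sorted(rows) for cve, rows in sorted(idx.items())}


def to_csv(xml_text):
    """Flatten the CVE index into CSV text, one row per (CVE, host, port)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["cve", "host", "port", "plugin_id"])
    for cve, rows in index_by_cve(xml_text).items():
        for host, port, plugin_id in rows:
            writer.writerow([cve, host, port, plugin_id])
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(SAMPLE_NESSUS))
```

Informational findings with no CVE are deliberately dropped from the CVE view; a sort-by-IP or sort-by-port report would keep them, which is the same filtering decision the built-in stylesheets make for you.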


Nessus Version 4 Released


Tenable is pleased to announce the release of Nessus version 4! This blog post highlights some of the enhancements and new features available in Nessus 4.0. One of the most notable features is the ability to create custom XSLT reports based on your scan results. Nessus now also supports a fully multi-threaded scanning engine, which improves performance and decreases your scan times. Nessus ProfessionalFeed and HomeFeed customers can upgrade to the latest version by visiting the Nessus Web Site. Please review the updated Nessus 4.0 Installation Guide and NessusClient 4.0 User Guide for installation and upgrade instructions and a complete list of new functionality and features. The following is a highlight of some of the features and improvements:


Configuring Nessus To Scan Through Firewalls

Nessus Scanning Through Firewalls

A number of factors can inhibit a successful Nessus scan: busy systems, congested networks, hosts with large numbers of listening services and legacy systems with poor performance all contribute to scan failures. However, firewalls (or other types of filtering devices) are one of the major causes of slow or inaccurate scans. Firewalls are essential for an organization's perimeter protection and internal network segregation, and host-based firewalls are now common on both Linux and Windows systems. Scanners can be placed on network segments behind a firewall to avoid these problems, but this may not be feasible in your network, creates the extra burden of moving a scanner around, and is ineffective against host-based firewalls. Even if you allow the scanner's IP address through the firewall, connection tracking and stateful inspection can interfere with the scan. There are two strategies for dealing with firewalls when using Nessus to perform internal or external vulnerability scans.


Root Is Just A Few Clicks Away

Default vendor logins and passwords are a common security issue that Nessus can scan for. Some of these default accounts can pose a serious security risk, depending on the type of access they permit. Nessus plugin id 35029 ("Dell Remote Access Controller Default password (calvin) for 'root' account") is a great example of this. It looks for a default username and password present on DRAC (Dell Remote Access Controller) devices which provide remote systems management for Dell servers.


Updated Conficker Detection Plugin Released

The Tenable research team has been steadily working on creating accurate checks for Conficker-infected hosts. Over the weekend, researchers Felix Leder and Tillmann Werner of the University of Bonn released details on how to detect Conficker using network-based checks. This checking methodology was used as the basis for Nessus plugin 36036 as well as the Nmap NSE script created for the same purpose.


nessuscmd Tip: Finding Open SMB File Shares

Penetration testers spend a lot of time searching for software vulnerabilities, such as buffer overflows or SQL injection. However, there are many other ways in which networks and systems can present vulnerabilities. Open SMB file shares can disclose sensitive information about an organization: I've found everything from student grades to bank account numbers using this technique. A great way to check for the presence of open SMB shares is to run a quick Nessus scan from the command line as follows:


Detecting Malware Distribution With Nessus

Many of today's worms and viruses use interesting methods to propagate across the network. For example, the Conficker.A / Downadup worm sets up a web server for victims to connect to and download a copy of the malware. What I find interesting about this method is that no matter what request is made to the HTTP server, it responds with a Microsoft executable file. Nessus detects such an HTTP server with plugin id 35322 "HTTP Backdoor Detection":



Insecure Software Update Detection

Getting In The Middle

Unpatched and out-of-date software is a common attack vector for penetration testers and attackers alike. Applications such as Adobe Reader and Microsoft Office are popular targets due to their widespread use on Windows systems and users' willingness to click on just about anything. Both have the ability to perform self-updates, similar to the operating system, but limited to one particular software package. However, what happens when the software update process itself is insecure? Enter a program called "evilgrade", which exploits this process to install software of an attacker's choosing. For this attack to succeed, the target machine must already be subject to a Man-In-The-Middle (MITM) attack.


Detecting Base64 Encoded Authentication Requests

Passive Detection

Monitoring networks for potential security violations can uncover some interesting events and surprising aspects of applications. Base64 encoding is used by many applications to "obscure" the password while it travels across the network. Base64 is an encoding, not a cryptographic algorithm, so it offers no protection for sensitive information, yet it is still used in many networks and end-user applications.
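The passive check described above, as an added example (not Tenable's PVS logic): it scans reassembled HTTP requests for Basic credentials, decodes the base64 token to confirm the username is recoverable by anyone on the path, and records only the password length so the finding itself does not redistribute the secret. The sample requests are constructed, and the hostnames use the reserved .test domain.

```python
"""Passively flag HTTP Basic credentials (base64-encoded, not encrypted).

Added example, not Tenable's PVS code. The sample requests are constructed;
hostnames use the reserved .test TLD.
"""
import base64
import binascii
import re

# Constructed sample requests, as a passive monitor would reassemble them.
SAMPLE_REQUESTS = [
    "GET /admin/ HTTP/1.1\r\nHost: intranet.example.test\r\n"
    "Authorization: Basic YWxpY2U6czNjcjN0\r\n\r\n",              # "alice:s3cr3t"
    "GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n",  # no credentials
    "GET /cache/ HTTP/1.1\r\nHost: proxy.example.test\r\n"
    "Proxy-Authorization: Basic bm9jb2xvbg==\r\n\r\n",             # "nocolon": malformed
    "GET /x HTTP/1.1\r\nHost: broken.example.test\r\n"
    "Authorization: Basic !!!\r\n\r\n",                            # not base64 at all
]

_BASIC = re.compile(
    r"^(?P<header>Authorization|Proxy-Authorization):\s*Basic\s+(?P<token>\S+)\s*$",
    re.IGNORECASE,
)
_HOST = re.compile(r"^Host:\s*(?P<host>\S+)", re.IGNORECASE | re.MULTILINE)


def find_basic_auth(requests):
    """Return one finding per Basic credential seen; never store the password."""
    findings = []
    for raw in requests:
        head = raw.split("\r\n\r\n", 1)[0]      # headers only, body ignored
        lines = head.split("\r\n")
        parts = lines[0].split()
        path = parts[1] if len(parts) > 1 else None
        host_m = _HOST.search(head)
        host = host_m["host"] if host_m else None
        for line in lines[1:]:                   # skip the request line
            m = _BASIC.match(line)
            if not m:
                continue
            finding = {"host": host, "path": path, "header": m["header"],
                       "user": None, "password_length": None}
            try:
                decoded = base64.b64decode(m["token"], validate=True).decode("utf-8", "replace")
            except binascii.Error:
                # Not base64: still report it, since the client claimed Basic auth.
                finding["status"] = "invalid-base64"
            else:
                if ":" in decoded:
                    user, password = decoded.split(":", 1)
                    finding.update(status="ok", user=user, password_length=len(password))
                else:
                    # Basic requires "user:password"; anything else is malformed.
                    finding["status"] = "no-colon"
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_basic_auth(SAMPLE_REQUESTS):
        print(f)
```

Seeing the decoded username in the finding is the point: it demonstrates to the application owner that base64 is reversible by any observer, while the password length alone is enough to confirm a non-empty secret crossed the wire in the clear.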



Scanning Vulnerable Linux Distributions With Nessus

A challenge for many penetration testers is to find a vulnerable system they can use to test their penetration testing skills and tools before they use them against paying clients. I recently found a distribution called "Hackerdemia", a Slax-based Linux distribution containing several vulnerabilities, including un-patched software, mis-configured services, default passwords and a few other surprises. My goal was to bring up the distribution in a virtual machine, assign it an IP address using host-only mode and scan it using Nessus.


Enhanced Operating System Identification with Nessus

(Note: This Blog was originally released in 2007 and was updated in March of 2009 to reflect an additional form of OS detection based on HTTP banners.)

Tenable's Research group recently introduced a highly accurate form of operating system identification. This new method combines input from various other plugins that each use a separate technique to guess or identify a remote operating system. This blog entry describes the new process and shows some example results.

Why a new process?

Two reasons.

First, although we feel that TCP/IP fingerprinting to guess a remote network stack is useful, there are too many variables and limitations involved for it to be considered 100% reliable. TCP/IP fingerprinting techniques send specially crafted packets that trigger a different reaction from one OS to another. These different reactions are used to identify whether the host is Windows, Linux, Cisco IOS and so on. Many variables on the network and on the host can influence how a stack behaves and cause unmatched or inaccurate guesses as to what the remote OS actually is. And even when TCP/IP stack fingerprinting works 100%, it often can only guess the remote kernel, not the specific Linux, Windows or other distribution.

Second, many Nessus users perform full credentialed scans and in-depth analysis of various applications. While logged into a UNIX or Windows system, or performing certain types of application queries, it is trivial to accurately determine the remote operating system. This information was previously reported, but scattered across the results of many separate plugins. This type of information is extremely accurate compared to TCP/IP fingerprinting techniques. For example, Mac OS X systems can be accurately identified through their Network Time Protocol (NTP) daemon without credentials. Running commands like "uname" on UNIX or looking up certain registry settings on Windows can yield highly accurate results.

This new process elegantly combines the best of each of these approaches, plus adds many new techniques which contribute to Nessus's guess of what a remote operating system really is.

How the new process works

Plugin #11936 (OS Identification) is still the main plugin ID Nessus users should use to perform OS enumeration of their scanned systems. Prior to the recent change, this NASL script performed TCP/IP fingerprinting of OS stacks and also targeted a few Windows and Mac OS X protocols to increase the accuracy of the reported OS. The new process now takes input from the following other NASL scripts, each of which reports its own OS guess:

  • os_fingerprint_ftp.nasl Uses the remote FTP banner to attempt to identify the underlying operating system. (Note: this functionality was added in Feb 2009.)
  • os_fingerprint_html.nasl Uses the HTML content returned by certain HTTP requests to fingerprint the remote OS. (Note: this functionality was added in Feb 2009.)
  • os_fingerprint_http.nasl Uses the remote web server signature to infer the version of Windows or the Linux distribution running on the remote host.
  • os_fingerprint_mdns.nasl If an mDNS server is present, performs a highly accurate identification of Apple OS X systems.
  • os_fingerprint_msrpc.nasl Identifies the remote version and service pack of Windows by making certain MSRPC requests against the remote Windows box.
  • os_fingerprint_ntp.nasl Queries the Network Time Protocol daemon to perform a highly accurate OS guess.
  • os_fingerprint_sinfp.nasl Implements the SinFP TCP/IP fingerprinting algorithm. Only requires one open port to fingerprint an OS. (Note: this script does not work on Nessus 2.)
  • os_fingerprint_smb.nasl Identifies the remote Windows OS based on a query to SMB.
  • os_fingerprint_snmp.nasl If credentials are available to perform an SNMP query, data from the 'sysDesc' parameter is reported.
  • os_fingerprint_ssh.nasl Attempts to identify the remote OS by the SSH banner.
  • os_fingerprint_telnet.nasl Attempts to identify the remote OS by the Telnet banner.
  • os_fingerprint_uname.nasl If SSH credentials for the remote UNIX host are provided, the results of 'uname -a' are obtained.
  • os_fingerprint_linux_distro.nasl If SSH credentials for the remote Linux host are provided, the specific release will be obtained.
  • os_fingerprint_xprobe.nasl Attempts to identify the OS type and version by sending more or less incorrect ICMP requests using the techniques outlined in Ofir Arkin's paper 'ICMP Usage In Scanning'.

More OS fingerprinting modules will be added in the future.

Each of these plugins reports a confidence level with its result. For example, "real" OS detections through direct interaction with the operating system, such as SNMP probes, running the 'uname' command or performing certain types of Windows registry queries, all carry a 100% confidence level. Other types of queries, such as TCP or ICMP fingerprinting or trying to fingerprint an application, are labeled with a value less than 100%. The result with the highest confidence level is used as the guess for the remote operating system.

Nessus users should either enable dependencies while scanning (which is the default) or manually select which of these new plugins (available in the "General" plugin family) they wish to launch.

New Fingerprints

Several of the plugins will report 'unknown' fingerprints for devices that do not have an existing match. Please email these signatures to os-signatures@nessus.org to be incorporated into future plugin updates.

All Nessus users benefit from these plugin submissions. The more fingerprints that are submitted, the more accurate future Nessus scans will be.

Evasion

No discussion of accurate remote OS identification is complete without understanding how this process can be evaded.

Several years ago, TCP/IP stack fingerprinting was considered the most reliable method of OS identification because application banners could be easily modified. It is fairly trivial to make an Apache web server look like an IIS web server or to place an Exchange email banner on your Postfix mail server.

Today though, with technologies like /proc on Linux, sysctl on FreeBSD or the registry on Windows, modifying how your network stack behaves is also very easy.

The bottom line is that if someone wants to be fingerprinted as a different type of operating system, they can configure their system to do so. By using many different application and fingerprint methods, and then weighting the results, Nessus will always be able to report something that can be used for auditing.

Example Scan Output

Here are some example OS identification results from a Nessus 3 scan that included credentials for some of the systems:

The remote host is running Linux Kernel 2.4
Confidence Level : 70
Method : SinFP

The remote host is running Linux Kernel 2.6.9-5.EL
Confidence Level : 100
Method : uname

The remote host is running Microsoft Windows Server 2003, Enterprise Edition (English)
Confidence Level : 100
Method : SMB

The remote host is running Microsoft Windows XP Service Pack 2
Confidence Level : 99
Method : MSRPC

The remote host is running Linux Kernel 2.6
Confidence Level : 60
Method : ICMP

The remote host is running Mac OS X 10.4.9 (intel)
Confidence Level : 100
Method : NTP

Notice that many of these confidence levels are 100%. This is because the UNIX check used the 'uname' command and the Windows host had port 445 open. Both of these checks are 100% accurate and leave no room for interpretation.
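The confidence-weighted selection described in the "How the new process works" section, and the report format shown in the example output above, as one added example (not the NASL code of plugin 11936): it parses the "remote host is running / Confidence Level / Method" triples, keeps the highest-confidence guess, and additionally lists any guesses whose OS family disagrees with the winner, which is the tell-tale of the banner or stack modification discussed under "Evasion". The sample text is constructed for a single host so that several methods disagree.

```python
"""Combine per-plugin OS guesses by confidence, as described for plugin 11936.

Added example, not Nessus NASL code. The text format parsed here is the one
shown in the post's example output; the sample is constructed for one host.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class OsGuess:
    os: str
    confidence: int
    method: str


# Constructed: guesses for one host from three methods, in the post's format.
SAMPLE_REPORT = """\
The remote host is running Linux Kernel 2.4
Confidence Level : 70
Method : SinFP

The remote host is running Linux Kernel 2.6.9-5.EL
Confidence Level : 100
Method : uname

The remote host is running Linux Kernel 2.6
Confidence Level : 60
Method : ICMP
"""

_ENTRY = re.compile(
    r"The remote host is running (?P<os>.+?)\s*\n"
    r"Confidence Level\s*:\s*(?P<conf>\d+)\s*\n"
    r"Method\s*:\s*(?P<method>\S+)"
)


def parse_guesses(text):
    """Parse the 'remote host is running / Confidence Level / Method' triples."""
    return [OsGuess(m["os"], int(m["conf"]), m["method"]) for m in _ENTRY.finditer(text)]


def best_guess(guesses):
    """Highest confidence wins; ties go to the more specific (longer) OS string."""
    if not guesses:
        return None
    return max(guesses, key=lambda g: (g.confidence, len(g.os)))


def family(os_name):
    """Coarse OS family: the first word of the guess (Linux, Microsoft, Mac ...)."""
    return os_name.split()[0].lower()


def conflicting_guesses(guesses):
    """Guesses whose OS family differs from the winning guess.

    A credentialed 100% result that disagrees with a banner- or stack-based
    guess usually points at a modified banner or a tuned network stack, which
    is worth a look in its own right during an audit.
    """
    best = best_guess(guesses)
    if best is None:
        return []
    return [g for g in guesses if family(g.os) != family(best.os)]


if __name__ == "__main__":
    guesses = parse_guesses(SAMPLE_REPORT)
    print(best_guess(guesses))
    print(conflicting_guesses(guesses))
```

In the constructed sample the three methods agree on the family (all Linux), so the credentialed uname result wins outright and no conflict is reported; the tie-break on string length only matters when two methods return the same confidence, where the more specific guess is the more useful one for asset classification.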

Plugin Availability and Updates

This new type of detection is available to all Nessus users who have updated their plugins recently with either the Professional or Home Feeds. Security Center users also benefit from the accuracy of these updated methods. The ability to accurately classify an OS is vital for automatic asset discovery and classification.

 

Nessus Virtual Appliance

Tenable Network Security has released a virtual appliance for the Nessus 3 vulnerability scanner. The VMware appliance is available to ProfessionalFeed and Security Center customers.

The appliance image allows for rapid deployments and effortless management of Nessus 3 scanners in virtual environments. Users do not need to concern themselves with managing an operating system and can focus on managing their scanner configurations, operation and performance.

When installing the image for the first time, a console based user interface displays the IP addresses obtained by a DHCP lease as shown below:



A web based user interface can then be used to configure your Nessus scanner, provision users for use with the Nessus Client or Security Center, subscribe it to the ProfessionalFeed, view appliance logs, save/restore appliance configurations and much more. Below is a screen shot of the main configuration interface:



Downloads for this appliance image, along with documentation, are available on the Tenable Support Portal to existing ProfessionalFeed and Security Center customers. An unlimited number of virtual Nessus appliances can be provisioned for use with the Security Center. Stand-alone images require a ProfessionalFeed subscription to receive the latest Nessus plugins.

Tenable Network Security


The official BLOG of Tenable Network Security and Nessus vulnerability scanner.