Nessus Who What Why piis 8yahoo com isac

  • Slides: 23
Download presentation
Nessus

Nessus

Who, What, Why • piis 8@yahoo. com – isac “piss” • Tenable Nessus 4.

Who, What, Why • piis 8@yahoo. com – isac “piss” • Tenable Nessus 4. 2. x • Seccubus • Inprotect • Improving the use of the tools • Lots of new features and changes **Some statements contained herein are my own poorly validated conclusions and may be utter rubbish.

Objective • Nessus – Quick overview – Version 4. x , What is new

Objective • Nessus – Quick overview – Version 4. x , What is new • Seccubus – Why – Bulk scanning • Inprotect – Why • Data – The bane of my existance

Nessus The Nessus® vulnerability scanner is the world-leader in active scanners, featuring high-speed discovery,

Nessus The Nessus® vulnerability scanner is the world-leader in active scanners, featuring high-speed discovery, configuration auditing, asset profiling, sensitive data discovery and vulnerability analysis of your security posture. Nessus scanners can be distributed throughout an entire enterprise, inside DMZs and across physically separate networks. -- Tenable In computer security, Nessus is a proprietary comprehensive vulnerability scanning program. It is free of charge for personal use in a nonenterprise environment. Its goal is to detect potential vulnerabilities on the tested systems. --wilipedia

Nessus • • Apr 04 1998 first alpha version released on bugtraq May 17

Nessus • • Apr 04 1998 first alpha version released on bugtraq May 17 2000 1. 0. 0 released Feb 24 2003 2. 0. 0 released Dec 07 2004 2. 2. 1 released – Foreshadowing of a future • Jan 1 2005 Feed Model Changes • Dec 12 2005 3. 0. 0 released – Closed Source, proprietary license • Oct 30 2006 2. 2. 9 released – Last open source build

Nessus • Mar 12 2008 3. 2 released • Jul 31 2008 Feed Model

Nessus • Mar 12 2008 3. 2 released • Jul 31 2008 Feed Model Changes – Registered / Direct Home/Professional • Feb 16 2009 Mail Lists Disabled – Web based ‘Discussion Forums’ / nessus-announce stays • Apr 09 2009 4. 0. 0 released • Nov 30 2010 4. 2. 0 released – Web based interface • Apr 15 2010 4. 2. 2 released

Shiny • Web Interface, no more stand-alone client – Flash / XMLRPC communications –

Shiny • Web Interface, no more stand-alone client – Flash / XMLRPC communications – Keep a copy of the 4. 0. 2 client – Web Interface is still unique to each scan engine • NTP 1241 disabled for Home Feed – Other limitations on Home Feed, ie. 15 max hosts – NTP 1241 enabled for Professional Feed – …but for how long? • Shared Policies • New xml output format, . nessus v 2 • Still no easy way to share reports

Flash • Why, Why – <insert paranoia here> • Renaud states – “In the

Flash • Why, Why – <insert paranoia here> • Renaud states – “In the (not-so-distant) future, yes, HTML 5 will probably be the way to go and our backend is ready for that. ” … “However, today, we use Flash because it's the most efficient technology to take us where we need to be. ” • Adobe • Flash Decompilers

XMLRPC • ? ? ? – It's remote procedure calling using HTTP as the

XMLRPC • ? ? ? – It's remote procedure calling using HTTP as the transport and XML as the encoding. XML-RPC is designed to be as simple as possible, while allowing complex data structures to be transmitted, processed and returned. -xmlrpc. com • Future scripting / integration with 3 rd party tools? – libs available for perl / ruby / C /. net / php / etc. • 3 rd party catch-up • Kost on Freshmeat – Net: : Nessus: : XMLRPC (perl) – nessus-xmlrpc (ruby) • Port 1241 ?

Home vs. Professional Home • • • Free Max 15 hosts (simultaneous) No Credential

Home vs. Professional Home • • • Free Max 15 hosts (simultaneous) No Credential Scanning No Compliance checks Kost on Freshmeat No SCADA checks No NTP / port 1241 • • • Professional $1200 / year Unlimited hosts Credential Scanning Compliance Checks SCADA checks NTP /port 1241 support

Compliance (Pro. Feed only) • As of May 4 th , 68 audit files.

Compliance (Pro. Feed only) • As of May 4 th , 68 audit files. – – – – – Windows best practices *nix (linux, bsd, solaris, hpux) best pratices Antivirus Confidential data PCI / Banking data SSN Copyright / P 2 P Govt Keywords And more

Hacks • Bypass Home restrictions (unconfirmed) – Did not get this to work. Seems

Hacks • Bypass Home restrictions (unconfirmed) – Did not get this to work. Seems like it works as long as you are offline. • Shared Reports (scriptable) – Drop reports to local user space • 4. 0. 2 on new linux – Tenable only gives you an. rpm ( Fedora - libssl / libcrypto dependency) – Copy old. 0. 9. 8 n and symlink it to. 8

Hacks • Report Sharing • Files have “cryptic” names • Files stored in /opt/nessus/var/nessus/users/<username>/reports

Hacks • Report Sharing • Files have “cryptic” names • Files stored in /opt/nessus/var/nessus/users/<username>/reports • • 5 ef 4 e 929 -8263 -99 ac-8 ef 1 -78 e 85 fe 6 d 0165 b 65 e 004 c 8 e 3 ead 4. name 5 ef 4 e 929 -8263 -99 ac-8 ef 1 -78 e 85 fe 6 d 0165 b 65 e 004 c 8 e 3 ead 4. nessus. v 1 • Script a cp job to move files to alternate user space

 • http: //seccubus. com/ written by Frank Breedijk, Security Engineer at Schuberg Philis

• http: //seccubus. com/ written by Frank Breedijk, Security Engineer at Schuberg Philis • Lightweight web based front end, perl and php with a flat file db • User authentication is dependent on the web server • Good for a small team does not scale well to a large user base

scanmonitor. pl • Not a fan of cron • Not a fan of “empty”

scanmonitor. pl • Not a fan of cron • Not a fan of “empty” scans • Needed a more flexible scheduler • scanmonitor. pl allows for a continuous scan loop of the entire enterprise with minimal empty cycles between scan jobs – initial scans 60 K IPs in 16 hours on 4 scan engines • **Can quickly eat hard drive space and memory

mrtg / resources

mrtg / resources

mrtg / resources

mrtg / resources

Inprotect • http: //inprotect. sourceforge. net/ written by Greg Kuhnert and team • Web

Inprotect • http: //inprotect. sourceforge. net/ written by Greg Kuhnert and team • Web based front end, perl and php with a sql db • Nice system, should scale nicely to a large user base • Installation is improving but still a bit rough

DATA

DATA

What’s next • Automated parsing of critical findings • Trend exposure time • Compare

What’s next • Automated parsing of critical findings • Trend exposure time • Compare known postures

Demo

Demo

‘The Making of Horror’ Joshua Hoffine

‘The Making of Horror’ Joshua Hoffine