Cross referencing the results of your vulnerability scans with the list of public exploits helps identify likely targets for authorized penetration testing teams. Removing these vulnerabilities significantly raises the value of a penetration test since the team will have to work much harder to find issues that aren’t found through automation. There are many subtle issues to consider when correlating available exploits with vulnerabilities. In this blog entry, we’ll highlight these issues by considering exploit correlation with attacks available from the Metasploit project, Core, and Immunity with the results of a very large Nessus scan of several thousand web servers.
In the screenshot below, we’ve loaded the results of a Nessus scan of several thousand Internet-facing web servers into Nessus 5. We can see right away that there are six unique types of vulnerabilities that are “critical.” These are typically vulnerabilities with a CVSS score of 10. There are also ten instances of these six “critical” types of vulnerabilities. This is a very small percentage of the total population of scanned web servers.
When viewing the “high” vulnerabilities, it can be seen that there are many issues occurring on hundreds or even thousands of the scanned systems.
If we add a filter to only show those vulnerabilities which can be exploited with an exploit from the CANVAS framework, we see that it identifies two unique high-severity and one medium-severity vulnerability.
The type of issues that can be exploited by Core IMPACT can be seen in the following screen shot. In this case, CORE had an exploit available for one of the critical vulnerabilities identified by the original Nessus scan. A total of four unique vulnerabilities were identified as exploitable.
Finally, when using the list of exploits available with the Metasploit framework, a total of four unique vulnerabilities were identified as exploitable.
If you are using penetration testing to add value to your security audits, consider the following questions:
Were there any Critical or High vulnerabilities for which we didn’t have any exploits?
In our case there were plenty.
For Critical issues, Nessus plugin 45004 (Apache 2.2 < 2.2.15 Multiple Vulnerabilities) fired for three web sites and was correctly correlated by Core IMPACT and Metasploit, but there were five other critical vulnerabilities identified that were left untouched by the penetration tools. The bulk of these were critical remote security issues in HP’s System Management and Adobe’s Flash Media server web interfaces.
For the High issues, both Core IMPACT and Metasploit had exploits for Nessus plugin 50069 (Apache 2.0 < 2.0.64 Multiple Vulnerabilities), and these were on more than 5,000 systems. Neither had an exploit for Nessus plugin 32655 (Apache < 2.0.59 mod_rewrite LDAP Protocol URL Handling Overflow).
However, aside from these Apache issues, the bulk of the high severity issues identified by Nessus are spread across PHP versioning issues and web application vulnerabilities for which there are no identifiers, such as CVE numbers, on which to correlate. This shows how in some cases it may be very easy to point out the presence of a vulnerability with a scanner, yet very difficult to exploit it with a penetration testing framework.
Were there any vulnerabilities the exploit tools agreed on?
If you have access to multiple penetration testing tools, knowing which vulnerabilities a majority of attackers can readily compromise can help you prioritize what to fix. Within Nessus 5, the filtering can be used to select any vulnerability for which all of the penetration testing frameworks have documented exploits. The following is an example screen shot:
In this case, Nessus plugin 39806 (FCKeditor ‘CurrentFolder’ Arbitrary File Upload) identified something that was exploitable by all three exploit frameworks. This was a high-severity vulnerability, but given our list of thousands of audited web sites, wasn’t even shown on our initial summary screen shot. Without the ability to correlate a known exploit with this vulnerability, it may not have been given much attention.
Although not shown in this example, both Core IMPACT and Metasploit shared detection of the vulnerability identified by Nessus plugin 31654 (Apache < 1.3.37 mod_rewrite LDAP Protocol URL Handling Overflow). This is another example of how this type of correlation can elevate vulnerabilities that are “lower on the list” of priority when ranked purely by severity and then by prevalence.
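The two questions above (which high or critical findings no framework can exploit, and which findings every framework agrees on) can be answered directly from a Nessus export. The script below is an added example, not Tenable's code; it assumes the Nessus v2 (.nessus) layout with `exploit_framework_metasploit`, `exploit_framework_core` and `exploit_framework_canvas` children on each `ReportItem`, and the embedded export is constructed (plugin IDs and names follow the post, hosts are made up).

```python
# Added example (not from the Tenable post): triage a Nessus v2 (.nessus) export by
# exploit-framework coverage. The ReportItem child tags read here (exploit_framework_*)
# and the severity attribute are assumed to follow the Nessus v2 XML format.
import xml.etree.ElementTree as ET
from collections import defaultdict

FRAMEWORKS = ("metasploit", "core", "canvas")

# Constructed sample export: plugin IDs/names mirror the post; host addresses are made up.
SAMPLE_NESSUS = """<NessusClientData_v2><Report name="web-servers">
<ReportHost name="10.0.0.1"><ReportItem pluginID="45004" pluginName="Apache 2.2 &lt; 2.2.15 Multiple Vulnerabilities" severity="4">
<exploit_available>true</exploit_available><exploit_framework_metasploit>true</exploit_framework_metasploit>
<exploit_framework_core>true</exploit_framework_core><exploit_framework_canvas>false</exploit_framework_canvas></ReportItem>
<ReportItem pluginID="39806" pluginName="FCKeditor 'CurrentFolder' Arbitrary File Upload" severity="3">
<exploit_framework_metasploit>true</exploit_framework_metasploit><exploit_framework_core>true</exploit_framework_core>
<exploit_framework_canvas>true</exploit_framework_canvas></ReportItem></ReportHost>
<ReportHost name="10.0.0.2"><ReportItem pluginID="32655" pluginName="Apache &lt; 2.0.59 mod_rewrite LDAP Overflow" severity="3">
<exploit_available>false</exploit_available></ReportItem>
<ReportItem pluginID="39806" pluginName="FCKeditor 'CurrentFolder' Arbitrary File Upload" severity="3">
<exploit_framework_metasploit>true</exploit_framework_metasploit><exploit_framework_core>true</exploit_framework_core>
<exploit_framework_canvas>true</exploit_framework_canvas></ReportItem></ReportHost>
</Report></NessusClientData_v2>"""

def parse_nessus(xml_text):
    """Return {pluginID: {"name", "severity", "hosts": set, "frameworks": set}}."""
    findings = defaultdict(lambda: {"hosts": set(), "frameworks": set()})
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            f = findings[item.get("pluginID")]
            f["name"] = item.get("pluginName")
            f["severity"] = int(item.get("severity", "0"))  # 4 = critical, 3 = high
            f["hosts"].add(host.get("name"))
            for fw in FRAMEWORKS:  # a missing tag is treated as "no exploit in that framework"
                if item.findtext("exploit_framework_" + fw, "false").lower() == "true":
                    f["frameworks"].add(fw)
    return findings

def unexploited_high_or_critical(findings):
    """High/critical findings no framework covers: a tool-driven pentest would leave these untouched."""
    return sorted(pid for pid, f in findings.items() if f["severity"] >= 3 and not f["frameworks"])

def agreed_by_all(findings):
    """Findings every framework has an exploit for, ranked by host count: fix these first."""
    hits = [(pid, len(f["hosts"])) for pid, f in findings.items() if f["frameworks"] == set(FRAMEWORKS)]
    return sorted(hits, key=lambda h: -h[1])

if __name__ == "__main__":
    fs = parse_nessus(SAMPLE_NESSUS)
    print("high/critical with no framework exploit:", unexploited_high_or_critical(fs))
    print("exploitable by all frameworks (plugin, hosts):", agreed_by_all(fs))
```

Running it against a real export is a matter of replacing `SAMPLE_NESSUS` with the file contents; the same two functions then reproduce the two filters the post applies in the Nessus 5 UI.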
Nessus performs exploit correlation with a variety of frameworks. Correlating the vulnerabilities found with the known exploits for those vulnerabilities can help you prioritize risk and determine what to fix first. And by doing so, any type of penetration test exercise will have to work on exploits or issues that have not been discovered through automation.
There are some other very subtle conclusions that you could draw from this analysis.
- If you were preparing for a penetration test and did not have the tools or time to conduct testing beforehand, correlating the vulnerabilities found with Nessus allows you to prioritize what needs to be addressed first.
- Since Metasploit is free and widely deployed, you can assume that any reasonably-skilled adversary will make use of it and you should give some preference to fixing vulnerabilities exploitable by that framework.
- Deploying Nessus for scans externally and internally, as well as performing scans with and without credentials, identifies vulnerabilities that can be used to “simulate” external penetration tests, as well as those launched against client-side applications such as email, browsers, and chat tools.
Organizations can perform this sort of analysis in real time, across multiple organizations, and with multiple users by using Tenable’s Unified Security Monitoring solution, which includes Nessus, the Passive Vulnerability Scanner (PVS), and SecurityCenter. This solution allows flexible vulnerability scanning, continuous network traffic monitoring to identify vulnerabilities, and enterprise-grade reporting, alerting, dashboards, and ticketing.
For example, the screen shot below was created with SecurityCenter and PVS watching network traffic on a network of 1,000 desktops, workstations, and servers. It has a real-time dashboard, which dynamically identifies vulnerabilities exploitable by CORE's product line and by the Metasploit project for the past fifty days.
This type of trending can provide great insight into how likely a penetration testing team is to be able to target and compromise your network.
For More Information
Previous Tenable Blog Entries
- If an exploit falls in the forest, does anyone hear it being patched?
- Passively Detect all of your Exploitable Vulnerabilities – PVS 3.4 released
- Using Nessus and Metasploit Together
Tenable SecurityCenter Dashboards which track exploits
- Tracking Risk By Graphing Exploitable, Unsupported and Vulnerable Software
- Asset-based 25-Day Exploitability trends
- Trending New, Exploitable, CVSS 10 and Internet Facing Vulns