Web application auditing is very difficult if you do not know that a website or a specific application exists. You may not know about a web server at all, or which applications run on a single web server. You may even have malicious websites installed on your network by malware or Trojans. Nessus is great for scanning and finding web servers, even on uncommon ports, but you need to scan often to get the most benefit. Fortunately, Tenable’s Passive Vulnerability Scanner (PVS) can discover new web servers and all of their active websites in real time and without any impact to your network. This post discusses how the PVS can be used to audit networks to find all authorized and malicious websites in use.
How Does this Work?
The PVS watches all network traffic and recognizes protocols such as HTTP, SMTP and FTP by their content rather than by port number. This means that if you have a web server running on port 8000 and the PVS sees traffic to it, the PVS will identify it along with its web server type and vulnerabilities.
By watching and tracking successive web sessions and decoding the HTTP protocol, the PVS can keep state on every web server, per host and per port, and produce reports such as the one shown below.
In this screen shot, the PVS has found six different websites running on port 80 on host 192.168.20.8. If a new website is added to this web server tomorrow, the PVS would find it as long as it saw traffic to the site.
This is very useful for large-scale network monitoring. The PVS will not only see new web servers being added to the network, it will also track when new websites become operational on them.
Web Application Scanning
Since there is no reliable way to remotely enumerate all of the websites that may be hosted on a given web server, having the list of active websites is very useful. Performing a web application assessment with Nessus, or any other form of web application audit, depends on knowing the exact hostname(s) of the website. Just scanning port 80 of an IP address is not sufficient: different websites on the same host can have different technologies, code, databases, permissions and functions.
Additionally, as noted in the introduction, unless you are performing a complete port scan across your entire network range on a daily basis, your ability to discover new websites with active scanning is limited. A single PVS sensor can enumerate thousands of web servers and each website they are hosting. If you are using a combination of Tenable’s SecurityCenter, PVS and Nessus, then once new websites are passively discovered you can follow up with active web application audits using Nessus.
Are you hosting Malicious Websites?
If your organization is subject to malware infections that host malicious web servers, the PVS is an excellent way to detect hostile websites on your own network. For example, consider the screen shot below:
This particular detection came from a university network we monitor with the full Tenable Unified Security Monitoring suite of passive, scanning and logging products. Needless to say, all of their official websites are under the ".edu" domain. However, as can be seen in the screen shot, several highly suspicious .com websites are being hosted.
In this case, the web servers turned out to be running on shared workstations infected with malware. If these hosts had been scanned by Nessus or another vulnerability scanner, the web server would have been identified, but the suspicious website names would most likely not have been reported.
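The two ideas above, recognizing HTTP by content rather than port and then grouping the observed Host names per server to spot sites outside the organization's own domain, are illustrated by the following added example. It is not PVS code and not part of the original post; the session data is constructed, and the "expected domain" check is a simplification of what the screen shot shows an analyst doing by eye.

```python
import re
from collections import defaultdict

# Constructed sample: (server IP, server port, first bytes of the client's payload)
# for several observed TCP sessions. These are made-up flows, not real traffic.
SAMPLE_SESSIONS = [
    ("192.168.20.8", 80,   b"GET / HTTP/1.1\r\nHost: www.example.edu\r\n\r\n"),
    ("192.168.20.8", 80,   b"GET /login HTTP/1.1\r\nHost: portal.example.edu\r\n\r\n"),
    ("192.168.20.8", 8000, b"POST /api HTTP/1.1\r\nHost: api.example.edu:8000\r\nContent-Length: 0\r\n\r\n"),
    ("192.168.20.77", 80,  b"GET /x.php HTTP/1.1\r\nHost: cheap-pills-store.com\r\n\r\n"),
    ("192.168.20.8", 25,   b"EHLO mail.example.edu\r\n"),                 # SMTP, not HTTP: ignored
    ("192.168.20.8", 80,   b"GET / HTTP/1.1\r\nHost: WWW.Example.EDU\r\n\r\n"),  # same site, other case
]

# An HTTP request line: method, request-target, version. Port number plays no role.
REQUEST_LINE = re.compile(rb"^[A-Z]{3,7} \S+ HTTP/1\.[01]\r\n")

def parse_http_host(payload):
    """Return the Host header (lowercased, :port removed) if the payload starts with
    an HTTP request, else None. Recognition is by content, so port 8000 works too."""
    if not REQUEST_LINE.match(payload):
        return None
    head, _, _ = payload.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            # Strip a trailing :port but leave an IPv6 literal such as [::1] alone.
            return re.sub(r":\d+$", "", host) if not host.startswith("[") else host
    return None

def enumerate_sites(sessions):
    """Group the Host names seen per (server IP, port): the per-server site list."""
    sites = defaultdict(set)
    for ip, port, payload in sessions:
        host = parse_http_host(payload)
        if host:
            sites[(ip, port)].add(host)
    return sites

def suspicious_sites(sites, org_suffix):
    """Return (ip, port, host) for every site not under the organization's domain."""
    bare = org_suffix.lstrip(".")
    return sorted((ip, port, h) for (ip, port), hosts in sites.items()
                  for h in hosts if h != bare and not h.endswith(org_suffix))

if __name__ == "__main__":
    found = enumerate_sites(SAMPLE_SESSIONS)
    for key in sorted(found):
        print(key, sorted(found[key]))
    print("suspicious:", suspicious_sites(found, ".example.edu"))
```

Running it lists two sites on 192.168.20.8:80, one on 192.168.20.8:8000, and flags cheap-pills-store.com on 192.168.20.77 as the only hostname outside .example.edu.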
For More Information
If you are interested in learning more about Tenable’s Passive Vulnerability Scanner, we have posted several detailed screen shots as well as demonstration videos on our website. The PVS does much more than log vulnerabilities: it can also provide a forensic audit trail of all DNS, HTTP, FTP, NFS and SMB activity. If you would like to try out the product, please feel free to contact our sales staff.