Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

Disabling Password Guessing attempts with Nessus

As part of the more than 17,000 plugins available in the Nessus Direct and Registered plugin feeds, many of these look for common user name and password combinations. They will attempt to find administrator accounts without passwords, simple passwords and vendor defaults. Although these checks aren't performing an exhaustive brute force password audit, they may cause enough login failures to "lock out" operational accounts.

Tenable's research group recently introduced logic into the body of the Nessus plugin checks to prevent guessing of accounts. If auditors are running Nessus in a sensitive environment, they can now easily disable the types of plugins which could result in login failures on Windows and Unix systems.

This blog entry discusses account "lock outs", how the new plugin changes work, and what sort of security vulnerabilities might not be checked with this setting enabled.

Understanding Account Lock Outs

As part of hardening a system, users should choose strong passwords that are complex enough to avoid brute force guess attempts. In some cases though, an organization may feel the need to further secure a system by limiting the number of times an account can be accessed unsuccessfully. This can limit the ability for a hacker or insider to try many combinations of user names and passwords to gain access to a system.

A problem that can occur with this type of security is that scanning for a common list of default backdoors, vendor accounts or simple passwords can render the account locked. A locked account could require a certain amount of time before it can be accessed again or it could require some other types of administrator action to "unlock" it.

In an operational environment, we'd like to avoid any type of impact to the availability of the systems that are being scanned. For example, having a Windows 2003 server with its administrator account locked out could prevent a help desk from performing their job. In sensitive environments, some organizations require every login failure to be investigated.

Auditing Password Policy With the Direct Feed and Security Center

Nessus Direct Feed and Security Center users can audit remote UNIX and Windows systems for poor password policies in seconds. Rather than testing 100s, 1000s or even more different username and password combinations, a remote operating system can be audited to see if its password policy is complex enough.

For example, password policies can specify a minimum password length and how often it should be changed. These variables are obtained performing direct queries against the operating system and have no side effects. Testing against a policy is more efficient than testing against a list of 1000s or more of known potential passwords. These audit policy tests require remote credentials to audit the systems.

These types of checks are included in many of the audit policies Tenable has produced to meet NIST SCAP, PCI and Center for Internet Security standards.

Performing Tests With This Setting

Under the current set of plugins being distributed as of November 1st, 2007, there is a new plugin preference variable. Its name is 'Do not log in with user accounts not specified in the policy'.

To access this under the Nessus Client, create a new policy and view the option under the 'Global variable settings' drop down option under the 'Advanced' tab as shown below:

If this setting is checked, then Nessus will not attempt to log into a remote host with anything other than the accounts specified in the Credentials section of the scan policy.

If you have not updated your plugins since November 1st, this setting will not be available. These checks have been made available to both the Direct Feed and Registered Feed customers. Also, if you are using the new Nessus Client, you must create a new policy for this item to be available in the user interface.

Knowing When to Use This Setting

The focus of this plugin change is to prevent unintentional use of plugins that attempt a login vis SMB for Windows systems or SSH for UNIX systems.

There are several "vulnerability" plugins which look for common user name and password combinations. For example, attempting to see if a Windows 2003 server has a blank administrator password is a great security check, but the act of measuring it may cause a login failure.

If you have manually installed Hydra on your Nessus scanner and you also select those plugins for execution, Hydra will run unaffected by this setting. 

For More Information

Information about the Direct Feed is available here. We've blogged in the past about how password auditing is accomplished much more efficiently buy auditing a policy than trying to brute force a password. Combining this new feature of not testing for user accounts specified with the scan policy along with the configuration auditing features of the Direct Feed is an excellent way to efficiently test your system configurations without impact.

If you are a Nessus 3.0.6 Windows user, the client distributed with along with the Nessus scanner does not support this new scan option. Instead, users should upgrade to the new Nessus Client 3.0.

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training