
Tenable Blog


Event Analysis Training - Run NT and Pay the Price

Most large enterprise networks have a few legacy systems around – either because they were “forgotten” or because they support an old application that was never ported to a newer release. Such legacy systems can be the Achilles’ heel of network security.

The following sanitized screen shot comes from one of Tenable’s research sites:

[Screen shot: Botnetclientfiltered – Security Center IDS event view filtered on botnet client detections]

What we are looking at is a Windows NT 4.0 system that has been “forgotten” and is also being controlled as part of a botnet. This blog entry will discuss how the above Security Center screen shot can be analyzed to arrive at this conclusion.

Analyzing IDS Events

The Security Center can process network IDS events from a wide variety of sources including application specific detections from the Passive Vulnerability Scanner (PVS). The primary focus of the PVS is to passively identify all client and server applications in network traffic and generate an alert when there are specific vulnerabilities associated with them. In the case of botnet traffic, a certain percentage of HTTP, IRC and other client detection rules implemented by Tenable for the PVS will often highlight compromised systems.

In the above screen shot, the Security Center user has listed IDS events and focused on a system that had multiple “Generic BOTNET Client Detection” events. Regardless of what type of network monitoring solution you use (Snort, TippingPoint, etc.), I tend to find the signatures that look for “known” botnet and command and control events to be very reliable with a low false positive rate.

Another example of this was detected by the Snort sensor also running in this environment, with the Emerging Threats signature set. One of the interesting rules in that signature set looks for IRC traffic on ports not normally associated with IRC, such as port 80:

[Screen shot: Ircport80 – Snort/Emerging Threats alerts for IRC traffic on port 80]

The above screen was generated by analyzing logs gathered with the Log Correlation Engine (LCE).
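The two checks above – several “Generic BOTNET Client Detection” events for one host, and IRC protocol commands on a port that is not an IRC port – are simple to reproduce against your own IDS and flow data. The following is an added example (not Tenable’s PVS, Snort or LCE code); the alerts, flows, hosts and DNS table are constructed sample data, and the botnet threshold of three events is an assumed tuning value.

```python
import re
from collections import defaultdict

# Ports normally associated with IRC; IRC commands on any other port are suspicious.
IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 6697}
# Client-side IRC commands at the start of a line in the payload.
IRC_CMD = re.compile(rb"^(?:NICK|USER|JOIN|PRIVMSG|PONG) ", re.MULTILINE)

# Constructed sample data (not real PVS, Snort or LCE output).
ALERTS = [  # (source host, IDS signature name)
    ("10.1.1.37", "Generic BOTNET Client Detection"),
    ("10.1.1.37", "Generic BOTNET Client Detection"),
    ("10.1.1.37", "Generic BOTNET Client Detection"),
    ("10.1.1.52", "Generic BOTNET Client Detection"),
    ("10.1.1.52", "HTTP Client Detection"),
]
FLOWS = [  # (source host, destination port, first payload bytes)
    ("10.1.1.37", 80, b"NICK ntbox4\r\nUSER ntbox4 0 * :ntbox4\r\nJOIN #c\r\n"),
    ("10.1.1.52", 80, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n"),
    ("10.1.1.80", 6667, b"NICK admin\r\nUSER admin 0 * :admin\r\n"),
]
DNS = {"10.1.1.52": "ws52.corp.example", "10.1.1.80": "irc-client.corp.example"}

def irc_on_odd_port(dport, payload):
    """IRC protocol commands seen on a port not normally used for IRC (e.g. 80)."""
    return dport not in IRC_PORTS and IRC_CMD.search(payload) is not None

def correlate(alerts, flows, dns, botnet_threshold=3):
    """Return {host: [reasons]} for hosts that warrant a closer look."""
    botnet_hits = defaultdict(int)
    for host, sig in alerts:
        if "BOTNET" in sig.upper():
            botnet_hits[host] += 1
    reasons = defaultdict(list)
    for host, n in botnet_hits.items():
        if n >= botnet_threshold:
            reasons[host].append(f"{n} botnet client detections")
    for host, dport, payload in flows:
        if irc_on_odd_port(dport, payload):
            reasons[host].append(f"IRC traffic on port {dport}")
    # A flagged host with no DNS name is a candidate "forgotten" system.
    for host in list(reasons):
        if host not in dns:
            reasons[host].append("no DNS name")
    return dict(reasons)

if __name__ == "__main__":
    for host, why in correlate(ALERTS, FLOWS, DNS).items():
        print(host, "->", "; ".join(why))
```

Only 10.1.1.37 is reported: the host with a single botnet event and plain HTTP on port 80 stays below the threshold, and the host talking IRC on 6667 is using the protocol where it is expected.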

How do we know it is an NT 4 System?

Nessus has a very sophisticated operating system identification system designed for IT audits. It uses the most reliable forms of system fingerprinting available.

In this case, the remote system was detected as being Windows NT 4.0 through interaction with the MS RPC service as shown below:

[Screen shot: Osid – Nessus operating system identification via MS RPC]

This same network also had the PVS running on it, and it also fingerprinted it as NT 4.0:

[Screen shot: Passiveosid – PVS passive operating system fingerprint]

Looking at the Windows User Management set of plugins (shown below), we can see a few that have been protected. In particular, plugin 10907 checks whether the Guest account belongs to a group, which was very common on NT 4.0 default installations.

[Screen shot: Vulns2 – Windows User Management plugin results]

How do we know it is forgotten?

Determining that a computer has been “forgotten” is more a matter of opinion than something that can be detected with a plugin. Let’s ask some questions:

Why would a Windows NT 4.0 system still be around? Perhaps the server is part of an embedded device such as a medical system, printer or other legacy service. In this case, however, there were no unknown services on this host and no other “odd” devices on the network this computer was on.

Why would it not be in DNS? Notice on the popup “System Information Summary” screen that the DNS name for this IP address is unknown. If a system on a large corporate network is not part of DNS or the AD, there is a good chance that the IT group does not know about this system.

How Could this System Have Been Exploited?

The LCE was running on this network for some time, but the botnet activity was only recently discovered. There were no inbound network connections that resulted in “attack” events or other types of correlated activity. One day, the “guest” account simply was part of a group. There are many “LAN” aware worms such as SirCam and Nimda variants that look for local network shares in an attempt to exploit more computers. It is quite likely that this NT 4.0 system fell victim to a worm-style attack.

For More Information

Nessus is very effective at identifying a wide variety of “Unsupported” operating systems. These include Windows NT 4.0, Windows 95/98/ME and a variety of unsupported Linux and UNIX systems.

Microsoft runs a web page of their products which have been “end of lifed” (EOL) here:

http://support.microsoft.com/gp/lifesupsps

In particular, Windows NT has been EOL’ed since December 31st, 2004. It contains many vulnerabilities for which Microsoft has not offered patches.

There may be many good reasons for having an older computer system on your network. A great example would be running an older software application that was never ported to a newer OS platform. You might not have a choice either: it is possible that Windows NT comes as part of your printer, phone system, security camera or other type of embedded application.

Regardless, being able to identify these types of systems on an ongoing basis is very useful. If the system is needed, you can develop a risk mitigation strategy to compensate for the vulnerabilities associated with these unsupported operating systems. If the system is not needed, it can be removed from the network, thus closing the security exposure.
