Leveraging Wake-On-LAN Support to Audit Powered-Off Hosts with Nessus

Have you ever been charged to perform a security audit for a set of hosts that has been turned off? If those hosts have been configured to be “woken up” with a “Wake-on-LAN” packet, you can now leverage this capability with your enterprise Nessus scans. This blog entry describes how organizations that leverage Nessus or SecurityCenter to scan their infrastructure can audit systems that have been powered off.

The most important item that you need to configure your scans is the list of Ethernet addresses of the hosts you want to wake up. A host that is configured for Wake-on-LAN isn’t fully powered off. The Ethernet card remains powered on and if it receives a specific packet, it will boot up the system. You also need to have your Nessus scanner installed on the same physical network as the target hosts.

If you have many different subnets, you may want to leverage SecurityCenter to control all your scanners from one central location. Nessus scanners managed by SecurityCenter do not need to be subscribed to the ProfessionalFeed. Tenable has many customers that leverage dozens and a few that manage hundreds of Nessus scanners this way.

To boot systems that have been configured for Wake-on-LAN, Nessus sends a  broadcast packet to each Ethernet address that it should wake. Ethernet addresses can be obtained from many types of resources including:

• Uncredentialed Nessus scans of the local collision domain
• Uncredentialed Nessus scans of any Windows or OS X host running NetBIOS
• Credentialed Windows or Unix audits
• A list of all Ethernet addresses seen by the Log Correlation Engine’s new_mac.tasl correlation script
• An Ethernet address table provided by your network administrator
• A list of “live” addresses obtained from your DHCP server 

There are several Nessus plugins that track Ethernet addresses such as: 

• 10180 – Ping the Remote host (if the host responds to an arp request)
• 10150 – Windows NetBIOS / SMB Remote Host Information Disclosure
• 12218 – mDNS Detection
• 24272 - Network Interface Enumeration (WMI)
• 33276 – Enumerate MAC Addresses via SSH
• 35716 – Ethernet Card manufacturer Detection

SecurityCenter users can leverage aggregate Nessus scans and quickly export spreadsheets with lists of IP addresses and Ethernet addresses as shown below:

In addition to the list of Ethernet addresses, you need two other things:

• You need to be running Nessus 4.4 or higher to use the wol.nasl plugin
• You need network access to the scanned targets for UDP broadcast packets. The Wake-on-LAN packets sent by Nessus leverage broadcast addresses. If your routers or firewalls block this type of packet between your Nessus scanners and the targets, the special packets won’t be sent. 

You will need to set two preferences to configure a scan to make use the Wake-on-LAN feature. Following is a sample screen shot of the preference screen in Nessus 4.4.1:

The first preference is simply a list of Ethernet addresses in a file such as: 

[root@megalon db]# cat list.txt
00:26:82:3c:71:c0
00:24:2c:85:ed:5a
00:22:b0:b5:8f:66
00:0c:29:6a:08:3a
00:1d:72:bd:8b:4e
00:21:6a:4a:b8:4a
00:22:5f:6d:e8:e4
d8:a2:5e:0a:36:cb
d8:a2:5e:0d:fc:89

The second parameter allows you to tune your scan to specify how long to wait for systems to boot prior to running the scan. During this time, Nessus will reissue the Wake-on-LAN packet to keep systems that boot quickly from going back to standby every minute. After the time to wait has passed, Nessus will proceed with the audit. 

If you have questions or feedback about this new feature of Nessus, please let us know at @TenableSecurity on Twitter, on the Tenable Discussion Forums or with Tenable’s Support team.