One of the most important goals of forensic analysis and system auditing is to determine what a system is actually running – not what appears to be running. A static review of installed system binaries may show results that are perfectly benign while the process that is actually running is not. It is important to correlate the running process with the program stored on disk to really determine what it is doing.
“Listening Process” Auditing with Nessus
Nessus users that perform credentialed audits of Windows or Unix servers can obtain a list that shows which specific processes are listening on which ports. Previously, Tenable introduced the ability to enumerate all open ports on a host with a credentialed audit. Now you can also determine the actual names of the processes with plugins 34252 and 25221.
Simple and Comprehensive Auditing
Network security audits are performed to identify vulnerabilities and security issues. Configuration audits attempt to identify issues with particular settings that are required by policy. Both result in very useful information that is invaluable in any type of audit.
However, if you know that a particular system is missing a security patch or has an incorrect configuration setting, how do you know that the system is actually running this software in the first place? For example, a CentOS web server might be missing an Apache RPM and the httpd.conf file can have all sorts of configuration issues, but if it is running a manually compiled Apache binary or even a different web server such as lighttpd, the security and configuration audit conclusions may be misleading.
Intruders commonly replace system programs with custom versions that perform malicious operations and evade detection. These custom versions, referred to as “Trojans”, are often difficult to detect since they seem to behave in the same manner as the original program.
If a Trojan program, virus or other type of malicious software gets installed on one of your computers, it will often communicate with another computer either over the Internet or through the local network. By visually inspecting the actual list of listening software and ports an analyst maybe able to spot the actual malicious program. This can be a very tedious process. Tools such as the Security Center can be used to quickly enumerate the open ports, and browse and search the actual process names. These process names can also be exported as a spread sheet where they can be further analyzed.
Tenable customers that operate the Security Center, Nessus and the Passive Vulnerability Scanner have the ability to view a list of open ports obtained through active and passive scanning. If a system was indeed compromised and modified to “hide” a listening network daemon that communicates with other systems, connections to this daemon can be observed through passive scanning.
Below is a screen shot of an MacOS X NessusClient scan report which has identified the lsass.exe process listening on port 500:
For Windows systems, the services offered by the svchost.exe process are individually identified as well:
And lastly, below is a screen shot of the Security Center that shows a list of ports and process opened on a Security Center system that has not been hardened (telnet is offered through xinetd):
This particular Security Center also has access to a Log Correlation Engine (LCE). If the LCE were configured to collect netflow data, proxy logs or directly sniffed sessions, a Security Center user could identify an open port and process with Nessus and then view and investigate all of the connections to that service. This can help tremendously to identify what the service is and what Internet or local systems it may be communicating with.
For More Information
Please refer to the following Tenable blog posts for more information on this topic:
- Detecting Manually Compiled Network Daemons
- How to perform a full 65,535 UDP and TCP port scan with just 784 packets
- Detecting Microsoft Executables being served by an Unknown Service with Nessus
- Enterprise Software Discovery with Nessus
- Boss, I think half of our FTP servers are fake!
- Detecting Compromised Windows hosts
- Detecting “Off Port” Services