Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

Protecting Scanning Credentials from Malicious Insiders

Security breaches can come from those you least suspect. Have you ever wondered what would prevent a malicious insider from obtaining privileged credentials during an IT audit? It would be a simple matter of just setting up a Linux or Windows box with a sniffer or backdoor to grab the domain or root password during the audit. Tenable has written Nessus 3 and Nessus 4 to take advantage of underlying protection mechanisms in SSH and Windows authentication protocols to limit your exposure to this type of attack.

This blog entry describes how you can securely audit your Unix and Windows hosts to limit exposing these credentials to an insider and also how to use Metasploit to test any vulnerability scanner to see if it is vulnerable to this type of attack.


Scanning with Credentials

Credentials such as username and password provide valuable information and resources to an attacker. Collecting this information on the local network can yield escalation of privileges and access to other systems where the username/password pair is being re-used. Unfortunately, we need to use credentials to login in to systems and applications and to perform vulnerability scans that require local access to the system for patch checking and configuration auditing. Credentialed vulnerability scans can be of great assistance in identifying security issues in your environment, as long as a malicious insider doesn’t take advantage of this process. For example, you may have 100 Linux and Windows systems on the network with an account that allows the Nessus vulnerability scanner to authenticate to perform local scanning. This account needs to exist on all systems, but does not typically require root or Administrator/SYSTEM privileges. An attacker would need to have already compromised a system containing these credentials or be a malicious insider who has network access. The attacker simply waits for the Nessus vulnerability scanner to login and steals the credentials, giving them access to every host on the network where these credentials are valid. The following sections describe how the attack would work on the different platforms and offer defensive recommendations.

Linux/UNIX Systems Using SSH

One attack strategy is to install a trojan SSH server. This process would listen on port 22 and interact with the connecting system just as an SSH server would, except the username/password pair would be saved before being passed to another SSH process to complete the login. This is actually a common practice by attackers who compromise a system and want to collect additional usernames and passwords without going through the process of cracking each password hash. To combat this threat, be certain to configure SSH to use public key authentication which removes the password from the login process and makes it extremely difficult to hijack. In addition, consider the scenario where you have configured Nessus to scan a class C network and an attacker has connected a new system within that network range. They can setup a trojan SSH server as described above and collect the Nessus credentials. Nessus can be configured to only scan hosts in the known_hosts file on the Nessus server. In the scan policy this can be set in the "Credentials" tab under "SSH Settings":


SSH_Settings.png

The field labeled "SSH known_hosts file" allows you specify this file and restrict Nessus to only scanning the hosts contained within.

Windows Systems

Windows systems treat authentication differently depending on the version of Windows that is running. Changing these settings could break backward compatibility with older versions of the operating system. However, a malicious insider could set up a system that would force the Nessus server (or any other vulnerability scanner) to send credentials in clear-text, or other formats that are easily cracked using readily-available tools. A great article by HD Moore titled, "MS08-068: Metasploit and SMB Relay" covers some of the techniques implemented in this attack (including a module for Metasploit that performs these attacks).

Nessus contains several options for authenticating to Windows:


Windows_Creds.png

The setting to “Never send SMB credentials in clear text" is checked by default and prevents applications from tricking Nessus into transmitting credentials in clear-text. Nessus can also be configured to exclusively use NTLMv2 authentication, which uses a stronger key exchange mechanism that is more difficult to successfully attack. An additional defense that you can enable in your network is to ensure that SMB packet signing is enabled. This forces systems who want to talk SMB to each other to first negotiate packet signing before they will talk SMB.

Conclusion

Nessus contains several features that allow you to configure it to use the most secure methods available to login to the remote systems. There is no further risk allowing Nessus to perform authenticated scans than there would be if you allow your management system to patch your systems. It is also important to monitor your systems to ensure that credentials have not been compromised. For example, using Tenable's Security Center you can monitor when an account was used to successfully login to a system, then correlate that event with a vulnerability scan. If the date and time stamps do not match, your credentials may have been compromised. Tenable’s Passive Vulnerability Scanner can also help monitor for malicious insider attacks by identifying new hosts that appear on the network that could indicate malicious insider activity.

Resources


Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training