
Tenable Blog


User Poll: Your Favorite Nessus Results

Not All Vulnerabilities Are Created Equal

We recently asked a select group of Nessus users which Nessus plugins provide the most interesting results for a given scan. This is a great question because you can often find patterns in the types of vulnerabilities that share characteristics such as ubiquity and ease of exploitation. Several of the favorite plugins that penetration testers see during scans have to do with default or missing passwords that give an attacker instant access to the exposed service. The good news is that this type of vulnerability is usually easy to fix, and using Nessus makes it easy to spot in your environment.

From Zach (@quine on Twitter)

Zach wrote to tell us about two of his favorite plugins to find in the Nessus reports:

  • Nessus plugin 21564 - VNC Server Remote Authentication Bypass - This is a great pick, and falls into the category of "low hanging fruit", a characteristic of vulnerabilities you will find on this list. The VNC vulnerability allows an attacker to connect to and control the remote computer using a graphical interface without credentials.
  • Any plugin that finds Oracle vulnerabilities, specifically ones related to the default username and passwords combinations, is useful. I like this one because it targets an enterprise application that often stores very critical and/or sensitive information.

Zach also mentioned that he particularly liked to know "if TIGER and SCOTT are waiting for me", which is one of the default username and password combinations for Oracle. Nessus contains many plugins to test Oracle databases, including:

  • Zach mentioned that credentialed checks using audit policies for the CIS benchmarks were particularly useful to provide a defense-in-depth view. He commented, "It's always handy to get a thorough report to hand off to admins, citing all the delightful findings they need to address to close the gap between their system's posture and the CIS benchmarks."

From Jason Oliver

Jason has to perform scans for organizations that "want 100% scanning coverage based on an asset inventory". Nessus has two plugins that he uses to meet these requirements:

  • Ping the remote host
  • OS Identification

Jason also reminds us that we have to select "Log live hosts in the report", located in the Advanced tab under "Ping the remote host", to have Nessus log all live hosts (even hosts with no open TCP/UDP ports or vulnerabilities). Using some command line Kung Fu, Jason pulls the scanned targets from the report:

    $ awk -F '|' '/10180/ {print $3}' *.nbe | sort -u > ScannedTargets
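The same extraction, carried one step further into the coverage check Jason describes: parse the NBE export for hosts that triggered plugin 10180, then diff them against an asset inventory. This is an added example, not code from the original post or from Tenable; it assumes the classic pipe-separated NBE layout (results|subnet|host|port|plugin id|type|description) and compares the plugin-id field exactly, whereas the awk pattern /10180/ matches any line containing those digits anywhere.

```python
"""Extract live hosts from a Nessus NBE export and check scan coverage.

Added example, not part of the original post. Assumes the classic NBE
layout (pipe-separated: results|subnet|host|port|plugin id|type|description)
and Nessus plugin 10180 ("Ping the remote host") as the live-host marker.
"""
from typing import Iterable, List, Set, Tuple

PING_PLUGIN_ID = "10180"

# Constructed sample NBE lines for the demo (not a real scan export).
SAMPLE_NBE = """\
timestamps|||scan_start|Tue Mar 3 10:00:00 2009|
timestamps||192.168.1.10|host_start|Tue Mar 3 10:00:01 2009|
results|192.168.1|192.168.1.10|general/icmp|10180|NOTE|The remote host is up
results|192.168.1|192.168.1.10|vnc (5900/tcp)|21564|REPORT|VNC Server Remote Authentication Bypass
results|192.168.1|192.168.1.11|general/icmp|10180|NOTE|The remote host is up
results|192.168.1|192.168.1.12|general/tcp|110180|NOTE|plugin id 10180 appears only in this text
timestamps||192.168.1.10|host_end|Tue Mar 3 10:05:00 2009|
"""


def live_hosts(nbe_lines: Iterable[str], plugin_id: str = PING_PLUGIN_ID) -> Set[str]:
    """Return the hosts that produced a result row for plugin_id.

    The plugin-id field (index 4) is compared exactly, so a description that
    mentions 10180, or a different plugin such as 110180, is not counted.
    """
    hosts: Set[str] = set()
    for line in nbe_lines:
        fields = line.rstrip("\n").split("|")
        if len(fields) < 5 or fields[0] != "results":
            continue  # skip timestamps rows and malformed lines
        if fields[4] == plugin_id:
            hosts.add(fields[2])
    return hosts


def coverage_gaps(inventory: Iterable[str], scanned: Set[str]) -> Tuple[List[str], List[str]]:
    """Return (never_seen, unexpected): inventory hosts that never answered the
    ping plugin, and live hosts that are not in the inventory at all."""
    inv = set(inventory)
    return sorted(inv - scanned), sorted(scanned - inv)


if __name__ == "__main__":
    scanned = live_hosts(SAMPLE_NBE.splitlines())
    inventory = ["192.168.1.10", "192.168.1.11", "192.168.1.20"]  # constructed
    never_seen, unexpected = coverage_gaps(inventory, scanned)
    print("scanned targets:", sorted(scanned))
    print("inventory hosts never seen live:", never_seen)
    print("live hosts missing from inventory:", unexpected)
```

Either list is a finding: an inventory host the scan never saw means coverage is short of 100%, and a live host absent from the inventory is exactly the "different machine booted that day" Jason warns about.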

Tip

You can perform the same filtering operation using Tenable's NessusClient, rather than exporting to the NBE format and using grep, awk or other command line favorites. First, create a filter that will only display results from plugin 10180:

[Image: NessusFilter-interesting.png]

Next, from the "Stylesheet" pulldown menu select "Sort By Host" and click the "View Template" button:

[Image: SortByHost-interesting1.png]

The resulting report displays the hosts that contain results from plugin 10180 (i.e. all live hosts):

[Image: ReportHosts-interesting.png]

Some final thoughts from Jason on vulnerability scanner coverage highlight the importance of knowing what is plugged into your network:

"The short back story on coverage is people should know what is on their network, and what risks are associated with every item allowed on the network, so that on any given day new vulnerabilities are not found simply by booting different machines."

In the low hanging fruit category, Jason likes open X11 servers (very similar to the VNC vulnerability!) with plugin 19948, Open X11 Server.

"natron" wrote in with his favorite

"One of the first things I always look for are SQL server boxes with a blank 'sa' password. They are still common enough, and they always grant full admin on the box. I love command injection vulnerabilities, because there is almost zero chance of crashing a service/server in the exploitation process."

This is a fantastic point. Remote exploitation of buffer overflow vulnerabilities has been referred to as a "controlled crash", a term that makes it clear how unstable a system can become when a remote exploit is launched against it. A vulnerability that exploits behavior, such as command injection, has a much better chance of succeeding without crashing the remote service or system.

Conclusion

None of the attacks described here by Nessus users involves a buffer overflow exploit. The favorite vulnerabilities for many attackers are the ones that exploit behavior, such as authentication bypass and default or weak passwords. You can use Nessus to detect these vulnerabilities and remediate them as quickly as possible. Thank you to all those who contributed ideas!

Resources

  • Monitoring Telnet Security - An example of how to use Nessus, PVS, and Security Center to detect the Solaris TELNET authentication bypass vulnerability.
