Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

User Poll: Your Favorite Nessus Results

Not All Vulnerabilities Are Created Equal

We recently asked a select group of Nessus users which Nessus plugins provide the most interesting results for a given scan. This is a great question because you can often find patterns in the types of vulnerabilities that contain characteristics such as ubiquity and ease of exploitability. Several of the favorite plugins that penetration testers see during scans have to do with default or missing passwords that give an attacker instant access to the exposed service. The good news is that this type of vulnerability is usually easy to fix . Using Nessus makes this type of vulnerability easy to spot in your environment.

From Zach (@quine on Twitter)

Zach wrote to tell us about two of his favorite plugins to find in the Nessus reports:

  • Nessus plugin 21564 - VNC Server Remote Authentication Bypass - This is a great pick, and falls into the category of "low hanging fruit", a characteristic of vulnerabilities you will find on this list. The VNC vulnerability allows an attacker to connect to and control the remote computer using a graphical interface without credentials.
  • Any plugin that finds Oracle vulnerabilities, specifically ones related to the default username and passwords combinations, is useful. I like this one because it targets an enterprise application that often stores very critical and/or sensitive information.

    Zach also mentioned that he particularly liked to know "if TIGER and SCOTT are waiting for me" which is one of the default username and password combinations for Oracle. Nessus contains many plugins to test Oracle databases, including:

  • Zach mentioned that credentialed checks using audit policies for the CIS benchmarks were particularly useful to provide a defense-in-depth view. He commented, "It's always handy to get a thorough report to hand off to admins, citing all the delightful findings they need to address to close the gap between their system’s posture and the CIS benchmarks."

    From Jason Oliver

    Jason has to perform scans for organizations that "want 100% scanning coverage based on an asset inventory". Nessus has two plugins that he uses to meet these requirements:

  • Ping the remote host
  • OS Identification
  • Jason also reminds us that we have to select "Log live hosts in the report", located in the Advanced tab under "Ping the remote host" to have Nessus log all live hosts (even hosts with no open TCP/UDP ports or vulnerabilities). Using some command line Kung Fu, Jason pulls the scanned targets from the report:

    $ awk -F '|' '/10180/ {print $3}' *.nbe | sort -u > ScannedTargets

    Tip

    You can perform the same filtering operation using Tenable’s NessusClient, rather than exporting to the NBE format and using grep, awk or other command line favorites. First, create a filter that will only display results from plugin 10180:


    NessusFilter-interesting.png

    Next, from the "Stylesheet" pulldown menu select "Sort By Host" and click the "View Template" button:


    SortByHost-interesting1.png

    The resulting report displays the hosts that contain results from plugin 10180 (i.e. all live hosts):

    ReportHosts-interesting.png

    Some final thoughts from Jason on vulnerability scanner coverage highlights the importance of knowing what is plugged into your network:

    "The short back story on coverage is people should know what is on their network, and what risks are associated with every item allowed on the network, so that on any given day new vulnerabilities are not found simply by booting different machines."

    In the low hanging fruit category, Jason likes open X11 servers (very similar to the VNC vulnerability!) with plugin 19948, Open X11 Server.

    "natron" wrote in with his favorite

    "One of the first things I always look for are SQL server boxes with a blank 'sa' password. They are still common enough, and they always grant full admin on the box. I love command injection vulnerabilities, because there is almost zero chance of crashing a service/server in the exploitation process."

    This is a fantastic point. Remote exploitation of buffer overflow vulnerabilities have been referred to as "controlled crashes” – a term that makes it clear how systems can become unstable when a remote exploit is launched against it. A vulnerability that exploits behavior, such as command injection, has a much better chance of being successful without crashing the remote service or system.

    Conclusion

    Each one of the attacks described here by Nessus users does not involve a buffer overflow exploit. The favorite vulnerabilities for many attackers are the ones that exploit behavior, such as authentication bypass and default or weak passwords. You can use Nessus to detect these vulnerabilities and remediate them as quickly as possible. Thank you to all those who contributed ideas!

    Resources

    • Monitoring Telnet Security - An example of how to use Nessus, PVS, and Security Center to detect the Solaris TELNET authentication bypass vulnerability.