Wouldn't it be interesting to know, in real time, which places you go to on the Internet or in your corporate network have major vulnerabilities? How many of those customer portals, web sign-up forms or even the corporate blog web servers are vulnerable to recent or even not-so-recent security issues? You might think about scanning them with Nessus, but performing scans all the time or trying to obtain permission to scan isn't practical. However, there is plenty of information contained in raw network traffic that can be used to discover many different types of vulnerabilities.
This is the basis for the Passive Vulnerability Scanner (PVS) product from Tenable. In this blog entry, we will discuss how the PVS can be turned "outside" to gain knowledge of vulnerabilities throughout the Internet just by interacting with sites over everyday protocols.
Looking for Vulnerable Web Sites
Normally, when the PVS is deployed on an enterprise network it is told to focus "inwards" on vulnerabilities for specific addresses such as 10.10.0.0/16 or 192.168.10.0/24. However, one of the ways we test the PVS here at Tenable is to simply surf the web, send email, chat, use P2P clients and so on and let the PVS watch our traffic.
What we found interesting is that many common Internet sites had vulnerabilities that could be discovered just through traffic analysis. We're not talking about web application vulnerabilities; we're talking about older web servers, older versions of PHP and even unpatched third-party applications.
I call this "Vulnerability Tourism" because it can really show which sites are locked down and which sites have issues. It can even identify the underlying technology used at almost any site and show which sites are more "complex" than others.
What is the Passive Vulnerability Scanner?
Several years ago, Tenable released a product named "NeVO" that stood for the "Network Vulnerability Observer". It was renamed to the Passive Vulnerability Scanner (PVS) in early 2006. The PVS sniffs network traffic and produces vulnerability reports that rival what you can obtain from a credentialed Nessus scan. Nessus has advantages over the PVS when it comes to performing detailed and interactive tests as well as configuration audits, but the PVS has an advantage of silently watching your network 24x7.
Turning the PVS Inside Out
A very interesting exercise with the PVS is to set it wide open, and then start surfing the Internet or Intranet, sending mail to your contacts, chatting with folks on IM and so on. The PVS has the ability to stream "new" pieces of vulnerability or network information via syslog as they are discovered.
So as you visit places like common news, search, and e-commerce web sites, send mail to your contacts, FTP product updates from your vendor or interact with anyone on just about any Internet protocol, you can see in real-time what the PVS has discovered in the network traffic.
By no means did we do an audit of the entire Internet; however, after surfing to many different news, search, merchandise, entertainment and other types of sites and using the PVS to analyze the traffic, several trends can easily be seen. We also visited a variety of "security" and "technology" company web sites and viewed their customer support login screens as well as various forms to request white papers and product demos. We didn't post specific results here because often the content on these web sites was copyrighted, and we also didn't read each of these sites' acceptable use policies.
The following general trends were very easy to observe:
- Many of the advertising servers that render marketing campaigns, click-through images and other types of commercials seem to run with older versions of Apache and PHP. For example, visiting major newspaper and TV station web sites "looked" like they were very vulnerable, but in fact it was the web servers hosting dynamic marketing content that seemed to be insecure.
- Doing Google searches for e-commerce sites claiming to be PCI certified showed basic vulnerabilities in many of the web portals, especially to newer vulnerabilities. It could be argued that this makes sense because PCI audits are only required quarterly and a site might not scan that often. I'd like to think that sites which accept credit card information would patch things like PHP quicker than what we saw.
- There is usually a disparity in security levels or technology between a hosted web site and something interactive such as a support portal, ticketing system or white-paper request form. Very often we'd visit a web site and the PVS would discover the web server of the site, but when submitting a web form, a different server would be used that was missing security patches.
Identifying Underlying Technology and Complexity
Even when no vulnerabilities are found, the PVS is looking at the network traffic to the visited sites and attempting to enumerate web servers, mail servers, the open ports and even guess the operating system. This may also yield some surprising results such as a few IIS web servers in a sea of Apache systems, or some Linux devices at a place you'd expect to be 100% Microsoft.
Another thing we ran into was that some sites are very, very complex. Visiting a simple news site could cause content to be loaded from more than 10 unique web servers. This is likely a form of load balancing, but when evaluating these unique web server types, they usually were not all of the same application. We also saw this occasionally at some smaller technology vendor sites where the blog, the main web server, the white paper request form and the e-commerce site were all different systems and different technologies. In today's environment where different functions can be outsourced, this may be understandable. However, when these systems all have similar IP addresses and are on the same network, it may be overly complex.
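To make the two observations above concrete (version information visible in ordinary HTTP responses, and a single page pulling content from many distinct servers), here is an added Python example. It is not Tenable's code and does not show how the PVS works internally; it is a toy that parses the Server and X-Powered-By headers from a constructed set of HTTP responses, groups them by the site the user visited, flags versions that fall below a placeholder "patched baseline", counts how many distinct hosts and server builds one site touched, and emits one syslog-style line per finding. Every host name, version string and baseline value is a constructed assumption, not a real advisory.

```python
"""Toy passive HTTP fingerprinter (added example, not Tenable's PVS code)."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample "capture": (site the user visited, responding host, raw response headers).
# None of these hosts or versions are real observations.
SAMPLE_RESPONSES = [
    ("news.example", "www.news.example",
     "HTTP/1.1 200 OK\r\nServer: Apache/2.4.57\r\nX-Powered-By: PHP/8.1.2\r\n\r\n"),
    ("news.example", "ads.example-cdn",
     "HTTP/1.1 200 OK\r\nServer: Apache/2.2.3\r\nX-Powered-By: PHP/5.2.6\r\n\r\n"),
    ("news.example", "static.example-cdn",
     "HTTP/1.1 200 OK\r\nServer: nginx/1.24.0\r\n\r\n"),
    ("shop.example", "www.shop.example",
     "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/10.0\r\n\r\n"),
    ("shop.example", "support.shop.example",
     "HTTP/1.1 200 OK\r\nServer: Apache/2.0.52\r\nX-Powered-By: PHP/4.4.9\r\n\r\n"),
]

# Placeholder "minimum patched version" baseline. Hypothetical values chosen for the
# demo; a real deployment would derive these from vendor advisories.
MIN_PATCHED = {"Apache": (2, 4, 0), "PHP": (7, 4, 0), "nginx": (1, 20, 0)}

# Matches "Product/1.2.3" tokens such as Apache/2.4.57 or Microsoft-IIS/10.0
PRODUCT_RE = re.compile(r"([A-Za-z][\w-]*)/(\d+(?:\.\d+)*)")


def parse_version(text):
    """'2.4.57' -> (2, 4, 57) so versions compare as tuples, not strings."""
    return tuple(int(part) for part in text.split("."))


def extract_products(raw_headers):
    """Return {product: version_tuple} from Server / X-Powered-By header lines."""
    products = {}
    for line in raw_headers.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("server", "x-powered-by"):
            for product, version in PRODUCT_RE.findall(value):
                products[product] = parse_version(version)
    return products


def find_outdated(products):
    """Products whose observed version is below the baseline (unknown products are skipped)."""
    return {p: v for p, v in products.items() if p in MIN_PATCHED and v < MIN_PATCHED[p]}


def build_inventory(responses):
    """Group observations per visited site: {site: {responding_host: products}}."""
    inventory = defaultdict(dict)
    for site, host, raw in responses:
        inventory[site][host] = extract_products(raw)
    return inventory


def site_complexity(inventory):
    """Per site: (distinct responding hosts, distinct product/version builds seen)."""
    result = {}
    for site, hosts in inventory.items():
        builds = {(p, v) for products in hosts.values() for p, v in products.items()}
        result[site] = (len(hosts), len(builds))
    return result


def syslog_lines(inventory, now=None):
    """One syslog-style line per outdated product, in the spirit of streaming findings."""
    stamp = (now or datetime.now(timezone.utc)).strftime("%b %d %H:%M:%S")
    lines = []
    for site in sorted(inventory):
        for host in sorted(inventory[site]):
            for product, version in sorted(find_outdated(inventory[site][host]).items()):
                seen = ".".join(map(str, version))
                base = ".".join(map(str, MIN_PATCHED[product]))
                lines.append(f"{stamp} pvs-toy: site={site} host={host} "
                             f"outdated {product}/{seen} (baseline {base})")
    return lines


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_RESPONSES)
    for line in syslog_lines(inv):
        print(line)
    for site, (hosts, builds) in site_complexity(inv).items():
        print(f"{site}: {hosts} responding hosts, {builds} distinct server builds")
```

Run as-is it reports the two ad/support hosts as outdated while the main news and shop front ends pass, which is the pattern the post describes: the primary server looks fine, and it is the marketing or support back end answering the same page that lags. Version strings in headers can be suppressed or faked, so in practice this kind of banner evidence is a prompt for an authenticated scan of the host, not a verdict on its own.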
If finding Internet vulnerabilities simply through watching "normal" network traffic seems interesting to you, then consider what can be discovered when all traffic within an enterprise network can be analyzed. The Security Center can manage multiple Passive Vulnerability Scanners the same way it manages multiple Nessus scanners.
All information from the PVS is available for reporting, consumption via spreadsheets, alerting, etc. by any Security Center user. Information from the PVS can also be used to identify new assets, sort them into various asset groups and even schedule active or credentialed scans of newly found hosts with Nessus.
The PVS can also search your network traffic for evidence of documents and data in motion that contain sensitive data such as credit card numbers. It can also point out which servers host "office" files such as PDFs, spreadsheets and Word documents.
For More Information
Multiple demonstration videos are available online.
To learn more about Tenable's strategy to use active scanning, credentialed scanning and passive network monitoring, please consider reading the Blended Security Assessments white paper. The paper outlines both the advantages and disadvantages of active and passive scanning and how using both in a blended manner is more accurate than just using one technique.