Validating Credentialed Nessus Scans (Part 2)

Authenticated Nessus scans are good.  For many reasons.

That said, when they fail, it can be difficult to figure out WHY they fail.  This will be the second in a 3 part series of troubleshooting credentialed scans (Part 1).  Today’s post is on Windows targets (and applies to Nessus 4.X – I will update for Nessus 5 soon, but 90% should be the same).

I’m not going to get into how to set up a credentialed scan for Windows here.  That’s covered in the Nessus documentation and other places around the web. Also, many of the settings etc. below are for troubleshooting/testing.  In no way, shape, or form is this a security best-practices guide.  I am not responsible for the security configuration of your network/host/scanner.  Practice defense in depth.

That said, some useful settings are below.

Scan Settings:

  • General – Scan – Save Knowledge Base
    This provides a detailed log of exactly what happened during the scan (though it can be a bit hard to read – not for the layman).  The scan information is stored here:
    • Windows Nessus Scanner:  C:\Program Files\Tenable\Nessus\nessus\users\username\kbs\ip_octet1\ip_octet2\ip_octet3\ip_address
    • Unix based Nessus Scanner: /opt/nessus/var/nessus/users/username/kbs/ip_octet1/ip_octet2/ip_octet3/ip_address
  • General – Scan – Silent Dependencies
    Personally, I don’t recommend that the average user should manually pick individual Nessus plugins to scan with unless you ‘really’ know what you’re doing.  Just select everything (and select ‘Safe Checks’) and let Nessus sort it out.  That said, if you hand pick your plugins, make sure to select this, otherwise you may not get complete data and many of the plugins I mention below may not trigger.
  • Credentials – Windows Credentials
    This is (surprise) where you setup the actual credentials to authenticate to the host with, but there are some important settings here too.  Notable settings are below.
    • SMB Domain (optional): If you are using an AD/LDAP or similar directory services account, be sure to set this.  If you’re using a local account, leave it blank.
    • SMB password type:  Most folks will be using ‘Password’.  If you’re using the LM or NTLM hash, you probably don’t need to read this article.
    • Only use NTLMv2: While the security minded folks will probably want to check this, it can cause scans to fail when the target does not support NTLMv2.  So if you’re absolutely sure that all of your hosts support it, you should enable it.  If not, or if you’re troubleshooting something, make sure this is turned off.
  • Preferences – Global variable settings – Do not log in with user accounts not specified in the policy
    While this is a ‘good thing’ to leave off (if the target has default accounts, you’ll still get access and see all the data you need), it can be a pain when trying to reconcile valid accounts to valid targets.  Enable this.
  • Preferences – SMB Registry : Start the Registry Service during the scan
    Un-needed services/programs should be disabled or uninstalled right?  Security 101 (or 102).  Some System Admins will disable the Remote Registry service (winreg) as well as the administrative shares (ADMIN$, IPC$, C$, etc) if they’re not needed.  Unfortunately, they are needed to run a proper scan.  That said, Nessus can enable and disable these features when it starts and finishes the scan.  The two caveats are that the Remote Registry service can’t be ‘disabled’ (manual is fine), and the account you’re scanning with has to have rights to enable it (admin).

Useful Nessus Plugins to look for in the results:

  • 10394: Microsoft Windows SMB Login Possible
    • This tells you what account the scan used to log in.  Keep in mind that the scan can ‘log in’ with a null session, depending on your configuration, and still not have access to anything else.
  • 21745: Authentication Failure – Local Checks Not Run
    • Either you fat-fingered your password somewhere, the account is locked out, or you don’t have rights to login.
  • 24786: Nessus Windows Scan Not Performed with Admin Privileges
    • Great!  You logged in, but not with Admin rights.  That’s a problem.  Look at 10394 (above) to make sure your scan logged in with the right account, and then make sure that account has admin rights.
  • 26917: Microsoft Windows SMB Registry : Nessus Cannot Access the Windows Registry
    • This can trigger on a few occasions, but check to see if you have admin rights, and that the Remote Registry service is not disabled.  If it’s set to Manual, then you need to start the service with the preference as mentioned above.
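The four plugin IDs above can be pulled out of a .nessus (v2 XML) export automatically, which is handy when a scan range has dozens of hosts. The script below is an added example, not part of the original post or of Nessus itself; the export it parses is constructed, the plugin_output wording is assumed (real 10394 output is worded differently), and the verdict order follows the post’s troubleshooting order (21745 first, then 24786, then 26917, then 10394).

```python
import xml.etree.ElementTree as ET

# Diagnostic plugins named in the post; the advice strings condense its
# troubleshooting steps for each one.
ADVICE = {
    "auth_failed": "21745: bad username/password, locked account, or missing SMB domain",
    "no_admin": "24786: login worked but not as admin; check the account 10394 reports",
    "no_registry": "26917: check admin rights and that Remote Registry is not Disabled",
    "ok": "10394 without the others: authenticated and local checks ran",
    "no_login": "10394 absent: scanner never authenticated (TCP 139/445, firewall, file sharing)",
}

# Constructed sample export (not a real scan) in the .nessus v2 layout:
# NessusClientData_v2 / Report / ReportHost / ReportItem with a pluginID attribute.
# 11219 (Nessus SYN scanner) is included as a plugin unrelated to credentials.
SAMPLE_NESSUS = """<NessusClientData_v2><Report name="constructed credentialed scan">
  <ReportHost name="192.0.2.10">
    <ReportItem port="445" protocol="tcp" severity="0" pluginID="10394">
      <plugin_output>Logged in as EXAMPLE\\scanner</plugin_output></ReportItem>
  </ReportHost>
  <ReportHost name="192.0.2.11">
    <ReportItem port="445" protocol="tcp" severity="0" pluginID="10394">
      <plugin_output>Logged in as EXAMPLE\\helpdesk</plugin_output></ReportItem>
    <ReportItem port="445" protocol="tcp" severity="2" pluginID="24786"/>
  </ReportHost>
  <ReportHost name="192.0.2.12">
    <ReportItem port="445" protocol="tcp" severity="1" pluginID="21745"/>
  </ReportHost>
  <ReportHost name="192.0.2.13">
    <ReportItem port="445" protocol="tcp" severity="0" pluginID="10394">
      <plugin_output>Logged in as EXAMPLE\\scanner</plugin_output></ReportItem>
    <ReportItem port="445" protocol="tcp" severity="1" pluginID="26917"/>
  </ReportHost>
  <ReportHost name="192.0.2.14">
    <ReportItem port="445" protocol="tcp" severity="0" pluginID="11219"/>
  </ReportHost>
</Report></NessusClientData_v2>
"""


def classify(plugin_ids):
    """Verdict for one host, checked in the post's order of precedence."""
    if "21745" in plugin_ids:
        return "auth_failed"
    if "24786" in plugin_ids:
        return "no_admin"
    if "26917" in plugin_ids:
        return "no_registry"
    if "10394" in plugin_ids:
        return "ok"
    return "no_login"


def triage(nessus_xml):
    """Return {host: {"verdict", "advice", "login"}} for every ReportHost in the export."""
    report = {}
    for host in ET.fromstring(nessus_xml).iter("ReportHost"):
        ids = set()
        login = None
        for item in host.iter("ReportItem"):
            pid = item.get("pluginID")
            ids.add(pid)
            if pid == "10394":
                # 10394's output names the account used. A null session shows up
                # here too, which is why an "ok" verdict still deserves a glance.
                login = (item.findtext("plugin_output") or "").strip()
        verdict = classify(ids)
        report[host.get("name")] = {"verdict": verdict, "advice": ADVICE[verdict], "login": login}
    return report


if __name__ == "__main__":
    for host, info in triage(SAMPLE_NESSUS).items():
        print(f"{host:12} {info['verdict']:12} {info['advice']}  login={info['login']}")
```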

Things that are not Nessus

  • smbshell
    This is a handy little utility that Tenable put out.  It can really help diagnose troublesome login issues.  You can download/read about how to use it at the link above.
  • nmap
    If you’re not familiar with nmap… get familiar with it.  Like you’ll dog-sit for an nmap developer for a year kind of familiar.  Use this to make sure that the proper ports are open… run it from the target, run it from the scanner, run it from random places in between.  Nothing is more frustrating than troubleshooting a login issue for 3 months only to realize that there was a rule set on a router that they ‘forgot’ about that blocked TCP 139/445 inbound.  Sigh.
  • Windows Event Viewer
    Don’t forget about the Event Viewer of your target – especially the Security log.  If this doesn’t show any events for failed or successful authentication, then you’re never actually reaching the host.  Maybe-perhaps-fix-that.
  • File/Print Sharing
    This needs to be enabled on your target.  This is how remote SMB authentication to Windows clients works.  For production networks, this should probably be restricted for your scanners/specific accounts.

Common Issues

  • Accounts
    • The username and/or password is wrong in the scanner or wrong on the target.
    • The account is locked out (local or ldap/AD)
    • The account is AD, but no domain was supplied with the scan.
  • Target
    • File/Print Sharing is not enabled.
    • The ‘insert name here’ host firewall is blocking the scan.
    • The ‘insert name here’ host ‘Security Suite’ is blocking the scan.
    • Proper services are not configured (winreg)
    • The account is not actually on the target
    • The host lost its trust relationship with the domain (you have bigger problems)
  • Scanner
    • The scanner is set up on Windows XP (or another Windows client OS).  Go back and read Part 1.  Fix.  Come back.
    • Local firewall that is blocking outbound connections
    • Not powerful enough. (Have at least 2 GB of RAM – if the system can support 2GB RAM, other specs are in line.)
  • Network
    • Router/Firewall/Switch rules that block your traffic.
    • Improperly tuned IPS devices.
    • Overloaded network equipment (If your switch is more than 6 years old.  Replace it.  Revisit this page.)
  • Other
    • Network/Host admins that are not informed about what you’re doing and block/futz with your traffic.
    • Gremlins/Demons.  (I can’t help you with this one – I only know an old priest).
Posted in Nessus, Vulnerabilities | Comments Off on Validating Credentialed Nessus Scans (Part 2)

Validating Credentialed Nessus Scans (Part 1)

Authenticated Nessus scans are good.  For many reasons.

That said, when they fail, it can be difficult to figure out WHY they fail.  This will be the first in a 3 part series of troubleshooting credentialed scans (Part 2).  Today’s post is about what you’ll need to do this troubleshooting.


Yes, you will need a copy of Nessus.  You don’t need the professional feed, but it can be quite useful if you have to end up calling Tenable Support for something specific.  Version 4.4 or above.


Surprise, you need something to run Nessus on.  You can run Nessus on almost any platform, but for troubleshooting purposes I highly recommend one of the Unix flavors.  Stay away from Windows (just makes it more complicated in my opinion).


You should have a test network. I’ll say it again.  HAVE A TEST NETWORK.  It should have a variety of machines in it that match the settings in your production network.  It doesn’t have to be a separate VLAN/subnet, but know what you’re scanning.  The various versions of Windows can all be slightly different, so have targets representative of your actual scan ranges.  You should also have access to the machines in question, RDP or physical works best, but console works too.


If you are not the admin of the machines you’re scanning, have their contact information.  Have their permission.  Depending on the target, schedule the scans with the system owner so they don’t impact other activities (though this might be for naught if YOU HAVE A TEST NETWORK (ok ok, rant done)).

Documentation.  Have offline copies, but they update this stuff often.

It should also go without saying – Internet access.  While this series will try to cover the major issues you may run into, there are bound to be items that I miss.  Google your errors.  Post on the Tenable Discussion Forum.  Send me your solutions. 🙂

Other Tools

Your scanner should have the following tools installed on it, aside from Nessus.  (All of these have Windows/Unix versions if you ignored my advice above)

  • nmap
  • netcat
  • smbshell (link)
  • smbclient (‘nix only)
  • SSH Client
  • stunnel
  • Telnet Client
  • Wireshark/tcpdump
Posted in Nessus, Vulnerabilities | Comments Off on Validating Credentialed Nessus Scans (Part 1)

Antivirus policies for specific types of hosts

This was also posted on Pauldotcom here. ~ Seth

In many enterprise environments, business needs for performance often trump security (OK, more often than not). A good example of this is Exchange Administrators getting grumpy about your AV client causing too much of a performance impact on the back-end servers. Depending on the political weight and structure of your position/group, this argument usually ends in one of two ways. Either AV gets put on the box and the Exchange Admins live with the performance hit, or you live without AV on the Exchange server.

Antivirus products can also cause havoc with some products if they detect something and try to remove it. Sure, that string of text may have been similar to a virus from 1997, but the fact that your AV client decided to delete the database in which it was written, well that’s a problem.

Luckily, there is a middle ground.

Most enterprise level antivirus solutions allow you to implement specific policies for groups of computers. The problem exists with knowing how and what to implement as well as when to realize that it can’t solve your problem.

Most software vendors provide (or will provide when asked) a list of specific files/folders to exclude that may have undesired effects on their product. An example using Exchange is provided below.

Microsoft Exchange:
Exclude the following directories:

  • %Program Files%\Exchsrvr\MDBData\*.*
  • %Program Files%\Exchsrvr\Mtadata\*.*
  • %Program Files%\Exchsrvr\Server_Name.log
  • %Program Files%\Exchsrvr\Mailroot\*.*
  • %Program Files%\Exchsrvr\Srsdata\*.*
  • %System Root%\System32\Inetsrv\*.*
  • %Program Files%\Exchsrvr\IMCData\*.*

If your AV software has a web application component, it also may be a good idea to disable monitoring on the ports that Exchange uses, especially HTTP, POP3, IMAP, and all the various secure forms of those protocols.

For more information, see the Microsoft documentation here: File-Level Antivirus Scanning on Exchange 2010 and Overview of Exchange Server 2003 and antivirus software.

Some additional rules for various server types are below.

Backup Servers:

  • Exclude the install directory of the backup software
  • Exclude any Backup to Disk locations if they are local to a client
  • Disable On-Access scanning during backups (or disable scan on file read/open; only scan on write/execution)

Database Servers:

  • Install directory for database (Ex: C:\Program Files\Oracle)
  • Database files themselves (Ex: .DB files)
  • If accessed remotely, disable scanning on the port(s) that the database is accessed from

Terminal/Citrix Servers:

  • Disable GUI loading (so each logged in user doesn’t start a new process that isn’t needed)
  • Disable all interaction with the client (have it default to strict cleaning, no popups, etc. Chances are the user won’t have the rights/knowledge to deal with it anyway, and it could hang the client if it’s waiting on a user to take action on a file.)

Basically you want to exclude directories, files (or file extensions), and ports that get modified a lot. Otherwise this will bog down the AV client’s scanning and bring the system to a crawl. You’ll have to look at each OS and the specific applications that are running on your network (this is a good chance for some software inventory and control – no web browsing or email checking on servers), as well as the limitations and features of your specific AV client.

Keep in mind that this approach will not solve all problems and can create its own. When creating policies, keep in mind that you can’t (and shouldn’t) create unique policies for every host on your network; this will quickly become impossible to manage. There is also a point of diminishing returns when configuring an AV client. If you’re excluding more than you are scanning for performance concerns, it might be a good idea to forget the AV and focus on network segmentation and continuous monitoring of the host.
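The Exchange exclusion list above and the “excluding more than you are scanning” point can both be checked against a file inventory before a policy goes out. The script below is an added example, not code from the post or from any AV vendor; it assumes matcher semantics (case-insensitive paths, a trailing \*.* covering a directory recursively) that you should confirm against your own product’s documentation, and the token values and file inventory are constructed.

```python
import fnmatch

# Exclusions as quoted in the post, with the vendor's %Program Files% / %System Root%
# tokens. Server_Name.log is the placeholder the post leaves for the host's own name.
EXCHANGE_EXCLUSIONS = [
    r"%Program Files%\Exchsrvr\MDBData\*.*",
    r"%Program Files%\Exchsrvr\Mtadata\*.*",
    r"%Program Files%\Exchsrvr\Server_Name.log",
    r"%Program Files%\Exchsrvr\Mailroot\*.*",
    r"%Program Files%\Exchsrvr\Srsdata\*.*",
    r"%System Root%\System32\Inetsrv\*.*",
    r"%Program Files%\Exchsrvr\IMCData\*.*",
]

# Assumed token values for one host; on a real host they come from its environment.
TOKENS = {"%Program Files%": r"C:\Program Files", "%System Root%": r"C:\Windows"}

# Constructed file inventory: three files the Exchange policy should cover, three it should not.
SAMPLE_INVENTORY = [
    r"C:\Program Files\Exchsrvr\MDBData\priv1.edb",
    r"C:\Program Files\Exchsrvr\MDBData\logs\E00.log",
    r"C:\Windows\System32\Inetsrv\inetinfo.exe",
    r"C:\Program Files\Exchsrvr\bin\store.exe",
    r"C:\Windows\System32\notepad.exe",
    r"C:\Users\Public\Downloads\invoice.exe",
]


def expand(pattern, tokens=TOKENS):
    """Substitute the vendor's environment tokens with this host's values."""
    for token, value in tokens.items():
        pattern = pattern.replace(token, value)
    return pattern


def is_excluded(path, patterns, tokens=TOKENS):
    """Assumed semantics: case-insensitive; a trailing \\*.* matches everything beneath the directory."""
    p = path.lower()
    for pat in (expand(x, tokens).lower() for x in patterns):
        if pat.endswith(r"\*.*"):
            # keep the trailing backslash so "...\mdbdata\" does not match "...\mdbdata2\"
            if p.startswith(pat[:-3]):
                return True
        elif fnmatch.fnmatchcase(p, pat):  # exact file or simple wildcard entry
            return True
    return False


def coverage(inventory, patterns, tokens=TOKENS):
    """Split an inventory into (excluded, still_scanned) so an over-broad policy is visible."""
    excluded = [f for f in inventory if is_excluded(f, patterns, tokens)]
    scanned = [f for f in inventory if f not in excluded]
    return excluded, scanned


def excluded_fraction(inventory, patterns, tokens=TOKENS):
    """The post's diminishing-returns test: how much of the inventory the policy skips."""
    excluded, _ = coverage(inventory, patterns, tokens)
    return len(excluded) / len(inventory) if inventory else 0.0


if __name__ == "__main__":
    ex, sc = coverage(SAMPLE_INVENTORY, EXCHANGE_EXCLUSIONS)
    print("excluded:", *ex, sep="\n  ")
    print("still scanned:", *sc, sep="\n  ")
    print(f"excluded fraction: {excluded_fraction(SAMPLE_INVENTORY, EXCHANGE_EXCLUSIONS):.2f}")
```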

Putting together a set of comprehensive AV policies for your organization can be an excellent step towards better network security, just don’t forget the idea of a layered defense; antivirus can’t solve everything!

Posted in Malware, Policy, Real World, Windows | Comments Off on Antivirus policies for specific types of hosts

SNMP for fun and profit!

Because you never turn off SNMP.. right?

This is a pretty good article over here on Attack Vector about basics of using SNMP to further your pentest and/or using your manager’s personal networked printer against them.

Most network infrastructure devices have SNMP turned on.  Most are using version 1 or 2 (much easier to get around), and most have default community strings set up.  If this isn’t already mitigated by NAC or some other compensating control, you should probably look into locking it down on your network.

Aside from information disclosure (and modifying data on these devices if you have the private string), it might not seem like a big deal, right?  Well, perhaps.  But I seem to remember (and have a perl script or two for proof) a talk from Shmoocon 2009 about implementing a DoS attack with a single open SNMP device.  Ever had your site brought down by a network printer halfway across the world?   So not only is your own infrastructure at risk, but now I (evil hat on) have a tool to attack your competitors from your network.  And they’re being attacked from your printer/APC/switch/any device with SNMP turned on.

Try explaining to your boss why his copier was hacked and brought down your network (or someone else’s).  Fun times!

Posted in Real World | Comments Off on SNMP for fun and profit!

Cyber Security Awareness Month Ideas?

So I saw the recent post on ISC about the upcoming Cyber Security Awareness Month in October.  It’s already prompted some discussion at work that looks like it’ll have a productive end, and I’ve also got a SANS class starting around that time.

I’d like to incorporate it into my class, but I’m looking for ideas on how to do it.  (I also plan on posting everything here, so you don’t have to be in the SANS class to get it, but I won’t stop you from registering. 🙂 ) So far, I’ve come up with the items below.

  • Teaching Others to Stay Safe Online – Kind of a how-to; it’s always easier to understand something if you have to teach it, they’re going to be learning the GSEC material, so we could bundle it together.  Plus, who doesn’t want their friends/family to be safe online?  It sure saves you time in IT support calls. 🙂
  • Avoiding Social Engineering – To an extent, it’s not possible, but most of us won’t even realize that we’re being engineered to do something we normally wouldn’t want to do.  This would educate on different methods and how to detect, avoid, and use for good, not evil.  Ok, maybe some evil.
  • Mac Security – So I talk about it here quite a bit, but for those of us in the InfoSec industry it’s not something we talk about often or even at all, aside from getting into turf wars about which platform is better.  Macs are just as vulnerable as PCs.  Surprise. 🙂

Additional ideas?  I’m not keen on doing stuff that’s already been done, but would like to help educate on something that isn’t often thought of.  Post in the comments!

Posted in Mac, News, Real World, SANS | 1 Comment

Application whitelisting, good or bad?

(This was a draft that’s been hiding for a few months, but it’s still relevant, even if the initial post it references is 3 months old.)

So whitelisting has been brought up again. Those of you familiar with Marcus Ranum will know that he’s in favor of it. And I’ve mentioned him quite a few times on this blog already.

The upside of (application) whitelisting:

  • You don’t necessarily have to combat every new threat with updates.
  • Whitelists are inherently smaller than blacklists, thus easier to maintain.
  • You have control over what runs on the system.
  • Effectiveness + Simplicity + Control = Good Security

The downside of (application) whitelisting:

  • It will only serve to force a new attack vector. Like happened with firewalls, malicious traffic is often now seen on ports that are allowed (53, 80, 443). Malicious applications will inject/pose/replace/eat valid applications that are allowed.
  • Who decides what is allowed? Users are dumb and will allow everything. Vendors cannot be trusted. Companies have business practices that will force them to allow insecure programs.
  • Users will hate it. People want the freedom to do what they want with what they use/own (or at least they want that impression).

Now before I get assaulted, I know there are some faults in the downsides listed above. A new attack vector for example. There are always new attack vectors, and we already see this one in the wild today. My point is that it won’t be a “fix it all” solution and whoever implements it will invariably tout it as such.

Also, to the “Users will hate it” comment, you may point out that Apple and many other vendors have done something similar. Apple, for example, is essentially whitelisting applications that are able to run on the iPhone. They must be approved by Apple first, and Apple has the ability/(right?) to remotely disable them at any time. The key here is that the average user doesn’t realize this, and doesn’t care. They’ve got a huge list of applications from which to choose and almost unlimited possibility with those additional features. Sure, you’ve got the select few who “jailbreak” their phone to get something specific to run on it, or just to spite Apple, but they’re the minority.

I’m curious to know what the rest of the community thinks about application whitelisting. Good? Bad? Indifferent?  Did I miss any major benefits or pitfalls?

Posted in Mac, Malware, Real World, Uncategorized | 1 Comment

GSEC Mentor Session in Sept – Germantown, MD

Found a fun email in my mailbox this morning.

Starting September 21st, SANS will be running Security Essentials in Germantown, MD.  This course will be taught by SANS Mentor Seth Matheson.

For complete event details visit

Security Essentials teaches you the language and underlying theory of computer security that are essential for effective performance if you have responsibility for security systems and/or organizations.

This course is endorsed by the Committee on National Security Systems (CNSS) NSTISSI 4013 Standard for Systems Administrators in Information Systems Security (INFOSEC).

It also fulfills the DOD 8570 requirements.

Event Information:
Dates: September 21 – November 23, 2010 (Class meets once a week from 6:30-8:30PM on Tuesdays)

CPEs: 36

GIAC Certification: GIAC Security Essentials Certification (GSEC) This class certification is one of the information assurance certifications
listed on the DoD Information Assurance Directive 8570 list,

Tuition: $2695, which is a $400 savings when you register early at

For group discounts please contact

What is the SANS Mentor Program:

The SANS Mentor Program offers you local, live training over the course of several weeks. This format allows students to understand, apply and digest the material each week and return with any questions at the next class session. Mentor classes are smaller classes, which gives students the opportunity to directly interact with each other and the Mentor in a hands-on environment.

With local training from a SANS Mentor you save on travel expenses, time away from work, family and save on average 25% on the tuition cost. If you have a limited training budget this SANS Mentor class will get you the knowledge you need at savings you can use.

If this sounds like the kind of local, live training you can use please register today at

So the answer is YES!  I really want to go take one of those awesome SANS classes with that really smart guy who also happens to be funny, articulate and devilishly handsome! (1)

I hear he also has really cool hats.

Seriously, if you’re interested let me know.  Depending on the situation, I may be able to get you additional discounts aside from the early-bird registrations.

(1) That second to last bit may be subjective to each individual’s preferences.  And yes, I’m referring to ‘devilishly’.
Posted in Real World, SANS | Comments Off on GSEC Mentor Session in Sept – Germantown, MD

About the BOF at #SANSFIRE: Mac Security

So I’ve gotten a few questions about what the Mac Security BOF (Birds of a Feather – SANS event that’s essentially a discussion on a given talk by SANS attendees for SANS attendees) is about on Thursday night.  So I’ll give a quick summary below.

Securing the Forgotten Asset: Mac Security

Macs are becoming more and more popular in the enterprise.  In some cases, they’re one-offs; only a few C-level folks have them because IT can’t say no.  In other cases, they might make up entire departments or even a majority of your users’ desktops.

The current IT mindset is that Macs are secure out of the box.  They don’t get malware and don’t have to worry about passwords or anything else because they don’t interface with modern networks anyway.  End-users are switching to them from Windows PCs because they largely don’t have the same technical controls and software requirements as PCs and are viewed as less of a hassle and easier to use.

Unfortunately, the Mac platform is far from secure.  Sure there are a lot of things that are done right, but the attackers know that they’re becoming more and more popular and that they have almost no oversight by IT/Security.  What does this mean?  Gold mine for the attackers; a user who doesn’t think his machine can be hacked, a machine that doesn’t have proper security controls, and an IT department that isn’t aware of the risks or how to deal with them.  How do we defend against this and close this often forgotten hole in our infrastructure?

So I’m open to where this discussion leads; the above is merely a starting point.  If you’ve got further ideas or questions, please let me know.

Posted in Mac, Real World, SANS | 1 Comment

Day 1 – GWAPT

So aside from the multitude of updates today (Safari, iTunes, iPhone, etc etc), and fun releases (Josh Wright and WiMAX hacking), my brain is a little melted.

Just spent a day with Kevin Johnson and SEC542.  Good material, great teaching style, and the guy is fricking hilarious (ask him about NoScript).  Lots of similarities to SEC560; but that’s to be expected I guess.

Finished the day with beer and pizza with some SANS folks.  Aside from the 2 hr round trip commute, it’s been a good day.  Bed time.

Posted in SANS, Web Attacks | Tagged | Comments Off on Day 1 – GWAPT

SANSFIRE 2010!
Well that time of year is upon us again.  No, I’m not talking about summer, your local DC heat wave of wetness, or my angry time of the month.  SANSFIRE.

It’s a yearly IT Security conference held in Baltimore each year around this time by the crazy folks at SANS.  A good place to pick up a bit of knowledge about being a packet ninja or have a beer with some fun people.

For those of you attending; look for a BOF sometime this week about how to protect that network asset that everyone seems to forget (Mac Security in the Enterprise; yes it can be done and it should be!).

Posted in Real World | Comments Off on SANSFIRE 2010!