Passive Vulnerability Scanning

So I recently watched a webcast provided by Rapid7. It was called “Ironclad Vulnerability Management: Why Scanning Doesn’t Cut It.” I saw vulnerability management and was immediately interested. It all goes along with the interest-grabbing title technique of stating that something is not good enough, or that something is bad. I figured this is Rapid7, so they would most likely discuss how validation is needed in addition to scanning.

During and after watching the webcast, what stood out to me was how passive vulnerability scanning was presented as not ideal, and maybe not even cost efficient or too much work to be worth it. Specifically, the speaker stated that there were too many events and false positives to deal with. I immediately thought, they are slamming one of their main competitors, Tenable Security. Tenable Security, the makers of Nessus, :D have a product called PVS, or Passive Vulnerability Scanner. In the webcast, the guest stated that they trialed a passive scanner and that it didn’t provide much value.

These types of competitive webcasts are familiar even from the other side. Tenable had a Nessus vs. Qualys webcast not too long ago. Sales tactics in full effect.

So I just want to give my perspective on PVS in the entire Vuln Mgt life cycle.

Vuln scanning is great. Vuln scanning with credentials for patch verification is greater. Exploitation to validate vuln scan findings is even better. Rapidly fixing all these findings on a continuous basis is the best.

Passive vulnerability scanning is not really scanning at all. It is monitoring. It is sniffing packets, nothing more. It’s basically Wireshark or tcpdump. Tenable PVS looks at the packets it sniffs and, as Snort would, detects things. Unlike Snort though, PVS detects signs that a system is vulnerable. If an old Firefox browser surfing the web is sniffed and its headers detected, PVS could tell you your browser is vulnerable to some Firefox vuln and needs to be updated. Sure, many of these PVS events could be false positives, because a lot of times these headers are incorrect, such as an Apache header configured on purpose to display the wrong version of Apache. PVS would trigger a false positive. So no matter what the sales pitch, PVS is limited.

On the other side, one thing PVS can do is, as the speaker in the webinar stated, help you monitor traffic you can’t run active scanning on. Sure it’s still limited, but it’s something. PVS can also help you identify new systems as they come up and generate traffic on the network: new systems that maybe you don’t have configured to scan in your IP ranges, or new IPs that are firewalled off and your scans return 0 results for. So PVS is good for something and not a complete waste. Also, PVS in Tenable’s implementation can be combined with Nessus scans using Security Center. This way you can view PVS data alongside Nessus data and validate both results. Another thing PVS can do is detect potentially compromised systems using plugins that look for traffic to malicious sites. This is similar to IDS, or even what Sourcefire used to call RNA, now called FireSight.
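To make the header-sniffing idea and its false-positive problem concrete, here is an added example (my own illustration, not PVS code or anything from the webcast). It matches product versions out of constructed header lines, trusts a client User-Agent more than a server banner (which can be set to a wrong version on purpose), and marks the banner-based finding as needing validation by an active, credentialed scan. The header lines, the version baseline and the field layout are all assumptions.

```python
import re

# Constructed header lines as a passive sensor might record them:
# "<src> -> <dst> <Header-Name>: <value>" (not real traffic).
SNIFFED = [
    "10.0.0.5 -> 93.184.216.34 User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0",
    "93.184.216.34 -> 10.0.0.5 Server: Apache/2.2.3 (CentOS)",
    "10.0.0.7 -> 93.184.216.34 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:115.0) Gecko/20100101 Firefox/115.0",
]

# Assumed minimum acceptable versions; a real plugin set carries per-vuln version data.
BASELINE = {"firefox": (11,), "apache": (2, 2, 15)}

LINE_RE = re.compile(r"^(?P<src>[\d.]+) -> (?P<dst>[\d.]+) (?P<name>[\w-]+): (?P<value>.+)$")
FIREFOX_RE = re.compile(r"Firefox/(\d+(?:\.\d+)*)")
APACHE_RE = re.compile(r"Apache/(\d+(?:\.\d+)*)")

def vtuple(version):
    """'2.2.3' -> (2, 2, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))

def passive_findings(lines, baseline):
    """Return one finding per outdated version seen in sniffed headers."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a header line we understand
        name, value = m["name"].lower(), m["value"]
        if name == "user-agent":
            fx = FIREFOX_RE.search(value)
            if fx and vtuple(fx[1]) < baseline["firefox"]:
                # The client sent this header; the source IP is the browser host.
                findings.append({"host": m["src"], "product": "Firefox", "version": fx[1],
                                 "evidence": "client User-Agent", "needs_validation": False})
        elif name == "server":
            ap = APACHE_RE.search(value)
            if ap and vtuple(ap[1]) < baseline["apache"]:
                # Banner is self-reported and may be deliberately wrong: confirm it
                # with an active, credentialed scan before opening a ticket.
                findings.append({"host": m["src"], "product": "Apache", "version": ap[1],
                                 "evidence": "server banner (self-reported)",
                                 "needs_validation": True})
    return findings

if __name__ == "__main__":
    for finding in passive_findings(SNIFFED, BASELINE):
        print(finding)
```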

In the webinar, an excellent question was asked: “Does Rapid7 have a PVS technology?” The answer is no, but they work with Sourcefire and could help customers that way. I would say that Sourcefire’s FireSight is not exactly the same as Tenable’s PVS. Sourcefire FireSight focuses a lot on finding data on endpoints, like OS version and even app versions, so that it can be used to tune IPS/IDS rules. Tenable’s PVS is used to find vulnerabilities to take remediation action on. So while they both use packet sniffing techniques, the end results are a bit different.

Finally, my intention for this post is to clarify some fear that may have been transmitted in the webinar by saying that PVS has very little value. I don’t recall Tenable calling it the best tool ever, so be aware of that side of the coin as well. Every tool has its uses, and Rapid7 has a very good suite of tools, as does Tenable. Take a look at all of them and make the decision.

My personal preference, parts of which can be found in my twitter history and previous blog posts, is to use Nessus and import results into Metasploit, and to use PVS to fill in any gaps. On the IDS/IPS side, Sourcefire IPS and FireSight is a great combination. I will even run Wireshark on my desktop. That’s 3 packet capturing tools in total. :)

Configuration Benchmark auditing with Nexpose and Nessus

EDIT: Something I just realized, and Rapid7 confirmed, is that Nexpose does not currently support Cisco, Solaris, or Oracle config auditing. So the breadth of platforms Nexpose can audit is limited in comparison.

Intro: A history/disclaimer before getting into this post. I have extensive experience with Nessus and, more so, the enterprise solution from Tenable called Security Center.

I have had demos from Rapid7 and have run a trial version of the Nexpose VM appliance, as well as a trial of Nexpose installed on Windows.

As far as vulnerability scanning experience in general, I have extensive experience with nmap and IBM ISS Internet Scanner/Enterprise scanner. Just fyi.

With that said, I don’t necessarily want to give recommendations as to what scanner to purchase. The purpose of this post is just to provide the facts based on my experience. Feel free to correct me with comments or via twitter.

So let’s begin!

Nessus: The list of capabilities from Tenable can be found on their site, here. You will see the standards-based audits, such as CIS, DISA STIG, NIST, PCI and more.

Tenable does include tutorial videos on how things work. Paul Asadoorian and Co. do a good job with these. Here is one pertaining to config auditing.

I need to run CIS and DISA STIG config audits on Win2k8, Cisco firewalls, routers and switches, Solaris, and Oracle databases. I also need the ability to modify a CIS audit benchmark, not just the values, such as 3 minutes for session timeouts, but to add additional baseline checks.

The benchmarks used in Nessus are in .audit format. This is proprietary to Nessus: it is a text file that you import into the Nessus tool and can include in a Nessus scan policy. This way you can scan for vulnerabilities and config benchmarks in a single scan job. Pretty easy and simple. The only complication is that if you need to modify the benchmark checks, you will have to understand the .audit file and edit it in Notepad++ or whatever editor of your choice. My thoughts are that it would be pretty nice and easier to have a gui tool to create or edit these policies.

Here is an example of a .audit file benchmark check: (from Tenable documentation)

description: "xp_cmdshell option"
info: "The xp_cmdshell extended stored procedures allows execution of host
executables outside the controls of database access permissions and may be
exploited by malicious users."
info: "Checking that the xp_cmdshell stored procedure is set to '0'"
sql_request: "select value_in_use from sys.configurations where
name = 'xp_cmdshell'"
sql_expect: "0"

This particular check is pretty easy to understand, but there can be more complicated ones, and what if you need to add a custom baseline policy from scratch? Of course documentation is your friend, but a gui tool still may make it a lot easier. A year ago I posted on the Tenable discussions forum, asking if they planned to put in a gui for benchmark compliance policies. They have been looking into the possibility but have some concerns. You can read the discussion here:
I would be very interested in hearing feedback from Nessus customers on their views, based on their experience with Nessus .audit file customization, and whether a gui would benefit them.
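To show what the .audit fragment above actually encodes, here is an added example of my own (not Tenable code and not how Nessus itself evaluates .audit files). It parses the key: "value" pairs, including the quoted sql_request that wraps across lines, and then runs the check against a constructed in-memory SQLite stand-in for SQL Server's sys.configurations table, comparing the result to sql_expect. The sample text, the SQLite table and the two test values are assumptions.

```python
import re
import sqlite3

# Constructed sample in the key: "value" style of the .audit fragment above
# (not a file from Tenable's documentation); values may span lines.
SAMPLE_AUDIT = '''
description: "xp_cmdshell option"
info: "The xp_cmdshell extended stored procedure allows execution of host
executables outside the controls of database access permissions and may be
exploited by malicious users."
info: "Checking that the xp_cmdshell stored procedure is set to '0'"
sql_request: "select value_in_use from sys.configurations where
name = 'xp_cmdshell'"
sql_expect: "0"
'''

# key: "quoted value" pairs; the quoted value may contain newlines.
PAIR_RE = re.compile(r'(\w+):\s*"((?:[^"\\]|\\.)*)"', re.S)

def parse_audit(text):
    """Return the check as a dict; a repeated key (info) becomes a list."""
    check = {}
    for key, raw in PAIR_RE.findall(text):
        value = " ".join(raw.split())      # collapse the line wrapping
        if key in check:
            previous = check[key] if isinstance(check[key], list) else [check[key]]
            check[key] = previous + [value]
        else:
            check[key] = value
    return check

def make_db(xp_cmdshell_value):
    """In-memory stand-in for SQL Server's sys.configurations (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS sys")   # lets 'sys.configurations' resolve
    conn.execute("CREATE TABLE sys.configurations (name TEXT, value_in_use INTEGER)")
    conn.execute("INSERT INTO sys.configurations VALUES ('xp_cmdshell', ?)",
                 (xp_cmdshell_value,))
    return conn

def run_sql_check(check, conn):
    """Execute sql_request and compare the first column of the first row to sql_expect."""
    row = conn.execute(check["sql_request"]).fetchone()
    actual = "" if row is None else str(row[0])
    return {"description": check["description"], "expected": check["sql_expect"],
            "actual": actual, "passed": actual == check["sql_expect"]}

if __name__ == "__main__":
    check = parse_audit(SAMPLE_AUDIT)
    for value in (0, 1):                   # compliant, then non-compliant
        print(run_sql_check(check, make_db(value)))
```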

Nexpose: The list of capabilities for Nexpose performing config benchmarking can be found here. The page states Nexpose covers CIS, FDCC, USGCB and SCAP. I was worried seeing that many other standards were missing from this list. During my exposure to a vendor demo of the product, I noticed some of these capabilities were lacking, but was assured that future releases would provide more coverage. Now, when I downloaded the trial, I noticed that there is a capability to upload a benchmark audit policy to Nexpose, so that solves any standards issues, as long as you have access to XCCDF and OVAL XML files to import into Nexpose. DISA STIGs have these at their website. CIS XML files are available as well to paying members via their website.

So looking at the gui Policy Configuration editor, I am quite impressed. It is a folder hierarchy view and gives the ability to modify values, but not so much the ability to add values. Here is a screenshot of a specific rule:


You can upload your own custom benchmark policies into Nexpose, as long as you create or modify SCAP XCCDF/OVAL files. I had a good discussion with rpoppa from Rapid7 on their Security Street community site about this:

I will say, it does seem easier to edit/create a Nessus .audit file than to mess with XCCDF/OVAL files. More on this later. My question for Nexpose customers is how useful you find the policy manager that gives you a gui to edit/modify values to audit compliance with. Is it of great benefit or is it rarely used? Are the default CIS or FDCC policies the only ones mostly used by customers, with little customization actually done?

Nexpose, as well as Nessus, can scan for vulns and baseline compliance in the same scan. The view of the results is pretty good and exportable if needed, just as in Nessus.

Now back to editing XCCDF/OVAL policies, either for converting to a Nessus .audit file or for importing directly into the Nexpose policy editor. I was searching for a gui editor and found one from a reputable source, MITRE. Take a look here.
You may want to try it and see how it works. I tried it out briefly but hope to soon work with it more intensively. It makes the XML files easier to read and edit. It is good to have an understanding of how XCCDF/OVAL work. There are often 2 files that reference each other, so it can get pretty advanced. My idea for this tool would be to open XCCDF/OVAL files, edit and customize them to customer needs, then save them. From there I can either convert them to a .audit file for Nessus (Tenable has a tool for this conversion) or directly import them into Nexpose. This would of course make the Nexpose policy editor gui unnecessary, because all the editing was done on the XCCDF/OVAL files.

So in conclusion, Nessus and Nexpose provide very good vulnerability scanning solutions. Benchmark compliance auditing is a more in-depth and granular type of scanning. Both of these tools have these capabilities but may be at different levels of maturity. They also seem to have different approaches. So based on your preference, you can either work with relatively easy to edit .audit files in a text editor for Nessus, or a nice gui policy editor in Nexpose, but customize beforehand using XCCDF/OVAL editors. Hopefully this post is informative and helpful. I know it’s not fully complete, as I would like to further test scans on a variety of platforms with different standards/policies. Maybe a follow-up blog post will be needed.

Thanks for visiting.

Security Podcast Episode 4

We are back in the podcast groove, inspired by the latest pauldotcom episode, where he says he will create a blog post or information on how to create a podcast from his experience. He also says that the more infosec podcasts, the better.

So topics are:

- Bsides Puerto Rico – Apr 5 and 6.
- How ISPs get you for torrenting copyright materials. Courtesy Danny from Austin Hacker Space.
- Identifying spam email and its source

Podcast ep4


BSides Puerto Rico = Success

So I was glad to get an acceptance for my submitted CFP to the first edition of BSides Puerto Rico. I had never been, so I was excited to get to know the island and meet some local infosec people. We started off with a rocky beginning in Miami, when the copilot forgot he was flying and didn’t come to work. So we were delayed about an hour I believe, but eventually took off.

The conference had some interesting talks. Royce Davis started it off with some good info on owning systems without getting shell: passing hashes and some Metasploit modules that he wrote. Carlos Perez also gave a good rant on security in general. He made some good points on sticking with the basics, which I touched on a bit in my presentation.

Then Jose Hernandez and I got the privilege of being on the Pauldotcom Espanol podcast with Carlos. We talked about our backgrounds, what we presented, and current challenges and viewpoints in infosec.

My presentation was fun and a good overall experience. Here are the slides:
BSidesPR Preso

They had video cameras at the con, so hopefully they publish that soon as well.

I hope that all the locals enjoyed the conference and help the community grow in Puerto Rico, so this conference can continue to grow.

Special thanks to all the organizers, volunteers and sponsors who helped make this conference possible:
Jose Quinones
Jose Arroyo
Carlos Perez
and all the others.

Thanks also to all those who attended.