$Cambridge: hermes/doc/talks/2009-11-nessus/Notes,v 1.2 2009/11/06 09:28:00 dpc22 Exp $

Rough overview of talk
======================

Background
==========

Old probing suite
  History
  Problems
    Limited number of tests
    Unix bias, reflecting developers
    Hand crafted:
      Only real alternatives Satan/Saint.
      Made sense in 1999, not in 2009

Review of vulnerability scanners
================================

Nessus obvious choice from 2000 to 2005
  Reputation head and shoulders above anything else
  Closed source in 2005: OpenVAS fork of Nessus v2 code

Honourable mention to nmap for port scanning.
  Nessus can use nmap as port scanner, no real advantages.

Nessus vs OpenVAS
=================

Nessus: $1200 per year per scanner.
  30k plugins
  IPv6 support
  Nessus v4 4 x faster (single giant multithreaded process).
  Get commercial support for false positive problems.
    Value of support still to be determined

OpenVAS free:
  15k plugins (approx 7k Nessus plugins released under GPL).
  Less useful results (misses a lot of stuff that Nessus picked up).
  More obvious false positives.
  Doesn't appear to be gaining traction: hobbyist project

Eventually chose Nessus:
  May review this decision if OpenVAS improves: output 100% compatible.

Example plugin (2 slides, plus one for output)
==============

NASL scripting language:
  Sandbox environment: can only poke at
  Vaguely PHP syntax. Rather limited/ad hoc.
  Main advantage is existing plugins library.

/* ====================================================================== */

Current Probing schedule
========================

131.111.0.0/18        Monday
131.111.64.0/18       Tuesday
131.111.128.0/18      Wednesday
131.111.192.0/18      Thursday

172.16.0.0/14         Monday
172.20.0.0/14         Tuesday
172.24.0.0/14         Wednesday
172.28.0.0/14         Thursday

128.232.128.0/17      Friday
192.153.213.0/24      Friday
193.60.80.0/20        Friday
2001:630:200::/48     Friday

Split main CUDN into four equal sized chunks. Odds and ends on Friday.

Five day probing schedule, much better than expected.
  Test starts at 09:30.
  Mostly finished by 16:30
    - slowscan list (> 5k)
    - Have blacklisted very slow hosts (> 20k secs)

Optional Email messages summarising results:
  - not currently sending notifications before probing starts

The scan
========

Scans hosts listed in Jackdaw IP register database
  Was originally doing exhaustive scan of our address space
    - picks up unregistered hosts.
    - Doesn't work with IPv6!

Ping test:
  ICMP ping (ICMP echo request)
  TCP SYN ping (TCP connections to 30 commonly used ports)

TCP Portscan of 4500 commonly used ports

Runs 31,500 plugins, building knowledge base as it goes.
  - Plugin ids in range 10,000 to 41,500
  - 30k figure a bit of a red herring as 80% are local "credentialled" scans
    - will cover credentialled scans at the end.
  - List of plugins updated once a week. Plugins GPG signed by Tenable.

Output dumped into database when probing finished for the day.
  Obsolete results marked as expired, not removed immediately.

Raw output is unstructured and very verbose compared to old probing suite
  I have assigned risk factors so they can be filtered, summarised

Nessus classifies plugins into 11 categories, 47 families
  My experience: classification not much use for remote scans

/* ====================================================================== */

Web Interface to results
========================

Interface influenced by (abandoned) Inprotect tool.
  Risk factors
  Summary screens.
  Black lists.
  Access controls.
  (No silly trend graphs, at least not yet)

Requirements:
  Designed to scale to 50k hosts, delegated management
    Lots of materialised views to speed Postgres along.
  Linked to Raven + IPregister database.
  History for each IP address:
    Track new vulnerabilities
    Can get at old/expired vulnerabilities.

Apache/mod_perl/Mason + Postgres database
  First pass was Groovy on Grails.
  Native IP address objects

User interface (live demo?)
===========================

Default page

Summary pages for one access
  Hosts
  Ports
  Plugins

Show some sample results for hosts:
  Half a dozen examples of the sort of things Nessus is looking for
  Good results
  False positives

Blacklists
==========

Blacklisting hosts
  IP address
  Netblock/Instid/Domain

Plugins blacklist
  Promoting plugins blacklist

Scan options
============

Options tab:
  Safe checks
  CGI scanning/Web application tests
  Scan fragile devices: Printers/Netware

Queue host for immediate rescan
  Can take a few hours to complete

/* ====================================================================== */

Access control for managers
===========================

IP register database has MZONES (InstID)
  - each IPv4 address belongs to an MZONE (possibly more than one?)
  - each IPv6 subnet belongs to an MZONE
  - each domain (e.g. csi.cam.ac.uk) registered against MZONE

Each MZONE has list of updaters: Managers for probing suite
  Can add extra managers through Web interface

Results aren't secret (anyone could run Nessus scanner)
  Are at least a little sensitive.

Access control for users
========================

Access to individual hosts
  ENDUSER and SYSADMIN fields might include CRSids or email addresses
    - Not designed for this purpose!
    - Institution Managers can add to access list
  ENDUSER/SYSADMIN tied to hostname rather than IP address:
    Access should get revoked automatically when IP address recycled.

/* ====================================================================== */

Future work
===========

Better summary pages would be nice
  Open to ideas

Credentialled scans
  80% of Nessus plugins designed to run on remote systems
  Results much more reliable than remote view
  SSH to Unix platforms (including MacOS X)
    SSH key pair. Target account doesn't have to be root
  SMB to Windows platforms:
    Various challenge response schemes involving username + password
    NTLMv2 default, preferred
    Target account has to be admin (or at least have read-only access to all)
    Big security concern!
Q: What do COs think about opt-in credentialed scan?
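The results handling the notes describe (daily output merged into a database, obsolete findings marked expired rather than deleted, per-IP history with hand-assigned risk factors for filtering) can be sketched as follows. This is an added example, not code from the talk or from the Cambridge probing suite; the plugin ids, risk factor table and sample findings are constructed, and hosts not on today's schedule are deliberately left untouched so a Monday netblock is not expired by Tuesday's run.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical plugin ids with hand-assigned risk factors (constructed; the
# notes only say risk factors were assigned so results can be filtered).
RISK_FACTOR = {10001: "High", 10002: "Medium", 10003: "Low"}
RISK_RANK = {"High": 3, "Medium": 2, "Low": 1, "Unknown": 0}

Key = Tuple[str, int, int]  # (normalised IP text, port, plugin id)


@dataclass
class Finding:
    ip: str
    port: int
    plugin_id: int
    first_seen: str               # ISO dates ("2009-11-02") sort lexically
    last_seen: str
    expired: Optional[str] = None  # set when it drops out of a scan, never deleted

    @property
    def risk(self) -> str:
        return RISK_FACTOR.get(self.plugin_id, "Unknown")


class ResultStore:
    """Merges each day's raw (ip, port, plugin) hits into a history per IP."""

    def __init__(self) -> None:
        self.history: List[Finding] = []      # every finding ever recorded
        self.active: Dict[Key, Finding] = {}  # findings not yet expired

    def merge_run(self, run_date: str, scanned: Set[str], raw: List[Key]) -> List[Finding]:
        """Merge one day's output and return the findings that are new today.
        Only hosts in `scanned` can have findings expired."""
        scanned = {str(ip_address(h)) for h in scanned}
        seen: Set[Key] = set()
        new: List[Finding] = []
        for ip, port, plugin in raw:
            key = (str(ip_address(ip)), port, plugin)  # canonical v4/v6 text
            seen.add(key)
            if key in self.active:
                self.active[key].last_seen = run_date
            else:                                     # new, or back after expiry
                f = Finding(key[0], port, plugin, run_date, run_date)
                self.active[key] = f
                self.history.append(f)
                new.append(f)
        for key, f in list(self.active.items()):
            if f.ip in scanned and key not in seen:   # scanned today, not found
                f.expired = run_date
                del self.active[key]
        return new

    def for_ip(self, ip: str, min_risk: str = "Low", include_expired: bool = True) -> List[Finding]:
        """History for one address, filtered by risk factor and expiry."""
        ip = str(ip_address(ip))
        return [f for f in self.history
                if f.ip == ip and RISK_RANK[f.risk] >= RISK_RANK[min_risk]
                and (include_expired or f.expired is None)]
```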