    So you want to build a Security Program? Part 1 - Vulnerability Scanning

    Scheduled Pinned Locked Moved IT Discussion
    72 Posts 13 Posters 8.2k Views
    • IRJI
      IRJ @momurda
      last edited by

      @momurda said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

      I have installed using the Hyper-V image on my workstation. Have run a scan.
      The scan results don't make any sense.
      It is showing I am running about 10 different insecure versions of the Linux kernel, none of which I am running on the machine I scanned.
      [image: snippet of the PDF scan report listing kernel versions]
      Above is a snippet of a PDF report of the scan showing me a list of kernels which are not on this server as far as I know.
      uname -r
      returns
      [image: output of uname -r]

      I've seen this before when credentials don't work and a vulnerability scanner has to guess the OS version. Are you sure the credentials worked on that first scan?

      IRJI 1 Reply Last reply Reply Quote 0
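The tell-tale sign IRJ describes (one host "running" ten different kernels) can be checked mechanically before anyone reads the PDF. The script below is an added example for this thread, not code from the original post or from any scanner vendor; it assumes the scanner report has been reduced to (host, finding title) pairs and that an out-of-band inventory of the real kernel version (from `uname -r`) exists per host. All sample data in it is constructed.

```python
"""Flag scan results that look like OS-fingerprint guesses rather than
credentialed checks.

Added example for this thread, not code from the original post or from any
scanner vendor. It assumes the scanner's report has been reduced to
(host, finding title) pairs and that an out-of-band inventory of the real
kernel version (from `uname -r`) exists per host. All sample data below is
constructed.
"""
import re
from collections import defaultdict

# Matches "Linux Kernel 4.4.0" or "Linux Kernel 4.4.0-78-generic" in a title.
KERNEL_RE = re.compile(r"linux kernel\s+(\d+\.\d+\.\d+[\w.-]*)", re.IGNORECASE)

# Constructed scan findings: (host, finding title).
SCAN_FINDINGS = [
    ("10.0.0.5", "Linux Kernel 3.10.0 Local Privilege Escalation"),
    ("10.0.0.5", "Linux Kernel 3.13.0 Multiple Vulnerabilities"),
    ("10.0.0.5", "Linux Kernel 4.4.0 Use-After-Free"),
    ("10.0.0.5", "OpenSSH < 7.4 Multiple Vulnerabilities"),
    ("10.0.0.6", "Linux Kernel 4.4.0-78-generic Outdated Package"),
]

# Constructed inventory: what `uname -r` actually returns on each host.
INVENTORY = {
    "10.0.0.5": "4.4.0-78-generic",
    "10.0.0.6": "4.4.0-78-generic",
}


def kernel_versions_in_findings(findings):
    """Collect the distinct kernel versions the scanner claims, per host."""
    per_host = defaultdict(set)
    for host, title in findings:
        match = KERNEL_RE.search(title)
        if match:
            per_host[host].add(match.group(1))
    return per_host


def version_matches(claimed, actual):
    """A claimed version matches if it is a prefix of the real `uname -r`
    string; scanners often report 4.4.0 for a 4.4.0-78-generic kernel."""
    return actual is not None and actual.startswith(claimed)


def suspicious_hosts(findings, inventory, max_claimed=1):
    """Return hosts whose findings name more distinct kernels than one box
    can run, or name kernels that contradict the inventory. Either pattern
    is a strong sign the credentialed login failed and the scanner fell back
    to banner/fingerprint guessing, which is what the quoted report shows."""
    result = {}
    for host, claimed in kernel_versions_in_findings(findings).items():
        actual = inventory.get(host)
        mismatched = sorted(v for v in claimed if not version_matches(v, actual))
        if len(claimed) > max_claimed or mismatched:
            result[host] = {
                "claimed": sorted(claimed),
                "actual": actual,
                "mismatched": mismatched,
            }
    return result


if __name__ == "__main__":
    for host, detail in suspicious_hosts(SCAN_FINDINGS, INVENTORY).items():
        print(f"{host}: scanner claims {detail['claimed']}, "
              f"uname -r says {detail['actual']}; re-check scan credentials")
```

Run against a real export, a host that shows up here is one where the first thing to verify is the scan credential (account, key, sudo rights), not the kernel findings themselves.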
      • IRJI
        IRJ @IRJ
        last edited by

        @IRJ said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

        @momurda said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

        I have installed using the Hyper-V image on my workstation. Have run a scan.
        The scan results don't make any sense.
        It is showing I am running about 10 different insecure versions of the Linux kernel, none of which I am running on the machine I scanned.
        [image: snippet of the PDF scan report listing kernel versions]
        Above is a snippet of a PDF report of the scan showing me a list of kernels which are not on this server as far as I know.
        uname -r
        returns
        [image: output of uname -r]

        I've seen this before when credentials don't work and a vulnerability scanner has to guess the OS version. Are you sure the credentials worked on that first scan?

        Nvm, reading comprehension helps... lol

        1 Reply Last reply Reply Quote 0
        • IRJI
          IRJ
          last edited by

          Another thing to note is that credentialed scans are much more polite compared to non-credentialed scans. Non-credentialed scans are much more taxing on the box, since everything is guessed, slamming the box.

          dafyreD 1 Reply Last reply Reply Quote 1
          • dafyreD
            dafyre @IRJ
            last edited by

            @IRJ said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

            Another thing to note is that credentialed scans are much more polite compared to non-credentialed scans. Non-credentialed scans are much more taxing on the box, since everything is guessed, slamming the box.

            A non-credentialed scan would be more akin to a hacker attacking and trying to get in, I would think.

            Have you tried throwing more CPU cores at OpenVAS instead of / in addition to RAM?

            I ran it on 4GB RAM / 4 CPU Cores for ~30 Servers and got reasonable performance out of it.

            IRJI 3 Replies Last reply Reply Quote 1
            • IRJI
              IRJ @dafyre
              last edited by

              @dafyre said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

              @IRJ said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

              Another thing to note is that credentialed scans are much more polite compared to non-credentialed scans. Non-credentialed scans are much more taxing on the box, since everything is guessed, slamming the box.

              A non-credentialed scan would be more akin to a hacker attacking and trying to get in, I would think.

              Have you tried throwing more CPU cores at OpenVAS instead of / in addition to RAM?

              I ran it on 4GB RAM / 4 CPU Cores for ~30 Servers and got reasonable performance out of it.

              How long did it take to complete on 30+ servers?

              dafyreD 1 Reply Last reply Reply Quote 0
              • IRJI
                IRJ @dafyre
                last edited by

                @dafyre said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                @IRJ said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                Another thing to note is that credentialed scans are much more polite compared to non-credentialed scans. Non-credentialed scans are much more taxing on the box, since everything is guessed, slamming the box.

                A non-credentialed scan would be more akin to a hacker attacking and trying to get in, I would think.

                Have you tried throwing more CPU cores at OpenVAS instead of / in addition to RAM?

                I ran it on 4GB RAM / 4 CPU Cores for ~30 Servers and got reasonable performance out of it.

                Yes, I have, but part of my bias is total time of scans compared to other solutions. I bet a Nessus scanner with 1GB of RAM on 2 cores would finish in less than half the time. So I am comparing efficiency here.

                1 Reply Last reply Reply Quote 0
                • dafyreD
                  dafyre @IRJ
                  last edited by

                  @IRJ said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                  @dafyre said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                  @IRJ said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                  Another thing to note is that credentialed scans are much more polite compared to non-credentialed scans. Non-credentialed scans are much more taxing on the box, since everything is guessed, slamming the box.

                  A non-credentialed scan would be more akin to a hacker attacking and trying to get in, I would think.

                  Have you tried throwing more CPU cores at OpenVAS instead of / in addition to RAM?

                  I ran it on 4GB RAM / 4 CPU Cores for ~30 Servers and got reasonable performance out of it.

                  How long did it take to complete on 30+ servers?

                  I don't rightly remember an exact number, but I want to say an hour or three running the full, no-holds-barred scans. (I crashed a vulnerable server a time or two with it, ha ha!)

                  1 Reply Last reply Reply Quote 0
                  • IRJI
                    IRJ @dafyre
                    last edited by

                    @dafyre said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                    @IRJ said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                    Another thing to note is that credentialed scans are much more polite compared to non-credentialed scans. Non-credentialed scans are much more taxing on the box, since everything is guessed, slamming the box.

                    A non-credentialed scan would be more akin to a hacker attacking and trying to get in, I would think.

                    Yes, but in addition to the vulnerability scans you are going to see special scans depending on what they find. If I find a WordPress site, you better believe I am kicking off wpscan to look for weaknesses. If I know it is a DB server, I am going to try some SQL and Oracle scans. You get the point.

                    So don't forget to run those types of scans with information you can gather from a non-credentialed scan.

                    dafyreD 1 Reply Last reply Reply Quote 2
                    • dafyreD
                      dafyre @IRJ
                      last edited by

                      @IRJ said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                      @dafyre said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                      @IRJ said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                      Another thing to note is that credentialed scans are much more polite compared to non-credentialed scans. Non-credentialed scans are much more taxing on the box, since everything is guessed, slamming the box.

                      A non-credentialed scan would be more akin to a hacker attacking and trying to get in, I would think.

                      Yes, but in addition to the vulnerability scans you are going to see special scans depending on what they find. If I find a WordPress site, you better believe I am kicking off wpscan to look for weaknesses. If I know it is a DB server, I am going to try some SQL and Oracle scans. You get the point.

                      So don't forget to run those types of scans with information you can gather from a non-credentialed scan.

                      Does OpenVAS do this now? I don't recall that it did before (admittedly, it has been a while since I've used it).

                      IRJI 1 Reply Last reply Reply Quote 0
                      • IRJI
                        IRJ
                        last edited by

                        For anyone that wants to test OpenVAS on something that is not remotely production and see OpenVAS light up like a Christmas tree, OWASP has a very vulnerable VM you can download.

                        https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project

                        1 Reply Last reply Reply Quote 1
                        • IRJI
                          IRJ @dafyre
                          last edited by

                          @dafyre said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                          @IRJ said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                          @dafyre said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                          @IRJ said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                          Another thing to note is that credentialed scans are much more polite compared to non-credentialed scans. Non-credentialed scans are much more taxing on the box, since everything is guessed, slamming the box.

                          A non-credentialed scan would be more akin to a hacker attacking and trying to get in, I would think.

                          Yes, but in addition to the vulnerability scans you are going to see special scans depending on what they find. If I find a WordPress site, you better believe I am kicking off wpscan to look for weaknesses. If I know it is a DB server, I am going to try some SQL and Oracle scans. You get the point.

                          So don't forget to run those types of scans with information you can gather from a non-credentialed scan.

                          Does OpenVAS do this now? I don't recall that it did before (admittedly, it has been a while since I've used it).

                          No. Most of those tools are available in Kali, but I prefer to use Ubuntu and install what I need.

                          1 Reply Last reply Reply Quote 1
                          • DustinB3403D
                            DustinB3403
                            last edited by

                            So I've been using OpenVAS for a while now, and the results are enlightening. One question though: how do I make sure the NVTs are current?

                            I tried running openvasmd --update && openvasmd --rebuild from a shell and was told that openvasmd isn't recognized.

                            1 Reply Last reply Reply Quote 0
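Whatever the sync command is called on a given release (openvas-nvt-sync on OpenVAS 8/9, greenbone-nvt-sync on later Greenbone builds, followed by the openvasmd --update / --rebuild step quoted above), the question "are my NVTs current?" is best answered by looking at the feed's own timestamp rather than trusting that a cron job ran. The script below is an added example for this thread, not code from the original post or from the OpenVAS/Greenbone project. It assumes the feed metadata file that OpenVAS 8/9 installs at /var/lib/openvas/plugins/plugin_feed_info.inc, whose PLUGIN_SET value is the feed build timestamp as YYYYMMDDHHMM; both the path and the format are assumptions to verify on your own install, and the embedded sample of the file is constructed.

```python
"""Report the age of the installed OpenVAS NVT feed.

Added example for this thread, not code from the original post or from the
OpenVAS/Greenbone project. It assumes the feed metadata file that OpenVAS 8/9
installs at /var/lib/openvas/plugins/plugin_feed_info.inc, whose PLUGIN_SET
value is the feed build timestamp as YYYYMMDDHHMM. Both the path and the
format are assumptions to verify on your own install; a constructed sample
of the file is embedded so the checks run offline.
"""
import re
from datetime import datetime, timezone

FEED_INFO_PATH = "/var/lib/openvas/plugins/plugin_feed_info.inc"  # assumed path
PLUGIN_SET_RE = re.compile(r'^PLUGIN_SET\s*=\s*"(\d{12})"\s*;', re.MULTILINE)

# Constructed sample of plugin_feed_info.inc (format is an assumption).
SAMPLE_FEED_INFO = '''PLUGIN_SET = "201706201524";
PLUGIN_FEED = "OpenVAS NVT Feed";
'''


def parse_feed_timestamp(text):
    """Extract PLUGIN_SET and return it as a timezone-aware datetime (UTC)."""
    match = PLUGIN_SET_RE.search(text)
    if match is None:
        raise ValueError("PLUGIN_SET not found; file format differs from the assumption")
    return datetime.strptime(match.group(1), "%Y%m%d%H%M").replace(tzinfo=timezone.utc)


def as_utc(when):
    """Accept an aware datetime or an ISO-8601 string (taken as UTC)."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when


def feed_age_days(text, now):
    """Age of the feed in fractional days relative to `now`."""
    return (as_utc(now) - parse_feed_timestamp(text)).total_seconds() / 86400


def feed_status(text, now, max_age_days=7):
    """Summarise freshness. A feed older than max_age_days is flagged stale,
    meaning every scan since then has silently missed the newer NVTs."""
    age = feed_age_days(text, now)
    return {
        "feed_timestamp": parse_feed_timestamp(text).isoformat(),
        "age_days": round(age, 1),
        "stale": age > max_age_days,
    }


def check_installed_feed(path=FEED_INFO_PATH, max_age_days=7):
    """Read the real file; fall back to the constructed sample when absent so
    the script still shows its output on a machine without OpenVAS."""
    try:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
    except FileNotFoundError:
        text = SAMPLE_FEED_INFO
    return feed_status(text, datetime.now(timezone.utc), max_age_days)


if __name__ == "__main__":
    print(check_installed_feed())
```

A stale result is worth alerting on from the scanner host itself: a scan that finishes cleanly against a months-old feed is the kind of false comfort that is hard to notice from the report alone.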
                            • stacksofplatesS
                              stacksofplates
                              last edited by

                              So @IRJ I wasn't sure where else to put this. Do you give root access to your vulnerability scanners? Just a conversation I've been having with some people here.

                              IRJI 1 Reply Last reply Reply Quote 0
                              • IRJI
                                IRJ @stacksofplates
                                last edited by

                                @stacksofplates said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                                So @IRJ I wasn't sure where else to put this. Do you give root access to your vulnerability scanners? Just a conversation I've been having with some people here.

                                Unfortunately they need root to scan according to Tenable's documentation. You can set a specific login window for that account to correlate with your scan. That way it isn't abused anywhere besides during the scan window. Not really 100% secure, but it's better than leaving it wide open.

                                stacksofplatesS 1 Reply Last reply Reply Quote 0
                                • stacksofplatesS
                                  stacksofplates @IRJ
                                  last edited by stacksofplates

                                  @irj said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                                  @stacksofplates said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                                  So @IRJ I wasn't sure where else to put this. Do you give root access to your vulnerability scanners? Just a conversation I've been having with some people here.

                                  Unfortunately they need root to scan according to Tenable's documentation. You can set a specific login window for that account to correlate with your scan. That way it isn't abused anywhere besides during the scan window. Not really 100% secure, but it's better than leaving it wide open.

                                  Ya, we do SCAP with the Red Hat SCAP tool. We don't control the Nessus box so we weren't going to give up root access, and they are essentially just checking patch levels.

                                  What I don't get is why they need root access. If there is a vulnerability, it has to be able to be seen/leveraged from an unprivileged account. Sure you can see vulnerabilities when you log in as root, because you are the vulnerability. I think it's kind of pointless.

                                  IRJI 1 Reply Last reply Reply Quote 0
                                  • IRJI
                                    IRJ @stacksofplates
                                    last edited by

                                    @stacksofplates said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                                    @irj said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                                    @stacksofplates said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                                    So @IRJ I wasn't sure where else to put this. Do you give root access to your vulnerability scanners? Just a conversation I've been having with some people here.

                                    Unfortunately they need root to scan according to Tenable's documentation. You can set a specific login window for that account to correlate with your scan. That way it isn't abused anywhere besides during the scan window. Not really 100% secure, but it's better than leaving it wide open.

                                    Ya, we do SCAP with the Red Hat SCAP tool. We don't control the Nessus box so we weren't going to give up root access, and they are essentially just checking patch levels.

                                    What I don't get is why they need root access. If there is a vulnerability, it has to be able to be seen/leveraged from an unprivileged account. Sure you can see vulnerabilities when you log in as root, because you are the vulnerability. I think it's kind of pointless.

                                    You can do an external uncredentialed scan against a box and only see a few vulnerabilities. It doesn't mean the box only has those vulnerabilities. A skilled hacker could try common exploits against the box and possibly breach it. Another possibility is they are using their own scripts against the box instead of what you'd see with an out of the box scanner.

                                    stacksofplatesS 1 Reply Last reply Reply Quote 1
                                    • stacksofplatesS
                                      stacksofplates @IRJ
                                      last edited by

                                      @irj said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                                      @stacksofplates said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                                      @irj said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                                      @stacksofplates said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                                      So @IRJ I wasn't sure where else to put this. Do you give root access to your vulnerability scanners? Just a conversation I've been having with some people here.

                                      Unfortunately they need root to scan according to Tenable's documentation. You can set a specific login window for that account to correlate with your scan. That way it isn't abused anywhere besides during the scan window. Not really 100% secure, but it's better than leaving it wide open.

                                      Ya, we do SCAP with the Red Hat SCAP tool. We don't control the Nessus box so we weren't going to give up root access, and they are essentially just checking patch levels.

                                      What I don't get is why they need root access. If there is a vulnerability, it has to be able to be seen/leveraged from an unprivileged account. Sure you can see vulnerabilities when you log in as root, because you are the vulnerability. I think it's kind of pointless.

                                      You can do an external uncredentialed scan against a box and only see a few vulnerabilities. It doesn't mean the box only has those vulnerabilities. A skilled hacker could try common exploits against the box and possibly breach it. Another possibility is they are using their own scripts against the box instead of what you'd see with an out of the box scanner.

                                      We do credentialed but not privileged. I just don't trust another team to have root access to our stuff. Admins don't even have permission to log into the servers. It's all forced through Tower. Root access is disabled on both console logins and SSH and I get real time notifications for events. To me, I think I'd be going backwards if I gave them root access. If I owned the Nessus box it would be 100% different, but since it's a different team I don't trust it.

                                      1 Reply Last reply Reply Quote 0
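Two controls come up in the exchange above: IRJ's "login window" that limits when the scan account may be used, and stacksofplates' real-time notifications for logins that should not happen. Both are cheap to check from the auth log. The script below is an added example for this thread, not code from the original posts or from any vendor; it assumes OpenSSH's standard "Accepted <method> for <user> from <ip>" auth-log line, a scan account named scanner, a 02:00-04:00 window and a single approved scanner source address, and the log lines in it are constructed.

```python
"""Audit logins by a scanner's service account against its scheduled window.

Added example for this thread, not code from the original posts or from any
vendor. It assumes OpenSSH's standard "Accepted <method> for <user> from <ip>"
auth-log format, a scan account named `scanner`, a window of 02:00-04:00 and
a single approved scanner source address; these and the log lines below are
constructed for the example.
"""
import re
from datetime import datetime, time

AUTH_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)"
)

SCAN_ACCOUNT = "scanner"                # assumed account name
SCAN_WINDOW = (time(2, 0), time(4, 0))  # assumed window, in the log's local time
ALLOWED_SOURCES = {"10.0.0.20"}         # assumed address of the scanner appliance

# Constructed auth.log excerpt: one legitimate scan login, one sudo line the
# parser must ignore, one unrelated user, and one login that breaks the rules.
SAMPLE_AUTH_LOG = """\
Jun 22 02:10:01 web01 sshd[1234]: Accepted publickey for scanner from 10.0.0.20 port 50000 ssh2
Jun 22 02:12:44 web01 sudo:  scanner : TTY=pts/0 ; PWD=/home/scanner ; USER=root ; COMMAND=/usr/bin/dpkg -l
Jun 22 09:30:00 web01 sshd[1400]: Accepted publickey for alice from 10.0.0.50 port 50020 ssh2
Jun 22 14:03:11 web01 sshd[1300]: Accepted password for scanner from 10.0.0.99 port 50010 ssh2
"""


def parse_accepted_logins(text):
    """Yield one dict per successful sshd login line; other lines are skipped."""
    for line in text.splitlines():
        match = AUTH_RE.search(line)
        if match:
            yield match.groupdict()


def in_window(clock, window):
    """True if clock time falls inside [start, end); also handles a window
    that crosses midnight, e.g. (23:00, 01:00)."""
    start, end = window
    if start <= end:
        return start <= clock < end
    return clock >= start or clock < end


def audit_scan_account(text, account=SCAN_ACCOUNT, window=SCAN_WINDOW,
                       allowed_sources=ALLOWED_SOURCES):
    """Return (time, source, reason) for every login of the scan account that
    happened outside the window or came from an unapproved source. Either is
    evidence the credential is being used for something other than the scan."""
    alerts = []
    for event in parse_accepted_logins(text):
        if event["user"] != account:
            continue
        clock = datetime.strptime(event["time"], "%H:%M:%S").time()
        reasons = []
        if not in_window(clock, window):
            reasons.append("outside scan window")
        if event["src"] not in allowed_sources:
            reasons.append(f"unexpected source {event['src']}")
        if reasons:
            alerts.append((event["time"], event["src"], "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for when, src, why in audit_scan_account(SAMPLE_AUTH_LOG):
        print(f"ALERT {SCAN_ACCOUNT} login at {when} from {src}: {why}")
```

This is the detection half. The enforcement half of the "login window" idea can be done with pam_time, whose /etc/security/time.conf takes services;ttys;users;times entries (for example sshd;*;scanner;Al0200-0400, with pam_time.so in the account stack of the sshd PAM service); the audit above still earns its keep afterwards, because it catches the case where the PAM rule was never applied or was later loosened.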
                                      • stacksofplatesS
                                        stacksofplates
                                        last edited by stacksofplates

                                        I don't have permission to change things on their Nessus system. So I think it's more important that they don't have permissions on mine. If we had to do something, I would craft a sudoers file for them vs just give them root/sudo for everything.

                                        dafyreD 1 Reply Last reply Reply Quote 1
                                        • dafyreD
                                          dafyre @stacksofplates
                                          last edited by

                                          @stacksofplates said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                                          I don't have permission to change things on their Nessus system. So I think it's more important that they don't have permissions on mine. If we had to do something, I would craft a sudoers file for them vs just give them root/sudo for everything.

                                          If they're doing real pen testing, they don't need root access to stuff. Hack the box and tell me how you got in!

                                          stacksofplatesS IRJI 2 Replies Last reply Reply Quote 2
                                          • stacksofplatesS
                                            stacksofplates @dafyre
                                            last edited by

                                            @dafyre said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                                            @stacksofplates said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                                            I don't have permission to change things on their Nessus system. So I think it's more important that they don't have permissions on mine. If we had to do something, I would craft a sudoers file for them vs just give them root/sudo for everything.

                                            If they're doing real pen testing, they don't need root access to stuff. Hack the box and tell me how you got in!

                                            Right.

                                            1 Reply Last reply Reply Quote 0