Author Archives: Alexander Leonov

About Alexander Leonov

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven't used Telegram yet, give it a try. It's great. You can discuss my posts or ask questions at @avleonovchat. А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

Tracking software versions using Nessus and Splunk

5 Replies

Tracking software versions using Nessus and Splunk. Let’s say you have already exported scan results from Nessus or Tenable SecurityCenter to Splunk using HTTP event connector, or in some other way. And you see that some critical software vulnerability was published. For example, this month Jira critical vulnerability. How to find out, do we have vulnerable servers in our infrastructure or not?

Nessus plus Splunk

Of course we can start a new Nessus scan to detect vulnerable hosts. However, Nessus plugin for this particular vulnerability may be released with a big latency and you will not find this vulnerability in your scans. So, it’s may be faster just to search for detected Jira servers in available scan results using Splunk searching mechanism.

Continue reading

Somebody is watching you: IP camera, TV and Emma Watson’s smartphone

Leave a reply

Somebody is watching you: IP camera, TV and Emma Watson’s smartphone. Today I want to talk today about privacy in a most natural sense. You probably have an internet-connected device with camera an microphone: smartphone, tablet, smart TV, ip camera, baby monitor, etc.

– Can it be used to record video/audio and spy on you?
– Of course, yes!
– Only government and device vendor has resources to do it?
– Not really

Somebody is watching you

The sad truth is: most of internet-connected devices have security problems, and, unlike traditional desktops and servers, it’s much harder to patch them. Even if the vendor fixed the issue. The customers, average people, just don’t bother themselves to do it. Each week it’s become easier to access user data and even get full control over device. Hackers and pranksters may do it just for lulz, because they can.

Let’s see it on concrete examples.

Continue reading

Tenable.IO VM: connected scanners and asset UUIDs

3 Replies

Tenable.IO VM: connected scanners and asset UUIDs. I have already wrote earlier about new features of Tenable.io VM cloud vulnerability scanner. In this post, I would like to show how Tenable.io cloud service works with Nessus scanner deployed inside your network. Spoiler! Everything is very different from Nessus and Tenable SecurityCenter.

Nessus registration process

I also would like to demonstrate how Nessus creates Asset IDs (Tenable UUIDs) on the the host during authenticated scanning and how can we get this IDs from the scan results.

Continue reading

Vulners Subsriptions and Apache Struts RCE

Leave a reply

Vulners Subsriptions and Apache Struts RCE. If you work in IT Security Department of any large software developing company, you were probably searching for Apache Struts in your environment on this week.

And it’s all because of CVE-2017-5638:

Apache Struts is a free, open-source, Model-View-Controller (MVC) framework for creating elegant, modern Java web applications, which supports REST, AJAX, and JSON.
In a blog post published Monday, Cisco’s Threat intelligence firm Talos announced the team observed a number of active attacks against the zero-day vulnerability (CVE-2017-5638) in Apache Struts

This is a good example, that shows the usefulness of the Vulners.com service.

Just open cvelist:CVE-2017-5638 query and you will see all the objects related to this issue. This request works even before this CVE number appear on NVD and Mitre databases!

Vulners Apache Struts2 RCE

Here are: description of the vulnerability from The Hacker News, manual on how to use this vulnerability to gain server access from myhack58, Nessus local windows and remote cgi detection plugins.

Continue reading

Selenium, SikuliX and Social Network posting

2 Replies

Selenium, SikuliX and Social Network posting. The last post was about SikuliX. It’s fair to say that it’s not optimal for web applications automation. For such applications, it’s better to use something, that will natively work with your web-browse. The first solution that comes to mind is, of course, Selenium.

Selenium is a portable software-testing framework for web applications. Selenium provides a record/playback tool for authoring tests without the need to learn a test scripting language.

This app is released under the Apache 2.0 license and is a very common tool for Quality Assurance (QA). It can be also used in Information Security. For example, you can upload Selenium scripts in Qualys WAS (Web Application Scanner)  to help scanner in performing some complex operations, for example in authentication on the website.

Selenium Upload script in Qualys

Selenium is available in a form of two products: Selenium WebDriver for some hardcore automation and web-browser plugin Selenium IDE, which will help you to create and run scripts. I chose Selenium IDE.

Selenium types

Continue reading

Gartner’s view on Vulnerability Management market

2 Replies

Gartner’s view on Vulnerability Management market. Not so long time ago Gartner’s report “Vulnerability Management an essential piece of the security puzzle” has become publicly available. Now you can read it for free by filling out a questionnaire on F-Secure website.

Gartner VM Market Guide

At the bottom of the document there is a reference to Gartner G00294756 from 05 December 2016. This document is quite fresh, especially for not very dynamic VM market ;-), and pretty expensive. Thanks for F-secure, we can read it now for free. If you are wondering why this anti-virus company is sponsoring Gartner VM reports: year ago they have bought Finnish VM vendor nScence, and I even did a small review of this product (F-Secure Radar Vulnerability Management solution, F-Secure Radar basic reporting, F-Secure Radar ticketing, F-Secure API for scanning).

Talking about the document, I would like, firstly, to thank Gartner. Do you know who writes most articles about VM? Of course, VM vendors. And we all understand that their main goal is to promote their own products. Reports of independent consulting firms, primarily IDC, Forrester and Gartner, allow us to get some balanced view from the side. It is very important.

Here I would like to comment some theses of the text.

Continue reading

Vulners.com and ranges of dates

Leave a reply

Vulners.com and ranges of dates. I have already wrote earlier how to automatically retrieve data from the Vulners.com vulnerability database: if you need objects of some particular type, it’s better use Collection API, if you want to get different types of objects using advanced queries, your choice is Search API v.3.

But what if we want to get, not all the objects, but only new or modified ones in a some date range? How can we do it in Vulners?

Vulners.com date ranges

Search queries

Each object in Vulners (vulnerability, patch, bulletin, etc.) has a publication date, and modification date. You can see it if you open some Vulners object in json format, for example CVE-2017-6301:

        "published": "2017-02-23T23:59:00",
        "modified": "2017-02-24T14:45:17",

Continue reading