Author Archives: Alexander Leonov

About Alexander Leonov

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven't used Telegram yet, give it a try. It's great. You can discuss my posts or ask questions at @avleonovchat. А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

When a free scanning service detects vulnerabilities better

4 Replies

When a free scanning service detects vulnerabilities better. We all want to have a reliable and efficient Vulnerability Scanner. This scanner should be able to find any vulnerabilities immediately, as soon as the information about them is published. And, to be honest, no one wants to research how the scanner do it. Really. It’s not our job. We purchased the product, we trust the vendor and if this product does not work as we would like, it is a vendor’s problem. Is that right?

Not really. If we do not properly recognize the condition of our infrastructure and do not properly assess the risks, because of this vendor’s faults, this would be our problem. It’s relatively easily to find out that some detected vulnerabilities from scanning report are false positives, what if scanner didn’t find an existing vulnerability? How would you even know this happened?

That’s why we still have to understand how the scanners work, to watch the watcher.

A recent example. CVE-2016-2107: OpenSSL AES CBC cipher information disclosure.

upd. For this vulnerability Tenable released addition detection plugin: “Use multiple vulnerability scanners in the name of good”.

HT Bridge detects CVE-2016-2107 vulnerability, Nessus not

This vulnerability may be detected by free vulnerability scanning services and practically could not detected by Nessus via unauthenticated scanning. You can see on the screenshots how we have scanned the same host with Nessus and free service by High-Tech Bridge. And Nessus did not detect CVE-2016-2107.

Continue reading

Retrieving scan results through Nessus API

27 Replies

Retrieving scan results through Nessus API. In this first article about Nessus API I want to describe process of getting scan results from Nessus.

Of course, it’s also great to create and run scans or even create policies via API. But to be honest, in practice, you may need this functionality rarely. And it’s easier to do it manually in GUI. On the other hand, sometimes it very efficient to create automatically some specific scan task for specific group of hosts using existing (inventory) scan results. But we will talk about this topic next time (Upd. I wrote post about scan creation “Nessus API for hosts scanning“).

Nessus API

Now, imagine that we have configured regular Nessus scans. And we want to get this scan results on a regular basis to make some analysis and maybe create some tickets in Jira.

As usual, I will use curl for all examples, because it is easy to read and easy to test in any Linux terminal.

Starting from Nessus v.6 the API manual is built in GUI: https://<scanner_ip>:8834/api#
Continue reading

Making vulnerable OpenSSL scanning target

1 Reply

Making vulnerable OpenSSL scanning target. OpenSSL vulnerabilities appear regularly. Sometimes it is difficult to find out whether your vulnerability scanner can effectively detect specific vulnerability.

In fact, the only way to find this out is to scan a vulnerable host. Without this knowledge, it is dangerous to start a huge network scanning. You never know, the scanner did not find a vulnerability, because the infrastructure is safe or it wasn’t able to do it.

Let’s make the simplest stand: CentOS host with Apache and a self-signed OpenSSL certificate.

Vulnerable OpenSSL stand

Continue reading

PHDays VI: The Standoff

3 Replies

PHDays VI: The Standoff. A week ago I was at PHDays (Positive Hack Days) 2016 conference. For those who don’t know, there are two main events for security practitioners in Russia: PHDays in May and ZeroNights in November. Day-Night. Like this play on words. =)

phdays_logo

So, it was my 6th PHDays. I visited them all. But on this one for a first time I was as an ordinary visitor and not from organizers side. To be honest, I have never participated in organizing of PHDays, and just seen the final result. So, nothing changed much for me. As usual, organization was at very high level. And it’s not just my opinion, but the opinion of many participants.

Sad things first. And they are likely sad only for me. You know my passion to vulnerability assessment/management systems and scanners. So, despite the fact that Positive Technologies are the organizers of this event and Maxpatrol is still their’s flagman product, it was hard to hear anything related to vulnerability assessment/risk assessment/threat intelligence on PHDays. Isn’t it strange? Could you imagine this at Qualys QSC or Tenable event? Nothing much about critical controls and IT compliance in general.

It’s clear that vulnerability assessment is not already in trends in Russia. All are crazy about SIEM and slightly less about Anti-APT and SCADA security. Sad, but true.

Anyway, I have seen many interesting presentations about honeypots, computer forensics, machine learning and security startups. I also visited a SIEM roundtable with representatives of Positive Technologies, First Russian SIEM (RuSIEM), ArcSight, IBM Qradar, Splunk, and Cisco Systems. More details under the cut.

Continue reading

SteelCloud ConfigOS

1 Reply

SteelCloud ConfigOS. Sometimes LinkiedIn shows me an interesting advertising. For example, today I watched a  recorded demo of SteelCloud ConfigOS. It is a proprietary tool that performs automated DISA STIGs compliance checking for RHEL or Windows  and provides automated remediation.

Well, as it works automatically, it  won’t make custom SELinux configuration for you, for example. In the other hand, this software is for the US military and related organizations, where everything should be highly standardized.

Scan running

scan_running

Continue reading

Tenable Nessus: registration, installation, scanning and reporting

20 Replies

Tenable Nessus: registration, installation, scanning and reporting. It’s a bit strange that I wrote in this blog about some relatively exotic vulnerability management solutions and not about the one I use every day. It is, of course, Nessus. The legend of vulnerability scanners. It would be fair to say that Nessus has become a synonym for vulnerability scan itself as Xerox for photocopy. First version of Nessus was developed by Renaud Deraison in 1998 as a free and open-source product. In October 2005 the license was changed to proprietary. The last version of GPL source codes became the base for the great open source vulnerability scanner – OpenVAS (btw, see my post “openvas_commander for OpenVAS installation and management”).

Nessus Vulnerability Scan Results

I am glad that Tenable still keeps Nessus mostly in UNIX-way. Nessus is a vulnerability scanner and makes one thing good – finds vulnerabilities on network hosts. If you need dashboards, advanced user management, advanced reporting capabilities, etc. use Tenable Security Center that works above the Tenable separate products: Nessus, Passive Vulnerability Scanner (PVS) and Log Correlation Engine (LCE).

nessus download page

Continue reading

Vulnerability Management in APAC

Leave a reply

Vulnerability Management in APAC. Tenable Network Security published Forrester report on Vulnerability Management in APAC (China: 25%, Singapore: 25%, Japan: 25%, ANZ: 25%). Everything is pretty bad. The majority of the respondents scan their systems periodically (annually). Key challenges: the difficulty of remediation and prioritization. It seems that 30% respondents don’t even have automatically updatable Security Content in their VM solution.
Forrester Vulnerability Management in APAC