Dailydave mailing list archives
Re: Nessus + Authentication = Root?
From: Ron Gula <rgula () tenablesecurity com>
Date: Sun, 11 Sep 2005 20:01:14 -0400
At 06:30 PM 9/11/2005, Dave Aitel wrote:
> Perhaps some testers are not smart enough to use a restricted access domain administrator account? I know Tenable is on this list - what's the story on this stuff?

Not sure exactly what you are looking for, but we added this feature about a year ago. Both Nessus and NeWT can make use of SSH to log into a UNIX host and basically run shell commands which we use to perform patch audits. The Windows functionality (for domain, not SSH) has been in Nessus and NeWT much longer.

Tenable doesn't have an exact count on which plugins are used by the end users, since both the host and network checks are part of one plugin distribution. However, we've seen enough chatter on the mailing lists and bug fix reports and feature requests (when are you going to support my flavor of UNIX?) to know that people are using this stuff.

As for the security of this in general:

- we still get requests to use Telnet instead of SSH.
- we strongly urge people not to use user/pass for SSH as all an evil doer needs to do is run a fake SSH server and wait for the magic user/pass to come to him
- if Nessus has credentials and you break into that server, you can get the credentials. Mostly though, if someone outside of IT is lucky enough to get credentials, they seem to be practicing decent security and locking down the box.
- we've gotten requests to in some way encrypt the config file (but strangely not the results of a scan) of Nessus to add more protection to a casual compromise of a Nessus scanner.
- Support for Kerberos auth for SSH is there too.

Comments in general:

- For the SSH audits, you don't need root to check patch installs. I didn't address much of the Windows side of this, but you need an admin account to do the same thing in Microsoft land well.
- This is part of Tenable's overall strategy to detect vulnerabilities in a large enterprise. If you have credentials, then you have a very low impact and low false positive check. If you don't, you may be able to scan with one or more scanners. If you can't scan that often or not at all, you can run our sniffer, NeVO, and get very good vulnerability data in real time, but just based on the network traffic.
- Nessus isn't the only scanner doing this. Almost everyone has been doing the Windows domain "remote" host scan for a long time, but we've seen some of the more popular MSPs and scanner products (not based on Nessus) start to do SSH leveraged scans.
- The ability to correctly configure SSH pub/private trust relationships seems to separate some men from the boys.
- The ability to convince your manager/IT staff/girlfriend for an SSH key also seems to separate some men from the boys.

Ron Gula, CTO
Tenable Network Security
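An added example, not part of the message above and not Tenable code: a small audit of how a target host trusts a scanner's SSH key, following the points that patch audits do not need root and that credentials can be lifted from a compromised scanner. It assumes the OpenSSH `authorized_keys` format; the function names, sample entries, addresses and UID are constructed for illustration.

```python
# Added example: audit the authorized_keys entry of an SSH scan account.
FORWARDING = ("no-agent-forwarding", "no-port-forwarding", "no-x11-forwarding")
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")

def split_unquoted(text, is_sep):
    """Split text at separator characters that sit outside double quotes."""
    parts, cur, quoted = [], "", False
    for i, ch in enumerate(text):
        if ch == '"' and text[i - 1:i] != "\\":
            quoted = not quoted
        if is_sep(ch) and not quoted:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return [p for p in parts if p]

def parse_options(line):
    """Return the option dict of one authorized_keys entry ({} if it has none)."""
    fields = split_unquoted(line.strip(), str.isspace)
    if not fields or fields[0].startswith(KEY_PREFIXES):
        return {}
    opts = {}
    for item in split_unquoted(fields[0], lambda c: c == ","):
        name, _, value = item.partition("=")
        opts[name.lower()] = value.strip('"')
    return opts

def audit_scan_key(line, account_uid):
    """List weaknesses in how a target host trusts the scanner's key."""
    opts, findings = parse_options(line), []
    if account_uid == 0:
        findings.append("scan account is root")
    if "from" not in opts:  # without from=, a copied key works from any host
        findings.append("no from= restriction")
    missing = [o for o in FORWARDING if o not in opts and "restrict" not in opts]
    if missing:
        findings.append("forwarding allowed: " + ", ".join(missing))
    return findings

# Constructed sample entries (key material is a placeholder, not a real key).
OPEN = "ssh-ed25519 AAAA_CONSTRUCTED scan@scanner"
PARTIAL = ('from="192.0.2.10,192.0.2.11",command="echo a, b",'
           "no-port-forwarding ssh-rsa AAAA_CONSTRUCTED scan")
LOCKED = 'from="192.0.2.10",restrict ssh-ed25519 AAAA_CONSTRUCTED scan@scanner'

if __name__ == "__main__":
    for entry, uid in ((OPEN, 0), (PARTIAL, 1501), (LOCKED, 1501)):
        print(audit_scan_key(entry, uid) or "ok")
```

Pass one key entry at a time; comment and blank lines in a real file should be skipped by the caller.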