Dailydave mailing list archives

Re: Nessus + Authentication = Root?


From: Ron Gula <rgula () tenablesecurity com>
Date: Sun, 11 Sep 2005 20:01:14 -0400

At 06:30 PM 9/11/2005, Dave Aitel wrote:
> Perhaps some testers are not smart enough to use a restricted access domain administrator account? I know Tenable is on this list - what's the story on this stuff?

Not sure exactly what you are looking for, but we added this
feature about a year ago. Both Nessus and NeWT can make use
of SSH to log into a UNIX host and basically run shell commands
which we use to perform patch audits. The Windows functionality
(for domain, not SSH) has been in Nessus and NeWT much longer.

Tenable doesn't have an exact count on which plugins are used
by the end users, since both the host and network checks are
part of one plugin distribution. However, we've seen enough
chatter on the mailing lists and bug fix reports and feature
requests (when are you going to support my flavor of UNIX?)
to know that people are using this stuff.

As for the security of this in general:

- we still get requests to use Telnet instead of SSH.

- we strongly urge people not to use user/pass for SSH as all
  an evildoer needs to do is run a fake SSH server and wait
  for the magic user/pass to come to him

- if Nessus has credentials and you break into that server,
  you can get the credentials. Mostly though, if someone outside
  of IT is lucky enough to get credentials, they seem to be
  practicing decent security and locking down the box.

- we've gotten requests to someway encrypt the config file
  (but strangely not the results of a scan) of Nessus to add
  more protection to a casual compromise of a Nessus scanner.

- Support for Kerberos auth for SSH is there too.

Comments in general:

- For the SSH audits, you don't need root to check patch installs.
  I didn't address much of the Windows side of this, but you need
  an admin account to do the same thing in Microsoft land well.

- This is part of Tenable's overall strategy to detect
  vulnerabilities in a large enterprise. If you have credentials,
  then you have a very low impact and low false positive check.
  If you don't, you may be able to scan with one or more scanners.
  If you can't scan that often or not at all, you can run our
  sniffer, NeVO, and get very good vulnerability data in real
  time, but just based on the network traffic.

- Nessus isn't the only scanner doing this. Almost everyone has
  been doing the Windows domain "remote" host scan for a long
  time, but we've seen some of the more popular MSPs and scanner
  products (not based on Nessus) start to do SSH leveraged scans.

- The ability to correctly configure SSH pub/private trust
  relationships seems to separate some men from the boys.

- The ability to convince your manager/IT staff/girlfriend for
  an SSH key also seems to separate some men from the boys.

Ron Gula, CTO
Tenable Network Security
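Two of the points above, the fake SSH server that waits for a user/pass, and getting the SSH pub/private trust relationship right for a non-root audit account, come down to settings on each side of the connection: the scanner's client must verify host keys and never offer a password, and the target's authorized_keys entry for the audit account should be pinned to the scanner's address and stripped of everything except the audit command. The script below is an added example, not Nessus or Tenable code and not part of the message above; it checks constructed sample ssh_config text and authorized_keys lines against those expectations. The addresses, file paths, key blob and the particular option set it insists on are assumptions for illustration.

```python
"""Check both halves of a scanner's SSH trust relationship.

Hypothetical example, not Nessus/Tenable code: inspect the scanner-side
client ssh_config and the target-side authorized_keys line for the audit
account, and report settings that would let a fake SSH server harvest a
password or let a stolen audit key do more than run patch audits.
All sample inputs below are constructed.
"""
import re

# Scanner-side client options to insist on (lower-cased name -> value).
CLIENT_EXPECTATIONS = {
    "stricthostkeychecking": "yes",   # refuse unknown or changed host keys
    "passwordauthentication": "no",   # never offer a password to any server
    "pubkeyauthentication": "yes",
    "identitiesonly": "yes",          # offer only the configured audit key
}

# Target-side authorized_keys restrictions expected on the audit key.
KEY_RESTRICTIONS = ("no-pty", "no-port-forwarding",
                    "no-agent-forwarding", "no-x11-forwarding")


def parse_ssh_config(text):
    """Return {option: value} (lower-cased) from client ssh_config text.

    Simplification: Host/Match blocks are flattened into one namespace.
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            opts[parts[0].lower()] = parts[1].strip().lower()
    return opts


def client_findings(text):
    """List scanner-side settings that deviate from CLIENT_EXPECTATIONS."""
    opts = parse_ssh_config(text)
    return [f"{name}: want {want}, got {opts.get(name, 'unset')}"
            for name, want in CLIENT_EXPECTATIONS.items()
            if opts.get(name) != want]


def split_key_line(line):
    """Split an authorized_keys line into (options_text, key_text).

    Options are optional and may hold double-quoted values containing
    commas or spaces, so scan characters instead of splitting on whitespace.
    """
    if line.startswith(("ssh-", "ecdsa-", "sk-")):
        return "", line
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i], line[i + 1:].lstrip()
    return line, ""


def parse_key_options(options_text):
    """Parse 'from="a,b",no-pty,command="x"' into {name: value_or_True}."""
    opts, buf, in_quote = {}, "", False
    for ch in options_text + ",":
        if ch == '"':
            in_quote = not in_quote
        elif ch == "," and not in_quote:
            if buf:
                name, _, value = buf.partition("=")
                opts[name.strip().lower()] = value.strip('"') if value else True
            buf = ""
            continue
        buf += ch
    return opts


def key_findings(line, scanner_ip):
    """List missing restrictions on the audit account's authorized_keys entry."""
    options_text, key_text = split_key_line(line.strip())
    if not key_text:
        return ["not an authorized_keys entry"]
    opts = parse_key_options(options_text)
    findings = []
    src = opts.get("from")
    if not isinstance(src, str):
        findings.append("no from= restriction: key accepted from any address")
    elif scanner_ip not in [s.strip() for s in src.split(",")]:
        # Simplification: exact match only; real from= also accepts patterns.
        findings.append(f"from= does not list the scanner {scanner_ip}")
    if "command" not in opts:
        findings.append("no command= restriction: key grants a full shell")
    findings += [f"missing {r}" for r in KEY_RESTRICTIONS if r not in opts]
    return findings


# Constructed samples: documentation addresses, a placeholder key blob.
SCANNER_IP = "203.0.113.10"
FAKE_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAIExampleBlobNotARealKey00000000000000000"

WEAK_CLIENT_CONFIG = """\
# accepts any host key and will send a password to whoever answers
Host *
    StrictHostKeyChecking no
    PasswordAuthentication yes
"""

HARDENED_CLIENT_CONFIG = """\
Host *
    StrictHostKeyChecking yes
    UserKnownHostsFile /etc/scanner-audit/known_hosts
    PasswordAuthentication no
    PubkeyAuthentication yes
    IdentitiesOnly yes
    IdentityFile /etc/scanner-audit/id_ed25519
"""

WEAK_KEY_LINE = f"ssh-ed25519 {FAKE_BLOB} audit@scanner"
RESTRICTED_KEY_LINE = (
    f'from="{SCANNER_IP}",command="/usr/local/bin/patch-audit",'
    "no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding "
    f"ssh-ed25519 {FAKE_BLOB} audit@scanner"
)

if __name__ == "__main__":
    for label, text in (("weak client", WEAK_CLIENT_CONFIG),
                        ("hardened client", HARDENED_CLIENT_CONFIG)):
        print(label, client_findings(text) or ["ok"])
    for label, line in (("weak key", WEAK_KEY_LINE),
                        ("restricted key", RESTRICTED_KEY_LINE)):
        print(label, key_findings(line, SCANNER_IP) or ["ok"])
```

The client check is what keeps a scanner from ever handing a password to an impostor: with StrictHostKeyChecking on and PasswordAuthentication off, a fake server that presents an unknown host key is refused outright, and even a server that somehow passes host-key checking is only ever offered a public-key signature. The authorized_keys check covers the other failure discussed above, a compromised scanner leaking its credentials: a key pinned with from=, forced to one command and denied a pty and forwarding is usable for the patch audit and not much else.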
