Information Security News mailing list archives

"Nessus calls home"? Facts of the matter.


From: InfoSec News <isn () c4i org>
Date: Thu, 9 May 2002 02:06:59 -0500 (CDT)

Forwarded from: Jay D. Dyson <jdyson () treachery net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Courtesy of Renaud Deraison (forwarded with permission).

I believe this should be given wide dissemination to dispel the rumors
that flew around CanSecWest.  -Jay


- ---------- Forwarded message ----------
Date: Wed, 8 May 2002 16:50:09 +0200
From: Renaud Deraison <deraison () nessus org>
To: nessus () list nessus org
Subject: "Nessus calls home"

Hi,

I attended CanSecWest last week and I was told there were rumors of people
complaining about Nessus "calling home" when doing a scan. 

In order to clear the confusion, here's a small explanation of what Nessus
does, followed by a short poll asking you what you'd prefer it to do. 

First, let me emphasize something: Nessus does *not* call home. It never
does, never did and never will. 

However, some checks have the naughty side effect of sending a few packets
to nessus.org, which can make people think I have the ability to monitor
their scans - here's the list : 


1. SMTP checks

Several SMTP checks send an email coming from or going to
nessus () nessus org (also test_1 () nessus org and test_2 () nessus org). These
checks are mostly used for bounce or old sendmail attacks. With these
checks, the expected behavior of the MTA is either to send a 50x error
code or to fall to the attack. Under some rare circumstances however, the
mail may be bounced back to nessus () nessus org, which is a non-existing
mailbox on mail.nessus.org. So if I were to spy on my users, one could
imagine I'd grep "nessus () nessus org" in /var/log/maillog and see who's
using Nessus. I don't do that, but I admit it could be done. 

Why do I use "nessus () nessus org"? Well, for the relay checks, it sounded
good to use a really existing mail domain, so that half-smart mailers which
do some DNS checks on email addresses would not reject the mail for the sole
reason that the email domain is not valid. It was suggested that I use
example.com, but there's no MX for that domain, so I don't like it. 


2. Proxy check

A proxy check attempts to establish a connection to www.nessus.org. As for
relaying, the point here is to see if we can use the remote proxy to
connect to an outside web server. So if I were naughty, I could attempt to
differentiate the requests going to www.nessus.org and find out which ones
were coming from an open proxy, then use that proxy to get my pr0n. 


Note that in all these cases, even if I were berserk, I would not get the
results of the scan or even know what other hosts you're testing on your
network.

I understand however that people may think that means Nessus is "phoning
home". Once again, this is not the purpose - I just use the nessus.org
domain in some checks because these checks require a valid third party
domain (and if I were to change that to microsoft.com or something that
does not belong to me, it might be unpopular). Note that this choice makes
the detection of Nessus quite a bit easier for IDSes. 

I can change that to www.example.com, I did not know this website existed
until last week. 


So now, it's poll time (please reply privately): 

- - Does that issue bother you?
- - If it does, would you feel safer if Nessus was using example.com
  as a domain? (even though it may mean weaker tests, as example.com
  has no MX record). Or would you prefer to have the ability to select
  the domain name yourself manually? (with the option defaulting to
  nessus.org or example.com)

                                -- Renaud

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iD8DBQE82cAnGI2IHblM+8ERArqyAJ0cBNhg69mwz3dwls5DaV5QqvAzlACfb10u
+lmCLCIAPsOTMSURibV13hk=
=C7BR
-----END PGP SIGNATURE-----
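Renaud notes that using the nessus.org domain in the SMTP and proxy checks makes Nessus easy to spot for IDSes. The following script, added here as an example and not part of this message or of the Nessus project, shows what that detection looks like on the defender's side: it scans sendmail-style maillog lines for the check mailboxes (the archive prints them as "nessus () nessus org" etc.; the script assumes they are nessus@nessus.org, test_1@nessus.org and test_2@nessus.org) and Squid-style proxy access log lines for requests to www.nessus.org, then tallies the client IPs the sightings point back to. All log lines and IP addresses are constructed for the example; the log formats are assumptions, not something the message specifies.

```python
"""Spot the traces of the Nessus SMTP relay/bounce checks and proxy check
described in the message above, using constructed sample log lines.
Added example; not code from the original message or from Nessus."""
import re
from collections import Counter

# Indicators taken from the message: the mailboxes the SMTP checks use and the
# web host the proxy check tries to reach through the scanned proxy.
NESSUS_MAILBOXES = {"nessus@nessus.org", "test_1@nessus.org", "test_2@nessus.org"}
NESSUS_PROXY_HOST = "www.nessus.org"

# Assumed sendmail maillog layout: "<timestamp> <mta> sendmail[pid]: <qid>: <fields>"
MAILLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<mta>\S+) "
    r"sendmail\[\d+\]: (?P<qid>\w+): (?P<fields>.*)$")
ADDR_RE = re.compile(r"\b(?:from|to)=<([^>]*)>")
# relay=name [ip] or relay=[ip]; outbound relays without brackets yield no IP
RELAY_RE = re.compile(r"relay=(?:[^\s,\[]+ )?\[(?P<ip>[^\]]+)\]")
# Assumed Squid native access log layout: "ts elapsed client result bytes method url ..."
PROXYLOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\d+\s+(?P<client>\S+)\s+(?P<result>\S+)\s+\d+\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)")

# Constructed sample lines: one scanner at 192.0.2.10, one ordinary user at 192.0.2.55.
MAILLOG = """\
May  8 16:50:09 mx1 sendmail[2112]: g48EoA02112: from=<nessus@nessus.org>, size=310, class=0, nrcpts=1, msgid=<1@scanner>, proto=SMTP, daemon=MTA, relay=scanner.corp.example [192.0.2.10]
May  8 16:50:09 mx1 sendmail[2113]: g48EoA02112: to=<test_1@nessus.org>, delay=00:00:00, mailer=esmtp, relay=mail.nessus.org., stat=Sent
May  8 16:51:30 mx1 sendmail[2120]: g48EpU02120: from=<alice@corp.example>, size=1200, class=0, nrcpts=1, msgid=<2@corp>, proto=ESMTP, daemon=MTA, relay=ws17.corp.example [192.0.2.55]
May  8 16:52:02 mx1 sendmail[2130]: g48Eq202130: to=<nessus@nessus.org>, delay=00:00:01, mailer=esmtp, relay=mail.nessus.org., dsn=5.1.1, stat=User unknown
""".splitlines()

PROXYLOG = """\
1020869409.123    412 192.0.2.10 TCP_MISS/200 1532 GET http://www.nessus.org/ - DIRECT/203.0.113.7 text/html
1020869410.555     88 192.0.2.10 TCP_TUNNEL/200 980 CONNECT www.nessus.org:443 - DIRECT/203.0.113.7 -
1020869415.001    230 192.0.2.55 TCP_HIT/200 5120 GET http://intranet.corp.example/index.html - NONE/- text/html
""".splitlines()


def url_host(url):
    """Host part of an absolute URL or of a CONNECT host:port target
    (IPv6 literals are not handled; not needed for the sample)."""
    if "://" in url:
        url = url.split("://", 1)[1]
    authority = url.split("/", 1)[0].rsplit("@", 1)[-1]
    return authority.split(":", 1)[0].lower()


def scan_maillog(lines):
    """One dict per maillog line that mentions a Nessus check mailbox, with the
    relay IP when the message was handed to us by a client (the scanner)."""
    hits = []
    for line in lines:
        m = MAILLOG_RE.match(line)
        if not m:
            continue
        fields = m.group("fields")
        matched = [a.lower() for a in ADDR_RE.findall(fields)
                   if a.lower() in NESSUS_MAILBOXES]
        if not matched:
            continue
        relay = RELAY_RE.search(fields)
        hits.append({"qid": m.group("qid"), "mta": m.group("mta"),
                     "address": matched[0],
                     "relay_ip": relay.group("ip") if relay else None})
    return hits


def scan_proxylog(lines):
    """One dict per proxy log line whose URL host is the Nessus proxy-check target."""
    hits = []
    for line in lines:
        m = PROXYLOG_RE.match(line)
        if m and url_host(m.group("url")) == NESSUS_PROXY_HOST:
            hits.append({"client": m.group("client"),
                         "method": m.group("method"), "url": m.group("url")})
    return hits


def suspected_scanners(mail_hits, proxy_hits):
    """Count indicator sightings per client IP: the SMTP relay that submitted a
    check message, and the proxy client that requested www.nessus.org."""
    counts = Counter()
    for h in mail_hits:
        if h["relay_ip"]:
            counts[h["relay_ip"]] += 1
    for h in proxy_hits:
        counts[h["client"]] += 1
    return counts


if __name__ == "__main__":
    mail_hits, proxy_hits = scan_maillog(MAILLOG), scan_proxylog(PROXYLOG)
    for h in mail_hits + proxy_hits:
        print(h)
    print("suspected scanners:", dict(suspected_scanners(mail_hits, proxy_hits)))
```

Only lines carrying a relay IP in brackets are attributed to a source; the outbound "to=<...>" lines show the bounce leaving for mail.nessus.org, which is the traffic Renaud describes, but they name no client and so add nothing to the tally.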



-
ISN is currently hosted by Attrition.org
