00:00:00
Hackers are really good at finding tiny gaps in your security;
00:00:04
therefore a great way to protect yourself is for you to find the gaps first!
00:00:08
That's where vulnerability scanners come in.
00:00:11
They can automatically assess the devices on your network and find the gaps hackers might try to exploit.
00:00:17
Two of the most popular tools for this are Nessus and OpenVAS, also known by the name Greenbone.
00:00:23
Both of them have free versions that anybody can use, so the question is: which should you install?
00:00:30
Welcome back to the Pro Tech Show!
00:00:32
Before looking at these two tools, a quick note about what vulnerability scanners are;
00:00:37
and more to the point, what they are not;
00:00:39
because some companies are taking advantage of a general lack of knowledge to rip people off.
00:00:44
Patch scanners are not vulnerability scanners.
00:00:47
Missing updates can result in vulnerabilities, that's true,
00:00:51
but not all vulnerabilities can be fixed with an update.
00:00:54
Many vulnerabilities are not caused by unpatched software, but by poor configuration choices.
00:01:00
Sometimes an update will be released to fix a vulnerability;
00:01:03
but because it has the potential to cause issues for legacy systems
00:01:06
the fix will not be enabled automatically.
00:01:09
Patch scanners that present missing patches as vulnerabilities
00:01:11
will tell you it has been resolved as soon as the update is installed,
00:01:15
but the reality is you're still at risk.
00:01:17
Another thing that isn't a vulnerability scan is a penetration test,
00:01:21
although a vulnerability scanner might be used in a pentest.
00:01:24
A vulnerability scanner is a tool that checks for a list of known problems that hackers can exploit.
00:01:29
A penetration test involves a skilled human applying their brain to look for less obvious ways in.
00:01:34
An analogy: a vulnerability scan checks your door is locked,
00:01:38
your windows are secure, and you haven't left a key under your mat.
00:01:41
A pentester does that... but also dresses up as a gas man,
00:01:45
goes to see your neighbour, and asks if they have the spare key because they need to service your meter.
00:01:49
There are companies out there who are charging people for a full penetration test
00:01:53
but all they're doing is clicking a button to run an automatic vulnerability scan.
00:01:57
Be warned, the scammers are out there; but vulnerability scans are what we're concerned with here,
00:02:02
so when it comes to clicking that button... whose button should you click?
00:02:06
Let's introduce our two contenders: Nessus and OpenVAS.
00:02:10
These two are related. In fact the entire vulnerability scanning market is pretty incestuous.
00:02:15
In the beginning there was Nessus, and it was open source, until it wasn't.
00:02:20
What happens when an open source project suddenly switches gears and goes proprietary?
00:02:24
Someone forks it.
00:02:25
The fork was called GNessUs.
00:02:28
It was a horrible name and a bit too close to the original, so it got renamed to OpenVAS -
00:02:32
the Open Vulnerability Assessment Scanner.
00:02:35
It has since been renamed again to Greenbone Vulnerability Management,
00:02:38
making reference to Greenbone, the company that develops it;
00:02:41
but the name OpenVAS is so well known that it still hangs around
00:02:44
and these days the names Greenbone and OpenVAS get used pretty much interchangeably.
00:02:49
What might be interesting to know is that although there are lots of other vulnerability scanners out there,
00:02:54
if you look closely, most of them are actually running OpenVAS under the covers.
00:02:59
In fact, I could have called this video Nessus vs.
00:03:02
Everything,
00:03:03
and it wouldn't have been all that far from the truth!
00:03:05
Both Tenable (the company behind Nessus) and Greenbone (the company behind OpenVAS)
00:03:10
produce commercial products with free versions.
00:03:12
It's the free versions we're focusing on, so let's compare their limitations.
00:03:17
Nessus is pretty straightforward.
00:03:18
The free version is called Nessus Essentials.
00:03:21
Disregarding the compliance and infrastructure as code scanning features of paid versions,
00:03:25
and focusing on traditional vulnerability scanning,
00:03:28
the primary limitation of the free version is that scans are limited to a total of 16 hosts.
00:03:33
Other than that, you're not really limited in features,
00:03:36
you just can't scan more than 16 things with it and you won't get free technical support.
00:03:40
OpenVAS is a little more confusing because they keep renaming things.
00:03:44
Greenbone Enterprise is the paid version.
00:03:47
It comes as a physical or virtual appliance,
00:03:49
and is a self-contained Linux distribution with commercial support.
00:03:52
There are two free editions.
00:03:54
The Greenbone Enterprise Trial is a virtual appliance based on Greenbone Enterprise.
00:03:59
The Trial version receives vulnerability definitions from the Greenbone Community Feed,
00:04:03
but not the Greenbone Enterprise Feed.
00:04:06
The Enterprise Feed adds detections for more products,
00:04:08
though what is and isn't included in the Community Feed seems a bit inconsistent.
00:04:13
Officially, the Community Feed covers "home application products"
00:04:17
and the Enterprise Feed covers "enterprise products",
00:04:19
but the Community Feed has detected plenty of server vulnerabilities
00:04:23
so I guess the developers think most people run servers at home?
00:04:26
I suppose the kind of people who run vulnerability scanners may well do,
00:04:29
but hey, a lot of what I run at home would be considered to be part of the Enterprise Feed,
00:04:33
so I have no idea where the line is here.
00:04:35
The Enterprise Trial edition has one more limitation to be aware of.
00:04:38
Although it receives updates for vulnerability definitions,
00:04:42
the Greenbone platform itself does not receive updates.
00:04:45
Ironically, over time, your Greenbone Enterprise Trial appliance will itself become a vulnerability.
00:04:52
Besides that, you can run it indefinitely.
00:04:54
You can get a time-limited trial of the Enterprise Feed,
00:04:57
but the appliance itself will run forever using the Community Feed
00:05:01
with no limit on the number of hosts you can scan.
00:05:03
There is another free edition, though, and that's Greenbone Source Edition.
00:05:07
The Source Edition is distributed as open source code.
00:05:10
It's basically the same as the Enterprise Trial,
00:05:12
but instead of being an appliance you can install it on another distro
00:05:15
and you don't have any issues with installing updates.
00:05:18
In terms of limitations: it uses the Community Feed
00:05:21
and there is no binary version provided,
00:05:23
so you have to either compile the code yourself
00:05:25
or use a distro that already does so.
00:05:27
Kali Linux is a good option.
00:05:29
They provide Greenbone Source Edition binaries within their standard repos,
00:05:32
and that's what I used for this video.
00:05:34
To confuse matters, you may also come across the Greenbone Community Edition.
00:05:38
Community Edition is what the Enterprise Trial used to be called.
00:05:42
They renamed it to better reflect the intention of it being a trial for the commercial product.
00:05:46
The problem is that when links to Community Edition suddenly redirected to Enterprise Trial
00:05:51
people got the wrong idea and thought Greenbone had done a Nessus and closed the source.
00:05:55
To clear up the confusion the name Community Edition has been resurrected,
00:05:59
but now it's an alternative name for the Source Edition.
00:06:02
But this means that depending on what link you follow,
00:06:05
something called Community Edition might take you to either the Enterprise Trial or to the Source Edition.
00:06:11
If you want to test Greenbone, the quickest way to get up and running is to download the Enterprise Trial.
00:06:16
If you want to run it long-term as your vulnerability scanner of choice
00:06:19
I'd instead recommend downloading Kali Linux and installing the source version from the repo.
00:06:24
That way you aren't locked out of platform updates, and you don't have to compile anything yourself.
00:06:28
Ok, now we know what's what, let's take a look at the user experience.
00:06:32
This one is a pretty clear win for Nessus in my book.
00:06:35
Greenbone's user interface is best described as "functional".
00:06:39
I mean it works, it's just not going to win any beauty competitions.
00:06:42
How much does this matter though?
00:06:44
Well, there's an element of personal preference here.
00:06:46
It works, and it provides the same information;
00:06:49
but Nessus does a better job of walking you through the setup of a scan,
00:06:53
with the options presented in a logical and digestible way.
00:06:55
With Greenbone, they're all there, somewhere, possibly in a different part of the interface,
00:07:00
or in a massive list of text.
00:07:02
Once you've run a scan, it's a similar story.
00:07:05
Both give you the same information, and both have ways to create and save filters.
00:07:09
Nessus does a few things more nicely, like grouping similar vulnerabilities together
00:07:13
and pulling out some remediation actions.
00:07:15
With Nessus, it's easier for a novice to spot the low-hanging fruit
00:07:18
that you probably want to tackle first after running a scan.
00:07:21
Although Greenbone is perfectly functional, the interface is dated and less easy to use.
00:07:25
Moving on from ease of use, how good are they at detecting vulnerabilities?
00:07:30
I have a couple of different scenarios to test this.
00:07:32
The first is what I'm going to call the "kill it with fire" scenario.
00:07:36
For this, I've downloaded the Turnkey Linux Drupal appliance.
00:07:39
This is a prepackaged LAMP stack with Drupal installed.
00:07:42
Basically, you mount or burn an ISO, run through a simple install wizard,
00:07:46
and you have a server running Drupal.
00:07:48
It's designed to get you up and running with minimal effort and minimal knowledge.
00:07:52
The version I've downloaded is an old one.
00:07:54
It's several years out of date and uses an end-of-life version of Drupal
00:07:58
running on an end-of-life version of Debian.
00:08:01
From a security perspective, it's a mess.
00:08:04
Sadly, this is something I do come across,
00:08:06
either because the web developer doesn't know anything about the platform their site runs on,
00:08:10
other than they click a button and website happens;
00:08:12
or because they handed over a perfectly functioning system to someone who never bothered to maintain it.
00:08:17
Pointing Nessus and Greenbone at this appliance turns up literally hundreds of vulnerabilities.
00:08:22
They use a similar scoring system to rate the severity of the vulnerabilities,
00:08:25
but Greenbone doesn't have a critical category.
00:08:28
A 10 out of 10 is still just counted as "high".
00:08:30
Looking at the raw numbers, you might think Nessus has performed better.
00:08:33
But in a case like this, the raw numbers don't really matter.
00:08:37
Whether your end-of-life Drupal install has 20 high severity vulnerabilities or 40
00:08:42
doesn't make any difference to the action you need to take.
00:08:44
What's more interesting is the types of vulnerabilities each product has detected,
00:08:48
so let's break those down.
00:08:50
From the results here it's clear that neither solution was perfect,
00:08:53
with each missing a few items, although Greenbone did manage marginally better in terms of coverage.
00:08:57
I should note that Greenbone did log the untrusted SSL certificate,
00:09:00
but it didn't consider it to be a problem.
00:09:02
Nessus is working with its hands tied a little though.
00:09:05
We can change this option to have it run in paranoid mode.
00:09:08
That improves your chances of detecting vulnerabilities
00:09:11
but it does increase the likelihood of false positives.
00:09:14
If we do that, it finds a bunch more vulnerabilities,
00:09:17
but these ones are incorrect.
00:09:19
These are false positives. The target is not actually vulnerable to them.
00:09:23
For this test, I'd call it a draw.
00:09:25
Greenbone performed slightly better than the standard Nessus scan, but it's close.
00:09:30
Nessus outperformed Greenbone in terms of real detections when running in paranoid mode,
00:09:34
but it did so at the cost of introducing false positives.
00:09:37
Let's be honest though: this one was a sitting duck.
00:09:40
You're not going to run a vulnerability scan on something like this to find out if it's vulnerable.
00:09:45
You're either doing it because you've inherited a network and don't know what's on it,
00:09:48
or to gather evidence to convince management that they really need to spend some money.
00:09:53
Our next test is going to be more of a challenge.
00:09:56
It consists of a Red Hat server, a Rocky Linux server, and a Windows server;
00:10:00
all configured as a basic web and database stack.
00:10:03
Unlike the Drupal box, these are all running the latest versions of their respective software,
00:10:07
and I've installed all available patches from their native update service -
00:10:11
DNF in Rocky and RHEL's case, and Windows Update in the other.
00:10:14
I haven't performed any configuration to harden these servers, though;
00:10:17
and this is where vulnerability scanners are really useful.
00:10:21
A lot of admins would deploy this, run the updater, and consider it job done;
00:10:25
but is there more I could do to secure it?
00:10:27
Are the out-of-the-box defaults good enough?
00:10:30
What if I brought a few bad habits to the configuration?
00:10:33
To test our scanners I've added a few settings that are not good practice and will introduce vulnerabilities.
00:10:38
On Windows I've disabled Network Level Authentication for Remote Desktop,
00:10:43
which isn't exploitable itself,
00:10:44
but it does remove a layer of protection that may make other vulnerabilities easier to attack.
00:10:49
Another thing I've done is I've edited the SQL Express service's executable path to remove the quotes.
00:10:55
The reason for the quotes is to make it clear that this is a single string of text and the spaces are part of it.
00:11:01
If I remove the quotes, it will still work, but only because Windows has a guess at it.
00:11:05
Taken literally, this actually means
00:11:07
"Run a file called program, located on the C drive, and give it this as a list of parameters."
00:11:12
There is no file called program, so Windows assumes it's a mistake and figures out the correct path;
00:11:17
but if I did manage to place a file on the C drive called "program.exe"
00:11:22
that would be more correct; and Windows would run it instead,
00:11:26
under the identity of and with any privileges held by the service account.
00:11:30
The SQL service was configured correctly
00:11:32
but this is actually a common problem when software gets installed without adding the quotes
00:11:36
because the vendor wasn't paying due attention.
00:11:38
The software works, but it introduces a privilege escalation vulnerability.
00:11:43
On the Red Hat server I'm adding a similar and also very common misconfiguration.
00:11:47
I'm adding a cron job that calls DNF.
00:11:49
This is a fairly pointless cron job given DNF Automatic and makecache exist.
00:11:53
It's just an example.
00:11:55
The mistake is I have not provided an absolute path to the DNF executable.
00:11:59
It should be this.
00:12:01
Without the full path, how does Linux know where to find the file?
00:12:05
The answer, as many of you will know, is it searches the directories in the PATH environment variable.
00:12:10
Just like the Windows service account, this is imprecise;
00:12:14
and it introduces an opportunity for privilege escalation.
00:12:17
If an attacker can slip a file with the same name into a folder that's earlier in the search path than the real one,
00:12:22
then Linux will run it.
00:12:23
This last little misconfiguration I've added is setting the SUID permission on the "find" file.
00:12:28
The SUID permission, short for Set owner User ID,
00:12:31
causes the file to execute under the user context of the file's owner rather than the person who actually ran it.
00:12:38
There are times this can be useful, and several executables on a typical Linux system rely on it,
00:12:43
but you need to be really careful with it because it effectively grants temporary permissions you wouldn't otherwise have.
00:12:50
Setting it on the "find" file might appear harmless.
00:12:52
If you forget to run "find" with sudo, it might throw loads of permissions errors.
00:12:56
It's owned by root, so SUID lets it run as root;
00:12:59
and you're just looking for files, you're not executing anything... right?
00:13:04
Well, "find" can be manipulated to spawn a shell; and that shell keeps the permissions of the user running "find".
00:13:11
"Find" with SUID set runs as root, so now an unprivileged user account has a way to access a root shell and take control of the system.
00:13:18
That's why this is bad.
00:13:20
The final trap we've set for our vulnerability scanners is Rocky Linux.
00:13:24
Rocky is a RHEL rebuild. It's built from the source code of Red Hat Enterprise Linux, so it should be the same.
00:13:29
One of the challenges of looking for vulnerabilities on Linux is that the same version of the same program on different distributions can be different.
00:13:37
Red Hat, for example, will often backport security fixes to older versions of software the original owner has stopped supporting.
00:13:43
So the public instance of application X version Y might have a vulnerability, but application X version Y distributed by Red Hat could be perfectly safe.
00:13:52
Vulnerability scanners therefore need to not only look at the software that's installed on Linux, but also take into account its origin.
00:13:58
Is this the original version, or is it Red Hat's version?
00:14:02
Red Hat has been around for nearly 30 years and is very well supported by vendors.
00:14:07
Rocky Linux has only been around for a couple of years, so although they're effectively the same there's a higher chance a vulnerability scanner might not pick up on it and could generate a false positive result.
00:14:18
How did our two contenders fare?
00:14:20
This time around, Nessus has found considerably more vulnerabilities than Greenbone.
00:14:23
Perhaps more importantly, it found high and critical vulnerabilities that Greenbone missed.
00:14:27
The numbers don't tell all though, so let's take a closer look at what each of them found.
00:14:32
First, the highs and criticals.
00:14:33
Nessus has found a bunch of vulnerabilities in SQL Express.
00:14:37
This is accurate.
00:14:38
I ran Windows Update, but the patches for SQL were not distributed by Windows Update.
00:14:42
This is a very common issue I come across in the real world.
00:14:46
A lot of applications automatically install SQL Express as a dependency.
00:14:50
When the admin runs Windows Update, it doesn't get patched.
00:14:53
When they patch the application that installed it, it doesn't update SQL either.
00:14:57
There are a lot of unpatched SQL Express instances on production systems for this reason.
00:15:03
The next high severity vulnerability Nessus has found is an unquoted service path.
00:15:07
That's a vulnerability I introduced by removing the quotes on the SQL service executable path.
00:15:12
The next one: WinVerifyTrust Signature Validation.
00:15:15
This is one of those opt-in fixes.
00:15:17
The update to resolve this vulnerability was released years ago and is included in current versions of Windows out-of-the-box;
00:15:22
but unless you set a registry value to explicitly activate it, the system will remain vulnerable.
00:15:28
The Sweet32 detection means you're using weak encryption.
00:15:31
Both this and the last one are there for compatibility reasons.
00:15:34
Fixing them might break something, so Windows leaves it up to you.
00:15:38
Unfortunately, most people don't know these are even a thing, so they remain vulnerable.
00:15:42
Now we're into medium severity detections and we have a couple picked up by Greenbone but not Nessus.
00:15:47
Both of these I will dispute, however.
00:15:49
The keyboard execution one is basically saying you can plug in a keyboard and use it to type.
00:15:55
Yeah, really?
00:15:56
That's kind of the point of a keyboard.
00:15:58
It's not entirely stupid.
00:16:00
What it's getting at is that it's vulnerable to plug-in devices like a USB Rubber Ducky that emulates a keyboard to send malicious keystrokes.
00:16:07
The suggested solution is to whitelist specific models of keyboard and have it block every other model,
00:16:13
but this isn't the most practical suggestion for most people.
00:16:15
Even if you went to the effort of manually whitelisting every single model of keyboard you might ever need to use,
00:16:21
and never used anything else, this is still a highly targeted attack.
00:16:25
It requires a physical device to be plugged in.
00:16:28
These things cost money.
00:16:29
You can't just blind fire millions of them like a spam email.
00:16:32
If you're going to go to the effort of using one of these to attack someone
00:16:35
I don't think it's a stretch to say you could find out a model of keyboard they have and tell it to emulate that.
00:16:40
I don't consider the ability to plug in and use a keyboard a useful vulnerability detection.
00:16:45
It's normal functionality and the suggested mitigation is tenuous.
00:16:48
The next one has similar issues.
00:16:50
It's possible to enumerate RPC services remotely.
00:16:53
Without going too deep: yes, that's how they work.
00:16:57
I would agree it's an issue if it's accessible from the internet.
00:17:00
It can't be exploited, but it does give away information that a hacker could use to help shape their attack plan.
00:17:06
On an internal network, though, if you block this on a Windows server you basically block it from doing its job or being managed correctly.
00:17:13
It's a by-design function.
00:17:16
Nessus does pick up on this, but it logs it as an informational event.
00:17:19
It doesn't consider it a vulnerability, and unless it's exposed to the internet neither do I.
00:17:23
Next, both Greenbone and Nessus detect the HTTP TRACE function in Apache as a vulnerability.
00:17:28
Apache disputes this.
00:17:29
They say it's a valid part of the HTTP specification and you can't exploit the server using it.
00:17:35
They're right.
00:17:35
The abuse of this function actually has more to do with badly configured load balancers or weaknesses in old web browsers.
00:17:41
It's not Apache's fault, but disabling this function can reduce the overall risk to your network,
00:17:46
and it's highly unlikely you actually need it in a production system, so I'm ruling in favour of the vulnerability scanners on this one.
00:17:52
Whizzing through the next few medium detections, most of them are fairly non-controversial.
00:17:57
This one I'd probably argue should be a low, as it's not exploitable and more indicative that there may be incomplete configuration.
00:18:03
This one is detected by Greenbone, but as a log event. It's not considered a vulnerability.
00:18:08
My opinion is that if it's exposed to end users or the internet, it's a problem.
00:18:13
If it's only accessible from a privileged location such as localhost when logged onto a server, it's less of an issue, but I'd still keep it as a low in that case.
00:18:20
These detections are false positives.
00:18:22
Greenbone has managed to avoid them, whereas Nessus has a couple even on its standard scan.
00:18:27
Nessus did fall for the Rocky Linux trap.
00:18:30
The Apache vulnerabilities it found were because it compared to the public version of Apache instead of the Red Hat version used by Rocky.
00:18:36
The other two were a similar story, but it misdetected them on both Red Hat and Rocky.
00:18:41
Of my planted configuration issues, Greenbone missed all of them.
00:18:45
Nessus found the unquoted service path and the disabled Network Level Authentication on Windows, but it missed the SUID permission and the ambiguous cron job on Linux.
00:18:54
Neither is perfect, but I'd prefer to trade a couple of false positives for the additional vulnerabilities detected by Nessus in this example.
00:19:01
Overall, I'd look at it like this:
00:19:03
do you have more than 16 hosts?
00:19:05
If you don't, Nessus seems to provide the most coverage and the best user experience when comparing the free versions.
00:19:12
If you have more than 16 hosts, Nessus will hit a hard stop, but you can keep on using Greenbone as far as you want.
00:19:19
Of course, either of these options is much better than doing nothing.
00:19:22
You might be surprised at how many problems they find, and if you're not really convinced that vulnerabilities like this actually matter
00:19:29
I'll show you exactly why you need to care about it in this video, where I actively exploit one of them and completely own a target system.
00:19:38
You don't want this to be you, but you do want to like the video and subscribe to the channel;
00:19:42
and let me know in the comments if you want a deeper dive into either of these tools.