Best FREE Vulnerability Scanner: Nessus Vs OpenVAS (Greenbone)

00:19:47
https://www.youtube.com/watch?v=sEzN2U4Pqcs

Summary

TL;DR: The video is a detailed comparison of two prominent vulnerability scanners, Nessus and OpenVAS (also known as Greenbone). It starts by explaining the difference between vulnerability scanners, patch scanners, and penetration tests, then compares the two tools on features, limitations, detection capability, and user experience. Nessus, owned by Tenable, offers a free version called Nessus Essentials, which is easy to use but limits scanning to 16 hosts. OpenVAS, developed by Greenbone, is more confusing because of its various editions and renamings, but its free editions allow scanning an unlimited number of hosts. Nessus has the more intuitive user interface and identifies more vulnerabilities, though it sometimes produces false positives. The video then shows how each tool performs against an outdated system (a Turnkey Linux Drupal appliance) and against fully patched but unhardened Red Hat, Rocky Linux and Windows servers with deliberately planted misconfigurations. Nessus detected more high and critical vulnerabilities but also reported some false positives, while Greenbone missed certain vulnerabilities but avoided the false positives. The choice depends mainly on the number of hosts to scan: Nessus is recommended for up to 16 hosts and Greenbone for larger networks.

Takeaways

  • πŸ” Vulnerability scanners help find security gaps before hackers do.
  • πŸ› οΈ Nessus and OpenVAS are leading vulnerability scanners with free versions.
  • πŸ” Nessus Essentials limits scanning to 16 hosts, but is user-friendly.
  • πŸ–₯️ OpenVAS allows more extensive host scanning but has a less intuitive interface.
  • βš–οΈ Nessus tends to detect more vulnerabilities but may show false positives.
  • πŸ”§ Greenbone is unlimited in host scans; better for larger networks.
  • πŸ’» OpenVAS/GVM can be run on Kali Linux for long-term use.
  • πŸ“Š In tests, Nessus found more critical vulnerabilities than Greenbone.
  • 🚨 Beware of companies offering vulnerability scans as full penetration tests.
  • πŸ’‘ Understanding and fixing vulnerabilities is key to strong security.

Timeline

  • 00:00:00 - 00:05:00

    The video introduces the importance of vulnerability scanners such as Nessus and OpenVAS (or Greenbone). Vulnerability scanners help identify security gaps before hackers can exploit them. It clarifies the difference between patch scanners, vulnerability scanners, and penetration tests, emphasizing that a vulnerability scanner looks for known problems, whereas penetration testers use creative techniques. The video warns about scammers charging for penetration tests when only running vulnerability scans, then introduces Nessus and OpenVAS, including their history and the differences between their free versions. Nessus Essentials limits scans to 16 hosts but is otherwise feature-rich, while Greenbone offers options like Enterprise Trial and Source Edition without host limits, though with different feed sources for vulnerabilities.

  • 00:05:00 - 00:10:00

    Greenbone's user experience is described as functional but less intuitive than Nessus, which guides users better through scan setup and reports, making it friendlier for novices. The video tests Nessus and Greenbone on an outdated Drupal appliance to compare their detection capabilities. Both identify hundreds of vulnerabilities, but neither is perfect. Greenbone slightly outperforms a standard Nessus scan in terms of coverage, whereas Nessus in paranoid mode detects more vulnerabilities but also reports false positives. The video calls this test a draw: the target was so outdated that the exact counts make no difference to the remediation required.

  • 00:10:00 - 00:19:47

    The video continues testing Nessus and Greenbone on up-to-date systems, including Red Hat, Rocky Linux, and Windows servers, to see if they can detect intentionally introduced misconfigurations. Nessus outperforms Greenbone significantly, discovering vulnerabilities that Greenbone misses, especially high and critical ones. However, Nessus also generates a few false positives, mainly because it has difficulty distinguishing upstream package versions from Red Hat's backported builds (and Rocky Linux's rebuilds of them). The video concludes that for 16 hosts or fewer, Nessus is preferable for its coverage and user experience, while Greenbone suits larger networks because it has no host limit. Either tool is described as a significant improvement over running no vulnerability scanning at all.

Video Q&A

  • What is a vulnerability scanner?

    A vulnerability scanner is a tool that checks devices on your network against a list of known security problems that hackers might exploit. It is distinct from a patch scanner (which only reports missing updates) and from a penetration test (which involves a skilled human looking for less obvious ways in).

  • What are Nessus and OpenVAS?

    Nessus and OpenVAS (also known as Greenbone) are two popular vulnerability scanners, with free versions available for detecting potential security gaps in networks.

  • What is the primary limitation of the free version of Nessus?

    The free version of Nessus, known as Nessus Essentials, is limited to scanning a total of 16 hosts.

  • How does the Greenbone Source Edition differ from the Enterprise Trial?

    Greenbone Source Edition is distributed as open source code and can be installed on another Linux distribution, so it continues to receive platform updates; the Enterprise Trial is a virtual appliance that receives vulnerability definition updates but not updates to the Greenbone platform itself.

  • Which tool has a better user interface according to the video?

    The video suggests that Nessus has a better, more user-friendly interface compared to Greenbone.

  • Which vulnerability scanner detected more actual vulnerabilities in the advanced test setup?

    Nessus detected more actual vulnerabilities in the advanced setup compared to Greenbone, though it did register some false positives.

  • What does the video recommend if you have more than 16 hosts to scan?

    If you have more than 16 hosts to scan, the video recommends using Greenbone, as Nessus Essentials has a limit of 16 hosts.

  • Why does the video mention 'paranoid mode' in Nessus?

    Paranoid mode in Nessus increases the likelihood of detecting more vulnerabilities but also increases the chance of false positives.

  • Can Greenbone run continuously without limitations?

    Yes, you can run Greenbone without limitations on the number of hosts, especially if using the Greenbone Source Edition.

  • What is the key takeaway about vulnerabilities and their exploitable nature?

    The video demonstrates the importance of vulnerability detection by showing how these vulnerabilities can be exploited to completely own a system.

Subtitles
en-GB
  • 00:00:00
    Hackers are really good at finding tiny gaps in your security,
  • 00:00:04
    therefore a great way to protect yourself is for you to find the gaps first!
  • 00:00:08
    That's where vulnerability scanners come in.
  • 00:00:11
    They can automatically assess the devices on your network and find the gaps hackers might try to exploit.
  • 00:00:17
    Two of the most popular tools for this are Nessus and OpenVAS, also known by the name Greenbone.
  • 00:00:23
    Both of them have free versions that anybody can use, so the question is: which should you install?
  • 00:00:30
    Welcome back to the Pro Tech Show!
  • 00:00:32
    Before looking at these two tools, a quick note about what vulnerability scanners are;
  • 00:00:37
    and more to the point, what they are not;
  • 00:00:39
    because some companies are taking advantage of a general lack of knowledge to rip people off.
  • 00:00:44
    Patch scanners are not vulnerability scanners.
  • 00:00:47
    Missing updates can result in vulnerabilities, that's true,
  • 00:00:51
    but not all vulnerabilities can be fixed with an update.
  • 00:00:54
    Many vulnerabilities are not caused by unpatched software, but by poor configuration choices.
  • 00:01:00
    Sometimes an update will be released to fix a vulnerability;
  • 00:01:03
    but because it has the potential to cause issues for legacy systems
  • 00:01:06
    the fix will not be enabled automatically.
  • 00:01:09
    Patch scanners that present missing patches as vulnerabilities
  • 00:01:11
    will tell you it has been resolved as soon as the update is installed,
  • 00:01:15
    but the reality is you're still at risk.
  • 00:01:17
    Another thing that isn't a vulnerability scan is a penetration test,
  • 00:01:21
    although a vulnerability scanner might be used in a pentest.
  • 00:01:24
    A vulnerability scanner is a tool that checks for a list of known problems that hackers can exploit.
  • 00:01:29
    A penetration test involves a skilled human applying their brain to look for less obvious ways in.
  • 00:01:34
    An analogy: a vulnerability scan checks your door is locked,
  • 00:01:38
    your windows are secure, and you haven't left a key under your mat.
  • 00:01:41
    A pentester does that... but also dresses up as a gas man,
  • 00:01:45
    goes to see your neighbour, and asks if they have the spare key because they need to service your meter.
  • 00:01:49
    There are companies out there who are charging people for a full penetration test
  • 00:01:53
    but all they're doing is clicking a button to run an automatic vulnerability scan.
  • 00:01:57
    Be warned, the scammers are out there; but vulnerability scans are what we're concerned with here,
  • 00:02:02
    so when it comes to clicking that button... whose button should you click?
  • 00:02:06
    Let's introduce our two contenders: Nessus and OpenVAS.
  • 00:02:10
    These two are related. In fact the entire vulnerability scanning market is pretty incestuous.
  • 00:02:15
    In the beginning there was Nessus, and it was open source, until it wasn't.
  • 00:02:20
    What happens when an open source project suddenly switches gears and goes proprietary?
  • 00:02:24
    Someone forks it.
  • 00:02:25
    The fork was called GNessUs.
  • 00:02:28
    It was a horrible name and a bit too close to the original, so it got renamed to OpenVAS -
  • 00:02:32
    the Open Vulnerability Assessment Scanner.
  • 00:02:35
    It has since been renamed again to Greenbone Vulnerability Management,
  • 00:02:38
    making reference to Greenbone, the company that develops it;
  • 00:02:41
    but the name OpenVAS is so well known that it still hangs around
  • 00:02:44
    and these days the names Greenbone and OpenVAS get used pretty much interchangeably.
  • 00:02:49
    What might be interesting to know is that although there are lots of other vulnerability scanners out there,
  • 00:02:54
    if you look closely, most of them are actually running OpenVAS under the covers.
  • 00:02:59
    In fact, I could have called this video Nessus Vs.
  • 00:03:02
    Everything,
  • 00:03:03
    and it wouldn't have been all that far from the truth!
  • 00:03:05
    Both Tenable (the company behind Nessus) and Greenbone (the company behind OpenVAS)
  • 00:03:10
    produce commercial products with free versions.
  • 00:03:12
    It's the free versions we're focusing on, so let's compare their limitations.
  • 00:03:17
    Nessus is pretty straightforward.
  • 00:03:18
    The free version is called Nessus Essentials.
  • 00:03:21
    Disregarding the compliance and infrastructure as code scanning features of paid versions,
  • 00:03:25
    and focusing on traditional vulnerability scanning,
  • 00:03:28
    the primary limitation of the free version is that scans are limited to a total of 16 hosts.
  • 00:03:33
    Other than that, you're not really limited in features,
  • 00:03:36
    you just can't scan more than 16 things with it and you won't get free technical support.
  • 00:03:40
    OpenVAS is a little more confusing because they keep renaming things.
  • 00:03:44
    Greenbone Enterprise is the paid version.
  • 00:03:47
    It comes as a physical or virtual appliance,
  • 00:03:49
    and is a self-contained Linux distribution with commercial support.
  • 00:03:52
    There are two free editions.
  • 00:03:54
    The Greenbone Enterprise Trial is a virtual appliance based on Greenbone Enterprise.
  • 00:03:59
    The Trial version receives vulnerability definitions from the Greenbone Community Feed,
  • 00:04:03
    but not the Greenbone Enterprise Feed.
  • 00:04:06
    The Enterprise Feed adds detections for more products,
  • 00:04:08
    though what is and isn't included in the Community Feed seems a bit inconsistent.
  • 00:04:13
    Officially, the Community Feed covers "home application products"
  • 00:04:17
    and the Enterprise Feed covers "enterprise products",
  • 00:04:19
    but the Community Feed has detected plenty of server vulnerabilities
  • 00:04:23
    so I guess the developers think most people run servers at home?
  • 00:04:26
    I suppose the kind of people who run vulnerability scanners may well do,
  • 00:04:29
    but hey, a lot of what I run at home would be considered to be part of the Enterprise Feed,
  • 00:04:33
    so I have no idea where the line is here.
  • 00:04:35
    The Enterprise Trial edition has one more limitation to be aware of.
  • 00:04:38
    Although it receives updates for vulnerability definitions,
  • 00:04:42
    the Greenbone platform itself does not receive updates.
  • 00:04:45
    Ironically, over time, your Greenbone Enterprise Trial appliance will itself become a vulnerability.
  • 00:04:52
    Besides that, you can run it indefinitely.
  • 00:04:54
    You can get a time-limited trial of the Enterprise Feed,
  • 00:04:57
    but the appliance itself will run forever using the Community Feed
  • 00:05:01
    with no limit on the number of hosts you can scan.
  • 00:05:03
    There is another free edition, though, and that's Greenbone Source Edition.
  • 00:05:07
    The Source Edition is distributed as open source code.
  • 00:05:10
    It's basically the same as the Enterprise Trial,
  • 00:05:12
    but instead of being an appliance you can install it on another distro
  • 00:05:15
    and you don't have any issues with installing updates.
  • 00:05:18
    In terms of limitations: it uses the Community Feed
  • 00:05:21
    and there is no binary version provided,
  • 00:05:23
    so you have to either compile the code yourself
  • 00:05:25
    or use a distro that already does so.
  • 00:05:27
    Kali Linux is a good option.
  • 00:05:29
    They provide Greenbone Source Edition binaries within their standard repos,
  • 00:05:32
    and that's what I used for this video.
  • 00:05:34
    To confuse matters, you may also come across the Greenbone Community Edition.
  • 00:05:38
    Community Edition is what the Enterprise Trial used to be called.
  • 00:05:42
    They renamed it to better reflect the intention of it being a trial for the commercial product.
  • 00:05:46
    The problem is that when links to Community Edition suddenly redirected to Enterprise Trial
  • 00:05:51
    people got the wrong idea and thought Greenbone had done a Nessus and closed the source.
  • 00:05:55
    To clear up the confusion the name Community Edition has been resurrected,
  • 00:05:59
    but now it's an alternative name for the Source Edition.
  • 00:06:02
    But this means that depending on what link you follow,
  • 00:06:05
    something called Community Edition might take you to either the Enterprise Trial or to the Source Edition.
  • 00:06:11
    If you want to test Greenbone, the quickest way to get up and running is to download the Enterprise Trial.
  • 00:06:16
    If you want to run it long-term as your vulnerability scanner of choice
  • 00:06:19
    I'd instead recommend downloading Kali Linux and installing the source version from the repo.
  • 00:06:24
    That way you aren't locked out of platform updates, and you don't have to compile anything yourself.
  • 00:06:28
    Ok, now we know what's what, let's take a look at the user experience.
  • 00:06:32
    This one is a pretty clear win for Nessus in my book.
  • 00:06:35
    Greenbone's user interface is best described as "functional".
  • 00:06:39
    I mean it works, it's just not going to win any beauty competitions.
  • 00:06:42
    How much does this matter though?
  • 00:06:44
    Well, there's an element of personal preference here.
  • 00:06:46
    It works, and it provides the same information;
  • 00:06:49
    but Nessus does a better job of walking you through the setup of a scan,
  • 00:06:53
    with the options presented in a logical and digestible way.
  • 00:06:55
    With Greenbone, they're all there, somewhere, possibly in a different part of the interface,
  • 00:07:00
    or in a massive list of text.
  • 00:07:02
    Once you've run a scan, it's a similar story.
  • 00:07:05
    Both give you the same information, and both have ways to create and save filters.
  • 00:07:09
    Nessus does a few things more nicely, like grouping similar vulnerabilities together
  • 00:07:13
    and pulling out some remediation actions.
  • 00:07:15
    With Nessus, it's easier for a novice to spot the low-hanging fruit
  • 00:07:18
    that you probably want to tackle first after running a scan.
  • 00:07:21
    Although Greenbone is perfectly functional, the interface is dated and less easy to use.
  • 00:07:25
    Moving on from ease of use, how good are they at detecting vulnerabilities?
  • 00:07:30
    I have a couple of different scenarios to test this.
  • 00:07:32
    The first is what I'm going to call the "kill it with fire" scenario.
  • 00:07:36
    For this, I've downloaded the Turnkey Linux Drupal appliance.
  • 00:07:39
    This is a prepackaged LAMP stack with Drupal installed.
  • 00:07:42
    Basically, you mount or burn an ISO, run through a simple install wizard,
  • 00:07:46
    and you have a server running Drupal.
  • 00:07:48
    It's designed to get you up and running with minimal effort and minimal knowledge.
  • 00:07:52
    The version I've downloaded is an old one.
  • 00:07:54
    It's several years out of date and uses an end-of-life version of Drupal
  • 00:07:58
    running on an end-of-life version of Debian.
  • 00:08:01
    From a security perspective, it's a mess.
  • 00:08:04
    Sadly, this is something I do come across,
  • 00:08:06
    either because the web developer doesn't know anything about the platform their site runs on,
  • 00:08:10
    other than they click a button and website happens;
  • 00:08:12
    or because they handed over a perfectly functioning system to someone who never bothered to maintain it.
  • 00:08:17
    Pointing Nessus and Greenbone at this appliance turns up literally hundreds of vulnerabilities.
  • 00:08:22
    They use a similar scoring system to rate the severity of the vulnerabilities,
  • 00:08:25
    but Greenbone doesn't have a critical category.
  • 00:08:28
    A 10 out of 10 is still discounted as "high".
  • 00:08:30
    Looking at the raw numbers, you might think Nessus has performed better.
  • 00:08:33
    But in a case like this, the raw numbers don't really matter.
  • 00:08:37
    Whether your end-of-life Drupal install has 20 high severity vulnerabilities or 40
  • 00:08:42
    doesn't make any difference to the action you need to take.
  • 00:08:44
    What's more interesting is the types of vulnerabilities each product has detected,
  • 00:08:48
    so let's break those down.
  • 00:08:50
    From the results here it's clear that neither solution was perfect,
  • 00:08:53
    with each missing a few items, although Greenbone did manage marginally better in terms of coverage.
  • 00:08:57
    I should note that Greenbone did log the untrusted SSL certificate,
  • 00:09:00
    but it didn't consider it to be a problem.
  • 00:09:02
    Nessus is working with its hands tied a little though.
  • 00:09:05
    We can change this option to have it run in paranoid mode.
  • 00:09:08
    That improves your chances of detecting vulnerabilities
  • 00:09:11
    but it does increase the likelihood of false positives.
  • 00:09:14
    If we do that, it finds a bunch more vulnerabilities,
  • 00:09:17
    but these ones are incorrect.
  • 00:09:19
    These are false positives. The target is not actually vulnerable to them.
  • 00:09:23
    For this test, I'd call it a draw.
  • 00:09:25
    Greenbone performed slightly better than the standard Nessus scan, but it's close.
  • 00:09:30
    Nessus outperformed Greenbone in terms of real detections when running in paranoid mode,
  • 00:09:34
    but it did so at the cost of introducing false positives.
  • 00:09:37
    Let's be honest though: this one was a sitting duck.
  • 00:09:40
    You're not going to run a vulnerability scan on something like this to find out if it's vulnerable.
  • 00:09:45
    You're either doing it because you've inherited a network and don't know what's on it,
  • 00:09:48
    or to gather evidence to convince management that they really need to spend some money.
  • 00:09:53
    Our next test is going to be more of a challenge.
  • 00:09:56
    It consists of a Red Hat server, a Rocky Linux server, and a Windows server;
  • 00:10:00
    all configured as a basic web and database stack.
  • 00:10:03
    Unlike the Drupal box, these are all running the latest versions of their respective software,
  • 00:10:07
    and I've installed all available patches from their native update service -
  • 00:10:11
    DNF in Rocky and RHEL's case, and Windows Update in the other.
  • 00:10:14
    I haven't performed any configuration to harden these servers, though;
  • 00:10:17
    and this is where vulnerability scanners are really useful.
  • 00:10:21
    A lot of admins would deploy this, run the updater, and consider it job done;
  • 00:10:25
    but is there more I could do to secure it?
  • 00:10:27
    Are the out-of-the-box defaults good enough?
  • 00:10:30
    What if I brought a few bad habits to the configuration?
  • 00:10:33
    To test our scanners I've added a few settings that are not good practice and will introduce vulnerabilities.
  • 00:10:38
    On Windows I've disabled Network Level Authentication for Remote Desktop,
  • 00:10:43
    which isn't exploitable itself,
  • 00:10:44
    but it does remove a layer of protection that may make other vulnerabilities easier to attack.
  • 00:10:49
    Another thing I've done is I've edited the SQL Express service's executable path to remove the quotes.
  • 00:10:55
    The reason for the quotes is to make it clear that this is a single string of text and the spaces are part of it.
  • 00:11:01
    If I remove the quotes, it will still work, but only because Windows has a guess at it.
  • 00:11:05
    Taken literally, this actually means
  • 00:11:07
    "Run a file called program, located on the C drive, and give it this as a list of parameters."
  • 00:11:12
    There is no file called program, so Windows assumes it's a mistake and figures out the correct path;
  • 00:11:17
    but if I did manage to place a file on the C drive called "program.exe"
  • 00:11:22
    that would be more correct; and Windows would run it instead,
  • 00:11:26
    under the identity of and with any privileges held by the service account.
  • 00:11:30
    The SQL service was configured correctly
  • 00:11:32
    but this is actually a common problem when software gets installed without adding the quotes
  • 00:11:36
    because the vendor wasn't paying due attention.
  • 00:11:38
    The software works, but it introduces a privilege escalation vulnerability.
  • 00:11:43
    On the Red Hat server I'm adding a similar and also very common misconfiguration.
  • 00:11:47
    I'm adding a cron job that calls DNF.
  • 00:11:49
    This is a fairly pointless cron job given DNF Automatic and makecache exist.
  • 00:11:53
    It's just an example.
  • 00:11:55
    The mistake is I have not provided an absolute path to the DNF executable.
  • 00:11:59
    It should be this.
  • 00:12:01
    Without the full path, how does Linux know where to find the file?
  • 00:12:05
    The answer, as many of you will know, is it searches the directories in the PATH environment variable.
  • 00:12:10
    Just like the Windows service account, this is imprecise;
  • 00:12:14
    and it introduces an opportunity for privilege escalation.
  • 00:12:17
    If an attacker can slip a file with the same name into a folder that's earlier in the search path than the real one,
  • 00:12:22
    then Linux will run it.
  • 00:12:23
    This last little misconfiguration I've added is setting the SUID permission on the "find" file.
  • 00:12:28
    The SUID permission, short for Set owner User ID,
  • 00:12:31
    causes the file to execute under the user context of the file's owner rather than the person who actually ran it.
  • 00:12:38
    There are times this can be useful, and several executables on a typical Linux system rely on it,
  • 00:12:43
    but you need to be really careful with it because it effectively grants temporary permissions you wouldn't otherwise have.
  • 00:12:50
    Setting it on the "find" file might appear harmless.
  • 00:12:52
    If you forget to run "find" with sudo, it might throw loads of permissions errors.
  • 00:12:56
    It's owned by root, so SUID lets it run as root;
  • 00:12:59
    and you're just looking for files, you're not executing anything... right?
  • 00:13:04
    Well, "find" can be manipulated to spawn a shell; and that shell keeps the permissions of the user running "find".
  • 00:13:11
    "Find" with SUID set runs as root, so now an unprivileged user account has a way to access a root shell and take control of the system.
  • 00:13:18
    That's why this is bad.
  • 00:13:20
    The final trap we've set for our vulnerability scanners is Rocky Linux.
  • 00:13:24
    Rocky is a RHEL rebuild. It's built from the source code of Red Hat Enterprise Linux, so it should be the same.
  • 00:13:29
    One of the challenges of looking for vulnerabilities on Linux is that the same version of the same program on different distributions can be different.
  • 00:13:37
    Red Hat, for example, will often backport security fixes to older versions of software the original owner has stopped supporting.
  • 00:13:43
    So the public instance of application X version Y might have a vulnerability, but application X version Y distributed by Red Hat could be perfectly safe.
  • 00:13:52
    Vulnerability scanners therefore need to not only look at the software that's installed on Linux, but also take into account its origin.
  • 00:13:58
    Is this the original version, or is it Red Hat's version?
  • 00:14:02
    Red Hat has been around for nearly 30 years and is very well supported by vendors.
  • 00:14:07
    Rocky Linux has only been around for a couple of years, so although they're effectively the same there's a higher chance a vulnerability scanner might not pick up on it and could generate a false positive result.
  • 00:14:18
    How did our two contenders fare?
  • 00:14:20
    This time around, Nessus has found considerably more vulnerabilities than Greenbone.
  • 00:14:23
    Perhaps more importantly, it found high and critical vulnerabilities that Greenbone missed.
  • 00:14:27
    The numbers don't tell all though, so let's take a closer look at what each of them found.
  • 00:14:32
    First, the highs and criticals.
  • 00:14:33
    Nessus has found a bunch of vulnerabilities in SQL Express.
  • 00:14:37
    This is accurate.
  • 00:14:38
    I ran Windows Update, but the patches for SQL were not distributed by Windows Update.
  • 00:14:42
    This is a very common issue I come across in the real world.
  • 00:14:46
    A lot of applications automatically install SQL Express as a dependency.
  • 00:14:50
    When the admin runs Windows Update, it doesn't get patched.
  • 00:14:53
    When they patch the application that installed it, it doesn't update SQL either.
  • 00:14:57
    There are a lot of unpatched SQL Express instances on production systems for this reason.
  • 00:15:03
    The next high severity vulnerability Nessus has found is an unquoted service path.
  • 00:15:07
    That's a vulnerability I introduced by removing the quotes on the SQL service executable path.
  • 00:15:12
    The next one: WinVerifyTrust Signature Validation.
  • 00:15:15
    This is one of those opt-in fixes.
  • 00:15:17
    The update to resolve this vulnerability was released years ago and is included in current versions of Windows out-of-the-box;
  • 00:15:22
    but unless you set a registry value to explicitly activate it, the system will remain vulnerable.
  • 00:15:28
    The Sweet32 detection means you're using weak encryption.
  • 00:15:31
    Both this and the last one are there for compatibility reasons.
  • 00:15:34
    Fixing them might break something, so Windows leaves it up to you.
  • 00:15:38
    Unfortunately, most people don't know these are even a thing, so they remain vulnerable.
  • 00:15:42
    Now we're into medium severity detections and we have a couple picked up by Greenbone but not Nessus.
  • 00:15:47
    Both of these I will dispute, however.
  • 00:15:49
    The keyboard execution one is basically saying you can plug in a keyboard and use it to type.
  • 00:15:55
    Yeah, really?
  • 00:15:56
    That's kind of the point of a keyboard.
  • 00:15:58
    It's not entirely stupid.
  • 00:16:00
    What it's getting at is that it's vulnerable to plug-in devices like a USB Rubber Ducky that emulates a keyboard to send malicious keystrokes.
  • 00:16:07
    The suggested solution is to whitelist specific models of keyboard and have it block every other model,
  • 00:16:13
    but this isn't the most practical suggestion for most people.
  • 00:16:15
    Even if you went to the effort of manually whitelisting every single model of keyboard you might ever need to use,
  • 00:16:21
    and never use anything else, this is a highly targeted attack.
  • 00:16:25
    It requires a physical device to be plugged in.
  • 00:16:28
    These things cost money.
  • 00:16:29
    You can't just blind fire millions of them like a spam email.
  • 00:16:32
    If you're going to go to the effort of using one of these to attack someone
  • 00:16:35
    I don't think it's a stretch to say you could find out a model of keyboard they have and tell it to emulate that.
  • 00:16:40
    I don't consider the ability to plug in and use a keyboard a useful vulnerability detection.
  • 00:16:45
    It's normal functionality and the suggested mitigation is tenuous.
  • 00:16:48
    The next one has similar issues.
  • 00:16:50
    It's possible to enumerate RPC services remotely.
  • 00:16:53
    Without going too deep: yes, that's how they work.
  • 00:16:57
    I would agree it's an issue if it's accessible from the internet.
  • 00:17:00
    It can't be exploited, but it does give away information that a hacker could use to help shape their attack plan.
  • 00:17:06
    On an internal network, though; if you block this on a Windows server you basically block it from doing its job or being managed correctly.
  • 00:17:13
    It's a by-design function.
  • 00:17:16
    Nessus does pick up on this, but it logs it as an informational event.
  • 00:17:19
    It doesn't consider it a vulnerability, and unless it's exposed to the internet neither do I.
  • 00:17:23
    Next, both Greenbone and Nessus detect the HTTP TRACE function in Apache as a vulnerability.
  • 00:17:28
    Apache disputes this.
  • 00:17:29
    They say it's a valid part of the HTTP specification and you can't exploit the server using it.
  • 00:17:35
    They're right.
  • 00:17:35
    The abuse of this function actually has more to do with badly configured load balancers or weaknesses on old web browsers.
  • 00:17:41
    It's not Apache's fault, but disabling this function can reduce the overall risk to your network,
  • 00:17:46
    and it's highly unlikely you actually need it in a production system, so I'm ruling in favour of the vulnerability scanners on this one.
  • 00:17:52
    Whizzing through the next few medium detections, most of them are fairly non-controversial.
  • 00:17:57
    This one I'd probably argue should be a low, as it's not exploitable and more indicative that there may be incomplete configuration.
  • 00:18:03
    This one is detected by Greenbone, but as a log event. It's not considered a vulnerability.
  • 00:18:08
    My opinion is that if it's exposed to end users or the internet, it's a problem.
  • 00:18:13
    If it's only accessible from a privileged location such as localhost when logged onto a server, it's less of an issue, but I'd still keep it as a low in that case.
  • 00:18:20
    These detections are false positives.
  • 00:18:22
    Greenbone has managed to avoid them, whereas Nessus has a couple even on its standard scan.
  • 00:18:27
    Nessus did fall for the Rocky Linux trap.
  • 00:18:30
    The Apache vulnerabilities it found were because it compared to the public version of Apache instead of the Red Hat version used by Rocky.
  • 00:18:36
    The other two were a similar story, but it misdetected them on both Red Hat and Rocky.
  • 00:18:41
    Of my planted configuration issues, Greenbone missed all of them.
  • 00:18:45
    Nessus found the unquoted service path and the disabled Network Level Authentication on Windows, but it missed the SUID permission and the ambiguous cron job on Linux.
  • 00:18:54
    Neither is perfect, but I'd prefer to trade a couple of false positives for the additional vulnerabilities detected by Nessus in this example.
  • 00:19:01
    Overall, I'd look at it like this:
  • 00:19:03
    do you have more than 16 hosts?
  • 00:19:05
    If you don't, Nessus seems to provide the most coverage and the best user experience when comparing the free versions.
  • 00:19:12
    If you have more than 16 hosts, Nessus will hit a hard stop, but you can keep on using Greenbone as far as you want.
  • 00:19:19
    Of course, either of these options is much better than doing nothing.
  • 00:19:22
    You might be surprised at how many problems they find, and if you're not really convinced that vulnerabilities like this actually matter
  • 00:19:29
    I'll show you exactly why you need to care about it in this video, where I actively exploit one of them and completely own a target system.
  • 00:19:38
    You don't want this to be you, but you do want to like the video and subscribe to the channel;
  • 00:19:42
    and let me know in the comments if you want a deeper dive into either of these tools.
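
The three misconfigurations the presenter plants (an unquoted SQL Express service path on Windows, a root cron job that calls dnf without an absolute path, and the SUID bit set on find) are exactly the kind of thing a scanner is expected to flag, and the results show Nessus catching the first but both products missing the Linux two. As an added example that is not part of the video or of either product, the following Python audit checks for each of them. The service ImagePath strings, the crontab text and the file listing are constructed for the example, and the EXPECTED_SUID baseline and all function names are assumptions you would tune to your own environment.

```python
"""Offline audit for three planted misconfigurations: an unquoted Windows
service path, a cron job that relies on PATH lookup, and an unexpected SUID
executable. Sample data is constructed; helper names and the expected-SUID
baseline are assumptions for this example."""
import re
import stat
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass
class Finding:
    check: str   # which check raised it: 'service', 'cron' or 'suid'
    item: str    # the offending path or command
    reason: str


# --- 1. Unquoted service paths (Windows ImagePath values) -------------------
def unquoted_service_path(image_path: str) -> bool:
    """True when the executable part of an ImagePath contains a space but is
    not wrapped in quotes. Windows then tries each space-delimited prefix in
    turn, so a planted C:\\Program.exe would win over the intended binary."""
    value = image_path.strip()
    if value.startswith('"'):
        return False                               # executable explicitly delimited
    match = re.match(r'(?i)(.*?\.exe)', value)     # path up to the first .exe
    executable = match.group(1) if match else value
    return ' ' in executable


# --- 2. Cron commands resolved via PATH -----------------------------------
def cron_jobs_without_absolute_path(crontab_text: str, system_crontab: bool = False) -> List[Finding]:
    """Flag entries whose command is a bare name (e.g. 'dnf') rather than an
    absolute path. system_crontab=True skips the extra user field found in
    /etc/crontab and /etc/cron.d files."""
    findings = []
    for lineno, raw in enumerate(crontab_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#') or re.match(r'^\w+=', line):
            continue                               # blank, comment or VAR=value line
        fields = line.split()
        cmd_start = 1 if line.startswith('@') else 5   # '@daily cmd' vs 'm h dom mon dow cmd'
        if system_crontab:
            cmd_start += 1
        if len(fields) <= cmd_start:
            continue
        if not fields[cmd_start].startswith('/'):
            findings.append(Finding('cron', ' '.join(fields[cmd_start:]),
                                    f'line {lineno}: command located via PATH search'))
    return findings


# --- 3. Root-owned SUID executables outside the expected baseline ----------
EXPECTED_SUID = {  # assumption: adjust to your distribution's real baseline
    '/usr/bin/passwd', '/usr/bin/sudo', '/usr/bin/su', '/usr/bin/newgrp',
    '/usr/bin/chsh', '/usr/bin/chfn', '/usr/bin/gpasswd', '/usr/bin/mount',
    '/usr/bin/umount',
}


def unexpected_suid(entries: Iterable[Tuple[str, int, int]], expected=EXPECTED_SUID) -> List[Finding]:
    """entries are (path, st_mode, st_uid) tuples, the same shape os.lstat()
    yields on a real host; flags root-owned SUID files not in the baseline."""
    return [Finding('suid', path, 'root-owned SUID executable not in baseline')
            for path, mode, uid in entries
            if mode & stat.S_ISUID and uid == 0 and path not in expected]


# --- Constructed sample inputs --------------------------------------------
SAMPLE_SERVICES = {  # made-up ImagePath values, not read from a real registry
    'MSSQL$SQLEXPRESS': r'C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\Binn\sqlservr.exe -sSQLEXPRESS',
    'MSSQL$QUOTED': r'"C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS',
    'Dhcp': r'C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted',
}
SAMPLE_CRONTAB = """\
# constructed root crontab
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
0 3 * * * dnf -y makecache
30 3 * * * /usr/bin/dnf -y upgrade --refresh
@daily certbot renew
"""
SAMPLE_FILES = [  # (path, st_mode, st_uid) as os.lstat would report them
    ('/usr/bin/passwd', 0o104755, 0),   # SUID, expected
    ('/usr/bin/find', 0o104755, 0),     # SUID planted on find: should be flagged
    ('/usr/bin/ls', 0o100755, 0),       # no SUID bit
]


def audit() -> List[Finding]:
    """Run all three checks over the constructed samples."""
    findings = [Finding('service', f'{name}: {path}', 'unquoted path containing spaces')
                for name, path in SAMPLE_SERVICES.items() if unquoted_service_path(path)]
    findings += cron_jobs_without_absolute_path(SAMPLE_CRONTAB)
    findings += unexpected_suid(SAMPLE_FILES)
    return findings


if __name__ == '__main__':
    for f in audit():
        print(f'[{f.check}] {f.item} -- {f.reason}')
```

On a real host you would feed `unquoted_service_path` the ImagePath values exported from the services registry hive, `cron_jobs_without_absolute_path` the output of `crontab -l` (or the files under /etc/cron.d with `system_crontab=True`), and `unexpected_suid` the `(path, st_mode, st_uid)` triples from `os.lstat` over the bin directories. The SUID check deliberately compares against an explicit baseline rather than treating every SUID file as a finding, because several binaries on a normal Linux system legitimately rely on it.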
Tags
  • vulnerability scanner
  • Nessus
  • OpenVAS
  • Greenbone
  • security
  • network security
  • cybersecurity tools
  • patch scanner
  • penetration test