Nessus Credential Checks for Unix and Windows
Configuring Nessus for Windows Logins

Nessus User Interface

Open a web browser and connect to the Nessus scanner user interface (https://localhost:8834/nessus6.html) as seen above, and click the Policies tab. Create a new policy or edit an existing policy and select the Credentials menu on the top.

Copyright 2014 Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable Network Security, Inc.

Select Windows from the Host drop-down menu on the left as shown below.

[Screenshot: New Policy / Advanced Scan, Credentials > Host > Windows. Active credentials: Username, Authentication method (Password), Password, Domain. Global Settings: Never send credentials in the clear; Do not use NTLMv1 authentication; Start the Remote Registry service during the scan; Enable administrative shares during the scan.]

Specify the SMB account name, password and optional domain. Note that if you choose LM Hash or NTLM Hash, you must provide the hash instead of the password.
The NTLM authentication method, introduced with Windows NT, provided improved security over Lanman authentication. However, the enhanced version, NTLMv2, is cryptographically more secure than NTLM and is the default authentication method chosen by Nessus when attempting to log into a Windows server.

SMB Signing

SMB signing is a cryptographic checksum applied to all SMB traffic to and from a Windows server. Many system administrators enable this feature on their servers to ensure that remote users are 100% authenticated and part of a domain. It is automatically used by Nessus if it is required by the remote Windows server.

SPNEGO

The SPNEGO (Simple and Protected Negotiate) protocol provides Single Sign On (SSO) capability from a Windows client to a variety of protected resources via the user's Windows login credentials. Nessus supports use of SPNEGO with either NTLMSSP with LMv2 authentication or Kerberos and RC4 encryption. SPNEGO authentication happens through NTLM or Kerberos authentication and nothing needs to be configured in the Nessus policy.

Kerberos

Nessus also supports the use of Kerberos authentication in a Windows domain. To configure this, the IP address of the Kerberos Domain Controller (actually the IP address of the Windows Active Directory Server) mus
Here you will add the Nessus Local Access group to the Nessus Scan GPO policy and put them in the groups you wish them to use.
• Right click Nessus Scan GPO Policy, then select Edit.
• Expand Computer configuration > Policies > Windows Settings > Security Settings > Restricted Groups.
• In the left pane on Restricted Groups, right click and select Add Group.
• In the Add Group dialog box, select browse and type Nessus Local Access, and then click Check Names.
• Click OK twice to close the dialog box.
• Click Add under This group is a member of:
• Add the Administrators Group.
• Click OK twice.

Step 4: Ensure proper ports are open in the firewall for Nessus to connect to the host

Nessus uses SMB (Server Message Block) and WMI (Windows Management Instrumentation). For this we need to make sure that the Windows Firewall will allow access to the system.

Allowing WMI on Windows Vista, 7, 8, 2008, 2008R2 and 2012 Windows Firewall
• Right click Nessus Scan GPO Policy, then select Edit.
• Expand Computer configuration > Policies > Windows Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security > Inbound Rules.
• Right click in the working area and choose New Rule.
• Choose the Predefined option and select Windows Managem
If an SSH known_hosts file is available and provided as part of the Global Settings of the scan policy in the known_hosts file field, Nessus will only attempt to log into hosts in this file. This can ensure that the same username and password you are using to audit your known SSH servers is not used to attempt a log into a system that may not be under your control.

The most effective credentialed scans are those when the supplied credentials have root privileges. Since many sites do not permit a remote login as root, Nessus users can invoke su or sudo with a separate password for an account that has been set up to have su or sudo privileges.

An example screen capture of using sudo in conjunction with SSH keys follows. For this example, the user account is audit, which has been added to the /etc/sudoers file on the system to be scanned. The password provided is the password for the audit account, not the root password. The SSH keys correspond with keys generated for the audit account.

[Screenshot: SSH credentials form. Username: audit; Authentication method: Private key (my_private_key; the form notes that only RSA and DSA OpenSSH keys are supported); Elevate privileges with: sudo; sudo user; sudo password; Location of sudo (directory). Global Settings: known_hosts file (Add File); Preferred port; Client version: OpenSSH_5.0.]

If you are using Kerberos, y
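The known_hosts allow-list behaviour described above, as an added example that is not Tenable's code: Python that reproduces how a known_hosts line names a host (plain and comma-separated names, OpenSSH wildcards and '!' negation, '[host]:port' for non-default ports, and the hashed '|1|salt|hash' form written by ssh-keygen -H) and splits a target list into hosts the file permits and hosts it does not. The known_hosts content, salt and key blobs are constructed placeholders.

```python
import base64
import fnmatch
import hashlib
import hmac


def host_token(host, port=22):
    """known_hosts names a host as 'host' on port 22 and as '[host]:port' on any other port."""
    return host if port == 22 else "[%s]:%d" % (host, port)


def hashed_known_host(token, salt):
    """Build the '|1|salt|hash' hostname field ssh-keygen -H writes: HMAC-SHA1 over the token, keyed with the salt."""
    mac = hmac.new(salt, token.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def _glob(token, pattern):
    # OpenSSH host patterns know only '*' and '?'; escape '[' so fnmatch does not read '[host]:port' as a character class.
    return fnmatch.fnmatchcase(token, pattern.replace("[", "[[]"))


def field_matches(hosts_field, token):
    """Does the first field of a known_hosts line cover this token?"""
    if hosts_field.startswith("|1|"):
        parts = hosts_field.split("|")
        if len(parts) != 4:
            return False
        try:
            salt, want = base64.b64decode(parts[2]), base64.b64decode(parts[3])
        except ValueError:
            return False
        got = hmac.new(salt, token.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(got, want)
    names = hosts_field.split(",")
    # A '!name' pattern vetoes the whole line for that host, even if another pattern on the line matches.
    if any(n.startswith("!") and _glob(token, n[1:]) for n in names):
        return False
    return any(not n.startswith("!") and _glob(token, n) for n in names)


def allowed_targets(known_hosts_text, targets):
    """Split (host, port) targets into (allowed, skipped): only hosts named in known_hosts are allowed."""
    fields = []
    for line in known_hosts_text.splitlines():
        line = line.strip()
        # Assumption: '@cert-authority' / '@revoked' marker lines are not counted as permitted hosts.
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        fields.append(line.split(None, 1)[0])
    allowed, skipped = [], []
    for host, port in targets:
        token = host_token(host, port)
        (allowed if any(field_matches(f, token) for f in fields) else skipped).append((host, port))
    return allowed, skipped


SALT = b"\x01" * 20  # constructed; ssh-keygen -H uses 20 random bytes
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts for this example; the key blobs are placeholders, not real keys",
    "192.0.2.10,db01.example.net ssh-rsa AAAAB3NzaC1yc2EplaceholderBlob",
    hashed_known_host("192.0.2.11", SALT) + " ssh-rsa AAAAB3NzaC1yc2EplaceholderBlob",
    "[192.0.2.12]:2222 ssh-dss AAAAB3NzaC1kc3MplaceholderBlob",
    "10.0.0.*,!10.0.0.13 ssh-rsa AAAAB3NzaC1yc2EplaceholderBlob",
])
TARGETS = [
    ("192.0.2.10", 22), ("192.0.2.11", 22), ("192.0.2.12", 2222), ("192.0.2.12", 22),
    ("10.0.0.5", 22), ("10.0.0.13", 22), ("198.51.100.7", 22),
]

if __name__ == "__main__":
    ok, not_ok = allowed_targets(SAMPLE_KNOWN_HOSTS, TARGETS)
    print("will attempt login:", ok)
    print("not in known_hosts, skipped:", not_ok)
```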
[Screenshot continued: Miscellaneous menu also lists VMware ESX SOAP API and X.509. Active credentials: VMware vCenter SOAP API: vCenter Host, vCenter Port (443), Username (REQUIRED), Password, HTTPS, Verify SSL Certificate.]

Specify the VMware ESXi user name, password, enable or disable HTTPS, and check whether or not you wish to verify the SSL certificate of the VMware ESXi server if using HTTPS.

At this point, click on Save at the bottom of the window and configuration will be complete. The new scan policy will be added to the list of managed scan policies.

For more details on scanning virtual machines, see the Tenable document Nessus and Scanning Virtual Machines.

Detecting when Credentials Fail

If you are using Nessus to perform credentialed audits of Unix or Windows systems, analyzing the results to determine if you had the correct passwords and SSH keys can be difficult. Nessus users can now easily detect if their credentials are not working. Tenable has added Nessus plugin ID 21745 to the Settings plugins family. This plugin detects if either SSH or Windows credentials did not allow the scan to log into the remote host. When a login is successful, this plugin does not produce a result.

The following is an example report that was produced from trying to log into
2008R2 and 2012 Windows Firewall (p. 16)
Linking GPO (p. 16)
Configuring Windows 2008, Vista and 7 (p. 16)
Configuring Nessus for Windows Logins (p. 17)
Nessus User Interface (p. 17)
Configuring Nessus for VMware ESXi and vCenter Local Security Checks (p. 20)
Nessus User Interface (p. 20)
Detecting when Credentials Fail (p. 22)
Troubleshooting (p. 22)
Why should I secure my scanner? (p. 24)
What does it mean to lock down a scanner? (p. 24)
Secure Implementation of Unix SSH Audits
a remote machine with the incorrect username or password with Nessus.

[Screenshot: Credentialed scan, Current Results, November 12, 2014. Hosts > 172.x.x.x (redacted) > Vulnerabilities: Authentication Failure - Local Checks Not Run. Plugin Details: ID 21745; Version/Revision 1.17; Severity Info; Family Settings; Published 2006/06/23; Modified 2013/05/23; Risk Factor None; Port/Hosts N/A. Description: Local security checks have been disabled for this host because either the credentials supplied in the scan policy did not allow Nessus to log into it or some other problem occurred. Solution: Address the problem(s) so that local security checks are enabled. Output: It was not possible to log into the remote host via smb (invalid credentials).]

Troubleshooting

Q. How do we know if the local scan is working?
A. Unless you have a 100% patched server, any local scan will likely return some sort of patch information. Depending on the operating system, it will also return a variety of information audits. It may also be useful to take Nessus out of the equation and test to make sure that the accounts and networks are configured correctly. Using the simple Unix command id, from the Nessus scanner run the following command:

ssh -i /home/test/nessus/ssh_key nessus@192.1.1.44 id
Configuring Nessus for SSH Host-Based Checks (p. 10)
Nessus User Interface (p. 10)
Using SSH Credentials with the Tenable SecurityCenter (p. 13)
Credentialed Checks on Windows Platforms (p. 14)
Enabling Windows Logins for Local and Remote Audits (p. 14)
Configuring a Local Account (p. 14)
Configuring a Domain Account for Authenticated Scanning (p. 15)
Step 1: Creating a Security Group (p. 15)
Step 2: Create Group Policy (p. 15)
Step 3: Configure the policy to add the Nessus Local Access group as Administrators (p. 15)
Step 4: Ensure proper ports are open in the firewall for Nessus to connect to the host (p. 16)
Allowing WMI on Windows Vista, 7, 8, 2008,
from local attacks or configuration settings that could expose the system to external attacks that may not be detected from an external scan. In a typical network vulnerability assessment, a remote scan is performed against the external points of presence and an onsite scan is performed from within the network. Neither of these scans can determine local exposures on the target system. Some of the information gained relies on the banner information displayed, which may be inconclusive or incorrect. By using secured credentials, the Nessus scanner can be granted local access to scan the target system without requiring an agent. This can facilitate scanning of a very large network to determine local exposures or compliance violations.

The most common security problem in an organization is that security patches are not applied in a timely manner. A Nessus credentialed scan can quickly determine which systems are out of date on patch installation. This is especially important when a new vulnerability is made public and executive management wants a quick answer regarding the impact to the organization.

Another major concern for organizations is to determine compliance with site policy, industry standards such as the Center for Internet Security (CIS) benchmarks, or legislation such as Sar
policy or edit an existing policy and select the Credentials menu on the top.

Note that communication between the Nessus server and the VMware ESXi and vCenter server uses the native SOAP API.

For running local security checks on ESXi, select VMware ESX SOAP API from the Miscellaneous drop-down menu at the top as shown below.

[Screenshot: New Policy / Advanced Scan, Credentials > Miscellaneous (IBM iSeries, Palo Alto Networks PAN-OS, VMware vCenter SOAP API, X.509). Active credentials: VMware ESX SOAP API: Username, Password, Do not verify SSL Certificate.]

Specify the VMware ESXi user name, password, and check whether or not you wish to verify the SSL certificate of the VMware ESXi server.

For running local security checks on vCenter, select VMware vCenter SOAP API from the Miscellaneous drop-down menu at the top as shown below.

[Screenshot: New Policy / Advanced Scan, Credentials > Miscellaneous (ADSI, IBM iSeries, Palo Alto Networks PAN-OS, RHEV
version of the dynamic link library (.dll) on the remote host, which is considerably more accurate.

Configuring a Local Account

To configure a stand-alone Windows server with credentials to be used that is not part of a domain, simply create a unique account as an administrator.

Make sure that the configuration of this account is not set with a typical default of Guest only (local users authenticate as guest). Instead, switch this to Classic (local users authenticate as themselves).

To configure the server to allow logins from a domain account, the Classic security model should be invoked. To do this, follow these steps:
1. Open Group Policy by clicking on start, click Run, type gpedit.msc and then click OK.
2. Select Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
3. From the list of policies, open Network access: Sharing and security model for local accounts.
4. In this dialog, select Classic - local users authenticate as themselves and click OK to save this.

This will cause users local to the domain to authenticate as themselves, even though they are actually not really physically local on the particular server. Without doing this, all r
Tenable Network Security
Nessus Credentialed Checks
November 24, 2014 (Revision 38)

Table of Contents
Introduction (p. 4)
Standards and Conventions (p. 4)
Overview of Nessus Credentialed Checks (p. 4)
Access Level (p. 5)
Technologies Used (p. 5)
Unix Systems and Network Devices (p. 5)
Username and Password (p. 5)
Kerberos (p. 6)
Windows Systems (p. 6)
NTLM and NTLMv2 (p. 6)
SMB Signing (p. 6)
SPNEGO (p. 6)
Kerberos (p. 7)
NTLMS
SP (NT Lan Manager Security Support Provider) and LMv2 (p. 7)
Windows Usernames, Passwords and Domains (p. 7)
VMware ESXi and vCenter (p. 7)
Credentialed Checks on Unix-Based Platforms (p. 7)
Prerequisites (p. 7)
Configuration Requirements for SSH (p. 7)
User Privileges (p. 8)
Configuration Requirements for Kerberos (p. 8)
Enabling SSH Local Security Checks on Unix (p. 8)
Generating SSH Public and Private Keys (p. 8)
Creating a User Account and Setting up the SSH Key (p. 8)
Enabling SSH Local Security Checks on Network Devices
Enabling SSH Local Security Checks on Network Devices

In addition to using SSH for local security checks, Nessus also supports local security checks on various network devices. Those network devices currently include Cisco IOS devices, F5 Networks devices, Huawei devices, Junos devices and Palo Alto Networks devices.

Network devices that support SSH require both a username and password. Currently, Nessus does not support any other forms of authentication to network devices. See your appropriate network device manual for configuring SSH support.

Configuring Nessus for SSH Host-Based Checks

Nessus User Interface

If you have not already done so, secure copy the private and public key files to the system that you will use to access the Nessus scanner.

[Screenshot: Nessus login page at https://localhost:8834/nessus6.html]

Open a web browser and connect to the Nessus scanner user interface as seen above, and click on the Policies tab. Create a new policy or edit an existing policy and select the Credentials menu on the top. Select SSH from the Host drop-down menu at the top as shown below.
against Windows security to elicit hashes from computers for re-use in attacking servers. SMB Signing adds a layer of security to prevent these man-in-the-middle attacks.

For Further Information

Tenable has produced a variety of documents detailing Nessus installation, deployment, configuration, user operation and overall testing. These are listed here:
• Nessus 6.1 Installation and Configuration Guide: step by step walk through of installation and configuration
• Nessus 6.1 User Guide: how to configure and operate the Nessus User Interface
• Nessus Enterprise 6.1 User Guide: how to configure and operate the Nessus User Interface for Nessus Enterprise
• Nessus Enterprise Cloud User Guide: describes use of Nessus Enterprise Cloud and includes subscription and activation, vulnerability scanning, compliance reporting and Nessus Enterprise Cloud support
• Nessus v6 Command Line Reference: describes the command line tools of Nessus
• Nessus Credentialed Checks for Unix and Windows: information on how to perform authenticated network scans with the Nessus vulnerability scanner
• Nessus Compliance Checks: high-level guide to understanding and running compliance checks using Nessus and SecurityCenter
• Nessus Compliance Checks Reference: comprehensive guide
Make sure to use the IP address of the system that the trust relationship is configured with, as well as the user account (in this case, user nessus). If the command succeeds, you will see the results of the id command as if it were run on your remote system.

On Unix audits, the ssh_get_info.nasl script will report if the authentication was successful. If SSH logins are not working, you can increase the report_verbosity setting of your Nessus scan to Verbose. This will show any error or diagnostic messages while this particular script is running.

For Windows audits, the smb_login.nasl and smb_registry_access.nasl scripts indicate if the login and password provided during the scan worked and if it was possible to read the remote registry. The smb_registry_full_access.nasl script warns only if it was not possible to fully read the registry. Looking at the results of host-based checks for audits of a Windows server will show how the credentials worked. In addition, the hostlevel_check_failed.nasl script detects if either SSH or Windows credentials did not allow the scan to log into the remote host.

Q. How do we know if the local scan is not working?
A. On Windows systems, login failure events will be generated at the server. If a domain controller is in use, the login failure events will be located there as well. On Unix systems, login failures will be present in the syst
Sarbanes-Oxley (SOX), Gramm-Leach-Bliley (GLBA), or HIPAA. Organizations that accept credit card information must demonstrate compliance with the Payment Card Industry Data Security Standards (PCI DSS). There have been quite a few well-publicized cases where the credit card information for millions of customers was breached. This represents a significant financial loss to the banks responsible for covering the payments and heavy fines or loss of credit card acceptance capabilities by the breached merchant or processor.

Access Level

Credentialed scans can perform any operation that a local user can perform. The level of scanning is dependent on the privileges granted to the user account that Nessus is configured to use.

Non-privileged users with local access on Unix systems can determine basic security issues, such as patch levels or entries in the /etc/passwd file. For more comprehensive information, such as system configuration data or file permissions across the entire system, an account with root privileges is required.

Credentialed scans on Windows systems require that a full administrator level account be used. Several bulletins and software updates by Microsoft have made reading the registry to determine software patch level unreliable without administrator privileges, but not all of them. Nessus plugins will check that the provided credentials have full administrative access to ensure they execute properly. For example, full administrative acc
dsa key pair.
Enter file in which to save the key (/home/test/.ssh/id_dsa): /home/test/Nessus/ssh_key
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/test/Nessus/ssh_key.
Your public key has been saved in /home/test/Nessus/ssh_key.pub.
The key fingerprint is:
06:4a:fd:76:ee:0f:d4:e6:4b:74:84:9a:99:e6:12:ea

Do not transfer the private key to any system other than the one running the Nessus server. When ssh-keygen asks you for a passphrase, enter a strong passphrase or hit the Return key twice (i.e., do not set any passphrase). If a passphrase is specified, it must be specified in the Policies > Credentials > SSH settings options in order for Nessus to use key based authentication.

Nessus Windows users may wish to copy both keys to the main Nessus application directory on the system running Nessus (C:\Program Files\Tenable\Nessus by default), and then copy the public key to the target systems as needed. This makes it easier to manage the public and private key files.

Creating a User Account and Setting up the SSH Key

On every target system to be scanned using local security checks, create a new user account dedicated to Nessus. This user account must have exactly the same name on all systems. For this document, we will call the user nessus, but you can use any name.
e the ability to run any command on the system. On Unix systems, this is known as root privileges. While it is possible to run some checks (such as patch levels) with non-privileged access, full compliance checks that audit system configuration and file permissions require root access. For this reason, it is strongly recommended that SSH keys be used instead of credentials when possible.

Configuration Requirements for Kerberos

If Kerberos is used, sshd must be configured with Kerberos support to verify the ticket with the KDC. Reverse DNS lookups must be properly configured for this to work. The Kerberos interaction method must be gssapi-with-mic.

Enabling SSH Local Security Checks on Unix

This section is intended to provide a high-level procedure for enabling SSH between the systems involved in the Nessus credentialed checks. It is not intended to be an in-depth tutorial on SSH. It is assumed the reader has the prerequisite knowledge of Unix system commands.

Generating SSH Public and Private Keys

The first step is to generate a private/public key pair for the Nessus scanner to use. This key pair can be generated from any of your Unix systems, using any user account. However, it is important that the keys be owned by the defined Nessus user.

To generate the key pair, use ssh-keygen and save the key in a safe place. In the following example the keys are generated on a Red Hat ES 3 installation.

ssh-keygen -t dsa
Generating public/private
e the password will be stolen, because the password itself is tunneled over the SSH connection. Once the remote server is owned, the attacker can replace the SSH daemon with their own, which will log the passwords of incoming connections.

Secure Windows Audits

If the option Only use NTLMv2 is disabled, then it is theoretically possible to trick Nessus into attempting to log into a Windows server with domain credentials via the NTLM version 1 protocol. This provides the remote attacker with the ability to use a hash obtained from Nessus. This hash can be potentially cracked to reveal a username or password. It may also be used to directly log into other servers. Force Nessus to use NTLMv2 by enabling the Only use NTLMv2 setting at scan time. This prevents a hostile Windows server from using NTLM and receiving a hash.

NTLMv2 can make use of SMB Signing. Ensure that SMB Signing is enabled on all of your Windows servers to prevent any server that obtains a hash from a Nessus scan from reusing it. In addition, make sure you enforce a policy that mandates the use of strong passwords that cannot be easily broken via dictionary attacks from tools like John the Ripper and L0phtCrack.

Note that there have been many different types of attacks
system logs, such as /var/log/messages, unless a remote Kerberos controller is in use. In addition, the hostlevel_check_failed.nasl script detects if either SSH or Windows credentials did not allow the scan to log into the remote host.

Q. What else can go wrong with my host checks?
A. There are many things that can block access. Some to consider include:
• Network firewalls that filter port 22 for SSH on Unix or port 445 for Windows
• Host-based firewalls that block connections to the mentioned ports
• On Unix systems, administrators that move SSH to ports other than 22
• Some host and network intrusion prevention systems prevent remote access
• The machine you are scanning is not a Unix or Windows server and could be a printer, router, fax machine or video display device

Q. I am testing SSH connections from the shell prompt of scan target hosts to the Nessus system to ensure proper connectivity. I find it experiences a delay as it connects. Why?
A. This is most likely because the system is performing a DNS lookup when DNS is misconfigured. If your site uses DNS, contact your DNS administrator to address configuration issues. Some issues that could cause problems include missing reverse lookup zones. To test DNS lookups, perform the following:

host IP_ADDR_OF_NESSUS_SERVER

If you have dig installed, you can also check with
remote users, even real users in the domain, will actually authenticate as a Guest and will likely not have enough credentials to perform a remote audit.

Note that the gpedit.msc tool is not available on some versions, such as Windows 7 Home, which is not supported by Tenable.

Configuring a Domain Account for Authenticated Scanning

To create a domain account for remote host-based auditing of a Windows server, the server must first be Windows Server 2008, Server 2008 R2, Server 2012, Server 2012 R2, Windows 7 or Windows 8, and be part of a domain.

There are five general steps that should be performed to facilitate this scanning while keeping security in mind.

Step 1: Creating a Security Group

First, create a security group called Nessus Local Access.
• Log onto a Domain Controller, open Active Directory Users and Computers.
• Create a security Group: from the Menu select Action > New > Group.
• Name the group Nessus Local Access. Make sure it has a Scope of Global and a Type of Security.
• Add the account you will use to perform Nessus Windows Authenticated Scans to the Nessus Local Access group.

Step 2: Create Group Policy

Next, you need to create a group policy called Local Admin GPO.
• Open the Group Policy Management Console.
• Right click on Group Policy Objects and select New.
• Type the name of the policy: Nessus Scan GPO.

Step 3: Configure the policy to add the Nessus Local Access group as Administrators
Windows Management Instrumentation (WMI) from the drop-down list. Click on Next.
• Select the checkboxes for Windows Management Instrumentation (ASync-In), Windows Management Instrumentation (WMI-In) and Windows Management Instrumentation (DCOM-In).
• Click on Next.
• Click on Finish.

Note: You can later edit the predefined rule created and limit the connection to the ports by IP Address and Domain User so as to reduce any risk for abuse of WMI.

Linking GPO

In the Group Policy Management Console, right click on the domain or the OU and select Link an Existing GPO. Select the Nessus Scan GPO.

Configuring Windows 2008, Vista and 7

When performing authenticated scans against Windows 2008, Vista or 7 systems, there are several configuration options that must be enabled:
1. Under Windows Firewall > Windows Firewall Settings, File and Printer Sharing must be enabled.
2. Using the gpedit.msc tool (via the Run prompt), invoke the Group Policy Object Editor. Navigate to Local Computer Policy > Administrative Templates > Network > Network Connections > Windows Firewall > Standard Profile > Windows Firewall: Allow inbound file and printer exception, and enable it.
3. While in the Group Policy Object Editor, navigate to Local Computer Policy > Admin
access is required to perform direct reading of the file system. This allows Nessus to attach to a computer and perform direct file analysis to determine the true patch level of the systems being evaluated. One audit for SCAP compliance requires sending an executable to the remote host.

For systems that run security software (e.g., McAfee Host Intrusion Prevention), it may block or quarantine the executable required for auditing. For those systems, an exception must be made for either the host or the executable sent.

Please note that Nessus will open several concurrent authenticated connections to carry out credentialed auditing to ensure it is done in a timely fashion. Ensure that the host being audited does not have a strict account lockout policy based on concurrent sessions.

Technologies Used

The challenge in running a credentialed scan is to automatically provide the privileged credentials to the scanner in a secure manner. It would certainly defeat the purpose of scanning for security exposures if doing so would open an even greater exposure. Nessus supports the use of several secure methods to solve this problem on a variety of platforms.

Unix Systems and Network Devices

On Unix systems and supported network devices, Nessus uses Secure Shell (SSH) protocol version 2 based programs (e.g., OpenSSH, Solaris SSH, etc.) for host-based checks. This mechanism encrypts the data in transit to protect it from being viewed by sniffer programs. Ne
istrative Templates > Network > Network Connections > "Prohibit use of Internet connection firewall on your DNS domain" and ensure it is set to either Disabled or Not Configured.
4. The Remote Registry service must be enabled (it is disabled by default). It can be enabled manually for continuing audits, either by an administrator or by Nessus. Using plugin IDs 42897 and 42898, Nessus can enable the service just for the duration of the scan.

Nessus has the ability to enable and disable the Remote Registry service. For this to work, the target must have the Remote Registry service set to Manual and not Disabled.

Windows User Account Control (UAC) can be disabled alternatively, but that is not recommended. To turn off UAC completely, open the Control Panel, select User Accounts and then set "Turn User Account Control" to off. Alternatively, you can add a new registry key named LocalAccountTokenFilterPolicy and set its value to 1. This key must be created in the registry at the following location:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy

For more information on this registry setting, consult the MSDN 766945 KB. In Windows 7 and 8, if UAC is disabled, then EnableLUA must be set to 0 in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System as well.
ity to identify their biggest threats and enable them to respond quickly. For more information, please visit tenable.com.
missions.

Example: From the system containing the keys, secure copy the public key to the system that will be scanned for host checks, as shown below. 192.1.1.44 is an example remote system that will be tested with the host-based checks.

# scp ssh_key.pub root@192.1.1.44:/home/nessus/.ssh/authorized_keys

You can also copy the file from the system on which Nessus is installed using the secure FTP command, sftp. Note that the file on the target system must be named "authorized_keys".

Return to the System Housing the Public Key

Set the permissions on both the /home/nessus/.ssh directory as well as the authorized_keys file:

# chown -R nessus:nessus ~nessus/.ssh
# chmod 0600 ~nessus/.ssh/authorized_keys
# chmod 0700 ~nessus/.ssh

Repeat this process on all systems that will be tested for SSH checks (starting at "Creating a User Account and Setting up the SSH Key" above).

Test to make sure that the accounts and networks are configured correctly. Using the simple Unix command id, from the Nessus scanner run the following command:

# ssh -i /home/test/nessus/ssh_key nessus@192.1.1.44 id
uid=252(nessus) gid=250(tns) groups=250(tns)

If it successfully returns information about the nessus user, the key exchange was successful. En
nix hosts and the private keys are installed under SecurityCenter, a trust relationship is created such that a user can log into each of the hosts from the Nessus scanners. If the security of the Nessus scanners is compromised, new SSH public/private key pairs must be produced.

Credentialed Checks on Windows Platforms

Prerequisites

User Privileges

A very common mistake is to create a local account that does not have enough privileges to log on remotely and do anything useful. By default, Windows will assign new local accounts Guest privileges if they are logged into remotely. This prevents remote vulnerability audits from succeeding. Another common mistake is to increase the amount of access that the Guest users obtain. This reduces the security of your Windows server.

Enabling Windows Logins for Local and Remote Audits

The most important aspect about Windows credentials is that the account used to perform the checks should have privileges to access all required files and registry entries, and in many cases this means administrative privileges. If Nessus is not provided the credentials for an administrative account, at best it can be used to perform registry checks for the patches. While this is still a valid method to determine if a patch is installed, it is incompatible with some third-party patch management tools that may neglect to set the key in the policy. If Nessus has administrative privileges, then it will actually check the
o username or password (to test null sessions)

VMware ESXi and vCenter

Nessus supports native SOAP API authentication methods for VMware ESXi, which is a server that supports hypervisors. Additionally, Nessus supports local security checks for VMware vCenter, which is a management server for ESXi.

Credentialed Checks on Unix-Based Platforms

The process described in this section enables you to perform local security checks on Unix-based systems (e.g., Linux, Solaris, Mac OS X). The SSH daemon used in this example is OpenSSH. If you have a commercial variant of SSH, your procedure may be slightly different.

To enable local security checks, there are two basic methods that can be used:
1. Use of a SSH private/public key pair
2. User credentials and sudo access, or credentials for su access

Prerequisites

Configuration Requirements for SSH

Nessus 5 supports the blowfish-cbc, aes-xxx-cbc (aes128, aes192 and aes256), 3des-cbc and aes-ctr algorithms.

Some commercial variants of SSH do not have support for the blowfish algorithm, possibly for export reasons. It is also possible to configure an SSH server to only accept certain types of encryption. Check your SSH server to ensure the correct algorithm is supported.

User Privileges

For maximum effectiveness, the SSH user must hav
old font, such as gunzip, httpd and /etc/passwd. Command line options and keywords are also indicated with the courier bold font. Command line examples may or may not include the command line prompt and output text from the results of the command. Command line examples will display the command being run in courier bold to indicate what the user typed, while the sample output generated by the system will be indicated in courier (not bold). Following is an example running of the Unix pwd command:

# pwd
/home/test

Important notes and considerations are highlighted with this symbol and grey text boxes.

Tips, examples and best practices are highlighted with this symbol and white on blue text.

Overview of Nessus Credentialed Checks

Tenable's Nessus scanner is a very effective network vulnerability scanner with a comprehensive database of plugins that check for a large variety of vulnerabilities that could be remotely exploited. In addition to remote scanning, the Nessus scanner can also be used to scan for local exposures.

Purpose

External network vulnerability scanning is useful to obtain a snapshot in time of the network services offered and the vulnerabilities they may contain. However, it is only an external perspective. It is important to determine what local services are running and to identify security exposures
ou must configure a Nessus scanner to authenticate to a KDC. Select Kerberos from the drop-down menu as shown below.

[Screenshot: SSH credential settings with Username "myuseraccount", Authentication method "Kerberos", Password, Key Distribution Center (KDC), KDC Port 88, KDC Transport, Elevate privileges with "Nothing", and Global Settings: known_hosts file (Add File), Preferred port 22, Client version OpenSSH_5.0]

The default KDC port is 88 and the default transport protocol is udp. The other value for transport is tcp. Last, the Kerberos Realm name and IP address of the KDC are required. At this point, click on Save at the bottom of the window and the configuration will be complete. The new scan policy will be added to the list of managed scan policies.

Using SSH Credentials with the Tenable SecurityCenter

SSH credentials are used to obtain local information from remote Linux, Unix, Cisco IOS and other systems using SSH for connectivity, for patch auditing or compliance checks. The following is an example of the Add Credential screen when creating a SSH credential, which i
r Real-Time Compliance Monitoring outlines how Tenable's solutions can be used to assist in meeting many different types of government and financial regulations.
Tenable Products Plugin Families provides a description and summary of the plugin families for Nessus, Log Correlation Engine and the Passive Vulnerability Scanner.
SecurityCenter Administration Guide

Other online resources are listed below:
Nessus Discussions Forum: https://discussions.nessus.org
Tenable Blog: http://www.tenable.com/blog
Tenable Podcast: http://www.tenable.com/podcast
Example Use Videos: http://www.youtube.com/user/tenablesecurity
Tenable Twitter Feed: http://twitter.com/tenablesecurity

Please feel free to contact Tenable at support@tenable.com, sales@tenable.com, or visit our website at http://www.tenable.com.

About Tenable Network Security

Tenable Network Security provides continuous network monitoring to identify vulnerabilities, reduce risk and ensure compliance. Our family of products includes SecurityCenter Continuous View, which provides the most comprehensive and integrated view of network health, and Nessus, the global standard in detecting and assessing network data. Tenable is relied upon by more than 24,000 organizations, including the entire U.S. Department of Defense and many of the world's largest companies and governments. We offer customers peace of mind thanks to the largest install base, the best expertise and the abil
rotocol. In symmetric encryption, the key used to encrypt the data is the same as the key used to decrypt the data. Organizations deploy a KDC (Key Distribution Center) that contains all users and services that require Kerberos authentication. Users authenticate to Kerberos by requesting a TGT (Ticket Granting Ticket). Once a user is granted a TGT, it can be used to request service tickets from the KDC to be able to utilize other Kerberos-based services. Kerberos uses the CBC (Cipher Block Chain) DES encryption protocol to encrypt all communications.

The Nessus implementation of Kerberos authentication for SSH supports the aes-cbc and aes-ctr encryption algorithms. An overview of how Nessus interacts with Kerberos is as follows:
- End user gives the IP of the KDC
- nessusd asks sshd if it supports Kerberos authentication
- sshd says yes
- nessusd requests a Kerberos TGT along with login and password
- Kerberos sends a ticket back to nessusd
- nessusd gives the ticket to sshd
- nessusd is logged in

Windows Systems

Nessus supports several different types of authentication methods for Windows-based systems. Each of these methods takes a username, password and domain name (sometimes optional) for authentication.

LANMAN

The Lanman authentication method was prevalent on Windows NT and early Windows 2000 server deployments. It is not really used on newer Windows deployments, but is retained for backwards compatibility.

NTLM and NTLMv2
Once the account is created for the user, make sure that the account has no valid password set. On Linux systems, new user accounts are locked by default, unless an initial password was explicitly set. If you are using an account where a password had been set, use the passwd -l command to lock the account.

You must also create the directory under this new account's home directory to hold the public key. For this exercise, the directory will be /home/nessus/.ssh. An example for Linux systems is provided below:

# passwd -l nessus
# cd /home/nessus
# mkdir .ssh

For Solaris 10 systems, Sun has enhanced the passwd -l command to distinguish between locked and non-login accounts. This is to ensure that a user account that has been locked may not be used to execute commands (e.g., cron jobs). Non-login accounts are used only to execute commands and do not support an interactive login session. These accounts have the "NP" token in the password field of /etc/shadow. To set a non-login account and create the SSH public key directory in Solaris 10, run the following commands:

# passwd -N nessus
# grep nessus /etc/shadow
nessus:NP:13579::::::
# cd /export/home/nessus
# mkdir .ssh

Now that the user account is created, you must transfer the key to the system, place it in the appropriate directory and set the correct per
[Screenshot: SSH credential settings with Username (required), Authentication method "public key", Private key (required, Add File; only RSA and DSA OpenSSH keys are supported), Private key passphrase, Elevate privileges with "Nothing", and Global Settings: known_hosts file (Add File), Preferred port 22, Client version OpenSSH_5.0]

For the item "SSH user name", enter the name of the account that is dedicated to Nessus on each of the scan target systems. It is set to "root" by default. If you are using a password for SSH, enter it in the password box. If you are using SSH keys instead of a password (recommended), select "public key" from the "Authentication method" drop-down. For the item "Private key", click on the "Add file" button and locate the private key file that is associated with the public key above on the local system. If you are using a passphrase for the SSH key (optional), enter it in the box labeled "Private key passphrase".

Nessus and SecurityCenter users can additionally invoke su, sudo, su+sudo, Cisco 'enable', .k5login, dzdo and pbrun with the "Elevate privileges with" field and a separate password.
s selected from the Type drop-down. There is a field for entering the SSH user name for the account that will perform the checks on the target system, along with either the SSH password or the SSH public key and private key pair. The SSH key is selected using the Browse button next to the field. There is also a field for entering the Passphrase for the SSH key if it is required. In case of invalid or expired SSH keys, use the Clear button to remove the current SSH keys (available when a key is in use). Select the appropriate Privilege Escalation method as needed.

[Screenshot: SecurityCenter Add Credential screen with Type "SSH" and the fields Description, Username, Password, Public Key, Private Key, Passphrase and Privilege Escalation]

Various SSH credential sets may be created for selection in SecurityCenter scans. SSH credential sets may be shared by Organizations, groups, users, or designated for use by a single user. When creating scans, one SSH credential set may be assigned as needed. SecurityCenter ships with several pre-defined vulnerability policies that have all of the local checks enabled for each individual OS. The SSH public/private key pairs are managed by SecurityCenter and will be passed to each managed Nessus scanner. Once these SSH public keys are configured for use on the desired U
About Tenable Network Security

Introduction

This paper describes how to perform authenticated network scans with Tenable Network Security's Nessus vulnerability scanner. Authenticated network scans allow a remote network audit to obtain host-based data such as missing patches and operating system settings. Please email any comments and suggestions to support@tenable.com.

Nessus leverages the ability to log into remote Unix hosts via Secure Shell (SSH). For Windows hosts, Nessus leverages a variety of Microsoft authentication technologies. Note that Nessus also uses the Simple Network Management Protocol (SNMP) to make version and information queries to routers and switches. Although this is a form of local checks, it is not covered in this document. This document also makes extensive references to Nessus, but the basic concepts are also true for Tenable's SecurityCenter.

Standards and Conventions

Throughout the documentation, filenames, daemons and executables are indicated with a courier b
ssus supports three types of authentication methods for use with SSH: username and password, public/private keys, and Kerberos.

Username and Password

Although supported, Tenable does not recommend using a username and password for authentication with SSH. Static passwords are subject to man-in-the-middle and brute force attacks when they have been in use over a long period of time. For supported network devices, Nessus will only support the network device's username and password for SSH connections.

Public/Private Keys

Public Key Encryption, also referred to as asymmetric key encryption, provides a more secure authentication mechanism by the use of a public and private key pair. In asymmetric cryptography, the public key is used to encrypt data and the private key is used to decrypt it. The use of public and private keys is a more secure and flexible method for SSH authentication. Nessus supports both DSA and RSA key formats.

Digital Certificates

Like Public Key Encryption, Nessus supports RSA and DSA OpenSSH certificates. Nessus also requires the user certificate, which is signed by a Certificate Authority (CA), and the user's private key.

Kerberos

Kerberos, developed by MIT's Project Athena, is a client-server application that uses a symmetric key encryption p
# dig -x IP_ADDR_OF_NESSUS_SERVER

If your site does not use DNS, the following steps will bypass the attempt to perform DNS lookups:

1. Edit the /etc/nsswitch.conf file so that the hosts line reads: hosts: files
   Note: This may not be applicable to all OpenSSH releases.
2. Add the IP/name of the server running Nessus to the system's /etc/hosts file.
3. Configure the remote OpenSSH server to not perform DNS lookups on a host by setting both "UseDNS no" in the sshd_config file (for release 3.8 the default value is yes) and "VerifyReverseMapping no".

Securing Your Scanner

Why should I secure my scanner?

If you configure a Nessus scanner to use credentials to log into a Unix or Windows server, your system will have credentials that could be leveraged by a malicious user. To prevent this, you must not only practice good security for the operating system your scanner is running on, but you must also be aware how an adversary can trick the scanner into disclosing security information.

What does it mean to lock down a scanner?

The ideal Nessus scanner would be driven entirely from a system console and not accept any network connections from any remote host. Such a system will be physically secured such that only authorized people are allowed access to it. This server could further be restricted with an external firewall or switch that only allows it to scan specific net
[Screenshot: Windows credential Global Settings: Never send credentials in the clear, Do not use NTLMv1 authentication, Start the Remote Registry service during the scan, Enable administrative shares during the scan]

The Windows Kerberos options are similar to those in the SSH Kerberos section.

[Screenshot: Windows credential settings with Username, Authentication method "Kerberos", Password, Key Distribution Center (KDC), KDC Port 88, KDC Transport tcp, Domain, and Global Settings: Never send credentials in the clear, Do not use NTLMv1 authentication, Start the Remote Registry service during the scan, Enable administrative shares during the scan]

At this point, click on Save at the bottom of the window and the configuration will be complete. The new scan policy will be added to the list of managed scan policies.

Configuring Nessus for VMware ESXi and vCenter Local Security Checks

[Screenshot: Nessus User Interface at https://localhost:8834/nessus6.html]

Open a web browser and connect to the Nessus scanner user interface as seen above, and click the Policies tab. Create a new
t be provided.

NTLMSSP (NT Lan Manager Security Support Provider) and LMv2

If an extended security scheme (such as Kerberos or SPNEGO) is not supported or fails, Nessus will attempt to log in via NTLMSSP/LMv2 authentication. If that fails, Nessus will then attempt to log in using NTLM authentication.

Windows Usernames, Passwords and Domains

The SMB domain field is optional and Nessus will be able to log on with domain credentials without this field. The username, password and optional domain refer to an account that the target machine is aware of. For example, given a username of "joesmith" and a password of "my4x4mp13", a Windows server first looks for this username in the local system's list of users, and then determines if it is part of a domain.

The actual domain name is only required if an account name is different on the domain from that on the computer. It is entirely possible to have an "Administrator" account on a Windows server and within the domain. In this case, to log onto the local server, the username of "Administrator" is used with the password of that account. To log onto the domain, the "Administrator" username would also be used, but with the domain password and the name of the domain.

Regardless of credentials used, Nessus always attempts to log into a Windows server with the following combinations:
- Administrator without a password
- A random username and password to test Guest accounts
- N
to Nessus Compliance Check syntax.
Nessus v2 File Format describes the structure for the .nessus file format, which was introduced with Nessus 3.2 and NessusClient 3.2.
Nessus 5.0 REST Protocol Specification describes the REST protocol and interface in Nessus.
Nessus and Antivirus outlines how several popular security software packages interact with Nessus, and provides tips or workarounds to allow the software to better co-exist without compromising your security or hindering your vulnerability scanning efforts.
Nessus and Mobile Device Scanning describes how Nessus integrates with Microsoft Active Directory and mobile device management servers to identify mobile devices in use on the network.
Nessus and Scanning Virtual Machines describes how Tenable Network Security's Nessus vulnerability scanner can be used to audit the configuration of virtual platforms as well as the software that is running on them.
Strategic Anti-malware Monitoring with Nessus, PVS and LCE describes how Tenable's USM platform can detect a variety of malicious software and identify and determine the extent of malware infections.
Patch Management Integration document describes how Nessus and SecurityCenter can leverage credentials on the Red Hat Network Satellite, IBM TEM, Dell KACE 1000, and Microsoft WSUS and SCCM patch management systems to perform patch auditing on systems for which credentials may not be available to the Nessus scanne
works. Do not install personal firewall software directly on the Nessus scanner system. Remember that Nessus can be configured to only scan specific networks. This type of scanner is not that useful.

Consider allowing remote network access to the server. Nessus supports HTTP connections to port 8834 by default. A system firewall can be configured to only accept connections on port 8834 from valid Nessus clients. If the box is to be administrated or operated remotely, secure remote access can also be used. On Unix, the Secure Shell (SSH) protocol can be used. Keep the SSH daemon up to date, use strong passwords and/or use stronger authentication techniques. On Windows servers, remote Terminal Services can be used to provide command and control over the services for Nessus Windows. In both cases, keep the system up to date and do not run unneeded network services. Please refer to the Center for Internet Security (CIS) benchmarks for guidance on hardening systems.

Secure Implementation of Unix SSH Audits

Never use SSH passwords to perform remote scans. If you are scanning a network, then all an adversary or malicious user would need to do is run a modified SSH daemon and record the attempted username and password. Even if you are using a unique username and password combination for each host, the use of static passwords is still vulnerable to exploitation. If you log in to a server using a password in a system that has been compromised, there's a chanc