August 2012 Archives

We're holding a fundraising event for Breast Cancer Research from 10 AM to 6PM EDT on Friday, August 31st. Our 300th Episode will feature a cornucopia of special guests, tech segments, and roundtable discussions!

Please visit the official Episode 300 web page for more information, including guests on our all-star line-up, technical segments and more! Episode 300 of PaulDotCom Security Weekly is a mini-con waiting for your virtual participation!

Sit back and enjoy the show live and participate in the live chat on our Ustream channel:

NOTE: The video will play the most recent show up until we are live!

Don't forget to follow us on Twitter: Paul Asadoorian, Larry Pesce, Jack Daniel, Carlos Perez, John Strand and Mike Perez.

The Right Way To Configure Nessus For Comparison


As most of you know, I work for Tenable Network Security, so my opinions about vulnerability scanners are biased (to say the least). However, the goal of this article is not to recommend or suggest which security software or solution you should purchase, nor to tell you which vulnerability scanner is better or worse than the next. The goal is to explain the proper way to configure Nessus when doing a comparison, and some things to take into consideration when evaluating vulnerability scanning products.

Comparisons (such as this one titled Nessus, OpenVAS and Nexpose VS Metasploitable) often garner a lot of attention, but lack some of the details required to offer a fair comparison. For example, many comparisons will use the built-in scan policies to scan just one host and compare the results with another tool's report. This really isn't a good test of the scanner's capabilities. For example, the "External Network Scan" policy used in Nessus during a recent comparison is tuned to scan multiple hosts exposed to the Internet, NOT one single host.

If you are going to scan just one host, or a small subset of hosts in a lab or pre-production systems, consider the following Nessus scan policy settings:

      • Safe Checks - Nessus tries its best not to cause any adverse effects on your systems and/or network. Therefore the "Safe Checks" option is selected by default when you create a scan and is enabled on all of the default scan policies. Safe Checks changes the behavior of several hundred or more plugins to "play nice". If you are scanning one, or even a few, non-production hosts in a lab environment, it's best to turn off Safe Checks.
      • Thorough Tests (slow) - Causes various plugins to "try harder" and dig deeper into the system to detect a vulnerability, expanding the scope of the search for said vulnerability. For example, when looking through SMB file shares, a plugin can analyze 3 levels deep instead of 1.
      • Experimental Scripts - Exactly what you would think it means: plugins that are considered "experimental" are enabled. Plugins also use this setting to enable certain functionality, but only when the user has selected this option.
      • Follow Dynamic Links - Tells Nessus to spider each web site it encounters, adding the entries to the knowledge base for other plugins to use to find more vulnerabilities (especially the web application testing plugins).
      • Report Paranoia - When set to "Paranoid", Nessus adds results to the report that have a higher risk of being false positives. By default this is set to normal to avoid generating potential false positives.
      • Test SSL based services - When set to "All", every service is tested for SSL capabilities.
      • Credentials - When scanning just one host, it's very easy to add credentials. In the case of Metasploitable, it is based on Ubuntu, and Nessus has an entire plugin family for that distribution which will detect locally missing security patches.

To make things easier for folks, I've created a policy that you can download and import into Nessus called "Full Thorough Scan (slow)" which implements all of the above settings (and more). It carries the following warning:

"Please use this policy with caution. Consider this a scan with the safety set to "off". It may crash targets. It may contain false positives. The controls in place to regulate crashes and false positives have been disabled. It may take a long time to run. Do not run this against large numbers of hosts unless you have time. Consider this a policy to use in your lab when testing a host or two. You have been warned!"

I should also note that this is a policy I created on my own, and is not an official scan policy from Tenable. I used the above policy, configured the credentials for Metasploitable (msfadmin/msfadmin) and ran a Nessus scan. Some interesting results:

      • Using result filtering and displaying only exploitable vulnerabilities, I found 46
      • There are 14 vulnerabilities exploitable by CANVAS and associated exploit packs, 19 exploitable by Core IMPACT and 33 exploitable by Metasploit
      • Nessus did in fact find a vulnerable ProFTPD server running on port 2121 and the Unreal IRCd Backdoor
      • There are 166 vulnerabilities due to missing patches (A few of which are only exploitable by Core IMPACT and related to privilege escalation)
      • CANVAS is listed as having the only exploit for a Samba RPC Buffer Overflow (CVE-2012-1182)
      • The web application fuzzer in Nessus found a command execution vulnerability in Twiki (previously discovered, but seems to have never been assigned an official CVE entry)

I won't post my results here, as I want you as the user (or "evaluator") to go try it for yourself. I also suggest scanning something like Metasploitable (I used version 2.0, downloaded from here) using the options and techniques you typically use. Then try a scan with the policy provided and compare the results.
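When you do compare two runs, the filtering step above ("only exploitable vulnerabilities", broken down by exploit framework) is easy to do from the exported .nessus file rather than by hand in the UI. The script below is an added example written for this article, not Tenable code and not part of the downloadable policy. It assumes the .nessus v2 XML layout as I know it (ReportHost/ReportItem elements carrying exploit_available and exploit_framework_canvas / exploit_framework_core / exploit_framework_metasploit child tags) and runs against a small constructed report embedded inline; point load_and_summarize() at your own export to tally a real scan.

```python
"""Tally exploitable findings in a .nessus (v2) export, by exploit framework.

Added example for this article, not Tenable code. Assumes the .nessus v2
layout: ReportItem elements with exploit_available and exploit_framework_*
child tags. The sample report below is constructed, not real scan output.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample report: three findings on one lab host.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="lab-compare">
    <ReportHost name="192.0.2.10">
      <ReportItem port="2121" svc_name="ftp" protocol="tcp" severity="4"
                  pluginID="10001" pluginName="Example FTP overflow" pluginFamily="FTP">
        <exploit_available>true</exploit_available>
        <exploit_framework_metasploit>true</exploit_framework_metasploit>
        <exploit_framework_core>true</exploit_framework_core>
        <cve>CVE-0000-0001</cve>
      </ReportItem>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
                  pluginID="10002" pluginName="Example SMB overflow" pluginFamily="Misc.">
        <exploit_available>true</exploit_available>
        <exploit_framework_canvas>true</exploit_framework_canvas>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="2"
                  pluginID="10003" pluginName="Example missing patch"
                  pluginFamily="Ubuntu Local Security Checks">
        <exploit_available>false</exploit_available>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

# Child tags of ReportItem that name an exploit framework (assumed .nessus v2 names).
FRAMEWORK_TAGS = {
    "exploit_framework_canvas": "CANVAS",
    "exploit_framework_core": "Core IMPACT",
    "exploit_framework_metasploit": "Metasploit",
}


def _flag(item, tag):
    """True if the <tag> child of this ReportItem reads 'true' (case-insensitive)."""
    node = item.find(tag)
    return node is not None and (node.text or "").strip().lower() == "true"


def summarize(nessus_xml):
    """Return (exploitable_count, Counter of exploitable findings per framework,
    count of findings from a '... Local Security Checks' family, i.e. missing patches)."""
    root = ET.fromstring(nessus_xml)
    exploitable = 0
    by_framework = Counter()
    missing_patches = 0
    for item in root.iter("ReportItem"):
        if _flag(item, "exploit_available"):
            exploitable += 1
            for tag, name in FRAMEWORK_TAGS.items():
                if _flag(item, tag):
                    by_framework[name] += 1
        # Credentialed patch audits land in the per-distribution local checks families.
        if item.get("pluginFamily", "").endswith("Local Security Checks"):
            missing_patches += 1
    return exploitable, by_framework, missing_patches


def load_and_summarize(path):
    """Summarize a real .nessus export from disk."""
    with open(path, "rb") as fh:
        return summarize(fh.read())


if __name__ == "__main__":
    total, frameworks, patches = summarize(SAMPLE_NESSUS)
    print(f"exploitable findings: {total}")
    for name, count in sorted(frameworks.items()):
        print(f"  {name}: {count}")
    print(f"missing-patch findings: {patches}")
```

Run the same script over the export from each policy (and from each scanner, if its output can be mapped to the same fields) so the comparison is on identical criteria rather than on whatever each UI happens to show first.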

Another important aspect to consider (arguably the most important) is that comparing vulnerability scanners in this manner is greatly limited in scope. It does not test, or take into consideration, all of the other features offered by the various tools. These other features could really help you do your job and improve the security of your organization! For example, Nessus now integrates with patch management systems, detects hosts participating in a botnet, identifies malicious processes and collects vulnerability data on mobile devices. Make sure these features factor into your evaluation and/or comparison.

Hack Naked TV Episode 43


In this episode we mix together Chuck Norris and Tesla. We get... Awesome.


Links for this episode:


  • WOW Hack
  • Awesome Airport Hack
  • Tesla Rocks


Video Feeds:


Be sure not to miss the meat-related remarks, jokes and innuendos when Wade Alcorn of the Browser Exploitation Framework Project (BeEF) appears on Episode 299 of PaulDotCom Security Weekly. Come participate in our IRC channel or sit back and enjoy it live via our Ustream channel:

NOTE: The video will play the most recent show up until we are live!

For interactive live video, audio, and chat during each episode you can visit PaulDotCom Live!, just hang out in our IRC channel, or if you prefer, visit the Episode 299 show notes page.

Don't forget to follow us on Twitter: Paul Asadoorian, Larry Pesce, Jack Daniel, Carlos Perez, John Strand and Mike Perez.

Hack Naked TV Episode 42

In this episode we delve into the subtle issues of bronies, being a god on Linux and DropBox fail.


Links for this episode:


  • DropBox Hack
  • New Linux Privilege Escalation
  • New Windows Testing Tool


Video Feeds:


Blackhat, BSides & Defcon Round-up - Episode 297

Blackhat, BSides & Defcon Round-up:

Episode 297 Show Notes

Episode 297 (mp3)

Tune in to PaulDotCom Security Weekly TV, Hack Naked TV, and Hack Naked At Night episodes on our YouTube Channel or our Bliptv channel.

Pivot with Metasploit - Episode 297

Carlos Perez presents a tech segment on pivoting with Metasploit:

Episode 297 Show Notes

Episode 297 (mp3)

I stumbled upon something the other day that I think will be critical for most penetration testers. Chances are, you run many VMs which are responsible for carrying out a variety of tasks during a penetration test: Linux for attacking, Windows for reporting/attacking, etc., whatever. I use a Windows box to do my reporting because, let's face it, Office for Mac sucks and I have more Microsoft Office licenses than I know what to do with. Therefore, I eventually need to move all of the files and data from my many other VMs to an encrypted vault on my Windows VM for consolidation, screenshot editing, etc.



Last week I was finishing up a test and conducting some routine clean-up of my Windows reporting VM. As a part of my regular clean-up, I conducted a search for .DS_Store files on the Windows VM local disk. This helps me identify items transferred from my Mac that I may have missed. While I fully expected a few instances of the file to be found in the mounted, encrypted volume and maybe in a folder or two on the primary drive, what I saw alarmed me: several dozen instances of the .DS_Store file in various folders underneath c:\Users\[username]\AppData\Local\Temp\VMwareDnD\. In order for the .DS_Store file to be in that location, either my Mac must have somehow accessed the folder and left it behind, or it was copied there from my Mac by something else. When I investigated further, what I found was the worst case scenario: a cache of all the files I had copied from the host and other VMs to the Windows VM, in raw form and fully accessible. Ummm, WTF, right? Wait, don't check yours yet, just give me a second to finish.

While most computer users would say, "So what? Now I have an unintentional backup of my data." I say, "Crap, why is there client data sitting on my drive in an unencrypted form!?" The answer is, there shouldn't be. I think we can all understand why files would need to be cached to support the VMware Tools drag-and-drop feature, but why the persistence? Why not have the temporary files go to the bit bucket immediately following the copy process? Why are files several months old still there? What could possibly be the need? Unfortunately, I could not track down any official documentation of why the files persist. What I was able to find were several other examples of people experiencing the same issue. Apparently, according to the guy that wrote this, he had asked the question on the VMware Community forums and was told by a VMware technician that they are supposed to be removed upon reboot. (The forum thread link was dead, so I'm taking his word for it.) However, I found many instances where this was also not the case, and in testing, my files persisted across a reboot.

But even if the files did disappear on reboot, how often do we reboot our VMs? I can sometimes go weeks or months, pausing and unpausing, before an update forces me to reboot. So what's really going on here? Is this a bug? I don't know. But what I do know is that anytime I copy sensitive data to a VM, I clear out that folder to make sure I exercise due diligence in protecting my client's data. I recommend you do the same.

I realize that this may not be relevant to everyone. I'm sure some of you use alternative products. Encrypting your entire VM may reduce the risk shown here as well, depending on how it's implemented. But I can hear some of you saying, "Silly lanmaster, I use VMware, but I don't use Windows VMs. I'm an all Linux shop. This doesn't apply to me." Au contraire, mon frère. Take a look at /tmp/VMwareDnD... No VMware user is safe.
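The "clear out that folder" step above is worth scripting so it actually happens after every copy. What follows is an added example, not VMware's code and not the author's own clean-up routine. It assumes only the two cache locations named in this post (%LOCALAPPDATA%\Temp\VMwareDnD on Windows, /tmp/VMwareDnD on Linux), treats every file under them as a leftover copy, and includes a build_sample_cache() helper that creates a constructed cache directory so the audit can be exercised without touching a real one.

```python
"""Audit and clear the VMware Tools drag-and-drop cache described in this post.

Added example, not VMware's or the author's code. It assumes the cache
directories named in the post (%LOCALAPPDATA%\\Temp\\VMwareDnD on Windows,
/tmp/VMwareDnD on Linux) and treats every file under them as a leftover copy.
"""
import os
import shutil
import sys
import tempfile
import time
from pathlib import Path

DAY = 86400.0


def candidate_cache_dirs():
    """Drag-and-drop cache directories to check on this platform (paths from the post)."""
    if sys.platform.startswith("win"):
        local = os.environ.get("LOCALAPPDATA")
        return [Path(local) / "Temp" / "VMwareDnD"] if local else []
    return [Path("/tmp/VMwareDnD")]


def audit_cache(cache_dir, now=None):
    """Return leftover files under cache_dir as (path, size_bytes, age_days) tuples.

    A missing directory is the good case and yields an empty list.
    """
    now = time.time() if now is None else now
    cache_dir = Path(cache_dir)
    if not cache_dir.is_dir():
        return []
    leftovers = []
    for path in sorted(cache_dir.rglob("*")):
        if path.is_file():
            st = path.stat()
            leftovers.append((path, st.st_size, (now - st.st_mtime) / DAY))
    return leftovers


def purge_cache(cache_dir):
    """Delete everything under cache_dir (keeping the directory); return the file count.

    Deleting only unlinks the files, it does not overwrite the blocks on disk,
    which is why the post also points at encrypting the whole VM.
    """
    cache_dir = Path(cache_dir)
    if not cache_dir.is_dir():
        return 0
    removed = 0
    for entry in cache_dir.iterdir():
        if entry.is_dir() and not entry.is_symlink():
            removed += sum(1 for p in entry.rglob("*") if p.is_file())
            shutil.rmtree(entry)
        else:
            entry.unlink()  # plain file or symlink: remove the entry itself
            removed += 1
    return removed


def build_sample_cache(base_dir=None, now=None):
    """Create a constructed cache directory holding two fake leftover files.

    One file is backdated 30 days to mimic the months-old leftovers the post found.
    """
    now = time.time() if now is None else now
    base = Path(base_dir) if base_dir else Path(tempfile.mkdtemp(prefix="VMwareDnD-sample-"))
    (base / "sub").mkdir(parents=True, exist_ok=True)
    old_file = base / "sub" / "client-report.docx"
    old_file.write_bytes(b"constructed sample, not client data")
    os.utime(old_file, (now - 30 * DAY, now - 30 * DAY))
    (base / "screenshot.png").write_bytes(b"constructed sample image bytes")
    return base


if __name__ == "__main__":
    # Usage: python dnd_cache.py [DIR ...] [--purge]
    purge = "--purge" in sys.argv
    dirs = [Path(a) for a in sys.argv[1:] if a != "--purge"] or candidate_cache_dirs()
    for d in dirs:
        files = audit_cache(d)
        print(f"{d}: {len(files)} leftover file(s)")
        for path, size, age in files:
            print(f"  {path}  {size} bytes  {age:.1f} days old")
        if purge and files:
            print(f"  removed {purge_cache(d)} file(s)")
```

Run it without arguments to see what is sitting in the cache and how old it is; add --purge once you have confirmed nothing in the listing still needs to be moved to the encrypted vault. Because plain deletion leaves the data blocks recoverable until they are reused, the purge is a complement to encrypting the VM's disk, not a substitute for it.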



Hack Naked TV Episode 41

In this episode we figure out why John is in the middle of Alaska.

BTW, I know the video is not great. It is what I get when I have to do this in an airport after being in the woods for 5 days.

But I have to get away from Paul every once in a while… And he hates bears.

Links for this episode:

  • Australian ISP Leak
  • New Security Testing tool
  • This just in… People don't patch.

Video Feeds:

Still recovering from BlackHat and DefCon, the crew sober up to record Episode 298 of PaulDotCom Security Weekly with Kevin Finisterre, Senior Research Consultant with Accuvant. Come participate in our IRC channel or sit back and enjoy it live via our Ustream channel:

NOTE: The video will play the most recent show up until we are live!

For interactive live video, audio, and chat during each episode you can visit PaulDotCom Live!, just hang out in our IRC channel, or if you prefer, visit the Episode 298 show notes page.

Don't forget to follow us on Twitter: Paul Asadoorian, Larry Pesce, Jack Daniel, Carlos Perez, John Strand and Mike Perez.