Tenable Blog

XSLT Reporting

A new feature in Nessus 4 is the ability to use XSLT stylesheets to create custom reports. The stylesheets read the .nessus XML file and allow you to create a number of different report styles, such as HTML and CSV, as well as extract or sort specific data from the scan results. Nessus 4 comes with several built-in stylesheets that can sort results and display a report based on several criteria, including:

• Sort By CVE
• Sort By IP Address
• Sort By Port
• Sort By Vulnerability

You can use this feature in conjunction with the report filtering to more easily create custom reports.

Nessus Scanning Through Firewalls

A number of factors can inhibit a successful Nessus scan: busy systems, congested networks, hosts with large amounts of listening services and legacy systems with poor performance all contribute to scan failure(s). However, firewalls (or other types of filtering devices) are one of the major causes of slow or inaccurate scans. Firewalls are essential for an organization’s perimeter protection and internal network segregation. Host-based firewalls are now common on both Linux and Windows systems. Scanners can be placed on network segments behind a firewall to avoid these problems, but this may not be feasible in your network, create extra burden moving a scanner around and is ineffective against host-based firewalls. Even if you allow the scanner's IP address through the firewall, connection tracking and stateful inspection can interfere with the scan. There are two strategies for dealing with firewalls when using Nessus to perform internal or external vulnerability scans.

The Tenable research team has been steadily working on creating accurate checking for Conficker infected hosts. Over the weekend researchers Felix Leder and Tillmann Werner of the University at Bonn released details on how to detect Conficker using network-based checks. This checking methodology was used as a basis for Nessus plugin 36036 as well as the Nmap NSE script created for the same purpose.

Many of today's latest worms and viruses are using interesting methods to propagate across the network. For example, the Conficker.A / Downadup worm sets up a web server for victims to connect to and download a copy of the malware. What I find interesting about this method is that no matter what request is made to the HTTP server, it responds with a Microsoft executable file. Nessus detects such an HTTP server with plugin id 35322 "HTTP Backdoor Detection":

Getting In The Middle

Un-patched and out-of-date software is a common attack vector for penetration testers and attackers alike. Applications such as Adobe Reader and Microsoft Office are popular targets due to their widespread use on Windows systems and user’s willingness to click on just about anything. They both have the ability to perform self-updates, similar to the operating system, but limited to one particular software package. However, what happens when the software update process itself is insecure? Enter a program called "evilgrade", which exploits this process to install software of an attacker's choosing. For this attack to succeed, the victim machine must be the victim of a Man-In-The-Middle (MITM) attack.