[unisog] SUMMARY: Vulnerability Scanners

Rodrigues, Philip phil.rodrigues at uconn.edu
Fri Jan 30 01:44:35 GMT 2004


>What I would really like to do is to get a set of nessus plugins that
>     A. test for well known common problems
>     B. have low false +ve rates
>     C. are quick to run.
 
Lina Pezzella, my resident student scanning expert, uses these plugins in our regular, automated scans:
 
11835 - Microsoft RPC Interface Buffer Overrun (KB824146)
11890 - Buffer Overrun in Messenger Service (real test)
10673 - Microsoft's SQL Blank Password
10195 - Usable Remote Proxy
10483 - Unpassworded PostgreSQL
10343 - MySQLs accepts any password
10332 - Writeable FTP Directories
10481 - Unpassworded MySQL
10404 - SMB log in as users - checks for blank/same as user passwords

She goes on to say:
 
"Many of these plugins have dependencies, but a "result" hit on a dependency can be filtered when they are uploaded to a sql server.  Of course, once the results are in a sql database, all forms of web reports can be automatically generated.  Send everyone to http://hogwash.uits.uconn.edu/?page=/nessus.html for the extremely complete command-line nessus howto.  Sample config files are up there."

We trust 11835 and 11890 so much we are starting to automate network blocks based on their results, and will eventually use them to test for pre-network registration cleanliness.  I keep wanting to sum up our recent efforts on this front so maybe I will try to do that soon. :-)
 
Lina can be reached at security at uconn.edu.  I think we are generally happy to help with .edu Nessus scanning questions.
 
Phil

	-----Original Message----- 
	From: Russell Fulton [mailto:r.fulton at auckland.ac.nz] 
	Sent: Thu 1/29/2004 6:43 PM 
	To: unisog at sans.org 
	Cc: 
	Subject: Re: [unisog] SUMMARY: Vulnerability Scanners
	> I ignored people using nmap and specific exploits or specialized
	> scanners for specific vulnerabilities. However, this seems to be an
	> almost universal practice -- to some extent, it seems like people don't
	> totally trust the large scale tools to catch specific vulnerabilities
	> that are common as much as they trust single purpose tools.
	
	In my case it is a matter of time.  I can run a specific tool across our
	class B in an hour and get a report (usually one line per host or
	vulnerable host) which I can then process automatically so a faculty IT
	manager gets a single email listing all the machines in his area that
	need attention.
	
	In contrast we recently had a network audit done by an outside firm.
	They ran nessus over parts of our network infrastructure and presented
	us with about 30 pages of crap which alarmed our managers until I
	explained that nearly everything that was raised were issues that we
	knew about and had decided to live with.  This isn't a problem with
	nessus, just in the way it was used (abused?) but it highlights the
	problems with using generic scanners on large open networks without
	first doing a lot of work to narrow the scans down (or alternatively a
	lot of work afterwards sorting the wheat from the chaff).
	
	What I would really like to do is to get a set of nessus plugins that
	     A. test for well known common problems
	     B. have low false +ve rates
	     C. are quick to run.
	
	I would then be happy to run this over the whole network.
	
	Unfortunately I have never had the time to investigate this thoroughly
	:(
	
	
	Cheers, Russell
	
	
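The workflow both posters describe (run a trusted plugin set, drop the dependency hits, and produce one per-area list of machines needing attention) is illustrated here as an added example; it is not code from the post or from the UConn howto. It assumes the Nessus 2.x NBE export format (pipe-separated `results|subnet|host|port|plugin|severity|description` records), and every sample line is constructed.

```python
"""Reduce Nessus NBE output to the post's trusted plugin set, grouped by subnet.

Added example, not code from the post or UConn's howto. Assumes the Nessus
2.x NBE export format; all sample lines below are constructed.
"""
from collections import defaultdict

# Plugin IDs the post reports as reliable enough for automated scanning.
TRUSTED_PLUGINS = {
    "11835": "Microsoft RPC Interface Buffer Overrun (KB824146)",
    "11890": "Buffer Overrun in Messenger Service (real test)",
    "10673": "Microsoft's SQL Blank Password",
    "10195": "Usable Remote Proxy",
    "10483": "Unpassworded PostgreSQL",
    "10343": "MySQL accepts any password",
    "10332": "Writeable FTP Directories",
    "10481": "Unpassworded MySQL",
    "10404": "SMB log in as users (blank/same-as-user passwords)",
}

# Constructed NBE sample: three trusted hits, one dependency hit (the port
# probe the RPC check relies on) and one unrelated note that should drop out.
SAMPLE_NBE = """\
timestamps|||scan_start|Thu Jan 29 18:00:00 2004|
results|10.1.2|10.1.2.15|epmap (135/tcp)|11835|Security Hole|RPC DCOM overflow (KB824146)
results|10.1.2|10.1.2.15|epmap (135/tcp)|10335|Security Note|port is open
results|10.1.2|10.1.2.40|ms-sql-s (1433/tcp)|10673|Security Hole|sa account has blank password
results|10.1.9|10.1.9.7|ntp (123/udp)|10884|Security Note|NTP server responds
results|10.1.9|10.1.9.7|messenger (135/udp)|11890|Security Hole|Messenger overflow
timestamps|||scan_end|Thu Jan 29 19:00:00 2004|
"""

def parse_nbe(text):
    """Yield (subnet, host, port, plugin_id) for each 'results' record."""
    for line in text.splitlines():
        fields = line.split("|")
        if fields[0] == "results" and len(fields) >= 7:
            yield fields[1], fields[2], fields[3], fields[4]

def triage(text, trusted=TRUSTED_PLUGINS):
    """Map subnet -> sorted 'host port: finding' lines, trusted plugins only.

    Dropping every other plugin ID is the dependency filtering the post
    describes doing once results are loaded into SQL; each subnet's list
    is the single email a faculty IT manager would receive.
    """
    per_subnet = defaultdict(set)
    for subnet, host, port, plugin in parse_nbe(text):
        if plugin in trusted:
            per_subnet[subnet].add(f"{host} {port}: {trusted[plugin]} [{plugin}]")
    return {s: sorted(v) for s, v in per_subnet.items()}
```

Feeding a real `nessus -T nbe` export to `triage()` in place of `SAMPLE_NBE` gives one list per class C, with the dependency and informational hits already stripped.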