Passive Vulnerability Scanning
Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: Passive Vulnerability Scanning

  1. #1
    Senior Member Deeboe's Avatar
    Join Date
    Nov 2005
    Posts
    185

    Passive Vulnerability Scanning

    Hello,

    I conduct internal Pen Testing for my organization and one factor of the testing is doing vulnerability scanning using Nessus. Sometimes that can be too agressive on the servers being scanned causing compliants of the users. (Please save the "If the servers are vulnerable to scans, they are too vulnerable period" comments. )

    I was just wondering what some of your opinions were on "Passive Vulnerability Scanning". If you have used it, how successful it was, etc.

    Currently I am considering Tenable's NeVO. http://www.tenablesecurity.com/products/nevo.shtml but am open for suggestions for alternate solutions.

    Any advice you could give would be great.

    -Deeboe
    If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
    - Sun Tzu, The Art of War

    http://tazforum.**********.com/

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    You probably already know this but I'll say it anyway....

    Pen testing is an inexact art at best. Unless you can reproduce exactly the config of the box to be tested and test the pen test against it then you will always get "random" results. The problem is that if you know the exacy config of the box then a pen test is "cheating".

    Catch 22..... Your staff and managers need to understand this. If you disaffect a server's funcionality while carrying out authorized tests against it then it is a fact of life. If the users get pissy because you do then they need to understand it too. Why? Because the risk analysis dictates that this testing _must_ be done. If the risk analysis does not dictate that it _must_ be done then you shouldn't be doing it....

    Not much help to you I'm sure.... But it might help someone else.....
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  3. #3
    Senior Member Deeboe's Avatar
    Join Date
    Nov 2005
    Posts
    185
    I love that response:

    If you disaffect a server's funcionality while carrying out authorized tests against it then it is a fact of life.
    You are preaching to the choir Tiger! That is the problem EXACTLY! However, they use this as an excuse for us not to do the pen testing. (Fill in your reasons here: _____)

    With that said, if I were to be able to do the vuln. analysis WITHOUT impacting the servers, they have no complaints. Additionally, we (the pen testers) do not come off as jerks or just another thing in the way of their "progress".

    I do appreciate your reply and it helps me drive my point.

    -Deeboe
    If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
    - Sun Tzu, The Art of War

    http://tazforum.**********.com/

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    "Progress" is a personal and insular thing. They can make progress but if that progress puts them at risk that may be unacceptable.... But then again it might not.... The fact they employed you for this task _implies_ they are interested in progress without problems.... But, at the same time, that could be "mouth music" so that they conform to your industry's regulations. That being the case, you are getting some "real-world" experience.... live it - love it - move on when you get a better offer...
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  5. #5
    Senior Member Deeboe's Avatar
    Join Date
    Nov 2005
    Posts
    185
    ...live it - love it - move on when you get a better offer...
    LOL - Thanks for the advice.

    All side topics aside, I am curious about Passive Vulnerability Scanning. If anyone has any advice on this, I would like to hear it.

    Thanks,
    -Deeboe
    If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
    - Sun Tzu, The Art of War

    http://tazforum.**********.com/

  6. #6
    Senior Member genXer's Avatar
    Join Date
    Jun 2005
    Posts
    252
    I'm definitely no expert in this field, but I have read a few things on this - draw your own conclusions:

    From Tenable: http://www.tenablesecurity.com/image...ng_tenable.pdf

    From ComputerWorld: http://www.computerworld.com/securit...,99997,00.html

    As Tenable and others note, passive scanning does not give a total picture of your enterprise, but "you to assess the vulnerability[ies] of your software without interfering with the client or server" (ComputerWorld) and "...very interesting information about the security profile of a monitored network, but this is no means a 'total' view of network security." (Tenable Security).

    Here's a blog entry on discussing active versus passive: http://blog.ncircle.com/archives/200...n_passiv_1.htm

    ...
    ..
    .

    I, myself do not have an opinion about this just yet, but just wanted to provide what I found so far.

    And yes, I used Google
    \"We\'re the middle children of history.... no purpose or place. We have no Great War, no Great Depression. Our great war is a spiritual war. Our great depression is our lives. We\'ve all been raised by television to believe that one day we\'ll all be millionaires and movie gods and rock stars -- but we won\'t. And we\'re learning slowly that fact. And we\'re very, very pissed off.\" - Tyler (Brad Pitt) Fight Club.

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    In many ways passive vulnerability scanning is a silly concept.... Why?

    Well... Passively I can tell that you are running IIS 5, (or whatever), so therefore you are potentially exploitable by vulnerability X. But, the target might be running URLScan which will block the .exe request you make. Unless you make a fake .exe request that shows URLScan is running you _could_ conclude that the server is vulnerable to a request for an exe file..... Stupid example, I know, but the point is that unless you try an exploit you will never really know if it might work. While URLScan might not be running how would you know that properly implemented ACL's would nullify the exploit unless you try it?

    Catch sent me a personal message saying that it is common practice to send the entire setup of the target to the pen testers and old me that I was wrong for saying that this is "cheating". It absolutely _is_ cheating..... Why?

    Because doing so focuses the pen tester on the known rather then forcing them to discover it for themselves and be creative in the meantime - If you want a thorough job you need to force them to be creative....

    Passive pen-testing, in my opinion, is a lot like masturbation. It feels good, it "gets the job done", but in the end it is your imagination and your own hand. If you _really_ want to be penetrated properly, be coy.... Let them get there on their own... It makes them be smart, creative and, eventually, you will be more satisfied with the "service", if you know what I mean....
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  8. #8
    Senior Member Deeboe's Avatar
    Join Date
    Nov 2005
    Posts
    185
    Catch sent me a personal message saying that it is common practice to send the entire setup of the target to the pen testers and old me that I was wrong for saying that this is "cheating". It absolutely _is_ cheating..... Why?
    I can speak from my own experiance by saying that we ask for the O/S so it saves us time. ...but it isnt just the O/S we are asking for. It includes IP address, machine types, names, network diagrams, etc.

    There are occasions when we will have to finish a Pen test of a site (ave = 30 servers) in a week. We dont want to waste our time looking up crap that any idiot skiddy can do. Lets face it, who cant do a simple O/S fingerprint? That is why the big man above (Fyodor) invented Nmap!

    Passive pen-testing, in my opinion, is a lot like masturbation.
    I agree, passive pen-testing is not a the best way to do it. However, (much like masturbation) it gets the job done. Sometimes the lady (the server or client) doesnt want to get bothered because they have a headache or too much to do. Either way, I don't care, I gotta get a job done and I need to do it by any means.

    My point is, if I can do that without intruding (or causing a problem which could cost my company money) that is a step I am willing to take!! In the end, I don't want to bother my client because I am there to help, not hurt!

    -Deeboe
    If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
    - Sun Tzu, The Art of War

    http://tazforum.**********.com/

  9. #9
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I don't want to bother my client because I am there to help, not hurt!
    Don't get me wrong.... I fully understand and sympathize with your dilemma and frankly I don't consider the OS, IP, etc. information as cheating. Like you point out you are really expediting the process. The problem comes with the target itself. There will always be something about a target that the client may omit or be unaware of and you can passively test 1000 servers that you are told are configured identically and then you will come across one where someone replaced the NIC with one from a different manufacturer - hence a different driver - and that little attempt to putz with the web service, (that you have done 1000 times), causes a DoS at the NIC because the driver is slightly flawed. Not your fault, not the customers fault... Possibly not even the NIC manufacturer's fault.... But it is a fact of life that makes any attempt to determine the security stance of a production server passively a risk.

    Simply put the moment you direct packets towards a server or workstation you threw "passive" out of the window - you "touched" the asset. Am I communicating my thoughts lucidly here?
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  10. #10
    Senior Member Deeboe's Avatar
    Join Date
    Nov 2005
    Posts
    185
    Simply put the moment you direct packets towards a server or workstation you threw "passive" out of the window - you "touched" the asset. Am I communicating my thoughts lucidly here?
    I understand fully what you are saying. You can't do a full "penetration" test without "penetrating" the server. You HAVE TO touch it somehow. My only question was on Vulnerability analysis. Nessus can be burdensome on the servers at times and I would like an alternative for certain occations.

    Tiger - I catch what your saying fully and appreciate it just as well!

    -Deeboe
    If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
    - Sun Tzu, The Art of War

    http://tazforum.**********.com/

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides