Posts Tagged ‘nexpose’

Why Would I Whitelist My ASV?

I came across this again and figured I’d post it as a reference for future conversations. This is often hard for folks to wrap their heads around, which I can completely understand: “An attacker isn’t going to have whitelisted access…”

The deal is, no matter how good your vuln scanner is, there’s no replacement for human intelligence. Not to mention, as PCI describes… technology SNAFUs.


Perform a Scan without Interference from IDS/IPS

“In order to ensure that reliable scans can be conducted, the ASV scan solution must be allowed to perform scanning without interference from intrusion detection systems (IDSs) or intrusion prevention systems (IPSs). Such “active” protection systems may react differently to an automated scanning solution than they would react to a targeted hacker attack, which could cause inaccuracies in the scan report.” PCI DSS, v1.2 ASV Program Guide Reference, v1.0 March 2010




Vulnerability Scanning Over VLANs

VLAN trunking has a number of benefits in an enterprise environment, from cost and configuration reduction to security enhancements. VLAN trunking adds an IEEE 802.1Q tag to each Ethernet frame that identifies which VLAN the traffic belongs to. This enables a single host to send traffic to various segments without needing multiple physical interfaces. In addition, VLAN trunking allows devices to be grouped logically rather than physically, so devices can be moved without the overhead of additional configuration. Aside from the configuration benefits, VLANs also make ARP spoofing and ARP poisoning much more difficult for an attacker.

The first requirement, to make sure you can route traffic properly, is a virtual or physical device that will tag the Ethernet frames with the 802.1Q tag. VLAN tagging can be done through a number of methods, such as a virtual host (such as ESX) or by installing an 802.1Q support package at the OS level.
Below I’ve outlined two methods which will enable your NeXpose instance to recognize your currently configured VLAN/VDOM segments. Keep in mind that the target environment must have the drivers necessary to support 802.1Q in order to route traffic.
VMware’s ESX server supports 3 different methods for VLANing, which can be found here.

*Make sure you confirm that identical IPs are not used in the various VLANs. If this is the case, it is recommended that additional engines are used to differentiate the segments.

The easiest method to install the vlan package is by using apt-get:
apt-get install vlan
This will install both the driver and the module needed. Additionally, it makes the module persistent across reboots.

If you need to install the package manually, then download the appropriate package for your kernel, OS, and hardware. This tutorial will focus on Ubuntu 8.04 aka Hardy (currently the standard R7 Appliance build). You can select the appropriate VLAN package here.

After you get the deb package onto the machine, run the following command to install it:
dpkg -i vlan_1.9-3_amd64.deb
You will need to load the module by hand using:
modprobe 8021q
Additionally, you will need to make the module persistent across reboots:
echo 8021q >> /etc/modules
Now that the driver and module have been installed and loaded, you can configure your VLANs. There are tools such as vconfig that can be used to configure the VLANs; however, it’s easy enough to do it manually.
You can locate your interfaces file here:
The sub-interfaces method (eth0.2, eth0.3) is used here as it is the traditional Linux convention; however, we could have just as well used vlan2, vlan3, etc. instead. If you have an internal schema for naming your VLANs, you should keep this consistent.
The VLANs do NOT need gateway entries defined. They will use the physical adapter’s gateway, and the physical adapter will handle the VLANs accordingly. There should only be 1 gateway, either associated with the physical interface or associated with a virtual interface.
VLANs are a switching function and as such operate at Layer 2 of the OSI model. Therefore, in order to route packets between VLANs, a Layer 3 router will be needed. It is assumed that if you are currently running 802.1Q this won’t be a problem.
To check the VLAN use:

cat /proc/net/vlan/eth0.2 or cat /proc/net/vlan/config

Below is a sample of what your interfaces file should look like when completed. Note that interfaces(5) only honours comments on a line of their own (end-of-line comments are not supported and will break parsing), so each description sits above the line it describes:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# PRIMARY physical interface(s)
# First physical interface, settings for DHCP
auto eth0
iface eth0 inet dhcp

# Settings for a static IP instead (uncomment and fill in the address,
# netmask and gateway)
#iface eth0 inet static
#address
#netmask
#gateway

# Second physical interface, settings for DHCP
#auto eth1
#iface eth1 inet dhcp

# VLAN interface(s)
# Virtual interface for VLAN 2, static IP (fill in address and netmask)
auto eth0.2
iface eth0.2 inet static
address
netmask
# Associate the virtual interface with the physical device
vlan_raw_device eth0

# Virtual interface for VLAN 3, static IP (fill in address and netmask)
auto eth0.3
iface eth0.3 inet static
address
netmask
# Associate the virtual interface with the physical device
vlan_raw_device eth0
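Before bringing the sub-interfaces up, it is worth checking the file against the rules just described. The shell script below is an added example (my own, not from the original post or the NeXpose appliance) that audits an ifupdown interfaces file for more than one gateway, an address reused across VLAN sub-interfaces, and a VLAN stanza without vlan_raw_device; the interfaces file it writes is a constructed sample that deliberately breaks all three rules.

```shell
#!/bin/sh
# Added example (not part of the original post): audit an ifupdown
# interfaces file for more than one gateway, an address reused by several
# VLAN sub-interfaces, and a VLAN stanza without vlan_raw_device.
# The interfaces file below is a constructed sample.
SAMPLE_IFACES="$(mktemp)"
cat > "$SAMPLE_IFACES" <<'EOF'
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 10.0.0.5
netmask 255.255.255.0
gateway 10.0.0.1

auto eth0.2
iface eth0.2 inet static
address 10.0.2.5
netmask 255.255.255.0
vlan_raw_device eth0

auto eth0.3
iface eth0.3 inet static
address 10.0.2.5
netmask 255.255.255.0
gateway 10.0.3.1
EOF

# Number of gateway lines; the post says there should be exactly one.
count_gateways() {
    grep -c '^[[:space:]]*gateway[[:space:]]' "$1"
}

# Addresses that appear in more than one stanza (the duplicate-IP case
# where the post recommends a separate scan engine per segment instead).
duplicate_addresses() {
    awk '/^[[:space:]]*address[[:space:]]/ { seen[$2]++ }
         END { for (a in seen) if (seen[a] > 1) print a }' "$1"
}

# VLAN sub-interfaces (ethX.N) whose stanza has no vlan_raw_device line.
vlans_without_raw_device() {
    awk '/^[[:space:]]*iface[[:space:]]/ {
             if (cur != "" && !raw) print cur
             cur = ($2 ~ /^[a-z]+[0-9]+\.[0-9]+$/) ? $2 : ""
             raw = 0
         }
         /^[[:space:]]*vlan_raw_device[[:space:]]/ { raw = 1 }
         END { if (cur != "" && !raw) print cur }' "$1"
}

# Print every violation and return non-zero if there was at least one.
audit_interfaces() {
    status=0
    [ "$(count_gateways "$1")" -eq 1 ] || { echo "more than one gateway"; status=1; }
    dups="$(duplicate_addresses "$1")"
    [ -z "$dups" ] || { echo "duplicate address: $dups"; status=1; }
    missing="$(vlans_without_raw_device "$1")"
    [ -z "$missing" ] || { echo "no vlan_raw_device: $missing"; status=1; }
    return $status
}

audit_interfaces "$SAMPLE_IFACES" || echo "audit: fix the file before ifup"
```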

March Patch Tuesday Roundup

Since Microsoft is on this new staggered pattern of releases, we can expect a feast or famine every other month…so get used to it. Depending on what side of the desk you sit on you can adjust the context. With that being said, this month’s release brought us 3 patches addressing 4 vulnerabilities. I think we were all expecting to see the MHTML protocol handler issue resolved, however it didn’t make the cut. Make sure IE is in restricted mode or at least you’re restricting ActiveX and Active Scripting for your users until the fix is released. This vulnerability is already being leveraged for geo-political warfare according to Google.

The honorable mention of this release goes to MS11-015. MS11-015 is classified as the only “Critical” update this release.


This vulnerability is exposed when the Stream Buffer Engine (SBE) tries to parse “.dvr-ms” files. This flaw will allow any of your IE users to be remotely exploited when using Windows Media Center or Media Player to play these files. You can expect social engineering vectors to be used here… emails pointing to a .dvr-ms file or an iFrame rendering one.

MS11-016 – CVE-2010-3146 & MS11-017 CVE-2011-0029

The last two I won’t spend too much time on, as they fall in line with the not-so-surprising DLL hijacking exposures we’ve been seeing from Microsoft. You’ll also see them called “binary planting vulnerabilities”…at the end of the day they’re the same issue. HD has a great post detailing the characteristics of this exposure here.

Below is the official breakdown of the March 2011 Patch Tuesday Release:

MS11-015/KB2510030 – Critical (XP, Vista, 7)/Important (2008 R2) Vulnerabilities in Windows Media Could Allow Remote Code Execution (2510030) This security update resolves one publicly disclosed vulnerability in DirectShow and one privately reported vulnerability in Windows Media Player and Windows Media Center. The more severe of these vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Digital Video Recording (.dvr-ms) file. In all cases, a user cannot be forced to open the file; for an attack to be successful, a user must be convinced to do so. **PATCH ASAP**

MS11-016/KB2494047 – Important (Microsoft Groove 2007): Vulnerability in Microsoft Groove Could Allow Remote Code Execution (2494047) This security update resolves a publicly disclosed vulnerability in Microsoft Groove that could allow remote code execution if a user opens a legitimate Groove-related file that is located in the same network directory as a specially crafted library file. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS11-017/KB2508062 – Important (XP, Vista, 7, 2003, 2008, 2008 R2): Vulnerability in Remote Desktop Client Could Allow Remote Code Execution (2508062) This security update resolves a publicly disclosed vulnerability in Windows Remote Desktop Client. The vulnerability could allow remote code execution if a user opens a legitimate Remote Desktop configuration (.rdp) file located in the same network folder as a specially crafted library file. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application.

Until next time….

Intelligence Meets Automation – [Enter] JESS

For as long as I’ve been at R7, we’ve struggled with articulating the power JESS has on the assessment process. The ability to emulate human function is priceless when trying to identify exposures.

JESS has one of the more compelling stories in the evolution of multi-layered assessment. The ability for NeXpose to take information found in real time and act on it is game changing. Below Ernest Friedman-Hill demonstrates the AI engine at a very basic but consumable level.


NeXpose Policy Files?

The ‘Pose ships with a number of policy checks that are pre-defined but can be modified. Many times this functionality is overlooked because the majority of the templates disable these checks by default. You can always enable them and use the “Exhaustive” scan template if you forget the syntax. There are a number of policy checks shipped, but I will focus on the most extensible.

The policy information is best found by viewing the file directly. You will see there are a number of checks here, but more advanced users typically utilize it as a framework. These files can be customized and used to harden devices or enforce internal policy on Windows, Oracle and Domino.

If you have an organization-specific policy that needs to be enforced, custom vulnerability checks may be necessary. For example…”Here at Acme, having USB drives enabled is a violation of our security policy”. A check would be written to identify this scenario, creating a positive or negative condition. On the reporting side, the policy report would present a conform or violate result for the policy.

NeXpose Scan Template Syntax

To customize the predefined policy, use the syntax below. Before you kick off your scan, make sure credentials are added.

Windows Policy

Workstation policy file name – basicwk.inf


Domain controller policy file name – basicdc.inf

Oracle Policy


Domino Policy


The Files Are In The Computer…

If you want to review the predefined policies or create your own, the policy files can be found below.







NeXpose Troubleshooting – Grepin’ Logs

As much as I would love to say NeXpose never has issues, the reality is, it’s software. In many cases NeXpose will encounter an unfavorable response from a target, or a peer will drop the connection when being probed. While trying to isolate errors, the ability to search through multiple logs at the same time is priceless. [Enter] grep!

I’ve outlined a number of key search phrases that can be used to isolate specific issues.

I recommend the command below to pipe the search findings to a text file for review. If you would just like the output of the search printed to your screen, then replace “ > out.txt” with “| less”. After going into the appropriate log folder (mentioned in my 1/13/10 post) the string below can be used:

grep [search term] ./[log directory]/ns* > out.txt

**Keep in mind that Linux is case sensitive**

  • Identify where external/remote scanning starts :

“Connecting to NSE”

  • Identify where a local scan starts

“Scan started”

  • Policy issues :

“nexpose is running as”

  • Serial Number  *This search is used in the NSC log


  • Fingerprint

“Starting fingerprinting”

  • Finished scan *The search is used in the NSE log

“Completed in”

  • Remote Engine Issues *This command is used in the NSC log

“Failure communicating with NSE”

  • Memory Error *This search is used in the NSE log


  • Java Heap Space Error

“Java heap space”

  • GC Memory Error

“GC overhead limit exceeded”

  • Find if scan stopped or started

a)  “(userID)” – find the specific user that started or stopped the scanner

b)  “<>” –  find if a scan was stopped or started

  • Beginning of Scan Configuration *This command is used in the NSC log (helpful to find the list of sites)

“Scan configs” – This can be used to find where the config ids start. Using it with grep will show the beginning of the scan configuration. It’s better to search for it in a program like Notepad++, where you can then view the ids themselves after it.

  • Search config Site by site


  • IP’s in a site

“range from=”

  • Starting Scan *This command is used in the NSC log

“job JobID”

  • Scan Stopped


  • Look for connection to remote engines

“Updating remote scan engines”

  • Look for recent successful connection to host

“Scan engine is current”

  • Find complete scans

“completed in”

  • If engine is shutdown

“stopped: Scan Engine Shutdown”

  • Web service shutting down *This command is used in the NSC log

“HTTPServerMain shutting down…”

  • Null Pointer


  • Update issue *The search is used in the NSE log


  • Alert delivery failure

“Failed to deliver”

  • Export issue

“Generating report: Database Export”
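Running each of those phrases by hand across every ns* log gets old quickly. The script below is an added example (my own, not from the original post or from NeXpose) that wraps the same grep technique: it searches all ns* logs in a directory for the phrases listed above, counts hits per phrase, and flags the two memory-error phrases from the NSE log. The log lines it writes are constructed samples, not real NeXpose output; it also shows why “Completed in” and “completed in” are different searches.

```shell
#!/bin/sh
# Added example (not part of the original post): run the search phrases
# listed above across every ns* log in a directory in one pass and count
# the hits per phrase, so a misbehaving engine can be triaged without
# opening each log. The log lines below are constructed samples, not real
# NeXpose output; the file names follow the post's nsc.log / nse.log.
LOGDIR="$(mktemp -d)"
cat > "$LOGDIR/nsc.log" <<'EOF'
2011-03-09T10:00:01 [INFO] Scan started
2011-03-09T10:00:02 [INFO] Connecting to NSE
2011-03-09T10:00:09 [ERROR] Failure communicating with NSE
2011-03-09T10:05:00 [INFO] Generating report: Database Export
2011-03-09T10:05:30 [ERROR] Failed to deliver report alert
EOF
cat > "$LOGDIR/nse.log" <<'EOF'
2011-03-09T10:00:03 [INFO] Starting fingerprinting
2011-03-09T10:01:15 [ERROR] java.lang.OutOfMemoryError: Java heap space
2011-03-09T10:01:16 [ERROR] GC overhead limit exceeded
2011-03-09T10:04:59 [INFO] Scan completed in 4 minutes
EOF

# Count lines across all ns* logs that contain one phrase. -F takes the
# phrase literally, -h drops file names so wc sees only matching lines.
# Matching is case sensitive, as the post warns: "Completed in" and
# "completed in" are different searches.
count_hits() {          # $1 = log directory, $2 = phrase
    grep -h -F -- "$2" "$1"/ns* | wc -l | tr -d ' '
}

# One line per phrase from the post: "<phrase><TAB><count>".
log_summary() {
    for phrase in "Scan started" "Connecting to NSE" "Starting fingerprinting" \
                  "Failure communicating with NSE" "Java heap space" \
                  "GC overhead limit exceeded" "Completed in" "completed in" \
                  "Failed to deliver" "Generating report: Database Export"; do
        printf '%s\t%s\n' "$phrase" "$(count_hits "$1" "$phrase")"
    done
}

# Exit 0 if either memory-error phrase appears in the NSE log, 1 otherwise,
# so the check can gate an alert.
has_memory_error() {
    grep -q -E 'Java heap space|GC overhead limit exceeded' "$1"/nse.log
}

log_summary "$LOGDIR"
if has_memory_error "$LOGDIR"; then
    echo "NSE log shows a memory error"
fi
```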

Attack Sites – Vulnerability Testing

When trying new exploits or testing new tools, creating the environment can be quite time consuming. Finding a suitable host, installing all the guests and making machines vulnerable to specific attacks is a pain in the a$$.  The reality is…This is not that difficult but it IS time consuming. Last time I had to do it, it involved me downloading and installing DVL and Metasploitable, then finding Vista and W2k3 installs and tearing them down. I feel your pain …

I’ve included a few links to vulnerable machines that can be installed locally above. I’ve also included a list of vulnerable test sites that will save you the setup time altogether for certain attacks.

  • (TLS, DoS, TCP Seq Approx. CVE-2004-0230) – Last Tested Thu Nov 18 2010
  • (Blind SQLi, XSS, DoS, FTP Exposures) – Last Tested Tues Feb 8 2011
  • (OpenSSL, SQLi, PHP, Apache CVE-2010-0425 & CVE-2006-3747) – Last Tested Thu Dec 16 2010
  • (Apache, PHP, OpenSSL) – Last Tested Sun Jan 16 2011
  • (Apache, SSHv1, TRACE & WebDAV) – Last Tested Sun Jan 16 2011

NeXpose Logging

I was working with a well-known defense contractor yesterday and there were a number of questions about activity tracking. In any consulting engagement or government assessment, being able to say where you were and when you were there is mandatory. With that being said, I thought it would be valuable to know the location of the ‘Pose log files. I’ve included the various logs that NeXpose generates below.

The logs reside under the base directory, which for a default installation is:

sudo /opt/rapid7/nexpose

  • nsc.log-> Tracks all console activity such as when scans are stopped or started and console errors. (nsc/logs)
  • nse.log-> This tracks the details of the scan progress such as the checks that are run and what was checked. (nsc/logs)
  • um_log -> Tracks which users log in and when their sessions end. (nsc/logs)
  • access_log -> Tracks all HTTP requests made with the UI. (nsc/logs)
  • tomcat.log –> Logs runtime information on the HTTP server the UI uses. (nsc/logs/tomcat)
  • nxpgsql.log –> Logs high level database activity. (nsc/nxpsql/nxpgsql)

The NSC and NSE logs will be more granular if you enable verbose logging. Keep in mind that this dramatically increases your log size, so watch your HDD space.

Administration>>NeXpose Security Console “Manage”>>Logging>> Enable Verbose Logging

January Patch Tuesday Roundup

So I know we all were hoping to see a fix for some of this Windows Graphic Rendering Engine nastiness…but no go. For now, you’ll need to resort to the good ol’ FixIt option or if you wanna get your hands dirty, you can modify the ACL on shimgvw.dll directly.

Either way, if you’re running IE you’ll have to patiently wait for the official patch release.

So this monthly patch was lean-n-mean. This month Microsoft released (2) bulletins, addressing (3) vulnerabilities. One of which is pretty hardcore – expect to see active exploitation, while the other takes a lot more finesse for an attacker.

Pure Evil: MS11-002 addresses 2 privately reported vulnerabilities (CVE-2011-0026 & CVE-2011-0027). Both target the way Microsoft Data Access Components validate memory allocation. Essentially an attacker could lure a user to a website from which a process targeting MDAC can be executed. This would allow the attacker to take control of the target under the user’s permissions. With that being said, your standard users are less of a concern. Your CEO that demanded Admin privileges? Well, that’s another story =)

Kinda Evil: MS11-001 addresses a publicly disclosed vulnerability that affects Windows Backup Manager (CVE-2010-3145). So “001” is not just another “Important” patch; it marks a seemingly predictable trend of DLL-loading vulnerabilities. I’m not quite sure what that’s all about, but it’s definitely notable. So what’s “001” all about? In order to exploit this, the user would have to knowingly accept a backup file from a 3rd party or visit an untrusted remote file system. If your users are doing these types of things, a patch is the least of your worries :-| The other element that makes this exposure have less B-A-N-G is that it only affects Windows Vista.

Below is the official breakdown of the January 2011 Patch Tuesday Release:

MS11-002/KB294871 – Critical (Windows XP, Vista, Win7, 2003, 2008 *Server Core): This security update resolves two privately reported vulnerabilities in Microsoft Data Access Components. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be affected less than users who operate with administrative user rights.

MS11-001/KB294871 – Important (Windows Vista): This security update resolves a publicly disclosed vulnerability in Windows Backup Manager. The vulnerability could allow remote code execution if a user opens a legitimate Windows Backup Manager file that is located in the same network directory as a specially crafted library file. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open the legitimate file from that location, which in turn could cause Windows Backup Manager to load the specially crafted library file. **Patch ASAP**

Until next time…Happy Patching!

Customizing NeXpose Service Fingerprints

I was working with a large Bulk Energy Provider who was tasked per NERC to regularly identify all listening services on all “Critical Cyber Assets”. This seems like a fairly simple task; however, in most SCADA environments, services will orphan or fail with the least bit of probing. Let’s be frank…most control systems just don’t like packets thrown at them.

To take it a step further he also wanted to do a full vulnerability scan against the target services that were known to be stable.  After identifying a list of services/ports that would fail when probed, we were able to accomplish this task in a single pass.

The caveat in this specific scenario was that the customer was using a SCADA template, which utilizes a few different approach methods than the standard template set. If you’re not using NeXpose to scan sensitive devices such as RTUs, a basic template can be used to label services running on non-standard ports or services labeled as “unknown”.

I’ve outlined the steps below…

1. Copy your default-properties file located in /opt/rapid7/nexpose/plugins/java/1/NetworkScanners/1

sudo cp

2. Edit the default services file.

Use your favorite text editor and edit the ports adding the name that you would like to appear as the service label.

sudo nano

3. Once saved, return to the NeXpose console to edit the template that will be used for the scan. Create a copy of the template you will be using for the scan.

4. Type in the name of your copied default-properties file into the “Default Service Names File” section.

5. Create your site using the newly created scan template and launch your scan.

The results from your scan can be now grouped in the Assets Tab under Services. You also can use the Audit Report to present all devices running the specific service fingerprint.