CategorySecurity

Tenable.SC license renewal headache – things to keep in mind when renewing

First year of Tenable usage was coming to an end. Nessus scanners/Managers and Tenable.SC all notified me that their licenses are about to expire. Contacted the company selling tenable in the region, got the licenses extended.

New license expiry date popped into the tenable support site, was wondering if the different instances would auto update their licenses. Looked at the scanners and managers – all was fine and licenses were extended. So I was happy problem solved, at least so I thought.. But I had missed one place, the SC, as I assumed that all their software/licenses would work the same way and didn’t waste any more time looking at the licenses.

A few weeks pass and suddenly I cannot log into the SC any more “with invalid license” error popping up when I try and log in. As it turned out – never assume that a vendors products all work the same way. When going to the admin interface of the SC I discover that the license states that its expired. Logged into the tenable support website to check on the license status all is supposed to be fine.

After that had a little chat with support – as it turns out licenses for Tenable.SC can be renewed in multiple ways. In one case your license is extended and the other just superseded so you need to re-download the license key file and upload it to your SC for it to start working again..

During the period the license was expired the scan data was not imported (rejected with an error by the SC). Fortunately it could be re-processed in the scan results list, but all the data ended up having the discovery date set as the manual re-processing date.. A minor inconvenience/integrity issue, but at least all the info still exists.

Check Point to Cisco ASA IKEv2 VPN with SHA-256 “no proposal chosen” – Timed out

When creating a VPN tunnel between Cisco ASA 9.x and Check Point firewalls using IKE v2 and integrity checks better than SHA1 you might run into a small issue where Phase 1 comes up with no issue and on Phase 2 see time outs in the Check Point logs.

After seeing time out, you enable VPN debugging and you see in the ikev2.xmll log “No Proposal Chosen” message coming from the ASA side. Then you and compare the the crypto configurations on both sides and see that they are identical. If that is the case, there might be a pseudo-random function (“prf”) mismatch. To get around it you should try the following command on the Cisco side:

prf sha

It’s only doable on Cisco side, as Check Point doesn’t let you change this value. That was supposedly the only change made on the peer gateway by the Cisco admin after which the tunnel came up.

Tenable.SC and Nessus Scanner updates activation

When installing Tenable.SC it asks for a activation key and installation continues. Then you install your Nessus scanner and during the install point it to the SC and it shows that its license is managed by Tenable.SC. Now that you have everything installed and up and running right? Wrong..

Updates for the plugins are not working yet, as for that you need to enter a separate license key. You need to log in to your Tenable Community account go to Your products and find the Tenable.sc activation key.

You need to insert that key into your Tenable.SC when logged into it as and administrator (not the scanning account). You need to navigate in the menu to System > Configuration > License and click on “Nessus Scanner” and paste the activation key you found on the Support site into there and press Register. After that your Tenable.SC and Nessus will be able to update their plugins and feeds.

Getting Tenable.SC working with Nessus Agents

What do Nessus Agents do

Nessus Agent is a lightweight piece of software that You can install on a host to do patch management and vulnerability/compliance checking with out having some central server with credentials logging into every machine you have. For example the Nessus Credentialed scans. Instead the agent software just reports back to the central server and keeps polling to see if any commands have been given.

Nessus Agent can run patch level/vulnerability scan/malware scan or configuration compliance checks.

Requirements

I assume that when thinking about Nessus Agent based scans with Tenable.sc You already have a Tenable.SC license and working installation.

Tenable.SC needs to have access to the TCP port 8834 on the Nessus Manager.

Nessus Manager preferrably has internet access to download updates and activate the license.

Nessus Agents need access to the TCP port 8834 on the Nessus Manager.

Licensing hassle

In order to get Nessus Agents info into Tenable.SC there are some extra steps You need to take besides the Tenable.SC and Nessus Scanner installation. You actually also need to install Nessus Manager to get Agents working. Regular Nessus scanners haven’t got the ability to work with Agents.

To actually get Nessus Manager, it turned out to be a bit of a hassle. As it turns out, although the software comes with the Tenable.SC license, You actually need to ask for it separately. After a short e-mail exchange with support and some signed documents later, You will actually get Nessus Manager license added to your Tenable account.

The installation

After You get the license key, download the regular “Tenable Core + Nessus” software from https://www.tenable.com/downloads/tenable-appliance and install the VM. The install will be the same as for regular Nessus Scanner.

After having set up the VM open Your web browser and go to the appliance web page https://nessus-manager-ip-here:8834/, then the wizard will open. From there select Nessus Manager instead of Nessus Scanner and insert the license key when prompted. The setup will also ask for you to create an account for you self.. It will take a while for the wizard to download and compile all the needed components. After it completes you have a ready working Nessus Manager.

After the wizard completes, login to the the Appliance with the account You created during the wizard. First thing You need to do is create a “group” for the agents. IE for your web servers call it “Web Servers” or for Client PC’s call it “Client PC’s”. After having created the groups you now can proceed to linking your Agents.

To install the agents first You need to download the proper Agent software from https://www.tenable.com/downloads/nessus-agents. Installation is quite straight forward. As an example on a 64bit Centos7 machine, it would go like this:

  • Copy the Agent to the machine
  • Elevate privileges to root or use sudo
  • Install the agent by issuing the “rpm -i NessusAgent-7.5.1-es7.x86_64.rpm” command. You should get the following output:
    warning: NessusAgent-7.5.1-es7.x86_64.rpm: Header V4 RSA/SHA1 Signature, key ID 1c0c4a5d: NOKEY
    You must first start Nessus Agent by typing /bin/systemctl start nessusagent.service
    To link this agent to the Nessus Manager, use the ‘/opt/nessus_agent/sbin/nessuscli agent’ command.
    Type ‘/opt/nessus_agent/sbin/nessuscli agent help’ for more info.

Next you need to link Your agent to the Nessus Manager. In order to do that copy the “Linking Key” from Nessus Manager, which can be found at the Agents page in the “Linked Agents” section. After having found the key you can create your linking command on your client. Which is looks something like this:
/opt/nessus_agent/sbin/nessuscli agent lin/opt/nessus_agent/sbin/nessuscli agent link –key=”your-linking-key” –host=”your-nessus-manager-address” –port=8834 –groups=”Web Servers”

After issuing the previous command on the client it should now show up in the linked agents list where You got the linking key from. After having linked the agent to the manager you also need to start the service as was mentioned in the output from the rpm.

It will take a bit of time for the agent to come online. I initially thought something was broken. But it actually took ~5min for the client to go into the “initializing state” for a bitand then again offline. But after being in the initializing state the list started showing some more inf about the client, not only IP address. After that it stay’s offline again for some time, for me it was something like 15-20min and then the host started showing up as online. During that period might as well link the Nessus Manager and Tenable.SC.

Linking Nessus Manager and Tenable.SC goes is the same as with regular Nessus Scanner.

Running your first Agent scan

After having linked Your agents to Nessus Manager and Nessus Manager to Tenable.SC You can now define and run Agent scans.

Unlike how scanning works with Tenable.SC and Nessus Scanner, the agent scan needs to be defined and run on Nessus Manager instead. Tenable.SC only imports the reports actually although the button says run scan.

So you need to log in to Nessus Manager and under scans you should create a new scan. For every scan you need to select a group that the scan gets run on and also the interval if you want it to be a recurring one.

A lot of companies leak internal DNS/information system info to 3rd parties

One thing I have noticed while auditing different “internal use only” systems, that are not available online. Is that although they are offline, their existence is freely sent to Google with their URL’s/IP addresses.

Namely a lot of developers tend to integrate something provided by Google or by some other vendor, be it some java script or fonts. As an example when you include some css provided by Google – every time someone loads an internal application, Google gets a request from the clients web browser which also includes the referring URL.
Just example of outbound request headers from a web-page including some style sheet info provided by Google:

host: fonts.googleapis.com
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
 Accept: text/css,/;q=0.1Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate, br
 Connection: keep-alive
 Referer: https://someportal.corp.inernal/css/main.css

The “referer” header can be easily be harvested from logs. So next time including external resources think about it if you want a 3rd party to know about your internal things.

Even Yahoo is not able to keep track of it’s SSL certificates expiration

I have always thought that the “Internet Giants” have proper monitoring and procedures in place to keep track of their SSL certificates expiration dates. But as it turns out Yahoo does not.

In some instances of Yahoo advertisements they are still using a certificate that expired over a month ago. Today (07.08.2019) I am still at random getting an error about Yahoos advertisements certificate being expired:

WhatsApp used to interact with ATMs in Brazil

Happened upon a interesting article today – https://www.zdnet.com/article/banco-do-brasil-launches-cash-withdrawals-via-whatsapp/. As URL already states they are enabling users to withdraw cash from ATM’s via WhatsApp.

Basically what they say is that, the user needs to add a chatbot to their contact list and ask it for money. Then the chatbot gives them a “key” that is valid for a day. Although the service has a 80$ transaction limit, it still feels like a bad idea to me. I can already feel the new “malware wave” coming that tries to exploit this thing on the phones.

When thinking about this service, I really would love to see the analysis they made to say this is a really secure thing to do. How is this channel secured? How are they protecting people against “theft via malware”? I feel like I need to do some research in to that.

Malware campaigns are going even after the smaller “markets”

Yesterday I happened to read a warning by the Estonian police, that there is a new malware campaign. The fact that there is a malware campaign going on is not news to anyone. But what actually caught my attention was the translation quality on the phishing sites.

The warning had a screenshot of a site spreading malware was the classic your computer is infected with a virus scam, but for smart phones. Sites like that have been used for a long time. But the quality of translation has been really bad for those sites. This time the message had quite good quality and a lot of people might actually fall for it.

The message there basically stated that the user had visited a site containing malware or porn and might be infected with a virus. It also contained a threat that your ISP will block your internet access. They have scripted the ISP part, so that they try to get the ISP name from your IP address.

Besides the rise of quality of the phishing text and translation based on the localization info, a lot of the phishing sites have also moved on to using HTTPS. Malware sites have started using certificates that are accepted by web browsers making them a bit harder to detect by unsuspecting users.

It is the first time in years I felt like doing a refresher to my parents on recognizing malicious sites.

No more digital privacy in Australia

As it turns out the Australian House of Representatives has actually passed the “Telecommunications Assistance and Access Bill”. It is basically an anti-privacy bill that should come in to effect as a law early in 2019. It basically requires tech companies to provide access to users encrypted data to law enforcement agencies. Talk of similar laws has been around for a long time already, but no one had actually passed such laws.

Although quite a few people are calling it an anti-encryption bill, it actually doesn’t require the weakening of end to end encryption in the applications/services. What they require is that access to unencrypted data be provided in from the end devices or from some other point where the data is in plain text form. In that sense it is a bit better than other anti-privacy laws that I have heard of. They have acknowledged that weakening the encryption would grant anyone access to the data. But is forcing tech companies to make call-home features or back-doors to everything better? I think that it is a bit better than having weak encryption.

But I also think that such anti-privacy features can still be abused by hackers. As soon as you add a back-door, there is a risk that someone could get access to it and abuse it. There is no guarantee that only the legitimate users would get access to it. And as always it is said that the features would be only used when necessary. So they are trying to say that it wouldn’t be an all-out spying campaign on all the users all the time. But then the good old question comes to mind. How can you be sure that they are not spying on everyone? Simple, you can’t be. As soon as the possibility of eavesdropping exists there is no guarantee of privacy.

What’s up with all the bad passwords out there

A bit over a week ago the list of the worst passwords of the year (2018) was released by SplashData. You can review it yourself at https://www.teamsid.com/100-worst-passwords-top-50/.

After having a look at it I found myself amazed at the people’s choices of password. It just baffles me that people are still using passwords like “password” or “1234” as their password and when websites require longer passwords they just keep counting up the numbers instead of “1234” its now “12345678..”.

Do people still actually think that their passwords don’t matter? That no one will guess their username and password? By now almost everybody must have heard of the constant take overs of peoples social media accounts through simple password guessing. If not that, then people surely must have already come in contact with some one trying to log in to their account at some point – warnings at Gmail or similar services. Surely that should make people think.

In order for a password to resist simple brute force attacks it doesn’t have to be too complicated and something that is hard to remember like “x1Ds$!abFrdc?”. You can just your favorite quote from somewhere, which would be very easy to remember and much more secure than the ones on the list. To be a bit on the safer side you can add something to the beginning or ending of it. That would just be a precaution against some attackers that actually do some research on you. So that it wouldn’t happen that an attacker sees that The Simpsons is your favorite TV-show and would guess that your password is “Eatmyshorts!”

© 2020 HuxxIT

Theme by Anders NorénUp ↑