Tenable Blog

Port Scanning Never Dies

While information security threats constantly evolve from client-side attacks to web application vulnerabilities, there is one activity that is always effective: port scanning. Determining if a port is open or closed is a critical step in the discovery process associated with successfully attacking systems. For example, if port 80 or 443 is not open, it is likely there will not be a public web site associated with that system. Of course, this leads into service identification, which detects web servers listening on non-standard ports. However, you must be able to test if a port is open in the first place before you can determine which service may be running. Therefore, port scanning maintains its position as a necessary practice, even when referencing client-side attacks that can turn the remote client systems into port scanners using JavaScript.

Given the importance of port scanning, I want to cover some of the features and functions of the various port scanners included in the Nessus vulnerability scanner. The Nessus port scanner system has three network-based port scanners:

• TCP Scanner - The TCP scanner sends sequence of packets to initiate a full TCP connect to the target hosts, completing the TCP three-way handshake each time. The TCP port scanner uses a balance of speed and accuracy while using logic to tune itself as the scan progresses. The TCP scanner does not operate on Windows and Mac OS due to operating system limitations, so Nessus initiates the SYN scanner on these systems instead. However, when Nessus is installed on Linux it will implement a full-connect scanner in user space (i.e., without requiring root-level privileges). Early versions of the scanner consisted of a couple of pages of C source code. Over time it has grown in features and complexity to handle many different situations and types of networks. The TCP scanner will dynamically estimate the RTT (Round Trip Time) and make multiple passes on unresponsive ports to determine if there was a problem during the initial attempt. The TCP scanner will also read banners for some services and place this information, along with the open ports, in the Nessus knowledge base where the service identification routine and plugins can find the list of open ports for each host.

Tenable is pleased to announce the release of Nessus 4.4.1! This is a point release (moving from 4.4.0 to 4.4.1), containing several enhancements and minor bug fixes.

From a user perspective, there is a new feature that allows the SYN scanner to be selectively throttled. A new setting, nessus_syn_scanner.global_throughput.max can be added to the nessusd.conf file. The option sets the maximum number of packets per second that Nessus will send during a SYN port scan (regardless of how many hosts are scanned in parallel).

It's 4:55 PM on a Friday and you are looking forward to an enjoyable dinner with your family. Your Blackberry starts buzzing from across your desk while your inbox starts filling up with alerts from your SecurityCenter along with frantic emails from Human Resources. It seems a disgruntled employee named Jack Black quit today and nobody remembered to tell the IT group to disable his accounts until after important files started disappearing. Suddenly, you are stuck in Incident Response mode, gathering data on the user's activities. Do you cancel your reservations?

Fortunately, you have deployed Tenable Network Security's Unified Security Monitoring products, and have a wide array of resources[1] at hand to streamline the response process. These resources include SecurityCenter, the Passive Vulnerability Scanner (PVS) and Log Correlation Engine (LCE). At a high level, what can these resources do for you?

SecurityCenter

SecurityCenter provides a unified view of both vulnerability and event data along with the alerting, ticketing and reporting required for thorough user forensics.

Passive Vulnerability Scanner

PVS not only tracks vulnerabilities, but logs user and network activities detected in real-time on the wire. These activities include:

Welcome to the Tenable Network Security Podcast - Episode 70

Hosts: Paul Asadoorian, Product Evangelist and Carlos Perez, Lead Vulnerability Researcher

Announcements

• Several new blog posts have been published this week, including:
  • Microsoft Patch Tuesday Roundup - February 2011
  • Tenable All-Star Showcase - Atlanta - February 22



• Tenable will be at the upcoming RSA conference next week. Please stop by our booth (#729)!


• Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials.


• We're hiring! - Visit the Tenable web site for more information about open positions.


• You can subscribe to the Tenable Network Security Podcast on iTunes!


• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, provide Nessus plugin statistics and more!

Stories

• Honeynet Project Releases PhoneyC - Furthermore, PhoneyC emulates specific vulnerabilities to pinpoint the attack vector. PhoneyC is a modular framework that enables the study of malicious HTTP pages and understands modern vulnerabilities and attacker techniques.

Welcome to the Tenable Network Security Podcast - Episode 69

Hosts: Paul Asadoorian, Product Evangelist, Ron Gula, CEO/CTO, and Carlos Perez, Lead Vulnerability Researcher