As a penetration tester, vulnerability scanners are an important tool for me. They do the tedious and boring work of checking for known vulnerabilities that should have been fixed before I started, but inevitably are not.

For this, I need a scanner that is not only capable of finding these vulnerabilities, but perhaps even more importantly, does so reliably. And this is where I have to go on a bit of a rant! 🤬

1/ 🧵

One of the most widely used scanners is #Nessus, and many of its plugins have terrible specificity (they are prone to false positives).

One plugin I had to deal with today is plugin 137702. It finds systems vulnerable to #Ripple20, a set of 19 vulnerabilities in the Treck TCP/IP stack discovered in 2020. These vulnerabilities are a serious security risk if present, but should have been fixed in most systems by now.

2/ 🧵

That however didn't stop Nessus from reporting hundreds of vulnerable servers in a scan I was analyzing today. A deeper look into the code of the plugin revealed why: It checks whether a system uses the Treck TCP/IP stack, excludes four versions of a single product known to use it, and simply reports everything else as vulnerable. 🤯

3/ 🧵

This is a fucking joke! This is a scan that I can run two weeks after the vulnerability is discovered to understand the extent of the problem, but not four years later. And Nessus even updated this plugin last year without realizing that it is completely useless. If a vulnerability has been fixed for four years, a scanner has to assume a system is patched unless it has at least some vague indication that it might not be. I can't believe they charge 5k for this shit!

4/4 🧵
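To make the specificity point concrete, here is an added Python sketch (not the plugin's code, and not NASL) that models the decision rule described above, "Treck detected and not on a short exclusion list means vulnerable", next to a version-aware rule that only reports a finding with positive evidence, and counts false positives over a constructed fleet. The fixed-version threshold, product names, addresses and version numbers are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed threshold for this example: Treck versions below it are treated as
# unpatched. Placeholder, not a value taken from the Nessus plugin.
FIXED_TRECK_VERSION: Tuple[int, ...] = (6, 0, 1, 67)
EXCLUDED = {("ExampleCorp Printer", v) for v in ("1.0", "1.1", "1.2", "1.3")}  # constructed stand-in for the plugin's four-version exclusion

@dataclass
class Host:
    ip: str
    treck_detected: bool
    product: Optional[str] = None
    product_version: Optional[str] = None
    treck_version: Optional[Tuple[int, ...]] = None  # None = not determinable
    actually_vulnerable: bool = False  # constructed ground truth

def naive_verdict(h: Host) -> str:
    """Rule as described in the thread: Treck fingerprint and not excluded => vulnerable."""
    if not h.treck_detected:
        return "not_applicable"
    if (h.product, h.product_version) in EXCLUDED:
        return "safe"
    return "vulnerable"

def evidence_based_verdict(h: Host) -> str:
    """Report 'vulnerable' only with version evidence; otherwise informational 'unverified'."""
    if not h.treck_detected:
        return "not_applicable"
    if (h.product, h.product_version) in EXCLUDED:
        return "safe"
    if h.treck_version is None:
        return "unverified"
    return "vulnerable" if h.treck_version < FIXED_TRECK_VERSION else "safe"

def false_positives(hosts, verdict) -> int:
    """Hosts reported 'vulnerable' that are not: the specificity failures of the rule."""
    return sum(1 for h in hosts if verdict(h) == "vulnerable" and not h.actually_vulnerable)

# Constructed sample fleet (fake addresses, products and versions).
FLEET = [
    Host("10.0.0.1", True, "ExampleCorp Printer", "1.2"),
    Host("10.0.0.2", True, "ExampleCorp Gateway", "2.0", (6, 0, 1, 66), actually_vulnerable=True),
    Host("10.0.0.3", True, "ExampleCorp Gateway", "2.1", (6, 0, 1, 80)),
    Host("10.0.0.4", True, "Unknown", None),
    Host("10.0.0.5", False),
]

if __name__ == "__main__":
    print({fn.__name__: false_positives(FLEET, fn) for fn in (naive_verdict, evidence_based_verdict)})
```

The "unverified" verdict is what a scanner should emit at informational severity when it cannot establish a version, instead of asserting a four-year-old vulnerability.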

Another #Nessus gem: plugin 58601

This plugin checks for two vulnerabilities from 2008. It's triggered by the header "X-Powered-By: ASP.NET". 🤦

Nessus: "It is not possible to determine the version from the header, so this may be a false positive."

O RLY? In fact, I would say it is almost certainly a false positive. Every single time.