Category: sniffers

PCI Vulnerability Scans – Part II: PCI and Wireless

In my  previous PCI blog post we discussed risk level of vulnerabilities for PCI. In this blog post I will go over wireless requirements and how to detect rogue APs.

11.1 Test for the presence of wireless access points and detect unauthorized wireless access points on a quarterly basis.
Note: Methods that may be used in the process include but are not limited to wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless IDS/IPS. Whichever methods are used, they must be sufficient to detect and identify any unauthorized devices.

11.1.a Verify that the entity has a documented process to detect and identify wireless access points on a quarterly basis.

11.1.b Verify that the methodology is adequate to detect and identify any unauthorized wireless access points, including at least the following:

_ WLAN cards inserted into system components

_ Portable wireless devices connected to system components

(e.g., by USB, etc.)

_ Wireless devices attached to a network port or network device

11.1.c Verify that the documented process to identify unauthorized wireless access points is performed at least quarterly for all system components and facilities.

11.1.d If automated monitoring is utilized (e.g., wireless IDS/IPS, NAC), verify the configuration will generate alerts to personnel.

11.1.e Verify the organizationʼs incident response plan (Requirement 12.9) includes a response in the event unauthorized wireless devices are detected.

PCI wants you to detect rogue access points. However there is a flaw here. PCI doesn’t require you to monitor your network for rogue access points. It just want you detect them quarterly…

Well, what if attacker deploy an AP after you run your quarterly scan? You will be vulnerable lots of networking attack for a 3 more months and you will think you’re secure since you have PCI certification… This is another example of why you should not think you are secure just because you have a certification…

Anyway, let’s return our subject. So we need to determine rogue AP quarterly. Himm. Let’s see. We can do this by scanning all wireless APs and comparing the BSSIDs (mac address) of the APs that have same SSID with our APs. If we see any AP that has our SSID but not in our asset, that AP is a rogue AP.

A. Windows

Go to Start, type powershell, on the blue screen of power shell run these two following commands:

Netsh wlan show networks mode=bssid -> To get all BSSIDs

Netsh wlan show networks mode=ssid-> To get all SSIDs

B. MAC

KisMAC is a free, open source wireless stumbling and security tool for Mac OS

You can download it at http://kismac-ng.org/

After you run the KisMAC, click Start Scan in the bottom right corner.

C. Linux

Kismet is an 802.11 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring

mode, and can sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic (devices and drivers permitting).

Linux users can download Kismet at http://www.kismetwireless.net

Note: Please read the full manual, but for the quick starters, here is the bare minimal instruction to operate Kismet:

• Download Kismet from http://www.kismetwireless.net/download.shtml

• Run “./configure”. Pay attention to the output! If Kismet cannot find all the  headers and libraries it needs, major functionality may be missing. Most notably, compiling Kismet yourself will require the development packages and headers, usually called foo-dev or foo-devel.

• Make sure that all the functionality you need was enabled properly in configure. Almost all users will need pcap and libnl support for proper operation.

• Compile Kismet with “make”.

• Install Kismet with either “make install” or “make suidinstall”.

Note: you must read the “suid” installation and security” section of the Readme or your system may be insecure.

• If you have installed Kismet as suid-root, add your user to the “kismet” group

• Run “kismet”. If you did not install Kismet with suid-root support, you need to start it as root in nearly all situations. This is not recommended as it is

less secure than privsep mode, where packet processing is segregated  from admin rights.

• When prompted to start the Kismet server, choose “Yes”.

• When prompted to add a capture interface, add your wireless interface. In nearly all cases, Kismet will autodetect the device type and supported

channels. If it does not, you will have to manually define the capture type   (as explained later in this README).

• Logs will be stored in the directory created when you started using Kismet, unless it changed via the “logprefix” config file or “–log-prefix” startup option.

• READ THE REST OF THIS README. Kismet has a lot of features and a lot of configuration options. To get the most out of it, you must read all of

the documentation.

 

With these tools you can get all SSIDs and BSSIDs on your area (It is good idea to capture packets in different areas of your buildings so that you have better chance to detect any existed rogue APs.

 

Update: I have received couple of e-mail about PCI scope on wireless. Here is what PCI says about it:

“Wireless
If wireless technology is used to store, process, or transmit cardholder data (for example, point-of-sale transactions, “line-busting”), or if a wireless
local area network (WLAN) is connected to, or part of, the cardholder data environment (for example, not clearly separated by a firewall), the PCI
DSS requirements and testing procedures for wireless environments apply and must be performed (for example, Requirements 1.2.3, 2.1.1, and
4.1.1). Before wireless technology is implemented, an entity should carefully evaluate the need for the technology against the risk. Consider
deploying wireless technology only for non-sensitive data transmission.”

I believe it is pretty straight forward.  If there is no separation of wired/wireless networks with a firewall on your cardholder data environment you cannot think wireless network is out of your scope…

A Powerful Vulnerability Scanner: Nessus- Part II

In my last blog post, I mentioned about Nessus licenses and installation processes. Today, I would like to write about usage of Nessus.

Updating Plug-ins

After you register and activate the nessus server, it will start to download and then update the plugins. Plug-ins are kind of virus signatures.  Plug-ins test the common vulnerabilities on a machine. Nessus plugins are written on Nessus Attack Scripting Language (NASL). [It might be a good idea to have articles for how to write NASL too.]

nessus_Download

Updating plug-ins (for the first time) can take up to 20 minutes so be patient.

Client Configuration

Start Nessus Client  from Start->Applications->Tenable->Nessus Client.

Click the ‘+’ sign at the left. This will bring ‘Target Window’ where we can set which targets we want to scan.

nessus_client

We have 4 options that we can use the scan the network. The first one is single host. You can use the hostname or the IP address. (example.com or 123.4.5.67)

Second option is IP range. Basically, we can provide a valid ip range such as 192.168.0.1-192.168.0.254.

We can also scan a subnet by providing its network and subnet address. (Network Address: 192.168.0.0; Subnet mask: 255.255.255.0)

We can provide host names or IP we want to scan in a text file. This is beneficial if you already have the list of the machines you want to scan and don’t want to scan all the network.

Choose what ever option you like and then click ‘Save’.

Connecting to the Nessus Server

We will use ‘connection manager’ to connect to the Nessus server.

First, click the Connect button at the lower left side. It should bring connection manager.

Nessus_ConnectionManager

As you see, by default we can connect the localhost. (since I have running nessus server on the local machine I will use this option.) If we have our server on a different machine than local machine, then click plus sign at the bottom left side.

You can name the new connection and choose the authentication method you want. You can simply use password based authentication or SSL based authentication.

After you set up the connection, click ‘Save’. You should see a ‘New Certificate Window’ if you are connecting to the server first time. Click ‘Yes’ and login to the server.

Nessus_Certificate

Policies

Now, we need to add a new policy. Click the plus sign at the right side and save this policy as Default Policy. In this way, you will always have the default policy in the policy section.  Let’s create a more specific policy. We will scan a Linux server (CentOS) which has Apache and MySQL on it.

Plugin Selection

To create a new specific policy for our example, click the plus sign again and then hit ‘Plugin Selection’ tab. The server we are scanning is a CentOS Linux. So we don’t need to have Local Security Checks Plug-ins for Windows, Fedora, Redhat, Ubuntu and Debian. Uncheck all of these (Of course you will uncheck the ones except your OS). Same thing goes with IIS Webserver. Now, click Policy tab and save this Policy as Linux_CentOS Policy.

Important Note: The “Denial of Service” family contains some plugins (all of DoS plugins are enabled by default) that could cause outages on a corporate network if the “Safe Checks” option (Safe Check is also enabled by default-it is under the Options tab) is not enabled, but does contain some useful checks that will not cause any harm. The “Denial of Service” family can be used in conjunction with “Safe Checks” to ensure that any potentially dangerous plug-ins are not run. However, it is recommended that the “Denial of Service” family not be used on a production network.

Let’s start scanning by clicking ‘Scan now’ button at the below.

Reports

After scan completes, you can see the result under the ‘Report’ section.

Nessus_Report

Nessus found one medium and 8 low risks. Usually, you can ignore the low risk and you can ignore the medium risk for some cases.Orange color on a port number (in our example, it is port 80 ) means the highest risk is medium. Red means highest risk is a ‘high risk’ (!) and black means it is a ‘low risk’.

Nessus gives the important information about possible vulnerabilities. You will see Synopsis, Description, Solution, Risk Factor and Plugin Output on the report.

Nessus_Report2

We can sort the output based on Vulnerabilities, hosts, ports, IPs (one host can have more than one IP, right!) by using ‘View Template’ button on the lower right side.

We can export the report as html which is useful. We can also get CVE output and create an excel file if it is some thing you want. ( I prefer creating excel files using csv templates on Nessus, it makes my report more customizable)

Conclusion

In this blog post, we learned how to configure a Nessus client and connect it to a Nessus server,  how to scan networks, and how to read Nessus reports. In the next blog post(s), we look into more details about scanning progress and user management on Nessus.

A Powerful Vulnerabilty Scanner: Nessus- Part I

I will have some blog posts about Nessus. In this first one, I will mention general issues about it.

What is Nessus?

Nessus is a proprietary comprehensive vulnerability scanning software. It is free of charge for personal use in a non-enterprise environment. Its goal is to detect potential vulnerabilities on the tested systems.

You can scan ports and see the things crackers can find to hack so you can take action before they do! There will be some examples later for the vulnerabilities we can find with Nessus.

I always think Nessus is kind of outbox scanner for remote stuff and usually it works in that way. However, it can find default password or weak passwords too.

If you are working on a vulnerability management project, I will recommend you to have another scanner for scanning in the boxes ( i.e vulnerabilities for the software running on the machines. I like  Sunbelt Network Security Inspector for this purpose)

Anyway, let’s check License options for Nessus.

Licenses: What are Licenses? Wasn’t Nessus GPL and free ?

It was free but in 2005 creator of  Nessus sold it to Tenable Network Security. Tenable still maintains  Nessus 2.0 under GPL. They closed the source code for the version 3.0 and higher.

Version 3.0 was the first one which was done by Tenable. It was running almost 5 times faster than v2.  V3 was popular too but having 3 licenses for one product makes users a little confused.

The first type of the licenses is ProfessionalFeed License. With this license, Tenable provides you support of the application. They also provide plugins for you earlier than other licenses.

Pricing for the ProfessionalFeed is based upon the number of Nessus scanners in use within your organization, consultancy or service. The cost is $1,200 per scanner per year.

You can buy ProfessionalFeed from here.

The other type of License is HomeFeed License. A HomeFeed is available for free to individual home users, and cannot be used by organizations or individuals professionally.

The last one is on demand. It allows you to evaluate the ProfessionalFeed by using the HomeFeed subscription commercially for 15 days. You may only perform such an evaluation once.

The on-demand evaluation does not give you access to the customer portal, nor to the features specific to the ProfessionalFeed but should be adequate to test Nessus. You can obtain an activation code here.

Installing and Activating Nessus

Installing Nessus is so straight forward. You can download it from this link. It can run on Linux, Windows and Mac.

For this blog post, I installed it on a windows machine.

After you set it up, don’t forget to activate it. (Remember, even non-professional use of nessus, you are  required to get it activated. (They will send you activation key via e-mail, just grab the key and paste on the dialog window)

How It Works

You need to understand how the software works before scanning the machines across the network.

The most important thing you need to know is Nessus is agentless scanner. What is agentless?

Well, some security software needs to be installed on each machine you scan. However, the way nessus works is different. It uses client/server architecture. There will be a client machine in which you can run the software and make configuration for the scan. There will also be a server, the machine which performs what you tell by using the client machine.

Server and client can be same machine. Don’t forget, you don’t need to pay for each client but you need to pay for each server you install (They are required to have different licenses)

Client/Server Architecture brings some flexibilities. The first one is remote scanning.

You can install the server inside of the network and run client from a remote place say your home. This is so helpful since you don’t need to deal with firewall or IDS issues which can effect the scanning result.

Second advantage is one machine is enough to run a scan for all the network. This is definitely time saving!

I will cover the usage and configuration of Nessus in the next blog post.