Horton Hears A Host! – Part 3

By August 31, 2016 Cybersecurity

Welcome to the third post in our multi-part Seusstastic series on the real threats that face home networks, where we apply real-world enterprise grade protections to keep ourselves safe in the connected world.

If you haven’t read part 1 or part 2, I highly recommend you take a few minutes and do so. We’ve covered how cyber thieves are constantly testing and scanning for vulnerabilities and what you can do to start acting like the bad guy – finding the systems on your network. We left you with the following point: devices that we previously would never have imagined to exist on a network are becoming mainstream. All devices should be carefully inspected periodically and tested frequently to ensure that they are not leaving your network vulnerable.

So how do you do the inspection part?  In this final post of this series we’re going to cover the steps you take to scan your home network to see what devices are vulnerable or could be better managed to reduce your risk?

Start with that fairly good listing of the hosts in your environment. That’s your target for scanning. There are several really good options out there, which run the gamut from a price and feature standpoint:

  • Nessus
    • Published by:  Tenable Security
    • License:  Commercial
    • Free Option:  7 day trial, limited to 16 hosts
  • Nexpose
    • Published by: Rapid7
    • License:  Commercial
    • Free Option:  Community Edition, limited to 32 hosts
  • OpenVAS
    • Published by:  OpenVAS Community (Open Source)
    • License:  GNU GPLv2
    • Interesting Fact:  Code was forked from the Nessus product before that tool’s source code was closed to the public.

For the purposes of this discussion, we’ll focus on OpenVAS to support the open source community, give a nod to its very valid place in this somewhat crowded field of behemoths, and afford you the ability to scan your whole network, no matter how many hosts you have.  The process is fairly straightforward.

  1. Install Kali Linux
  2. Install (via Apt) OpenVAS, OpenVAS-cli, OpenVAS-Manager, OpenVAS-Scanner and Greenbone-Security-Assistant (if you want the GUI)
  3. Run OpenVAS-Setup
  4. Save the password that it generates the first time that script runs
  5. Log into the GSA @ 127.0.0.1:9392 with user: admin and the password that was provided from the previous script (I usually change the password here)
  6. Create a target from your Nmap output
  7. Create a task from your newly created target
  8. Run your scan
  9. Review your vulnerabilities

Pretty straightforward, huh? Actually those 9 steps could take the better part of a few hours if you are new to the process. Depending on the number of hosts and intensity of the scan, it could take the better part of a day. A lot is happening at each step. During step 3, for instance, the script that you are running is going out to the Internet and pulling down all of the scripts and vulnerability tests that will be run against each host. There is a national vulnerability database that maintains an up-to-date listing of computer vulnerabilities and the tests that can be run to detect if a machine is susceptible to any of them. Suffice to say, a lot of this process is simplified thanks to some great folks out there who care deeply for Information Security. In step 8 the OpenVAS scanning engine is tasked with interrogating the target list of hosts.  This can be seen if you run a command like, watch -n .5 ‘ps -eF | grep openvas’ . This command will show you in a tree hierarchical structure all of the tests that are currently being executed by host IP address. The number of concurrent tests and number of concurrent hosts under test are configurable in the task creation step. The default is 4 tests and 20 hosts – which is a lot of network traffic!

This just scratches the surface for vulnerability scanning and covers only one of the automatic scanner tools. I highly recommend you download and explore the other options and search for additional tools that may exist. I recently read about a tool built for the Raspberry Pi that runs a network scanner as soon as you plug it in. There is no configuration necessary. I haven’t tried it but it sounds very cool.

A host’s a host, no matter how small…  It is really important to know all of the hosts that you have deployed throughout your network. Failure to acknowledge their presence, understand their configuration, and protect them from unintended exposure to the Internet could unfortunately really hurt you and your network. The reason for this is that the bad guys are looking for just a single way in – a single simple way that they can establish some control over an entry point which can be leveraged as a jump point to other, perhaps more interesting or valuable hosts on your network. Maybe that IP-based baby video monitor doesn’t have a whole lot of value to anyone, but that camera is a small computer with the potential to run code which can be used to access your home computer where you file your income taxes. So take a page from Horton who would agree that “a host’s a host no matter how small” and treat that baby monitor with the same significance that you would treat your desktop with your taxes.

Lastly, in the spirit of any cautionary tale, remember that you must either own or receive explicit permission from the owner of any network you wish to scan. That is absolutely paramount. Otherwise, you might be breaking the law.

Jeremy Wheeler

Author Jeremy Wheeler

Jeremy Wheeler is an information technology solutions leader with 10+ years of extensive experience spanning government systems engineering, data analysis, HR systems management, project management, custom application/database development and information security analysis. At Alpine Cyber Solutions Jeremy is a solutions architect who assists customers with establishing security programs, performing vulnerability risk assessments and executing penetration tests. Jeremy is a graduate of Philadelphia University and The George Washington University with a masters degree in Systems Engineering.

More posts by Jeremy Wheeler