
14 Replies

  • OpenVAS ?

    https://www.greenbone.net/en/testnow/

    I think they call the free version now Greenbone Source Edition (GSE)?

    The GCE (Community Edition) is now called GSM TRIAL. It’s just the name and doesn’t involve a limited “trial period” in any way.

    Clear as mud....

  • Greenbone is free. You need to be able/willing to read directions and make educated guesses to get it running and updating regularly. Once you do, it's excellent.

    Basically, it has a database of CVEs and runs them against your devices.

    In one case, it found a CVE hiding in an old, old version of PowerChute UPS software that was installed on a server but not being used. We'd forgotten it was ever there. Very slick.

  • You might also take a look at BloodHound. Pretty awesome tool looking for paths to "game over". From the below blog site:

    "After collecting AD data using one of the available ingestors, BloodHound will map out AD objects (users, groups, computers, …) and accesses and query these relationships in order to discern those that may lead to privilege escalation, lateral movement, etc."

    https://www.sans.org/blog/bloodhound-sniffing-out-path-through-windows-domains/

  • I also vouch for GVM, formerly OpenVAS, but if you have a budget also look at Nessus.

  • Also, as far as tightening up security prior to the audit, I can give you the method used on our network to gain domain admin privs by the auditors, in case this helps you.

    • At least one MFC printer had a default password set on it
    • MFC printers have a domain account configured in them to be able to scan to a network share
    • Auditors redirected the printer to send authentication to their computer and captured the hash of the user
    • They used this account to log in to the network share that houses our MDT images
    • They extracted the local admin password baked into the image to then elevate locally on an admin computer
    • They then got the hash of a local admin (game over)

    Obviously a lot of bad practices there and lessons learned:

    1. We set passwords on all printers
    2. We created a management network that only carried management traffic, so no admin level passwords are transiting the user network
    3. We implemented LAPS to randomize all local admin passwords
    4. Implemented auto-updating of core applications and browsers
    5. We added port-based ACLs to valuable assets that could not be placed on the management network (e.g. printers)
    6. Tightened up local firewalls on all workstations and servers
    7. Forced NLA security on all RDP connections via GP
    8. Enabled SMB hardening via GP
    9. Disabled SMB1 globally
    10. Increased auditing, logging and reporting efforts (e.g. failed logins, new domain users created, privilege elevations, etc.)
    11. Implemented application whitelisting for all user writable locations and graylisting for known LOLBINs
    12. Implemented canary files and tripwire notifications (e.g. honeypots)
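
As an added example (not part of the post above or of any tool named in this thread), this Python code shows detection logic for lesson 10 in that list, including the step in the attack path where the printer's domain account logs on from a machine other than the printer. The account names, addresses and simplified event fields are constructed assumptions; 4624, 4625, 4720 and 4728 are the standard Windows Security log event IDs for logon, failed logon, account creation and global group membership change.

```python
from collections import Counter

# Assumption: each service account is pinned to the hosts that legitimately use it.
EXPECTED_SOURCES = {"svc-scan": {"10.0.20.15"}}  # hypothetical MFP scan-to-share account
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
FAILED_LOGON_THRESHOLD = 3  # a real rule would also bound this by a time window

# Constructed sample events; field names are simplified from Security log records.
EVENTS = [
    {"id": 4624, "user": "svc-scan", "src": "10.0.20.15"},  # printer itself: expected
    {"id": 4624, "user": "svc-scan", "src": "10.0.5.77"},   # same account, wrong host
    {"id": 4624, "user": "jdoe", "src": "10.0.5.30"},       # ordinary user, not pinned
    {"id": 4625, "user": "jdoe", "src": "10.0.5.77"},
    {"id": 4625, "user": "asmith", "src": "10.0.5.77"},
    {"id": 4625, "user": "admin.bob", "src": "10.0.5.77"},
    {"id": 4720, "user": "helpdesk2", "actor": "admin.bob"},
    {"id": 4728, "user": "helpdesk2", "group": "Domain Admins", "actor": "admin.bob"},
]


def triage(events):
    """Return (rule, subject, detail) alerts for the event stream, in order."""
    alerts = []
    failures = Counter()  # failed logons counted per source address
    for ev in events:
        eid = ev["id"]
        if eid == 4624:
            allowed = EXPECTED_SOURCES.get(ev["user"])
            # Only pinned service accounts are checked; user logons roam freely.
            if allowed is not None and ev["src"] not in allowed:
                alerts.append(("service-account-unexpected-source", ev["user"], ev["src"]))
        elif eid == 4625:
            failures[ev["src"]] += 1
            # Alert once, at the moment the threshold is reached.
            if failures[ev["src"]] == FAILED_LOGON_THRESHOLD:
                alerts.append(("failed-logon-burst", ev["src"], FAILED_LOGON_THRESHOLD))
        elif eid == 4720:
            alerts.append(("account-created", ev["user"], ev["actor"]))
        elif eid == 4728 and ev["group"] in PRIVILEGED_GROUPS:
            alerts.append(("privileged-group-add", ev["user"], ev["group"]))
    return alerts


if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(alert)
```
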
  • Another vote for Greenbone. I am very happy with it; the free version does pretty much everything you would need. I have always run it in VirtualBox.

  • Hey OP - You're free to give our Falcon Spotlight Vulnerability Management a whirl with our free trial: https://www.crowdstrike.com/products/security-and-it-operations/falcon-spotlight-vulnerability-manag...

    It actually provides an immediate, scanless solution for comprehensive vulnerability assessment, management, and prioritization for IT analysts.

    Here's a data sheet to get the full scope of the solution: https://www.crowdstrike.com/wp-content/uploads/2020/03/falcon-spotlight-data-sheet.pdf

    Hope that helps with your search!

  • I am currently using ManageEngine's Vulnerability Scanner. I can say that it was enlightening the first time we scanned the network.

  • itaintbroke wrote:

    I am currently using ManageEngine's Vulnerability Scanner. I can say that it was enlightening the first time we scanned the network.

    What was the cost?

  • Nessus is fantastic if you have plenty of money to spend. If not, Greenbone would work just fine.

  • Do you by chance use Office 365 with a Premium or E3 license? If you do, you have access to the paid version of MS Defender and it reports this info also for managed machines. It's a little different in that it's an installed agent, so it has an insider's view, so to speak, whereas a scanner like everyone is discussing above would have to get through endpoint firewalls to gather this sort of data.

  • I'm curious as to why you are looking for a tool to run before the vendor you hired runs their tool. It sounds like your goal is to get a good score to impress the boss. Shouldn't the goal be to have a secure network? I don't mean to be critical but this is something I've seen over and over at places I've worked. Rather than have good processes and procedures to clean up old versions of things, to rotate passwords, to have a schedule for patching everything, etc., IT shops undertake a flurry of activity right before an assessment to get a good score. Then they fall back into old habits until right before the next assessment. I'm just trying to encourage IT professionals to continuously improve their skills, their knowledge, and their approach.

  • gregdrauch wrote:

    I'm curious as to why you are looking for a tool to run before the vendor you hired runs their tool. It sounds like your goal is to get a good score to impress the boss. Shouldn't the goal be to have a secure network? I don't mean to be critical but this is something I've seen over and over at places I've worked. Rather than have good processes and procedures to clean up old versions of things, to rotate passwords, to have a schedule for patching everything, etc., IT shops undertake a flurry of activity right before an assessment to get a good score. Then they fall back into old habits until right before the next assessment. I'm just trying to encourage IT professionals to continuously improve their skills, their knowledge, and their approach.

    Making weekly\monthly\quarterly\yearly maintenance checklists that you do on a recurring schedule is a great way to avoid falling into bad habits and make sure you get routine things done.

  • Nessus Pro is fairly cost effective, but you could simply sign up for a free Tenable.IO trial and test that out for 14 days. You can be up and running scans inside an hour; the only functional limitation is the 150 asset license.
