Forwarded from: Jay D. Dyson <jdysonat_private>

Courtesy of Renaud Deraison (forwarded with permission). I believe this should be given wide dissemination to dispel the rumors that flew around CanSecWest.

-Jay

---------- Forwarded message ----------
Date: Wed, 8 May 2002 16:50:09 +0200
From: Renaud Deraison <deraisonat_private>
To: nessusat_private
Subject: "Nessus calls home"

Hi,

I attended CanSecWest last week and I was told there were rumors of people complaining about Nessus "calling home" when doing a scan. In order to clear the confusion, here's a small explanation of what Nessus does, followed by a short poll asking you what you'd prefer it to do.

First, let me emphasize something: Nessus does *not* call home. It never does, never did and never will. However, the checks have a side effect that may have the naughty side effect of sending some packets to nessus.org, which can make people think I have the ability to monitor their scans. Here's the list:

1. SMTP checks

Several SMTP checks send an email coming from or going to nessusat_private (also test_1at_private and test_2at_private). These checks are mostly used for bounce or old sendmail attacks. With these checks, the expected behavior of the MTA is either to send a 50x error code or to fail to the attack. Under some rare circumstances however, the mail may be bounced back to nessusat_private, which is a non-existing mailbox on mail.nessus.org.

So if I were to spy on my users, one could imagine I'd grep "nessusat_private" in /var/log/maillog and see who's using Nessus. I don't do that, but I admit it could be done.

Why do I use "nessusat_private"? Well, for the relay checks, it sounded good to use a really existing mail domain, so that half-smart mailers which do some DNS checks on email addresses would not reject the mail for the sole reason that the email domain is not valid. It was suggested that I use example.com, but there's no MX for that domain, so I don't like it.

2. Proxy check

A proxy check attempts to establish a connection to www.nessus.org. As for relaying, the point here is to see if we can use the remote proxy to connect to an outside web server. So if I were naughty, I could attempt to differentiate the requests going to www.nessus.org and find out which ones were coming from an open proxy, then use that proxy to get my pr0n.

Note that in all these cases, even if I was berserk, I would not get the results of the scan or even know what other hosts you're testing on your network. I understand however that people may think that this means Nessus is "phoning home". Once again, this is not the purpose. I just use the nessus.org domain in some checks because these checks require a valid third-party domain (and if I were to change that to microsoft.com or something that does not belong to me, it might be unpopular).

Note that these choices make the detection of Nessus much easier for IDSes. I can change that to www.example.com; I did not know this website existed until last week.

So now, this is poll time (please reply privately):

- Does that issue bother you?
- If it does, would you feel safer if Nessus was using example.com as a domain? (even though it may mean weaker tests as example.com has no MX record). Or would you prefer to have the ability to select the domain name yourself manually? (with the option defaulting to nessus.org or example.com)

-- Renaud

ISN is currently hosted by Attrition.org
To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Thu May 09 2002 - 03:23:23 PDT
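As an added example (not part of the original post or of Nessus itself): a small Python detector for the two side effects Renaud describes, run over constructed sendmail-style and proxy access-log lines. It assumes only what the post states, that the SMTP probe's sender domain is nessus.org and that the proxy check requests www.nessus.org; the local part "probe", the host names and the address 192.0.2.10 are constructed.

```python
import re
from collections import defaultdict

IPV4 = r'\d{1,3}(?:\.\d{1,3}){3}'

# Sendmail-style record: the probe sender is in the nessus.org domain and the
# sending host's address sits in "relay=host [ip]".  Only the domain is taken
# from the post; the local part of the address is not relied on.
SMTP_RE = re.compile(
    r'from=<?[^\s>]+@(?:mail\.)?nessus\.org>?.*relay=[^\[]*\[(' + IPV4 + r')\]',
    re.IGNORECASE)

# Proxy access-log line: client address first, then a request for www.nessus.org,
# which is where the open-proxy check tries to connect.
PROXY_RE = re.compile(
    r'^(' + IPV4 + r')\s.*"(?:CONNECT|GET|HEAD)\s+(?:https?://)?www\.nessus\.org',
    re.IGNORECASE)


def classify(line):
    """Return (probe_kind, client_ip) if the line shows one of the side effects, else None."""
    m = SMTP_RE.search(line)
    if m:
        return ('smtp_relay_probe', m.group(1))
    m = PROXY_RE.search(line)
    if m:
        return ('proxy_probe', m.group(1))
    return None


def find_probe_sources(lines):
    """Group the probe kinds seen per client address, so one scanning host shows up once."""
    found = defaultdict(set)
    for line in lines:
        hit = classify(line)
        if hit:
            kind, ip = hit
            found[ip].add(kind)
    return {ip: sorted(kinds) for ip, kinds in found.items()}


# Constructed sample lines (not real logs); 192.0.2.10 plays the scanning host.
SAMPLE_LOGS = [
    'May  8 16:50:09 mx sendmail[1234]: g48Eo9A001234: from=<probe@nessus.org>, nrcpts=1, relay=scanner.example.net [192.0.2.10]',
    'May  8 16:50:10 mx sendmail[1235]: g48Eo9B001235: from=<alice@corp.example>, nrcpts=1, relay=desk.corp.example [198.51.100.7]',
    '192.0.2.10 - - [08/May/2002:16:50:11 +0200] "GET http://www.nessus.org/ HTTP/1.0" 200 1234',
    '198.51.100.7 - - [08/May/2002:16:50:12 +0200] "GET http://www.example.com/ HTTP/1.0" 200 5678',
]
```

Running `find_probe_sources(SAMPLE_LOGS)` attributes both the relay probe and the proxy probe to 192.0.2.10 and leaves the legitimate mail and web traffic alone.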