
What are the required credentials for scanning a database server's vulnerabilities using vulnerability assessment tools such as Rapid7 Nexpose?

IanCool
  • This question is too broad - the credentials you need depend on your environment – schroeder May 29 '15 at 03:54
  • I don't know Nexpose, but I expect it's similar to SQuirreL, which can check for default passwords and a few config flaws with no creds, but needs a high privilege account to do the full audit. – paj28 May 29 '15 at 10:15

1 Answer


There are two general types of tools out there (and I realize I'm over-simplifying the matter), which I'll call penetration tools and risk analysis tools. We might also refer to them by other names, such as prevention tools and mitigation analysis tools, which have a similar meaning in most cases. Prevention covers preventing an attack, and mitigation refers to minimizing the impact of a successful attack.

Penetration tools cover session spoofing, cross-site scripting, exploit checking, SQL injections, privilege escalation, and so on. All of these attacks should be performed from the perspective of an unprivileged user, so no credentials should be specified at all (or possibly a guest user or basic user with limited privileges). After all, if you log a tool in as "root", it has already penetrated the system, thus negating the purpose of the tests. There's no need to "test" how much damage root can do, because everyone knows (or should know) that once root is compromised, the entire server is unreliable until it's been fully re-secured physically and in offline mode.

The second class of tools, risk analysis, aims to cover the impact of what happens after penetration has occurred. For example, if there's an SQL injection vulnerability, such a test would show if you can then trick the system into dumping every user name and password. These tools may require administrative or non-administrative credentials, if only to analyze the risk of a compromised account or direct database access.

The specific tools you're using should tell you what each test does, and what type of credentials the test will require. Providing the wrong credentials, or providing credentials when none should be given, will invalidate the results of the test.

This is something that you will need to sit down and logically think out for each test you're going to perform. Ask questions like "does this test attempt to gain access to the system?" or "does this test check the structure of my databases?" If the test is about gaining access, it shouldn't require credentials. If the test is about analyzing what happens after penetration, credentials are probably required.

As a final word of advice, if you don't feel qualified to run these tools, or you don't know, for sure, what a tool does, consult an expert. The only stupid questions are those left unasked. While a forum like IS SE is a great place to get answers to hard-pressed questions, you'll probably find that a 10-minute dialogue with someone with more experience with a particular tool or test will have far greater impact than a forum like this, where questions appear and are eventually answered.

The rule of thumb here is that if a question is particularly broad, you should expect to have to ask many questions, which means a chat is in order. IS SE provides a chat room, which I suggest you visit, as well as many other places where you could find people with experience in the matter, such as IRC or even the support personnel of the tools you're using.

phyrfox