Impact of scanning on the web server

Hello everyone!
I really need help understanding Greenbone scanning mechanisms.
I use Greenbone with Greenbone Security Assistant version 22.9.1.
The thing is that at the moment I have a task to minimize the impact of scanning on web services. How I check this: I set up a web server on nginx, published a simple page on port 80, and scan this server using various combinations of NVTs. After each scan, I analyze the access.log file to understand how many requests were received by the server during the scan, and compare this with the settings of vulnerability families and individual vulnerabilities within these families used in this scan.
In addition, specially made vulnerable databases are also active on my server to clearly see the result of vulnerability detection. List of ports bound to scan target: 80, 135, 443, 1433, 1434, 1521, 1522, 3306, 4022, 5432, 5601, 6379, 9042, 9142, 9160, 9200, 9300, 27017, 27018, 27019.
I noticed that enabling some vulnerabilities in Greenbone scan settings significantly increases the number of requests to the web server. For example, during the first check I selected the following vulnerabilities:

  • from the Databases family: PostgreSQL Trust Authentication Enabled (PostgreSQL Protocol) 1.3.6.1.4.1.25623.1.0.145872, Redis Server No Password 1.3.6.1.4.1.25623.1.0.105291 and Unprotected MongoDB Service 1.3.6.1.4.1.25623.1.0.105235;
  • from the Default Accounts family: Microsoft SQL (MSSQL) Server Blank Password (TCP/IP Listener) 1.3.6.1.4.1.25623.1.0.10673, MySQL / MariaDB Default Credentials (MySQL Protocol) 1.3.6.1.4.1.25623.1.0.103551, PostgreSQL Default Credentials (PostgreSQL Protocol) 1.3.6.1.4.1.25623.1.0.103552, PostgreSQL No Password Protection (PostgreSQL Protocol) 1.3.6.1.4.1.25623.1.0.103798 and Redis Server Default Password (Redis Protocol) 1.3.6.1.4.1.25623.1.0.105289;
  • in the Port scanners settings, OpenVAS TCP scanner is selected.

A check with these settings yielded only 75 entries in the web server log (although it is unclear why the web server was accessed at all when performing the above-described checks).
I performed the second check by adding to the configuration above only one vulnerability from the Default Accounts family: Zabbix Default Guest Account (HTTP) 1.3.6.1.4.1.25623.1.0.106180, after which I received 5364 requests to the web server.
I also noticed that adding such vulnerabilities as, for example, database server EOL detection to the check also causes an inexplicably large volume of requests to the web server.
Initially, I expected that Greenbone would perform only those checks that I noted, but now it seems to me that it performs some additional checks that I do not need.
Why is this happening? How do I know which check will cause Greenbone to contact the web server and which won’t?

Hello, and welcome to this community forum.

The seen behavior is actually expected and a default behavior of the scanner:

Internally the scanner is maintaining a “Dependency Chain” (defined in the VTs / .nasl files by a script_dependencies() tag / definition within those).

Taking the mentioned Zabbix Default Guest Account (HTTP) 1.3.6.1.4.1.25623.1.0.106180 as an example. If the file 2016/gb_zabbix_guest_account.nasl on the file system is inspected the following can be seen:

  script_dependencies("gb_zabbix_http_detect.nasl", "gb_default_credentials_options.nasl");

If looking at gb_zabbix_http_detect.nasl then the following as well:

  script_dependencies("find_service.nasl", "no404.nasl", "webmirror.nasl", "DDI_Directory_Scanner.nasl", "gb_php_http_detect.nasl", "zabbix_detect.nasl", "global_settings.nasl");

and so on.

These dependencies exist because e.g. the Zabbix Web GUI / Interface might be “running” / installed on some arbitrary folder on the target system which needs to be identified previously (by “spidering” the web page which is probably causing the majority/most of these 5364 requests).

If you would like to disable the default behavior of the scanner you would need to set the scanner setting / preference (please look at the documentation / man page of the scanner for more info) auto_enable_dependencies to no.

In this case you would need to maintain the dependencies in your scan config on your own (e.g. to exclude the two webmirror.nasl or DDI_Directory_Scanner.nasl) with the risk (which needs to be accepted by you) of decreased product / vulnerability detection coverage.

3 Likes
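
To see in advance which selected VT pulls in the HTTP crawling steps, the dependency chain described in the answer above can be resolved offline. The following is an added example, not part of the original posts and not Greenbone's own code; the function names, the `HTTP_CRAWLERS` set and the `SAMPLE` data (constructed only from the two `script_dependencies()` lines quoted above) are assumptions made for illustration.

```python
import re
from pathlib import Path
DEP_CALL = re.compile(r'script_dependencies\s*\((.*?)\)', re.DOTALL)
QUOTED = re.compile(r'"([^"]+\.nasl)"')
# VTs the answer above names as candidates to exclude (assumed crawler set).
HTTP_CRAWLERS = {"webmirror.nasl", "DDI_Directory_Scanner.nasl"}

def direct_deps(source):
    """Return the file names listed in every script_dependencies() call."""
    deps = []
    for args in DEP_CALL.findall(source):
        deps.extend(QUOTED.findall(args))
    return deps

def load_plugin_dir(root):
    """Index a local VT directory by base name; root is supplied by the caller."""
    return {p.name: p.read_text(errors="replace") for p in Path(root).rglob("*.nasl")}

def dependency_chain(start, sources):
    """Walk the chain breadth-first; returns {vt: the VT that pulled it in}."""
    parent = {start: None}
    queue = [start]
    while queue:
        current = queue.pop(0)
        # A VT missing from the index is treated as having no dependencies.
        for dep in direct_deps(sources.get(current, "")):
            name = Path(dep).name
            if name not in parent:
                parent[name] = current
                queue.append(name)
    return parent

def why_enabled(vt, parent):
    """Path from the selected VT down to vt, explaining why it gets enabled."""
    path = []
    while vt is not None:
        path.append(vt)
        vt = parent[vt]
    return list(reversed(path))

# Constructed sample: only the two script_dependencies() lines quoted in the thread.
SAMPLE = {
    "gb_zabbix_guest_account.nasl":
        'script_dependencies("gb_zabbix_http_detect.nasl", "gb_default_credentials_options.nasl");',
    "gb_zabbix_http_detect.nasl":
        'script_dependencies("find_service.nasl", "no404.nasl", "webmirror.nasl", "DDI_Directory_Scanner.nasl", '
        '"gb_php_http_detect.nasl", "zabbix_detect.nasl", "global_settings.nasl");',
}
CHAIN = dependency_chain("gb_zabbix_guest_account.nasl", SAMPLE)
print(" -> ".join(why_enabled("webmirror.nasl", CHAIN)))
```

Against a real feed, pass the result of `load_plugin_dir()` for your local VT directory as `sources`; any selected VT whose chain intersects `HTTP_CRAWLERS` can be expected to generate web server requests.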

And a related note to this:

I’m not part of the scanner team but AFAICT this is a not really supported port scanner included directly within the scanner. The suggested port scanner is the default Nmap (NASL wrapper) OID: 1.3.6.1.4.1.25623.1.0.14259 one.

2 Likes