Tenable NNM: Old Chrome User-Agent Beaconing out of my Network – was I Hacked? (a Threat-Hunting Story)


So as a Tenable Partner we have a Lab-License for the Tenable Product Suites which we often use to test new Products, Features, Updates and recreate issues in the Lab for further analysis. For this reason I was again setting up a Nessus Network Monitor in my Home Network with Mirrored Traffic from a Switch Uplink.

If you want to perform cheap and rasy Port-Mirroring at home you don’t have to rob a Cisco Dealer! Netgear offers cheap and functional switches that worked pretty good in my HomeNetwork so far.

With the Netgear GS108E you can grab a 40€ 8-Port Gigabit switch – which is Manageable and lets you just specify the port mirror in a Webinterface – on Amazon.

And with the Netgear GS110EMX you even get 2x 10G-Ports for 217€ – again with a Simple Webinterface for Portmirror Setup – on Amazon.

Please Note that I don’t want/get any incentives if you go to those Amazon links! They are just for your reference and you can buy elsewhere and chose other manageable Switches as well!

Also of course those are consumer Grade switches not intended for Enterprise Usage! I however find the value exceptional for Home Lab Port-Mirror Setups!

Just for reference – I set up the Mirror for the Switches Uplink Port which goes to another story of my house where the Internet Router is located. As there is other Stuff Connected on that level as well the Port-Mirror was not perfect, but I was not looking for a perfect setup, just some traffic to test on and play arround with.

The Perfect placement for a Nessus Network Monitor would be directly on the Internet Breakout (internal Side of the Router or Firewall to reduce Noise) and additional Sensors/Nessus Network Monitors in front of Sensitive Systems or VLAN choke Points – for example Production VLAN Uplinks.

The Evil Outdated Chrome User-Agent

When I got the Nessus Network Monitor set up and traffic mirrored I was greeted with a couple of interesting Vulnerabilities:

Vulnerability Overview for a Specific Host in NNM

I know the System! Its my *cough* Windows HomeServer 2011 installed on a neat HP MicroServer N36L (wildly outdated, but new versions are available). As Windows HomeServer 2011 is long out of support this is a horrible system to have running! And I thought I probably now have the kick in the ass to do it quickly!

But let me back up – at first glance I was recognizing outdated Browser and Chrome Vulnerabilities captured by Nessus Network Monitor. A couple of years ago I had an old Android tablet in my gym for playing music. All separated away in an IoT WiFi Network that is limited by ACL’s to only access the Internet.

This tablet was running old vulnerable Versions of Chrome as well, but as I only used it for Spotify and not browsing the web at all I let it slide…

The thing is: I replace that Android tablet with an (old and yet again vulnerable) iPad i had left over. So I looked into it and as you can see above identified the Chrome coming from my Windows Home Server 2011 *cough-again*

Before hunting for the old Chrome Installation (and btw – what is it doing accessing the Internet without me using it?!?!) I took a Peak at a specific Plugin Output to identify the exact Chrome Version:

The Plugin Output of the Plugin 4645 – Google Chrome Version Detection

A specific Chrome Version Number in the User-Agent is pretty good indicator its Chrome. But Version 47 is really old…

One of the Chrome Vulnerability Plugins (9083) that you can see on the Right was reporting CVE IDs from 2016 so it was probably even Older!

Googling it you will find references pointing to a release in Dec 2015.

This got me a bit worried: I dont run old Browser Versions on Computers that are quite capeable to Updateing and Running the newest Browser Versions.

Also I have all Browsers on Auto-Update – but then Again, a forgotten Browser that was never Used could lurk in an old Version on my Homeserver….

The Part where I got worried

Mhhh… Never beeing used equals old version.
User-Agent beaconing out to the Internet equals usage…

I got really worried when I connected to the system and:

THERE WAS NO CHROME! 🙀 :shockedcatfaceemoji:

I need to replace this system….

This got me thinking that when I would let Malware beacon out I would use a commonly used User-Agent to mask my C&C traffic to the Internet! Overdoing this by choosing far to old or non-existing User-Agents is stuff that happens! Also as this system has been running for years this could be an indicator of a really old compromise.

Now I was at a loss! I feared Malware compromise but I did not know what process called out to the Internet…

Ofcourse there is plenty of options with windows to investigate this but out of the box if you have not set up anything prior I found out it is pretty hard to investigate this!

This is when I hat to learn again that Incident Response works far better if you plan ahead and deploy tools and logging prior to an incident!

Let the Hunt begin

But as I had a Nessus Network Monitor deployed I had at least some logging capabilities now!

Sadly out of the Box you only get the vulnerability Plugins that triggered in the GUI but it is possible to Log a detailed Realtime feed of all Plugins Triggering with some more Information than beeing displayed in the Webinterface.

You can set up this realtime-logs.txt file in the Webinterface Settings:

Logging Realtime Events with NNM to Disk

This will create a plain Logfile on the Disk of the NNM system.
Please note that I created a lot of the screenshots while writing this Blogpost so Timestamps will not be in Sync with the “Incident Timeline” but show the points they are created for.


I grepped this file for “Chrome/47” to get an Idea how, when and where the Strange old Chrome User-Agent was beeing used:

Timestamps and Realtime Events with IPs and Ports

This was weird – Internal and External Traffic!

Also you can see specific beaconing patterns – short requests with hours of delay in between.

I was again freaked out by Google Hits to the external IP Adress and the Random GET URI Parameter!

Oh Noes – IP on Abuse Lists ?!

If you google for the HTTP GET URI you will also find some Inconclusive Malware Analysis matching at least parts of the string….

Needing a Break to think

This is when I against all Forensic Best-Practices took offline the Server and Checked it offline with an Anti Virus scanner via c’t desinfect 2019.

I am in no way saying that AV is the solution for this nor did I have any hope that AV would give me a positive signal that the system was not compromised. However as I needed a break I decided that AV could at least give me a signal if the system got compromised 3 ways sideways and filled with bad stuff.

So AV will not give me piece of mind, but if it finds stuff i know I have a problem.

And I did not necessarily needed the break because I was exhausted but because I had registered for a Blackhills Infosec Webcast about Sysmon and Applocker that was beginning to start and could be watched by an Hour of Crosstrainer in my Gym!

You know there is even a name for the phenomena when you see stuff exactly in the right moment. Like when you buy a new car and start seeing them on the road everywhere all of a sudden.

Its called: the Baader-Meinhof phenomenon

I am telling you this because Sysmon probably is the answer to finding out which process is beaconing out at the timestamp when it is beeing logged by Nessus Network Monitor!

Check out the Blackhills Infosec Webcasts:

The AV came back clean and more Logging was required – as well as a good nights sleep!

The Webcast about Sysmon and Applocker was very informative and Syslog was exactly the answer I needed! I was thinking about another Tool from the Sysinternals Suite – tcpview – however I know how big these logs become and Syslog seems pretty awesome and something I have to deploy on all my Windows Machines anyhow soon!

As stated in the Blackhills Infosec webcast you can directly start with a proper XML from @SwiftOnSecurity which you can get in his Github.

So I set my trap – if I was compromised for years I could probably sleep another night over it – and Installed Sysmon and tailed my NNM realtime log.

Not everything goes according to plan!

This morning (August 16th) I woke up and ofcourse again there was an Old Chrome beaconing out (which was already shown above):

A fresh beacon in the morning vertreibt Kummer und Sorgen

So I checked the Sysmon log and was greeted with no matching log:

No matching logevent

Little sidestory: When I set up Sysmon I verified that date/time stamps where close enough to each other on the NNM host and the Windows Server to be able to correlate Events properly based on Time.

Ofcourse I found out that the ESXi in my Lab was not able to ntp out and time was off for 15 Minutes…

Let that be a lesson to never skip on proper basic Setup in productive environments – it will always bite you in the ass in case of an incident!

Luckily this was only my lab which I don’t even run continuously so I have somewhat of a lame excuse and I promise that I always check the basics in productive Setups that I perform!

All of this however doesn’t change the fact that I don’t have a matching event in Sysmon… I also searched for the destination IP but got nothing….

Finally the Conclusion

What got me to the conclusion was that the beacon was internal and the destination IP of the becaon (and a couple of inbetween) was my LG Smart TV which is ofcourse joined to my Network to Stream Netflix!

Thats when i remembered that Windows Home Server does have some UPNP Streaming stuff going on and also that I have Plex Server running on the Windows System and a Plex App on the TV.

After getting no Google Results to Windows HomeServer 2011 and the User-Agent in question I stumbled over Plex in some Google results.

Low and behold – The Villain:

The Villain was caught red handed!

Not Everything is resolved but I dont think I got hacked anymore….

So I should still get to the bottom of why the fuck Plex is beaconing to the Internet and my Smart TV with 4 year old Chrome User-Agent strings – probably because they are embedding horrible old code for some reason – but I am now certain that I was not hacked….

At least …. 99% …. somewhat…. lets not talk about paranoia….

Kthxbye! :-)

Posted in miscellaneous

WordPress.com forces you to use SMS-2FA

So im using wordpress.com as I definetly dont want the burden of running one of the most hacked CMS myself!

Now that I finally found out that you can securely configure your PayPal with TOTP 2FA I revisited all my other Accounts with SMS-2FA activated.

I still stand behind using SMS-2FA is better than no 2FA at all but if proper OTP-2FA or U2F is available then SMS-2FA really becomes a Security-Downgrade…

So I contacted @wordpressdotcom and fot the following responses:

So I guess it boils down to saving money/earning more money is more important for them than security which might bite them in the ass at some point…



Posted in miscellaneous

PayPal now Supports proper OTP 2FA Apps – but no Recovery Codes and no U2F!

In 2013 I published the Blogpost:

Paypal – How to not implement 2-Factor-Authentication

Since then Paypal had a lot hits and misses with 2FA as you can find in countless blogposts out there.

I cannot tell you when exactly but at some point in the last 2 years PayPal managed to implement support for proper 2FA OTP Apps like Google Authenticator, Authy, Lastpass Authenticator, YubiKey OTP to name only a few!

You can set this up by logging into the PayPal website and Navigating to the Security Settings:

It is now finally also possible to remove SMS-2FA entirely which is a good idea when securing your money!:

If your Mobilephone number is still listed there add a “Third-party code generator App” switch it to your primary device and remove the mobile number!

Im always of the mindset that SMS-2FA is better than no 2FA at all, but its not state of the art and has proven easily breakable by sim-swapping!

No U2F – Will PayPal ever Support it?

So before we preaise PayPal that they managed to implement TOTP properly in their website (btw, they don’t offer recovery codes when setting up 2FA….) lets note that it is 2019 and U2F and Cheap Tokens like Yubikeys and even Cheaper U2F Only Tokens are now Available and will prevent phishing of your second factor!

Read up on how U2F will prevent a MITM Website to steal your 2nd Factor on Wikipedia!

So definitely switch over your PayPal Account to an OTP App like Authy and deactivate SMS-2FA but beware that you still have to be carefull that you dont enter your Login-Credentials + 2FA Code into a Phishing Site!

Posted in miscellaneous | Tagged , , , , ,

Tenable Nessus Agents: Deploying Trusted Certificate for Nessus Manager on Virtual Appliance

If you want to deploy Nessus Agents in an OnPremise Nessus Manager Setup you have to make sure Nessus Manager has a Certificate which is trusted by the Clients OS and that Nessus Manager trusts the Clients Computer certificates.

With the default self-signed Certificate Linking of Agents will not work. You might have found this out during Agent Linking and seen some kind of ssl error like this:

[07/Apr/2017:11:57:47 +0100] [error] [msscan] Connection to manager for 'jobs?distro=es6-x86-64&platform=LINUX&sleep_time=10&ui_version=6.9.3' failed with code 0 [Connection to shared-nessusmanager:7021 failed with an ssl error] -- Last connection was Mon, 20 Feb 2017 18:51:18 GMT

Source: https://community.tenable.com/s/article/Connection-issues-with-a-new-Nessus-Agent-install

Nearly every environment i encounter has similar parameters:

  • A Windows Domain
  • Mainly Windows Clients and Servers
  • A Windows Certificate Authority (CA)
  • Nessus Manager Running on Linux or Tenable Virtual Appliance which is Based on Linux

If you want to deploy Agents in a similar environment and are not Certificate Savy the following guide to deploy a Trusted Certificate on your Nessus Manager might help you!

Create a PrivateKey and CSR for your Nessus Manager

First we need a PrivateKey for the Webserver. If you do not know why read up on PKI!

The easiest way to do this, especially if you want to chose a custom Hostname for the certificate is with openssl on a Linux or macOS host! It will be possible on a Windows  host as well (google it) and there are also Websites out there that provide this as a service but you should always think about whom you trust to share your private keys with!

openssl genrsa -out hostname.key 2048

Note: the Name of the output file is arbitrary! But it makes sense to call it like the hostname to not mix stuff up!

Important: Do net send out this private Key ever! Just like a private key for SSH a private key for a Webserver Certificate should never be made public!

Important2: RSA is coming under criticism lately – there are newer and better encryption systems than RSA. This discussion is not part of this blogpost but feel free to reasearch alternatives to RSA private Keys!  Also you have to decide if 2048 bits are Strong enough for your environment. Best you read up on your companies Security Guidelines regarding Certificates!

Now that you have a private key you can create the CSR (Certificate Signing Request) that you can then send on to the CA Administrator of the Windows Domain:

openssl req -new -sha256 -key hostname.key -out hostname.csr

You will be asked a couple of questions on what Data should be present in the Certificate with the most important one being the Hostname.

Note: This will create a CSR without an AltSubjectName which is nowadays required by Chrome. So if you want a Certificate that is trusted in Google Chrome (the Nessus Agents wont care!) you have to awkwardly pass on the SubjectAlternateName via a config file as for example described here.

Again: Never send out the Private Key alongside the CSR! Only the CSR itself!

If you ever want to check the content of a CSR, for example to check if the SubjectAlternateName was included properly you can use the following command:

openssl req -text -noout -verify -in hostname.csr

Request a Signed Certificate Chain from the Windows Domain CA Administrator

A lot of companies are running Windows CA’s. Send the generated .csr (not the key!) to the CA Admin and request specifically that they create:

  • A p7b Certificate Chain in base64 Encoded format!

The default under Windows is often Binary encoded which will not be compatible with the next steps. In the end if you are an OpenSSL/Certificate expert you can convert nearly any format to any other format, however if you are an expert you probably would not read this article, so make sure you get a base64 encoded p7b Chain!

Convert the p7b Chain in individual separate Certificates

The p7b file will contain the entire chain in a Single file which will look / start like this:

$ head hostname.p7b


To feed this chain to the Tenable Virtual Appliance and a lot of Linux Setups you have to split this chain up in individual certificate files with the following command:

openssl pkcs7 -print_certs -in hostname.p7b -out hostname-chain.cer

The resulting .cer file will include 2-3 (possibly even more) separate Certificates depending on how long the Chain is (how many subCAs there are in between the RootCA and the Server Cert).

This will look like this:




Split this Textfile in 3 separate textfiles each time after —-END CERTIFICATE—–. The Subject and Issuer lines above the Certificate and the Commands (Begin/End) can stay in the files to make it easier to identify the content of the file for a human.

Save the three textfiles as:

  • hostname.cer (the server certificate)
  • subca.cer (if a subca was present)
  • rootca.cer (always has to be present – it has signed the cert!)

Note that you actually have a fourth file: hostname.key which is the matching private key for the server certificate.

Install the Certificate

Now that you have all the required files you can go ahead and install the Server Certificate:

On The legacy tenable Virtual Appliance

See:  https://docs.tenable.com/appliance/4_8/Content/4.8_GuideTopics/CertificateManagement.htm?Highlight=certificate 

Navigate to Applications -> Nessus -> and Scroll Down to the Certificate Settings:


Now provide the four files (Intermediate Certificates = SubCA Certificates).

Note: If there is more than one SubCA/IntermediateCA dont split the SubCA Chain, leave all SubCA certificates in one file to be uploaded here!

After providing the four files and clicking Install Server Certificates you will see a green Success Message at the top of the screen, and this Dialoge will show the newly installed certificates information.

Important: Note down the “Not Valid After” Date somewhere, best you set a reminder in you calendar, als your entire Agent Setup will stop to work if you let the Certificate expire! Best will be you keep the four files save and 4 weeks before the expiration date you create a new Set of files / server certificate and replace the old one. If you make a mistake you can always quickly roll back to the old files and troubleshoot what you did wrong.

You still have to do one last step! The Nessus Manager will also verify the Clients Computer Certificate which is also signed by the Windows CA. However you have to specify the RootCA as trusted for this separately in the lower section of the above already shown dialogue:


Here you only have to provide the RootCA Certificate which is the same one from the four files you created above!

Note: This is basically just the public Certificate of the RootCA which can be found publicly everywhere on the Domain! It will help Nessus Manager to validate the trust for the Clients Computer Certificate.

On The new tenable Core Virtual Appliance

See: https://docs.tenable.com/tenablecore/Nessus/Content/TenableCore/ServerCertificate.htm

The Steps are basically the same why I will not post another set of screenshots here. Just follow the guide above and upload the four files and also the trusted CA again:


Important: Make sure to notice that the Core Appliance also keeps two different sets of Certificates (one for the Core Appliances Webinterface on Port 8000 and one for Nessus Manager on Port 8834). Make sure to upload it at least to the Nessus Manager Configuration but feel free to also deploy it to the Core Appliance Webinterface.

Thats it!

If this helped at least one person struggling out there im happy! Feel free to ask questions in the comments below if you encounter an issue with this guide and I will be happy to advance it where necessary!


Posted in tenable | Tagged , , , , ,

Setting up macOS to enable API&Python related Stuff – the BREW way

Most people will either use:

  • Windows (you’re on your own buddy!)
  • Linux (you probably already have everything you need installed already!)
  • macOS (you’ve got a Terminal but all programs are old….)

So if you are using a macOS you kinda have a Terminal running Bash (for now) by default but all programs are horribly old and wont get you far!

There are gazillions of different paths you can take to get decent python and pip Versions and Updated Versions of other tools running!


I will describe just one of them: the BREW way. Taken from the Documentation:

Homebrew is the easiest and most flexible way to install the UNIX tools Apple didn’t include with macOS.

The good thing: Homebrew will just conveniently install up to date UNIX tools beside the default apple built in tools without touching or removing them! So you can keep the default BASH and python from macOS but also install recent versions beside them in your profile and use them whenever you feel like it!

If you are familiar with brew chances are you already have it installed on your macOS! If not don not just blindly pull install scripts from the Internet and hope they wont own you!

Read up a bit! Ask Professionals with Macs if they use brew and if the trust it! Do some research about what you are going to do!

If you can and have the time you might even want to dig through the brew Installer Script before installing it!

If you are paranoid: download the brew installer script manually from the github repository before feeding it to ruby! Make sure its the same as in github before Installing it to verify it has not been tempered with during download!

After you have installed homebrew you will use two commands often:

brew update

…to update your installed brew packages…

brew install PACKAGE

…to install a new UNIX tool.

Note: Homebrew will not replace the default macOS programs in your path! So if you for example installed Bash v4.x via Homebrew macOS will not launch Bash v4.x when you launch a terminal!

But you can always spawn a Bash v4.x instance by calling it from its installation directory:


Install bash & python & pip & pyTenable

Install Bash

First of I would recommend to install a recent Version of Bash to be able to run all bash scripts you encounter (there are scripts that will not work with macOS old Version of bash!

brew install bash

Note: Remember as stated above that you have to drop into this new Version of Bash 4.x by calling it directly:


Install Python, pip & pyTenable API Wrapper

When you have successfully installed Homebrew and played around with updating it and all installed packages you can continue installing python and the pyTenable API Wrapper:

brew install python

will install python (Version 2 and 3 including pip for both versions).

pip3 install pyTenable

will install the pyTenable API Wrapper.

Note: As there is no pip3 command on macOS by default the pip3 installer will automatically be in your path and no dedicated calling form /usr/local/bin is required.


Thats it!

You are now able to use recent versions of Bash4, python2, python3, pip2, pip3 and pyTenable!

Posted in tenable | Tagged , , , , ,

pyTenable Python API Wrapper

Not all Infosec Professionals are Programmers by trade. I encourage anyone working in Infosec to learn as much programming as possible but there are still a lot of Jobs that don’t require in depth Programming and Programming-Architecture Skills.

If you are like me and know your way around Python Scripts and the small Program here and there you might appreciate a simplified API Wrapper for the Tenable RESTful APIs located here:


And its documentation located here: https://pytenable.readthedocs.io/en/latest/

Some of the Scripts and Examples I will post here will be based on the pyTenable API Wrapper.

Please Note: you don’t have to use this, you can always look at the functionality and implement it completely without this wrapper on your own!

Feel free to get inspired by my examples but always:

  • Check if they fit your needs or need to be edited!
  • Review their functionality and never use them in production without testing them prior in lab or uncritical environment!
  • Alter, edit and advance them!
Posted in tenable | Tagged , ,

New Life in an old Blog!

I started this Blog to document and share my experience with and around Checkpoint Firewalls.

Since then I have switched Jobs and have not touched a Checkpoint Firewall in years!

However I became a Tenable-Partner and touched and built a lot of Tenable Setups (mostly SecurityCenters) so I have gathered a lot of Knowledge and BestPractices KnowHow around Tenable’s Product suites.

So stay tuned for new Life in this old blog and regular updates around Tenable’s products and API automation.

Posted in miscellaneous, tenable | Tagged

Assemble your own affordable Treadmill Desk!

Ever since I listened to Neal Stephenson’s Book Reamde I wanted to get a Treadmill Desk!

A long time I thought you need to buy expensive Ones for a couple thousand Dollars like the Uplift Desk ones.

Now I found out that you can assemble a decent one for just 550 Euros with:

  • Ikea Desk SKARSTA – 199€
  • And a Cheap LONTEK Treadmill from Rakuten – 350€

The result looks decent and works like a charm:


If you don’t think you can work effectively while walking please go and try out somewhere! It works pretty well and your are not sitting the entire day!

I know this sounds a lot like Advertisement but all links above are without any affiliation and I just want to share my experience with the Desk!


Posted in miscellaneous

Published my Second Book: Penetration Testing mit mimikatz


since beginning of July 2019 my new Book “Penetration Testing mit mimikatz” is available directly from the Publisher mitp and the usual Shops like Amazon!

Bildschirmfoto 2019-06-06 um 18.27.41 Kopie

Keep on Roasting!


Posted in Books

I am the Evil!

Update July 30th 2018: seems that Microsofts SmartScreen Team fixed this swiftly after my review request. So props to Microsoft. Misclassifications can happen – a swift and productive response is all one can ask for!

Microsoft seems to be thinking I am Evil…

I just want to assure everyone that I am not hosting any kind of malware on my site and do not collect any personal information in my Blog.

This blog is purely to write about IT Security related topics and to publish my CV.

The WordPress is hosted and beeing kept up to date by wordpress.com and uses no custom Plugins on my part – so a basic vanilla wordpress.com Blog.

I cannot vouch for wordpress.com’s hosting but I think that a wordpress focused professional hoster will keep the best patchlevel possible for wordpress.

I imagine some overeager Proxy Admin saw evil haxing Tools and reported my site as malicious. I already requested a reevaluation from Microsofts SmartScreen Team and hope this will get resolved quickly!


Bildschirmfoto 2018-07-27 um 12.15.55

Posted in miscellaneous