Nessus - Remote Security Scanner

Software & software development, 4 Nov 2013

Marmagna Desai



Nessus - Remote Security Scanner
NASL - Nessus Attack Scripting Language

Introduction

Nessus is a remote vulnerability scanner, capable of looking for security bugs in software installed on a remote host. It is open source, easy to use and a very powerful tool for checking for vulnerabilities and security holes. Remote data gathering, host identification and port scans are some of the main purposes of using this tool. It can be installed on UNIX systems, and from there any operating system can be scanned. Recently Tenable Networks Inc. has developed a commercial version of Nessus called NeWT, and a Windows-based client is available for the UNIX-based Nessus server.

NASL is the Nessus Attack Scripting Language, specially designed and optimized for Nessus. Its main purpose is to allow the user to perform a given security test on a remote machine without worrying about operating-system-level complexities. It is an effective, very easy, Perl-like language. It has advanced features like packet forging (IP, TCP, ICMP, UDP etc.), socket operations (open, close, recv, send) and application-specific library functions (ftp_log_in, telnet_init etc.) which are tremendously helpful in writing security checks for Nessus.

In this report I will discuss a short installation procedure for the Nessus scanner, the features of Nessus, the most frequently used NASL functions and the testing of Nessus/NASL.



Features:



As stated above, Nessus performs several tasks like data gathering, port scans and host/software identification; this part of the report will discuss them, and the peculiar features of Nessus which set it apart will be explored.


Data Gathering - It is useful to identify the point of view of the scanning at the initial stage. System hardening, penetration testing, vulnerability testing, system management etc. are the different points of view for which scanning is done, and the data gathered by a scan depends highly on these parameters. Some basic information is required before scanning any particular host:

a] IP address or subnet of the target
b] Production or non-production
c] Authorized time to perform the scan
d] Permission from the system owner

There is a high chance of crashing a system while scanning. Nessus employs a number of methods to reduce the chance of crashing the system, though due to the large number of vulnerabilities tested, crashes and hangs still happen.


Port Scanning - Stealth, speed and accuracy are the major factors to balance when port scanning. There are two most commonly used types of scans: connect() and SYN scans. Nessus provides both of these scanning facilities, with the option of using NMAP with it. The connect() scan is the basic one; it attempts to establish a full connection to an open port. It isn't very stealthy, but it is fast and accurate. A SYN scan is a bit stealthier and harder to block because it starts but doesn't complete the TCP handshake. Generally Nessus's built-in port scanner works well, though it has some limitations. NMAP is considered the best scanning tool.



Plug-ins - After Nessus performs a port scan, it runs the services plug-in, which identifies which server program is running on each open port. Based on the services plug-in output, Nessus chooses the subset of plug-ins to run. This identification is not limited to standard ports: the services plug-in also identifies services running on unknown or less-known ports.

Following are the plug-in categories and the top-10 plug-ins used in a Nessus scan:

Categories: Backdoor, CGI abuse, Denial of Service, Finger abuses, FTP, Gain a shell remotely, Gain a root remotely, Netware, NIS etc.

1. Microsoft RPC Interface Buffer Overrun
2. SMB login
3. Buffer Overflow in Workstation Service
4. Default community names of SNMP agents
5. Using NETBIOS to retrieve information on Windows host
6. Microsoft FrontPage exploits
7. IIS WebDAV Overrun
8. ASN.1 parsing vulnerabilities
9. ICMP timestamp
10. Remote host replies to SYN+FIN


Here some of the main features of Nessus are discussed:

1. Intelligent Scanning

Nessus will not assume that a given service always runs on a fixed port. For example, if an HTTP server is being run on port 1234, Nessus will still look for an HTTP server on port 1234 and, if the port is open, Nessus will reveal it. The most important feature is that Nessus will not determine a security vulnerability just by considering the version number of a service, but will actually try to exploit the vulnerability.

2. Modular Architecture

The client/server architecture allows the flexibility to deploy the scanner (server) and the GUI (client) in multiple configurations, reducing management costs.

3. Plug-in Architecture

Each security test is written as an external plug-in to Nessus. Thus new plug-ins can be easily written and added to Nessus without reading and understanding the internal structure of the nessusd server.

4. CVE Compatible

Each plug-in links to CVE so that the administrator can obtain further information on public vulnerabilities. There are also links to CERT, the Bugtraq ID and a possible patch/solution.

5. NASL

A special language designed and optimized for the Nessus Security Scanner. [More info further in the report]

6. Up-To-Date Security Vulnerability Database

The most recent vulnerabilities are added to and managed in the database. The "nessus-update-plugins" command is provided to update the local database, which is updated on a daily basis.

7. Scanning an Unlimited Number of Hosts

Theoretically Nessus can scan an unlimited number of hosts for a specific set of vulnerabilities simultaneously.

8. Reports

Nessus has a great report-generation feature. It can generate reports in XML, HTML, LaTeX, text or PDF format. It gives pie charts, graphs and other graphical representations of the vulnerabilities found on the system. Also, Nessus reports sort the vulnerabilities into High, Medium and Low risks. They are nicely presented.


Download - Installation

There are many ways to download this tool, though there is ONLY one website which provides all kinds of resources regarding the tool: http://www.nessus.org

Best way to download Nessus on a UNIX system (Nessus-Server, Nessus-Client and NASL):

[If the system is directly connected to the Internet and "lynx" is installed]

Run this command and expect a magic!

lynx -source http://install.nessus.org | sh

Note: Do NOT run this as ROOT. It is risky! DNS may be poisoned and the system may run arbitrary code.

Second best way to download Nessus on a UNIX system (Nessus-Server, Nessus-Client and NASL):

Download "nessus-installer.sh" from the website:
http://ftp.nessus.org/nessus/nessus-2.0.10a/nessus-installer/

and run:

sh nessus-installer.sh

Third and most boring way:

Nessus is formed by the following parts: nessus-libraries, libnasl, nessus-core and nessus-plugins.

Download all of these from http://ftp.nessus.org/nessus/nessus-2.0.10a/src/ and untar all the files in the /usr/local directory.

Run the magic commands for all of them:

./configure
make
make install [As root]

NOTE: Make sure that /usr/local/lib is in /etc/ld.so.conf --> Linux


Immediate Steps - Server Side

Create a User:

The nessusd server has its own user database, each user having their own restrictions. A new user must be created in order to use the nessusd server and perform remote scanning.

Following is the typical setup:

# nessus-adduser

Addition of a new nessusd user
---------------------------------------------

Login: marmagna
Authentication (pass/cert) [pass]: pass
Password: secret

User rules
----------------

nessusd has a rule system which allows you to restrict the hosts that marmagna
has the right to test. For instance, you may allow him to scan his own host only.

Please see the nessus-adduser(8) man page for rules syntax

Enter the rules for this user, and hit ctrl-D once you are done:

deny davinci.newcs.uwindsor.ca
accept 137.207.234.136
default deny

Login    : marmagna
Password : secret
DN       :
Rules    :

Is that ok (y/n)? [y] y

user added.

After creating the user for the Nessus daemon, you can also create an X.509 certificate for authentication purposes, which you will be asked to accept or deny at the time of logging in to the Nessus client.

NASL - Nessus Attack Scripting Language

NASL is the Nessus Attack Scripting Language, specially designed and optimized for Nessus. Its main purpose is to allow the user to perform a given security test on a remote machine without worrying about operating-system-level complexities. NASL allows forging IP/TCP/ICMP etc. packets easily. It also provides an easy way to test web and FTP servers. Moreover, NASL guarantees that a NASL script:

1. Will not send any packet to a host other than the target host.
2. Will not execute any commands on the local machine.

NASL is not a powerful general-purpose language; it is a quick and easy-to-use scripting language just for writing security tests. Hence it is not wise to expect complex application development using NASL.

Here a sample code is given which is a typical NASL script:


if (description) {
    script_name(english:"Marmagna Desai's Trivial Port Scanner");
    script_description(english:"This script is made for 592 projects");
    script_summary(english:"scans Ports ranging 1-1024 on Remote Host");
    script_category(ACT_GATHER_INFO);
    script_family(english:"Windows");
    script_copyright(english:"Marmagna[101282813]");
    exit(0);
}

#
# The actual script starts from here on...
# Marmagna.nasl
#

for (i = 1; i <= 10000; i++) {
    soc = open_sock_tcp(i);
    if (soc) {
        # grab up to 200 bytes of banner from the open port
        data = recv(socket:soc, length:200);
        display(data + "\n");
        display(i + "\t");
        security_warning(data:"port is open");
        close(soc);
    }
}



The OUTPUT gathered on http://socr.uwindsor.ca

desai8@socr:~/nessus/lib/nessus/plugins$ nasl -t socr.uwindsor.ca marmagna.nasl
** WARNING : packet forgery will not work
** as NASL is not running as root

7 port is open
**************
21 port is open
220 ProFTPD 1.2.8 Server (SOCR) [socr.uwindsor.ca]
**************
22 port is open
SSH-1.99-OpenSSH_3.7.1p2
**************
23 port is open
..... ..#..'**************
25 port is open
220 socr.uwindsor.ca ESMTP Sendmail 8.12.10/8.12.10; Thu, 19 Feb 2004 19:03:33 -0500
**************
37 port is open
...W**************
110 port is open
+OK Qpopper (version 4.0.4) at socr.uwindsor.ca starting.
**************
113 port is open
**************
143 port is open
* OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS STARTTLS AUTH=LOGIN] localhost IMAP4rev1 2002.336 at Thu, 19 Feb 2004 19:03:42 -0500 (EST)
**************
443 port is open
**************
587 port is open
220 socr.uwindsor.ca ESMTP Sendmail 8.12.10/8.12.10; Thu, 19 Feb 2004 19:03:49 -0500
**************
993 port is open
**************
995 port is open


This is a very trivial port scanner. It establishes a TCP connect() to each port starting from 1 to 1000. If it is able to connect, the script gathers 200 bytes of the response obtained from the remote host. NASL provides the following interesting network-related functions:

open_sock_tcp, open_sock_udp, forge_ip_packet, forge_udp_packet, send_packet, recv, recv_line, get_ip_element, set_ip_element, this_host, get_host_name, telnet_init, ftp_log_in etc.

These are highly used functions in professional scripts written for security tests on remote systems. The details of these functions can be obtained from the original NASL Guide [please see the references].

In the Nessus environment each host is associated with an internal knowledge base, which contains all the information gathered by the tests during the scan. The status of the ports, for instance, is in fact written somewhere in the knowledge base.

Here is an example of a KB item: Services/SMTP is very likely to have the value 25. The "Services" category contains the port numbers associated with each known service.

There are two functions regarding the knowledge base. The get_kb_item(<name>) function will return the value of the knowledge base item <name>. The function set_kb_item(name:<name>, value:<value>) will mark the new item <name> with value <value> in the knowledge base.
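To make the knowledge base concrete, here is an added example (not from the report and not NASL's own implementation) that fills "Services/<name>" items from the banners printed by the trivial port scanner above, naming each service from its banner rather than its port, which is the intelligent-scanning behaviour described earlier. The banner signatures and the set_kb_item/get_kb_item helpers are assumptions that only mimic the NASL function names; the input is constructed from the scan output shown above with one extra SSH banner on port 8080.

```python
# Added example, not part of the report or of Nessus: a toy per-host
# knowledge base filled from scanner banners (signatures are assumed).
import re

# Constructed from the scan output shown earlier; the SSH banner on 8080
# is added to show that a service is named by its banner, not its port.
SCAN_OUTPUT = """\
21 port is open
220 ProFTPD 1.2.8 Server (SOCR) [socr.uwindsor.ca]
22 port is open
SSH-1.99-OpenSSH_3.7.1p2
25 port is open
220 socr.uwindsor.ca ESMTP Sendmail 8.12.10/8.12.10; Thu, 19 Feb 2004 19:03:33 -0500
143 port is open
* OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS STARTTLS AUTH=LOGIN] localhost IMAP4rev1
8080 port is open
SSH-2.0-OpenSSH_3.7.1p2
"""

# Banner signatures (assumed, not Nessus's own), checked in this order.
SIGNATURES = [
    ("ssh", re.compile(r"^SSH-\d")),
    ("ftp", re.compile(r"^220 .*FTP", re.I)),
    ("smtp", re.compile(r"^220 .*E?SMTP", re.I)),
    ("imap", re.compile(r"^\* OK .*IMAP", re.I)),
]

def set_kb_item(kb, name, value):
    """A KB item may hold several values (one service on several ports)."""
    kb.setdefault(name, []).append(value)

def get_kb_item(kb, name):
    """Return the first value stored under name, or None if unset."""
    return kb[name][0] if name in kb else None

def build_kb(output):
    """Walk the scanner output: record open ports, then name each banner."""
    kb, port = {}, None
    for line in output.splitlines():
        m = re.match(r"^(\d+) port is open$", line)
        if m:
            port = int(m.group(1))
            set_kb_item(kb, "Ports/tcp/%d" % port, 1)
            continue
        for name, pattern in SIGNATURES:
            if port is not None and pattern.search(line):
                set_kb_item(kb, "Services/" + name, port)
                break
    return kb
```

After build_kb(SCAN_OUTPUT), Services/ssh holds both 22 and 8080 while Services/smtp holds 25, exactly the kind of item a later plug-in would query with get_kb_item.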

Testing Environment:

The environment for testing a NASL script as a plug-in on Nessus is as follows:

1. Nessusd Server: IP: 137.207.234.136 : 1241 [localhost]
   Nessus Client: IP: 137.207.234.136 [localhost]

2. Remote Host Scanned for Vulnerability: IP: 137.207.234.50

[NOTE: I have intentionally not scanned any production machine. The port I am using for the server "nessusd" is 1241. And I have the option for the authentication process: password or certificate. I have chosen the password option, though I could generate a certificate for the user called "marmagna" using the "nessus-mkcert" command as root user.]

3. List of Vulnerabilities and Exploit Family:

NOTE: I have enabled all the plug-ins using "Enable All" for this scan. This section is the most important option. Here the "Upload plug-in" button is given; this can be used to update the local database of plug-ins from the central repository of plug-ins.

4. Scanning Option:

NOTE: I am scanning ports 1-10000 on the remote host 137.207.234.50

5. Target Selection:

The target can use the following options:

137.207.234.50                  A single IP address.
137.207.234.1-50                A range of IP addresses.
137.207.234.1-137.207.234.254   Another range of IP addresses.
137.207.234.1/24                Again a range of IP addresses, in CIDR notation.
arunita2                        A hostname in Fully Qualified Domain Name notation, or a plain hostname (as long as it is resolvable on the server).

Any combination of the forms above, separated by a comma.




Test Result:

I have generated the report of the scan using HTML with pie charts and graphical presentations. The attached floppy has all the files under the 137.207.234.50 directory; "index.html" is the main page. I will try to summarize the result here:

Security holes, warnings and notes on host 137.207.234.50 (the holes, warnings and notes are defined by the plug-in writer):

2 security holes have been found
16 security warnings have been found
22 security notes have been found

Graphical Summary:

This is the most interesting part of the reporting. Following are the graphical presentations of Security Risks, Most Dangerous Services on the Network and Services that are Present in the Network:

[Figures: pie charts of Security Risks, Most Dangerous Services on the Network and Services Present in the Network]

The second part of the report contains the description of host-specific security risks: the vulnerability found on the specific host, risk factor, CVE number, Bugtraq ID, other references and the solution/patch for the vulnerability.

One example of such a vulnerability found on 137.207.234.50 is:

Vulnerability found on port http (80/tcp)

The remote WebDAV server may be vulnerable to a buffer overflow when
it receives a too long request.

An attacker may use this flaw to execute arbitrary code within the
Local System security context.

*** As safe checks are enabled, Nessus did not actually test for this
*** flaw, so this might be a false positive

Solution : See http://www.microsoft.com/technet/security/bulletin/ms03-007.asp
Risk Factor : High
CVE : CAN-2003-0109
BID : 7116
Other references : IAVA:2003-A-0005
Nessus ID : 11412

Here all the details of the specific vulnerability found on the host are described. For studying all the information of the scanning result, please view the index.html file in the directory given on the floppy.










References:

These are some of the references I have used to download, configure, test and study the tool, NESSUS.

1. http://nessus.org/
2. http://www.securityfocus.com/infocus/1741
3. http://www.securityfocus.com/infocus/1753
4. http://www.nessus.org/doc/nasl.html
5. http://www.pcmag.com/article2/0,4149,1400321,00.asp




Conclusion:

This project gives a glimpse of the working of Nessus in the field of network security. As the reports show, the scanned ports and identified vulnerabilities are classified just the way any system administrator would love to have them. In contrast to other scanners, Nessus doesn't classify vulnerabilities on the basis of their nature, OS or protocol in report generation. Hence this tool is very useful for auditing and scanning production systems. NASL is the other power of Nessus. It is a fast and easy-to-use scripting language, optimized for Nessus. This report has explored all of these features of Nessus and given a beautiful report on the scan.

"Nessus Network Security Scanner offers a free and extremely thorough way to scan your network for vulnerabilities. This cross-platform utility offers an overwhelming number of configuration and scanning options."

- PC Magazine