Nessus
Nessus is a vulnerability scanner that starts from a port scan and then probes the open ports for known weaknesses. It also provides a scripting language for writing additional tests. This section gives an overview of Nessus, discusses obtaining and installing it, and provides an introduction to its use.
Nessus was written by Renaud Deraison, with a number of other contributors. It is available from http://www.nessus.org.
Nessus is a client-server pair of applications. Nessusd is the server. It runs as a daemon and is responsible for conducting all the tests. Nessus is a GTK+-based client application. It is responsible for providing the user with a convenient user interface.
Nessus begins scanning a host by conducting a port scan to see what avenues are available for attack. It relies on nmap for this functionality. When it has determined which ports it can look at, Nessus scans for known vulnerabilities. It uses plugins written in C or in the Nessus Attack Scripting Language (NASL) to carry out these tests. (Writing scripts in NASL is briefly covered later in this section.)
Getting and Installing Nessus
There are two major steps involved in getting Nessus to run on your system. First, you must obtain and build the software. After the software has been built, it needs to be installed and set up. This section covers both steps.
Getting and Building Nessus
Nessus is not hard to build, but there are four packages that you must download and build in the proper order:
Nessus-libraries
libnasl
Nessus-core
Nessus-plugins
Each of these packages follows the typical configure, make, make install pattern of building free software. Make sure you build and install the packages in the proper order and you will save yourself a good bit of grief.
Installing Nessus
Having completed the make install to install the programs and libraries, you can start Nessusd. The first time you start it, you need to go through an extended setup, beginning with the nessus-adduser command, as shown in Listing 2.
Listing 2 Adding a Nessus User
[root@cherry /root]# nessus-adduser
Using /var/tmp as a temporary file holder

Add a new nessusd user
----------------------

Login : nessus
Authentication method (cipher/plaintext) [cipher] :

Source restriction
------------------

You can, if you will, configure this account so that it can only be used
from a given host or subnet. For instance, you may want nessus to be able
to connect to this nessusd server only from his work machine.

Please enter the host (or subnet) nessus is allowed to connect from.
A blank entry will allow him to connect from anywhere

The entry format must be an IP address followed by an optional netmask.
Hostnames are *not* accepted

Examples of valid entries :
192.168.1.5
192.168.1.0/24
192.168.1.0/255.255.255.0

Invalid entry : prof.fr.nessus.org

Source host or network [anywhere] :

One time password : foobarbaz

User rules
----------

nessusd has a rules system which allows you to restrict the hosts that
nessus has the right to test. For instance, you may want him to be able
to scan his own host only.

Please see the nessus-adduser(8) man page for the rules syntax

Enter the rules for this user, and hit ctrl-D once you are done :
(the user can have an empty rules set)

Login             : nessus
Auth.method       : cipher, can connect from anywhere
One time password : foobarbaz
Rules             :

Is that ok ? (y/n) [y]
user added.
[root@cherry /root ]#
This example shows a very vanilla install: no source restriction and no rules were entered, so anyone who knows the one-time password 'foobarbaz' can connect to the nessus account from anywhere and, once connected, use Nessus to scan any host.
With a Nessus user added, you can start the Nessus daemon like this:
[root@cherry /root]# nessusd &
Nessus at Work
Nessus, like any other security tool, cannot be run just once to make your network secure. Ideally, you should run Nessus on a regular basis (perhaps weekly or biweekly), and again after any change has been made to your network.
Running Nessus from inside your network is important to help ensure the internal security of your hosts. It should also be run from an external host in order to get a real world picture of how things look from a cracker's perspective.
In this section, we'll look at just the internal scan of a single host in our internal network. Coverage includes running Nessus, saving and reading reports, and extending Nessus by writing tests in NASL.
Running Nessus
The first time Nessus is run, you need to configure your user. Nessus brings up a splash screen showing that it is building a key pair for your client, then a window where you can enter your pass phrase. If you are running Nessus for the second or later time, it just asks for your pass phrase.
After entering your pass phrase, Nessus brings up a login window for connecting to Nessusd (see Figure 3).
Figure 3 The Nessus login window.
This is also the main window for Nessus. The tabs that run across the top of the window provide access to additional functionality.
After you've logged in to Nessusd, you're automatically moved into the Plugins tab. Click the Enable All button to do a full scan or select and deselect scans manually by using the buttons on the left side of the window. Clicking the name of the scan family in the upper pane of the Plugins tab will bring up a list of individual scans in the lower pane (see Figure 4).
Figure 4 Nessus Plugins tab.
Having selected the scans you want to run, you can select your target. Move to the Target selection tab and enter your requested target (this could be a single host or a list of hosts). I've selected just a single host at 192.168.1.20 (see Figure 5).
Figure 5 Nessus Target tab.
Now you can run the scan. Just click the Start the Scan button at the bottom of the window. The scan will take a while to run, so this might be a good time to go off and catch up on your email. You can watch the progress of your scan in the portscanning/attack status window (see Figure 6).
Figure 6 The Nessus portscanning/attack status window.
When Nessus has completed its scan, it brings up a report window. Clicking the hostname or IP address brings up a cascading list of potential vulnerabilities on that host. In Figure 7, I've expanded a listed vulnerability to show the kind of detail Nessus is able to display.
Figure 7 A Nessus report.
Saving and Reading Reports
Typically, you should save reports of scans so that you can keep a trail of what potential vulnerabilities show up in your network and when they do.
You can save a report by clicking the Save As button. Make sure that you use a consistent naming scheme and that you can readily interpret the names. Something like <hostname>-<date>.nsr is probably good. Depending on the number of hosts in your network, you might find that you need to keep subdirectories for LANs, for kinds of machines, and/or for time periods that you run the scans. In general, find the right level of organization for yourself and stick with it.
Going back to review an old scan report is easy. You just need to click the Load Report button at the bottom of the main window. This brings up a selection box for you to select the report you want to view. After you've loaded the report, it comes up in a report window.
Writing NASL Scripts
NASL scripts are fairly easy to write, but there are a number of tricks to getting them right. This section is not intended to be a complete tutorial. It should be enough for you to get your feet wet though. Please read the NASL guide and man page that come with the libnasl source for more details.
NASL is a C-like language without a lot of the overhead. Variables need not be declared, nor are they typed (at least not in a way you need to care about). If you need to use a variable, just do it:
myhostname = "cherry";
If you want to use a number, you can enter it in binary, decimal, or hex. NASL will take care of the conversion for you. If you're using a string, be aware that NASL will not interpolate special characters unless you tell it to:
a = "foo\nbar\nbaz";          # this equals "foo\nbar\nbaz"
a = string("foo\nbar\nbaz");  # this equals "foo"
                              #             bar
                              #             baz
As you can guess from the previous example, each comment line begins with the # symbol. There are no multiline comments in NASL. You can define your own functions in NASL like this:
function sqr(n)
{
    return(n*n);
}
display("5 squared is ", sqr(5), "\n");
NASL provides the standard C operators *, /, %, +, -, |, and & (although it does not yet implement operator precedence for them). NASL also provides two additional operators. The 'x' operator repeats a function call n times; for example, this will execute the display function 5 times:
display("a line of text\n") x 5;
The '><' operator functions like the grep command. It returns true if a string on the left of the operator appears in the string on the right.
a = "foo";
b = "Don't be a fool";
if (a >< b)
{
    display(a, " is contained in ", b, "\n");
}
As a worked example, let's check the greeting message sent by the mail daemon. All the internal hosts should be running qmail, so if someone is running Sendmail you want to know about it. The NASL script is shown in Listing 3.
Listing 3 A NASL Script
1.  if(description)
2.  {
3.    script_name(english:"sendmail message check");
4.    script_description(english:"This script looks for sendmail");
5.    script_summary(english:"connects on remote port 25");
6.    script_category(ACT_GATHER_INFO);
7.    script_family(english:"Administration toolbox");
8.    script_copyright(english:"Copyright Pat Eyler, licensed under GPL");
9.    script_dependencies("find_services.nes");
10.   exit(0);
11. }
12.
13. # get the smtp port from the knowledge base
14. port = get_kb_item("Services/smtp");
15.
16. # if we couldn't find the smtp port in the knowledge base, set it
17. # to the standard
18. if(!port) port = 25;
19.
20. # warn is FALSE unless Sendmail is running
21. warn = 0;
22.
23. # check the knowledge base to see if the port is running
24. if(get_port_state(port))
25. {
26.
27.   # open a connection to the smtp port
28.   soc = open_sock_tcp(port);
29.   if(soc)
30.   {
31.
32.     # grab the first 200 bytes of data from our connection
33.     data = recv(socket:soc, length:200);
34.
35.     # look for "Sendmail" in the data, and set warn to TRUE
36.     # if it is
37.     if("Sendmail" >< data) warn = 1;
38.
39.     # clean up our connection (only if it was actually opened)
40.     close(soc);
41.   }
42.
43. }
44.
45. # do this only if we found Sendmail
46. if(warn)
47. {
48.   report = "Host is running Sendmail, not qmail.";
49.   security_warning(port:port, data:report);
50. }
51.
52. #
53. # Check for Sendmail running instead of qmail
54. #
55.
56. # start by building a description of this script
While the example script above is heavily commented, it is worth pointing a few things out. In line 24, we used get_port_state. This function returns a Boolean FALSE value if the port is known to be closed. If the port is known to be open or has not been tested, the function returns a Boolean TRUE value. We also used conditional logic (the if statements) to control the flow of the script. NASL also provides looping logic with both for and while statements. Also note how arguments were passed to functions by name in lines 33 and 49. The basic form is
function(variable:value);
Because Nessus runs your script for each host (assuming that you've selected it), and has a number of other scripts to run as well, it is important that you make your scripts as efficient as possible. NASL makes some provisions for doing this by allowing scripts to share information through a knowledge base. There are two examples of this in the script shown in Listing 3.
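The following Python script is an added example, not code from the page or from the Nessus project. It re-implements the Listing 3 check outside of Nessus so the logic can be run and tested on its own: the banner read is capped at 200 bytes and given a timeout (the NASL recv has no timeout argument in the listing, so the timeout is an addition), the three-state port semantics described above for get_port_state are modelled on a small dictionary standing in for the knowledge base, and a one-shot local listener with constructed banners is included so the whole thing runs offline. The knowledge-base key "Services/smtp" comes from the listing; the key "Ports/tcp/<port>" used for port state is an assumption for this model, not something the page documents.

```python
"""Stand-alone model of the Listing 3 Sendmail banner check (added example)."""
import socket
import threading
from typing import Dict, Optional

# Constructed stand-in for the nessusd knowledge base that plugins share.
# Port-state values: True = known open, False = known closed, absent = untested.
KnowledgeBase = Dict[str, object]


def get_kb_item(kb: KnowledgeBase, key: str):
    """Like NASL's get_kb_item(): None when nothing was recorded under key."""
    return kb.get(key)


def get_port_state(kb: KnowledgeBase, port: int) -> bool:
    """FALSE only if the port is known closed; TRUE if open or never tested.
    The 'Ports/tcp/<port>' key is an assumed naming for this model."""
    return kb.get(f"Ports/tcp/{port}", True) is not False


def smtp_port(kb: KnowledgeBase) -> int:
    """Lines 14-18 of Listing 3: use the discovered port, else fall back to 25."""
    return int(get_kb_item(kb, "Services/smtp") or 25)


def banner_indicates_sendmail(data: bytes) -> bool:
    """Line 37 of Listing 3: the '><' substring test."""
    return b"Sendmail" in data


def read_banner(host: str, port: int, timeout: float = 5.0, length: int = 200) -> Optional[bytes]:
    """Lines 28-40: connect, read at most `length` bytes, always close.
    Returns None when the connection fails or nothing arrives in time."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as soc:
            return soc.recv(length)
    except OSError:
        return None


def check_host(host: str, kb: KnowledgeBase) -> Optional[str]:
    """Whole script: returns the warning text when Sendmail is seen, else None."""
    port = smtp_port(kb)
    if not get_port_state(kb, port):          # known closed: do not even connect
        return None
    data = read_banner(host, port)
    if data is None or not banner_indicates_sendmail(data):
        return None
    return f"Host is running Sendmail, not qmail (port {port})."


def serve_banner(banner: bytes) -> int:
    """Constructed one-shot listener on 127.0.0.1 that sends `banner` and closes.
    Returns the ephemeral port so the check can be exercised offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handle() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return port


# Constructed sample greetings (not captured from any real host).
SENDMAIL_BANNER = b"220 mail.example.test ESMTP Sendmail 8.11.6/8.11.6; Mon, 1 Jan 2001 00:00:00 -0500\r\n"
QMAIL_BANNER = b"220 mail.example.test ESMTP\r\n"

if __name__ == "__main__":
    for label, banner in (("sendmail", SENDMAIL_BANNER), ("qmail", QMAIL_BANNER)):
        port = serve_banner(banner)
        print(label, "->", check_host("127.0.0.1", {"Services/smtp": port}))
    # A port the knowledge base records as closed is skipped without a connection.
    print("closed ->", check_host("127.0.0.1", {"Services/smtp": 25, "Ports/tcp/25": False}))
```

The structure mirrors the NASL script deliberately: the port comes from the shared knowledge base with a fallback, the port state short-circuits the check so a host whose SMTP port is already known to be closed costs nothing, and the banner read is bounded so a slow or silent daemon cannot stall the scan.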