Some screen shots to be added
About
Nessus
Nessus is a remote security scanner for Linux, BSD, Solaris and other Unices that automates the testing and discovery of known security issues. It is plug-in based, has a GTK interface, and performs over 1800 remote security checks. After scanning, reports can be generated in HTML, XML, LaTeX, and ASCII text, with fix suggestions.
A nearly up-to-date database of vulnerability checks exists (cross-referenced to sources such as CERT). The architecture of the Nessus Security Scanner differs from some scanners in that it uses a client/server model: the central server does the scanning and results can be distributed to administrative clients. The scanning engine is Unix-based, while the administrative consoles can be run under Windows or Unix X Windows. It has been said to be free, powerful, up-to-date, very fast, reliable and easy to use.
Nessus attempts to exploit vulnerabilities and has a modular plugin architecture. The licence is the GNU LGPL.
Paid technical support is available from www.tenablesecurity.com, and there is also a community of Nessus developers. The Nessus Security Scanner is noted as one of the premier security scanners; in many tests it was rated #1, although it still failed to capture all exploits in some instances.
Nessus implements NASL (Nessus Attack Scripting Language), which allows for fine tuning of scans, vulnerability configuration checks, organized methods to monitor vulnerability announcements, and limited or no flagging of false positives. NASL scripts support cross-references to third party vulnerability databases (e.g. CERT). The Nessus knowledge base feature allows storing multiple scans and doing trend analysis on generated reports.
Of course, with time the bells and whistles are sure to come, as well as stronger OS lockdown and verification, a VR network topology fly-through complete with 3D iconic representations and vivid sensory graphs, perhaps going into the RPG cyberpunk of Shadowrun or the ley lines of Rifts. Currently the tools provide an easy point-and-click GUI, charts and graphs, and the ability to share data across sessions as well as file saving in a variety of formats.
Requirements and recommendations: a compiler, a lexical parser and analyzer, GNU m4, and lynx. OpenSSL and GTK are highly recommended.
Operational
Setup
Download the source code from http://www.nessus.org/download.html or via FTP from ftp://ftp.nessus.org/pub/nessus/
MD5 checksums are provided. The packages contain utilities (nasl, a scripting language, nessus-adduser, nessus-build, ...). Each utility, the client and the server have man pages. More documentation (README, INSTALL, ...) is in the packages or on the nessus website.
Note: Nessus provides an uninstall script to use after the first "./configure" in the nessus libraries package. Run this script before typing "make". Do the same for each provided package (except for running the uninstall script) and you're done. Typing "sh nessus-installer.sh" will auto-install the package. Or just type "lynx -source http://install.nessus.org | sh" and that's it, without running it as root.
Nessus installation
Install Nessus via the Internet using the program Lynx. (Lynx is a web browser which can be downloaded from http://lynx.browser.org.)
Use the following command to install:
# lynx -source http://install.nessus.org | sh
Alternatively, install Nessus using the script nessus-installer.sh, which is located under the directory nessus-installer/. Use the following command:
# sh nessus-installer.sh
Or download the source packages for compilation, consisting of:
nessus-libraries-x.x.tar.gz
libnasl-x.x.tar.gz
nessus-core.x.x.tar.gz
nessus-plugins.x.x.tar.gz
(x represents the version of the software at the time.)
Untar and unzip all the files above using the commands:
# tar xvfz nessus-libraries-x.x.tar.gz
# tar xvfz libnasl-x.x.tar.gz
# tar xvfz nessus-core.x.x.tar.gz
# tar xvfz nessus-plugins.x.x.tar.gz
Compile each package, starting from nessus-libraries, as follows:
# cd nessus-libraries
# ./configure
# make
# make install
(For the last command, make install, you must be root.)
Compile libnasl:
# cd libnasl
# ./configure
# make
# make install
(For the last command, make install, you must be root.)
Compile nessus-core:
# cd nessus-core
# ./configure
# make
# make install
(For the last command, make install, you must be root.)
Compile nessus-plugins:
# cd nessus-plugins
# ./configure
# make
# make install
After all compilation has been done, two important files have been created: nessusd, which is Nessus' server, and nessus, which is its client.
On Linux, add the path /usr/local/lib to the file /etc/ld.so.conf so that Nessus, when started, is able to find the libraries compiled above.
Use the following commands to add the new path and update the loader cache.
#echo "/usr/local/lib" >> /etc/ld.so.conf
#ldconfig
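The build sequence above, written as a script (an added example, not part of this tutorial or of the Nessus project): it checks each tarball against the published MD5 checksums before unpacking, builds the four packages in the order given, refuses to run make install without root, and adds /usr/local/lib to /etc/ld.so.conf only if it is not already there. It assumes hyphenated tarball names (nessus-core-x.x.tar.gz), a checksum file of "digest filename" lines, GNU md5sum or BSD md5, and the default /usr/local install prefix.

```shell
#!/bin/sh
# build-nessus.sh (hypothetical name) - build Nessus from source in the
# tutorial's order with a checksum check first. Added example, not Nessus code.
set -e

# compute_md5 FILE -> prints the hex MD5 digest of FILE (GNU md5sum or BSD md5)
compute_md5() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum "$1" | awk '{print $1}'
  else
    md5 -q "$1"
  fi
}

# verify_md5 FILE EXPECTED -> 0 if FILE's digest equals EXPECTED, 1 otherwise
verify_md5() {
  [ "$(compute_md5 "$1")" = "$2" ]
}

# add_ld_path CONF DIR -> appends DIR to CONF once; calling it again is a no-op
add_ld_path() {
  grep -qxF "$2" "$1" 2>/dev/null || echo "$2" >> "$1"
}

# build_package DIR -> configure, make, make install (make install needs root)
build_package() {
  [ "$(id -u)" -eq 0 ] || { echo "make install needs root" >&2; return 1; }
  ( cd "$1" && ./configure && make && make install )
}

# install_nessus VERSION CHECKSUM_FILE -> verify, unpack and build all four
# packages in the tutorial's order, then register the libraries with ld.so
install_nessus() {
  ver=$1
  for pkg in nessus-libraries libnasl nessus-core nessus-plugins; do
    tarball="$pkg-$ver.tar.gz"
    # CHECKSUM_FILE holds "digest filename" lines (assumed format of the
    # MD5 checksums published with the release)
    expected=$(awk -v f="$tarball" '$2 == f {print $1}' "$2")
    verify_md5 "$tarball" "$expected" || { echo "bad checksum: $tarball" >&2; return 1; }
    tar xvfz "$tarball"
    build_package "$pkg"
  done
  add_ld_path /etc/ld.so.conf /usr/local/lib
  ldconfig
  # the two binaries the build produces (default /usr/local prefix assumed)
  ls /usr/local/sbin/nessusd /usr/local/bin/nessus
}

# Runs only when invoked as: sh build-nessus.sh install VERSION CHECKSUM_FILE
if [ "${1:-}" = install ]; then install_nessus "$2" "$3"; fi
```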
Nessus usage
Create a new user account, specifying access privileges, then run the server daemon nessusd. The first time, create a username and password using the nessus-adduser command. With the nessus libraries package compiled with the "--enable-cipher" option, nessus generates a private key, which can be protected with a passphrase. Options are outlined in the nessusd man page.
Create the user database and the corresponding rules. nessusd uses the configuration file found in /usr/local/etc/nessus/nessusd.conf, which can be edited manually.
Use the script nessus-adduser, located in /usr/local/sbin, to generate a new account for a user.
THE SERVER
Fig. 1. In new user account creation specify a new user name
Fig. 2. Selecting the method to keep a password, plaintext or cipher (encrypted).
Fig. 3. Connection privilege, the default value is anywhere.
Fig. 4 The password is asked only once. You will use a passphrase after that.
Fig. 5. Network scan privilege: an IP address, a subnet, or other. Press Ctrl-D to finish the process. The default is the whole network. *See more in the manual page for nessus-adduser.
Fig. 6. Confirmation for data item correctness.
Fig. 7. Add-user process completed. After answering y (yes), the new user is added to the system and the screen will show 'user added'.
nessusd has the configuration file /usr/local/etc/nessusd.conf, which is used to adjust the server's user settings. The command nessusd -s, shown in Figure 8, prints all configuration values on screen.
Fig. 8. Configuration values for the server nessusd. To start nessusd, log in on Linux as root. The command to start the server is shown in Figure 9.
Fig. 9. Starting the server nessusd. To check if the server is running, use a command like the one in Figure 10.
nessus &
Fig. 10. Checking the operation of the nessusd server.
THE CLIENT
Nessus client configuration. The client program nessus is located in /usr/local/bin/nessus. Use the following command to start the client.
Fig.11. Starting the client program nessus.
The symbol & in the figure starts the program in background mode. Note that the user who starts the client program uses the 'user-name' snort on Linux.
Fig. 12. Specifying a passphrase. When a user starts the nessus client program for the first time, Nessus creates a private key for the user according to the 'user-name' on Linux, snort in this case. The 'user-name' on Linux matches the private key, which is a one-to-one relationship. Enter a passphrase for the key just created, and record it. The second line in the figure is the confirmation of the passphrase.
Fig. 13. Nessus login window. Type "nessus &" in a shell. This opens the nessus setup window after asking for the above mentioned passphrase/password. This window provides you with 7 or 8 tabs.
THE SETUP TABS
The 1st tab "nessusd host" allows connection to the nessusd host by clicking on the "Log in" button. The username must exist in the user database.
Supply the IP address where nessusd is running, nessusd's port, and the encryption method used in communicating between the client and the server. In the figure the server is running at address xxx.xxx.xxx.xxx on port 1241, which is Nessus' default port; keep the default if your client runs on the same machine as the server. Twofish/ripemd160:3 is the encryption method.
Note that the 'login-name' and the 'user-name' on Linux are both snort. The first time you log in, the server will ask for the one-time password (as given in Figure 4) and will then bind the 'login-name' to the private key of the 'user-name' snort on Linux. 'login-name' and 'user-name' snort are the only logins.
Remember that on logins after the first the server will ask for the passphrase (of the private key) only. One 'user-name' can have many 'login-name's, but each 'login-name' belongs to one 'user-name': a god (user-name/root) has many humans (login-names), while humans, monotheistically, have one god.
Fig. 14. One-time password window.
The server will then ask for the one-time password (the one chosen when the 'login-name' was created with nessus-adduser).
Fig. 15. Plugin selection window.
The 2nd tab shows the classes of scanning plugins. Clicking on a plugin launches another window, and the bottom part of the window displays some information about that plugin explaining what it does.
There may be dangerous plugins (the ones able to crash a machine); you can (de)select the plugins you would like for your vulnerability scans using the little squares on the right hand side of the plugins. The plugins that can crash services/machines are shown with an exclamation point inside a yellow triangle and are disabled by default.
You can enable all the plugins by clicking on Enable all. Autoloading dependencies (running plugins depended upon by other plugins) is also disabled by default but can be enabled by clicking on Enable dependencies at runtime.
Fig. 16. Further details for the vulnerability: Anonymous FTP Enabled.
The 3rd tab allows you to define the way you will use nessus to scan the target host(s) or set network preferences for the plugins (ping, HTTP, news, SMB, TCP evasion, SMTP, inetd, SSL, SOCKS, FTP, POP, IMAP, SNMP, LDAP, and so on). You can fine tune the various scan options; for example, the 'Anonymous FTP Enabled' plugin offers additional details and suggestions (Figure 16), and when pinging machines in a network the user can choose the TCP or ICMP protocol. Plugins can also be given a timeout.
Fig. 17. Plugin preference window.
The more information provided, the more intrusive the testing will be. For example, I may allow passworded ftp, but not want people with passwords to have write permission to upload files. If I provide a username and password in the FTP section, I may discover that I do actually have writable areas in my FTP tree.
Fig. 18. Scan options window.
The 4th tab allows you to define how nessus performs the port scanning portion of the run, and which port scanner to use, usually nmap. Some options include setting the port range scanned, specifying the number of hosts to scan at once, and detaching the client while scans are performed and later emailing the scan details.
For example: the ports to scan (in the figure, ports 1-15,000), the number of simultaneous scans (8 in the figure), and the location of CGI scripts. nmap can be used for port scanning.
Fig. 19. Target selection window.
The 5th tab is the target of the scan.
The format for the Target(s) field includes:
Single IP: xxx.xxx.xxx.xxx
CIDR notation: xxx.xxx.xxx.xxx/yy
FQDN: www.my.domain
Bare hostname (must be resolvable by the Nessus server): www
A comma separated list of any of the above
A range of IPs from xxx.xxx.xxx.xxx to yyy.yyy.yyy.yyy
To skip testing xxx.xxx.xxx.xxx, enter the rules:
reject xxx.xxx.xxx.xxx
default accept
Tweaking the scanning rules is done through the User tab. This format mirrors the nessus-adduser command. Adjusting the rules allows for specifying a broad range of addresses under the Target selection and then just denying select unwanted addresses. To enter a rule, type it into the Rules field and click on Add rule. The rules are added top down, so the first rule I entered will be the first rule read when the scans are run. To remove a rule, double click on it.
Select a target machine/subnet to scan. Use a comma ',' to separate the hosts and IP addresses targeted [xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx, etc.]; the same goes for a network address with its netmask (xxx.xxx.xxx.xxx/yy). There is a check box to perform a DNS zone transfer: by connecting to a DNS server, nessus will try to get the list of the hosts in this domain. The addresses, ranges of addresses, or hostnames to scan are specified in the 'Target selection' tab. Specify targets in the Target(s) field, or import a list of targets from a file by clicking on the 'Read file' button.
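A small model of how the rules above decide which entries of a comma-separated Target(s) list get scanned, as an added example that is not part of this tutorial or of Nessus: rules are read top down, the first matching "accept" or "reject" wins, and a "default" line ends the search, as described for the User tab. It assumes IPv4 targets only (the FQDN and bare-hostname forms are not resolved here) and treats a rule address without /bits as a single host.

```shell
#!/bin/sh
# Added example (not Nessus code): evaluate tutorial-style scan rules
# ("accept NET[/BITS]", "reject NET[/BITS]", "default accept|reject").

# ip4_to_int ADDR -> prints the dotted-quad address as a 32-bit integer
ip4_to_int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr ADDR NET[/BITS] -> 0 if ADDR lies inside NET (no /BITS means /32)
in_cidr() {
  ip=$(ip4_to_int "$1")
  net=${2%/*}
  case "$2" in */*) bits=${2#*/} ;; *) bits=32 ;; esac
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( ip & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ]
}

# target_allowed ADDR RULESFILE -> 0 if the first matching rule accepts ADDR.
# A "default" line ends the search; with no rule at all ADDR is rejected.
target_allowed() {
  while read -r verb arg; do
    case "$verb" in
      ''|'#'*) continue ;;                        # blank line or comment
      accept)  in_cidr "$1" "$arg" && return 0 ;;
      reject)  in_cidr "$1" "$arg" && return 1 ;;
      default) [ "$arg" = accept ] && return 0 || return 1 ;;
    esac
  done < "$2"
  return 1
}

# filter_targets "ADDR,ADDR,..." RULESFILE -> prints the entries of the
# comma-separated Target(s) list that the rules allow, one per line
filter_targets() {
  echo "$1" | tr ',' '\n' | while read -r t; do
    t=$(echo "$t" | tr -d ' ')
    [ -n "$t" ] || continue
    if target_allowed "$t" "$2"; then echo "$t"; fi
  done
}

# Constructed sample rule set mirroring the tutorial: skip one host, accept the rest
demo() {
  rules=$(mktemp)
  printf 'reject 192.168.1.5\ndefault accept\n' > "$rules"
  filter_targets "192.168.1.5, 192.168.1.6, 192.168.1.7" "$rules"  # .6 and .7
  rm -f "$rules"
}
```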
Fig. 20. User window.
The 6th tab (the User tab) allows the user to change his passphrase/password, to delete his private key, or to add scanning rules using the Add rule button.
Fig. 21. Credits window.
The 7th tab opens the credits window, which lists the Nessus developers, the version number, and the website where more information can be found. This can be useful for citation or research purposes.
The 8th tab appears if you compiled nessus with the "--enable-save-kb" configure option. KB stands for "knowledge base". This feature allows reusing the results from previous tests.
The knowledge base archives the information gathered about a tested host. During a scan, the knowledge base allows plugins to share any discovered information about the host. Using the knowledge base saves time and bandwidth, and allows for the testing of new vulnerabilities. Knowledge base saving is disabled by default.
More on kb at www.nessus.org/doc/kb_saving.html
Fig. 22.1. Simultaneous scan status.
SCANNING
To start scanning the target network as specified in the target selection window click 'Start the scan' at the bottom of the window. When you start the scan, nessus opens a window displaying the scan status. For example, let's say you are testing a whole network, called 192.168.1.0/24. Eight machines (hosts) will be displayed at once, showing which plugin is used for which machine and a progress gauge. It looks like this:
Figure 22.1 shows the status of scanning a subnet, whereas Figure 22.2 shows scanning a single machine.
You can 'Stop' scanning a host using the button on the right hand side, or click 'Stop the whole test' to stop everything. The factors for time consumption are various: the number of hosts; the OSes; the network speed; the machines' roles (more or fewer open ports); the number of active plugins, and others. If you compiled nessus with the above mentioned "--enable-save-kb" configuration you can test in two other ways: detached scans or differential scans. Detached scans allow you to run background testing, while differential scans show the differences between two scans. You'll find much more information about these features in the nessus documentation (www.nessus.org/doc).
Fig. 23. A scan result
The left pane shows the security alerts; clicking on each circle provides more details.
Fig. 24. Security risk piechart.
Nessus produces a graphic file, index.html. This report is grouped into four sections: subnet, host, port, and severity.
The pie chart shows, in percent, the four categories of security risk (Low, Medium, High, and Serious) along with potential fixes for the findings. The severity levels include notes (a light bulb icon), warnings (the exclamation point inside a triangle icon), and holes (an icon consisting of a red circle with a white bar through the center). The severity levels are fairly self explanatory, and each individual explanation provides quite a bit of detail.
Reports can suggest a solution for detected vulnerabilities. False positives are noted as such and can occur with patched versions of some daemons: a recently corrected vulnerability may be detected as a potential risk. Updates for such cases are made available readily.
nmap (2.53) may be erroneous when identifying the OS version, for example detecting version 2.2.19 as 2.2.14. Some other OSes are not correctly identified, such as AmigaOS, BeOS, MacOS X and QNX. Newer versions may fix these bugs.
Reports can be saved as text, NSR, HTML, or HTML with pie charts, allowing comparisons between two scans. Becoming familiar with nessus can be aided by watching the system logs; information can be found in /usr/local/var/nessus.
As is evident by scanning this one machine, each note, warning, and hole that Nessus flags could potentially be a false positive. It's best to read through the information Nessus provides and cross check with installed patches, modified banners, and other custom changes made to the system.
ABOUT THE PLUGINS
The plugins contain scripts to check for vulnerabilities, e.g., backdoors, DoS, wide-open ports, etc. They are written in NASL (Nessus Attack Scripting Language) and can be found in /usr/local/lib/nessus/plugins. Users can also develop their own scripts by studying this language at http://www.nessus.org/doc/nasl.html. You can contribute to the nessus project by writing plugins; new scripts can be obtained at http://cgi.nessus.org/plugins/ . The plugins are what enables the discovery of a given vulnerability. There are over 756 plugins in nessus' database, in nearly 20 plugin families such as backdoors, denial of service, gain root remotely, etc. Information on fixes is also provided.
CVE (Common Vulnerabilities and Exposures) is a huge information database available from http://cve.mitre.org
There you'll find all the details about known security risks. You can read the plugins in your /usr/local/lib/nessus/plugins directory. Nessus installs a script called nessus-update-plugins, which downloads and installs the latest tar ball of scripts for the installed version of Nessus. The Nessus server must have tar, gzip, and one of lynx, links, wget, or curl. You can also display the plugin names, install just a named plugin, or display the source code of a named plugin. Documentation exists for writing a test in C, as well as more information on NASL. Creation of custom tests for specific environments is possible as well.
Thanks currently go to Linux Freshmeat, Georges Tarbouriech, Banchong Harangsri, Nessus.org, Amy Rich and anyone else that deserves credit here. I would also note that compiling this introduction/tutorial has been interesting and the authors of other files have been thoroughly entertaining. This is an ongoing tutorial and really, since I'm not a hacker/cracker nor a security expert, I may be erroneous in some of the information provided. Hopefully with time I will be able to add to this introduction.
William Ashley
http://www.angelfire.com/retro2/w_ashley/billshomepage.htm
Useful links
SATAN
The main Nessus site
Additional Nessus programs and clients
The GNU GPL
Sunfreeware
OpenSSL
The main CERT (Computer Emergency Response Team) site
Tar/GZ: http://www.nessus.org/nessus_2_0.html
Changelog: http://www.nessus.org/nessus_2_0.html
CVS tree (cvsweb): http://cvsweb.nessus.org/cgi-bin/cvsweb.cgi/
Demo site: http://freshmeat.net/projects/nessus/?branch_id=7018&release_id=137819&topic_id=43
Primary Author: Renaud Deraison deraison@nessus.org (*possibly add source code to the tutorial, and plugins, etc.)