Transcript Nessus

Nessus - NASL
Marmagna Desai
[592- Project]
Agenda
• Introduction
– Nessus
– Nessus Attack Scripting Language [NASL]
• Features
– Nessus
– NASL
• Testing Environment
• Test Result
• Conclusion
Introduction - Nessus
• Nessus:
– Remote vulnerability scanner.
– Remote data gathering, host identification and port scanning are the main purposes of using this tool.
– Client/Server setup.
• Server – UNIX based
• Client – Windows and UNIX based
– Open source, highly flexible, harmless.
Introduction - NASL
• NASL
– Scripting language used by Nessus to build the attacks that detect vulnerabilities.
– Guarantees:
• Will not send packets to any host other than the target.
• Will execute commands only on the local system.
– Optimized built-in functions to perform network-related tasks.
• [e.g. socket operations, opening a connection if a port is open, forging IP/TCP/ICMP etc. packets]
– Rich Knowledge Base [KB], which makes the results of other scripts available for use in a custom script.
Features - Nessus
• Plug-in Architecture
– Security tests are external plugins, so tests can be added or modified without reading the Nessus source code.
• Security Vulnerability Database
– The database is updated daily and keeps a record of the latest security holes.
• Client-Server Architecture
– Server: performs the attacks
– Client: front-end
– Both can be located on different machines
Features - Nessus
• Can test an unlimited number of hosts in each scan.
– Depending on the power of the server, a scan can be performed on any range of hosts.
• Smart Service Recognition.
– Does not assume a fixed port for a particular service.
– Checks all ports for a specific vulnerability.
• Non-Destructive.
– An option is given to run only non-destructive scripts for scanning; Nessus will then rely only on banner information.
NASL Example
#
# This script was written by Noam Rathaus <[email protected]>
#
if (description) {
  script_id(10326);
  script_version("$Revision: 1.12 $");
  script_cve_id("CAN-2000-0047");
  name["english"] = "Yahoo Messenger Denial of Service attack";
  script_name(english:name["english"]);
  desc["english"] = "It is possible to cause Yahoo Messenger to crash by
sending a few bytes of garbage into its listening port TCP 5010.
Solution: Block those ports from outside communication
Risk factor : Low";
  # The description text has to be registered, or the client never sees it
  script_description(english:desc["english"]);
  script_copyright(english:"This script is Copyright (C) 1999 SecuriTeam");
  family["english"] = "Denial of Service";
  script_family(english:family["english"]);
  exit(0);
}
NASL - Example
#
# The script code starts here
#
if (get_port_state(5010)) {
  sock5010 = open_sock_tcp(5010);
  if (sock5010) {
    # Send 2048 bytes of garbage to the listening port, then disconnect
    send(socket:sock5010, data:crap(2048));
    close(sock5010);
    # If the service no longer accepts a connection, it has crashed
    sock5010_sec = open_sock_tcp(5010);
    if (!sock5010_sec) {
      security_hole(5010);
    } else close(sock5010_sec);
  }
}
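An added example (not from the slides and not a Nessus-distributed plugin) that combines the plugin structure above with the Knowledge Base described in the NASL introduction: instead of hard-coding port 21, it reads the FTP port discovered by find_service from the KB, publishes the banner for other plugins, and reports from the banner alone, so it stays non-destructive. The script id, the "ExampleFTPd" version pattern and the Nessus 2.x built-ins it relies on (get_kb_item, set_kb_item, recv_line, egrep) are assumptions.

```nasl
#
# Added example: KB-driven FTP banner check (not from the original slides)
#
if (description) {
  script_id(99999);   # placeholder; real ids are assigned by Nessus
  script_version("$Revision: 1.0 $");
  name["english"] = "FTP banner check (example)";
  script_name(english:name["english"]);
  desc["english"] = "This plugin reads the FTP port found by find_service
from the Knowledge Base, records the banner for other plugins and flags
a banner that matches a hypothetical vulnerable version.
Risk factor : None";
  script_description(english:desc["english"]);
  script_summary(english:"Grabs the FTP banner from the KB-identified port");
  script_category(ACT_GATHER_INFO);   # banner only, nothing destructive
  script_family(english:"FTP");
  script_copyright(english:"Example code, no copyright claimed");
  # Run after the service detector so Services/ftp is already in the KB
  script_dependencies("find_service.nes");
  script_require_ports("Services/ftp", 21);
  exit(0);
}

#
# The script code starts here
#
port = get_kb_item("Services/ftp");   # populated by find_service
if (!port) port = 21;                 # fall back to the IANA default
if (!get_port_state(port)) exit(0);

soc = open_sock_tcp(port);
if (!soc) exit(0);
banner = recv_line(socket:soc, length:1024);   # first greeting line
close(soc);
if (!banner) exit(0);

# Publish the banner so other scripts can reuse it through the KB
set_kb_item(name:"ftp/banner/" + port, value:banner);

# Hypothetical vulnerable-version pattern (placeholder, not a real advisory)
if (egrep(pattern:"^220.*ExampleFTPd 1\.0\.", string:banner))
  security_warning(port:port, data:"Vulnerable banner: " + banner);
else
  security_note(port:port, data:"FTP banner: " + banner);
```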
NASL Experiment
Remote Host: socr.uwindsor.ca
if (description) {
  script_name(english:"Marmagna's Trivial Scanner");
  script_description(english:"This script is part of Project");
  script_summary(english:"Port Range is 1-1024");
  script_family(english:"windows");
  script_copyright(english:"Marmagna[101282813]");
  exit(0);
}
NASL - Experiment
#
# Actual Script Starts Here
#
for (i = 1; i <= 1024; i++) {
  soc = open_sock_tcp(i);
  if (soc) {
    # Read whatever banner the service sends on connect
    data = receive(socket:soc, length:200);
    display(data + "\n");
    display(i + "\n");
    security_warning(port:i, data:"port is open");
    close(soc);
  }
}
Output Gathered
desai8@socr:~/nessus/lib/nessus/plugins$nasl -t socr.uwindsor.ca
marmagna.nasl
**WARNING : Packet forgery will not work
**As NASL is not running as Root
7 port is open
21
port is open : 220 ProFTPD 1.2.8 Server(SOCR)
[socr.uwindsor.ca]
22
port is open: SSH-1.99-OpenSSH_3.7.1p2
23
port is open: ...........#..
25 port is open: 250 socr.uwindsor.ca ESMTP Sendmail
8.12.10/8.12.10; Thu, 19 Feb 2004 19:03:33 -0500
37 port is open: ...W
110 port is open: +OK Qpopper (version 4.0.4) at
socr.uwinsor.ca starting.
Output Continued...
113 port is open:
143 port is open: OK [CAPABILITY IMAP4RAV1 LOGIN-REFERRALS
STARTTLS AUTH = LOGIN] localhost
443 port is open:
993 port is open:
995 port is open:
SOCR IS VULNERABLE....!!!!!!
Testing Environment
• Download:
– Best and easy way:
• Make sure Lynx is installed and execute:
– lynx -source http://install.nessus.org | sh
• It will download and install the Nessus client, server and NASL libraries.
– Easy way:
• Download the script nessus-installer.sh from:
– http://ftp.nessus.org/nessus/nessus-0.10a/nessusinstaller/
• Execute: sh nessus-installer.sh
Testing Environment
• Immediate step: [Server Side]
• Creating a user:
– Execute: “nessus-adduser”
– Create a username, authentication [password/cert] and rules for the user.
• Execute “nessusd” as a daemon on the UNIX machine.
• The server is ready.
NOTE: For nessusd options please see “man nessusd”
Testing Environment
• Nessus Server & Client
– 137.207.234.136:1241
• Authentication used:
– Password
– “nessus-mkcert” will generate an X.509 cert.
• Remote host scanned:
– 137.207.234.50
Testing Environment
• Plugin
– The scan is enabled for all possible plugins.
– “upload-plugin” lets you add a plugin from the local database.
– Dependencies can be enabled while scanning.
Testing Environment
• Scanning Options
– Port range
– Consider unscanned ports as closed. [firewall]
– Which port scanner to use. [nmap etc.]
– How many hosts and plugins are scanned at a time.
Testing Environment
• Target Section
– 137.207.234.50
– 137.207.234.1-50
– 137.207.234.1/24
– //arunita2
• A single IP, a range of IPs, CIDR, hostname
Test Result
[137.207.234.50]
• Security Holes:
– 2 security holes have been found
• Warnings:
– 16 security warnings have been found
• Notes:
– 22 security notes have been found
The holes, warnings and notes are defined by the plugin writer:
Descriptive Report
• Vulnerability found on port http (80/tcp)
The remote WebDAV server may be vulnerable to a buffer overflow when it receives a too long request.
An attacker may use this flaw to execute arbitrary code within the Local System security context.
*** As safe checks are enabled, Nessus did not actually test for this
*** flaw, so this might be a false positive
Solution : See http://www.microsoft.com/technet/security/bulletin/ms03-007.asp
Risk Factor : High
CVE : CAN-2003-0109
BID : 7116
Other references : IAVA:2003-A-0005
Nessus ID : 11412
Result
• Graphical Report
– This pie chart classifies security risks as LOW, MEDIUM and HIGH.
– The classifications are defined by the script writers.
Result
• Graphical Report...
– Here the number of security holes is plotted against dangerous services.
– In my test, only 1 hole was found per service.
Result
• Graphical Report...
– Major services are plotted against the number of holes found.
– Ports on which the gathered data does not show any information are marked as “Unknown”.
Conclusion
“Nessus Network Security Scanner offers a free and extremely thorough way to
scan your network for vulnerabilities. This cross-platform utility offers an
overwhelming number of configuration and scanning options.”
- PC Magazine
• Nessus's report generation is the most interesting feature.
• Vulnerabilities are classified on the basis of risk factor, NOT OS or protocol - better for the SysAdmin.
• One of the most flexible, open-source and powerful vulnerability scanners.
Reference
• http://www.nessus.org/
• http://www.securityfocus.com/infocus/1741
• http://www.securityfocus.com/infocus/1753
• http://www.nessus.org/doc/nasl.html
• http://www.pcmag.com/article2/0,4149,1400321,00.asp
Thank You
Questions!!