About Nessus - PowerPoint PPT Presentation

1 / 52
About This Presentation
Title:

About Nessus

Description:

The Simplest installation method is using the Lynx automatic install ... can be written in most any language but usually are written in the Nessus Attack ... – PowerPoint PPT presentation

Number of Views:1862
Avg rating:3.0/5.0
Slides: 53
Provided by: iccSk
Category:
Tags: nessus | projects

less

Transcript and Presenter's Notes

Title: About Nessus


1
About Nessus
  • ??? 2005.07.14.Thu
  • ??? ? ? ? hedwig_at_skku.edu
  • ?????? HIT Lab. (031-299-4610)

2
Contents
  • Introduction
  • Installation
  • Setup
  • Using Nessus
  • Scaning
  • Reports
  • Features
  • Appendix
  • Reference

3
Introduction
  • Introduction to Nessus
  • Nessus is an excellent tool that will
  • greatly aid your ability to test and
  • discover known security problems

4
Introduction (1/3)
  • Nessus is the world's most popular open-source
    vulnerability scanner
  • Used in over 75,000 organizations world-wide
  • The "Nessus" Project was started by Renaud
    Deraison in 1998 to provide to the internet
    community a free, powerful, up-to-date and easy
    to use remote security scanner
  • Endorsed by professional information security
    organizations such as the SANS Institute
  • http//www.nessus.org/about/

5
Introduction (2/3)
  • Nessus is not just scanner
  • Designed automate the testing and discovery of
    known security problems
  • Just like Hacker
  • Nessus is public domain program
  • Released under the GPL(GNU Public Lisence)
  • Complex and few article exist
  • To direct the new user through the intricacies of
    how to install and use it

6
Introduction (3/3)
  • Nessus is in client server technology
  • Server performs the actual testing while the
    client provides configuration and reporting
    functionality
  • Clients are available for both Windows and Unix
  • Server
  • Receive contents of clients setting security
    checking
  • Execute an object system(network)
  • Server - Client
  • Network packet transmission (cipher layer)

7
Installation
  • Download compile package
  • SSL Authentication

8
Installation (1/3)
  • Installed version of Unix system
  • Prior installation of several programs
  • Nmap(port scanners), Hydra(weak password tester),
    Nikto(cgi/.script checker), GTK(GIMP)
  • Greatly enhance Nessus scanninng ability
  • The Simplest installation method is using the
    Lynx automatic install
  • rpm -ivh lynx --nodeps
  • Lynx source http//install.nessus.org sh
  • May be snatch, weak in network security

9
Installation (2/3)
  • Package download
  • nessus-libraries-2.2.4.tar.gz
  • libnasl-2.4.4.tar.gz
  • nessus-core-2.4.4.tar.gz
  • nessus-plugins-2.4.4.tar.gz
  • http//www.nessus.org/download/
  • Package compile install
  • tar zxvf package name
  • ./configure
  • make
  • make install
  • ldconfig (apply activate library)

10
Installation (3/3)
  • Add a local user to Nessus
  • /usr/local/sbin/nessus-adduser
  • Authentication (pass/cert) pass
  • A certificate also nees to be generated
  • To be used to encrypt the traffic between the
    client and server (SSL Authentication)
  • usr/local/sbin/nessus-mkcert

11
Setup
  • Updating plug-in
  • Server/Client setting

12
Setup (1/3)
  • First, update plug-ins
  • What is a plugin ? Every security check in Nessus
    is coded as a plugin a simple program which
    checks for a given flaw.
  • Plug-ins can be written in most any language but
    usually are written in the Nessus Attack
    Scripting Language(NASL)
  • NASL plug-ins typically test by sending very
    specific code to the target and comparing the
    results against stored vulnerable values
  • Typically after a new vulnerability is released
    to the public, someone in the Nessus community
    writes a NASL plug-in, releases it to the public
    and submits
  • nessus-update-plugins

13
Setup (2/3)
  • Launch nessus daemon (server)
  • /usr/local/sbin/nessusd -D
  • ps ef grep nessusd
  • Ready for launching client
  • root exit
  • login id user (UNIX id nessus id)
  • user startx

14
Setup (3/3)
  • Execute Nessus Client
  • nessus
  • Enter the server IP, user name, password
    (nessus-adduser)

15
Using Nessus
  • (Default) rough scanning
  • Sample report
  • Demonstaration (tab by tab)

16
Using Nessus Nessusd host (1/12)
  • New session setup
  • Server IP(Nessusd Host), Port
  • Login(user name), Password
  • Process of Login
  • SSL paranoia
  • Certification

17
Using Nessus Plug-ins (2/12)
  • Choosing dangerous/non-dangerous plug-ins
    (category)
  • Dangerous/Denial Of Service(DOS)
  • Actually perform a DOS attack and crash system
  • Enable all but dangerous plug-ins
  • Sometimes even a non-dangerous plug-in can
    crash software
  • Plug-ins are sending non-standard data, there is
    always the risk, albeit rare

18
Using Nessus Plug-ins (3/12)
  • Select plug-in tab
  • Selected scanning plug-in
  • Bug or hole that Nessus can detect
  • Enable all option is general selection
  • Plug-in selection
  • Using the UNIX GUI
  • Later, its important

19
Using Nessus Credentials (4/12)
  • What is Credentials?
  • Someone's credentials are their previous
    achievements, training, and general background,
    which indicate that they are qualified to do
    something
  • New to 2.2.4 version
  • Stores credentials in plain text
  • SSH(secure shell)
  • SMB(server message block)

20
Using Nessus Scan option (5/12)
  • Port range(1-65535), multiple service
  • of hosts to test at the same time 20
  • of checks to perform at the same time
    4(below)
  • scanning techniques
  • Nmap, tcp connect() scan

21
Using Nessus Target (6/12)
  • Identify targets
  • Can be specified as a single IP address, as a
    subnet or as a range of IP addresses
  • Testing server IP
  • 127.0.0.1(localhost)
  • 10.10.10.10(logical groups)

22
Using Nessus User (7/12)
  • Specification of user information
  • User password, user based rules
  • Rules of scanning methods
  • Ex. Reject 10.163.156.5

23
Using Nessus Prefs. (8/12)
  • Advanced Plugins preference
  • Pattern of scanning (important)
  • Ping option
  • TCP ping, ICMP ping
  • TCP scanning technique
  • connect(), SYN scan
  • Timing policy
  • from insane to sneaky
  • RTT
  • Login configuration
  • HTTP, FTP, POP3, etc.
  • Later, its important option

24
Using Nessus KB (9/12)
  • KB Knowledge Base
  • Remember former scanning result, user security
    information
  • Eliminate duplication
  • plug-in

25
Using Nessus Credit (10/12)
  • Credits of Nessus projects
  • Author(developer) information

26
Using Nessus Scanning (11/12)
  • Start a scan
  • Nessus can and will pinpoint problems and provide
    solutions. However, misused it can and will crash
    systmes, cause the loss of data
  • First scan be against your own isolated test
    system

27
Using Nessus Reports (12/12)
  • Nessuss Strong Report
  • Subnet Host Port and Serverity Security
  • Security Note, Security Warning, Security Hole
  • Save report

28
Scanning
  • Wise parameter choices
  • Pref. Detail of ping, scanning
  • Plug-in option

29
Scaning Think first (1/6)
  • Different purpose of scanning
  • Verifying hardening procedures
  • Inventorying vulnerabilities
  • Searching for worms/virus
  • A true penetration test determining
  • Basic information needed to start a scan
  • IP address or subnets of targets
  • Production/non-production
  • Authorized time to perform scans
  • Permission from system owner

30
Scanning Host identification (2/6)
  • Prefs. Tab - Ping option
  • ICMP(Internet Control Message Protocol) ping
  • If an IP address is active or not (request/echo
    reply)
  • ICMP doesnt respond pings, no further tests will
    be run
  • Filtered by firewalls or routers
  • Cf. Traceroute (TTL/ICMP)
  • TCP ping
  • Quickly scanning an Internet facing
  • firewalled subnet

31
Scanning Port scan (3/6)
  • Port scanning
  • Nessus only runs vulnerabilities against ports
    found to be open, the choice of ports to snac is
    critical
  • each port is tied to a specific applicagion
  • Cover the well-known ports which applications
    normally use and oprts that some Trojans use
  • Ports are changed from their default to hide
    them, Nessus has a plug-in called services. The
    services plug-in does a fantastic job of
    identifying the actual program bound to each
    port!
  • UDP scanning is possible as well
  • NMAP does include a UDP scan

32
Scanning Port scan (4/6)
  • Types of Scanning
  • A connect() scan is less likely to crash targets
    (basic)
  • A SYN scan is a bit more stealthy and harder to
    block
  • Timing option of Scanning
  • from insane to sneaky
  • Insane is generally too fast to be useful
  • Sneaky is very stealthy but requires som time

33
Scanning Plug-in selection (5/6)
  • Appropriate plug-in subset
  • http//www.nessus.org/plugins/index.php?viewall
  • Obvious plug-in choice
  • Dangerous plug-ins test for vulnerabilities by
    attempting to DOS the machine
  • Safe Cheks test for DOS
  • vulneralilities through passively
  • gathering info such as software version
  • Some Nessus plug-ins need
  • administrator access to analyze
  • the system more in-depth
  • Pref. tab - Login configuration
  • Ex. Pop2 overflow need a valid account

34
Scanning Other Issues (6/6)
  • Honeypot deployments
  • Originally, deceive a hacker, spam, virus, etc.
  • Fake system designed to slow or confuse a scanner
  • Labrea tarpit http//labrea.sourceforge.net/
  • Nessus has Labrea scanner (scan options)
  • Server placement
  • Unencumbered connection to the Internet for the
    Nessus server is crucial
  • To see how a vulnerability scan work
  • /usr/local/lib/nessus/plugins (.nasl scpirt file)

35
Reports
  • Interpret the reports
  • Elimination any false positives
  • Finding a solution for vulnerability

36
Reports Generation (1/4)
  • Arranged in a hierarchical fashion
  • Automatically displayed upon completion of the
    scan
  • Export function
  • NessusWX CSV, NSR, NBE, SQL etc.
  • Unix GUI XML, HTML, NBE, LaTex, Text, HTML with
    Pies and Graphs
  • Diff. function

37
Reports Potential confusion (2/4)
  • Confusion stem from the result of similar
    vulnerability notifications
  • Two items exist totally independent of each other
  • The same named vulnerability produces different
    results in different environment
  • Few vulnerabilities to which no exploit, patch or
    workaround exists

38
Reports False positives (3/4)
  • Plug-in is only testing for a software version
    number
  • Safe check option sometimes raises false
    positives
  • Unexpected but otherwise valid resuls being sent
    back
  • HTTP 404 error
  • OS and software detection in Nessus isnt perfect
  • Cross-platform development

39
Reports Finding solution (4/4)
  • Nessus report will often include a link to a
    patch or a reference to a patch or workaround
  • Useful reference numbers
  • Bugtraq ID(BID)
  • Common Vulnerability
  • Exposure(CVE)

40
Features
  • Architecture
  • Unique features

41
Features Security level (1/5)
  • Up-to-date security vulnerability database
  • Updated on a daily basis, GNU General Public
    License(GPL)
  • Retrieved with the command nessus-update-plugins
  • RSS feed of all the newes check, CVS
  • http//cvs.nessus.org
  • Remote AMD local security
  • detect the remote flaws of the hosts on your
    network

42
Features Architecture (2/5)
  • Client server technology
  • Each user of the whole network can use only one
    nessusd server to scan vulnerability
  • Each user has own configuration/environment
  • Plug-ins
  • 8252 plugins (now) be recorded .nessusrc file
  • Each security test is written as an external
    plugin
  • NASL can be read and modified (script structure)
  • NASL
  • Nassus Attack Scriptin Language
  • Plug in coded by C Language, similar to C
  • Lots of internal function ftp_log_in(), http_get()

43
Features Unique features (3/5)
  • Smart service recognition
  • Nessus does not believe that the target hosts
    will respect the IANA assigned port numbers
  • Multiples services
  • Full SSL support
  • https, smpts, imaps
  • PKI-fied environment (Public Key Infrastructure)
  • Non-destructive OR thorough
  • Non-destructive security audit
  • Throw everything you can at a remote host

44
Features Open-Source (4/5)
  • The biggest user base
  • Get the best feedback
  • Reliable, non destructive, not prone to false
    positives
  • Proven maturity
  • Open bug tracking system
  • Easy-to-reach developers
  • http//www.nessus.org/features/

45
Features Method (5/5)
  • Check network system by the newest hacking
    technique
  • Thats why we off DOS plug-in
  • Usage of Detect specific your systems
    vulnerability
  • Log also reported as well as GUI report
  • tail -f /var/log/messages (syslogd)

46
Appendix
  • - Fine parts(option) set up

47
Appendix Nessusd (1/4)
48
Appendix Nessusd (2/4)
  • -C, --change-pass-phrase
  • /nessus/etc/nessus/nessusd.private-keys

49
Appendix Nessusd (3/4)
  • Server configuration file
  • nessusd.conf has ltkeywordgtltvaluegt

50
Appendix Nessus (4/4)
  • Bessus command line interface
  • Has lots of optional selection
  • But, basically and widely used to GUI(GTK)
  • Nessus Win32 Client
  • Exists called NessusWX
  • http//nessuswx.nessus.org/
  • NessusWX is a client program
  • for Nessus security scanner
  • which is designed specially
  • for Windows platform

51
Reference
  • Nessus Open Source Vulnerability Scanner Project
  • http//www.nessus.org/
  • Security White Papaers and Articles
  • http//www.securitydocs.com/
  • Introduction to Nessus (by Harry Anderson)
  • http//www.securityfocus.com/print/infocus/1741
  • Nessus, Part 2Scanning
  • http//www.securityfocus.com/print/infocus/1753
  • Nessus, Part3Analysing
  • http//www.securityfocus.com/print/infocus/1759
  • About Firewall Network Security
  • ???, ????, 2002
  • Redhat ??? 9.X ???? ? ??
  • ???, ??, 2003

52
Thank you
  • Q A
Write a Comment
User Comments (0)
About PowerShow.com