About Nessus - PowerPoint PPT Presentation

1 / 52

About This Presentation

Title:

About Nessus

Description:

The Simplest installation method is using the Lynx automatic install ... can be written in most any language but usually are written in the Nessus Attack ... – PowerPoint PPT presentation

Number of Views:1858

Avg rating:3.0/5.0

Slides: 53

Provided by: iccSk

Category:

more less

Transcript and Presenter's Notes

Title: About Nessus

1
About Nessus

??? 2005.07.14.Thu
??? ? ? ? hedwig_at_skku.edu
?????? HIT Lab. (031-299-4610)

2
Contents

Introduction
Installation
Setup
Using Nessus
Scaning
Reports
Features
Appendix
Reference

3
Introduction

Introduction to Nessus
Nessus is an excellent tool that will
greatly aid your ability to test and
discover known security problems

4
Introduction (1/3)

Nessus is the world's most popular open-source
vulnerability scanner
Used in over 75,000 organizations world-wide
The "Nessus" Project was started by Renaud
Deraison in 1998 to provide to the internet
community a free, powerful, up-to-date and easy
to use remote security scanner
Endorsed by professional information security
organizations such as the SANS Institute
http//www.nessus.org/about/

5
Introduction (2/3)

Nessus is not just scanner
Designed automate the testing and discovery of
known security problems
Just like Hacker
Nessus is public domain program
Released under the GPL(GNU Public Lisence)
Complex and few article exist
To direct the new user through the intricacies of
how to install and use it

6
Introduction (3/3)

Nessus is in client server technology
Server performs the actual testing while the
client provides configuration and reporting
functionality
Clients are available for both Windows and Unix
Server
Receive contents of clients setting security
checking
Execute an object system(network)
Server - Client
Network packet transmission (cipher layer)

7
Installation

Download compile package
SSL Authentication

8
Installation (1/3)

Installed version of Unix system
Prior installation of several programs
Nmap(port scanners), Hydra(weak password tester),
Nikto(cgi/.script checker), GTK(GIMP)
Greatly enhance Nessus scanninng ability
The Simplest installation method is using the
Lynx automatic install
rpm -ivh lynx --nodeps
Lynx source http//install.nessus.org sh
May be snatch, weak in network security

9
Installation (2/3)

Package download
nessus-libraries-2.2.4.tar.gz
libnasl-2.4.4.tar.gz
nessus-core-2.4.4.tar.gz
nessus-plugins-2.4.4.tar.gz
http//www.nessus.org/download/
Package compile install
tar zxvf package name
./configure
make
make install
ldconfig (apply activate library)

10
Installation (3/3)

Add a local user to Nessus
/usr/local/sbin/nessus-adduser
Authentication (pass/cert) pass
A certificate also nees to be generated
To be used to encrypt the traffic between the
client and server (SSL Authentication)
usr/local/sbin/nessus-mkcert

11
Setup

Updating plug-in
Server/Client setting

12
Setup (1/3)

First, update plug-ins
What is a plugin ? Every security check in Nessus
is coded as a plugin a simple program which
checks for a given flaw.
Plug-ins can be written in most any language but
usually are written in the Nessus Attack
Scripting Language(NASL)
NASL plug-ins typically test by sending very
specific code to the target and comparing the
results against stored vulnerable values
Typically after a new vulnerability is released
to the public, someone in the Nessus community
writes a NASL plug-in, releases it to the public
and submits
nessus-update-plugins

13
Setup (2/3)

Launch nessus daemon (server)
/usr/local/sbin/nessusd -D
ps ef grep nessusd
Ready for launching client
root exit
login id user (UNIX id nessus id)
user startx

14
Setup (3/3)

Execute Nessus Client
nessus
Enter the server IP, user name, password
(nessus-adduser)

15
Using Nessus

(Default) rough scanning
Sample report
Demonstaration (tab by tab)

16
Using Nessus Nessusd host (1/12)

New session setup
Server IP(Nessusd Host), Port
Login(user name), Password
Process of Login
SSL paranoia
Certification

17
Using Nessus Plug-ins (2/12)

Choosing dangerous/non-dangerous plug-ins
(category)
Dangerous/Denial Of Service(DOS)
Actually perform a DOS attack and crash system
Enable all but dangerous plug-ins
Sometimes even a non-dangerous plug-in can
crash software
Plug-ins are sending non-standard data, there is
always the risk, albeit rare

18
Using Nessus Plug-ins (3/12)

Select plug-in tab
Selected scanning plug-in
Bug or hole that Nessus can detect
Enable all option is general selection
Plug-in selection
Using the UNIX GUI
Later, its important

19
Using Nessus Credentials (4/12)

What is Credentials?
Someone's credentials are their previous
achievements, training, and general background,
which indicate that they are qualified to do
something
New to 2.2.4 version
Stores credentials in plain text
SSH(secure shell)
SMB(server message block)

20
Using Nessus Scan option (5/12)

Port range(1-65535), multiple service
of hosts to test at the same time 20
of checks to perform at the same time
4(below)
scanning techniques
Nmap, tcp connect() scan

21
Using Nessus Target (6/12)

Identify targets
Can be specified as a single IP address, as a
subnet or as a range of IP addresses
Testing server IP
127.0.0.1(localhost)
10.10.10.10(logical groups)

22
Using Nessus User (7/12)

Specification of user information
User password, user based rules
Rules of scanning methods
Ex. Reject 10.163.156.5

23
Using Nessus Prefs. (8/12)

Advanced Plugins preference
Pattern of scanning (important)
Ping option
TCP ping, ICMP ping
TCP scanning technique
connect(), SYN scan
Timing policy
from insane to sneaky
RTT
Login configuration
HTTP, FTP, POP3, etc.
Later, its important option

24
Using Nessus KB (9/12)

KB Knowledge Base
Remember former scanning result, user security
information
Eliminate duplication
plug-in

25
Using Nessus Credit (10/12)

Credits of Nessus projects
Author(developer) information

26
Using Nessus Scanning (11/12)

Start a scan
Nessus can and will pinpoint problems and provide
solutions. However, misused it can and will crash
systmes, cause the loss of data
First scan be against your own isolated test
system

27
Using Nessus Reports (12/12)

Nessuss Strong Report
Subnet Host Port and Serverity Security
Security Note, Security Warning, Security Hole
Save report

28
Scanning

Wise parameter choices
Pref. Detail of ping, scanning
Plug-in option

29
Scaning Think first (1/6)

Different purpose of scanning
Verifying hardening procedures
Inventorying vulnerabilities
Searching for worms/virus
A true penetration test determining
Basic information needed to start a scan
IP address or subnets of targets
Production/non-production
Authorized time to perform scans
Permission from system owner

30
Scanning Host identification (2/6)

Prefs. Tab - Ping option
ICMP(Internet Control Message Protocol) ping
If an IP address is active or not (request/echo
reply)
ICMP doesnt respond pings, no further tests will
be run
Filtered by firewalls or routers
Cf. Traceroute (TTL/ICMP)
TCP ping
Quickly scanning an Internet facing
firewalled subnet

31
Scanning Port scan (3/6)

Port scanning
Nessus only runs vulnerabilities against ports
found to be open, the choice of ports to snac is
critical
each port is tied to a specific applicagion
Cover the well-known ports which applications
normally use and oprts that some Trojans use
Ports are changed from their default to hide
them, Nessus has a plug-in called services. The
services plug-in does a fantastic job of
identifying the actual program bound to each
port!
UDP scanning is possible as well
NMAP does include a UDP scan

32
Scanning Port scan (4/6)

Types of Scanning
A connect() scan is less likely to crash targets
(basic)
A SYN scan is a bit more stealthy and harder to
block
Timing option of Scanning
from insane to sneaky
Insane is generally too fast to be useful
Sneaky is very stealthy but requires som time

33
Scanning Plug-in selection (5/6)

Appropriate plug-in subset
http//www.nessus.org/plugins/index.php?viewall
Obvious plug-in choice
Dangerous plug-ins test for vulnerabilities by
attempting to DOS the machine
Safe Cheks test for DOS
vulneralilities through passively
gathering info such as software version
Some Nessus plug-ins need
administrator access to analyze
the system more in-depth
Pref. tab - Login configuration
Ex. Pop2 overflow need a valid account

34
Scanning Other Issues (6/6)

Honeypot deployments
Originally, deceive a hacker, spam, virus, etc.
Fake system designed to slow or confuse a scanner
Labrea tarpit http//labrea.sourceforge.net/
Nessus has Labrea scanner (scan options)
Server placement
Unencumbered connection to the Internet for the
Nessus server is crucial
To see how a vulnerability scan work
/usr/local/lib/nessus/plugins (.nasl scpirt file)

35
Reports

Interpret the reports
Elimination any false positives
Finding a solution for vulnerability

36
Reports Generation (1/4)

Arranged in a hierarchical fashion
Automatically displayed upon completion of the
scan
Export function
NessusWX CSV, NSR, NBE, SQL etc.
Unix GUI XML, HTML, NBE, LaTex, Text, HTML with
Pies and Graphs
Diff. function

37
Reports Potential confusion (2/4)

Confusion stem from the result of similar
vulnerability notifications
Two items exist totally independent of each other
The same named vulnerability produces different
results in different environment
Few vulnerabilities to which no exploit, patch or
workaround exists

38
Reports False positives (3/4)

Plug-in is only testing for a software version
number
Safe check option sometimes raises false
positives
Unexpected but otherwise valid resuls being sent
back
HTTP 404 error
OS and software detection in Nessus isnt perfect
Cross-platform development

39
Reports Finding solution (4/4)

Nessus report will often include a link to a
patch or a reference to a patch or workaround
Useful reference numbers
Bugtraq ID(BID)
Common Vulnerability
Exposure(CVE)

40
Features

Architecture
Unique features

41
Features Security level (1/5)

Up-to-date security vulnerability database
Updated on a daily basis, GNU General Public
License(GPL)
Retrieved with the command nessus-update-plugins
RSS feed of all the newes check, CVS
http//cvs.nessus.org
Remote AMD local security
detect the remote flaws of the hosts on your
network

42
Features Architecture (2/5)

Client server technology
Each user of the whole network can use only one
nessusd server to scan vulnerability
Each user has own configuration/environment
Plug-ins
8252 plugins (now) be recorded .nessusrc file
Each security test is written as an external
plugin
NASL can be read and modified (script structure)
NASL
Nassus Attack Scriptin Language
Plug in coded by C Language, similar to C
Lots of internal function ftp_log_in(), http_get()

43
Features Unique features (3/5)

Smart service recognition
Nessus does not believe that the target hosts
will respect the IANA assigned port numbers
Multiples services
Full SSL support
https, smpts, imaps
PKI-fied environment (Public Key Infrastructure)
Non-destructive OR thorough
Non-destructive security audit
Throw everything you can at a remote host

44
Features Open-Source (4/5)