Nessus - NASL
Marmagna Desai [592 Project]
2
Agenda
• Introduction
  – Nessus
  – Nessus Attack Scripting Language [NASL]
• Features
  – Nessus
  – NASL
• Testing Environment
• Test Result
• Conclusion
3
Introduction - Nessus
• Nessus:
  – Remote Vulnerability Scanner
  – Remote Data Gathering, Host Identification and Port Scanning are the main purposes of using this tool.
  – Client/Server Setup.
    • Server – UNIX Based
    • Client – Windows and UNIX Based.
  – Open Source, Highly flexible, Harmless.
4
Introduction - NASL
• NASL
  – Scripting Language used by Nessus to form Attacks to detect vulnerability.
  – Guarantees
    • Will not send packets to any other hosts than the target
    • Will execute commands only on the local system.
  – Optimized built-in functions to perform Network related tasks.
    • [e.g. Socket operations, open connection if port is open, forge IP/TCP/ICMP etc. Packets]
  – Rich Knowledge Base [KB], which provides the ability to use results of other scripts in a custom script.
5
Features - Nessus
• Plug-in Architecture
  – Security Tests are external Plugins; easy to add / modify tests without reading the source code of Nessus.
• Security Vulnerability Database
  – Database is updated on a daily basis, keeps record of the latest security holes.
• Client-Server Architecture
  – Server: Performs Attacks
  – Client: Front-end
  – Both can be located at different machines
6
Features - Nessus
• Can Test an unlimited amount of hosts in each scan.
  – Depending on the power of the Server, the scan can be performed on any range of hosts.
• Smart Service Recognition.
  – Doesn't believe in a fixed port for a particular service.
  – Checks all ports for a specific vulnerability.
• Non-Destructive.
  – The option is given to choose only non-destructive scripts to run for scanning; Nessus will then rely only on banner information.
7
NASL Example
    #
    # This script was written by Noam Rathaus <[email protected]>
    #
    if(description) {
      script_id(10326);
      script_version ("$Revision: 1.12 $");
      script_cve_id("CAN-2000-0047");
      name["english"] = "Yahoo Messenger Denial of Service attack";
      script_name(english:name["english"]);
      desc["english"] = "
    It is possible to cause Yahoo Messenger to crash by sending a few bytes of garbage into its listening port TCP 5010.

    Solution: Block those ports from outside communication
    Risk factor : Low";
      # register the description text set above
      script_description(english:desc["english"]);
      script_copyright(english:"This script is Copyright (C) 1999 SecuriTeam");
      family["english"] = "Denial of Service";
      script_family(english:family["english"]);
      exit(0);
    }
8
NASL - Example
    #
    # The script code starts here
    #
    if (get_port_state(5010)) {
      sock5010 = open_sock_tcp(5010);
      if (sock5010) {
        # send 2048 bytes of garbage to the listening port
        send(socket:sock5010, data:crap(2048));
        close(sock5010);
        # if the service no longer accepts a connection, it crashed
        sock5010_sec = open_sock_tcp(5010);
        if ( !sock5010_sec ) {
          security_hole(5010);
        } else close(sock5010_sec);
      }
    }
9
NASL Experiment
Remote Host: socr.uwindsor.ca
    if(description) {
      script_name(english:"Marmagna's Trivial Scanner");
      script_description(english:"This script is part of Project");
      script_summary(english:"Port Range is 1-1024");
      script_family(english:"windows");
      script_copyright(english:"Marmagna[101282813]");
      exit(0);
    }
10
NASL - Experiment
    # Actual Script Starts Here
    # try every port from 1 to 1024 (the original loop condition "i<-1024" never terminated as intended)
    for(i=1; i<=1024; i++) {
      soc = open_sock_tcp(i);
      if(soc) {
        # read up to 200 bytes of whatever banner the service volunteers
        data = receive(socket:soc, length:200);
        display(data + "\n");
        display(i + "\n");
        security_warning(port:i, data:"port is open");
        close(soc);
      }
    }
11
Output Gathered
desai8@socr:~/nessus/lib/nessus/plugins$nasl -t socr.uwindsor.ca marmagna.nasl
**WARNING : Packet forgery will not work
**As NASL is not running as Root
7 port is open
21 port is open : 220 ProFTPD 1.2.8 Server(SOCR) [socr.uwindsor.ca]
22 port is open: SSH-1.99-OpenSSH_3.7.1p2
23 port is open: ...........#..
25 port is open: 250 socr.uwindsor.ca ESMTP Sendmail 8.12.10/8.12.10; Thu, 19 Feb 2004 19:03:33 -0500
37 port is open: ...W
110 port is open: +OK Qpopper (version 4.0.4) at socr.uwinsor.ca starting.
12
Output Continued...
113 port is open:
143 port is open: OK [CAPABILITY IMAP4RAV1 LOGIN-REFERRALS STARTTLS AUTH = LOGIN] localhost
443 port is open:
993 port is open:
995 port is open:
SOCR IS VULNERABLE....!!!!!!
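As an added illustration (not code from the slides or from Nessus), the experiment's open_sock_tcp/receive loop and the "Smart Service Recognition" idea from the Features slide, rewritten in Python: the banner grab carries a timeout, so silent ports such as 7, 113 or 443 in the output above cannot stall the scan, and the service is named from the banner text rather than from the port number. The signature patterns and the loopback listener used for local testing are constructed for this example.

```python
import re, socket, threading

# Banner signatures keyed by service. The port is ignored on purpose: the service is
# recognised by what it says, not by where it listens ("Smart Service Recognition").
SERVICE_PATTERNS = {
    "ftp":  re.compile(r"^220 .*FTP", re.I),
    "ssh":  re.compile(r"^SSH-\d\.\d+-"),
    "smtp": re.compile(r"^2\d\d .*SMTP", re.I),
    "pop3": re.compile(r"^\+OK"),
    "imap": re.compile(r"OK \[CAPABILITY IMAP"),
}

def identify_service(banner):
    """Name the service from its banner; 'unknown' if nothing matches (Nessus reports such ports as Unknown)."""
    for name, pattern in SERVICE_PATTERNS.items():
        if pattern.search(banner):
            return name
    return "unknown"

def grab_banner(host, port, timeout=2.0, length=200):
    """open_sock_tcp + receive(length:200) from the experiment, plus a timeout: returns the
    banner, '' if the service stays silent (ports 7, 113, 443 above), None if the port is closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            try:
                return sock.recv(length).decode("latin-1")
            except socket.timeout:
                return ""
    except OSError:
        return None

def scan(host, ports, timeout=0.5):
    """Return {port: (banner, service)} for every port that accepted a TCP connection."""
    results = {}
    for port in ports:
        banner = grab_banner(host, port, timeout)
        if banner is not None:
            results[port] = (banner.strip(), identify_service(banner))
    return results

def serve_banner(banner):
    """Constructed loopback listener for testing: answers one client with `banner` (b'' = stay silent)."""
    srv = socket.create_server(("127.0.0.1", 0))
    def handle():
        conn, _ = srv.accept()
        if banner: conn.sendall(banner)
        else: conn.recv(1)  # silent service: block until the client gives up and closes
        conn.close(); srv.close()
    threading.Thread(target=handle, daemon=True).start()
    return srv.getsockname()[1]
```

Feeding the banners from the output slides to identify_service() names ftp, ssh, smtp, pop3 and imap for ports 21, 22, 25, 110 and 143 and "unknown" for the ports that returned nothing, which is the same split the Nessus graphical report makes between identified and "Unknown" services.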
13
Testing Environment
• Download:
  – Best and Easy way:
    • Make sure Lynx is installed and Execute:
      – lynx -source http://install.nessus.org | sh
    • It will download and install NESSUS-CLIENT, SERVER and NASL libraries.
  – Easy way:
    • Download script:
      – nessus-installer.sh from:
      – http://ftp.nessus.org/nessus/nessus-0.10a/nessus-installer/
    • Execute : sh nessus-installer.sh
14
Testing Environment
• Immediate Step: [Server Side]
• Creating a User:
  – Execute : “nessus-adduser”
  – Create Username, Authentication [password/Cert] and Rules for User.
• Execute “nessusd” as Daemon on UNIX machine.
• The server is ready.
NOTE: For nessusd options please view “man nessusd”
15
Testing Environment
• Nessus Server & Client
  – 137.207.234.136:1241
• Authentication used:
  – Password
  – “nessus-mkcert” will generate X.509 Cert.
• Remote Host Scanned:
  – 137.207.234.50
16
Testing Environment
• Plugin
  – Scan is enabled for all possible plugins.
  – “upload-plugin” lets you add a plugin from the local database.
  – Dependencies can be enabled while scanning.
17
Testing Environment
• Scanning Options
  – Port Range
  – Consider Unscanned ports as closed. [firewall]
  – Which Port Scanner to use. [nmap etc.]
  – How many hosts and plugins are scanned at a time.
18
Testing Environment
• Target Section
  – 137.207.234.50
  – 137.207.234.1-50
  – 137.207.234.1/24
  – //arunita2
• A single IP, A range of IP, CIDR, Hostname
19
Test Result[137.207.234.50]
• Security Holes:
  – 2 security holes have been found
• Warnings:
  – 16 security warnings have been found
• Notes
  – 22 security notes have been found
The holes, warnings and notes are defined by the plugin writer:
20
Descriptive Report
• Vulnerability found on port http (80/tcp)
  The remote WebDAV server may be vulnerable to a buffer overflow when it receives a too long request.
  An attacker may use this flaw to execute arbitrary code within the Local System security context.
  *** As safe checks are enabled, Nessus did not actually test for this
  *** flaw, so this might be a false positive
  Solution : See http://www.microsoft.com/technet/security/bulletin/ms03-007.asp
  Risk Factor : High
  CVE : CAN-2003-0109
  BID : 7116
  Other references : IAVA:2003-A-0005
  Nessus ID : 11412
21
Result
• Graphical Report
  – This Pie-chart classifies security risks in LOW, MEDIUM and HIGH.
  – Classifications are defined by script-writers.
22
Result
• Graphical Report...
  – Here the number of security holes is plotted against the dangerous services.
  – In my test, only 1 hole is found per service.
23
Result
• Graphical Report...
  – Major Services are plotted against the number of holes found.
  – The ports on which the gathered data is not showing any information are marked as “Unknown”
24
Conclusion
• Nessus's Report Generation is the most interesting feature.
• Vulnerabilities are classified on the basis of risk-factor, NOT OS or protocol - better for the SysAdmin.
• One of the most flexible, open-source and powerful vulnerability scanners.
“Nessus Network Security Scanner offers a free and extremely thorough way to scan your network for vulnerabilities. This cross-platform utility offers an overwhelming number of configuration and scanning options.” - PC Magazine
25
Reference
• http://www.nessus.org/
• http://www.securityfocus.com/infocus/1741
• http://www.securityfocus.com/infocus/1753
• http://www.nessus.org/doc/nasl.html
• http://www.pcmag.com/article2/0,4149,1400321,00.asp
Thank You
Questions!!