Nessus - NASL Marmagna Desai [592- Project]

Upload: daniel-manning

Post on 28-Dec-2015


Page 1: 1 Nessus - NASL Marmagna Desai [592- Project]. 2 Agenda Introduction –Nessus –Nessus Attack Scripting Language [ N A S L] Features –Nessus –NASL Testing

Nessus - NASL

Marmagna Desai [592- Project]

Page 2

Agenda
• Introduction
  – Nessus
  – Nessus Attack Scripting Language [NASL]
• Features
  – Nessus
  – NASL
• Testing Environment
• Test Result
• Conclusion

Page 3

Introduction - Nessus

• Nessus:
  – Remote vulnerability scanner.
  – Remote data gathering, host identification and port scanning are the main purposes of this tool.
  – Client/Server setup.
    • Server – UNIX based
    • Client – Windows and UNIX based
  – Open source, highly flexible, harmless.

Page 4

Introduction - NASL

• NASL
  – Scripting language used by Nessus to build the attacks (tests) that detect vulnerabilities.
  – Guarantees:
    • Will not send packets to any host other than the target.
    • Will execute commands only on the local system.
  – Optimized built-in functions to perform network related tasks.
    • [e.g. socket operations, open a connection if a port is open, forge IP/TCP/ICMP etc. packets]
  – Rich Knowledge Base [KB], which lets a custom script use the results of other scripts.

Page 5

Features - Nessus

• Plug-in architecture
  – Security tests are external plugins; it is easy to add / modify tests without reading the Nessus source code.
• Security vulnerability database
  – The database is updated on a daily basis and keeps a record of the latest security holes.
• Client-Server architecture
  – Server: performs the attacks
  – Client: front-end
  – Both can be located on different machines

Page 6

Features - Nessus

• Can test an unlimited number of hosts in each scan.
  – Depending on the power of the server, a scan can be performed on any range of hosts.
• Smart service recognition.
  – Does not assume a fixed port for a particular service.
  – Checks all ports for a specific vulnerability.
• Non-destructive.
  – An option is given to run only the non-destructive scripts for scanning; Nessus will then rely only on banner information.

Page 7

NASL Example

# This script was written by Noam Rathaus <[email protected]>
#
if (description) {
  script_id(10326);
  script_version("$Revision: 1.12 $");
  script_cve_id("CAN-2000-0047");
  name["english"] = "Yahoo Messenger Denial of Service attack";
  script_name(english:name["english"]);
  desc["english"] = "
It is possible to cause Yahoo Messenger to crash by sending a few bytes
of garbage into its listening port TCP 5010.

Solution: Block those ports from outside communication
Risk factor : Low";
  # Registers the text above as the plugin description (the call that consumes desc[]).
  script_description(english:desc["english"]);
  script_copyright(english:"This script is Copyright (C) 1999 SecuriTeam");
  family["english"] = "Denial of Service";
  script_family(english:family["english"]);
  exit(0);
}

Page 8

NASL - Example

#
# The script code starts here
#
# Only talk to the port if the port scanner reported it open.
if (get_port_state(5010)) {
  sock5010 = open_sock_tcp(5010);
  if (sock5010) {
    send(socket:sock5010, data:crap(2048));
    close(sock5010);
    # A second connection that fails means the service stopped listening.
    sock5010_sec = open_sock_tcp(5010);
    if (!sock5010_sec) {
      security_hole(5010);
    }
    else close(sock5010_sec);
  }
}

Page 9

NASL Experiment

Remote Host: socr.uwindsor.ca

if (description) {
  script_name(english:"Marmagna's Trivial Scanner");
  script_description(english:"This script is part of Project");
  script_summary(english:"Port Range is 1-1024");
  script_family(english:"windows");
  script_copyright(english:"Marmagna[101282813]");
  exit(0);
}

Page 10

NASL - Experiment

# Actual Script Starts Here #
# Scan ports 1-1024 inclusive.
for (i = 1; i <= 1024; i++) {
  soc = open_sock_tcp(i);
  if (soc) {
    # Read up to 200 bytes of banner, if the service sends one.
    data = recv(socket:soc, length:200);
    display(data + "\n");
    display(i + "\n");
    # Attach the finding to the port being checked.
    security_warning(port:i, data:"port is open");
    close(soc);
  }
}
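As an added example (not code from the presentation or from the Nessus project), here is how the same banner gathering looks when it relies on the Knowledge Base described in the NASL introduction instead of probing every port itself: it declares a dependency on the service detector, reads the FTP port find_service stored under Services/ftp, reuses a banner if another script already stored one, and records the result as a security note. The script_id is a placeholder; the KB key names Services/ftp and ftp/banner/<port> and the plugin file name find_service.nes are those used by the Nessus plugins of that era and are assumptions here.

```nasl
# Added example: Knowledge-Base driven FTP banner check.
# Not part of the presentation or the Nessus plugin set.
if (description)
{
  script_id(90001);                 # placeholder id, not a registered plugin id
  script_version("$Revision: 0.1 $");
  script_name(english:"FTP banner via Knowledge Base (example)");
  script_summary(english:"Reads Services/ftp from the KB and records the banner");
  script_family(english:"Misc.");
  script_copyright(english:"Example code, no copyright claimed");
  # Run after the service detector so Services/ftp is populated, and do not
  # run at all if no FTP service (or port 21) was found on the target.
  script_dependencies("find_service.nes");
  script_require_ports("Services/ftp", 21);
  exit(0);
}

# Ask the KB which port the service detector identified as FTP; fall back to 21.
port = get_kb_item("Services/ftp");
if (!port) port = 21;

# Never open a socket to a port the port scanner reported as closed.
if (!get_port_state(port)) exit(0);

# Reuse a banner another script already collected, if one is in the KB.
banner = get_kb_item(string("ftp/banner/", port));
if (!banner)
{
  soc = open_sock_tcp(port);
  if (!soc) exit(0);
  # FTP greets with a single "220 ..." line; one line of up to 1024 bytes is enough.
  banner = recv_line(socket:soc, length:1024);
  close(soc);
  if (!banner) exit(0);
  # Share the banner so later scripts do not have to reconnect.
  set_kb_item(name:string("ftp/banner/", port), value:banner);
}

# Only a banner was read, nothing was exercised: this is informational,
# so the writer reports a note rather than a warning or a hole.
report = string("The FTP server on this port announced itself as:\n", banner);
security_note(port:port, data:report);
```

Run it the same way as the trivial scanner above (nasl -t <host> <script>.nasl); against the host in the output slides it would report the "220 ProFTPD ..." line on port 21 as a note, without touching the other 1023 ports.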

Page 11

Output Gathered

desai8@socr:~/nessus/lib/nessus/plugins$nasl -t socr.uwindsor.ca marmagna.nasl

**WARNING : Packet forgery will not work

**As NASL is not running as Root

7 port is open

21 port is open : 220 ProFTPD 1.2.8 Server(SOCR) [socr.uwindsor.ca]

22 port is open: SSH-1.99-OpenSSH_3.7.1p2

23 port is open: ...........#..

25 port is open: 250 socr.uwindsor.ca ESMTP Sendmail 8.12.10/8.12.10; Thu, 19 Feb 2004 19:03:33 -0500

37 port is open: ...W

110 port is open: +OK Qpopper (version 4.0.4) at socr.uwinsor.ca starting.

Page 12

Output Continued...

113 port is open:

143 port is open: OK [CAPABILITY IMAP4RAV1 LOGIN-REFERRALS STARTTLS AUTH = LOGIN] localhost

443 port is open:

993 port is open:

995 port is open:

SOCR IS VULNERABLE....!!!!!!

Page 13

Testing Environment

• Download:
  – Best and easy way:
    • Make sure Lynx is installed and execute:
      – lynx -source http://install.nessus.org | sh
    • It will download and install the NESSUS client, server and NASL libraries.
  – Easy way:
    • Download the script nessus-installer.sh from:
      – http://ftp.nessus.org/nessus/nessus-0.10a/nessus-installer/
    • Execute: sh nessus-installer.sh

Page 14

Testing Environment

• Immediate step: [Server side]
  • Creating a user:
    – Execute: "nessus-adduser"
    – Create the username, the authentication method [password/cert] and the rules for the user.
  • Execute "nessusd" as a daemon on the UNIX machine.
  • The server is ready.

NOTE: For nessusd options please view "man nessusd"

Page 15

Testing Environment

• Nessus Server & Client
  – 137.207.234.136:1241
• Authentication used:
  – Password
  – "nessus-mkcert" will generate an X.509 cert.
• Remote host scanned:
  – 137.207.234.50

Page 16

Testing Environment

• Plugin
  – The scan is enabled for all possible plugins.
  – "upload-plugin" lets you add a plugin from the local database.
  – Dependencies can be enabled while scanning.

Page 17

Testing Environment

• Scanning options
  – Port range
  – Consider unscanned ports as closed. [firewall]
  – Which port scanner to use. [nmap etc.]
  – How many hosts and plugins are scanned at a time.

Page 18

Testing Environment

• Target section
  – 137.207.234.50
  – 137.207.234.1-50
  – 137.207.234.1/24
  – //arunita2
• A single IP, a range of IPs, CIDR, hostname

Page 19

Test Result[137.207.234.50]

• Security holes:
  – 2 security holes have been found
• Warnings:
  – 16 security warnings have been found
• Notes:
  – 22 security notes have been found

The holes, warnings and notes are defined by the plugin writer:

Page 20

Descriptive Report

• Vulnerability found on port http (80/tcp)

The remote WebDAV server may be vulnerable to a buffer overflow when it receives a too long request.

An attacker may use this flaw to execute arbitrary code within the Local System security context.

*** As safe checks are enabled, Nessus did not actually test for this
*** flaw, so this might be a false positive

Solution : See http://www.microsoft.com/technet/security/bulletin/ms03-007.asp
Risk Factor : High
CVE : CAN-2003-0109
BID : 7116
Other references : IAVA:2003-A-0005
Nessus ID : 11412
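The report above shows what the "Non-destructive" option from the Features slides looks like from the plugin side: with safe checks on, the plugin must not run its active test and must say so. As an added example (not code from the presentation, the Nessus project, or the original Yahoo Messenger plugin), here is the port 5010 check from the NASL Example slides rewritten around the safe_checks() built-in: in safe mode it only reports the open port, with the same "might be a false positive" wording as the report, and the active test runs only when the operator has turned safe checks off. The script_id is a placeholder, and the report wording and the choice of security_warning versus security_hole are the writer's, as the Test Result slide says.

```nasl
# Added example: a safe-checks aware version of the port 5010 test.
# Not part of the presentation or the Nessus plugin set.
if (description)
{
  script_id(90002);                 # placeholder id, not a registered plugin id
  script_version("$Revision: 0.1 $");
  script_name(english:"Port 5010 robustness check (safe-checks aware example)");
  script_summary(english:"Reports TCP 5010 as open under safe checks, tests it otherwise");
  script_family(english:"Denial of Service");
  script_copyright(english:"Example code, no copyright claimed");
  # Skip the script entirely unless the port scanner found 5010 open.
  script_require_ports(5010);
  exit(0);
}

port = 5010;
if (!get_port_state(port)) exit(0);

if (safe_checks())
{
  # Non-destructive mode: nothing is sent that could disturb the service.
  # The finding is unconfirmed, so the writer reports a warning, not a hole,
  # and the text says explicitly why it may be a false positive.
  report = string(
    "TCP port ", port, " is open. The active test was not run because\n",
    "safe checks are enabled, so this might be a false positive.\n",
    "Solution: block this port from outside communication.\n",
    "Risk factor : Low\n");
  security_warning(port:port, data:report);
  exit(0);
}

# Active mode: the same test as the original plugin, now behind the
# safe_checks() gate. A second connect that fails is taken as the service
# having died after the garbage it received.
soc = open_sock_tcp(port);
if (!soc) exit(0);
send(socket:soc, data:crap(2048));
close(soc);
soc2 = open_sock_tcp(port);
if (!soc2)
{
  # Confirmed by observation, so this time the writer reports a hole.
  report = string(
    "The service on port ", port, " stopped answering after receiving\n",
    "2048 bytes of garbage.\n",
    "Solution: block this port from outside communication.\n",
    "Risk factor : Low\n");
  security_hole(port:port, data:report);
}
else close(soc2);
```

The gate is the whole point of the example: a production scan with safe checks enabled can run this plugin without ever sending the crash payload, and the report makes the reduced confidence visible to the person reading it.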

Page 21

Result

• Graphical report
  – This pie chart classifies security risks as LOW, MEDIUM and HIGH.
  – The classifications are defined by the script writers.

Page 22

Result

• Graphical report...
  – Here the number of security holes is plotted against the dangerous services.
  – In my test, only 1 hole was found per service.

Page 23

Result

• Graphical report...
  – Major services are plotted against the number of holes found.
  – The ports for which the gathered data shows no information are marked as "Unknown".

Page 24

Conclusion

• Nessus's report generation is the most interesting feature.
• Vulnerabilities are classified on the basis of risk factor, NOT OS or protocol - better for the SysAdmin.
• One of the most flexible, open-source and powerful vulnerability scanners.

"Nessus Network Security Scanner offers a free and extremely thorough way to scan your network for vulnerabilities. This cross-platform utility offers an overwhelming number of configuration and scanning options." - PC Magazine

Page 25

Reference

• http://www.nessus.org/

• http://www.securityfocus.com/infocus/1741

• http://www.securityfocus.com/infocus/1753

• http://www.nessus.org/doc/nasl.html

• http://www.pcmag.com/article2/0,4149,1400321,00.asp

Page 26

Thank You

Questions!!