No ace sysadmin should be without Nessus; it’s the utility of choice for
hardcore security scanning. Nessus is based on nmap, the excellent port
scanner by Fyodor. Primarily authored by Renaud Deraison, it adds a nice
graphical interface and loads of attack functions.
A nice use for that elderly Pentium sitting around getting in the way is to
turn it into a security-monitoring box. There is a wealth of good free
network utilities that run on Unix/Linux; give that old PC a useful job to
do.
Getting Nessus ready to use is a two-step process: install the server, then
configure the client. The client, nessus, is the user interface to the
server, nessusd. Nessus is multi-user; users are managed with access control
lists. It runs either in X or from the console. Nmap is required, as is the
Gtk toolkit for running Nessus in X. OpenSSL is not required, but is
recommended for communication between the client and server, and for testing
SSL services. A good Windows client is available, NessusWX; both the *nix and
Windows versions are licensed under the GPL.
Installation
Installation is straightforward: download the tarballs, and install them in
this order:
- nessus-libraries
- libnasl
- nessus-core
- nessus-plugins
Be sure to verify the MD5 checksums: md5sum --check filename. If
you want to run Nessus only from the command line, set this up during
configuration of nessus-core:
$ ./configure --disable-gtk
I prefer the Gtk version; the graphical interface is a real time-saver.
Compiling nessus-libraries with --enable-cipher will cause Nessus to
generate a private key, used to encrypt communications between the server
and client. This is not the same as using OpenSSL; don’t use both. The key
can be protected with a password.
After installation and key generation, set up the user database and
permissions. If it’s just you, this will be easy. Use allow-deny rules to
control which network segments users can access. Nessus is a powerful,
potentially dangerous tool; don’t let your minions fool around unfettered on
your network.
The configuration file, /usr/local/etc/nessus/nessusd.conf, usually works
without editing. Have a look at it to make sure it puts things where you want
them. Once everything looks right, start nessusd:
# nessusd -D
Yes, you read that right: run it as root. As Nessus does not run as a public
service, and has all kinds of built-in security, it’s probably OK. The
nervous can fiddle with chroot. Now set up the client: type nessus at
the prompt. Do this on the same machine nessusd is on if you like. It will
first ask for the key password, if you set one. Enter it, then click ‘login’,
and away you go. The #1 reason for login failure: not having a user account
on the server. Windows users need to install the client software separately.
Running Scans
The tabbed interface is well thought out and logically organized. Select the
tests you want by clicking checkboxes and typing additional options, such as
IP addresses and port ranges. Nessus supports CIDR notation; if you’re still
resisting using it, it’s high time to learn. Once the scan starts, it
displays in real time, and also logs everything.
Extending Nessus
Nessus performs over 700 security checks. It is aggressive; using it to poke
around other people’s networks will get you in trouble. Nessus not only
probes for banners, it simulates various protocols by fibbing. It will
pretend to be a Web server, or an SMB client, or FTP, or whatever server it is
testing. It finds trojans and backdoors, and tests for CGI weaknesses. Some
scans will slow down network traffic, or even cause crashes. There is a ‘safe
scan’ option that only reads banners. This is usually not reliable; after all,
what network admin worth her salt permits truthful banners? And ‘safe scan’
does not test for vulnerabilities, which is the main purpose of Nessus. So it
may take some trial and error to craft a scan that won’t create problems.
Nessus is most untrusting: it does not assume that standard services will
adhere to IANA port numbers, but will recognize services running on
non-standard ports. For example, if your Webmaster gets squirrely and runs
http on port 31337, Nessus will know, and report it.
The heart of Nessus is its vast collection of plugins. The Nessus team
created a scripting language called NASL: Nessus Attack Scripting Language.
Plugins can be written in any language, but NASL is preferable for these
reasons:
- a NASL script will not send any packet to a host other than the target
host
- it will not execute any commands on your local system
- it is simple enough to learn quickly, so that anyone can write custom
plugins
- the user never needs to touch the core Nessus code
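As an added illustration of the plugin style described above (not code from
the article or from the Nessus project), here is a minimal NASL gather-info
plugin that reports a web server's banner wherever it listens, using the
knowledge-base entry that find_service fills in. Function names follow the
NASL of the Nessus 1.x era; the script_id value is a placeholder, and the
plugin only reads a banner, which is also all that a ‘safe scan’ does.

```nasl
# Added example plugin, not part of the Nessus distribution.
# Reports the Server: header of the HTTP service, on whatever port it runs.

if(description)
{
  script_id(99999);                        # placeholder id, not an official one
  script_version("$Revision: 1.0 $");
  script_name(english:"Report HTTP server banner");
  script_description(english:"Reports the Server: header announced by the web server.");
  script_summary(english:"Reads the HTTP server banner");
  script_category(ACT_GATHER_INFO);        # informational check, nothing intrusive
  script_family(english:"General");
  script_copyright(english:"Example plugin, no rights reserved");
  script_dependencie("find_service.nes");  # find_service records Services/www in the KB
  script_require_ports("Services/www", 80);
  exit(0);
}

# The KB entry holds the real HTTP port, so this works when http runs on
# 31337 instead of 80; fall back to 80 if find_service found nothing.
port = get_kb_item("Services/www");
if(!port) port = 80;
if(!get_port_state(port)) exit(0);

soc = open_sock_tcp(port);
if(!soc) exit(0);

send(socket:soc, data:string("HEAD / HTTP/1.0\r\n\r\n"));
banner = recv(socket:soc, length:4096);
close(soc);

if(!banner) exit(0);

# Keep only the Server: line; an admin who hides the banner gets no report.
server = egrep(pattern:"^Server:", string:banner);
if(server)
{
  report = string("The web server on port ", port, " announces itself as:\n", server);
  security_note(port:port, data:report);
}
```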
Here’s a wee sampling of the available plugins:
- Back Orifice
- PC Anywhere
- Deep Throat
- Code Red
- VNC
- WinSatan
- /cgi-bin/get32.exe
- Is /scripts/ listable?
- Tortures the arguments of the remote CGIs
- various Denial of Service tests
- attempts to log in using rsh
- remote root exploits
Reports
Reporting is one of Nessus’ strongest features. At the conclusion of a scan,
a summary is displayed, with problems highlighted. Reports can be displayed
in five different formats, from plain old boring ASCII to jazzy colored pie
charts.
Vulnerability auditing needs to be done on a regular basis. It carries some
risks, such as slowing network operations down, or even causing hosts to
crash. Don’t forget to look for threats from within as well as without. The
most time-consuming part is reviewing the logs; Nessus can fill up dozens of
pages without even trying hard. It does a good job of finding and reporting
trouble spots all on its own; still, there’s no substitute for human eyeballs
on the raw data. The current version of Nessus implements ‘diff scans’: only
the differences between a new scan and an old one are displayed. Differential
scans are still considered experimental.
Another useful, and still-experimental, feature is detached scans. These run
the scans in the background; there is no real-time display. Scans can be
timed to run continuously, over and over, or periodically, at set intervals.
Reports are emailed to the admin only when there is trouble. A cron job
automatically keeps Nessus patched and up-to-date. This is a rather
unrealistically optimistic scenario at the moment, but Nessus development and
maintenance is active, so it could be a dependable reality in the near
future.
Resources
Nessus mail list
Nessus