Nessus - NASL
Marmagna Desai [592 Project]

Agenda
• Introduction
  – Nessus
  – Nessus Attack Scripting Language [NASL]
• Features
  – Nessus
  – NASL
• Testing Environment
• Test Result
• Conclusion

Introduction - Nessus
• Nessus:
  – Remote vulnerability scanner.
  – Remote data gathering, host identification and port scanning are the main purposes of using this tool.
  – Client/server setup.
    • Server – UNIX based.
    • Client – Windows and UNIX based.
  – Open source, highly flexible, harmless.

Introduction - NASL
• NASL
  – Scripting language used by Nessus to form attacks that detect vulnerabilities.
  – Guarantees:
    • Will not send packets to any host other than the target.
    • Will execute commands only on the local system.
  – Optimized built-in functions to perform network-related tasks.
    • [e.g. socket operations, open a connection if a port is open, forge IP/TCP/ICMP etc. packets]
  – Rich Knowledge Base [KB], which provides the ability to use the results of other scripts in a custom script.

Features - Nessus
• Plug-in architecture
  – Security tests are external plugins; tests can be added or modified without reading the Nessus source code.
• Security vulnerability database
  – The database is updated on a daily basis and keeps a record of the latest security holes.
• Client-server architecture
  – Server: performs attacks.
  – Client: front-end.
  – Both can be located on different machines.

Features - Nessus
• Can test an unlimited number of hosts in each scan.
  – Depending on the power of the server, a scan can be performed on any range of hosts.
• Smart service recognition.
  – Does not rely on a fixed port for a particular service.
  – Checks all ports for a specific vulnerability.
• Non-destructive.
  – An option is given to run only non-destructive scripts for scanning; Nessus will then rely only on banner information.
NASL Example

    # This script was written by Noam Rathaus <[email protected]>
    #
    if(description)
    {
        script_id(10326);
        script_version ("$Revision: 1.12 $");
        script_cve_id("CAN-2000-0047");
        name["english"] = "Yahoo Messenger Denial of Service attack";
        script_name(english:name["english"]);
        desc["english"] = "
    It is possible to cause Yahoo Messenger to crash by sending a few bytes
    of garbage into its listening port TCP 5010.

    Solution: Block those ports from outside communication
    Risk factor : Low";
        script_description(english:desc["english"]);   # registers the text assigned above
        script_copyright(english:"This script is Copyright (C) 1999 SecuriTeam");
        family["english"] = "Denial of Service";
        script_family(english:family["english"]);
        exit(0);
    }

NASL - Example

    #
    # The script code starts here
    #
    if (get_port_state(5010))
    {
        sock5010 = open_sock_tcp(5010);
        if (sock5010)
        {
            send(socket:sock5010, data:crap(2048));   # 2048 bytes of filler
            close(sock5010);
            sock5010_sec = open_sock_tcp(5010);       # reconnect: did the service survive?
            if ( !sock5010_sec )
            {
                security_hole(5010);
            }
            else close(sock5010_sec);
        }
    }

NASL Experiment
Remote host: socr.uwindsor.ca

    if(description){
        script_name(english:"Marmagna's Trivial Scanner");
        script_description(english:"This script is part of Project");
        script_summary(english:"Port Range is 1-1024");
        script_family(english:"windows");
        script_copyright(english:"Marmagna[101282813]");
        exit(0);
    }

NASL - Experiment

    #Actual Script Starts Here#
    for(i=1;i<=1024;i++){                       # walk TCP ports 1-1024
        soc = open_sock_tcp(i);
        if(soc){
            data = receive(socket:soc, length:200);   # read up to 200 bytes of banner
            display(data+"\n");
            display(i+"\n");
            security_warning(port:i, data:"port is open");
            close(soc);
        }
    }

Output Gathered

    desai8@socr:~/nessus/lib/nessus/plugins$ nasl -t socr.uwindsor.ca marmagna.nasl
    **WARNING : Packet forgery will not work
    **As NASL is not running as Root
    7 port is open
    21 port is open : 220 ProFTPD 1.2.8 Server(SOCR) [socr.uwindsor.ca]
    22 port is open: SSH-1.99-OpenSSH_3.7.1p2
    23 port is open: ...........#..
    25 port is open: 250 socr.uwindsor.ca ESMTP Sendmail 8.12.10/8.12.10; Thu, 19 Feb 2004 19:03:33 -0500
    37 port is open: ...W
    110 port is open: +OK Qpopper (version 4.0.4) at socr.uwinsor.ca starting.

Output Continued...

    113 port is open:
    143 port is open: OK [CAPABILITY IMAP4RAV1 LOGIN-REFERRALS STARTTLS AUTH = LOGIN] localhost
    443 port is open:
    993 port is open:
    995 port is open:
    SOCR IS VULNERABLE....!!!!!!

Testing Environment
• Download:
  – Best and easy way:
    • Make sure Lynx is installed and execute:
      lynx -source http://install.nessus.org | sh
    • It will download and install the Nessus client, server and NASL libraries.
  – Easy way:
    • Download the script nessus-installer.sh from:
      http://ftp.nessus.org/nessus/nessus-0.10a/nessusinstaller/
    • Execute: sh nessus-installer.sh

Testing Environment
• Immediate step [server side]:
• Creating a user:
  – Execute "nessus-adduser".
  – Create a username, authentication [password/certificate] and rules for the user.
• Execute "nessusd" as a daemon on the UNIX machine.
• The server is ready.
NOTE: For nessusd options please view "man nessusd".

Testing Environment
• Nessus server & client
  – 137.207.234.136:1241
• Authentication used:
  – Password
  – "nessus-mkcert" will generate an X.509 certificate.
• Remote host scanned:
  – 137.207.234.50

Testing Environment
• Plugin
  – The scan is enabled for all possible plugins.
  – "upload-plugin" lets you add a plugin from the local database.
  – Dependencies can be enabled while scanning.

Testing Environment
• Scanning options
  – Port range.
  – Consider unscanned ports as closed [firewall].
  – Which port scanner to use [nmap etc.].
  – How many hosts and plugins are scanned at a time.
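The trivial scanner above opens every port itself and does not use the Knowledge Base that the NASL introduction advertises. The following read-only plugin is an added example, not code from the deck or from Nessus: it reuses the port that the service-detection plugin records under the KB key Services/ftp, reads the FTP greeting without sending anything, and stores the banner back in the KB for other scripts. The script id 90001, the KB key ftp/banner/<port> and the dependency name find_service.nes are assumptions.

```nasl
# Added example, not part of the deck: read-only FTP banner check that
# reuses and extends the Knowledge Base instead of re-scanning.
# Assumed: NASL 1.x API as on the slides, find_service.nes populating
# "Services/ftp", placeholder script id 90001.
if (description)
{
    script_id(90001);                       # placeholder id
    script_version("$Revision: 0.1 $");
    script_name(english:"FTP banner to knowledge base");
    script_description(english:"Reads the FTP greeting and stores it in the KB for other scripts.");
    script_summary(english:"Grab FTP banner, store in KB");
    script_category(ACT_GATHER_INFO);       # read-only: runs under safe checks
    script_family(english:"General");
    script_copyright(english:"Added example");
    script_dependencie("find_service.nes"); # NASL spells the function this way
    script_require_ports("Services/ftp", 21);
    exit(0);
}

# Reuse the port find_service detected; fall back to 21.
port = get_kb_item("Services/ftp");
if (!port) port = 21;
if (!get_port_state(port)) exit(0);

# Another plugin (or an earlier run) may already have stored the banner.
kbname = string("ftp/banner/", port);
banner = get_kb_item(kbname);
if (!banner)
{
    soc = open_sock_tcp(port);
    if (!soc) exit(0);
    banner = recv_line(socket:soc, length:1024);   # one greeting line, nothing sent
    close(soc);
    if (!banner) exit(0);
    set_kb_item(name:kbname, value:banner);       # share with dependent scripts
}

# Report; call out version disclosure in the greeting as a hardening note.
if (egrep(pattern:"^220 .*[0-9]+[.][0-9]+", string:banner))
{
    security_note(port:port,
                  data:string("The FTP server announces its version in the greeting:\n", banner));
}
else
{
    security_note(port:port, data:string("FTP greeting: ", banner));
}
```

Run it the same way as the deck's experiment (nasl -t <host> <file>.nasl); the ProFTPD greeting in the output above would be reported under the version-disclosure branch.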
Testing Environment
• Target section
  – 137.207.234.50
  – 137.207.234.1-50
  – 137.207.234.1/24
  – //arunita2
• A single IP, a range of IPs, CIDR, hostname.

Test Result [137.207.234.50]
• Security holes:
  – 2 security holes have been found.
• Warnings:
  – 16 security warnings have been found.
• Notes:
  – 22 security notes have been found.
The holes, warnings and notes are defined by the plugin writer.

Descriptive Report
• Vulnerability found on port http (80/tcp)
    The remote WebDAV server may be vulnerable to a buffer overflow when it receives a too long request.
    An attacker may use this flaw to execute arbitrary code within the Local System security context.
    *** As safe checks are enabled, Nessus did not actually test for this
    *** flaw, so this might be a false positive
    Solution : See http://www.microsoft.com/technet/security/bulletin/ms03-007.asp
    Risk Factor : High
    CVE : CAN-2003-0109
    BID : 7116
    Other references : IAVA:2003-A-0005
    Nessus ID : 11412

Result
• Graphical report
  – This pie chart classifies security risks as LOW, MEDIUM and HIGH.
  – Classifications are defined by the script writers.

Result
• Graphical report...
  – Here the number of security holes is plotted against dangerous services.
  – In my test, only 1 hole was found per service.

Result
• Graphical report...
  – Major services are plotted against the number of holes found.
  – The ports on which the gathered data does not show any information are marked as "Unknown".

Conclusion
"Nessus Network Security Scanner offers a free and extremely thorough way to scan your network for vulnerabilities. This cross-platform utility offers an overwhelming number of configuration and scanning options." - PC Magazine
• Nessus's report generation is the most interesting feature.
• Vulnerabilities are classified on the basis of risk factor, NOT OS or protocol - better for the sysadmin.
• One of the most flexible, open-source and powerful vulnerability scanners.
Reference
• http://www.nessus.org/
• http://www.securityfocus.com/infocus/1741
• http://www.securityfocus.com/infocus/1753
• http://www.nessus.org/doc/nasl.html
• http://www.pcmag.com/article2/0,4149,1400321,00.asp

Thank You
Questions!!