1. 1 Nessus - NASL Marmagna Desai [592- Project]

2. 2 Agenda Introduction –Nessus –Nessus Attack Scripting Language [ N A S L] Features –Nessus –NASL Testing Environment Test Result Conclusion

3. 3 Introduction - Nessus Nessus: –Remote Vulnerability Scanner –Remote Data Gathering, Host Identification, Port Scanning are the main purposes of using this tool. –Client/Server Setup. Server – UNIX Based Client – Windows and UNIX Based. –Open Source, Highly flexible, Harmless.

4. 4 Introduction - NASL NASL –Scripting Language used by Nessus to form Attacks to detect vulnerability. –Garantees Will not send packets to any other hosts than target Will execute commands on only local systems. –Optimized built-in fuctions to perform Network related tasks. [e.g. Socket operations, open connection if port is open, forge IP/TCP/ICMP etc. Packets ] –Rich Knowledge Base [KB], which provides ability to use results of other scripts to use in custom script.

5. 5 Features - Nessus Plug-in Architecture –Security Tests are as external Plugins, easy to add / modify tests without reading source code of Nessus. Security Vulnerability Database –Database is updated Daily Bases, keeps record of latest security holes. Client-Server Architecture –Server: Performs Attacks –Client: Front-end –Both can be located at different machines

6. 6 Features - Nessus Can Test unlimited amount of hosts in each scan. –Depending on the power of Server, scan can be performed on any range of hosts. Smart Service Recognition. –Doesn't believe on fixed port for particular service. –Checks all ports for specific vulnerability. Non-Destructive. –The option is given to choose all non-destructive scripts to run for scanning, Nessus will rely only on banner information.

7. 7 NASL Example # This script was written by Noam Rathaus # if(description) { script_id(10326); script_version ("$Revision: 1.12 $"); script_cve_id("CAN-2000-0047"); name["english"] = "Yahoo Messenger Denial of Service attack"; script_name(english:name["english"]); desc["english"] = " It is possible to cause Yahoo Messenger to crash by sending a few bytes of garbage into its listening port TCP 5010. Solution: Block those ports from outside communication Risk factor : Low"; script_copyright(english:"This script is Copyright (C) 1999 SecuriTeam"); family["english"] = "Denial of Service"; script_family(english:family["english"]; exit(0); }

8. 8 NASL - Example # # The script code starts here # if (get_port_state(5010)) { sock5010 = open_sock_tcp(5010); if (sock5010) { send(socket:sock5010, data:crap(2048)); close(sock5010); sock5010_sec = open_sock_tcp(5010); if ( !sock5010_sec ) { security_hole(5010); } else close(sock5010_sec); }

9. 9 NASL Experiment Remote Host: socr.uwindsor.ca if(description){ script_name(english:”Marmagna's Trivial Scanner”); script_description(english:”This script is part of Project”); script_summary(english:”Port Range is 1-1024”); script_family(english:”windows”); script_copyright(english:”Marmagna[101282813]”); exit(0); }

10. 10 NASL - Experiment #Actual Script Starts Here# for(i=1;i<-1024;i++){ soc = open_sock_tcp(i); if(soc){ data = receive(socket:soc, length:200); display(data+”\n”); display(i+”\n”); security_warning(data:”port is open”); }

11. 11 Output Gathered desai8@socrdesai8@socr:~/nessus/lib/nessus/plugins$nasl -t socr.uwindsor.ca marmagna.nasl **WARNING : Packet forgery will not work **As NASL is not running as Root 7 port is open 21port is open : 220 ProFTPD 1.2.8 Server(SOCR) [socr.uwindsor.ca] 22port is open: SSH-1.99-OpenSSH_3.7.1p2 23port is open:...........#.. 25 port is open: 250 socr.uwindsor.ca ESMTP Sendmail 8.12.10/8.12.10; Thu, 19 Feb 2004 19:03:33 -0500 37 port is open:...W 110 port is open: +OK Qpopper (version 4.0.4) at socr.uwinsor.ca starting.

12. 12 Output Continued... 113 port is open: 143 port is open: OK [CAPABILITY IMAP4RAV1 LOGIN-REFERRALS STARTTLS AUTH = LOGIN] localhost 443 port is open: 993 port is open: 995 port is open: SOCR IS VULNERABLE....!!!!!!

13. 13 Testing Environment Download: –Best and Easy way: Make sure Lynx is instsalled and Execute: –Lynx -source http://install.nessus.org | shhttp://install.nessus.org It will download and install NESSUS-CLIENT, SERVER and NASL libraries. –Easy way: Download script: –Nessus-installer.sh from: –http://ftp.nessus.org/nessus/nessus-0.10a/nessus- installer/http://ftp.nessus.org/nessus/nessus-0.10a/nessus- installer/ Execute : sh nessus-installer.sh

14. 14 Testing Environment Immediate Step: [Server Side] Creating a User: –Execute : “nessus-adduser” –Create Username, Authentication [password/Cert] and Rules for User. Execute “nessusd” as Daemon on UNIX machine. The server is ready. NOTE: For nessusd options please view “man nessusd”

15. 15 Testing Environment Nessus Server &Client –137.207.234.136:1241 Authentication used: –Password –“nessus-mkcert” will generate X.509 Cert. Remote Host Scanned: –137.207.234.50

16. 16 Testing Environment Plugin –Scan is enabled for all possible plugins. –“upload-plugin” gives you to add plugin from local database. –Dependancies can be set enabled while scanning.

17. 17 Testing Environment Scanning Options –Port Range –Consider Unscanned ports as closed. [firewall] –Which Port Scanner to use. [nmap etc.] –How many hosts and plugings be scanned at a time.

18. 18 Testing Environment Target Section –137.207.234.50 –137.207.234.1-50 –137.207.234.1/24 –//arunita2 A single IP,A range of IP,CIDR,Hostname

19. 19 Test Result [137.207.234.50] Security Holes: –2 security holes have been found Warnings: –16 security warnings have been found Notes –22 security notes have been found The holes, warnings and notes are defined by plugin writer:

20. 20 Descriptive Report Vulnerability found on port http (80/tcp) The remote WebDAV server may be vulnerable to a buffer overflow when it receives a too long request. An attacker may use this flaw to execute arbitrary code within the Local System security context. *** As safe checks are enabled, Nessus did not actually test for this *** flaw, so this might be a false positive Solution : See http://www.microsoft.com/technet/security/bulletin/ms03-007.asp Risk Factor : High CVE : CAN-2003-0109 BID : 7116 Other references : IAVA:2003-A-0005 Nessus ID : 11412 http://www.microsoft.com/technet/security/bulletin/ms03-007.aspCAN-2003-0109711611412

21. 21 Result Graphical Report –This Pie-chart classifies security risks in LOW, MEDIUM and HIGH. –Classifications are defined by script- writers.

22. 22 Result Graphical Report... –Here number of security holes are plotted wrt dangerous services. –In my test, only 1 hole is found per service.

23. 23 Result Graphical Report... –Major Services are plotted against number of holes found. –The ports on which gathered data is not showing any information, are marked as “Unknown”

24. 24 Conclusion Nessus's Report Generation is the most interesting feature. Vulnerabilities are classified on the bases of risk-factor, NOT os or protocol. - better for SysAdmin. One of the most flexible, opensource and powerful vulnerability scanner. “Nessus Network Security Scanner offers a free and extremely thorough way to scan your network for vulnerabilities. This cross-platform utility offers an overwhelming number of configuration and scanning options.” - PC Magazine

25. 25 Reference http://www.nessus.org/ http://www.securityfocus.com/infocus/174 1 http://www.securityfocus.com/infocus/175 3 http://www.nessus.org/doc/nasl.html http://www.pcmag.com/article2/0,4149,14 00321,00.asp

26. 26 Thank You Questions!!