Hack 43 Scan Your Network for Vulnerabilities

Use Nessus to quickly and easily scan your network for services that are vulnerable to attack.

As a network administrator, you not only need to know which hosts are on your network and the services they are running, but also if those services are vulnerable to exploits. While Nmap [Hack #40] can only show you what machines and ports are reachable on your network, a security scanner such as Nessus (http://www.nessus.org) can tell you if those machines are vulnerable to known exploits.

Unlike a regular port scanner, a security scanner first locates listening services, and then connects to those services and attempts to execute all known exploits. It then records whether the exploit was successful and continues scanning until all available services have been tested. The key benefit here is that you'll know at a glance how your systems perform against the most recent exploits, and thus know whether they truly are vulnerable to attack.

If you're feeling a bit adventurous, Nessus can be installed by simply typing the following command:

$ lynx -source http://install.nessus.org | sh

This will completely automate the installation of Nessus, but isn't really a good idea since you don't know what you'll be executing on your system until you actually run it. A better way to install Nessus that retains the benefits of the automated installer is to download the nessus-installer.sh script and execute it manually. After you've downloaded the installer script and run it, you will be asked where you want to install Nessus (the default is /usr/local) and prompted for your root password. The script will then create a temporary SUID shell that is accessible only through your user account. This may sound alarming at first, but it tells you the filename for the shell, so you can verify that it is indeed accessible only to you and make sure that it is deleted when the installation has completed.

After installation has finished, you'll need to create a Nessus user (not the same thing as a Unix account). Since Nessus uses a client-server model, you'll also need to generate a certificate so that all communications can be encrypted.

To create a new Nessus user, run nessus-adduser. It will then prompt you for a name and a password. To create a certificate, you can run nessus-mkcert, or if you have your own Certificate Authority (CA) [Hack #45], you can use that to create a certificate for Nessus to use. If you do use your own CA, you'll need to edit nessus.conf to tell it where to look for the CA certificate and the certificate and key that you generated.

The configuration file usually lives in /etc or /usr/local/etc. To tell Nessus where its certificates are, add lines similar to the following:

cert_file=/etc/ssl/nessus.key key_file=/etc/ssl/nessus.crt ca_file=/etc/ssl/ca.crt

If you generated a certificate-key pair and used a password, you can specify that password here as well:

pem_password=mypassword

After you've done all of that, you can start the Nessus daemon. This is the business end of Nessus and is what will actually perform the scans against the hosts on your network.

You can start it by running something similar to this command:

# /usr/local/sbin/nessusd -D

Now you can start the Nessus client and connect to the server. There are several Nessus clients available, including a command-line interface, an X11 application, and a Windows client. The figures in this hack show the X11 interface. You can start the client by simply typing nessus. After you've done that, you should see a window like the one shown in Figure 3-8.

Figure 3-8. Nessus client setup

You'll need to fill in the information for the user that you created and click the "Log In" button. After that, you'll be presented with a dialog that allows you to verify the information contained in the server's certificate.

To select which types of vulnerabilities to scan for, click on the Plugins tab, and you'll see something similar to Figure 3-9.

Figure 3-9. Nessus plugin selection

In the top pane you can enable or disable types of scans, and in the bottom pane you can disable individual vulnerability checks that belong to the category selected in the top pane. One thing to note: scans listed in the bottom pane that have an exclamation icon next to them will potentially crash the server that they are run against. If you want to enable all scans except for these, you can click the "Enable all but dangerous plugins" button. If you're running Nessus on a noncritical machine, you can probably leave these scans on, but you have been warned! You'll probably want to disable several types of scans unless you need to scan a machine or group of machines that run a wide variety of services; otherwise, you'll waste time having Nessus scan for services that you aren't running. For instance, if you wanted to scan a Solaris system, you might disable CGI abuses, CISCO, Windows, Peer-To-Peer File Sharing, Backdoors, Firewalls, Windows User Management, and Netware plug-ins.

In order for Nessus to more thoroughly test your services, you can supply it with login information for various services. This way, it can actually log into the service that it is testing and have access just like any normal user. You can tell Nessus about the accounts to use with the Prefs tab, as shown in Figure 3-10.

Figure 3-10. Nessus's Prefs tab

In addition, you can tell Nessus to attempt brute-force logins to the services it is scanning. This can be a good test not only of the services themselves, but also of your intrusion detection system (IDS) [Hack #82] and your system logs.

The "Scan options" tab lets you configure how Nessus will conduct its port-scans. Most of these settings can be left at their default value, unless you are also checking to see whether Nessus can evade detection by the hosts that you are scanning. For instance, Nessus is configured by default to perform full TCP connect scans and to ping the remote host that it is scanning. You can change this behavior by going to the "Scan options" tab, enabling "SYN scans" instead of "TCP connect", and disabling the ping. To specify which hosts you want to scan, you can use the "Target selection" tab.

After you've made your selections, try scanning a host by clicking "Start the scan" at the bottom of the window. You should now see a window similar to Figure 3-11. In this case, Nessus is performing a scan against a Solaris machine.

Figure 3-11. Performing a vulnerability scan

The results of the scan are shown in Figure 3-12.

Figure 3-12. The vulnerability scan results

If you scanned multiple subnets, you can select those in the Subnet pane. Any hosts that are in the selected subnet will then appear in the Host pane. Similarly, when you select a host, the list of open ports on it will appear in the Port pane. You can select these to view the warnings, notes, and possible security holes that were found regarding the selected port. You can view the information that Nessus provides for these by clicking on them in the Severity pane. Don't be too alarmed by most of Nessus's security notes and warnings; they are designed mainly to let you know what services you are running and to tell you if that service might present a potential vulnerability. Security holes are far more serious and should be investigated.

To save the report that you are viewing, click the "Save report" button. Nessus will let you save reports in a variety of formats. If you want to view the report in Nessus again at a later date, you should use Nessus's own report format (NBE). Reports in this format can be viewed by using the "Load report" button in the main Nessus client window. Additionally, you can save reports in XML, HTML, ASCII, and even LaTeX format.

While Nmap is probably the champion of host and port detection, Nessus goes even further to demonstrate whether your own services are vulnerable to known attacks. Of course, new exploits surface all of the time, so it is important to keep your Nessus plug-ins up-to-date. Using Nessus, you can protect your own services by attempting to break into them before the bad boys do.