Thursday, May 28, 2009

Vulnerability Scanner: Nessus

If you're looking for a vulnerability scanner, chances are you've come across a number of expensive commercial products and tools with long lists of features and benefits. Unfortunately, if you're in the same situation as most of us, you simply don't have the budget to implement fancy high-priced systems. You might have considered compromising by turning to free tools like nmap. However, you probably saw these tools as a compromise, as their feature sets didn't quite match the commercial offerings.

It's time that you learn how to use Nessus! This free tool offers a surprisingly robust feature-set and is widely supported by the information security community. It doesn't take long between the discovery of a new vulnerability and the posting of an updated script for Nessus to detect it. In fact, Nessus takes advantage of the Common Vulnerabilities and Exposures (CVE) architecture that facilitates easy cross-linking between compliant security tools.

The Nessus tool works a little differently than other scanners. Rather than purporting to offer a single, all-encompassing vulnerability database that gets updated regularly, Nessus supports the Nessus Attack Scripting Language (NASL), which allows security professionals to use a simple language to describe individual attacks. Nessus administrators then simply include the NASL descriptions of all desired vulnerabilities to develop their own customized scans.

With the release of Nessus 3 in December 2005, Tenable Network Security Inc., the company behind Nessus, introduced a complete overhaul of the product. The most current version at the time of this writing, Nessus 3.2, was released in March 2008. Nessus is now available for a wide variety of platforms, including Windows, various flavors of Linux, FreeBSD, Solaris and Mac OS X. Here's an overview of the significant changes in Nessus 3:

  • Nessus is now closed-source. The base product is still available for free. With the introduction of Nessus 3, however, Tenable moved Nessus from an open source to a commercial licensing model. In other words, while the software itself remains free, updated vulnerability information will come with a fee, at least for enterprises (home users may download updates for free). Tenable cites the need to invest in the future of Nessus as the motivation for moving to a proprietary license scheme.
  • Significant speed enhancements. In benchmarking tests performed by Tenable, Nessus 3 scans systems at about twice the speed of Nessus 2. This is due to optimizations in the scan engine and a complete overhaul of NASL.
  • Dramatic reduction in resource requirements. Nessus 3 uses significantly less memory and CPU cycles than Nessus 2, allowing simultaneous scanning of a larger number of hosts.

Nessus uses a modular architecture consisting of centralized servers that conduct scanning and remote clients that allow for administrator interaction. You may deploy Nessus scanning servers at various points within your enterprise and control them from a single client. This allows you to effectively scan segmented networks from multiple vantage points and conduct scans of large networks that require multiple servers running simultaneously.

If you're looking for a robust, inexpensive vulnerability scanning product, definitely take Nessus out for a test drive! The tips in this tutorial will guide you along the way.

Nessus Installation on Red Hat Linux

I understand that there are many ways to install and configure Nessus. This tutorial covers only one of them. This tutorial makes several assumptions:
1. You are competent with Windows, Linux and basic networking. If you don’t know how to use command line FTP for example, then this tutorial will be of no use to you.
2. You have 2 computers, one with Windows and the other with Red Hat, both in good working order. It also assumes that you have at least one supported compiler such as GCC installed on your Red Hat box.
3. This tutorial is written by me with no references or “borrowed” material. If something doesn’t work or something isn’t clear, yell at me because I am 100% responsible.


On your Red Hat box, from the directory of your choice, ftp to and login anonymously. Once there, path to /pub/nessus/nessus-2.0.7/nessus-installer/ and download

Now that you have all of the software, it’s time to install. Let’s begin with the Nessus engine because it requires most of the work.

1. From the directory where you downloaded, simply type: sh The Nessus installation script will tell you that you need root privileges to complete the install; press ENTER to continue if you are logged in as root already.
2. Nessus will ask where you want it installed. /usr/local is the default so just hit ENTER when you see the prompt. At this point, Nessus will tell you that it is ready to compile. Hit ENTER and sit back while it compiles. It will take a little while. When it is finished, you’ll see a screen detailing the next steps. Hit ENTER.
3. Now, at this point you have to decide if you want Nessus to start up each time you boot your box or if you just want to start it when you feel like it. To start it when you feel like it, use /usr/local/sbin/nessusd -D. If you want to start it automatically when your box boots up, add /usr/local/sbin/nessusd -D & to /etc/rc.local.
4. Now, decide how you want to handle updating the plugins. You can do it each time the box boots by adding /usr/local/sbin/nessus-update-plugins & to /etc/rc.local. You can also copy the nessus-update-plugins script to /etc/cron.daily and it will go out each day and grab the updates.
5. OK, we now have to generate a certificate so go to /usr/local/sbin/ and type nessus-mkcert. This will prompt you for a bunch of information that you would see when generating any SSL certificate. Answer all the questions.
6. Now you have to add a user by running nessus-adduser from /usr/local/sbin. When run, provide a login ID of your choice. When it asks for pass or cert, hit ENTER to accept pass as the auth method. When asked for a password, provide one. Next you will see a blurb about user rules. Simply hit Ctrl-D and Nessus will verify your input. Type in “y” and Nessus will inform you that the user has been added.

Now all you have to do is reboot the box to launch Nessus, or start the daemon manually as shown in step 3.
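
Steps 3 and 4 as a re-runnable script, added here as an example (it is not from the original post). The paths and commands are the ones in the steps above; the scratch-tree prefix argument, the --apply switch and the permission check are this example's own conventions.

```shell
#!/bin/sh
# Added example: boot-time start of nessusd plus a daily plugin update.
# The prefix argument lets you rehearse against a scratch tree instead of
# the live /etc (an assumption of this example, not a Nessus feature).
SBIN=/usr/local/sbin          # default install path from step 2

# Append LINE ($2) to FILE ($1) unless that exact line is already present,
# so running the script twice does not start nessusd twice at boot.
add_line_once() {
    [ -f "$1" ] || : > "$1"
    grep -qxF -e "$2" "$1" || printf '%s\n' "$2" >> "$1"
}

# Succeeds only if FILE ($1) is not writable by group or other.
# Everything in rc.local and cron.daily runs as root, so a file there
# that others can edit hands them root. -L follows the rc.local symlink.
root_only() {
    [ -z "$(find -L "$1" -prune \( -perm -020 -o -perm -002 \))" ]
}

configure_nessus_boot() {
    prefix=$1
    rc="$prefix/etc/rc.local"
    job="$prefix/etc/cron.daily/nessus-update-plugins"
    # Step 3: start the daemon at boot.
    add_line_once "$rc" "$SBIN/nessusd -D &"
    # Step 4, cron.daily variant: refresh plugins once a day.
    cp "$prefix$SBIN/nessus-update-plugins" "$job"
    chmod 755 "$rc" "$job"
    for f in "$rc" "$job"; do
        root_only "$f" || { echo "unsafe permissions: $f" >&2; return 1; }
    done
}

# Touch the live system only when asked to (run as root): sh thisfile --apply
if [ "${1:-}" = "--apply" ]; then
    configure_nessus_boot ""
fi
```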

OK, now all you have to do is run the installer. On the first screen, click next to continue. Next click the checkbox if you agree to the license, then hit next to continue. The next screen shows the install path, click next to continue. Select Binaries Only, then click next. The next screen names the program group, hit next to continue. It now has all the info to begin installation. Hit next and it will begin. Once this is done, look for the eyeball icon on your desktop. Launch it. It will ask about a nessusdb and all you need to do is say yes to create it.

OK, now you need to configure a session:
1) From the menu pulldowns, select COMMUNICATIONS, then CONNECT. Enter the IP address of your Nessus server then enter the username you created on the Nessus server. You need to use password authentication and it is your choice to save the password or not. Once you do that, hit CONNECT. Accept the certificate however you like (I always do permanent because I trust the source).
2) From the menu pulldowns, select SESSION then NEW.
3) This will open a window to enter your list of target hosts. Add your hosts in here.
4) Now, each tab has tons of options so I will hit on the key ones for now. Hit the portscan tab and enter the range 1-65535.
5) Hit the plug-ins tab and check “use session specific plugin set”, then hit the select plugins button, then select either all plug-ins (bad idea for a production box that you want to scan) or Non-DOS. Click OK.
6) Now, right click on your session (green book icon) and select EXECUTE.
7) On the next pop-up hit the EXECUTE button and you should see your scan underway.

At this point, you are golden. When the scan is done you can preview it or you can generate a report. I usually select HTML output.

In conclusion, I left out *tons* of options and configs but this tutorial is only intended to get you scanning. You’ll need to look into the docs to explore all this tool has to offer.

Happy scanning!
