Nessus - NASL: Marmagna Desai


Nessus - NASL

Marmagna Desai
[592- Project]
Agenda
• Introduction
– Nessus
– Nessus Attack Scripting Language [NASL]
• Features
– Nessus
– NASL
• Testing Environment
• Test Result
• Conclusion
Introduction - Nessus
• Nessus:
– Remote Vulnerability Scanner
– Remote data gathering, host identification and
port scanning are the main purposes of using
this tool.
– Client/Server setup.
• Server – UNIX based
• Client – Windows and UNIX based.
– Open source, highly flexible, harmless.
Introduction - NASL

• NASL
– Scripting language used by Nessus to form the attacks that
detect a vulnerability.
– Guarantees
• Will not send packets to any host other than the target
• Will execute commands only on the local system.
– Optimized built-in functions to perform network related
tasks.
• [e.g. socket operations, open a connection if a port is
open, forge IP/TCP/ICMP etc. packets]
– Rich Knowledge Base [KB], which lets a custom script use
the results gathered by other scripts.
Features - Nessus

• Plug-in Architecture
– Security tests are external plugins, so tests can be
added or modified without reading the source code of
Nessus.
• Security Vulnerability Database
– The database is updated on a daily basis and keeps a record
of the latest security holes.
• Client-Server Architecture
– Server: performs the attacks
– Client: front-end
– Both can be located on different machines
Features - Nessus

• Can test an unlimited number of hosts in each scan.
– Depending on the power of the server, a scan can be
performed on any range of hosts.
• Smart Service Recognition.
– Does not assume a fixed port for a particular service.
– Checks all ports for a specific vulnerability.
• Non-Destructive.
– When the option to run only non-destructive scripts is
chosen, Nessus relies on banner information alone.
NASL Example
# This script was written by Noam Rathaus <[email protected]> #
if(description) {
 script_id(10326);
 script_version ("$Revision: 1.12 $");
 script_cve_id("CAN-2000-0047");
 name["english"] = "Yahoo Messenger Denial of Service attack";
 script_name(english:name["english"]);
 desc["english"] = "It is possible to cause Yahoo Messenger to crash by
sending a few bytes of garbage into its listening port TCP 5010.
Solution: Block those ports from outside communication
Risk factor : Low";
 # desc[] is only used if it is registered; this call was dropped on the slide
 script_description(english:desc["english"]);
 script_copyright(english:"This script is Copyright (C) 1999 SecuriTeam");
 family["english"] = "Denial of Service";
 script_family(english:family["english"]);   # closing parenthesis was missing
 exit(0);
}

NASL - Example
# The script code starts here #
if (get_port_state(5010)) {
 sock5010 = open_sock_tcp(5010);
 if (sock5010) {
  # the check itself: 2048 bytes of garbage to the listening port
  send(socket:sock5010, data:crap(2048));
  close(sock5010);
  # if the service no longer accepts a connection, it crashed
  sock5010_sec = open_sock_tcp(5010);
  if ( !sock5010_sec ) {
   security_hole(5010);
  } else close(sock5010_sec);
 }
}

NASL Experiment

Remote Host: socr.uwindsor.ca

if(description){
 script_name(english:"Marmagna's Trivial Scanner");
 script_description(english:"This script is part of
Project");
 script_summary(english:"Port Range is 1-1024");
 script_family(english:"windows");
 script_copyright(english:"Marmagna[101282813]");
 exit(0);
}
NASL - Experiment

#Actual Script Starts Here#

# the slide had i<-1024 (i less than minus 1024), which never loops;
# the summary says the range is 1-1024
for(i=1;i<=1024;i++){
 soc = open_sock_tcp(i);
 if(soc){
  data = receive(socket:soc, length:200);   # read up to 200 bytes of banner
  display(data+"\n");
  display(i+"\n");
  security_warning(port:i, data:"port is open");   # report against the port
  close(soc);                                      # free the socket before the next port
 }
}
Output Gathered

desai8@socr:~/nessus/lib/nessus/plugins$ nasl -t socr.uwindsor.ca marmagna.nasl

**WARNING : Packet forgery will not work
**As NASL is not running as Root

7 port is open
21 port is open : 220 ProFTPD 1.2.8 Server(SOCR) [socr.uwindsor.ca]
22 port is open: SSH-1.99-OpenSSH_3.7.1p2
23 port is open: ...........#..
25 port is open: 250 socr.uwindsor.ca ESMTP Sendmail 8.12.10/8.12.10; Thu, 19 Feb 2004 19:03:33 -0500
37 port is open: ...W
110 port is open: +OK Qpopper (version 4.0.4) at socr.uwinsor.ca starting.
Output Continued...
113 port is open:
143 port is open: OK [CAPABILITY IMAP4RAV1 LOGIN-REFERRALS STARTTLS AUTH = LOGIN] localhost
443 port is open:
993 port is open:
995 port is open:

SOCR IS VULNERABLE....!!!!!!

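The output above, turned into an inventory. This is an added example, not part of the slides and not Nessus or NASL code: a Python script that reads the "port is open" lines the trivial scanner printed (the sample is constructed by re-joining the wrapped lines from the slides), records which ports answered with which banner, pulls product versions out of the banners it recognises, and flags the cleartext-credential services for which the scan also shows a TLS-wrapped port. The banner patterns and the cleartext-to-TLS port table are assumptions written for this example.

```python
import re

# Constructed sample: the nasl output from the slides, with each wrapped
# "port is open" line re-joined onto one line (no lines were added).
SAMPLE_OUTPUT = """\
**WARNING : Packet forgery will not work
**As NASL is not running as Root
7 port is open
21 port is open : 220 ProFTPD 1.2.8 Server(SOCR) [socr.uwindsor.ca]
22 port is open: SSH-1.99-OpenSSH_3.7.1p2
23 port is open: ...........#..
25 port is open: 250 socr.uwindsor.ca ESMTP Sendmail 8.12.10/8.12.10; Thu, 19 Feb 2004 19:03:33 -0500
37 port is open: ...W
110 port is open: +OK Qpopper (version 4.0.4) at socr.uwinsor.ca starting.
113 port is open:
143 port is open: OK [CAPABILITY IMAP4RAV1 LOGIN-REFERRALS STARTTLS AUTH = LOGIN] localhost
443 port is open:
993 port is open:
995 port is open:
"""

# One "N port is open[: banner]" line; the banner part may be empty.
LINE_RE = re.compile(r"^(\d+) port is open\s*:?\s*(.*)$")

# Banner patterns for the products seen on the slides (assumed, hand-written).
VERSION_RES = [
    (re.compile(r"ProFTPD ([\w.]+)"), "ProFTPD"),
    (re.compile(r"OpenSSH_([\w.]+)"), "OpenSSH"),
    (re.compile(r"Sendmail ([\d.]+)"), "Sendmail"),
    (re.compile(r"Qpopper \(version ([\d.]+)\)"), "Qpopper"),
]

# Cleartext-credential services and, where one exists, the TLS-wrapped port
# that replaces them (assumed mapping of well-known ports).
CLEARTEXT = {21: ("ftp", None), 23: ("telnet", None),
             110: ("pop3", 995), 143: ("imap", 993)}


def parse_scan_output(text):
    """Map each open port to the banner text received ('' if none)."""
    found = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:                      # warning lines and other chatter are skipped
            found[int(m.group(1))] = m.group(2).strip()
    return found


def software_versions(found):
    """Extract (product, version) from banners that match a known pattern."""
    versions = {}
    for port, banner in found.items():
        for rx, product in VERSION_RES:
            m = rx.search(banner)
            if m:
                versions[port] = (product, m.group(1))
                break
    return versions


def exposure_findings(found):
    """List cleartext services; note when a TLS port or STARTTLS is available."""
    findings = []
    for port, (name, tls_port) in sorted(CLEARTEXT.items()):
        if port not in found:
            continue
        msg = f"{name} on {port}/tcp takes credentials in cleartext"
        if tls_port in found:
            msg += f"; {tls_port}/tcp is also open, so clients can move there"
        if "STARTTLS" in found[port]:
            msg += "; banner advertises STARTTLS"
        findings.append((port, msg))
    return findings


if __name__ == "__main__":
    open_ports = parse_scan_output(SAMPLE_OUTPUT)
    versions = software_versions(open_ports)
    for port in sorted(open_ports):
        prod = versions.get(port)
        label = f"{prod[0]} {prod[1]}" if prod else "-"
        print(f"{port:>4}/tcp  {label:<20} {open_ports[port][:40]}")
    for _, msg in exposure_findings(open_ports):
        print("!", msg)
```

The version table is what a scanner's banner check compares against a vulnerability database; the exposure list is the kind of finding the risk-factor report on the later slides summarises.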
Testing Environment

• Download:
– Best and easiest way:
• Make sure Lynx is installed and execute:
– lynx -source http://install.nessus.org | sh
• It will download and install the NESSUS client,
server and NASL libraries.
– Easy way:
• Download the script:
– nessus-installer.sh from:
– http://ftp.nessus.org/nessus/nessus-0.10a/nessus-installer/
• Execute : sh nessus-installer.sh
Testing Environment
• Next step: [Server Side]
• Creating a user:
– Execute : “nessus-adduser”
– Create the username, the authentication method [password/cert]
and the rules for the user.
• Execute “nessusd” as a daemon on the UNIX
machine.
• The server is ready.

NOTE: For nessusd options please view “man nessusd”

Testing Environment
• Nessus Server & Client
– 137.207.234.136:1241
• Authentication used:
– Password
– “nessus-mkcert” will
generate an X.509 cert.
• Remote Host Scanned:
– 137.207.234.50

Testing Environment
• Plugin
– Scan is enabled for
all possible plugins.
– “upload-plugin” lets
you add a plugin
from the local database.
– Dependencies can
be enabled while
scanning.

Testing Environment
• Scanning Options
– Port range
– Consider unscanned
ports as closed.
[firewall]
– Which port scanner
to use. [nmap etc.]
– How many hosts and
plugins are scanned
at a time.
Testing Environment
• Target Section
– 137.207.234.50
– 137.207.234.1-50
– 137.207.234.1/24
– //arunita2
• A single IP, a range
of IPs, a CIDR block or
a hostname

Test Result
[137.207.234.50]

• Security Holes:
– 2 security holes have been found
• Warnings:
– 16 security warnings have been found
• Notes:
– 22 security notes have been found
Whether a finding is a hole, a warning or a note is
decided by the plugin writer.

Descriptive Report
• Vulnerability found on port http (80/tcp)

The remote WebDAV server may be vulnerable to a buffer overflow when
it receives a too long request.
An attacker may use this flaw to execute arbitrary code within the
Local System security context.
*** As safe checks are enabled, Nessus did not actually test for this
*** flaw, so this might be a false positive
Solution : See
http://www.microsoft.com/technet/security/bulletin/ms03-007.asp
Risk Factor : High
CVE : CAN-2003-0109
BID : 7116
Other references : IAVA:2003-A-0005
Nessus ID : 11412
Result
• Graphical Report
– This pie chart
classifies security
risks as LOW,
MEDIUM and HIGH.
– The classifications are
defined by the script
writers.

Result
• Graphical Report...
– Here the number of
security holes is
plotted against the
dangerous services.
– In my test, only 1
hole is found per
service.

Result
• Graphical Report...
– Major services are
plotted against the
number of holes
found.
– Ports for which the
gathered data shows
no service
information are
marked as “Unknown”.
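The descriptive report and the three graphical reports above, worked as code. This is an added example, not part of the slides and not Nessus code: a Python parser for the text-report layout shown on the descriptive-report slide (a header line, free-text description, the “***” safe-checks banner, then the Solution / Risk Factor / CVE / BID / Other references / Nessus ID fields), followed by the counts behind the risk-factor pie chart and the per-service bar chart, and a list of holes the scanner reported without actually testing. The first sample entry is the slide's own; the second is a placeholder entry constructed here (it describes no real finding) so that the “Unknown” service case is exercised. The header wording “Vulnerability/Warning/Information found on port” is an assumption about the old text-report format.

```python
import re
from collections import Counter

# Constructed sample report. The first entry is the slide's descriptive report
# with its wrapped lines re-joined; the second is a placeholder invented for
# this example (it describes no real finding) so the aggregation has a second
# row, on a service the scanner could not name.
SAMPLE_REPORT = """\
Vulnerability found on port http (80/tcp)
The remote WebDAV server may be vulnerable to a buffer overflow when
it receives a too long request.
An attacker may use this flaw to execute arbitrary code within the
Local System security context.
*** As safe checks are enabled, Nessus did not actually test for this
*** flaw, so this might be a false positive
Solution : See http://www.microsoft.com/technet/security/bulletin/ms03-007.asp
Risk Factor : High
CVE : CAN-2003-0109
BID : 7116
Other references : IAVA:2003-A-0005
Nessus ID : 11412

Warning found on port unknown (37/tcp)
Placeholder entry constructed for this example: the service answered
with bytes that no plugin could identify.
Risk Factor : Low
"""

# Header of each entry; the first word is how the plugin writer classed it
# (hole / warning / note). Layout assumed from the old text-report format.
HEADER_RE = re.compile(
    r"^(Vulnerability|Warning|Information) found on port (\S+) \((\d+)/(tcp|udp)\)$")
KIND = {"Vulnerability": "hole", "Warning": "warning", "Information": "note"}
FIELD_RE = re.compile(
    r"^(Solution|Risk Factor|CVE|BID|Other references|Nessus ID)\s*:\s*(.*)$")


def parse_report(text):
    """Split a text report into dicts: kind, service, port, fields, description."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        h = HEADER_RE.match(line)
        if h:
            cur = {"kind": KIND[h.group(1)], "service": h.group(2),
                   "port": int(h.group(3)), "proto": h.group(4),
                   "description": [], "unconfirmed": False}
            entries.append(cur)
            continue
        if cur is None or not line:
            continue
        if line.startswith("***"):
            # safe-checks banner: the plugin judged by banner/version only
            cur["unconfirmed"] = True
            continue
        f = FIELD_RE.match(line)
        if f:
            cur[f.group(1).lower().replace(" ", "_")] = f.group(2)
        else:
            cur["description"].append(line)
    for e in entries:
        e["description"] = " ".join(e["description"])
    return entries


def risk_breakdown(entries):
    """Pie-chart counts: LOW / MEDIUM / HIGH from each entry's Risk Factor."""
    counts = {"LOW": 0, "MEDIUM": 0, "HIGH": 0}
    for e in entries:
        level = e.get("risk_factor", "").upper()
        if level in counts:
            counts[level] += 1
    return counts


def per_service(entries, kind="hole"):
    """Bar-chart counts: findings of one kind per service, 'Unknown' when unnamed."""
    counts = Counter()
    for e in entries:
        if e["kind"] == kind:
            counts["Unknown" if e["service"] == "unknown" else e["service"]] += 1
    return dict(counts)


def needs_manual_verification(entries):
    """Holes flagged under safe checks: confirm by hand before treating as real."""
    return [(e["port"], e.get("nessus_id", "?")) for e in entries
            if e["kind"] == "hole" and e["unconfirmed"]]


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    print(risk_breakdown(report))
    print(per_service(report), per_service(report, "warning"))
    print(needs_manual_verification(report))
```

The “unconfirmed” flag is the practical point: with safe checks on, a HIGH finding in the pie chart may be a version-based guess, so the chart should be read together with the list of unverified holes.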
Conclusion
“Nessus Network Security Scanner offers a free and extremely thorough way to
scan your network for vulnerabilities. This cross-platform utility offers an
overwhelming number of configuration and scanning options.”
- PC Magazine

• Nessus's report generation is the most
interesting feature.
• Vulnerabilities are classified on the basis of risk
factor, NOT OS or protocol – better for the SysAdmin.
• One of the most flexible, open-source and
powerful vulnerability scanners.
Reference
• http://www.nessus.org/
• http://www.securityfocus.com/infocus/1741
• http://www.securityfocus.com/infocus/1753
• http://www.nessus.org/doc/nasl.html
• http://www.pcmag.com/article2/0,4149,1400321,00.asp
Thank You

Questions!!
