Nessus - NASL: Marmagna Desai
Marmagna Desai
[592- Project]
Agenda
• Introduction
– Nessus
– Nessus Attack Scripting Language [NASL]
• Features
– Nessus
– NASL
• Testing Environment
• Test Result
• Conclusion
Introduction - Nessus
• Nessus:
– Remote Vulnerability Scanner
– Remote data gathering, host identification and port scanning are the main purposes of using this tool.
– Client/Server Setup.
• Server – UNIX Based
• Client – Windows and UNIX Based.
– Open Source, Highly flexible, Harmless.
Introduction - NASL
• NASL
– Scripting language used by Nessus to write the attacks that detect vulnerabilities.
– Guarantees:
• Will not send packets to any host other than the target.
• Will execute commands only on the local system.
– Optimized built-in functions to perform network-related tasks.
• [e.g. socket operations, opening a connection if a port is open, forging IP/TCP/ICMP etc. packets]
– Rich Knowledge Base [KB], which lets a custom script use the results of other scripts.
Features - Nessus
• Plug-in Architecture
– Security tests are external plugins, so tests can be added or modified without reading the Nessus source code.
• Security Vulnerability Database
– Database is updated on a daily basis and keeps a record of the latest security holes.
• Client-Server Architecture
– Server: Performs Attacks
– Client: Front-end
– Both can be located on different machines
NASL - Example
# The script code starts here
if (get_port_state(5010)) {
  # Port 5010 is open: connect and send 2048 bytes of junk data
  sock5010 = open_sock_tcp(5010);
  if (sock5010) {
    send(socket:sock5010, data:crap(2048));
    close(sock5010);
    # Try to reconnect: if the service no longer accepts connections, it crashed
    sock5010_sec = open_sock_tcp(5010);
    if (!sock5010_sec) {
      security_hole(5010);
    } else close(sock5010_sec);
  }
}
NASL Experiment
7 port is open
SOCR IS VULNERABLE....!!!!!!
Testing Environment
• Download:
– Best and Easy way:
• Make sure Lynx is installed and execute:
– lynx -source http://install.nessus.org | sh
• It will download and install the Nessus client, server and NASL libraries.
– Easy way:
• Download script:
– nessus-installer.sh from:
– http://ftp.nessus.org/nessus/nessus-0.10a/nessus-installer/
• Execute: sh nessus-installer.sh
Testing Environment
• Immediate Step: [Server Side]
• Creating a User:
– Execute: “nessus-adduser”
– Create a username, authentication [password/cert] and rules for the user.
• Execute “nessusd” as a daemon on the UNIX machine.
• The server is ready.
Testing Environment
• Plugin
– Scan is enabled for all possible plugins.
– “upload-plugin” lets you add a plugin from the local database.
– Dependencies can be enabled while scanning.
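As an added example (not code from these slides or from Nessus itself), the Python model below shows how the Knowledge Base described in the NASL introduction and the plugin dependency option above fit together: a scanner plugin publishes open ports to the KB, a banner plugin reads them and publishes a banner, a third plugin reads that banner, and dependency resolution runs them in the right order. The plugin names, KB keys, banner and the Apache check are constructed; set_kb_item/get_kb_item and get_port_state only stand in for the NASL built-ins of the same name.

```python
import re

# Knowledge base: a per-host store through which plugins share results (models the NASL KB).
def set_kb_item(kb, name, value): kb.setdefault(name, []).append(value)
def get_kb_item(kb, name): return kb.get(name, [None])[0]   # first value recorded, or None

def get_port_state(kb, port):
    """Mirrors NASL get_port_state(): open only if a scanner plugin recorded it in the KB."""
    return get_kb_item(kb, f"Ports/tcp/{port}") is not None

# Plugins: each takes the KB and returns (severity, port, message) findings.
def port_scanner(kb):
    for port in (22, 80):              # constructed result standing in for nmap output
        set_kb_item(kb, f"Ports/tcp/{port}", 1)
    return [("note", port, "port is open") for port in (22, 80)]

def http_banner(kb):
    if not get_port_state(kb, 80):
        return []
    banner = "Server: Apache/1.3.12"  # constructed banner, not a live response
    set_kb_item(kb, "www/80/banner", banner)
    return [("note", 80, banner)]

def old_apache_check(kb):
    banner = get_kb_item(kb, "www/80/banner")
    if banner and re.search(r"Apache/1\.3\.\d+", banner):
        return [("hole", 80, "hypothetical finding: Apache 1.3 branch reported in banner")]
    return []

PLUGINS = {  # name -> (dependencies, function), like script_dependencies() in NASL
    "port_scanner": ([], port_scanner),
    "http_banner": (["port_scanner"], http_banner),
    "old_apache_check": (["http_banner"], old_apache_check),
}

def resolve_order(enabled):
    """'Enable dependencies': pull in what each enabled plugin needs, dependencies first."""
    order, seen = [], set()
    def visit(name):
        if name in seen: return
        seen.add(name)
        for dep in PLUGINS[name][0]:
            visit(dep)
        order.append(name)
    for name in enabled:
        visit(name)
    return order

def run_scan(enabled):
    kb, findings = {}, []
    for name in resolve_order(enabled):
        findings.extend(PLUGINS[name][1](kb))
    counts = {s: sum(f[0] == s for f in findings) for s in ("hole", "warning", "note")}
    return kb, findings, counts
```

Enabling only old_apache_check pulls in http_banner and port_scanner automatically, and the report counts come out as holes/warnings/notes the way the scan result slides tally them.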
Testing Environment
• Scanning Options
– Port range
– Consider unscanned ports as closed. [firewall]
– Which port scanner to use. [nmap etc.]
– How many hosts and plugins are scanned at a time.
Testing Environment
• Target Section
– 137.207.234.50
– 137.207.234.1-50
– 137.207.234.1/24
– //arunita2
• A single IP, a range of IPs, CIDR, or a hostname
Test Result
[137.207.234.50]
• Security Holes:
– 2 security holes have been found
• Warnings:
– 16 security warnings have been found
• Notes
– 22 security notes have been found
The holes, warnings and notes are defined by the plugin writer:
Descriptive Report
• Vulnerability found on port http (80/tcp)
Result
• Graphical Report...
– Here the number of security holes is plotted with respect to dangerous services.
– In my test, only 1 hole was found per service.
Result
• Graphical Report...
– Major services are plotted against the number of holes found.
– Ports for which the gathered data shows no information are marked as “Unknown”.
Conclusion
“Nessus Network Security Scanner offers a free and extremely thorough way to
scan your network for vulnerabilities. This cross-platform utility offers an
overwhelming number of configuration and scanning options.”
- PC Magazine
Questions!!