Network Security Hacks [Electronic resources] - text version


Andrew Lockhart


Hack 43 Scan Your Network for Vulnerabilities

Use Nessus to quickly and easily scan your
network for services that are vulnerable to attack.

As a network administrator,
you not only need to know which hosts are on your network and the
services they are running, but also if those services are vulnerable
to exploits. While Nmap [Hack #40]
can only show you what machines and ports are reachable on your
network, a security scanner such as Nessus
(http://www.nessus.org) can tell
you if those machines are vulnerable to known exploits.

Unlike a regular port scanner, a security scanner first locates
listening services, and then connects to those services and attempts
to execute all known exploits. It then records whether the exploit
was successful and continues scanning until all available services
have been tested. The key benefit here is that
you'll know at a glance how your systems perform
against the most recent exploits, and thus know whether they truly
are vulnerable to attack.

If you're feeling a bit adventurous,
Nessus can be installed by simply typing the
following command:

$ lynx -source http://install.nessus.org | sh

This will completely automate the installation of
Nessus, but isn't really a good
idea since you don't know what
you'll be executing on your system until you
actually run it. A better way to install Nessus
that retains the benefits of the automated installer is to download
the nessus-installer.sh script and execute it
manually. After you've downloaded the installer
script and run it, you will be asked where you want to install
Nessus (the default is
/usr/local) and prompted for your root password.
The script will then create a temporary SUID shell that is accessible
only through your user account. This may sound alarming at first, but
it tells you the filename for the shell, so you can verify that it is
indeed accessible only to you and make sure that it is deleted when
the installation has completed.
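The installer tells you the filename of the temporary SUID shell it creates; the point of that is to let you confirm the file is yours alone before the install continues, and that it is gone afterwards. The check below is an added example (not part of the book or of the Nessus installer): it takes the owner and mode bits of a file and reports anything that would make the shell usable by someone other than you. The placeholder path in the usage line is an assumption; substitute the filename the installer actually prints.

```python
import os
import stat

# Added example: decide whether a temporary SUID shell, such as the one
# nessus-installer.sh reports creating, is usable only by its owner.
# The core check is pure (it takes st_mode / st_uid values) so it works
# on a real os.stat() result as well as on constructed values.


def suid_shell_problems(st_mode, st_uid, my_uid):
    """Return a list of reasons the file is NOT a private SUID shell.

    An empty list means: owned by my_uid, setuid bit set, and no group or
    other permission bits at all.
    """
    problems = []
    if st_uid != my_uid:
        problems.append("owned by uid %d, not by you (uid %d)" % (st_uid, my_uid))
    if not (st_mode & stat.S_ISUID):
        problems.append("setuid bit is not set")
    if st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("group/other bits set: %s" % oct(st_mode & 0o077))
    return problems


def check_suid_shell(path, my_uid=None):
    """Stat a real path and return (problems, exists).

    exists is False once the installer has removed the file, which is the
    state you want to see when the installation has completed.
    """
    if my_uid is None:
        my_uid = os.getuid()
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["file does not exist (already deleted?)"], False
    if stat.S_ISLNK(st.st_mode):
        return ["path is a symbolic link"], True
    return suid_shell_problems(st.st_mode, st.st_uid, my_uid), True


if __name__ == "__main__":
    import sys

    # Usage: python check_suid.py <filename reported by the installer>
    # The default below is a placeholder, not a path the installer uses.
    path = sys.argv[1] if len(sys.argv) > 1 else "/tmp/PLACEHOLDER-nessus-suid-shell"
    problems, exists = check_suid_shell(path)
    if not exists:
        print("%s: %s" % (path, problems[0]))
    elif problems:
        print("%s: NOT private: %s" % (path, "; ".join(problems)))
    else:
        print("%s: owner-only SUID shell; make sure it is removed once the install finishes" % path)
```

Run it once while the installer is waiting on you (it should report an owner-only SUID shell) and once after the installer exits (it should report that the file no longer exists).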

After installation has finished, you'll need to
create a Nessus user (not the same thing as a
Unix account). Since Nessus uses a client-server
model, you'll also need to generate a
certificate so that all communications can
be encrypted.

To create a new Nessus
user, run nessus-adduser. It will then
prompt you for a name and a password.
To create a certificate, you can run
nessus-mkcert, or if you have your own Certificate
Authority (CA) [Hack #45],
you can use that to create a certificate for Nessus
to use. If you do use your own CA, you'll need to edit
nessus.conf to tell it where to look for the CA
certificate and the certificate and key that you generated.

The configuration file usually lives in /etc or
/usr/local/etc. To tell
Nessus where its certificates are, add lines
similar to the following:

cert_file=/etc/ssl/nessus.crt
key_file=/etc/ssl/nessus.key
ca_file=/etc/ssl/ca.crt

If you generated a certificate-key pair and used a password, you can
specify that password here as well:

pem_password=mypassword
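It is easy to point cert_file at the key and key_file at the certificate, and nessusd will simply fail to start its TLS listener. The following is an added example (not Nessus code): it parses the key=value lines of nessus.conf and checks that each of cert_file, key_file and ca_file points at a file whose PEM header is of the expected kind. The option names are the ones this hack uses; the PEM header classification is standard; the in-memory files standing in for /etc/ssl/* are constructed for the example so that it runs offline.

```python
import re

# Added example: sanity-check the certificate options in nessus.conf.
# Option names (cert_file, key_file, ca_file, pem_password) are the ones
# the hack describes; everything else here is this example's own logic.

EXPECTED_PEM = {
    "cert_file": "CERTIFICATE",
    "key_file": "PRIVATE KEY",
    "ca_file": "CERTIFICATE",
}
PEM_HEADER = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----", re.MULTILINE)


def parse_conf(text):
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        opts[key.strip()] = value.strip()
    return opts


def pem_kind(content):
    """Return the label of the first PEM block ('CERTIFICATE', ...), or None.

    'RSA PRIVATE KEY', 'EC PRIVATE KEY' etc. are normalised to 'PRIVATE KEY'.
    """
    m = PEM_HEADER.search(content)
    if not m:
        return None
    label = m.group(1)
    return "PRIVATE KEY" if label.endswith("PRIVATE KEY") else label


def check_cert_options(conf_text, read_file):
    """Return a list of problems (empty means the options look consistent).

    read_file(path) returns the file's text or raises OSError; passing it in
    lets the check run against constructed data as well as the real filesystem.
    """
    opts = parse_conf(conf_text)
    problems = []
    for opt, expected in EXPECTED_PEM.items():
        path = opts.get(opt)
        if path is None:
            problems.append("%s is not set" % opt)
            continue
        try:
            content = read_file(path)
        except OSError as e:
            problems.append("%s=%s cannot be read: %s" % (opt, path, e))
            continue
        kind = pem_kind(content)
        if kind != expected:
            problems.append("%s=%s contains %s, expected %s"
                            % (opt, path, kind or "no PEM block", expected))
    if "pem_password" in opts and not opts["pem_password"]:
        problems.append("pem_password is set but empty")
    return problems


# Constructed stand-ins for /etc/ssl/*: only the PEM headers matter here,
# the bodies are placeholders and not real key material.
FAKE_FS = {
    "/etc/ssl/nessus.crt": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n",
    "/etc/ssl/nessus.key": "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n",
    "/etc/ssl/ca.crt": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n",
}


def fake_read(path):
    try:
        return FAKE_FS[path]
    except KeyError:
        raise FileNotFoundError(path)


# The weak form (cert and key paths swapped) beside the corrected one.
SWAPPED_CONF = """\
# cert_file and key_file accidentally swapped
cert_file=/etc/ssl/nessus.key
key_file=/etc/ssl/nessus.crt
ca_file=/etc/ssl/ca.crt
"""

CORRECT_CONF = """\
cert_file=/etc/ssl/nessus.crt
key_file=/etc/ssl/nessus.key
ca_file=/etc/ssl/ca.crt
pem_password=mypassword
"""

if __name__ == "__main__":
    for name, text in (("swapped", SWAPPED_CONF), ("correct", CORRECT_CONF)):
        print(name, check_cert_options(text, fake_read) or ["ok"])
```

To run it against a live system, pass a reader such as `lambda p: open(p).read()` together with the contents of the real nessus.conf.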

After you've done all of that, you can start the
Nessus daemon. This is the business end of
Nessus and is what will actually perform the
scans against the hosts on your network.

You can start it by running something similar to this command:

# /usr/local/sbin/nessusd -D

Now
you can start the Nessus client and connect to
the server. There are several Nessus clients
available, including a command-line interface, an X11 application,
and a Windows client. The figures in this hack show the X11
interface. You can start the client by simply typing
nessus. After you've done that,
you should see a window like the one shown in Figure 3-8.


Figure 3-8. Nessus client setup



You'll need to fill in the information for the user
that you created and click the "Log
In" button. After that, you'll be
presented with a dialog that allows you to verify the information
contained in the server's certificate.

To select which types of
vulnerabilities to scan for, click on the Plugins tab, and
you'll see something similar to Figure 3-9.


Figure 3-9. Nessus plugin selection



In the top pane you can enable or disable types of scans, and in the
bottom pane you can disable individual vulnerability checks that
belong to the category selected in the top pane. One thing to note:
scans listed in the bottom pane that have an exclamation icon next to
them will potentially crash the server that they are run against. If
you want to enable all scans except for these, you can click the
"Enable all but dangerous plugins"
button. If you're running
Nessus on a noncritical machine, you can
probably leave these scans on, but you have been warned!
You'll probably want to disable several types of
scans unless you need to scan a machine or group of machines that run
a wide variety of services; otherwise, you'll waste
time having Nessus scan for services that you
aren't running. For instance, if you wanted to scan
a Solaris system, you might disable CGI abuses, CISCO, Windows,
Peer-To-Peer File Sharing, Backdoors, Firewalls, Windows User
Management, and Netware plug-ins.

In order for Nessus to more thoroughly test your
services, you can supply it with login information for various
services. This way, it can actually log into the service that it is
testing and have access just like any normal user. You can tell
Nessus about the accounts to use with the Prefs
tab, as shown in Figure 3-10.


Figure 3-10. Nessus's Prefs tab



In addition, you can tell
Nessus to attempt brute-force logins to the
services it is scanning. This can be a good test not only of
the services themselves, but also of your intrusion detection system
(IDS) [Hack #82]
and your system logs.

The "Scan options" tab lets you
configure how Nessus will conduct its
port-scans. Most of these settings can be left at their default
value, unless you are also checking to see whether Nessus
can evade detection by the hosts that you are scanning.
For instance, Nessus is configured by default to
perform full TCP connect scans and to ping the remote host that it is
scanning. You can change this behavior by going to the
"Scan options" tab, enabling
"SYN scans" instead of
"TCP connect", and disabling the
ping. To specify which hosts you want to scan, you can use the
"Target selection" tab.

After you've made your selections, try
scanning a host by clicking
"Start the scan" at the bottom of
the window. You should now see a window similar to Figure 3-11. In this case, Nessus is
performing a scan against a Solaris machine.


Figure 3-11. Performing a vulnerability scan



The results of the scan are shown in Figure 3-12.


Figure 3-12. The vulnerability scan results



If you scanned multiple subnets, you can select those in the Subnet
pane. Any hosts that are in the selected subnet will then appear in
the Host pane. Similarly, when you select a host, the list of open
ports on it will appear in the Port pane. You can select these to
view the warnings, notes, and possible security holes that were found
regarding the selected port. You can view the information that
Nessus provides for these by clicking on them in
the Severity pane. Don't be too alarmed by most of
Nessus's
security notes and warnings; they are designed mainly to let you know
what services you are running and to tell you if that service might
present a potential vulnerability. Security holes are far more
serious and should be investigated.

To save the report that you are viewing,
click the "Save report" button.
Nessus will let you save reports in a variety of
formats. If you want to view the report in Nessus
again at a later date, you should use
Nessus's
own report format (NBE). Reports in this format can be viewed by
using the "Load report" button in
the main Nessus client window. Additionally, you
can save reports in XML, HTML, ASCII, and even LaTeX format.
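When you have more than a handful of hosts, the Severity pane is slow to work through, and the NBE file the client saves is easy to process directly. The script below is an added example (not from the book and not Nessus's own tooling): it parses the pipe-delimited NBE records and produces, per host, the same three-way split the GUI shows (security holes, warnings, notes), listing the holes, which the text singles out as the findings that must be investigated. The sample report is constructed; its plugin ids and findings are made up for the example.

```python
from collections import defaultdict

# Added example: triage a Nessus NBE report from the command line.
# NBE is pipe-delimited. 'results' records carry
#   results|<subnet>|<host>|<port>|<plugin id>|<severity>|<description>
# and 'timestamps' records carry scan/host start and end times.
# Severity labels mirror the client's Severity pane.

SEVERITY_RANK = {"Security Hole": 3, "Security Warning": 2, "Security Note": 1}


def parse_nbe(text):
    """Yield one dict per 'results' record; other record types are skipped."""
    for raw in text.splitlines():
        if not raw.startswith("results|"):
            continue
        fields = raw.split("|", 6)  # the description itself may contain '|'
        if len(fields) < 7:
            continue
        _, subnet, host, port, plugin_id, severity, description = fields
        yield {
            "subnet": subnet,
            "host": host,
            "port": port,
            "plugin_id": plugin_id,
            "severity": severity,
            # NBE stores line breaks inside a description as a literal "\n"
            "description": description.replace("\\n", "\n").strip(),
        }


def summarize(text):
    """Per-host counts by severity plus the list of holes (port, id, headline)."""
    summary = {}
    for r in parse_nbe(text):
        entry = summary.setdefault(r["host"], {"counts": defaultdict(int), "holes": []})
        entry["counts"][r["severity"]] += 1
        if r["severity"] == "Security Hole":
            headline = r["description"].splitlines()[0] if r["description"] else ""
            entry["holes"].append((r["port"], r["plugin_id"], headline))
    return summary


def hosts_by_risk(summary):
    """Hosts ordered by (holes, warnings, notes), worst first."""
    def key(host):
        c = summary[host]["counts"]
        return (c["Security Hole"], c["Security Warning"], c["Security Note"])
    return sorted(summary, key=key, reverse=True)


# Constructed NBE fragment; plugin ids 9000x and the findings are made up.
SAMPLE_NBE = """\
timestamps|||scan_start|Mon Mar  1 10:00:00 2004|
timestamps||192.168.1.10|host_start|Mon Mar  1 10:00:01 2004|
results|192.168.1|192.168.1.10|ssh (22/tcp)|90001|Security Note|An SSH server is running on this port.
results|192.168.1|192.168.1.10|telnet (23/tcp)|90002|Security Warning|Telnet is running. Credentials travel in cleartext.\\nSolution : disable telnet, use ssh.
results|192.168.1|192.168.1.10|finger (79/tcp)|90003|Security Hole|The remote finger service reveals logged-in user names.\\nSolution : disable finger.
timestamps||192.168.1.10|host_end|Mon Mar  1 10:03:00 2004|
timestamps||192.168.1.20|host_start|Mon Mar  1 10:00:01 2004|
results|192.168.1|192.168.1.20|general/tcp|90004|Security Note|Nessus was able to run without errors.
timestamps||192.168.1.20|host_end|Mon Mar  1 10:01:00 2004|
timestamps|||scan_end|Mon Mar  1 10:03:05 2004|
"""

if __name__ == "__main__":
    import sys

    # Usage: python nbe_triage.py report.nbe   (defaults to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NBE
    summary = summarize(text)
    for host in hosts_by_risk(summary):
        c = summary[host]["counts"]
        print("%-16s holes=%d warnings=%d notes=%d"
              % (host, c["Security Hole"], c["Security Warning"], c["Security Note"]))
        for port, plugin_id, headline in summary[host]["holes"]:
            print("    HOLE %-18s plugin %s: %s" % (port, plugin_id, headline))
```

Because the holes are collected separately from the notes and warnings, the output reads the way the text recommends: notes and warnings are mostly an inventory of what you run, while each hole is an item to investigate.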

While Nmap is probably the champion of host and port detection,
Nessus goes even further to demonstrate whether
your own services are vulnerable to known attacks. Of course, new
exploits surface all of the time, so it is important to keep your
Nessus plug-ins up-to-date. Using
Nessus, you can protect your own services by
attempting to break into them before the bad boys do.
