Nessus Vulnerability Scanner
Irina Grosu, Ana-Teodora Petrea
History
• The “Nessus” Project was started by Renaud Deraison in 1998 as a free and open source remote security scanner.
• 5 October 2005: Tenable Network Security moves Nessus 3 to a proprietary license and makes it closed source.
• July 2008: home users get full access to the plugin feeds under a non-commercial license.
• Nessus 4 released on April 9, 2009.
• Nessus 5 released on February 15, 2012.
• The Nessus 2 engine and some of the plugins are still under the GPL, which led to forked open source projects based on Nessus: OpenVAS and Porz-Wahn.
Background
• Network security scanner with an extensive plugin database that is updated daily.
• Rated among the top products of its type across the security industry and endorsed by professional information security organizations such as the SANS Institute.
• Can audit a specific machine locally (with credentials) for vulnerabilities, compliance specifications, content policy violations, etc.
• Can audit networks remotely and determine whether hosts have been compromised in some way.
Architecture
• Modular architecture: the scanner (server) can be deployed on one machine and the GUI (client) reached from any machine with a web browser.
• Plugin architecture: each security test is written as an external plugin and grouped into one of 42 families. Users can add their own tests, select specific plugins, or enable an entire family.
Features
• NASL, the Nessus Attack Scripting Language, a language designed specifically for writing security tests easily and quickly.
• Up-to-date security vulnerability database: focuses on the development of security checks for newly disclosed vulnerabilities.
• Tests multiple hosts simultaneously.
• Smart service recognition: Nessus does not assume that target hosts respect IANA-assigned port numbers; a service running on a non-standard port is still recognized and tested.
Features
• Multiple services: if two or more web servers run on the same host on different ports, Nessus identifies and tests all of them.
• Plugin cooperation: no unnecessary checks are performed. If an FTP server does not offer anonymous logins, the anonymous-login security checks are skipped.
• Complete reports: each detected vulnerability is given a risk level (Info, Low, Medium, High or Critical) together with a suggested solution.
• Full SSL support: tests services offered over SSL/TLS such as HTTPS, SMTPS and IMAPS.
Features
• Smart plugins (optional): the “optimization” option determines which plugins should or should not be launched against the remote host.
• Non-destructive (optional): certain checks can be detrimental to specific network services. To avoid a service failure, enable the “safe checks” option, which tells Nessus not to exploit real flaws to determine whether a vulnerability is present; it relies on banners and version information instead. This is safer but can produce false positives when a backported fix leaves the version banner unchanged.
Scanning a simple website
• Scanned our website for the WADE course: http://soma.azurewebsites.net
• Identified 10 vulnerabilities (1 Medium, 9 Info):
• [Medium] Backup Files Disclosure – files that may contain sensitive information can be accessed.
• [Info] HTTP Methods Allowed (per directory) – the attacker can execute HTTP methods on resource directories like: images, content, scripts.
The Nessus Port Scanning Engine
Determining whether a port is open or closed is a critical step in the discovery phase of any attack on a system. The Nessus port scanning system has three port scanners:
• TCP scanner: sends a sequence of packets to initiate a full TCP connection to each target port, completing the three-way handshake every time. It dynamically estimates the RTT (round-trip time) and makes multiple passes on unresponsive ports. It is not available on Windows and Mac OS X due to operating system limitations.
The Nessus Port Scanning Engine
• SYN scanner: fully supported on Linux, Mac OS X and Windows. It sends a SYN to each port and decides the port state from the reply (SYN/ACK for open, RST for closed, or no answer) without completing the three-way handshake. It does not open sockets but generates raw packets using low-level libraries, so it is generally faster and less intrusive than a full connect scan, and the target's application layer never sees the probe. A full connect scan, whose verdict comes from the operating system's TCP stack, is the more reliable of the two but slower and noisier.
The Nessus Port Scanning Engine
• Netstat port scanner: a more reliable way to enumerate open ports on a given host is to log in to the system and run a command that lists all listening TCP and UDP ports (e.g. netstat -an). Because this view comes from the host itself, it is not affected by firewalls or packet loss, and it is useful to compare the netstat results with what is reported as open or closed across the network: a port that is listening locally but is not reachable from the scanner is being filtered, while a port that answers on the network but has no local listener points to address translation or a proxy in front of the host.
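The comparison the netstat scanner enables, written out as an added example (this is not Nessus code): the netstat output and the network-observed port list below are constructed, and the reconciliation puts each port into one of four buckets that a practitioner would act on differently.

```python
"""Reconcile a host's own listening sockets (netstat -an) with what a
network-based port scan saw from the outside.

Added example, not part of Nessus.  NETSTAT_SAMPLE and NETWORK_OPEN are
constructed inputs standing in for the netstat scanner's output and the
SYN/TCP scanner's result for the same host."""
from typing import NamedTuple


class Listener(NamedTuple):
    proto: str   # "tcp" or "udp"
    addr: str    # local address the socket is bound to
    port: int


# Constructed `netstat -an` output in Linux format for host 10.0.0.5.
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp        0      0 127.0.0.1:53            0.0.0.0:*
"""

# Constructed result of a network scan of the same host: (proto, port) seen open.
NETWORK_OPEN = {("tcp", 22), ("tcp", 80), ("tcp", 443), ("udp", 123)}


def parse_netstat(text: str) -> set:
    """Extract listening sockets from netstat -an output.

    TCP entries count only in LISTEN state (established connections are
    not services); UDP entries have no state column and are always taken."""
    listeners = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith(("tcp", "udp")):
            continue  # banner, header or blank line
        proto = "tcp" if fields[0].startswith("tcp") else "udp"
        if proto == "tcp" and (len(fields) < 6 or fields[5] != "LISTEN"):
            continue
        # rpartition handles IPv6 forms such as ":::80" and "::1:8080"
        addr, _, port = fields[3].rpartition(":")
        listeners.add(Listener(proto, addr, int(port)))
    return listeners


def is_loopback(addr: str) -> bool:
    return addr == "::1" or addr.startswith("127.")


def reconcile(listeners: set, network_open: set) -> dict:
    """Bucket ports by how the local and network views disagree."""
    exposed = {(l.proto, l.port) for l in listeners if not is_loopback(l.addr)}
    loopback = {(l.proto, l.port) for l in listeners if is_loopback(l.addr)}
    return {
        # both views agree: a real, reachable service
        "confirmed": sorted(exposed & network_open),
        # listening on a routable address but unreachable: firewall/ACL in the path
        "filtered": sorted(exposed - network_open),
        # answers on the network but nothing listens here: NAT, proxy or scan artifact
        "unexpected": sorted(network_open - exposed - loopback),
        # bound to loopback only; correctly invisible from the network
        "loopback_only": sorted(loopback),
    }


if __name__ == "__main__":
    for bucket, ports in reconcile(parse_netstat(NETSTAT_SAMPLE), NETWORK_OPEN).items():
        print(f"{bucket:14s} {ports}")
```

UDP entries in the "filtered" bucket deserve less trust than TCP ones: a UDP port that never answers looks the same to a network scanner whether it is open or filtered, so the local view is the only reliable one for UDP.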
Windows malware scan
• Nessus reports whether the scanned host is on a known botnet list or is communicating with a known botnet IP. It audits the antivirus agent, reporting whether it is misconfigured or has out-of-date signatures, and it detects known malware running on the PC. Here is how:
• Nessus authenticates to the Windows system.
• It enumerates the list of running processes on the system.
• For each process, a cryptographic hash of its executable image is generated and looked up against Tenable's cloud-based database.
• If the process is found to be malicious, the plugin logs the result with information about the malware found.
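The hash-and-lookup step of that procedure, as an added example that is not Tenable's plugin code. It assumes the process enumeration has already produced a pid-to-image-path mapping (here a constructed one written to temporary files), and a local set of SHA-256 digests stands in for the cloud database. The unreadable-image case is handled explicitly, because malware that deletes its own file after launch is exactly the process you do not want silently skipped.

```python
"""Hash running process images and look them up against a known-bad list.

Added example, not Nessus/Tenable code.  The blocklist is a constructed local
set standing in for Tenable's cloud lookup; demo() builds constructed image
files so the check runs offline."""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so large images are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_processes(process_images: dict, blocklist: set) -> dict:
    """process_images maps pid -> on-disk image path, as a process enumeration
    would return it.  Returns pid -> (verdict, detail).

    A missing or unreadable image is reported as its own verdict rather than
    dropped: a process whose executable is gone from disk is suspicious by itself."""
    verdicts = {}
    for pid, path in process_images.items():
        try:
            digest = sha256_file(path)
        except OSError as exc:
            verdicts[pid] = ("unreadable", str(exc))
            continue
        verdicts[pid] = ("malicious" if digest in blocklist else "clean", digest)
    return verdicts


# Constructed image contents; "MZ" mimics a PE header, the rest is filler.
_BENIGN_IMAGE = b"MZ" + b"\x00" * 64 + b"benign-constructed-image"
_MALICIOUS_IMAGE = b"MZ" + b"\x00" * 64 + b"constructed-malicious-image"


def demo() -> dict:
    """Write constructed images to a temp dir and classify a constructed process table."""
    blocklist = {hashlib.sha256(_MALICIOUS_IMAGE).hexdigest()}
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "svchost.exe")
        bad = os.path.join(d, "update.exe")
        with open(good, "wb") as f:
            f.write(_BENIGN_IMAGE)
        with open(bad, "wb") as f:
            f.write(_MALICIOUS_IMAGE)
        processes = {
            1234: good,
            5678: bad,
            9999: os.path.join(d, "gone.exe"),  # image deleted after launch
        }
        return classify_processes(processes, blocklist)


if __name__ == "__main__":
    for pid, (verdict, detail) in demo().items():
        print(f"pid {pid}: {verdict} ({detail})")
```

Hash matching only finds samples already in the database; a recompiled or padded variant has a new digest and passes as clean, which is why the botnet-IP and antivirus checks on the same slide complement rather than duplicate this one.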
Case study – Clemson University
Clemson University is recognized as the 25th best college in the U.S. Its IT security team is responsible for compliance, policy setting and information protection for more than 80,000 registered devices connected to its network. To improve their security and auditing process, they chose Tenable's software solutions: SecurityCenter, Nessus and Log Correlation Engine.
Case study – Clemson University
• Part of the new system is the Nessus Vulnerability Scanner, which automatically scans the systems every 30 days for:
• vulnerabilities;
• unpatched systems.
• After the scans finish, it sends a report to the system administrators and to the security team, highlighting which systems are missing critical patches and the progress made since the patches identified as missing in the previous months were applied.
Integration of other tools with Nessus
• Nmap: a security scanner that provides host discovery, port scanning and OS detection. It can be integrated with Nessus to get the best performance out of a scan: the network is first scanned with Nmap, and its output is used as input for Nessus to perform an internal network scan, so Nessus spends its plugin time only on hosts and ports known to be alive.
• Nikto: a web application scanning tool that searches for misconfigurations, openly accessible web directories and a range of web application vulnerabilities. When integrated with Nessus, the Nikto scan is started automatically from the Nessus interface and its results are displayed in Nessus. Besides the new scanning capabilities, this lets users apply Nessus's filtering and reporting to Nikto's findings.
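Turning Nmap output into Nessus input, as an added example that is not Nessus's own Nmap wrapper: it parses a constructed Nmap XML report (the format produced by -oX) and produces the two strings a Nessus scan needs, the comma-separated target list and the port range, so that only live hosts and their open ports are scanned. The second host below has two HTTP servers on different ports, the case the "Multiple services" slide describes.

```python
"""Convert an Nmap XML report (nmap -oX) into a Nessus target list and port range.

Added example, not part of Nessus.  NMAP_XML is a constructed report; the
element names and attributes follow Nmap's XML output format."""
import xml.etree.ElementTree as ET

NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sS -oX - 10.0.0.0/29">
  <host>
    <status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.0.0.6" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="10.0.0.7" addrtype="ipv4"/>
  </host>
</nmaprun>"""


def parse_nmap_xml(xml_text: str) -> dict:
    """Return {address: [(proto, port, service_name), ...]} for hosts that are up.

    Closed and filtered ports are dropped; hosts marked down are skipped entirely."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue
        addr = next(a.get("addr") for a in host.findall("address")
                    if a.get("addrtype") in ("ipv4", "ipv6"))
        open_ports = []
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            open_ports.append((port.get("protocol"), int(port.get("portid")),
                               svc.get("name") if svc is not None else ""))
        hosts[addr] = open_ports
    return hosts


def nessus_targets(hosts: dict) -> str:
    """Comma-separated target list; hosts with no open ports are left out."""
    return ",".join(sorted(h for h, ports in hosts.items() if ports))


def port_range(hosts: dict) -> str:
    """Union of all open ports as a comma-separated port range for the scan policy."""
    return ",".join(str(p) for p in sorted({p for ports in hosts.values() for _, p, _ in ports}))


if __name__ == "__main__":
    found = parse_nmap_xml(NMAP_XML)
    print("targets:", nessus_targets(found))
    print("ports:  ", port_range(found))
```

Feeding a reduced port range to Nessus is a trade-off: it makes the scan faster, but a service that Nmap missed (rate-limited, or only up intermittently) is then never tested, so the Nmap pass should use the same port coverage you would otherwise have given Nessus.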
Conclusions - Advantages
• Free for non-commercial use.
• Available on multiple operating systems (Windows, Mac OS, various Linux distributions).
• Advanced scans for networks, websites, operating systems and mobile devices.
• By default Nessus runs with “safe checks” enabled, which is meant to avoid adverse effects on the system or network; aggressive and in-depth checks (e.g. DoS attacks) can be enabled at the user's will.
• Good for security audits.
• Scans multiple hosts in the same scan.
Conclusions - Disadvantages
• Hard to configure for beginners.
• The free non-commercial license is limited to 16 IP addresses, which must be within the same household.
• Limited support for Ubuntu, Fedora Core, FreeBSD and Debian.
Bibliography
http://www.tenable.com/products/nessus
http://www.tenable.com/blog/integrating-nessus-with-backtrack-5s-tools
http://en.wikipedia.org/wiki/Nessus_(software)
http://www.tenable.com/sites/drupal.dmz.tenablesecurity.com/files/case-studies/Clemson_CS_(EN)_v3_web.pdf
http://en.wikipedia.org/wiki/Nmap