Nessus : another brick in the (security) wall

Category: System Administration


Translation info: original in en by Georges Tarbouriech; en to en by Lorne Bailey

About the author:

Georges is a long time Unix user. He thinks computer security is one of the main challenges of this century.

Abstract:

Nessus is a free security scanner available from http://www.nessus.org. The project was started and is maintained by Renaud Deraison. The stable version at the time of this writing is 1.09 and the experimental one is 1.14. The software is released under the GPL (GNU General Public License) and many people contribute to the project, especially plugins... while some other people benefit from nessus' work without even mentioning its name (more on this at the end of the article). Nessus works on many Unix flavors as a client and a server, and on Win32 as a client. Let's have a look at this great tool.


Getting and installing nessus

Going to http://www.nessus.org, you can get this great piece of software. Nessus is also available as a client for Win32, but we will obviously consider the POSIX version in this article.
To use nessus, you need at least nmap and Gtk (Gimp Toolkit). Links to those tools are provided from nessus' website. However, since you can use nessus from the command line, Gtk is not mandatory.
You can get nessus in three different ways : the good, the bad and the ugly.
The good way is the standard one, that is, you download the archives from the ftp site closest to you. There are four archives : nessus libraries, nasl libraries, nessus core and nessus plugins. Once unpacked, you build and install each of them as usual : ./configure, make, make install. If you have a previous version of nessus installed on your machine, you'll have to remove it first. To do this, nessus provides an uninstall script to use after the first "./configure" in the nessus libraries package. Run this script before typing "make". Do the same for each of the other packages (without running the uninstall script again) and you're done.
The bad way is to run a downloadable script called nessus-installer.sh. Typing "sh nessus-installer.sh" will auto-install the whole package : the four packages don't need to be installed separately, it's now just one stand-alone package.
The ugly way : as long as you have lynx installed on your machine and you're connected to the Internet, just type "lynx -source http://install.nessus.org | sh" and that's it. You must NOT be root to do this.
Obviously, we recommend the "good" way... well, if you download nessus, we suppose security matters to you ! Since we're talking about security, don't forget to check the MD5 checksum of what you download.
Nessus comes with different utilities (nasl, a scripting language, nessus-adduser, nessus-build...). Each of these utilities has its own man page for the client and the server. More documentation is available within the distribution (README, INSTALL...) or on the nessus website.

Configuring and running nessus

To make things easier to understand, we'll show examples with the nessus X11 version, the one that uses Gtk.

The nessusd server

To start nessus, you obviously need to run the server daemon, nessusd. When launching the daemon for the first time you'll have to create a username and password by using the nessus-adduser command. If the nessus libraries package has been compiled with the "--enable-cipher" option (highly recommended, not to say mandatory !), nessus generates a private key. This key can be protected with a passphrase. The server has many options available and you'll find them all in the nessusd man page.
From there you can create the user database and the corresponding rules. That determines who may use the server daemon and what you allow her to scan (a machine, a network...). The rules are of the form "accept" or "deny" followed by a network IP address with its netmask.
For example : accept 192.168.1.0/24, allows the user to test the whole 192.168.1 network.
It's also possible to define one single user with no rules at all. If you wish to allow various users to run nessusd, you'll have to be very careful about what you allow them to do. You can't let everybody do everything on your network, can you ?
Last, nessusd relies on a configuration file (usually) found in /usr/local/etc/nessus/nessusd.conf. You can change this file by hand - as long as you know what you're doing.

The nessus client

After configuring and starting the daemon, you can start the nessus client to connect to the nessusd server. One way to run the client is to type "nessus &" in a shell. This opens the nessus setup window after asking for the above mentioned passphrase. This window provides you with seven tabs.
The first tab is called "nessusd host". From it you can connect to the nessusd host clicking on the "Log in" button. Of course, this assumes you're allowed to connect as this user, in other words, that your username exists in the user database.

[Screenshot: nessusd host tab]

The second tab concerns the plugins. Here you select or deselect the plugins you want to use during the scan. For instance, you can disable the dangerous plugins (the ones able to crash a machine !). Clicking on a plugin in the bottom part of the window displays some information about that plugin.

[Screenshots: plugins tab, plugin detail]

The third tab allows you to define the preferences for the plugins. This concerns ping, TCP, FTP... Here you can fine tune the way you'll use nessus to scan the target host(s) or network.

[Screenshot: preferences tab]

The fourth tab allows you to define the scan options and the port scanner to use, usually nmap. Find out more on nmap there.

[Screenshot: scan options tab]

The fifth tab is where you tell nessus the target of your scan. In the target field you can write the name of a host, the name of different hosts separated by commas, one or more IP addresses, again separated by commas, or a network address with its netmask (for example 192.168.1.0/24). There's also a check box to perform a DNS zone transfer. That is, connecting to a DNS server, nessus will try to get the list of the hosts in this domain.

[Screenshot: target selection tab]

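The user rules described in the nessusd section ("accept" or "deny" followed by a network with its netmask) and the target field described above (host names, addresses or networks separated by commas) fit together naturally: before a user scans anything, nessusd must decide whether every target falls inside what she is allowed to test. The following is an added example, not part of nessus itself, that evaluates a target specification against such rules. It assumes, beyond what the article states, that a target not covered by any "accept" rule is denied, that a target overlapping any "deny" rule is denied, and that "#" starts a comment.

```python
"""Added example (not nessus code): evaluate nessus-style user rules against a scan target."""
import ipaddress

def parse_rules(text):
    """Parse rule lines such as 'accept 192.168.1.0/24' or 'deny 192.168.1.1/32'."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # assumption: '#' starts a comment
        if not line:
            continue
        verb, net = line.split()
        if verb not in ("accept", "deny"):
            raise ValueError(f"bad rule: {raw!r}")
        # strict=False lets '192.168.1.5/24' mean the /24 containing that host
        rules.append((verb, ipaddress.ip_network(net, strict=False)))
    return rules

def parse_targets(spec):
    """Split a target field: names, addresses or networks separated by commas."""
    items = []
    for tok in (t.strip() for t in spec.split(",")):
        if not tok:
            continue
        try:
            # a plain address becomes a /32 (or /128) network
            items.append((tok, ipaddress.ip_network(tok, strict=False)))
        except ValueError:
            items.append((tok, None))   # host name: resolve it before the rules can apply
    return items

def check_scan(rules, spec):
    """Return {target: 'accept' | 'deny' | 'unresolved'} for every item in spec."""
    verdicts = {}
    for tok, target in parse_targets(spec):
        if target is None:
            verdicts[tok] = "unresolved"
            continue
        same_family = [(v, n) for v, n in rules if n.version == target.version]
        # assumption: any overlap with a deny rule refuses the whole target ...
        if any(n.overlaps(target) for v, n in same_family if v == "deny"):
            verdicts[tok] = "deny"
        # ... and the target must lie entirely inside one accept rule
        elif any(target.subnet_of(n) for v, n in same_family if v == "accept"):
            verdicts[tok] = "accept"
        else:
            verdicts[tok] = "deny"   # assumption: default deny
    return verdicts

if __name__ == "__main__":
    # constructed sample: the article's accept rule plus one denied host
    sample = parse_rules("accept 192.168.1.0/24\ndeny 192.168.1.1/32\n")
    print(check_scan(sample, "192.168.1.5, 192.168.1.0/24, 10.0.0.1, www.example.com"))
```

The whole 192.168.1.0/24 target is refused because it contains the denied host, while a single permitted address in that network is accepted.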
The sixth tab allows the user to change his passphrase, to delete his private key or to add rules.

[Screenshot: user tab]

Last but not least, the seventh tab opens the credits window, which also contains the version number. That shows all the information you should provide when using nessus for a different project... Well, that's the way it should be !

[Screenshot: credits window]

You can have an eighth tab if you compiled nessus with the "--enable-save-kb" configure option. Kb stands for "knowledge base". This experimental feature allows you to reuse the results of previous tests. This feature will be a default one in nessus 1.1.0. More on kb at www.nessus.org/doc/kb_saving.html.
Once you have "visited" every tab, you can run the "beast". Click the "Start the scan" button. What happens then ?

Nessus at work

When you start the scan, nessus opens a window displaying the scan status. For example, let's say you are testing a whole network, called 192.168.1.0/24. Eight machines (hosts) will be displayed at once, showing which plugin is used for which machine and a progress gauge. It looks like this:

[Screenshot: scan status window]

As you can see, the whole test can be stopped at any time.
Obviously, if you scan a whole network with a lot of hosts, the test will last quite a long time. It will depend on the OSes, the network speed, the machine's roles (more or less open ports), the number of active plugins, etc.
You can also test in two other different ways : the detached scans or the differential scans. This assumes you compiled nessus with the above mentioned "--enable-save-kb" configure option. The detached scans allow running the tests in the background, while the differential scans, as the name says, only show the differences between two scans.
You'll find much more information about these features in the nessus documentation (www.nessus.org/doc).
Of course, the result you get at the end of the scan is the most important. One of nessus' greatest features is the reports it provides you with.

[Screenshot: report window]

These rather detailed reports often suggest a solution for the detected vulnerability. Even more, they are really reliable. If a found vulnerability is not a real one, nessus tells you that it might be a false positive. This can happen, for instance, with patched versions of some daemons : a recently corrected vulnerability may be detected as a potential risk. However, the plugins are quickly updated for this sort of thing.
Another small mistake may come from nmap (2.53) when identifying the OS version. But this is really of little interest. Personally, I don't mind if NotTerminated 4.0 with SP6a is identified as NotTerminated 4.0 with SP5, or if Linux kernel 2.2.19 is detected as 2.2.14. Nor will I complain about "exotic" OSes such as AmigaOS or BeOS being identified as a printer or a router. I mean, I can't imagine sending a mail to Fyodor (nmap's author) to tell him such a thing : who uses such OSes in a network today ? For AmigaOS, I would say 5 people... in the whole world :-(
Some other OSes are not perfectly identified either, but they often are rather "new" or not really used like MacOS X or QNX. But, again, it isn't that important and this may be already solved in the new 2.54 beta version of nmap (and, by the way, this new version provides a MacOS X port).
Anyway, the main point is that nessus gives you tons of information that allows you to correct the machine's vulnerabilities or weaknesses on your local network.
These reports can be saved as text, NSR, HTML, HTML with pie charts... thus allowing comparisons between two scans. It may seem obvious, but the state of a network at a given time may be quite different from what it is 30 minutes later. Why ? A network is alive ! This is one of the main reasons why securing a network is not easy : things change all the time. If you're wondering about the need to use tools such as nessus and nmap, that is the answer.
If you are curious about the way nessus works, watch the system logs or, if you use snort, watch snort logs. Another place to find information is in /usr/local/var/nessus.
From there, you probably will have some work to do to reduce the weaknesses of many machines in your network. The more you harden each host, the better. To help you in this big task, nessus (and nmap) are tools you can't live without.

Plugins

Plugins are the "heart" of nessus. They are security tests - that is, test programs that look for a given vulnerability. NASL (Nessus Attack Scripting Language) is the recommended language to write security tests. You'll find a lot about NASL at this URL : http://www.nessus.org/doc/nasl.html.
Accordingly, if you want to contribute to the nessus project writing plugins, this is where you'll find the right information. At the time of this writing, there are 756 plugins in nessus' database !
There are almost 20 plugin families : backdoors, denial of service, gain root remotely... As already mentioned, each plugin reports information. It tells you what's wrong and what you should do to correct the problem.
We can't talk about plugins without mentioning CVE (Common Vulnerabilities and Exposures). It's a huge information database available from http://cve.mitre.org. There you'll find all the details about known security risks. Another great place to share knowledge. This website is the absolute reference that you must visit.
Of course, there's a lot to say about nessus plugins, but a book wouldn't be enough. A good way to understand how they work and how they are written is to read them from your /usr/local/lib/nessus/plugins directory. Thanks again to Renaud Deraison and contributors for doing such a great job.

And now for something completely different ...

Even if this title sounds like Monty Python, unfortunately there is no humor in it. The three or four people reading my articles know about my usual off-topic sentences : this time, it's a whole section ! Is it really off-topic, that's another story. Let's go.
Since I'm quite interested in computer security, I often visit the dedicated websites. Sometimes to learn about new vulnerabilities or to discover new security tools. Incidentally, I found a few products based on an online scanning service. In fact they call themselves (at least for now) ASP (Application Service Provider). If you go a bit further, you quickly discover that the engine behind the service is nessus. So far, so good. However, when trying to find the explicit information you can't see the word "nessus". That's where I'm hurt !
Many people working for the free software community do this work for free, not for a living. The only payment they get is called : credit. Nessus is released under the GPL. That is, everyone can use the product, modify the source code, adapt it... as long as they mention the original author(s). Of course, the license says much more than this. If you don't know the GPL, have a look there.
To me, this looks like theft. I mean, I don't even need a license to credit other people's work. I have very much respect for those people working for free (almost always) and sharing with a community. They deserve recognition from that community. This is especially true when people try to make money from somebody else's work. You can call that respect, recognition, it doesn't matter. The fact is, those words seem to have lost their meaning. Sure, we could say the GPL is the cause of such behavior. With an ASP, you're not considered to be selling the software. Depending on the country, the GPL may have no legal value.
A solution could be that the users of such ASPs request the name of the scanning engine doing the real work. The answer given will at least show if the people providing the service are "honest". If they don't answer or if they say they "invented" that engine (which you identified as nessus), just don't use it ! Install nessus instead (the true one), it'll be more secure anyway.
But again, do we need a license to say "thank you" to people having done a really big and great job ? And, by the way, Renaud Deraison doesn't want to change nessus license : nessus will stay under GPL.
Sorry for that long digression, but I believe it had to be said.

It's all over !

Despite the last section, what to remember from this article is that nessus provides a high quality standard. It's quite an impressive piece of software. Used in conjunction with nmap, it becomes a must have whenever security is a concern. It is a very responsible tool, improving every day. Thanks to Renaud and friends for their constant updates to plugins.
Today, a sysadmin can't work without nessus and nmap. These tools find vulnerabilities you thought you solved. This is true for most of the OSes found on your network. And when you know that some OSes are like sieves, nessus lets you relax a bit.
Even more, nessus can help you understand the way a network (or a machine) can be compromised.
If you read the reports provided carefully, take them into account and make the right corrections, you'll improve the security of that network (or machine) considerably. Again, I said "improve" : your network won't be 100% secure just because you run nessus. The road to security is a very long one and we are far from the end of it.
Once more, thanks to the free software community for the great work it does about security.
Concerning those nice people trying to make money from the work of the free software community's members, I'd like to add something. Saying "thanks" is not a badge of shame. Being honest is not that awful, is it ? If this kind of behavior grows, the risk is either the end of the community or a big change in licensing (and probably more and more patents !). In either case, you'll be on your own and things will become much harder for you. And unfortunately, we won't be able to use free software anymore. This doesn't mean you'll be able to sell yours. Think it over !
Aren't we living in a great time ?