Monthly Archives: January 2012

Vulnerability scanning with Nessus

Don’t worry, this is not going to be another security-only blog, but as I mentioned Nessus before I thought I would do a quick tutorial on this vulnerability scanner too.
Compared to Nexpose, the tool I described earlier, Nessus seems to be rather light-weight (both in system requirements and in handling).

You can get Nessus from the Tenable Network Security website (which also offers other applications based on Nessus, training, and so on) as a Windows executable, as binaries for Mac OS X and as packages for many different flavors of *nix systems.
After downloading the appropriate file for your system (this article is based on Debian Linux) install it with

dpkg -i Nessus-4.4.1-debian6_amd64.deb

After successful setup, Nessus prints the following output on the screen:

nessusd (Nessus) 4.4.1 [build M15078] for Linux
(C) 1998 - 2011 Tenable Network Security, Inc.

Processing the Nessus plugins...
[##################################################]

All plugins loaded
- Please run /opt/nessus//sbin/nessus-adduser to add a user
- Register your Nessus scanner at http://www.nessus.org/register/ to obtain
all the newest plugins
- You can start nessusd by typing /sbin/service nessusd start

So the first step is to create a Nessus user. Change to /opt/nessus/sbin/, execute the nessus-adduser command and fill in a username and password; you can also define/assign a ruleset if you want to.
After that head over to http://www.nessus.org/register/ and register your scan engine.
If you are a professional user (see Tenable’s explanation of the feeds) select the ProfessionalFeed; if you are using Nessus at home (with no commercial background) select the free HomeFeed.
After accepting the license agreement fill in your name and email address. After a few minutes you receive an email with a detailed explanation of how to activate the scanner and download the most recent plug-ins.
As we are using Linux we execute the following command:

[root@host ~]# /opt/nessus/bin/nessus-fetch --register 1234-1234-1234-1234-1234
Your activation code has been registered properly - thank you.
Now fetching the newest plugin set from plugins.nessus.org...
Your Nessus installation is now up-to-date.
If auto_update is set to 'yes' in nessusd.conf, Nessus will
update the plugins by itself.

If your computer/server is not directly connected to the Internet you can perform an offline activation (just scroll down in the mail until you reach the “If you are offline” section).
After that step your Nessus engine is ready for action. If the nessusd process is not running (check with your favorite command) start it with

/etc/init.d/nessusd start

Depending on your system the first startup might take a significant amount of time (coffee break) to complete.
You can watch the initialization at the web front end (https://yourip:8834/ by default). The listening port can be changed in the Nessus configuration file (located at /opt/nessus/etc/nessus).
Upon completion of the initialization, log in with the credentials you specified earlier.
Compared to Nexpose you are presented with a rather clear and “light” interface.
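The text leaves the two post-setup checks (is nessusd running, and on which port) to “your favorite command”. The following POSIX shell script is an added example, not code from the original post or from Tenable: it reads the listener port from nessusd.conf and confirms something is listening on it, using ss/netstat-style output. The config path /opt/nessus/etc/nessus/nessusd.conf and the listen_port key name are assumptions; the sample config and socket listing are constructed.

```shell
#!/bin/sh
# Added example (not from the original post or from Tenable): post-setup
# checks for a Nessus 4.x scanner. Assumptions: the config file is
# /opt/nessus/etc/nessus/nessusd.conf with a "listen_port = NNNN" line,
# and the listener check is fed the text output of `ss -ltn` or `netstat -ltn`.

# Print the web front-end port from a nessusd.conf; 8834 is the default
# used when the file is missing or has no listen_port line.
nessus_listen_port() {
    conf="${1:-/opt/nessus/etc/nessus/nessusd.conf}"
    port=""
    if [ -r "$conf" ]; then
        port=$(sed -n 's/^[[:space:]]*listen_port[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$conf" | head -n 1)
    fi
    [ -n "$port" ] && echo "$port" || echo 8834
}

# Given a socket listing (text) and a TCP port, print "listening" or
# "not listening" and return 0 / 1. Matches the local address column of
# both ss and netstat output (0.0.0.0:8834, [::]:8834, :::8834).
port_is_listening() {
    listing="$1"; port="$2"
    if printf '%s\n' "$listing" | grep -E 'LISTEN' | grep -Eq ":${port}([[:space:]]|\$)"; then
        echo "listening"; return 0
    fi
    echo "not listening"; return 1
}

# Constructed sample data (not from a real scanner): a nessusd.conf with a
# non-default port and an ss-style listing where only that port is open.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# nessusd.conf (constructed sample)
auto_update = yes
listen_port = 9834
EOF
SAMPLE_LISTING='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:9834       0.0.0.0:*
LISTEN 0      128    [::]:9834          [::]:*'

# On a live system: port_is_listening "$(ss -ltn)" "$(nessus_listen_port)"
PORT=$(nessus_listen_port "$SAMPLE_CONF")
echo "Nessus web front end expected at https://yourip:$PORT/"
port_is_listening "$SAMPLE_LISTING" "$PORT"
rm -f "$SAMPLE_CONF"
```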

Policy

The first thing is to create a new, custom policy for your scan. Just click on “Policies” and then “Add” (but you can also alter the default policies).

Now fill in a name and configure the settings as you wish. On the “Credentials” tab you can add a username and password for logging into the system you are about to scan, which enables additional in-depth checks (like missing OS patches).
In the “Plugins” section you can select/remove plug-ins for your scan; if you don’t scan a Windows server you don’t need the Windows plugins.
The last tab is “Preferences”, where you can add a username/password for some of the plug-ins you selected in the previous step.
As soon as you are ready hit “Submit” to save your new policy.

Scan

Now you are ready to perform your first scan with Nessus.
Click on the “Scans” tab and then on “Add”.
Give your scan a name and then select when you want to run it (now, scheduled, or as a template). In the next drop-down field, labeled “Policy”, select your policy and then fill in the IP addresses of your scan targets.
Hit “Launch Scan” and off you go.

Reports

On the “Reports” tab you can watch your scan complete and look at its outcome. As you would expect the reports are very detailed and clear.
Every vulnerability found is displayed next to a detailed explanation of the problem and a solution for it. It also provides links to external resources like DSAs and KB articles.

CLI

If you don’t like using the GUI in the browser, have a look at the CLI tools Nessus has to offer.
Go to /opt/nessus/bin and execute the “nessus” binary in this directory. There are a lot of parameters and options you can set. If you look at the netstat output you will see that there is another listening port associated with Nessus.
This is an API you can use to interact with Nessus, but that will be a topic for another blog post.

Summary

I like

Quick and easy to setup and get started
Custom templates with detailed port and vulnerability definitions

I don’t like

none :)

Vulnerability scanning with Nexpose

So, you are a bit into security auditing, vulnerability scanning and such things?
Then you are probably familiar with the tool “Nexpose” from Rapid7.
As it is part of my profession to ensure system security and compliance I tend to use tools like Nessus and Nexpose a lot.

I don’t want to use just a single tool for auditing (different systems find different vulnerabilities) and so I started to use Nexpose to get a “second opinion”.
The community edition is a free download from the Rapid7 website and is available for Windows (Server 2008, Windows 7) and Linux (Ubuntu and Red Hat).
Compared to other vulnerability scanners it needs a significant amount of system resources, but nowadays it shouldn’t be that hard to meet the requirements.

Now I would like to walk you through the first steps with Nexpose (based on a Linux system).
After downloading the package, make it executable:

chmod +x NeXposeSetup-Linux64.bin

Then fire up the setup procedure with

./NeXposeSetup-Linux64.bin

A shell-based setup guide will help you configure the system.
After a few minutes (depending on your system) of copying files around you can watch the initialization of Nexpose at https://serverip:3780
Upon completion of the initialization you are presented with the login prompt. Just enter the credentials you specified during the setup and off you go.

I want to scan a host – What shall I do?

Your setup procedure completed without errors and you successfully logged into the admin panel, so you are now ready to start your first scan with Nexpose.

The first step is to add a new site (click “Assets” at the top panel and then “View” next to “Sites”).

(Screenshot: Asset menu)

Somewhere on the page you should find a button labeled “New static site”. Now you can fill in all the preferences for your new site. The most important textbox is at “Assets”, where you specify the hosts (IP or hostname) to scan. Next (at “Scan Setup”) choose a template (and no, you can not alter the templates with the free edition of Nexpose :( ). As soon as you hit “Save” at the top of the page your new site is ready for a security scan.

Go back to the “Asset Overview” page and click the green play button next to the name of the site you just created. After confirming the scan summary, the assets you defined get scanned.

Are there any reports?

Yes, there are :) Just click the “Reports” button on the panel. Then select “New report” and work your way through the report wizard. You can select a lot of parameters, like automatic report generation after each scan and different formats for your report. Make sure to select your site in the “Scope” section.

That’s it – I hope I covered the most important tasks and steps with Nexpose. Have fun! :)

Summary

I like

Detailed reports – The report you end up with is very detailed. It includes charts and other visuals to help you identify vulnerabilities. If Nexpose finds a security issue it reports exactly where it is and what you can do about it (including knowledge-base articles and other third-party references).
Scheduling – Easy scheduling of security scans. Just set up the site and set a timetable (including recurring/periodic scans).

I don’t like

Fixed templates – With the free version you can not change or alter existing scan templates. There is no way to change the ports (or port range) and you can not see which vulnerabilities are checked. Additionally you can not create a new template. Editing/adding is possible with the “Express Edition”, which sells for about 3000 USD.
OS fingerprinting – During testing, fingerprinting didn’t work at all. No host was identified correctly.

References and links

Rapid7 Website: http://www.rapid7.com/
Nexpose system requirements: http://www.rapid7.com/products/nexpose/system-requirements.jsp
Comparison of Nexpose versions: http://www.rapid7.com/products/nexpose/compare-and-buy.jsp

P.S.: That was my first blog post here – feedback is appreciated :)