A new Windows client gives you UNIX-powered security
Nessus Security Scanner is an open-source vulnerability scanner that you can use to audit your network. Available from http://www.nessus.org, Nessus has three primary components: a server that launches tests, a client that controls the server, and vulnerability plugins. The server/client division lets clients communicate with one server and lets you distribute tests among different users, and Nessus's many plugins let you run different attacks against a specified host and determine which holes are exploitable.
Although originally developed for UNIX systems—in fact, the Nessus server component runs only on UNIX—Nessus's plugins can attack Windows machines as well, and a GUI client called NessusWX is available for Windows. The scanner uses OS-fingerprinting techniques to identify the target OS and runs only plugins related to that OS.
Let's take a look at how to install and configure a Nessus server, then how to install the NessusWX client. Finally, we'll walk through the process of performing a security scan.
As I mentioned earlier, you must install the Nessus server on a UNIX host. The Nessus Web site doesn't specify the particular flavors of UNIX with which Nessus is compatible, but any reasonably modern version of UNIX should be able to compile it. I've successfully compiled the scanner on Linux (Red Hat Linux 7.2, Red Hat Linux 7.1, SUSE Linux 8.0, and SUSE Linux 7.1) and Sun Microsystems' Sun Solaris 8 and Sun Solaris 7.
Before you download and install Nessus, I recommend that you install Nmap 2.52, a port-scanning tool that you can download at http://www.insecure.org/nmap. If at all possible, also install OpenSSL, which ensures secure client-server communication and lets you test for Secure Sockets Layer (SSL) vulnerabilities; you can download OpenSSL at http://www.openssl.org. If you plan to use the UNIX GUI, you'll also need GTK 1.2, a UNIX graphics library, which you can download at ftp://ftp.gimp.org/pub/gtk/v1.2. Installation of these components is outside the scope of this article, but any modern Linux distribution (such as Red Hat Linux 7.3) will likely install them by default. Otherwise, the methods for installing these packages are similar to the method for installing Nessus.
To install the latest version of the Nessus server (version 1.2.5, as of this writing), use the nessus-installer.sh script, which you'll find in the \nessus-installer directory. Execute the script as root (i.e., the machine's superuser or administrator) by running the following command:
UNIX # sh ./nessus-installer.sh
The script prompts you for the location in which you want to install the binary files—the default location, \usr\local, should be fine for most users. The script then compiles the software and installs it for you. The script might prompt you to add \usr\local\lib to \etc\ld.so.conf; answer Yes.
Nessus contains a database of rules that can control how users use the scanner, but you must initialize the database, then use a certificate to secure it. Then, you can distribute the power of Nessus to certain individuals and groups, and you can prevent those individuals or groups from using Nessus outside a permissible range. For example, you can grant a top-level administrator the ability to scan all hosts while letting department administrators audit only their networks.
First, you need to install a security certificate so that the client can communicate with the server. The script creates a Certificate Authority (CA), if none currently exists, and a server certificate that authenticates the server. On the server, run the following (as the root):
UNIX # /usr/local /sbin/nessus-mkcert
The program will prompt you for information. For the most part, the default values will work fine—you can press Enter to accept a value presented within brackets as the default. First, enter your organization's name. Next, you need to add at least one user. To add a user, run the following command:
UNIX # /usr/local /sbin/nessus-adduser
At the resulting logon prompt, enter the username you want to use to connect to the server. The program will then prompt you for an authentication method: pass or cert. Choose pass (for password), and the program will prompt you for the user's password. The cert method permits authentication through a certificate file. (Interested users can find documentation about the cert method at the Nessus Web site.)
After you enter the password, the program will ask for the user's ruleset. Simply press Ctrl+D to give the user a blank ruleset. (I cover the syntax for user rules in the Nessus Rules for Users section.) Confirm the choices you made by choosing Y. You've now added a Nessus user.
Finally, start the Nessus daemon. Run the following command:
UNIX # /usr/local /sbin/nessusd -D
This command places Nessus in the background, listening on TCP port 1241.
Nessus includes a script—called nessus-update-plugins—with which you can download and install all available vulnerability plugins. If you've just installed Nessus, I recommend running the script as root. The script requires either Lynx or Wget, two common UNIX Web tools. Lynx is a command-line—based browser, and Wget can download entire Web sites easily. If you have either tool installed on your system (most standard Linux distributions do), the script will automatically locate the tool for you. Running the script with the -l option lists the plugins the script can fetch but doesn't actually install them. Using the -v or -vv option increases the detail of the output that the tool displays.
One word of caution: The script doesn't verify the authenticity of the plugins; it simply downloads them from the Nessus Web site. You must trust both the quality of the plugins and your connection to the Web site. You can use Cron, the UNIX command-scheduling facility, to run the nessus-update-plugins script nightly so that you always have the most up-to-date plugins. As the root, run
and enter a line similar to the following code. (To enter text, you must first press i.)
0 23 * * * /usr/local/sbin /nessus-update-plugins
where 0 is the minute, 23 is the hour, and asterisks indicate "all" for the day of the month, the month, and the day of the week. Therefore, the script runs every day at 11:00 p.m. After you enter this line, type
and press Enter.
The vulnerability database consists of scripts (or plugins) written in the C-like Nessus Attack Scripting Language (NASL). A complete NASL primer is available at http://www.nessus.org/doc/nasl.html. Essentially, NASL lets you easily create IP packets, test services, and configure attack methods—without compromising security. The language is designed to prevent the script from sending packets to any host other than the one you're scanning through the client and to prevent the script from running commands on the local system.
NASL doesn't have a debugger per se, but the package includes the standalone interpreter Nasl. You can therefore test a new script by running Nasl from the command line (as opposed to loading it into the GUI). The syntax is fairly straightforward:
nasl -t target_host nasl_script
Nessus Rules for Users
Nessus rules let users run attacks against only specific targets. Using these rules, you can ensure, for example, that a certain department audits only its network. Rule syntax is simple. Every line contains one of three keywords: accept, deny, or default. The first two keywords take an IP address followed by the subnet mask (e.g., 192.168.1.0/24). The default keyword takes accept or deny as an argument and prescribes the right Nessus grants by default if no other rules match the IP address.
You might give a user a ruleset (either in a file or through the Nessus-Adduser script) that resembles the following:
accept 192.168.0.0/16 accept client_ip deny 192.168.1.0/24 default deny
The keyword client_ip converts the client's IP address at runtime and lets you grant or deny a user's right to scan his or her machine.
For new users, simply add rules as the Nessus-Adduser program directs when you create the account. If you want to add rules for existing users, edit your ruleset, which resides in the \usr\ocal\var\nessus\username\auth\rules file, where username specifies the user for whom you want to add rules. (The Nessus-Adduser program automatically created this file.) You can also define systemwide rules to prevent any user from scanning certain network segments. Edit the \usr\local\etc\nessusd.rules file on the server on which Nessus is installed, and add the rules you want to globally enforce, one rule per line.
After you add or change rules, be sure to restart the Nessus daemon so that the server receives the updates. The command
UNIX # kill -HUP `cat /usr /local/var/nessus/nessusd.pid`
instructs the running Nessus daemon to reread the configuration files.
The Nessus Client
The GTK-interface client that the installation script automatically compiles is called Nessus. To start this client, simply boot into the GUI, click Run, and type
Because the GTK GUI is the original client, it has a different look and more features than the Windows client, which seems more of an afterthought. Where the GTK GUI rises above the Windows client is in its ability to modify the way the Nessus scanner works. When you set up the Nessus client, you'll find that you can specify port-scan types, Ping options, evasive options for the scans, and even brute-force options (on the Prefs. tab, which Figure 1 shows). If you want to specifically include or exclude any plugins, you can do so on the Plugins tab. The average user won't use most of these parameters, but systems administrators with specific goals might prefer the GTK GUI to the Windows GUI.
Although the GTK GUI is feature rich, not all organizations have access to a modern UNIX machine running X Window System with GTK. Most of us will need to use the Windows client, NessusWX.
The NessusWX Client
The Windows client is more complicated to set up and lacks many features of the GTK GUI. The Windows client's greatest benefit is probably its ability to output reports in a format that Microsoft Excel can understand. As of this writing, the most recent version of NessusWX is 1.4.1 (available at http://nessuswx.nessus.org). Make sure that you download the correct Windows GUI. Two other GUIs—WinNessus and NessusW—are available at the main Nessus Web site, but these GUIs are for archival purposes only and don't work with the latest version of Nessus.
Extract the .zip file to C:\NessusWX (or wherever you desire). You can download precompiled binaries, a self-installing archive, or the source code. For this article, I went with the first option—precompiled binaries—but the self-installing archive is intuitive for Windows users.
After you download and install the files, locate the directory that holds the executable files and double-click nessuswx.exe. Because you've never run Nessus before, the program will ask whether you want to create a database directory. Nessus might think you already have a database installed and will try to recover it. If that problem occurs, choose Yes (unless you actually do have a database that you want to preserve), and the program will create and populate C:\NessusDB for you.
A dialog box asks whether you want to accept the host's certificate. Choose Accept & Save to reconnect to the server. On Nessus's main screen, you'll see two panels: The session panel (at the top) displays the various sessions or scans that are available, and the message panel (at the bottom) displays realtime information about the program and the operations. To begin an operation, click Session, New, or press the Insert key.
Next, click Create, and you'll see a Session Properties dialog box, which Figure 2 shows. On the Targets tab, you can specify (by host, IP address range, or subnet) which computers to scan. The default values on the Scan Options tab should work fine for most users, but if your Web servers' cgi-bin directories reside in a nonstandard location, modify that field accordingly. On the Connection tab, you enter information about your Nessus server. Select the Use Session Specific Connection Information check box, and type your Nessus server's host name and port number (default is 1241) in the appropriate dialog boxes.
The TLSv1 option—which stands for Transport Layer Security—should work fine for encryption. The username and password fields should contain the same values that you entered when you ran the Nessus-Adduser command. If you don't select the Save Password check box, the program will prompt you for your password whenever you connect to the server.
On the Plugins tab, you can choose and configure the vulnerability plugins. However, you can't configure plugins until you have a connection to a Nessus server, which you don't have yet. Just click OK; you can return to the Properties dialog box later by right-clicking the session icon. Now, let's start scanning.
Performing a Security Scan
To perform a scan from the Nessus client, you must first enter the server, port, username, and password on the Nessusd host tab, then click Log in. After you connect to the Nessus server, click the Target selection tab and type the host or hosts you want to scan. To obtain a list of hosts to scan, you can also load a file that contains a list of host names or perform a DNS zone transfer. When you perform a DNS zone transfer, the system attempts to connect to the remote name server and obtain a list of all the hosts within the domain. (You shouldn't perform a zone transfer on sites without name servers.) After you choose your targets from the list of hosts, click Start the scan. When the scan is finished, you'll see a report that displays networks, hosts, and vulnerabilities, as Figure 3 shows. Clicking Save report lets you save the scan's results in a variety of formats, including HTML, HTML with pies and graphs, ASCII, XML, and LaTeX.
The session icon will appear in the program's main window. (If you haven't assigned it a name, it will likely be called Session1.) To perform a scan from the NessusWX client, right-click the session icon and select Execute. The program will connect you to the Nessus server and (if you didn't select Save Password) prompt you for a password. In the resulting dialog box, I recommend selecting the Enable session saving and Enable KB saving check boxes. Session saving keeps a record of the current scan, so you won't need to restart the scan in the event of a system crash. KB Saving is an experimental feature that remembers important information about a scanned host. (KB stands for Knowledge Base.) When you use KB Saving, subsequent scans against the same host will take less time because Nessus remembers the OS, open ports, and so on. You can also choose to perform a detached scan—a background scan that doesn't require user intervention. Click Execute.
The Scan Status dialog box, which Figure 4 shows, appears. The scan starts with an Nmap scan to discover listening ports, then tries the list of vulnerability plugins. The scan will likely take a while, particularly if you chose to use all the vulnerability plugins. You can enable or disable plugins by selecting Plugins from the Communications menu on the Nessus console (or by pressing F8). You can configure many of the plugins by choosing Communications, Plugins Preferences (or pressing Ctrl+F8). After the scan is finished, close the Scan Status dialog box. In the Manage Session Results dialog box that appears, select the most recently completed session and click View. The View Session Results dialog box displays information about the scanned host or hosts, including problems discovered. Yellow icons in the treeview indicate moderate vulnerabilities; red icons indicate critical problems. By clicking an icon, you can access a summary of the problem and possible methods of correction, as Figure 5 shows.
You can export the data into databases and other data formats. To view available export options, click Export in the Manage Session Results dialog box. To export to a MySQL database, you must select Settings from the File menu (or press F9) and configure the client. You can also export the scan data to a Comma Separated Value (CSV) file (which you can load into Excel) or an SQL table. Furthermore, you can later load these exported reports back into Nessus (or a different instance of the program) for record keeping.
One of Nessus's most useful tasks is its ability to create reports that are readable from outside the program. Using this ability, a network administrator can easily scan entire subnets and create easy-to-understand and -implement security fixes. In the Manage Session Results dialog box, click Report to output the session scan as a plaintext, HTML, or Adobe Acrobat PDF file. The reports list the detected vulnerabilities according to severity, which facilitates hole-patching. A Common Vulnerabilities and Exposures (CVE) number is attached to most of the listed vulnerabilities, so you can access further information about a given vulnerability at http://www.cve.mitre.org.
Nessus is available free under the GNU General Public License (GPL). You can download and install the software, and you'll encounter no restrictions for using it in your organization. New vulnerability tests are available every week on the Web site.
Nessus is a powerful, frequently updated vulnerability scanner that might prove to be an indispensable part of your systems administration toolkit. You can use it to quickly audit your network for potential security threats and nullify them before intruders exploit them. I encountered no false positives while performing my scans, and the accuracy of the plugins is always improving. If you're a security-conscious systems administrator, you'll want to add Nessus to your arsenal.