Hack 45 Audit Network Security 
Use the nessus tool under Knoppix to perform a
security audit on your network.
Being a systems administrator is 90%
boredom and 10% absolute panic. When a virus or worm infects your
network, or a new exploit is announced, you want to confirm that all
of your machines are patched and that none of your machines are
vulnerable to any other known exploits. To reduce your stress during
those panic times, put some of that 90% boredom to good use, and
audit your network for vulnerabilities. To aid in network security
audits, Knoppix includes the
nessus
tool, an excellent open source vulnerability scanner. With
nessus on Knoppix, you can boot up on any
machine on your network and perform an audit.
5.10.1 Nessus
The nessus tool is actually split into two
parts: the nessusd server, which runs in the
background and performs all of the actual scanning, and the
nessus client, which provides an interface for
nessus users to start network audits and view
results.
Nessus allows for a detailed (and noisy) look at
a given network or a given host. It probes each subnet, domain, and
host that it finds in the ways that you direct it to.
To make Nessus as useful as possible, new
plug-ins for Nessus are published frequently.
You can get these plug-ins for your Nessus
server by running the script
nessus-update-plugins. While this script
eliminates the time-consuming work of downloading plug-ins, it
isn't without risk. The plug-ins are not signed, and
it is possible for an attacker to hijack your updates and replace
them with their own malware, so don't run this on an
insecure network (such as HOPE or Defcon). This is a known risk; the
manpage has more information on this subject.
To run the update script, you need root privileges, so click K
Menu → KNOPPIX → Root Shell. The default
/etc/nessus configuration directory and the
/usr/lib/nessus/plugins directory are on
read-only media, so you must move the configuration directory out of
the way, recreate it on the ramdisk with a copy of its contents, and
copy the plug-in directory in beside it so the update script has a
writable place to download the new plug-ins to:
root@ttyp0[knoppix]# mv /etc/nessus /etc/nessus.bak
root@ttyp0[knoppix]# mkdir /etc/nessus
root@ttyp0[knoppix]# cp -a /etc/nessus.bak/* /etc/nessus/
root@ttyp0[knoppix]# cp -a /usr/lib/nessus/plugins /etc/nessus/
Now edit /etc/nessus/nessusd.conf and change:
plugins_folder = /usr/lib/nessus/plugins
to:
plugins_folder = /etc/nessus/plugins
Now run the nessus-update-plugins script and
download all of the new plug-ins:
root@ttyp0[knoppix]# nessus-update-plugins -v
. . .
./osticket_view_attachments.nasl
./freebsd_php_438.nasl
./php_strip_tags_memory_limit_vuln.nasl
root@ttyp0[knoppix]#
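The relocation and configuration edit above, wrapped as a reusable script. This is an added example, not code from the book or the Nessus project; it takes the two directories as parameters (so it can be tried on a scratch tree), refuses to clobber an existing backup, and adds a checksum manifest of the plug-in directory so you can see exactly which unsigned plug-ins an update changed:

```shell
#!/bin/sh
# Added example (not from the book or the Nessus project): stage the Knoppix
# nessus configuration and plug-in tree on writable storage so that
# nessus-update-plugins can write new plug-ins into it. Both paths are
# parameters so the function can be exercised on a scratch directory.

# Move $1 (the config dir, normally /etc/nessus) aside, recreate it as a
# writable copy, copy the plug-in tree $2 (normally /usr/lib/nessus/plugins)
# underneath it, and point plugins_folder in nessusd.conf at the copy.
stage_nessus_config() {
    etc_dir=$1
    plugin_src=$2
    conf="$etc_dir/nessusd.conf"

    # Running twice must not nest a second backup; detect a finished staging.
    if [ -d "$etc_dir/plugins" ] && grep -qF "plugins_folder = $etc_dir/plugins" "$conf"; then
        echo "already staged: $etc_dir"
        return 0
    fi
    if [ -e "$etc_dir.bak" ]; then
        echo "refusing to overwrite existing backup $etc_dir.bak" >&2
        return 1
    fi

    mv "$etc_dir" "$etc_dir.bak"
    mkdir "$etc_dir"
    cp -a "$etc_dir.bak/." "$etc_dir/"        # "/." also picks up dotfiles
    cp -a "$plugin_src" "$etc_dir/plugins"

    # Rewrite the plugins_folder line via a temp file (no reliance on sed -i).
    sed "s|^plugins_folder *=.*|plugins_folder = $etc_dir/plugins|" "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
}

# Checksum manifest of every .nasl plug-in, sorted so two manifests diff
# cleanly. The plug-ins are unsigned, so compare a manifest taken before the
# update with one taken after to see exactly which files changed.
plugin_manifest() {
    ( cd "$1" && find . -type f -name '*.nasl' | LC_ALL=C sort | xargs -r md5sum )
}

# Typical sequence on Knoppix, run as root (commented out so the functions
# can be sourced without side effects):
#   stage_nessus_config /etc/nessus /usr/lib/nessus/plugins
#   plugin_manifest /etc/nessus/plugins > /tmp/plugins.before
#   nessus-update-plugins -v
#   plugin_manifest /etc/nessus/plugins | diff /tmp/plugins.before -
```

The manifest diff is the practical answer to the unsigned-plug-in problem on an untrusted network: it does not make the download safe, but it tells you which files arrived so you can inspect them before nessusd loads them.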
With all of the latest plug-ins ready to use, click K
Menu → System → Security → Nessus Security Tool
to launch the Nessus client.
5.10.2 Nessusd Host
Knoppix has a modified version of nessus that is
preconfigured and easy to use. The normal nessus
setup requires setting up certificates and passwords to connect to
the server. The Knoppix version of nessus has
been modified to use a login and password that has already been set
up for you, so you don't need to set up each time
you use nessus with Knoppix. To connect to the
nessusd server, make sure the host, port, login,
and password fields under the Nessusd host tab are filled out with
localhost, 1241, knoppix, and knoppix, respectively; then click Log
In.
The new window that appears asks you to choose an SSL setup. It is OK
to accept the default; click Yes to accept the certificate with which
you are presented.
5.10.3 Plug-ins
Some plug-ins included with nessus have the
ability to crash remote services or hosts. These plug-ins are
disabled by default, and you should enable them only if you know what
you are doing.
After you have logged in, the Plugins tab will be selected (Figure 5-5). It contains a list of all the categories of
plug-ins on the nessusd that are available to
you as a client.

You can select and deselect entire categories for a given target or
network of targets. By clicking on each of the categories, a list of
individual tests is shown in the space below.
The tests that have an icon of a triangle with an exclamation point
"!" next to them are tests that may
result in damage or destruction of the system in question. By
default, these tests are disabled, as noted previously.
For your first scan, it's best to click the
"Enable all but dangerous plugins"
button, then select only the relevant groups of plug-ins from
what's now available. If you know the host
you're going to scan isn't a Cisco
router, you don't need to scan it with every Cisco
plug-in. Choose your selection depending on your need. This increases
the speed of your probing, as it's going to test
only what you tell it to.
5.10.4 Prefs
After you select the desired plug-ins, click the Prefs tab.
Start at the top and work your way down, selecting the options that
you want. Note that the differences in each preference can have a
major impact on the type, length, and stealth of a given scan.
Nessus uses nmap to perform
port scans on targets. You can load a previous
nmap port scan to speed up the scanning process.
Scroll down in the Prefs tab and enter the nmap
results in a field labeled "File
containing nmap's results."
The nessus that comes with Knoppix has features
that are disabled, because most of the other tools that
nessusd uses are not on the CD. One example of
this is nessus's ability to
force logins for various protocols. If your needs include some of
these types of scans, you have outgrown the default Knoppix
distribution and should give a security-focused distribution such as
Knoppix STD [Hack #87] a try.
5.10.5 Scan
The Scan tab allows you to set the various scan options for the
different methods of scanning. A number of plug-ins are listed at the
bottom of the panel that can be disabled if they
don't suit your need for scanning.
5.10.6 Target Selection
In the Target Selection tab, you can select your targets for
scanning. You may enter multiple targets into the top field if you
separate them with a comma, such as:
172.16.0.1,172.16.0.2,192.168.0.0/24,www.lostinthenoise.net
If the network's DNS server allows you to perform a
zone transfer, you can enter that DNS server here.
Nessus then automatically probes all the hosts
that are returned by the zone transfer. It's worth
noting that it's a bad idea to enter multiple hosts
and enable zone transfers, because nessus
attempts a zone transfer for each host, which can potentially
generate a lot of network traffic and a lot of hosts to scan.
Separate those scans from your general, random RFC 1918-address space
scans unless you know better.
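A small pre-flight check for the target list, as an added example that is not part of the book or of Nessus. It parses the comma-separated list in the form the Target Selection tab accepts, reports how many addresses the scan will cover (a /24 is 256 hosts, and a hostname that turns out to be a zone-transferable DNS server can multiply that), and warns about every entry outside RFC 1918 private space so that a typo does not turn an audit of your own network into an unauthorised scan of somebody else's. Hostnames, IPv4 addresses and CIDR blocks are the only forms handled:

```shell
#!/bin/sh
# Added example (not from the book or the Nessus project): sanity-check the
# comma-separated target list from the Target Selection tab before a scan.

# True if $1 is a dotted-quad IPv4 address with octets 0-255.
is_ipv4() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# True if $1 lies in 10/8, 172.16/12 or 192.168/16.
is_rfc1918() {
    is_ipv4 "$1" || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$1" -eq 10 ] && return 0
    [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 0
    [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0
    return 1
}

# Print the number of addresses one target covers: 2^(32-prefix) for a CIDR
# block, 1 for a single address or hostname. Returns 1 on a malformed target.
target_size() {
    case "$1" in
        */*)
            prefix=${1#*/}
            is_ipv4 "${1%/*}" || { echo 0; return 1; }
            case "$prefix" in ''|*[!0-9]*) echo 0; return 1 ;; esac
            [ "$prefix" -le 32 ] || { echo 0; return 1; }
            echo $(( 1 << (32 - prefix) ))
            ;;
        *)
            echo 1
            ;;
    esac
}

# Walk the list, warn (on stderr) about every target outside RFC 1918 space
# (hostnames included, since they can resolve to anything) and print the
# total address count. Returns 1 if any target is malformed.
check_targets() {
    total=0
    old_ifs=$IFS; IFS=,
    set -- $1
    IFS=$old_ifs
    for target in "$@"; do
        size=$(target_size "$target") || { echo "invalid target: $target" >&2; return 1; }
        case "$target" in */*) base=${target%/*} ;; *) base=$target ;; esac
        if ! is_rfc1918 "$base"; then
            echo "warning: $target is outside RFC 1918 space; confirm you are allowed to scan it" >&2
        fi
        total=$((total + size))
    done
    echo "$total"
}

# Usage with the list from the text:
#   check_targets '172.16.0.1,172.16.0.2,192.168.0.0/24,www.lostinthenoise.net'
# prints 259 and warns about the hostname.
```

The total is the number you weigh against the scan's runtime and the IDS noise it will generate; the warnings are the ones to resolve before clicking "Start the scan".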
Check the box for saving your session, because it is handy to have
access to information that you have already created.
5.10.7 User Rules
The User Rules tab allows you to configure limitations on different
users who access nessus. You can see the default
rule sets in the file
/etc/nessus/nessusd.rules.
By default, Knoppix allows everything.
5.10.8 Knowledge Base
If you wish to save your scans on the nessusd
host for future reference, enable knowledge-base (KB) report-saving
to rerun scans regularly, to stop and resume scans, and to probe
conveniently. It's useful to use the difference scan
options (check "Reuse the knowledge bases about the
hosts for the test," and then check
"Only show differences with the previous
scan") to see what's changed since
the last time you scanned a given host.
5.10.9 Credits
Who could forget the Credits tab?
Many thanks are attributed to the authors and contributors of this
fine product. It's not the only one of its kind, but
it's the best open source/free-software project of
its type. It's easy to modify and even easier to
extend with your own plug-ins.
5.10.10 Start the Scan
With all of the preferences configured (or left at their defaults),
click the "Start the scan" button.
The current status of the scan is shown in a window. You can stop the
scan at any point. Otherwise, take a coffee break or enjoy a movie,
and then come back to read the report and its results. Depending on
the probing depth that you have selected, this part of the process
varies in completion time.
5.10.11 The Results
If you've made it this far, you're
looking for results.
After the progress bars reach their end, the Nessus NG report is
displayed with the familiar setup window.
For my sample scan, I chose to probe a local machine. The results
are shown in a split-screen view that makes it easy to assess the
results for many hosts and subnets (Figure 5-6).

In this example, the results are broken into five main sections:
Subnet, Host, Port, Severity, and Descriptions.
You can see the number of open ports detected for each selected host,
and for each port, you can see the severity of the potential security
hole. This host has a number of security warnings, notes, and holes.
Each different alert suggests fixes for the various problems that it
has. It's quite obvious that this machine is running
Windows 2000 and is lacking all of the needed updates available from
Microsoft.
5.10.12 Save the Report
You can save the report in a variety of formats, including NBE, NSR,
XML, HTML, LaTeX, ASCII text, or even HTML with pie charts and
graphs. To revisit any past reports, click on the load report button.
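The report sections described above (Subnet, Host, Port, Severity, Description) map directly onto the NBE save format, which makes a saved report easy to triage from the shell when many hosts were scanned. The following is an added example, not code from the book or the Nessus project. It assumes NBE records are pipe-separated as `results|subnet|host|port|plugin id|severity|description` with severities "Security Hole", "Security Warning" and "Security Note"; check that layout against a report saved from your own nessus before relying on it. The embedded sample report is constructed, with placeholder plug-in ids:

```shell
#!/bin/sh
# Added example (not from the book or the Nessus project): per-host triage of
# a saved NBE report. NBE is assumed here to be the pipe-separated record
#   results|subnet|host|port|plugin id|severity|description
# with severities "Security Hole", "Security Warning" and "Security Note".

# Constructed sample report: placeholder plug-in ids and descriptions, not
# real scan output.
nbe_sample() {
    cat <<'EOF'
timestamps|||scan_start|Thu Jan  1 00:00:00 2004|
results|192.168.0|192.168.0.10|www (80/tcp)|10001|Security Note|(constructed) a web server answers on this port
results|192.168.0|192.168.0.10|microsoft-ds (445/tcp)|10002|Security Hole|(constructed) host lacks a vendor update
results|192.168.0|192.168.0.10|netbios-ssn (139/tcp)|10003|Security Warning|(constructed) anonymous session allowed
results|192.168.0|192.168.0.11|ssh (22/tcp)|10004|Security Note|(constructed) an SSH server answers on this port
timestamps|||scan_end|Thu Jan  1 00:30:00 2004|
EOF
}

# One line per host: "host holes warnings notes", worst host first, so the
# machines needing patches come to the top of a large report.
nbe_summary() {
    awk -F'|' '
        $1 == "results" {
            hosts[$3] = 1
            if ($6 == "Security Hole")         holes[$3]++
            else if ($6 == "Security Warning") warns[$3]++
            else                               notes[$3]++
        }
        END {
            for (h in hosts)
                printf "%s %d %d %d\n", h, holes[h] + 0, warns[h] + 0, notes[h] + 0
        }' "$@" | sort -k2,2nr -k1,1
}

# Number of hosts with at least one Security Hole: the figure to report after
# a post-patch rescan, when it should be zero.
nbe_hosts_with_holes() {
    nbe_summary "$@" | awk '$2 > 0' | wc -l | tr -d ' '
}

# Usage, once nessus has saved a report as (say) scan.nbe:
#   nbe_summary scan.nbe
#   nbe_hosts_with_holes scan.nbe
```

Run the same summary against the NBE files from two successive scans and the difference in the hole count per host is a quick, scriptable version of the "Only show differences with the previous scan" option in the client.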
5.10.13 Drawbacks to Using Nessus
The drawbacks to using nessus are mainly that it
can be slow (if you're dealing with a large number
of hosts), damaging (if you don't pay attention),
and illegal (if you don't have permission). It can
also give a false sense of security (no program catches everything),
and it's quite noisy (HIDS/NIDS detects
nessus). Remember that security is a process: it
isn't a problem that can be solved simply by
throwing software solutions at it. It's also worth
noting that this is simply one part of a good security analysis of
your network.
If you're seriously interested in security, check
out Knoppix STD [Hack #87] . It has
nearly everything that Knoppix is missing. It's the
right tool for the job if you're interested in
security.
—Jake Appelbaum