Whitepaper - David Marcoux, CISSP

advertisement
Using Nessus in a New Way
By: David Marcoux, CISSP
Introduction
Nessus is a popular software tool that scans computers and network devices for wellknown security vulnerabilities. It includes over 2000 different security tests, and the most
common way to use Nessus is to perform all of the tests. For large enterprise networks,
however, Nessus is not ideal because the scanning process is often very time-consuming
and the results can be overwhelming.
Nessus is like a shotgun—blasting network hosts with a barrage of security tests, but the
results from a typical Nessus scan can be sloppy. Can Nessus perform more like a
scalpel—quickly slicing quickly though an entire enterprise network?
Focus on a Single Vulnerability
Security experts should consider a new paradigm for identifying and correcting
vulnerable systems on their enterprise network. Scanning for a single vulnerability,
instead of scanning for all vulnerabilities, forces an organization to prioritize its risks and
then systematically focus on correcting one problem at a time. Thus, the process of
mitigating risk becomes more manageable and more measurable.
Other organizations now recognize the importance of honing in on a short list of known
vulnerabilities as a method of raising the organization’s overall security quotient. For
example, in 2001 the SANS/FBI Top 20 list was first published in an effort to raise
awareness about frequently exploited vulnerabilities.
Batch Scanning
Nessus is traditionally used as an interactive graphical scanning tool, but it can also be
used in a command-line mode. The powerful but often overlooked command line options
look something like this:
$ nessus –T <output format> <Nessus Server Host> <Nessus Server Port>
<User> <Pass> <Target Addresses List> <Output File>
The command line options are too tedious to remember and type correctly, therefore in
2003 I developed a small UNIX shell script called batch-scanner.sh to illustrate how to
harness the power of the command line options and automate the scan process. Batchscanner.sh requires you to specify a text input file and an output directory in order to run
properly.
Batch-Scanner.sh usage:
$ batch-scanner <input file> [results directory]
The input file needs three fields per line: Label, IP Range, and Contact Email and the
fields must be separated by either a space or tab.
Sample input file:
LAN_SEG_1
LAN_SEG_2
10.1.9.0-10.1.3.254
10.3.4.0-10.3.4.254
infosec@nyc.my.com
help@hq.my.com
The output file, ScanReport.csv, lists each vulnerable system in a comma separated value
(CSV) format, which can be easily imported into Microsoft Excel or a similar tool.
Sample output file, ScanReport.csv:
IP Address,Scan Time,Location,Domain,Hostname,Username,DNS
10.1.9.42,04-Mar 11:31 EST,LAN_SEG_1,ACC,RS3,RJONES,rs3.acc.my.com.
10.3.4.99,04-Mar 11:39 EST,LAN_SEG_2,AYY,RS9,BSMITH,rs9.ayy.my.com.
Batch-Scanner.sh provides some rudimentary screen messages to indicate its progress.
Sample screen output:
$ ./batch-scanner.sh
Input.txt
/data/MyScanResults
Nessus Batch Scanner version: 0.4b
Send Email flag=0
Send Popup flag=0
Writing results to directory: /data/MyScanResults
Scanning IP Range #1: 10.55.3.0-10-55.3.254 (LAN_SEG_1) ...
Scanning IP Range #2: 10.32.4.0-10.32.4.254 (LAN_SEG_2) ...
Results dir: /data/MyScanResults
Start Time: Thu Jun 3 14:17:55 EDT 2004
Finish Time: Thu Jun 3 14:18:25 EDT 2004
Batch-Scanner.sh also supports two additional reporting features: email notification and
SMB pop-up messages. The email notification feature is useful because it immediately
puts useful information into the hands of the system manager. Moreover, the SMB popup feature is useful because it immediately notifies the user about the vulnerability, which
can in turn put pressure on the system manager to take corrective action.
To enable either feature, you simply edit the file batch-scanner.sh and set the variables
“email=” or “netsend=” to 1 instead of 0.
[ begin excerpt from batch-scanner.sh ]
# email=1
# email=0
email=0
# (Send email notification to the contact address)
# (DO NOT send email notification to contact address)
[ end excerpt from batch-scanner.sh ]
Configure a Batch Scans
The most complex step required to use batch-scanner.sh is properly configuring the
Nessus client. Below is a list of the necessary steps:
1. Start the Nessus client GUI.
2. Choose the single Nessus plug-in that you want to use.
3. Typically you will want to tweak your scan options for optimal results. I
generally select NMAP SYN scans and then I use tcpdump to verify the
efficiency of my scanning.
4. Run a practice Nessus scan against a well-known network segment.
5. Exit the Nessus client GUI. When you exit, your configuration is saved to the
Nessus client configuration file in your *NIX home directory (.nessusrc). If the
Nessus configuration file becomes corrupted, you can delete it and start over.
6. Run the script batch-scanner.sh. When you run batch-scanner.sh it will invoke
the Nessus server (nessusd) with the same client configuration options that you
established with the client GUI.
7. Once the script completes review the output file, ScanResults.csv.
Requirements
The batch-scanner.sh script was developed and tested on a Red Hat Linux version 9 and
it should run with few modifications on any *NIX system.
General Requirements
1. User level console access to a *NIX system running X-Windows and Nessus.
2. Nessusd server information including hostname, port, username and password.
Note that the Nessusd account is separate from an operation system account.
You will need to edit batch-scanner.sh to customize these variables.
user=MyNessusUsername (usually root)
pass=MyNessusPassword
host=MyNessusServerHost (usually localhost)
port=MyNessusServerPortNumber (usually 1241)
3. A list of IP addresses (or address ranges) that you are authorized to scan.
4. Optional: Contact email address for the system manager of each IP address (or
address range).
System Requirements
1. Nessus client and server (recommend version 2.0 or higher).
2. Optional: Sendmail must be installed and configured in order to use the email
notification feature.
3. Optional: The SMB tools (smb-client and smb-common) need to be installed to
use the SMB pop-up feature.
Download
Batch-Scanner.sh is free and I encourage you to use it and share your modifications and
enhancements.
Script download site:
http://www.baseband.net/security/
About The Author
David Marcoux, CISSP is an information security professional with over ten years
experience.
Copyright, David Marcoux 2004
Download