Using Nessus in a New Way By: David Marcoux, CISSP Introduction Nessus is a popular software tool that scans computers and network devices for wellknown security vulnerabilities. It includes over 2000 different security tests, and the most common way to use Nessus is to perform all of the tests. For large enterprise networks, however, Nessus is not ideal because the scanning process is often very time-consuming and the results can be overwhelming. Nessus is like a shotgun—blasting network hosts with a barrage of security tests, but the results from a typical Nessus scan can be sloppy. Can Nessus perform more like a scalpel—quickly slicing quickly though an entire enterprise network? Focus on a Single Vulnerability Security experts should consider a new paradigm for identifying and correcting vulnerable systems on their enterprise network. Scanning for a single vulnerability, instead of scanning for all vulnerabilities, forces an organization to prioritize its risks and then systematically focus on correcting one problem at a time. Thus, the process of mitigating risk becomes more manageable and more measurable. Other organizations now recognize the importance of honing in on a short list of known vulnerabilities as a method of raising the organization’s overall security quotient. For example, in 2001 the SANS/FBI Top 20 list was first published in an effort to raise awareness about frequently exploited vulnerabilities. Batch Scanning Nessus is traditionally used as an interactive graphical scanning tool, but it can also be used in a command-line mode. The powerful but often overlooked command line options look something like this: $ nessus –T <output format> <Nessus Server Host> <Nessus Server Port> <User> <Pass> <Target Addresses List> <Output File> The command line options are too tedious to remember and type correctly, therefore in 2003 I developed a small UNIX shell script called batch-scanner.sh to illustrate how to harness the power of the command line options and automate the scan process. Batchscanner.sh requires you to specify a text input file and an output directory in order to run properly. Batch-Scanner.sh usage: $ batch-scanner <input file> [results directory] The input file needs three fields per line: Label, IP Range, and Contact Email and the fields must be separated by either a space or tab. Sample input file: LAN_SEG_1 LAN_SEG_2 10.1.9.0-10.1.3.254 10.3.4.0-10.3.4.254 infosec@nyc.my.com help@hq.my.com The output file, ScanReport.csv, lists each vulnerable system in a comma separated value (CSV) format, which can be easily imported into Microsoft Excel or a similar tool. Sample output file, ScanReport.csv: IP Address,Scan Time,Location,Domain,Hostname,Username,DNS 10.1.9.42,04-Mar 11:31 EST,LAN_SEG_1,ACC,RS3,RJONES,rs3.acc.my.com. 10.3.4.99,04-Mar 11:39 EST,LAN_SEG_2,AYY,RS9,BSMITH,rs9.ayy.my.com. Batch-Scanner.sh provides some rudimentary screen messages to indicate its progress. Sample screen output: $ ./batch-scanner.sh Input.txt /data/MyScanResults Nessus Batch Scanner version: 0.4b Send Email flag=0 Send Popup flag=0 Writing results to directory: /data/MyScanResults Scanning IP Range #1: 10.55.3.0-10-55.3.254 (LAN_SEG_1) ... Scanning IP Range #2: 10.32.4.0-10.32.4.254 (LAN_SEG_2) ... Results dir: /data/MyScanResults Start Time: Thu Jun 3 14:17:55 EDT 2004 Finish Time: Thu Jun 3 14:18:25 EDT 2004 Batch-Scanner.sh also supports two additional reporting features: email notification and SMB pop-up messages. The email notification feature is useful because it immediately puts useful information into the hands of the system manager. Moreover, the SMB popup feature is useful because it immediately notifies the user about the vulnerability, which can in turn put pressure on the system manager to take corrective action. To enable either feature, you simply edit the file batch-scanner.sh and set the variables “email=” or “netsend=” to 1 instead of 0. [ begin excerpt from batch-scanner.sh ] # email=1 # email=0 email=0 # (Send email notification to the contact address) # (DO NOT send email notification to contact address) [ end excerpt from batch-scanner.sh ] Configure a Batch Scans The most complex step required to use batch-scanner.sh is properly configuring the Nessus client. Below is a list of the necessary steps: 1. Start the Nessus client GUI. 2. Choose the single Nessus plug-in that you want to use. 3. Typically you will want to tweak your scan options for optimal results. I generally select NMAP SYN scans and then I use tcpdump to verify the efficiency of my scanning. 4. Run a practice Nessus scan against a well-known network segment. 5. Exit the Nessus client GUI. When you exit, your configuration is saved to the Nessus client configuration file in your *NIX home directory (.nessusrc). If the Nessus configuration file becomes corrupted, you can delete it and start over. 6. Run the script batch-scanner.sh. When you run batch-scanner.sh it will invoke the Nessus server (nessusd) with the same client configuration options that you established with the client GUI. 7. Once the script completes review the output file, ScanResults.csv. Requirements The batch-scanner.sh script was developed and tested on a Red Hat Linux version 9 and it should run with few modifications on any *NIX system. General Requirements 1. User level console access to a *NIX system running X-Windows and Nessus. 2. Nessusd server information including hostname, port, username and password. Note that the Nessusd account is separate from an operation system account. You will need to edit batch-scanner.sh to customize these variables. user=MyNessusUsername (usually root) pass=MyNessusPassword host=MyNessusServerHost (usually localhost) port=MyNessusServerPortNumber (usually 1241) 3. A list of IP addresses (or address ranges) that you are authorized to scan. 4. Optional: Contact email address for the system manager of each IP address (or address range). System Requirements 1. Nessus client and server (recommend version 2.0 or higher). 2. Optional: Sendmail must be installed and configured in order to use the email notification feature. 3. Optional: The SMB tools (smb-client and smb-common) need to be installed to use the SMB pop-up feature. Download Batch-Scanner.sh is free and I encourage you to use it and share your modifications and enhancements. Script download site: http://www.baseband.net/security/ About The Author David Marcoux, CISSP is an information security professional with over ten years experience. Copyright, David Marcoux 2004