Checking Your Work with Scanners, Part II: Nessus
Last month we began exploring the dangerous and fun world of scanning, focusing on the powerful port scanner Nmap. Nmap helps system administrators and security auditors (and yes, prospective crackers too) determine which services a given host is accepting connections for.
Seeing what points of entry a host offers is a good start in evaluating that host's security. But how do we interpret the information Nmap gives us? For example, in one of the scans we tried last month, the output looked like Listing 1.
Just what does this mean? Sure, we know this host is running a web server (on TCP 80), some level of RPC services (UDP 111, UDP 1026) and probably Windows shares, too (UDP 137, TCP 138-139). But which of these services are actually exploitable?
This is where security scanners come in. At the risk of getting ahead of ourselves, let's look at the output from a Nessus scan of our test target (see Figure 1).
Space doesn't permit me to show the entire (expanded) report, but even this abbreviated version shows that Nessus identified seven apparent “holes”, or potentially exploitable vulnerabilities in our target system. It also generated four additional warnings and provided two supplemental security notes.
Among other things (you can't see all of this in Figure 1, so you'll have to take my word for it), Nessus determined that this host was running the Sambar web server with no administrative password and with the dangerous mailit.pl cgi-script, had its entire C:\ drive shared without any password set (and even if one had been set, Nessus determined that this system was vulnerable to both “Null session” connections and “first-letter” passwords), was running an FTP server on TCP port 1432 (which Nmap, going by its port table, had incorrectly guessed was the blueberry-lm service) and had a TCP/IP stack that used predictable TCP sequence numbers. Predictable sequence numbers can be exploited in a number of ways, including TCP session-hijacking and IP-spoofing attacks.
Yow! This host is ripe to be owned.
So, what is this deadly magic called Nessus? And why did it dance little circles around Nmap when it came to analyzing this system?
Whereas a port scanner like Nmap (which is the gold standard in port scanners) tells you what's listening, a security scanner like Nessus tells you what's vulnerable. Since you need to know what's listening before even trying to probe for actual weaknesses, security scanners usually either contain or are linked to port scanners.
As it happens, Nessus invokes Nmap as the initial step in each scan. Thus, it was misleading of me to imply that Nessus out-analyzed Nmap: Nessus depends on Nmap.
Once a security scanner has determined which services are present, it performs various checks to determine which software packages are running, which version of each package appears to be installed and whether those versions are subject to any known vulnerabilities. Predictably, this level of intelligence requires a good vulnerability database that must be updated periodically as new vulnerabilities come to light.
Ideally, the database should be user-editable, i.e., it should be possible for you to create custom vulnerability tests particular to your environment and needs. This also ensures that, should the scanner's developer not immediately release an update for a new vulnerability, you can write the check yourself. Not all security scanners have this level of customizability, but Nessus does.
After a security scanner locates, identifies and analyzes the listening services on each host it's been configured to scan, it creates a report of its findings. The better scanners don't stop at pointing out vulnerabilities; they explain them in detail and suggest how to fix them.
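To make the pipeline just described concrete (take the port scanner's list of listening services, correct its guesses from banners, run an editable set of checks, then report holes, warnings and notes), here is a small added example in Python. It is illustrative code written for this article, not Nessus's own code or its NASL plugin language. The host data, the product names (ExampleFTPd, ExampleHTTPd) and the "vulnerability" thresholds are all constructed; the only real-world detail mirrored is that a scanner names ports from a table, so a daemon on a non-standard port gets misidentified until its banner is read.

```python
"""Toy security-scanner core (added example, not Nessus code).

Input:  what a port scanner found on one host (proto, port, name guess,
        and a banner grabbed on connect, if any).
Steps:  1. identify()  - fix the scanner's name guess from the banner
        2. scan()      - run every check in a user-editable list
        3. summarize() - count findings per Nessus-style severity
All services, products, versions and checks below are constructed.
"""
import re
from dataclasses import dataclass, replace


@dataclass
class Service:
    proto: str          # "tcp" or "udp"
    port: int
    name: str           # the port scanner's guess, from its port table
    banner: str = ""    # what the service said on connect, if anything


@dataclass
class Finding:
    severity: str       # "hole", "warning" or "note"
    where: str          # e.g. "tcp/1432"
    title: str
    fix: str


def parse_version(text):
    """First dotted version number in text as a tuple of ints, or None."""
    m = re.search(r"\b(\d+(?:\.\d+)+)\b", text)
    return tuple(int(x) for x in m.group(1).split(".")) if m else None


def version_below(text, threshold):
    """True if text carries a version numerically below threshold.
    Tuples, not strings, so 1.10 sorts after 1.9."""
    v = parse_version(text)
    return v is not None and v < tuple(int(x) for x in threshold.split("."))


def identify(svc):
    """Override the port-table guess with what the banner actually shows."""
    b = svc.banner
    if re.match(r"220[ -].*FTP", b, re.I):
        return replace(svc, name="ftp")
    if b.startswith("HTTP/") or "Server:" in b:
        return replace(svc, name="http")
    if b.startswith("SSH-"):
        return replace(svc, name="ssh")
    return svc


# The user-editable "vulnerability database": plain dicts, each with a
# predicate over an identified Service. Append your own to extend it.
CHECKS = [
    {"id": "exampleftpd-pre-2.0", "severity": "hole",
     "applies": lambda s: s.name == "ftp" and "ExampleFTPd" in s.banner
                          and version_below(s.banner, "2.0"),
     "title": "ExampleFTPd older than 2.0 (hypothetical product and flaw)",
     "fix": "Upgrade ExampleFTPd to 2.0 or later."},
    {"id": "ftp-banner-version", "severity": "warning",
     "applies": lambda s: s.name == "ftp" and parse_version(s.banner) is not None,
     "title": "FTP greeting discloses the server version",
     "fix": "Configure the daemon to send a generic greeting."},
    {"id": "http-server-version", "severity": "warning",
     "applies": lambda s: s.name == "http"
                          and re.search(r"Server:\s*\S+/\d", s.banner) is not None,
     "title": "HTTP Server header discloses product and version",
     "fix": "Suppress or trim the Server header."},
    {"id": "rpc-portmapper", "severity": "note",
     "applies": lambda s: s.proto == "udp" and s.port == 111,
     "title": "RPC portmapper reachable; registered programs can be enumerated",
     "fix": "Filter port 111 from untrusted networks unless RPC is needed."},
    {"id": "netbios-session", "severity": "note",
     "applies": lambda s: s.proto == "tcp" and s.port == 139,
     "title": "NetBIOS session service reachable; shares may be enumerable",
     "fix": "Filter TCP 139 from untrusted networks."},
]


def scan(services, checks=CHECKS):
    """Identify each service, then apply every check to it."""
    findings = []
    for raw in services:
        svc = identify(raw)
        for chk in checks:
            if chk["applies"](svc):
                findings.append(Finding(chk["severity"], f"{svc.proto}/{svc.port}",
                                        chk["title"], chk["fix"]))
    return findings


def summarize(findings):
    counts = {"hole": 0, "warning": 0, "note": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed scan results for one test host; not real Nmap output.
TARGET = [
    Service("tcp", 80, "http", "HTTP/1.0 200 OK\r\nServer: ExampleHTTPd/1.1\r\n"),
    Service("udp", 111, "sunrpc"),
    Service("tcp", 139, "netbios-ssn"),
    Service("tcp", 1432, "blueberry-lm", "220 ExampleFTPd 1.4 ready\r\n"),
]

if __name__ == "__main__":
    results = scan(TARGET)
    for f in sorted(results, key=lambda f: ("hole", "warning", "note").index(f.severity)):
        print(f"[{f.severity:7}] {f.where:9} {f.title}\n          fix: {f.fix}")
    print(summarize(results))
```

Note how tcp/1432 is reported as an FTP hole even though the port scanner labelled it blueberry-lm: the banner, not the port number, decides what the checks see. Adding a new check means appending one more dict to CHECKS (or passing your own list to scan), which is the user-editable database the text asks for.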
So meaty are the reports generated by good security scanners that highly paid consultants have been known to present them as the primary deliverables of supposedly comprehensive security audits. This is a questionable practice, but it emphasizes the fact that a good scan produces a lot of data.
There are a number of free security scanners available: VLAD, SAINT and Nessus are just a few. Nessus, however, stands out as a viable alternative to powerful commercial products, such as ISS' Internet Scanner and NAI's CyberCop Scanner. Developed primarily by Renaud Deraison and Jordan Hrycaj, Nessus surely ranks with the GIMP and Apache as tools that equal and in many ways exceed the usability and flexibility of their proprietary counterparts.
Before we go any further, I should repeat last month's caution: knowledge is power—use it responsibly! Tools such as Nessus and Nmap should only be run against systems and networks you're authorized to scan. And note that unauthorized port scanning, while frowned upon, is generally not illegal, but unauthorized security-scanning can get you into a great deal of trouble. Consider yourself warned.