Make Nessus Your New Security Tool of Choice

by Carla Schroder

If you like nmap, you'll love Nessus. Carla Schroder writes about her tool of choice for hardcore security scanning.

No ace sysadmin should be without Nessus, the utility of choice for hardcore security scanning. Nessus uses nmap, the excellent port scanner by Fyodor, for its port scans; on top of that, Nessus itself, primarily authored by Renaud Deraison, adds a nice graphical interface and loads of attack functions.

A nice use for that elderly Pentium sitting around getting in the way is to turn it into a security-monitoring box. There is a wealth of good free network utilities that run on Unix/Linux; give that old PC a useful job to do.

Getting Nessus ready to use is a two-step process: install the server, then configure the client. The client, nessus, is the user interface to the server, nessusd. Nessus is multi-user; users are managed with access control lists. It runs either in X or from the console. Nmap is required, as is the Gtk toolkit if you want to run Nessus in X. OpenSSL is not required, but is recommended, both for encrypting communication between the client and server and for testing SSL services. A good Windows client is available, NessusWX; both the *nix and Windows versions are licensed under the GPL.

Installation is straightforward: download the tarballs and install them in this order:

  • nessus-libraries
  • libnasl
  • nessus-core
  • nessus-plugins

Be sure to verify the MD5 checksums before building: md5sum --check filename. A checksum published next to the tarball catches a corrupt or truncated download, but not a tampered mirror, since whoever can replace the tarball can replace the checksum file too; where the project offers sums or signatures from a second source, compare against those as well. If you want to run Nessus only from the command line, set this up during configuration of nessus-core:

$ ./configure --disable-gtk

I prefer the Gtk version; the graphical interface is a real time-saver. Compiling nessus-libraries with --enable-cipher causes Nessus to generate a private key, used to encrypt communications between the server and client. This is not the same as using OpenSSL; pick one or the other, don't use both. The key can be protected with a password.

After installation and key generation, set up the user database and permissions. If it's just you, this will be easy. Use allow-deny rules to control which network segments each user can scan. Nessus is a powerful, potentially dangerous tool; don't let your minions fool around unfettered on your network.
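To make the allow-deny idea concrete, here is an added illustration (not Nessus's own code, and not its configuration syntax) of how such per-user rules work in practice: an ordered list of accept/deny rules on CIDR blocks, first match wins, with a default verdict that fails closed. Every host in a requested target range is checked before a scan would be allowed, so a user permitted to scan a lab /24 but denied the gateway inside it is stopped from sweeping the whole segment. The rule words accept, deny and default, and the addresses, are assumptions made for this example.

```python
"""Allow/deny rule evaluation for per-user scan targets.

Added illustration, not Nessus's own code: it models the per-user
access-control list the article describes (which network segments a
user may scan) as an ordered list of accept/deny rules with a default
verdict, matched first-rule-wins, and checks every target in a
requested range before a scan is allowed. The rule syntax (accept,
deny, default) is assumed for this example, not taken from a Nessus
configuration file.
"""
import ipaddress


def parse_rules(text):
    """Parse 'accept <cidr>', 'deny <cidr>' and 'default accept|deny' lines.
    Returns (rules, default), where rules is a list of (verdict, network)."""
    rules = []
    default = "deny"            # fail closed if no default line is given
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # strip comments and blanks
        if not line:
            continue
        verb, _, arg = line.partition(" ")
        verb, arg = verb.lower(), arg.strip()
        if verb == "default":
            if arg not in ("accept", "deny"):
                raise ValueError(f"bad default verdict: {arg!r}")
            default = arg
        elif verb in ("accept", "deny"):
            # strict=False lets '192.168.1.5/24' mean the surrounding /24;
            # a bare address becomes a /32.
            rules.append((verb, ipaddress.ip_network(arg, strict=False)))
        else:
            raise ValueError(f"unknown rule: {line!r}")
    return rules, default


def verdict_for(address, rules, default):
    """First matching rule wins; fall back to the default verdict."""
    addr = ipaddress.ip_address(str(address))
    for verb, net in rules:
        if addr in net:
            return verb
    return default


def check_targets(target_spec, rules, default):
    """Expand a CIDR block or single host and return the hosts this user
    is NOT allowed to scan. An empty list means the scan may proceed."""
    net = ipaddress.ip_network(target_spec, strict=False)
    hosts = [net.network_address] if net.num_addresses == 1 else net.hosts()
    return [str(h) for h in hosts if verdict_for(h, rules, default) == "deny"]


# Constructed rules for a user who may scan the lab /24, never the
# gateway inside it, and nothing else on the network.
LAB_RULES = """
deny   192.168.10.1          # the gateway is off limits
accept 192.168.10.0/24       # the rest of the lab segment is fine
default deny
"""

if __name__ == "__main__":
    rules, default = parse_rules(LAB_RULES)
    print(check_targets("192.168.10.0/29", rules, default))   # ['192.168.10.1']
    print(check_targets("192.168.10.50", rules, default))     # []
    print(check_targets("10.0.0.0/30", rules, default))       # ['10.0.0.1', '10.0.0.2']
```

The order of the rules matters: the deny for the gateway has to come before the accept for the segment that contains it, which is exactly the kind of detail to double-check when you hand out scan rights to someone else.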

The configuration file, /usr/local/etc/nessus/nessusd.conf, usually works without editing. Have a look at it to make sure it puts things where you want them. Once everything looks right, start nessusd:

# nessusd -D

Yes, you read that right: run it as root. nessusd needs root to build the raw packets used for port scanning and some of the checks. Because it is not a public service and has access controls of its own, this is probably acceptable, but it does listen on the network for client connections, so make sure that port is reachable only from hosts you trust; the nervous can fiddle with chroot as well. Now set up the client: type nessus at the prompt. Do this on the same machine nessusd is on if you like. It will ask first for the key password, if you set one. Enter it, click 'login', and away you go. The #1 login failure reason: not having a user account on the server. Windows users need to install the client software separately.

Running Scans
The tabbed interface is well thought out and logically organized. Select the tests you want by clicking checkboxes and typing additional options, such as IP addresses and port ranges. Nessus supports CIDR notation (192.168.1.0/24 rather than a separate netmask); if you're still resisting using it, it's high time to learn. Once the scan starts, results display in real time, and everything is logged as well.

Extending Nessus
Nessus performs over 700 security checks. It is aggressive; using it to poke around other people's networks will get you in trouble. Nessus not only probes for banners, it simulates various protocols by fibbing: it speaks to whatever it is testing in that service's own protocol, acting as a Web client, an SMB client, an FTP client, and so on. It finds trojans and backdoors, and tests for CGI weaknesses. Some scans will slow down network traffic, or even crash hosts. There is a 'safe scan' option that only reads banners. This is usually not reliable; after all, what network admin worth her salt permits truthful banners? And a safe scan does not test for vulnerabilities, which is the main purpose of Nessus. So it may take some trial and error to craft a scan that won't create problems.

Nessus is most untrusting: it does not assume that standard services adhere to IANA port numbers, and will recognize services running on non-standard ports. For example, if your Webmaster gets squirrelly and runs http on port 31337, Nessus will know, and report it.
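The two preceding paragraphs describe the same idea from two sides: a scanner that trusts neither the banner nor the port number, and instead talks the protocol to see what answers. The following is an added example in Python, not a Nessus plugin and not NASL, of that approach. It connects, waits briefly for a greeting (SSH, SMTP and FTP servers speak first), and if nothing arrives it speaks first itself with an HTTP request, then classifies the reply by its protocol grammar. The port number plays no part in the decision, so an HTTP server on an odd port is still reported as HTTP. The fake server at the bottom is constructed for the demonstration, listens on whatever free port the OS hands out, and answers with a deliberately misleading Server: header; the port table used by the naive by_port_number() function is an assumption for the comparison, not Nessus's.

```python
"""Recognising a service by what it says, not by the port it lives on.

Added illustration in Python, not a Nessus plugin and not NASL. probe()
opens the port, listens for a greeting, and if the service is silent
sends an HTTP request; classify() then decides from the reply's
grammar alone. by_port_number() shows what a port-table-only approach
would report. The fake HTTP server is constructed for the example.
"""
import re
import socket
import threading

# Assumed lookup for the naive approach; a real table would be far larger.
IANA_GUESS = {21: "ftp", 22: "ssh", 25: "smtp", 80: "http", 443: "https"}


def by_port_number(port):
    """What you get if you trust the port number and nothing else."""
    return IANA_GUESS.get(port, "unknown")


def classify(data):
    """Identify the protocol from the first bytes a service sends back."""
    if data.startswith(b"SSH-"):
        return "ssh"
    if re.match(rb"HTTP/\d\.\d \d{3}", data):
        return "http"
    if re.match(rb"220[ -].*SMTP", data, re.IGNORECASE | re.DOTALL):
        return "smtp"
    if re.match(rb"220[ -].*FTP", data, re.IGNORECASE | re.DOTALL):
        return "ftp"
    if data.startswith(b"220"):
        return "ftp-or-smtp"        # a 220 greeting that names no protocol
    return "unknown"


def probe(host, port, timeout=1.0):
    """Connect, listen for a greeting, else send an HTTP request; classify."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            data = s.recv(1024)
        except socket.timeout:
            data = b""              # silent service: the client must speak first
        if not data:
            s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            try:
                data = s.recv(1024)
            except socket.timeout:
                data = b""
    return classify(data)


def start_fake_http_server():
    """Constructed for the example: a one-shot HTTP server on an arbitrary
    high port whose Server: header is deliberately misleading. Returns the port."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(1024)         # read (and ignore) whatever the client sent
            conn.sendall(b"HTTP/1.0 200 OK\r\nServer: TopSecret/9.9\r\n"
                         b"Content-Length: 0\r\n\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def demo():
    """Return (port-table guess, protocol actually observed) for the fake server."""
    port = start_fake_http_server()
    return by_port_number(port), probe("127.0.0.1", port)


if __name__ == "__main__":
    print(demo())   # ('unknown', 'http')
```

Note the one-second wait before the HTTP request is sent: a probe that speaks first would confuse servers that greet first, and one that never speaks would miss HTTP entirely. Also note what the server's banner says: the classification ignores it, which is the whole point.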

The heart of Nessus is its vast collection of plugins. The Nessus team created a scripting language called NASL, the Nessus Attack Scripting Language. Plugins can be written in any language, but NASL is preferable for these reasons:

  • a NASL script will not send any packet to a host other than the target host
  • it will not execute any commands on your local system
  • it is simple enough to learn quickly, so that anyone can write custom plugins
  • the user never needs to touch the core Nessus code.

Here's a wee sampling of the available plugins:

  • Back Orifice
  • PC Anywhere
  • Deep Throat
  • Code Red
  • VNC
  • WinSatan
  • /cgi-bin/get32.exe
  • Is /scripts/ listable?
  • Tortures the arguments of the remote CGIs
  • various Denial of Service tests
  • attempts to log in using rsh
  • remote root exploits

Reporting is one of Nessus's strongest features. At the conclusion of a scan, a summary is displayed, with problems highlighted. Reports can be displayed in five different formats, from plain old boring ASCII to jazzy colored pie charts.

Vulnerability auditing needs to be done on a regular basis. It carries some risks, such as slowing network operations down, or even causing hosts to crash. Don't forget to look for threats from within as well as without. The most time-consuming part is reviewing the logs; Nessus can fill up dozens of pages without even trying hard. It does a good job of finding and reporting trouble spots on its own; still, there's no substitute for human eyeballs on the raw data. The current version of Nessus implements 'diff scans': only the differences between a new scan and an old one are displayed. Differential scans are still considered experimental.
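What a differential report has to get right is less obvious than it sounds, so here is an added example (not Nessus's own diff-scan code) of the logic. Both reports are constructed in a simple pipe-delimited format assumed for the illustration (host | port/proto | check name | severity | summary), not Nessus's report format; the check names are ones this article lists, while the hosts, severities and results are made up. A finding is keyed on host, port and check, so it is 'new' when it appears and 'fixed' when it disappears, and a re-rated finding is reported as a severity change. The trap the example handles: a host that vanishes from the new scan entirely is reported as absent rather than as a row of fixes, because a host that was down or filtered during the scan has not been repaired.

```python
"""Differential scan reporting: show only what changed between two scans.

Added example, not Nessus's own diff-scan code. Reports are parsed from
a constructed pipe-delimited format (host | port | check | severity |
summary) assumed for this illustration; the check names come from the
article, the hosts and results are made up.
"""


def parse_report(text):
    """Return {(host, port, check): (severity, summary)} for one report."""
    findings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, port, check, severity, summary = (f.strip() for f in line.split("|", 4))
        findings[(host, port, check)] = (severity, summary)
    return findings


def diff_reports(old, new):
    """Compare two parsed reports; every list is sorted for stable output."""
    old_hosts = {host for host, _, _ in old}
    new_hosts = {host for host, _, _ in new}
    absent = old_hosts - new_hosts          # scanned last time, silent now
    return {
        "hosts_absent": sorted(absent),
        "new": sorted(new.keys() - old.keys()),
        # Findings that disappeared, excluding hosts that were not seen at all:
        # an unreachable host is not a fixed host.
        "fixed": sorted(k for k in old.keys() - new.keys() if k[0] not in absent),
        "severity_changed": sorted(k for k in old.keys() & new.keys()
                                   if old[k][0] != new[k][0]),
    }


def render(diff, old, new):
    """Produce the lines an admin would actually want to read."""
    lines = []
    for host in diff["hosts_absent"]:
        lines.append(f"ABSENT  {host}: not in new scan (down or filtered?); "
                     f"its old findings are NOT marked fixed")
    for key in diff["new"]:
        sev, summary = new[key]
        lines.append(f"NEW     {key[0]} {key[1]} [{sev}] {key[2]}: {summary}")
    for key in diff["fixed"]:
        sev, summary = old[key]
        lines.append(f"FIXED   {key[0]} {key[1]} [{sev}] {key[2]}: {summary}")
    for key in diff["severity_changed"]:
        lines.append(f"RERATED {key[0]} {key[1]} {key[2]}: {old[key][0]} -> {new[key][0]}")
    return "\n".join(lines) if lines else "no changes since last scan"


# Constructed sample reports. Severity words (note/warning/hole) are assumed.
LAST_WEEK = """
# host         | port      | check                        | severity | summary
192.168.10.5   | 80/tcp    | Is /scripts/ listable?       | hole     | /scripts/ directory listing is enabled
192.168.10.5   | 5900/tcp  | VNC                          | warning  | VNC server answers on this port
192.168.10.9   | 514/tcp   | attempts to log in using rsh | warning  | rsh login attempt was accepted
192.168.10.20  | 5631/tcp  | PC Anywhere                  | note     | pcAnywhere service detected
"""

THIS_WEEK = """
192.168.10.5   | 5900/tcp  | VNC                          | warning  | VNC server answers on this port
192.168.10.9   | 514/tcp   | attempts to log in using rsh | hole     | rsh login attempt was accepted
192.168.10.9   | 31337/tcp | Back Orifice                 | hole     | Back Orifice backdoor answered
"""


def demo():
    """Diff the two constructed reports and return the structured result."""
    old, new = parse_report(LAST_WEEK), parse_report(THIS_WEEK)
    return diff_reports(old, new)


if __name__ == "__main__":
    old, new = parse_report(LAST_WEEK), parse_report(THIS_WEEK)
    print(render(diff_reports(old, new), old, new))
```

The output for the constructed data is one ABSENT line for 192.168.10.20, one NEW line for the Back Orifice hit, one FIXED line for the /scripts/ listing, and one RERATED line for rsh. Everything that merely stayed the same, which is most of a real report, is left out, and that is the time saving a diff scan is after; just remember that "unchanged" still means "still broken" for every hole you have not fixed.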

Another useful, and still experimental, feature is detached scans. These run in the background, with no real-time display. Scans can be timed to run continuously, over and over, or periodically at set intervals. Reports are emailed to the admin only when there is trouble. A cron job automatically keeps Nessus patched and up to date. This is a rather unrealistically optimistic scenario at the moment, but Nessus development and maintenance is active, so it could be a dependable reality in the near future.

Nessus mail list


This article was originally published on Monday Nov 11th 2002