Aug 02

How do the professionals (and a large number of hackers) scan networks for vulnerabilities about which to warn their clients, or to quietly exploit? After all, there are thousands of potentially exploitable problems out there. One solution is to use a dedicated vulnerability scanner to make a thorough assessment of the target network.

There are plenty of professional-quality scanners on offer today, but most of them are commercial in nature and cost a fortune. However, Nessus from Tenable Network Security offers a home edition, which is free for private use. This alternative to its $1,200 annual commercial licence is a great way to scan your home network, or the virtual private subnet we made in VirtualBox over the past two issues (issues 309 and 310).

Network Hacking

To use Nessus, you must first register for a free activation code.

Introducing Nessus

Nessus (www.tenable.com) is used by professionals the world over to assess the security of networks. It has a client/server architecture with a web app front end, through which you communicate with the server to run scans and collect the results.

Before we begin, it’s important to note that Nessus is technically not free software. It is, however, free for home users to download and explore their own networks. If you plan to use it in a corporate environment, you must pay for the appropriate $1,200 annual subscription, but home users can sign up for the free HomeFeed service.

While this is slightly limited in that you can’t add plugins to perform specific jobs, it will let you scan like a professional and see how comprehensively your network can be probed.

On the Tenable Network Security website, click ‘Products’ and scroll down to the ‘Download’ button under the ‘Nessus’ link. Agree to the licence terms and select either the Windows 32-bit or 64-bit installation file from the list, depending on your OS.

Once downloaded, double-click the file to begin installation. Accept the licence agreement and click ‘Next’. Accept the default directory and go for a complete installation. Finally, click ‘Install’.

To run Nessus, first start the Nessus Server Manager. When the user interface pops up, click the large button marked ‘Obtain an activation code’. Your default web browser opens and you’re taken back to the Tenable website. Click the ‘HomeFeed’ button, agree to the licence agreement, enter a name, address and email address and click ‘Register’.

You’ll be sent a long activation code. When this arrives, copy and paste it into the Server Manager window’s input box and click ‘Register’. The server manager then downloads the current set of plugins for the server. This may take a few minutes to complete, depending on the speed of your broadband connection and how busy it is.

Once complete, the server manager window enables the rest of its buttons and allows you to control the background server process. By default, the manager starts the Nessus server when the computer is booted up, but this may not be convenient if you only plan to use it occasionally. You can prevent the server running automatically by deselecting the tick box to start it at boot time.

We need to define a user before we can run Nessus proper, so click the ‘Manage users’ button. A subwindow appears. Click the ‘+’ button to add a new one and enter a name and password. Click the ‘Administrator’ box to give yourself full control over the server.

Each scanning policy contains lots of options, separated into four tabs.

A tour of Nessus

The Nessus program group is called Tenable Network Security on the Start menu. Click on the Nessus client and your default web browser opens and connects to the server’s web interface over HTTPS on port 8834. You’ll probably see a warning about an untrusted connection: the server uses a self-signed certificate that it generated at install time, so the browser has no way to verify it. On your own machine this is expected and safe to accept. If you ever point a browser at a Nessus server elsewhere on the network, compare the certificate fingerprint with the one on the server before accepting it, because a certificate warning in that situation is exactly what a man-in-the-middle would look like.

In Firefox, click ‘I understand the risks’, then click ‘Add exception’. Click the ‘Confirm security exception’ button in the subwindow and the browser will complete the connection to the server. In Internet Explorer, click ‘Continue to this web site’ to overcome the certificate problem.

Log in using the account details you set up above and dismiss the warning about not using the HomeFeed version of Nessus on a corporate network. At the top of the screen are four categories: reports, scans, policies and users. To scan for vulnerabilities, start by creating a policy. This defines what to scan and how to scan it, including the types of services to scan for, and the checks to be made against them. Once completed, you create a scan and assign it a policy. After running the scan, you can see the results in the report.

Click the ‘Policies’ tab and you’ll see that there are some predefined policies. The one we’re interested in is ‘Internal Network Scan’. Double-click this to see the details.

Nessus contains a local self-signed security certificate that your browser should complain about when first run. It’s safe to dismiss the warning.

Credentials

There are four tabs down the left-hand side of the resulting page. The ‘General’ tab gives an overview of the scan to be performed. Click the ‘Credentials’ tab and enter any usernames and passwords you may have been able to gather using a network sniffer like Wireshark. Part of the art of the network security professional is to guess usernames and passwords that might apply, and this is where they’ll be entered.

SMB accounts and passwords are those you use to log into Windows computers. Windows XP’s setup program only asks you for account names, and creates them with a blank password unless you choose to set one, which makes the job a lot easier for tools like Nessus, and for anyone attacking the machine.

To scan the virtual internal network we showed you how to set up over the last two issues, click the Credential Type menu and select ‘Cleartext protocols settings’. Enter the username and password you use to log into the virtual guest computers you created and ensure that the three tick boxes are selected. This lets Nessus try to log into insecure services such as Telnet if they’re available. Bear in mind that Nessus sends these credentials across the network in the clear when it does so, which is fine on a private lab network but not something to do with real passwords on a network you don’t control.

The ‘Plugins’ tab gives details of the comprehensive set of tests that Nessus will carry out on your network. Click one of the entries in the ‘Families’ list and the list of plugins the family contains appears in the right-hand list. Some families have hundreds of plugins, each implementing one specific check, and every enabled plugin is run in turn against all of the targets you specify. Click one of these plugins and a description appears in the lower pane. Finally, the ‘Preferences’ tab allows expert configuration of some plugins.

Enter the IP addresses of the computers to be scanned in the box, then use the Private Subnet Scan policy to scan your virtual network.

Scanning the network

Let’s move on by scanning a subnet. We’ll use the virtual private subnet we created in VirtualBox over the past two issues as an example. Remember that to reach the network via the virtual Ubuntu guest we configured as a router, you need to add a route to the physical machine upon which the virtual network runs. Run the command line as administrator by right clicking it and selecting ‘Run as Administrator’ from the context menu that appears.

Enter the following command: ROUTE ADD 192.168.1.0 MASK 255.255.255.0 192.168.0.100. This tells Windows to send traffic for the 192.168.1.0/24 virtual subnet via 192.168.0.100, the address the Ubuntu router guest has on the network your physical machine can reach. The route is forgotten at the next reboot; use ROUTE -p ADD with the same arguments if you want it to persist. Boot up the router and the other guests that populate the private network and try pinging them from the command line you just opened (for example, ping 192.168.1.2). You should be able to reach them all. If you can’t, check the route with ROUTE PRINT and make sure the router guest is still forwarding packets.

Now, back in the Nessus client, click the ‘Scans’ button, then the ‘Add’ button to create a new scan. Enter a name for the scan and select ‘Internal network scan policy’ from the Policy pulldown menu. Enter a list of IP addresses of the computers to be scanned, one per line, and click the ‘Launch scan’ button at the bottom right of the page. The screen now changes to display a list of scans in progress; there will be just one. The page is updated every few seconds to reflect progress. With over 40,000 tests to perform on every target computer, the scan will take a while to complete.

When finished, the scan will disappear from the list. Click the ‘Reports’ tab and double-click the scan. The page changes to show the host, the total number of vulnerabilities, the number of high, medium and low priority problems and ports open. You can click on the column headings to sort by a particular column.

Click on a host to see the details of the scan that has been made against it. This time the page displayed contains details of the services found on its open ports, as well as more general information about encountered risks. Click on a category (preferably a high risk) to see more detail. Click the ‘Severity’ heading to see the high level risks.
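The report pages described above are built from the same data Nessus writes to its .nessus (v2) export file. As an added example, not code from the article or from Tenable, here is a Python script that reads such an export and reproduces the Reports summary: one row per host with the total, high, medium and low counts and the number of open ports, sorted by the High column, plus each host’s finding list ordered by severity. The embedded XML is constructed for illustration; its host names, plugin IDs and plugin names are placeholders, but the element and attribute names (NessusClientData_v2, ReportHost, HostProperties, ReportItem, severity, pluginID, svc_name) are the ones used in the real format. How informational (severity 0) items are counted towards the total is this script’s own convention.

```python
"""Summarise a Nessus v2 export (.nessus) the way the Reports tab does.

Added example, not code from the article or from Nessus itself. The XML
below is constructed: host names, plugin IDs and plugin names are
placeholders, but the element and attribute names are those Nessus
writes in its .nessus v2 format.
"""
import xml.etree.ElementTree as ET
from collections import Counter

SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
<Report name="Private subnet scan">
  <ReportHost name="192.168.1.2">
    <HostProperties>
      <tag name="operating-system">Linux Kernel 2.6 on Ubuntu 10.10</tag>
    </HostProperties>
    <ReportItem port="0" svc_name="general" protocol="tcp" severity="3"
      pluginID="900001" pluginName="Missing security updates (placeholder)" pluginFamily="General"/>
    <ReportItem port="23" svc_name="telnet" protocol="tcp" severity="2"
      pluginID="900002" pluginName="Unencrypted telnet server (placeholder)" pluginFamily="Misc."/>
    <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0"
      pluginID="900003" pluginName="Service detection (placeholder)" pluginFamily="Service detection"/>
  </ReportHost>
  <ReportHost name="192.168.1.3">
    <HostProperties>
      <tag name="operating-system">Microsoft Windows XP</tag>
    </HostProperties>
    <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3"
      pluginID="900004" pluginName="Server service buffer overflow (placeholder)" pluginFamily="Windows"/>
    <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="1"
      pluginID="900005" pluginName="SMB signing not required (placeholder)" pluginFamily="Windows"/>
    <ReportItem port="5000" svc_name="www" protocol="tcp" severity="0"
      pluginID="900006" pluginName="HTTP server type (placeholder)" pluginFamily="Web Servers"/>
  </ReportHost>
</Report>
</NessusClientData_v2>
"""


def parse_report(xml_text):
    """Return {host: {"os", "open_ports", "by_severity", "findings"}}.

    Port 0 is Nessus's convention for host-level findings, so it is not
    counted as an open port.
    """
    hosts = {}
    for rh in ET.fromstring(xml_text).iter("ReportHost"):
        props = {t.get("name"): (t.text or "") for t in rh.iter("tag")}
        entry = {"os": props.get("operating-system", "unknown"),
                 "open_ports": set(), "by_severity": Counter(), "findings": []}
        for item in rh.iter("ReportItem"):
            sev = int(item.get("severity", "0"))
            port = int(item.get("port", "0"))
            proto = item.get("protocol", "tcp")
            if port:
                entry["open_ports"].add(f"{port}/{proto}")
            entry["by_severity"][sev] += 1
            entry["findings"].append(
                (sev, port, proto, item.get("svc_name", ""), item.get("pluginName", "")))
        # worst first, then by port: what clicking the 'Severity' heading gives you
        entry["findings"].sort(key=lambda f: (-f[0], f[1]))
        hosts[rh.get("name")] = entry
    return hosts


def summary_rows(hosts):
    """One row per host: (host, total, high, medium, low, open ports).

    'total' counts findings of severity Low or above (informational items
    are left out, this script's convention). Critical (4, in later Nessus
    versions) is folded into High. Rows are ordered by the High column,
    then by total, as if you had clicked those column headings.
    """
    rows = []
    for name, h in hosts.items():
        c = h["by_severity"]
        total = sum(n for s, n in c.items() if s >= 1)
        rows.append((name, total, c[3] + c[4], c[2], c[1], len(h["open_ports"])))
    rows.sort(key=lambda r: (-r[2], -r[1], r[0]))
    return rows


def host_detail(hosts, name):
    """Lines for one host's page: severity, port, service and plugin name, worst first."""
    return [f"{SEVERITY_NAMES.get(sev, sev):<8}{port}/{proto:<4}{svc:<10}{plugin}"
            for sev, port, proto, svc, plugin in hosts[name]["findings"]]


if __name__ == "__main__":
    report = parse_report(SAMPLE_NESSUS)
    print(f"{'Host':<14}{'Total':>6}{'High':>6}{'Medium':>8}{'Low':>5}{'Ports':>7}")
    for row in summary_rows(report):
        print(f"{row[0]:<14}{row[1]:>6}{row[2]:>6}{row[3]:>8}{row[4]:>5}{row[5]:>7}")
    for host in report:
        print(f"\n{host} ({report[host]['os']})")
        for line in host_detail(report, host):
            print("  " + line)
```

Point parse_report at the contents of a real export (Reports tab, then ‘Download’ in the Nessus client) and the same two functions give you the summary table and per-host lists outside the web interface, which is handy for comparing scans before and after patching a guest.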

The results of a Nessus scan against a target are comprehensive.

High priority risks

A default installation of a Linux distro like Ubuntu without any security patches will contain a lot of high priority risks, and shows the need to install patches. Using Ubuntu 10.10, Nessus found 70 problems, 32 of which are classified as high risk.

Among the high priority risks are several that Nessus infers rather than demonstrates: it notices, from version numbers in service banners or from the package list it obtains after logging in with the credentials you supplied, that security updates have not been applied, and reports the vulnerabilities those updates would fix. A hacker gets the same information and can use it to infer a huge amount about what’s running on the machine, the vulnerabilities that can be exploited and what level of access they will offer. One caveat for your own scans: where a distribution backports a fix without changing the version string, a banner-only check may flag a hole that has already been closed, so a credentialed scan that looks at the installed package versions is the more reliable of the two. The finding also gives an insight into the site network administrator’s attitude to security. Will they be likely to spot a hacker intruding if they haven’t bothered applying basic security patches? Unlikely.

If you have a telnet server running on one of the guest operating systems, you’ll see that this is flagged up as a vulnerability because it uses a clear text protocol that sends usernames and passwords without encrypting them. As we saw last month, these credentials can be captured using a network sniffer like WireShark.
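To show what ‘clear text’ means on the wire, here is an added Python example, not code from the article, that does by hand what Wireshark’s ‘Follow TCP stream’ does for a telnet login: it strips the telnet option negotiation (the IAC sequences of RFC 854) from each direction of the connection and picks out the bytes the client typed after the server’s login and password prompts. The session bytes are constructed to resemble a character-at-a-time telnet login to an Ubuntu guest; the username and password in it are made up, as is the host name.

```python
"""Recover a telnet login from a captured TCP stream.

Added example, not from the article. SESSION is a constructed
reconstruction of the two directions of a telnet login as a sniffer on
the same network segment would see them; the credentials are made up.
Telnet option negotiation (RFC 854 IAC sequences) is stripped so only
what the user and the server actually exchanged remains.
"""
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
ECHO, SGA, TTYPE = 1, 3, 24   # option codes used in the sample session


def strip_telnet_options(data):
    """Remove IAC negotiation; return only the user-visible bytes."""
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
        elif i + 1 >= len(data):
            break                                    # truncated command at end of segment
        elif data[i + 1] == IAC:
            out.append(IAC)                          # escaped 0xFF data byte
            i += 2
        elif data[i + 1] in (DO, DONT, WILL, WONT):
            i += 3                                   # IAC <cmd> <option>
        elif data[i + 1] == SB:
            end = data.find(bytes([IAC, SE]), i + 2)  # IAC SB ... IAC SE
            i = len(data) if end < 0 else end + 2
        else:
            i += 2                                   # NOP, GA and other two-byte commands
    return bytes(out)


def extract_credentials(segments):
    """segments: [(direction, bytes)] in capture order, direction 'c2s' or 's2c'.

    Returns {'username': ..., 'password': ...} holding whatever the client
    typed after the server's login:/Password: prompts. A prompt is the
    trailing text of a server segment, so 'Last login:' lines do not count.
    Works for character-at-a-time sessions (one byte per segment, echoed
    by the server) as well as line-mode ones.
    """
    creds, field, typed = {}, None, bytearray()
    for direction, raw in segments:
        text = strip_telnet_options(raw)
        if direction == "s2c":
            prompt = text.lower().rstrip(b" ")
            if prompt.endswith(b"password:"):
                field, typed = "password", bytearray()
            elif prompt.endswith(b"login:") or prompt.endswith(b"username:"):
                field, typed = "username", bytearray()
            continue
        if field is None:
            continue                                 # client bytes not answering a prompt
        for b in text:
            if b in (0x0D, 0x0A):                    # CR or LF ends the answer
                if typed:
                    creds[field] = typed.decode("ascii", "replace")
                    field = None
                break
            if b != 0x00:                            # skip the NUL of a CR NUL line ending
                typed.append(b)
    return creds


SESSION = [  # constructed: telnet login to guest 'vm2' as user 'alice'
    ("s2c", bytes([IAC, DO, TTYPE, IAC, WILL, ECHO, IAC, WILL, SGA])
            + b"Ubuntu 10.10\r\nvm2 login: "),
    ("c2s", bytes([IAC, WONT, TTYPE, IAC, DO, ECHO, IAC, DO, SGA])),
    ("c2s", b"a"), ("s2c", b"a"),                    # server echoes each typed character
    ("c2s", b"l"), ("s2c", b"l"),
    ("c2s", b"i"), ("s2c", b"i"),
    ("c2s", b"c"), ("s2c", b"c"),
    ("c2s", b"e"), ("s2c", b"e"),
    ("c2s", b"\r\x00"), ("s2c", b"\r\nPassword: "),
    ("c2s", b"Pa55word!\r\x00"),                     # the password is not echoed
    ("s2c", b"\r\nLast login: Tue Aug  2 10:14:22 from 192.168.1.5\r\nalice@vm2:~$ "),
]

if __name__ == "__main__":
    print(extract_credentials(SESSION))  # {'username': 'alice', 'password': 'Pa55word!'}
```

That is the whole of the ‘vulnerability’ Nessus is flagging on port 23: nothing was exploited, the protocol simply hands the credentials to anyone who can see the packets. Replacing the telnet server on the guest with SSH clears the finding.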

A default installation of Windows XP may show only 14 high-risk vulnerabilities, but they are serious. One is the ability to inject and execute code using a buffer overflow attack against the faulty ‘Server’ service, and services on other ports can be exploited in the same way. This shows how important it is to accept and install service packs and other updates. What’s perhaps equally worrying is that port 5000 is open and appears to be running a web server. Has the process that creates the XP installation disks been compromised at the factory? No. That port belongs to XP’s Universal Plug and Play device host, which really does speak HTTP on TCP port 5000; the ‘Free Internet Chess Server’ label is simply another name registered against port 5000 in the scanner’s service-name table, not a chess game hidden in XP. If you don’t need UPnP, disabling the ‘SSDP Discovery Service’ and ‘Universal Plug and Play Device Host’ services closes the port.

This feature is taken from PC Plus Issue 311.