There are a great many commercial network security scanners on the market. McAfee FoundStone, HfNetCheck, Retina, and probably scads of others. The problem with this is the word “commercial”. Commercial means “takes money”. Well, scanning with Nessus would be a good way to save money, right?
Let me take you though my journey trying to get Nessus setup and configured for automated scanning and then you can decide. Remember, I’m not an Open Source kinda guy, in general. I don’t have anything against it–I just usually don’t have the time for it. I need solutions that I can implement fast and that can provide value immediately. Which does not describe open source for the most part. (Let me take a moment and address the open source community: Sorry guys–that is my opinion, and flaming will only entrench those feelings further. I’d love to use more free software in the enterprise–honestly! But it all comes down to time and real costs.)
At the end of the day, after some serious challenges, what I ended up with was pretty slick. And more importantly, I believe it will end a major source of on-going pain.
Anyway, let’s get crack-a-lackin’.
Nessus is a true client/server application. The server is always Linux. The client can be linux, windows, or web (on linux). I want to plug Tenable Security for a second. The guys there are great–and have a FANTASTIC client called Lightning (soon to be renamed). However, they have to eat too, so you pay for the goodnessI went with Fedora Core. Some of the best documentation and support can be found with that distro. Debian has ALOT of documentation as well, but well, it’s all about choice, right :)?
Great thing is that redhat has fixed the download mirror issues. You can actually download all five (5) disks of Fedora Core 5 in pretty short order. So much better than the way it used to be, when you had to search for an open ftp mirror. You’d usually end up on some martian server somewhere that was soooooo very slow… So, get them all, and get them installed. I have a little P4 machine on my test network that seems to run it just fine.
Now, here is an issue. Please help me if you happen to have this info–because I can’t find it. I’ve called around inside Tenable Security and they don’t seem to know specifics either. What is the minimal linux load needed to run Nessus? Obviously, if you are going to put this in a DMZ and run scans into other networks you need a pretty tight box. First rule of securing a server is remove all unnecessary software–minimize the footprint. They can’t exploit a software that isn’t installed. Too bad there’s not a document to answer that question.
Get an OS, and get the Nessus downloads. You’ll need the server install (an RPM in this case). I went with the NessuWX client for Windows. It hasn’t been updated since 2003, unfortunately, but the author has posted the source code–which is a good thing since we’ll probably have to modify it.
You’ll also need to get Nikto (web server vulnerability checker) at the very least. Nessus uses it if it’s there in the path. You can also get THC Hydra (password cracker). However, this did not want to install for me and I didn’t fight it too much since it wasn’t really needed for my purposes.
Obviously, a Windows XP/2003 box is required on which to run the NessusWX client. I also installed mySQL on this box. I grabbed the mySQL essentials, the Administrator client, and the Query Browser.
I think that’s about it–except for a good network switch between the two machines. More on that one later.
Here’s what I got from Tenable. I asked:
Looking for documentation on the minimum modules required for a Nessus scanner setupâ€”this is for a DMZ. We will be controlling these machines with a console, probably Lightning from behind a firewall. So, for instance, do I have to load X? Do I need GTK+? Compilers? What can I strip out? This might be a documentation opportunity for you to sit down with Fedora 5 and just give some bullet points. I know that you need Nmap, Hydra, and Niktoâ€”is there anything else?
And here is the answer:
No need to GTK nor X. nmap, hydra nor nikto are not required either (don’t scale on an enteprise deployment). You simply need a default Red Hat install; with openssl and libdb installed (they are, by default).
But I didn’t get that until after I was already finished with my testing setup. So, I installed pretty fat…erm…phat. Do-wah diddy dum. And I already had nikto installed, but not hydra. So, it’s already a basket case–how depressing. On the upside, however, ignorance is bliss–none of this had any bearing on my tests 🙂
With Fedora 5, you have to select “Customize Now” to gain the ability to mix-n-match your install. So, I installed all of the compilers, x, gnome, and every administrative tool that seemed germain. I sought for and finally found snmp services and turned them on. I removed all the server services. Rinse. Repeat. Sometime about 4 hours later and 5 CDs swapped, I had an OS. Even better, I had an OS that booted to a command prompt rather than a goofy GUI login. Had a few great moments of flashbacks to Slackware. It almost makes me want to learn more about linux–but I can type “startx” with the best of them.
It was around this point that I began beating on the sides of the monitor. My soul, this GUI is slow. It’s pretty, and relatively functional. And yes, I checked all the hdparm stuff and whatever else I could to try to tw33kxor it. I did stop short of recompiling the kernel–this is just a test setup after all. (I could recompile Slack’s kernel in my sleep once upon a time…but I’ve never used the Redhat tools.)
After the frustration of fighting with Hydra for a brief time, the installs of nikto and nessus went relatively painlessly. I think I had to track down one dependency to install nikto, but the nessus rpm for FC5 installed perfectly. If ALL linux packages would install as easily as nessus did–there would be more desktops running linux.
I’m serious here.
Don’t forget to follow the documents though. You absolutly have to use the nessus user creation utility (even though the commandline says “type nessusd…”). It’s already documented there, so I’m not going to walk you through it. Naturally, I did not read the docs, wasted time troubleshooting client connections, realized my mistake, then had to kill nessusd, run the user util, and restart nessusd. I’m certain that you won’t do something stupid like that 🙂
Might as well adjust the Fedora firewall settings before we go any further. Click on System | Administration | Security Level and Firewall
Drill down on Other ports and click the Add button. You can see below that I already had the ports configured in my screen shot. A fresh install won’t have anything under Other ports.
Add a rule for port 1241. I added both UDP and TCP at first just to get it working. Turns out only TCP is needed.
At this point nessusd should be running and your firewall configured. Your linux box is ready to go. Time to talk about the client piece.
Download and install the NessusWX client…or unzip it to a directory, anyway. It doesn’t install, or even register any DLLs. I love that in a program.Side Note: Why can’t HP figure that out? Have you tried to use any of their home products? Hello, HP?!?! What makes you think I want to install hundreds of megabytes of horribly written software (for hours) and have all these goofy monitoring programs just to use a stupid printer? Do you guys even DO product testing?
Moving right along–if you’re going to store stuff in MySQL, you can go ahead and install that too. This is optional–there’s no need if you just want to do some scans and view the results. Also, I won’t bother walking you through MySQL–but there is one somewhat tricky aspect that I will mention. I had never really used MySQL before, so this info would have helped me.
You need the MySQL Essentials package, the Administrator package, and the Query Browser (if you want to verify that all of this is working). Load up MySQL Administrator, goto Tools | MySQL Command Line Client.
Create a database called nessus. Don’t forget to end the command with a semi-colon.
You can use the command show databases to see it.
Now you need to create the tables inside the database. Open the text file inside the NessusWX folder called “create_tables”. It’s a SQL file, so you could probably just import it. I like to see what’s going on, so I just copied and pasted both lines in the CLI window. Here are the two commands, in case you can’t find them:
- create table sessions (id integer,name varchar(255),owner varchar(255),time_start datetime,time_finish datetime,time_elapsed integer);
- create table results (session_id integer,host varchar(128),service varchar(48),plugin_id integer,type integer,is_false bool,description blob,risk_factor varchar(32),cve_id varchar(32),solution blob);
Lastly, you need to create a new MySQL user and give it rights to the nessus database. Select User Adminstration and click the New User button. Input the info for a user–I called mine “nessus”. Surprise.
Click on the Schema Priveleges tab. Select the nessus database, and then click the double arrow to assign them all. Sure you could lock this down…but it will be behind the firewall…and, man, you’re paranoid!
Next stop, configure a scan and run that baby. Go ahead! Do it!
Pretty plain jane, isn’t it? Well, don’t blame Victor. YOU didn’t pay anything for it, did you?!?! 🙂
Before I forget, go to File | Settings and click on the MySQL tab. Put your DB information in, that’s a good lad.
Now to work. Click on Communications | Connect which should launch a Connect dialog box. Put in the info. Save the password at your own discretion.
If you get the downloading plugins message, you probably did it all right up to this point. 🙂
Once it’s connected, it will tell you so in the area that I like to call the “Status Section”.
Now create a session. This is the scan job itself. Go to Session | New and the program will prompt you for a session name. Then we are presented with the Session Properties. In the first tab, Targets. click the Add button. You can add as many targets as you like, or do an entire subnet, or specify a range of addresses. I don’t know if there is a limit to the number of target items in the list, but I doubt you’d run into it if there was one.
Under Session Properties…well…I don’t really know what I’m doing here. I just check ’em all. 🙂 No, seriously, they all sound pretty good.
Ah, Port scans…I enabled them all in the bottom pane. What you want to do in the top pane is up to you–the full range that I plugged into the figure below may take a while, depending on how many hosts you’re scanning.
Of note, you don’t have to use the connection tab UNLESS you want to run NessusWX in batch mode. If you are running in batch mode from the command line, you have to have this connection info saved. It looks just like the connection dialog from before.
On the Plugins tab, check the plugin set box and then click Select Plugins. You can then pick and choose, or just click the Enable Non-DoS button. It will then ask you if you wish to enable all port scanners as well–you can click yes unless you have some specific requirement. Click close. Now click Apply. And you’re ready to go. To the next page.
Well, you’ll eventually get down to this. Execute the session you created. It will take a while depending on your settings. If you want something to do during this time, you could log in to the linux console and run “top” and watch nessusd bounce all over the utilization table. Or you could go wax your car–up to you. The status window is pretty self-explanitory.
By the way, if you don’t want the Execution Options to pop up each time you run a scan, go back into the properties of the session and on the Options Tab, click on “Don’t show execution options at session execution”.
When it’s done, you’ll be taken to the “Manage Results” dialog. You can also get here anytime by selecting a session with a single mouse-click and hitting F3 (or Session | Manage Reults). Don’t forget to select a session, though, or it won’t do anything and won’t tell you why it isn’t doing anything. From Manage Results you can select a session ID and View, or save it out to HTML with the Report button, or Export to MySQL should you choose to do so.
And that’s about it. I can’t tell you what to do with the results beyond research.
However, if you want to schedule this, you can make a batch file to do so. One thing about this though, it seems like the connection is much more touchy with the batch file than while inside the GUI.
Case-in-point: I had an old 10MB HP switch connecting these two test machines. They could connect and scan and do whatever I wanted within the GUI interface. No problems apparent. However, I could not make the batch mode work–the log said that it was authenticating fine, but “connection initialization timed out”. Very frustrating.
I was actually to the point of chucking the whole thing and I logged out of fedora completely. But I thought I’d try it one more time…the fedora console started going nuts, barfing up bad packets. I have no idea why it would log that to the console when no one was logged on, but I’m glad it did. Classic media-type missmatch (autonegotiation failure). I popped my little 100MB traveling switch in there, and suddenly batch mode worked. I’m assuming that Fedora has the NIC locked into 100MB Full Duplex or something…this old HP is only able to do 10MB Half.
Anyway, that’s the story, Morning Glory. I have a co-worker hacking on the source code of NessusWX so that it automatically exports to MySQL. This is a huge hole in the functionality of the client–you can schedule scans with batchmode scripting, but the information just sits there until you click the export button. If we can get this changed (at least in batch mode), I’ll post the binaries. Don’t hold your breath 🙂
Anyway, good luck. Remember–I am not a linux or nessus expert, so you probably won’t get earth-shattering answers to questions on either.
I’d give the process 3 out of 5 tree chickens.