Using Nessus and Nmap to Audit Large Networks
Transcript of Using Nessus and Nmap to Audit Large Networks
Using Nessus and Nmap to Audit Large Networks
By Greg Johnson
Principal Security Analyst, University of Missouri – Columbia
Missouri Network Security Symposium, December 18, 2001
Updated December 19, 2001
Using Nessus and Nmap to Audit Large Networks
This presentation, with any additional notes and corrections, is at:
www.missouri.edu/~johnsong/audit
Using Nessus and Nmap to Audit Large Networks
Management Goal: Justify regular use of NMAP, NESSUS, and similar external, network-based security auditing tools in your organization.
Technology Goal: Show strategies to effectively use these tools in light of six audit-impeding challenges such as personal firewalls.
Why Audit?
• Find problems that need fixing.
• Significant security vulnerabilities persist even after best practices.
• Pilots, Santa Claus, & quality assurance. “Trust, but verify.”
Why Audit?
• Clustering 1, or, Bugs Have Families: An audit won’t find all vulnerabilities. But fixing the ones the audit does find tends also to fix many that the audit did not identify.
• Clustering 2: Work groups that have good security (few problems) are doing something right. Imitate them.
Why Audit?
• Be a prophet: “I know 600 machines that will have security incidents.”
• Such measurements support:
– Requests for security budget $$
– Requests for security training for your enterprise.
– Requests for mitigating measures such as better firewalls, filters—or disaster recovery!
Why Audit?
• By-products of frequent, large-scale security auditing:
– Inventory of systems and services. “How many ‘servers’ do we have?”
– Ability to respond quickly to application-specific exploitations such as Code Red.
– Identification of unauthorized systems & services (intruders, unacceptable use).
Network-based vs Internal Auditing:
Single System
Internal “white box” tests tend to be much faster and more thorough than external “black box” tests.
However…
Network-based vs Internal Auditing:
Single System
1. If system is already compromised, internal indicators may lie!
2. Both internal and external tests may miss problems or yield false alarms. A second opinion can help, especially if from a very different perspective.
Network-based vs Internal Auditing:
Single System
3. Internally installed security tools are subject to attacks, as in the recent Goner virus, which disabled anti-virus and personal firewall software.
Network-based vs Internal Auditing:
Single System
4. Very old, very new, or uncommon systems may lack internal tests.
5. Internal testing is impossible for networked printers, networked cameras, routers, etc. Devices with telnet/web/smtp or other network control interface can be remotely reconfigured with a duplicate IP. Do your network printers all have passwords?
Network-based vs Internal Auditing:
Enterprise
1. Unified analysis can simplify auditor effort across:
– multiple operating systems (Windows 98/ME/NT/2K/XP, Unix, Linux, Mac OS, printer OS, … and their many releases) and
– variant applications (IIS vs Apache vs Netscape Commerce Server vs… and their many releases).
Network-based vs Internal Auditing:
Enterprise
2. Security experts and other techs may not have adequate access to each system, thus making internal tests of each system impractical.
3. Network-based audits exercise your firewall, filters, and intrusion detection systems.
Network-based vs Internal Auditing:
Perspective
As Robert Burns wrote:
Wad a gift the giftie gie us,
To see ourselves as others see us.
Intruders use network-based auditing!
Background: TCP & UDP
Internet Protocol supports two major transport protocols:
TCP: Transmission Control Protocol – Verifies that packets reach destination intact.
UDP: User Datagram Protocol – No delivery guarantee. Ok for video and audio, or where application checks valid delivery.
Background: IP Ports
TCP and UDP give each packet a port number from 1 to 65,535. Ports are like jacks on a switchboard or stereo system.
If an application wants to be found, it uses a conventional port number:
80/tcp = web
139/tcp and 139/udp = Microsoft sharing
Background: Hide & Seek
• If an application wants to be found, it can also use a local mechanism like RPC or a broker like Napster, Aimster, etc to locate port number by name.
• Some applications don’t want to be found! Subseven, Netbus, …. To find these, you must search all 65,535 ports or else sniff traffic while the application is communicating (Intrusion Detection System.)
Background: Port Status
A port can be:
• Closed (not in use),
• Open (listening), or
• Filtered (the client computer asked for open or closed status report, and the target computer did not reply, usually due to a firewall.)
NMAP
NMAP is one of many port-scanning programs.
Relative to other tools, NMAP is particularly efficient at scanning: it tests multiple ports and multiple hosts simultaneously. NMAP is free, open source, from www.insecure.org.
NMAP
NMAP does three things:
• Determines quickly if an IP address responds to TCP or ICMP pings.
• Sends packets to a target IP address to find which port numbers are open, closed, or filtered.
• Sends good packets and malformed packets to the target IP address and analyzes responses to try to guess what kind of operating system runs on the target computer.
What NMAP Does Not Do
NMAP does not determine what program is running at an open port! Whatever service NMAP reports—http, ftp, smtp, etc.—is an assumption based on standards.
Hacker trick: disguise a remote control access with the port number normally used by domain name service (53), web service (80), etc. especially if firewalls pass traffic on these ports.
Parlez HTTP? Habla DNS?
NESSUS takes over where NMAP leaves off.
1. NESSUS first calls NMAP or uses previous NMAP results to find open ports. NESSUS can also check specified ports without a prior NMAP.
2. NESSUS then can check an open port for dozens of known protocols, such as HTTP, FTP, SMTP (e-mail), Subseven (remote control)….
3. NESSUS, having determined what service runs on a port, sends data to that service to exploit known security vulnerabilities.
Is Scanning Dangerous?
Both NMAP and NESSUS aim to never damage data.
In MU’s NMAP and NESSUS scanning of 13,000 connections in its network, no data has ever been lost through scanning.
Is Scanning Dangerous?
HOWEVER!
• NMAP and especially NESSUS can freeze scanning targets. The network application may freeze. The entire system may require restarting. Some devices such as printers or routers may reset themselves—or not.
Is Scanning Dangerous?
• In MU’s scanning, freezes are rare: about one in six hundred general purpose systems for tests that are not explicitly dangerous.
• NESSUS designates about 10% of its tests as dangerous, denial of service attacks such as oversize data or flooding. In tests of 200 diverse systems, around one third eventually fell to a denial of service attack.
Is Scanning Dangerous?
A full 65,535 TCP port scan and service check generates
– at least 5 MB of traffic to the target
– and at least 6 MB in reply.
– Most of this traffic is small packets.
Hence…
Is Scanning Dangerous?
• Typical testing over a 10 or 100 Mbps connection will noticeably but not painfully slow target system performance for around 15 minutes.
• Scanning multiple targets through one network device can slow that subnet’s performance.
• NMAP and NESSUS offer options to scan slowly or aggressively, and to randomize target sequence.
Safe Scans
• Hence, scan critical infrastructure systems with someone ready to restart systems. Performance monitoring may yield insights.
• For extra safety, move NESSUS denial of service tests out of their normal directory.
Safe Scans
‘Tis better to find exposures
• from a friend who can desist and heal,
• than from adversaries who repeatedly attack whenever they want.
Anti-Scan Measures
• Testing is a stimulus/response match. If no response arrives in a specified time, the test may be inconclusive.
Anti-Scan Measures
One way to resist attacks is to limit the rate of responses to certain requests such as “is this port open?”. That excellent strategy slows down tests by both the bad guys and the good guys.
webmail.cotse.com/CIE/RFC/1812/74.htm “Requirements for IP Version 4 Routers”, section on rate-limiting
Scanning Tools
• Commercial: ISS, …
• Freeware: NMAP, NESSUS, NBTSCAN, LEGION, ...
• Network service
Mix of Unix, NT implementations
For-Free Scans Via Web
Useful as yet another perspective. See how enterprise gateway/firewall affects vulnerability scan. Not comprehensive.
• www.dslreports.com/scan
• security2.norton.com
• hackerwhacker.com:4000/startdemo.dyn
• www.securitylogics.com/portscan.adp
• www.securityspace.com/sspace
A variety of companies offer, for a fee, comprehensive and regularly-scheduled vulnerability scanning services.
NMAP
• www.insecure.org
• Unix support; NT version promised.
• NT port via e-eye
• Performance determined mainly by presence of personal firewalls and other mechanisms designed to impede scanning.
NMAP OPTIONS
$ nmap -h
Nmap V. 2.54BETA30 Usage: nmap [Scan Type(s)] [Options] <host or net list>
Common Scan Types ('*' options require root)
-sT TCP connect() port scan (default)
-sS TCP SYN stealth port scan (best all-around TCP scan) *
-sU UDP port scan *
-sP ping scan (Find any reachable machines)
-sF,-sX,-sN Stealth FIN, Xmas, or Null scan *
-sR/-I RPC/ Identd scan (use with other scan types)
NMAP OPTIONS
Some Common Options (none are required, most can be combined):
-O Use TCP/IP fingerprinting to guess remote operating system *
-p <range> ports to scan. Example range: '1-1024,1080,6666,31337'
-F Only scans ports listed in nmap-services
NMAP OPTIONS
-P0 Don't ping hosts (needed to scan www.microsoft.com and others)
-Ddecoy_host1,decoy2[,...] Hide scan using many decoys
-T <Paranoid|Sneaky|Polite|Normal| Aggressive|Insane> General timing policy
-n/-R Never do DNS resolution/Always resolve [default: sometimes resolve]
NMAP OPTIONS
-oN/-oX/-oG <logfile> Output normal/XML/grepable scan logs to <logfile>
-iL <inputfile> Get targets from file; Use '-' for stdin
SEE THE MAN PAGE FOR MANY MORE OPTIONS,
DESCRIPTIONS, AND EXAMPLES
NMAP RESULTS
$ nmap -O -sT -p 80-140 128.206.95.29-31

Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting ports on static-095029.static.missouri.edu (128.206.95.29):
(The 60 ports scanned but not shown below are in state: filtered)
Port       State       Service
113/tcp    closed      auth

Too many fingerprints match this host for me to give an accurate OS guess

Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting ports on static-095030.static.missouri.edu (128.206.95.30):
(The 60 ports scanned but not shown below are in state: filtered)
Port       State       Service
113/tcp    closed      auth

Interesting ports on dourtyb.iats.missouri.edu (128.206.95.31):
(The 59 ports scanned but not shown below are in state: closed)
Port       State       Service
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
Remote OS guesses: Windows Me or Windows 2000 RC1 through final release, Windows Millenium Edition v4.90.3000

Nmap run completed -- 3 IP addresses (3 hosts up) scanned in 49 seconds
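As an added example, not code from the presentation or from MU: the results above are the normal (-oN) format, and the -oG "grepable" format listed under NMAP OPTIONS is what the later "three line script into a spreadsheet" advice relies on. The script below turns grepable output into CSV rows with POSIX sh and awk. Its sample input is hand-constructed to mirror the three hosts above, using the tab-separated Host/Ports/Ignored State line layout of modern -oG output; it is not captured output from that 2001 scan, and the hostnames and addresses are simply those on the slide.

```shell
#!/bin/sh
# Constructed sample of nmap grepable (-oG) output for the three hosts on the slide.
# Hand-written to match the normal-format results above, not captured from the scan.
# Fields on a Host line are tab-separated: Host, Ports, Ignored State (and OS when -O was used).
sample_grepable() {
  printf '# Nmap 2.54BETA30 scan initiated (constructed sample) as: nmap -O -sT -p 80-140 -oG - 128.206.95.29-31\n'
  printf 'Host: 128.206.95.29 (static-095029.static.missouri.edu)\tPorts: 113/closed/tcp//auth///\tIgnored State: filtered (60)\n'
  printf 'Host: 128.206.95.30 (static-095030.static.missouri.edu)\tPorts: 113/closed/tcp//auth///\tIgnored State: filtered (60)\n'
  printf 'Host: 128.206.95.31 (dourtyb.iats.missouri.edu)\tPorts: 135/open/tcp//loc-srv///, 139/open/tcp//netbios-ssn///\tIgnored State: closed (59)\tOS: Windows Me or Windows 2000\n'
  printf '# Nmap run completed -- 3 IP addresses (3 hosts up) scanned in 49 seconds\n'
}

# Read grepable output on stdin, write one CSV row per port:
#   ip,name,port,proto,state,service
# Comment lines and hosts without a Ports field (e.g. ping-scan "Status: Up" lines) are skipped.
grepable_to_csv() {
  awk -F '\t' '
    /^Host:/ {
      host = $1; sub(/^Host: /, "", host)
      name = host
      sub(/ .*/, "", host)                               # bare IP address
      sub(/^[^ ]* \(/, "", name); sub(/\)$/, "", name)   # reverse-DNS name, may be empty
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        ports = $i; sub(/^Ports: /, "", ports)
        n = split(ports, p, ", ")
        for (j = 1; j <= n; j++) {
          # each entry is port/state/proto/owner/service/rpcinfo/version/
          split(p[j], f, "/")
          printf "%s,%s,%s,%s,%s,%s\n", host, name, f[1], f[3], f[2], f[5]
        }
      }
    }'
}

# Only the rows that matter for an inventory of listening services.
open_ports_csv() {
  grepable_to_csv | grep ',open,'
}

# Stand-alone run: print the inventory rows for the sample.
sample_grepable | open_ports_csv
```

Pipe a real log through it with `grepable_to_csv < scan.gnmap > scan.csv`; the CSV loads straight into a spreadsheet or database, which is the inventory use the author describes. Remember the point made on the "What NMAP Does Not Do" slide: the service column is the conventional name for the port number, not a confirmation of what is actually listening.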
NMAP Front-End
NMAP hardware & system requirements.
• MU experience. Scan of 13,000 connections in Class B network (128.206.*.*, 65,535 addresses) for one port over mostly 100 Mbps edge network from one source takes about 40 minutes. Dividing the network between two source systems even in the same subnet halves elapsed time.
NMAP PERFORMANCE DOESN’T ALWAYS SCALE
Scanning 1 port on 10,000 computers can be faster than scanning 10,000 ports on one computer.
NMAP PERFORMANCE DOESN’T ALWAYS SCALE
An unauthorized remote control program such as Subseven likes to hide out on an arbitrary UDP port.
• Scanning all 65,535 UDP ports of a Windows 98 system can take as little as 2 minutes.
• The same scan of a Solaris system can take eleven hours due to RFC 1812 error-reply rate-limiting.
NMAP hardware & system requirements.
MU bulk scanners work ok at the edge, not centrally located: a 900 MHz, 256 MB Pentium 3 running Red Hat Linux. Memory is the most readily controllable performance factor, since it supports more simultaneous connections. A high quality network card is probably prudent for continual scanning.
NMAP as front end
• NMAP and NESSUS can output results in formats that can, with typically a three line Perl or VB script, load into a spreadsheet or database. Besides NESSUS, other tools can utilize or add value to NMAP’s inventory of open ports. Here are some Unix tools:
After NMAP
• sdig (www.exploits.org/sdig) - obtain IP address' MAC address from its router.
• nbtscan - obtain IP address' Netbios name, Netbios user, Netbios report of MAC address. Breathtakingly fast scanner if you're looking only for Netbios/NMB services.
After NMAP
• wget - get web or FTP page and headers.
• wget http://whever.blah.blah:1214 = Morpheus/Kazaa
FTP & WEB SERVER SUMMARY
FTP & WEB SERVER DETAILS
After NMAP
• coderedscan.pl - posted on UNISOG list, also finds traces of NIMDA.
• Open e-mail relay tests - Manually via www.abuse.net
NESSUS
• www.nessus.org
• Secure client/server architecture
• Server must be on Unix system.
• Clients for Unix, Windows, Java applets, and command line of server. Client can securely login with ID and password or certificate, and can be restricted to set of IP addresses they can scan.
NESSUS PERFORMANCE
• At MU Nessus runs on Linux systems previously described.
• NESSUS non-dangerous tests on a typical host take about 10 minutes in addition to the NMAP scan. Including NMAP reconnaissance, NESSUS rarely takes more than 20 minutes per host.
NESSUS PERFORMANCE
• A NESSUS server can handle
– simultaneous tests of multiple hosts
– multiple tests per host.
• MU has settled on 20 hosts per scanner. If NMAP is not mired with a personal firewall, a full NMAP+NESSUS scan can process 100 hosts per hour.
NESSUS PERFORMANCE
• However, in a hundred targets you will find a few that will occupy NMAP full scan for half a day each unless you take care to separate these slow-movers.
VULNERABILITY TESTS
• Plugin architecture - 812 plugins as of Dec 18, 2001, with around 2 new, and a dozen updated plugins every week. Almost all plugins are in a C-like script language, “NASL”. C can also be used for plugins. You can make your own plugins.
VULNERABILITY TESTS
• Knowledgebase - test results for an IP can be preserved for specified time, to avoid retesting.
• NESSUS applies tests conditionally: web buffer overflows (such as Code Red) are applied only to http ports. You can tell Nessus to respect banners, so if a host claims to use Apache don’t run IIS tests.
NESSUS Plugins Menu
NESSUS Preferences Menu
NESSUS Scan Options
NESSUS Target Selection
NESSUS Status
NESSUS Results
NESSUS Results
• Reports - Nessus produces reports in several formats including HTML with management-friendly pie charts. Results can be imported into spreadsheet databases to try to understand enterprise issues.
NESSUS RESULTS
• Reports offer links or succinct advice for fixing most vulnerabilities.
• Relative to other scanning products, NESSUS has exhibited fewer false alarms, finds more vulnerabilities, and produces appropriate levels of advice.
TECHIE ADVICE: Versions
1. NMAP is stable, months between updates to beta. Use latest beta.
2. Currently, Nessus source code is updated a couple of times per week, beta version is updated about monthly. My advice: use latest Nessus beta.
TECHIE ADVICE: Optimization
3. Read the Changelogs and Readme files, if not source and plugins. These contain tips on optimization.
4. NMAP’s timing option for scan timeouts allows –T Aggressive. -T Normal seems in many cases faster, apparently due to dynamic adjustment of timeouts.
TECHIE ADVICE: Plugins
5. There are about two new NESSUS plugins every week. Run “nessus-update-plugins” daily if possible. This restarts the server, interrupting any scan in progress.
Daily restarting of the server is not a bad idea. Memory leaks have all but vanished from the current beta, but maybe not completely.
TECHIE ADVICE: Plugins
6. Spread scan. For example, scan addresses ending in “.0”, then addresses ending in “.1”, then addresses ending in “.2”, etc.
7. Generate a fresh list of hosts to scan, iterating as above but skipping unallocated subnets, broadcast addresses, network devices, and things like printers that don’t merit frequent testing.
SIX AUDIT CHALLENGES AND STRATEGIC RESPONSES TO THEM
1. First, Do No Harm
2. Time
3. Scan-Resistant Computers
4. Identifying Computers
5. Identifying People
6. Prioritizing Response to Audit Results
Challenge 1: First Do No Harm
• Strategy: Get permission, and buy-in from highest levels."The difference between a hacker and a security analyst is permission." John Greene, in SANS Institute Auditing With NMAP
• Have your business case in order: mandates for security, risk analysis, "you can't manage what you don't measure",…
Challenge 1: First Do No Harm
• Strategy: Start small
• Strategy: Initial scan series run from 7 a.m. to 3 p.m. or whenever someone is available to restart systems.
• Strategy: Maintain exception lists: infrastructure devices to be tested only by arrangement, delicate devices.
Challenge 2: Time
• Strategy: More exception lists. Don't waste time scanning free subnets, broadcast addresses, rarely-changed devices such as routers and printers.
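As an added example, not code from the presentation or from MU: a POSIX sh/awk script that builds the "spread scan" target list from the TECHIE ADVICE: Plugins items (every address ending in .1 across the chosen subnets, then every .2, and so on) while applying the exception lists recommended here, so routers, printers and delicate devices are dropped before NMAP ever sees the list. The network prefix, the subnet numbers and the two excluded addresses are constructed placeholders, not MU's real exception list.

```shell
#!/bin/sh
# Build a "spread" target list: for the /24 subnets given, emit every .1 address, then every
# .2, and so on, so consecutive probes never hit the same subnet twice in a row.
# .0 and .255 (network and broadcast) are never emitted. Addresses listed one per line in the
# exception file (routers, printers, delicate devices) are dropped.
#   spread_targets <first two octets> "<third octets>" <exception file>
spread_targets() {
  prefix=$1; subnets=$2; exceptions=$3
  awk -v prefix="$prefix" -v subnets="$subnets" -v exc="$exceptions" 'BEGIN {
    # getline returns -1 (loop ends at once) if the exception file does not exist
    while ((getline line < exc) > 0) if (line != "") skip[line] = 1
    n = split(subnets, s, " ")
    for (last = 1; last <= 254; last++)
      for (i = 1; i <= n; i++) {
        ip = prefix "." s[i] "." last
        if (!(ip in skip)) print ip
      }
  }'
}

# Count the targets in a list (useful for estimating run time against the slide's figure
# of about 40 minutes for one port across 13,000 connections from one scanner).
count_targets() { wc -l | tr -d ' '; }

# Stand-alone demonstration with a constructed exception list (hypothetical addresses).
demo() {
  exc=$(mktemp)
  printf '128.206.95.1\n128.206.96.7\n' > "$exc"          # e.g. a router and a printer
  spread_targets 128.206 "95 96" "$exc" | head -n 4
  spread_targets 128.206 "95 96" "$exc" | count_targets
  rm -f "$exc"
}
demo
# Feeding the list to NMAP (not run here): one port across many hosts, grepable output,
# using the -iL, -P0 and -oG options from the NMAP OPTIONS slides:
#   spread_targets 128.206 "95 96" exceptions.txt > targets.txt
#   nmap -sS -p 139 -P0 -iL targets.txt -oG scan139.gnmap
```

The ordering matters for the bottleneck point made under this challenge: walking the last octet on the outside spreads consecutive probes across subnets, so a hub, wireless segment or firewall in front of one subnet sees a trickle rather than a burst. Regenerating the list each run (rather than editing a saved copy) is what keeps the exception list authoritative.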
Challenge 2: Time
• Strategy: Divide and conquer. Use multiple computers to speed throughput. Try to NMAP one port on many computers simultaneously rather than many ports on one computer.
Challenge 2: Time
Recognize bottlenecks such as hubs, wireless, and firewalls where many computers funnel through the same network connection.
Challenge 2: Time
Strategy: Test only for a few key vulnerabilities, not all 812+. A few vulnerabilities account for a disproportionate number of breakins and mischief.
Challenge 2: Time
Sources of "top ten" current exploits:
– www.incidents.org
– aris.securityfocus.com
– mynetwatchmn.com/mynetwatchman/topports.asp
– your own records
Challenge 2: Time
• Strategy: Detect new and updated systems, and scan these thoroughly.
• Strategy: Offer self-service scanning.
Challenge 2: Time
• Strategy: Avoid diminishing returns. Some tests consume much more time than others, but rarely find a host with this vulnerability, or the vulnerability is not severe. For example, detecting the PGP service was the 4th most time-consuming scan in recent MU tests, but found no PGP hosts.
Challenge 2: Time
• Strategy: Maintain OS inventory.
• Strategy: Maintain network services inventory.
Challenge 3: Scan-Resistant Computers
• Net good news for security, but a challenge for independently verifying security.
• Symptoms: No reply to pings or other unexpected traffic. Rate limits on error replies or status requests. Teergruben - tar pits. Complete block of scan source that triggers some threshold. VPN.
Challenge 3: Scan-Resistant Computers
• Strategy: Use SNMP, not ping, to find connected devices.
• Strategy: Identify scan-resistant computers for special treatment.
• Strategy: Use network IDS to identify open ports for priority attention.
Challenge 3: Scan-Resistant Computers
• Strategy: Encourage users to configure firewall or intrusion detection software to accept traffic from authorized source(s).
• Strategy: Self-service scanning. User can temporarily turn off personal firewall at least with respect to scan source.
Challenge 3: Scan-Resistant Computers
Footnote: Conscientious people running personal firewalls, firewalls, intrusion detection systems, access monitoring, etc. will notice your scanning and complain. Have written explanation and permission ready.
Challenge 4: Identifying Computers
• IP address identifies connection, not computer.
• Strategy: Use SNMP to identify systems by MAC and physical port.
Challenge 5: Identifying People
• Strategy: Improved logging of use of central services.
• Strategy: Create incentives to register computers with people (user and any support staff):
– Access to scan results
– theft tracing via MAC address
– disconnection if problem and no registered support.
Challenge 6: Prioritizing Response
• Strategy: Get the big picture by putting Nessus results in a spreadsheet. Use this to find:
– Which extreme vulnerabilities do we have?
– Which extreme vulnerabilities have low-cost solutions?
– Are there any correlations with extreme vulnerabilities, such as department or operating system type?
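As an added example, not code from the presentation or from MU: the two "big picture" questions that a spreadsheet answers (which extreme vulnerabilities do we have, and do they correlate with department or operating system) can be asked of a flat CSV export with awk alone. The export layout (host, department, os, severity, plugin) is an assumption about how an analyst would join scan results to an inventory, and every row of the sample is constructed; the severity word "Hole" stands for the highest level in the report, and the plugin names only echo problems the presentation itself mentions.

```shell
#!/bin/sh
# Constructed sample of a scan-results spreadsheet export, one finding per row:
#   host,department,os,severity,plugin
# Hypothetical data joined to a hypothetical inventory; not MU's real results.
sample_findings() {
  cat <<'EOF'
host,department,os,severity,plugin
128.206.95.31,Library,Windows 2000,Hole,Code Red (IIS .ida overflow)
128.206.95.40,Library,Windows 2000,Hole,Code Red (IIS .ida overflow)
128.206.95.41,Library,Windows NT,Hole,Open mail relay
128.206.95.41,Library,Windows NT,Warning,SMB null session
128.206.96.10,Physics,Linux,Hole,Anonymous FTP upload
128.206.96.11,Physics,Linux,Note,FTP banner
128.206.96.12,Physics,Windows 98,Hole,Subseven listening
128.206.97.5,Admin,Windows 2000,Hole,Code Red (IIS .ida overflow)
EOF
}

# Correlation question: tally "Hole" findings grouped by one CSV column
# (2 = department, 3 = os). Output "<count> <group>" lines, largest first.
holes_by() {
  col=$1
  awk -F, -v col="$col" 'NR > 1 && $4 == "Hole" { n[$col]++ }
       END { for (g in n) printf "%d %s\n", n[g], g }' | sort -rn
}

# "Which extreme vulnerabilities do we have?": distinct hosts per Hole-level plugin.
# A host is counted once per plugin even if the finding is repeated on several ports.
top_holes() {
  awk -F, 'NR > 1 && $4 == "Hole" { seen[$5 "\t" $1] = 1 }
       END { for (k in seen) { split(k, p, "\t"); n[p[1]]++ }
             for (v in n) printf "%d %s\n", n[v], v }' | sort -rn
}

# Stand-alone run over the sample.
echo "Holes by department:"; sample_findings | holes_by 2
echo "Holes by OS:";         sample_findings | holes_by 3
echo "Top holes (hosts):";   sample_findings | top_holes
```

Run the same three pipelines over the real export each week and the first line of each answer is what the author means by prioritizing: the one plugin that explains most extreme findings is usually the cheapest fix per host, and a department or OS that dominates the tally is where training or a standard build pays off first.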
Spreadsheet
POINTS TO REMEMBER
• Vulnerability scanning can uncover security disasters before they happen.
• Vulnerability scanning increases defense in depth.
• Get permission and administrative buy-in for scanning.
• Phase in audits.
POINTS TO REMEMBER
• Personal firewalls and kindred tar pits are highly desirable defenses. Authorized scanning must arrange to bypass these or else deal with them separately from hosts that scan much more quickly.
• Don’t waste time detecting vulnerabilities that are relatively minor or that cost too much to fix.
POINTS TO REMEMBER
• In scanning, the security analyst can have advantages over the intruder:
– Permission to intensively scan.
– Higher-speed access.
– Access to SNMP identification or other means of identifying stealth targets, moving targets, and valuable targets.
– Long term records.
USE YOUR ADVANTAGES!