January 31, 2004

Nessus is the most popular vulnerability scanner around, probably because it has one of the largest databases of vulnerabilities, which it updates regularly. Every time a new vulnerability is detected, it gets added into Nessus’ database in the form of a plug-in. When you run Nessus, you can decide which plug-ins you want to use for the attack. This makes Nessus highly modular. The more plug-ins you use, the longer it takes to run Nessus and get the results. Nessus also gives you remedies for the vulnerabilities it detects, and you can output the reports in XML, HTML, etc., together with complete graphs and charts. 

In this article, we’ll go through the installation procedure for Nessus, using it to detect common vulnerabilities on a Windows 2000 Server, patching up the server against Nessus attacks, detecting whether Nessus is running on your network, and finally using a Honeypot to draw a hacker to it so that he can be caught. 

Install Nessus
To install Nessus you have to install four files, which you will find on this month’s PCQ Essential CD. Place the CD in the CD drive, copy the nessus.tar.gz file to your home directory and install it as shown below.

#tar -zxvf nessus.tar.gz
#cd nessus
#tar -zxvf nessus-libraries-2.0.9.tar.gz
#cd nessus-libraries-2.0.9
#./configure && make && make install
#cd ../
#tar -zxvf libnasl-2.0.9.tar.gz
#cd libnasl-2.0.9
#./configure && make && make install
#cd ../
#tar -zxvf nessus-core-2.0.9.tar.gz
#cd nessus-core-2.0.9
#./configure && make && make install
#cd ../
#tar -zxvf nessus-plugins-2.0.9.tar.gz
#cd nessus-plugins-2.0.9
#./configure && make && make install

The above commands install the four packages by first unzipping and untarring each one and then compiling and installing its source code. Make sure that you install them in the order given, or you’ll get dependency errors.

Now open the file called in the /etc directory and enter the line /usr/local/lib in it. Save the file and run the ldconfig command. 

Finally, make sure that /usr/local/bin and /usr/local/sbin are in your PATH. If not, you can add them by editing the hidden file .bash_profile in your home directory and adding the following words after the line which starts with PATH. 


Now you have to create a Nessus SSL certificate so that Nessus can be used over a secure SSL connection. To do so, run the nessus-mkcert command in a terminal and answer the questions it asks.

Now add a user who will be authorized to use Nessus. To do so, run the following command and enter the username and passphrase when asked.


Using Nessus
Start the Nessus daemon from a terminal window using the nessusd & command. Then start the Nessus client (the interface) by typing ‘nessus’ in any terminal. Log in to it using the credentials you created above, go to the plug-in tab and select all the attacks you want to run on the server. These attacks range from simple DoS attacks to those that can gain remote shell access. The best option is to select all plug-ins so that you catch the maximum number of vulnerabilities. Be warned, though, that this significantly increases the time the scan takes to run.

Screenshot: lots of SYN packets captured when a Nessus attack was run against a machine

Select the pref tab and you will get a lot of things to play around with. Here you can also provide a file from which Nessus will attempt a brute-force attack on the different services you’ve selected. This gives an idea of the password strength on the host system. After you are through with these settings, click on the Scan Option tab. At the bottom of this tab you will find a list of port scanners and their descriptions. 

Select the ones you want to run. Again remember that running all of them will give the maximum data.

Finally, select the Target Selection tab and enter the hostname or IP address of the server you want to attack. Then check the ‘Save this session’ option and hit the ‘Start the scan’ button. Nessus will take some time to do the scans and attacks. After the process is over, it will give you a comprehensive report of the vulnerabilities found on the target. The most common vulnerability in Windows 2000 or NT servers is an open NetBIOS port. This not only allows Nessus to get a listing of all user accounts on the server, but also lets it find out how many users haven’t changed their passwords in a long time. 

As you can imagine, this is a big vulnerability in itself. For instance, usually the first passwords given to users are the same as the username. Users are then expected to change this. If a hacker is able to detect the users who haven’t changed their passwords in a long time, he can try and access the network using their accounts. If one of them has the same username and password, the rest, as they say, will be history!

Anindya Roy

Protecting from Nessus

Since Nessus detects user accounts on a Windows 2000 Server through an open NetBIOS port, which is TCP port 139, you’d think the easiest solution would be to block access to this port. But that is not so, especially if you’re still using old Win 98/ME clients on your network. Since these clients access the server through this port, blocking it might stop some legacy applications from functioning properly as well. If you’re using Windows 2000 Pro and above, and don’t have any legacy applications running, then you can safely block this port. 

Nessus is also used by hackers to attack Internet servers, so make sure your firewall blocks access to port 139. Plus, keep your systems updated with the latest patches and updates. The reports generated by Nessus give you a proper breakdown of all vulnerabilities by severity level (High, Medium, Low). Keep tabs on these, and make sure that you take care of the high-severity ones. 

Since Nessus runs such a large number of scans, it’s likely that any network intrusion-detection system would be able to detect at least one of them. However, there might be cases where the hacker doesn’t do a mass attack, and instead runs a few attacks at a time. So it’s better to use multiple techniques to catch Nessus. For instance, we used System Events Log Manager from GFI to detect a brute-force attack by Nessus. The software detected the attack and sent a mail to the administrator informing them of the attack. 

Another way to find a Nessus attack is by using a packet-capturing utility like Ethereal. One sign of a Nessus attack is a sudden increase in the number of packets, which can be 20 times more than normal. The capture will contain lots of SYN and ACK packets from a single IP address. This shows that some machine is continuously trying to connect and establish new connections. 
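As an added example (not from the original article), the SYN-burst pattern described above can be checked automatically over the text output of a packet capture rather than by eye. The script below assumes tcpdump-style lines (for example from tcpdump -nn -r capture.pcap) and uses a constructed sample with placeholder addresses; it counts pure SYN packets per source address and the number of distinct destination ports each source touched, and reports only sources that exceed both thresholds, which separates a scanner from a normal client that retries one port.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Flags hosts that send many TCP SYNs to many distinct ports, the pattern the
# article describes for a Nessus run. Input is tcpdump-style text, e.g.:
#   tcpdump -nn -r capture.pcap 'tcp[tcpflags] & tcp-syn != 0'
# SAMPLE is constructed for this example; the addresses are placeholders.
SAMPLE='12:00:01.000123 IP 192.168.1.50.34567 > 192.168.1.10.21: Flags [S], seq 1, win 1024, length 0
12:00:01.000456 IP 192.168.1.50.34568 > 192.168.1.10.22: Flags [S], seq 1, win 1024, length 0
12:00:01.000789 IP 192.168.1.50.34569 > 192.168.1.10.23: Flags [S], seq 1, win 1024, length 0
12:00:01.001012 IP 192.168.1.50.34570 > 192.168.1.10.25: Flags [S], seq 1, win 1024, length 0
12:00:01.001345 IP 192.168.1.50.34571 > 192.168.1.10.80: Flags [S], seq 1, win 1024, length 0
12:00:01.001678 IP 192.168.1.50.34572 > 192.168.1.10.139: Flags [S], seq 1, win 1024, length 0
12:00:01.002001 IP 192.168.1.50.34573 > 192.168.1.10.445: Flags [S], seq 1, win 1024, length 0
12:00:01.002334 IP 192.168.1.10.139 > 192.168.1.50.34572: Flags [S.], seq 1, ack 2, win 1024, length 0
12:00:02.000000 IP 192.168.1.20.50000 > 192.168.1.10.139: Flags [S], seq 1, win 8192, length 0
12:00:03.000000 IP 192.168.1.20.50001 > 192.168.1.10.139: Flags [S], seq 1, win 8192, length 0'

# detect_scanners MIN_SYNS MIN_PORTS < capture-lines
# Prints "src syns distinct_ports" for every source that sent at least
# MIN_SYNS pure SYNs to at least MIN_PORTS distinct destination ports.
detect_scanners() {
    awk -v min_syns="$1" -v min_ports="$2" '
        # Count only pure SYNs ("[S],"); a SYN-ACK reply shows as "[S.],"
        $2 == "IP" && $6 == "Flags" && $7 == "[S]," {
            src = $3; sub(/\.[0-9]+$/, "", src)      # drop the source port
            dst = $5; sub(/:$/, "", dst)             # "a.b.c.d.139:" -> "a.b.c.d.139"
            port = dst; sub(/.*\./, "", port)        # keep destination port only
            syns[src]++
            if (!((src, port) in seen)) { seen[src, port] = 1; ports[src]++ }
        }
        END {
            for (s in syns)
                if (syns[s] >= min_syns && ports[s] >= min_ports)
                    printf "%s %d %d\n", s, syns[s], ports[s]
        }' | sort
}

# Stand-alone run over the constructed sample: only 192.168.1.50 is reported,
# since 192.168.1.20 retried a single port twice, which is normal client behaviour.
printf '%s\n' "$SAMPLE" | detect_scanners 5 5
```

The thresholds are deliberately low so the sample shows the effect; on a real capture, set them from what your network looks like on a quiet day, and feed the script with the text output of your capture tool (tcpdump or Ethereal's text export) rather than a raw pcap.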

Nessus and HoneyPot
Another way of catching Nessus is to use a HoneyPot, a decoy server set up for hackers. They attack this server thinking it is the real one (see the article on Tiny HoneyPot in this issue). When we tried it out, Nessus did not know that it had entered the HoneyPot. It detected 10 security holes, out of which nine were unknown, without figuring out that there was a HoneyPot running on the machine. This technique can be used to draw the hacker into the server and possibly trap him.

