Transcript Using Nessus and Nmap to Audit Large Networks

Using Nessus and Nmap to
Audit Large Networks
By Greg Johnson
Principal Security Analyst
University of Missouri – Columbia
[email protected]
Missouri Network Security Symposium
December 18, 2001
Updated December 19, 2001
Using Nessus and Nmap to
Audit Large Networks
This presentation with any additional
notes and corrections is at:
www.missouri.edu/~johnsong/audit
Using Nessus and Nmap to
Audit Large Networks
Management Goal: Justify regular use
of NMAP, NESSUS, and similar
external, network-based security
auditing tools in your organization.
Technology Goal: Show strategies to
effectively use these tools in light of
six audit-impeding challenges such
as personal firewalls.
Why Audit?
• Find problems that need fixing.
• Significant security vulnerabilities
persist even after best practices.
• Pilots, Santa Claus, & quality
assurance. “Trust, but verify.”
Why Audit?
• Clustering 1, or, Bugs Have Families:
An audit won’t find all vulnerabilities.
But fixing the ones the audit does
find tends also to fix many that the
audit did not identify.
• Clustering 2: Work groups that have
good security (few problems) are
doing something right. Imitate them.
Why Audit?
• Be a prophet: “I know 600 machines
that will have security incidents.”
• Such measurements support:
– Requests for security budget $$
– Requests for security training for your
enterprise.
– Requests for mitigating measures such
as better firewalls, filters—or disaster
recovery!
Why Audit?
• By-products of frequent, large-scale
security auditing:
– Inventory of systems and services.
“How many `servers’ do we have?”
– Ability to respond quickly to applicationspecific exploitations such as Code Red.
– Identification of unauthorized systems &
services (intruders, unacceptable use).
Network-based vs Internal
Auditing: Single System
Internal “white box” tests tend to
be much faster and more thorough
than external “black box” tests.
However…
Network-based vs Internal
Auditing: Single System
1. If system is already compromised,
internal indicators may lie!
2. Both internal and external tests may
miss problems or yield false alarms.
A second opinion can help,
especially if from a very different
perspective.
Network-based vs Internal
Auditing: Single System
3. Internally installed security tools
are subject to attacks, as in recent
Goner virus which disabled antivirus and personal firewall.
Network-based vs Internal
Auditing: Single System
4. Very old, very new, or uncommon
systems may lack internal tests.
5. Internal testing is impossible for
networked printers, networked
cameras, routers, etc. Devices with
telnet/web/smtp or other network
control interface can be remotely
reconfigured with a duplicate IP. Do
your network printers all have
passwords?
Network-based vs Internal
Auditing: Enterprise
1. Unified analysis can simplify auditor
effort across:
– multiple operating systems (Windows
98/ME/NT/2K/XP, Unix, Linux, Mac OS,
printer OS, … and their many releases)
and
– variant applications (IIS vs Apache vs
Netscape Commerce Server vs… and
their many releases).
Network-based vs Internal
Auditing: Enterprise
2. Security experts and other techs
may not have adequate access to
each system, thus making internal
tests of each system impractical.
3. Network-based audits exercise your
firewall, filters, and intrustion
detection systems.
Network-based vs Internal
Auditing: Perspective
As Robert Burns wrote:
Wad a gift
The giftie gie us,
To see ourselves
As others see us.
Intruders use network-based auditing!
Background: TCP & UDP
Internet Protocol supports two major
transport protocols:
TCP: Transmission Control Protocol –
Verifies that packets reach
destination intact.
UDP: User Datagram Protocol - No
delivery guarantee. Ok for video and
audio, or where application checks
valid delivery.
Background: IP Ports
TCP and UDP give each packet a port
number from 1 to 65,535. Ports are
like jacks on a switchboard or stereo
system.
If an application wants to be found, it
uses a conventional port number:
80/tcp = web
139/tcp and 139/udp = Microsoft
sharing
Background: Hide & Seek
• If an application wants to be found, it
can also use a local mechanism like
RPC or a broker like Napster, Aimster,
etc to locate port number by name.
• Some applications don’t want to be
found! Subseven, Netbus, …. To find
these, you must search all 65,535
ports or else sniff traffic while the
application is communicating
(Intrusion Detection System.)
Background: Port Status
A port can be:
• Closed (not in use),
• Open (listening), or
• Filtered (the client computer asked
for open or closed status report, and
the target computer did not reply,
usually due to a firewall.)
NMAP
NMAP is one of many port-scanning
programs.
Relative to other tools, NMAP is
particularly efficient in scanning
simultaneously testing multiple ports
and multiple hosts. NMAP is free,
open source, from www.insecure.org.
NMAP
NMAP does three things:
• Determines quickly if an IP address
responds to TCP or ICMP pings.
• Sends packets to a target IP address
to find which port numbers are open,
closed, or filtered.
• Sends good packets and malformed
packets to the target IP address and
analyzes responses to try to guess
what kind of operating system runs
on the target computer.
What NMAP Does Not Do
NMAP does not determine what
program is running at an open port!
Whatever service NMAP reports—
http, ftp, smtp, etc.—is an assumption
based on standards.
Hacker trick: disguise a remote control
access with the port number normally
used by domain name service (53), web
service (80), etc. especially if firewalls
pass traffic on these ports.
Parlez HTTP? Habla DNS?
NESSUS takes over where NMAP leaves off.
1. NESSUS first calls NMAP or uses previous
NMAP results to find open ports. NESSUS
can also check specified ports without a
prior NMAP.
2. NESSUS then can check an open port for
dozens of known protocols, such as HTTP,
FTP, SMTP (e-mail), Subseven (remote
control)….
3. NESSUS, having determined what service
runs on a port, sends data to that service
to exploit known security vulnerabilties.
Is Scanning Dangerous?
Both NMAP and NESSUS aim to
never damage data.
In MU’s NMAP and NESSUS scanning
of 13,000 connections in its network,
no data has ever been lost through
scanning.
Is Scanning Dangerous?
HOWEVER!
• NMAP and especially NESSUS can
freeze scanning targets. The
network application may freeze. The
entire system may require
restarting. Some devices such as
printers or routers may reset
themselves—or not.
Is Scanning Dangerous?
• In MU’s scanning, freezes are rare:
about one in six hundred general
purpose systems for tests that are
not explicitly dangerous.
• NESSUS designates about 10% of its
tests as dangerous, denial of service
attacks such as oversize data or
flooding. In tests of 200 diverse
systems, around one third eventually
fell to a denial of service attack.
Is Scanning Dangerous?
A full 65,535 TCP port scan and
service check generates
– at least 5 MB of traffic to the target
– and at least 6 MB in reply.
– Most of this traffic is small packets.
Hence…
Is Scanning Dangerous?
• Typical testing over a 10 or 100
Mbps connection will noticeably but
not painfully slow target system
performance for around 15 minutes.
• Scanning multiple targets through
one network device can slow that
subnet’s performance.
• NMAP and NESSUS offer options to
scan slowly or aggressively, and to
randomize target sequence.
Safe Scans
• Hence, scan critical infrastructure
systems with someone ready to
restart systems. Performance
monitoring may yield insights.
• For extra safety, move NESSUS
denial of service tests out of their
normal directory.
Safe Scans
‘Tis better to find exposures
• from a friend who can desist and
heal,
• than from adversaries who
repeatedly attack whenever they
want.
Anti-Scan Measures
• Testing is a stimulus/response
match. If no response arrives in a
specified time, the test may be
inconclusive.
Anti-Scan Measures
One way to resist attacks is to limit rate
of responses to certain requests such as
“is this port open?”. That excellent
strategy slows down tests by both the
bad guys and the good guys.
webmail.cotse.com/CIE/RFC/
1812/74.htm
“Requirements for IP Version 4
Routers” section on rate-limiting
Scanning Tools
• Commercial: ISS,
• Freeware: NMAP, NESSUS,
NBTSCAN, LEGION,...
• Network service:
Mix of Unix, NT implementations
For-Free Scans Via Web
Useful as yet another perspective. See how
enterprise gateway/firewall affects
vulnerability scan. Not comprehensive.
•
•
•
•
•
www.dslreports.com/scan
security2.norton.com
hackerwhacker.com:4000/startdemo.dyn
www.securitylogics.com/portscan.adp
www.securityspace.com/sspace
A variety of companies offer for a fee
comprehensive and regularly-scheduled
vulnerability scanning services .
NMAP
•
•
•
•
www.insecure.org
Unix support; NT version promised.
NT port via e-eye
Performance determined mainly by
presence of personal firewalls and
other mechanisms designed to
impede scanning.
NMAP OPTIONS
$ nmap -h
Nmap V. 2.54BETA30 Usage:
nmap [Scan Type(s)] [Options] <host or net list>
Common Scan Types ('*' options require root)
-sT TCP connect() port scan (default)
-sS TCP SYN stealth port scan (best all-around TCP
scan) *
-sU UDP port scan *
-sP ping scan (Find any reachable machines)
-sF,-sX,-sN Stealth FIN, Xmas, or Null scan *
-sR/-I RPC/ Identd scan (use with other scan types)
NMAP OPTIONS
Some Common Options
(none are required, most can be combined):
-O Use TCP/IP fingerprinting to guess remote
operating system *
-p <range> ports to scan. Example range:
'1-1024,1080,6666,31337‘
-F Only scans ports listed in nmap-services
NMAP OPTIONS
-P0 Don't ping hosts
(needed to scan www.microsoft.com and others)
-Ddecoy_host1,decoy2[,...]
Hide scan using many decoys
-T <Paranoid|Sneaky|Polite|Normal|
Aggressive|Insane> General timing policy
-n/-R Never do DNS resolution/Always resolve
[default: sometimes resolve]
NMAP OPTIONS
-oN/-oX/-oG <logfile>
Output normal/XML/grepable scan logs to <logfile>
-iL <inputfile>
Get targets from file; Use '-' for stdin
SEE THE MAN PAGE FOR MANY MORE OPTIONS,
DESCRIPTIONS, AND EXAMPLES
NMAP RESULTS
$ nmap -O -sT -p 80-140 128.206.95.29-31
Starting nmap V. 2.54BETA30 (
www.insecure.org/nmap/ )
Warning: OS detection will be MUCH less reliable
because we did not find at least 1 open and 1 closed
TCP port
Interesting ports on static-095029.static.missouri.edu
(128.206.95.29):
(The 60 ports scanned but not shown below are in
state: filtered)
Port
State
Service
113/tcp closed
auth
NMAP RESULTS
Too many fingerprints match this host for me to give an
accurate OS guess
Warning: OS detection will be MUCH less reliable
because we did not find at least 1 open and 1 closed
TCP port
Interesting ports on static-095030.static.missouri.edu
(128.206.95.30):
(The 60 ports scanned but not shown below are in
state: filtered)
Port
State
Service
113/tcp closed
auth
NMAP RESULTS
Interesting ports on dourtyb.iats.missouri.edu
(128.206.95.31):
(The 59 ports scanned but not shown below are in
state: closed)
Port
State
Service
135/tcp open
loc-srv
139/tcp open
netbios-ssn
Remote OS guesses: Windows Me or Windows 2000 RC1
through final release, Windows Millenium Edition
v4.90.3000
Nmap run completed -- 3 IP addresses (3 hosts up)
scanned in 49 seconds
NMAP
FrontEnd
NMAP hardware & system
requirements.
• MU experience. Scan of 13,000
connections in Class B network
(128.206.*.*, 65,535 addresses)
for one port over mostly 100 Mbps
edge network from one source
takes about 40 minutes. Dividing
the network between two source
systems even in the same subnet
halves elapsed time.
NMAP PERFORMANCE
DOESN’T ALWAYS SCALE
Scanning 1 port on 10,000 computers
can be faster than scanning 10,000
ports on one computer
NMAP PERFORMANCE
DOESN’T ALWAYS SCALE
An unauthorized remote control
program such as Subseven likes to hide
out on an arbitrary UDP port.
• Scanning all 65,535 UDP ports of a
Windows 98 system can take as little
as 2 minutes.
• The same scan of a Solaris system can
take eleven hours due to RFC 1812
error-reply rate-limiting.
NMAP hardware & system
requirements.
MU bulk scanners work ok at edge,
not centrally located. 900 Mhz
256MB Pentium 3 running Redhat
Linux. Memory is most nearly
controllable performance factor, to
support more simultaneous
connections. A high quality
network card is probably prudent
for continual scanning.
NMAP as front end
• NMAP and NESSUS can output
results in formats that can, with
typically a three line Perl or VB
script, load into a spreadsheet or
database. Besides NESSUS, other
tools can utilize or add value to
NMAP’s inventory of open ports.
Here are some Unix tools:
After NMAP
• sdig (www.exploits.org/sdig) -
obtain IP address' MAC address
from its router.
• nbtscan - obtain IP address'
Netbios name, Netbios user,
Netbios report of MAC address.
Breathtakingly fast scanner if
you're looking only for
Netbios/NMB services.
After NMAP
• wget - get web or FTP page and
headers.
• wget
http://whever.blah.blah:1214 =
Morpheus/Kazaa
FTP & WEB SERVER SUMMARY
FTP & WEB SERVER DETAILS
After NMAP
• coderedscan.pl - posted on UNISOG
list, also finds traces of NIMDA.
• Open e-mail relay tests - Manually via
www.abuse.net
NESSUS
• www.nessus.org
• Secure client/server
architecture
• Server must be on Unix system.
• Clients for Unix, Windows, Java applets,
and command line of server. Client can
securely login with ID and password or
certificate, and can be restricted to set
of IP addresses they can scan.
NESSUS PERFORMANCE
• At MU Nessus runs on Linux
systems previously described.
• NESSUS non-dangerous tests on a
typical host, take about 10 minutes
more in addition to NMAP scan.
Including NMAP reconnaissance,
NESSUS rarely takes more than 20
minutes per host.
NESSUS PERFORMANCE
• A NESSUS server can handle
– simultaneous tests of multiple hosts
– multiple tests per host.
• MU has settled on 20 hosts per
scanner. If NMAP is not mired with
a personal firewall, a full
NMAP+NESSUS scan can process
100 hosts per hour.
NESSUS PERFORMANCE
• However, in a hundred targets you
will find a few that will occupy
NMAP full scan for half a day each
unless you take care to separate
these slow-movers.
VULNERABILITY TESTS
• Plugin architecture - 812 plugins
as of Dec 18, 2001, with around 2
new, and a dozen updated plugins
every week. Almost all plugins are
in a C-like script language, “NASL”.
C can also be used for plugins. You
can make your own plugins.
VULNERABILITY TESTS
• Knowledgebase - test results for
an IP can be preserved for
specified time, to avoid retesting.
• NESSUS applies tests conditionally:
web buffer overflows (such as
Code Red) are applied only to http
ports. You can tell Nessus to
respect banners, so if a host claims
to use Apache don’t run IIS tests.
NESSUS
Plugins
Menu
NESSUS
Preferences
Menu
NESSUS
Scan
Options
NESSUS
Target
Selection
NESSUS Status
NESSUS Results
NESSUS Results
• Reports - Nessus produces reports
in several formats including HTML
with management-friendly pie
charts. Results can be imported
into spreadsheet databases to try
to understand enterprise issues.
NESSUS RESULTS
• Reports offer links or succinct
advice for fixing most
vulnerabilities.
• Relative to other scanning
products, NESSUS has exhibited
fewer false alarms, finds more
vulnerabilities, and produces
appropriate levels of advice.
TECHIE ADVICE: Versions
1. NMAP is stable, months between
updates to beta. Use latest beta.
2. Currently, Nessus source code is
updated a couple of times per
week, beta version is updated
about monthly. My advice: use
latest Nessus beta.
TECHIE ADVICE:
Optimization
3. Read the Changelogs and Readme
files, if not source and plugins. These
contain tips on optimization.
4. NMAP option for timeouts of scan
allows –T Aggressive. -T Normal
seems in many cases faster
apparently due to dynmaic
adjustment of timeouts.
TECHIE ADVICE: Plugins
5. There are about two new NESSUS
plugins every week. Run “nessusupdate-plugins” daily if possible.
This restarts server, interupting in
scan in progress.
Daily restarting server is not a bad
idea. Memory leaks are about
vanished from current beta, but
maybe not completely.
TECHIE ADVICE: Plugins
5. Spread scan. For example, scan
addresses ending in “.0”, then
addresses ending in “.1”, then
addresses ending in “.2”, etc.
6. Generate a fresh list of hosts to
scan, iterating as above but skipping
unallocated subnets, broadcast
addresses, network devices, and
things like printers that don’t merit
frequent testing.
SIX AUDIT CHALLENGES
AND STRATEGIC
RESPONSES TO THEM
1.
2.
3.
4.
5.
6.
First, Do No Harm
Time
Scan-Resistant Computers
Identifying Computers
Identifying People
Prioritizing Response to Audit Results
Challenge 1: First Do No
Harm
• Strategy: Get permission, and buyin from highest levels.
"The difference between a hacker and a
security analyst is permission." John Greene,
in SANS Institute Auditing With NMAP
• Have your business case in order:
mandates for security, risk
analysis, "you can't manage what
you don't measure",…
Challenge 1: First Do No
Harm
• Strategy: Start small
• Strategy: Initial scan series run
from 7 a.m. to 3 p.m. or whenever
someone is available to restart
systems.
• Strategy: Maintain exception lists:
infrastructure devices to be tested
only by arrangement, delicate
devices.
Challenge 2: Time
• Strategy: More exception lists.
Don't waste time scanning free
subnets, broadcast addresses,
rarely-changed devices such as
routers and printers.
Challenge 2: Time
• Strategy: Divide and conquer.
Use multiple computers to speed
throughput.
Try to NMAP one port on many
computers simultaneously rather
than many ports on one computer.
Challenge 2: Time
Recognize bottlenecks such as hubs,
wireless, and firewalls where many
computers funnel through the
same network connection.
Challenge 2: Time
Strategy: Test only for a few key
vulnerabilities, not all 812+. A few
vulnerabilities account for a
disproportionate number of
breakins and mischief.
Challenge 2: Time
Sources of "top ten" current
exploits:
– www. incidents.org
– aris.securityfocus.com
– mynetwatchmn.com/mynetwatchma
n/topports.asp
– your own records
Challenge 2: Time
• Strategy: Detect new and updated
systems, and scan these
thoroughly.
• Strategy: Offer self-service
scanning.
Challenge 2: Time
• Strategy: Avoid diminishing
returns. Some tests consume
much more time than others, but
rarely find a host with this
vulnerability, or the vulnerability is
not severe. For example, detecting
the PGP service was the 4th most
time-consuming scan in recent MU
tests, but found no PGP hosts.
Challenge 2: Time
• Strategy: Maintain OS inventory.
• Strategy: Maintain network
services inventory.
Challenge 3: ScanResistant Computers
• Net good news for security, but a
challenge for independently
verifying security.
• Symptoms: No reply to pings or
other unexpected traffic. Rate
limits on error replies or status
requests. Teergruben - tar pits.
Complete block of scan source that
triggers some threshold. VPN.
Challenge 3: ScanResistant Computers
• Strategy: Use SNMP, not ping, to
find connected devices.
• Strategy: Identify scan-resistant
computers for special treatment.
• Strategy: Use network IDS to
identify open ports for priority
attention.
Challenge 3: ScanResistant Computers
• Strategy: Encourage users to
configure firewall or intrusion
detection software to accept traffic
from authorized source(s).
• Strategy: Self-service scanning.
User can temporarily turn off
personal firewall at least with
respect to scan source.
Challenge 3: ScanResistant Computers
Footnote: Conscientious people
running personal firewalls,
firewalls, intrusion detection
systems, access monitoring, etc.
will notice your scanning and
complain. Have written
explanation and permission ready.
Challenge 4: Identifying
Computers
• IP address identifies connection,
not computer.
• Strategy: Use SNMP to identify
systems by MAC and physical port.
Challenge 5: Identifying
People
• Strategy: Improved logging of use
of central services.
• Strategy: Create incentives to
register computers with people
(user and any support staff):
– Access to scan results
– theft tracing via MAC address
– disconnection if problem and no
registered support.
Challenge 6: Prioritizing
Response
• Strategy: Get the big picture by
putting Nessus results in a
spreadsheet. Use this to find:
– Which extreme vulnerabilities do we
have?
– Which extreme vulnerabilities have lowcost solutions?
– Are there any correlations with extreme
vulnerabilities, such as department or
operating system type?
Spreadsheet
POINTS TO REMEMBER
• Vulnerability scanning can uncover
security disasters before they happen.
• Vulnerability scanning increases
defense in depth.
• Get permission and administrative buyin for scanning.
• Phase in audits.
POINTS TO REMEMBER
• Personal firewalls and kindred tar pits
are highly desirable defenses.
Authorized scanning must arrange to
bypass these or else deal with them
separately from hosts that scan much
more quickly.
• Don’t waste time detecting
vulnerabilities that are relatively minor
or that cost too much to fix.
POINTS TO REMEMBER
• In scanning, the security analyst can
have advantages over the intruder:
– Permission to intensively scan.
– Higher-speed access.
– Access to SNMP identification or other
means of identifying stealth targets,
moving targets, and valuable targets.
– Long term records.
USE YOUR ADVANTAGES!