Running head: USING NESSUS AND NMAP TOOLS 1
Nessus and Nmap Overview - Scanning Networks
Research Paper On Nessus and Nmap
Mike Pergande
Ethical Hacking
North Iowa Area Community College
Nessus and Nmap Overview - Scanning Networks
Network administrators may be asked or required to check for vulnerabilities in the
company network and then take steps to better secure the network. Administrators want to check
for open ports and other security vulnerabilities on the network. What scanning tools are
available for the network administrator to use that will provide this valuable information?
Attackers have a goal of finding vulnerabilities in company networks and then exploiting
those vulnerabilities. Attackers want to check for open ports and other security vulnerabilities on
the network. What scanning tools are available for the network attackers to use that will provide
this valuable information?
Two popular tools available to scan networks for vulnerabilities are Nessus and Nmap.
Both the network administrator and the attacker use Nessus and Nmap scanning tools to find
network vulnerabilities. Let’s take a look at these vulnerability scanning tools starting with
Nmap.
Nmap is a free and open source utility program and is used for network exploration.
Nmap can determine a multitude of characteristics about a network. Just a few examples are
what hosts are available on the network including what applications are running on the hosts,
what operating systems are being used, and what firewalls are being used. (“Introduction,”
Nmap, n.d.)
A lab environment was set up on its own isolated network, and Nmap was run on this
network to identify vulnerabilities. The Nmap scan results are displayed below.
Nmap can be run from a command line interface as well as from a Graphical User Interface
(GUI) called Zenmap. Figure 1.1 shows Nmap running as the Zenmap GUI, with the network
hosts to be scanned entered in the Target field and the Profile set to Intense Scan. Once you click
the Scan button, the scan commences and the results appear under the Nmap Output tab.
Figure 1.2 shows an example of the scan results when Nmap first begins scanning, including
ports, the state of each port, and the service running on the port. The output also tells you
whether each host within your scan range is up or down and what type of scan is running.
Figure 1.1 Initial Screen
Figure 1.2 Nmap Output Results Pane
Nmap also lays out a topology of the network being scanned. An example of the lab
network topology can be seen in Figure 1.3. Depending on the number of devices or hosts on the
network, this topology can show where each device and host sits on the network, based on
how many hops it is from the local host.
Figure 1.3 Network Topology
Nmap also allows you to save your scan results to a text document. Figure 1.4 shows the
scan results for host 192.168.1.3 on the lab network. The report shows several open ports on the
host. From the network administrator’s point of view, each open port can then be evaluated
to see whether the service running on it is needed on the network. If the service is not
needed, the port can be closed, thereby hardening the system. From the attacker’s point of
view, the open ports are an opportunity to get into the network. For example, one scan result in
this lab shows TCP port 1029 open. Kevin Liston, a handler on duty at the Internet Storm Center
for the SANS Institute, published port details for port 1029 revealing that the port was targeted
for an ICQ Nuke 98 trojan attack 1,100 times on April 13, 2011. (Liston, 2011)
Figure 1.4 Nmap Scan Report
Besides port status on network devices, Nmap reveals MAC addresses, Operating
Systems (OS), OS versions, how long the device has been up and running, and host RSA security
keys, just to name a few.
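The saved scan report can be reviewed programmatically rather than by eye. The following added example (not from the paper) parses a constructed sample of Nmap's grepable output (the -oG format) and flags open ports whose service the administrator has decided the network does not need; the UNNEEDED_PORTS list is an assumed, site-specific choice, with TCP 1029 taken from the paper's lab result.

```python
import re

# Constructed sample of Nmap grepable output (-oG), not the paper's lab scan;
# the hosts, ports and version strings are invented for illustration.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG lab.gnmap 192.168.1.0/24
Host: 192.168.1.2 ()\tStatus: Up
Host: 192.168.1.2 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.3/, 80/open/tcp//http//Apache httpd 2.2/, 1029/open/tcp//ms-lsa///\tIgnored State: closed (997)
Host: 192.168.1.3 ()\tStatus: Up
Host: 192.168.1.3 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (998)
Host: 192.168.1.9 ()\tStatus: Down
# Nmap done -- 256 IP addresses (2 hosts up) scanned
"""

# Ports whose services the administrator has decided are not needed on this
# network (an assumed, site-specific list; TCP 1029 is the paper's example).
UNNEEDED_PORTS = {"tcp/1029", "tcp/445"}


def parse_gnmap(text):
    """Map each scanned host to its (port, proto, state, service, version) tuples."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        match = re.search(r"Ports: (.*?)(?:\t|$)", line)
        if not match:
            continue  # "Status:" lines carry no port data
        for entry in match.group(1).split(", "):
            # grepable field order: port/state/proto/owner/service/rpcinfo/version/
            f = entry.split("/")
            results.setdefault(host, []).append(
                (int(f[0]), f[2], f[1], f[4], f[6]))
    return results


def review_open_ports(scan):
    """List (host, proto/port, service) for open ports on the unneeded list."""
    findings = []
    for host, ports in sorted(scan.items()):
        for port, proto, state, service, _version in ports:
            if state == "open" and f"{proto}/{port}" in UNNEEDED_PORTS:
                findings.append((host, f"{proto}/{port}", service or "unknown"))
    return findings


if __name__ == "__main__":
    for host, key, service in review_open_ports(parse_gnmap(SAMPLE_GNMAP)):
        print(f"{host}: {key} ({service}) is open but not needed; review and close")
```

Filtered ports are deliberately left out of the findings, since only open services are candidates for closing.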
Nmap is a powerful tool and provides a wealth of information about a network and the
devices attached to it. This information can be used for good or evil: good for
penetration tests by network administrators wanting to increase the security of the network, and evil
for attackers attempting to exploit vulnerabilities on a company network.
The other vulnerability scanning tool mentioned earlier is called Nessus. This tool is a
product of Tenable Network Security, and it is available in a free HomeFeed version and a
commercial ProfessionalFeed version. The lab environment mentioned previously was scanned
using the Nessus HomeFeed version. (Tenable, n.d.)
Before running a Nessus scan, you need to create a policy that tells Nessus what you want to
scan for. Figure 1.5 shows an example of the Nessus Scan Policy window. The policy contains
the plugins you wish to run, the ports and protocols to scan, and other preferences for your scan. You then give
your scan a name, select the policy you created, and enter the network target devices for the scan.
The next step is to start the scan by clicking Launch Scan. When the scan is complete you can
save the full scan report as HTML. The report lists each device scanned along with its
Scan Time, Number of vulnerabilities, and Remote host information. Some of the results of the
scan of the lab environment are detailed below.
Figure 1.5 Adding a Policy
Four machines were scanned in this lab environment. One machine showed several
vulnerabilities. Vulnerabilities listed in this scan include open ports and risk categories of the
vulnerabilities. The categories are High, Medium, and Low. As seen in Figure 1.6, the machine
with address of 192.168.1.2 showed 12 open ports, 2 high risk vulnerabilities, 4 medium risk
vulnerabilities, and 47 low risk vulnerabilities. Each vulnerability includes a Synopsis,
Description, Risk factor, CVSS Base Score, Solution if available, Plugin output, and Plugin ID.
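The per-vulnerability fields listed above can be tallied and prioritized automatically. This added example (not from the paper) assumes the report is exported in Nessus's .nessus XML format (NessusClientData_v2) rather than the HTML used in the lab, parses a constructed fragment of it, counts findings per risk category for each host, and builds a fix list of findings that come with a Solution, worst first; plugin IDs, names and scores in the sample are invented.

```python
import xml.etree.ElementTree as ET

# Constructed NessusClientData_v2 fragment (the .nessus XML export), not the
# paper's lab report; plugin IDs, names, scores and wording are invented.
SAMPLE_NESSUS = """<NessusClientData_v2><Report name="lab">
 <ReportHost name="192.168.1.2">
  <ReportItem port="0" protocol="tcp" severity="4" pluginID="900001"
              pluginName="Unsupported Operating System">
   <risk_factor>Critical</risk_factor><cvss_base_score>10.0</cvss_base_score>
   <solution>Upgrade to a supported version of the operating system.</solution>
  </ReportItem>
  <ReportItem port="443" protocol="tcp" severity="2" pluginID="900002"
              pluginName="SSL Certificate Cannot Be Trusted">
   <risk_factor>Medium</risk_factor><cvss_base_score>6.4</cvss_base_score>
   <solution>Purchase or generate a proper certificate for this service.</solution>
  </ReportItem>
  <ReportItem port="22" protocol="tcp" severity="0" pluginID="900003"
              pluginName="SSH Server Type and Version">
   <risk_factor>None</risk_factor>
  </ReportItem>
 </ReportHost>
</Report></NessusClientData_v2>"""

RISK_ORDER = ["Critical", "High", "Medium", "Low", "None"]

def parse_nessus(xml_text):
    """Return {host: [finding, ...]}: one dict per ReportItem with the report's fields."""
    hosts = {}
    for rh in ET.fromstring(xml_text).iter("ReportHost"):
        hosts[rh.get("name")] = [{
            "plugin_id": ri.get("pluginID"),
            "name": ri.get("pluginName"),
            "port": f"{ri.get('protocol')}/{ri.get('port')}",
            "risk": ri.findtext("risk_factor", "None"),
            "cvss": float(ri.findtext("cvss_base_score", "0")),
            "solution": ri.findtext("solution", ""),
        } for ri in rh.iter("ReportItem")]
    return hosts

def summarize(hosts):
    """Per-host tally by risk factor: the Critical/High/Medium/Low counts the report shows."""
    return {h: {r: sum(f["risk"] == r for f in items) for r in RISK_ORDER}
            for h, items in hosts.items()}

def fix_list(hosts, min_risk="Medium"):
    """Findings at or above min_risk that carry a solution, worst first."""
    cutoff = RISK_ORDER.index(min_risk)
    hits = [(h, f) for h, items in hosts.items() for f in items
            if RISK_ORDER.index(f["risk"]) <= cutoff and f["solution"]]
    return sorted(hits, key=lambda hf: (RISK_ORDER.index(hf[1]["risk"]), -hf[1]["cvss"]))
```

Informational findings (risk factor None) are kept in the tally but never reach the fix list, which is ordered by risk category and then by CVSS base score.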
Figure 1.6 Device Initial Scan Information
Figure 1.7 shows a closer look at one of the critical risk vulnerabilities found during the
scan. The machine is running an obsolete operating system that is no longer supported, so
no security patches are available for the system. One vulnerability related to this operating
system is referenced in the National Vulnerability Database (NVD) on the National Institute of Standards
and Technology web site. According to the NVD, local users can “cause a denial of service or
gain privileges by attempting to open an anonymous pipe via a /proc/*/fd/ pathname”. (US-
CERT/NIST, 2010)
Figure 1.7 Critical Vulnerability
The Nessus report of this vulnerability displays that a solution to the vulnerability is to
upgrade to a newer version of the operating system. The network administrator can use this
information to increase network security and prevent an attacker from exploiting this
vulnerability. An attacker would use the information to exploit the vulnerability and gain access
to root privileges on the network. If the network administrator is not using a tool like Nessus and
the attacker is using the tool, the attacker has a huge advantage over the administrator.
Further investigation of the Nessus scan report shows a medium risk vulnerability
regarding an unsigned SSL certificate, as shown in Figure 1.8. As the report states, access to this
host could easily be established because there is no authentication in place to prevent an attacker
from setting up a man-in-the-middle attack. Again, this is critical information that can help the
network administrator take steps to resolve the issue, or allow an attacker to choose his steps.
This vulnerability can be resolved by purchasing or generating a proper certificate, as shown in
Figure 1.9.
Figure 1.8 SSL Certificate Vulnerability
Figure 1.9 SSL Vulnerability Solution
Like Nmap, Nessus is a powerful tool to help administrators protect their network
against attacks. The crucial point is for the administrator to actually use the tool periodically, to
become familiar with the network and learn what can be done to better protect it. Michael
Mullins writes in an article for TechRepublic that you cannot rely on vendor patches for
your entire security strategy. You must take steps to plug the holes that black hat attackers
are looking for. (Mullins, 2005)
Nmap and Nessus are a critical step in protecting your network. They do not resolve all
the issues, but they help educate you so you can stay a step ahead of the attackers. You need to become
familiar with attackers’ tactics and deploy the measures necessary to thwart their efforts. Preventive
maintenance practices have been around a long time; Nmap and Nessus are great preventive
maintenance tools you can use to secure your network. Since Nmap is open source and Nessus is available
in a free HomeFeed version, they will not put a dent in your IT budget. That can sound pretty good to
company management: increased network security at a minimal cost!
References
Introduction. (n.d.) NMAP.ORG. Retrieved from http://nmap.org/
Liston, K. (2011). Port Details – Port 1029. Internet Storm Center, SANS Institute.
Retrieved from http://isc.sans.edu/port.html?port=1029
Mullins, M. (2005). Learn how Nessus can fit your remote scanning needs. TechRepublic.
Retrieved from
http://www.techrepublic.com/article/learn-how-nessus-can-fit-your-remote-scanning-needs/5755585?tag=mantle_skin;content
Tenable. (n.d.) Tenable Security Center. nessus.org. Retrieved from
http://www.nessus.org/products
US-CERT/NIST. (2010). Vulnerability Summary for CVE-2009-3547. National Cyber
Alert System. Retrieved from
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3547