version 1.2
1 Purpose
In this laboratory assignment you will use the Nessus vulnerability scanning tool to
gather information about a system and to assess its security. The purpose of the
lab is threefold: 1) to get some hands-on experience with a common vulnerability
assessment tool; 2) to learn common signs of insecure practices; and 3) to become
a more security-aware computer user.
2 Preparations
Unless you are already familiar with Nessus, you are encouraged to read the Nessus
User’s Manual, section 4, before the lab session. The manual is available at
http://ftp.intevation.de/boss/doc/users-manual-20050103.pdf
3 Reporting
Work your way through the labpm. When you encounter a paragraph beginning
with the text Assignment you should do the task. To report your findings and
progress there is a reporting sheet available for download from the course lab page.
The sheet is called Report sheet lab3.pdf.
When you have finished the assignments, you need to show the completed report
sheet to the supervisor. Be prepared to motivate and discuss your results.
Nessus is a vulnerability scanner. It performs port scans and is able to test a target
computer system for over 10000 known vulnerabilities. The Nessus architecture consists
of two parts: a server daemon (nessusd) and a client providing a graphical user
interface (NessusClient) for interaction with nessusd. nessusd runs on a separate
host and can serve multiple NessusClients simultaneously.
To use the Nessus service, each lab group has a certificate generated. The certificate
allows you to connect to the nessusd without supplying username and password.
The Nessus server runs at host arwen.ce.chalmers.se and uses SSL to secure the
connection.
Figure 4 shows the lab setup. NessusClient is installed on all computers in the
lab. To perform a scan, NessusClient first connects to nessusd residing on arwen.
nessusd then performs the scan of the vulnerable host lx08.ce.chalmers.se.
Figure 4: The NessusClient connects to the nessusd which performs the scanning of the
remote computer host.
5 Lab assignment
In this lab you will use the Nessus vulnerability scanner to scan a remote computer
and assess its security. You will also use your findings to propose how the system
can be made more secure. For instructions on how to report your findings, refer to
Section 3.
Figure 5: The NessusClient graphical user interface as seen when the program is started.
enable SSL, you tick the “Use SSL encryption” check-box. To enable authentication
with certificates, tick the “Authentication by certificate” check-box. The certificate
and key are contained in the same file, called cert nessuswx csecYYY.pem. This file
is in your lab account home directory. Enter the path to this file in both the “User
Certificate File” and the “User Key File” fields. Then click Ok.
Note: Unless you enable SSL encryption, you will get an error and a dialog-box
will pop up and tell you that the “Remote host is not using the good version of the
Nessus Communication protocol (1.2) or is tcpwrapped.”
After you have connected to the nessusd, a dialog-box will appear to provide you
with authentication options. Use the pre-selected option and press Ok. Another
dialog-box will then appear. This box contains the server’s certificate. Look at the
certificate and approve it by clicking Ok. You are now connected!
When the scan is complete, Nessus generates a report containing a list of <port
number/service name> tuples for you. Rename the report “Portscan csecYYY”.
* * *
Steps 3 and 4 below require the use of plugins, i.e. vulnerability tests. Each plugin
contains a specific test and the plugins are grouped according to usage area. Each
group has a more or less descriptive name, such as FTP, service detection and
general. To use a specific plugin, you first have to enable it. This is done by ticking
the check box after the plugin name. If you double-click on the plugin, a dialog
box will appear to display additional information about the plugin, including what
information will be returned to you if a test is successful. An example dialog for
plugin “Telnet Server Detection” is shown in Figure 6.
Note: It is very important that you make sure that the safe checks check-box is
ticked at all times when plugins are used since some plugins may harm the remote
computer.
Figure 6: When double-clicking a plugin, a dialog box appears to display plugin information.
Note: As in real life, it is not certain that a service reveals its version. If you
cannot find enough information to pinpoint the version of a service,
try to enable all plugins in the general, misc and service detection groups. If you
are still unable to find the information, note this in the report sheet.
Note: A full scan using all plugins may take some time to finish. Be patient and
do not stop the scan before it is finished.
6 Useful links
Port numbers, services
• FILE: The file /etc/services. File is present on the lab computers.
• URL: http://www.iana.org/assignments/port-numbers
• URL: http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
• URL: http://www.unix.org.ua/orelly/networking/puis/ch17_03.htm
• TIP: Use keywords like “tcp, port, <portno>” in a browser of your choice.
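An added example, not part of the original lab memo: one way to check the <port number/service name> tuples from a scan report against a file in /etc/services format. The sample file excerpt, the findings list and the function names are constructed for illustration.

```python
# Constructed excerpt in /etc/services format (not taken from the lab host).
SAMPLE_SERVICES = """\
# name   port/protocol   aliases
ftp      21/tcp
ssh      22/tcp                  # SSH Remote Login Protocol
telnet   23/tcp
domain   53/udp
http     80/tcp    www           # WorldWideWeb HTTP
sunrpc   111/tcp   portmapper rpcbind
"""

# Constructed <port, protocol, reported service name> tuples, as a scan report might list.
FINDINGS = [(21, "tcp", "ftp"), (80, "tcp", "www"), (111, "tcp", "rpcbind"),
            (22, "tcp", "http"), (6000, "tcp", "x11")]

def parse_services(text):
    """Return {(port, proto): (name, [aliases])} parsed from /etc/services text."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip full-line and trailing comments
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue                              # blank or malformed line
        port, proto = fields[1].split("/", 1)
        if not port.isdigit():
            continue
        # Keep the first entry if a port/protocol pair is listed more than once.
        table.setdefault((int(port), proto.lower()), (fields[0], fields[2:]))
    return table

def annotate(findings, table):
    """Label each finding: 'match', 'mismatch' (other name expected) or 'unlisted'."""
    rows = []
    for port, proto, reported in findings:
        entry = table.get((port, proto))
        if entry is None:
            status = "unlisted"
        elif reported == entry[0] or reported in entry[1]:
            status = "match"
        else:
            status = "mismatch"
        rows.append((port, proto, reported, entry[0] if entry else None, status))
    return rows

if __name__ == "__main__":
    for row in annotate(FINDINGS, parse_services(SAMPLE_SERVICES)):
        print(row)
```

Rows labelled mismatch or unlisted are the ones to look up in the other sources listed here before writing them into the report sheet.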
Vulnerabilities
• URL: http://www.securityfocus.com
• URL: http://www.cve.mitre.org/cve
• TIP: Browse service vendors’ home pages