
Laboratory assignment 3

Vulnerability scanning with Nessus

version 1.2

1 Purpose
In this laboratory assignment you will use the Nessus vulnerability scanning tool to
gather information about a system and to assess its security. The purpose of the
lab is threefold: 1) to get some hands-on experience with a common vulnerability
assessment tool; 2) to learn to recognise common signs of insecure practices; and 3) to become
a more security-aware computer user.

2 Preparations
Unless you are already familiar with Nessus, you are encouraged to read the Nessus
User’s Manual, section 4, before the lab session. The manual is available at
http://ftp.intevation.de/boss/doc/users-manual-20050103.pdf

3 Reporting
Work your way through these lab instructions. When you encounter a paragraph beginning
with the text Assignment you should do the task. To report your findings and
progress there is a reporting sheet available for download from the course lab page.
The sheet is called Report sheet lab3.pdf.
When you have finished the assignments, you need to show the completed report
sheet to the supervisor. Be prepared to motivate and discuss your results.

4 Nessus architecture and lab setup


Note: Before attempting to connect, be sure to read all of Section 5.1.

Nessus is a vulnerability scanner. It performs port scans and is able to test a target
computer system for over 10000 known vulnerabilities. The Nessus architecture consists
of two parts: a server daemon (nessusd) and a client providing a graphical user
interface (NessusClient) for interaction with nessusd. nessusd runs on a separate
host and can serve multiple NessusClients simultaneously.
To use the Nessus service, each lab group has a certificate generated for it. The certificate
allows you to connect to nessusd without supplying a username and password.
The Nessus server runs on the host arwen.ce.chalmers.se and uses SSL to secure the
connection.

Figure 4 shows the lab setup. NessusClient is installed on all computers in the
lab. To perform a scan, NessusClient first connects to nessusd residing on arwen.
nessusd then performs the scan of the vulnerable host lx08.ce.chalmers.se‡.

Figure 4: The NessusClient connects to the nessusd which performs the scanning of the
remote computer host.

‡ lx08 is lowercase l, lowercase x, zero, eight.

5 Lab assignment
In this lab you will use the Nessus vulnerability scanner to scan a remote computer
and assess its security. You will also use your findings to propose how the system
can be made more secure. For instructions on how to report your findings, refer to
Section 3.

5.1 Step 1: Get to know NessusClient


The NessusClient runs on each host in the lab. You start it by opening a
terminal window and typing NessusClient at the command prompt; the NessusClient
GUI then appears as shown in Figure 5.
You should now get to know the NessusClient a little better. Use the Nessus
User’s Manual (section 4) to familiarize yourself with the NessusClient GUI and its
functionality. Make sure that you know how the GUI works.
When you have become familiar with the GUI you should do the following:
Create a new task named “Vulnerability scan lab, csecYYY”, where YYY is your
lab group number.
To be able to perform a security scan, you first need to connect to the nessusd
server. In order to do this, you must first create a scope for the scan.
Create a new scope for the newly created task. Name this scope “Vulnerability scan
scope, csecYYY”. Then connect to the nessusd server at arwen.ce.chalmers.se.
Use your lab account name as login name but leave the password field blank. For
authentication, the server is configured to use certificates and SSL encryption. To
enable SSL, tick the “Use SSL encryption” check-box. To enable authentication
with certificates, tick the “Authentication by certificate” check-box. The certificate
and key are contained in the same file, called cert nessuswx csecYYY.pem. This file
is in your lab account home directory. Enter the path to this file in both the “User
Certificate File” and the “User Key File” fields. Then click Ok.
Note: Unless you enable SSL encryption, you will get an error and a dialog-box
will pop up telling you that the “Remote host is not using the good version of the
Nessus Communication protocol (1.2) or is tcpwrapped.”
After you have connected to nessusd, a dialog-box will appear offering you
authentication options. Use the pre-selected option and press Ok. Another
dialog-box will then appear, containing the server’s certificate. Look at the
certificate, check that it really belongs to arwen (approving an unknown server
certificate would hand your session and scan results to an impostor), and approve
it by clicking Ok. You are now connected!

Figure 5: The NessusClient graphical user interface as seen when the program is started.

5.2 Step 2. Port scanning


A running network service that serves incoming requests listens on a specific port.
A port that a service listens on is considered open. A common first step in
assessing the security of a computer host (as well as in mounting an attack) is to find
out which ports are open.
Prepare Nessus to perform a port scan of the target host lx08.ce.chalmers.se.
Use the keyword default in the port range field§. Also, make sure that you disable
all plugins before you start the scan.
When you have finished the preparations you can perform the scan.
Note: Do not attempt to scan the full range of ports. Doing this takes a long time
and slows down the other groups’ scans as well.
§ By using default, nessusd scans a number of well-known ports.

When the scan is complete, Nessus generates a report containing a list of <port
number/service name> tuples. Rename the report “Portscan csecYYY”.

Assignment 1: Gather information about open ports.


Make a list of <port number/service name> tuples for the ports that you see in the
generated report. For each tuple in the list, describe what the service
is used for. Check in particular whether any recommendations have been issued against using a
specific service, or whether the functionality that the service offers can now be found in a
more secure successor. Limit your answers to a few sentences. To find information
you are free to use any resource available, such as the man pages for the services and
the Internet (some useful links are gathered in Section 6). Based on the information
you find, suggest an appropriate action <keep, disable> for each tuple to make the
system potentially more secure.
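As an added example (not part of the lab instructions), the following Python script does the bookkeeping for Assignment 1: it looks up each <port number/service name> tuple in an /etc/services-style table and turns it into a keep/disable suggestion. The services table, the report lines and the successor, discouraged and keep-note mappings are constructed assumptions for illustration; on the lab machines the real /etc/services and your actual scan report are the inputs.

```python
"""Added example (not part of the lab instructions): turn the
<port number/service name> tuples of a port-scan report into the
<keep, disable> decision asked for in Assignment 1.

SERVICES_TABLE is a constructed excerpt in /etc/services format, REPORT_LINES
are constructed lines in the 'service (port/proto)' style of a Nessus report,
and SUCCESSORS/DISCOURAGED/KEEP_NOTES are assumptions encoding the usual advice
(cleartext protocols with an encrypted successor should go). On the lab
machines, feed in the real /etc/services and your own report instead.
"""
import re
from typing import Dict, List, Optional, Tuple

SERVICES_TABLE = """\
# name          port/proto  aliases        (constructed /etc/services excerpt)
ftp             21/tcp
ssh             22/tcp
telnet          23/tcp
smtp            25/tcp      mail
finger          79/tcp
http            80/tcp      www www-http
pop3            110/tcp     pop-3
sunrpc          111/tcp     portmapper
https           443/tcp
"""

REPORT_LINES: List[str] = [  # constructed Nessus-style port-scan output
    "ftp (21/tcp)", "ssh (22/tcp)", "telnet (23/tcp)", "smtp (25/tcp)",
    "http (80/tcp)", "sunrpc (111/tcp)", "unknown (6000/tcp)",
]

SUCCESSORS: Dict[str, str] = {  # cleartext service -> secure replacement (assumption)
    "telnet": "ssh",
    "ftp": "sftp or scp over ssh",
    "pop3": "pop3s or imaps",
}
DISCOURAGED: Dict[str, str] = {  # recommended against regardless of successor (assumption)
    "finger": "leaks user and login information",
    "sunrpc": "exposes RPC services; keep only if NFS or NIS is really required",
}
KEEP_NOTES: Dict[str, str] = {  # keep, but with a condition (assumption)
    "http": "fine for public content; move anything carrying credentials to https",
}

def parse_services(table: str) -> Dict[str, str]:
    """'port/proto' -> service name, the lookup /etc/services provides."""
    ports: Dict[str, str] = {}
    for line in table.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if line:
            name, portproto = line.split()[:2]
            ports[portproto] = name
    return ports

def parse_report_line(line: str) -> Optional[Tuple[int, str]]:
    """(port, proto) from a line such as 'telnet (23/tcp)'; None if there is no port."""
    m = re.search(r"\((\d+)/(tcp|udp)\)", line)
    return (int(m.group(1)), m.group(2)) if m else None

def recommend(port: int, proto: str, ports: Dict[str, str]) -> Tuple[str, str, str]:
    """(service, action, reason) with action in {'keep', 'disable'}."""
    name = ports.get(f"{port}/{proto}", "unknown")
    if name in SUCCESSORS:
        return name, "disable", f"cleartext protocol; use {SUCCESSORS[name]} instead"
    if name in DISCOURAGED:
        return name, "disable", DISCOURAGED[name]
    if name == "unknown":
        return name, "disable", "not in the services table; identify the listener before keeping it"
    return name, "keep", KEEP_NOTES.get(name, "no general recommendation against it")

def assess(report_lines: List[str], table: str = SERVICES_TABLE):
    """One (port, proto, service, action, reason) row per report line that names a port."""
    ports = parse_services(table)
    rows = []
    for line in report_lines:
        parsed = parse_report_line(line)
        if parsed:
            port, proto = parsed
            rows.append((port, proto) + recommend(port, proto, ports))
    return rows

if __name__ == "__main__":
    for port, proto, service, action, reason in assess(REPORT_LINES):
        print(f"{port}/{proto:<4} {service:<8} {action:<8} {reason}")
```

The unknown listener on 6000/tcp is deliberately answered with "disable": a port that the services table cannot name is exactly the one to identify before deciding it is harmless, which is what Step 3 does with the service-detection plugins.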

* * *

Steps 3 and 4 below require the use of plugins, i.e. vulnerability tests. Each plugin
contains a specific test, and the plugins are grouped according to usage area. Each
group has a more or less descriptive name, such as FTP, service detection and
general. To use a specific plugin, you first have to enable it. This is done by ticking
the check-box after the plugin name. If you double-click on the plugin, a dialog
box appears displaying additional information about the plugin, including what
information will be returned to you if a test is successful. An example dialog for the
plugin “Telnet Server Detection” is shown in Figure 6.
Note: It is very important that you make sure that the safe checks check-box is
ticked at all times when plugins are used, since some plugins may harm the remote
computer. With safe checks on, Nessus judges such problems from banner and version
information instead of triggering them, so some of those results are version-based
guesses rather than confirmed vulnerabilities.

5.3 Step 3. Service fingerprinting


You have gathered information about what ports are open and what services you
expect to find behind them. The next step is to find out a little more about
each service.
Regularly checking the available resources is important for discovering vulnerabilities
in services. It is also important to know what resources are currently
up and running and whether or not the services conform to an established security
policy. You should use a subset of the available plugins to gather some more
information about the services, i.e. to fingerprint them. The service fingerprinting plugins in
Nessus are located in the groups “service detection”, “general” and “misc”. Explore
the groups to find appropriate plugins to use. And remember, sometimes you need
to use multiple plugins to achieve your goal.

Assignment 2: Service fingerprinting.


Try to discover what versions of telnet, ftp, ssh, smtp and www are running on
the remote host. Use plugins from the service detection, general and misc
groups. Create one report for each scan, named <service¶> fingerprinting csecYYY.

¶ Where service is one of telnet, ftp, ssh, smtp and www.

Figure 6: When double-clicking a plugin, a dialog box appears displaying plugin information.

Note: As in real life, it is not certain that a service reveals its version. If, for
any service, you do not find enough information to pinpoint its version,
try enabling all plugins in the general, misc and service detection groups. If you
are still unable to find the information, note this in the report sheet.

In addition to vulnerable services, many attacks target certain versions of operating
systems. An administrator needs to be aware of what computers are active on
the network as well as what operating system versions they run. Sometimes this
information can be retrieved from the banners displayed by various services. Summing
up banner information from different sources can reveal a lot about the host
computer.

Assignment 3: Remote host fingerprinting.


Look again at the results from the service fingerprinting and try to gather as much
information as possible about the remote computer. Document your findings.
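As an added example that is not part of the lab, the following Python script shows what Assignments 2 and 3 amount to once the plugins have returned banners: it extracts product and version from each service's banner and collects the operating-system hints that the banners leak. The banner strings are constructed samples in the formats the protocols actually use, and the patterns are assumptions covering a few common daemons; the lab host's real banners are what you should feed in.

```python
"""Added example (not part of the lab): extract product/version from service
banners and sum up the operating-system hints they leak (Assignments 2 and 3).
BANNERS is constructed sample data in the real protocol formats (SSH
identification string, FTP/SMTP 220 greetings, HTTP Server header, telnet
login prompt); the patterns are assumptions covering a few common daemons.
"""
import re
from typing import Dict, List, Optional, Tuple

BANNERS: Dict[str, str] = {  # constructed samples, not the lab host's output
    "ssh": "SSH-1.99-OpenSSH_3.9p1",
    "ftp": "220 lab-host FTP server (Version wu-2.6.2(1) Mon Dec 13 2004) ready.",
    "smtp": "220 lab-host.example ESMTP Sendmail 8.13.1/8.13.1; Tue, 1 Mar 2005 10:00:00 +0100",
    "www": "Server: Apache/2.0.52 (Fedora)",
    "telnet": "Fedora Core release 3 (Heidelberg)\nKernel 2.6.9-1.667 on an i686\nlogin: ",
}

# Per-service patterns with named groups 'product' and 'version' (assumptions).
VERSION_PATTERNS: Dict[str, List[str]] = {
    "ssh": [r"^SSH-(?P<proto>[\d.]+)-(?P<product>[A-Za-z]+)[_-](?P<version>[\w.]+)"],
    "ftp": [r"Version (?P<product>\w+?)-(?P<version>\d[\w.()]*)",          # wu-ftpd style
            r"(?P<product>ProFTPD|vsFTPd|Pure-FTPd) (?P<version>[\d.]+)"],
    "smtp": [r"ESMTP (?P<product>Sendmail|Postfix|Exim|qmail) ?(?P<version>\d[\w./]*)?"],
    "www": [r"Server: (?P<product>[\w-]+)/(?P<version>[\w.]+)(?: \((?P<os>[^)]+)\))?"],
    "telnet": [],  # telnetd seldom names itself; its login banner helps the OS guess instead
}

# Things in any banner that identify the operating system (assumptions).
OS_HINT_PATTERNS: List[str] = [
    r"(?P<hint>[A-Z][\w ]*?(?:Linux|release) [\d.]+)",  # "Fedora Core release 3"
    r"Kernel (?P<hint>[\w.-]+ on an? \w+)",             # "2.6.9-1.667 on an i686"
]

def fingerprint_service(service: str, banner: str) -> Optional[Tuple[str, str]]:
    """(product, version) from a banner, or None when nothing identifiable is found."""
    for pattern in VERSION_PATTERNS.get(service, []):
        m = re.search(pattern, banner)
        if m:
            return m.group("product"), m.group("version") or "unknown"
    return None

def host_fingerprint(banners: Dict[str, str]) -> Dict[str, object]:
    """Sum up per-service versions and the OS hints spread over all banners."""
    versions = {svc: fingerprint_service(svc, b) for svc, b in banners.items()}
    hints: List[str] = []
    for svc, banner in banners.items():
        for pattern in OS_HINT_PATTERNS:
            for m in re.finditer(pattern, banner):
                hints.append(f"{svc}: {m.group('hint')}")
    www = re.search(VERSION_PATTERNS["www"][0], banners.get("www", ""))
    if www and www.group("os"):
        hints.append(f"www: {www.group('os')}")       # Apache's OS tag
    ssh = re.search(VERSION_PATTERNS["ssh"][0], banners.get("ssh", ""))
    if ssh:
        if ssh.group("proto").startswith("1"):        # 1.99 = speaks protocol 1 and 2
            hints.append("ssh: protocol 1 accepted (weak; restrict the server to protocol 2)")
        if ssh.group("product") == "OpenSSH" and "p" in ssh.group("version"):
            hints.append("ssh: portable OpenSSH build, i.e. not an OpenBSD host")
    return {"versions": versions, "hints": hints}

if __name__ == "__main__":
    fp = host_fingerprint(BANNERS)
    for svc, ver in fp["versions"].items():
        print(f"{svc:7} {ver if ver else 'version not revealed'}")
    for hint in fp["hints"]:
        print("hint:", hint)
```

Note that the telnet service yields no daemon version at all in this sample (the note above warns you to expect this), yet its login banner is the richest source of operating-system information, which is the point of Assignment 3: the host fingerprint comes from adding up what every service gives away, not from any single banner.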

5.4 Step 4: Vulnerability scanning


The next step is to scan the discovered services for potential vulnerabilities. You
will now test the telnet, ftp, ssh, smtp and www services for vulnerabilities.

Assignment 4: Service vulnerability scanning.


Scan the services for vulnerabilities using a full scan, i.e. with all available test
plugins enabled (but with safe checks still ticked). Create a new report called
“Full system vulnerability scan csecYYY”. The result of the scan is a report containing
all vulnerabilities that nessusd discovered on the scanned system.

Note: A full scan using all plugins may take some time to finish. Be patient and
do not stop the scan before it is finished.

5.5 Step 5: Assessment and recommendations


Now that you have discovered the potential vulnerabilities, you need to follow up
your investigation by looking further into what can be done to mitigate or remove
the problems. Restrict your follow-up investigation to the telnet,
ftp, ssh, smtp and www services. For the vulnerabilities found, Nessus provides
recommendations as to what needs to be done.

Assignment 5: Assess and improve the security state.


Read the recommendations contained in the vulnerability scan report and give a
detailed explanation of what needs to be done to improve the security. Restrict
your investigation to the telnet, ftp, ssh, smtp and www services. Do not forget to
support your decisions with facts and recommendations from Nessus, such as the severity
of the problem. Compare your recommendations to the recommendations you made in
Assignment 1.
Note: If you find that a service has several vulnerabilities of the same type, e.g.
several buffer overflow vulnerabilities, you should provide a general recommendation
rather than one recommendation for each vulnerability.
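As an added example (not the lab's own material), the following Python script condenses a list of findings into one general recommendation per service and vulnerability class, as the note asks, with the highest severity in the group carried along as the supporting fact. The findings list is constructed and generic, and the class patterns and recommendation texts are assumptions; use the severities and descriptions from your own Nessus report.

```python
"""Added example (not part of the lab): condense a vulnerability report into one
general recommendation per service and vulnerability class (Assignment 5 note)
instead of one recommendation per finding.

FINDINGS is a constructed list of (service, severity, title) rows in the style
of a Nessus report; the titles are generic classes of problem, not findings
from the lab host. CLASS_PATTERNS and RECOMMENDATION are assumptions encoding
common hardening advice.
"""
import re
from typing import Dict, List, Tuple

FINDINGS: List[Tuple[str, str, str]] = [  # constructed sample report rows
    ("ftp",    "High",   "Buffer overflow in FTP command parsing"),
    ("ftp",    "High",   "Buffer overflow in FTP glob handling"),
    ("ftp",    "Low",    "FTP transmits credentials in cleartext"),
    ("telnet", "Medium", "Telnet transmits credentials in cleartext"),
    ("smtp",   "Medium", "SMTP server version is outdated"),
    ("smtp",   "High",   "SMTP server accepts mail relaying"),
    ("www",    "Low",    "HTTP TRACE method is enabled"),
    ("ssh",    "Medium", "SSH server supports protocol version 1"),
]

SEVERITY_RANK: Dict[str, int] = {"Low": 1, "Medium": 2, "High": 3}

# (regex over the finding title, class name); first match wins.
CLASS_PATTERNS: List[Tuple[str, str]] = [
    (r"buffer overflow|format string|heap|stack", "memory corruption"),
    (r"cleartext|clear text|plaintext|unencrypted", "cleartext credentials"),
    (r"outdated|older than|out of date|obsolete", "outdated version"),
]

RECOMMENDATION: Dict[str, str] = {
    "memory corruption": "upgrade to a release that fixes all reported overflows, "
                         "or disable the service if it is not required",
    "cleartext credentials": "replace the service with its encrypted successor "
                             "(ssh for telnet, sftp/scp for ftp)",
    "outdated version": "upgrade to the current vendor release and keep it patched",
    "weak configuration": "correct the configuration (relaying, TRACE, anonymous "
                          "access, SSH protocol 1, ...) rather than the software",
}

def classify(title: str) -> str:
    """Map a finding title to a vulnerability class; default is a configuration issue."""
    for pattern, cls in CLASS_PATTERNS:
        if re.search(pattern, title, re.IGNORECASE):
            return cls
    return "weak configuration"

def summarize(findings: List[Tuple[str, str, str]]):
    """{(service, class): (highest severity, number of findings, recommendation)}."""
    groups: Dict[Tuple[str, str], List[str]] = {}
    for service, severity, title in findings:
        groups.setdefault((service, classify(title)), []).append(severity)
    summary = {}
    for key, severities in groups.items():
        worst = max(severities, key=lambda s: SEVERITY_RANK[s])
        summary[key] = (worst, len(severities), RECOMMENDATION[key[1]])
    return summary

def report(findings: List[Tuple[str, str, str]]) -> List[str]:
    """One line per (service, class), worst severity first, for the report sheet."""
    ordered = sorted(summarize(findings).items(),
                     key=lambda kv: -SEVERITY_RANK[kv[1][0]])   # stable: keeps input order within a rank
    return [f"{svc:6} {cls:22} {worst:6} x{n}: {rec}"
            for (svc, cls), (worst, n, rec) in ordered]

if __name__ == "__main__":
    print("\n".join(report(FINDINGS)))
```

Grouping this way also makes the comparison with Assignment 1 direct: a service whose only class is "cleartext credentials" ends up with the same "disable and replace" answer the port list already gave, whereas a memory-corruption class is an argument for upgrading (or disabling) that the port number alone could not have produced.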

5.6 Step 6: Assessment follow-up


Assignment 6: Propose a strategy for keeping the system secure.
A computer is constantly exposed to various threats. Propose a strategy for keeping
a networked computer’s security up to date. List a few actions that should be
carried out regularly to keep the computer secure.

6 Useful links
Port numbers, services
• FILE: The file /etc/services. The file is present on the lab computers.
• URL: http://www.iana.org/assignments/port-numbers
• URL: http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
• URL: http://www.unix.org.ua/orelly/networking/puis/ch17_03.htm
• TIP: Use keywords like “tcp, port, <portno>” in a search engine of your choice.

Vulnerabilities
• URL: http://www.securityfocus.com
• URL: http://www.cve.mitre.org/cve
• TIP: Browse service vendors’ home pages

