Running head: USING NESSUS AND NMAP TOOLS 1

Transcription

1 Running head: USING NESSUS AND NMAP TOOLS 1 Nessus and Nmap Overview - Scanning Networks Research Paper On Nessus and Nmap Mike Pergande Ethical Hacking North Iowa Area Community College

2 Running head: USING NESSUS AND NMAP TOOLS 2 Nessus and Nmap Overview - Scanning Networks Network administrators may be asked or required to check for vulnerabilities in the company network and then take steps to better secure the network. Administrators want to check for open ports and other security vulnerabilities on the network. What scanning tools are available for the network administrator to use that will provide this valuable information? Attackers have a goal of finding vulnerabilities in company networks and then exploiting those vulnerabilities. Attackers want to check for open ports and other security vulnerabilities on the network. What scanning tools are available for the network attackers to use that will provide this valuable information? Two popular tools available to scan networks for vulnerabilities are Nessus and Nmap. Both the network administrator and the attacker use Nessus and Nmap scanning tools to find network vulnerabilities. Let s take a look at these vulnerability scanning tools starting with Nmap. Nmap is a free and open source utility program and is used for network exploration. Nmap can determine a multitude of characteristics about a network. Just a few examples are what hosts are available on the network including what applications are running on the hosts, what operating systems are being used, and what firewalls are being used. ( Introduction, Nmap, n.d.) A lab environment was setup on its own isolated network and Nmap was run on this network to capture vulnerabilities on the network. Nmap scan results are displayed below.

3 Running head: USING NESSUS AND NMAP TOOLS 3 Nmap can be run using a command line interface as well as a Graphical User Interface (GUI) called Zenmap. Figure 1.1 shows Nmap running as the Zenmap GUI with the network hosts to be scanned outlined in the Target field with a Profile set to Intense Scan. Once you click Figure 1.1 Initial Screen on the Scan button, the scan commences and reveals scan results under the Nmap Output tab pane window. Figure 1.2 shows an example of some scan results when Nmap first begins scanning, including ports, the state of the port, and the service running on the port. The information tells you if a host within your network scan range is down or up and what type of scan is running.

4 Running head: USING NESSUS AND NMAP TOOLS 4 Figure 1.2 Nmap Output Results Pane Nmap also lays out a topology of the network being scanned. An example of the lab network topology can be seen in Figure 1.3. Depending on the number of devices or hosts on the network, this topology can provide essential device and host locations on the network based on how many hops from the local host to the other devices.

5 Running head: USING NESSUS AND NMAP TOOLS 5 Figure 1.3 Network Topology Nmap also allows you to save your scan results to a text document. Figure 1.4 shows scan results for host on the lab network. The report shows several open ports on the Figure 1.4 Nmap Scan Report

6 Running head: USING NESSUS AND NMAP TOOLS 6 host. From the network administrator s point of view, these open ports could then be evaluated to see if the service running on these ports is needed for the network. If the service is not needed, the port can be closed, therefore hardening the system. From the attacker s point of view, the open ports are an opportunity to get into the network. For example, one scan result in this lab shows TCP port 1029 open. Kevin Liston, a handler on duty at the Internet Storm Center for the SANS Institute, published port details for port 1029 revealing that the port was targeted for an ICQ Nuke 98 trojan attack 1,100 times on April 13, (Liston, 2011) Besides port status on network devices, Nmap reveals MAC addresses, Operating Systems (OS), OS versions, how long the device has been up and running, and host RSA security keys, just to name a few. Nmap is a powerful tool and provides a wealth of information about a network and the devices attached to the network. This information can be used for good or evil. Good - for penetration tests by network administrators wanting to increase security of the network, and evil - for attackers attempting to exploit vulnerabilities on a company network. The other vulnerability scanning tool mentioned earlier is called Nessus. This tool is a product of Tenable Network Security and it is available in a free HomeFeed version and a commercial ProfessionalFeed version. The lab environment mentioned previously was scanned using Nessus HomeFeed version. (Tenable, n.d.) Before running a Nessus scan, you need to create a policy to tell Nessus what you want to scan for. Figure 1.5 shows an example of a Nessus Scan Policy window. The policy contains the plugins you wish to scan, ports/protocols, and other preferences for your scan. You then give

7 Running head: USING NESSUS AND NMAP TOOLS 7 Figure 1.5 Adding a Policy your scan a name, select the policy you created, and enter the network target devices for the scan. The next step is to start the scan by clicking Launch Scan. When the scan is complete you can save the full scan report in html. A report on each device scanned is listed which includes the Scan Time, Number of vulnerabilities, and Remote host information. Some of the results for the scan on the lab environment are detailed below. Four machines were scanned in this lab environment. One machine showed several vulnerabilities. Vulnerabilities listed in this scan include open ports and risk categories of the vulnerabilities. The categories are High, Medium, and Low. As seen in Figure 1.6, the machine with address of showed 12 open ports, 2 high risk vulnerabilities, 4 medium risk vulnerabilities, and 47 low risk vulnerabilities. Each vulnerability includes a Synopsis, Description, Risk factor, CVSS Base Score, Solution if available, Plugin output, and Plugin ID.

8 Running head: USING NESSUS AND NMAP TOOLS 8 Figure 1.6 Device Initial Scan Information Figure 1.7 shows a closer look at one of the critical risk vulnerabilities found during the scan. The machine is running an obsolete operating system which is not supported and therefore no security patches are available for the system. One vulnerability related to this operating system is referenced in the National Vulnerability Database of the National Institute of Standards Figure 1.7 Critical Vulnerability

9 Running head: USING NESSUS AND NMAP TOOLS 9 and Technology web site. According to the NVD, local users can cause a denial of service or gain privileges by attempting to open an anonymous pipe via a /proc/*/fd/ pathname. (US- Cert/NIST, 2010) The Nessus report of this vulnerability displays that a solution to the vulnerability is to upgrade to a newer version of the operating system. The network administrator can use this information to increase network security and prevent an attacker from exploiting this vulnerability. An attacker would use the information to exploit the vulnerability and gain access to root privileges on the network. If the network administrator is not using a tool like Nessus and the attacker is using the tool, the attacker has a huge advantage over the administrator. Further investigation of the Nessus scan report shows a medium risk vulnerability regarding an unsigned SSL certificate as shown in Figure 1.8. As the report states, access to this host could easily be established because there is no authentication in place to prevent an attacker from setting up a man in the middle attack. Again, this is critical information that can help the Figure 1.8 SSL Certificate Vulnerability

10 Running head: USING NESSUS AND NMAP TOOLS 10 network administrator take steps to resolve the issue or allow an attacker to choose his steps. This vulnerability can be resolved by purchasing or generating a proper certificate as shown in Figure 1.9. Figure 1.9 SSL Vulnerability Solution Like Nmap, Nessus is a powerful tool to help administrators protect their network against attacks. A crucial key is for the administrator to actually use the tool periodically to become familiar with the network and learn what can be done to better protect it. Michael Mullins writes in an article for Tech Republic that you cannot always rely on vendor patches for your entire security strategy. You must take steps to plug those holes that the black hat attackers are looking for. (Mullins, 2005) Nmap and Nessus are a critical step in protecting your network. They do not resolve all the issues but they help educate you to stay a step ahead of the attackers. You need to become familiar with their tactics and deploy measures necessary to thwart their efforts. Preventive maintenance practices have been around a long time; Nmap and Nessus are great preventive maintenance tools you can use to secure your network. Since they are open source, they will not put a dent in your IT budget. That can sound pretty good to company management; increased network security at a minimal cost!

11 Running head: USING NESSUS AND NMAP TOOLS 11 References Introduction. (n.d.) NMAP.ORG. Retrieved from Liston, K. (2011). Port Details Port Internet Storm Center, SANS Institute. Retrieved from Mullins, M. (2005). Learn how Nessus can fit your remote scanning needs. TechRepublic. Retrieved from Tenable. (n.d.) Tenable Security Center. nessus.org. Retrieved from US-CERT/NIST. (2010). Overview-Vulnerability Summary for CBE National Cyber- Alert System. Retrieved from