1 / 92

Using Nessus and Nmap to Audit Large Networks

Using Nessus and Nmap to Audit Large Networks. By Greg Johnson Principal Security Analyst University of Missouri – Columbia JohnsonG@missouri.edu Missouri Network Security Symposium December 18, 2001 Updated December 19, 2001. Using Nessus and Nmap to Audit Large Networks.

cullen
Télécharger la présentation

Using Nessus and Nmap to Audit Large Networks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Using Nessus and Nmap to Audit Large Networks By Greg Johnson Principal Security Analyst University of Missouri – Columbia JohnsonG@missouri.edu Missouri Network Security Symposium December 18, 2001 Updated December 19, 2001

  2. Using Nessus and Nmap to Audit Large Networks This presentation with any additional notes and corrections is at: www.missouri.edu/~johnsong/audit

  3. Using Nessus and Nmap to Audit Large Networks Management Goal: Justify regular use of NMAP, NESSUS, and similar external, network-based security auditing tools in your organization. Technology Goal: Show strategies to effectively use these tools in light of six audit-impeding challenges such as personal firewalls.

  4. Why Audit? • Find problems that need fixing. • Significant security vulnerabilities persist even after best practices. • Pilots, Santa Claus, & quality assurance. “Trust, but verify.”

  5. Why Audit? • Clustering 1, or, Bugs Have Families: An audit won’t find all vulnerabilities. But fixing the ones the audit does find tends also to fix many that the audit did not identify. • Clustering 2: Work groups that have good security (few problems) are doing something right. Imitate them.

  6. Why Audit? • Be a prophet: “I know 600 machines that will have security incidents.” • Such measurements support: • Requests for security budget $$ • Requests for security training for your enterprise. • Requests for mitigating measures such as better firewalls, filters—or disaster recovery!

  7. Why Audit? • By-products of frequent, large-scale security auditing: • Inventory of systems and services. “How many `servers’ do we have?” • Ability to respond quickly to application-specific exploitations such as Code Red. • Identification of unauthorized systems & services (intruders, unacceptable use).

  8. Network-based vs Internal Auditing: Single System Internal “white box” tests tend to be much faster and more thorough than external “black box” tests. However…

  9. Network-based vs Internal Auditing: Single System • If system is already compromised, internal indicators may lie! • Both internal and external tests may miss problems or yield false alarms. A second opinion can help, especially if from a very different perspective.

  10. Network-based vs Internal Auditing: Single System • Internally installed security tools are subject to attacks, as in recent Goner virus which disabled anti-virus and personal firewall.

  11. Network-based vs Internal Auditing: Single System • Very old, very new, or uncommon systems may lack internal tests. • Internal testing is impossible for networked printers, networked cameras, routers, etc. Devices with telnet/web/smtp or other network control interface can be remotely reconfigured with a duplicate IP. Do your network printers all have passwords?

  12. Network-based vs Internal Auditing: Enterprise • Unified analysis can simplify auditor effort across: • multiple operating systems (Windows 98/ME/NT/2K/XP, Unix, Linux, Mac OS, printer OS, … and their many releases) and • variant applications (IIS vs Apache vs Netscape Commerce Server vs… and their many releases).

  13. Network-based vs Internal Auditing: Enterprise • Security experts and other techs may not have adequate access to each system, thus making internal tests of each system impractical. • Network-based audits exercise your firewall, filters, and intrustion detection systems.

  14. Network-based vs Internal Auditing: Perspective As Robert Burns wrote: Wad a gift The giftie gie us, To see ourselves As others see us. Intruders use network-based auditing!

  15. Background: TCP & UDP Internet Protocol supports two major transport protocols: TCP: Transmission Control Protocol – Verifies that packets reach destination intact. UDP: User Datagram Protocol - No delivery guarantee. Ok for video and audio, or where application checks valid delivery.

  16. Background: IP Ports TCP and UDP give each packet a port number from 1 to 65,535. Ports are like jacks on a switchboard or stereo system. If an application wants to be found, it uses a conventional port number: 80/tcp = web 139/tcp and 139/udp = Microsoft sharing

  17. Background: Hide & Seek • If an application wants to be found, it can also use a local mechanism like RPC or a broker like Napster, Aimster, etc to locate port number by name. • Some applications don’t want to be found! Subseven, Netbus, …. To find these, you must search all 65,535 ports or else sniff traffic while the application is communicating (Intrusion Detection System.)

  18. Background: Port Status A port can be: • Closed (not in use), • Open (listening), or • Filtered (the client computer asked for open or closed status report, and the target computer did not reply, usually due to a firewall.)

  19. NMAP NMAP is one of many port-scanning programs. Relative to other tools, NMAP is particularly efficient in scanning simultaneously testing multiple ports and multiple hosts. NMAP is free, open source, from www.insecure.org.

  20. NMAP NMAP does three things: • Determines quickly if an IP address responds to TCP or ICMP pings. • Sends packets to a target IP address to find which port numbers are open, closed, or filtered. • Sends good packets and malformed packets to the target IP address and analyzes responses to try to guess what kind of operating system runs on the target computer.

  21. What NMAP Does Not Do NMAP does not determine what program is running at an open port! Whatever service NMAP reports—http, ftp, smtp, etc.—is an assumption based on standards. Hacker trick: disguise a remote control access with the port number normally used by domain name service (53), web service (80), etc. especially if firewalls pass traffic on these ports.

  22. Parlez HTTP? Habla DNS? NESSUS takes over where NMAP leaves off. • NESSUS first calls NMAP or uses previous NMAP results to find open ports. NESSUS can also check specified ports without a prior NMAP. • NESSUS then can check an open port for dozens of known protocols, such as HTTP, FTP, SMTP (e-mail), Subseven (remote control)…. • NESSUS, having determined what service runs on a port, sends data to that service to exploit known security vulnerabilties.

  23. Is Scanning Dangerous? Both NMAP and NESSUS aim to never damage data. In MU’s NMAP and NESSUS scanning of 13,000 connections in its network, no data has ever been lost through scanning.

  24. Is Scanning Dangerous? HOWEVER! • NMAP and especially NESSUS can freeze scanning targets. The network application may freeze. The entire system may require restarting. Some devices such as printers or routers may reset themselves—or not.

  25. Is Scanning Dangerous? • In MU’s scanning, freezes are rare: about one in six hundred general purpose systems for tests that are not explicitly dangerous. • NESSUS designates about 10% of its tests as dangerous, denial of service attacks such as oversize data or flooding. In tests of 200 diverse systems, around one third eventually fell to a denial of service attack.

  26. Is Scanning Dangerous? A full 65,535 TCP port scan and service check generates • at least 5 MB of traffic to the target • and at least 6 MB in reply. • Most of this traffic is small packets. Hence…

  27. Is Scanning Dangerous? • Typical testing over a 10 or 100 Mbps connection will noticeably but not painfully slow target system performance for around 15 minutes. • Scanning multiple targets through one network device can slow that subnet’s performance. • NMAP and NESSUS offer options to scan slowly or aggressively, and to randomize target sequence.

  28. Safe Scans • Hence, scan critical infrastructure systems with someone ready to restart systems. Performance monitoring may yield insights. • For extra safety, move NESSUS denial of service tests out of their normal directory.

  29. Safe Scans ‘Tis better to find exposures • from a friend who can desist and heal, • than from adversaries who repeatedly attack whenever they want.

  30. Anti-Scan Measures • Testing is a stimulus/response match. If no response arrives in a specified time, the test may be inconclusive.

  31. Anti-Scan Measures One way to resist attacks is to limit rate of responses to certain requests such as “is this port open?”. That excellent strategy slows down tests by both the bad guys and the good guys. webmail.cotse.com/CIE/RFC/ 1812/74.htm “Requirements for IP Version 4 Routers” section on rate-limiting

  32. Scanning Tools • Commercial: ISS, • Freeware: NMAP, NESSUS, NBTSCAN, LEGION,... • Network service: Mix of Unix, NT implementations

  33. For-Free Scans Via Web Useful as yet another perspective. See how enterprise gateway/firewall affects vulnerability scan. Not comprehensive. • www.dslreports.com/scan • security2.norton.com • hackerwhacker.com:4000/startdemo.dyn • www.securitylogics.com/portscan.adp • www.securityspace.com/sspace A variety of companies offer for a fee comprehensive and regularly-scheduled vulnerability scanning services .

  34. NMAP • www.insecure.org • Unix support; NT version promised. • NT port via e-eye • Performance determined mainly by presence of personal firewalls and other mechanisms designed to impede scanning.

  35. NMAP OPTIONS $ nmap -h Nmap V. 2.54BETA30 Usage: nmap [Scan Type(s)] [Options] <host or net list> Common Scan Types ('*' options require root) -sT TCP connect() port scan (default) -sS TCP SYN stealth port scan (best all-around TCP scan) * -sU UDP port scan * -sP ping scan (Find any reachable machines) -sF,-sX,-sN Stealth FIN, Xmas, or Null scan * -sR/-I RPC/ Identd scan (use with other scan types)

  36. NMAP OPTIONS Some Common Options (none are required, most can be combined): -O Use TCP/IP fingerprinting to guess remote operating system * -p <range> ports to scan. Example range: '1-1024,1080,6666,31337‘ -F Only scans ports listed in nmap-services

  37. NMAP OPTIONS -P0 Don't ping hosts (needed to scan www.microsoft.com and others) -Ddecoy_host1,decoy2[,...] Hide scan using many decoys -T <Paranoid|Sneaky|Polite|Normal| Aggressive|Insane> General timing policy -n/-R Never do DNS resolution/Always resolve [default: sometimes resolve]

  38. NMAP OPTIONS -oN/-oX/-oG <logfile> Output normal/XML/grepable scan logs to <logfile> -iL <inputfile> Get targets from file; Use '-' for stdin SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES

  39. NMAP RESULTS $ nmap -O -sT -p 80-140 128.206.95.29-31 Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ ) Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port Interesting ports on static-095029.static.missouri.edu (128.206.95.29): (The 60 ports scanned but not shown below are in state: filtered) Port State Service 113/tcp closed auth

  40. NMAP RESULTS Too many fingerprints match this host for me to give an accurate OS guess Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port Interesting ports on static-095030.static.missouri.edu (128.206.95.30): (The 60 ports scanned but not shown below are in state: filtered) Port State Service 113/tcp closed auth

  41. NMAP RESULTS Interesting ports on dourtyb.iats.missouri.edu (128.206.95.31): (The 59 ports scanned but not shown below are in state: closed) Port State Service 135/tcp open loc-srv 139/tcp open netbios-ssn Remote OS guesses: Windows Me or Windows 2000 RC1 through final release, Windows Millenium Edition v4.90.3000 Nmap run completed -- 3 IP addresses (3 hosts up) scanned in 49 seconds

  42. NMAP Front-End

  43. NMAP hardware & system requirements. • MU experience. Scan of 13,000 connections in Class B network (128.206.*.*, 65,535 addresses) for one port over mostly 100 Mbps edge network from one source takes about 40 minutes. Dividing the network between two source systems even in the same subnet halves elapsed time.

  44. NMAP PERFORMANCE DOESN’T ALWAYS SCALE Scanning 1 port on 10,000 computers can be faster than scanning 10,000 ports on one computer

  45. NMAP PERFORMANCE DOESN’T ALWAYS SCALE An unauthorized remote control program such as Subseven likes to hide out on an arbitrary UDP port. • Scanning all 65,535 UDP ports of a Windows 98 system can take as little as 2 minutes. • The same scan of a Solaris system can take eleven hours due to RFC 1812 error-reply rate-limiting.

  46. NMAP hardware & system requirements. MU bulk scanners work ok at edge, not centrally located. 900 Mhz 256MB Pentium 3 running Redhat Linux. Memory is most nearly controllable performance factor, to support more simultaneous connections. A high quality network card is probably prudent for continual scanning.

  47. NMAP as front end • NMAP and NESSUS can output results in formats that can, with typically a three line Perl or VB script, load into a spreadsheet or database. Besides NESSUS, other tools can utilize or add value to NMAP’s inventory of open ports. Here are some Unix tools:

  48. After NMAP • sdig (www.exploits.org/sdig) - obtain IP address' MAC address from its router. • nbtscan- obtain IP address' Netbios name, Netbios user, Netbios report of MAC address. Breathtakingly fast scanner if you're looking only for Netbios/NMB services.

  49. After NMAP • wget - get web or FTP page and headers. • wget http://whever.blah.blah:1214 = Morpheus/Kazaa

  50. FTP & WEB SERVER SUMMARY

More Related