Cover V10, I04
Using Freeware Vulnerability Scanners

Gary Bahadur and Yen-ming Chen

Vulnerability scanners are all the rage in the security industry. Some scan externally for weaknesses, others perform host-based scanning, and there is everything in between. If you have ever used Cybercop (http://www.nai.com) or ISS Safesuite (http://www.iss.net), you know these products can be expensive. There are alternatives that do not cost a lot of money, but how do you know which ones are best and how do you find them?

In this article, we will briefly describe the methodology of using vulnerability scanners and give some freeware options for the security-minded administrator. There are a number of pros and cons to using freeware versus commercial products, and we also address whether security testing is worth performing at all. The three products discussed in this article are Nessus (http://www.nessus.org), Narrow Security Scanner (http://www.packetstorm.securify.com/UNIX/scanners/nss/), and SAINT (http://www.wwdsi.com/saint/). The usage of these products is placed in the context of performing a security review; they are just a sample of the available products.

To secure a site, a logical progression must be followed. Downloading a scanner and executing it against your network is only part of the solution. For a comprehensive security review, the following steps must be taken:

1. Footprint Analysis -- Scan the environment for operating systems, applications, and services running.

2. Vulnerability Analysis -- Determine potential vulnerabilities in services, applications, and operating systems.

3. Penetration Testing -- Attempt to exploit vulnerabilities found in the Vulnerability Analysis step.

4. Securing -- Fix the weaknesses found in the Penetration Testing step and institute procedures to minimize future weaknesses in the environment.

Footprint Analysis -- Possible Scanner Usage

In a previous Sys Admin article "Freeware Web Security Tools" (March, 2001), we discussed how to perform the Footprint Analysis step. This article was specific to Web server security, but the same concepts can be applied to a network environment. Some scanners can find footprinting information, but this step is geared toward manual techniques or simple automated scripts.

Vulnerability Analysis -- Scanner Usage

The use of the scanner software becomes necessary in Vulnerability Analysis. In Vulnerability Analysis, the data gathered in Step 1 is used to determine potential vulnerabilities. For example, if we see port 21 (ftp) open, and it's running Wu-ftp 6.0, we record this as potentially vulnerable based on a known published exploit. Completing the Vulnerability Analysis involves mapping out all potentially vulnerable services. Scanner software can be used to scan all hosts and open ports to determine whether any may be exploitable. These scanners will check against a list of known vulnerabilities. If the target is running a service such as ftp, and the version is known to be weak, the scanner will flag it as vulnerable. This could be a severe weakness, but cannot be verified until the Penetration Testing phase. One weakness of scanners is that they are infrequently updated and do not find all weaknesses. They will find about 70% of known bugs; manual tests must find the rest.

Penetration Testing

The output from Vulnerability Analysis will be used in Penetration Testing. Penetration Testing is usually a manual process. The person doing the testing must check each potential vulnerability to determine whether it is actually exploitable. Frequently, scanner products will report a service as vulnerable when it is not -- a false positive result. These scanner products can sometimes be used in Penetration Testing in the area of brute force attacks. The scanners can do these automated processes with little intervention from the administrator. The intelligence has not yet been built into them to carry out all the attacks to lead to a compromise. Scanner software can be very beneficial if usage and limitations are understood.

Why Do Security Testing?

This may seem like an easy question to answer, but we have found that many companies just don't see the value of spending the money on the necessary tools, consultants, and time to perform these tests. The benefits of security testing far outweigh any problems that may arise.

Pros

  • Know Thyself -- Your best defense against attacks is to fix weaknesses before they are found by a hacker.
  • Proactive Security -- Weaknesses can be fixed before the whole underground has a chance to find them. We frequently see product companies testing their products before they go live to proactively fix bugs in the products.
  • Gain Resources -- If a systems administrator can show major weaknesses in a Production Internet site, more resources will likely be dedicated to the IT department.
  • Security Standards -- This would lead to all machines being secured similarly and standards followed by everyone. If a network has a number of different weaknesses across machines, a standard for security is not being applied.
  • Awareness -- Successful testing results in making everyone more aware of security needs and can lead to a corporate-wide security program.
  • Responsiveness -- Administrators who are aware of security testing of the environment will learn to be responsive to attacks and have a heightened sense of security. If we perform security tests and flags are not raised, the test results usually cause a major change in the environment.
  • Credibility -- Security testing tells customers that a proactive stance toward security has been taken and that customers can feel secure using the site.

Cons

No matter what problem may arise, and there can be several, security testing is a must. The problems listed below are minor and should not stop security testing.

  • Reality of Results -- Receiving incorrect data from a security audit is just as bad as not doing any tests at all. One problem in doing testing is the knowledge of the testers. Many organizations must hire consultants because the administrators do not have the time or experience to perform security tests. Be sure those consultants are experienced and reputable.
  • Tool Usage -- Minor vulnerabilities can lead to a large weakness that a scanner tool may not be able to interpret. Just downloading and running tools without understanding them completely can lead to a false sense of security. Half the benefit of knowledgeable security folks is how they interpret the results. The tools will not link vulnerabilities together.
  • Friendly Fire -- Even commercial scanners have been known to cause problems. If the administrators running these tools do not fully understand them, they may use them incorrectly and damage the network.
  • One-Time Attack -- Vigilance over time is essential to security testing. Organizations cannot perform a security test once and consider the site secure. Security is an ongoing process, and new exploits come out daily.

Security Concerns

A security review methodology is aimed at developing standards for security, and ensuring that the organization conforms to those standards. A good baseline standard for security should first be developed before systems are put into production. A security baseline is a set of standards applied to systems to ensure a minimum level of security. Failing this, the first security review should be aimed at finding and fixing vulnerabilities and defining a security baseline model.

Testing should first be done against the development environment. You never know what can go wrong, especially with powerful products such as vulnerability scanners. Production environments should only be scanned after the development environment. Also, production environments should be scanned only during off-peak hours. Administrators should be prepared for problems related to the scanning.

The freeware products discussed in this article have all been compiled on FreeBSD 4.1. Most of the freeware scanners are UNIX based, usually Linux. Most have to be compiled by the user, which requires some knowledge of compiling programs and some in-depth knowledge of the operating system if the compilation has errors. The source code can usually be viewed and modified by the user.

Systems administrators must have a firm grasp of the operating system to fully utilize these products in most cases. The results will take more analysis and research than that of commercial products. The real value of these products is the interpretation of the output. The problems can't be fixed if you cannot interpret the output.

Freeware Scanners

The three example scanners will now be discussed in detail. We have broken down the analysis of the scanners into Installation, Configuration, Scanning, and Reporting. As these programs report weaknesses in the system, the report output should be restricted to administrators.

Nessus

Nessus is one of the best freeware scanners. It is built on client/server architecture. Its plugin capabilities allow users to add their own checks and expand development of the product. It currently has 558 checks.

Installation

The tar file includes the following:

  • nessus-libraries-x.x.tar.gz
  • libnasl-x.x.tar.gz
  • nessus-core.x.x.tar.gz
  • nessus-plugins.x.x.tar.gz

These must then be compiled in the following order:

Install nessus-libraries:

  • cd nessus-libraries
  • ./configure
  • make
  • make install

Install libnasl:

  • cd libnasl
  • ./configure
  • make
  • make install

This operation is repeated for nessus-core and nessus-plugins. For Linux users, make sure that /usr/local/lib is in /etc/ld.so.conf, and type ldconfig.

Configuration

Nessus is a client/server architecture security scanner. You can install a Nessus server on one machine, and use another machine to control that Nessus server remotely. Using public key cryptography, Nessus encrypts the communication between the managing client and the Nessus server.

First of all, you need to assign a one-time password for the first user:

root# nessusd --make-user=nessustest,nessustest
Generating primes: ........q.....pg

The above command nessusd --make-user=nessustest,nessustest will generate a one-time password for the user named nessustest with password nessus!@#. And if you type:

nessusd -L

You will get the output:

nessustest - user password

See Figure 1.

For further user management of Nessus, use nessus-adduser. You'll need to add a user to access the Nessus daemon before starting the Nessus daemon. To do this, use nessus-adduser, and the program will prompt you for necessary information, including login name, authentication method, source restriction, and scan target rules. After using the Nessus client to connect to the Nessus daemon, you can use the GUI to manage the users.

Scanning

Use nessusd -D to start your Nessus daemon (server) first. Then run "nessus" to start the client. Once you have created the user and started the daemon and the client, you are ready to begin your scan. Of course, you must log in first; in this case, "nessustest" is our user name. Setting up the target host is the second step. You must either specify the host(s) you want to scan in the input field (using a comma as the delimiter for multiple hosts), or put the host(s) you want to scan into a file and read them in.

Choose the plugins you want to use in the "Plugins" tab. Some dangerous plugins (mostly DoS type) are disabled by default. You can set some preferences after you've decided which plugins you are going to use. Under the "Prefs" tab, you will see options for some different scan methods, such as port scan, SMB login, or imap account/password.

After you hit "Start the scan", you can sit back and have a cup of coffee and wait for the results. Nessus tends to be very "noisy". Use Nessus to scan your IDS or firewall and see how many log entries you can get. More plugins will take a longer time.

Reporting

The reports can then be sorted either by host or by port. The report can be saved as html, NSR, LaTeX and XML (experimental) formats. The reports also make reference to CVE (Common Vulnerabilities and Exposures) numbers to provide more detailed information regarding the vulnerabilities found by Nessus. See Figure 2.

Summary

Nessus is a security scanner with an easy-to-use interface and flexible architecture (client/server). The extensible plugins (NASL modules and plugins automatic update program) make it easy to add additional checks. Nessus has improved with each release and will give the commercial scanners a run for their money.

Narrow Security Scanner

Narrow Security Scanner (NSS) is a middle-weight security scanner that provides simple command-line control to scan more than 500 known vulnerabilities. For this article, we used NSS 2k-pre12.

Installation

NSS does not have a configuration installation like Nessus. The installation of NSS only requires downloading the file, untarring it and modifying the nss.conf file according to your platform. Then you can begin using it.

Configuration

The configuration file of NSS is pretty simple. You just choose which plugins you want by changing the value to "1" in the nss.conf file. Specify the path of "rpcinfo" and "dig", then you are ready to run NSS.

Scanning

To scan a single host, use: nss -s <IP>. You can also list the hosts you want to scan in a file and use -h <file> to read the file. -l changes the name of the log file, and -m mails the result to the email address you specify.

Report

NSS will save the results of the scan into a file called <IP>.log using the different IP addresses you specify. Here is one example of the log file:

-< 2XX.XX.XX.XX >-< OS: Unknow
-< 2XX.XX.XX.XX >-< FTP Server: wu-2.6.0(1)
-< 2XX.XX.XX.XX >-< Authentication (auth) Service Running
-< 2XX.XX.XX.XX >-< "rlogin" Service Running
-< 2XX.XX.XX.XX >-< "shell" Service Running
-< 2XX.XX.XX.XX >-< FingerD Service Running
-< 2XX.XX.XX.XX >-< User(s) logged on:
Login  Name Tty   Idle Login  Time  Office     Office Phone
core        pts/0  49  Nov 22 13:34 (rduXX-XX-2XX.XX.XX.com)
root   root *tty1 13d  Nov 8  16:00
-< 2XX.XX.XX.XX >-< Never logged in user: lp
-< 2XX.XX.XX.XX >-< Never logged in user: named
-< 2XX.XX.XX.XX >-< Vulnerabilities Found: 5

The log file is very simple and clearly tells you where vulnerabilities may exist.
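As an added example (not code from the article, nor from NSS itself), the following Python parses a log in the <IP>.log layout shown above and turns the findings into unverified candidates for the Penetration Testing step, which is the banner-to-known-weakness mapping described under Vulnerability Analysis. The sample log, the IP address, the host name and the WATCH_LIST entries are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the NSS <IP>.log layout shown above (not a real scan).
SAMPLE_LOG = """\
-< 203.0.113.10 >-< OS: Unknow
-< 203.0.113.10 >-< FTP Server: wu-2.6.0(1)
-< 203.0.113.10 >-< "rlogin" Service Running
-< 203.0.113.10 >-< FingerD Service Running
-< 203.0.113.10 >-< User(s) logged on:
Login  Name Tty   Idle Login  Time  Office     Office Phone
core        pts/0  49  Nov 22 13:34 (host.example.com)
-< 203.0.113.10 >-< Never logged in user: lp
-< 203.0.113.10 >-< Vulnerabilities Found: 4
"""

LINE_RE = re.compile(r"^-< (?P<ip>\S+) >-< (?P<msg>.*)$")
SERVICE_RE = re.compile(r'^"?(?P<name>.+?)"? Service Running$')

# Hypothetical watch list, banner label -> {version substring: note}. The
# entries are constructed; fill it from the advisories your team tracks.
WATCH_LIST = {"FTP Server": {"wu-2.6.0": "on local advisory watch list (placeholder)"}}
# Legacy cleartext services worth a "do we need this at all?" review.
LEGACY_SERVICES = {"rlogin", "shell", "FingerD"}


def parse_nss_log(text):
    # Group findings by IP. Lines without the -< IP >-< marker are continuation
    # output (the finger listing) and are attached to the preceding finding.
    findings, last = defaultdict(list), None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            last = m.group("ip")
            findings[last].append(m.group("msg"))
        elif last is not None and findings[last]:
            findings[last][-1] += "\n" + line
    return dict(findings)


def triage(findings):
    # Candidates for the Penetration Testing step; each stays unverified (it may
    # be a false positive) until an analyst confirms it by hand.
    report = {}
    for ip, msgs in findings.items():
        entry = {"banners": {}, "legacy_services": [], "candidates": [], "scanner_count": 0}
        for msg in msgs:
            head = msg.split("\n", 1)[0]
            if head.startswith("Vulnerabilities Found:"):
                entry["scanner_count"] = int(head.split(":")[1])
            elif svc := SERVICE_RE.match(head):
                if svc.group("name") in LEGACY_SERVICES:
                    entry["legacy_services"].append(svc.group("name"))
            elif ": " in head:
                label, value = head.split(": ", 1)
                entry["banners"][label] = value
                for version, note in WATCH_LIST.get(label, {}).items():
                    if version in value:
                        entry["candidates"].append(
                            {"service": label, "banner": value, "note": note, "verified": False})
        report[ip] = entry
    return report
```

The scanner's own "Vulnerabilities Found" count is carried through separately from the candidates, so the two can be compared when deciding what the manual testing phase must still cover.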

Summary

NSS is a small, fast scanner that can check for many known vulnerabilities. It does not have a GUI interface, but is very easy to use by command line. The code (written in Perl) is available for review and modification by the user. There can be some compilation errors that may require knowledge of Perl for a successful execution.

NSS does not generate a fancy report in different formats like Nessus. It only points out where the vulnerabilities might be. Then you must find the related information about the vulnerability. A lot of research may be needed to fix the problems if the administrator is not security savvy.

SAINT

SAINT (Security Administrator's Integrated Network Tool) is a security assessment tool based on SATAN. Features include scanning through a firewall, updated security checks from CERT and CIAC bulletins, four levels of severity (red, yellow, brown, and green) and a feature-rich HTML interface. We used SAINT 3.1, which checks for approximately 100 vulnerabilities.

Installation

Before installing SAINT, you must have nmap (http://www.insecure.org) and SMB-related tools (e.g., SAMBA on UNIX-like systems) on your system. You can then go to the directory where you untarred the files and execute the following:

./configure
make
make install

Configuration

After the installation, you should have all SAINT-related files in /usr/local/saint on your system. In /usr/local/saint/config, you can edit the saint.cf file. The excerpt of saint.cf below is where the attack level is set.

# Default attack level (0=light, 1=normal, 2=heavy,
# 3=heavy+, 4=top10, 5=custom)
$attack_level = 0;

Once you have made any necessary modifications to the configuration file, you can begin the scan by executing /usr/local/saint.

Scan

When you start SAINT, a browser window pops up with a menu of "Data Management", "Target Selection", "Data Analysis", "Config Management", "Documentation", and "Trouble Shooting". You can keep the default setting in the "Data Management" section in the beginning. Before you select your target, SAINT will notify you that when you use your browser to connect to other WWW servers, some information might be revealed during the process (see Figure 3). You can decide whether to continue. After you decide on your target, you can choose the attack level from Light, Normal, Heavy, Heavy+, Top10, or Custom. You can begin with Normal and change the level as you go on. As you change levels from Light to Heavy, more checks will be done. The scan will collect data and store it for reporting.

Report

The results can be categorized by Vulnerabilities, Host information, or Trusted Hosts. You can easily identify vulnerabilities and find related information by the hyperlinks to CVE or other places (see Figure 4). There is a SAINT Writer that can generate customized reports in HTML for you. SAINT Writer has just been released.

Summary

SAINT inherited many advantages from SATAN. It is very flexible, like Nessus, because of its client/server architecture. The vulnerabilities it can check are limited, however, and it is not as easy to pick specific checks to scan. It is also not as easy to add modules for SAINT, because there are no tools similar to NASL for Nessus. You must know Perl to make your own changes to SAINT. Its speed is comparable to NSS, and it is faster than Nessus. Solutions to the vulnerabilities found will require some research, but SAINT provides some good information to begin fixing the problems.

Conclusion

After looking at all these free scanners, here are some criteria to consider for new similar programs/tools:

1. Flexible architecture. With client/server architecture, you can run the control client behind a firewall and the server in front of it.

2. Ease of use. If you can launch the scan by a one-line command, it will be handy wherever you are.

3. Modular design. Ease of use in selecting checks and customization of the program.

4. Reporting. Are the results and reports generated by the program in clearly understood format? The solutions for found vulnerabilities should be easy to find and understand. Reports should be flexible, exportable, and easily modified.

With these four criteria in mind, you should be able to pick the scanner you need in the future.

The outputs of these scans will point to a number of potentially vulnerable services and programs. This data will lead to the next step in the security methodology -- Penetration Testing. Just because the scanners found a vulnerability doesn't mean it actually exists. It could be a false positive.

These freeware products can be used by almost anyone, but administrators who are not yet technically savvy are cautioned to use them carefully.

For systems administrators looking for inexpensive security products, freeware scanner tools provide a viable alternative. They may not be as easy to use, but the list of checks can be comprehensive and accurate. The best part is you can test them out and become familiar with scanner tools before you leap into purchasing those expensive commercial products.

The vulnerability scanners assume security is a snapshot in time. Security is an ongoing process and every day brings a new security challenge. Periodic security scans will not keep your systems secure. Scanners help, but are not the end-all solution. Continuous assessments are needed to keep the organization secure.

Gary Bahadur is the Chief Information Officer for Foundstone Inc (http://www.foundstone.com). Foundstone specializes in security consulting and training. Gary has been performing Attack and Penetration testing for more than five years. He can be reached at: gary@foundstone.com.

Yen-ming Chen is a security consultant with Foundstone Inc. Yen-ming has been performing Attack and Penetration testing for several years. He can be reached at: yenming.chen@foundstone.com.