Which methods do you use to quickly scan a network for certain vulnerabilities?

I read in the O'Reilly book Network Security Tools that Nessus had the ability to test for one vulnerability only, but that it had to be done via the command line. But that was long ago, and Nessus is different now. Is this possible today, and if so, what's the correct syntax?

Is this also possible with OpenVAS? If it's not possible with either Nessus or OpenVAS in their current incarnations, would it be easier to write Nmap NSE scripts to find these vulnerabilities -- and what would be the trade-off in terms of functionality, reliability, and performance compared to Nessus/OpenVAS?

An example list of the types of vulnerabilities that I'm talking about can be found in the Pen Test Bookmarks, under the section "MSF Exploits or Easy". I'm trying to build and enhance my own version of common/easy exploits based on my own personal risk management and penetration-testing experience.

atdre

1 Answer

Regarding Nessus: ./bin/nasl works well, especially given the "-M" flag.

It’s pretty easy to modify existing nasl scripts or to copy and paste a single nasl script to derive a custom check.

The "-M" option is key because it enables script dependencies in cli mode. For example, the apache_http_version.nasl script has a dependency defined, which looks like:

$ grep dependencies ../lib/nessus/plugins/apache_http_version.nasl
script_dependencies("http_version.nasl");

If you run a single nasl script that has dependencies without the "-M" flag, your results will be empty:

$ sudo ./nasl -t 10.10.10.5 ../lib/nessus/plugins/apache_http_version.nasl
$

But, if you add the "-M" flag, then you get the below (and a working check):

$ sudo ./nasl -M -V -t 10.10.10.5 ../lib/nessus/plugins/apache_ssl_overflow.nasl
----------[ Executing ping_host.nasl ]------
----------[ Finished ping_host.nasl ]------
----------[ Executing http_version.nasl ]------
----------[ Finished http_version.nasl ]------
[...]

Tate Hansen
  • Wow, incredibly useful. I found this -- http://blog.tenablesecurity.com/2007/06/using-the-nasl-.html -- but some of it might be outdated. I'm really looking for the state-of-the-art, perhaps a performance comparison – atdre Apr 12 '11 at 01:52
  • 1
    Also found -- http://blog.tenablesecurity.com/2010/11/scanning-for-default-easily-guessable-credentials-with-nessus.html -- which answers a little better. Here you can seem to scan an entire directory full of NASLs (I just need to match them to my own personal lists) with the command -- bin/nasl -t 192.168.1.206 \ -k /opt/nessus/var/nessus/users/paulda/kbs/192/168/1/192.168.1.206 \ /opt/nessus/lib/nessus/plugins/account_*.nasl – atdre Apr 12 '11 at 01:57
  • So NASL to launch NASL scripts and nessuscmd to run plugins? – atdre Apr 12 '11 at 02:03
  • This looks cool, too, but probably wildly out-of-date -- http://michel.arboi.free.fr/nasl2ref/ – atdre Apr 12 '11 at 02:30
  • I'm going to add this comment as well -- http://www.digininja.org/blog/nessus_over_sock4a_over_msf.php -- useful once you have a Meterpreter session – atdre Apr 13 '11 at 19:33
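The reason a lone plugin returns nothing without "-M" is that its script_dependencies() declarations are never walked, so the knowledge base it reads from stays empty. The following is an added example (not Tenable's code and not part of the thread) that resolves that dependency chain itself from the script_dependencies() calls shown above, producing the run order you see in the "-M -V" output; the plugin sources are constructed inline rather than read from ../lib/nessus/plugins, and accepting the older spelling script_dependencie() is an assumption.

```python
import re

# Constructed sample plugin sources keyed by file name. In practice you would
# read each file from the plugin directory (../lib/nessus/plugins on the page).
SAMPLE_PLUGINS = {
    "ping_host.nasl": 'script_name("Ping the remote host");\n',
    "http_version.nasl": 'script_dependencies("ping_host.nasl");\n',
    "apache_http_version.nasl": 'script_dependencies("http_version.nasl");\n',
    "apache_ssl_overflow.nasl":
        'script_dependencies("http_version.nasl",\n    "ping_host.nasl");\n',
}

# Matches script_dependencies(...) and the legacy script_dependencie(...)
# spelling (assumed); the argument list may span several lines.
DEP_CALL_RE = re.compile(r'script_dependenc(?:ies|ie)\s*\(([^)]*)\)', re.S)
QUOTED_NAME_RE = re.compile(r'"([^"]+)"')

def parse_dependencies(source):
    """Return every plugin name declared in script_dependencies() calls."""
    deps = []
    for call in DEP_CALL_RE.finditer(source):
        deps.extend(QUOTED_NAME_RE.findall(call.group(1)))
    return deps

def resolve_run_order(plugin, load_source):
    """Depth-first resolution of the transitive dependencies of `plugin`.

    `load_source(name)` returns the plugin text or None if it is missing.
    Returns the plugins in execution order (dependencies first, the requested
    plugin last), mirroring what `nasl -M` does. A missing plugin or a cycle
    raises instead of quietly yielding an empty check, which is the failure
    mode the thread describes."""
    order, state = [], {}  # state: name -> "visiting" | "done"

    def visit(name):
        if state.get(name) == "done":
            return
        if state.get(name) == "visiting":
            raise ValueError("dependency cycle involving %s" % name)
        state[name] = "visiting"
        source = load_source(name)
        if source is None:
            raise FileNotFoundError("plugin not found: %s" % name)
        for dep in parse_dependencies(source):
            visit(dep)
        state[name] = "done"
        order.append(name)

    visit(plugin)
    return order

if __name__ == "__main__":
    for step in resolve_run_order("apache_ssl_overflow.nasl", SAMPLE_PLUGINS.get):
        print("----------[ Executing %s ]------" % step)
```

Pointing load_source at the real plugin directory turns this into a quick way to see which scripts a check will pull in before you run it against a host.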