This chapter introduces Nessus [Nessus]. Nessus is a very popular open source security scanner which allows us to perform automatic vulnerability scanning of remote computer systems. To make Nessus more effective at scanning Oracle products for vulnerabilities, we will also have a short look at how to write new plugins or customize existing plugins, because it may be necessary to reflect some Oracle-specific issues, such as uncommon port numbers like 1810 or 7777.
The installation of nessus is quite simple and is done in a few minutes. First download the nessus installer (a shell script) from the download page and execute it:
[frank@w0001 frank]$ bash nessus-installer.sh
The installer will ask you some questions (root password :-), install location etc.). Afterwards the nessus server and a GTK client are built (compiled) from the source code and installed on your computer.
To use SSL communication between the nessus client and the server, we need to generate a certificate:
[frank@w0001 frank]$ su -
Password:
[root@w0001 root]# nessus-mkcert
[root@w0001 root]#
To log in it is nice to have a user :-). I did not define any access rules for the user.
[root@w0001 root]# nessus-adduser
[root@w0001 root]#
And now it is time to start the server:
[root@w0001 root]# nessusd -D
[root@w0001 root]# ps xa | grep nessusd
26933 ?     S    0:00 nessusd: waiting for incoming connections
26935 pts/5 S    0:00 grep nessusd
[root@w0001 root]#
Security is a dynamic business, so it is always a good idea to update the nessus plugin database :-)
[root@w0001 sbin]# nessus-update-plugins
[root@w0001 sbin]#
If you need further information about installation or configuration please consult the nessus homepage.
For the scans of my OCS system I used the nessus client for Microsoft Windows [NessusWX]; you can download that client here. The installation is done by just double-clicking on setup.exe :-). After installation you can start NessusWX and see the following dialog:
First we need to connect to the nessus server:
And create a new scan-session:
Enter the IP address or server name of your OCS installation:
Nessus includes some port-scan methods; you should enable at least nmap.
To have some fun, I just enabled all plugins. If you like, you can disable scans you do not need (e.g. scans for Microsoft Windows or IIS).
Some plugins can be configured with additional parameters. To get some more in-depth information I entered usernames/passwords for POP3 and IMAP. I also enabled anonymous FTP logins in IFS.
It is time to execute your scan now:
You may take a cup of coffee and watch the progress bar :-D
That's the fun part: reading and analysing the scan results.
Currently there are only a few nessus plugins that perform tests on Oracle products. That may be related to the fact that not many nessus hackers have running Oracle installations. But it also means that we have to write our own plugins.
Anyway, writing plugins for nessus is most of the time a very simple business (depending mostly on the underlying protocols used). My example will test whether one of the Oracle demos is accessible. This demo may allow SQL injection, so it is worth checking for it.
Nessus plugins are normally structured in two parts: a description block, which registers the plugin's ID, name, category, dependencies and required ports when the server loads it, and the actual test code that runs against the target.
To start writing a new plugin I normally search for similar plugins that already exist. Then you just have to copy the existing one and use it as a template for the new one :-).
So let's start with coding. We want to check if we can request the URL /pls/portal/PORTAL_DEMO.ORG_CHART.SHOW. This is the NASL code for it:
if(description) {
    # Registration block: executed once when nessusd loads the plugin
    script_id(11918);
    script_version("$Revision$");
    name["english"] = "Oracle 9iAS PORTAL_DEMO ORG_CHART";
    script_name(english:name["english"]);
    desc["english"] = "your description of the plugin";
    script_description(english:desc["english"]);
    summary["english"] = "Tests for presence of Oracle9iAS PORTAL_DEMO.ORG_CHART";
    script_summary(english:summary["english"]);
    script_category(ACT_GATHER_INFO);
    family["english"] = "CGI abuses";
    script_family(english:family["english"]);
    # Run after service detection, and only where an Oracle Apache was identified
    script_dependencie("find_service.nes", "http_version.nasl");
    script_require_ports("Services/www", 80, 7777, 7778, 7779);
    script_require_keys("www/OracleApache");
    exit(0);
}

# Test part: executed against the target host
include("http_func.inc");

port = get_kb_item("Services/www");
if(!port) port = 80;

if(get_port_state(port)) {
    req = http_get(item:"/pls/portal/PORTAL_DEMO.ORG_CHART.SHOW", port:port);
    soc = http_open_socket(port);
    if(soc) {
        send(socket:soc, data:req);
        r = http_recv(socket:soc);
        http_close_socket(soc);
        # The title of the demo page identifies it
        if("Organization Chart" >< r)
            security_hole(port);
    }
}
The really important part of the code is the test at the end: we send our request for the URL and check whether the response includes the string "Organization Chart", which is the title of that demo page. Even if you don't know C or other programming languages very well, it shouldn't be very difficult to read the code. That's all folks :-). If you want to learn more about NASL, just visit the Nessus Homepage and read the NASL reference.
For your reference you can also download the plugin from my homepage. Normally you should get the latest version during a regular nessus plugin update.
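The same check as an added Python example (not from this page or the Nessus project), so you can run the decision logic offline against a constructed response and, with check_host, verify on a host you administer that the demo has been removed; it goes a little beyond the NASL by trying every port the plugin registers for and by requiring a 200 status together with the title string. The host name and both sample responses are constructed.

```python
import socket
from typing import Optional, Tuple

# Ports the plugin registers for: Services/www plus the Oracle HTTP server defaults
ORACLE_HTTP_PORTS = (80, 7777, 7778, 7779)
DEMO_PATH = "/pls/portal/PORTAL_DEMO.ORG_CHART.SHOW"
MARKER = "Organization Chart"   # title of the demo page, as in the NASL plugin


def build_request(host: str, path: str = DEMO_PATH) -> bytes:
    """Minimal HTTP/1.0 GET, equivalent to what http_get() produces."""
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()


def parse_response(raw: bytes) -> Tuple[Optional[int], str]:
    """Split a raw HTTP response into (status code, body text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split()
    code = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    return code, body.decode("latin-1", errors="replace")


def demo_exposed(raw: bytes) -> bool:
    """The plugin's decision, plus a 200 check so an error page that merely
    echoes the requested path is not reported as the demo."""
    code, body = parse_response(raw)
    return code == 200 and MARKER in body


def check_host(host: str, ports=ORACLE_HTTP_PORTS, timeout: float = 5.0) -> Optional[int]:
    """Live check against your own server: first port serving the demo, else None."""
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(build_request(host))
                chunks = []
                while True:
                    chunk = s.recv(4096)
                    if not chunk:
                        break
                    chunks.append(chunk)
            if demo_exposed(b"".join(chunks)):
                return port
        except OSError:
            continue   # port closed or filtered; try the next one
    return None


# Constructed sample responses (not captured from a real system)
SAMPLE_HIT = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><head><title>Organization Chart</title></head></html>"
SAMPLE_MISS = b"HTTP/1.1 404 Not Found\r\n\r\n<html>Not Found: PORTAL_DEMO.ORG_CHART.SHOW</html>"
```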