Educause Security Discussion mailing list archives

Re: NESSUS


From: Josh Richard <jrichar4 () D UMN EDU>
Date: Thu, 24 Feb 2005 10:46:35 -0600

Hi Chad,

We are running FreeBSD on a Dell 2650 (2X3Ghz XEON 2GB RAM) and are able
to scan 29 /24 bit networks in under 2 hours.  I assume when you say
subnets, you are talking about /24's. This is achieved by selecting 5 or
so Nessus plugin IDs we would like to enforce using Jon Ballem's
Net::Nessus::ScanLite Perl module to dispatch the scans.

The algorithm is simple:

if the host is reachable via ICMP ping
   scan the host (see
   http://search.cpan.org/~jpb/Net-Nessus-ScanLite-0.01/lib/Net/Nessus/ScanLite.pm
   for documentation)
   react to the scan however you need

The 2 hour time frame can be reduced greatly by not scanning the subnets
sequentially, but scanning all 20+ subnets at the same time using a
wrapper script which calls a Perl program which expects a subnet on the
command line.  Choosing to do this is up to you, however.

Please enjoy these code stubs!  The usual disclaimer applies:

'If it does not work for you, you have the code'. :)


Wrapper script:
----
#!/usr/bin/perl
use strict;

my @subnets = (1 .. 20);

for (@subnets){
   system ("/usr/local/bin/scan_subnet.pl 10.1.$_ &");
}

----


Where <scan_subnet.pl> looks something like this:
----
#!/usr/bin/perl
##
# This is a code stub, not really tested and included for reference.
# Hopefully this will get you off the ground.
#
# No warranty implied or otherwise, however we will always give out rope.
# - Hanging yourself is optional.
#
# Please clean this up as needed.
# Josh Richard UMD
##
use strict;
use warnings;
use Net::Ping;
use Net::Nessus::ScanLite;

# adjust this to remove your gateway or only include ips where machines
# exist...
my @ips = (1 .. 253);
my $network = $ARGV[0] or die "usage: $0 <first three octets of a /24, e.g. 10.1.5>\n";

# needs to run as root for icmp scans...
my $p = Net::Ping->new('icmp', 1);

for (@ips){
   my $host = "$network.$_";

   if ($p->ping($host)){
       print "Ping returned ok, scanning $host...\n";
       if (host_is_vulnerable($host)){
           # do something, or not. ;)
       }
   }
}

###
#
## SUBS
#
###
sub host_is_vulnerable{
   my $addr = shift;

   my $plugins = '10394;etc'; # See documentation, John is a good writer... ;)
   my $user = 'user'; # See documentation
   my $pwd = '*****'; # See documentation
   my $nessus_server = 'server_running_nessus'; # See documentation
   my $logmessage;

   my $nessus = Net::Nessus::ScanLite->new(
                                           host => $nessus_server,
                                           port => 1241,
                                           ssl  => 1,  # comment out or set to 1 if using ssl
                                           );
   # Modify the following if you need to
   $nessus->preferences( { host_expansion => 'none', safe_checks => 'yes',
                           checks_read_timeout => 1 } );
   $nessus->plugin_set($plugins);

   if( $nessus->login($user,$pwd) ) {
       $nessus->attack($addr);
   }else{
       die "Could not login to server.\n";
   }

   # Vulnerability to scan set detected if true
   if ($nessus->total_holes){
       # Build the ';'-separated string of plugin ids for the log message.
       my $ids = join ';', map { $_->ScanID() } $nessus->hole_list;
       $logmessage = "scan_subnet: $addr [check:$plugins] [VULN:$ids]";

       # Note you could log this to a file easily...
       print "$logmessage\n";

       return 1;
   }
   # Otherwise not vulnerable, continue
   return 0;
}

---------------

Code based on this example worked well for us in testing and reduces the
time to scan all subnets to a little over the time it takes to scan 1
subnet.  We were able to scan about 6000 machines in just over an hour
***.  For 20 subnets, you should be safe and be able to make that big
server earn its paycheck.

Regards,

Josh Richard
University of Minnesota Duluth
ITSS
http://www.d.umn.edu/~jrichar4


*** Footnote of fun:  Scanning 6000 (120 subnets) machines at once is
not recommended... This required performance tuning the IP Stack on the
BSD server, some sleep statements in the wrapper script to stop a dual
server meltdown and is just included as a proof of concept.  I had to
try it once.  Have fun :)
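The footnote above describes the wrapper melting down the server when every scan_subnet.pl was started at once. As an added example that is not part of the original post, this replacement wrapper keeps the same scanner path and 10.1.x subnet naming but caps how many scanners run concurrently, forking and reaping children instead of backgrounding them through the shell. The subnet list and the cap of 5 are constructed sample values.

```perl
#!/usr/bin/perl
# Added example (not from the original post): run /usr/local/bin/scan_subnet.pl
# for many subnets, but never more than $max_jobs scanners at a time.
use strict;
use warnings;

my $max_jobs = 5;                                   # concurrency cap; tune for your server (assumed value)
my $scanner  = '/usr/local/bin/scan_subnet.pl';     # path used by the original wrapper
my @subnets  = map { "10.1.$_" } (1 .. 120);        # constructed sample list of /24s

my %running;   # child pid => subnet it is scanning

for my $subnet (@subnets) {
    # Block until a slot is free; wait() returns -1 only when there are no children.
    while (scalar(keys %running) >= $max_jobs) {
        my $pid = wait();
        last if $pid == -1;
        reap($pid);
    }

    my $pid = fork();
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) {
        # Child: list-form exec passes the subnet as a single argv element,
        # so nothing in it is ever interpreted by a shell.
        exec($scanner, $subnet) or die "exec $scanner failed: $!";
    }
    $running{$pid} = $subnet;
}

# Drain the remaining scanners.
while ((my $pid = wait()) != -1) {
    reap($pid);
}

sub reap {
    my $pid    = shift;
    my $subnet = delete $running{$pid};
    $subnet = 'unknown' unless defined $subnet;
    my $status = $? >> 8;                  # scan_subnet.pl exit code
    print "scan of $subnet finished (pid $pid, exit $status)\n";
}
```

Raising $max_jobs trades scan time for load on the Nessus server and the local IP stack, which is the knob the footnote was tuning by hand with sleep statements.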





Chad McDonald wrote:


I am trying to use Nessus to do a baseline vulnerability scan of our
university network.  To date, I am not having much luck finding the
right hardware that can support this large of a scan (20+ subnets) in
a reasonable timeframe.  Before I make a purchase, could those of you
using Nessus let me know what kind of hardware you have had success
with?  My current "desktop pc" configuration running on Suse just
doesn't fit the bill.

Thanks,
Chad McDonald, CISSP
Chief Information Security Officer
Georgia College & State University
478.445.4473  Office
478.454.8250 Cell
478.445.1202 Fax



**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.
