Nessus介绍及报表分析

1、Nessus介紹及報表分析姓名：呂芳發1大綱Nessus介紹報表分析風險評分標準及相關資料庫案例2系統弱點掃描網路上作業系統或應用軟體存在許多漏洞利用工具發現系統弱點改善系統弱點,確保系統安全3Nessus主要特點R. Deraison成立一個計劃，命名為Nessus，在透過許多同好的協助與網路社群討論修改，於1998年4月首次發表Nessus 免費下載、功能強大、架構完整、更新迅速且相當容易使用的主機安全稽核掃瞄軟體發展目的是幫助系統管理者搜尋系統主機的弱點所在，讓系統管理者對主機進行錯誤的更正或防護，以避免被入侵者攻擊Nessus的可延伸性使得掃描更具有發展空間，因為它隨意增加原本所沒有的

2、偵測模式，而外掛模組(Plugins)就是對每個安全漏洞的描述和稽核，因此擴充外掛模組就可提升軟體的稽核能力4Nessus主要特點外掛Plugins：使用者可依需求修改外掛模組，而不需修改內部核心的程式碼時常性更新弱點資料庫：Nessus的開發維護人員每天專注於檢查最新的安全漏洞支援作業平台包括：Linux, FreeBSD, Solaris, Windows等5Nessus安裝6Nessus安裝7Nessus安裝8Nessus安裝9系統弱點掃描工具軟體:Nessus-()10Nessus 使用11Nessus 使用12Nessus 掃描結果說明掃瞄位址：顯示目前掃描及狀況分析的主機IP訊息代

3、碼(Plugin information)：顯示此弱點代表的ID碼，透過這個ID碼可以到Nessus網站找到此弱點更詳細的說明弱點(Vulnerability)：顯示風險等級，若是”hole”狀況，請立即處理相關安全問題狀況描述(Description)：描述這個弱點發生的原因解決方法(Solution)：提供管理人員解決上述弱點的解決方案與建議。13Nessus Report14Nessus ReportNessus的分析報告包含三種安全等級：安全紀錄（Notes）：透過測試的結果，可以獲得某些系統資訊。安全警告（Warning）：測試的結果，可能影響系統安全 。安全漏洞（Hole）：測試的

4、結果，嚴重影響到系統安全。15Common Vulnerability Scoring System（CVSS） 弱點（vulnerabilities）是網絡安全中的一個重要因素,通用弱點評價系統（CVSS）是由美國國家基礎建設諮詢委員會 (NIAC) 開發的一個開放並且能夠被產品廠商免費採用的標準。使用標準的數學方程式，來判定威脅的嚴重性，列入評估標準的因素，還包括安全弱點能否被遠端利用，或是攻擊者是否需要登入，才能利用此一弱點。利用該標準，可以對弱點進行評分，幫助我們判斷修復不同弱點的優先等級。16Common Vulnerability Scoring System（CVSS） 17Co

5、mmon Vulnerability Scoring System（CVSS） 如果漏洞既可遠程利用，又可以本地利用，取值應該為遠程利用的值。 攻擊複雜度的值為低/中/高。 需要認證的例子，如需要預先有Email、FTP帳號等 。18Common Vulnerability Scoring System（CVSS） BaseScore = round_to_1_decimal(10 * AccessVector * AccessComplexity * Authentication * (ConfImpact * ConfImpactBias) + (IntegImpact * IntegIm

6、pactBias) + (AvailImpact * AvailImpactBias)19Common Vulnerability Scoring System（CVSS） Medium / CVSS Base Score : 5 (AV:R/AC:L/Au:NR/C:P/A:N/I:P/B:N)該漏洞的影響為中，CVSS基本評價分值為5分，其中分項取值表格 - BASE METRIC EVALUATION SCORE - Access Vector Remote(1.00) Access Complexity Low (1.00) AuthenticationNot-Required(1.0

7、0) Confidentiality ImpactPartial (0.70) Integrity ImpactPartial (0.70) Availability Impact None(0.00) Impact Bias Normal(0.333) - BASE FORMULABASE SCORE - round(10 * 1.0 * 1.0 * 1.0 * (0.7 * 0.333) + (0.7 * 0.333) + (1.0 * 0.333) = (4.66) 20IAVs IAVA- Information Assurance Vulnerability Alert alerts

8、 of high priority ,must be eradicated from the network IAVB- bulletins of medium priority , do not pose an immediate threatIAVT- technical notes on vulnerabilities , without remediation urgency21CVE Common Vulnerabilities and Exposuresfree for public useCVE is a dictionary of publicly known informat

9、ion security vulnerabilities and exposures.22OSVDB 開放原始碼弱點資料庫（The Open Source Vulnerability Database，簡稱OSVDB）將網際網路相關軟體的安全瑕疵分類，供使用者查詢。23Nessus Reportrtsp (554/tcp)Synopsis :The remote RTSP (Real Time Streaming Protocol) server is prone to a buffer overflow attack. Description :The remote host is runn

10、ing Helix Server or Helix DNA Server, a mediastreaming server. The version of the Helix server installed on the remote hostreportedly contains a heap overflow that is triggered using an RTSPcommand with multiple Require headers. An unauthenticated remoteattacker can leverage this flaw to execute arb

11、itrary code subject tothe privileges under which it operates, by default LOCAL SYSTEM onWindows. Solution:Upgrade to Helix Server / Helix DNA Server version 11.1.4 or later. Risk Factor :Critical / CVSS Base Score : 10.0(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)24Nessus Reportmysql (3306/tcp)Synopsis :An un

12、passworded database server is listening on the remote port.Description :The remote host is running MySQL, an open-source database server. Itis possible to connect to the remote database using one of thefollowing unpassworded accounts :- root - anonymousThis may allow an attacker to launch further at

13、tacks against thedatabase. Solution:Disable the anonymous account or set a password for the root account. Risk Factor :High / CVSS Base Score : 7 (AV:R/AC:L/Au:NR/C:P/A:P/I:P/B:N)25Nessus Reportftp (21/tcp)Synopsis : You seem to be running an which is vulnerable.An attacker may use this problem to e

14、xecute arbitrary commands on this host.Solution: Upgrade your software to the latest version.Risk Factor : HighCVE : CVE-2001-0249, CVE-2001-0550BID : 2550, 3581Other references : IAVA:2001-b-0004, OSVDB:686, OSVDB:8681Plugin ID : 1082126Nessus Report27Nessus Report28Nessus Report 29Nessus Reportftp

15、 (21/tcp)The remote is vulnerable to a SQL injection whenit processes the USER command.An attacker may exploit this flaw to log into the remote hostas any user.Solution: If the remote server is ProFTPd, upgrade to ProFTPD 1.2.10 whenavailable, or switch the SQL backend to PostgreSQL.Risk Factor : Hi

16、ghBID : 7974Plugin ID : 1176830Nessus Reporthttp (80/tcp) The following URLs seem to be vulnerable to BLIND SQL injectiontechniques : /internal/news.php?-=&user_id=+AND+ba&password=/internal/news.php?-=&user_id=+AND+1=1&password=/internal/news.php?-=&user_id=+AND+1=1)&password=/internal/news.php?-=&

17、user_id=/*/&password=An attacker may exploit this flaws to bypass authenticationor to take the control of the remote database.Solution: Modify the relevant CGIs so that they properly escape argumentsRisk Factor : HighSee Also : Plugin ID : 1113931Nessus ReportSQL Injection 是使用者輸入的資料中夾帶 SQL 指令，在設計不良的

18、程式忽略了檢查，這些夾帶進去的指令就會被資料庫伺服器誤認為是正常的SQL指令而執行，因此招致到破壞。利用SQL Injection 可植入惡意程式。32Nessus Reporthttp (80/tcp) The following URLs seem to be vulnerable to various SQL injection techniques : /doclink/formlink01.asp?-=+OR+a Edit - Home Directory - Configuration. Click the Add button, specify C:winntsystem32in

19、etsrvasp.dll as the executable (may be different depending on your installation), enter .asa as the extension, limit the verbs to GET,HEAD,POST,TRACE, ensure the Script Engine box is checked and click OK.Risk Factor : HighPlugin ID : 1099138Nessus Reporthttp (80/tcp) The remote host is using a versi

20、on of OpenSSL which isolder than 0.9.6m or 0.9.7dThere are several bug in this version of OpenSSL which may allowan attacker to cause a denial of service against the remote host.Solution: Upgrade to version 0.9.6m (0.9.7d) or newerRisk Factor : HighCVE : CVE-2004-0079, CVE-2004-0081, CVE-2004-0112BI

21、D : 9899Other references : IAVA:2004-B-0006, OSVDB:4316, OSVDB:4317, OSVDB:4318Plugin ID : 1211039Nessus Reportsnmp (161/udp)Synopsis :The community name of the remote SNMP server can be guessed.Description :It is possible to obtain the default community names of the remoteSNMP server.An attacker may use this information to gain more knowledge aboutthe remote host, or to change the configuration of the remotesystem .Solution: Disable the SNMP service on the remote host if you do not use it,filter incoming UDP packets going to this port, or change the default community string.Risk Fa