{"id":1264,"date":"2012-09-03T08:50:54","date_gmt":"2012-09-03T08:50:54","guid":{"rendered":"http:\/\/blog.designed79.co.uk\/?p=1264"},"modified":"2012-09-03T08:50:54","modified_gmt":"2012-09-03T08:50:54","slug":"penetration-mac-os-x-server-with-nessus-5","status":"publish","type":"post","link":"https:\/\/blog.designed79.co.uk\/?p=1264","title":{"rendered":"Penetration Mac OS X Server With Nessus 5"},"content":{"rendered":"<p>One of my favorite tools for penetration testing is Nessus from Tenable Network Security. Nessus 5 is the latest release in the family of vulnerability scanners that is probably amongst the most prolific. Nessus 5 does discovery, configuration auditing, profiling, looks at patch management and performs vulnerability analysis on a variety of platforms. Nessus can also run on Linux, Windows or Mac OS X and can be used to scan and keep track of vulnerabilities for practically any platform, including Mac OS X.<\/p>\n<p>To install Nessus, go to the\u00a0<a href=\"http:\/\/www.nessus.org\/products\/nessus\">Nessus site<\/a>\u00a0and click on the Download button, around the middle of the page. Agree to the download agreement and then choose the version that is right for you (Mac OS X in this case).<\/p>\n<p><a href=\"http:\/\/krypted.com\/wp-content\/uploads\/2012\/02\/Screen-Shot-2012-02-23-at-8.50.35-PM.png\" rel=\"lightbox[7403]\"><img loading=\"lazy\" decoding=\"async\" title=\"Download Nessus\" src=\"http:\/\/krypted.com\/wp-content\/uploads\/2012\/02\/Screen-Shot-2012-02-23-at-8.50.35-PM-300x286.png\" alt=\"Download Nessus for Mac OS X\" width=\"300\" height=\"286\" \/><\/a><\/p>\n<p>Download Nessus for Mac OS X<\/p>\n<p>The software will then download and need to be installed. Once downloaded, open the Nessus dmg and extract it. 
Inside will be the Nessus 5 package installer.<\/p>\n<p><a href=\"http:\/\/krypted.com\/wp-content\/uploads\/2012\/02\/Screen-Shot-2012-02-23-at-8.53.02-PM.png\" rel=\"lightbox[7403]\"><img loading=\"lazy\" decoding=\"async\" title=\"The Nessus Installer pkg\" src=\"http:\/\/krypted.com\/wp-content\/uploads\/2012\/02\/Screen-Shot-2012-02-23-at-8.53.02-PM-300x170.png\" alt=\"The Nessus Installer pkg\" width=\"300\" height=\"170\" \/><\/a><\/p>\n<p>The Nessus Installer pkg<\/p>\n<p>Open the installer and click through the defaults to perform a basic installation.<\/p>\n<p><a href=\"http:\/\/krypted.com\/wp-content\/uploads\/2012\/02\/Screen-Shot-2012-02-23-at-8.54.42-PM.png\" rel=\"lightbox[7403]\"><img loading=\"lazy\" decoding=\"async\" title=\"Installing Nessus\" src=\"http:\/\/krypted.com\/wp-content\/uploads\/2012\/02\/Screen-Shot-2012-02-23-at-8.54.42-PM-300x212.png\" alt=\"Installing Nessus\" width=\"300\" height=\"212\" \/><\/a><\/p>\n<p>Installing Nessus<\/p>\n<p>Once done, you\u2019ll have the Nessus Server Manager and Nessus Client.url in a Nessus folder in the Applications directory.<\/p>\n<p><a href=\"http:\/\/krypted.com\/wp-content\/uploads\/2012\/02\/Screen-Shot-2012-02-23-at-8.55.12-PM.png\" rel=\"lightbox[7403]\"><img loading=\"lazy\" decoding=\"async\" title=\"The Nessus Applications\" src=\"http:\/\/krypted.com\/wp-content\/uploads\/2012\/02\/Screen-Shot-2012-02-23-at-8.55.12-PM-300x173.png\" alt=\"The Nessus Applications\" width=\"300\" height=\"173\" \/><\/a><\/p>\n<p>The Nessus Applications<\/p>\n<p>Open the Nessus Server Manager and authenticate as an administrator when prompted. When you downloaded the software you would have been prompted for registration. Provide that information in the registration field. Then click on Update plugins to make sure all of the Nessus plugins are running the latest version. 
Finally, click on Manage Users\u2026 to create your users.<\/p>\n<p><a href=\"http:\/\/krypted.com\/wp-content\/uploads\/2012\/02\/Screen-Shot-2012-02-23-at-8.57.55-PM.png\" rel=\"lightbox[7403]\"><img loading=\"lazy\" decoding=\"async\" title=\"Nessus Server Configuration\" src=\"http:\/\/krypted.com\/wp-content\/uploads\/2012\/02\/Screen-Shot-2012-02-23-at-8.57.55-PM-236x300.png\" alt=\"Nessus Server Configuration\" width=\"236\" height=\"300\" \/><\/a><\/p>\n<p>Nessus Server Configuration<\/p>\n<p>At the list of Nessus users, click on the plus sign and create a new user, likely making the user an admin (I see few vulnerability scanning stations that have non-administrative users, which would just be for viewing reports and such). Click Save to create the user and then close the List of users screen.<\/p>\n<p><a href=\"http:\/\/krypted.com\/wp-content\/uploads\/2012\/02\/Screen-Shot-2012-02-23-at-9.01.19-PM.png\" rel=\"lightbox[7403]\"><img loading=\"lazy\" decoding=\"async\" title=\"Create Nessus Users\" src=\"http:\/\/krypted.com\/wp-content\/uploads\/2012\/02\/Screen-Shot-2012-02-23-at-9.01.19-PM-236x300.png\" alt=\"Create Nessus Users\" width=\"236\" height=\"300\" \/><\/a><\/p>\n<p>Create Nessus Users<\/p>\n<p>If the Nessus server isn\u2019t started, click on Start Nessus Server. Then click on the Nessus Client.url file back where the Nessus Server Manager was accessed. 
At the Nessus login screen, provide the username and password for the Nessus server that was previously created.<\/p>\n<p><a href=\"http:\/\/krypted.com\/wp-content\/uploads\/2012\/02\/Screen-Shot-2012-02-23-at-9.03.19-PM.png\" rel=\"lightbox[7403]\"><img loading=\"lazy\" decoding=\"async\" title=\"Authenticate to Nessus\" src=\"http:\/\/krypted.com\/wp-content\/uploads\/2012\/02\/Screen-Shot-2012-02-23-at-9.03.19-PM-282x300.png\" alt=\"Authenticate to Nessus\" width=\"282\" height=\"300\" \/><\/a><\/p>\n<p>Authenticate to Nessus<\/p>\n<p>Once authenticated, you will be placed in the Scans screen. Before we configure any scans, we\u2019re first going to create a Policy (which defines how a scan operates for the most part). To do so, click on Policies and then click on the Add button. There are four policy tabs (aligned on the left sidebar). In the General pane, you will configure the name for the Policy, \u201cMac Servers\u201d in this example. Then we\u2019re going to check the boxes in the Scan section for Designate Hosts by their DNS Name, Log Scan Details to Server, Stop Host Scan on Disconnect and Avoid Sequential Scans. Then check the boxes in the Port Scanners section for TCP, SYN, SNMP, Netstat SSH and Ping Host. Leave the Port Scan Range set to default and the Performance options at their default values as well. 
These are useful when you\u2019re done tinkerating to get better performance out of the system, but we\u2019re not really there just yet.<\/p>\n<p><a href=\"http:\/\/krypted.com\/wp-content\/uploads\/2012\/02\/Screen-Shot-2012-02-23-at-9.21.29-PM.png\" rel=\"lightbox[7403]\"><img loading=\"lazy\" decoding=\"async\" title=\"Nessus' General Policy Settings\" src=\"http:\/\/krypted.com\/wp-content\/uploads\/2012\/02\/Screen-Shot-2012-02-23-at-9.21.29-PM-300x238.png\" alt=\"Nessus' General Policy Settings\" width=\"300\" height=\"238\" \/><\/a><\/p>\n<p>Nessus&#8217; General Policy Settings<\/p>\n<p>Click on the Next button to define any credentials you\u2019ll use during scans. Initially, I\u2019d leave this blank, although you can provide SMB information for up to 4 accounts to see what kind of access users have. You can also define Kerberos, SSH and various cleartext credentials as well. We\u2019re going to skip that for now and click Next to define the Plugins.<\/p>\n<p><a href=\"http:\/\/krypted.com\/wp-content\/uploads\/2012\/02\/Screen-Shot-2012-02-23-at-9.23.07-PM.png\" rel=\"lightbox[7403]\"><img loading=\"lazy\" decoding=\"async\" title=\"Giving Nessus Credentials To Your Boxen\" src=\"http:\/\/krypted.com\/wp-content\/uploads\/2012\/02\/Screen-Shot-2012-02-23-at-9.23.07-PM-300x238.png\" alt=\"Giving Nessus Credentials To Your Boxen\" width=\"300\" height=\"238\" \/><\/a><\/p>\n<p>Giving Nessus Credentials To Your Boxen<\/p>\n<p>At the Plugins screen, we\u2019re initially going to leave all of the plugins on. The reason for this is that many of the Lion Server services are similar to those of the various Unix and Linux variants and we can scan SMB with the Windows plugins. These can\u2019t hurt, they might just waste a little time though. Clicking on a Family and then a plugin will show you what each does. 
Clicking on the green light for each will disable it.<\/p>\n<p><a href=\"http:\/\/krypted.com\/wp-content\/uploads\/2012\/02\/Screen-Shot-2012-02-23-at-9.26.48-PM.png\" rel=\"lightbox[7403]\"><img loading=\"lazy\" decoding=\"async\" title=\"Choosing Nessus Plugins\" src=\"http:\/\/krypted.com\/wp-content\/uploads\/2012\/02\/Screen-Shot-2012-02-23-at-9.26.48-PM-300x238.png\" alt=\"Choosing Nessus Plugins\" width=\"300\" height=\"238\" \/><\/a><\/p>\n<p>Choosing Nessus Plugins<\/p>\n<p>Click on Preferences and define any preferences that you need. Amongst the plugin preferences I usually enable network printer scanning, CGI scanning, Enable experimental scripts, set my Report verbosity to Verbose, provide any certificates needed and then hit Submit to create the new Policy.<\/p>\n<p><a href=\"http:\/\/krypted.com\/wp-content\/uploads\/2012\/02\/Screen-Shot-2012-02-23-at-9.30.06-PM.png\" rel=\"lightbox[7403]\"><img loading=\"lazy\" decoding=\"async\" title=\"Defining Nessus Options\" src=\"http:\/\/krypted.com\/wp-content\/uploads\/2012\/02\/Screen-Shot-2012-02-23-at-9.30.06-PM-300x238.png\" alt=\"Defining Nessus Options\" width=\"300\" height=\"238\" \/><\/a><\/p>\n<p>Defining Nessus Options<\/p>\n<p>Next, let\u2019s click back on Scans in the navigation bar on the screen. As you can see here, I\u2019ve created a few template scans, but we\u2019re going to create a new one by clicking on the Add button.<\/p>\n<p><a href=\"http:\/\/krypted.com\/wp-content\/uploads\/2012\/02\/Screen-Shot-2012-02-23-at-9.05.09-PM.png\" rel=\"lightbox[7403]\"><img loading=\"lazy\" decoding=\"async\" title=\"Adding A Nessus Template\" src=\"http:\/\/krypted.com\/wp-content\/uploads\/2012\/02\/Screen-Shot-2012-02-23-at-9.05.09-PM-300x85.png\" alt=\"Adding A Nessus Template\" width=\"300\" height=\"85\" \/><\/a><\/p>\n<p>Adding A Nessus Template<\/p>\n<p>Provide a name for the scan and then choose the Policy you just created. 
Set the Type to Run Now (since we\u2019re just testing) and put the IP address of a target into the Scan Targets field. You can also import a large set of targets using the Browse button and a CSV file or use Schedule or Template rather than Run Now in the Type field to schedule scans or create a template scan. Click Launch to kick off the first scan.<\/p>\n<p><a href=\"http:\/\/krypted.com\/wp-content\/uploads\/2012\/02\/Screen-Shot-2012-02-23-at-9.34.33-PM.png\" rel=\"lightbox[7403]\"><img loading=\"lazy\" decoding=\"async\" title=\"Running a Manual Test Scan\" src=\"http:\/\/krypted.com\/wp-content\/uploads\/2012\/02\/Screen-Shot-2012-02-23-at-9.34.33-PM-300x185.png\" alt=\"Running a Manual Test Scan\" width=\"300\" height=\"185\" \/><\/a><\/p>\n<p>Running a Manual Test Scan<\/p>\n<p>Once started, click on the Reports button in the top nav bar to see the status of the scan.<\/p>\n<p><a href=\"http:\/\/krypted.com\/wp-content\/uploads\/2012\/02\/Screen-Shot-2012-02-23-at-9.47.00-PM.png\" rel=\"lightbox[7403]\"><img loading=\"lazy\" decoding=\"async\" title=\"Completed Nessus Scan\" src=\"http:\/\/krypted.com\/wp-content\/uploads\/2012\/02\/Screen-Shot-2012-02-23-at-9.47.00-PM-300x185.png\" alt=\"Completed Nessus Scan\" width=\"300\" height=\"185\" \/><\/a><\/p>\n<p>Completed Nessus Scan<\/p>\n<p>Once the scan is finished, click on the scan to see a list of vulnerabilities and open ports, sorted by the severity of issues. 
Here, double-click on the host.<\/p>\n<p><a href=\"http:\/\/krypted.com\/wp-content\/uploads\/2012\/02\/Screen-Shot-2012-02-23-at-9.48.44-PM.png\" rel=\"lightbox[7403]\"><img loading=\"lazy\" decoding=\"async\" title=\"Nessus Scan Results Overview\" src=\"http:\/\/krypted.com\/wp-content\/uploads\/2012\/02\/Screen-Shot-2012-02-23-at-9.48.44-PM-300x185.png\" alt=\"Nessus Scan Results Overview\" width=\"300\" height=\"185\" \/><\/a><\/p>\n<p>Nessus Scan Results Overview<\/p>\n<p>The Report screen then shows each service and the vulnerabilities found for that service. Click on one of the vulnerabilities to see what Nessus thinks is problematic with it.<\/p>\n<p><a href=\"http:\/\/krypted.com\/wp-content\/uploads\/2012\/02\/Screen-Shot-2012-02-23-at-9.51.11-PM.png\" rel=\"lightbox[7403]\"><img loading=\"lazy\" decoding=\"async\" title=\"Nessus' Service List\" src=\"http:\/\/krypted.com\/wp-content\/uploads\/2012\/02\/Screen-Shot-2012-02-23-at-9.51.11-PM-300x117.png\" alt=\"Nessus' Service List\" width=\"300\" height=\"117\" \/><\/a><\/p>\n<p>Nessus&#8217; Service List<\/p>\n<p>Now for the fun part. Each of the vulnerabilities listed will have CVEs attached.<\/p>\n<p><a href=\"http:\/\/krypted.com\/wp-content\/uploads\/2012\/02\/Screen-Shot-2012-02-23-at-9.52.40-PM.png\" rel=\"lightbox[7403]\"><img loading=\"lazy\" decoding=\"async\" title=\"Nessus Vulnerability Listing\" src=\"http:\/\/krypted.com\/wp-content\/uploads\/2012\/02\/Screen-Shot-2012-02-23-at-9.52.40-PM-300x275.png\" alt=\"Nessus Vulnerability Listing\" width=\"300\" height=\"275\" \/><\/a><\/p>\n<p>Nessus Vulnerability Listing<\/p>\n<p>By default, Nessus is just looking at the service banners to determine vulnerabilities. If you look up the CVE at CVE Details or PacketStorm you\u2019ll see that it was patched a few months ago by most vendors. Now Nessus can get things wrong with Mac OS X. The issue is that Apple forks the code for many open source projects, not always updating version numbers on banners. 
Looking up or testing whether a vulnerability is still applicable can be tedious but would likely need to be done per service according to your internal security policies.<\/p>\n<p>An easy way to test these vulnerabilities is to use Metasploit, a tool I\u2019m long overdue to write an article on. Another way is to try and run the exploit against the host. Apple does a pretty good job of addressing CVEs in their security updates, so don\u2019t waste a lot of time trying things if Apple has already patched them. I have found a really good tool for automatically attempting to exploit via msf + nessus to be Carlos Perez\u2019 auto exploit tool, available on\u00a0<a href=\"https:\/\/github.com\/darkoperator\/Metasploit-Plugins\/blob\/master\/auto-exploit.rb\">GitHub<\/a>.<\/p>\n<p>Finally, Nessus is a great tool for scripting. One of the big differences that throws off many an experienced Nessus operator with the version for the Mac is the location of the Nessus binaries. They are in \/Library\/Nessus\/run\/bin. In here you\u2019ll find nasl, nessus, nessus-fetch, nessuscmd etc. The command line control here is pretty awesome. Let\u2019s run nessuscmd to scan a subnet of hosts (192.168.210.0\/24):<\/p>\n<p>sudo \/Library\/Nessus\/run\/bin\/nessuscmd 192.168.210.0\/24<\/p>\n<p>There are tons of other options for nessuscmd, such as adding SSH keys, SMB logins, scanner options, using a remote nessus server, etc. Or use the nessus binary to kick off scans using a nessus config file. The nessus.conf file is also stored in the \/Library\/Nessus\/run\/etc\/nessus directory and is worth looking into.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>One of my favorite tools for penetration testing is Nessus from Tenable Network Security. 
Nessus 5 is the latest release in the [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1264","post","type-post","status-publish","format-standard","hentry","category-info-on-tech"],"_links":{"self":[{"href":"https:\/\/blog.designed79.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/1264","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.designed79.co.uk\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.designed79.co.uk\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.designed79.co.uk\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.designed79.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1264"}],"version-history":[{"count":0,"href":"https:\/\/blog.designed79.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/1264\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.designed79.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1264"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.designed79.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1264"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.designed79.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1264"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}