This computing blog reflects my experience in the world of computing. My posts are about information security and the Internet. The techniques and tools explained here are meant to promote information security within the philosophy of ethical hacking. Online since 2005.

NESSUS, a free network scanner.

Nessus is a tool for scanning networks and finding security holes in different operating systems. Besides scanning ports, Nessus scans for vulnerabilities using constantly updated plugins written in NASL (Nessus Attack Scripting Language), a scripting language optimized for network interactions. It is made up of two parts, a client and a server, which are normally installed on the same machine but can be very useful separately for remote management of network security.

It offers several scan modes, among them a very powerful one called "unsafe", which uses various exploits; this mode can crash or corrupt systems, so it should be used with great care. Results can be exported in many formats and are also kept in a database in which they can be compared with each other. Nessus runs on the following operating systems: Linux, FreeBSD, Solaris, Mac OS X, and Windows 2000, XP and 2003 (32-bit).

Here is an example of the results of a scan performed with Nessus:

http (80/tcp)

The remote web server seems to be vulnerable to a format string attack on HTTP 1.0 header value.
An attacker might use this flaw to make it crash or even execute arbitrary code on this host.

Solution: upgrade your software or contact your vendor and inform him of this vulnerability

Risk Factor : High
Plugin ID :
15642

Port is open
Plugin ID :
11219
A web server is running on this port
Plugin ID :
10330

Synopsis :

Remote web server is not or badly configured

Description :

The remote web server seems to have its default welcome page set.
It probably means that this server is not used at all.

Solution:

Disable this service, as you do not use it

Risk Factor :

None / CVSS Base Score : 0
(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)
Plugin ID :
11422

The following directories were discovered:
/cgi-bin, /icons, /manual

While this is not, in and of itself, a bug, you should manually inspect these directories to ensure that they are in compliance with company security standards

Other references : OWASP:OWASP-CM-006
Plugin ID :
11032

The remote web server type is :

Apache/1.3.33 (Darwin)

Solution: You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.
Plugin ID : 10107

Synopsis :

The remote Apache server can be used to guess the presence of a given user name on the remote host.

Description :

When configured with the 'UserDir' option, requests to URLs containing a tilde followed by a username will redirect the user to a given subdirectory in the user home.

For instance, by default, requesting /~root/ displays the HTML contents from /root/public_html/.

If the username requested does not exist, then Apache will reply with a different error code. Therefore, an attacker may exploit this vulnerability to guess the presence of a given user name on the remote host.

Solution:

In httpd.conf, set the 'UserDir' to 'disabled'.

Risk Factor :

Low / CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)
CVE : CVE-2001-1013
BID : 3335
Plugin ID :
10766

ntp (123/udp)

It is possible to determine a lot of information about the remote host by querying the NTP (Network Time Protocol) variables - these include OS descriptor, and time settings.

It was possible to gather the following information from the remote NTP host :

version='ntpd 4.1.1@1.786 Sun Mar 20 15:40:56 PST 2005 (1)',
processor='Power Macintosh', system='Darwin8.9.0', leap=0, stratum=3,
precision=-18, rootdelay=127.663, rootdispersion=341.525, peer=63308,
refid=xx.xxx.xxx.xx, reftime=0xc9e1db36.0ad83c6c, poll=13,
clock=0xc9e1ef2f.94560c7c, state=4, offset=15.376, frequency=-12.998,
jitter=93.360, stability=1.789
Quickfix: Set NTP to restrict default access to ignore all info packets: restrict default ignore

Risk Factor : Low
Plugin ID :
10884
imap (143/tcp)

Synopsis :

An IMAP server is running on the remote host.

Description :

An IMAP (Internet Message Access Protocol) server is installed and running on the remote host.

Risk Factor :

None

Plugin output :

The remote imap server banner is :
* BYE [ALERT] Cannot connect to IMAP server connect error 10061

Plugin ID :
11414

smtp (25/tcp)

The SMTP server on this port answered with a 421 code.
This means that it is temporarily unavailable because it is overloaded or any other reason.

** Nessus tests will be incomplete. You should fix your MTA and
** rerun Nessus, or disable this server if you don't use it.

Plugin ID : 18528

For some reason, we could not send the 42.zip file to this MTA
BID : 3027
Plugin ID :
11036

general/tcp

The remote host is running Mac OS X 10.4.9
Plugin ID :
11936

It is possible to crash the remote host by sending it an SCTP packet.

Description :

There is a flaw in the SCTP code included in Linux kernel versions 2.6.16.x that results in a kernel panic when an SCTP packet with an unexpected ECNE chunk is received in a CLOSED state. An attacker can leverage this flaw to crash the remote host with a single, possibly forged, packet.

See Also :

http://labs.musecurity.com/advisories/MU-200605-01.txt
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.17

Solution:

Upgrade to Linux kernel version 2.6.17 or later.

Risk Factor :

Low / CVSS Base Score : 3
(AV:R/AC:H/Au:NR/C:N/A:C/I:N/B:N)
CVE : CVE-2006-2271
BID : 17910
Plugin ID :
21560

End of example.
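The report above is a plain-text export, and a defender's first job with such output is turning it into a triage list. The following Python parser is an added example (not part of the original post, and not Nessus code) that reads the layout shown above, a "service (port/proto)" header followed by finding text and a "Plugin ID :" line whose number sits on the same or the next line, and sorts findings by their Risk Factor; the embedded report excerpt is constructed sample data modelled on the output above.

```python
import re

# Constructed sample data modelled on the report layout quoted above (not a
# real scan): port headers, finding text, then "Plugin ID :" and the number.
SAMPLE_REPORT = """\
http (80/tcp)
The remote web server seems to be vulnerable to a format string attack on HTTP 1.0 header value.
Risk Factor : High
Plugin ID :
15642

The remote Apache server can be used to guess the presence of a given user name on the remote host.
Risk Factor :

Low / CVSS Base Score : 2
CVE : CVE-2001-1013
Plugin ID :
10766

general/tcp
The remote host is running Mac OS X 10.4.9
Plugin ID : 11936
"""

PLUGIN_RE = re.compile(r"Plugin ID\s*:\s*(\d+)")  # id may be on the next line
SERVICE_RE = re.compile(r"^(?:\S+ \(\d+/(?:tcp|udp)\)|general/(?:tcp|udp))$", re.M)
RISK_RE = re.compile(r"Risk Factor\s*:\s*(None|Low|Medium|High|Critical)", re.I)
CVSS_RE = re.compile(r"CVSS Base Score\s*:\s*(\d+(?:\.\d+)?)")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
RISK_ORDER = {"None": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

def parse_report(text):
    """Split a Nessus text report into one dict per finding."""
    parts = PLUGIN_RE.split(text)  # [body, id, body, id, ..., trailing text]
    findings, service = [], None
    for body, pid in zip(parts[0::2], parts[1::2]):
        headers = SERVICE_RE.findall(body)
        if headers:  # a new port section starts inside this chunk
            service, body = headers[-1], SERVICE_RE.sub("", body)
        body = body.strip()
        risk, cvss = RISK_RE.search(body), CVSS_RE.search(body)
        findings.append({"service": service, "plugin_id": pid,
                         "risk": risk.group(1).title() if risk else "None",
                         "cvss": float(cvss.group(1)) if cvss else None,
                         "cves": CVE_RE.findall(body), "summary": body.split("\n", 1)[0]})
    return findings

def triage(findings, minimum="Low"):
    """Findings at or above the given risk level, highest first."""
    keep = [f for f in findings if RISK_ORDER[f["risk"]] >= RISK_ORDER[minimum]]
    return sorted(keep, key=lambda f: RISK_ORDER[f["risk"]], reverse=True)
```

Findings that state no Risk Factor (informational plugins such as "Port is open") are recorded as "None" and drop out of the triage list unless you pass `minimum="None"`.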
More information and Nessus download:
http://www.nessus.org
Reviewed by Álvaro Paz on Monday, May 14, 2007.
This Information Security blog is published under a Creative Commons license, Álvaro Paz. Powered by Blogger.