Nessus介紹及報(bào)表分析

1、Nessus介紹及報(bào)表分析姓名：呂芳發(fā)1大綱Nessus介紹報(bào)表分析風(fēng)險(xiǎn)評分標(biāo)準(zhǔn)及相關(guān)資料庫案例2系統(tǒng)弱點(diǎn)掃描網(wǎng)路上作業(yè)系統(tǒng)或應(yīng)用軟體存在許多漏洞利用工具發(fā)現(xiàn)系統(tǒng)弱點(diǎn)改善系統(tǒng)弱點(diǎn),確保系統(tǒng)安全3Nessus主要特點(diǎn)R. Deraison成立一個(gè)計(jì)劃，命名為Nessus，在透過許多同好的協(xié)助與網(wǎng)路社群討論修改，於1998年4月首次發(fā)表Nessus 免費(fèi)下載、功能強(qiáng)大、架構(gòu)完整、更新迅速且相當(dāng)容易使用的主機(jī)安全稽核掃瞄軟體發(fā)展目的是幫助系統(tǒng)管理者搜尋系統(tǒng)主機(jī)的弱點(diǎn)所在，讓系統(tǒng)管理者對主機(jī)進(jìn)行錯(cuò)誤的更正或防護(hù)，以避免被入侵者攻擊Nessus的可延伸性使得掃描更具有發(fā)展空間，因?yàn)樗S意增加原本所沒有的

2、偵測模式，而外掛模組(Plugins)就是對每個(gè)安全漏洞的描述和稽核，因此擴(kuò)充外掛模組就可提升軟體的稽核能力4Nessus主要特點(diǎn)外掛Plugins：使用者可依需求修改外掛模組，而不需修改內(nèi)部核心的程式碼時(shí)常性更新弱點(diǎn)資料庫：Nessus的開發(fā)維護(hù)人員每天專注於檢查最新的安全漏洞支援作業(yè)平臺(tái)包括：Linux, FreeBSD, Solaris, Windows等5Nessus安裝6Nessus安裝7Nessus安裝8Nessus安裝9系統(tǒng)弱點(diǎn)掃描工具軟體:Nessus-()10Nessus 使用11Nessus 使用12Nessus 掃描結(jié)果說明掃瞄位址：顯示目前掃描及狀況分析的主機(jī)IP訊息代

3、碼(Plugin information)：顯示此弱點(diǎn)代表的ID碼，透過這個(gè)ID碼可以到Nessus網(wǎng)站找到此弱點(diǎn)更詳細(xì)的說明弱點(diǎn)(Vulnerability)：顯示風(fēng)險(xiǎn)等級，若是”hole”狀況，請立即處理相關(guān)安全問題狀況描述(Description)：描述這個(gè)弱點(diǎn)發(fā)生的原因解決方法(Solution)：提供管理人員解決上述弱點(diǎn)的解決方案與建議。13Nessus Report14Nessus ReportNessus的分析報(bào)告包含三種安全等級：安全紀(jì)錄（Notes）：透過測試的結(jié)果，可以獲得某些系統(tǒng)資訊。安全警告（Warning）：測試的結(jié)果，可能影響系統(tǒng)安全 。安全漏洞（Hole）：測試的

4、結(jié)果，嚴(yán)重影響到系統(tǒng)安全。15Common Vulnerability Scoring System（CVSS） 弱點(diǎn)（vulnerabilities）是網(wǎng)絡(luò)安全中的一個(gè)重要因素,通用弱點(diǎn)評價(jià)系統(tǒng)（CVSS）是由美國國家基礎(chǔ)建設(shè)諮詢委員會(huì) (NIAC) 開發(fā)的一個(gè)開放並且能夠被產(chǎn)品廠商免費(fèi)採用的標(biāo)準(zhǔn)。使用標(biāo)準(zhǔn)的數(shù)學(xué)方程式，來判定威脅的嚴(yán)重性，列入評估標(biāo)準(zhǔn)的因素，還包括安全弱點(diǎn)能否被遠(yuǎn)端利用，或是攻擊者是否需要登入，才能利用此一弱點(diǎn)。利用該標(biāo)準(zhǔn)，可以對弱點(diǎn)進(jìn)行評分，幫助我們判斷修復(fù)不同弱點(diǎn)的優(yōu)先等級。16Common Vulnerability Scoring System（CVSS） 17Co

5、mmon Vulnerability Scoring System（CVSS） 如果漏洞既可遠(yuǎn)程利用，又可以本地利用，取值應(yīng)該為遠(yuǎn)程利用的值。 攻擊複雜度的值為低/中/高。 需要認(rèn)證的例子，如需要預(yù)先有Email、FTP帳號等 。18Common Vulnerability Scoring System（CVSS） BaseScore = round_to_1_decimal(10 * AccessVector * AccessComplexity * Authentication * (ConfImpact * ConfImpactBias) + (IntegImpact * IntegIm

6、pactBias) + (AvailImpact * AvailImpactBias)19Common Vulnerability Scoring System（CVSS） Medium / CVSS Base Score : 5 (AV:R/AC:L/Au:NR/C:P/A:N/I:P/B:N)該漏洞的影響為中，CVSS基本評價(jià)分值為5分，其中分項(xiàng)取值表格 - BASE METRIC EVALUATION SCORE - Access Vector Remote(1.00) Access Complexity Low (1.00) AuthenticationNot-Required(1.0

7、0) Confidentiality ImpactPartial (0.70) Integrity ImpactPartial (0.70) Availability Impact None(0.00) Impact Bias Normal(0.333) - BASE FORMULABASE SCORE - round(10 * 1.0 * 1.0 * 1.0 * (0.7 * 0.333) + (0.7 * 0.333) + (1.0 * 0.333) = (4.66) 20IAVs IAVA- Information Assurance Vulnerability Alert alerts

8、 of high priority ,must be eradicated from the network IAVB- bulletins of medium priority , do not pose an immediate threatIAVT- technical notes on vulnerabilities , without remediation urgency21CVE Common Vulnerabilities and Exposuresfree for public useCVE is a dictionary of publicly known informat

9、ion security vulnerabilities and exposures.22OSVDB 開放原始碼弱點(diǎn)資料庫（The Open Source Vulnerability Database，簡稱OSVDB）將網(wǎng)際網(wǎng)路相關(guān)軟體的安全瑕疵分類，供使用者查詢。23Nessus Reportrtsp (554/tcp)Synopsis :The remote RTSP (Real Time Streaming Protocol) server is prone to a buffer overflow attack. Description :The remote host is runn

10、ing Helix Server or Helix DNA Server, a mediastreaming server. The version of the Helix server installed on the remote hostreportedly contains a heap overflow that is triggered using an RTSPcommand with multiple Require headers. An unauthenticated remoteattacker can leverage this flaw to execute arb

11、itrary code subject tothe privileges under which it operates, by default LOCAL SYSTEM onWindows. Solution:Upgrade to Helix Server / Helix DNA Server version 11.1.4 or later. Risk Factor :Critical / CVSS Base Score : 10.0(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)24Nessus Reportmysql (3306/tcp)Synopsis :An un

12、passworded database server is listening on the remote port.Description :The remote host is running MySQL, an open-source database server. Itis possible to connect to the remote database using one of thefollowing unpassworded accounts :- root - anonymousThis may allow an attacker to launch further at

13、tacks against thedatabase. Solution:Disable the anonymous account or set a password for the root account. Risk Factor :High / CVSS Base Score : 7 (AV:R/AC:L/Au:NR/C:P/A:P/I:P/B:N)25Nessus Reportftp (21/tcp)Synopsis : You seem to be running an which is vulnerable.An attacker may use this problem to e

14、xecute arbitrary commands on this host.Solution: Upgrade your software to the latest version.Risk Factor : HighCVE : CVE-2001-0249, CVE-2001-0550BID : 2550, 3581Other references : IAVA:2001-b-0004, OSVDB:686, OSVDB:8681Plugin ID : 1082126Nessus Report27Nessus Report28Nessus Report 29Nessus Reportftp

15、 (21/tcp)The remote is vulnerable to a SQL injection whenit processes the USER command.An attacker may exploit this flaw to log into the remote hostas any user.Solution: If the remote server is ProFTPd, upgrade to ProFTPD 1.2.10 whenavailable, or switch the SQL backend to PostgreSQL.Risk Factor : Hi

16、ghBID : 7974Plugin ID : 1176830Nessus Reporthttp (80/tcp) The following URLs seem to be vulnerable to BLIND SQL injectiontechniques : /internal/news.php?-=&user_id=+AND+ba&password=/internal/news.php?-=&user_id=+AND+1=1&password=/internal/news.php?-=&user_id=+AND+1=1)&password=/internal/news.php?-=&

17、user_id=/*/&password=An attacker may exploit this flaws to bypass authenticationor to take the control of the remote database.Solution: Modify the relevant CGIs so that they properly escape argumentsRisk Factor : HighSee Also : Plugin ID : 1113931Nessus ReportSQL Injection 是使用者輸入的資料中夾帶 SQL 指令，在設(shè)計(jì)不良的

18、程式忽略了檢查，這些夾帶進(jìn)去的指令就會(huì)被資料庫伺服器誤認(rèn)為是正常的SQL指令而執(zhí)行，因此招致到破壞。利用SQL Injection 可植入惡意程式。32Nessus Reporthttp (80/tcp) The following URLs seem to be vulnerable to various SQL injection techniques : /doclink/formlink01.asp?-=+OR+a Edit - Home Directory - Configuration. Click the Add button, specify C:winntsystem32in

19、etsrvasp.dll as the executable (may be different depending on your installation), enter .asa as the extension, limit the verbs to GET,HEAD,POST,TRACE, ensure the Script Engine box is checked and click OK.Risk Factor : HighPlugin ID : 1099138Nessus Reporthttp (80/tcp) The remote host is using a versi

20、on of OpenSSL which isolder than 0.9.6m or 0.9.7dThere are several bug in this version of OpenSSL which may allowan attacker to cause a denial of service against the remote host.Solution: Upgrade to version 0.9.6m (0.9.7d) or newerRisk Factor : HighCVE : CVE-2004-0079, CVE-2004-0081, CVE-2004-0112BI

21、D : 9899Other references : IAVA:2004-B-0006, OSVDB:4316, OSVDB:4317, OSVDB:4318Plugin ID : 1211039Nessus Reportsnmp (161/udp)Synopsis :The community name of the remote SNMP server can be guessed.Description :It is possible to obtain the default community names of the remoteSNMP server.An attacker may use this information to gain more knowledge aboutthe remote host, or to change the configuration of the remotesystem .Solution: Disable the SNMP service on the remote host if you do not use it,filter incoming UDP packets going to this port, or change the default community string.Risk Fa