The Nessus vulnerability scanner was created by the Nessus Development Team, lead by Renaud Deraison. Nessus is incredibly useful, including some distinct advantages over other tools in this genre (including the commercial tools). Its advantages include:
You can review the source code of the main tool and any of the security checks to make sure that nothing "fishy" is going on.
You can write your own vulnerability checks and incorporate them into the tool.
A large group of developers is involved around the world creating new vulnerability checks.
The price is right: US $0.00.
Nessus includes a variety of vulnerability checks, implemented in a modular architecture. Each vulnerability check is based on a small program called a plug-in. One plug-in conducts one check of each target system. Together, these plug-ins comprise the Nessus vulnerability database. Nessus has more than 500 distinct plug-ins that check for a variety of vulnerabilities. The plug-ins are divided into the following categories:
Finger abusesThese checks all center on the Finger service commonly used (and misconfigured) on UNIX systems.
WindowsThis category focuses on attacks against Windows systems, ranging from Window 9x to Windows 2000 and everything in between.
Back doorsThese checks look for signs of back-door tools installed on the target system, including Back Orifice and NetBus.
Gain a shell remotelyThis category of plug-ins looks for vulnerabilities that allow an attacker to gain command-line access to the target system.
CGI abusesThese checks look for vulnerable Common Gateway Interface scripts. These scripts are run on Web servers and are used to implement Web applications.
GeneralThis catchall category includes a variety of checks, such as gathering the server type and version number for Web servers, FTP servers, and mail servers.
Remote file accessThese checks look for vulnerabilities in file sharing, including the Network File System (NFS) and Trivial File Transfer Protocol (TFTP).
RPCThese plug-ins scan for vulnerable Remote Procedure Call programs.
FirewallsThese checks look for misconfigured firewall systems.
FTPThis category includes a very large number of checks for misconfigured and unpatched FTP servers.
SMTP problemsThese plug-ins look for vulnerable mail servers.
Useless servicesThese checks determine whether the target is running any services that have doubtful functional value.
Gain root remotelyThese plug-ins look for the holy grail of vulnerabilities, the ability to have superuser access on the target system across the network.
NISThese checks look for vulnerabilities in the Network Information Service used by UNIX machines to share account information.
Denial of serviceThese attacks look for vulnerable services that can be crashed across the network. Many of these tests will actually cause the target system to crash.
MiscellaneousThis is another catchall category of plug-ins, including tracerouting and system fingerprinting.
Nessus also includes Nmap as its built-in port-scanning tool, increasing its usefulness tremendously.
The Nessus Architecture
Nessus is based on a classic client/server architecture, where the client includes a user configuration tool and a results repository/report-generation tool. The Nessus server includes a vulnerability database (the set of plug-ins), a knowledge base of the current active scan, and a scanning engine. The Nessus client/server architecture is shown in Figure 2.
Figure 2 The Nessus architecture.
Nessus supports strong authentication for the client-to-server communication, based on public key encryption. Furthermore, the confidentiality and integrity of all communication between clients and servers are supported using strong encryption based on the twofish and ripemd algorithms. The separation of client and server can be useful in some network architectures, particularly with remote locations connected via low-bandwidth links. The client can configure the server over the low-bandwidth link, while the server at a remote location can scan the targets at that location over a faster short-range network. The most common use of the tool, however, involves running the client and server on a single machine. For my own scanning adventures, I carry a Linux laptop that includes both the client and the server.
The Nessus server runs on a variety of UNIX platforms, including FreeBSD, Linux, and Solaris. An earlier version of the Nessus server was written for Windows NT, but that version isn't getting much development attention lately and has significantly fewer capabilities. Because of its limited capabilities and lack of current support, I recommend that you avoid the Nessus server on Windows NT and install the Linux version instead. The Nessus client runs on FreeBSD, Linux, and Solaris, and also includes Windows support, running on Windows 9x and Windows NT/2000. Additionally, a Java-based client offers generous platform support because it can be run on any Java-enabled system, such as a Macintosh running a Netscape browser.
Configuring Nessus for a Scan
Nessus includes an easy-to-use GUI, shown in Figure 3, that allows for the configuration of the tool. Via the GUI, a user can configure:
Which plug-ins to run
Target systems (networks or individual systems)
Port range and types of port scanning (all Nmap scan types are supported)
The port for client/server communication
Encryption algorithms for client-to-server communication
E-mail address for sending the report
Figure 3 The Nessus GUI supports the selection of various plug-ins.