
Open Source Security Tools: Practical Guide to Security Applications part 17



- Once you are logged in, you can access the other tab sections.
- The Plugins tab is where you can selectively enable or disable certain groups of plug-ins as well as individual plug-ins (see Figure 5.2).
- Each category is listed, and when you click on a category the individual plug-ins in that category appear in the lower section.
- By deselecting the box to the right of an item, you can disable that category or plug-in.
- Plug-ins that may cause a problem with a service or can crash servers are highlighted with a triangular exclamation symbol (see Figure 5.2).
- You can use the Filter button to sort the plug-ins by Name, Description, Summary, Author, ID number, or Category.
- I recommend that you generally run Nessus with dangerous plug-ins disabled, unless you have prepared for a true denial of service test and are willing to risk crashing some of your servers.
- Most of the server-side Nessus options are configured on the Preferences tab (see Figure 5.3).
- Figure 5.2 Nessus Plugins Tab.
- Nmap: You use these Nmap settings to customize the configuration of how the port scan part of the test runs.
- You can also enter a location for an Nmap results file so that Nessus will use that data rather than run a new scan.
- Ping the remote host: This selection lets you ping the machines on the target network to determine first if they are alive, or just scan all the IPs in the target range.
- This is the setting I recommend using most of the time, because you don’t want to waste time and bandwidth running the tests against dead addresses.
- However, if you are scanning from outside a firewall, you may want to run Nessus without pinging the hosts so you don’t risk missing anything.
- You can also configure the number of tries it makes before considering a nonresponding host dead.
- The default of 10 is probably too high for most high-speed networks.
- Unless you are scanning from a dial-up connection, turn the retries rate down to 3 to speed up the scan.
- Figure 5.3 Nessus Preferences Tab.
- You can also set whether dead hosts should appear in the report.
- Usually you don’t want these to be included because they will skew your overall scan statistics, reporting that there are more hosts scanned on your network than there really are.
- However, this can be useful when you want to know each IP that was contacted.
- Login configurations: This section is where you set up login accounts if you want Nessus to test some services at a deeper level.
- However, if you specify an account and password for a certain service, Nessus will run additional tests on it.
- For example, if you enter a Windows domain login (SMB account), it will further test your Windows domain security as a logged-on user.
- You can have it test FTP, HTTP, IMAP, NNTP, POP2, POP3, and SNMP services with valid logins.
- You can give it the specific URL and form fields to be filled in.
- Brute-force login (Hydra): This section lets you take advantage of the add-on program Hydra, which tests the integrity of your system’s passwords.
- With Hydra, you can attempt brute force on the following services:
- SMB use host SID to enumerate local users: This section gives a range of User ID (UID) numbers to try to get additional information about the user names in the domain.
- The default uses UIDs which always encompasses at least the administrator and guest user accounts on Windows networks.
- You can specify certificates to check and get reports on the level of encryption your Web servers will accept.
- You can also change the default start directory.
- Information on the News Server: If there is a Network News (NNTP) server located on any of the IPs in the target range, Nessus checks the settings and restrictions set on postings.
- Test HTTP dangerous methods: The Integrist test checks to see if any Web servers on the network will allow dangerous commands such as PUT and DELETE.
- This is disabled by default because the test could delete your home page if your server responds to these commands.
- The default setting checks the permissions listed by the file system and responds if one shows as being writable.
- You can also have it ignore what the file system says and try to write a file anyway to test that there are no writable directories.
- Again, like the Integrist test above, be careful with this option because you could end up overwriting files on your FTP server.
- Nessus.org is used as the default domain the test mail would be coming from, though this is configurable here.
- You may want to change this address if you are an outside consultant and want your client to know where the dummy e-mails are coming from.
- However, don’t use your own domain if you are scanning from within a company.
- However, if you do run a NIDS on your network and want to see if it’s really working, you can run these tests to see if it picks up your scans.
- Most modern NIDS will catch these tricks, but if you have an older system or one that hasn’t been patched in a while, it is worth trying these to see if your NIDS catches them.
- Unlike the individual tests on the Preferences tab, this tab contains settings that affect the overall scan (see Figure 5.4).
- Port range: This controls which ports are scanned during the port scan phase of the test.
- The default is 1–15,000, which should catch most normal services.
- However, you should open it up to scan all 65,535 TCP and UDP ports if you want to search for Trojan horses and other services operating on unusual high ports.
- You should do a full port scan of the machines on your network on a regular basis, either monthly or quarterly depending on the network size.
- If you didn’t set your port range wide enough in the last option, you may miss something, but it makes your scan run faster and puts less traffic on the network.
- In fact, on average server machines (under 2 GHz), I recommend changing this to 10 hosts from the default setting of 30.
- However, if you have a super-server and have a very large network, you can try turning it up as high as you can get away with.
- The default setting of 10.
- however, you can do more or fewer depending on how much horsepower your Nessus server has.
- Path to the CGIs: This is the default location where Nessus will look for CGI scripts on the remote system to test them.
- If you have an unusual configuration on a machine, you should change this to the correct path so that Nessus will test your CGIs.
- Do a reverse lookup on the IP before testing it: This setting attempts to do a reverse DNS lookup and determine every IP’s hostname before testing them.
- You can disable this here so Nessus will run every test on every host regardless of what the port scan finds.
- It will depend on banners or
- Figure 5.4 Nessus Scan Options Tab.
- Designate hosts by their MAC address: Enable this option if you want Nessus to show hosts in the report by their MAC address rather than IP address, which is the default.
- If you have a good database of MAC addresses on your network and you have a hard time correlating IP addresses to specific hosts because of DHCP, this may create a more useful report for you.
- This is usually done to run scans at unusual times without human intervention.
- You can use this to set up an automatic scan of your network on a scheduled basis.
- However, if you don’t want to set up the Web server and database required by NCC, this feature is a quick and easy way to do a regular scan.
- Port scanner: This has several global settings for the port scanner portion of the test.
- The benefit of using this is that it is much less memory-intensive and faster.
- However, it is noisier on the network and will leave logs on most machines it scans.
- Nmap: This uses Nmap and the assorted settings configured on the Preferences tab for the port scan.
- This eliminates some of the noise of the scan but still doesn’t give you the granular control that Nmap does.
- Ping the remote host: This pings hosts in the target range to make sure they are alive before performing any tests on them.
- The following list describes the ways you can designate scan targets.
- Any combination of the above separated by commas.
- There are several options you can set on this tab.
- This must be a standard text file with addresses formatted as in the above example.
- Save this session: Keeps a record of the targets and settings so they can be restored at a future date.
- By default, this is turned on.
- Figure 5.5 Nessus Target Selection Tab.
- Previous sessions: This lists all your previously run sessions and allows you to reload them by clicking on the listing.
- This tab shows all the users you have set up to use the Nessus server and any rules associated with those users (for example, only able to log on from a specific IP address).
- These are set up when you create the user with the nessus-adduser script, but you can also edit or add rules for any users from this tab at any time.
- This is one of the most useful features Nessus offers.
- The Knowledge Base keeps track of all the scans you have done.
- Figure 5.6 Nessus Knowledge Base Tab.
- Test all hosts: This is the default setting.
- Test only hosts that have been tested in the past: This setting has Nessus test only hosts that it has tested in the past in the target range.
- This reduces network traffic a little, but Nessus won’t test any machines on your network that have been added since your last scan.
- Test only hosts that have never been tested in the past: This is the opposite of that last setting.
- It looks only for new hosts on the target network.
- This is useful for doing a quick check for new machines on your network without scanning your existing machines.
- Do not execute scanners that have already been executed.
- This skips the port scanning portion of the test, relying on the results of past port scans.
- Do not execute info gathering plug-ins that have already been executed.
- Nessus won’t run any information-gathering plug-ins that were run on previous scans.
- Any new information-gathering plug-ins that have been released and you have loaded since the last scan will be run.
- Do not execute attack plug-ins that have already been executed.
- This does the same as the last setting, but for attack plug-ins.
- Do not execute DoS plug-ins that have already been executed.
- This does the same as the previous two settings, but applies to Denial of Service plug-ins.
- This can be useful to see what has changed on your network since the last scan.
- The default setting is 86,400 seconds, which is one day.
- You can set this up to 60 days, which is 5,184,000 seconds.
- You can see each host being tested and how far along in the process it is
