Brain Dump:Nessus
From Matt's Network Monitor
For vulnerability scanning of an individual host, a Nessus scan will eventually be implemented. The Nessus results will be used to display the potential vulnerabilities found on that host, and then passed to Metasploit to permit live, in-session exploitation of that host.
Here is a result entry from a Nessus scan in .nbe format. Each record is a single pipe-delimited line (results|subnet|host|port|plugin ID|severity|data); line breaks inside the plugin text are stored as literal \n and \r\n sequences:
results|10.10.2|10.10.2.114|https (443/tcp)|11213|Security Warning|\nSynopsis :\n\nDebugging functions are enabled on the remote web server. \n\nDescription :\n\nThe remote webserver supports the TRACE and/or TRACK methods. TRACE\nand TRACK are HTTP methods which are used to debug web server\nconnections. \n\nIn addition, it has been shown that servers supporting the TRACE\nmethod are subject to cross-site scripting attacks, dubbed XST for\n"Cross-Site Tracing", when used in conjunction with various weaknesses\nin browsers. An attacker may use this flaw to trick your legitimate\nweb users to give him their credentials. \n\nSee also :\n\nhttp://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf\nhttp://www.apacheweek.com/issues/03-01-24\nhttp://www.kb.cert.org/vuls/id/867593\n\nSolution :\n\nDisable these methods.\n\nRisk factor :\n\nMedium / CVSS Base Score : 5.0\n(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)\nSolution : \n\nAdd the following lines for each virtual host in your configuration file :\n\n RewriteEngine on\n RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)\n RewriteRule .* - [F]\n\nAlternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2\nsupport disabling the TRACE method natively via the 'TraceEnable'\ndirective.\n\n\n\nPlugin output :\n\nThe server response from a TRACE request is : \n\n\r\nTRACE /Nessus1872908457.html HTTP/1.1\r\nConnection: Close\r\nHost: 10.10.2.114\r\nPragma: no-cache\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\nAccept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*\r\nAccept-Language: en\r\nAccept-Charset: iso-8859-1,*,utf-8\r\n\r\n\nCVE : CVE-2004-2320\nBID : 9506, 9561, 11604\nOther references : OSVDB:877, OSVDB:3726\n
Metasploit requires the following data to cross-reference a Nessus scan:
- A vulnerability entry:
  - has_many Ports
  - has_many References
  - NASL ID in the format 'NSS-#####'
  - Data, the textual output provided by Nessus
- Any number of reference entries:
  - name (CVE/BID/Other)
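As an added example (not code from this page, nor from Nessus or Metasploit), the following Python parser reads .nbe results rows like the one above and pulls out exactly the fields listed for the Metasploit cross-reference: the plugin ID rewritten as 'NSS-#####', the port and protocol, the unescaped plugin text, and the CVE/BID/other references. The sample input is constructed: the results row is an abridged copy of the record above (description text shortened, escaping and reference lines unchanged); the 'timestamps' row and the open-port row with an empty plugin ID are assumed shapes included only to show which rows must be skipped.

```python
"""Parse Nessus .nbe 'results' rows into the fields Metasploit cross-references."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample file. The 'results' row with plugin 11213 is an abridged
# copy of the record shown on the page; the 'timestamps' row and the
# open-port row (empty plugin ID) are assumed shapes, not taken from the page.
SAMPLE_NBE = "\n".join([
    r"timestamps|||scan_start|Wed Mar 12 10:00:00 2008|",
    r"results|10.10.2|10.10.2.114|https (443/tcp)|||",
    r"results|10.10.2|10.10.2.114|https (443/tcp)|11213|Security Warning|"
    r"\nSynopsis :\n\nDebugging functions are enabled on the remote web server. \n\n"
    r"Description :\n\nThe remote webserver supports the TRACE and/or TRACK methods.\n\n"
    r"Solution :\n\nDisable these methods.\n\nRisk factor :\n\nMedium / CVSS Base Score : 5.0\n"
    r"(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\nPlugin output :\n\n"
    r"The server response from a TRACE request is : \n\n\r\nTRACE /Nessus1872908457.html HTTP/1.1\r\n"
    r"Host: 10.10.2.114\r\n\r\n\nCVE : CVE-2004-2320\nBID : 9506, 9561, 11604\n"
    r"Other references : OSVDB:877, OSVDB:3726\n",
])


@dataclass
class Reference:
    name: str    # CVE, BID, or the scheme of an "Other references" entry (e.g. OSVDB)
    value: str


@dataclass
class Vuln:
    subnet: str
    host: str
    service: Optional[str]
    port: Optional[int]      # None for "general/<proto>" pseudo-ports
    proto: str
    nasl_id: str             # Nessus plugin ID in Metasploit's 'NSS-#####' form
    severity: str
    cvss: Optional[float]
    data: str                # plugin text with the .nbe escaping undone
    refs: list[Reference] = field(default_factory=list)


def parse_port(desc: str):
    """'https (443/tcp)' -> ('https', 443, 'tcp'); 'general/tcp' -> ('general', None, 'tcp')."""
    m = re.fullmatch(r"(?:(\S+)\s+)?\((\d+)/(\w+)\)", desc)
    if m:
        return m.group(1), int(m.group(2)), m.group(3)
    m = re.fullmatch(r"(\w+)/(\w+)", desc)
    if m:
        return m.group(1), None, m.group(2)
    raise ValueError(f"unrecognised port field: {desc!r}")


def unescape_data(data: str) -> str:
    """The plugin text sits on one line with literal backslash-r / backslash-n pairs."""
    return data.replace("\\r", "\r").replace("\\n", "\n")


# Reference lines sit at the end of the plugin text, one kind per line.
REF_LINE = re.compile(r"^(CVE|BID|Other references)\s*:\s*(.+?)\s*$")


def parse_refs(data: str) -> list[Reference]:
    refs: list[Reference] = []
    for line in data.splitlines():
        m = REF_LINE.match(line)
        if not m:
            continue
        kind, values = m.groups()
        for v in (x.strip() for x in values.split(",") if x.strip()):
            if kind == "Other references":
                # "OSVDB:877" -> name OSVDB, value 877; keep "Other" if no scheme given
                scheme, sep, ident = v.partition(":")
                refs.append(Reference(scheme, ident) if sep else Reference("Other", v))
            else:
                refs.append(Reference(kind, v))
    return refs


def parse_cvss(data: str) -> Optional[float]:
    m = re.search(r"CVSS Base Score\s*:\s*(\d+(?:\.\d+)?)", data)
    return float(m.group(1)) if m else None


def parse_nbe(text: str) -> list[Vuln]:
    vulns: list[Vuln] = []
    for raw in text.splitlines():
        if not raw.startswith("results|"):
            continue                        # 'timestamps' rows carry no finding
        parts = raw.split("|", 6)           # data is the last field and may contain '|'
        if len(parts) != 7:
            raise ValueError(f"malformed results row: {raw[:60]!r}")
        _, subnet, host, port_desc, plugin, severity, data = parts
        if not plugin:
            continue                        # open-port notice: nothing to cross-reference
        service, port, proto = parse_port(port_desc)
        data = unescape_data(data)
        vulns.append(Vuln(subnet, host, service, port, proto, f"NSS-{plugin}",
                          severity, parse_cvss(data), data, parse_refs(data)))
    return vulns


if __name__ == "__main__":
    for v in parse_nbe(SAMPLE_NBE):
        print(v.nasl_id, v.host, v.port, v.proto, v.severity, v.cvss)
        for r in v.refs:
            print("   ", r.name, r.value)
```

The data field is split with a maximum of six separators because the free-text plugin output is the last field and can itself contain a pipe; a naive split on every '|' would silently shift the fields of such rows.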
