How To use Nmap and Nessus by hzXRV3Pj


HowTo: Configure Nmap and Nessus & Run a Vulnerability
The purpose of this document is to provide detailed information on how to download and
configure nmap and nessus. While these two scanners are open source, they are highly
accurate and effective in determining host and network vulnerabilities and

The scans are to be performed on the hosts determined to be within scope on each PCI

Part of a PCI investigation is determining how credit card information was removed from
the system. Performing internal and external vulnerability scans will not only assist in
helping you to determine possible attack vectors, but the information contained in the
scan results can be provided to the customer to assist them in improving their overall
security posture.

Prepare your Workstation
   1. Install nmap & nessus in Ubuntu

As Ubuntu Linux is our chosen Linux distribution for the XFERS team, the instructions
contained in this document will be shown using Ubuntu 7.10, or Gutsy, loaded into a
VMware Fusion session.

apt-get install nmap

apt-get install nessusd     (the server daemon that the client connects to)

apt-get install nessus      (the client)

These two apt-get commands will download and install nmap, and both the nessus server
and nessus client in:


Using nmap

Nmap is a highly configurable, command-line network port scanner. There are literally
hundreds of command-line switches which can be combined to generate different results.
For the purposes of PCI engagements, you are going to run a discovery scan and a
vulnerability scan.

A ping sweep scan is used to determine the available hosts on the network, provided that
they are replying to ICMP Echo Request (8), and are set to perform ICMP Echo Reply

By default, the -sP option sends an ICMP echo request and a TCP packet to port 80 on
the target(s). When executed by a non-privileged user (i.e. not root), a SYN packet is
sent (using a connect() call) to port 80 on the target. When the target receives the SYN
packet, it replies with a SYN/ACK in an effort to do its part in completing the TCP
handshake. However, since it is not interested in establishing a TCP connection, the host
from which the scan originated does not respond to the target, leaving the connection in a
state of limbo. This is called half-open scanning.

When the scan is issued by a privileged user (i.e. root), nmap will by default send an
ARP request (-PR) on the local network, unless --send-ip was specified. The -sP option can
be used in conjunction with any of the other probe options (except -P0, since that turns
the ping probes off) for greater flexibility. When a firewall is in place between you and the
target host(s), these more advanced techniques may be needed to prevent the packets from being

In the majority of cases, a simple ping sweep will be sufficient for host discovery. You
can then use this output to compare against the list of hosts provided to you by the
customer to make sure you are not missing something due to an inaccurate report. To
scan the customer network using a ping sweep, use the following command:

nmap -sP > outfile.txt

The output will show you which hosts are alive, as well as providing you with their
respective MAC addresses.

After you have a list of IPs which are alive on the customer network, you are ready
to run an operating system discovery and port enumeration scan. Compare these results
with those which you will receive from nessus. They are not always the same. Nmap
and nessus use different scanning engines and different databases for
identification. If they both return the same information, then you can be probably 90%
sure that the findings are correct. However, in the event that each returns something
different, you may have to try another means of enumeration to properly identify the

To perform an OS discovery and port enumeration scan, issue the following command:

nmap -A -vv -P0 <hostname or IP_Address> > outfile.txt

**Forensic Note**
        When performing scans of any type, it is important that you know who you are
scanning! Unless you are on the local subnet, make sure that you run a whois query
against the target IP and ensure it is owned by the customer.

        Also, you may be given an IP address with a bit mask at the end. If you are like
me, and binary math gives you headaches, you can download a nice GUI utility that will
do the math for you from:

Configuring Nessus

Nessus operates in a client/server model, so you will have to start the nessusd (server)
service before you are able to connect with nessus (client). However, even before you
connect, there are a few steps which you have to take to configure the utility properly.

          Create your user account
              o /usr/sbin/nessus-adduser
                       Select a username
                       Authentication [pass] = password
                       Choose a password
                       Validate your password
                       Enter the rules: just hit Ctrl-D, which gives you the defaults
                       Press "Y" if the information is OK
          Create the certificate
              o /usr/bin/nessus-mkcert-client
                       Do you want to register: "Y"
                       Choose the default of "365" days
                       Country Code = US
                       State name = your state
                       Town name = your town
                       Organization name = IBM ISS X-Force ERS
                       Organization unit = none
                       Username #1 = your username
                       Choose defaults for days, country, state, city, and organization
                       Enter your IBM email address
                       Ctrl-D
                       Do not make another cert, unless you really want to
          Register your copy of Nessus
               o This will be done at download time. Tenable will send you an email
                 with your account code. You will need this code to download the
                 latest plugins. Don't worry, it's free.
               o Once you have your code, update nessus with the following commands:
               o /usr/bin/nessus-fetch --register <your_registration_code>
               o /usr/bin/nessus-update-plugins

Once you have performed these steps, you are ready to start nessusd (server).

nessusd -D      (you can either be root, or use sudo)
sudo nessus     (this will start the client)

The nessus GUI will pop up, and you can enter your username and password. Once
you are connected, you will need to make a few configuration changes before you initiate
a scan. Leave the defaults in place, and only make the following changes to these three
       By default, all of the plugins are loaded. You can either leave them in place as is,
or you can select the ones you need for the specific host(s) you are targeting. I would
recommend just leaving things as they are so that you don't accidentally miss something.

       Change the default port range value of 15000 to 65535, and check the box marked "Do a
reverse lookup on the IP before testing".

        Enter your target or targets on this line. You can scan up to 20 hosts at a time by
default. You can also use this option to point nessus at a file with hostnames/IP
addresses: a single value per line, one entry per line.

Once you have set up nessus with the target hosts, you are ready to scan. To start your
scan(s), simply click the "Start the Scan" button. Be sure to save your results in HTML
format and put them in the same folder as the nmap scan results.
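The following script, added here as an example and not part of the original HowTo, ties three of the steps above together: it parses the output of an nmap ping sweep (both the "Host X appears to be up" form of Nmap 4.x and the newer "Nmap scan report for X" form), checks every live host against the customer's in-scope list (CIDR blocks or single addresses, so the bit-mask math is done for you), flags anything outside that scope for a whois check before further scanning, and writes the in-scope hosts in the one-entry-per-line format the nessus target option accepts. The sweep output, the scope list and all function names are constructed for this example.

```python
import ipaddress
import re

# Constructed sample of "nmap -sP" output (not a real capture). Nmap 4.x prints
# "Host X appears to be up."; newer releases print "Nmap scan report for X".
SAMPLE_SWEEP = """\
Starting Nmap 4.20 ( http://insecure.org ) at 2008-03-10 09:12 EDT
Host 10.1.1.1 appears to be up.
MAC Address: 00:11:22:33:44:55 (Cisco Systems)
Host pos-01 (10.1.1.20) appears to be up.
Nmap scan report for 10.1.2.7
Host is up (0.0021s latency).
Host 10.1.3.9 appears to be up.
Nmap done: 768 IP addresses (4 hosts up) scanned in 6.10 seconds
"""

# Constructed in-scope list as a customer might hand it over: CIDR blocks and
# single hosts (the "IP address with a bit mask at the end" case).
CUSTOMER_SCOPE = ["10.1.1.0/24", "10.1.2.7"]

# Matches both output formats; a hostname followed by "(ip)" is handled too.
HOST_RE = re.compile(
    r"^(?:Host (?:\S+ )?\(?([0-9.]+)\)? appears to be up"
    r"|Nmap scan report for (?:\S+ )?\(?([0-9.]+)\)?)", re.M)

def alive_hosts(sweep_output):
    """Return the IPs nmap reported as up, in output order."""
    return [a or b for a, b in HOST_RE.findall(sweep_output)]

def scope_networks(entries):
    """Parse the customer's list; a bare address becomes a /32 network."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries if e.strip()]

def check_scope(hosts, networks):
    """Split live hosts into (in_scope, out_of_scope); the latter need a whois check."""
    in_scope, out_of_scope = [], []
    for h in hosts:
        ip = ipaddress.ip_address(h)
        (in_scope if any(ip in n for n in networks) else out_of_scope).append(h)
    return in_scope, out_of_scope

def nessus_target_file(hosts):
    """Format hosts the way the nessus target option expects: one entry per line."""
    return "".join(h + "\n" for h in hosts)

if __name__ == "__main__":
    alive = alive_hosts(SAMPLE_SWEEP)
    ok, suspect = check_scope(alive, scope_networks(CUSTOMER_SCOPE))
    print("not in customer scope, run whois before scanning further:", suspect)
    print(nessus_target_file(ok), end="")  # save this as the nessus target file
```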

        You will need to conduct internal vulnerability scans for all PCI cases. Using
nmap and nessus, you can perform comprehensive vulnerability scanning within a
relatively short period of time. Make sure you save your results in an easily identifiable
location and make sure your result names make sense (like IP address or hostname).

Additional Resources
          Nmap homepage <-- This is for Windows, but it has some good information in it!
          Nessus homepage