Nessus 3.2 beta available for testing

Nessus 3.1.2, the first public BETA of what will become Nessus 3.2, has been released for the Linux, FreeBSD and Solaris operating systems. 

There are many new features available including:

• Experimental IPv6 support
• Improved bandwidth throttling
• Extended nessusd.rules functionality to add support for ports and plugins
• New command 'nessuscmd' which lets you do a quick command-line scan
• Improved NASL engine including an API to write custom WMI checks
• Easy-update : Nessus can now update its own engine by doing /opt/nessus/sbin/nessus-update

This blog entry discusses these new features and how BETA testers should provide feedback. Over the next few weeks, we will discuss these topics (such as IPv6 and the new WMI library) in much more detail.

Experimental IPv6 support

Nessus 3.2 supports IPv6 natively. It allows you to scan any IPv6 host provided that the host it runs on has an IPv6 stack enabled. To scan an IPv6 host, simply type its IP address. If the host is on the local network (fe80::XXXX) you can also specify the interface to use when doing the scan. For example,  enter "fe80::20d:93ff:abcd:efab%eth0" to scan the host fe80:20d:83ff:abcd:efab on the local network connected to eth0.

Note that it is not possible to specify a range of addresses, as scanning each of them would not make sense. For example, scanning fe80::1/64 is an astronomical number and would take a very long time to enumerate each IPv6 address.

Nessus 3.2 has the ability to send a multicast ping query to determine the IPv6 hosts of your local network. Simply enter "link6%eth0" and nessusd will discover all the IPv6 enabled hosts.

Finally, if you scan the same host with both IPv4 and IPv6 addresses (ie: you enter a target of 192.168.1.1 and fe80::4242) then in the final report the same host will appear twice : once as an IPv6 system, and once as an IPv4 host. This is actually not much different than scanning the same physical system that has a "real" IPv4 address and perhaps a second network interface with another IPv4 address.

Improved Bandwidth Throttling

max_simult_tcp_sessions

In order to avoid flooding a network, Nessus now has the ability to define a maximum number of TCP connections in parallel, on a per-nessusd or per-scan basis. In nessusd.conf, setting the following option :

global.max_simult_tcp_sessions = 50

will guarantee that the system running your nessus scan will never establish more than 50 tcp sessions in parallel (wether there is one, ten or one hundred scans going on at the same time).

In your .nessusrc, adding the option :

max_simult_tcp_sessions = 20

will guarantee that your scan will not establish more than 20 sessions in parallel. If you have two scans running with this setting, then your system might end up doing 40 tcp sessions in parallel.

The "max_simult_tcp_sessions" setting is scan based whereas the "global.max_simult_tcp_sessions "is scanner based.

global.max_hosts

It is also possible to configure nessusd on a per-nessusd basis so that a maximum number of hosts are being scanned in parallel. It works like the current "max_hosts" settings, but on a per scanner basis, meaning that if you set "global.max_host" to 20 in nessusd.conf and have 10 scans running, eventually each scan will only scan 2 hosts in parallel.

Extended nessusd.rules

The grammar of the nessusd rules has been extended to let you forbid/allow nessusd to connect to some ports. In nessusd.rules, you can now prevent the connections to some ports. For instance, adding :

    reject 0.0.0.0/0:9100

will prevent the connection to any HP printer on port 9100. The ports can be entered as ranges as well, such as:

    reject 192.168.0.0/24:1-1024

This would prevent scans from connecting to ports 1 to 1024 on the subnet 192.168.0.0/24.

Please note that these rules only apply to TCP ports, not UDP and also that these rules do not work with IPv6 host addresses yet.

Plugin usage can also be limited such as:

    plugin-reject 10335
    plugin-accept 10000-40000

These rules can be set in the nessusd.rules file, on a per user basis or supplied by the end-user (as this is currently the case in Nessus 3.0).

New command 'nessuscmd'

The nessuscmd program (whose name might change -- suggestions are welcome) is a simple utility designed to perform a quick scan of a host or network for a small set of plugin IDs. For instance, if you want to scan your local subnet to determine which hosts have a default SNMP community set, do:

/opt/nessus/bin/nessuscmd -i 10264 192.168.0.0/24

More info can be obtained by doing :

/opt/nessus/bin/nessuscmd -h

Astute readers should find some similarity between some of the switches of nessuscmd and nmap.

Improved NASL engine

New functions

A few new functions have been added, in particular a plugin may now reduce the selected set of plugins while the scan is running. For instance, one may want to make sure that if the remote host is considered as being sensitive (ie: it's the payroll db server, a SCADA device, etc...) then one wants to programatically disable all plugins except one family or two which are known not to have any side effect. The functions to manage the plugin selection are :

• disable_all_plugins()
• enable_plugin_family(<name>)
• disable_plugin_family(<name>)
• enable_plugin_id(<id>)
• disable_plugin_id(<id>)

Note that a script can only reduce the set of selected plugins. If you do a scan with only the plugin #12345 being enabled, you can't have it enable plugins which were selected by the end user. However, you could do a plugin like :

if ( remote_host_is_the_payroll_server() )
{
  # Only audit the MSFT bulletins against the remote host

  disable_all_plugins(); # First : disable every other plugin
  enable_plugin_family("Windows : Microsoft Bulletins");
}

Support for pre-compiled libraries

NASL 3.2 supports the inclusion of pre-compiled libraries (we call this .nlib files). From within a NASL script, one can import a .nlib file by doing :

import("libName.nlib");

The only .nlib file available at this time is our WMI library. More information about performing WMI audits of Windows hosts with this library is available at http://cgi.tenablesecurity.com/tenable/WMI.html Tenable has also previously blogged about utilizing WMI audits for vulnerability scans here.

Nessus Program Easy-update

It's now very easy to upgrade your Nessus installation to the newest version of the engine. Simply make sure you are registered and type : /opt/nessus/sbin/nessus-update and Nessus will update itself. This feature is currently supported in Linux and FreeBSD, but not Solaris yet.

Miscellaneous Features

Scan pausing is now supported (with the command-line client, put the client in background by doing ctrl-Z to pause the scan and type 'fg' to resume it. GUI support will follow soon). Note that if you disconnect from nessusd while a scan is paused, the scan will be lost.

If a tested host is disconnected in the middle of a scan, nessusd should detect it and stop scanning that particular system (and tell you about it in the nessusd.messages logs).

Feedback

Please send your feedback, crash dumps, suggestions and complaints directly to Tenable's Director of Research, Renaud Deraison.