Sunday, June 04, 2006

Nessus 3.0.3 on FreeBSD

Several times last year I talked about using Nessus on FreeBSD. Last night I finally got a chance to install and try Nessus 3.0.3 on FreeBSD. Here's how I did it.

First I downloaded Nessus 3.0.3 as a package for FreeBSD 6.x (called Nessus-3.0.3-fbsd6.tbz). I added the package:

orr:/root# pkg_add -v Nessus-3.0.3-fbsd6.tbz
Requested space: 16570324 bytes, free space: 4394956800 bytes in /var/tmp/instmp.YdVsPF
Running pre-install for Nessus-3.0.3..
extract: Package name is Nessus-3.0.3
extract: CWD to /usr/local
extract: /usr/local/nessus/lib/nessus/plugins/synscan.nes
extract: /usr/local/nessus/lib/nessus/plugins/12planet_chat_server_path_disclosure.nasl
...edited...
extract: /usr/local/nessus/bin/nasl
extract: /usr/local/nessus/bin/nessus
extract: /usr/local/nessus/bin/nessus-fetch
extract: /usr/local/nessus/bin/nessus-bug-report-generator
extract: /usr/local/nessus/bin/nessus-mkcert-client
extract: /usr/local/nessus/bin/nessus-mkrand
extract: /usr/local/nessus/sbin/nessus-add-first-user
extract: /usr/local/nessus/sbin/nessus-check-signature
extract: /usr/local/nessus/sbin/nessus-adduser
extract: /usr/local/nessus/sbin/nessus-chpasswd
extract: /usr/local/nessus/sbin/nessus-rmuser
extract: /usr/local/nessus/sbin/nessus-mkcert
extract: /usr/local/nessus/sbin/nessus-update-plugins
extract: /usr/local/nessus/sbin/nessusd
extract: /usr/local/nessus/var/nessus/nessus-services
extract: /usr/local/nessus/var/nessus/nessus_org.pem
extract: /usr/local/etc/rc.d/nessusd.sh
extract: CWD to .
Running mtree for Nessus-3.0.3..
mtree -U -f +MTREE_DIRS -d -e -p /usr/local >/dev/null
Running post-install for Nessus-3.0.3..
Running post-install for Nessus-3.0.3..
nessusd (Nessus) 3.0.3. for FreeBSD
(C) 1998 - 2006 Tenable Network Security, Inc.

Processing the Nessus plugins...
[##################################################]

All plugins loaded

- Please run /usr/local/nessus/sbin/nessus-add-first-user to add an admin user
- Register your Nessus scanner at http://www.nessus.org/register/ to obtain
all the newest plugins
- You can start nessusd by typing /usr/local/etc/rc.d/nessusd.sh start
Attempting to record package into /var/db/pkg/Nessus-3.0.3..
Package Nessus-3.0.3 registered in /var/db/pkg/Nessus-3.0.3

Next I added a user:

orr:/root# /usr/local/nessus/sbin/nessus-add-first-user
Using /var/tmp as a temporary file holder

Add a new nessusd user
----------------------


Login : bejnessus
Authentication (pass/cert) [pass] :
Login password :
Login password (again) :

User rules
----------
nessusd has a rules system which allows you to restrict the hosts
that bejnessus has the right to test. For instance, you may want
him to be able to scan his own host only.

Please see the nessus-adduser(8) man page for the rules syntax

Enter the rules for this user, and hit ctrl-D once you are done :
(the user can have an empty rules set)

Login : bejnessus
Password : ***********
DN :
Rules :

Is that ok ? (y/n) [y] y
user added.
Thank you. You can now start Nessus by typing :
/usr/local/nessus/sbin/nessusd -D

Next I registered using the code emailed to me:

orr:/root# /usr/local/nessus/bin/nessus-fetch --register codegoeshere
Your activation code has been registered properly - thank you.
Now fetching the newest plugin set from plugins.nessus.org...
Your Nessus installation is now up-to-date.
If auto_update is set to 'yes' in nessusd.conf, Nessus will
update the plugins by itself.

Finally I started the Nessus daemon.

orr:/root# /usr/local/etc/rc.d/nessusd.sh start
Nessus
orr:/root# sockstat -4
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root nessusd 13116 4 tcp4 *:1241 *:*
root sendmail 434 4 tcp4 127.0.0.1:25 *:*
root sshd 428 4 tcp4 *:22 *:*
root syslogd 312 6 udp4 *:514 *:*
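
The listing above shows nessusd bound to *:1241, meaning it accepts client logins on every IPv4 interface of the host. The following is an added example, not part of the original post: it filters `sockstat -4` output for wildcard-bound sockets and can skip services you expect to be exposed. The function names are this example's own, and the sample input is the listing above embedded so the script runs offline.

```shell
#!/bin/sh
# Added example: report sockets bound to every IPv4 interface ("*:port")
# from `sockstat -4` output read on stdin.
# Columns: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
# Arguments (optional): command names that are expected to listen on
# all interfaces and should not be reported.
wildcard_listeners() {
    awk -v allow=" $* " '
        NR > 1 && $6 ~ /^\*:[0-9]+$/ {
            if (index(allow, " " $2 " ") > 0) next   # expected service
            split($6, a, ":")
            printf "%s %s/%s\n", $2, a[2], $5        # command port/proto
        }'
}

# Sample input: the sockstat listing from the post.
# On a live FreeBSD host: sockstat -4 | wildcard_listeners sshd syslogd
sample_sockstat() {
    cat <<'EOF'
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root nessusd 13116 4 tcp4 *:1241 *:*
root sendmail 434 4 tcp4 127.0.0.1:25 *:*
root sshd 428 4 tcp4 *:22 *:*
root syslogd 312 6 udp4 *:514 *:*
EOF
}

# Everything bound to all interfaces, then only the unexpected ones.
sample_sockstat | wildcard_listeners
sample_sockstat | wildcard_listeners sshd syslogd
```

With sshd and syslogd treated as expected, only nessusd on port 1241 is reported; sendmail is bound to 127.0.0.1 and never appears.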

When I finished I removed the executable bit from the nessusd.sh script so it would not execute on boot. This is because I don't need it on boot, especially since it takes over a minute to load all the plugins.

orr:/root# chmod -x /usr/local/etc/rc.d/nessusd.sh

To start nessusd when the execute bit is not set, I do the following:

orr:/root# sh /usr/local/etc/rc.d/nessusd.sh start
Nessus

Note the default /usr/local/nessus/etc/nessus/nessusd.conf contains the following:

# Automatic plugins updates - if enabled and Nessus is registered, then
# fetch the newest plugins from plugins.nessus.org automatically
auto_update = yes
# Number of hours to wait between two updates
auto_update_delay = 24

I changed this to say:

auto_update = no

because I prefer to update the plugins manually.

orr:/root# /usr/local/nessus/sbin/nessus-update-plugins

Nessus now provides a separate GUI client called NessusClient. I tried to install it this way:

orr:/usr/local/src# tar -xzvf NessusClient-1.0.0.RC5.tar.gz
x NessusClient-1.0.0.RC5/
x NessusClient-1.0.0.RC5/.root-dir
...edited...
x NessusClient-1.0.0.RC5/TODO
x NessusClient-1.0.0.RC5/VERSION
orr:/usr/local/src# cd NessusClient-1.0.0.RC5
orr:/usr/local/src/NessusClient-1.0.0.RC5# ./configure
creating cache ./config.cache
checking host system type... i386-unknown-freebsd6.0
...edited...
creating doc/NessusClient.1
creating include/config.h
orr:/root/NessusClient-1.0.0.RC5# make
...edited...
prefs_scope_tree.o(.text+0x434): In function `scopetree_rename':
prefs_dialog/prefs_scope_tree.c:179: undefined reference to `prefs_context_update'
prefs_scope_tree.o(.text+0x9c6): In function `scopetree_delete':
prefs_dialog/prefs_scope_tree.c:376: undefined reference to `prefs_context_update'
prefs_scope_tree.o(.text+0xab6):prefs_dialog/prefs_scope_tree.c:415: undefined reference to `prefs_context_update'
prefs_scope_tree.o(.text+0xc65):prefs_dialog/prefs_scope_tree.c:500: more undefined references to `prefs_context_update' follow
*** Error code 1

Stop in /usr/local/src/NessusClient-1.0.0.RC5/nessus.
*** Error code 1

Stop in /usr/local/src/NessusClient-1.0.0.RC5.

Rats. Luckily I found this post, which suggested a fix using gmake. After starting with a fresh extraction of NessusClient-1.0.0.RC5, I ran ./configure, gmake, and gmake install. Everything worked.

/usr/bin/install -c -m 755 /root/NessusClient-1.0.0.RC5/bin/NessusClient /usr/local/bin
test -d /usr/local/bin || /usr/bin/install -c -d -m 755 /usr/local/bin
/usr/bin/install -c -m 755 nessusclient-mkcert /usr/local/bin
/usr/bin/install -c -m 755 ssl/nessus-mkrand /usr/local/bin
installing man pages ...
/usr/bin/install -c -c -m 0444 doc/NessusClient.1 /usr/local/man/man1/NessusClient.1
/usr/bin/install -c -c -m 0444 doc/nessusclient-mkcert.1 /usr/local/man/man1/nessusclient-mkcert.1
/usr/bin/install -c -c -m 0444 doc/nessus-mkrand.1 /usr/local/man/man1/nessus-mkrand.1

I could now start the client:

orr:/home/richard$ NessusClient



I selected File -> Scan Assistant to create a "demo" Task, with "demo" scope, and "localhost" as target.

I then was prompted for my username and password to connect to the nessusd server.



Once connected, Nessus began scanning localhost.



When done I had a report.



These are the basics of running Nessus 3.0.3 with NessusClient on FreeBSD. I used the defaults for everything to get my results. An alternative would be to use Nessus 2.2.8, which is in the ports tree.

For more information, consider attending Nessus Training by Tenable Network Security.

3 comments:

JimmytheGeek said...

An acquaintance suggested getting all supplementary tools working before installing nessus. I don't have any personal experience, but he reports that nessus sometimes has trouble recognizing new tools for it to use.

Anonymous said...

Great article and very useful Mr Bejtlich.


I just want to make a little correction.

"because I prefer to update the plugins manually."

orr:/root# /usr/local/nessus/sbin/nessus-update-plugins

I think the command looks like this:

/usr/local/nessus/bin/nessus-fetch --plugins

no?

Richard Bejtlich said...

extract: /usr/local/nessus/sbin/nessus-update-plugins

At the time I wrote the article, the above was what happened.

Since then, nessus-update-plugins has been replaced.