Nessus 5.0 Review

Nessus 5.0 just got released, and if the forum is anything to go by, people are not impressed, me included!

First off, it's a major new version number, but it appears to have no new functionality whatsoever. All that has changed is the report templates, and they're totally screwed up. You've got HTML that doesn't wrap properly and takes an age to render the XSLT, the Synopsis and Solution are no longer output at all (WTF?!), and the PDF export relies on Oracle Java; who knows why they didn't use LaTeX or something.

There are reports of people not being able to upgrade, downgrade or even install on various flavours of Linux, Mac OS X and Windows, let alone do offline updates/activation.

There are bugs in the Flash UI that prevent people even getting as far as the login screen, or being able to filter the plugin list, even after two updates in the feed already! I have no idea why it still uses Flash and not HTML5/Ajax like the rest of the planet.

The severity levels have changed: Low/None seem to become Info depending on what function you call and which script attribute you set, they are different from 4.x, and there's a new Critical severity.

I know you should never use an x.0 release of any software, but seriously, this should really be called 4.5 beta, not 5.0. If you thought upgrading from 4.2.2 to 4.4.1 was hardly worth it, then you won't want to bother with this.

I've quickly grabbed all of the 4.4.1 installers before they remove them, as support for all but the very latest Linux distros has been ditched in 5.0, as have the generic tarballs.

Nessus is seriously going in the wrong direction; it's trying to appeal to PHBs when that should be the realm of Security Center. Users want new functionality like better IPv6/SCTP support and VoIP fuzzing, not bling.

If nmap‘s Lua scripting engine was more mature or OpenVAS was packaged a bit better, I’d be jumping ship.

Update: I've just tried 5.0.1, which I think has somehow managed to get even worse: report upload doesn't show the upload window half the time (Chrome 20 or Firefox 13), and when installing, for some reason it recreated the database cache (a long process), then fetched the new plugins and re-cached the database!

Junos 10

Today I have been mostly installing Junos. Well, actually I've wasted most of the day trying to get Junos 10.4 to work in Olive under VirtualBox. I understood that it required FreeBSD 7.1, so I tried installing it under 7.1 and 7.4, to no avail.

In the end I cloned my Junos 9.0/FreeBSD 4.11 VM, allocated 512MB instead of 256MB and installed 10.4 as an upgrade, which also meant I didn't have to bother removing checkpic.

I wasted a few rounds of installing due to using the export version, which doesn't include SSH! Also, part of the trick of getting it to work under VBox seemed to be to create a serial port as a named pipe; not sure why, but that seemed to help get past the bootloader hanging, possibly as it then had a TTY to allocate.

I also upgraded my 9.0 to 9.6, which has a slightly more useful J-Web interface and also requires 512MB now.

All of this was to aid my development of a set of NASL scripts to do Junos security compliance auditing. It seems Tenable have worked around the UNIX-only limitation of Nessus' ssh_cmd() function by putting in a special check for when uname -a fails, i.e. it's either IOS or Junos (or unsupported). Of course, in Junos shell mode it will pass (as it's FreeBSD), so you have to check that you're in CLI mode before doing the config checking.

It's only taken them four years of me asking for this, and I guess it's come as a result of Nessus's new IOS support for their own compliance plugin and local security checks for Junos patches etc.

Update: I've written 20 NASL plugins to do the Junos auditing now, and I noticed I was hitting the SSH rate-limit setting in Junos, so my plugins were getting booted off. It was because for each plugin I was calling ssh_cmd() at least once and also a function that checks I could log in with the correct level/privileges etc., so I was making at least two SSH connection attempts per plugin, which soon hit the 10-connection-attempts-per-minute limit that was configured.

So now I've moved all of my ssh_cmd() calls into one big include file which uses a single SSH connection to send 30 or so commands, and populates the knowledge base with the results. The plugins then have that in their script_dependencies() and don't use SSH at all, just a couple of calls to get_kb_item(), which simplifies the code quite a lot, and an entire scan can be done in 10 seconds!
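The pattern described in this post, as an added example written for this page (it is not the author's NASL include nor Tenable's code): open one session, decide from the `uname -a` result whether it landed in the Junos CLI or the FreeBSD shell, run the whole command batch over that single connection, and park the output in a knowledge base that the individual checks read from. The KB is a plain dict, the SSH transport is a stand-in that only counts sessions, and every piece of device output is constructed, so the exact error text and key names are assumptions.

```python
"""Single-session collector for Junos compliance checks (added example)."""
from typing import Callable, Dict

# Constructed responses to "uname -a" (not real captures).
CLI_UNAME = "                   ^\nsyntax error, expecting <command>."
SHELL_UNAME = "FreeBSD olive 4.11-RELEASE FreeBSD 4.11-RELEASE #0 JUNOS 10.4R1.9 i386"
LINUX_UNAME = "Linux box 2.6.32 #1 SMP x86_64 GNU/Linux"

UNIX_KERNELS = ("FreeBSD", "Linux", "SunOS", "Darwin", "AIX", "HP-UX", "OpenBSD", "NetBSD")


def session_mode(uname_output: str) -> str:
    """Classify the far end from what `uname -a` returned.

    'junos-shell': FreeBSD uname carrying the JUNOS tag; CLI config commands
                   would not work here, so the collector must not proceed.
    'unix'       : an ordinary UNIX host.
    'cli'        : uname failed with a CLI-style parse error (IOS or Junos).
    'unknown'    : anything else (treat as unsupported).
    """
    text = uname_output.strip()
    first = text.split(" ", 1)[0] if text else ""
    if first in UNIX_KERNELS:
        return "junos-shell" if "JUNOS" in uname_output else "unix"
    if "syntax error" in text or "unknown command" in text or "Invalid input" in text:
        return "cli"
    return "unknown"


class JunosCollector:
    """Runs every command over ONE connection and fills the KB once."""

    COMMANDS = (
        "show version | match Junos",
        "show configuration system services ssh",
        "show configuration system login | match class",
    )

    def __init__(self, connect: Callable[[], Callable[[str], str]]):
        # connect() opens a session and returns a run(cmd) -> output callable.
        self._connect = connect
        self.kb: Dict[str, str] = {}

    def collect(self) -> Dict[str, str]:
        run = self._connect()                 # the only connection made
        mode = session_mode(run("uname -a"))
        self.kb["Host/Junos/mode"] = mode     # assumed KB key naming
        if mode != "cli":                     # shell mode: CLI commands are pointless
            return self.kb
        for cmd in self.COMMANDS:
            self.kb["Host/Junos/cmd/" + cmd] = run(cmd)
        return self.kb


def ssh_rate_limit(kb: Dict[str, str]) -> int:
    """Plugin-side check: it reads only the KB, never SSH. Returns 0 if unset."""
    out = kb.get("Host/Junos/cmd/show configuration system services ssh", "")
    for line in out.splitlines():
        line = line.strip().rstrip(";")
        if line.startswith("rate-limit "):
            return int(line.split()[1])
    return 0


class FakeDevice:
    """Stand-in for the SSH transport; counts how many sessions were opened."""

    def __init__(self, responses: Dict[str, str]):
        self.responses = responses
        self.connections = 0

    def connect(self) -> Callable[[str], str]:
        self.connections += 1
        return lambda cmd: self.responses.get(cmd, "syntax error, expecting <command>.")


# Constructed outputs for a device that dropped us into the CLI.
CLI_DEVICE_RESPONSES = {
    "uname -a": CLI_UNAME,
    "show version | match Junos": "Junos: 10.4R1.9",
    "show configuration system services ssh": "root-login deny;\nrate-limit 10;\nconnection-limit 10;",
    "show configuration system login | match class": "class super-user;",
}


def demo():
    """Collect once, then run a check off the KB; the session count stays at 1."""
    dev = FakeDevice(CLI_DEVICE_RESPONSES)
    kb = JunosCollector(dev.connect).collect()
    return dev.connections, kb["Host/Junos/mode"], ssh_rate_limit(kb)


if __name__ == "__main__":
    print(demo())  # (1, 'cli', 10)
```

However many checks are added on the plugin side, `FakeDevice.connections` stays at one, which is the property that keeps a scan under a per-minute SSH connection rate limit.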

Commercial Android Apps

What is it with commercial apps for Android that just don’t work?!

First off you've got Plex, whose developers just say "it's a CyanogenMod 7 problem, get them to fix it", and now Nessus for Android logs in but doesn't actually do anything: no scans or reports are displayed!

I also found that the version of iGo 8.4.2 for Android that I was using has what I can only assume is a broken skin, as the co-ordinate input method is just not there. I downloaded the unofficial MotoGIS 2.4 skin and it works a treat!

I also upgraded the blog to WordPress version 3.1.3.

JtR Jumbo 12 RPMs

I've compiled some RPMs of John the Ripper 1.7.6 with the jumbo-12 and early-release-md5-gen-v3 patches applied. I can't get the hmailserver-02 or intrinsics-2 patches to merge nicely, or build reliably, even with manual fudgery.

It's got a bit crazy recently, with five patches for 1.7.6 after jumbo-12 which are incompatible with each other and with the omp-des-7 patch. They really need to be merged into jumbo-13 or even 1.7.7, or preferably ditch patches altogether and work from Git, but apparently this won't happen.

I’ve also been trying out Nessus 4.4.1 with my custom plugins, which now number around 190.

I watched TRON: Legacy, which I thought was utter rubbish, and in fact Tron was in it for about three minutes. There were some references to the original, but really it was a standalone film.

Nessus ssh_cmd() fix?

I think I've found the main source of the PS1 problem with Nessus' ssh_cmd(): it would seem it doesn't like ksh, as it produces something like the following in the report output, which appears to be due to PS1 being set to "$ ":

Last login: Fri Dec 3 11:08:43 2010 from 192.168.1.2
$ $

If you change the login user's shell to bash, the problem goes away (as long as PS1 ends with $, %, # or >), although I guess it's possible that if the bash prompt was set to just "$ " instead of the usual "-bash-3.00$ " it would suffer the same problem as ksh.

Interestingly, it seems to happen whether you use su/sudo or not; I previously thought it was unique to su/sudo usage due to this section of code in the ssh_cmd() function from ssh_func.inc (note the prompt detection at line 2268):

 # su/sudo: shell prompt -> sends command
 # Note: despite the name, this takes the last six characters of tempbuf
 # (substr's end index is inclusive).
 if ( strlen(tempbuf) > 5 ) last5 = substr(tempbuf, strlen(tempbuf) - 6, strlen(tempbuf) - 1 );
 else last5 = tempbuf;
 # Any $, #, > or % anywhere in those characters counts as "at a prompt".
 if (!isnull(su) && spass == 0 && ("$" >< last5 || "#" >< last5 || ">" >< last5 || "%" >< last5 ))
 {
   # Send the command in 1024-byte chunks as SSH_MSG_CHANNEL_DATA (type 94).
   for ( sub1 = 0 ; sub1 < strlen(cmd) ; sub1 += 1024 )
   {
     if ( strlen(cmd) <= sub1 + 1023 )
       sub2 = strlen(cmd) - 1;
     else
       sub2 = sub1 + 1023;
     cmdd = substr(cmd, sub1, sub2);
     payload = raw_int32(i:remote_channel) + putstring(buffer:cmdd);
     send_ssh_packet(payload:payload, code:raw_int8(i:94));
   }
   spass = 1;
 }
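To see what that prompt test actually accepts, here is a port of the last5 check to Python, written for this page rather than taken from Tenable's ssh_func.inc. It runs the heuristic over the ksh and bash buffers shown above plus two constructed buffers, and puts beside it a stricter variant (my own assumption, not something Nessus does) that only accepts a prompt character at the very end of the trimmed buffer. The loose test fires on any `$`, `#`, `>` or `%` in the last six bytes, so an echoed line such as `echo $X` followed by a newline satisfies it even though no prompt has appeared.

```python
"""Port of the ssh_cmd() prompt-detection heuristic (added example)."""

PROMPT_CHARS = "$#>%"


def nessus_prompt_seen(buf: str) -> bool:
    """Port of the NASL last5 test: substr(len-6, len-1) yields SIX characters."""
    last5 = buf[-6:] if len(buf) > 5 else buf
    return any(c in last5 for c in PROMPT_CHARS)


def strict_prompt_seen(buf: str) -> bool:
    """Assumed stricter variant: the trimmed buffer must END with a prompt character."""
    trimmed = buf.rstrip()
    return bool(trimmed) and trimmed[-1] in PROMPT_CHARS


# Constructed buffers: the ksh and bash cases from the post, a password
# banner, and an echoed command line in which '$' is merely part of the text.
SAMPLES = {
    "ksh": "Last login: Fri Dec 3 11:08:43 2010 from 192.168.1.2\n$ $",
    "bash": "Last login: Fri Dec 3 11:08:43 2010 from 192.168.1.2\n-bash-3.00$ ",
    "password": "Password: ",
    "echoed": "echo $X\n",
}


def compare():
    """Return {name: (loose_result, strict_result)} for every sample buffer."""
    return {name: (nessus_prompt_seen(b), strict_prompt_seen(b)) for name, b in SAMPLES.items()}


if __name__ == "__main__":
    for name, (loose, strict) in compare().items():
        print(f"{name:9s} loose={loose} strict={strict}")
```

Both variants agree on the two buffers from the post, so this port does not by itself explain the ksh behaviour; what it does show is that the loose check cannot tell a prompt from a `$` embedded in ordinary output, which is the kind of false positive to look for when the report shows a doubled "$ $".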