May
10th

Vulnerability Assessment On The Cheap

Filed under Server Security | Posted by Gary

Your server is only as secure as the scripts you run on it. Strong passwords, firewalls and a tight security policy aren’t going to help if you have scripts or applications that contain vulnerabilities. Unfortunately, many of the most popular scripts and applications do contain flaws and/or poorly written code that may allow the bad guys to deface your web site or use your resources.

So … how can you prevent this from happening without spending a fortune on expensive auditing tools or services? There are several very good assesment tools that are free and/or open source. We’re going to look at two of the most popular and, in my opinion, most useful tools for testing your server.

Nessus

Nessus is an application that runs on Windows and various Unix operating systems. It ‘probes’ your server and looks for many of the known vulnerabilities in server software. After performing a scan (which can take several hours) it will list all of the vulnerabilities and potential vulnerabilities it found and in many cases will offer possible solutions such as upgrading your server software. At the very least it can provide you with a very detailed report about the ports and server applications that are exposed by your server. You would be surprised to see just howw much information can be gleaned from a server by running a few simple commands and probing the server ports. Information such as the operating system type and version as well as the versions of applications such as the web server, mail server etc are usually displayed by default. If a hacker knows that you are running a version of software that has some known vulnerabilities then they virtually have their foot in the door.

The Nessus application and it’s huge range of plugins are updated regularly. The plugins (and there are literally thousands of them) define the parameters for vulerabilities and potential security holes. You can download Nessus from www.nessus.org.

Nikto

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version specific problems on over 250 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).

So, rather than being a general security scanner, Nikto is totally focussed on vulnerabilities in web server software and scripts. Your web server tends to be one of the most vulnerable applications as it is usually publically available and can access the file system on your server.

Nikto is updated regularly with updated plugins available on theĀ  Nikto web site. The list of features is quite long:

* Uses rfp’s LibWhisker as a base for all network funtionality
* Main scan database in CSV format for easy updates
* Fingerprint servers via favicon.ico files
* Determines “OK” vs “NOT FOUND” responses for file type, if possible
* Determines CGI directories for each server, if possible
* Switch HTTP versions as needed so that the server understands requests properly
* SSL Support (Unix with OpenSSL or maybe Windows with ActiveState’s Perl/NetSSL)
* Output to file in plain text, HTML or CSV
* Plugin support (standard PERL)
* Checks for outdated server software
* Proxy support (with authentication)
* Host authentication (Basic)
* Watches for “bogus” OK responses
* Attempts to perform educated guesses for Authentication realms
* Captures/prints any Cookies received
* Mutate mode to “go fishing” on web servers for odd items
* Builds Mutate checks based on robots.txt entries (if present)
* Scan multiple ports on a target to find web servers (can integrate nmap for speed, if available)
* Multiple IDS evasion techniques
* Users can add a custom scan database
* Supports automatic code/check updates (with web access)
* Multiple host/port scanning (scan list files)
* Username guessing plugin via the cgiwrap program and Apache ~user methods

It really is an essential tool if you want to know whether your web site has any well known vulnerabilities. The Nikto application (Unix only) is available at http://www.cirt.net/nikto2.

You must be logged in to post a comment.