Nessus Network Auditing (training document library)




Document information

Posted: 17/11/2019, 08:31

Register for Free Membership to [...]

Over the last few years, Syngress has published many best-selling and critically acclaimed books, including Tom Shinder's Configuring ISA Server 2000, Brian Caswell and Jay Beale's Snort 2.0 Intrusion Detection, and Angela Orebaugh and Gilbert Ramirez's Ethereal Packet Sniffing. One of the reasons for the success of these books has been our unique [...] program. Through this site, we've been able to provide readers a real-time extension to the printed book.

As a registered owner of this book, you will qualify for free access to our members-only program. Once you have registered, you will enjoy several benefits, including:

■ Four downloadable e-booklets on topics related to the book. Each booklet is approximately 20–30 pages in Adobe PDF format. They have been selected by our editors from other best-selling Syngress books as providing topic coverage that is directly related to the coverage in this book.
■ A comprehensive FAQ page that consolidates all of the key points of this book into an easy-to-search web page, providing you with the concise, easy-to-access data you need to perform your job.
■ A "From the Author" Forum that allows the authors of this book to post timely updates, links to related sites, or additional topic coverage that may have been requested by readers.

Just visit us at [...] and follow the simple registration process. You will need to have this book with you when you register. Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there is anything else we can do to make your job easier.

Nessus Network Auditing

Renaud Deraison
Haroon Meer
Roelof Temmingh
Charl van der Walt
Raven Alder
Jimmy Alderson
Andy Johnston
George A. Theall

Jay Beale, Series Editor
HD Moore, Technical Editor
Noam Rathaus, Technical Editor

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively "Makers") of this book ("the Work") do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, "Career Advancement Through Skill Enhancement®," "Ask the Author UPDATE®," and "Hack Proofing®," are registered trademarks of Syngress Publishing, Inc. "Syngress: The Definition of a Serious Security Library"™, "Mission Critical™," and "The Only Way to Stop a Hacker is to Think Like One™" are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

KEY  SERIAL NUMBER
001  HV764GHVB7
002  POFGBN329M
003  HJWWQV734M
004  CVPLQ6CC73
005  239KMWH5T2
006  VBP95BNBBB
007  H863EBN643
008  29MKVB5487
009  69874FRVFG
010  BNWQ6233BH

PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

Nessus Network Auditing
Copyright © 2004 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America
ISBN: 1-931836-08-6

Publisher: Andrew Williams
Acquisitions Editor: Christine Kloiber
Technical Editor: Jay Beale, HD Moore, and Noam Rathaus
Page Layout and Art: Patricia Lupien
Copy Editor: Beth Roberts
Indexer: Nara Wood
Cover Designer: Michael Kavish

Distributed by O'Reilly Media, Inc. in the United States and Canada. For information on rights and translations, contact Matt Pedersen, Director of Sales and Rights, at Syngress Publishing; email [...] or fax to 781-681-3585.

Acknowledgments

We would like to acknowledge the following people for their kindness and support in making this book possible.

Syngress books are now distributed in the United States and Canada by O'Reilly Media, Inc. The enthusiasm and work ethic at O'Reilly is incredible and we would like to thank everyone there for their time and efforts to bring Syngress books to market: Tim O'Reilly, Laura Baldwin, Mark Brokering, Mike Leonard, Donna Selenko, Bonnie Sheehan, Cindy Davis, Grant Kikkert, Opol Matsutaro, Steve Hazelwood, Mark Wilson, Rick Brown, Leslie Becker, Jill Lothrop, Tim Hinton, Kyle Hart, Sara Winge, C. J. Rayhill, Peter Pardo, Leslie Crandell, Valerie Dow, Regina Aggio, Pascal Honscher, Preston Paull, Susan Thompson, Bruce Stewart, Laura Schmier, Sue Willing, Mark Jacobsen, Betsy Waliszewski, Dawn Mann, Kathryn Barrett, John Chodacki, and Rob Bullington.

The incredibly hard working team at Elsevier Science, including Jonathan Bunkell, Ian Seager, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, Emma Wyatt, Rosie Moss, Chris Hossack, Mark Hunt, and Krista Leppiko, for making certain that our vision remains worldwide in scope.

David Buckland, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, Pang Ai Hua, and Joseph Chan of STP Distributors for the enthusiasm with which they receive our books.

Kwon Sung June at Acorn Publishing for his support.

David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Andrew Swaffer, Stephen O'Donoghue, Bec Lowe, and Mark Langley of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.

Winston Lim of Global Publishing for his help and support with distribution of Syngress books in the Philippines.

Series Editor, Technical Editor

Jay Beale is a security specialist focused on host lockdown and security audits. He is the lead developer of the Bastille project, which creates a hardening script for Linux, HP-UX, and Mac OS X; a member of the Honeynet Project; and the Linux technical lead in the Center for Internet Security. A frequent conference speaker and trainer, Jay speaks and trains at the Black Hat and LinuxWorld conferences, among others. Jay is a senior research scientist with the George Washington University Cyber Security Policy and Research Institute and makes his living as a security consultant through the MD-based firm Intelguardians, LLC, where he works on security architecture reviews, threat mitigation, and penetration tests against Unix and Windows targets. Jay wrote the Center for Internet Security's Unix host security tool, currently in use worldwide by organizations from the Fortune 500 to the Department of Defense. He leads the Center's Linux Security benchmark team and, as a core participant in the nonprofit Center's Unix teams, is working with private enterprises and US agencies to develop Unix security standards for industry and government. Jay has written a number of articles and book chapters on operating system security. He is a columnist for Information Security Magazine and previously wrote a number of articles for [...] and [...]. He co-authored the Syngress international best-seller Snort 2.0 Intrusion Detection (ISBN: 1-931836-74-4) and serves as the series and technical editor of the Syngress Open Source Security series, which includes Snort 2.1 Intrusion Detection, Second Edition (ISBN 1-931836-04-3) and Ethereal Packet Sniffing (ISBN 1-932266-82-8). Jay's long-term writing goals include finishing a Linux hardening book focused on Bastille called Locking Down Linux. Formerly, Jay served as the Security Team Director for MandrakeSoft, helping set company strategy, design security products, and pushing security into the third largest retail Linux distribution.

Technical Editors and Contributors

HD Moore is one of the founding members of Digital Defense, a security firm that was created in 1999 to provide network risk assessment services. In the last four years, Digital Defense has become one of the leading security service providers for the financial industry, with over 200 clients across 43 states. Service offerings range from automated vulnerability assessments to customized security consulting and penetration testing. HD developed and maintains the assessment engine, performs application code reviews, develops exploits, and conducts vulnerability research.

Noam Rathaus is the co-founder and CTO of Beyond Security, a company specializing in the development of enterprise-wide security assessment technologies, vulnerability assessment-based SOCs (security operation centers) and related products. He holds an electrical engineering degree from Ben Gurion University, and has been checking the security of computer systems from the age of 13. Noam is also the editor-in-chief of [...], one of the largest vulnerability databases and security portals on the Internet. He has contributed to several security-related open-source projects including an active role in the Nessus security scanner project. He has written over 150 security tests for the open source tool's vulnerability database, and also developed the first Nessus client for the Windows operating system. Noam is apparently on the hit list of several software giants after being responsible for uncovering security holes in products by vendors such as Microsoft, Macromedia, Trend Micro, and Palm. This keeps him on the run using his Nacra Catamaran, capable of speeds exceeding 14 knots for a quick getaway. He would like to dedicate his contribution to the memory of Haim Finkel.

Contributors

Renaud Deraison is the Founder and the primary author of the open-source Nessus vulnerability scanner project. He has worked for SolSoft, and founded his own computing security consulting company, Nessus Consulting. Nessus has won numerous awards, most notably the 2002 Network Computing "Well Connected" award. Mr. Deraison also is an editorial board member of the Common Vulnerabilities and Exposures Organization. He has presented at a variety of security conferences including the Black Hat Briefings and CanSecWest.

Raven Alder is a Senior Security Engineer for True North Solutions, a consulting firm specializing in network security design and implementation. She specializes in scalable enterprise-level security, with an emphasis on defense in depth. She designs large-scale firewall and IDS systems, and then performs vulnerability assessments and penetration tests to make sure they are performing optimally. In her copious spare time, she teaches network security for [...] and checks cryptographic vulnerabilities for the Open Source Vulnerability Database. Raven lives in the Washington, DC area.

Jimmy Alderson is the Technical Product Manager at Atlanta-based GuardedNet, a leader in Security Information Management, as well as a Founding member of DC-based firm Intelguardians Network Intelligence. He is a member of the CVE Editorial board and a founding member of the Behavioral Computational Neuroscience Group which specializes in applications of stratification theory. Jimmy was the author of the first Security Information Management system as well as the original pioneer on the use of Taps for performing intrusion detection on switched networks. He has been an active member of the security community since 1992.

Index (pages 500–506; the preview skips from the front matter to page 500, and the two-column index layout has been re-flowed into one entry per line; [...] marks text lost in extraction)

(sub-entries continued from page 499; parent entry not in the preview)
  direct port connection, 381
  final steps in creation, 383
  FTP server listening on port 21, 380–381
  respecting FTP protocol, 381–382
  writing in NASL script, 374–380
FTP (File Transfer Protocol)
  libraries, 390
  print server and, 20
FTP plugin, 372
FTP server, 195
[...] library, 390, 466–467
full-connect scan, 249
function arguments, 438
function declarations, 437
function libraries
  FTP, 390
  get_ftp_banner(), 382
  HTTP, 387–389
  NASL, 387, 393–394
  NFS, 391–393
functions, calling, 438–439

G
Gain a shell remotely plugin, 372
Gain root remotely plugin, 372
General plugin, 372
general query, Bugzilla, 410–411
Gentoo, 51
get_ftp_banner(), 382
get_kb_item(), 289–291, 294
get_kb_item(string:name), 282–283
get_kb_list(), 294
get_kb_list(string:name) function, 282–283, 286
get_port_state(), 381
Gimp Toolkit (GTK)
  Nessus installation and, 55, 57
  nessusd server connection with, 76
  removal of dependency, 64
Gmane, 407
Google, 407
grammar, 481 see also NASL2 grammar
graphs
  report format, 139–141
  for vulnerability assessment, 340–344
grep command, 163
GTK see Gimp Toolkit
GUI clients see Nessus GUI Client for X Windows; NessusWX Client for Windows
Gula, Ron, 42

H
hacking, 156–158, 219
hardware requirements, 53–54
Heinbockel, William, 166
help, 417, 419–420 see also user community
hiding, Nessus server, 75
honeypots, 313
host count, 113
host detection
  major milestone in Nessus scan, 240–241
  overview of, 266
  phase of assessment, 9–10
  processor, 246–247
host ping, 100–101
hostname, 137, 161
hosts
  assessments, 5–6
  false positives, 226
  LaBrea tarpitted, 115–116
  pinging, 117
HTML (Hypertext Markup Language), 138, 139–141, 147
HTTP/1.1's keep-alive connection, 256–257
HTTP daemon, 273
HTTP functions, 456–457
HTTP (HyperText Transfer Protocol)
  NIDS evasion with, 102
  on ports, 12
  web server scanning and, 101–102
HTTP login page, 101–102
HTTP protocol, 387–389
HTTP proxy, 80
HTTP redirect, 177
[...] library, 387–389, 467–469
[...] library, 387–389, 469–470
httpver.nasl plugin, 256
http_version.nasl plugin, 256, 387–388
HUP (restart now) signal, 315–316
hybrid vulnerability assessment approach, 17–19, 22
Hydra, 104–105
Hypertext Markup Language (HTML), 138, 139–141, 147
HyperText Transfer Protocol (HTTP)
  NIDS evasion with, 102
  on ports, 12
  web server scanning and, 101–102

I
ICMP see Internet Control Message Protocol
ICMP Echo test, 246
IDS (intrusion detection system), [...]
IIS (Internet Information Server), 195
IIS WebDAV overflow, 217–218
iis5_isapi_printer.nasl, 160
iis_webdav_overflow.nasl, 217–218
importing, report, 143, 152
"inc" filename suffix, 387
individual process model, 242
information see help
information exchange, 280–289, 293
information gathering
  milestone, 241
  overview of, 267
  process of, 251–254
information leaks
  memory disclosure, 198
  network information, 198–199
  overview of, 196–198, 206–207
  path disclosure, 200–201
  user enumeration, 201–202
  version information, 199–200
Information Security Magazine, 29
Initial Sequence Number (ISN), 254
installation, client, 75–79, 83
installation, Nessus
  client installation, 75–79
  configuring Nessus, 65–75
  plugin updates, 79–80
  quick start guide, 46–52
  server, picking, 52–54
  source, installation from, 57–65
  source vs. binary installation, 55–57
"Installed Windows Hotfixes" check, 253, 272
Institute for Security and Open Methodologies (ISECOM), 167
integrity, 155
interface, 478–479
internal assessment, 24
internal firewall, 36
internal functions, 478–480
Internet, 32
Internet Control Message Protocol (ICMP)
  network information leaks and, 199
  ping and, 100–101
  vulnerability assessment and, 9–10
Internet Information Server (IIS), 195
intrusion detection system (IDS), [...]
intrusion prevention system (IPS), 25
intrusive scanning, 217, 219
IP address
  host detection and, 246–247
  Knowledge Base saving and, 291
IP functions, raw, 457–462
IPS (intrusion prevention system), 25
ISECOM (Institute for Security and Open Methodologies), 167
ISN (Initial Sequence Number), 254

K
keys, 66–67
Kirhenstein, Victor, 143
Knowledge Base (KB), 400
  basics, 123
  configuration options, 274–279
  data types stored in, 288
  dependency trees, 288–289
  function of, 39, 272–273
  implementation, 259–260
  information from, 181, 417
  information gathering findings in, 252–253
  limitations, 289–291, 293–294
  location of, 260, 274
  merits of, 272
  NASL API and, 393–394
  NASL2 library functions, 442
  overview of, 129, 268
  parsing, 260
  plugins data sharing, 280–287
  port number detection by, 380–381
  repeat scan avoidance with, 88–89
  reuse and scanner output, 176
  reusing saved, 279–280
  services marked in, 250
  user community and, 400
  when to use, 123
Knowledge Base saving
  compile options, 273
  configuration option, 274–275
  dangers of reuse, 279–280
  in DHCP environment, 291
  introduction of, 272
  scan and, 181
known backdoors, 195

L
lab, test, 312–313
LaBrea tarpitting, 115–116, 245
languages, 367
LaTeX, 139
Ledovskij, Sergei, 141
lexical analyzer, 476
libnasl library
  compilation of, 63–64
  goals of, 366–367
libraries, function
  FTP, 390
  HTTP, 387–389
  NASL, 387, 393–394
  NFS, 391–393
library, 365–367 see also NASL library; NASL2 library
libwhisker, 102
Linksys Gozila CGI denial of service, 259
Linksys routers, 198
Linux
  Nessus installation from binary package on, 55–56
  Nessus installation from source on, 63
  Nessus installation on, 48–51
Linux Red Hat, 173–174
listening port, 75
Liston, Tom, 116
lists see mailing lists
live systems, 9–10
load balancing, 177–178
loading, report, 142–143, 152
logfile, 71
logical operators, 434
login configuration, 492–494
login credentials, 105–107
log_plugins_name_at_load option, 72
logs, Nessus, 172, 181–182
log_whole_attack option, 72
loops, 436
Lotus Notes OpenServer Information Disclosure vulnerability, 197

M
MAC address
  Knowledge Base saving in DHCP and, 291
  Knowledge Base setting, 276
  Nessus reports and, 114
MacOS X Directory Service DoS plugin, 259
Mailing list ARChives (MARC), 407
mailing lists
  archives, accessing, 406–407
  growth of, 32–34
  messages, receipt troubleshooting, 420–421
  overview of, 400–402, 418
  plugin-writers mailing list, 368
  responses to questions, 420
  sending message to, 404–406
  subscription to, 42, 401, 402–404
Mailman
  message archiving, 406
  missing messages and, 421
  Nessus mailing lists and, 401, 402–404
  sending messages with, 404–406, 406
major milestones, 240–241
make command, 61
make install command, 61–62
Man-In-The-Middle attack, 50–51
man page, 71
MARC (Mailing list ARChives), 407
max_checks, 71, 320
max_threads, 69–70
MD5 hashing algorithm, 50–51
memory
  block, 198
  corruption, 190–191
  disclosure, 198
  management, 477–478
  Nessus daemon use of, 319–321
  requirements for Nessus installation, 53–54
messages
  mailing list, identifying, 403
  sending to mailing lists, 404–406
Microsoft Baseline Security Analyzer, 16
Microsoft, "Best Practices: Security Patch Management", 204
Microsoft HotFix checks, 272
Microsoft HotFixes enumeration, 240
Microsoft Outlook, 403
Microsoft SQL TCP/IP denial of service, 258
milestones, Nessus scan, 240–241
minor milestones, 240–241
mirror sites
  Nessus installation and, 47–48
  source files for Nessus installation, 57–58
Misc plugin, 372
miscellaneous functions, 463–465
[...] library, 391–393, 470–471
misconfigurations, 195
Moore, H.D., 235
MS SMTP DoS plugin, 255
msadcs_dll.nasl, 213
msftp_dos.nasl, 160, 213–214
multiple clients, 153
multiple key/value pairs, 289–290
MySQL
  encryption, 42
  exporting reports in, 149, 151–152
  Nessus and, 38

N
name element, report, 165
NASL see Nessus Attack Scripting Language
NASL command-line interpreter
  adding new features to grammar, 481
  adding new internal functions, 478–480
  ease of use with, 364
  internal functions interfaces, 478
  memory management, 477–478
  parser, 476–477
  report results verification with, 224
  syntax verification with, 378
  testing scripts with, 375
NASL library, 466–476
  [...] (library file names lost), 466, 466–467, 467–469, 469–470, 470–471, 471, 471–475, 475–476, 476, 476
NASL1, 424
nasl1 library, 366
NASL2 grammar, 425–439
  data types, 430–431
  declarations, 437–439
  loops and control flow, 436
  operators, 431–435
  precedence, 435–436
  preliminary remarks, 425
  syntax, 425–429
NASL2 library, 366–367, 439–476
  cryptographic functions, 462–463
  description functions, 443–447
  "glue" functions, 447
  HTTP functions, 456–457
  knowledge base functions, 442
  miscellaneous functions, 463–465
  NASL library, 466–476
  network functions, 447–452
  predefined constants, 439–441
  raw IP functions, 457–462
  report functions, 442–443
  string manipulation functions, 452–456
  "unsafe" functions, 465–466
NASL2 Reference Manual, 424–485
  endnotes, 482–485
  grammar, 425–439
  interpreter, 476–481
  introduction, 424–425
  library, 439–476
  references, 481–482
nasl_exec, 477
nasl_init.c, 480
NBE see Nessus BackEnd
nCircle's IP360 system, [...]
Nessus
  buffer overflow attacks and, 191
  components of, 34–39
  defined, 28–29
  directory traversal plugins, 192
  format string attacks and, 194
  history, 32–34
  mailing lists, 400–407
  not hacking tool, 219
  for security consultants, 31–32
  standard, 29–31
nessus-adduser utility, 67–68
Nessus Attack Scripting Language (NASL) see also NASL2 Reference Manual
  dependency trees, 288–289
  development of/reasons for, 364–368
  function libraries, 387–393
  Knowledge Base and, 280–287, 393–394
  Knowledge Base query, 272
  plugins and, 38–39, 92, 242
  regular expressions in, 385–387
  report reading, 168–171, 180–181
  scanner logic and, 158–161
  script ID and, 162, 163
  string manipulation, 383–385
  structure of script, 368–374
  writing your first, 375–383
Nessus BackEnd (NBE)
  exporting reports in, 149, 150
  format/file fields, 136–137
  Parse::Nessus::NBE tool and, 349
  report elements, 161–167
  saving/editing report in, 141
  sd2nbe tool and, 347
  vulnerability databases and, 327–328
"Nessus Book", 378–379
Nessus community, 324
nessus-core, 64
Nessus FAQ, 400, 417
Nessus GUI Client for X Windows
  in general, 134–135
  NessusWX client and, 153
  NessusWX client vs., 185
  plugin, disabling, 229–231
  report, saving/exporting to other formats, 136–142
  Report Viewer, 135–136
  reports, loading/importing, 142–143
[...] (entry name lost), 46–48
nessus-libraries, 60–63
Nessus logs, 172, 181–182
nessus mailing lists see mailing lists
Nessus nbe Log Parser, 141–142
nessus-plugins, 64–65
Nessus Project, 28–29
Nessus Report (NSR) file format, 137–138, 150
Nessus Security Scanner
  assessment process, 9, 10, 11–12
  automated vulnerability assessment tools of, 7
  hybrid approach of, 17, 18
  report, [...]
  report summary, 14
  versions, variations among, 86
Nessus server
  Knowledge Base stored on, 274
  Nessus client/server architecture, 35–37
  picking for Nessus installation, 52–54
Nessus server certificate
  connecting to Nessus server, 76, 78
  creation of, 65–66
nessus-update-plugins, 79–80, 313
nessusd server see Nessus; Nessus server
nessusd.messages file, 172
NessusWX Client for Windows
  communication on cipher layer, 84
  disabling plugin with, 227–229
  installation/setup, 77–79
  loading/importing reports, 152–153
  marking result as false positive with, 231–232
  Nessus GUI Client for X Windows vs., 185
  report, saving/exporting, 146–152
  report viewer, 143–146
net view command, 170
Netcat, 224
Net::Nessus::ScanLite tool, 348–349
NetWare plugin, 372
network
  Nessus server location, 54
  scanning, 360
  testing over, 160
  topology considerations, 302–303
network assessment
  approaches, 15–19
  described, 6–7
  function of, [...]
network audit, [...]
Network Computing Magazine, 29
Network File System (NFS), 391–393
network functions, NASL2 library, 447–452
network information, 198–199
network intrusion detection system (NIDS)
  evasion techniques, 102–104
  HTTP evasion of, 102
  role of, [...]
Network Time Protocol (NTP), 257
network vulnerability assessment, 8–14, 22
NeWT Windows client, 84
NFS (Network File System), 391–393
[...] library, 391–393, 471
nice C operators, 432–433
NIDS see network intrusion detection system
Nikto, 102
NIS plugin, 372
Nmap
  configuring, 107, 110–111
  host detection and, 247
  port scanning for service detection, 248–249
  port scans with, 116, 306–308
  portscanning back engine, 350–351
  report filtering with, 346
  scan in Knowledge Base, 281
  Synscan.nasl vs., 108
  TCP/IP and, 109–110
Nmap wrapper plugin, 245
nmap.nasl, 248
nmap_wrapper.nes, 248
"NNP" The Nessus nbe Log Parser, 141–142
no404 plugin, 256
no404.nasl script
  function of, 235
  report reading, 169–170
  scanner output and, 174
noise, 221–222
nonintrusive scanning, 219
non_simult_ports option, 73
NSR (Nessus Report) file format, 137–138, 150
NTP (Network Time Protocol), 257
ntpd overflow plugin, 257
NULL byte, 384

O
Online Plugin Database, 407–409, 418–419
Open Source Testing Methodology (Institute for Security and Open Methodologies), 167
Open Source Vulnerability Database (OSVDB), 162, 223
open-source vulnerability scanner, 28–29
OpenSSH Username Validity Timing Attack, 201–202
OpenSSL, 57, 462
operating systems, 53
operators, NASL2, 431–435
optimize_test option, 73, 176
os_fingerprint.nasl, 162
osTicket Attachment Code Execution vulnerability, 244
OSVDB (Open Source Vulnerability Database), 162, 223
output see scanner output
outsider vulnerability assessment approach, 16–17, 22

P
packagers, 56
"packet forgery" message, 375, 222
parent path, 192
Parse::Nessus::NBE tool, 349
parser, 476–477
parsing, entries, 260–261
password-based authentication, 325–326
passwords
  best-practices vulnerability and, 205
  default passwords as critical vulnerabilities, 194–195
  Mailman, 404
  in Nessus installation process, 61
  scanner output and, 175–176
  user account creation and, 67
  vulnerability assessment and, 25
patches
  hybrid approach and, 17–19
  submitting, 416, 419
  vulnerability assessment and, [...]
path disclosure, 200–201
PC Magazine, 28
PDF (Portable Document Format), 148
Peer-to-Peer file sharing plugin, 373
penetration test, 24–25
performance, 113
Perl, 327–329, 365
persistent vulnerabilities, 344
Peteanu, Razvan, 204
PGP signatures, 348–349
PHP script, 200–201
pie, 139–141
ping host, 100–101, 117
  scanner and, 174
Ping of Death, 202
ping plugin, 245
ping_host.nasl plugin, 246–247
ping_hosts, 70
"pkt_forge", 424
plain text, 147
plugin dependency rule, 243–245
plugin-writers mailing list, 368
( #!/usr/bin/perl, 261–265
plugins see also scripts; tests
  bugs in, 178
  categories, 99
  dependencies, 322–323
  disabling, 226, 227–232
  DoS and, 93
  enabling specific, 93–96
  false positive and, 223, 237–238
  feedback on, 225–226
  filter, using, 97–99
  fingerprinting plugins, 254–258
  host detection plugin, 246–247
  information, 100
  information gathering, 251–254
  Knowledge Base and, 39, 272, 280–287
  Knowledge Base configuration options, 274–278
  knowledge of, 268
  memory consumption, 319–321
  milestones and, 240–241
  NASL, 38–39
  NASL history/reasons for, 364–368
  Nessus architecture/design, 242–245
  Nessus community and, 324
  Online Plugin Database, 407–409, 418–419
  overview of, 92–93, 127
  selection of, 89, 171–172
  service detection plugins, 248–251
  submitting, 416–417, 419
  threat specific scanning and, 321–322
  updates, 79–80, 83, 313–316
  when to use, 130
  Windows, 130
  writing NASL script, 367–368, 375–383
plugins-writers, 401
plugins_folder, 71
plugins_timeout option, 73
plugin_upload option, 74
port field, 162
port range, 112
port scan
  with Nmap, 116
  for service detection, 248–251
  in vulnerability assessment, 10–11
port scanner, 115
Port scanners plugin, 373
Portable Document Format (PDF), 148
port_range option, 70, 72
ports
  detection by Knowledge Base, 380–381
  direct connection to, 381
  information-gathering plugin, 252
  NBE file field, 137
  service detection and, 250–251
  service identification and, 11–12
  unscanned, 112
  vulnerability assessment and, 249
portscanner, 174–175
portscanning phase, 306–308
POSIX Extended regular expression syntax, 385–386
precedence, 435–436
predefined constants, 439–441
print server, 20
printer
  best-practices vulnerability of, 205
  problems with, 354–355
*printf() function, 192–193
private key, 66
process count, 113
proxy, 159–160, 175
public key, 66
Putty Modpow integer handling plugin, 253

Q
questions, report, 168–171
QuickSearch, Bugzilla, 410
quotes, 384

R
Raptor firewalls, 254
Raptor/Novell Weak ISN plugin, 254
raw IP functions, 457–462
reactive security measure, [...]
reading arguments, 479
Red Hat Package Manager (RPM), 49–50
register_service(port, proto) call, 281–282
registry, 18
registry, system, 488–495
regular expressions, 385–387
remote file access plugin, 373
report functions, NASL2 library, 442–443
report, reading, 154–182
  key report elements, 161–171
  overview of, 154, 184–185
  risk, 156–158
  scanner logic, 158–161
  scanner output, 171–182
  vulnerabilities, 155–156
report types, 167
report viewer
  Nessus GUI Client for X Windows, 135–136
  NessusWX Client for Windows, 143–146
reports
  analysis for false positive detection, 222–225
  BOSS GUI, 153–154
  bug, submitting with Bugzilla, 413–416
  combining, 326–334
  critical vulnerabilities in, 188–189
  differential, 334–345
  false positives in, 237
  filtering, 345–347
  MAC addresses and, 114
  Nessus GUI Client for X Windows, 134–143
  Nessus report accuracy, 185–186
  NessusWX Client for Windows, 143–153
  overview of, 359
  vulnerabilities reporting, 14
  of vulnerability assessment, [...]
resources, 182, 400 see also web sites
result viewer toolbar, NessusWX, 145–146
returning a value, 480
reuse, Knowledge Base, 276–278, 279–280
reverse proxy, 177
risk
  attack types, 156–158
  critical vulnerability levels, 188–189
  determination of, 215
  elements of, 156
  Nessus scan, 87–88
risk factors
  in HTML report, 140–141
  in report, 166–167
Rivest, Ron, 50
root password, 61
root privilege, 62
RPC plugin, 373
RPM (Red Hat Package Manager), 49–50
rules
  client-based, 325
  daemon-based, 324–325
  for user account, 67–68
rules option, 75

S
safe checks
  scanner output and, 173–174
  testing approach and, 219–220
  vulnerability fingerprinting plugins and, 257
Safe checks mode, 113–114
safe_checks option
  banner and scanner report, 159
  function of, 74
SANS Institute (Sysadmin, Audit, Network, Security Institute), 34
Sasser worm, 189
SATAN (Security Administrator Tool for Analyzing Networks), 6, 32
save function, 145
saving, report, 136–142, 146–152
scalability, 35, 361
scan options
  connect scanner, 116
  continuous scan, 115
  detached scan, 114–115
  e-mailing results, 115
  host/process count, 113
  hosts, pinging each, 117
  MAC address, report by (DHCP), 114
  Nmap for port scans, 116
  optimized checks, 113
  overview of, 111–112, 128
  port range, 112
  port scanner, configuring, 115–116
  ports, unscanned, 112
  Safe checks mode, 113–114
  wildcard host, ignoring top level, 117–118
scan preferences
  host ping, specifying, 100–101
  Hydra, brute force with, 104–105
  login credentials, configuring, 105–107
  NIDS evasion, 102–104
  Nmap, configuring, 107–111
  overview of, 100, 128
  SMB scope, 105
  SNMP, configuring, 107
  WWW checks, configuring, 101–102
scanner
  configuration, 186, 359
  configuration files, 179–180
  enterprise configuration, 316–326
  job of, 215
  Knowledge Base and, 181
  logic, 158–161
  report results verification with, 223–224
  testing approach of, 219–220
scanner output
  bugs in plugins, 178
  configuration files, 179–180
  dependencies role, 172
  Knowledge Base, 176, 181
  NASL and, 180–181
  Nessus logs, 181–182
  no404.nasl script, 174
  ping remote host, 174
  plugin selection and, 171–172
  portscanner settings, 174–175
  proxies, firewalls, TCP wrappers, 175
  safe checks and, 173–174
  scanning web servers, web sites, 177
  settings that impact, 176–177
  valid credentials, 175–176
  web servers, load balancing, 177–178
scanning
  frequency, 360
  intrusive scanning, 217
  Nessus approach to, 219–220
  nonintrusive scanning, 217–218
  web servers, web sites, 177
scanning, enterprise
  aggressive scanning, problems with, 350–351
  bandwidth requirements, 303–312
  deployment needs analysis, 296–302
  described, 296
  differential reporting in, 334–345
  Nessus automated updates, 312–316
  network topology considerations, 302–303
  overview of, 358
  printers, problems with, 354–355
  reports combining in, 326–334
  reports filtering, 345–347
  scanner configuration, 316–326
  third-party tools for Nessus, 347–349
  volatile applications, problems with, 352–354
  workstations, scanning, 355–357
scans
  architecture/design, 241–246
  client configuration for remote logon, 492–495
  in command-line mode, 79
  configuring/running, 419
  continuous, 115
  denial-of-service testing, 258–259
  detached, 114–115
  host detection, 246–247
  information gathering, 251–254
  key report elements, 161–171
  Knowledge Base, 259–261
  Knowledge Base configuration options, 275–279
  Knowledge Base data from, 272
  milestones, 240–241
  Nessus configuration and, 69–70
  network location of Nessus server and, 54
  ( #!/usr/bin/perl, 261–265
  preparing for first, 126–127
  scheduling of, 125
  sequential for network analysis, 124
  service detection, 248–251
  SYN, 109–110
  vulnerability fingerprinting, 254–258
scans, running
  authentication information, 89
  authorization, 87
  DoS and, 88
  missing information and, 88–89
  Nessus client, starting, 90–92
  Nessus Knowledge Base, 123
  overview of, 86
  plugin selection, 89
  plugins, 92–100
  preferences, 100–111
  risk vs. benefit, 87–88
  scan options, 111–118
  security officers and, 90
  starting scan, 123–125
  target selection, 118–122
  user information, 122–123
script body section, 369
script description section
  code of, 368–369
  for FTP banner NASL script, 377–378
  functions of, 369–374
script ID field, 162
script_bugtraq_id, 373
script_category(), 370–371
script_copyright(english:""), 371
script_cve_id, 373
script_dependencie() function
  find_service.nes and, 383
  function of, 374
  for http_version.nasl, 389
script_description(english:""), 369–370
script_exclude_keys, 374
script_family(english:""), 371–373
script_id, 137
script_id(), 369
script_name(english:""), 369
script_require_keys, 374
script_require_ports, 374
scripts see also Nessus Attack Scripting Language; plugins; tests
  Knowledge Base used within NASL, 280–287
  for remote scan logon, 490–491
script_summary(english:" "), 370
script_timeout, 374
script_xref, 373–374
sd2nbe tool, 347
search and replace, 385
search function, 145
Secure Sockets Layer (SSL), 12, 37
SecuriTeam web site, 223
security
  false positives and, 216–217
  of Knowledge Base information, 279–280
  NASL goals for, 366–367
  Nessus architecture for, 35–37
  Nessus for, 30–32
  scanning and, 324
  technical personnel and, 360–361
  user accounts and, 68–69
  vulnerability assessment for, 2–3
Security Administrator Tool for Analyzing Networks (SATAN), 6, 32
security consultant, 30–32
security hole, 167
security identifiers (SIDs), 105
security note, 167
security officers, 90
security warning, 167
SecurityFocus Bugtraq ID (BID) number, 165, 222
security_hole, 163–164, 375–376
security_note, 163–164, 375–376
security_warning, 163–164, 375–376
Send fake RST when establishing a TCP connection, 103–104
server see also Nessus server; web server
  configurable settings, 419
  information leaks and, 197
  picking for Nessus installation, 52–54, 82
  version information leaks by, 199–200
  vulnerability fingerprinting, 255–258
  web, scanning, 101–102
server certificate, 65–66, 76, 78
Server Error (error 5000), 233
Server Message Block (SMB), 105, 106–107
service banners, 213
service detection
  in Nessus scan, 240–241
  overview of, 266–267
  process of, 248–251
service, fingerprinting, 400
service identification, 11–12
services, 10–12
sessions, 122
set_kb_item(string: name, string: value), 282–283
shared libraries, 364–365
Shavlik Technology's HFNetChkPro, 18
Shipley, Greg, 29
"Shoulders of Giants" (Zymaris), 400
SIDs (security identifiers), 105, 203
Simple Mail Transfer Protocol (SMTP) server, 255
Simple Network Management Protocol (SNMP), 107, 199
single quotes, 384
Slapper worm, 189
SMB log in plugin, 252–253, 261
SMB (Server Message Block), 105, 106–107
smb_hotfixes.nasl plugin, 253
smb_lanman_browse_list.nasl script, 288–289
smb_login_deloder.nsl, 257
[...] library, 471–475
SMP (Symmetric Multiprocessing), 321
SMTP Problems plugin, 373
SMTP (Simple Mail Transfer Protocol) server, 255
[...] library, 475–476
SNMP plugin, 373
SNMP (Simple Network Management Protocol), 107, 199
social engineering, 197
software
  Bugzilla, 409–416
  for Nessus installation from source, 57
  open source, 400
  where to find, 400
Solaris, 51–52, 63
Solaris sadmind [entry cut off at the end of the preview]
arbitrary command execution flaw, 189 solution element, report, 166 Sophocles, 28 source, installing Nessus from, 57–65 binary vs., 55–57, 82 components to download, 58–60 /configure, 60–65 mirror sites with source files, 57–58 overview of, 82 TLFeBOOK Index software prerequisites, 57 spammers, 2–3 speed of Nessus web queries, 256–257 source vs binary Nessus installation and, 56 SQL commands, 150 SSH to perform local security checks plugin, 253 SSL-based services, 176–177 SSL (Secure Sockets Layer), 12, 37 stand-alone vulnerability assessment tools, string() function, 383, 384 string operators, 433 strings defined in NASL, 384 manipulation functions, 452–456 NASL scripting, 383–385 regular expressions in NASL, 385–387 subnet field, 161 subscription service solutions, subscriptions, mailing list, 42, 401, 402–404 subtraction (-) operator, 384–385 Sunfreeware, 52 support, Nessus, 42 SUSE Linux system, 49 symbolic link attack, 261 symmetric encryption, 66 Symmetric Multiprocessing (SMP), 321 SYN scans, 109–110, 115 Synscan.nasl, 108 syntactic analyzer, 477 syntax, NASL2 grammar, 425–429 syntax tree, 477 Sysadmin, Audit, Network, Security Institute (SANS Institute), 34 system administration, system requirements, Nessus daemon, 319–321 system restart, 21 T -t , 375 -T , 375 tar balls, 59–60 ‘tar xzf ’ command, 59–60 target selection automatic sessions, saving, 122 common scanning issues, 120 method for, 119–120 overview of, 118, 128 target ranges, 120–122 zone transfers, 122 TCP/IP (Transmission Control Protocol/Internet Protocol), 109–110 TCP ping described, 100–101 host detection with, 246, 247 TCP ports, 247 TCP (Transmission Control Protocol), 10–11 TCP wrappers, 175 tcp_chorusing.nasl plugin, 323 tcpdump code, 62 technical false positives, 212–214 Telnet, 224, 476 temporary report file, 261 10 East, 407 Tenable Security, 42 testing see also plugin; scripts intrusive scanning, 217 Knowledge Base and, 273–274 Knowledge Base configuration options and, 275–279 Nessus 
approach to, 219–220 in Nessus scan process, 241 newly written plugin, 379–380 nonintrusive scanning, 217–218 phase described, 308–312 procedures, 312–316 Thimm, Axel, 49 threats, 321–324 time age of Knowledge Base, 277–278, 294 false positives waste, 216 issues of assessment tools, 19–20 Time-To-Live (TTL) field, 103 timing policy, 111 TLS (Transmission Layer Security), 37 toggle false by plugin ID, 145–146 toggle false function, 145 tools Net::Nessus::ScanLite, 348–349 Related Tools, 417, 419 sd2nbe, 347 update-nessusrc, 316, 322 where to find, 420 topologies, scanning 507 described, 316–317 flat, 317–318 islands, 317 star, 318–319 topology, network, 302–303 Transmission Control Protocol/Internet Protocol (TCP/IP), 109–110 Transmission Control Protocol (TCP), 10–11 Transmission Layer Security (TLS), 37 triple handshake, 109–110 trojan_horses.nasl, 159 troubleshooting aggressive scanning, 350–351 common scanning issues, 120 enterprise scanning, 359 printer problems, 354–355 scans, 129–130 volatile applications, 352–354 workstation scanning, 355–357 “trusted” NASL scripts, 397 TTL (Time-To-Live) field, 103 Turkia, Miika, 141 two-factor authentication, 67 type field, 137, 163–164 types, report, 167 U, 476 UDP (User Datagram Protocol), 10, 110 unencrypted traffic, 37 uninstall-nessus script, 60–61 uninstallation, Nessus, 60–61 UNIX disabling plugin in, 229–231 Nessus GUI Client for X Windows, 134–143 “unsafe” functions, 465–466 Untested plugin, 373 update-nessusrc, 316, 322 updates automated, 312–316 Nessus, 55–56 plugin, 79–80, 83, 178 vulnerability assessment and, Useless services plugin, 373 use_mac_addr option, 74 user account, 67–75 user community bug reporting via Bugzilla, 409–416 TLFeBOOK 508 Index information/help, additional, 417 mailing lists, 400–407 overview of, 400, 418 patches/plug-ins, submitting, 416–417 plug-in database, online, 407–409 User Datagram Protocol (UDP), 10, 110 user enumeration, 201–202 user information Nessus server configuration and, 
122–123 overview of, 128–129 user logon scripts, 491 username, 201–202 Using NetBIOS to retrieve information from a Windows host plugin, 252 utilities, 99 Nessus site, 182 nessus-update-plugins updates, 313 Online Plugin Database, 407, 418 plugins, 99, 409 scanning, 177 Sunfreeware, 52 “Taking Over Cleartext Protocol on Switched Networks”, 47 vulnerability information, 222–223 WebDAV vulnerability, 217–218 Webmin, 233–235 webmirror.nasl plugin, 256 Wikipedia, 212 wildcard hosts, 117–118 Windows, administrative assessment approach for, 15–16 Windows client communication on cipher layer, V 84 van der Kooij, Hugo, 400 installation/setup, 77–79 variable declarations, 437 Windows domain logon script, Venema, Wietse, 491 verification, report results, Windows plugin, 373 223–225 Windows User Management version banners, 254 plugin, 373 version detection, 13 WinNuke, 202 version information, 199–200 Witty worm, 189 versions, Nessus, 86 workstations, scanning, 355–357 W vulnerabilities worms war driving, 194 administrator security critical vulnerabilities and, 189 web applications, 21 vulnerability report, 69 detection plugins, 92–96 web browser, 224 attack types, 156–158 wrapper, plugin, 242–243 elements susceptible to attack, web server writing NASL scripts false positives and, 21, 169–170, 155–156 first script, 375–383 233–234 false positives and, 212 reasons for, 367–368 intrusive scanning, 217 identification in assessment wu_ftpd_site_exec.nasl, 214 load balancing, 177–178 process, 13 no404.nasl script, 174 noise reduction and, 221 X scanning, 101–102, 177 plugins, writing for, 416–417 XML (Extensible Markup reporting in assessment process, web sites Language), 138 ATrpms collection, 49 14 Bug Tracker, 409 vulnerability assessment for, Bug Writing Guidelines, 416 web sites for information on, Z Bugzilla, 412 222–223 zone transfers, 122 help/information, 417 vulnerability assessment Zymaris, Con, 400 LaTeX project, 139 administrative approach, 15–16 mailing list 
archives, 406–407 automated, 7–14 mailing list resources, 401 defined, 2–3 mirror sites for Nessus expectations for, 19–21 installation source files, hybrid approach, 17–19 57–58 important points of, 23–24 outsider approach, 16–17 types of, 5–7 uses for, 4–5 vulnerability database overview of, 326–327 preparation for report generation, 327–334 vulnerability, definition, 2, 155 vulnerability fingerprinting overview of, 267 process of, 254–258 vulnerability report see report, reading; reports vulnerability scanner critical vulnerabilities and, 189 false positives of, 212 Nessus as standard, 29–31 Nessus history, 32–34 Nessus project, 28–29 vulnerability testing intrusive scanning, 217 Nessus approach to, 219–220 in Nessus scan process, 241 nonintrusive scanning, 217–218 Vulnerability tree, 143–144 vulnerability types best practices, 204–205 critical vulnerabilities, 188–196 denial of service, 202–203 information leaks, 196–202 vulnerability classification, 188 TLFeBOOK GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed Preamble The licenses for most software are designed to take away your freedom to share and change it By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software—to make sure the software is free for all its users.This General Public License applies to most of the Free Software Foundation’s software and to any other program whose authors commit to using it (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) 
You can apply it to your programs, too.

When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.

To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it.

For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.

We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software.

Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations.

Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all.

The precise terms and conditions for copying, distribution and modification follow.

TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you".

Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.

1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.

You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.

2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:

a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.

b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.

c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)

These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.

Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.

In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.

3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:

a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)

The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.

4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.

6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.

7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.

If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.

It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.

This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.

8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.

9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.

10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.

NO WARRANTY

11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

END OF TERMS AND CONDITIONS

How to Apply These Terms to Your New Programs

If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms.

To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found.

<one line to give the program's name and an idea of what it does.>
Copyright (C) yyyy <name of author>

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

Also add information on how to contact you by electronic and paper mail.

If the program is interactive, make it output a short notice like this when it starts in an interactive mode:

Gnomovision version 69, Copyright (C) year name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details.

The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items—whatever suits your program.

You should also get your employer (if you work as a programmer) or your school, if any, to
sign a “copyright disclaimer” for the program, if necessary Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision’ (which makes passes at compilers) written by James Hacker signature of Ty Coon, April 1989 Ty Coon, President of Vice This General Public License does not permit incorporating your program into proprietary programs If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library If this is what you want to do, use the GNU Library General Public License instead of this License SYNGRESS PUBLISHING LICENSE AGREEMENT THIS PRODUCT (THE “PRODUCT”) CONTAINS PROPRIETARY SOFTWARE, DATA AND INFORMATION (INCLUDING DOCUMENTATION) OWNED BY SYNGRESS PUBLISHING, INC (“SYNGRESS”) AND ITS LICENSORS.YOUR RIGHT TO USE THE PRODUCT IS GOVERNED BY THE TERMS AND CONDITIONS OF THIS AGREEMENT LICENSE: Throughout this License Agreement,“you” shall mean either the individual or the entity whose agent opens this package.You are granted a limited, non-exclusive and non-transferable license to use the Product subject to the following terms: (i) If you have licensed a single user version of the Product, the Product may only be used on a single computer (i.e., a single CPU) If you licensed and paid the fee applicable to a local area network or wide area network version of the Product, you are subject to the terms of the following subparagraph (ii) (ii) If you have licensed a local area network version, you may use the Product on unlimited workstations located in one single building selected by you that is served by such local area network If you have licensed a wide area network version, you may use the Product on unlimited workstations located in multiple buildings on the same site selected by you that is TLFeBOOK served by such wide area network; provided, however, that any building will not be considered located in the same site if it is more than 
five (5) miles away from any building included in such site In addition, you may only use a local area or wide area network version of the Product on one single server If you wish to use the Product on more than one server, you must obtain written authorization from Syngress and pay additional fees (iii) You may make one copy of the Product for back-up purposes only and you must maintain an accurate record as to the location of the back-up at all times PROPRIETARY RIGHTS; RESTRICTIONS ON USE AND TRANSFER: All rights (including patent and copyright) in and to the Product are owned by Syngress and its licensors.You are the owner of the enclosed disc on which the Product is recorded.You may not use, copy, decompile, disassemble, reverse engineer, modify, reproduce, create derivative works, transmit, distribute, sublicense, store in a database or retrieval system of any kind, rent or transfer the Product, or any portion thereof, in any form or by any means (including electronically or otherwise) except as expressly provided for in this License Agreement.You must reproduce the copyright notices, trademark notices, legends and logos of Syngress and its licensors that appear on the Product on the back-up copy of the Product which you are permitted to make hereunder All rights in the Product not expressly granted herein are reserved by Syngress and its licensors TERM: This License Agreement is effective until terminated It will terminate if you fail to comply with any term or condition of this License Agreement Upon termination, you are obligated to return to Syngress the Product together with all copies thereof and to purge and destroy all copies of the Product included in any and all systems, servers and facilities DISCLAIMER OF WARRANTY: THE PRODUCT AND THE BACK-UP COPY OF THE PRODUCT ARE LICENSED “AS IS” SYNGRESS, ITS LICENSORS AND THE AUTHORS MAKE NO WARRANTIES, EXPRESS OR IMPLIED, AS TO RESULTS TO BE OBTAINED BY ANY PERSON OR ENTITY FROM USE OF THE PRODUCT AND/OR ANY 
INFORMATION OR DATA INCLUDED THEREIN SYNGRESS, ITS LICENSORS AND THE AUTHORS MAKE NO EXPRESS OR IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE WITH RESPECT TO THE PRODUCT AND/OR ANY INFORMATION OR DATA INCLUDED THEREIN IN ADDITION, SYNGRESS, ITS LICENSORS AND THE AUTHORS MAKE NO WARRANTY REGARDING THE ACCURACY, ADEQUACY OR COMPLETENESS OF THE PRODUCT AND/OR ANY INFORMATION OR DATA INCLUDED THEREIN NEITHER SYNGRESS, ANY OF ITS LICENSORS, NOR THE AUTHORS WARRANT THAT THE FUNCTIONS CONTAINED IN THE PRODUCT WILL MEET YOUR REQUIREMENTS OR THAT THE OPERATION OF THE PRODUCT WILL BE UNINTERRUPTED OR ERROR FREE.YOU ASSUME THE ENTIRE RISK WITH RESPECT TO THE QUALITY AND PERFORMANCE OF THE PRODUCT LIMITED WARRANTY FOR DISC: To the original licensee only, Syngress warrants that the enclosed disc on which the Product is recorded is free from defects in materials and workmanship under normal use and service for a period of ninety (90) days from the date of purchase In the event of a defect in the disc covered by the foregoing warranty, Syngress will replace the disc LIMITATION OF LIABILITY: NEITHER SYNGRESS, ITS LICENSORS NOR THE AUTHORS SHALL BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, CONSEQUENTIAL OR SIMILAR DAMAGES, SUCH AS BUT NOT LIMITED TO, LOSS OF ANTICIPATED PROFITS OR BENEFITS, RESULTING FROM THE USE OR INABILITY TO USE THE PRODUCT EVEN IF ANY OF THEM HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES THIS LIMITATION OF LIABILITY SHALL APPLY TO ANY CLAIM OR CAUSE WHATSOEVER WHETHER SUCH CLAIM OR CAUSE ARISES IN CONTRACT,TORT, OR OTHERWISE Some states not allow the exclusion or limitation of indirect, special or consequential damages, so the above limitation may not apply to you U.S GOVERNMENT RESTRICTED RIGHTS If the Product is acquired by or for the U.S Government then it is provided with Restricted Rights Use, duplication or disclosure by the U.S Government is subject to the restrictions set forth in FAR 52.227-19.The 
contractor/manufacturer is Syngress Publishing, Inc. at 800 Hingham Street, Rockland, MA 02370.

GENERAL: This License Agreement constitutes the entire agreement between the parties relating to the Product. The terms of any Purchase Order shall have no effect on the terms of this License Agreement. Failure of Syngress to insist at any time on strict compliance with this License Agreement shall not constitute a waiver of any rights under this License Agreement. This License Agreement shall be construed and governed in accordance with the laws of the Commonwealth of Massachusetts. If any provision of this License Agreement is held to be contrary to law, that provision will be enforced to the maximum extent permissible and the remaining provisions will remain in full force and effect.

*If you do not agree, please return this product to the place of purchase for a refund.

Syngress: The Definition of a Serious Security Library

Syn•gress (sin-gres): noun, sing. Freedom from risk or danger; safety. See security.

AVAILABLE NOW order @

Snort 2.1 Intrusion Detection, Second Edition
Jay Beale, Brian Caswell, et al.

“The authors of this Snort 2.1 Intrusion Detection, Second Edition have produced a book with a simple focus: to teach you how to use Snort. From the basics of getting started to advanced rule configuration, they cover all aspects of using Snort, including basic installation, preprocessor configuration, and optimization of your Snort system.”
—Stephen Northcutt, Director of Training & Certification, The SANS Institute
ISBN: 1-931836-04-3
Price: $49.95 U.S. $69.95 CAN

AVAILABLE NOW order @

Ethereal Packet Sniffing

Ethereal offers more protocol decoding and reassembly than any free sniffer out there and ranks well among the commercial tools. You’ve all used tools like tcpdump or windump to examine individual packets, but Ethereal makes it easier to make sense of a stream of ongoing network communications. Ethereal not only makes network troubleshooting work far easier, but also
aids greatly in network forensics, the art of finding and examining an attack, by giving a better “big picture” view. Ethereal Packet Sniffing will show you how to make the most out of your use of Ethereal.
ISBN: 1-932266-82-8
Price: $49.95 U.S. $77.95 CAN

AVAILABLE NOW order @

The Mezonic Agenda: Hacking the Presidency
Dr. Herbert H. Thompson and Spyros Nomikos

The Mezonic Agenda: Hacking the Presidency is the first cyber-thriller that allows the reader to “hack along” with both the heroes and villains of its fictional narrative, using the accompanying CD, which contains real, working versions of all the applications described and exploited in the book. The Mezonic Agenda deals with some of the most pressing topics in technology and computer security today, including reverse engineering, cryptography, buffer overflows, and steganography. The book tells the tale of criminal hackers attempting to compromise the results of a presidential election for their own gain.
ISBN: 1-931836-83-3
Price: $34.95 U.S. $50.95 CAN

... the www.nessus.org site. We’ve also included NeWT v2.0, a stand-alone security scanner made available by Tenable Network Security. NeWT (Nessus Windows Technology) is a native port of Nessus under... 347
Nessus Integration with Perl and Net::Nessus::ScanLite 348

Contents
Nessus NBE Report Parsing Using Parse::Nessus::NBE
Common...

author of the open-source Nessus vulnerability scanner project. He has worked for SolSoft, and founded his own computing security consulting company, Nessus Consulting. Nessus has won numerous awards,