Nsat
Description
NSAT (a.k.a. Network Security Analysis Tool) is a fast, stable bulk security scanner designed to audit remote network services and check for versions, security problems, gather information about the servers and the machine and much more. Unlike many other auditing tools, it can collect information about services independently of vulnerabilities, which makes it "timeless", meaning it doesn't depend on frequent updates as new vulnerabilities are found.
Installation
Recommended installation
$ cd /data/src/
$ wget http://prdownloads.sourceforge.net/nsat/nsat-1.5.tgz
$ tar xf nsat-1.5.tgz
$ cd nsat/
$ ./configure
$ make
$ sudo make install
Pre-patched version
If you get the following error while compiling:
$ make
make[1]: entrant dans le répertoire « /data/src/nsat/src »
make[2]: entrant dans le répertoire « /data/src/nsat/src/smb »
compiling ADM smb scanner...
In file included from ./client.c:73:
./ADMsmb.c: In function ‘ADMsmb’:
./ADMsmb.c:126: error: lvalue required as unary ‘&’ operand
make[2]: *** [client.o] Erreur 1
make[2]: quittant le répertoire « /data/src/nsat/src/smb »
make[1]: *** [../smb-ns] Erreur 2
make[1]: quittant le répertoire « /data/src/nsat/src »
make: *** [all] Erreur 2
you can use my pre-patched version instead:
$ cd /data/src/
$ wget http://dl.dropbox.com/u/10761700/nsat-1.5-patched.tar.bz2
$ bzip2 -cd nsat-1.5-patched.tar.bz2 | tar xf -
$ cd nsat
$ ./configure
$ make
$ sudo make install
Shortcut
Optionally, create a symbolic link in your /pentest/ directory:
$ mkdir -p /pentest/scanners/nsat/
$ ln -s /usr/local/bin/nsat /pentest/scanners/nsat/nsat
Usage
Basic syntax
$ ./nsat [options] -h <hostname>
$ ./nsat [options] -f <input file>
$ ./nsat [options] -s <start ip> -e <end ip>
Options
- -L: new logging mode: create a directory for each host
- -A: go into agent mode, waiting for scan requests
- -M <agentlist>: scan through the specified agents rather than locally
- -E <file>: specify a file containing excluded IP address ranges
- -C <file>: specify a custom configuration file
- -V <host>: specify a virtual host or IP address to scan from
- -n: don't go into the background; report status to the console
- -t <n>: set the connection timeout to n seconds
- -m <n>: set the maximum process count to n
- -l <n>: set the maximum number of seconds to spend scanning one host
- -i <n>: set the idle time for coward mode to n seconds
- -p <0/1>: ping dependence: don't scan on ping timeouts
- -c <0/1>: coward mode: watch out for local user activity
- -v <0-3>: old-style scan intensity (0-3) (deprecated)
Examples
Windows XP
The following example shows the output of nsat launched against a Windows XP SP3 box with IIS installed:
$ sudo ./nsat -h 10.1.1.2
$ for i in *.log; do echo '-----'$i'-----'; cat $i; done;
-----cgi.log-----
10.1.1.2 - ../..
10.1.1.2 - /%00.nsf/../lotus/domino/notes.ini
-----ftp.log-----
10.1.1.2 - 220 Microsoft FTP Service
10.1.1.2 - anonymous login
-----httpd.log-----
10.1.1.2 - Microsoft-IIS/5.1
-----netbios.log-----
10.1.1.2 - OOPS-4604F61946
-----sendmail.log-----
10.1.1.2 220 oops-4604f61946 Microsoft ESMTP MAIL Service, Version: 6.0.2600.5512 ready at Sun, 28 Nov 2010 13:44:56 +0100
Linux Debian
Another example, this time on a Debian box:
$ for i in *.log; do echo '-----'$i'-----'; cat $i; done;
-----httpd.log-----
10.1.1.3 - Apache
-----os.log-----
10.1.1.3 - Linux kernel 2.0.x
-----ports.log-----
10.1.1.3 - portmap
-----rpc.log-----
10.1.1.3 - 100000 111 tcp 2 134621955
10.1.1.3 - 100000 111 udp 2 134621955
10.1.1.3 - 100024 57319 udp 1 134626365 VULNERABLE
10.1.1.3 - 100024 57609 tcp 1 134626365 VULNERABLE
-----sendmail.log-----
10.1.1.3 220 foo.bar.com ESMTP Exim 4.69 Sun, 28 Nov 2010 13:49:22 +0100
-----ssh.log-----
10.1.1.3 - SSH-2.0-OpenSSH_5.1p1 Debian-5
Notice that two vulnerabilities were flagged in the second example. We can confirm that these two ports are open with an Nmap scan.
First port: 57319/udp:
$ sudo nmap -sU -sV -p 57319 10.1.1.3

Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-11-28 14:00 CET
Nmap scan report for 10.1.1.3
Host is up (0.0048s latency).
PORT      STATE SERVICE VERSION
57319/udp open  status  1 (rpc #100024)
MAC Address: 00:50:8B:**:**:** (Hewlett Packard)

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.71 seconds
Second port: 57609/tcp:
$ sudo nmap -sS -sV -p 57609 10.1.1.3

Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-11-28 14:03 CET
Nmap scan report for 10.1.1.3
Host is up (0.064s latency).
PORT      STATE SERVICE VERSION
57609/tcp open  status  1 (rpc #100024)
MAC Address: 00:50:8B:**:**:** (Hewlett Packard)

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.62 seconds
An audit on the machine itself confirms this:
# lsof | grep 57609
rpc.statd 2147 statd 8u IPv4 4890 TCP *:57609 (LISTEN)
# lsof | grep 57319
rpc.statd 2147 statd 7u IPv4 4887 UDP *:57319
# ps aux | grep statd
statd     2147  0.0  0.0   1956   728 ?     Ss   05:33   0:00 /sbin/rpc.statd
root     30491  0.0  0.0   3148   768 pts/0 R+   14:13   0:00 grep statd
rpc.statd is installed on the machine; this service ships with the nfs-common package:
# dpkg -l | grep nfs
ii  libnfsidmap2   0.20-1            An nfs idmapping library
ii  nfs-common     1:1.1.2-6lenny2   NFS support files common to client and serve
For more information on this vulnerability, please refer to: http://www.cert.org/advisories/CA-1996-09.html.
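The per-service log files shown above follow a simple layout (one finding per line, flagged entries ending in VULNERABLE), which makes them easy to triage mechanically before the manual nmap and lsof confirmation. The following is an added example, not part of NSAT or of this page's original content: it parses that layout into a per-host summary and lists the flagged entries, assuming only the line formats visible on this page (the embedded sample input is the Debian rpc.log, sendmail.log and ssh.log from the example above).

```python
import re
from collections import defaultdict

# Constructed sample input: rpc.log, sendmail.log and ssh.log from the Debian example on this page.
SAMPLE_LOGS = {
    "rpc.log": ("10.1.1.3 - 100000 111 tcp 2 134621955\n"
                "10.1.1.3 - 100000 111 udp 2 134621955\n"
                "10.1.1.3 - 100024 57319 udp 1 134626365 VULNERABLE\n"
                "10.1.1.3 - 100024 57609 tcp 1 134626365 VULNERABLE\n"),
    "sendmail.log": "10.1.1.3 220 foo.bar.com ESMTP Exim 4.69 Sun, 28 Nov 2010 13:49:22 +0100\n",
    "ssh.log": "10.1.1.3 - SSH-2.0-OpenSSH_5.1p1 Debian-5\n",
}

# Most logs read "<host> - <detail>"; sendmail.log reads "<host> <banner>", so the dash is optional.
ENTRY_RE = re.compile(r"^(?P<host>\d{1,3}(?:\.\d{1,3}){3})\s+(?:-\s+)?(?P<detail>.*?)\s*$")

def parse_entry(line):
    """Return (host, detail, vulnerable) for one log line, or None if the line is malformed."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    detail = m.group("detail")
    vulnerable = detail.endswith("VULNERABLE")   # NSAT appends this word to entries it flags
    if vulnerable:
        detail = detail[:-len("VULNERABLE")].rstrip()
    return m.group("host"), detail, vulnerable

def summarize(logs):
    """Build {host: {service: [entry, ...]}} from {filename: file contents}."""
    report = defaultdict(lambda: defaultdict(list))
    for filename, text in logs.items():
        service = filename[:-4] if filename.endswith(".log") else filename
        for line in text.splitlines():
            parsed = parse_entry(line)
            if parsed is None:
                continue   # skip blank or malformed lines instead of aborting the whole run
            host, detail, vulnerable = parsed
            entry = {"detail": detail, "vulnerable": vulnerable}
            if service == "rpc":   # rpc.log fields: program number, port, protocol, version, xid
                prog, port, proto, vers = detail.split()[:4]
                entry.update(program=int(prog), port=int(port), proto=proto, version=int(vers))
            report[host][service].append(entry)
    return report

def vulnerable_findings(report):
    """Sorted (host, service, port/proto or detail) for every flagged entry, ready to confirm by hand."""
    return sorted((host, service, f"{e['port']}/{e['proto']}" if "port" in e else e["detail"])
                  for host, services in report.items()
                  for service, entries in services.items()
                  for e in entries if e["vulnerable"])
```

Running `vulnerable_findings(summarize(SAMPLE_LOGS))` yields the two rpc entries (57319/udp and 57609/tcp) that the nmap and lsof steps above then confirm.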