Nsat

From aldeid

Description

NSAT (a.k.a. Network Security Analysis Tool) is a fast, stable bulk security scanner designed to audit remote network services and check for versions, security problems, gather information about the servers and the machine and much more. Unlike many other auditing tools, it can collect information about services independently of vulnerabilities, which makes it "timeless", meaning it doesn't depend on frequent updates as new vulnerabilities are found.

Installation

Recommended installation

$ cd /data/src/
$ wget http://prdownloads.sourceforge.net/nsat/nsat-1.5.tgz
$ tar xf nsat-1.5.tgz
$ cd nsat/
$ ./configure
$ make
$ sudo make install

Pre-patched version

If you get the following error while compiling:

$ make
make[1]: entrant dans le répertoire « /data/src/nsat/src »
make[2]: entrant dans le répertoire « /data/src/nsat/src/smb »
compiling ADM smb scanner... In file included from ./client.c:73:
./ADMsmb.c: In function ‘ADMsmb’:
./ADMsmb.c:126: error: lvalue required as unary ‘&’ operand
make[2]: *** [client.o] Erreur 1
make[2]: quittant le répertoire « /data/src/nsat/src/smb »
make[1]: *** [../smb-ns] Erreur 2
make[1]: quittant le répertoire « /data/src/nsat/src »
make: *** [all] Erreur 2

you can use my pre-patched version instead:

$ cd /data/src/
$ wget http://dl.dropbox.com/u/10761700/nsat-1.5-patched.tar.bz2
$ bzip2 -cd nsat-1.5-patched.tar.bz2 | tar xf -
$ cd nsat
$ ./configure
$ make
$ sudo make install

Shortcut

Alternatively, create a symbolic link in your /pentest/ directory:

$ mkdir -p /pentest/scanners/nsat/
$ ln -s /usr/local/bin/nsat /pentest/scanners/nsat/nsat

Usage

Basic syntax

$ ./nsat [options] -h <hostname>
$ ./nsat [options] -f <input file>
$ ./nsat [options] -s <start ip> -e <end ip>

Options

-L
new logging mode: create directory for each host
-A
go into agent mode, waiting for scan requests
-M <agentlist>
scan through the specified agents, rather than locally
-E <file>
specify a file containing excluded IP address ranges
-C <file>
specify a custom configuration file
-V <host>
specify a virtual host or IP address to scan from
-n
don't go into background and report status to console
-t <n>
set connection timeout to n seconds
-m <n>
set maximum process count to n
-l <n>
set maximum seconds to spend scanning one host
-i <n>
set idle time for coward mode to n seconds
-p <0/1>
ping dependence: don't scan on ping timeouts
-c <0/1>
coward mode: watch out for local user activity
-v <0-3>
old-style scan intensity (0-3). (deprecated)

Examples

Windows XP

The following example shows the output of nsat launched against a Windows XP SP3 box with IIS installed:

$ sudo ./nsat -h 10.1.1.2
$ for i in *.log; do echo '-----'$i'-----'; cat $i; done;
-----cgi.log-----
10.1.1.2 - ../..
10.1.1.2 - /%00.nsf/../lotus/domino/notes.ini
-----ftp.log-----
10.1.1.2 - 220 Microsoft FTP Service
10.1.1.2  - anonymous login
-----httpd.log-----
10.1.1.2 - Microsoft-IIS/5.1
-----netbios.log-----
10.1.1.2 - OOPS-4604F61946
-----sendmail.log-----
10.1.1.2  220 oops-4604f61946 Microsoft ESMTP MAIL Service, Version: 6.0.2600.5512 ready at  Sun, 28 Nov 2010 13:44:56 +0100

Linux Debian

Another output on a Debian box:

$ for i in *.log; do echo '-----'$i'-----'; cat $i; done;
-----httpd.log-----
10.1.1.3 - Apache
-----os.log-----
10.1.1.3 - Linux kernel 2.0.x
-----ports.log-----
10.1.1.3  - portmap
-----rpc.log-----
10.1.1.3  - 100000 111     tcp     2       134621955
10.1.1.3  - 100000 111     udp     2       134621955
10.1.1.3  - 100024 57319   udp     1       134626365       VULNERABLE
10.1.1.3  - 100024 57609   tcp     1       134626365       VULNERABLE
-----sendmail.log-----
10.1.1.3  220 foo.bar.com ESMTP Exim 4.69 Sun, 28 Nov 2010 13:49:22 +0100
-----ssh.log-----
10.1.1.3 - SSH-2.0-OpenSSH_5.1p1 Debian-5

Notice that two vulnerabilities were identified in the second example. We can confirm that these two ports are open with an Nmap scan.

First port: 57319/udp:

$ sudo nmap -sU -sV -p 57319 10.1.1.3
Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-11-28 14:00 CET
Nmap scan report for 10.1.1.3
Host is up (0.0048s latency).
PORT      STATE SERVICE VERSION
57319/udp open  status  1 (rpc #100024)
MAC Address: 00:50:8B:**:**:** (Hewlett Packard)

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.71 seconds

Second port: 57609/tcp:

$ sudo nmap -sS -sV -p 57609 10.1.1.3
Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-11-28 14:03 CET
Nmap scan report for 10.1.1.3
Host is up (0.064s latency).
PORT      STATE SERVICE VERSION
57609/tcp open  status  1 (rpc #100024)
MAC Address: 00:50:8B:**:**:** (Hewlett Packard)

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.62 seconds

An audit on the machine confirms this:

# lsof | grep 57609
rpc.statd  2147        statd    8u     IPv4       4890                  TCP *:57609 (LISTEN)
# lsof | grep 57319
rpc.statd  2147        statd    7u     IPv4       4887                  UDP *:57319 
# ps aux | grep statd
statd     2147  0.0  0.0   1956   728 ?        Ss   05:33   0:00 /sbin/rpc.statd
root     30491  0.0  0.0   3148   768 pts/0    R+   14:13   0:00 grep statd

rpc.statd is running on the machine. This service is installed by the nfs-common package:

# dpkg -l | grep nfs
ii  libnfsidmap2                      0.20-1                     An nfs idmapping library
ii  nfs-common                        1:1.1.2-6lenny2            NFS support files common to client and serve

For more information on this vulnerability, please refer to: http://www.cert.org/advisories/CA-1996-09.html.
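As an added example (not part of NSAT or of this page), the script below consolidates the per-service log files shown in the two examples above into one per-host report: it reads the "<ip> - <banner>" records, decodes the wider rpc.log records, and lists the entries NSAT flagged VULNERABLE first. The sample log contents are constructed from the Debian output, and the RPC program names are the standard rpc(5) assignments.

```python
import re
from collections import defaultdict

# RPC program numbers appearing on this page; the names are the standard
# rpc(5) assignments (100024 is the status service, i.e. rpc.statd).
RPC_PROGRAMS = {100000: "portmapper", 100024: "status (rpc.statd)"}
# Constructed sample: contents of the Debian host's *.log files, keyed by
# file name, as printed by the "for i in *.log" loop on the page.
SAMPLE_LOGS = {
    "httpd.log": "10.1.1.3 - Apache\n",
    "rpc.log": (
        "10.1.1.3  - 100000 111     tcp     2       134621955\n"
        "10.1.1.3  - 100024 57319   udp     1       134626365       VULNERABLE\n"
        "10.1.1.3  - 100024 57609   tcp     1       134626365       VULNERABLE\n"
    ),
    "sendmail.log": "10.1.1.3  220 foo.bar.com ESMTP Exim 4.69 Sun, 28 Nov 2010 13:49:22 +0100\n",
    "ssh.log": "10.1.1.3 - SSH-2.0-OpenSSH_5.1p1 Debian-5\n",
}

# Generic record: "<ip> - <banner>"; sendmail.log omits the dash.
LINE_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+-?\s*(?P<rest>.*)$")
# rpc.log record: "<prog> <port> <proto> <vers> <id> [VULNERABLE]"
RPC_RE = re.compile(r"^(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+\S+(\s+VULNERABLE)?\s*$")

def parse_logs(logs):
    """Map each host IP to its findings, VULNERABLE entries sorted first."""
    findings = defaultdict(list)
    for fname, text in logs.items():
        service = fname[:-4] if fname.endswith(".log") else fname
        for m in filter(None, map(LINE_RE.match, text.splitlines())):  # skip non-IP lines
            entry = {"service": service, "detail": m["rest"].strip(), "vulnerable": False}
            r = RPC_RE.match(entry["detail"]) if service == "rpc" else None
            if r:  # decode the rpc.log record into a readable form
                prog, port, proto, vers, vuln = r.groups()
                name = RPC_PROGRAMS.get(int(prog), "prog " + prog)
                entry["detail"] = "%s %s/%s v%s" % (name, port, proto, vers)
                entry["vulnerable"] = vuln is not None
            findings[m["ip"]].append(entry)
    return {ip: sorted(ents, key=lambda e: not e["vulnerable"]) for ip, ents in findings.items()}

def report(findings):
    """Render one block per host; '!!' marks lines NSAT flagged VULNERABLE."""
    out = []
    for ip in sorted(findings):
        hits = sum(e["vulnerable"] for e in findings[ip])
        out.append("%s: %d findings, %d flagged VULNERABLE" % (ip, len(findings[ip]), hits))
        out += ["%s %-8s %s" % ("!!" if e["vulnerable"] else "  ", e["service"], e["detail"])
                for e in findings[ip]]
    return "\n".join(out)
```

Point parse_logs at a dict built from the real log directory (file name to file contents) to get the same summary for a full scan run.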
