The study of security improvements
of an OS via patches, and effectiveness of patches themselves.
Which Operating Systems reveal the greatest security improvements, that is,
a reduction in vulnerabilities from an out-of-the-box (default)
state to a patched state (via the latest vendor-patches)?
A Using Nmap
and Nessus we will scan Operating Systems installed with
default options that is, without any patches or configurations. Then we will
scan them again with the latest patches and compare the scans of before and
Q Is a patch always effective
in that they nullify all (high risk) vulnerabilities that were known prior to
the patch release? Or do these patches sometimes overlook security holes and
perhaps could do more damage?
A By looking at the progression
of patches for each Operating System, (for example, from Windows 2000 Server
SP1 to SP2 to SP3 to SP4) we will see specifically what threats were or weren’t
eradicated between patches and thus help us better assess the effectiveness
of a latter patch.
Nessus is a software package that performs Security Scanning of Operating Systems
(OS) and networks. It is a free product and is very popular in the Security
Industry. Many security professionals use it today to scan their systems looking
for common vulnerabilities and companies like Enterasys are incorporating Nessus
scanning into their Intrusion Detection products like Dragon and Squire.
Nessus will allow you to save the information it
has discovered in several formats, including but not limited to: XML, HTML,
Text, and etc. We provide you with the HTML format with a small paragraph at
the beginning of the scan to introduce the scan. In the beginning of the scan
results, you will see a reference to the following: Security holes, Security
Notes, and Security Warnings. We could not find a definition of any of these
in the MAN pages or on their site, so we emailed Renaud Deraison, one of the
developers of NESSUS and asked for his definitions of the three. He responded
Security Notes are just "nits". It's information that may be
valuable in itself (i.e.: the name of the remote operating system, and
so on), but it does not make the host more prone to be victim of an attack.
Security warnings advices we recommend you to follow, or a bug waiting
to be exploited in conjunction with another vulnerability. A service that
is historically known to be buggy is likely to get such a warning, even
if the tested release was considered as bug free. A service which operates
in clear text may also get a warning and so on. In one word, I'd call
them "disasters waiting to happen". Meaning that they're not
fatal now, but they might be some day.
Security holes means that a cracker can get instant access on your box
(either read any file or walk thru the filesystem or even have a shell
Nessus offers much functionality, some of which consist of:
Up-to-date security vulnerability
database- We mostly focus on the development
of security checks for recent security holes. Our security checks database
is updated on a daily basis, and all the newest security checks are available
here and on your FTP servers and mirrors.NASL-
The Nessus Security Scanner includes NASL, (Nessus Attack Scripting Language)
a language designed to write security test easily and quickly. (security checks
can also be written in C)
Smart Service Recognition-
Nessus does not believe that the target hosts will respect the IANA assigned
port numbers. This means that it will recognize a FTP server running on a
non-standard port (31337 say), or a web server running on port 8080
Nessus does not believe that version x.y.z of a given software is immune to
a security problem. 95% of the security checks will actually perform their
job - they'll try to overflow your buffers, relay some mails, and even to
crash down your computer !
The above information and additional information
on Nessus can be found at www.nessus.org.
What is NMAP?
NMAP is a port scanner and OS detection tool. NMAP was written by a hacker known
as FYODOR. He has, throughout the years, with input from other hackers and security
experts, written and developed this tool used by both, the security administrators
and the hackers/crackers. Nmap offers some the following:
Supports dozens of advanced techniques for mapping out networks filled with
IP filters, firewalls, routers, and other obstacles. This includes many port
scanning mechanisms (both TCP & UDP), OS detection, pings sweeps, and
While Nmap offers a rich set of advanced features for power users, you can
start out as simply as "nmap -O -sS targethost". Both traditional
command line and graphical (GUI) versions are available to suit your preference.
Binaries are available for those who do not wish to compile Nmap from source.
The primary goals of the Nmap Project is to help make the Internet a little
more secure and to provide administrators/auditors/hackers with an advanced
tool for exploring their networks. Nmap is available for free download, and
also comes with full source code that you may modify and redistribute under
the terms of the GNU General Public License (GPL).
A security vulnerability is a flaw in a product
that makes it infeasible even when using the product properly
to prevent an attacker from usurping privileges on the user's system, regulating
its operation, compromising data on it, or assuming un-granted trust.
A universal vulnerability is a state in a computing
system (or set of systems) which either
allows an attacker to execute commands
as another user
allows an attacker to access data that
is contrary to the specified access restrictions for that data
allows an attacker to pose as another entity
allows an attacker to conduct a denial
What is a default Install?
A default install as used for this report is defined as an installation of an
OS without changing, adding, or subtracting from the installation menus. In
other words, just clicking Next as the install asks.
For our test, we used RedHat 7.2 on a Compaq Deskpro 233MMX
machine. We installed Nessus 1.0.9 and Nmap 2.54BETA22.
This was connected via a hub to each target machine.
For the Nessus scan, we choose the option Enable
all but dangerous plugins. This option will scan the system for known
vulnerabilities in its database and skip those that may harm the
remote host by disabling the attacked service or by crashing the host.
The scan was run and the results for Nessus were saved as html with charts.
NESSUS uses NMAP to do a default scan, and that
is what is displayed with the results from NESSUS. However, we performed an
NMAP scan of our own on some of the scans just to confirm the results. When
we performed the additional scan, we used the following command:
nmap v sS target > (machine
This command tells Nmap to perform a vanilla SYN
scan and be verbose about it. We had the results piped to a file that represented
the machines name.