Advanced Ethical Hacking - Nessus Vulnerability Scanner Tutorial

4.1 Acquiring Nessus

At this point we want to get our hands on Nessus. Nessus is a vulnerability scanner, created and managed by a company called Tenable Network Security. Nessus used to be an open source product; it was taken closed source because the maintainers felt that the community wasn't actually contributing, so they took it closed source, made a product out of it that could be sold, and that's what we've got right now. Compared with other commercial vulnerability scanners, the Nessus vulnerability scanner is very reasonably priced. We've gone to the Nessus Vulnerability Scanner page, and now we're going to go to Download. They offer a couple of different ways of getting this, and one of the things they allow is what they call a home feed. If you just want to use Nessus on your home network, to learn about it, understand how it works and get your hands dirty with it, you can use a home license. The home license is not one that you're supposed to use for commercial purposes, and it also lags behind the commercial-grade or professional license: the updates are several days behind the professional license. So what we want to do here is grab the correct installer. I've got a 64-bit operating system, so I need the 64-bit installer, and it's going to download a pretty typical installation package. You'll need to determine whether you need a professional license or a home feed license, and we can get Nessus installed and registered in the next lesson.

4.2 Setting Up Nessus

At this point we've got Nessus, and I've actually run through the installation. It's a pretty simple, straightforward Windows installation: you just run the installer and it puts everything in place. We do need a registration code. You could get a professional feed, of course, which you would have to pay for, but in this case we're just doing demos and working here on my home network, so I would do a home license and get a home feed, and it's pretty simple. You just register here: I would put in my name and an email address, agree to the terms of service and then register. When you are done with the installation it brings you to the website, and that's localhost, because the web server is actually running on my system and we connect to it on port 8834, as usual with any of these types of local installs. They have self-signed certificates, which of course generate warnings in the browser, so we have to click continue, and then we're going to do a pretty basic setup here. It's going to ask me for some login information so we can create an administrator account, and now I need to provide the activation code that I received in email. These activation codes are only good one time, so even in the case where maybe you're doing a lot of virtual machines, creating new systems, and you wanted to install Nessus again, you can't reuse one of the activation codes; you actually have to go get another one. However, the activation code acquisition process is pretty easy: you go register for one and you get one in your email within a very short period of time, depending of course on your mail settings and how quickly you're receiving mail, but Nessus generates those pretty quickly. So now what we're doing is grabbing the latest plugins. Nessus will go grab the plugins on a regular basis so that your configuration is always up to date and you always have the latest set of Nessus plugins.
The first set is the largest, of course: this gets all of the existing plugins as of this particular point in time, so it can take a little bit of time to download and install them. Once all of the plugins are downloaded and installed, we can go about starting the configuration. We can create some scans so that we can see the vulnerabilities on the different systems that we can find. Of course, the thing about vulnerability scanners is that what they're looking for is particular signatures; it's really about banners and about ports that are open, not about actually exploiting code, and that's a process that can lead to false positives. We'll go through that a little bit later on. So I'm going to let the plugins download here, and in subsequent lessons we'll be going through actually configuring Nessus and launching scans.

4.3 Configuring Nessus

At this point we've got Nessus installed, the plugins are downloaded and they've been set up in Nessus so that they're ready to use. We're here at the login screen; I'm going to log in, and now we're in the Nessus user interface. This is a reasonably new user interface: they've been through several iterations, including, at one point, having a client that would talk to the Nessus server. We've got a series of buttons across the top. This is where you would see results, if we had actually done any scans. This is where you would see the scans that are in progress, and you can see that we've got zero here. Right here we've got templates and policies, and policies are where we would spend a lot of time doing configuration for scans. You would create a policy, or modify one of the existing policies, set up different preferences and either turn on or turn off the different plugins that you wanted to use. We can also create different users, so we could give people a login and make them not an administrator, so that maybe all they can do is look at the results and they couldn't actually create scans, as an example. So we've got the configuration here, and if you needed to use a proxy in order to get out to the internet, this is where you would set the web proxy so that you can go get plugins. Here's where we've got the feed; we've got an activation code, and if you wanted to move from the home feed we've currently got to a professional feed, you could update the activation code here. We could force an update of the plugins, but since we just did it a few minutes ago there's not going to be any point in doing that. There are some mobile settings where you could have an Apple profile and do ActiveSync, so you could use your mobile phone to interface with Nessus.
Finally, some advanced settings, which would set some overall preferences on the scans that you are running and the various things that we will be doing inside of Nessus. So that is really what it looks like here. As I said, we will be spending a fair amount of time inside policies and going through the different configuration settings for the different policies, because they're actually reasonably dense. I can pop one open here; you can see we've got the four tabs: General Settings, Credentials, Plugins, which lists all of the plugins that are installed so you can enable or disable them, and finally some scan Preferences for this particular policy. You'll notice that several of the tabs have pull-downs, so in addition to the tabs we have different pages within those tabs, based on the different types of settings within the preferences. We've got preferences here as an example, and there are a lot of different preferences for different components of this particular policy. The same thing applies with credentials: we've got different types of credentials, and we can set the preferences for those different credential types here within this page. So we're going to start getting into configuring the policy and setting all of the different parameters that we're going to use in order to do some scans, and we'll get started on that in the next couple of videos.

4.4 Scan Details: Network

So at this point we've looked at some basic configuration details around Nessus, and what I want to do now is actually create a policy. I'm going to create a new policy here, and the first thing I need to do is give it a name. I'm actually going to make it shared, not that it matters, because I'm the only user on this particular Nessus installation; if there were multiple users I could share it across to other users and they could make use of it as well. I'm just going to give it a description here: my shared policy. I'm going to update at this point, and now we're going to go back in and take a look at the other settings. I've got port scanning, and I want to take a look at the different types of port scanning that I can do. I am going to use the Nessus SNMP scanner, and I'm going to use the Nessus TCP scanner as well. We're going to ping the remote host, and we're going to do a couple of other types of port scanner: SSH and WMI, so that would be a Windows port scanner, doing netstat for Windows. So those are the port scanning settings. I'm actually going to leave the defaults, although if I wanted to scan everything here I could do 0-65535. In this case, though, I'm going to say that the defaults are good enough, so we're going to leave them alone. Now we're going to check on the performance settings; that's about how many parallel connections I want to allow and the number of simultaneous TCP sessions, and I'm going to leave all of those alone, I don't need to play with those at all. So we're going to go to advanced settings. We're going to uncheck Safe Checks in this case. I'm going to log the scan details to the server so I've got details about the scan, and we're going to do silent dependencies, so if there is a dependency on a particular plugin we're just going to allow that dependency without having it actually ask.
The reason I unchecked Safe Checks is that with Safe Checks on, Nessus will not perform particular tasks that may potentially cause an outage on the targeted system. In this case I'm going to be looking at a system on my own internal network, so I'm going to leave Safe Checks unchecked because I really want to throw everything at this system. I want to see what I can get as a result of doing those unsafe checks, and see if I can turn up additional vulnerabilities. So those are the basic general settings here, and the important ones are really in the port scanning: the different types of scanning that you want to be able to do, and whether you're going to ping the system or not. Then there's also advanced, and really the big one there is Safe Checks, whether you want to do Safe Checks, and then of course whether you want to log scan details to the server or not. So those are some of the initial policy settings for this policy that we're working on. In the next couple of videos we'll be talking about some other settings over here in these tabs: Credentials, and then Preferences based on different applications, particularly if we want to be looking at web applications as well.

4.5 Scan Details: Credentials/Plugins/Options

So we've gone through the general settings for this particular policy, and I want to move on to credentials at this point. I've got Windows credentials. The system that I'm targeting isn't a Windows system, so I'm going to leave all of these blank, but I could set up things like SMB passwords if I wanted to be able to check remote registry settings, for example, or look at files that were available on file shares. So in this case I'm not actually going to do that. Although, actually, I do have some SMB file shares, so I'm going to set some Windows credentials here and we can see whether it turns up anything as a result of doing that. Now, I've got SSH settings, which allow me to provide a username and a password so that Nessus can actually log into the device. You may wonder why I would want to provide that. The reason is that if I provide a username, then Nessus can do some investigation of the local system. In this case I happen to know a login here; in many cases you may be doing some sort of black-box testing where you don't have a username and password and you would have to go digging for that. In this case I do happen to have a login on the device, so I want to provide credentials so that it can log in, and we'll do some local checks in addition to the network checks that we would otherwise be doing. I'm not going to do anything with Kerberos, because I'm not doing any Kerberos or anything like Active Directory, which uses Kerberos, so I'm going to leave those alone. I've got some cleartext protocol settings here, so if I had telnet running, for example, or rsh or rexec, the R protocols, I could specify a username. Actually, I do have a telnet server running that I had installed for some testing purposes, but I've already got an SSH login on this particular device, so I'm going to leave those alone.
Now we're going to take a look at the plugins. It's going to load up all the plugins, and you can see that all of the different sections here are enabled and that they're grouped into categories. We've got a number of different categories here, and I'm going to scroll back up to the top. You can see Backdoors, where we've got 88 plugins; CGI abuses, where we've got 2,514; and so on. So there are a number of different plugins in different categories. At the moment I've got everything turned on. I could go and pick and choose and mix and match, but Nessus will do a pretty good job of running the plugins that are needed based on what's been found. Now we can go over to the Preferences tab and load up a number of different preference types. You can see we've got various things around port scanners and patch management, and SMB scope, and we can do SNMP settings. I'm going to do some SNMP settings here; I'm going to leave the community name alone, and the UDP port is okay, so I'm going to leave all of those alone. I'm going to hold off on the web application settings for the next video, where we'll look into the web application settings that Nessus is capable of when it runs web application tests.

4.6 Scan Details: Web Applications

So we've done the basic configuration and looked at some application configuration. Now I want to take a look at some web application configuration for the policy preferences. We can look at things like web mirroring: if I wanted to go and grab all of the pages from the web server, if there happened to be a web server there, I could do web mirroring. Then we've got Web Application Tests Settings, and I'm going to enable the web application tests. We've got a maximum run time, because web application testing can take quite a bit of time depending on how big the web application is, since there are a lot of tests to run on each individual page, particularly if you're doing things like playing around with sessions and trying different parameters in form fields. One application test can take a lot of time, so what we've got here is a threshold for the maximum amount of time we want to spend doing web application tests. In this case I'm actually going to choose to try all HTTP methods, so not just GET and POST; I want to try the other HTTP methods as well. I want to see if I can cause some outages or errors or other types of failures within the web application. Then there's the option to stop at the first flaw, and I really want to look for all flaws, so I'm not going to stop at the first one; I'm going to look for all of the flaws that are there. So that's the web application tests. In a second I want to go back and take a look at the web application test plugins. Let me just scan back through the preferences and see if there was something that I missed. We've got HTTP cookies import; I don't want to load up a cookies file, although if I had some cookies that contained login or session cookies I might want to load a cookies file. In this case I'm not going to do that.
There's an HTTP login page setting, so that I could indicate what the login page is and what the form is, and this would allow me to do testing against an authenticated web server. If it's a web application that requires you to log in, you've got all of these parameters here that you can use to do the login and then ensure that the login actually took. I think that's it for all of the web application possibilities that we've got, and we can go on and look at the plugins that are available. We see the different plugins that we have available for web application testing inside of Nessus. As I mentioned earlier, there are CGI abuses; CGI is the Common Gateway Interface, so that has to do with the programmatic interface to these web applications. If I scroll all the way down, we've got web servers here, so I can select web servers and take a look at the various possibilities. These are different web servers that we can look at and do some testing against, and you can see all of the different tests against Apache servers; there are a lot of vulnerabilities in Apache. Here's Apache Tomcat, which is an application server based on Java, and a number of other Tomcat vulnerabilities. We've got broken web servers, and we can check for Blue Coat as well. Let's scroll back up and take a look at the CGI settings. CGI abuses include cross-site scripting, and you can see there are a number of vulnerabilities based on different application types: we've got Apache Jakarta, we've got Apache mod_ssl. What these all are is plugins based on particular vulnerabilities that have been disclosed and that typically have patches provided by the vendor. What we're doing is checking whether the server is potentially vulnerable to these vulnerabilities.
So that's all of the web application settings that we've got. Since I've made a number of changes, I'm going to go down here and update the policy. The next thing we need to do is start off a scan, and we'll do that next.

4.7 Starting a Scan

So we've got ourselves a policy here that we've created, My Policy, and now I want to start off a scan. I'm going to go up to the Scans button at the top, and of course we've got no scans here, so I'm going to add a new scan. Here's where I could do some scheduling of the scan, but in this case I want to Run Now. I'm just going to give it a fairly useless name, My Scan, and now I've got to choose the policy; I'm going to use the one we created in the previous videos, the one we called My Policy. Here's where I can set my targets. I could set multiple targets, and right here I could also browse for a file with a target list in it, so if I had a list of targets in a text file I could upload that here. In this case I'm just going to use one system, which is going to be my target. That's really all there is to creating a new scan: we set the Scan Title, we set the Scan Type, where I can do Run Now or create a template, which allows me to schedule some jobs, and I set the scan policy; here are all of the policies that I have on my system. Finally, I set my scan target. Now I click Create Scan, it creates the scan in Nessus, and you can see that the scan now shows up in the list of scans. It shows that it's running and shows a completion percentage right here. At this point we haven't really done much of anything. If I wanted to cancel it I would just click this X here, which would allow me to stop it. I've got options up here for pausing and resuming the scan as well as stopping it, and I would have to click the check box over here in order to be able to use those options. When the scan is running, at some point it will start generating some results; I would go over to the Results tab, and while the scan is running, if there are any results, they would show up here.
In this case we don't have any results yet, although you can see we've got a listing here for a scan that's in progress. The status over here shows running, and there's the scan. It will actually show the results while the scan is in progress, updating as it finds anything that comes out of running the plugins, doing the port scanning and all of the other things. At this point the scan is really just getting underway; you can see it's not really doing much of anything yet, because it's loading up all of the plugins, applying all of the settings and doing all of the under-the-hood work it needs to do prior to actually scanning. So we let the scan run at this point; we'll check on it in a little bit and then start reviewing the actual results.

4.8 Reviewing Results

At this point we've got some scans in Nessus, and we want to take a look at those. We're going to log in now and take a look at the scans that we've got and where we can go with the results that we have. I'm in the Results tab; it immediately takes me there. I'm going to get some scan results and pop this one up, and of course it brings me to the Hosts Summary. I've got the three hosts that I scanned in this particular one, and we've got a nice little graphical breakdown of the vulnerabilities and the different classifications for them. But what I want to do is go to the Vulnerabilities tab at this point. I have got a number of Microsoft notifications here with some vulnerabilities in Windows XP. This is not surprising: I've got a Windows XP box that hasn't been patched in quite a long time, and these vulnerabilities are probably really there. I could go in and log into the box and see whether the patch has been installed, or I could see whether Metasploit has an exploit against these and test the exploit. That may be a way of double-checking whether these vulnerabilities are really there or not, because at the end of the day you can't always trust the vulnerability scanner: it relies on things like banners and other types of signatures to determine whether a vulnerability exists or not. Now, some of these here, like this Firefox vulnerability: this is a local vulnerability, and it may be one of those that you don't even want to report on necessarily, depending on what other mitigations are in place. In reality, we provided the credentials for this particular server and Nessus was able to log in and see whether there were packages that were outdated and whether there were any vulnerabilities attached to them, and it did find these. But in order to exploit these, you'd actually have to be on the box.
So you'd have to be able to either log in legitimately or find another way into the system in order to exploit those vulnerabilities. Now there are some other items down here that I did want to take a look at. We've got "SSL certificate cannot be trusted" and "SSL Self-Signed Certificate". I could follow up on this, and this is something I could easily do manually: I could run openssl s_client with the host as the target and port 443. Now OpenSSL has done the negotiation with the server and we've got the certificate information back here. It looks like a TLS session, which seems okay. Let's take a look up here at the certificate itself, and it does say it's a self-signed certificate. That is potentially a problem, depending on the reality of the situation; it may be something worth taking a look at, since it may in fact be a rogue server, so that may be something you want to take a closer look at. Going back to the Nessus results, we've got a number of other potential SSL vulnerabilities, and that's something you may want to run sslscan against. This one says "weak ciphers are supported", and we've got a list here of the ciphers on port 25; it does say that there are weak ciphers supported. You could double-check it with sslscan, and this is going to be pretty reliable. It does have the ciphers listed here, and here are the weak SSL ciphers: they have less than a 56-bit key. So when you go through a set of vulnerability scan results, you really need to make sure that you understand what the vulnerabilities are and whether they're real or not, because they may not all be something that you need to be concerned with. We're going to take a look at false positives coming up, but I did want to go through these results right now and highlight the fact that you do need to check all of your results, because the vulnerability scanner, no matter which one it is, is relying on information that may or may not be complete or even accurate.

4.9 False Positives

So we've got some results up from Nessus right here, and I want to take a look for anything that could potentially be a false positive. A false positive is where the scanner reports something that may not actually be real. As an example, you may have an Apache server that's configured to only say that it's an Apache server, not give a version number. Nessus may take that, make some guesses about the version that is actually running and throw up some Apache vulnerabilities here, and you'd have to go and make sure that the version you're running is actually one that's vulnerable. There are cases where you're going to get false positives, where Nessus reports something that's just not real. A lot of these, actually, right here look pretty real, something that you may want to take a look at in a little bit more detail. There are cases, though, where Nessus is going to report something that you may or may not care about, and to me that's almost like a false positive. In this case we've got an issue where Nessus has reported a high-risk vulnerability with Ruby. The thing about that is that the only reason Nessus knows about it is because we gave it the login credentials for the server, so that it could log in; that's the only way it knew about the Ruby vulnerability. There are others that are similar: the qemu-kvm vulnerability is another one. Nessus couldn't have known about that without having login credentials. So would you consider this a high-risk vulnerability if you actually had to be on the system, and maybe you had a strong password policy in place? That may be a case where you downgrade the risk here, which doesn't mean that you shouldn't be recommending that patches get applied on a regular basis, but some of these may not be critical vulnerabilities. This is similar to a false positive: it actually is a real issue.
The thing that's a little questionable is how you might actually rate it. So we do run into false positives from time to time, and that's a case where Nessus is relying on information that it's received; in the case of Apache, for example, it gets a banner back and may have to make some guesses about what that server is and what version it is running, so it may throw up an alert that isn't real. Most of the vulnerability scanners are pretty good about making good guesses, but you still need to make sure that you're not running into false positives: go through your list of vulnerabilities from Nessus, or Nexpose, or any other vulnerability scanner that you're using, and make sure you're not getting false positives. The vulnerability scanners are not infallible; some of it has to do with configuration, some of it has to do with the way they interact with systems. So always make sure that the list of vulnerabilities is actually true and accurate.
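The manual double-checks that sections 4.8 and 4.9 recommend, written up here as an added example in Python (not part of the tutorial): the subject/issuer comparison you read off `openssl s_client` output for the self-signed finding, the under-56-bit key test behind the weak-ciphers finding, and a check of whether an Apache banner discloses a version at all, since a version-specific finding against a bare "Apache" banner is a guess that needs verifying. All sample text below is constructed; the parsers expect the real output formats of `openssl s_client` and `openssl ciphers -v`.

```python
"""Verify three classes of Nessus findings by hand, offline."""
import re
from typing import List, Optional

# Constructed sample: the header block openssl s_client prints before the
# PEM certificate. Subject and issuer are identical, i.e. self-signed.
S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
depth=0 CN = mail.example.test
verify error:num=18:self signed certificate
verify return:1
---
Certificate chain
 0 s:CN = mail.example.test
   i:CN = mail.example.test
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIB...constructed-placeholder...
-----END CERTIFICATE-----
subject=CN = mail.example.test
issuer=CN = mail.example.test
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
"""

# Constructed sample in the format of `openssl ciphers -v`; sslscan shows
# the same suite name and key length per negotiated cipher.
CIPHERS_V_OUTPUT = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5 export
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
"""


def is_self_signed(s_client_output: str) -> bool:
    """A certificate is self-signed when its issuer equals its subject.

    Reads the 'subject=' and 'issuer=' lines that openssl s_client prints
    after the server certificate.
    """
    subject = re.search(r"^subject=(.*)$", s_client_output, re.M)
    issuer = re.search(r"^issuer=(.*)$", s_client_output, re.M)
    if not (subject and issuer):
        raise ValueError("no subject/issuer lines in s_client output")
    return subject.group(1).strip() == issuer.group(1).strip()


def weak_ciphers(ciphers_v_output: str, min_bits: int = 56) -> List[str]:
    """Return suite names whose symmetric key is shorter than min_bits.

    56 bits is the threshold the tutorial's 'weak ciphers are supported'
    finding describes; DES(56) itself is not flagged, export suites are.
    """
    weak = []
    for line in ciphers_v_output.splitlines():
        m = re.match(r"(\S+).*\bEnc=\w+\((\d+)\)", line)
        if m and int(m.group(2)) < min_bits:
            weak.append(m.group(1))
    return weak


def banner_version(server_header: str) -> Optional[str]:
    """Version string from an Apache Server header, or None when the
    server only announces its product name (e.g. 'Server: Apache')."""
    m = re.search(r"Apache/(\d+(?:\.\d+)*)", server_header)
    return m.group(1) if m else None


def needs_manual_check(server_header: str) -> bool:
    """A version-specific finding against a banner that discloses no
    version rests on the scanner's guess and must be confirmed by hand."""
    return banner_version(server_header) is None


if __name__ == "__main__":
    print("self-signed:", is_self_signed(S_CLIENT_OUTPUT))
    print("weak suites:", weak_ciphers(CIPHERS_V_OUTPUT))
    for hdr in ("Server: Apache/2.2.22 (Ubuntu)", "Server: Apache"):
        print(hdr, "->", "verify manually" if needs_manual_check(hdr)
              else "version " + banner_version(hdr))
```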

4.10 Setting Up Jobs

Once we've got some scan profiles set up here and some policies, what we may want to do is kick those policies off on a regular basis and scan some specific hosts with the different policies that we've got. Nessus provides the ability to do that quickly, even though you can't necessarily schedule a run. What I can do here is create a template; let me show you the creation of a template. A template is just a way of setting some specific details about a scan. We're going to call this New Template, and rather than Run Now I'm going to say this is a template. I'm going to choose the policy here, say My Policy is the policy, and then set the targets that we're going to scan. You'll see that rather than Start Scan down here, what I've got is the ability to create a template. Now that I have created the template, instead of going through and doing this every time, like if I wanted to create a scan over here and do that same thing, I could say scan here and enter my targets, and I would have to go through that every time I wanted to kick off a scan. A template gives me the ability to set up all of that information, choose the profile or the policy that I want to use as well as the hosts that I want to scan, and now all I have to do is select that template and click Launch Template right here. It's going to ask, do you want to launch? It launches it for me, and now we've got a scan queued up and running. It doesn't give me the ability to set a schedule on it, like every week on Sunday at 6 PM, for example, but it does give me the ability to kick off a scan very quickly with a specific set of information, from the hosts to the policy that I want to scan with.
So templates give me the ability to very quickly kick things off, rather than having to go to the scan queue and kick off a scan by hand every time I want to do a scan. If this is something I want to do on a regular basis, I can set up that policy and then just launch it very, very quickly.

I hope the above tutorial is helpful. Simplilearn offers an Advanced Ethical Hacking training course, with 7 hours of self-paced learning and 101 high-quality lectures, and it covers web application testing.
