Introduction to Nessus and Hands on Practice to Scan the Network đ
So letâs have a look at Nessus which are developed by the Tenable network Security. It is one of the most popular and capable known vulnerability scanner. Nessus Professional is a commercial product and a free Nessus Home version is also available. However, itâs limited and only licensed for home network use.
Some of the abilities and functions of Nessus is stated in the Figure below:
đ„ Nessus allow scans for many types of vulnerabilities. This include the vulnerabilities that allow a remote hacker to control or access sensitive data on the system. In addition, Misconfigurations like open mail relay, missing patches, use default passwords, common and blank passwords on some system accounts.
đ„ Nessus is able to call Hydra which is an external tool to launch a dictionary attack on the system. Besides that, attack like denials of service against the TCP/IP stack by using malformed packets.
đ„ In a typical operation, Nessus begins by performing a port scan to determine which ports are open on that target and then tries various exploits on the open ports.
đ„ The vulnerability tests available as subscriptions are written in NASL (Nessus attacks scripting language). A scripting language that are optimized for custom network interaction.
đ„ Nessus is also constantly updated with more than 70000 plugins. Key features include remote and local authorized security checks. A client/server architecture with a web based interface and an embedded scripting language for writing your own plugins or understanding an existing one.
đ„ The results of Nessus report can be reported in various formats such as plain text, XML and HTML etc.
đ For more details: https://www.tenable.com
Installing and Downloading Nessus in Kali Linux OS:
âïž Nessus is not embedded in the Kali Linux operating system. So letâs start download it and install it with the following steps:
Search for âNessus home downloadâ in the search engine (no matter what you are using, maybe you can try out duckduckgo đ€). The Nessus home version is the name for the free version of Nessus which I mentioned before.
We need an activation code in order to use Nessus home and we have to register for an activation code. Thus, you better register with your exact name and email address.
In this page, we can find a download link for Nessus home after clicking on the Download button.
In the email address that we registered, we will found a activation code for Nessus. Then, click on the button to proceed to the download link.
Here is the list of the binaries of Nessus Home. My machine (Kali Linux OS) is a 64-bit Debian and Iâm going to click on it and download.
Remember to save the file for this machine.
Locate the Nessus file that we just downloaded.
Then, switch to user and install the packet. Use the âdpkgâ Linux command with -i parameter and the file name. By the way, remember that you can use the tab key to complete the file name and hit enter.
Now, letâs look at the message. It says that we should start the nessusd to start Nessus Home and then we can connect to the web interface of Nessus which will be served at port 8834 which is the default port of Nessus Homeâs Interface.
Use the service command to check for the status of nessusd daemon and it is inactive at the moment.
Type âservice nessusd startâ to start the nessusd daemon. Then, we will look into the port of our Kali Machine which happened to be in listen mode with ânetstatâ command with -tnlp parameters.
Now, we can access Nessus Homeâs web interface:
The IP address â127.0.0.1â stands for the local host and â:8834â which is the default port for nessusd.
(Note: You may also use the IP address of your Kali Machine as it will still work. Here, we have a bad request in the browser.)
The Nessus is a HTTPS service so we need to use the HTTPS at the beginning of the browserâs URL. Then, we can see that the connection posses a warning message with Potential Security Risk Ahead. This is because the local certificate of Nessus is not registered by a CA(certificate authority). No worries! We can just click Advanced>Accept Risk and Continue to continue.
Here is the first interaction with Nessus Homeâs web interface.
Here is the Nessus product type installation and we select the Nessus Essentials which is the free version.
Then, we are able to register the email address to get the activation code if you havenât do so. However if you already registered, then skip this process.
Enter the required activation code from the email address.
Then, create a new user account for the Nessus scanner.
First, it will download the plugins and the speed vary according to the connection speed. Then, it will start the process of compiling the plugins. It may take a few minutes, be patient and go grab yourself some snack đ and coffee âïž.
After we finish downloading the plugins, we enter the username and password to log into Nessus account.
Preparation for Scanning with our own custom policy :
In the Nessus web interface, click Policies in the left panel and then click on create a new policy.
In the Policy templates, there are a lot scanner. As for the âAdvance Scanâ all the options are chosen by us without any guidance or recommendation. You can navigate through the list of scanner and see its details.
Letâs configure our own scan by clicking on the âAdvanced Scanâ. First, we provide the name and description of the policy.
Now, we are at the Discovery Section. In the figure above, we are in the Host Discovery page.
If we have the data that we collected from Nmap (for my case), then we can close this ping scan because we already have the list of hosts.
Then, Click the Port Scanning to configure the port scanning options. The port scan ranges is set as default. This means that Nessus will scan the ports present in its nessus-service file.
Now, we will locate or find the nessus-service file and analyze it. Since we canât locate it, then we will find the file first with the find command. The â/â means that the search will initiate from the root directory. As for the â-nameâ shows the name of the search file. In the figure above, the file with name nessus-services is found.
The less command is use to see the content of the file.
Here, we can see that there are ports, protocols and the default services which use these ports is illustrated. Enter Q to quit.
Now, I want to see the number of the lines of nessus-services file to understand how many ports that are actually scanned by default. Use cat command with file name, then add a pipe and âwcâ for word count.
- 9013 = number of lines
- 18026 = number of words
- 168729 = number of charcters
Therefore, we can conclude that 9,013 ports are scanned by default which is the total ports for both the TCP and UDP ports.
What if you want to see the number of TCP ports scanned in the file by default? How?
We can use the grep command before the âwcâ parameter. With this command, you can see the number of TCP port scanned by default.
If we want to scan all ports, we need to specified it by typing in â1â65535â in the port scan range field.
However, if you have some credentials that you want to scan some services in depth. You can define those credentials before the scan in the credentials tab.
Letâs continue back to Port Scanning, there are many options for the local port enumerators under the Port Scanning option.
Still in the Port Scanning, we have the Network Port Scanners type option. The SYN scan is selected by default. If you prefer other, you can select the TCP and UDP scan as well according to the preferences.
Under the service discovery, there are options to probe all ports to find services and Search for the SSL/TLS services. All of this options will be leave as default.
There are also a lot of assessment that you can specified according to the preferences. In this demonstration, I will just leave all this options as default.
Under the report session, there are processing and output option that allow you to specify the information illustrated in the report. All of this, I will leave as default in current demonstration.
In the advanced section, safe checks are enabled by default.
Several scans available in Nessus have the potential to perform actions that may try intrusive tactics in order to find and test a vulnerabilityâs existence. These include the Shadow Brokers scan, the Spectre and Meltdown Scan, the WannaCry Ransomware scan, and various options in the Advanced Scan. To avoid damage to the target, the safe checks feature runs certain plugins in a non-intrusive way.
The âScan IP addresses in a random orderâ is selected to make the scan little more stealthy.
Here, this is the performance options for the scan.
In this demonstration, the number of Max simultaneous hosts per scan is reduced to 20 instead of 100. This is done to avoid delays and network traffic.
In addition, we are able to define the max number of concurrent TCP sessions per host which are not defined by default. The upper bound is defined to keep the hosts safe.
And again we may also define the maximum number of concurrent TCP sessions per scan to keep the network traffic safe.
In the Plugins tab, we have tons of plugin used in Nessus scans.
If you click on one of the plugins families, you will see all the plugin in the family at the right section. The number of the total plugins existed in the families is also shown in the figure above.
We can click on the âenabledâ green button to disable it.
You may also disabled the entire family by clicking on the âenabledâ button at tle left hand section which is the plugin families section.
Click save and the policy is saved.
Now, we have our own scan policy.
Now, we are ready to perform a scan:
In my scan sections. click on the ânew scanâ or âcreate new scanâ to start scanning.
First Nessus ask for the scanner. Unfortunately, some scans are disabled for the free version of Nessus. However, there are ton of basic scanner available for us like basic network scan.
Alternatively, we can navigate to the User Defined Tab and select our own policy. This is the policy that we defined in the preparation section that we mentioned before.
Click on the âCett Policyâ to proceed to this page. Now, all the field is added according to suit your preferences. In addition, the targets is also defined and specified with the IP address added. In this demonstration, I will scan my metasploitable machine (10.0.2.4) and window machine (10.0.2.5).
đNote: If you want to put multiple IP addresses in a line then just put a comma in between them. In addition, you may also define an IP Block or range.
Alternatively, if you have a file that contains a list of hosts, you can use the âAdd Fileâ link under the Upload Targets sections.
Now, we are ready to launch the scan that are located at the bottom of the page. We are able to save or launch the scan immediately. Next, I choose launch to start now.
The scanning process started.
If i click on the scan that started, it will be directed into the page shown in the figure. There are 3 tabs in this page which is âHostâ, âVulnerabilitiesâ and âHistoryâ.
When we click on the âVulnerabilitiesâ Tab, we observe the information related to the vulnerabilities found during the scan.
in the right hand side, we can see the severity levels of the vulnerabilities.
Nessus classified the vulnerabilities into 5 levels:
- Info: Identifies the non-vulnerability information and separates it from the vulnerability detail.
- Low: Identifies the flaws that might help an attacker to better refine his attack. However by itself this flaw wonât be sufficient to compromise that system.
- Medium: Identifies some information that is leaking from the remote host. An attacker might be able to read a file that he/she would not have the access to do so.
- High: identifies that the attacker can read arbitrary files on the remote host and or can execute commands on the remote host.
- Critical: It is the most important vulnerabilities which can be exploited by a tool and in most cases the attacker doesnât need to make an extra effort to exploit them.
Finally, the scan is completed in 8 minutes for both system and it is quite fast.
Here is all the vulnerabilities found in the metasploitable machine and it is ordered by severity levels by default.
Click on the vulnerability to see the details of it. We have the name of vulnerability, description, solution method and links to learn about it more.
This is the port and host where the vulnerability found.
In the right hand side, Nessus explain that we are able to exploit it using core impact which is a commercial and very powerful exploitation tool. 10.0 is the perfect for the score in Nessus.
Letâs see another critical vulnerabilities:
In this vulnerabilities, the VNC server is running on the host and itâs password is âpasswordâ. if thatâs true and there is no additional measure to protect the host. We can access that host very easily.
Now, letâs test it:
We can run the VNC viewer by typing âxvncviewerâ in the terminal and hit enter.
Note: If you donât have vnc viewer installed, then type âapt-get install xvncviewerâ and hit enter to install.
Type the IP address of Metasploitable machine in the VNC server and hit enter.
now, type the âpasswordâ into the password field and hit enter again.
Yay! We are in the system đ
- Use the âwhoamiâ to learn the user that I have caught.
- âuname -aâ to learn the operating system and the kernel details.
- âifconfigâ to see the information about the network interfaces etc.
- Use âls -alâ command to see all the files in metasploitable machine.