Exercise 3: Vulnerability Scanning with Nessus
As discussed previously, reconnaissance is the key to successfully penetrating a site. Blind attacks are rarely successful. In modern times, when an attacker wants to penetrate your organization, he will spend a considerable amount of time learning about who you are. A key to a strong defense is to see yourself from the attacker's perspective. It is imperative that you employ the same techniques used by those who want to penetrate your site.
For an organization to know what holes exist in its perimeter, a series of external scans should be performed against its IP address range. One tool that looks for both open ports and the vulnerabilities of the services running on those ports is Nessus.
No vulnerability scanner is 100% accurate. False positives are not the exception, but in fact, they are the norm. Therefore, the information retrieved from a scan should not be taken at face value. Hand-testing each open port and vulnerability found will verify if the information is accurate.
Nessus is a free, open source vulnerability scanner that provides a view of your networks as seen by outsiders. It uses Nmap to scan for open ports, and then it attempts to determine what vulnerabilities may exist for the services it finds. It can then provide a detailed report that identifies the vulnerabilities and the critical issues that need to be corrected.
The objective of this exercise is to teach you how to install, configure, and use Nessus. You will also learn how to interpret its output.
This exercise will scan a system for vulnerabilities. There is the possibility that the actual scan will cause the targeted machine to lock up or crash. If you are not the legal owner of the systems used for this exercise, you should obtain authorization from the legal owner and/or your management team prior to conducting this exercise. Do not proceed without receiving the necessary permissions.
Nessus's nessus-installer.sh, available at http://www.nessus.org
Linux OS with the 2.2 Kernel, or a later version
The following are the steps you are going to perform in this exercise:
Run a vulnerability scan.
Interpret the results.
Challenge Procedure Step-by-Step
The following are the detailed steps you are going to perform to install, configure, and run Nessus:
1. First, download the necessary files from http://www.nessus.org. Copy all the files to the install directory:
       cp *.* /usr/local/tools
2. Next, install Nessus into the following directory:
   Use the following command:
3. Now, configure Nessus. Start the Nessus server daemon and add the host server user:
4. Create a Nessus user with the following command:
   Note: In the following screen, password should be replaced with an appropriate, complex password, such as those that are used in a real-world environment.
5. Start the Nessus server with the following command:
6. Then, start the Nessus client:
7. Now you can run a vulnerability scan. Log in as the user you created in step 4. When prompted for a password, enter it, and then click OK.
8. In the Nessus Setup box, select the Nessus Host tab. Click OK.
9. Now, select the vulnerabilities to be scanned for by choosing the Plugins tab and then enabling each option you want to scan.
   Warning: If you select Enable All, there is a high probability that you will cause the targeted machine to crash. For the purposes of this exercise, select Enable All but Dangerous Plugins.
10. Next, you'll select the target to be scanned. Do this by first selecting the Target Selection tab of the Nessus Setup screen. Choose either your loopback address or the IP address bound to your local NIC card. This scan can take a considerable amount of time. Make sure you have allocated at least 30 minutes to run a complete scan.
11. After the scan has completed, review the results.
There are three different categories of output provided by Nessus:
Security Holes: Considered by Nessus to be high occurrence vulnerabilities on your devices. Whatever is found in this category, and is not proven to be a false positive, should be corrected immediately.
Security Warnings: Those vulnerabilities that are known but do not always have exploits associated with them or are rare occurrences.
Security Notes: Configuration information or excessive, unwanted open ports on a device.
The options at the bottom of the screen will let you sort the information by port number or save the information in different formats.
Investigate the details of the vulnerabilities.
You can expand each item for a detailed explanation of the exploit, and you can learn not only how to resolve it, but also where on the Internet to look for further details regarding the problem.
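The review step described above, as an added example that is not part of the original exercise or of Nessus itself: it groups saved findings into the three categories, sorts each by port number, and hand-checks a reported TCP port with a plain connect before the finding is trusted. It assumes the report was saved in the pipe-delimited NBE layout, which the page does not name; the sample lines, plugin IDs and function names are constructed.

```python
import socket
from collections import defaultdict

# Constructed sample in the pipe-delimited NBE layout (an assumption; the page
# does not name an export format): results|subnet|host|port|plugin|type|text
SAMPLE_NBE = """\
results|127.0.0|127.0.0.1|ssh (22/tcp)
results|127.0.0|127.0.0.1|ssh (22/tcp)|99901|Security Note|Constructed: SSH banner observed
results|127.0.0|127.0.0.1|http (80/tcp)|99902|Security Hole|Constructed: outdated web server
results|127.0.0|127.0.0.1|http (80/tcp)|99903|Security Warning|Constructed: TRACE enabled
results|127.0.0|127.0.0.1|general/tcp|99904|Security Note|Constructed: OS guess
"""

ORDER = ["Security Hole", "Security Warning", "Security Note"]

def parse_port(field):
    """'http (80/tcp)' -> (80, 'tcp'); 'general/tcp' -> (None, 'tcp')."""
    if "(" in field:
        num, proto = field[field.index("(") + 1:field.rindex(")")].split("/")
        return int(num), proto
    return None, field.rsplit("/", 1)[-1]

def triage(nbe_text):
    """Group findings by category, each list sorted by port number."""
    groups = defaultdict(list)
    for line in nbe_text.splitlines():
        parts = line.split("|", 6)
        if len(parts) < 7 or parts[0] != "results":
            continue  # bare open-port records and other rows carry no finding
        _, _, host, port_field, plugin, kind, text = parts
        port, proto = parse_port(port_field)
        groups[kind].append({"host": host, "port": port, "proto": proto,
                             "plugin": plugin, "text": text})
    return {k: sorted(groups[k], key=lambda f: (f["port"] is None, f["port"] or 0))
            for k in ORDER}

def port_is_open(host, port, timeout=2.0):
    """Hand-check one reported TCP port with a plain connect."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    for kind, findings in triage(SAMPLE_NBE).items():
        for f in findings:
            ok = f["proto"] == "tcp" and f["port"] and port_is_open(f["host"], f["port"])
            print(f"{kind:17} {f['host']}:{f['port']} plugin {f['plugin']} open={bool(ok)}")
```

A finding whose port does not answer the connect check is a candidate false positive and should be examined by hand before any corrective work is scheduled.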
Deraison, Renaud. "How to Write a Security Test in NASL," http://www.nessus.org/doc/nasl.html.
Nessus is a powerful vulnerability and port scanner that allows you to see the same view of your network that an outsider sees. Using client/server architecture and a graphical user interface, it makes it very easy for an administrator to determine the corrective action required to secure the vulnerabilities found in the network. Additionally, as part of the open source community, users from around the world constantly make contributions to Nessus's capabilities as new vulnerabilities are discovered. Because of this, Nessus is extremely fast at providing its users the data needed to scan for the latest vulnerabilities. The open source nature of this application also allows its users to customize it to fit individual circumstances and needs. Refer to the GNU License for additional information on open source licensing.