Vulnerability Scanning using Nessus
Scanning for vulnerabilities is crucial for computer security because it helps identify weaknesses in your systems before attackers can exploit them. These weaknesses could be software bugs, misconfigurations, or even weak passwords.
Imagine your computer system like a castle. Regularly scanning for vulnerabilities is like checking the castle walls for cracks or loose stones. By patching these weaknesses, you make it much harder for attackers to break in and steal your data.
Hereâs where vulnerability scanners like Nessus or OpenVAS shine. These powerful tools provide a birdâs-eye view of your networkâs security posture with just a few clicks. They can quickly identify which devices are vulnerable, allowing you to prioritize remediation efforts and bolster your defenses.
In this brief guide, I will show you how to use Nessus Essentials to scan for vulnerabilities on Kali Linux. To begin letâs install Nessus on our Kali Linux machine.
The first step is to register for a product key on the website: https://www.tenable.com/products/nessus/nessus-essentials. After logging in to our email, we should receive the key.
Then, after accessing the page: https://www.tenable.com/downloads/nessus?loginAttempted=true select the version of Nessus for your operating system.
After downloading the file, use a terminal to type the command:
dpkg -i Nessus-<version number>-debian6_amd64.deb
Next, to start the Nessus service type:
systemctl start nessusd
Upon launching the browser, you should see the following screen and click continue.
Then click on âRegister for Nessus Essentialsâ.
Now that you have received the activation code, you can skip the registration process by clicking on âskipâ.
Here you enter the code you received earlier.
After that, you can create your user account.
Here, Nessus will complete the installation by downloading the relevant plug-ins (this can take a while).
And this is what it looks like when the whole process is complete.
Now, I will go further into the settings to show you what information you can find there. We have several sections here. In the âAboutâ tab you can find general information about Nessus. Upon âOverviewâ, you can check when you last updated your scanner. If you click âSoftware Updateâ, you will be able to check whether it is correctly configured to receive all updates for plugin components or whether we have disabled automatic updates.
From your âScanner Healthâ, you will see the overall health of your scanner. You could see how much memory is used, what CPU load is currently ongoing, and the hosts that are being scanned, as well as some graphs showing all that information.
Furthermore, we can examine network activity by navigating to the âNetworkâ tab. This section provides insights into ongoing scans, active targets, and current sessions.
With our vulnerability scanning program in place, letâs put it to the test on a Windows 11 virtual machine hosted by VirtualBox.
You can download an ISO image of Windows 11 from https://www.microsoft.com/software-download/windows11.
To ensure seamless communication between Nessus on Kali Linux and our Windows 11 virtual machine, a crucial step lies in configuring the network adapters for both systems. You need to transition them from NAT mode to bridged mode. This configuration essentially places both machines on the same network, enabling Nessus to effortlessly âseeâ and interact with the Windows 11 environment for a comprehensive vulnerability scan.
After installing Windows, it often happens that our newly created account does not have administrator rights. Before I go on to scan this machine, I will first show you how to quickly fix this problem, as you need these permissions.
First, you need to use command prompt and enter the following:
shutdown /r /o
/r â Indicates that the computer will restart when the system is closed.
/o â Indicates that Windows will launch the advanced options menu after logging in.
Then, click on âTroubleshootâ.
Followed by âAdvanced optionsâ.
Further âStart-up Settingsâ.
And click âRestartâ.
After that, choose the option âEnable Safe Modeâ by clicking number 4 on your keyboard.
After logging in, change the account type to Administrator.
You can now enter the password you set up earlier.
Now use the command prompt again and enter:
net user Administrator /active:yes
This will enable the administrator's account.
shutdown /r
This will reboot Windows.
Finally, letâs start preparing our virtual machine for the vulnerability scan. First, letâs check the IP address.
The next step is to confirm network connectivity between Kali Linux and the Windows 11 virtual machine. We can achieve this by using the ping command on Kali Linux, targeting the IP address assigned to the Windows machine.
Our initial ping test yielded no response. This is a common scenario when the target device, in this case, the Windows 11 virtual machine, has a firewall enabled. While disabling firewalls for vulnerability scans is a practice strictly reserved for controlled testing environments like ours, it highlights the importance of proper firewall configuration before deploying systems on a production network.
To demonstrate the functionality of our vulnerability scanner, letâs disable the firewall in this test environment. Remember, this step would never be recommended in a real-world scenario.
Start by changing the local account to administrator, and then type the following in the start menu:
Now go to the firewall properties and disable the firewall state in the domain, private, and public profiles.
After temporarily disabling the Windows Defender firewall (for demonstration purposes only!), we can now successfully ping the Windows 11 virtual machine from Kali Linux. This confirms successful network communication.
Letâs navigate back to Nessus. We can initiate a new scan by selecting the âNew Scanâ option within the âMy Scansâ section.
Nessus offers a comprehensive vulnerability scanning experience. The âHost Discoveryâ scan at the top helps identify all devices on your network.
The various vulnerability templates you see are pre-configured to target specific threats. For instance, the âWannaCry Ransomwareâ scan, popular in 2017, affected all Windows machines at the time. When something like that comes out, a lot of times Nessus will create a specific scan vulnerability for that one plugin. This saves you time by allowing you to quickly assess critical threats like Spectre, Meltdown, WannaCry, Ripple20, and others instead of manually configuring scans.
Our objective is to gain a thorough understanding of our threats. A single vulnerability scan wouldnât suffice. Therefore, we will leverage Nessusâ âBasic Network Scanâ to identify a broad spectrum of potential security weaknesses in our virtual machine. This initial scan will establish a baseline, providing a clear picture of our current security posture and guiding our future security efforts.
Upon initiating the âBasic Network Scan," you will be presented with a configuration screen. Here, you can tailor the scan to your specific needs.
First, craft a descriptive name for the scan. Avoid generic terms like ânetwork scan"; something like âWindows 11 VM Vulnerability Assessmentâ would be far more informative for future reference. Similarly, consider adding a clear description that outlines the scanâs purpose (e.g., âThis scan identifies potential security weaknesses on the Windows 11 virtual machineâ). These details will prove invaluable months down the line when revisiting the scan results.
Next, designate a location to save the scan configuration. We can do it in the âMy Scansâ folder, which you see in the top left corner, or you have the âAll Scansâ folder.
Finally, you will need to specify the target of the scan. This can be done using either domain names (like âsuspicious-host.comâ) or IP addresses. In our case, we will utilize the IP address assigned to our Windows 11 virtual machine: 172.22.5.95.
While manual entry is an option, Nessus offers a more efficient approach for targeting a large number of devices. You can upload a CSV file containing a list of IP addresses or domain names. This is particularly useful for managing scans that target hundreds or even thousands of clients across diverse subnets. Simply click the âAdd Fileâ button and select your CSV file to streamline the target definition process.
You can access the âScheduleâ section to configure automated scans at customizable intervals. Whether you require weekly, daily, monthly, or even yearly assessments, Nessus can be tailored to your specific needs. But for our purposes, we wonât do it.
Through the âNotificationsâ section, you can configure an SMTP server to automatically send email alerts upon scan completion. This ensures you receive a detailed security report, delivered directly to your inbox as a PDF attachment. You can also set up alerts to inform you only when vulnerabilities meet specific criteria, such as exceeding a certain severity level.
When navigating to the âDiscoveryâ section, we can specify the types of scans we intend to execute. Typically, the default setting entails scanning popular ports, which generally includes the top 1000 most frequently used ports. This method is notably quicker but may overlook certain elements. Alternatively, we have the option to conduct a comprehensive scan of all ports (1â65355). However, for our purposes, scanning only the essential ports should be sufficient.
Furthermore, thereâs the option to opt for a custom scan type, granting us the ability to tailor our discovery settings precisely. This entails selecting from various parameters such as host discovery, port scanning, service discovery, or identity verification. Within the service discovery option, we can specifically target particular types of servers, such as an Apache web server operating over ports 80 or 443. This gives us additional flexibility and specificity in our scans. However, for our current requirements, we will proceed with the entire port scan.
Under "Assessment,"we will also have the opportunity to determine the scan type. By default, we will initiate a basic scan, which currently excludes scanning for web application vulnerabilities. This setup suffices when scanning numerous hosts within a network, such as workstations, where web applications typically arenât deployed. However, when evaluating a web server, itâs crucial to activate web application scans.
Within our âReportâ settings, we can configure various options, such as organizing hosts by their DNS names, showcasing all responsive hosts to a ping, and highlighting any unreachable hosts. For instance, if you anticipate 50 machines to be online but only discover 40, you would want to identify the remaining 10 offline machines. By enabling the display of unreachable hosts, this information will be readily available at the bottom of your report, providing clarity on the status of all expected machines.
Next, we will navigate to the âAdvancedâ tab, where we will encounter yet another scan type option. Currently, we are sticking with the default setting, which is suitable for our purposes. However, if you are conducting scans over a low-bandwidth connection like a VPN or a remote office link, opting for a different setting may be advisable. You could either select a predefined option adapted to such scenarios or customize the scan parameters according to your specific requirements. Additionally, you have the flexibility to adjust the number of scanners utilized in each scan iteration, depending on factors such as network load and resource availability.
Another option available is to perform a credentials scan, accessible through the âCredentialsâ tab. We will address this aspect later by conducting a scan on the same virtual machine and juxtaposing the results. Utilizing a credentials scan requires entering the username and password associated with an account on the system. In our case, this can be done very easily by clicking âWindowsâ and then entering the username and password, and Nessus will be able to connect to that computer using those user credentials and better understand what vulnerabilities exist.
Finally, we have "Plugins.â. Plugins within Nessus serve the purpose of identifying specific vulnerabilities. On the interface, you will notice plugin families listed on the left, accompanied by corresponding plugin names on the right.
Letâs save our settings and initiate the scan by pressing the highlighted button on the right.
Now letâs see how our Windows 11 machine looks after performing the scan.
The Nessus scan was successfully completed, identifying a single medium-severity vulnerability along with several informational findings. This absence of critical, high, or low vulnerabilities is a positive security posture indicator. As you look at the scan details, you can see when it started and when it stopped, and in this case, it took nine minutes to scan one machine.
Additionally, you can access the âVulnerabilitiesâ section, where you will find a comprehensive list of the things detected. Each vulnerability is categorized by severity, ranging from informational, low, medium, high, to critical, as I said before.
In the âHistoryâ tab, you will find information about all the scans that have been made with that profile.
Now, letâs investigate our âMediumâ vulnerability by clicking on it.
As you can see, Nessus provides extensive details concerning each detected vulnerability. This includes a coherent description of the vulnerability along with suggested mitigation measures, facilitating swift resolution. Moreover, information regarding the plugin utilized and the risk posed by the vulnerability is provided and assessed through the CVSS scale.
The Common Vulnerability Scoring System serves as a standardized framework for evaluating vulnerability severity. It assigns a score based on various metrics, such as the attack vector employed, the potential impact, and the exploitability of the vulnerability.
Furthermore, although we have numerous vulnerabilities categorized as informational severity, itâs important to note that these arenât critical issues. Instead, they provide informative insights that may not necessarily pose a security threat. For instance, below, Nessus has identified the system as Windows 11, which isnât a vulnerability but rather valuable information.
In addition to navigating the individual gaps in the interface, you can compile them into a structured report. To initiate this process, click on the âReportâ option in the upper right corner. You will then be asked to select the type of report you require. Options include a complete list of vulnerabilities by host, detailed vulnerabilities by host, detailed vulnerabilities by plugins, or a vulnerability operations report. This feature streamlines the presentation of vulnerability data, facilitating accurate analysis and decision-making.
In order to perform a credential scan to begin with, we need to configure our Windows 11. This involves accessing the âServicesâ section within your system management tools. Here, you will need to enable the âRemote Registryâ service. Activating this service is crucial for conducting thorough credential scans. This will enable Nessus to delve deeper into the registry to uncover vulnerabilities.
The next thing to do is to enable file and printer sharing.
Furthermore, we need to go to âUser Account Control Settingsâ and drag the bar to âNever Notify.â. Itâs important to note that for optimal security on a domain-joined machine, strong User Account Control (UAC) settings are essential. However, for demonstration purposes within this controlled lab environment, we can temporarily disable UAC notifications by adjusting the slider to âNever Notify.â. This action significantly weakens security safeguards and should never be implemented on a production system.
The last step is to go to the Registry Editor. In it, we need to find the following path: HKEY_LOCAL_MACHINE\NSOFTWARE\NMicrosoft\NWindows\NCurrentVersion\NLocalAccountTokenFilterPolicy
If it does not exist, create it by right-clicking the machine, then clicking "New.â.
Next, click on âDWORD (32-bit value)â and set the name to LocalAccountTokenFilterPolicy.
Then right-click on what we created and press "Modify.â. In the âValue dataâ box, type 1, and then click OK.
Now, you would be able to perform a credentialed scan against the target Windows machine even with UAC set to the highest level. Now we need to reboot our system.
Going back to Nessus, we need to set up a credential scan of our Windows 11 machine. Again, we enter the name, description, what folder we want to save to, and our target, which is 172.22.5.95.
After that, we go to the âCredentialsâ tab, and here we press Windows. We enter the username, which in our case is "Administrator,â and the password, which is the same as what we set when creating our virtual machine.
We run a scan and wait for the results.
After scanning our system, we observe that, compared to scanning without credentials, the number of vulnerabilities detected is significantly higher, with some reaching high severity levels. Besides, if we compare the duration of scanning, it is almost 2.5 times longer. Now, letâs delve into the precise descriptions of the identified vulnerabilities.
The scan identified a critical vulnerability (Windows Terminal RCE) that could allow an attacker to remotely take control of your system. This means an unauthorized attacker could potentially run any program on your machine, steal data, or cause damage. Fortunately, mitigating this vulnerability is remarkably simple. Updating Windows Terminal to the latest version is a quick and painless process. Leaving this vulnerability unaddressed exposes your system to significant security risks.
Letâs explore a high-severity vulnerability residing in the Windows Raw Image Extensions Library. This flaw exposes system to a remote code execution (RCE) attack. Just like the Windows Terminal issue, this vulnerability can potentially grant attackers undue control over your system. The good news? Addressing it is often as simple as patching the affected application through the Microsoft Store. Regularly updating your software is a fundamental security practice, and Nessus helps identify applications in need of critical updates.
Certainly, there are more high-severity vulnerabilities discovered, but I aimed to illustrate the process of identifying them and discovering solutions.
Moreover, I would like to demonstrate you how vulnerability scanning appears on a machine frequently utilized by pentesters for learning penetration testing â the well-known Metasploitable 2. To begin, I will guide you through the installation process in VirtualBox, as it differs slightly from installing a typical ISO image of an operating system. You can download Metasploitable 2 from this website: https://sourceforge.net/projects/metasploitable/
Here we create the name and change the type to Linux (version) and to Debian (64-bit).
Then leave the default settings because we do not need as many resources as usual.
And lastly, instead of creating a virtual hard disk, we will use an existing file, as demonstrated below.
Additionally, please remember to adjust your network card settings to match those of a Windows 11/Kali Linux machine (from NAT to bridged).
This is how it should appear after the installation is completed.
Letâs check the IP address of the Metasploitable machine.
Now, we need to verify that our Kali Linux can successfully ping the Metasploitable 2 machine.
As you can observe, everything is running smoothly. Now, letâs initiate a scan using Nessus.
Thatâs all we need to do. Letâs click on âSaveâ and then proceed to run the scan.
As you would expect, vulnerability scanning within Metasploitable 2 exposes a wider range of threats compared to a standard Windows 11 machine. This number of weaknesses in security serves as a valuable training ground for novice pentesters. By understanding how these vulnerabilities can be exploited, pentesters develop the skills to identify and eliminate security weaknesses in real-world systems. Scanning for vulnerabilities is the foundation of any penetration test, providing a comprehensive picture of potential vulnerabilities before digging into techniques to exploit them. Letâs look at some of these vulnerabilities.
Letâs dive into the second vulnerability we have encountered, which is âNFS Exported Share Information Disclosure," rated as critical with a severity score of 10.0. This vulnerability belongs to the RPC (Remote Procedure Call) family of plugins. In the middle, we have its description, solution, and the output provided by the scanner. On the right side, we find details about the plugin, including its ID, severity, version, type, family, publication date, and last modification date.
Notably, this vulnerability dates back to 2003, marking it as a well-known and longstanding issue, persisting for over two decades. Despite its age, it remains highly susceptible to exploitation. The risk information indicates a critical risk factor with a score of 10.0 under the CVSS version 2 standard. While this vulnerability isnât updated to the latest scoring systems like CVSS version 3 or 3.1 due to its age, its critical nature remains evident.
Whatâs more, information about security vulnerabilities emphasizes the availability of exploits, increasing the urgency to patch them. Publicly available exploits raise the risk, emphasizing the need for immediate action. In addition, the ease of exploitation has been noted, and exploits are readily available. The security vulnerability dates back to January 1, 1985, making it exceptionally old and therefore particularly concerning. You can use tools such as Metasploit to exploit this particular vulnerability.
Another critical vulnerability discovered by Nessus is âVNC Server âpasswordâ Passwordâ. This shows that, in addition to patching our systems, it is very important to secure each application with the right password. The âpasswordâ can be cracked by an attacker in the blink of an eye, which can lead to devastating consequences. This shows the additional advantage of Nessus: it is able to detect even places where the passwords used are so weak that they should be changed immediately.
Letâs take a look at our bind shell backdoor detection. This vulnerability has a rating of 9.8, indicating its critical severity. It involves a shell listening on a remote port without requiring any authentication. This presents a significant security risk, as attackers can exploit it to connect to the remote port and issue commands directly to the system.
To address this issue, the first step is to verify if the remote host has been compromised. If confirmed, the next course of action would be to reinstall the system as necessary. Given the nature of this vulnerability, it is possible that it represents a backdoor or a rootkit, which is particularly concerning. Therefore, remediation is essential to mitigate any potential damage and restore the systemâs security posture.
There are so many vulnerabilities in this system, so in this case, it will be ideal to create a report, which I have already shown how to do. This would provide us with a comprehensive PDF version of the report, enabling us to prioritize and address threats effectively. After mitigating the vulnerabilities, we can then rescan the system to ensure that any potential risks have been minimized.
Unfortunately, in most production networks, vulnerability scans often reveal a situation similar to what we have seen here. Various factors contribute to this, such as systems being offline during patch updates, patches failing to install correctly, or users postponing patch installations. Consequently, vulnerabilities accumulate within the system.
However, utilizing tools like Nessus proves invaluable in such scenarios. By conducting scans across the network, you can swiftly identify which machines require immediate attention. For instance, upon seeing the Windows 11 and Metasploitable 2 VMs on the screen, it becomes apparent that prioritizing efforts towards securing Metasploitable 2 is essential due to its critical, high, medium, and low severity vulnerabilities, in addition to informational ones.
The essence of using tools such as Nessus lies in their ability to pinpoint vulnerable elements in the network and guide the user in effectively addressing these vulnerabilities.
