Scanning Vulnerabilities with Nessus
In this lab we will see how to do vulnerability scanning using Nessus Vulnerability Scanner.
Nessus

Image by Cornell University 👉 Link.
Nessus is a program for vulnerability scanning on various operating systems. It consists of a daemon, nessusd, which performs the scan on the target system, and nessus, the client (console-based or graphical) that shows progress and reports on the status of scans.
Installing Nessus (Essentials)
In order to install Nessus we must create a free account that gives us access to Nessus Essentials, a limited but still very powerful version of Nessus which includes enough scans to carry out this exercise.
The registration website is at the following 👉 Link. Creating the account is a trivial process, like on any website, and we will not cover it as part of the exercise.
Once registered with our Nessus Essentials account, we will receive by email the activation key needed to download and install Nessus.
Nessus is software that consumes a fair share of resources; if possible it is recommended to have a dedicated VM for it. This way we can leave the scan running in the Nessus VM and continue any other task in our regular work VM without affecting its responsiveness and without risking that other tasks affect the Nessus scanning processes.
The Nessus download page offers various versions depending on our operating system. For this exercise we will use a VM with Kali Linux 2020.4.
Nessus download page: 👉 Link.
In this case I will download the version indicated for 64-bit Debian-based distributions.

The website asks us to accept the License and the download begins. Let's see how to install the downloaded .deb using the command dpkg -i {FileName.deb}.
In our terminal we go to the Downloads folder (or the directory where you downloaded Nessus) and run the command:

Once installed we need to start the service that runs the nessusd daemon. To start the service we use the command /bin/systemctl start nessusd.service.

The command must be run with privileges using sudo.
With this Nessus is ready to be started; however, the first start involves additional configuration before Nessus can be used.
Starting Nessus
To start Nessus, open the following URL https://kali:8834/ as mentioned in the message we received after installing Nessus.

When doing so, we will receive a warning about the invalid certificate. Click the Advanced button and then the link at the end, Proceed to kali (unsafe). You should now see this screen:

With the Nessus Essentials option selected, click Continue. In the next step it will ask us to register; since we already have our account and activation key, click Skip. In the next step we enter our activation code and click Continue.

Nessus will ask us to create an administrator account to use the tool; enter the username and password we want and click Submit.
Next, Nessus will begin downloading and initializing its plugins.
If at this point you receive an error that the plugin download failed, visit the 👉 section at the end of this document called Troubleshooting Nessus. Otherwise keep reading.

If everything went well, we will see the following screen, where we are asked for the username and password we specified earlier for the admin account.

Once logged into Nessus, we will see the following screen and have everything ready to start our exercise.

Our first scan with Nessus (Discovery & Vulnerability Scans)
Now that we have Nessus installed and ready, we will see below how to perform a vulnerability scan, what information we obtain from it and how Nessus presents the results.
For this exercise I will use as targets the VMs from my local Active Directory practice lab, and we will see which vulnerabilities Nessus manages to detect.
Targets to scan:

| Device | IP |
| --- | --- |
| DC: Domain Controller | 192.168.31.131 |
| Client1: Windows 10 Enterprise | 192.168.31.132 |
| Client2: Windows 10 Pro | 192.168.31.133 |
We enter the IP addresses in the Targets field of the Nessus welcome window and click the Submit button.

By clicking Submit, Nessus will begin a host discovery process to locate additional hosts that may exist within the specified targets. When it completes, we select those we actually want to scan.
Keep in mind that Nessus Essentials limits us in the number of hosts we can scan. Currently that limit is 16 hosts.

At this point it is enough to click Run Scan and Nessus will automatically perform a basic scan of each target to begin learning a little more about them.
To see our scan in progress we can go to the tab called History:

After a moment we will see that the tabs called Hosts and Vulnerabilities begin to record results:

We will let the scan run until it is completely finished; however, it is good to know that we can review the detections in real time in the corresponding tabs of the My Basic Network Scan screen.
After a few minutes we obtain the result of the basic scan:

As we can see, Nessus classifies the vulnerabilities found by severity level and CVSS (Common Vulnerability Scoring System) score, as specified by the National Vulnerability Database in its CVSSv2 version (previously it was more aligned to CVSSv1).
To learn more about how severities are classified in CVSSv2 and their respective values, visit the following 👉 link.
| CVSS Score | Severity in Nessus |
| --- | --- |
| Between 1.0 and 3.9 | Low/Info |
| Between 4.0 and 6.0 | Medium |
| Between 7.0 and 9.9 | High |
| 10.0 | Critical |
Let's look in detail at the Medium severity vulnerability detected: SMB Signing not required.

To see the detail of any result, simply click it and Nessus shows the following screen with all the available details:

For each vulnerability we get a similar level of detail; in this case the following information is provided:
Vulnerability Details:
Vulnerability severity: MEDIUM.
Description: We get a description of the possible impact of the vulnerability. In this case it indicates that signing of communications with the SMB server is not required, which may allow an attacker to carry out MITM (Man in the Middle) attacks.
Solution: Part of the detail offered by Nessus for each vulnerability includes possible solutions to mitigate the risk of each detected vulnerability. In this case the solution is to enable the requirement that all communication must be signed (Digitally Sign Communications).
Related articles: As part of the detailed report Nessus also usually includes links to various articles where the affected technology is explained (for example SMB) and additional resources that may include other articles where the vulnerability is detailed.
List of Affected Ports and Hosts: Includes the detail of the affected ports and the list of hosts where the same vulnerability was detected (this quantity corresponds to the value indicated in the Count column in the vulnerabilities list of the previous screen). In this case we see that only two of the three lab machines are affected by this vulnerability.
Plugin Details: Basic and reference information about which plugin was used to perform the detection.
Risk Information: Detail of the risk factors and the different CVSS scores that apply for this vulnerability.
Vulnerability Information: This section shows additional details about the vulnerability and the date it was originally published.
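To make that report structure concrete, here is an added example (not part of the original exercise) that parses a Nessus v2 .nessus XML export, the format Nessus uses when a scan report is exported, and rebuilds the per-plugin view from the Vulnerabilities tab: severity label, plugin name and the Count of affected hosts. The sample report embedded in it is constructed with the lab IPs above; its plugin IDs, names and scores are placeholders, not real Nessus plugin data.

```python
# Added example: summarize a Nessus v2 ".nessus" XML export the way the
# Vulnerabilities tab does (severity, plugin name, Count of affected hosts).
import xml.etree.ElementTree as ET
from collections import defaultdict

# Severity codes used in Nessus exports and the labels shown in the UI.
SEVERITY = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample export: the three lab hosts, two findings. Plugin IDs,
# names and scores are placeholders, not real Nessus plugin data.
SAMPLE_NESSUS = """<NessusClientData_v2><Report name="My Basic Network Scan">
<ReportHost name="192.168.31.131">
 <ReportItem port="445" protocol="tcp" svc_name="cifs" severity="2"
  pluginID="100001" pluginName="SMB Signing not required" pluginFamily="Misc.">
  <risk_factor>Medium</risk_factor><cvss_base_score>5.3</cvss_base_score></ReportItem>
 <ReportItem port="0" protocol="tcp" svc_name="general" severity="4"
  pluginID="100002" pluginName="Zerologon (constructed)" pluginFamily="Windows">
  <risk_factor>Critical</risk_factor><cvss_base_score>10.0</cvss_base_score></ReportItem>
</ReportHost>
<ReportHost name="192.168.31.132">
 <ReportItem port="445" protocol="tcp" svc_name="cifs" severity="2"
  pluginID="100001" pluginName="SMB Signing not required" pluginFamily="Misc.">
  <risk_factor>Medium</risk_factor><cvss_base_score>5.3</cvss_base_score></ReportItem>
</ReportHost>
<ReportHost name="192.168.31.133"/>
</Report></NessusClientData_v2>"""

def summarize(nessus_xml):
    """Group ReportItems by pluginID; 'hosts' is the set behind the Count column."""
    root = ET.fromstring(nessus_xml)
    findings = defaultdict(lambda: {"name": "", "severity": "Info",
                                    "score": None, "hosts": set()})
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            entry = findings[item.get("pluginID")]
            entry["name"] = item.get("pluginName")
            entry["severity"] = SEVERITY[int(item.get("severity", "0"))]
            score = item.findtext("cvss_base_score")
            if score is not None:
                entry["score"] = float(score)
            entry["hosts"].add(host.get("name"))
    return dict(findings)

def report_lines(nessus_xml):
    """One line per plugin, highest severity first, like the Nessus list view."""
    rank = {label: code for code, label in SEVERITY.items()}
    rows = sorted(summarize(nessus_xml).values(), key=lambda e: -rank[e["severity"]])
    return ["%-8s %s (count=%d: %s)" % (e["severity"], e["name"], len(e["hosts"]),
                                        ", ".join(sorted(e["hosts"]))) for e in rows]
```

Calling report_lines(SAMPLE_NESSUS) lists the constructed Critical finding on the DC first, then the SMB signing finding with count=2, matching the "two of three machines" reading of the Count column above.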
How to fix the vulnerability is not part of this exercise; we will focus only on scanning for vulnerabilities and how Nessus reports them.
So far we have seen how to perform a basic scan on a clean installation of Nessus and how to see the details of the vulnerabilities detected. However, this is not the only way to run scans: normally, after the first scan is performed, Nessus no longer shows the Welcome screen used to start a quick automatic scan as in this example. For this reason, in the next section we will see how to start an on-demand scan in Nessus Essentials and the steps needed to do so.
Performing Scans On Demand with Nessus (Zerologon Vuln Detection)
Once we have at least one scan performed in Nessus, when opening the program we will see that the welcome screen that let us enter the targets and perform an automatic basic scan no longer appears. To start a new scan we must click the New Scan button.

After clicking New Scan, Nessus shows the following screen listing the available scan types, including some that are not accessible with Nessus Essentials.

The first two scans listed (Host Discovery and Basic Network Scan) are the ones Nessus executed when we loaded our targets on the welcome screen. Among the available scans there is one to detect whether our target is vulnerable to Zerologon, a vulnerability that continues to impact machines that do not have the necessary patches. Let's see if any of our lab VMs are vulnerable; even if none are, we will see the process to start a manual scan in Nessus (a process that applies to any scan, with more or fewer required configurations depending on the type of scan).

To start a scan we must first configure it. We start by clicking the scan called Zerologon Remote Scan, and we will see the following screen.

On this screen we must specify a Name for the scan and the Targets to scan. Nessus is a HUGE tool and it is not possible to cover in this exercise all the possible configurations for this or any other scan, but it is important to know that it offers options to configure the scan to our liking and needs. Among these additional options are settings such as Ping configuration and the types of Ping to perform, port range, port enumerators to use, and even advanced options such as stopping operations if the host stops responding during the scan.
An important thing to understand about Nessus is that all its functionality is provided by plugins and plugin families. These plugins are used in the different scans and provide the specific tests that Nessus will carry out. We can see the list of plugins that will be used during a scan in the tab called Plugins. In this case we can see that the current scan makes use of only one plugin, which tests for Zerologon.

If we click the plugin name (Plugin Name column), we can see a detail or summary of the plugin and the vulnerability it tests.

The detail is similar to what we saw during the first scan and includes all the available detail about the vulnerability. Once we are ready with the settings for our scan, we enter its name and the target IPs:

At this point we can save our scan to run later, or, by clicking the down-arrow next to the Save button, we can choose to run it right now by clicking Launch:

If you did not save the scan, you can run it by clicking the play button shown for this scan in the scan list (My Scans), as in the following image.

From here on it is the same as during the first basic scan: Nessus performs the necessary tests using the plugin configured for the scan and returns the vulnerabilities found, if any, on the scanned targets. Let's see what results it offers:


As we can observe, Nessus determined in 5 minutes that the Domain Controller (DC) of our lab is vulnerable to the Zerologon attack. If we click the vulnerability we get an idea of the power of Nessus.

With just 23 attempts it was able to compromise the security of the DC and verify that it is indeed vulnerable to the Zerologon exploit. We even see the detail of the request and response sent by Nessus.
This is where we end this vulnerability scanning exercise with Nessus. We saw how to install Nessus and perform its initial configuration, then its basic use to perform an initial automatic scan (Discovery and Basic Network Scan). Finally we performed an on-demand manual scan to check whether our lab was vulnerable to the Zerologon exploit that affects Domain Controllers. With that scan we confirmed that our DC is indeed vulnerable.
Attached to this exercise is the report generated by Nessus for the ZeroLogon scan.
Troubleshooting Nessus
If during installation and first start you receive a download error or any other error that prevents Nessus from finishing its configuration, you can try the following solutions, which may help remedy the problem.
In my case, solution number two was what fixed the problems I had when installing Nessus.
Solution Number 1:
If during the initial configuration of Nessus you receive the error Download Failed, try the following solution.
NOTE: In case of a download-failed error, we can run the following command to fix it: sudo /opt/nessus/sbin/nessuscli update.
Once we run that command, we will see the following result in the console.

In some cases this is enough to resume the Nessus configuration.
Solution Number 2:
If the error persists after trying solution 1, or we receive some other error that also prevents Nessus from initializing correctly, we can use the following commands (run as root) to completely reset Nessus. More information at the following 👉 link.
# service nessusd stop
# /opt/nessus/sbin/nessuscli fix --reset
# /opt/nessus/sbin/nessuscli fetch --register ACTIVATIONCODE
# /opt/nessus/sbin/nessusd -R
# service nessusd start
I hope this is helpful.