# Scanning Vulnerabilities with Nessus

## Nessus

![](/files/b6f2cb1714f8e856e83431e9f8295082ee8a86d3)

{% hint style="success" %}
**Image by Cornell University** :point\_right: [Link](https://es.wikipedia.org/wiki/Nessus).\
**Nessus** is a **vulnerability scanner** that runs on **various operating systems**. It consists of a daemon, **`nessusd`**, which performs the scans against the target systems, and a client, **`nessus`** (console or graphical), which shows progress and reports the status of the scans.
{% endhint %}

### Installing Nessus (Essentials)

![](/files/dc6bb9a1223d54011683b29f5ecb3caba22aed39)

In order to install **`Nessus`** we must create a free account that will give us access to **`Nessus Essentials,`** a limited but still very powerful version of **`Nessus`** which includes enough scans to be able to carry out this exercise.

{% hint style="success" %}
**Website to register:** :point\_right: [**Link**](https://www.tenable.com/products/nessus/nessus-essentials).\
Creating the account is a trivial process like any website and we will not cover it as part of the exercise.
{% endhint %}

Once we are registered and have our `Nessus Essentials` account we will receive by email our `activation key` to be able to download and install `Nessus`.

{% hint style="danger" %}
**Nessus** **consumes a fair share of resources**; if possible, run it in a **dedicated VM**. This way we can leave a scan running in the **Nessus VM** and keep working in our **regular work VM** without one slowing the other down, and without other tasks interfering with the scanning processes.
{% endhint %}

The Nessus download page offers various versions depending on our operating system. For this exercise we will use a **`VM with Kali Linux 2020.4`**.

{% hint style="success" %}
**Nessus download page:** :point\_right: [**Link**](https://www.tenable.com/downloads/nessus?loginAttempted=true).
{% endhint %}

In this case I will download the version indicated for distributions based on **`Debian 64 bit`**.

![](/files/d0dfbdb937fbe74898ada224a085ee165199e902)

The website asks us to accept the License and the download begins. The download page also lists checksums for each package; compare the one shown with the output of **`sha256sum {FileName.deb}`** before installing. Let's see how we install the downloaded **`.deb`** using the command **`dpkg -i {FileName.deb}`**.

In our terminal we go to the Downloads folder (or the directory where you downloaded **Nessus**) and run the command (with **`sudo`**, since **`dpkg -i`** needs root):

![](/files/09b6eb2217cc5f8d439219ed3dfddd7fa8b175f8)

Once installed we need to start the service that runs the **`nessusd`** daemon. To start the service we use the command **`/bin/systemctl start nessusd.service`**.

![](/files/608f8046350be2f9020c4c26123b55a7f4099f2a)

{% hint style="warning" %}
It is necessary to run the command with privileges using **`sudo`**.
{% endhint %}

With this we already have Nessus ready to be started; however, the first start involves additional configuration before we can use Nessus.

### Starting Nessus

To start Nessus, open the URL [`https://kali:8834/`](https://kali:8834/) mentioned in the message we received after installing Nessus (`kali` is the hostname of our VM; use `localhost` or the VM's IP address if you are connecting from another machine).

![](/files/9b16bbbc11fe45de226b17c6f7722003e48d7889)

When doing so, we will receive a warning about an invalid certificate: Nessus generates a self-signed certificate on first start, so the browser cannot verify it. Click the **`Advanced`** button and then the **`Proceed to kali (unsafe)`** link at the bottom. For a lab VM this is acceptable; if the Nessus web interface is reachable from other machines, replace the certificate with one issued by a CA you trust. You should now see this screen:

![](/files/85c4e23808a87a4f9b172a3eaf0d4fae7263c697)

With the Nessus Essentials option selected, click **`Continue`**. In the next step it asks us to register; since we already have our account and activation key, click **`skip`**. In the next step we enter our activation code and click **`continue`**.

![](/files/1ae0be344305609d867ac1d96fc9cad486433fc7)

Nessus will ask us to create an `administrator` account to use the tool. Enter the `username and password` we want and click **`Submit`**.

Next Nessus will begin downloading and initializing its plugins.&#x20;

{% hint style="danger" %}
*If at this point you receive an error that the plugin download failed, visit the* :point\_right: [***Troubleshooting Nessus***](/tzero86/vulnerability-analysis/escaneando-vulnerabilidades-con-nessus.md#troubleshooting-nessus-descarga-fallida) *section at the end of this document. Otherwise, keep reading.*
{% endhint %}

![](/files/6a543a85710cdb798e342d0277a1816ad2caaa1d)

If everything went well, we will see the following screen where it will ask us to enter the username and password we specified earlier for the admin account.

![](/files/7127d47ed3f60dff18827ea93878331074d5682d)

Once logged into **`nessus`**, we will see the following screen and we will have everything ready to start our exercise.

![](/files/5ca0fddabb534c5c45c4ea70f1078a6155ed7946)

### Our first scan with Nessus (`Discovery & Vulnerability Scans`)

Now that we have **Nessus** installed and ready, we will see below how we can **`perform a vulnerability scan`**, what **`information we obtain`** from it and how **`nessus`** presents the results.

For this exercise I will use as targets the **`VMs`** from my [local **`Active Directory`** practice lab](/tzero86/scanning/running-scans-with-nmap.md#intro-distintos-tipos-de-scans-con-nmap) and we will see which vulnerabilities **`Nessus`** manages to detect.

**Targets to scan:**

| Device                         | IP             |
| ------------------------------ | -------------- |
| DC: Domain Controller          | 192.168.31.131 |
| Client1: Windows 10 Enterprise | 192.168.31.132 |
| Client2: Windows 10 Pro        | 192.168.31.133 |

We enter the **`IP`** addresses in the **`targets`** field of the Nessus welcome window and click the **`submit`** button.

![](/files/ce2cd68dcf3e9bc938b4b15c117ff27afdb84f63)

By clicking **`submit`** Nessus will begin to perform a **`host discovery`** process to locate additional hosts that may exist within the specified targets. When completed, we select those that we will actually scan.

{% hint style="warning" %}
Keep in mind that **`Nessus Essentials`** limits us in the number of **`hosts`** we can scan. Currently that limit is **`16 hosts.`**
{% endhint %}

![](/files/e2e0a88cc73e247e3deb7911b2bd432edbe142d5)

At this point it is enough to click **`Run Scan`** and **`Nessus`** will automatically perform a basic scan of each target to begin to learn a little more about them.

To see our **`scan`** in progress we can go to the **`tab`** called **`History`**:

![](/files/c197c6ff0b52b494122f9199a1946fa88c0aa8c5)

After a moment we will see that the **`tabs`** called **`Hosts`** and **`Vulnerabilities`** will begin to record results:

![](/files/db0476563dd30c7d65f0b496f96da558d0564c5f)

We will let the scan run until it is completely finished, however it is good to know that we can review in real time the detections recorded in the corresponding **`tabs`** of the screen **`My Basic Network Scan`**.

After a few minutes we obtain the result of the **`basic scan`**:

![](/files/00710f9d1990488aa95c4c38efd9c715dc03228c)

As we can see, Nessus groups the findings by severity level, which it derives from each plugin's **`CVSS (Common Vulnerability Scoring System)`** base score. In this version the severity base is the **`CVSSv2`** score as published by the **`National Vulnerability Database (NVD)`**; newer Nessus releases can also use CVSSv3 as the severity base.

{% hint style="success" %}
To learn more about how severities are classified in **CVSSv2** and their respective **values**, visit the following :point\_right: [**link**.](https://nvd.nist.gov/vuln-metrics/cvss)
{% endhint %}

| CVSSv2 Score        | Severity in Nessus |
| ------------------- | ------------------ |
| 0.0                 | Info               |
| Between 0.1 and 3.9 | Low                |
| Between 4.0 and 6.9 | Medium             |
| Between 7.0 and 9.9 | High               |
| 10.0                | Critical           |
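As an added example (not from the original write-up and not Tenable's code), the following Python script reads a Nessus `.nessus` export (the `NessusClientData_v2` XML that the **Export** button produces), counts findings per host and severity as the **Hosts** tab does, lists the hosts on which a given plugin fired (the **Count** column), and checks that each finding's reported severity agrees with the CVSSv2 mapping in the table above. The embedded XML is a constructed stand-in for an export of the lab scan: the plugin IDs are placeholders and one finding is deliberately mislabelled so the consistency check has something to flag; the element and attribute names (`ReportHost`, `ReportItem`, `severity`, `pluginID`, `cvss_base_score`) are the ones the `.nessus` format uses.

```python
"""Summarise a Nessus .nessus (NessusClientData_v2) export by host and severity.

Added example; not the write-up's or Tenable's own code. SAMPLE_NESSUS is a
constructed stand-in for a real export: plugin IDs are placeholders and the
"Constructed test finding" is deliberately mislabelled (severity 3, CVSS 5.0).
"""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Nessus numeric severity attribute -> label shown in the UI
SEVERITY_LABELS = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
 <Report name="My Basic Network Scan">
  <ReportHost name="192.168.31.131">
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="2" pluginID="10001"
               pluginName="SMB Signing not required" pluginFamily="Misc.">
    <cvss_base_score>5.0</cvss_base_score><risk_factor>Medium</risk_factor>
   </ReportItem>
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="10002"
               pluginName="OS Identification" pluginFamily="General">
    <risk_factor>None</risk_factor>
   </ReportItem>
  </ReportHost>
  <ReportHost name="192.168.31.132">
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="2" pluginID="10001"
               pluginName="SMB Signing not required" pluginFamily="Misc.">
    <cvss_base_score>5.0</cvss_base_score><risk_factor>Medium</risk_factor>
   </ReportItem>
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="10002"
               pluginName="OS Identification" pluginFamily="General">
    <risk_factor>None</risk_factor>
   </ReportItem>
  </ReportHost>
  <ReportHost name="192.168.31.133">
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="10002"
               pluginName="OS Identification" pluginFamily="General">
    <risk_factor>None</risk_factor>
   </ReportItem>
   <ReportItem port="3389" svc_name="msrdp" protocol="tcp" severity="3" pluginID="10003"
               pluginName="Constructed test finding" pluginFamily="Windows">
    <cvss_base_score>5.0</cvss_base_score><risk_factor>Medium</risk_factor>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """Flatten every ReportItem into a dict; cvss2 is None for plugins without a score."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            cvss = item.findtext("cvss_base_score")
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port")),
                "protocol": item.get("protocol"),
                "severity": SEVERITY_LABELS[int(item.get("severity"))],
                "plugin_id": item.get("pluginID"),
                "plugin_name": item.get("pluginName"),
                "cvss2": float(cvss) if cvss else None,
            })
    return findings


def severity_from_cvss2(score):
    """Nessus label for a CVSSv2 base score: 0.0 Info, 0.1-3.9 Low, 4.0-6.9 Medium, 7.0-9.9 High, 10.0 Critical."""
    if score is None or score == 0.0:
        return "Info"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 10.0:
        return "High"
    return "Critical"


def severity_counts(findings):
    """host -> Counter of severity labels (what the Hosts tab shows per target)."""
    counts = defaultdict(Counter)
    for f in findings:
        counts[f["host"]][f["severity"]] += 1
    return dict(counts)


def hosts_affected(findings, plugin_name):
    """Sorted list of hosts on which the named plugin fired (the Count column)."""
    return sorted({f["host"] for f in findings if f["plugin_name"] == plugin_name})


def inconsistent_severities(findings):
    """Findings whose reported severity disagrees with their own CVSSv2 score."""
    return [f for f in findings
            if f["cvss2"] is not None and severity_from_cvss2(f["cvss2"]) != f["severity"]]


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NESSUS
    results = parse_nessus(text)
    for host, counts in sorted(severity_counts(results).items()):
        print(host, dict(counts))
    print("SMB Signing not required:", hosts_affected(results, "SMB Signing not required"))
    for f in inconsistent_severities(results):
        print("severity mismatch:", f["host"], f["plugin_name"], f["cvss2"], f["severity"])
```

Run it with the path of a real export as the first argument (`python3 nessus_summary.py scan.nessus`); without an argument it runs against the constructed sample, on which only the two lab hosts with the SMB finding are listed and the mislabelled item is reported.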

Let's look in detail at the vulnerability of severity **`Medium`** that was detected: **`SMB Signing not required`**.

![](/files/69eba7efc5bfe56f49a68d67e53c447940f5ceb2)

To see the detail of any result, simply click on it and Nessus will show us the following screen with all the available details:

![](/files/9f74d67f37aa0d22b77ea2f99b1054dcebf82d3e)

For each vulnerability we will get a similar detail, in this case the following information is provided:

* **Vulnerability Details:**
  * **Vulnerability severity**: **`MEDIUM`**.
  * **Description:** A description of the vulnerability and its possible impact. In this case it indicates that **signing of SMB communications with the server is not required**, which may allow an attacker on the network to carry out **`MITM (Man in the Middle)`** attacks against SMB sessions.
  * **Solution:** Part of the detail Nessus offers for each vulnerability includes possible solutions to mitigate the risk. In this case the solution is to enforce signing of all SMB communication **`(Digitally Sign Communications)`**.
  * **Related articles:** As part of the detailed report Nessus usually includes links to articles explaining the affected technology (SMB, in this case) and additional resources where the vulnerability is described in more depth.
  * **List of Affected Ports and Hosts:** The affected ports and the list of hosts on which the same vulnerability was detected (this number corresponds to the value in the **`Count`** column of the vulnerability list on the previous screen). In this case we see that only two of the three lab machines are affected.
  * **Plugin Details**: Basic and reference information about the plugin used for the detection.
  * **Risk Information:** The risk factor and the different CVSS scores that apply to this vulnerability.
  * **Vulnerability Information:** Additional details about the vulnerability and the date on which it was originally published.

The process of how to fix the vulnerability is not part of this exercise, we will focus only on scanning them and how they are reported by Nessus.

{% hint style="info" %}
The lab has several vulnerabilities and it is not the intention to remediate them, since the idea is to use it to practice the different attack vectors. However if you are interested in reading how to fix this particular vulnerability, I recommend the following post in Spanish from the **0xsecure** blog at the following :point\_right: [**link**](https://0xsecure.blogspot.com/2019/10/smb-signing-not-required-firma-smb-no.html?m=1).
{% endhint %}

So far we have seen how we can perform a basic scan on a clean installation of Nessus and how to see the details of the vulnerabilities detected. However it is not the only way to do scans since normally after the first scan is performed, Nessus no longer shows the Welcome screen to start a quick automatic scan as we saw in this example. For this reason in the next section we will see how we can start an on-demand scan in Nessus Essentials and the necessary steps to do so.

### Performing `Scans On Demand` with Nessus (`Zerologon Vuln Detection`)

Once we have at least one scan in Nessus, the welcome screen that let us enter the **`targets`** and run an automatic **`basic scan`** no longer appears when we open the program. To start a new scan we must click the **`New Scan`** button.

![](/files/fa442ae7a081fc4b90fb90ab115ffcde185bc0b2)

After clicking **`New Scan`**, Nessus shows us the following screen listing the available scan types, including some that we cannot use with Nessus Essentials.

![](/files/6ff13cca25dbc854e8181858143e74a418331796)

The first two scans listed (**`Host Discovery`** and **`Basic Network Scan`**) are the ones Nessus executed when we loaded our targets on the welcome screen. Among the available scans there is one to detect whether our target is vulnerable to **`Zerologon`** (CVE-2020-1472), a Netlogon vulnerability that continues to affect Domain Controllers that have not been patched. Let's see whether any of our lab **`VMs`** is vulnerable; even if none is, we will see how to start a manual scan in Nessus (a process that applies to any scan, with more or fewer required settings depending on the scan type).

![](/files/dec052678494703a5384afdba84a55574bef6c7f)

To start a scan we must first configure it. We begin by clicking the scan called **`Zerologon Remote Scan`**, which shows the following screen.

![](/files/be625be39c65e1052678696eb2763ebd8f7d40b8)

On this screen we must specify a name for the scan and the targets to scan. Nessus is a HUGE tool and it is not possible to cover in this exercise all the possible settings for this or any other scan, but it is important to know that it offers options to tailor the scan to our needs. Among these additional options are settings such as the ping types to use for host discovery, the port range, the port enumerators to use, and even advanced options such as stopping the scan if the host stops responding during it.

An important part to understand about Nessus is that all its functionalities are provided by plugins and plugin families. These plugins are used in the different scans and provide specific tests that Nessus will carry out. We can see the list of plugins that will be used during a scan in the **`tab`** called **`Plugins`**. In this case we can see that the current scan only makes use of one plugin to test **`Zerologon`**.

![](/files/cb3c7b7920dfd0d12ceb22653e340cd28f733047)

If we click the plugin name (column **`Plugin Name`**) we can see a summary of the plugin and the vulnerability it tests for.

![](/files/7917e75aff22cb9fbde88de03f3c8a06432f3bf4)

The detail is similar to what we saw during the first scan and includes all available detail about the vulnerability. Once we are ready with the adjustments for our scan, we indicate the name for it and the target IPs:

![](/files/d679b0b5a074fcc43cd48bbb99813b9e24dfadab)

At this point we can save the scan to run it later or, using the down-arrow next to the **`Save`** button, choose to run it right away by clicking **`Launch`**:

![](/files/f068ac0c2074c24df295926d0369d8cf7c1c414f)

{% hint style="info" %}
Saved **`scans`** are listed under **`My Scans`** along with the other scans we have run or saved previously.
{% endhint %}

If you did not launch the scan when saving it, you can run it by clicking the **`play`** button shown for it in the scan list (**`My Scans`**), as in the following image.

![](/files/f7774c843546ef5a9818b19c22df6b1b925a05a2)

From here on it is the same as we saw during the first basic scan, Nessus will perform the necessary tests using the **`Plugin`** configured for the **`scan`** and will return the results of the vulnerabilities found if present on the scanned targets. Let's see what results it offers us:

![](/files/2f8030faffcff7966bbfbf4ea87ca16b6fd3b181)

![](/files/6f277645f1c15a2d25bfac912923f85fb1153ad8)

As we can observe, Nessus determined in **`5 minutes`** that the **`Domain Controller (DC)`** of our lab is vulnerable to the **`Zerologon`** attack. If we click the vulnerability we get an idea of the power of **`Nessus`**.

![](/files/8114af19ce3af2f1d14e95b3b248f3e08f71d728)

With just **`23`** attempts the plugin succeeded in the Netlogon authentication bypass and verified that the **`DC`** is indeed vulnerable to **`Zerologon`**. The number of attempts varies from run to run: because of the flaw (AES-CFB8 with an all-zero IV), each attempt with an all-zero client challenge succeeds with probability about 1/256, so it usually takes a few hundred tries and 23 was simply a lucky run. We even see the detail of the **`request`** and **`response`** sent by **`Nessus`**.

This is where we end this vulnerability scanning exercise with **Nessus**. We saw how to install Nessus and perform its initial configuration, then its basic use to perform an initial automatic scan (**`Discovery`** and **`Basic Network Scan`**). Finally we performed an on-demand manual scan to check whether our lab was vulnerable to the **`Zerologon`** exploit that affects **`Domain Controllers`**, and with that scan we confirmed that our **`DC`** is indeed vulnerable.

Attached to this exercise is the report generated by Nessus for the ZeroLogon scan.

{% file src="/files/c991419162e66bf33b5f57eca88c001e28a9723c" %}
Report Generated by Nessus (PDF).
{% endfile %}

{% hint style="info" %}
**Nessus** has many options that we cannot cover in this exercise, but it is good to know that it lets us create our own **`Policies`** (scan **`templates`**) that determine the actions carried out in each type of **`scan`**. It also includes report generation and custom **`rules`** that control how the **`plugins`** behave. All this without counting the other functionalities and **`scans`** that are enabled in the paid version.

It is certainly a very interesting tool and I am interested in understanding it in greater depth. I may dedicate a particular write-up going deeper into its use at some point. For now I may make one or two updates to this same exercise.
{% endhint %}

### Troubleshooting Nessus

If during the installation and first-start process you receive a download error, or any other error that prevents Nessus from finishing its configuration, you can try the following solutions.

In my case, solution number two was needed to fix the problems I had when installing **Nessus**.

#### Solution Number 1:

If during the initial configuration of Nessus you receive the error **`Download Failed`**, try the following solution.

{% hint style="danger" %}
**NOTE:** In case of receiving an error that the download failed. We can run the following command to fix it **`sudo /opt/nessus/sbin/nessuscli update`**.&#x20;

<img src="/files/f788e00312d365d8fa6546bf587f0e182f40142e" alt="" data-size="original">&#x20;
{% endhint %}

Once we run that command, we will see the following result in the console.

![](/files/a8f0c60979cbe1cede6b0e403b7fecf4c002acf9)

In some cases with this we will be able to resume Nessus configuration.

#### Solution Number 2:

If the error persists after trying solution 1, or we receive some other error that also prevents Nessus from initialising correctly, we can try the following commands, which completely reset Nessus:

{% hint style="danger" %}
**If the error persists:** We can use the following commands, in order, to completely reset Nessus. More information in the following :point\_right: [**link**](https://tenable.force.com/s/article/Nessus-feed-reset-to-fix-plugin-issues-or-error?r=7\&ui-knowledge-aloha-components-aura-components-knowledgeone.ArticleActions.handleEditPublished=1\&ui-force-components-controllers-recordGlobalValueProvider.RecordGvp.getRecord=1).

1. `service nessusd stop`
2. `/opt/nessus/sbin/nessuscli fix --reset`
3. `/opt/nessus/sbin/nessuscli fetch --register ACTIVATIONCODE`
4. `/opt/nessus/sbin/nessusd -R`
5. `service nessusd start`

All five commands must be run as root (or with `sudo`); `ACTIVATIONCODE` is the activation code we received by email.
{% endhint %}

I hope this is helpful.

{% hint style="info" %}
These labs are subject to modifications and corrections; the most up-to-date version is available online at [the following link](https://tzero86.gitbook.io/tzero86/).
{% endhint %}


