Last week we enumerated some of the services that are open on MS2. This week we
will run a comprehensive vulnerability scanning tool against it in hopes of
identifying specific vulnerabilities in each of those services.
As usual we will keep Kali up-to-date by checking for updates and installing them.
Open a terminal window and issue these commands:
sudo apt update
sudo apt upgrade
The Nessus vulnerability scanner is available for download at
https://www.tenable.com/products/nessus. We will use the free (Essentials)
version, which is limited to 16 IP addresses, more than enough for this lab. To
get it you'll need to provide your name and email address; in return you'll be
sent an activation code that you will need to enter when prompted during setup.
Sites change their interfaces often so the instructions given here may not work
exactly as described. REMEMBER: The goal of this section is to install Nessus
on your Kali box and then to launch it.
Try these steps:
- From Firefox on your Kali virtual machine, visit the Tenable website
and navigate to the downloads page for Nessus.
- Select the appropriate 64-bit download for Kali (it will be listed as Debian
and will have a file with a .deb extension). Tenable shows a checksum next to
each download; compare it with the checksum of the file you actually received
before installing, since the installer runs as root.
- After the download is complete, open a terminal window, change to the
Downloads directory and run the installer as root:
sudo dpkg -i NameOfFile.deb
- Start the newly installed Nessus service:
sudo systemctl start nessusd.service
NOTE: When the package installs it prints a message telling you how to start
the service and what URL to visit (something like https://kali:8834/).
- In Firefox, visit the URL shown after installation. NOTE: Nessus generates
its own self-signed certificate at install time, so the browser will warn that
the connection is not trusted and ask you to add a security exception. Because
you are connecting to a service on your own lab VM, accept the exception and
proceed; do not make a habit of doing this for hosts you do not control.
- At this point you'll be asked for the activation code that was sent to your
email address.
- Create a (local) Nessus account with whatever username/password combo you want.
- This starts a process in which Nessus downloads and compiles its plugins, the
individual vulnerability checks it will run. It will take quite some time (more
than an hour) to complete.
- (4 pts) When the downloading and compiling of plugins is complete take
a screenshot of Nessus running in the browser and upload that screenshot to the
Canvas assignment.
In case you have restarted your Kali virtual machine since the previous step,
remember you'll need to start the Nessus service:
sudo systemctl start nessusd.service
and you'll interact with it via Firefox at https://kali:8834/.
Log in to Nessus in the browser using the credentials you created during the
install process.
For our scan we will first create a "policy" and then run a scan based on
that policy. The advantage of this approach (rather than just launching a scan
directly) is that the scan settings are saved and can easily be reused in the
future.
As always, the options that appear for you may differ slightly from the
instructions here. Remembering that our goal is to create a policy and then
run a scan based on that policy, follow these steps:
- Click Policies -> + New Policy -> Advanced Scan
- Enter a name of your choosing.
- Under Assessment -> Brute Force, check "stop brute forcing after first
success"
- Under Assessment -> Web Applications, turn on "Scan web applications"
- Under Advanced -> General Settings, check "Scan IP addresses in a random
order" and check "Slow down the scan when network congestion is detected"
- Under the Credentials tab: this is where you would supply any credentials you
already know, so that Nessus can log in and check the host from the inside (a
credentialed scan finds far more than a network-only scan can). For now leave it
blank, even though our enumeration step turned up some credentials; this first
scan will be an uncredentialed one.
- Click Save.
- Return to the My Scans page.
- Click + New Scan -> User Defined and then select the policy you just created.
- Specify a folder and the target (the target is the IP address of MS2). Then
click Save.
- Click on the new scan and then Launch.
- NOTE: This scan should take about half an hour or so to run, and the page
updates as it runs. If it finishes almost immediately, MS2 is probably not
running or is not reachable from the Kali VM; check that before trusting an
empty result.
- (4 pts) When the scan finishes take a screenshot that captures the time
the scan was run along with the ring chart of found vulnerabilities.
- Take several minutes to look through the list of vulnerabilities.
When the Nessus scan finishes you are ready to export the results to a file,
which you will then import into Metasploit.
Make sure the most recent scan results are being displayed. Then choose
Export -> Nessus and choose Save file. Make a note of the name and location of
the exported .nessus file.
Now, from the command line, launch msfconsole and perform the following steps:
- Switch to the ms2 workspace.
- Verify that the services command shows the saved list of services that are
available on MS2.
- Use the vulns command to list known vulnerabilities. NOTE: This command should
show no (or perhaps just a couple of) vulnerabilities because we haven't yet
imported the results of the vulnerability scan.
- Import the Nessus scan results:
db_import path_to/name_of_nessus_scan_file.nessus
- Use the vulns command again; you should now have a significant list of
suspected vulnerabilities.
- To see vulnerabilities whose name matches "snmp" (-S is a search filter):
vulns -S snmp
- To see vulnerabilities on the SMB ports (-p filters by port):
vulns -p 445,139
- (4 pts) Take a screenshot showing (a partial list of) the results of the
most recent command and upload it to this assignment in Canvas.
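To see what db_import is actually reading, and to reproduce the port and search
filters above outside msfconsole, here is an added example that parses a .nessus
export (the NessusClientData_v2 XML format) with Python's standard library. It
is not part of this assignment and is not code from Nessus or Metasploit. The
XML it parses is a constructed minimal sample: the host address, plugin IDs and
plugin names are placeholders, not real scan output, and a real export carries
many more attributes and child elements per ReportItem.

```python
# Added example: parse a Nessus export and filter it like `vulns -p` / `vulns -S`.
# Not code from Nessus or Metasploit; the sample XML below is constructed.
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from collections import Counter
from dataclasses import dataclass

# Constructed sample. Host address, plugin IDs and names are placeholders.
SAMPLE_NESSUS = """\
<NessusClientData_v2>
  <Report name="MS2 scan">
    <ReportHost name="192.0.2.10">
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="900001" pluginName="Placeholder host information" pluginFamily="General">
        <risk_factor>None</risk_factor>
      </ReportItem>
      <ReportItem port="161" svc_name="snmp" protocol="udp" severity="2"
                  pluginID="900002" pluginName="Placeholder SNMP finding" pluginFamily="SNMP">
        <risk_factor>Medium</risk_factor>
      </ReportItem>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3"
                  pluginID="900003" pluginName="Placeholder SMB finding" pluginFamily="Windows">
        <risk_factor>High</risk_factor>
      </ReportItem>
      <ReportItem port="139" svc_name="netbios-ssn" protocol="tcp" severity="1"
                  pluginID="900004" pluginName="Placeholder NetBIOS finding" pluginFamily="Windows">
        <risk_factor>Low</risk_factor>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

SEVERITY_LABEL = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    proto: str
    service: str
    severity: int
    plugin_id: str
    name: str


def parse_nessus(xml_text: str) -> list[Finding]:
    """Flatten every ReportItem under every ReportHost into a Finding.
    xml.etree is fine for an export you produced yourself; for a file that
    came from someone else, parse with defusedxml to block entity-expansion
    tricks hidden in the XML."""
    root = ET.fromstring(xml_text)
    findings: list[Finding] = []
    for host in root.iter("ReportHost"):
        addr = host.get("name", "")
        for item in host.iter("ReportItem"):
            findings.append(Finding(
                host=addr,
                port=int(item.get("port", "0")),
                proto=item.get("protocol", ""),
                service=item.get("svc_name", ""),
                severity=int(item.get("severity", "0")),
                plugin_id=item.get("pluginID", ""),
                name=item.get("pluginName", ""),
            ))
    return findings


def by_port(findings: list[Finding], ports: list[int]) -> list[Finding]:
    """Like `vulns -p 445,139`: keep findings on the given ports."""
    wanted = set(ports)
    return [f for f in findings if f.port in wanted]


def search(findings: list[Finding], pattern: str) -> list[Finding]:
    """Like `vulns -S snmp`: case-insensitive regex over plugin and service name."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [f for f in findings if rx.search(f.name) or rx.search(f.service)]


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    """The numbers behind the ring chart: findings per severity label."""
    return dict(Counter(SEVERITY_LABEL.get(f.severity, "Unknown") for f in findings))


def ranked(findings: list[Finding]) -> list[Finding]:
    """Worst first, with severity-0 (informational) items dropped: the order
    to work through when deciding what to try to exploit next."""
    kept = [f for f in findings if f.severity > 0]
    return sorted(kept, key=lambda f: (-f.severity, f.port))


if __name__ == "__main__":
    found = parse_nessus(SAMPLE_NESSUS)
    print("severity summary:", severity_counts(found))
    for f in ranked(found):
        print(f"{SEVERITY_LABEL[f.severity]:8} {f.host}:{f.port}/{f.proto} {f.service:12} {f.name}")
    print("smb ports:", [(f.port, f.name) for f in by_port(found, [445, 139])])
    print("snmp:", [(f.port, f.name) for f in search(found, "snmp")])
```

To run it against your own export, replace SAMPLE_NESSUS with the contents of
the .nessus file you saved; the filters then give the same view of the data that
the two vulns commands above give inside msfconsole.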
In future assignments we will attempt to leverage some of the vulnerabilities found
by this scan.