HW06: Vulnerability Scanning due Mon 09 Oct 23:59

In this assignment you will use the free version of Nessus to pe...
...Metasploitable2 (MS2) and you will import results into Metasploit.


Last week we enumerated some of the services that are open on MS2. This week we will run a comprehensive vulnerability scanning tool against it in hopes of identifying specific vulnerabilities in each of those services.

Update Kali

As usual we will keep Kali up-to-date by checking for updates and installing them. Open a terminal window and issue these commands:
sudo apt update
sudo apt upgrade

Install Nessus

The Nessus vulnerability scanner is available for download at: https://www.tenable.com/products/nessus. We will simply use the free (Essentials) version. To do so you'll need to provide your name and email address and in return you'll be given an access code. Sites change their interfaces often so the instructions given here may not work exactly as described. REMEMBER: The goal of this section is to install Nessus on your Kali box and then to launch it.

At some point in the process you'll be asked to provide your name and email address and you'll be sent an activation code that you will need to enter when prompted.

Try these steps:

  1. From Firefox on your Kali virtual machine, visit the Tenable Security website and navigate to the downloads page for Nessus.
  2. Select the appropriate 64-bit download for Kali (it will be listed as Debian and will have a file with a .deb extension).
  3. After the download is complete, in a terminal window navigate to the Downloads directory and run the installer program as root: sudo dpkg -i NameOfFile.deb
  4. Launch the newly installed Nessus program: sudo systemctl start nessusd.service NOTE: When the service installs it should display a message telling you how to launch the service and what URL to visit (something like: https://kali:8834/)
  5. In Firefox visit the URL named after installation. NOTE: Since we haven't installed a signed certificate the browser will complain about a security exception. Just ignore the warning and proceed to the site anyway.
  6. At this point you may need a license/code that was sent to your email address.
  7. Create a (local) Nessus account with whatever username/password combo you want.
  8. This will begin a process in which Nessus downloads and compiles a long list of vulnerabilities. It will take quite some time (more than an hour) for this to complete.
  9. (4 pts) When the downloading and compiling of plugins is complete take a screenshot of Nessus running in the browser and upload that screenshot to the Canvas assignment.

Launch Nessus Scan

In case you have restarted your Kali virtual machine since the previous step, remember you'll need to be running the Nessus service (sudo systemctl start nessusd.service) and you'll interact with it via Firefox at https://kali:8834/.

Log in to Nessus in the browser using the credentials you created during the install process.

For the scan we will do we will create a “policy” and then execute a scan based on the policy. The advantage of this approach (rather than just running a scan) is that we can save the scan settings and reuse them easily in the future.

As always, the instructions here may be slightly different than the options that appear for you. Remembering that our goal is to create a policy and then run a scan based on that policy, follow these steps:

  1. Click Policies -> + New Policy -> Advanced Scan
  2. Enter a name of your choosing.
  3. Under Assessment -> Brute Force, check “stop brute forcing after first success”
  4. Under Assessment -> Web Applications, turn on “Scan web applications”
  5. Under Advanced -> General Settings, check “Scan IP addresses in random order” and check “Slow down the scan when network congestion is detected”
  6. Under the Credentials tab ... NOTE: This is where you would specify any known credentials ... for now just leave this blank (although we have uncovered some credentials from our enumeration step).
  7. Click Save
  8. Return to the My Scans page.
  9. Click + New Scan -> User Defined and then select the policy you just created.
  10. Specify folder and targets (the target is the MS2 IP number). Then click Save.
  11. Click on the new scan and then Launch.
  12. NOTE: This scan should take about half an hour or so to run. As it runs it will update the page. If it finishes right away, it may be the case that MS2 is not running.
  13. (4 pts) When the scan finishes take a screenshot that captures the time the scan was run along with the ring chart of found vulnerabilities.
  14. Take several minutes to look through the list of vulnerabilities.

Move Scan Result to Metasploit

When the Nessus scan finishes you are ready to export the results to a file. Then you will import those results into Metasploit.

Make sure the most recent scan results are being displayed. Then choose Export -> Nessus and choose Save file .... Make note of the name and location of the export.

Now, from the command-line, launch msfconsole and perform the following steps:

  1. Switch to the ms2 workspace.
  2. Verify that the services command shows the saved list of services that are available on MS2.
  3. Use the vulns command to list known vulnerabilities. NOTE: This command should show no (or perhaps just a couple) vulnerabilities because we haven't yet imported the results of the vulnerability scan.
  4. Import the Nessus scan results: db_import path_to/name_of_nessus_scan_file.nessus
  5. Use the vulns command again and now you should have a significant list of suspected vulnerabilities.
  6. To see vulnerabilities specific to SNMP do: vulns -S snmp
  7. To see vulnerabilities specific to SMB ports: vulns -p 445,139
  8. (4 pts) Take a screenshot showing (a partial list of) the results of the most recent command and upload it to this assignment in Canvas.
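
To see what db_import is actually reading, here is an added Python example (not part of the assignment and not Metasploit's own code) that parses a .nessus v2 export and reproduces the two filters above, by service (like vulns -S snmp) and by port (like vulns -p 445,139). The scan document is a constructed sample: the host IP, plugin IDs and plugin names are made up, only the element layout matches a real export.

```python
"""Parse a Nessus v2 (.nessus) export and filter findings by service or port,
mirroring the msfconsole views `vulns -S snmp` and `vulns -p 445,139`."""
import xml.etree.ElementTree as ET
from collections import namedtuple

# Constructed sample in the .nessus v2 layout; not real scan output.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
 <Report name="ms2-scan">
  <ReportHost name="192.0.2.10">
   <HostProperties><tag name="host-ip">192.0.2.10</tag></HostProperties>
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3"
     pluginID="100001" pluginName="SMB sample finding A" pluginFamily="Windows"/>
   <ReportItem port="139" svc_name="smb" protocol="tcp" severity="2"
     pluginID="100002" pluginName="SMB sample finding B" pluginFamily="Windows"/>
   <ReportItem port="161" svc_name="snmp" protocol="udp" severity="2"
     pluginID="100003" pluginName="SNMP sample finding" pluginFamily="SNMP"/>
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
     pluginID="100004" pluginName="Host information" pluginFamily="General"/>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

# severity: 0 = info, 1 = low, 2 = medium, 3 = high, 4 = critical
Finding = namedtuple("Finding", "host port proto service severity plugin_id name")

def parse_nessus(xml_text):
    """Return every ReportItem of every host as a Finding (info items included)."""
    root = ET.fromstring(xml_text)
    return [Finding(host.get("name"), int(item.get("port")), item.get("protocol"),
                    item.get("svc_name"), int(item.get("severity")),
                    item.get("pluginID"), item.get("pluginName"))
            for host in root.iter("ReportHost") for item in host.iter("ReportItem")]

def by_service(findings, needle):
    """Like `vulns -S snmp`: case-insensitive match on service or plugin name."""
    n = needle.lower()
    return [f for f in findings if n in f.service.lower() or n in f.name.lower()]

def by_ports(findings, ports):
    """Like `vulns -p 445,139`: keep findings on any of the listed ports."""
    wanted = set(ports)
    return [f for f in findings if f.port in wanted]

def triage(findings, min_severity=1):
    """Drop informational items and order the rest most severe first."""
    return sorted((f for f in findings if f.severity >= min_severity),
                  key=lambda f: (-f.severity, f.port))
```

Point parse_nessus at the contents of your own export (open the file and pass the text) to get the same host/port/severity view outside msfconsole; triage() is the order in which a defender would work the list.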

In future assignments we will attempt to leverage some of the vulnerabilities found by this scan.