Hacking and Vulnerability Scanning with Nessus | TryHackMe Pentest+ Nessus Lab

Captions
okay youtube should be good now i think i think we're solid and we can and we can get through that okay so let's try this again what's good everybody what's going on we got the live stream working today we're going to be talking about one of my favorite scanning tools um which is nessus tenables nessus vulnerability scanner it's great from a few different perspectives whether you're a pen tester you can use it to enumerate and look to see what type of vulnerabilities exist on different boxes and that was kind of the the gist of why we were starting to do this video because it is in the try hack me pen test plus learning path that being said on the flip side on the defensive side on the blue team side on the i t side operations grc all that good stuff tenables nessus vulnerability scanner is something that we use quite a bit to ensure that our patching levels are uh you know up to par and we're doing all the stuff that we need to do as far as maintaining the um health of our systems from a patching standpoint so this video we're gonna talk about a few different things um involved with that um the room itself is kind of small so we should be able to go through that pretty quickly and i kind of did a whole bunch of stuff ahead of time to make that be a little bit easier so hopefully we're going to have a good conversation have some questions and be able to do a little bit of deeper dive into things that actually are more applicable to the type of things that you would run into in an operational environment so thanks for sticking around and working through those technical issues that absolutely sucked um yeah it because it sucks so much if you don't want to like this video that's completely fine whatever but you're here so i appreciate it so uh let's hop over into the uh the desktop over here and we can kind of get into that um is the link in the bio yes it is so the link is in the description of the video for the room that we're using all right so let us take a look 
at a few things here this room as i was mentioning before is a little bit different than the other try hackme rooms that we've previously done in that you actually need to download the tenable nessa software onto your computer and connect into tryhackme's network via openvpn to be able to do the scanning that you need to do likewise if you don't want to do that you can just download it and use it in your home environment which is perfectly fine because the cool thing with the nessus vulnerability scanner is that they have a free version of it called nessus essentials it actually can even be used for commercial purposes so if you are a consultant and you don't want to pay the full license you can download nessus essentials and you can use it for your clients if you're doing some type of spur of the moment vulnerability assessment there is a limitation with it though and that is that you can only do 16 ips with it so you're not going to be able to take it and put it into you know a medium or large size environment but you can do almost everything that you you need to do from a vulnerability management perspective with it um there is a few things that you can't do with it and we actually will get into that and i'll talk about those once we actually get into nessus and take a look at it so uh pretty much i got a link here for where you can go to get it kind of talk about how it's similar to nmap but like times a thousand you can do a whole bunch of different things that you can't do with nmap including credentialed scanning which we're going to get into the pros and cons of credentialed scanning versus uncredentialed scanning here in a little bit so we can go ahead and say we read the description not much to that so this first part here is kind of the installation process and i'm going to save you a lot of time with this because to actually go through this probably takes about an hour because once you actually download the software it has to update all the plugins and 
things like that and uh yeah i did that yesterday so we actually don't need to worry about that but pretty much what you do is you go to tenable's website for nss essentials you put in your name email and it will send you an activation code awesome and then uh depending upon what os you have that you're going to use you're going to go to uh their website to go and download whichever version that you need so if we actually go to their download page and take a look at this you can see that they have stuff that runs on everything i personally have run this on uh windows i've run it on mac i've um today i'm running it on ubuntu uh i've also run it on red hat um and back in the day i'm not sure if they still do it now but they used to also have it as a an appliance so you could download it um kind of within its own linux ecosystem then you wouldn't have to worry about doing the patching on it just make sure that whenever you do download it from here you are getting the uh the correct version whether it's 32-bit or 64-bit because if you don't do that then um yeah it won't run you'll you'll get some errors kicking that back so just something to be aware of so when you do that in this case they have it you know just downloading in your downloads file and that's exactly what i did as i said using ubuntu downloaded it there and then there's a d package command to run the install and then there's a system ctl start command to start this i am going to point out something that you might want to do if you are downloading this onto something that you're going to continually use and that is there are commands that you would want to use to ensure that it starts up every time that you start up your vm or whatever if you're running on hardware you'll start up whenever your your linux system boots up also worth mentioning they do give you the md5 hash for it so be a good steward of whatever network you are on if you are downloading software it is always good to compare the hashes you 
could either do this through the command line on a linux box or if you're on a windows box there is some md5 uh hash checker software or you can even go there's websites you can go to where you can you know compare uh the hash that you're supposed to get and then it will scan and do a hash on the file that you downloaded just want to make sure that you are downloading uh what you were expecting to and we can kind of see when we go back to the tenable site they got checksums for all of it so it kind of makes it easy what i did want to mention here was running this command here the system ctl enable now and that will in essence make sure that every time that you reboot that nessa starts automatically so kind of helpful so you don't have to go back in and run service dart commands whenever you want to do it so if we take a look let's see you go back here see what else they do so once you go through all that and the service is started and we can actually see [Music] through my other so systemctl status d ssd is the the program and you can see that it's loaded and it's active so we know that it's up we also know that because i have the web browser here and we got the login prompt for it but good to know anyway so let us kind of check these off as i mentioned it it goes through this pretty quickly and if we were actually we're downloading and installing yesterday when i did this it actually took about 45 minutes to uh do all of the plug-in updates so be prepared for that if you do go through and do that on your own um cool thing with nessus whenever you're using it it actually defaults to 8834 as the port that you use to connect to it so if you try to go over 443 that's not going to work off the bat it does have a self-signed cert so you do want to make sure that you accept that risk if you're using it in a operational environment you actually can load in your own certs into that so that you won't end up having this come up now when we go to actually set it up we have a 
few different options here and so i wanted to kind of hit on this because there are a few different flavors of nessus that you might use in a few different cases and this is kind of again outside of the realm of pen testing but for all my it operations it engineering blue team folks then this is good information to know so nessus essentials is the free one that i mentioned you have the 16 ip limit cool nessus professional is a standalone version of nessus um that you would just use an environment uh or if you are kind of like a consultant or if you were a pen tester that's probably what you're gonna go with is nissa's professional as we kind of look at some different options that we have moving into larger organizations there's a few different things so in essence with nessus whenever you want to do vulnerability scanning and asset discovery in your environment the default way that we used to do this was you would open up all ports to everywhere in your environment from your nessus box this is great because you would be able to see everything this is bad because if your nessus box becomes compromised then you don't really have any acls in place that's going to protect against that so one of the things that nessus kind of has moved to over the past few years is actually using agents and these agents can be deployed on windows boxes linux boxes unix boxes almost anything that's not a hardware device almost anything that's a os you can run a nessus agent on it the nice thing with that it only has one port that you use when you are doing your scanning and it's connecting back to your nesa server the difference is though that you need to have a specific type of nesa server to do that and that's what this nessus manager server here would be so that's kind of something interesting to know the other option is this managed scanner so again in larger environments there's actually a whole tenable suite of different types of software components and i've actually written a few 
different blogs on what these are so we have like nessus is the vulnerability scanner they have kind of a log correlation sim tool called lce they also have a passive vulnerability scanner that you can kind of feed a port scan or not poor scan a what's the word that i want to use a copy of traffic off of your switches to this uh device and it kind of you know will take that that copy and run different types of signatures on it looking for different types of things all of the data from these different types of applications gets fed up into this server called security center and i think they might have renamed it recently it might be sc instead of calling it security center because they like to get cute with their acronyms but still the same thing and so what security center does is it allows you to kind of take all these inputs from the nested scanners from lce from nnm which is that that inline server and put it all together in one dashboard where you're able to look at different types of events vulnerabilities you can do a whole bunch of different types of reports scanning jobs all sorts of crazy stuff so as you're kind of wondering how this would all fit in your environment and different types of protections that you can have it's kind of good at least from my perspective to understand where nessus fits into that overall hierarchy or or ecosystem of tenable tools uh let's see then once we so we would have selected here nessus essentials the activation code that would have went to our email we would have put in here and then you would create a local account for nessus essentials to be able to log into it and here we would end up doing the initialization this is where i was talking about it will take like 45 minutes to download all the different plugins um interesting thing with nessus is they are always updating the plugins so whenever you think about new vulnerabilities coming out nessus is developing new plugins to look for those vulnerabilities so depending 
upon where your nesis server is in your environment it might have access to the internet back to tenable servers to pull down those plugins automatically if it doesn't then you want to make sure that you're constantly pulling down offline updates to make sure that your nesa server is updated and again we can go ahead and log in and this will kind of bring us up to where we are here and we can hop into this any questions on any of that so far it's kind of a lot of information as far as the install of nessus and then kind of you know where it fits into the whole tenable security tools offering all right if there's no questions then we will move on and answer some of the questions in this so um when we log into this then we kind of are going to get a few different options for different types of things that we can do um so host discovery we're just looking to see what's out there it's kind of like nmap and it's in its own way basic network scanning this is going to try and scan for everything and i'm going to show you what the plugins look like they have different plugins for different types of operating systems and devices and all sorts of different stuff and so pretty much that scan is going to go after whatever ip ranges you give it and it's going to be like i have no idea what these are i'm going to try all of my different plugins against that it is interesting to note with that though and i said that we were going to hit on this the difference between an uncredentialed scan and a credentialed scan so uncredentialed scan is we don't have anything to log into the device with so pretty much we're just going to try to do all the plugins that we can do we're going to get responses back and and we're gonna match on plugins that we can get from scanning ports and whatever types of headers and things like that uh login banners all that type of stuff that they're gonna provide back but we really aren't gonna get that great of an in-depth look at you know the 
vulnerabilities that are on that machine so a credentialed scan is when we actually have an account that has the right privileges uh normally that's going to be admin privileges or or root privileges to be able to log in and run a whole bunch of different types of system checks normally what this is going to be doing is looking uh for patch levels this is going to be looking for different types of configurations this is going to be looking for you know more specific uh things within the operating system and configurations that we can't see externally of the device so pen testers depending upon the the scope of the work that they're doing they might not actually be given credentials to be able to do that um within an it operational environment you 100 want to be running credentialed scans that's how you're going to get the most validity with your scans and then based off of that then you're going to have an idea of what things need to be patched and and what specific configurations and patch levels and things like that you need to be pushing out everywhere within your environment it's important to note uh when you are doing that and you are reading scans um you want to take a look to see what type of scan was actually run was it credentialed or uncredentialed because if it was uncredentialed you might look at the scan report and be like oh we're good we're solid there's not that many vulnerabilities but then when you actually go through the plugins and you look to see what was run um you might end up seeing that all these plugins fail to log in and then at that case then you're not really out of the woods you really just didn't do that thorough of a credentialed scan so other types of scans that you can do looking for malware you can actually do yara rules i'm not sure i don't think you can do yara rules on the free version of this but uh when you have the paid version you definitely can do yara rules so if you want to look for specific types of hashes and things 
like that you can do that web application tests um that's going to be a whole bunch of enumeration we're actually going to do one of those so that would be good credentialed patch audits something else that's worth mentioning here is you can do compliance scans so if you are in an organization where you have to do or have to use certain types of security configuration baseline so whether it's cis benchmarks whether it's disa stigs whether it's certain types of hipaa configurations tenable has different uh plug-in pol plug-ins aren't the right word with that it has different types of configuration files that you can load and scan against your devices and it's able to tell you if you have things configured correctly or not again that's an option that's not with the free one but in most very large organizations that are required to meet those types of benchmarks or having a related requirements uh that's a a thing that they do quite a bit with nessus it's very very helpful as far as automating that all right let's see that's pretty neat yeah i mean it's it's helpful it's a lot easier than going box to box or uh you know going i mean think about this so if you have a windows environment uh and depending upon the type of uh configurations that you're required to verify nobody wants to sit there and go through a gpo looking for 300 different types of configurations it sucks it's horrible i've done it so having a tool that can automate that makes it so much easier it's not perfect there are things that it might not be able to get i've also found that in doing those compliance scans it's actually you'll have much better success if you're using the nessus agent than actually doing it from nessus itself so something to kind of think about and be aware of but it's still pretty cool all right let's get through these questions here what is the name of the button which is used to launch a scan well let's go take a look new scan pretty straightforward i think what side menu 
option allows us to create custom templates i don't know if it's maybe oh you see in here is all that compliant stuff that i was talking about let's try let's see what the hint is it's under resources okay i don't know if i see settings nope i don't see resources underneath here i got a question coming in so you can do a full scan like with av covering all bases so um depends on what you mean by full scan so uh you're talking about doing like a scan for malware or a scan for for what so when i was talking full scans we're talking about vulnerability scans um but if you are looking for a particular type of malware you can do malware scans let me see let's see okay i don't remember seeing where the resources were on that let me pull something up real quick and look and see if we can find that if anybody else can find the answer to that question that would be cool too let's see so i think oh i see i see what they were trying to get at uh let's go back so under resources is right in front of my face policies so if you go into policies you can create custom templates okay what menu allows us to change plugin properties such as hiding them or changing their severity plug-in rules to hide or change the severity of a plug-in i don't normally have to deal with that too much i'll be honest though in most of the environments that i end up working with nessus we're using security center and that kind of has its own flavor of being able to do this type of stuff you do it within security center and then it kind of pushes the rules out to your your ness's scanners so let's go plug in rules okay in scan templates section after clicking on new scan what scan allows you to simply see uh what hosts are live so that was host discovery if you remember we go back and we look at that host discovery yep one of the most useful uh scan types which is considered suitable for any host basic network scan suitable for any host as kiki pointed out last time we did this uh tryhackme loves to put 
the answers for stuff uh they try to make it pretty straightforward in their questions uh let's see what did i say that was basic network scan scan okay what scan allows you to authenticate to host and enumerate missing updates um credential patch audit so why would you do that versus a basic network scan well this might have a bit more limited in the plugins that it's running versus this which is going to run everything let's see credentialed patch audit okay what scan is specifically used for web applications scans well i bet you the name is [Music] where you at uh web application tests yup okay bam all right so i already started up this box and uh i'm gonna show you how to do this and we can wait for it to do it but i've already done the scan as well so we can look through the results too so we don't have to like really wait wait so uh create a new basic scan targeted to the deployment the vm what option under basic on the left uh on the left to set a time for the scan to run this can be very useful when network congestion is an issue i already know what the answer for that is going to be scheduled but let's take a look at this okay so since i said they don't really go too in-depth here let's walk through these because it's really worth pointing it out so you're going to name it whatever you want to name it we're just going to call it that give it a name if you have different folders you can break it up this might be helpful if you are doing different jobs or something like that you want different folders this is where you put in the targets so ips this can be ranges subnets domain names um in this case it's just going to be a single ip if you already have a list already created you can upload that here which is nice um schedule is what they were talking about if we wanted to do that during certain times now that actually brings up a very interesting point depending upon what it is that you're doing uh and the scope of it so if you're in an operational 
environment and you uh are in the blue team you're on the scanning team you're doing stuff like that you might want to schedule your vulnerability scans after hours that way there's a limited impact possibility of it not actually breaking anything depending on what type of scan you're doing it could break things normally you figure that out and then you don't do that ever again so but it's it's good to it's good to understand that you can schedule it when there's there's less folks around that could be impacted if something does go sideways from a pen testing perspective you could do the same thing although you could also schedule uh something like this uh maybe you actually do want to do it during the day depending upon the type of host or devices that you're interacting with you might be able to hide in the noise a bit more if you're doing it when there's more activity going on within the network it really depends notifications you can have reports sent out an alert sent out whenever your scan is done discovery types so uh you can kind of read through some different things here the important thing with this is determining whether or not you want to hit all the ports certain ports popular ports this is where you would kind of configure that so if we wanted to go custom we could go under and set those um or all ports right so let's see what else were we doing there if we did go custom then it opens a post discovery and you can change these whether you want to do ping ping methods depending upon the type of security tools that you have in between you and the host that you're trying to scan you might want to do different things there if icmp is blocked on the network then it might not be worth running through icmps especially if that's going to take a bit longer if you have different types of fragile devices you can do that if you need to use wake on lan you got some windows boxes that power down or or go into a hibernated state and you need to wake them to be able 
to scan them you can put that in here port scanning um whether or not you will consider unscanned ports is closed how you actually want to do the the scanning stuff this kind of goes back into some of the stuff that we're talking about when we're doing the nmap rooms um general settings enumerating ciphers you know depends on what type of enumeration that you want to do and whether or not that's important for the the purpose that you're using the scanner for default scanning for web vulnerabilities default i think is going to pretty much do everything except web application stuff just because that gets a little bit more intensive reports again this kind of gives you a little bit of an option as far as like what type of data comes out of your report and i'll we'll get into what those actually look like by default again if you're using security center then there's a million different reports that you can do you need a lot more granular than what you can out of nessus itself and then scan types you have a few different options here default custom scan for low bandwidth links the amount of ram that you have on your box and the cpu that you have will play into this so you might want to play around with that a little bit in an operational environment you can kick this up quite a bit more and that way that will help make your scan go a lot quicker especially if you have a lot of hosts that you need to hit uh other section here they don't cover this at all in this in this lab and i think it's important to cover so if we were doing credentialed scans this would be where we would go when we put the information in here so how you want to do it if you want to use a public key passwords uh all that type of stuff would go in here so if we were doing ssh we're going to use a password we're going to elevate privileges if it's a cisco device you need to use enable then you can put that there and then put the enable password right if it's sue or sudo then you can do that there this 
is also important uh what's the preferred port for using ssh and uh you can get into some interesting issues here depending upon the client version of ssh that you're using so all things to be aware of windows on the other hand is a little bit more straightforward right you can use hashes the lm or ntlm hash if you want to normally in places that i've been we use a password username password and the domain just got to make sure that the account that you're using has a proper credentials to do the scans that you need to do which normally is going to be domain admin so you also want to make sure that you have other protections in place in active directory to monitor that account because that kind of is an account that could get you in trouble if it's compromised on some other global credential settings which are good to know so uh let's go ahead and answer these create a new basic scan targeting the deployed vm what was the thing that we could use for timing at certain times schedule under discovery set the scan type to cover ports 1 through 65335 so if we go back and we look at the settings discovery let's see that was under discovery we didn't want to do a custom we wanted to do port scan all ports port scan all ports hey man what's good yeah we're just uh crushing some nessus here ask any questions if you got any as we're going through this all right um what scan type can we change under advanced for lower bandwidth connections we kind of looked at that already scan low bandwidth links what that's going to do is it's going to limit the amount of simultaneous hosts that you can connect to so what that means is that the nexus box will only reach out to two hosts at a time and then it will only do two checks at a time where if we look at the default it's gonna try to hit 30 different hosts and do four different checks or plug-ins at the same time again like i said if you bump up your cpu and you bump up your ram then you can kind of be a little bit more aggressive 
with with these types of things but the answer for that was scan low bandwidth links okay uh with these options set launch the scan so we're going gonna go ahead hit save oh i didn't mean to do that we're gonna get rid of that we don't need that either let's go back settings we're going to go default save okay and now we see that we have this here once you have your scan in place and remember you can have a whole list of different subnets so it could be your whole organization could be in this one scan policy um you're just going to hit the launch button and what you can do is you see once that goes and it kicks off you're going to get this little running thing moving here the cool thing with nessus is that you can click in here and you can see the vulnerabilities as they come up in real time if you're doing this on security center you can't see it that way you can only see it once it's done so we're going to hop into this and let's see let's see if i did something wrong with that probably i might have missed let's see oh i'm gonna go configure did i not let's see where we messed up here discovery we did all ports scan type default let's make sure that we have the right ip right see if we can ping this it doesn't like that okay not a problem we can do that and spin this up again and let's also take a look at our vpn connection here and we can spin that up again there we go that might have been something when we were having those issues earlier and i had to reboot it might not have actually come back up the proper way but no issue we'll have the ip here in a few seconds any questions so far as uh as we're up to this point right once we get that yo what's up man what's good devin just crushing some nessus all right so let's take this let's go back in here let's go back to my scans we're going to go we're going to edit this again we'll change this configure rename that there we go rename that save it just for kicks and giggles we'll make sure that we can ping it there 
we go yup that should be good save it and back to scans we'll go ahead kick that off again there we go so it already just covered the host and we can see as i mentioned is it's going to go through this and running we're going to see stuff come up now this is a good time to talk about how they actually score these vulnerabilities so they have four different levels well i should say five different levels they have critical high medium low and informational your initial reaction when looking at this is going to be informational don't matter it's just giving you information it's just uh yeah this is how it's configured don't be like that don't take that as it being something you don't need to look at informational a lot of times will give you a lot of information of things of how they're configured and in a lot of cases it might be things that are configured in a way that you don't want them to be configured which actually are vulnerabilities so yes criticals and highs you need to patch right away you need to take care of that for sure but info can have a awful lot of pertinent data in there that could be well or could represent something that's misconfigured or could be bad i think also if you ask any pen testers they're going to get a lot of useful data out of that info vulnerabilities that come up that are that are labeled info um it's gonna be one of the main ways that they're gonna be doing a lot of enumeration is through the stuff that comes back from that so uh be aware of that uh the flip side to that is also when you get a whole bunch of criticals these are all based off of cvss 3.0 and they kind of rank everything on a 0 to 10 scale and nessus kind of takes that 0 to 10 scale and kind of lines these different vulnerability rankings up to that scale that cvss score though doesn't actually take into account what you have in your environment as far as mitigations or other types of protections so just because something is a high doesn't mean that it really is 
that big of a risk in your environment compared to something else that could be a medium that could be a much bigger risk for your environment or likewise something that could be you have two criticals right one critical is on you know a device that is actually internet-facing has ports that are open to it versus maybe something else that yes the vulnerability exists and is a critical on the device but the specific service that needs to be running to be able to be exploited maybe isn't actually enabled and you have different types of data flow protections in place that don't even allow traffic to get to that type of device specifically from the internet or things like that so when you're looking at kind of these these different scan results it actually does take a little bit of analysis to figure out which stuff you want to handle and which stuff you want to prioritize also depending upon the type of organization that you work in sometimes there are different types of compliance requirements as far as how quickly you get those types of vulnerabilities remediated normally criticals you've got to do as soon as possible highs you normally have 30 days mediums could be 90 or 60 days lows could be 90 days or it could be whenever and then they don't pay attention to infos even though they should pay attention to infos so kind of uh something to just be aware of so let's take a look at the vulnerabilities that came up here so uh what this families here represent is different types of plugins and so the plugins as i mentioned kind of fall into different operating systems or different things like that uh in this case there's general plugins web server plugins if this was like let's say a Microsoft server and we did a credentialed scan then there would be a whole bunch of Microsoft uh plugins that fall under Microsoft family here uh let me tell you count we see that all these here are info we can take a look to kind of see what this looks like when we click into it so uh
keep clicking into it and we see all right what is the output that the scanner got from uh from doing uh this type of scan right so pretty much it was it was able to pull back um a banner saying you know what version of Apache was running gives you uh the information as far as what port what service and the host it was pulled from excuse me when you have multiple hosts um that come up for the same finding then they just will kind of lay them out here so it would have you know let's say there was two hosts that had the same thing coming up then it would be this IP and then colon and then the next one right let's take a look and see some other stuff device type this is them trying to figure out what they think it is and they give you a confidence level the general purpose you know it might come back and they're going to be like oh it's a Cisco switch and their confidence level is 85. it's just based off of the different plugins that actually hit for it and that's how they kind of determine what they think it is Nessus scan information this kind of gives you a little bit of data as far as what the scan did what was enabled this is uh useful when troubleshooting scans that aren't working and you want to know what was actually going on let's see anything else common platform enumeration again depending upon the the purpose of who's running the scan having an idea of what version of Apache is running on a server could be very useful to you because then you're going to go and look for particular vulnerabilities for that and then a way to exploit those uh let's see you got a question come in so all the fixes have to be done manually no auto fix so that completely depends upon what the device is um and what you're using for your software patching right so normally once you get into a good rhythm of doing vulnerability scanning uh in an operational environment that really has this figured out really well they might be doing it bi-weekly or monthly um it should be lining up
with your normal patching process right so yeah you're going to have Windows stuff coming up but you're going to be doing your normal Windows patching so it's a bit cyclical and you know it's it kind of works together once in a while you might have you know a Windows vulnerability that comes up where you have to do the patch and then there's a registry command that you have to enter as well but that's not really the fault of Tenable or Nessus for telling you that if you go and you look up the KB article for that Windows patch it's going to tell you that you need to do that anyway so really this is kind of just consolidating all the different information from multiple vendors into one place and allowing you to have a better view of your entire organization and the things that you need to do um as far as automation stuff like that it really depends upon what you have in place for patch management right so maybe you have uh WSUS or SCCM to push out patches automatically if you've got Red Hat servers maybe using Satellite things like that another question coming in would this be helpful for an attacker to use it seems like a pretty noisy scan so my precious this is more helpful for blue teamers um so it depends this is a i think it's a pretty good tool especially if you're external to an organization then you can kind of scan because that's pretty much what people out on the internet are doing all the time to your organization so uh that's one thing depending on the um scope of your pen test you might actually have a vulnerability scan as being part of the scope so most definitely i mean i've been through many red team assessments where a Nessus scan is also one of the things that they do um and if if it's i guess you're kind of getting into the the conversation of whether or not it's like a white box assessment or a black box assessment if it's a white box assessment really they're going to try and get as much information as they possibly can from you to be able to
do things i mean you might even give them credentials on things right uh whereas black box you know they gonna start off with almost nothing and just try to get their way through uh the organization so it i think it's very very beneficial i've seen many use it a lot of times it just depends on the scope and what you're trying to do as far as a pen test or red team um or if it's just a vulnerability assessment that you're paying for an organization to come in and do or a company to come in and do for your organization okay so that kind of did that i guess the other thing that is worth noting here is the the VPR system the vulnerability priority rating so this is something cool that Tenable's done recently um so i kind of was crapping on the CVSS scores and how it's not really um uh ground truth i guess well Tenable's put out this VPR uh threat scoring which kind of takes the CVSS stuff and then looks at other data as far as whether or not things have actually exploits have actually been found in the wild if other organizations have been compromised if other organizations that are kind of within your industry have been compromised a few other bits of data and they kind of combine that and give you a little bit more of a realistic score as far as the severity of the vulnerabilities that they're finding i find it to be uh like a little bit more agreeable to me than the CVSS uh although again you still need to take it uh into account with what you have in your environment and the protections that you have in place and the mitigations and you know a little bit of common sense CVSS is old school now it's 100 old school but i will tell you that i work with some organizations that are grabbing on for dear life and do not want to go the way of the VPR scoring even though i think even trying to remember if NIST put out something recommending going uh or using VPR i know that it's been it's been a few different places been like yeah this is a lot better than the CVSS
scoring the other thing with the CVSS scoring is it does have the ability for you to modify the score based off of your own internal variables the problem is most places don't do that so you're just they just knee-jerk reaction and go with whatever the default scoring is instead of actually spending the time of trying to figure out what the score really should be okay let's see go back and do that after the scan completes which vulnerability in the port scanners family can review the details to see open ports on this host that was port scanners so the Nessus SYN scanner and it's showing that only port 80 was open that's kind of kind of like some Nmap stuff that we were talking about before let's do that let's submit that okay what Apache uh server version was reported we actually kind of looked at that Apache server version 2.4.99 2.4.99.99 okay now scanning a web application now we could actually sit and go through this i think last time when i did it yesterday it took like 15 minutes we're not going to do that um because i already ran the scan and i've already shown you what it looks like when you actually run a scan and stuff comes in in real time which is what i kind of wanted to show you with this so i'm cool with not having to go all the way back through that i will show you kind of what that looks like as far as setting it up though really it was just changing the the type of scan under did all ports assessment and we just did a scan for all web vulnerabilities quick and this kind of gives you a breakdown of what it's doing where it's starting to crawl from how many pages it's crawling max you know gives you a little bit of an idea there if you go complex then it's going to go a little bit deeper on some stuff so we can go back and take a look at actually what came up with this so we click into this and now we actually see that we have some mediums come in mixed here has some low and some infos so we can actually go back and take a look at the the questions
here what is the plugin id of the plugin that determines the HTTP server type and version mixed nope let's see see how that's going to be one two three four five let's see what that is what's the hint on that found on the right of HTTP server type and version i'm just not seeing it is it just like right in front of me and i'm just missing it there we go no server type and version okay web servers if we look at that so it's uh Debian okay our plugin id i'm sorry uh the plugin id so this is also a good way to search for things uh and also a good way to uh create those policies or plug-in rules where you want to avoid certain plugins you can do that via the plugin id uh so every single plugin has its own unique uh id number 10107 cool well authentication page is discovered by the scanner that transmits credentials in clear text probably some type of PHP let's see web server transmit clear text credentials yup login.php okay what is the file extension of the config backup backup file disclosure so dot bak which directory contains uh which directory contains example documents this will be in the PHP example documents let's see so let's see if there was a browsable web directories examples there we go right here i like having this all on the same VM because doing these other TryHackMe rooms it would let you copy and paste back and forth which sucks at least here we can go like that cool what vulnerability is this application susceptible to that is associated with X-Frame-Options click jacking bam all right was there something that we missed yeah we did that cool all right so that is it that is all of our intro to Nessus room which is cool and uh yeah decent amount of folks stuck around the whole time i appreciate everybody kind of hanging in through uh all of the technical difficulties but we ended up getting there um it is worth pointing out i put the links for the room there um i also had a blog post that i wrote a while back pretty much going over the
fundamentals of Nessus Essentials and how to go about setting up different types of scans credentialed scans Windows scans SSH all that type of stuff i put the link for that in the video description as well so um that's pretty good Tenable's documentation for this stuff is is kind of straightforward but you know that it's a free tool that you can download and use use it on your whole network you know download it try out try it out on your Windows boxes your Mac you know whatever you got in your environment at home and you can become pretty familiar with it it's important to understand you know how to read the reports and uh you know figure out where things are and how you can go about uh remediating different types of vulnerabilities and stuff like that so uh yeah we got some comments coming in if you got any questions throw them in here uh before we wrap up um just found out i got COVID thanks for having something to keep me distracted learn at the same time oh wow sorry to hear that you'll pull through it um get some rest but at the same time make sure that you are you know drinking staying hydrated taking some vitamins trying to do stuff you know that's good for uh your your body um we had COVID in the house beginning of this year and so it's it's stressful for sure so make sure that you take care of yourself um and uh yeah you'll get through it so and glad uh glad we could be a little bit of a distraction Kiki awesome job appreciate it i guess it worth pointing out that Kiki and i are going to do another TryHackMe room next wednesday i think that we said we're going to do the the Wireshark one so looking forward to that that should be pretty fun so make sure every you come back and check out that one good stuff learn quite a bit awesome awesome i mean that's the reason for doing it hopefully uh you know it was digestible and understandable and i didn't ramble on too much i know it is a lot of a lot of content to cover but i think uh i enjoy using Nessus
myself so i don't mind talking about it well if uh if nobody else has anything else then we can go ahead and wrap it up appreciate everybody dropping in and asking questions leaving comments um anybody who's watching this after the fact you can leave some comments on the video and i'll try to answer your questions for sure and uh yeah if you're still here make sure you smash the like button subscribe if you are already subscribed and yeah go get at it this week and we will talk soon alright bye
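The walkthrough makes three points about reading Nessus results that are easier to see in code than in a browser click-through: Info findings carry enumeration data (the Apache banner from plugin 10107, the open ports from the Port Scanners family), the CVSS base score ignores whether a host is internet-facing or the affected port is actually reachable, and remediation windows (criticals as soon as possible, highs 30 days, mediums 60 or 90, lows 90) are driven by severity. The script below is an added example written for this page; it is not code from the video, from TryHackMe or from Tenable. It parses a constructed `.nessus` v2 export (the real export layout is assumed here: `ReportHost`/`ReportItem` elements with `pluginID`, `severity`, `port` attributes and a `cvss3_base_score` child), applies hypothetical environment weights, and assigns due dates. Plugin 10107 comes from the room; 11219 is the Nessus SYN scanner plugin; 900001 and 900002 are constructed placeholders, as are the host, ports and scores. The 60-day medium window is an assumed choice from the "60 or 90" range.

```python
"""Triage a Nessus .nessus v2 export with environment-aware prioritisation.

Added example for this page (not Tenable's or TryHackMe's code). The export
below is constructed: one host, two Info findings, one Medium, one Critical.
"""
from datetime import date, timedelta
import xml.etree.ElementTree as ET

# Constructed sample export. Plugin 10107 is the HTTP Server Type and Version
# plugin named in the room; 11219 is the Nessus SYN scanner; 900001/900002 are
# placeholder IDs, not real plugins.
SAMPLE_NESSUS = """
<NessusClientData_v2>
  <Report name="constructed-example">
    <ReportHost name="10.10.10.5">
      <HostProperties><tag name="host-ip">10.10.10.5</tag></HostProperties>
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="0"
          pluginID="10107" pluginName="HTTP Server Type and Version"
          pluginFamily="Web Servers">
        <plugin_output>The remote web server type is : Apache/2.4.99 (Debian)</plugin_output>
      </ReportItem>
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="0"
          pluginID="11219" pluginName="Nessus SYN scanner" pluginFamily="Port Scanners">
        <plugin_output>Port 80/tcp was found to be open</plugin_output>
      </ReportItem>
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="2"
          pluginID="900001" pluginName="Login form sends credentials in cleartext (placeholder)"
          pluginFamily="Web Servers">
        <cvss3_base_score>5.3</cvss3_base_score>
      </ReportItem>
      <ReportItem port="8443" svc_name="www" protocol="tcp" severity="4"
          pluginID="900002" pluginName="Outdated management service (placeholder)"
          pluginFamily="General">
        <cvss3_base_score>9.8</cvss3_base_score>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

# Hypothetical environment context: the host faces the internet, but only
# port 80 is reachable through the perimeter controls (port 8443 is not).
SAMPLE_CONTEXT = {"10.10.10.5": {"internet_facing": True, "exposed_ports": {80}}}
SAMPLE_SCAN_DATE = date(2021, 4, 8)

SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}
# Remediation windows in days as quoted in the walkthrough; Medium assumed 60
# from the stated "60 or 90" range; Info has no window but is still reported.
SLA_DAYS = {4: 0, 3: 30, 2: 60, 1: 90, 0: None}


def parse_nessus(xml_text):
    """Flatten every ReportItem in the export into a dict per finding."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port", "0")),      # 0 = host-level plugin
                "protocol": item.get("protocol"),
                "plugin_id": int(item.get("pluginID")),
                "name": item.get("pluginName"),
                "family": item.get("pluginFamily"),
                "severity": int(item.get("severity")),
                "cvss3": float(item.findtext("cvss3_base_score") or 0.0),
                "output": (item.findtext("plugin_output") or "").strip(),
            })
    return findings


def contextual_score(finding, context):
    """Scale the CVSS base score by hypothetical exposure weights.

    This is the adjustment the walkthrough argues for: a critical on an
    unreachable port can rank below a medium on an exposed one.
    """
    score = finding["cvss3"]
    host_ctx = context.get(finding["host"], {})
    if not host_ctx.get("internet_facing", False):
        score *= 0.7                      # assumed weight for internal-only hosts
    if finding["port"] and finding["port"] not in host_ctx.get("exposed_ports", set()):
        score *= 0.5                      # assumed weight for unreachable services
    return round(score, 1)


def triage(xml_text, context, scan_date):
    """Return findings sorted by adjusted score, each with a remediation due date."""
    findings = parse_nessus(xml_text)
    for f in findings:
        f["adjusted"] = contextual_score(f, context)
        days = SLA_DAYS[f["severity"]]
        f["due"] = scan_date + timedelta(days=days) if days is not None else None
    findings.sort(key=lambda f: (-f["adjusted"], -f["severity"]))
    return findings


def open_ports(findings):
    """Recover open ports from the Port Scanners family, as the room's question asks."""
    return sorted({f["port"] for f in findings if f["family"] == "Port Scanners" and f["port"]})


def banners(findings):
    """Info findings are enumeration data: map plugin ID to its raw output."""
    return {f["plugin_id"]: f["output"] for f in findings if f["severity"] == 0 and f["output"]}


def triage_sample():
    return triage(SAMPLE_NESSUS, SAMPLE_CONTEXT, SAMPLE_SCAN_DATE)


if __name__ == "__main__":
    for f in triage_sample():
        due = f["due"].isoformat() if f["due"] else "n/a"
        print(f'{SEVERITY_NAMES[f["severity"]]:8} cvss={f["cvss3"]:<4} adj={f["adjusted"]:<4} '
              f'due={due} {f["plugin_id"]} {f["name"]}')
    print("open ports:", open_ports(parse_nessus(SAMPLE_NESSUS)))
    print("banners:", banners(parse_nessus(SAMPLE_NESSUS)))
```

With the constructed context, the CVSS 9.8 critical on the unreachable port 8443 is adjusted to 4.9 and drops below the 5.3 medium on the exposed port 80, which is exactly the ordering the walkthrough says the raw score hides; the two Info items score zero but still surface the Apache banner and the open port list for whoever is doing enumeration or troubleshooting.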
Info
Channel: CyberInsight
Views: 7,645
Keywords: tryhackme nessus, tryhackme nessus tutorial, tryhackme pentest+, pentest+ nessus, tryhackme pentest+ nessus, tryhackme vulnerability scanning, security+ nessus, pentest+ nessus lab, tryhackme pentesting, cyberinsight, intro to nessus, vulnerability assessment, nessus web application scanning, nessus manager, nessus tutorial, nessus walk through, vulnerability scanning lab, nessus lab, how to use nessus, tenable nessus lab, tenable nessus tutorial, PT0-002, passed new pentest+
Id: F5-bR08cvf4
Length: 61min 5sec (3665 seconds)
Published: Thu Apr 08 2021