Introduction to Vulnerability Assessment with Nessus

Captions
The Nessus scanner can be used to do vulnerability assessment on network-connected hosts. To use Nessus it first needs to be installed; installation instructions, download of the packages and the license key are available from the Nessus website. There is a license key for home users to practice with Nessus. It does have some restricted functionality, such as not all scan templates are available and you can only scan local subnets, and I believe you can't scan more than a Class C subnet, but the home license is plenty enough to practice with. Once Nessus is installed you need to start the Nessus service. If you're using an operating system like Samurai, the one we're on now, when you log in you're gonna be logged in as a regular user, so you'll either need to escalate privileges to root or you'll need to start Nessus with the sudo command. If you're on an operating system such as Kali Linux, where the default user is the root user, then that may not be necessary. So to start we'll go ahead and get the Nessus daemon running. On this operating system we've already got the Nessus daemon scheduled to start at startup, and we can see that the process is running (11:34).

You want to verify connectivity to the target. Typically when you're doing a Nessus assessment you're either gonna discover the targets using Nessus or you're gonna feed information from a tool like nmap into Nessus; the nmap XML files can be uploaded into Nessus. Also you can just copy the IP addresses of the targets out of nmap. In this case we're gonna be using Metasploitable as the target. Metasploitable is a vulnerable operating system that's distributed as a virtual machine by Rapid7, so we already have Metasploitable running. Also note that you need to make sure that the host that has Nessus running has connectivity to Metasploitable. In this case we have both virtual machines running inside of VMware; I have configured a network card in each of the virtual machines to be on a host-only network, that's a network that's only available to this host. The host itself, in this case a Mac, is available on this network as well, but we're going to ignore the Mac. The IP address on which Metasploitable is running is 172.16.0.162. If you're using VMware and you're setting up host-only networks you'll notice that the host-only networks start with 172.16.0 and then they're assigned a random number as the last octet, in this case 162 for Metasploitable. We need to verify that the Samurai Linux installation is also on the host-only network. Samurai has two network cards associated with it; one of them has NAT running at 10.0.0.240, that's not the network we're going to use to do the scan. The host-only network is 172.16.0.189, and again the host-only networks will start with 172.16.0. We can try to ping Metasploitable on 162 to make sure we have connectivity; we can also try to ping from Metasploitable the Samurai installation on 189, and it appears that we have connectivity back and forth between both machines.

So to use Nessus we're going to go to the Nessus console. We'll start Firefox, again with the Nessus daemon already running, and we'll browse to https://localhost, and we're going to use port 8834. So again, note that we're using HTTPS; the Nessus service doesn't offer the console over unencrypted connections, so if you get an error it may be that the "s" has not been added onto the protocol. When you installed Nessus you gave it a username and a password for you to log in with, so you're gonna log in with that username and password. We can see an example here of scans that have already been created; they show up under My Scans. You can create scans directly, but it may be more useful to create policies and then scans from those policies. The reason is that you can create a policy that contains the general configuration that you want the scan to run with, but then from that one policy you can create many scans. That can save you time if you're going to run a lot of different scans but generally using the same configuration.

To create a policy go to Policies and then click on New Policy. We'll go ahead and start creating some policies that we can use to do discovery and vulnerability assessment. So we're gonna click on New Policy and then we can start with a host discovery, just to find the hosts. The ones with a purple banner are only available in the commercially licensed version of Nessus, but you can use the ones that don't have the banner on them. So we're gonna use Host Discovery to get started, and this one is just gonna be a host discovery scan, so we'll just call it host discovery; you can give it a description if you like. Over on the left is where we set up the different configuration, so you'll have the general settings, you also have the permissions that you can give it, and then the type of discovery that you want to do. So we're just going to do a host enumeration. We can see that this is going to be approximately equivalent to the way nmap does its ping scanning: there's going to be some TCP and ARP scanning and then ICMP as well. The other types would also be similar to nmap: OS identification, the port scans, and then you can set up custom scans, and you can also set up some configuration about the ports, but we're just going to leave the defaults. So now we have a host discovery test policy that we've created; from that we can create a new scan. We can also go ahead and set up some other policies as well. After we do a host discovery we have the hosts that we want to target; we may want to see what ports are running on that host. So we'll do host discovery and then we'll do port scan. This time we need to change the default type from host enumeration to port scan. You can do common ports, which is going to be somewhere in the neighborhood of a thousand ports, or you can do all ports, which will scan all 65535 ports. We'll just do common ports for the sake of speed.

After we've discovered the hosts and the ports that are running on the host we might want to feed that information into a vulnerability assessment. To do that we would pick the Basic Network Scan, and the settings are over here on the left. So again it's going to do a port scan to discover common ports; you can also do all ports, which is not necessarily a bad idea if you have a very small number of targets and you're not really sure exactly what the purpose of the different boxes is. Under Assessment you can pick the assessment types, including what kind of web assessments you'd like to do, assuming that Nessus finds a website. You can set the report settings and then also set the advanced settings under the settings on the left. And then finally we'll do a Basic Network Scan, but we'll go ahead and give it the credentials to Metasploitable. One of the things to know when you're trying to do a credentialed assessment is that under the new version of Nessus the credentials are entered by clicking on this link up here. So the type of credentials we're going to use are going to be the SSH credentials, and the authentication method is going to be username and password. Over on Metasploitable the username is msfadmin and the password is the same; that's the root user, so we don't really need to elevate the privileges. Because this is SSH it's going to be over port 22, and we would have verified that using the port scan that we're going to be doing here in Nessus or a port scan that we had previously done in nmap. So now we have our host discovery, port discovery, vulnerability assessment and authenticated vulnerability assessment. Once you do these scans you'll notice that there's a big difference between the vulnerability assessment and the authenticated vulnerability assessment as far as the number of items found. That's because when Nessus is authenticated it can go through the configuration files of the hosts, especially if it has root permissions, and discover the types of software that are running on the system and the versions, and look those vulnerabilities up in a database.

Once you have your policies set up you can create the scans that match the policies. So you click on New Scan to create a new scan, and then you can use the templates that you created. Notice that there's a User tab that shows up once you create some policies, and your policies are going to be shown here. So the first one that we did was the host discovery test policy. You can create a folder to put your scans under; we're just going to use the default. If you have scanners that you're controlling from this console you can pick the scanner; in this case we just have the local scanner, we don't have scanners installed throughout. And then you would pick the targets. So we knew from Metasploitable that the target was the IP address of Metasploitable itself, which should be 162, and you can see that again by doing an ifconfig. If you weren't sure what the IP address of the target was, which is common, then you could just scan the subnet and try to find the target, so to put a Class C in there we'll just use the slash 24. And then the scan runs. You can also schedule the scan to run later, and you can make a scan to where it'll run when you click on Run, so you don't have to always have the scan run right away. While that scan's running we'll go ahead and create another scan. So the second policy that we created was the port discovery, and we're cheating a little bit, but we know that the host discovery scan is going to end up finding host 162, so we'll go ahead and enter that in. If you click on Schedule, this is where you can decide if you want to run the scan immediately; you can uncheck this box and save that, and then that'll let you run the port discovery scan when you want to by clicking the Launch button. So the host discovery scan has completed. We can click on that and we'll see that different hosts were discovered: .1, .162, .192 and .254.

If we didn't have knowledge that Metasploitable was already on 162, what we could do is take these four IP addresses and feed them into the next scan; typically that's the way it would be done. So if we go over to the port discovery scan we would enter those in here. Then we can launch the port discovery scan by clicking the Launch button, the one that looks like a play button here on the right. While the port discovery scan is running we'll go ahead and create the next scan. We created a vulnerability assessment test policy; we'll use that for the vulnerability assessment scan. And again, cheating a little bit, but we know that eventually it's going to discover that Metasploitable is running on 162. We're gonna see that there's a whole lot of ports that are gonna be open on that host, and if you go to Rapid7's website you can see a lot of documentation on Metasploitable, and you'll see what types of services it has running, and that there's approximately 20 to 25 ports on that box. We'll go to the Schedule and uncheck Launch scan immediately, and that'll go ahead and create the vulnerability assessment scan. These scans are running fairly quickly because we're obviously running on a local network, plus we're not scanning very many targets, but these scans can take some time to do. So we'll see that there's 25 ports that were discovered on host 162. Now we'll go ahead and start the vulnerability assessment scan and we'll come back and look at the port discovery scan. So on the vulnerability assessment scan we'll go ahead and launch it, and you can see how the vulnerability assessment scan is doing by clicking on it and looking at the progress bar. We go back to the port discovery and we can look at the results. So it discovered 13 ports on 177, one on 176, one on 254 respectively, but 26 ports on 162, and technically this is probably 25 ports, because one of the pieces of information was that it responded to the ping that discovered that the host was active on the network. We can click on the port discovery and then see the ports, so we have FTP, SSH, Telnet, email, DNS, web, so on and so forth, and you can go down and look at the various ports. Of course the ports themselves that are open may imply certain issues with the host, but we'll use the vulnerability assessment results to see most of the issues.

If we go back to the scans, remember this is not an authenticated scan, so the scanner is going to be limited in the type of vulnerabilities that it can find on the host. Let's go ahead and create the last scan while we're waiting for the vulnerability assessment scan to complete. So the vulnerability assessment scan is running and it's only about two percent complete. It can take a long time for these scans to complete, so when you run them you may want to allow the scan to run for thirty minutes to an hour per host if you believe that the hosts have a tremendous amount of problems, or if you're very far away from the host, such as you're scanning from the internet over several different routers. You'll find that type of information out when you do the reconnaissance and the footprinting of the network, usually using tools like nmap to do a lot of the initial discovery about how the different scans are going to go. To see some of the results go ahead and click on the bar, and then you'll notice that the results are color-coded: the criticals are red, orange for high, yellow for medium, and then lows. Even some of the low vulnerabilities can be good stepping stones into the next phase of the assessment, which would be the exploitation phase. So clear-text FTP credentials, for example, already implies that we may be able to set up some sort of man-in-the-middle attack or start guessing against the FTP service using a tool like Hydra, since FTP services often don't have any type of lockout controls. So don't ignore the lows just because they are low; they probably don't yield very much results, but that's not necessarily always true. Obviously we would probably focus in on the criticals at first.

Vulnerabilities that are critical tend to be so because there's a publicly known exploit available for them and they're very easy to exploit, and they typically have a high level of exposure, meaning that the service is easy to reach, easy to interact with. We'll go ahead and take a look at the VNC server password and drill down on that one. So the reason that Nessus is concerned about this particular service is that Nessus was able to log in with a password of "password". Because the system was actually able to confirm the vulnerability, that raises its ranking as well. If there is a remote exploit available Nessus will tell you over here on the right-hand side, and this particular vulnerability doesn't even require an exploit; you can just log in, that's the problem. As the results come in they'll start to stack up here under this view; you can see that the console will refresh once every 5 or 10 seconds or so. Some of the high vulnerabilities can be pretty serious as well; some of them won't even require exploits necessarily. For example, the unprivileged access to shares would just let you see the files that were located on this file share. Vulnerabilities like this vsftpd smiley face backdoor may actually have an exploit associated with them, so if we drill down on this and then look here on the right we can see under exploit information that exploits are available, and in this case Metasploit contains a module that would allow you to exploit this vulnerability. So you can take this information and go out to the Rapid7 website to research this module, learn what you need to learn about it, and then you can also practice with it on a virtual machine lab like this that you set up in advance before you try to use it on an assessment. Now there's one more scan that we haven't run yet, and it would take a very long time, and it would be run very similar to the vulnerability assessment scan, and that's the authenticated network scan. In this case the scan will take approximately as long as a vulnerability assessment scan, and the results would be similar except it's gonna find even more vulnerabilities than the vulnerability assessment scan. So after this vulnerability assessment scan completes you'll want to go ahead and run the authenticated network scan by clicking the Launch button to see the differences between the authenticated scan and the unauthenticated scan. And it's important to note that when doing vulnerability assessments, if it's at all possible to do a credentialed scan, whether that be on a web application or on a network host, always use the credentialed scan, after testing that the scan doesn't harm the host, because you'll get much better results than you would normally with the regular vulnerability assessment scan.
Info
Channel: webpwnized
Views: 75,549
Rating: 4.7124181 out of 5
Keywords: vulnerablity, help, Computer Security (Software Genre), Vulnerability Assessment (Competitive Space), simple, tenneble, nessus, hacker, testing, nmap, easy, metasploitable, Intro, tutorial, method, how to, rapid7, webpwnized, introduction, beginners, noob, Metasploit Project (Software), penetration, guide, scanning, pen, intro, basic, Software (Industry), Learn, Helpful, Network Security (Literature Subject), Help, best, Hack, Hacker (Interest), Vulnerability, assessment, beginner, webpwnzied, Youtube
Id: 5jvNYzkPkRo
Length: 24min 14sec (1454 seconds)
Published: Sun Sep 20 2015