6.1 Vulnerability Scanner - Nexpose

Time
6 hours 28 minutes
Difficulty
Intermediate
CEU/CPE
7
Video Transcription
Welcome back to the Cybrary course in Building Your Infosec Lab. I'm your host and instructor, Kevin Hernandez. In our last module, we studied integrating log sources into QRadar. To be more precise, we integrated pfSense in QRadar. We also created custom properties and a custom DSM in order to correlate events inside QRadar with these new log sources. If you also recall correctly, earlier in the lesson and the classes, we actually installed Nexpose in our lab environment. However, we didn't get too far with it, only up to the activation point. In today's lesson, we're actually going to have an introduction to Nexpose. Now let's get started.

Now, as you saw earlier, one of the things Nexpose will continue to ask over and over again is the activation or license key. You'll receive an email, such as the one seen on the left side of the screen, with your product key. Let's go ahead and input that key into our product. As you can see, it's currently in the activation process. The screen itself will look as if it's stuck. However, if you refresh the page, you will see that you can now successfully navigate Nexpose with no issues.

Now, in order to do a scan with Nexpose, first go to the little Assets page here, the monitor-looking item. In here, you need to create a site. "Create". Let's say "My network." [NOISE] This can be left blank for now, so it's just as is. Let's go ahead to Assets. In here you'll put the range of IPs you want to cover in the scan. If you want to scan your home network, for example, you can type 192.168.1.0/24 and hit a comma. You can see it'll actually cover all of them. Now, if you want to target specific IPs, let's just say your ESXi, you can actually type the IP as such and hit a comma. However, I want to scan the whole network.

Afterwards you have Authentication. Here you can put credentials in case you have some type of domain access or domain admin; here's where you can put those credentials in order to have a more privileged level of scan. On the next tab is Templates. This is what type of scan you want to run; a full audit without Web Spider is probably one of the most complete scans there are. However, if you want to target something specific like HIPAA, you're welcome to do so. If you just want to see what's in the network, you can also select "Discovery scan". However, let's just go full audit without Web Spider. Here you can pick how many hosts you want to utilize to perform the scan. In this case, since we have only one device, we'll keep it as local scan engine. Alerts are basically some type of pre-configured parameter, such as scan started, scan ends, vulnerabilities discovered, etc., that you can configure and program to, for example, send an email to you or show a notification to make you aware that something's going on.

The last step is to schedule. Schedule is basically, when do you want it to run? Do you want it to run automatically? Do you want it to run later on, after hours? You can just come to Create Schedules. Here you can set the parameters: I want to scan. One of the good things about schedules is if you go really into details, you can actually create blackouts as well. For example, pause a scan during business hours. However, in this case, I'm going to go ahead and save and scan so it scans the network right now. It wants to make sure. Let's go "Save and scan" and it'll scan the network.

Now, a scan can take anywhere from a few minutes to a few days or more. It all depends on the amount of assets and the type of scan that you're performing. This is the type of thing where, if you're running the whole subnet and you have several devices, it's better just to let it run. Go watch a TV show, start developing the network a little better, continue enhancing those diagrams, and then eventually come back and see the results.

As you can see, it actually detected 18 assets currently. It says that supposedly 34 hours have passed, even though that's not true. It's now around 30 minutes in, and you can see that nine of the computers have been completed and nine are still in active scan. As you can see right here in completed assets, you have a general overview of several Linux devices as well as Windows devices. You can see how long the scan took on each of these. As the video progresses, you can see the assets being added. Actually, if you pay close attention, this asset over here that I just marked appears to have nine vulnerabilities, and so does this one. Obviously, we have to look into those. Most likely these are IoT devices; as you can see, it's Linux. Therefore, those don't have too much support from the vendor. We have to make sure we have additional controls that we can establish, maybe through VLANs, maybe through firewalls, etc., to control and make sure these devices are secure.

If you look at this, this is news from 2016 where basically, "Hacked IoT Devices Unleash a Record DDoS Mayhem," right there back then. Basically, IoTs are more of a convenience; they don't really think about much regarding security. Especially if it's an END or a new product from a smaller company. Remember one of the vendors I talked to regarding cameras; they promote security features in their product. I actually approached them and said, "Hey, how secure is this? Is this something special, some type of encryption?" They told me, "No, it's a little blue LED that blinks if somebody walks into the room while the alarm is activated." I'm like, "How's that a security feature?" [LAUGHTER] Me thinking physical security, they referred that it was more of a deterrent, that they see activity and they walk away. I don't know. [LAUGHTER]

Now, as we reach our 45-minute mark, you can see that now only one system is pending to complete the scan. Now, let's go ahead and take a look into one of the device's vulnerabilities. Let's go ahead and click on it. Here you go: you've got the operating system, the IP, last scan time, the risk score. Now, context-driven risk score. This is basically their way of saying you have this vulnerability and it's this old, and that way it increases the severity. As you can see down here, you have different vulnerabilities that apply to it. You can see that they're from 2017. You can see most of them are regarding DNS: heap buffer overflow vulnerabilities, integer underflow flaw leading to buffer overhead, so it's buffer overflows, DNS servers allow cache snooping. If you want to get more details, other than the severities and how many times it's been detected, you can always click, [NOISE] and here you go, you get a little more information on it. It actually says when it was published, when it was modified, the actual score, categories, remote execution. So yes, somebody can actually control this device depending on what it is right here. It's also very dependent on what type of resources it has. We've got to be a little bit aware of that. Right here it actually says what it does: it can crash it and it can actually execute arbitrary code via crafted IPv6. As you see, it's basically Dnsmasq before 2.78. The way to fix this, in theory, would be to update your Dnsmasq to 2.78. But if you go here, and let's go here as well, you can actually get a little more details on them. Here you have the remediation action: download the most recent stable version of Dnsmasq from here. Now, here's the thing, like I said, this could most likely be an IoT. Like I stated earlier, if you click on those tabs, you have a little more information here from both Google and NIST, the National Vulnerability Database. Right here you can see it's very high.

If you go back to the Assets page now that the scan is finished, you can see a general overview of the environment. First of all, it gives you the amount of systems by operating system; it gives you also the exploitable assets by skill level. Even though this Linux with nine vulnerabilities is a high risk, you can also see that the level that is required is expert level for those assets. Now you see also other systems such as ESXi having four, Windows 7 having one, and pfSense, for example, having two. Now, it's not necessarily something bad. Some of these could be recently released and therefore not necessarily patched. But it is what it is. [LAUGHTER] As you can see here, I'm looking at the ESXi now, and you can see it's a certificate error; obviously we haven't installed the certificate. [inaudible] microarchitectural data sampling, MDS, vulnerability. Let's go click on it. "Uncacheable memory on some microprocessors utilizing speculative execution may allow an unauthenticated user to potentially enable information disclosure via a side channel with local access." How to mitigate it, again, you can scroll down and it says to basically download an upgrade. You can see always, most of these vulnerabilities are taken care of by upgrades.

Give or take, that's really what Nexpose is used for. It scans the assets, provides you a report, you verify the data, patch results, and make a more secure environment. What did we learn today? We actually ran a vulnerability scan in a network with Nexpose. We were able to identify several systems that had flaws within our own architecture environment, patches, etc. We will have to work closely in order to protect [inaudible] network properly for these devices. In the next lesson, we'll actually do a course review. I hope to see you soon. Have a great day.