Time
5 hours 38 minutes
Difficulty
Intermediate
CEU/CPE
6

Video Description

This video and the next three explore the Metasploit Nessus scanner. It's useful for uncovering potential vulnerabilities with web applications running on a target host. Dean starts out by demonstrating the basics of Nessus, which can be downloaded from the tenable website. There are several paid versions along with a free, home version. You should download and install the AMD64 distro for Kali. There are two modes for running Nessus: from the Metasploitable framework using the CLI or web-based from within a web browser. Dean runs through some basic Nessus commands and configuration options. The industry standard for vulnerability, configuration and compliance assessments used by more than one million users across the globe. Nessus prevents network attacks by identifying the vulnerabilities and configuration issues that hackers use to penetrate your network. **Download Nessus from Tenable to follow along the with the course! Click below to download your free trial of Learn more about Tenable on their Cybrary channel. Click below to follow for all the latest updates: **

Video Transcription

00:04
All right, I'm gonna go ahead and
00:06
clear my
00:08
screen.
00:10
I'm going to, uh, double chapter, Sea of mine. Esus,
00:16
silvers.
00:22
So I do a service necessary status. I can see that it is running, so that's good.
00:28
What I could do is to also try to connect to it from my Web browser.
00:34
Now I have installed
00:37
necessary from the
00:40
come
00:45
1 31 Rico port 8834 I've installed Nexus by downloading it from
00:53
tenable. So you do have to register with them. We'll go to the website really quick.
01:04
No,
01:07
spell it room. Sorry about that.
01:15
And so if we go to our products section,
01:19
we can see there's a download link for Nexus.
01:25
And what I've downloaded is the home version. So this one's free doesn't expire.
01:30
You can certainly pay for
01:32
the features that come with more of enterprise solution or even a cloud based solution.
01:38
Uh,
01:38
you simply click that download button
01:42
and then for Callie
01:44
Lennox,
01:45
you want to pick the AMG 64 distribution,
01:51
and it comes in a dot Deb file,
01:55
and, uh,
01:57
the instructions for installation are pretty simple.
02:00
I think you just do a D package
02:02
command
02:04
in order to install messis
02:08
d package Dash I
02:12
So I've already gotten installed from previously to my downloads directory
02:20
and so I could run a deep package dash I
02:24
and
02:25
begin the process
02:28
groups
02:30
with this file here.
02:35
I've already installed it, so I'm not gonna repeat that. But that's how you get to that point.
02:39
Once it's installed necessary will, uh,
02:44
now run as a service.
02:47
That's why you have the
02:50
one of the other things you can do is a service dash status all confessed to a grip
02:57
for NASA's.
02:59
And there it is necessary. The plus time means that's running.
03:02
So the various ways to to determine our if you're necessary violent is ready to go.
03:13
So we have two options we can
03:15
trying to connect to. Ness is from the Medicine Boyd framework.
03:22
Uh,
03:23
I was trying that earlier, and I had a little bit of trouble with it, so we'll give it another shot.
03:28
But if that doesn't work, we know we still have the Web based option.
03:34
So
03:35
let's go back to
03:39
our minutes boy framework.
03:45
Have a look at it being That's a nice banner today.
03:49
Okay, so first I'm going to load? Nah, sis.
03:53
And then I've got necessary her score. Help!
03:55
Give me an idea of what my possibilities are.
04:01
First thing I'm gonna try to do is connect to my necessary evil.
04:05
See if that works.
04:08
Um,
04:09
if it doesn't, then we'll just go to Nexus as the Web version. Violence wanted to show this part of it
04:15
so we can log into a necessary for If you've got a different user name and password,
04:19
you can do things like,
04:21
uh,
04:23
give a list of folders on this us the nexus installation. I can do a scan from all the I P addresses that are in my hosts table.
04:32
I can run reports on the host second room reports of vulnerabilities.
04:36
All this within the frame where once you get the connectivity established,
04:42
I could also I'll get a list of my scans. Pauses can stop a scan, resume a scan. I can list all of my plug ins.
04:49
I can show my ness is users once I'm connected.
04:54
All right. So let's see if we can get the connection toe work that sis
04:58
connect
05:00
Dash H. So it's saying I have thio use user name, colon, passport and host named Colin Port.
05:08
And then I either specify SSL verify as us. L ignore.
05:12
You'll notice that we are connecting with SSL, so I'm gonna try the SSL option first.
05:17
We'll see if this
05:18
works.
05:20
And what I'm using is the
05:25
credentials that I created when I built
05:30
this instance, or when I installed this instance of nurses.
05:34
So I'm going to my host.
05:38
It's on Callie. So it's 1 31
05:41
port 8834
05:46
And then I wanted us US troops
05:50
verify.
05:53
No, I didn't work.
05:55
Certificate verified, failed.
06:00
Let me see if I can do it. Why are you ignoring the certificate?
06:06
No,
06:06
It's interesting, though, is it's trying to connect
06:11
to seek a nexus
06:13
and study. It says as admin. But it's still giving me a
06:17
prefix on the address that makes you wonder if there's
06:21
something else.
06:30
I'm gonna leave the port off. Maybe the porter's the problem
06:35
now. Something
06:36
Okay, well,
06:38
for the sake of moving along with the course, we're going to just leave this as is. There's probably some something that needs to be done that's not in place
06:48
of this. This connectivity is built here for being able to do your scans from within
06:55
the framework
06:56
and not having to break out to use a separate tool.
07:00
That being said,
07:01
why don't we get logged into necessary? Have a look around?

Up Next

Metasploit

This Metasploit tutorial will teach you to utilize the deep capabilities of Metasploit for penetration testing and help you to prepare to run vulnerability assessments for organizations of any size.

Instructed By

Instructor Profile Image
Dean Pompilio
CEO of SteppingStone Solutions
Instructor