Video Activity

Vulnerability Scanning (part 2) Nessus

Video Transcript

We'll start by using an automated vulnerability scanner. We will look at some other options for vulnerability analysis, but we're gonna start with a vulnerability scanner. Some people say vulnerability scanners are kind of like cheating; some of the courses you might do might say you can't use a vulnerability scanner on your test. For instance, it's true that a skilled pen tester should be able to replace the vulnerability scanner. We should always do manual analysis. We should always verify our results manually. But like many things with computers, they can do tasks very quickly that are repetitive and dull and require input. Same thing with vulnerability scanners.

Basically, you give it a database of possibilities and checks of how to try it, and it can do lots of checks rapidly, whereas we can only do so many ourselves, and it can of course remember everything. So I think that they're quite useful. If you do any professional pen testing, no doubt you will find yourselves working with vulnerability scanners a lot, so I would definitely encourage you to know how to use them, at the very least. We're going to use one called Nessus. There are certainly others; you're welcome to try others as well. If you have access to another free version, or your work or school has a license for others, well, I mean, feel free to use those. We're gonna use Nessus. It's the Nessus Home edition, the free version that you should only use for your home purposes. Here we're just gonna use it on our local network. We're gonna do service nessusd start.

All right, it's service nessusd start, the Nessus daemon. And so that starts that up. So that's like our service apache2 start that we did in our Linux section, and this starts up the Nessus server. Nessus is not installed on Kali by default; in your setup instructions I showed you how to install it. So it does have a command line interface, but it also has a web GUI. So that's going to be listening over HTTPS on localhost, 127.0.0.1, and the port is 8834, the Nessus port, and this is Nessus Home. There's a Nessus Professional edition. Nessus Home is going to be limited in what it can do, and it is free, whereas we have to pay for the Professional edition. I made my usual username, georgia, and my password, password. And don't use password as your password. But if I don't do that, then I forget them. So I always use them for classes. But don't do what I do. Do as I say, not as I do. So the Nessus interface may change. It has gone through a lot of changes since I've been using it. So by the time you run this, you may find that your interface is completely different, but the way it works will still be the same.

You have policies, and in this case, you actually have to create a policy. Some of the ones that I've seen come with policies already in them, so it really just depends on what you're gonna get. I think it may be the pro version versus the home version now, because I've seen it come with policies recently, and this is a fairly recent install, so you may have policies, you may not. If you have to create one, there's a new policy here, and it's just going to be what kinds of checks and things that Nessus is going to run. So, a new policy, and all sorts of different stuff here, like credentialed patch audit. A lot of times you do this, like if you're on the internal security team, you can give it, like, domain admin credentials, and it logs in everywhere and checks internally, so it won't only find network-based vulnerabilities.

For things like out-of-date iTunes and out-of-date Flash and other things that might lead to a client-side attack, which we'll discuss a bit later, it will be able to find that as well. Let's just do a basic network scan and call this Georgia's policy. Next, choose the type: internal network. I'm not gonna do any authentication; again, that's if we want to log in, which you may find your clients have you do for things like configuration reviews, where they give you credentials and it logs in and checks the registry and such. But typically, we don't do that. We have a policy, so we need some policy. Again, it may come with policies, it may not, and if it does, then you can use one of the built-in ones or create your own. And we're going to advanced mode here. We can see, like, plugins, by default.

It has brute force attacks disabled, the kind that might lock out accounts and even bring something down. So those would be checks that might be detrimental to the environment. So those are turned off by default. Other ones are disabled, like there's some things for mobile devices. We don't have any mobile devices here. It doesn't have too much for mobile devices, a few things, and policy compliance as well. We could turn on compliance checks if we were logging in. But a lot of things are already on, so you can go in and enable specific plugins as well. I'll leave all this at the default, but as you use this more and more, you may find that there are specific things that work well for you. Like, printers are always a disaster with Nessus and other vulnerability scanners.

They print out smiley faces and stuff. So if your client doesn't know entirely what's going on, you might get a call about why did all the printers go off in the middle of the night and start putting out pages. I was once on an on-site security team for a while, where we did a periodic credentialed scan to check the patch levels and such in the environment. And then one day we decided to go try and find all the printers, and every floor we went to... We were trying to put them on a VLAN by themselves, which they should have been anyway; they weren't. That was our test. Every floor we went to, it would be like, you know, our printer spit out all this stuff once a week. So it's not really that big a deal, but it's wasting paper. So we'll just, again, leave it as the default. Now we're gonna run a scan. New scan, Georgia's policy, and we can upload a target file. We only have two here, three if you want to do the Windows 7

target as well; that won't really find anything. But of course, we can just type them in. So mine are 192.168.1.76 and 192.168.1.80. So those are my two targets, my Ubuntu and my Windows XP, and you can put the Windows 7 in as well. Let's leave it out to save time in the video, because as an example of a more complex target, it's patched, has some issues on the website, and we'll see it in client-sides and such as well. But from a network perspective, it's pretty up to date. Our scan is running, and we can actually see it in real time: 0% done, but we're already starting to see vulnerabilities here, lighting up orange and yellow and blue. You can see here blue is info. Looks like we've got a medium, a high. It looks like we just got a critical as well. So you see them coming in. We can click vulnerabilities up here to see all the vulnerabilities, or see them by host, as we were, to see vulnerabilities for a particular host.

So I have this set up specifically for classes so that there will be vulnerabilities that the vulnerability scanner will not find, that we will have to find with other methods. You might find that in those cases, stuff is going to get missed on your pen test. If you've got a really large pen test and not that much time to do it, the possibility of you doing manual checks against every single port in the environment, against thousands and thousands of hosts, in say a week of pen testing, it's unlikely, so things may get missed. The vulnerability scanner is not going to necessarily find 100% of the issues in the environment, but it will give you a lot of possibilities very quickly. So it is also prone to false positives. Again, you'd rather have it say it's there and then it not be there, than have it not say it's there and then it be there. So it is partial to false positives; plus it sells more licenses. It finds a thousand vulnerabilities, versus it finds six, right? So that makes sense.

We always want to do manual checks before we do any reporting on this. Assuming it's allowed, I mean, certainly you'll probably find clients who just want you to run a vulnerability scan. So this is a vulnerability scan, and be done with it. It's good money for basically clicking a button. So again, no reason not to know how to do that. I mean, everybody does it. It's not as fun as pen testing, but again, it's easy money. And a lot of clients are a little bit afraid of the scary pen testing. So don't say no. We're still running here. We've got five criticals here. It looks like PHP is out of date. It's likely got MS09 SMB vulnerabilities. What have we here? Unsupported operating system. vsftpd Smiley Face Backdoor. Did we talk about that already in our information gathering section? I think we did. I think we talked about that. The version number 2.3.4 for vsftpd was the correct version to possibly be vulnerable to the smiley face backdoor, but we weren't sure, because the version number didn't change after the patch or before it, but Nessus seems to think that it is there.

This actually seems to have kind of exploited it, because again, all you have to do is give it a smiley face in the username. It said that it gave us root access, so we should be able to exploit that during our exploitation phase, no problem. And also over here to the right it has more information, so exploits are available, and it says there's one in Metasploit that we'll find, though we can do this manually just as easily. Looks like that one's done. Denial of service: probably not gonna want to run a denial of service. This is network file system share user mountable. We didn't see the network file system port; I didn't really look at it yet. It looks like a share called export Georgia with the contents here, partial content. So that might be something we want to take a look at, see what's in the network file system here. It may be nothing; again, like printers, it comes up again. Like, sometimes they have network file system shares that have really nothing interesting in them.

You think, oh, there's little print jobs in it, and maybe, depending on configuration, but it may just as easily be, like, nothing. So you may find network file system shares that really get you nowhere in terms of the pen test, or you may find a gold mine, which, this being a pen testing class, you know, chances are that's gonna be something we want to take a look at. Not see compu disclosures, I mean, the kind of stuff that we would probably verify and report on. But, like, traceroute isn't going to get us domain level access, for instance. But those things I'd generally report on anyway. But the other one... okay, looks like we're done. So let's see, not a lot of criticals here. Looks like we got some out-of-date Apache, out-of-date PHP. Looks like it's Windows XP, which is unsupported, which it wasn't unsupported when I started teaching this class, but you'd be surprised how many Windows XPs and Windows 2000s you find lying around. And Linux is even worse, really. It's like, at least you find people who have administrators who can do Windows boxes.

It seems like a lot of times they install the Linux system, and then the Linux guy leaves and they never update it. I find stuff that's 20 years old on the Linux all the time. So if anybody ever says that my classes don't matter because we use out-of-date operating systems, well, one, we're gonna use up-to-date operating systems too, and also I find these all the time on my tests, all the time. Like in the last week I've done a couple of tests and I found XP and 2000 on both of them. So of course it's all true. And our favorite, MS08-067. We already saw this one, actually, in the Metasploit module, where we learned how to use Metasploit. This is always the exploit that I start with. It's another one of those... really, MS08-067 is so old but still works. I see it unpatched internally a lot still, even today, and it only takes one.

You've got one box that's unpatched, and then it's a member of the domain, and a local admin password that is everywhere else could be game over, which we'll talk about a bit later on in post exploitation. But, I mean, it really only takes one missed system, and when you're looking at thousands and thousands of them, it's really easy to forget something. If you're not doing this periodically and checking for vulnerabilities, there's really no way you would know. Again, some out-of-date Apaches. I mean, some of this, it's just that things have updated since I built the images. Yeah, yeah, it looks like a lot of out-of-date Apaches.

OpenSSH. So we found a few things here. It looks like we know that MS08-067 is exploitable. We saw it with Metasploit. And that's always gonna be one we'll look out for. We know if we find MS08-067 it's something that could give us easy system privileges. Always want to try that one. If we have permission to exploit, we already know how to do that, so you can check back to the Metasploit section if you wanna see it again. So, I mean, a few interesting things here. We might be able to find something like for Apache. Like, there's Metasploit modules for some of these Apache things. I would find that the web server vulnerabilities are really not that easy to get to exploit nicely, especially when they say heap overflow or heap-based buffer overflow. We don't even cover anything heap-based in our exploit development section. If you continue studying exploit development, you'll get to it.

But it's a little more complicated than our stack-based exploitation. Things just don't tend to work quite as nicely. So you may find that those are hard to get to work. Generally, I don't go for exploiting those unless I don't really have to worry about bringing stuff down. Of course, in our lab, we don't have any problem with that at all. So by all means, feel free to run whatever you feel like. Like, this one says exploits are available, but it doesn't have any listed, so we'd probably have to use exploit code from the Internet, which, of course, we need to be careful with. So we did find a lot of interesting information very quickly here, and with little effort, really. We just had to click go, and that was that. So again, I did design this such that there's gonna be other stuff that we can find that the scanner didn't find that is going to be exploitable. But I would always encourage you to run the vulnerability scanner. At least see what you get out.
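The lecture's central practical point is that scanner output is a worklist, not a report: findings have to be ranked and verified by hand, and a banner-based "version is old" finding is exactly the kind that can be a false positive (the vsftpd version number that did not change after the patch). The script below is an added example, not part of the lecture or of Nessus itself. It parses the `.nessus` v2 XML export format that Nessus produces (the `ReportHost`, `ReportItem`, `severity`, `pluginName`, `exploit_available` and `plugin_output` fields are real parts of that format), builds a per-host severity summary, and orders findings for manual verification. The sample export is constructed for the example: the two hosts are the lab targets named in the lecture, but the plugin IDs (9000xx), plugin names, version strings and output text are placeholders, and the `evidence_type` heuristic (active check versus version banner) is this example's own, not a Nessus field.

```python
"""Triage a Nessus .nessus (v2 XML) export into a manual-verification worklist.
The sample export below is constructed: the two hosts are the lecture's lab
targets, but plugin IDs (9000xx), names, versions and output are placeholders."""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

SAMPLE_NESSUS = """<NessusClientData_v2><Report name="georgias-policy">
<ReportHost name="192.168.1.76">
<ReportItem port="21" protocol="tcp" severity="4" pluginID="900001" pluginName="vsftpd Smiley Face Backdoor">
<exploit_available>true</exploit_available>
<plugin_output>Nessus was able to reach the backdoor shell and run 'id' as root.</plugin_output>
</ReportItem>
<ReportItem port="80" protocol="tcp" severity="4" pluginID="900002" pluginName="PHP Unsupported Version">
<exploit_available>false</exploit_available>
<plugin_output>Installed version : 5.2.4 (placeholder)  Fixed version : a supported release</plugin_output>
</ReportItem>
<ReportItem port="80" protocol="tcp" severity="3" pluginID="900003" pluginName="Apache HTTP Server Out of Date">
<exploit_available>false</exploit_available>
<plugin_output>Installed version : 2.2.8 (placeholder)  Fixed version : 2.2.latest</plugin_output>
</ReportItem>
<ReportItem port="2049" protocol="tcp" severity="2" pluginID="900004" pluginName="NFS Exported Share Information Disclosure">
<exploit_available>false</exploit_available>
<plugin_output>Nessus was able to mount an exported share and list its contents.</plugin_output>
</ReportItem>
<ReportItem port="22" protocol="tcp" severity="0" pluginID="900005" pluginName="SSH Server Type and Version">
<plugin_output>SSH version : OpenSSH (banner placeholder)</plugin_output>
</ReportItem>
</ReportHost>
<ReportHost name="192.168.1.80">
<ReportItem port="445" protocol="tcp" severity="4" pluginID="900006" pluginName="MS08-067 Server Service RCE">
<exploit_available>true</exploit_available>
<plugin_output>Nessus was able to confirm the missing patch with an uncredentialed check.</plugin_output>
</ReportItem>
<ReportItem port="0" protocol="tcp" severity="4" pluginID="900007" pluginName="Windows XP Unsupported Installation">
<exploit_available>false</exploit_available>
<plugin_output>Installed version : Windows XP (end of support)</plugin_output>
</ReportItem>
</ReportHost></Report></NessusClientData_v2>"""


def evidence_type(output):
    """Heuristic (this example's own, not a Nessus field): plugins that ran an
    active check usually report 'was able to ...'; version-check plugins only
    quote 'Installed version / Fixed version' banners, which can be false
    positives (backported patches) and need manual verification first."""
    text = output.lower()
    if "was able to" in text:
        return "active"
    if "installed version" in text or "fixed version" in text:
        return "banner"
    return "unknown"


def parse_findings(xml_text):
    """Flatten ReportHost/ReportItem elements into one dict per finding."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            output = (item.findtext("plugin_output") or "").strip()
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port", "0")),
                "severity": int(item.get("severity", "0")),
                "plugin_id": item.get("pluginID"),
                "plugin_name": item.get("pluginName", ""),
                "exploit_available": item.findtext("exploit_available", "false") == "true",
                "evidence": evidence_type(output),
            })
    return findings


def worklist(findings, min_severity=2):
    """Findings at or above min_severity, most urgent first: severity, then
    whether a public exploit exists, then host and port for a stable order."""
    keep = [f for f in findings if f["severity"] >= min_severity]
    return sorted(keep, key=lambda f: (-f["severity"], not f["exploit_available"],
                                       f["host"], f["port"]))


def severity_summary(findings):
    """Per-host count of findings at each severity level."""
    summary = defaultdict(Counter)
    for f in findings:
        summary[f["host"]][f["severity"]] += 1
    return summary


if __name__ == "__main__":
    found = parse_findings(SAMPLE_NESSUS)
    for host, counts in sorted(severity_summary(found).items()):
        print(host, {SEVERITY_NAMES[s]: n for s, n in sorted(counts.items())})
    for f in worklist(found):
        flag = "exploit available" if f["exploit_available"] else ""
        print(f"{SEVERITY_NAMES[f['severity']]:8} {f['host']}:{f['port']:<5} "
              f"{f['plugin_name']:42} evidence={f['evidence']:7} {flag}")
```

Run against a real export by replacing `SAMPLE_NESSUS` with the contents of the `.nessus` file downloaded from the scan's export menu. The ordering puts criticals with a public exploit (the vsftpd backdoor, MS08-067) at the top and the info-level noise out of the list, while the `evidence` column separates what the scanner actually demonstrated from what it inferred from a version string, which is where the manual checks the lecture insists on should go first.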

Course link:
Advanced Penetration Testing
The Advanced Penetration Testing course teaches the cyber attack lifecycle from the perspective of an adversary. Become more familiar with the most widely used penetration-testing tools, manipulate network traffic, and perform web application attacks such as cross-site scripting and SQL injection.
Instructed by
Georgia Weidman

I am the founder and CTO at Shevirah and Bulb Security LLC. I am a serial entrepreneur, penetration tester, security researcher, speaker, trainer, and author. I hold an MS in computer science, and I also hold the CISSP, CEH, and OSCP certifications.