Vulnerability Scanning (part 2) Nessus


Time
14 hours 26 minutes
Difficulty
Advanced
Video Description

This video teaches about the automated vulnerability scanner Nessus. This is a good tool for professional pen testing. The instructor shows the Nessus command. Nessus is not installed on Kali Linux by default; you can install it yourself and put policies in place if your version does not come with them. The instructor emphasizes doing manual checks before running reports when doing a vulnerability scan.

Video Transcription
00:04
We'll start by using an automated vulnerability scanner. We will look at some other options for vulnerability analysis,
00:11
but we're gonna start with a vulnerability scanner. Some people say vulnerability scanners are kind of like cheating. Some of the courses you might do, they might say you can't use a vulnerability scanner on your test. For instance,
00:24
it's true that a skilled pen tester should be able to replace the vulnerability scanner. We should always do manual analysis. We should always verify our results manually. But
00:36
like many things with computers, they can do
00:40
tasks very quickly that are repetitive and dull and require input.
00:46
Same thing with vulnerability scanners. Basically, give it a database of possibilities and checks of how to try it, and it can do
00:54
lots of checks rapidly, whereas we can only do so many ourselves,
00:59
and it can of course remember everything. So
01:03
I think that they're quite useful. If you do any professional pen testing, no doubt you will find yourselves working with vulnerability scanners a lot,
01:12
so I would definitely encourage you to know how to use them. At the very least, we're going to use one called Nessus. There are certainly others;
01:21
you're welcome to
01:22
try others as well.
01:23
If you have access to other free versions, or your work or school
01:29
has
01:30
a license for others, well, I mean, feel free to use those.
01:34
We're gonna use Nessus. It's the Nessus Home edition, so it's the free version that you should only use
01:41
for your home purposes. Here we're just gonna use it on our local network. We're gonna do service nessusd start on that. All right, it's service nessusd start,
01:53
the Nessus daemon.
01:55
And so that starts that up. So that's like our service apache2 start we did in our Linux section, and this starts up the Nessus server. Nessus is not installed on Kali by default; in your setup instructions I showed you how to install it.
02:08
So it does have
02:10
the command line interface, but also has
02:14
a web GUI.
02:15
So that's going to be listening over HTTPS on its localhost,
02:23
127.0.0.1, and the port is 8834,
02:29
which is Nessus's port,
02:32
and this is Nessus Home. There's a Nessus Professional edition. Nessus Home is going to be limited in what it can do, and it is free, whereas we have to pay for the Professional edition.
02:45
I made my usual username, georgia, and my password, password.
02:49
And don't use password as your password.
02:53
But if I don't do that, then I forget them. So I always use them for classes. But don't do what I do. Do as I say, not as I do.
03:00
So the Nessus interface may change. It has gone through a lot of changes since I've been using it. So by the time you run this, you may find that your interface is completely different, but the way it works will still be the same. You have policies,
03:15
and in this case, you actually have to create a policy. Some of the ones that I've seen come with policies already in them, so it really just depends on what you're gonna get.
03:24
I think it may be the Pro version versus the Home version now, because I've seen it come with policies recently, and this is a fairly recent install, so you may have policies, you may not. If you have to create one, you've got a new policy here, and it's just going to be what kinds of checks and things that Nessus is going to run.
03:44
Honestly, a new policy
03:46
and
03:49
all sorts of different stuff here, like credentialed patch audit. A lot of times you do this if you're on the internal security team.
03:57
You can give it, like, domain admin credentials and log in everywhere and check internally, so it won't only find network-based vulnerabilities. Things like out of date iTunes and out of date Flash and other things that might lead to a client side attack,
04:13
which we'll discuss a bit later, it will be able to find that as well.
04:18
Let's just do it.
04:21
Basic network scan,
04:25
and I'll call it Georgia's policy,
04:29
Georgia's policy.
04:32
Next,
04:33
choose the type, internal network.
04:38
I'm not gonna do any authentication. Again, that's if we want to log in,
04:43
which you may find your clients have you do, like configuration reviews, where they give you credentials
04:47
and it logs in and checks the registry and such. But
04:51
typically, we don't do that.
04:54
We have a policy, so we need some policy. Again, it may come with policies, it may not, and if it does, then you can use one of the built-in ones or create your own,
05:04
and we're going to advanced mode here.
05:10
We can see, like, um,
05:12
plugins,
05:14
and by default it has brute force attacks disabled that might
05:17
lock out accounts and even bring something down. So that would be
05:21
checks that might be
05:24
detrimental to the environment. So those are turned off by default. Other ones are disabled, like there's some things for mobile devices. We don't have any mobile devices here.
05:34
Don't have too much for mobile devices, a few things,
05:42
and policy compliance is also, we could turn on compliance checks if we were logging in.
05:48
But a lot of things are already on, so you can go in and
05:51
enable specific plugins as well. I'll leave all this as default, but as you use this more and more, you may find that there are specific things that work well for you. Like, printers are always a disaster with Nessus and other vulnerability scanners. They print out smiley faces and stuff. So if your
06:11
client doesn't know entirely what's going on, you might get a call about why did all the printers go off in the middle of the night and start putting out pages. So I was once on an on-site security team for a while, where we did a periodic
06:25
credentialed scan to check the
06:28
patch levels and such in the environment. And then one day we decided to go try and find all the printers on every floor we went to. We were trying to put them on a VLAN by themselves, which they should have been anyway. They weren't. That was our test. Every floor we went to, it would be like, you know, our printer spit out all this stuff once a week. So
06:46
it's not really that big a deal, but wasting paper.
06:50
So
06:53
we'll just again leave it as the default. So now we're gonna run a scan.
06:59
New scan,
07:05
Georgia's policy, and we can upload a target file. We only have, here, three. If you want to do the Windows 7 target as well, that won't really find anything.
07:16
But of course, we can just type them in. So mine are 192.168.1.76 and 192.168.1.80.
07:26
So those are my two targets, my Ubuntu and my Windows XP, and you can put the Windows 7 in as well. Let's leave it out to save time in the video, because
07:36
it's an example of a more complex target. It's patched,
07:42
has some issues on the website,
07:45
and we'll see it in client sides and such as well. But from a network perspective,
07:49
pretty up to date. So our scan is running,
07:54
and
07:56
we can actually see it in real time at 0% done. But we're already starting to see vulnerabilities here, lighting up orange and yellow and
08:03
blue,
08:05
going, see
08:07
here,
08:07
blue is info.
08:09
Looks like we've got a medium, a high. It looks like we just got a critical as well. So
08:16
you see them coming in. We can click vulnerabilities up here to see all the vulnerabilities, or see them by host if we wish, and see vulnerabilities for a particular host.
08:26
So I have this set up specifically for classes so that there will be vulnerabilities that the vulnerability scanner will not find that we will have to find with other methods.
08:37
You might find that
08:39
in those cases, stuff is going to get missed on your pen test. If you've got a really large pen test and not that much time to do it, the possibility of you doing manual checks against every single port in the environment against thousands and thousands of hosts in, say, a week
08:54
of pen testing, it's unlikely, so things may get missed. The vulnerability scanner is not going to necessarily find 100% of the issues in the environment,
09:05
but it will give you a lot of possibilities very quickly. So it is also prone to false positives. Again, you'd rather have it say it's there and then it not be there, than have it not say it's there and then it be there. So it is partial to false positives. Plus, it sells more
09:20
licenses if it finds 1000 vulnerabilities than if it finds six, right? So
09:26
that makes sense. We always want to do manual checks before we do any reporting on this, assuming it's allowed. I mean, certainly you'll probably find clients who just want you to run a vulnerability scan. So this is a vulnerability scan, and be done with it. It's good money for basically clicking a button. So again,
09:43
no reason not to know how to do that. I mean, everybody does it. It's not as fun as pen testing, but again, it's easy money.
09:50
And a lot of clients are a little bit afraid of the scary pen testing.
09:54
So
09:56
okay, so we're still running here. We've got five criticals here. It looks like PHP is out of date.
10:05
It's likely got
10:07
MS09 SMB vulnerabilities.
10:13
What
10:13
have we here?
10:20
Unsupported operating system. vsftpd smiley face backdoor. Did we talk about that already in our information gathering section? I think we did. I think we talked about that. The version number
10:31
2.3.4 for vsftpd
10:35
was the correct version to possibly be vulnerable to the smiley face backdoor,
10:41
but we weren't sure, because the version number didn't change after the patch or before it, but Nessus seems to think that it
10:50
is there.
10:54
This actually seems to kind of exploit it, because again, all you have to do is give it a smiley face in the username.
11:00
It said that it gave us root access, so we should be able to exploit that during our exploitation phase, no problem.
11:09
And also over here to the right it has more information, so exploits are available,
11:13
and it says there's one in Metasploit. We'll find that. We can do this manually just as easily.
11:22
Looks like that one's done.
11:24
Denial of service. Probably not gonna want to run a denial of service.
11:30
There's a network file system share that's user-mountable. Well, we didn't see the network file system port.
11:35
I didn't really look at it yet.
11:39
It looks like
11:41
a share called export Georgia with the contents here, partial content. So that might be something we want to take a look at, see what's in the network file system here. It may be nothing. Again, like printers come up again. Like
11:56
sometimes they have network file system shares that have really nothing interesting in them. You think, oh, there's little print jobs in it, and maybe, depending on configuration, but it may just as easily be, like, nothing. So you may find network file system shares that really get you nowhere
12:13
in terms of the pen test. Or you may find a gold mine, which, this being a pen testing class, you know, chances are
12:20
that's gonna be something we want to take a look at.
12:24
Let's see,
12:26
some disclosures. I mean, the kind of stuff that we would probably verify and report on. But
12:33
like TRACE/TRACK isn't going to get us domain level access, for instance. But
12:37
I mean, those things we generally
12:41
report on anyway.
12:43
But the other one. Okay, looks like we're done. So let's see,
12:48
now, a lot of criticals here. Looks like we've got some out of date Apache, out of date PHP. Looks like it's Windows XP, which is
12:56
unsupported, which it wasn't unsupported when I started teaching this class, but you'd be surprised how many Windows XPs and Windows 2000s you find lying around.
13:07
And Linux is even worse, really. It's like, at least you find people who have administrators who can do Windows boxes. It seems like a lot of times they install the Linux system, and then the Linux guy leaves and they never update it. I find stuff that's 20 years old
13:22
on the Linux all the time. So
13:24
if anybody ever says that my classes don't matter because we use out of date operating systems, well, one, we're gonna use up-to-date operating systems too, and also
13:37
I find these all the time on my tests, all the time. Like, in the last week I've done a couple tests, and I found XP and 2000 on both of them.
13:48
So
13:48
of course it's all true. And our favorite, MS08-067. We already saw this one, actually, in the
13:56
Metasploit module, where we learned how to use Metasploit. This is always the exploit that I start with.
14:03
It's another one of those, really. MS08-067 is so old, but
14:07
still works. I see it unpatched internally a lot, still, even today, and it only takes one. You've got one box that's unpatched, and then it's a member of the domain, and the local admin password that is everywhere else,
14:24
could be game over, which we'll talk about a bit later on in post exploitation. But,
14:28
I mean, it really only takes one missed system, and when you're looking at thousands and thousands of them, it's really easy to forget something. If you're not
14:37
doing this periodically and checking for vulnerabilities, there's really no way you would know.
14:43
Again, some out of date Apaches. I mean, some of this, it's just that things have updated since I built the images.
14:50
Yeah,
14:52
yeah, it looks like a lot of out of date Apaches,
14:56
OpenSSL, so
15:00
we found a few things here. It looks like we know that MS08-067 is exploitable. We saw it with Metasploit, and that's always gonna be one we'll look out for. We know if we find MS08-067, it's
15:11
something that could give us easy SYSTEM privileges. Always want to try that one, if we have permission to exploit.
15:18
We already know how to do that, so you can check back to the Metasploit section
15:24
if you wanna see it again.
15:28
Now, I mean, a few interesting things here. We might be able to find something like for Apache.
15:39
Like, there's Metasploit modules for some of these Apache things. I would find that the web server ones are really
15:45
not that easy to get to exploit nicely, especially when they say heap overflow or heap-based buffer overflow. We don't even cover anything heap-based in our exploit development section. If you continue studying exploit development, you get to it. But it's a little more complicated than our stack-based exploitation.
16:04
Things just don't tend to work quite as nicely.
16:07
So you may find that those are hard to get to work. Generally, I don't go for exploiting those unless I don't really have to worry about bringing stuff down. Of course, in our lab, we don't have any problem with that at all. So by all means, feel free to run whatever you feel like.
16:25
Like, this one says exploits are available, but it doesn't have any listed, so we'd probably have to use exploit code from the Internet, which, of course, we need to be careful with.
16:36
So we did find a lot of interesting information
16:38
very quickly here and with little effort, really. We just had to click go, and that was that. So again, I did design this such that there's gonna be other stuff that we can find that the scanner didn't find that is going to be exploitable. But I would always encourage you
16:53
to run the vulnerability scanner. At least you'll see what you get out