This guide covers vulnerability management and why it matters to an organization, then walks through a vulnerability scanner called Nessus. Nessus identifies vulnerabilities on a host, ranks them by severity, and reports how to remediate them; it does not apply fixes itself. We will use a host machine running Nessus and a target machine running Windows 10.
Vulnerability management: Vulnerability management is the continuous process of recognizing vulnerabilities, assessing assets and risks, and determining the best ways to mitigate them to an acceptable risk tolerance. This ensures that the business can address the vulnerabilities before a threat actor exploits them, which could result in significant damage to the organization in a variety of ways. There are six phases of vulnerability management.
Click here to learn the six phases: https://www.microsoft.com/en-ca/security/business/security-101/what-is-vulnerability-management
Nessus: A vulnerability scanner from Tenable that finds security weaknesses, rates their risk, and describes how to remediate them. It is proprietary software rather than open source (the original open-source code was forked into OpenVAS when Nessus went closed-source), but the Essentials edition is free for home and lab use. Nessus is one of the most widely used vulnerability scanners among security professionals. It consists of a server (nessusd) that performs the scans and a client interface through which administrators configure and launch them. A scan proceeds in stages: port scanning, service detection, vulnerability identification against the plugin database, and finally probing to confirm the weaknesses found.
Installing Nessus:
To install Nessus from the distribution package, run the following command (this is the older Debian-style packaging; current releases ship as a .deb or .rpm from Tenable and are activated through the web interface, but the workflow below is otherwise the same):
# apt-get install nessus
Afterwards we need to add an administrator that will be in charge of the Nessus configuration. We can do that with the command below:
# nessus-adduser
Login : admin
Login password :
Login password (again) :
Do you want this user to be a Nessus 'admin' user ? (can upload plugins, etc...) (y/n) [n]: y
User rules
----------
Nessus has a rules system which allows you to restrict the hosts that admin has the right to test. For instance, you may want him to be able to scan his own host only. Please see the nessus-adduser manual for the rules syntax.
Enter the rules for this user, and enter a BLANK LINE once you are done: (the user can have an empty rules set)
Login : admin
Password : ***********
This user will have 'admin' privileges within the Nessus server
Rules :
Is that ok ? (y/n) [y] y
User added
We have created a user named admin with the password we typed (it is not echoed to the screen), flagged as a Nessus administrator, with an empty rules set, so it may scan any host. Because this account can upload plugins and reconfigure the server, give it a strong password rather than something like "admin" anywhere other than a throwaway lab.
Updating the installation to the latest plugins with nessus-update-plugins fails at this point, as shown here:
# nessus-update-plugins
Fetching the newest updates from nessus.org...
Could not validate this nessus-fetch.rc file - has it been copied from another system?
The message means that nessus-fetch.rc is missing or invalid. That file is written when the installation is activated with an activation code. To obtain one, visit the Nessus Activation Code page and choose "Using Nessus at Home", as shown in the picture below:
Click "Select", accept the Subscription Agreement, and provide a first name, last name and email address, as shown in the picture below:
Click Register to complete the registration. Shortly afterwards the following email arrives:
The registration succeeded and the activation code in this case is 0249-114E-2A4C-7D9D-4088. A code is tied to a single installation, so treat yours as a secret. To register the installation and download the current plugin set, run:
# nessus-fetch --register 0249-114E-2A4C-7D9D-4088
Your activation code has been registered properly - thank you.
Now fetching the newest plugin set from plugins.nessus.org...
Your Nessus installation is now up-to-date.
If auto_update is set to 'yes' in nessusd.conf, Nessus will
update the plugins by itself.
nessus-fetch registered the installation and pulled the current plugin set from Tenable's plugin server. With nessus-fetch.rc now in place, nessus-update-plugins performs the same download, so either command can be used for later updates.
To start Nessus now all we need to do is run one of the following commands:
# /etc/init.d/nessusd start
# nessus-service -D
# /usr/sbin/nessusd -D
The init.d script simply wraps one of the other two commands. If startup fails, run nessusd (or nessus-service) directly and omit the -D flag: -D detaches the process as a background daemon, whereas without it the process stays in the foreground and prints its startup messages to the terminal where you can read them.
Once nessusd is running, the web interface is reachable at https://<host>:8834 (it uses a self-signed certificate by default, so expect a browser warning). Log in with the admin user created above; your screen should look something like this:
Preparation:
We will scan a stand-alone host that is not joined to a domain: a Windows 10 virtual machine.
On the target machine, open Windows Defender Firewall with Advanced Security → Windows Defender Firewall Properties and set the firewall state to Off on the Domain, Private and Public profile tabs.
Note: this is done only so that the scanner can reach every port on the target. Disabling the firewall is a significant security risk and is acceptable only on an isolated test machine. The safer option is to leave the firewall on and add an inbound rule that allows traffic from the scanner's source IP address only.
Confirm the target is reachable from the scanner with ping <target IP address> at a command prompt. A failed ping does not by itself mean the host is down; with the firewall on, Windows may simply be dropping ICMP echo requests.
Non Credentialed Scan
A non-credentialed scan examines the target only from the network: open ports, the services behind them, and whatever those services reveal about themselves. It gives an attacker's-eye view of the host without logging in, so it cannot see missing patches in software that is not exposed on the network.
1. In Nessus, go to New Scan → Basic Network Scan. Enter a name for the scan, an optional description, and the target's IP address.
You can customize the scan in its settings, for example scheduling it, or scanning all 65535 ports via Discovery → Port scan (all ports); the default port list covers only the common ports.
2. Click Save, then the launch icon. While you wait, click the scan to watch its progress. Each finding is colour-coded by severity (Critical, High, Medium, Low, Info).
3. Click the scan to view the list of findings. Info-level entries are not vulnerabilities; they record facts about the host (open ports, detected services, the OS fingerprint) that help you interpret the rest.
Click any finding to read the details.
For example, here the scan reports SMB Signing not required. SMB signing lets the client and server verify that each SMB packet is genuine and unmodified; without it, an attacker on the path can tamper with or relay the session. The finding also includes the remediation (require signing on the server).
Credentialed Scan:
A credentialed scan logs on to the target with valid credentials and inspects it from the inside: installed software and versions, patch level, registry settings and configuration. On Windows the account needs administrative rights, because the checks read the registry and the administrative shares.
We will allow authorized scans on a single host target.
You can also find these instructions on the Official Tenable Nessus website. https://community.tenable.com/s/article/Scanning-with-non-default-Windows-Administrator-Account?language=en_US
- Go to Services → set Remote Registry to start, and start it. The scanner reads the registry to enumerate installed software and patch state.
- Open Network and Sharing Center → Advanced sharing settings → turn on network discovery and file and printer sharing. File and printer sharing exposes the SMB administrative shares (ADMIN$, IPC$) that the Windows credentialed checks use.
- Open User Account Control settings → move the slider to Never notify. Do not do this on a production or corporate machine; it is done here only to get the most complete results. Note that the registry value in the last step is what actually lets a local administrator authenticate remotely with full rights; the UAC slider only affects prompts for interactive logons.
- Open Registry Editor and locate HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
- Create a DWORD value named LocalAccountTokenFilterPolicy and set it to 1. This disables UAC remote restrictions, which otherwise strip administrative privileges from local (non-built-in) accounts that connect over the network; without it the scanner is refused access to the admin shares and the remote registry even with a correct password.
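The same preparation as a script, so it can be applied and reverted consistently. This is an added example and not part of the original post or of Tenable's documentation. It keeps the firewall on and opens it only to the scanner's address (the narrow alternative mentioned in the Preparation section above), enables Remote Registry and File and Printer Sharing, and sets LocalAccountTokenFilterPolicy. The scanner address 192.168.56.5 and the rule name are assumptions; run it from an elevated PowerShell prompt on the Windows 10 target.

```powershell
# Added example, not from the original post: prepare a stand-alone Windows 10 target for a
# credentialed Nessus scan without switching the firewall off. Run as Administrator.
# Assumed values: the scanner's IP address and the display name of the firewall rule.

$ScannerIp = '192.168.56.5'              # assumed scanner address; change to yours
$RuleName  = 'Allow Nessus scanner'      # assumed rule name
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Enable-NessusTargetPrep {
    # 1. Leave all three profiles enabled, but allow any inbound traffic from the scanner only.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
            -RemoteAddress $ScannerIp -Profile Any | Out-Null
    }

    # 2. Remote Registry is disabled by default on Windows 10; the scanner needs it to read
    #    installed software and patch state.
    Set-Service -Name RemoteRegistry -StartupType Automatic
    Start-Service -Name RemoteRegistry

    # 3. File and Printer Sharing is the firewall rule group for SMB, which exposes the
    #    ADMIN$ and IPC$ shares that the Windows credentialed checks use.
    Enable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'

    # 4. Disable UAC remote restrictions so a local (non-built-in) administrator keeps its
    #    full token when authenticating over the network. Lowering the UAC slider does not do this.
    New-ItemProperty -Path $PolicyKey -Name LocalAccountTokenFilterPolicy `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

function Undo-NessusTargetPrep {
    # Put everything back once the scan is done; the target should not stay in this state.
    Remove-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'
    Stop-Service -Name RemoteRegistry
    Set-Service -Name RemoteRegistry -StartupType Disabled
    Remove-ItemProperty -Path $PolicyKey -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
}

function Test-NessusTargetPrep {
    # Quick check of the pieces the scanner depends on before launching the scan.
    [pscustomobject]@{
        ScannerRulePresent = [bool](Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)
        RemoteRegistry     = (Get-Service -Name RemoteRegistry).Status
        TokenFilterPolicy  = (Get-ItemProperty -Path $PolicyKey -Name LocalAccountTokenFilterPolicy `
                                 -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
        Smb445Listening    = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
    }
}

Enable-NessusTargetPrep
Test-NessusTargetPrep
```

Run Undo-NessusTargetPrep after the scan. The UAC slider step from the list above is deliberately absent: LocalAccountTokenFilterPolicy is what governs remote authentication by local administrators, so the slider can stay where it is.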
- Return to Nessus and create a new scan or configure the previous one.
- Set up the name, description, and target as previously done.
- Go to Credentials → Windows → enter the username and password of a local administrator on the target (authentication method: password). The remaining options can be left at their defaults.
- Save the scan and then launch it.
The results are more complete and accurate than those of the non-credentialed scan, because Nessus can now read installed software versions and patch state directly instead of inferring them from the behaviour of network services.
You can also exercise the credentialed checks by installing an older version of some software on the target and rescanning.
I installed an outdated release of Mozilla Firefox and reran the scan. As you can see, there are now many more critical findings.
In this scan the outdated Firefox accounts for the vast majority of the high and critical findings. This is exactly what a credentialed scan exists to surface: third-party software that Windows Update does not patch and that a network-only scan cannot see.
Nessus Reports
When a scan completes, its results appear on the Reports page, where we can review them. The report can also be exported in several formats (the native .nessus XML, HTML, CSV, PDF) so that others can read it or so that it can be processed by other tools.
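The native .nessus export is XML and is easy to process outside the UI. The script below, an added example that is not part of the original post, summarises an export by host and severity and drops the Info-level entries that the non-credentialed scan section above explains are facts rather than vulnerabilities. The embedded XML is a constructed sample with the same layout as a real v2 export; the two named plugins (57608 SMB Signing not required, 19506 Nessus Scan Information) are real, the severity-4 item uses pluginID 0 as a placeholder. Replace the sample with a real file as shown in the comment.

```powershell
# Added example, not from the original post: triage a .nessus (XML v2) export in PowerShell.
# The XML is a constructed sample. For a real export use:
#   $nessus = [xml](Get-Content -Path .\scan.nessus -Raw)
$sample = @'
<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="Win10 credentialed">
    <ReportHost name="192.168.56.10">
      <HostProperties>
        <tag name="host-ip">192.168.56.10</tag>
        <tag name="operating-system">Microsoft Windows 10 Pro</tag>
      </HostProperties>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="2" pluginID="57608" pluginName="SMB Signing not required" pluginFamily="Misc">
        <risk_factor>Medium</risk_factor>
        <solution>Enforce message signing in the host's configuration.</solution>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="19506" pluginName="Nessus Scan Information" pluginFamily="Settings">
        <risk_factor>None</risk_factor>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="4" pluginID="0" pluginName="Outdated browser (placeholder plugin, ID 0 is not real)" pluginFamily="Windows">
        <risk_factor>Critical</risk_factor>
        <solution>Upgrade to the current release.</solution>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
'@

$nessus = [xml]$sample
$severityName = @{ 0 = 'Info'; 1 = 'Low'; 2 = 'Medium'; 3 = 'High'; 4 = 'Critical' }

# Flatten ReportHost/ReportItem into one object per finding. GetAttribute is used rather than
# PowerShell's adapted properties so that attributes named like .NET members (e.g. name) are unambiguous.
$findings = foreach ($rh in $nessus.NessusClientData_v2.Report.ReportHost) {
    $ip = ($rh.HostProperties.tag | Where-Object { $_.GetAttribute('name') -eq 'host-ip' }).InnerText
    foreach ($item in $rh.ReportItem) {
        [pscustomobject]@{
            Host     = $ip
            Port     = '{0}/{1}' -f $item.GetAttribute('protocol'), $item.GetAttribute('port')
            Severity = $severityName[[int]$item.GetAttribute('severity')]
            PluginID = $item.GetAttribute('pluginID')
            Name     = $item.GetAttribute('pluginName')
            Solution = $item.solution    # $null when the plugin offers no fix text
        }
    }
}

# Drop Info-level items (facts about the host, not vulnerabilities) and rank the rest by severity.
$order = @{ Critical = 0; High = 1; Medium = 2; Low = 3 }
$findings |
    Where-Object Severity -ne 'Info' |
    Sort-Object { $order[$_.Severity] }, Host |
    Format-Table Host, Port, Severity, PluginID, Name, Solution -AutoSize

# Count per host and severity: the headline figure a vulnerability-management report starts from.
$findings | Group-Object Host, Severity | Select-Object Count, Name
```

With a real export the same pipeline works unchanged; add a Where-Object on PluginFamily or Host to cut the list to a particular team's systems.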
Nessus Scans
Here we create a new scan by specifying the target hostname and the policy to use. In the image below the target is http://www.google.com and the policy is one of the defaults, "Web App Tests". Only scan hosts you own or have explicit authorization to test; a scan against someone else's site without permission is an attack from their point of view, and is easily detected.
Once started, the scan is added to the list of completed and pending scans on the Scans tab, where each scan can be stopped, paused, deleted, and so on.
Nessus Policies
Nessus policies define what Nessus will do when the scan is run. The default Nessus policies are external network scans, internal network scans, PCI-DSS audits, and web application scans, as seen in the image below.
When creating a new policy, a new screen will appear like follows:
There are a few parameters that we need to know about. The Add Policy tabs are shown below.
General
The Basic field on the General tab allows us to name the scan policy, set its visibility, and describe it.
The Scan field contains the following options:
• Save knowledge base information (open ports, detected services) for reuse by later scans.
• Safe checks: skip checks known to crash or disrupt the services they test. Disabling them gives more accurate results at the risk of taking a target down.
• Do not include the list of plugin dependencies in the report.
• Save scan details to the server log file.
• Stop Host Scan on Disconnect: stop scanning a host that stops responding, for example because the test traffic crashed it or an IDS started dropping packets.
• Scan the list of IP addresses in random rather than sequential order.
• Consider unscanned ports as closed.
• For virtual hosts, use hostnames instead of IP addresses so that name-based vhosts are tested.
In Network Congestion, we can select settings to lessen the network load transmitted to the testing web server when congestion is detected.
The Port Scanners section selects the methods used to decide whether a port is open: TCP connect scanner, UDP scanner, SYN scanner, SNMP scan (guesses the SNMP community name and reads the port list over SNMP), netstat SSH scan (runs netstat on the target over SSH), netstat WMI scan (runs netstat on the target over WMI), and ping scan (checks that the target is alive).
Next come the Port Scan Options, which choose the ports Nessus will examine. We can enter ports manually as a comma-separated list, or pick one of two predefined ranges: default, which covers roughly 5000 common ports, and all, which covers every port from 1 to 65535.
The Performance section sets limits on how many hosts are scanned concurrently and how many checks run per host, plus network timeouts. These trade scan speed against the load placed on the targets and the network.
Credentials
Nessus can use credentials to log in to services on the target and check directly whether patches are applied and current software versions are installed. The drop-down offers Windows credentials, SSH settings, Kerberos configuration, and Cleartext protocol settings, covering SMB, SSH, Kerberos, Telnet, rsh and rexec. The cleartext protocols send the password unencrypted over the network, so use them only on an isolated lab network, and never with an account that is also used elsewhere.
Plugins
Selects the specific tests run against the target. The graphic below shows the FTP plugin family enabled; each plugin listed on the right checks the target's FTP server for one particular known weakness, and the family is the set of FTP checks Nessus currently ships.
Preferences
The Preferences page customizes scan behaviour. Here we supply whatever we already know about the target, which lets the scanner work more accurately and faster: the type of database in use and its login and password, how the report should be generated, the User-Agent that HTTP requests should present, the client certificate to use against the target website, and many other details.
When we've configured all of the choices we want, we can save the new policy and launch a fresh scan with our new policy.
Conclusion
We've seen what the Nessus scanner offers. Whether to use Nessus or another scanner for our own network is our decision. Either way, a scanner should not be the only control: it finds known, signature-matched weaknesses, while a manual penetration test of the website or the whole network also covers logic flaws and chained weaknesses that no plugin detects. Only after both, and after the detected vulnerabilities have actually been fixed, can we consider the environment reasonably safe.
Mastering Nessus is instrumental in fortifying network security against evolving threats. By adopting proactive vulnerability management practices, organizations can enhance their defenses and safeguard digital assets effectively. Cybersecurity is an ongoing journey that requires vigilance and continuous learning. Whether you are an experienced professional or an aspiring cybersecurity enthusiast, harnessing the capabilities of Nessus can significantly contribute to securing digital environments.
Thank you for accompanying us on this cybersecurity journey.
Stay Informed, Stay Safe!