Nessus is a widely used vulnerability scanning tool developed by Tenable, Inc. It helps identify potential security vulnerabilities in networks, systems, and applications by performing thorough vulnerability scans and generating detailed reports. Nessus is widely used by security professionals, network administrators, and compliance auditors to maintain and improve the security of IT environments.
This program can be used in many applications related to ethical hacking, including HackTheBox machines, bug bounty programs, and other CTFs. In addition, many companies use it for vulnerability management to monitor their own systems. Nessus can also aid in the detection of malware and backdoors, helping to identify compromised systems and facilitating remediation efforts. Compared to many other hacking tools available, Nessus is very easy to get started with. One of its major benefits is that its plugin feed is consistently updated with checks for newly disclosed vulnerabilities.
There are three main versions of Nessus that you can obtain. This includes their Expert, Professional, and Essentials plan. Both the Expert and Professional plans are very expensive and are better suited for a company’s needs. The Expert and Professional plans each have varying capabilities depending on what your needs are. In this example, I will show you how to get started using Nessus Essentials, the free (but very capable) version of Nessus.
To download Nessus Essentials, you need to navigate to the Tenable Downloads page in your browser. https://www.tenable.com/downloads/nessus From here, you need to select the latest version and your desired platform that you will be installing it on. Nessus can be installed on most major systems available, including Linux, Mac OS, and Windows. In this tutorial, I will be installing it on Kali Linux so I will select the Linux-Debian-amd64 version.
For Windows, you can just download the installer and run it as normal. For Kali Linux, download the installer and open your terminal in the downloads directory. From here, type:
$ sudo dpkg -i Nessus*.deb
After it has finished installing, enter the following command to start the Nessus service:
$ sudo systemctl start nessusd
Afterward, you can open https://localhost:8834 in your browser to reach your Nessus dashboard.
You should be greeted with Nessus being initialized.
After this finishes, you need to register your installation with Tenable. Click continue.
Select “Register for Nessus Essentials.”
Enter your information to get your activation code. Click Register, and on the next window, click Continue.
Next, you will need to create a user account for this installation. Be sure to write this down somewhere.
After you create your administrator account, Nessus will then begin to install all of the plugins.
After this process finishes, you will be greeted with the Tenable Nessus Essentials Dashboard.
You will need to wait some time before everything has been initialized properly. When it is finished, you will see the green ‘New Scan’ button become available.
Go ahead and create a new scan.
Here you can see all of the different scanner templates that are available for Nessus to perform within your network. There are three categories of scanner templates.
- Discovery — This is used to see what computer hosts are on your network, and associated information such as IP addresses, FQDN, operating systems, and open ports. This tool is very similar to Nmap, but for hacking purposes, I highly recommend using Nmap. It provides many more options for customizing network scans and, in my experience, tends to be faster.
- Vulnerabilities — We utilize vulnerability scan templates for the majority of our scanning requirements. Tenable offers these templates, enabling you to scan your network for specific vulnerabilities or groups of vulnerabilities. Tenable regularly updates its Nessus scan template library with new templates that detect the latest high-profile vulnerabilities, such as Log4Shell.
- Compliance — Tenable suggests using configuration scan templates to verify if host configurations adhere to various industry standards. These compliance scans, also known as configuration scans, ensure conformity.
For our first scan, go ahead and click on the Basic Network Scan.
Here you set the name and description of your scan and enter the target on your network. In my situation, I will be using the IP address 192.168.1.138. This device is running Metasploitable 2, a deliberately vulnerable machine that can be freely downloaded online.
On the Discovery tab, on the sidebar, you can select if you want to scan all the ports on the target machine or just the common ones. I will be scanning the most common ports because it is faster.
On the Assessment Tab, you can configure it to scan for web vulnerabilities.
On the Advanced tab, you can set your scan to be more performant. This can be helpful to minimize our impact on systems that we are scanning in critical environments.
On the Credentials tab, on the top bar, we can input usernames and passwords, if we already have them, to help have more detailed scans on those hosts. This feature is more relevant to a business that is conducting a scan than for our purposes.
On the Plugin tab, we can see all the plugins that Nessus will be using to scan our network for different vulnerabilities. With the basic scan option that we selected, we can only see what plugins are available; however, in the advanced scan, we will be able to enable and disable these plugins.
Once everything has been configured properly, you can click the save button at the bottom of the page.
Now we are back on the main dashboard. To start the network scan, click on the launch button represented by the triangle.
After the scan finishes, you can click on the scan to see the results of the vulnerability scan. From my scan, I found a total of 47 alerts. Each of these alerts is rated on a Common Vulnerability Scoring System (CVSS) score from 0 to 10, showing what vulnerabilities are the most critical to fix. Each of these alerts can be clicked on to show more details. Ten of the vulnerabilities are labeled as critical; however, the majority are just for informational purposes and pose no real imminent threat.
It should be noted that an alert showing a vulnerability does not remove your responsibility to manually verify it. The scanner shows where the server may be attackable, but it sometimes reports false positives.
Immediately, we see several critical vulnerabilities that need to be fixed. On this machine, we see that the VNC server has a very weak password that needs to be changed. Additionally, there is a Bind shell backdoor that was detected on the server that would allow an attacker to have the ability to enter commands on the target server.
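As an added example (not code from the original post or from Tenable), here is a small Python script that triages a Nessus CSV export the way the dashboard view above does: it buckets each finding by its CVSS score and lists the Critical/High ones first so the informational majority does not hide them. It assumes the column names of the default Nessus CSV export; the sample rows are constructed to mirror the findings described above, not copied from the real scan.

```python
import csv
import io
from collections import Counter

# Constructed sample shaped like a Nessus CSV export (column names assumed to match
# the default export; plugin IDs are placeholders, rows are not the page's real output).
SAMPLE_EXPORT = """\
Plugin ID,CVE,CVSS v2.0 Base Score,Risk,Host,Protocol,Port,Name
1001,,10.0,Critical,192.168.1.138,tcp,5900,VNC server weak password
1002,,10.0,Critical,192.168.1.138,tcp,1524,Bind shell backdoor
1003,,5.0,Medium,192.168.1.138,tcp,21,FTP cleartext login
1004,,,None,192.168.1.138,tcp,22,SSH service detected
"""

# CVSS v3 qualitative scale (assumption; Nessus's own Risk column may map v2 scores slightly differently)
THRESHOLDS = (("Critical", 9.0), ("High", 7.0), ("Medium", 4.0), ("Low", 0.1))

def severity_from_cvss(score):
    """Bucket a 0-10 CVSS score; a missing or zero score is informational, not a vulnerability."""
    if score is None or score <= 0.0:
        return "Info"
    for label, floor in THRESHOLDS:
        if score >= floor:
            return label
    return "Info"

def parse_export(text):
    """Read the export and attach a numeric score and severity bucket to each finding."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        raw = row.get("CVSS v2.0 Base Score", "").strip()
        score = float(raw) if raw else None
        findings.append({"plugin": row["Plugin ID"], "host": row["Host"],
                         "port": f'{row["Protocol"]}/{row["Port"]}', "name": row["Name"],
                         "score": score, "severity": severity_from_cvss(score)})
    return findings

def triage(findings):
    """Count findings per severity and list Critical/High ones first so informational noise
    (usually the majority of a scan) does not hide what must be fixed or manually verified."""
    counts = Counter(f["severity"] for f in findings)
    to_fix = sorted((f for f in findings if f["severity"] in ("Critical", "High")),
                    key=lambda f: (-f["score"], f["host"], f["port"]))
    return counts, to_fix

if __name__ == "__main__":
    counts, to_fix = triage(parse_export(SAMPLE_EXPORT))
    print(dict(counts))
    for f in to_fix:
        print(f'{f["severity"]:9}{f["score"]:5}  {f["host"]} {f["port"]}  {f["name"]}')
```

Point it at a real export (Scan results, Export, CSV) to get the same Critical/High shortlist for your own scan, then verify each entry by hand as noted above.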
Now that you have some basic information for getting started with Nessus, you can leverage this tool to identify vulnerabilities across various applications and devices effectively. Whether you choose the straightforward Basic Scan for quick assessments or the customizable Advanced Scan for detailed analyses, Nessus equips you with one of the most powerful vulnerability scanners to enhance your ability to identify potential vectors of attack.