Question 1: Finding Vulnerabilities with Nessus

Before using Nessus, we will need to install and activate it on your Kali Linux VM.

1. First, request an activation code for Nessus Home edition to be sent to your e-mail address by filling out the form at http://www.tenable.com/products/nessus/nessus-plugins/obtain-an-activation-code. Please try to avoid using NKU email since the email filter might block the activation email. When downloading Nessus from tenable.com, use the "Debian 6, 7, 8 / Kali Linux 1 AMD64" version.
2. Install Nessus as root by going to root's Downloads directory and running:

   dpkg -i Nessus*

   Step 2 will take a substantial amount of time, as it will download the Nessus scan plugins.
3. Register Nessus by running the following command, replacing the placeholder CODE with the activation code you received in email from step 1:

   /opt/nessus/sbin/nessuscli fetch --register CODE
4. Start Nessus with the following command as root. You will need to run this command every time you need to use Nessus after a reboot or shutdown.

   /etc/init.d/nessusd start
5. Login with username nessus and the same password as the Kali root account.

   You may need to register Nessus again. If the initial registration code received in the activation email does not work for Nessus (Home, Professional, ...), select "Managed by Security" in the dropdown menu.
To scan a target with Nessus, login to the web interface at https://localhost:8834/ then:

1. Click on New Scan.
2. Click on Basic Network Scan.
3. For Name, enter Lab #4.
4. For Targets, enter the IP address of the target VM.
5. Do not modify any of the other fields.
6. Click on Save.

When you save a new scan, it should begin running immediately. If for some reason it does not start, click on the Launch icon to start the scan. The scan will take between 5 and 10 minutes to complete.

Once the scan completes, click on the scan name to view the summary of results. Click on the color-coded bar showing all of the vulnerabilities to view vulnerability details.
1.1: How many vulnerabilities were found in total?

1.2: How many in each severity level from critical to info?
Question 2: Understanding Vulnerabilities

Click on the first vulnerability of critical severity to see the details Nessus reported about the vulnerability. Each vulnerability has multiple attributes, the most important of which are:

1. Nessus plugin ID number: Identifies the plugin that reported the vulnerability.

2. Nessus plugin name: The name of the plugin that reported the vulnerability.

3. CVE (Common Vulnerabilities and Exposures) vulnerability identifier: Some vulnerabilities will not have this identifier, but vulnerabilities that do are recorded in the National Vulnerability Database (nvd.nist.gov) and can be looked up there or at www.cvedetails.com. A single Nessus vulnerability may correspond to multiple CVE identifiers. These identifiers are of the form CVE-YEAR-####.

4. Other vulnerability identifiers: Many vendors, such as Microsoft (MS-## format) and the Mozilla Foundation (MFSA-YEAR-####), record vulnerabilities in their own databases, which may provide more information than Nessus shows or than can be found in CVE databases. Other identifiers include OSVDB numbers for the Open Source Vulnerability Database and BID numbers for the Bugtraq database at securityfocus.com.

5. CVSS base score: The Common Vulnerability Scoring System (CVSS) provides a numerical indication of vulnerability severity ranging from 0 to 10. Critical vulnerabilities will have CVSS scores near 10. The current CVSS version is 2.0. More details can be found at https://nvd.nist.gov/cvss.cfm.

6. Exploit available: Indicates whether or not an open source (like Metasploit) or commercial (like Canvas or Core Impact) exploit framework has an exploit for this vulnerability. Even if no exploit exists for a vulnerability in a popular framework, individual exploit scripts may be found on sites like Exploit DB (www.exploit-db.com).

7. Exploitable with: Names which frameworks have exploits for this vulnerability.

8. See also: This section contains additional references to the vulnerability, which may help to better understand its impact or aid you in finding exploits for the vulnerability.
2.1: For each of the critical severity vulnerabilities reported by Nessus, enter all of the items in the list above in order except for the last one (See also). For item 4, other vulnerability identifiers, only list CVE identifiers if available; otherwise, list only the first other identifier reported.
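As an added example (not part of the lab handout), the Python script below shows how the attribute list above and the counting questions 1.1 and 1.2 map onto data: it buckets findings by severity from their CVSS base score, extracts CVE, MFSA, MS, OSVDB and BID identifiers using the formats listed above, and applies the 2.1 rule (CVE identifiers if present, otherwise only the first other identifier reported). The findings are constructed sample rows with placeholder plugin IDs, names and identifiers, not real scan output; the severity thresholds are an assumption modelled on CVSSv2-era banding (check your scanner's documentation for its exact mapping), and the MS pattern assumes the MSyy-nnn bulletin layout.

```python
"""Triage helper for Nessus findings: added example, not part of the lab.

Counts findings per severity (questions 1.1 / 1.2) and pulls out the
identifier attributes the lab lists, applying the 2.1 reporting rule.
"""
import re
from collections import Counter

# Identifier layouts described in the lab: CVE-YEAR-####, MFSA-YEAR-####,
# OSVDB and BID numbers. The MS pattern assumes the MSyy-nnn bulletin layout.
ID_PATTERNS = {
    "CVE": re.compile(r"\bCVE-\d{4}-\d{4,}\b"),
    "MFSA": re.compile(r"\bMFSA-\d{4}-\d+\b"),
    "MS": re.compile(r"\bMS\d{2}-\d{3}\b"),
    "OSVDB": re.compile(r"\bOSVDB-\d+\b"),
    "BID": re.compile(r"\bBID-\d+\b"),
}

SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Info"]

# Constructed sample rows shaped like a Nessus report; every plugin ID,
# name and identifier below is a placeholder, not a real finding.
SAMPLE_FINDINGS = [
    {"plugin_id": 10001, "plugin_name": "Sample Backdoor Detection", "cvss": 10.0,
     "refs": "CVE-2000-9003 OSVDB-90001", "exploit_available": True,
     "exploitable_with": "Metasploit"},
    {"plugin_id": 10002, "plugin_name": "Sample Default VNC Password", "cvss": 10.0,
     "refs": "OSVDB-90002 BID-90003", "exploit_available": True,
     "exploitable_with": "Metasploit"},
    {"plugin_id": 10003, "plugin_name": "Sample Outdated Browser", "cvss": 7.5,
     "refs": "MFSA-2000-01 CVE-2000-9001 CVE-2000-9002 BID-90001",
     "exploit_available": False, "exploitable_with": ""},
    {"plugin_id": 10004, "plugin_name": "Sample Service Banner Leak", "cvss": 5.0,
     "refs": "BID-90004 MS99-001", "exploit_available": False, "exploitable_with": ""},
    {"plugin_id": 10005, "plugin_name": "Sample Weak Cipher", "cvss": 2.6,
     "refs": "", "exploit_available": False, "exploitable_with": ""},
    {"plugin_id": 10006, "plugin_name": "Sample OS Fingerprint", "cvss": 0.0,
     "refs": "", "exploit_available": False, "exploitable_with": ""},
]


def severity_from_cvss(score):
    """Map a CVSS base score (0-10) to the severity labels the lab uses.

    Assumed thresholds: 0 -> Info, <4 -> Low, <7 -> Medium, <10 -> High,
    10 -> Critical (CVSSv2-style banding; adjust to your scanner's mapping).
    """
    if score is None or score == 0:
        return "Info"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 10.0:
        return "High"
    return "Critical"


def extract_ids(refs):
    """Return every identifier found in a reference string, grouped by kind."""
    return {kind: pat.findall(refs) for kind, pat in ID_PATTERNS.items()}


def first_non_cve_id(refs):
    """Return the earliest non-CVE identifier in the string, or None."""
    best = None
    for kind, pat in ID_PATTERNS.items():
        if kind == "CVE":
            continue
        m = pat.search(refs)
        if m and (best is None or m.start() < best.start()):
            best = m
    return best.group(0) if best else None


def count_by_severity(findings):
    """Answer to 1.1 / 1.2: total count and per-severity counts, critical first."""
    counts = Counter(severity_from_cvss(f["cvss"]) for f in findings)
    return len(findings), {s: counts.get(s, 0) for s in SEVERITY_ORDER}


def report_row(finding):
    """Items 1-7 of the lab's attribute list for one finding.

    Item 4 follows the 2.1 rule: list CVE identifiers if any exist,
    otherwise only the first other identifier reported.
    """
    ids = extract_ids(finding["refs"])
    if ids["CVE"]:
        other = list(ids["CVE"])
    else:
        first = first_non_cve_id(finding["refs"])
        other = [first] if first else []
    return {
        "plugin_id": finding["plugin_id"],
        "plugin_name": finding["plugin_name"],
        "cve": ids["CVE"],
        "other_ids": other,
        "cvss": finding["cvss"],
        "exploit_available": finding["exploit_available"],
        "exploitable_with": finding["exploitable_with"],
    }


def critical_rows(findings):
    """Rows for every critical-severity finding, as question 2.1 asks."""
    return [report_row(f) for f in findings
            if severity_from_cvss(f["cvss"]) == "Critical"]


if __name__ == "__main__":
    total, per_severity = count_by_severity(SAMPLE_FINDINGS)
    print("1.1 total:", total)
    print("1.2 by severity:", per_severity)
    for row in critical_rows(SAMPLE_FINDINGS):
        print("2.1:", row)
```

Replace SAMPLE_FINDINGS with rows exported from your own scan (Nessus can export results as CSV; the column names above are this script's own, so map them accordingly) and the same functions give you the answers for 1.1, 1.2 and 2.1.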
2.2: Exploit the backdoor identified by the Rogue Shell Backdoor Detection vulnerability using the netcat command with the target IP and the target port number reported by Nessus for this vulnerability.

   $ nc TARGET_IP TARGET_PORT

Once logged into the target machine, determine which user you are logged in as and which directory you are currently in. Include both command output and answers to the questions in the previous sentence in the box below.

   # id
   # pwd
2.3: Let's use this backdoor shell login to learn more about the system. In particular, we can determine which network services are running on the target.

   # lsof -i -n -P

Write down the list of network services you see.
2.4: Using nmap from your Kali VM, determine which network services are running on the target.

   # nmap -sT TARGET_IP
2.5: Which ports did lsof find that nmap did not report?
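Questions 2.3 to 2.5 reconcile two views of the same host: what is listening according to the host itself (lsof) and what is reachable from the network (nmap). As an added example (not the lab's code), the Python below parses constructed lsof -i -n -P and nmap -sT output, lists the listeners nmap never reported, and annotates each with the usual reason: a loopback-only bind, a UDP service that a TCP connect scan does not probe, or a port outside the scanned range or filtered on the way. It also reports the reverse case (open in nmap but absent from lsof), which is what a host owner looks for when auditing exposed services. Both sample outputs are constructed; the host 10.0.0.5 and the process names are placeholders.

```python
"""Compare host-side listeners (lsof -i -n -P) with a network scan (nmap -sT).
Added example, not part of the lab; both outputs below are constructed."""
import re

# Constructed lsof -i -n -P output (numeric hosts and ports, as -n -P give).
SAMPLE_LSOF = """\
COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd     1234  root    3u  IPv4  12345      0t0  TCP *:22 (LISTEN)
sshd     1300  root    3u  IPv4  13000      0t0  TCP 10.0.0.5:22->10.0.0.1:50123 (ESTABLISHED)
apache2  2000  root    4u  IPv4  20000      0t0  TCP *:80 (LISTEN)
mysqld   2345  mysql  10u  IPv4  23456      0t0  TCP 127.0.0.1:3306 (LISTEN)
java     3000  tomcat 40u  IPv6  30000      0t0  TCP *:8080 (LISTEN)
custom   3100  root    5u  IPv4  31000      0t0  TCP *:9000 (LISTEN)
named    4567  bind   20u  IPv4  45678      0t0  UDP *:53
"""

# Constructed nmap -sT output for the same (placeholder) host.
SAMPLE_NMAP = """\
Nmap scan report for 10.0.0.5
Host is up (0.00020s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8080/tcp open  http-proxy
"""

# NAME column of lsof: "TCP addr:port (LISTEN)" or "UDP addr:port".
LSOF_RE = re.compile(r"\b(TCP|UDP)\s+(\S+):(\d+)(?:\s+\(LISTEN\))?\s*$")
# nmap port table rows: "22/tcp   open  ssh".
NMAP_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\b", re.MULTILINE)


def parse_lsof_listeners(text):
    """Return {(proto, port, bind_address)} for every listening socket."""
    listeners = set()
    for line in text.splitlines():
        if "->" in line:  # an established connection, not a listener
            continue
        m = LSOF_RE.search(line)
        if not m:
            continue  # header line or a non-socket row
        proto, addr, port = m.groups()
        if proto == "TCP" and "(LISTEN)" not in line:
            continue
        listeners.add((proto.lower(), int(port), addr))
    return listeners


def parse_nmap_open(text):
    """Return {(proto, port)} for every port nmap reported as open."""
    return {(proto, int(port)) for port, proto in NMAP_RE.findall(text)}


def listeners_not_seen_by_nmap(listeners, nmap_open):
    """Answer to 2.5: listeners nmap did not report, each with a likely reason."""
    missing = []
    for proto, port, addr in sorted(listeners, key=lambda t: (t[0], t[1])):
        if (proto, port) in nmap_open:
            continue
        if proto == "udp":
            reason = "UDP service: nmap -sT is a TCP connect scan and does not probe UDP"
        elif addr.startswith(("127.", "[::1]")) or addr == "localhost":
            reason = "bound to loopback only: unreachable from the network"
        else:
            reason = "not among the ports nmap scanned, or filtered before reaching the target"
        missing.append((proto, port, addr, reason))
    return missing


def reported_but_not_listening(listeners, nmap_open):
    """Ports nmap saw open that lsof shows no listener for (worth investigating)."""
    local = {(proto, port) for proto, port, _ in listeners}
    return nmap_open - local


if __name__ == "__main__":
    local = parse_lsof_listeners(SAMPLE_LSOF)
    remote = parse_nmap_open(SAMPLE_NMAP)
    for proto, port, addr, reason in listeners_not_seen_by_nmap(local, remote):
        print(f"{proto}/{port} on {addr}: {reason}")
    print("open in nmap but not in lsof:", reported_but_not_listening(local, remote))
```

Feed it your own captures (save the lsof output from the target shell and the nmap output from Kali to files and read them in place of the two sample strings) and the first function's result is your answer to 2.5; the loopback-only and UDP cases are exactly the services a remote TCP scan cannot see.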
2.6: Exploit the vulnerability reported by the VNC Server 'password' Password plugin. To access the VNC remote desktop on the target, use the following command. The number 0 following the target IP address indicates the first VNC remote desktop on the target. If multiple desktops are running, you will need to experiment with changing that number to 1, 2, 3, etc. to reach the remote desktop.

   $ xvncviewer TARGET_IP:0

Note: If the command above does not work, use the following:

   $ vncviewer TARGET_IP:0

Run the id command once logged into the target and write the results below. Which user's remote desktop are you accessing?