Using Nessus to Identify Vulnerabilities
Nessus is one of the most popular vulnerability assessment tools on the market. Nessus scans cover a wide range of technologies, such as operating systems, network devices, databases, web servers, and infrastructure. It performs its scans by relying heavily on plugins, which run against each host in the targeted machine or network in order to identify vulnerabilities.
Starting up Nessus, we have the ability to configure it the way we want. In this example we are going to configure it to scan the host-only network that VirtualBox created for us - 192.168.56.1. Using Georgia Weidman's book, Penetration Testing: A Hands-on Introduction to Hacking, as a guide, we can boot up the three vulnerable machines we created when we were starting our pentest journey. Because all three machines are on the same subnet, we configured Nessus to scan the 192.168.56.0 subnet.
So Nessus is going to scan all the virtual machines that are currently powered on, using the same host network:
- 192.168.56.9 - Kali machine (running Nessus)
- 192.168.56.26 - Windows XP machine
- 192.168.56.27 - Windows 7 machine
- 192.168.56.3 - Ubuntu machine
As you can see, Nessus scanned every machine powered on in the 192.168.56.0 subnet. This way we were able to scan multiple machines all at once instead of individually. From there we can quickly identify which machine has the most severe vulnerabilities and go from there.
Here we pick a well-known vulnerability that is easy to exploit - MS08-067.
Selecting the vulnerability shows a lot of information about it. This is very helpful if you're unsure what the vulnerability is and where to find more details on it.
We can clearly see that this vulnerability is quite old and that a patch has already been released for it. Beyond that, we see it involves Remote Code Execution (RCE). This is good information because now we can check whether Metasploit currently has an exploit for the vulnerability.
But before we exploit the vulnerability, we can do more active reconnaissance using nmap.
Looking at the nmap results, we can see port 135 - Microsoft Windows RPC - is open. If we look back at the Nessus result, we can see it's the same vulnerability.
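To make that triage repeatable, here is an added example (not code from this post, and not Tenable's or nmap's own tooling) that parses a .nessus XML export, ranks hosts by their worst finding, and then cross-checks each finding's port against an nmap -oX XML scan of the same subnet, so a finding on a port that nmap reports closed or filtered is flagged for a second look. Both XML documents in it are constructed samples for the lab subnet used in this post; the pluginID values are placeholders, not real Nessus plugin IDs, and the plugin names are shortened.

```python
"""Triage a Nessus export and cross-check it against nmap results.

Added example, not the post author's or Tenable's code. It assumes the
standard .nessus (NessusClientData_v2) export and nmap's -oX XML output.
The sample documents below are constructed; pluginID values are placeholders.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed .nessus export for the lab subnet (values invented for this example).
NESSUS_XML = """<NessusClientData_v2>
 <Report name="lab">
  <ReportHost name="192.168.56.26">
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
    pluginID="PLACEHOLDER-1" pluginName="MS08-067: Server Service RCE" pluginFamily="Windows">
    <risk_factor>Critical</risk_factor>
    <patch_publication_date>2008/10/23</patch_publication_date>
   </ReportItem>
   <ReportItem port="135" svc_name="epmap" protocol="tcp" severity="0"
    pluginID="PLACEHOLDER-2" pluginName="Service detection" pluginFamily="Service detection"/>
  </ReportHost>
  <ReportHost name="192.168.56.27">
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="2"
    pluginID="PLACEHOLDER-3" pluginName="SMB signing not required" pluginFamily="Misc."/>
  </ReportHost>
 </Report>
</NessusClientData_v2>"""

# Constructed nmap -oX output for the same two hosts (values invented).
NMAP_XML = """<nmaprun>
 <host><address addr="192.168.56.26" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
   <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
  </ports>
 </host>
 <host><address addr="192.168.56.27" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="445"><state state="filtered"/><service name="microsoft-ds"/></port>
  </ports>
 </host>
</nmaprun>"""

SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}


def parse_nessus(xml_text):
    """Return {host: [finding dicts]} from a .nessus export, skipping Info items."""
    findings = defaultdict(list)
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            sev = int(item.get("severity", "0"))
            if sev == 0:
                continue
            findings[host.get("name")].append({
                "severity": sev,
                "port": int(item.get("port")),
                "protocol": item.get("protocol"),
                "plugin": item.get("pluginName"),
                # A vendor patch date in the export means a fix is already available.
                "patch_available": item.findtext("patch_publication_date") is not None,
            })
    return dict(findings)


def rank_hosts(findings):
    """Order hosts by worst severity, then by number of findings, descending."""
    return sorted(findings, reverse=True,
                  key=lambda h: (max(f["severity"] for f in findings[h]), len(findings[h])))


def parse_nmap(xml_text):
    """Return {host: {(protocol, port): state}} from nmap -oX output."""
    ports = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        ports[addr] = {(p.get("protocol"), int(p.get("portid"))): p.find("state").get("state")
                       for p in host.iter("port")}
    return ports


def cross_check(findings, nmap_ports):
    """Split findings into those whose port nmap saw open and those it did not."""
    confirmed, unconfirmed = [], []
    for host, items in findings.items():
        for f in items:
            state = nmap_ports.get(host, {}).get((f["protocol"], f["port"]))
            (confirmed if state == "open" else unconfirmed).append((host, f["port"], f["plugin"], state))
    return confirmed, unconfirmed


def report(nessus_xml=NESSUS_XML, nmap_xml=NMAP_XML):
    """Return (ranked hosts, confirmed findings, unconfirmed findings)."""
    findings = parse_nessus(nessus_xml)
    confirmed, unconfirmed = cross_check(findings, parse_nmap(nmap_xml))
    return rank_hosts(findings), confirmed, unconfirmed


if __name__ == "__main__":
    order, ok, doubtful = report()
    for host in order:
        worst = max(f["severity"] for f in parse_nessus(NESSUS_XML)[host])
        print(f"{host}: worst={SEVERITY_NAMES[worst]}")
    print("confirmed by nmap:", ok)
    print("needs a second look:", doubtful)
```

Pointing `report()` at real files (`open("scan.nessus").read()` and the nmap `-oX` file) gives a prioritised list to start from; in this lab the Windows XP host comes out first because its worst finding is Critical and nmap agrees the port is open, while the Windows 7 finding is flagged because nmap saw the port filtered.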
Here we find an exploit for MS08-067 in Metasploit. We input the required information to gain access to the targeted machine.
Voilà, the exploit worked, and we now have access to the targeted machine.
This was just a quick introduction to Nessus. I didn’t want to go into too much depth about the exploit because we’ve already been there. I wanted to quickly show how to use Nessus to identify vulnerabilities and further pivot off of it.