Lab 07.0 - Nessus


HERA

LAB ID: 7

NESSUS
POLICY AND SCAN CONFIGURATION
AUTHENTICATED SCANS
PLUGIN SELECTION
NESSUS AND METASPLOIT INTEGRATION
[Nessus] LAB ID: 7

1. LAB
You’re asked to perform a vulnerability assessment against the internal
network of FooCompany. Note that your machine is directly connected to
the company LAN: you are at your client’s premises.

This is what the client organization defined as the scope of the tests:

- Organization network: 192.168.78.0/24
- DMZ: 10.100.0.0/24

The following image summarizes the Lab environment:

eLearnSecurity s.r.l. © 2012 | H E R A 2



2. GOALS
- Perform a vulnerability assessment

3. WHAT YOU WILL LEARN
- Configuring Nessus policies, credentials and plugins
- Using Nessus through the Metasploit console

4. RECOMMENDED TOOLS
- Nessus
- Metasploit


5. TASKS
Task 1. Nessus GUI – Internal network scan

Start Nessus and run a new scan on the target network 192.168.78.0/24,
using the existing policy “Internal Network Scan”.

Once the scan is finished, fill in the following table with the discovered
hosts and the number of high/medium vulnerabilities found for each.

Host IP | High Vulnerabilities | Medium Vulnerabilities

Note that you can also perform host discovery using tools like Nmap and
then feed Nessus with the right IP addresses.
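One way to fill in the table without counting by hand is to parse the scan’s .nessus export. This is an added example, not part of the lab: the XML below is a constructed sample in the .nessus v2 layout (the second host, plugin IDs and findings are made up), and severity 4 (critical, present in newer Nessus versions) is folded into the High column because the table has no separate column for it.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the .nessus (v2) export layout; hosts, plugin IDs and
# findings are made up for illustration and are not results from the lab network.
SAMPLE_NESSUS = """<?xml version="1.0"?>
<NessusClientData_v2>
 <Report name="Internal Network Scan">
  <ReportHost name="192.168.78.10">
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3" pluginID="1" pluginName="sample high finding" pluginFamily="Windows"/>
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="2" pluginID="2" pluginName="sample medium finding" pluginFamily="Windows"/>
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="3" pluginName="sample info finding" pluginFamily="General"/>
  </ReportHost>
  <ReportHost name="192.168.78.15">
   <ReportItem port="80" svc_name="www" protocol="tcp" severity="2" pluginID="4" pluginName="sample medium finding" pluginFamily="Web Servers"/>
   <ReportItem port="80" svc_name="www" protocol="tcp" severity="1" pluginID="5" pluginName="sample low finding" pluginFamily="Web Servers"/>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

# Nessus severity attribute: 0 info, 1 low, 2 medium, 3 high, 4 critical (newer
# versions). Critical is counted under "high" because the lab table has no
# critical column; this mapping is our choice, not a Nessus convention.
LABELS = {"4": "high", "3": "high", "2": "medium"}


def count_by_host(nessus_xml: str) -> dict:
    """Return {host: {"high": n, "medium": n}} for every ReportHost in the export."""
    counts = {}
    for host in ET.fromstring(nessus_xml).iter("ReportHost"):
        tally = {"high": 0, "medium": 0}
        for item in host.findall("ReportItem"):
            label = LABELS.get(item.get("severity"))
            if label:
                tally[label] += 1
        counts[host.get("name")] = tally
    return counts


def render_table(counts: dict) -> str:
    """Lay the counts out as the Host IP / High / Medium table the task asks for."""
    rows = ["Host IP          High  Medium"]
    for ip in sorted(counts, key=lambda s: tuple(int(o) for o in s.split("."))):
        rows.append(f"{ip:<16} {counts[ip]['high']:>4}  {counts[ip]['medium']:>6}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(render_table(count_by_host(SAMPLE_NESSUS)))
```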


Task 2. Nessus scan and exploitation within Metasploit

Metasploit offers the ability to use Nessus directly from the msfconsole.
This is a very useful feature that allows us to load existing Nessus scans
and then exploit the vulnerabilities they report.

Once you have loaded the previous scan (Task 1) into Metasploit, find an
exploitable vulnerability (or use plugins such as “auto_exploit” or
“db_autopwn”; NOTE: db_autopwn has been removed from recent versions
of Metasploit) in order to obtain one or more meterpreter shells.

This hopefully allows us to obtain access to target machines and then
retrieve useful information, such as credentials, to use for further Nessus
scans in our cyclical penetration testing process.

Task 3. Authenticated scan

You should now have a meterpreter session. Use it to dump password
hashes from the exploited machine (hashdump command from the
meterpreter shell). Once you have got the hashes, create a new Nessus
scan in order to use the NTLM hashes as Windows credentials.

Moreover, set the following SSH credentials:

Username: netadmin / Password: netpwd

Once the scan is finished, you will notice that the report differs from the
one obtained previously (Task 1). This happens because Nessus is now able
to scan the remote host using credentials, thus running checks with local
privileges.


Please fill in the next table with the results of the new scan:

Host IP | High Vulnerabilities | Medium Vulnerabilities

Task 4. Configure Nessus Plugins and Preferences

The organization asks you to perform a Web Application scan against the
web server placed inside the DMZ (10.100.0.0/24). The server IP address
is 10.100.0.80.

Create a new Nessus policy and perform a Web App scan. Don’t use an
existing policy, but think about which plugins are useless and which are
not. Moreover, in the Preferences tab, you also have further configuration
options.


Solutions


Task 1. Nessus GUI – Internal network scan

The first thing to do is to start the Nessus service. We can do it in
different ways:

Once the service is running, we can access the Nessus GUI at the address:
https://127.0.0.1:8834

We can now start our scan against the network. To do that let’s open the
“Scans” tab and then click “Add”.


Here we can set up the name of the scan, the policy to use and the list of
hosts to scan. Note that since we are within the target network, if we set
the whole subnet 192.168.78.0/24 as the target, our machine will be
scanned too. To avoid this we can use tools like Nmap to perform host
discovery, and then manually provide Nessus with the IP addresses to scan:


The following screenshot shows the scan results:

Depending on the plugins update level, scan results might differ.

As you can see from the results, different vulnerabilities have been found
on the target machines. You can navigate them by clicking the IP addresses.

Task 2. Nessus scan within Metasploit

Instead of using the web browser GUI, we can also use Nessus from
Metasploit. This will help us in case we want to try to assess and exploit a
vulnerability. Since we have already performed the scan, we will just load
the Nessus results into MSF and automatically exploit the vulnerabilities.

Let’s open a new msfconsole and then connect to Nessus:

(Screenshot: the Nessus connection command, with the host, username and password fields highlighted.)


Now that we are connected to Nessus, we can run basic commands such as
running a new scan, navigating reports and so on.

Since we already have a report, we can load it so that Metasploit can load
the list of vulnerabilities. Let’s first list all Nessus reports with the
command nessus_report_list and then load the one we want to import
with the command nessus_report_get.

You should see something like this:

Now vulnerabilities and targets have been imported into the database.


We can see them by running the command vulns:

What we can do now is automatically exploit the target hosts using the
vulnerabilities loaded into the DB. To do this, we will use the plugin
“auto_exploit” by darkoperator. You can download it here:
https://github.com/darkoperator/Metasploit-Plugins/blob/master/auto_exploit.rb

Once the plugin is loaded, we can run the exploitation process:


As you can see, the machine 192.168.78.10 has been successfully
exploited and we have obtained a Meterpreter session.

Now we should be able to dump password hashes and then use them to
run a new Nessus scan with credentials:


Task 3. Authenticated scan

The next step is to create and configure a new Nessus policy in order to
scan targets using the credentials obtained with the previous hashdump
command. Remember that each line obtained with hashdump is
composed as follows:

- The first field is the username
  e.g.: Administrator
- The second field is the Security IDentifier
  e.g.: 500
- The third field is the LM hash
  e.g.: e52cac67419a9a224a3b108f3fa6cb6d
- The fourth field is the NTLM hash
  e.g.: 8846f7eaee8fb117ad06bdd830b7586c
We can now create a new scan policy and set up the Credentials tab as
follows:

(Screenshot: the Credentials tab populated with the dumped hashes.)
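Before typing hashes into the Credentials tab it helps to parse the hashdump output into its four fields and sanity-check them. This is an added example, not code from the lab: the sample below is constructed (the Administrator hashes are the example values quoted above; the Guest and svc_backup lines are made up), and the two well-known "empty" hash constants are used to flag accounts that are not worth entering as credentials and to spot password reuse across accounts.

```python
import re

# Constructed sample of meterpreter hashdump output: the Administrator hashes are
# the example values quoted in the lab text; the other two accounts are made up.
SAMPLE_HASHDUMP = """\
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
"""

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"    # LM field when no LM hash is stored
EMPTY_NTLM = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NTLM hash of an empty password
HEX32 = re.compile(r"^[0-9a-f]{32}$")


def parse_hashdump(text: str) -> list:
    """Split each hashdump line into user, RID, LM hash and NTLM hash, validating
    that both hash fields are 32 hex characters before they are reused anywhere."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"malformed hashdump line: {line!r}")
        user, rid, lm, ntlm = fields[0], fields[1], fields[2].lower(), fields[3].lower()
        if not (HEX32.match(lm) and HEX32.match(ntlm)):
            raise ValueError(f"hash fields are not 32 hex chars: {line!r}")
        entries.append({"user": user, "rid": int(rid), "lm": lm, "ntlm": ntlm,
                        "lm_empty": lm == EMPTY_LM,
                        "blank_password": ntlm == EMPTY_NTLM})
    return entries


def credential_candidates(entries: list) -> list:
    """(user, NTLM hash) pairs worth entering in the Nessus Windows credentials
    tab; blank-password accounts are skipped as they rarely allow a network logon."""
    return [(e["user"], e["ntlm"]) for e in entries if not e["blank_password"]]


def shared_hashes(entries: list) -> dict:
    """NTLM hashes used by more than one account: NTLM is unsalted, so equal
    hashes mean equal passwords, a reuse finding worth reporting to the client."""
    by_hash = {}
    for e in entries:
        by_hash.setdefault(e["ntlm"], []).append(e["user"])
    return {h: users for h, users in by_hash.items() if len(users) > 1}
```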


Moreover, we have SSH credentials too. So let’s choose SSH Settings from
the drop-down menu and insert the given credentials:

We can leave the rest of the options as they are. Let’s run the scan and
see if we are able to obtain more information than before:

As you can see, configuring Nessus with the right credentials allows us to
scan target hosts locally and find many more vulnerabilities. In this case
the credentials worked for three hosts.


Task 4. Configure Nessus Plugins and Preferences

First let’s create a new policy and start configuring it. Since we want to
scan the web applications, and we don’t want to generate too much
traffic on the network, we can start configuring ports to scan:

After that, we can skip the Credentials tab and start configuring the
Plugins. In this case we have enabled the following plugins:

- CGI abuses / XSS
- Databases
- DNS
- General
- Settings
- Web Servers


We can move on to the last step (Preferences tab). The first plugin we will
configure is Global variable settings:

Note that some plugins can take a long time to scan.

Another useful plugin is the HTTP login page. This plugin provides control
over login forms within the web application. If you are given a login to the
web application, you should put it here to scan the authenticated
functionality:


Another plugin that we have to use is the “Web Application Tests
Settings”. This plugin attempts to pass common CGI attack payloads such
as XSS, SQLi, RFI and so on:

The last plugin we will enable is “Web mirroring”. With this plugin, Nessus
will mirror web content to better analyze the contents for vulnerabilities:

Now that we have our policy set up, we can run the scan against the
webserver.


As you can see, there are many vulnerabilities.

Now that you are more confident with Nessus, you can try to create
custom Nessus policies in order to check which plugins and which
configurations fit better for different situations. You can also practice
scanning and exploiting targets directly from Metasploit.
