Tuesday, July 3, 2012


OK, so recently I showed in you how you can effectively setup Metasploit and today we will add one more item to arsenal to help make Metasploit even more useful and deadly. I will show you how to install Nessus on your Linux box, although directions should not be too different for Windows, and when we are done you will be able to install and configure your server as well as customizing your own vulnerabilty scans and be well on your way to incorporating things fully into Metasploit for ultimate pwnage. Before we begin you need to download the Nessus Scanner, version 5 just recently released is the latest and greatest. You then need to register for a HOME FEED which will get you a product code sent to your email chosen for activation later (link is near top of download page in yellow bar).

OK, move this to your desired location to work with and we will get started by de-packaging the download file. We do this using the “dpkg” command with the “-i” argument to tell it to install the file content as needed.

COMMAND: sudo dpkg -i Nessus-5.0.0-filename.deb

The system will do the required installation tasks for the most part, simple answer accordingly if any prompts come up. Once completed Nessus server will be started and we can navigate to the login page in our Browser of choice, you can find it at either http://localhost:8834 OR http://bt:8834. You will probably need to accept a security warning since the certificate is self signed...

Once accepted you get the welcome page as first sign we are one our way

Now go through the necessary steps to create a new user account for Nessus, and take note or write it down – whatever you do to remember your logins.

Download plugins, wait for it to finish its initializing (it finishes configruation and restarts server). Once its done you will need to login with your new account you just created.

Once logged in you will see the Nessus web panel from which all the magic happens (for the most part), should look like this:

In o rder to get started we need to go to the Policies tab. You will see the default Policies which are already setup and ready to go. You can view them for reference and use as you like, but eventually you will want to customize your own scan settings. In order to do this we need to hit the +ADD button in upper right.

Now we can configure our own scan with all the settings we want as we like. The first tab is the General settings which affect how the tool funcitons. You can define how to handle congestion, what ports to scan, what type of scan method to use, etc. Also, we give our Policy a name so we can identify it later for use.

Next we add any credentials we might have on the Credentials tab. This step is optional but is suggested if you have them as it will allow the scans to run much deeper and with greater access. The results between a blank scan and a credentialed scan can often times be alarming. 

The next tab allow syou to define which modules you actually want to use during the scan. Typically you will simply use them all but in delicate situations this is where you can go to fine tune things as needed. 

The last tab we have is the preferences tab. This tab covers a lot of items like adding additional credentials, fine tuning scan settings, and other misc things like this (check it out to see what all is available to you). The more you put in the more you will get back as it allows for more in depth scans to be performed.

When you're done simply hit the SUBMIT button in the lower right hand corner of the last tab (Preferences). Now we have a scan policy we can use anytime going forward, but how do we use it? In order to use it we need to now go to the SCAN tab to setup our actual scan to run. You will need to give your scan a name which will be used for the reports as well, also identify the IP address to scan. The IP can be provided as a single IP, and range or in CIDR format. You can also choose to use a file with one IP per line which will be used to scan through – very helpful in large environments. The policy type from the drop down will be what defines how the scan is performed, and is what we setup a minute ago :) When you have it setup how you like simply hit the LAUNCH SCAN button in lower right to start the scan process.

You can go to the REPORT tab now to view your running scans as well as all the completed ones. You can click on the BROWSE button up right or double-click to open any report up to view the results of the scan. 

The reports in the new v5 are really impressive visually and make for very good reports to hand over to others if needed following a job (use HTML output option). 

The whole framework is very user friendly, you can double-click anywhere on the report to drill down for more information. 

You can drill all the way down and see the identified vulnerability, the CVE reference number, as well as a general description of the vulnerability in most cases and possible remediation paths to follow. In some cases you may even be lucky enough to get a link to additional reference material. Now when we are done we probably want to export a copy of the scans for safe keeping, reference, and to use with other tools (especially Metasploit). Nessus supports several file formats for the output file. 

The HTML report provides you with everything needed to present the findings to both technical and non-technical parties. It has pretty graphics which get lots of “oos and ahs”. The .NBE and .NESSUS formats are probably the most useful as they can both be imported into Metasploit's database for further use, mainly CVE references to match to known exploits. Play around with them and find what suits you best, I tend to export my results in multiple formats so I have options depending on the need.

All in all I rate this new release an A++ in my book. This concludes our basic instroduction to the Nessus vulnerability scanner. You should now be able to set it up properly on your system and customize your own scans to run on targets. I will have a follow up series coming shortly on how we can import into Metasploit for taking things to the next level as well as how to run scans directly from Metasploit once our policies have been defined. 

QUICK FINAL NOTE: The Nessus Server will start up on system startup. If you wish to start, stop, or re-start the Nessus server at anytime just use this command syntax and select your option accordingly.

COMMAND: sudo /et/cinit.d/nessusd start|stop|restart

I hope you have enjoyed this tutorial and until next time, Enjoy!

No comments:

Post a Comment