OK, so recently I showed in you how you
can effectively setup Metasploit and today we will add one more item
to arsenal to help make Metasploit even more useful and deadly. I
will show you how to install Nessus on your Linux box, although
directions should not be too different for Windows, and when we are
done you will be able to install and configure your server as well as
customizing your own vulnerabilty scans and be well on your way to
incorporating things fully into Metasploit for ultimate pwnage.
Before we begin you need to download the Nessus Scanner, version 5
just recently released is the latest and greatest. You then need to
register for a HOME FEED which will get you a product code sent to
your email chosen for activation later (link is near top of download
page in yellow bar).
You can find the download here:
http://www.tenable.com/products/nessus/select-your-operating-system
OK, move this to your desired location
to work with and we will get started by de-packaging the download
file. We do this using the “dpkg” command with the “-i”
argument to tell it to install the file content as needed.
COMMAND: sudo dpkg -i
Nessus-5.0.0-filename.deb
The system will do the required
installation tasks for the most part, simple answer accordingly if
any prompts come up. Once completed Nessus server will be started and
we can navigate to the login page in our Browser of choice, you can
find it at either http://localhost:8834
OR http://bt:8834. You will probably
need to accept a security warning since the certificate is self
signed...
Once accepted you get the welcome page
as first sign we are one our way
Now go through the necessary steps to
create a new user account for Nessus, and take note or write it down
– whatever you do to remember your logins.
Download plugins, wait for it to finish
its initializing (it finishes configruation and restarts server).
Once its done you will need to login with your new account you just
created.
Once logged in you will see the Nessus
web panel from which all the magic happens (for the most part),
should look like this:
In o rder to get started we need to go
to the Policies tab. You will see the default Policies which are
already setup and ready to go. You can view them for reference and
use as you like, but eventually you will want to customize your own
scan settings. In order to do this we need to hit the +ADD button in
upper right.
Now we can configure our own scan with
all the settings we want as we like. The first tab is the General
settings which affect how the tool funcitons. You can define how to
handle congestion, what ports to scan, what type of scan method to
use, etc. Also, we give our Policy a name so we can identify it later
for use.
Next we add any credentials we might
have on the Credentials tab. This step is optional but is suggested
if you have them as it will allow the scans to run much deeper and
with greater access. The results between a blank scan and a
credentialed scan can often times be alarming.
The next tab allow syou to define which
modules you actually want to use during the scan. Typically you will
simply use them all but in delicate situations this is where you can
go to fine tune things as needed.
The last tab we have is the preferences
tab. This tab covers a lot of items like adding additional
credentials, fine tuning scan settings, and other misc things like
this (check it out to see what all is available to you). The more
you put in the more you will get back as it allows for more in depth
scans to be performed.
When you're done simply hit the SUBMIT
button in the lower right hand corner of the last tab (Preferences).
Now we have a scan policy we can use anytime going forward, but how
do we use it? In order to use it we need to now go to the SCAN tab to
setup our actual scan to run. You will need to give your scan a name
which will be used for the reports as well, also identify the IP
address to scan. The IP can be provided as a single IP, and range or
in CIDR format. You can also choose to use a file with one IP per
line which will be used to scan through – very helpful in large
environments. The policy type from the drop down will be what defines
how the scan is performed, and is what we setup a minute ago :) When
you have it setup how you like simply hit the LAUNCH SCAN button in
lower right to start the scan process.
You can go to the REPORT tab now to
view your running scans as well as all the completed ones. You can
click on the BROWSE button up right or double-click to open any
report up to view the results of the scan.
The reports in the new v5 are really
impressive visually and make for very good reports to hand over to
others if needed following a job (use HTML output option).
The whole framework is very user
friendly, you can double-click anywhere on the report to drill down
for more information.
You can drill all the way down and see
the identified vulnerability, the CVE reference number, as well as a
general description of the vulnerability in most cases and possible
remediation paths to follow. In some cases you may even be lucky
enough to get a link to additional reference material. Now when we
are done we probably want to export a copy of the scans for safe
keeping, reference, and to use with other tools (especially
Metasploit). Nessus supports several file formats for the output
file.
The HTML report provides you with
everything needed to present the findings to both technical and
non-technical parties. It has pretty graphics which get lots of “oos
and ahs”. The .NBE and .NESSUS formats are probably the most useful
as they can both be imported into Metasploit's database for further
use, mainly CVE references to match to known exploits. Play around
with them and find what suits you best, I tend to export my results
in multiple formats so I have options depending on the need.
All in all I rate this new release an
A++ in my book. This concludes our basic instroduction to the Nessus
vulnerability scanner. You should now be able to set it up properly
on your system and customize your own scans to run on targets. I will
have a follow up series coming shortly on how we can import into
Metasploit for taking things to the next level as well as how to run
scans directly from Metasploit once our policies have been defined.
QUICK FINAL NOTE: The
Nessus Server will start up on system startup. If you wish to start,
stop, or re-start the Nessus server at anytime just use this command
syntax and select your option accordingly.
COMMAND: sudo
/et/cinit.d/nessusd start|stop|restart
I
hope you have enjoyed this tutorial and until next time, Enjoy!
No comments:
Post a Comment