
OULD AMARA Amine


Vulnerability management using Nessus

What is vulnerability management ?

Vulnerability management is the process of identifying, evaluating, treating and reporting on security vulnerabilities in systems and in the software that runs on them. Used alongside other security controls, it lets an organization prioritize the threats it is most likely to face and shrink its attack surface.

Security vulnerabilities, in turn, are technological weaknesses that let an attacker compromise a product and the information it holds. The process has to run continuously in order to keep up with new systems joining the network, changes made to existing systems, and new vulnerabilities being discovered over time.

How does Nessus work ?

To understand how Nessus and other port-scanning security tools work, you need to know how different services (a web server, an SMTP server, an FTP server, and so on) are reached on a remote machine. Most application traffic, such as email and web pages, reaches a server over an application-layer protocol that is carried reliably inside a TCP stream. To keep different streams from interfering with each other, a computer divides its single network connection into 65,535 logical endpoints per transport protocol, called ports. So to talk to a web server on a given machine you connect to port 80 (the standard HTTP port), while to reach an SMTP server on that same machine you connect to port 25 instead.

Each of those ports may or may not have a service (a server for a specific application protocol) listening on it. Nessus works by probing the ports on a target, working out which service is answering on each open one, and then testing that service for known vulnerabilities an attacker could use to carry out an attack. Nessus is called a "remote scanner" because it does not need to be installed on the machine it tests: you install it on a single machine and scan as many other machines as you like.
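The following is an added example and not part of the original post: a minimal TCP connect probe that shows the first stage of what a scanner does, namely trying each port, recording which ones accept a connection, and reading whatever banner the service volunteers. The target address and port list are assumptions; point it at your own lab VM.

```powershell
# Added example (not from the original post). Probes a list of TCP ports the way
# the first stage of a network scanner does: connect, then read any banner.
function Test-TcpPort {
    param(
        [Parameter(Mandatory)] [string] $Target,
        [Parameter(Mandatory)] [int]    $Port,
        [int] $TimeoutMs = 500
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $task = $client.ConnectAsync($Target, $Port)
        # Task.Wait(ms) returns $false on timeout (filtered port or dead host)
        if (-not $task.Wait($TimeoutMs) -or -not $client.Connected) {
            return [pscustomobject]@{ Port = $Port; Open = $false; Banner = '' }
        }
        $banner = ''
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $buffer = New-Object byte[] 256
        try {
            # SMTP, FTP and SSH speak first; HTTP waits for the client, so the
            # read may simply time out and the banner stays empty.
            $n = $stream.Read($buffer, 0, $buffer.Length)
            if ($n -gt 0) {
                $banner = [Text.Encoding]::ASCII.GetString($buffer, 0, $n).Trim()
            }
        } catch [System.IO.IOException] { }
        return [pscustomobject]@{ Port = $Port; Open = $true; Banner = $banner }
    } catch [System.AggregateException] {
        # A refused connection surfaces as a faulted task when Wait() is called
        return [pscustomobject]@{ Port = $Port; Open = $false; Banner = '' }
    } finally {
        $client.Dispose()
    }
}

# Assumptions: the lab VM's address and a handful of commonly exposed ports.
$Target = '192.168.1.50'
$Ports  = 21, 22, 25, 80, 135, 139, 443, 445, 3389

$Ports | ForEach-Object { Test-TcpPort -Target $Target -Port $_ } |
    Where-Object Open |
    Format-Table Port, Banner -AutoSize
```

A real scanner goes much further than this (service fingerprinting for services that stay silent, version matching against a vulnerability database, and, with credentials, logging in), but every finding in the uncredentialed scan later in this post starts from exactly this kind of probe.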

Downloading and installing required software and OS

Download and install Nessus essentials

To download Nessus Essentials, follow this link to the download page. You'll have to create an account with your name and email, then you'll be redirected to a page where you can click Download to get the software. Look for the most recent version that's compatible with your OS; in my case it's this one:


After the download has finished, install the package. A browser window then opens at "https://localhost:8834/" (on Linux you may have to allow that port through the firewall first).
Click "Connect via SSL". Your browser will warn you that the connection is not private, because Nessus ships with a self-signed certificate; click "Advanced" and "Proceed to ...", then wait a few minutes for the configuration to finish.
Next choose Nessus Essentials, the free version of the product (licensed for up to 16 IP addresses), and click Continue. Since you already received the activation code when you registered, click Skip and enter the code directly instead of giving your name and email again. Click Continue, set up a username and password (don't lose them, this is the scanner's administrator account) and click Submit. While Nessus finishes installing and downloading its plugins, let's download and install our Windows 10 client machine in VirtualBox.

Oracle VirtualBox

Note that your computer's performance may suffer depending on its hardware and on how much of it you allocate to the virtual machines.

On Windows

Go to VirtualBox's download page and follow the installation instructions.

On Linux

Follow this guide by Oracle. If you run into dependency issues, check this page by the VirtualBox team.

On macOS

As on Windows, you only need to visit VirtualBox's download page, select the OS X hosts option and follow the installation instructions.

Windows 10

Go to this page to get it. Click "Get started" and follow the prompts until you reach the download page. Choose your language and whether you want the 32-bit or 64-bit version; I downloaded the 64-bit version because I installed it on a 64-bit machine. Remember where you saved the ISO file, you'll need it later.

Creating the virtual machines

Next we create the virtual machine. Open VirtualBox; I'm using Ubuntu 20.04, so your interface may look slightly different on Windows or macOS.
Click "New" and create the Windows 10 machine first: pick Windows 10 (64-bit) as the version and give the VM a name that tells you which machine is which. You can leave the defaults and click Next, or tweak memory and disk as you please; size them so that your hardware can run up to three virtual machines at the same time.

Installing Windows 10 in our VM

Before launching the VM, select it, open "Settings" > "Network" and set "Attached to:" to "Bridged Adapter", so that the guest gets an address on the same LAN as your host.
Double-click the VM to start it. A window opens asking for a start-up disk; this is where we select the Windows 10 ISO we downloaded earlier. Click "Choose a virtual optical disk file" (the small yellow folder next to the list), click Add, browse to the Windows 10 ISO and add it, select it in the updated list of optical drives and click OK. Start the virtual machine and you'll land in a standard Windows 10 installation: click Next, choose Custom install and click Next.

Ensure connectivity with VM

To scan the virtual machine for vulnerabilities we need network connectivity to it. Open a command prompt on the Windows 10 guest and type "ipconfig"; the machine's address is listed under IPv4 Address. Back on your host, open a terminal and ping that address. It will most likely fail, even though both machines are on the same bridged network, because Windows Defender Firewall blocks inbound ICMP echo requests by default.
In a real deployment the scanner and its targets sit on the same network anyway. If you'd rather keep the lab off your LAN, you can instead install Nessus in a second VM and put both VMs on the same VirtualBox internal network, or add a second, host-only network adapter to the Windows 10 guest and configure it.
For simplicity's sake we'll turn off the Windows 10 guest's firewall. Note that this is not something you'd do in real life: it's a vulnerability in itself, and the narrower fix is to allow only ICMP echo and the scanner's address.
To do that, on the Windows 10 machine open Start, type "wf.msc" and open Windows Defender Firewall with Advanced Security. Click "Windows Defender Firewall Properties" and set "Firewall state" to Off on the "Domain Profile", "Private Profile" and "Public Profile" tabs.


Ping the guest machine again and it now answers, because we have allowed all inbound connections to it.
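As an added example (not part of the original post), here is the same firewall step in an elevated PowerShell on the Windows 10 VM: the function that reproduces the wf.msc clicks above next to the narrower alternative that keeps the firewall on and admits only the scanner. The scanner's IP address is an assumption; use your host's address.

```powershell
# Added example, not from the original post. Run as administrator on the VM.
$ScannerIp = '192.168.1.10'   # assumption: the machine running Nessus

function Disable-LabFirewall {
    # Equivalent of the wf.msc clicks: firewall off on all three profiles.
    # Acceptable only on a throwaway lab VM.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled False
}

function Enable-LabScannerAccess {
    # Narrower alternative: firewall stays on and only the scanner gets in, and
    # only on what this lab needs: ICMP echo for discovery, and TCP 135/139/445
    # for the SMB and RPC access the credentialed scan uses later on.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True
    New-NetFirewallRule -DisplayName 'Lab: ICMPv4 echo from scanner' -Direction Inbound `
        -Protocol ICMPv4 -IcmpType 8 -RemoteAddress $ScannerIp -Action Allow | Out-Null
    New-NetFirewallRule -DisplayName 'Lab: SMB and RPC from scanner' -Direction Inbound `
        -Protocol TCP -LocalPort 135, 139, 445 -RemoteAddress $ScannerIp -Action Allow | Out-Null
}

function Get-LabFirewallState {
    # Check what is actually exposed: profile state plus the lab rules
    Get-NetFirewallProfile | Select-Object Name, Enabled
    Get-NetFirewallRule -DisplayName 'Lab:*' |
        Select-Object DisplayName, Enabled, Direction, Action,
            @{ n = 'Remote'; e = { ($_ | Get-NetFirewallAddressFilter).RemoteAddress } },
            @{ n = 'Ports';  e = { ($_ | Get-NetFirewallPortFilter).LocalPort } }
}

function Remove-LabScannerAccess {
    # Clean up when the lab is over
    Get-NetFirewallRule -DisplayName 'Lab:*' | Remove-NetFirewallRule
}

Enable-LabScannerAccess
Get-LabFirewallState
```

With the rules in place, ping from the scanner host works while the rest of the LAN still sees a closed box, which is what a scanner's network access normally looks like in production. If a finding later mentions WMI, note that WMI also uses the dynamic RPC port range and would need its own rule.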

Create a new scan in Nessus

Nessus Essentials should be ready by now. It's a web application, so it's normal to use it from a browser. Click "New Scan", choose "Basic Network Scan", give it a name, enter the Windows 10 VM's IP address in the "Targets" field and click Save.


There are many other options for a scan. You can schedule it to run every so often, or run a credentialed scan with a username and password for the target machine, which goes much deeper because Nessus can then log in and read the registry, installed software and other things that require admin rights.

Inspecting the first scan (no credentials)

In the "My Scans" panel you'll find the scan you just created; click Launch and wait for it to finish. Click it when it's done and you'll see a lot of data: scan details on the right and tabs at the top. Hosts lists the targets that were scanned; Vulnerabilities lists the findings on the machine, colour-coded by severity (Critical, High, Medium, Low and Info). Info means it's not necessarily a vulnerability but something worth knowing. Each finding comes with a description and a suggested remediation.
Go through each one and try to understand what it's about. You'll notice some say that Nessus couldn't fully check for them because we didn't provide credentials; we'll fix that in the next step.

Configuring VM for credentialed scans

To run a credentialed scan against a standalone (non-domain) Windows 10 machine with a local account, a few things have to change on the VM: by default Windows filters the token of a local administrator connecting over the network (UAC remote restrictions), and the Remote Registry service that Nessus relies on is disabled. In an organization the scanner and its targets would typically be in the same domain and the scan would use a domain account, so these tweaks wouldn't be necessary.


  • We already set the VM's network adapter to Bridged; if not, shut the VM down and do it now.
  • Open the Start menu and search for "services.msc", find "Remote Registry", double-click it, set "Startup type" to Automatic and click Start.
  • From the Start menu search for "Advanced sharing settings" and turn on network discovery and file and printer sharing. Then search for "User Account Control settings" and move the slider down to "Never notify".
  • From the Start menu open "Registry Editor" and navigate to "Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" (or paste the path into the address bar). Right-click an empty spot in the right pane, choose New -> DWORD (32-bit) Value, name it "LocalAccountTokenFilterPolicy", double-click it and set the value to 1. Note that this is the setting that lets any local administrator account obtain a full admin token over the network, so revert it once the lab is over. Restart the machine for the changes to take effect.
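The same four tweaks as a script, added here as an example and not taken from the original post, with a check to confirm the machine is ready and a function that puts the Windows 10 defaults back. Run it in an elevated PowerShell on the VM. The UAC registry values used for "Never notify" (ConsentPromptBehaviorAdmin = 0, PromptOnSecureDesktop = 0) are what the slider writes; the revert values are the Windows 10 defaults.

```powershell
# Added example, not from the original post. Run as administrator on the VM.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Enable-LabCredentialedScan {
    # 1. Remote Registry: Nessus reads the registry through this service
    Set-Service -Name RemoteRegistry -StartupType Automatic
    Start-Service -Name RemoteRegistry

    # 2. The firewall rule groups behind the "Advanced sharing settings" toggles
    Set-NetFirewallRule -DisplayGroup 'Network Discovery' -Enabled True
    Set-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Enabled True

    # 3. UAC slider at "Never notify"
    Set-ItemProperty -Path $PolicyKey -Name ConsentPromptBehaviorAdmin -Value 0 -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name PromptOnSecureDesktop -Value 0 -Type DWord

    # 4. Disable UAC remote restrictions so a local admin gets a full token over
    #    the network. This is the setting lateral-movement tooling also relies on,
    #    hence the revert function below.
    New-ItemProperty -Path $PolicyKey -Name LocalAccountTokenFilterPolicy `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-LabCredentialedScan {
    # Quick readiness check before you launch the scan from Nessus
    $policy = Get-ItemProperty -Path $PolicyKey
    [pscustomobject]@{
        RemoteRegistry    = (Get-Service -Name RemoteRegistry).Status
        TokenFilterPolicy = $policy.LocalAccountTokenFilterPolicy
        UacAdminPrompt    = $policy.ConsentPromptBehaviorAdmin
        SmbListening      = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
    }
}

function Disable-LabCredentialedScan {
    # Back to Windows 10 defaults once the lab is over
    Remove-ItemProperty -Path $PolicyKey -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
    Set-ItemProperty -Path $PolicyKey -Name ConsentPromptBehaviorAdmin -Value 5 -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name PromptOnSecureDesktop -Value 1 -Type DWord
    Set-NetFirewallRule -DisplayGroup 'Network Discovery' -Enabled False
    Set-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Enabled False
    Stop-Service -Name RemoteRegistry
    Set-Service -Name RemoteRegistry -StartupType Disabled
}

Enable-LabCredentialedScan
Test-LabCredentialedScan
Restart-Computer -Confirm
```

Expect RemoteRegistry to read Running, TokenFilterPolicy 1 and UacAdminPrompt 0 before the reboot; if SmbListening is False the Server service is off and the credentialed scan will fail to log in regardless of the credentials you give Nessus.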

First scan with credentials

Back in Nessus, under My Scans, you can create a new scan or modify the previous one: tick the scan you created earlier, go to "More" > "Configure". This time open the "Credentials" tab and choose Windows in the left pane, set the authentication method to "Password" and fill in the username of the Windows 10 VM account (if you can't remember it, open a command prompt on the VM and type "whoami"). Enter the password, leave the other settings at their defaults, click Save and launch the scan.

Inspecting the first scan (with credentials)

Right away you'll see many more high and critical vulnerabilities than in the previous scan; you can compare the two runs in the "History" tab. The reason is that without credentials Nessus could only probe the services exposed on the network, whereas now it can log in and inspect the filesystem, the registry, installed software and patch levels. Dive into the results and the other tabs, and try to remediate some of these issues to get a feel for the process.
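Beyond eyeballing the History tab, you can export each run (Export > Nessus) and diff them. The script below is an added example, not part of the original post: it parses two .nessus v2 exports, counts findings per severity and lists what only the credentialed run produced. The two XML documents embedded here are constructed sample data in the .nessus v2 layout with placeholder plugin IDs and names, not real scan output.

```powershell
# Added example, not from the original post. Constructed .nessus v2 samples:
$Uncredentialed = @'
<NessusClientData_v2><Report name="win10-nocreds">
 <ReportHost name="192.168.1.50">
  <ReportItem port="445"  protocol="tcp" svc_name="cifs"  severity="2" pluginID="900001" pluginName="Sample SMB configuration finding"/>
  <ReportItem port="3389" protocol="tcp" svc_name="msrdp" severity="0" pluginID="900002" pluginName="Sample RDP service detected"/>
 </ReportHost></Report></NessusClientData_v2>
'@
$Credentialed = @'
<NessusClientData_v2><Report name="win10-creds">
 <ReportHost name="192.168.1.50">
  <ReportItem port="445"  protocol="tcp" svc_name="cifs"  severity="2" pluginID="900001" pluginName="Sample SMB configuration finding"/>
  <ReportItem port="3389" protocol="tcp" svc_name="msrdp" severity="0" pluginID="900002" pluginName="Sample RDP service detected"/>
  <ReportItem port="0"    protocol="tcp" svc_name="general" severity="4" pluginID="900003" pluginName="Sample missing cumulative update (local check)"/>
  <ReportItem port="0"    protocol="tcp" svc_name="general" severity="3" pluginID="900004" pluginName="Sample outdated browser (local check)"/>
 </ReportHost></Report></NessusClientData_v2>
'@

# Nessus severity codes: 0 Info, 1 Low, 2 Medium, 3 High, 4 Critical
$SeverityName = 'Info', 'Low', 'Medium', 'High', 'Critical'

function Get-NessusFindings {
    param([Parameter(Mandatory)] [string] $NessusXml)
    $doc = [xml]$NessusXml
    foreach ($host in $doc.NessusClientData_v2.Report.ReportHost) {
        foreach ($item in $host.ReportItem) {
            [pscustomobject]@{
                Host     = $host.name
                Port     = [int]$item.port          # 0 means a local (logged-in) check
                Severity = $SeverityName[[int]$item.severity]
                PluginID = $item.pluginID
                Plugin   = $item.pluginName
            }
        }
    }
}

function Compare-NessusScans {
    # Returns the findings present in the second export but not the first,
    # matched on plugin ID and port
    param([string] $BeforeXml, [string] $AfterXml)
    $before = Get-NessusFindings $BeforeXml
    $after  = Get-NessusFindings $AfterXml
    Compare-Object $before $after -Property PluginID, Port -PassThru |
        Where-Object SideIndicator -eq '=>' |
        Select-Object Host, Port, Severity, Plugin
}

'Uncredentialed scan by severity:'
Get-NessusFindings $Uncredentialed | Group-Object Severity | Select-Object Name, Count
'Credentialed scan by severity:'
Get-NessusFindings $Credentialed | Group-Object Severity | Select-Object Name, Count
'New in the credentialed scan:'
Compare-NessusScans -BeforeXml $Uncredentialed -AfterXml $Credentialed | Format-Table -AutoSize
```

In the sample data the two new findings both have port 0, which is how local checks (patch level, installed software) show up; that is exactly the class of finding an uncredentialed scan cannot produce. Running the same comparison on the export after your remediation pass, with the arguments swapped, lists what the updates fixed.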

Remediating vulnerabilities

One of the easiest things you can do is update Windows and any outdated software. Search for "Updates" in the Start menu and install the latest updates. Next open Microsoft Edge and go to Settings and more > Help and feedback > About Microsoft Edge (edge://settings/help). If the About page says "Microsoft Edge is up to date", you don't need to do anything; if it says "An update is available", select Download and install to proceed.
Not all vulnerabilities are remediated with updates and patches; some need a configuration change. Try to remediate the remaining findings yourself for practice.

Inspect scan results after remediating vulnerabilities

Running another scan on the machine shows fewer high-risk vulnerabilities, but some still need to be remediated manually.

Final thoughts

In this lab you've learned:

  • How to install a Windows 10 virtual machine in Oracle VirtualBox.
  • How to install Nessus Essentials and run scans, with and without credentials.
  • How to analyze the results and remediate some of the vulnerabilities found.

These are the basics of how vulnerability management works, but there's still a lot more to learn. Read up on the subject, visit Tenable's documentation on Nessus and try out the other features available in Nessus Essentials.
You can also keep experimenting by installing older software or operating systems such as Windows 7 or XP. Learn how vulnerability management is done in large organizations, where scans run from a central scanner against computers and devices all within the same domain, credentialed scans use a dedicated scanning account, and other, more advanced techniques come into play.
Also, automate OS and software updates in your organization so you can focus on the issues that are harder to fix than simply launching an update. Machines should be deployed with zero or as few vulnerabilities as possible; this is called a "secure build standard", making sure a device is hardened before it goes into production.
Lastly, you'll also have to deal with humans and not only machines: getting everyone to coordinate and cooperate against threats, responding when an incident occurs and preventing it from recurring can also be part of the job.


