Lab 4 - Vulnerability Scanning
In this lab, you will use the Nessus vulnerability scanner to probe the Metasploitable2 VM for potential weaknesses.
Note 1: This lab has a good deal of "hurry up and wait", where you wait while the scanner is fetching the latest vulnerabilities, and wait while the scan runs.
Note 2: Your setup or scan work will complete faster if you increase your Kali resource allocation beyond the VMware defaults (2 CPU cores, 2 GB of RAM). If you didn't customize these settings when you first installed Kali, change them now to 3-4 CPU cores and 4-8GB of RAM, assuming your host system has those resources available. Note that you can only change the CPU/RAM settings when the virtual machine is shut down.
Nessus
Nessus is a commercial vulnerability assessment scanner.
First, register for a personal activation code at https://www.tenable.com/tenable-for-education
Second, download a copy of Nessus from https://www.tenable.com/downloads/nessus. The current version of Nessus as-of Feb 2024 is 10.8.3.
- Intel/AMD users: Look for the platform "Linux - Debian - amd64" (Kali is Debian-based)
- Apple Silicon users: Look for the platform "Linux - Ubuntu - aarch64" (closest platform with an ARM build)
Accept the license agreement, and the download will begin.
To install Nessus:
# First, change directory ('cd') to wherever the .deb installer is.
$ cd ??????
# Then, run the installer you downloaded. Note that the filename differs depending on your architecture:
# For Intel/AMD users:
$ sudo apt install ./Nessus-10.8.3-debian10_amd64.deb
# For Apple Silicon users:
$ sudo apt install ./Nessus-10.8.3-ubuntu1804_aarch64.deb
# Should see the following message at the end of installation
# - You can start Nessus Scanner by typing /bin/systemctl start nessusd.service
# - Then go to https://localhost:8834/ to configure your scanner
# Note: Shafer got this error message, but it can be disregarded
# N: Download is performed unsandboxed as root as file
# '/home/shafer/Downloads/Nessus-10.8.3-ubuntu1804_aarch64.deb'
# couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
Register Nessus:
Register the program with the "Nessus Essentials" activation code that was emailed to you. Only after activation will Nessus download the current set of vulnerability plugins to scan for.
$ sudo /opt/nessus/sbin/nessuscli fetch --register xxx-xxx-xxxx
Add Nessus User:
$ sudo /opt/nessus/sbin/nessuscli adduser
# Pick your username
# Pick your password
# YES we want this user to be 'system administrator'
# Blank rule set
# YES to confirm
# Note: 2/1/2024 - Shafer got "An error occurred" but the account was successfully created, so ... shrug?
Start Nessus:
$ sudo systemctl start nessusd
$ sudo systemctl status nessusd # Verify it's running
Access the Nessus web GUI at https://localhost:8834
- Accept the self-signed certificate.
- Login with the user account you previously created
- Wait (and wait, and wait) while Nessus compiles all the plugins. You will not be able to start a scan until it tells you that "Plugins are done compiling"
Nessus External Scan: Tell Nessus to do an "Advanced Scan" of your Metasploitable2 VM:
- Go to Scans -> New Scan
- On the Scan Templates page under Vulnerabilities, choose the "Advanced Scan" type
- Provide a name for your scan configuration (e.g. "External Scan")
- Provide the target IP address (in this case, the IP address of the Metasploitable2 VM)
- Save the scan template
- Press the "Play" button on the My Scans page to launch the scan you just created
Once the scan has finished, answer the Deliverables questions.
Deliverables (External Scan):
- How many vulnerabilities scored as critical, high, and medium did Nessus discover?
- Submit the Report from Nessus for this scan (PDF format, Report->Complete List of Vulnerabilities by Host)
Nessus Internal Scan: Tell Nessus to do an "Advanced Scan" of your Metasploitable2 VM. But this time, we will also give Nessus a login (a "credential", in their terminology) to the target system, allowing it to perform a greater number of tests. Nessus accepts a variety of credentials, not just for the operating system (e.g. SSH or Windows login), but also for application servers such as databases, virtual machine managers, etc.
- Go to Scans -> New Scan
- On the Scan Templates page under Vulnerabilities, choose the "Advanced Scan" type
- Provide a name for your scan (e.g. "Internal Scan")
- Provide the target IP address (in this case, the IP address of the Metasploitable2 VM)
- Under Credentials -> SSH, change the authentication method to password and enter the VM's login (msfadmin / msfadmin). This will allow Nessus to ALSO do a scan from inside the system (in addition to the default external scan)
- Save the scan template
- Press the "Play" button on the My Scans page to launch the scan you just created
Once the scan has finished, answer the Deliverables questions.
When you're finished with the Nessus section of the lab, you can shut the program down.
$ sudo systemctl stop nessusd
Deliverables (Internal Scan):
- How many vulnerabilities scored as critical, high, and medium did Nessus discover?
- Submit the Report from Nessus for this scan (PDF format, Report->Detailed Vulnerabilities by Host).
Observe that there might be a slight difference in the length of the report, compared to the earlier report type.
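Both deliverables ask for counts of critical, high and medium findings, and the internal-scan section claims that a credentialed scan runs more checks. The script below is an added example, not part of the lab handout or of Tenable's tooling: it parses a Nessus export in the .nessus (v2 XML) format, tallies findings by severity, and lists which findings appear only in the credentialed scan. It assumes the standard .nessus layout (ReportHost elements holding ReportItem elements whose `severity` attribute runs 0 for Info to 4 for Critical, and whose `pluginID` identifies the check that fired). The embedded sample exports are constructed, with placeholder plugin IDs and names; run it against your own exports (Export -> Nessus in the web UI) to cross-check the numbers you report.

```python
"""Summarise Nessus .nessus (v2 XML) exports by severity and compare two scans.

Added example for this lab; not part of the lab handout or of Tenable's tooling.
Assumes the standard .nessus v2 layout: ReportHost elements holding ReportItem
elements whose `severity` attribute runs 0 (Info) to 4 (Critical) and whose
`pluginID` identifies the check that fired.
"""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}


def _build_sample(report_name, items):
    """Build a minimal .nessus document from (port, severity, pluginID, pluginName)
    tuples. Only used to construct offline sample data; a real export carries
    many more child elements per ReportItem."""
    body = "".join(
        f'<ReportItem port="{port}" svc_name="x" protocol="tcp" severity="{sev}" '
        f'pluginID="{pid}" pluginName="{name}" pluginFamily="Misc."/>'
        for port, sev, pid, name in items
    )
    return (
        "<NessusClientData_v2>"
        f'<Report name="{report_name}"><ReportHost name="192.0.2.10">{body}'
        "</ReportHost></Report></NessusClientData_v2>"
    )


# Constructed sample data (placeholder plugin IDs and names, not real Nessus plugins).
EXTERNAL_ITEMS = [
    (0, 0, "100001", "Placeholder host info"),
    (21, 4, "100002", "Placeholder critical FTP finding"),
    (22, 2, "100003", "Placeholder medium SSH finding"),
    (80, 3, "100004", "Placeholder high web finding"),
    (8080, 3, "100004", "Placeholder high web finding"),  # same plugin, second port
]
# The credentialed ("internal") scan sees everything the external one did, plus a
# local-only check that can only run with an SSH login.
INTERNAL_ITEMS = EXTERNAL_ITEMS + [(0, 3, "100005", "Placeholder local package finding")]
SAMPLE_EXTERNAL = _build_sample("External Scan", EXTERNAL_ITEMS)
SAMPLE_INTERNAL = _build_sample("Internal Scan", INTERNAL_ITEMS)


def findings(nessus_xml):
    """Yield (host, pluginID, pluginName, severity_int) for every ReportItem."""
    root = ET.fromstring(nessus_xml)
    for host in root.iter("ReportHost"):
        hostname = host.get("name", "?")
        for item in host.iter("ReportItem"):
            yield (hostname, item.get("pluginID"), item.get("pluginName", ""),
                   int(item.get("severity", "0")))


def count_by_severity(nessus_xml, unique_per_host=True):
    """Count findings per severity name. With unique_per_host=True a plugin that
    fires on several ports of one host is counted once (the Nessus UI groups a
    host's findings by plugin); with False every ReportItem is counted."""
    counts = Counter()
    seen = set()
    for host, pid, _name, sev in findings(nessus_xml):
        if unique_per_host:
            if (host, pid) in seen:
                continue
            seen.add((host, pid))
        counts[SEVERITY_NAMES.get(sev, "Unknown")] += 1
    return {name: counts.get(name, 0) for name in SEVERITY_NAMES.values()}


def credentialed_only(external_xml, internal_xml):
    """Return sorted (host, pluginID, pluginName) for findings present only in
    the credentialed scan: the extra coverage the SSH login buys."""
    ext = {(h, p) for h, p, _n, _s in findings(external_xml)}
    return sorted({(h, p, n) for h, p, n, _s in findings(internal_xml) if (h, p) not in ext})


if __name__ == "__main__":
    # Usage: python nessus_summary.py external.nessus internal.nessus
    # With no arguments the constructed samples are used.
    if len(sys.argv) == 3:
        ext_xml, int_xml = (open(p, encoding="utf-8").read() for p in sys.argv[1:3])
    else:
        ext_xml, int_xml = SAMPLE_EXTERNAL, SAMPLE_INTERNAL
    for label, xml in (("External", ext_xml), ("Internal", int_xml)):
        print(label, count_by_severity(xml))
    for host, pid, name in credentialed_only(ext_xml, int_xml):
        print(f"only with credentials: {host} plugin {pid} ({name})")
```

The two counting modes matter when you compare your numbers against the web UI: a plugin that fires on several ports of the same host is one row in the host's vulnerability list but several ReportItem elements in the export, so pick the mode that matches the report you are submitting and say which you used.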
Deliverable (Essay):
Pick one of the vulnerabilities scored as "Critical" by Nessus. Provide the title Nessus gives it and then explain the vulnerability in your own words, as if you were explaining it to another student. Copying and pasting text from the Nessus report is NOT a sufficient explanation here. You may need to follow the links Nessus provides and/or search for additional information on your own.
In your answer, explain:
- What is the vulnerability?
- How could it be exploited?
- How could it be fixed?
A 2 paragraph answer is a sufficient level of detail.