CYB 362 – Vulnerability Analysis Hands-on Assignment
Objective
The objective of this lab is to gain experience in vulnerability analysis.
Prerequisites
- Laptop with internet connectivity
- Virtual environment
- One metasploitable machine
- One Kali machine
Lab Setup
- Go to https://www.tenable.com/try and sign up for a Nessus trial
- Go to the email you signed up with, copy the activation code to a note, and click the download link
- Download the Nessus version that will work on your Kali box (Nessus-x.x.x-debian_amd64.deb)
- Be sure you have downloaded and installed the VirtualBox extension pack from https://www.virtualbox.org/wiki/Downloads
- Go to https://sourceforge.net/projects/metasploitable/files/latest/download and download Metasploitable to your host machine
- Extract the files to a folder on your desktop
- In VirtualBox create a new machine
- Set the type to Linux and the version to Debian (32-bit)
- Create a new virtual hard disk, VDI
- Ensure the disk is dynamically allocated
- Set the hard disk size to whatever you like; this disk will be deleted soon
- Open the machine's settings
- Go to storage
- Under Controller: SATA, click the “machine_name”.vdi file
- Click add hard disk and choose existing disk
- Navigate to the folder with the metasploitable files
- Choose metasploitable.vmdk
- Go to the system tab
- In processor, check the extended features box
- Save the settings
Lab Procedure
- Start the Metasploitable machine you downloaded and log in
- The credentials are msfadmin:msfadmin
- Type ifconfig to get the IP address and note it
- In Kali, open a command line in your Downloads folder, where you should already have downloaded Nessus-x.x.x-debian6_amd64.deb
- Install Nessus. For this example, we are using version 7.2.1
- sudo dpkg -i Nessus-7.2.1-debian6_amd64.deb
- Start Nessus
- sudo /etc/init.d/nessusd start
- Open your browser and navigate to 127.0.0.1:8834
- Create a username and password for your Nessus account
- Enter the activation code you were sent by Tenable
- Wait for the plugins to compile (this may take some time)
- Create a new scan
- Choose advanced scan
- Name the scan msf scan
- Add the IP address of your Metasploitable machine, for example 192.168.1.x
- Save the scan
- Under My Scans, click the run button next to your new scan
- The scan populates in real time, so you may see results while it is still running
- Once the scan is complete, take a screenshot of the results
- Pick several vulnerabilities and read what they do and how to exploit them
- Next, prepare a Metasploit scan
- Open a console in Kali and start PostgreSQL
- service postgresql start
- Initialize the Metasploit database
- sudo msfdb init
- Start Metasploit
- sudo msfconsole
- Confirm that the database is connected
- db_status
- A positive result is “postgresql connected to msf”
- Next, check that the db_nmap command is available
- db_nmap
- Run nmap against the Metasploitable machine from msfconsole
- db_nmap 192.168.1.x
- Screenshot the results
- FTP appears to have an open port on the target; let’s see whether it allows anonymous login
- Select the FTP anonymous-login scanner in your msfconsole
- use auxiliary/scanner/ftp/anonymous
- Show the available options for the module
- show options
- Set RHOSTS, the target you wish to scan, to the Metasploitable machine’s IP address
- set RHOSTS 192.168.1.x
- Run the module
- run
- Screenshot the results
- Look in the auxiliary/scanner/ area of msfconsole for modules that can scan any other services you find interesting
- Scan at least one other service and screenshot the results
- Use Nessus to scan your Ubuntu VM. Discuss the vulnerabilities found, and see whether you can find any vulnerabilities in your setup that you did not know existed.
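When you review the scan results for the report, it helps to look past the raw severity colours. The following is an added example, not part of this handout or of Nessus itself: a small Python script that reads a Nessus export (the .nessus XML you can download from the scan page), counts findings per severity, and lists only those that Nessus itself flags as having a public exploit. The sample export, its plugin IDs and the second plugin name are constructed for illustration; the 192.168.1.x host matches the lab's placeholder.

```python
# Added example, not part of the lab handout: summarise a Nessus ".nessus"
# export (NessusClientData_v2 XML) by severity and list which findings
# Nessus marks as having a public exploit (<exploit_available>).
import xml.etree.ElementTree as ET
from collections import Counter

# Nessus "severity" attribute values and their labels.
SEVERITY = {"0": "Info", "1": "Low", "2": "Medium", "3": "High", "4": "Critical"}
RANK = {label: int(code) for code, label in SEVERITY.items()}

# Constructed sample export: plugin IDs and the second plugin name are
# made up for illustration; the host matches the lab's 192.168.1.x placeholder.
SAMPLE_NESSUS = """<NessusClientData_v2><Report name="msf scan">
<ReportHost name="192.168.1.x">
<ReportItem port="21" protocol="tcp" severity="2" pluginID="100001" pluginName="Anonymous FTP Enabled">
<exploit_available>false</exploit_available></ReportItem>
<ReportItem port="21" protocol="tcp" severity="4" pluginID="100002" pluginName="FTP Remote Code Execution (constructed)">
<exploit_available>true</exploit_available></ReportItem>
<ReportItem port="22" protocol="tcp" severity="0" pluginID="100003" pluginName="SSH Server Type and Version"/>
</ReportHost></Report></NessusClientData_v2>"""


def parse_nessus(xml_text):
    """One dict per ReportItem: host, port, severity label, plugin, exploit flag."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port", "0")),
                "severity": SEVERITY.get(item.get("severity"), "Info"),
                "plugin": item.get("pluginName", ""),
                # A missing element means Nessus knows of no public exploit.
                "exploit_available": item.findtext("exploit_available", "false") == "true",
            })
    return findings


def severity_counts(findings):
    """Number of findings per severity label, the figure most reports start with."""
    return dict(Counter(f["severity"] for f in findings))


def exploitable(findings, min_severity="Medium"):
    """Findings at or above min_severity that carry the exploit_available flag.
    A Medium finding without the flag is not automatically easy to exploit."""
    floor = RANK[min_severity]
    return [f for f in findings
            if RANK[f["severity"]] >= floor and f["exploit_available"]]
```

Run `parse_nessus` on your own export (read the file into a string) and compare `severity_counts` against `exploitable` when answering the report questions below.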
Report Questions
- What vulnerabilities found by Nessus would you attack? Why?
- Why would you want to scan a target using modules in msfconsole?
- Does a medium vulnerability always mean that a system can easily be exploited?
- Name two vulnerabilities found by Nessus that you would not attack and why.
- Explain why Nessus is only one step in finding vulnerabilities and how its results may be inaccurate.