Learn Penetration Testing

Nessus

Nessus is one of the most popular vulnerability scanners on the market. Like other vulnerability scanners, Nessus contains a database of known vulnerabilities across different platforms and protocols. Nessus is available in both the paid version (commonly used by penetration testers and in-house security departments to perform vulnerability scans) and the free version, which is called Nessus Home. In this book, we will use Nessus Home, which is limited to scanning only a few IP addresses. Since Nessus is not installed by default in Kali Linux, we will need to install it.

Follow these steps to do so:

  1. Navigate to https://www.tenable.com/products/nessus-home and register for an activation code for Nessus Home. Once you complete the registration, you will have the option to download Nessus. The direct link for the Nessus download page is https://www.tenable.com/downloads/nessus#download.
  2. Download the version titled Debian 6, 7, 8, 9/Kali Linux 1, 2017.3 AMD64, or Debian 6, 7, 8, 9/Kali Linux 1, 2017.3 i386 (32-bit), depending on your Kali Linux architecture. Although the package title lists a previous version of Kali Linux, it works with the version used throughout this book, which is 2019.1.
  3. Once you have downloaded the correct version, you can install it within Kali Linux by navigating to your download directory and running the dpkg -i command on the package. The installation should be relatively quick. Once completed, you will be presented with the summary, as shown in Figure 19:

Figure 19: Nessus installation

  4. Start the Nessus scanner by running the /etc/init.d/nessusd start or service nessusd start command and navigate to the graphical interface, which is located at https://kali:8834, using Firefox ESR, which is built into Kali Linux.

The URL for the graphical interface might differ in your environment. Please take note of the summary once the installation completes.
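Before running dpkg -i on a package downloaded from a vendor site, a practitioner checks that the file matches the checksum the vendor publishes beside it. The following helper is an added example, not code from the book or from Tenable: it hashes the downloaded .deb, compares it with the expected SHA-256 (the EXPECTED_SHA256 placeholder is assumed to be copied from the download page), and only then runs the install and start commands from the steps above.

```python
#!/usr/bin/env python3
"""Verify a downloaded Nessus .deb against a published checksum, then install it.

Added example (not from the book). EXPECTED_SHA256 is a placeholder: replace it
with the SHA-256 value published beside the package you downloaded.
"""
import hashlib
import hmac
import subprocess
import sys
from pathlib import Path

# Placeholder, not a real checksum: copy the published value for your package here.
EXPECTED_SHA256 = "<sha256 published beside the package on the download page>"


def sha256_of(path):
    """Stream the file through SHA-256 so a large package never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def checksum_matches(path, expected_hex):
    """True only when the file's SHA-256 equals the published value (case-insensitive)."""
    return hmac.compare_digest(sha256_of(path).lower(), expected_hex.strip().lower())


def install_commands(deb_path):
    """The two commands from the installation steps, as argv lists, in order."""
    return [
        ["dpkg", "-i", str(deb_path)],
        ["service", "nessusd", "start"],
    ]


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} <Nessus .deb>", file=sys.stderr)
        return 2
    deb = Path(argv[1])
    if not checksum_matches(deb, EXPECTED_SHA256):
        # A mismatch means a corrupted or tampered download; do not install it.
        print(f"checksum mismatch for {deb}; refusing to install", file=sys.stderr)
        return 1
    for cmd in install_commands(deb):
        subprocess.run(cmd, check=True)  # dpkg and service need root privileges
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as root with the path to the downloaded package; on a mismatch it exits without touching the system.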

Once Nessus has been started and you navigate to the administrator URL, you will be presented with some options to create a new user account. After the account has been created, Nessus will perform some post-installation tasks, such as installing plugins. Once all of the tasks are completed, you will be able to log in to the admin portal, as shown in Figure 20:

Figure 20: The Nessus admin portal

Let's perform a vulnerability scan on a Metasploitable 2 virtual machine (which you learned about in Chapter 1, Introduction to Penetration Testing). To get your Metasploitable 2 virtual machine up and running, open metasploitable.vmx with your hypervisor (in my case, I am using VMware Fusion). Once Metasploitable 2 loads, log in using the default username and password of msfadmin and issue the ifconfig command to display the IP address of the virtual machine, as shown in Figure 21. Make sure that Kali Linux is on the same virtual network as Metasploitable:

Figure 21: Metasploitable 2 IP address

From the Nessus admin portal, select New Scan. You will be presented with a number of scan templates. A scan template is a set of predefined tasks that you can quickly leverage for a specific type of scan. Some templates are only available in the paid license version of Nessus. For our demo, we will use the Basic Network Scan template. Once we've selected this template, we will be presented with a number of options.

Under the Settings tab, in the General section, we will provide inputs for the Name, Description, and Targets fields, as shown in Figure 22:

Figure 22: Nessus scan general configuration

The next section we will configure is under the Discovery section, and the Scan Type that we will select is Port Scan (common ports). After that, we will select Assessment and choose the Scan for all web vulnerabilities (complex) option. Lastly, we will click on Save. Once you have saved the scan, you will be directed back to the main admin page, where you can now select your saved scan and then click on the Launch button. Your scan will now begin running and after a while, you will be presented with the output, as shown in Figure 23:

Figure 23: Nessus scan results

As we can see, Nessus found a number of vulnerabilities in Metasploitable 2 and lists them in order of criticality. Each finding comes with detailed information. For example, by looking at one of the critical findings, we can see that Nessus reports whether it is exploitable, and even goes one step further and names what the vulnerability is exploitable with, as shown in Figure 24:

Figure 24: Nessus vulnerability information

You can perform a Nessus scan on both the Metasploitable 2 and 3 virtual machines. In Chapter 5, Diving into the Metasploit Framework, you will use the Nessus scan of the Metasploitable 3 virtual machine.

Nessus and OpenVAS are both excellent vulnerability scanners. It's important to note that as a penetration tester, knowing how to interpret the vulnerability assessment results is a key skill to have. Generally, verification of the results will need to be conducted manually to ensure that you have the full picture and can eliminate any false positives.
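The portal already orders findings by criticality and marks exploitability, but the interpretation and manual verification described above are easier to keep track of outside the GUI. The script below is an added example, not code from the book or from Tenable: it reads a Nessus v2 export (the .nessus XML a completed scan can be saved as), orders findings the way the portal does, flags the exploitable High and Critical ones as the first candidates for hands-on verification, and leaves a verified field for the tester to fill in so false positives can be recorded rather than lost. The embedded export is a constructed sample in that format; its plugin IDs, host, ports and names are made up.

```python
#!/usr/bin/env python3
"""Triage a Nessus v2 export: order by severity, flag exploitable findings,
and build the list that needs manual verification.

Added example (not from the book). SAMPLE_EXPORT is a constructed document in
the shape of a .nessus (NessusClientData_v2) file; all values are made up.
"""
import xml.etree.ElementTree as ET
from collections import Counter

SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample export: fictitious plugin IDs, host address and findings.
SAMPLE_EXPORT = """<NessusClientData_v2>
 <Report name="constructed-scan">
  <ReportHost name="192.0.2.10">
   <ReportItem port="21" svc_name="ftp" protocol="tcp" severity="4" pluginID="900001" pluginName="Constructed: FTP service backdoor">
    <exploit_available>true</exploit_available>
    <cvss_base_score>10.0</cvss_base_score>
    <plugin_output>constructed banner text</plugin_output>
   </ReportItem>
   <ReportItem port="80" svc_name="www" protocol="tcp" severity="2" pluginID="900002" pluginName="Constructed: Web server version disclosure">
    <exploit_available>false</exploit_available>
    <cvss_base_score>5.0</cvss_base_score>
   </ReportItem>
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="900003" pluginName="Constructed: Host information">
   </ReportItem>
   <ReportItem port="3306" svc_name="mysql" protocol="tcp" severity="3" pluginID="900004" pluginName="Constructed: Database weak credentials">
    <exploit_available>true</exploit_available>
    <cvss_base_score>7.5</cvss_base_score>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""


def parse_findings(xml_text):
    """Flatten Report/ReportHost/ReportItem into one dict per finding."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            exploit = (item.findtext("exploit_available") or "false").strip().lower() == "true"
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port", "0")),
                "protocol": item.get("protocol"),
                "plugin_id": item.get("pluginID"),
                "name": item.get("pluginName"),
                "severity": int(item.get("severity", "0")),
                "exploit_available": exploit,
                "cvss": float(item.findtext("cvss_base_score") or 0.0),
                "verified": None,  # None = not yet checked; set True/False after manual verification
            })
    return findings


def by_criticality(findings, min_severity=1):
    """Drop informational entries and sort like the portal: highest severity first,
    then highest CVSS, with exploitable findings ahead of non-exploitable ones."""
    kept = [f for f in findings if f["severity"] >= min_severity]
    return sorted(kept, key=lambda f: (f["severity"], f["cvss"], f["exploit_available"]), reverse=True)


def verification_queue(findings):
    """Findings to confirm by hand first: exploitable and rated High or Critical."""
    return [f for f in by_criticality(findings) if f["exploit_available"] and f["severity"] >= 3]


def severity_summary(findings):
    """Count of findings per severity name, for the report overview."""
    return Counter(SEVERITY_NAMES[f["severity"]] for f in findings)


if __name__ == "__main__":
    items = parse_findings(SAMPLE_EXPORT)
    print(dict(severity_summary(items)))
    for f in by_criticality(items):
        flag = "EXPLOITABLE" if f["exploit_available"] else ""
        print(f'{SEVERITY_NAMES[f["severity"]]:8} {f["host"]}:{f["port"]}/{f["protocol"]}  {f["name"]} {flag}')
    print("verify first:", [f["plugin_id"] for f in verification_queue(items)])
```

To use it on a real scan, export the completed scan from the portal in Nessus format and pass the file contents to parse_findings in place of SAMPLE_EXPORT; the verified field is where the result of each manual check is recorded.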