Metasploit Penetration Testing Cookbook

Vulnerability scanning with Nessus

So far, we have learned the basics of port scanning, along with its practical implementation with Nmap. Port scanning has been extended by several other tools that further enhance the process of scanning and information gathering. In the next few recipes, we will cover tools that scan the target for available services and open ports and then try to determine the type of vulnerability that may exist for that particular service or port. Let us begin our journey into vulnerability scanning.

Nessus is one of the most widely used vulnerability scanners. It scans the target for a range of vulnerabilities and produces a detailed report of them. Nessus is a very helpful tool during penetration testing. You can either use the GUI version of Nessus or drive it from the Metasploit console. In this book, we will primarily focus on using Nessus with msfconsole.

Getting ready

To start working with Nessus in msfconsole, we will have to load the Nessus plugin and then connect it to the Nessus server to start our penetration testing.

First, we will connect our database to Metasploit so as to store the interim results. The process of starting and connecting the database in Metasploit was explained in the previous chapter. After connecting the database, our next task is to load the Nessus plugin.

How to do it...

  1. To connect the database and load Nessus in Metasploit, we will execute the following commands:
    msf > db_connect msf3:8b826ac0@127.0.0.1:7175/msf3
    msf > load nessus
    [*] Nessus Bridge for Nessus 4.2.x
    [+] Type nessus_help for a command listing
    [*] Successfully loaded plugin: nessus
  2. After successfully loading it, we will have to connect it with the server. The following command is used to connect it with the server:
    msf > nessus_connect root:toor@localhost ok
    [*] Connecting to https://127.0.0.1:8834/ as root
    [*] Authenticated

    In the preceding command, ok is an extra parameter that is passed to confirm that the Nessus server is running on a trusted network.

We can check for the list of available users in Nessus by using the nessus_user_list command.

A new user can also be added by using the command nessus_user_add. By using the command nessus_policy_list, we can view the list of available policies on the server; the policy number shown there is what we will pass when starting a scan.

How it works...

Once the plugin is connected to the Nessus server, it can be used for scanning target machines. The process of scanning is simple and quick. Let us perform a quick scan on a target to see how Nessus scanning operates. To start the scan, we pass the policy number, a name for the scan, and the target address:

msf > nessus_scan_new 1 testscan 192.168.56.102
[*] Creating scan from policy number 1, called "testscan" and scanning 192.168.56.102
[*] Scan started. uid is 9d337e9b-82c7-89a1-a194-4ef154b82f624de2444e6ad18a1f

Once the scanning process is complete, our next step is to import the report generated by Nessus. Let us check the list of available reports:

msf > nessus_report_list
[+] Nessus Report List
ID                                                   Name      Status
--                                                   ----      ------
9d337e9b-82c7-89a1-a19-4ef154b82f624de2444e6ad18a1f  testscan  completed

The ID column represents the report that has been generated as a result of our scan. Let us import this report now.

msf > nessus_report_get 9d337e9b-82c7-89a1-a1944ef154b82f624de2444e6ad18a1f
[*] importing 9d337e9b-82c7-89a1-a1944ef154b82f624de2444e6ad18a1f

Once the report has been imported, it can be worked with using the console commands and analyzed to find the weaknesses in the target. To view the vulnerabilities found per host, execute the following command:

msf > hosts -c address,vulns,os_name
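As an added example that is not from the book or from Metasploit itself, the following Ruby script (Ruby being Metasploit's own language) parses a Nessus v2 report, the .nessus XML that nessus_report_get imports, and prints a per-host summary in the spirit of hosts -c address,vulns,os_name, so you can see what the importer pulls out of a report. The embedded report is constructed for the example; its host, OS and plugin values are made up.

```ruby
# Added example (not from the book or Metasploit): parse a Nessus v2 report
# (.nessus XML) and summarise it per host, like `hosts -c address,vulns,os_name`.
require 'rexml/document'

# Constructed sample in NessusClientData_v2 layout; host, OS and plugin values are made up.
SAMPLE_NESSUS = <<~XML
  <NessusClientData_v2>
    <Report name="testscan">
      <ReportHost name="192.168.56.102">
        <HostProperties>
          <tag name="host-ip">192.168.56.102</tag>
          <tag name="operating-system">Linux Kernel 2.6</tag>
        </HostProperties>
        <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0"
                    pluginID="900001" pluginName="Example banner check (info)"/>
        <ReportItem port="21" svc_name="ftp" protocol="tcp" severity="4"
                    pluginID="900002" pluginName="Example critical FTP finding"/>
        <ReportItem port="80" svc_name="www" protocol="tcp" severity="2"
                    pluginID="900003" pluginName="Example medium web finding"/>
      </ReportHost>
    </Report>
  </NessusClientData_v2>
XML

# One hash per ReportHost. Severity 0 is informational and is not counted in :vulns.
def parse_nessus_v2(xml)
  doc = REXML::Document.new(xml)
  doc.elements.to_a('NessusClientData_v2/Report/ReportHost').map do |host|
    props = {}
    host.elements.each('HostProperties/tag') { |t| props[t.attributes['name']] = t.text }
    items = host.elements.to_a('ReportItem').map do |ri|
      { port: ri.attributes['port'].to_i, proto: ri.attributes['protocol'],
        service: ri.attributes['svc_name'], severity: ri.attributes['severity'].to_i,
        plugin: ri.attributes['pluginID'], name: ri.attributes['pluginName'] }
    end
    { address: props['host-ip'] || host.attributes['name'],
      os_name: props['operating-system'] || 'unknown',
      vulns: items.count { |i| i[:severity] >= 1 },
      items: items.sort_by { |i| -i[:severity] } }
  end
end

# Render the summary table, host with the most findings first.
def hosts_table(hosts)
  header = format('%-16s %5s  %s', 'address', 'vulns', 'os_name')
  rows = hosts.sort_by { |h| -h[:vulns] }.map { |h| format('%-16s %5d  %s', h[:address], h[:vulns], h[:os_name]) }
  ([header] + rows).join("\n")
end

puts hosts_table(parse_nessus_v2(SAMPLE_NESSUS)) if __FILE__ == $PROGRAM_NAME
```

Each host's :items array keeps the individual findings sorted by severity, which is what you would inspect next with the vulns command.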

There's more...

Let us look at a quick guide to working with Nessus in GUI mode.

Working with Nessus in the web browser

Nessus can also be used from its GUI mode, which is as powerful and easy to use as the console mode. If you are using Nessus for the first time, you will first have to register yourself and get a registration code from the Nessus website. Registration can be done at the following link:

http://www.nessus.org/register/

Once the registration is complete, we will have to start Nessus and add the registration code. Go to Applications | BackTrack | Vulnerability Assessment | Network Assessment | Vulnerability Scanner | nessus start.

On starting Nessus, you might see the following error message:

Starting Nessus : .
Missing plugins. Attempting a plugin update...
Your installation is missing plugins. Please register and try again.
To register, please visit http://www.nessus.org/register/

The error occurs because Nessus is not yet registered. In order to register, we will have to use the registration code that we received through an e-mail from Nessus. The following command will help us complete the registration process:

/opt/nessus/bin/nessus-fetch --register YOUR_REGISTRATION_CODE

root@bt:~# /opt/nessus/bin/nessus-fetch --register E8A5-5367-982E-05CB-972A
Your activation code has been registered properly - thank you.
Now fetching the newest plugin set from plugins.nessus.org...
Your Nessus installation is now up-to-date.
If auto_update is set to 'yes' in nessusd.conf, Nessus will update the plugins by itself.

Now launch the browser and type the following address:

https://localhost:8834

If you are launching Nessus in the browser for the first time, it will take some time to load, so be patient.