© 2018 Caendra, Inc. - Hera For PTP - Nessus
This lab will present you with different tasks in order to fulfill these objectives.
The tasks are meant for educational purposes and to show you the usage of different tools
and different methods to achieve the same goal.
Armed with the skills acquired during these tasks, you can achieve the Lab goal.
Repeat this lab as often as you like, but if this is the first time you do this lab, we advise you
to follow these tasks.
• Nessus
• Metasploit
Once the scan is finished, complete the following table with the discovered hosts and the
number of high/medium vulnerabilities found for each.
Note: you can also perform host discovery using tools like Nmap and then feed Nessus
only the right IP addresses.
Metasploit offers the ability to use Nessus directly from the msfconsole. This is a very
useful feature that allows us to load existing Nessus scans and then exploit existing
vulnerabilities.
Once you have loaded the previous scan (Task 1) into Metasploit, find exploitable
vulnerabilities, or use plugins such as auto_exploit or db_autopwn, in order to obtain
one or more meterpreter shells.
NOTE: these plugins are not shipped with recent versions of Metasploit (db_autopwn was
removed); you will need to install them manually.
This hopefully allows us to obtain access to the target machines and then retrieve useful
information, such as credentials, to use for further Nessus scans in the cyclical
penetration testing process.
• Username: netadmin
• Password: netpwd
Once the scan is finished, you will notice that the report differs from the one obtained
previously (Task 1). This is because Nessus is now able to log in to the remote host with
the supplied credentials and run local checks with that account's privileges, instead of
relying only on what is visible over the network.
Please fill the next table with the results of the new scan:
The organization asks you to perform a Web Application scan against the webserver placed
inside the DMZ (10.100.0.0/24). The server IP address is 10.100.0.80.
Create a new Nessus policy and perform a Web App scan. Do not use an existing policy;
think about which plugins are useful for this target and which are not.
Once the service is running, we can access the Nessus GUI, at the address:
https://127.0.0.1:8834
We can now start our scan against the network by starting a new Scan based on Basic
Network Scan policy.
NOTE: since we are within the target network, if we set the target to the whole
192.168.78.0/24 subnet, our own machine will be scanned too. To avoid this, we can use
a tool like Nmap to perform host discovery and then manually provide Nessus with only
the IP addresses to scan: nmap -sn -oG - 192.168.78.* | awk '/Up$/ {print $2}'
As you can see from the results, different vulnerabilities have been found on the target
machines. You can navigate them by selecting the host and then the specific vulnerability.
Instead of using the web browser GUI, we can also drive Nessus from Metasploit. This
helps when we want to assess and then try to exploit a vulnerability. Since we have already
performed the scan, we will just load the Nessus results into msf and exploit the
vulnerabilities automatically.
Now that we are connected to Nessus, we can run basic commands from msfconsole, such as
starting a new scan, navigating reports and so on.
Since we already have a report, we can load it so that Metasploit imports the list of
vulnerabilities. First of all, let's list the existing scans:
Once we know the scan identifier, we can use the nessus_report_* commands as
follows:
or
Now vulnerabilities and targets have been imported into the database. To explore the list,
we invoke vulns:
https://github.com/darkoperator/Metasploit-Plugins/blob/master/pentest.rb
root@kali:~/.msf4/plugins# wget https://raw.githubusercontent.com/darkoperator/Metasploit-Plugins/master/pentest.rb
___ _ _ ___ _ _
| _ \___ _ _| |_ ___ __| |_ | _ \ |_ _ __ _(_)_ _
| _/ -_) ' \ _/ -_|_-< _| | _/ | || / _` | | ' \
|_| \___|_||_\__\___/__/\__| |_| |_|\_,_\__, |_|_||_|
|___/
Version 1.3
Pentest plugin loaded.
by Carlos Perez (carlos_perez[at]darkoperator.com)
[*] Successfully loaded plugin: pentest
msf >
Active sessions
===============
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
eLSAdmin:1003:67fb9805a02c8249aad3b435b51404ee:b0c6522c478a0886fb92544d16c75679:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:a88f7de3e682d17fea34bd03086620b5:2b07e52daf608f50d4cd9506c5b0220d:::
netadmin:1004:6d4c8d28110c649d1f6252914a7633d7:1f1c7bfdba645b14c37dde4465b59542:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:9f79c84005db73e0122f424022f8dbc0:::
meterpreter >
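The hashdump output above is in pwdump format (user:RID:LM:NT:::). As an added example
(not part of the original lab), the script below triages such lines before we move on:
it flags accounts whose NT hash is that of an empty password, accounts whose LM hash is
stored at all (LM is far cheaper to crack than NT), and accounts whose LM hash shows the
password is seven characters or shorter. The input is the hashdump output from the lab
page, joined back onto one line per account; the two "empty password" constants are the
well-known LM and NT hashes of the empty string.

```shell
#!/bin/sh
# Added example, not from the original lab: triage pwdump-style hashdump lines
# (user:rid:LM:NT:::) for weak-password indicators before reusing the accounts.

EMPTY_LM='aad3b435b51404eeaad3b435b51404ee'   # LM hash of an empty password
EMPTY_NT='31d6cfe0d16ae931b73c59d7e0c089c0'   # NT hash of an empty password

# Input: the meterpreter hashdump lines shown in the lab, one account per line.
HASHDUMP='Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
eLSAdmin:1003:67fb9805a02c8249aad3b435b51404ee:b0c6522c478a0886fb92544d16c75679:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:a88f7de3e682d17fea34bd03086620b5:2b07e52daf608f50d4cd9506c5b0220d:::
netadmin:1004:6d4c8d28110c649d1f6252914a7633d7:1f1c7bfdba645b14c37dde4465b59542:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:9f79c84005db73e0122f424022f8dbc0:::'

# blank_password_accounts: users whose NT hash is the hash of the empty string,
# i.e. the account has no password at all.
blank_password_accounts() {
    awk -F: -v nt="$EMPTY_NT" '$4 == nt { print $1 }'
}

# lm_stored_accounts: users whose LM hash is not the "empty" value, so an LM hash
# of the real password is stored and can be attacked with rainbow tables.
lm_stored_accounts() {
    awk -F: -v lm="$EMPTY_LM" '$3 != lm { print $1 }'
}

# short_password_accounts: LM hashes each 7-character half separately; a second
# half equal to the empty-half value means the password is 7 characters or less.
short_password_accounts() {
    awk -F: -v lm="$EMPTY_LM" '$3 != lm && substr($3, 17) == substr(lm, 17) { print $1 }'
}

# nt_hashes_to_crack: NT hashes of accounts with a real password, one per line,
# in the bare form hashcat's NTLM mode (-m 1000) reads.
nt_hashes_to_crack() {
    awk -F: -v nt="$EMPTY_NT" '$4 != nt { print $4 }'
}

printf 'Blank password: %s\n' "$(printf '%s\n' "$HASHDUMP" | blank_password_accounts)"
printf 'LM hash stored: %s\n' "$(printf '%s\n' "$HASHDUMP" | lm_stored_accounts | tr '\n' ' ')"
printf 'Password <= 7 chars: %s\n' "$(printf '%s\n' "$HASHDUMP" | short_password_accounts)"
```

Cracked cleartexts (not the hashes) are what the next step needs, since the Nessus
Windows credential form in this lab takes a username and password.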
We can now create a new scan policy and add the dumped Windows credentials:
From the Policies menu, let's create a new policy. Since we want to scan a web
application, from the Scanner Templates we can select Web Application Tests.
Then, let's run a quick Nmap port scan in order to restrict the ports Nessus will scan:
Note: 135, 139 and 1026 were left out because they are not related to the web application,
but you could add them as well.
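As an added example (not part of the original lab), the function below reads the grepable
output of an Nmap port scan and prints the open TCP ports as the comma-separated list the
policy's port range field takes, optionally keeping only ports whose detected service name
matches a regex, which is how the non-web ports above get dropped. The SAMPLE_PORTSCAN
line is constructed for the example: the 443 and 8080 entries are assumptions, not
results from 10.100.0.80.

```shell
#!/bin/sh
# Added example, not from the original lab: derive the Nessus port range from
# `nmap -sV -oG -` output, optionally filtered by service name.

# Constructed sample line (not real lab output); the layout is nmap's grepable
# "Ports:" field: port/state/proto/owner/service/rpc/version/.
SAMPLE_PORTSCAN='Host: 10.100.0.80 ()   Ports: 80/open/tcp//http///, 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 443/open/tcp//https///, 1026/open/tcp//LSA-or-nterm///, 8080/open/tcp//http-proxy///   Ignored State: closed (65529)'

# open_ports: read grepable nmap output on stdin; print a comma-separated list of
# open TCP ports whose service name matches the regex in $1 (default: any service).
open_ports() {
    awk -F'Ports: ' -v want="${1:-.}" '/Ports: / {
        ports = ""
        n = split($2, entries, ", ")
        for (i = 1; i <= n; i++) {
            split(entries[i], f, "/")          # f[1]=port f[2]=state f[3]=proto f[5]=service
            if (f[2] == "open" && f[3] == "tcp" && f[5] ~ want)
                ports = ports (ports == "" ? "" : ",") f[1]
        }
        print ports
    }'
}

# Real use (not executed here):
#   nmap -sV -p- -oG - 10.100.0.80 | open_ports http
printf 'All open ports: %s\n' "$(printf '%s\n' "$SAMPLE_PORTSCAN" | open_ports)"
printf 'Web ports only: %s\n' "$(printf '%s\n' "$SAMPLE_PORTSCAN" | open_ports http)"
```

Filtering on the service name rather than on fixed port numbers catches web services on
non-standard ports, which a policy restricted to 80 and 443 would miss.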
From the Assessment section, as Scan Type let's select: Scan for all web
vulnerabilities and Save.
Now that we have completed our policy set-up, we can run the scan against the webserver.
Here's the results: