Vulnerability Assessment

Nessus

Downloading Nessus

To download Nessus, we can navigate to its Download Page to download the correct Nessus binary for our system. We will be downloading the Debian package for Ubuntu for this walkthrough.

Screenshot: Nessus download page listing Nessus-8.15.1-ubuntu910_amd64.deb (Ubuntu 9.10/10.04, 46.3 MB, dated Aug 10, 2021).


Requesting Free License

Next, we can visit the Activation Code Page to request a Nessus Activation Code, which is necessary to get the free version of Nessus:

Screenshot: Nessus activation code prompt ("Need an Activation Code?") with a Get Activation Code button to complete the installation.

Installing Package

With both the binary and activation code in hand, we can now install the Nessus package:

eldeim@htb[/htb]$ dpkg -i Nessus-8.15.1-ubuntu910_amd64.deb

Selecting previously unselected package nessus.
(Reading database ... 132030 files and directories currently installed.)
Preparing to unpack Nessus-8.15.1-ubuntu910_amd64.deb ...
Unpacking nessus (8.15.1) ...
Setting up nessus (8.15.1) ...
Unpacking Nessus Scanner Core Components...
Created symlink /etc/systemd/system/nessusd.service → /lib/systemd/system/nessusd.service.
Created symlink /etc/systemd/system/multi-user.target.wants/nessusd.service → /lib/systemd/system/nessusd.service.

Starting Nessus

Once we have Nessus installed, we can start the Nessus service:

eldeim@htb[/htb]$ sudo systemctl start nessusd.service

Accessing Nessus

To access Nessus, we can navigate to https://localhost:8834. Once we arrive at the setup page, we should select Nessus Essentials for the free version, and then we can enter our activation code:

Once we enter our activation code, we can set up a user with a secure password for our Nessus account. Then, the plugins will begin to compile once this step is completed:

Note: The VM provided at the Nessus Skills Assessment section has Nessus pre-installed and the targets running. You can go to that section and start the VM and use Nessus throughout the module, which can be accessed at https://<IP>:8834. The Nessus credentials are: htb-student:HTB_@cademy_student!. You may also use these credentials to SSH into the target VM to configure Nessus.

Finally, once the setup is complete, we can start creating scans, scan policies, plugin rules, and customizing settings. The Settings page has a wealth of options such as setting up a Proxy Server or SMTP server, standard account management options, and advanced settings to customize the user interface, scanning, logging, performance, and security options.

Screenshot: Nessus Advanced Settings page showing tabs for User Interface, Scanning, Logging, Performance, Security, and Miscellaneous; settings include Allow Post-Scan Editing set to Yes and Disable API set to No.

Skills Assessment

Requirements

Navigate to the web interface at the end of this section and log in with the provided credentials.

Once logged in, perform a BASIC NETWORK SCAN (modify the scan template to scan ALL ports, leave all other options the same) against the target: 172.16.16.100. Additionally, set up the scan to be authenticated using administrator:Academy_VA_adm1! as the credentials.

The scan will take up to 60 minutes to finish.

Note: It may take 1-2 minutes for your target instance to spawn. Additionally, it may take up to an hour for the scan to run.

Alternatively, use the pre-populated scan data to answer the questions below without having to wait for the scan to finish, but feel free to practice configuring and running it.

Reminder: Nessus can be accessed at https://<IP>:8834. The Nessus credentials are: htb-student:HTB_@cademy_student!. You may also use these credentials to SSH into the target VM to configure Nessus.

  • What is the name of one of the accessible SMB shares from the authenticated Windows scan? (One word)


  1. Create a basic scan.

  2. Then set up the scan to be authenticated using the provided credentials:

administrator:Academy_VA_adm1!

  3. After launching the scan, wait for it to finish (it takes about 60 minutes on average), then get the names of the SMB shares:

  4. Click on "Windows_Basic_authed".

  5. Go to the Vulnerabilities tab and search for "SMB Shares".

  • What was the target for the authenticated scan?

  • What is the plugin ID of the highest criticality vulnerability for the Windows authenticated scan?

  • What is the name of the vulnerability with plugin ID 26925 from the Windows authenticated scan? (Case sensitive)

  1. Go to the scan results and filter the results by Plugin ID.

  2. Once filtered, you will see only the results that match the filter criteria.

  3. Click on the vulnerability; its title shows the name.

  • What port is the VNC server running on in the authenticated Windows scan?
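The questions above (the highest-criticality plugin ID, the name behind a plugin ID, the port a service runs on) can also be answered from an exported .nessus (XML) report instead of clicking through the web UI. This is an added example, not code from the page or from Tenable: the embedded report is constructed sample data with placeholder plugin IDs, names and ports (not the assessment's real answers), and the helper functions are my own.

```python
# Added example: answer skills-assessment style questions from a .nessus export.
# The report below is CONSTRUCTED sample data; plugin IDs and names are placeholders.
import xml.etree.ElementTree as ET

SAMPLE_NESSUS = """<NessusClientData_v2>
 <Report name="Windows_Basic_authed">
  <ReportHost name="172.16.16.100">
   <ReportItem port="445" protocol="tcp" svc_name="cifs" pluginID="10001"
               pluginName="SMB Shares Enumeration (constructed)" severity="0"/>
   <ReportItem port="5900" protocol="tcp" svc_name="vnc" pluginID="10002"
               pluginName="VNC Server Detection (constructed)" severity="0"/>
   <ReportItem port="3389" protocol="tcp" svc_name="msrdp" pluginID="10003"
               pluginName="Example Medium Finding (constructed)" severity="2"/>
   <ReportItem port="445" protocol="tcp" svc_name="cifs" pluginID="10004"
               pluginName="Example Critical Finding (constructed)" severity="4"/>
  </ReportHost>
 </Report>
</NessusClientData_v2>"""


def load_items(xml_text):
    """Return one dict per ReportItem. Nessus severity is 0..4 (Info..Critical)."""
    root = ET.fromstring(xml_text)
    items = []
    for host in root.iter("ReportHost"):
        for ri in host.iter("ReportItem"):
            items.append({
                "host": host.get("name"),
                "port": int(ri.get("port")),
                "svc": ri.get("svc_name"),
                "plugin_id": int(ri.get("pluginID")),
                "name": ri.get("pluginName"),
                "severity": int(ri.get("severity")),
            })
    return items


def highest_severity_plugin(items):
    """Plugin ID of the most critical finding (ties broken by lowest plugin ID)."""
    return max(items, key=lambda i: (i["severity"], -i["plugin_id"]))["plugin_id"]


def plugin_name(items, plugin_id):
    """Name of the plugin with the given ID, or None if it did not fire."""
    return next((i["name"] for i in items if i["plugin_id"] == plugin_id), None)


def ports_for_service(items, svc):
    """Sorted, de-duplicated ports on which the given service was detected."""
    return sorted({i["port"] for i in items if i["svc"] == svc})


if __name__ == "__main__":
    items = load_items(SAMPLE_NESSUS)
    print(highest_severity_plugin(items), plugin_name(items, 10002),
          ports_for_service(items, "vnc"))
```

Point `load_items` at the contents of a real export (Scans > Export > Nessus) to run the same lookups against your own results.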


OpenVAS

Installing Package

First, we can start by installing the tool:

eldeim@htb[/htb]$ sudo apt-get update && sudo apt-get -y full-upgrade
eldeim@htb[/htb]$ sudo apt-get install gvm openvas

Next, to begin the installation process, we can run the following command:

eldeim@htb[/htb]$ gvm-setup

This will begin the setup process and take up to 30 minutes.

Screenshot: terminal output showing database setup and user creation, ending with a generated admin password.

Starting OpenVAS

Finally, we can start OpenVAS:

eldeim@htb[/htb]$ gvm-start

Screenshot: terminal output showing the GVM/OpenVAS services starting, with the Greenbone Security Assistant web UI available at https://127.0.0.1:9392.

Note: The VM provided in the OpenVAS Skills Assessment section has OpenVAS pre-installed and the targets running. You can go to that section and start the VM and use OpenVAS throughout the module, which can be accessed at https://<IP>:8080. The OpenVAS credentials are: htb-student:HTB_@cademy_student!. You may also use these credentials to SSH into the target VM to configure OpenVAS.


Skills Assessment

You have been contracted by the company Inlanefreight to perform an internal vulnerability assessment against one of their servers. They have asked for a cursory assessment to be performed to identify any significant vulnerabilities as they do not have the budget for a full-scale penetration test this year. The results of this vulnerability assessment may enable the CISO to push for additional funding from the Board of Directors to perform more in-depth security testing.

The target server is a Linux Server host.


Requirements

Navigate to the OpenVAS web interface at the server below and log in with the provided credentials.

Once logged in, create a new task with the OpenVAS Default Scanner and use the Full and Fast config against the target: 172.16.16.160. Additionally, ensure you have the scan set up to run as an authenticated user using the credentials: root:HTB_@cademy_admin!.

The scan will take up to 60 minutes to finish.

Note: It may take 1-2 minutes for your target instance to spawn.

Alternatively, use the pre-populated scan data to answer the questions below without having to wait for the scan to finish, but feel free to practice configuring and running it.

Reminder: OpenVAS can be accessed at https://<IP>:8080. The OpenVAS credentials are: htb-student:HTB_@cademy_student!. You may also use these credentials to SSH into the target VM to configure OpenVAS.

  • What type of operating system is the Linux host running? (one word)

After logging in at https://10.129.202.120:8080/ with the credentials provided:

  1. This one is simple.

  2. Just go to the Linux Basic Scan.

  3. Open the report.

  4. Select the OS tab and you will see that the OS is in fact Ubuntu.

  • What type of FTP vulnerability is on the Linux host? (Case Sensitive, four words)

  • What is the IP of the Linux host targeted for the scan?

  • What vulnerability is associated with the HTTP server? (Case-sensitive)
