Thursday 11 March 2021

TryHackMe: Nessus Room Writeup

On TryHackMe, the Nessus room not only introduces vulnerability scanning but is also a reminder that even home users, students and hobbyists can run a cybersecurity vulnerability scanner at home with Tenable Nessus Essentials.


Nessus Scanner requires about 30GB of initial disk space. That requirement grows over time because Nessus stores the results of each scan in its database, and each plugin release or update adds to the storage used.

The Nessus room consists of 5 tasks:

Introduction - where you learn about Nessus scanner’s basic purpose
Installation - where you learn how to install Nessus on Kali Linux
Navigation and Scans - where you learn to move about the console
Scanning! - Lab with a target machine that you can run scans against
Scanning a Web Application! - Lab where you perform a specialized web app scan

The last 3 of the above tasks are the ones that require responses in the room. When you work in this lab, use your own Kali Linux machine (or VM) and connect to the Nessus room labs with OpenVPN. This is because the minimum Hardware Requirements (https://docs.tenable.com/nessus/Content/HardwareRequirements.htm) for Nessus call for 30GB of disk space for Nessus itself. The AttackBox on TryHackMe has 25GB of disk space in total (at the time of publishing this writeup), which will not accommodate the Nessus installation.

Navigation and Scans


THM: What is the name of the button which is used to launch a scan?




THM: What side menu option allows us to create custom templates?




THM: What menu allows us to change plugin properties such as hiding them or changing their severity?




THM: In the 'Scan Templates' section after clicking on 'New Scan', what scan allows us to see simply what hosts are alive?




THM: One of the most useful scan types, which is considered to be 'suitable for any host'?




THM: What scan allows you to 'Authenticate to hosts and enumerate missing updates'?




THM: What scan is specifically used for scanning Web Applications?


Scanning!


THM: Create a new 'Basic Network Scan' targeting the deployed VM. What option can we set under 'BASIC' (on the left) to set a time for this scan to run? This can be very useful when network congestion is an issue.

New Scan button > Basic Network Scan > Settings > Schedule



THM: Under 'DISCOVERY' (on the left) set the 'Scan Type' to cover ports 1-65535. What is this type called?




THM: After the scan completes, which 'Vulnerability' in the 'Port scanners' family can we view the details of to see the open ports on this host?




If you click on the above line-item, you will navigate to a detail page that shows which ports have been detected:



THM: What Apache HTTP Server Version is reported by Nessus?

To find the version of Apache HTTP Server, click on the line-item below:



You will find the version in the following detail view:



Scanning a Web Application!


You set this scan up like the Basic Network Scan, but you select Web Application Tests as the Scan Type.
  1. New Scan button > Web Application Tests
  2. Enter the IP into the target text field
  3. Click Save
  4. Launch the scan and wait for results

THM: What is the plugin id of the plugin that determines the HTTP server type and version?


In the Vulnerabilities tab of the scan you will notice a grouping of 2 vulnerabilities:




Click on the HTTP (Multiple Issues) line-item and you will see the following:




Then click on the line item “HTTP Server Type and Version” and you will see the plugin ID as shown below:




THM: What authentication page is discovered by the scanner that transmits credentials in cleartext?


Click on the line item “Web Server (Multiple Issues)”.




Then click on the line-item “Web Server Transmits Cleartext Credentials”:



Under the Output section you will see the page that transmits cleartext credentials:



THM: What is the file extension of the config backup?


Click on the “Backup Files Disclosure” vulnerability line-item:



The extension can be found under the Output section in the vulnerability detail:




THM: Which directory contains example documents? (This will be in a php directory)




THM: What vulnerability is this application susceptible to that is associated with X-Frame-Options?
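
The details read from the console above (open ports from the 'Port scanners' family, and the Output section of a named plugin) can also be pulled from an exported scan. The sketch below is an added example, not part of the room or the original writeup: it assumes the scan has been exported in Nessus's `.nessus` XML format, and the host, plugin IDs and output text in the sample are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the .nessus (NessusClientData_v2) export layout.
# Host, plugin IDs and output text are made up, not taken from the room.
SAMPLE = """<NessusClientData_v2><Report name="constructed">
<ReportHost name="10.0.0.5">
 <ReportItem port="80" svc_name="www" protocol="tcp" severity="0"
   pluginID="90001" pluginName="Example SYN scanner" pluginFamily="Port scanners">
  <plugin_output>Port 80/tcp was found to be open</plugin_output></ReportItem>
 <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0"
   pluginID="90001" pluginName="Example SYN scanner" pluginFamily="Port scanners">
  <plugin_output>Port 22/tcp was found to be open</plugin_output></ReportItem>
 <ReportItem port="80" svc_name="www" protocol="tcp" severity="0"
   pluginID="90002" pluginName="HTTP Server Type and Version" pluginFamily="Web Servers">
  <plugin_output>
The remote web server type is :

ExampleServer/0.0
  </plugin_output></ReportItem>
 <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
   pluginID="90003" pluginName="Example host summary" pluginFamily="General"/>
</ReportHost></Report></NessusClientData_v2>"""

def load_items(xml_text):
    """Return one dict per ReportItem, with host name and Output text attached."""
    items = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            row = dict(item.attrib)
            row["host"] = host.get("name")
            # Some findings carry no <plugin_output>; treat that as empty text.
            row["output"] = (item.findtext("plugin_output") or "").strip()
            items.append(row)
    return items

def open_ports(items):
    """Ports reported by the 'Port scanners' family, as sorted (port, protocol)."""
    return sorted({(int(i["port"]), i["protocol"]) for i in items
                   if i.get("pluginFamily") == "Port scanners" and i["port"] != "0"})

def outputs_for(items, plugin_name):
    """(host, plugin ID, Output text) for findings with this exact plugin name."""
    return [(i["host"], i["pluginID"], i["output"]) for i in items
            if i.get("pluginName") == plugin_name]

if __name__ == "__main__":
    findings = load_items(SAMPLE)
    print(open_ports(findings))
    for row in outputs_for(findings, "HTTP Server Type and Version"):
        print(row)
```

To run it against a real export, read the file's contents and pass them to `load_items` in place of `SAMPLE`.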
