Vulnerability scanning with Nessus tutorial
Nessus is a vulnerability scanner.
Nessus can scan your website or network for vulnerabilities.
Nessus allows you to be proactive in securing your base so that all your base belongs to you :D
You can get Nessus from nessus.org. Nessus installs on Windows, Linux and OS X.
Picking a Feed
Once you install Nessus you need to activate a ‘feed’ before you can use it.
The feed will keep your Nessus plugins up-to-date with the latest security issues.
There are two options for this:
- Professional feed
- Home feed
The professional feed gives you access to lots of nice plugins; the home feed also gives you lots of plugins, but not quite as many as the pro feed. You need to pick one. Once you register, Nessus will send you an email with an activation code and instructions on how to activate your feed. Once activated, Nessus will take a while to load on first run. This is normal.
When you have Nessus up and running you will want to scan something. This is a Nessus tutorial after all, so I’ll begin:
Nessus splits its web front end into 4 sections:
Reports, Scans, Policies and Users
Reports are just that – this section contains the reports from all the past scans that you have run against a target or a set of targets.
Scans are where you configure the settings to run a new scan (e.g. running an XSS check against your own website).
Policies are where you configure the things that you would like to run during the scans configured above, e.g. you could make a policy for ‘PCI compliance’ and another for ‘front end XSS checks’.
Users gives you some permission control over which policies each user can run.
The Policies section uses plugins, one for each type of test.
There are lots and lots of plugins and lots and lots of settings to choose from, but I’ll give you a basic set to get you started.
- point your browser at https://localhost:8834
- go to Policies
- click ‘add’
- give your policy a name, like ‘basic scan’
- make your new policy ‘shared’
- give your new policy a description
You now need to set some things for your policy:
- enable ‘save knowledge base’
- enable ‘safe checks’ so that you don’t cripple your own server
- enable ‘silent dependencies’
- enable ‘log scan details to server’
- enable ‘stop host scan on disconnect’
- enable ‘avoid sequential scans’
- enable ‘Reduce parallel connections on congestion’
- enable ‘use kernel congestion detection’ if you run Linux
- enable ‘syn scan’
- enable ‘snmp scan’
- enable ‘netstat scan’
- enable ‘netstat wmi scan’
- enable ‘ping host’
All of the options and setting descriptions are available in the Nessus user manual: http://static.tenable.com/documentation/nessus_4.4_user_guide.pdf [page 11]
By default Nessus loads all plugins, so the next thing you want to do is:
- click on ‘plugins’ on the left
- go to the bottom and click ‘uncheck all’
- enable ‘cgi abuses’
- enable ‘cgi abuses: XSS’
- enable ‘gain a shell remotely’
- enable ‘Service detection’
- enable ‘Settings’
- enable ‘Web Servers’
- you can enable ‘X local security checks’ where X is the OS of your server, e.g. CentOS local security checks or Slackware local security checks.
Each of the plugins in Nessus comes with a description, so if you don’t know what one does, just select it and read the description.
The next step is to click ‘Preferences’ on the right.
- from the drop down select ‘Do not scan fragile devices’
- make sure both are unchecked.
- from the drop down select ‘Global variable settings’
- enable ‘enable CGI scanning’
- enable ‘Enable Experimental scripts’
- enable ‘Thorough tests (slow)’
- make ‘report verbosity’ be ‘verbose’
- from the drop down select ‘Web Application Tests Settings’
- enable ‘Enable web application tests’
- enable ‘send POST requests’
- enable ‘HTTP parameter pollution’
Hit ‘submit’ to save all the settings.
Once you have configured a policy it is available to users with sufficient permissions, who use it as the ‘parameters’ for a scan. Once you have set up the policies correctly you don’t need to set them up every time!
I’m not going to explain what these are, there is lots of information available, and if you do know what they are then good =)
Once you have a policy in place you can initiate a scan:
- go to the scans tab
- hit ‘add’
- give your new scan a name – this is the name that will appear in the Reports section with the results of your scan
- select the type ‘run now’ – you can also set scheduled scans if you like
- select your previously created policy
- type in a target hostname, IP address or range of IP addresses, etc.
- click ‘launch scan’ to start your scan!
Wait for the scan to complete and then go to the reports tab to view the results =)
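Once the scan is done you may want to triage the results outside the web UI. As an added example (not from the original post), here is a small Python script that summarises a report exported from Nessus in its .nessus (NessusClientData_v2) XML format, which the post does not cover; the embedded report is constructed, with a made-up host, plugin IDs and plugin names, to illustrate the plugin families enabled above.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the NessusClientData_v2 export format (assumption: the
# post never shows an export). Host, plugin IDs and plugin names are made up.
SAMPLE_REPORT = """<?xml version="1.0" ?>
<NessusClientData_v2>
 <Report name="basic scan">
  <ReportHost name="192.0.2.10">
   <HostProperties><tag name="host-ip">192.0.2.10</tag></HostProperties>
   <ReportItem port="80" protocol="tcp" svc_name="www" severity="2"
    pluginID="900001" pluginName="Example reflected XSS in a CGI parameter"
    pluginFamily="CGI abuses : XSS"><risk_factor>Medium</risk_factor></ReportItem>
   <ReportItem port="80" protocol="tcp" svc_name="www" severity="0"
    pluginID="900002" pluginName="Example web server banner disclosure"
    pluginFamily="Web Servers"><risk_factor>None</risk_factor></ReportItem>
   <ReportItem port="22" protocol="tcp" svc_name="ssh" severity="3"
    pluginID="900003" pluginName="Example outdated SSH service"
    pluginFamily="Gain a shell remotely"><risk_factor>High</risk_factor></ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

SEVERITY = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

def summarize(nessus_xml, min_severity=1):
    """Return {host: [(severity, family, port, plugin name), ...]} for findings
    at or above min_severity, highest severity first. Info-only items (severity 0)
    are dropped by default so the list is what actually needs fixing."""
    root = ET.fromstring(nessus_xml)
    findings = defaultdict(list)
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            sev = int(item.get("severity", "0"))
            if sev < min_severity:
                continue
            findings[host.get("name")].append(
                (sev, item.get("pluginFamily"), item.get("port"), item.get("pluginName"))
            )
    for items in findings.values():
        items.sort(key=lambda f: -f[0])  # stable sort keeps report order within a level
    return dict(findings)

if __name__ == "__main__":
    for host, items in summarize(SAMPLE_REPORT).items():
        print(host)
        for sev, family, port, name in items:
            print(f"  [{SEVERITY[sev]:8}] {family:22} port {port:>5}  {name}")
```

Point `summarize()` at the contents of a real export to get the same per-host list sorted by severity; raise `min_severity` to 3 to see only High and Critical findings.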
I’ve found a few good tutorials that explain how the parameters work and how to start scanning your sites for different vulnerabilities.
http://www.symantec.com/connect/articles/introduction-nessus has some good info, though it’s a bit outdated.
There is, of course, http://www.nessus.org/documentation/ which has lots of info.