- Nessus Essentials
- CMD
- VMware
- Windows 10 (21H2)
- VMware Workstation Pro: https://www.vmware.com/products/workstation-player/workstation-player-evaluation.html
- Nessus Essentials: https://www.tenable.com/products/nessus/nessus-essentials
- Windows 10 ISO: https://www.microsoft.com/en-us/software-download/windows10
The first thing I am going to do is download Nessus Essentials, my vulnerability management software. It takes a long time to download, so I can accomplish a few things while it is downloading, like installing Windows 10 on a Virtual Machine and configuring it (which also takes a long time).
For the Virtual Machine that I will be managing vulnerabilities on, I have to configure the network adapter to be bridged so it can be on the same network as my native (host) PC. I do this because Nessus has to SSL (Secure Sockets Layer) into the Virtual Machine and it's just easier if it's using my local network.
Nessus at this point is still downloading and Windows 10 has finished installing on my Virtual Machine, so I open up CMD to find its IP address, which I will need in order to run vulnerability scans from Nessus. I named the VM Admin. The screenshot shows that the IP address is 192.168.50.185.
I try to ping the VM from my host computer to see if I can communicate with it. The reason I am doing this is that if I can't ping the VM, then Nessus won't be able to either and can't run its scans. As we can see, the pings are timing out, meaning my host PC can't establish a connection with it at the moment.
The reason my PC can't establish a connection is that the VM has a firewall active and it is blocking all connection attempts (which is a good thing, but not for the purposes of this lab), so I have to disable the firewall. This is something I would NEVER do in a production environment, as it could and would be catastrophic, but this is just a throwaway VM so no worries.
I have to turn off all three firewalls which are circled at the top in Red, Blue, and Green. Circled in Yellow is showing that the firewalls are currently On. I have to turn them Off to be able to communicate properly with the VM.
Now that the VM's firewall is disabled, I try to ping it again from my host PC and this time it is successful.
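The write-up reaches the VM by switching all three firewall profiles off. As an added example (not from the original lab), the PowerShell below, run in an elevated prompt inside the VM, does the same discovery steps (find the IPv4 address, check profile state) but then opens only what a ping and a credentialed Nessus scan need, and only from the scanner's address, so the profiles can stay enabled. `$ScannerIp` is an assumed placeholder for the machine running Nessus and `NessusLab` is an assumed rule-name prefix; neither appears in the write-up.

```powershell
# Added example, not part of the original lab write-up. Run as Administrator
# inside the Windows 10 VM. Scoped firewall rules replace "turn all profiles off".
$ScannerIp = '192.168.50.10'   # assumed placeholder for the Nessus host, not a lab value
$RuleTag   = 'NessusLab'       # assumed prefix so the rules are easy to find and remove

# 1. Which IPv4 address will Nessus target? (PowerShell equivalent of ipconfig)
Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.InterfaceAlias -notmatch 'Loopback' } |
    Select-Object InterfaceAlias, IPAddress

# 2. Current state of the Domain / Private / Public profiles the write-up disables
Get-NetFirewallProfile | Select-Object Name, Enabled

# 3. Inbound rules limited to the scanner: ICMPv4 echo (type 8) for the ping test,
#    and the SMB/RPC endpoint-mapper ports a credentialed Windows scan connects to.
#    WMI additionally uses dynamic RPC ports; if the credentialed scan still fails,
#    enable the predefined "Windows Management Instrumentation (WMI)" rule group.
New-NetFirewallRule -DisplayName "$RuleTag - ICMPv4 echo from scanner" `
    -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
    -RemoteAddress $ScannerIp -Action Allow -Profile Any | Out-Null

New-NetFirewallRule -DisplayName "$RuleTag - SMB/RPC from scanner" `
    -Direction Inbound -Protocol TCP -LocalPort 135,139,445 `
    -RemoteAddress $ScannerIp -Action Allow -Profile Any | Out-Null

# 4. Verify: the rules exist and every profile is still Enabled = True
Get-NetFirewallRule -DisplayName "$RuleTag*" |
    Select-Object DisplayName, Enabled, Direction, Action
Get-NetFirewallProfile | Select-Object Name, Enabled

# Cleanup when the lab is over (removes only the rules created above):
# Get-NetFirewallRule -DisplayName "$RuleTag*" | Remove-NetFirewallRule
```

From the host side, `Test-NetConnection 192.168.50.185 -Port 445` (or a plain `ping`) confirms the scanner can reach the VM before a scan is launched. Keeping the profiles on and scoping the rules to the scanner means a mistake in the lab exposes one port set to one address rather than the whole VM to the LAN.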
By this time Nessus Essentials successfully downloads. The first thing I want to do is create a new scan, then select Basic Network Scan.
The newly created scan asks me to name the scan and select a target to scan. I configure it to scan the VM's IP address which is 192.168.50.185
I launch the newly created scan and it immediately goes to work scanning for any known vulnerabilities. When the grey checkmark appears, the scan is complete.
Let's look at the results! It is showing 33 results, 32 of which are Info and 1 is Low. If this was an actual production environment these most likely would be left alone. The Info results are probably because some checks don't have proper credentials and are not really vulnerabilities.
Looking at one of the INFO results you can see that the Target Credential Status By Authentication Protocol was triggered because we did not actually provide any credentials for this scan.
The next thing I do is configure the VM to accept authenticated scans and provide credentials to Nessus. I will then rescan the VM and compare the results. I go to services.msc to start this process and enable Remote Registry. This will allow Nessus to connect to the VM's registry and properly scan for vulnerabilities such as insecure connections or deprecated cipher suites. I'm following the steps Nessus recommends for credentialed scans. There might be a better way to do this.
From there I go to User Account Control and disable it. I have to do this because this VM is not on a domain, so I kind of have to do hacker stuff to get it to work properly. I would never do this in an actual organization or production environment.
Then I'm going to open the registry and add a value that is supposed to allow Nessus to connect in by further disabling User Account Control.
Now I navigate in the Registry Editor to the key that Nessus instructs us to (highlighted in yellow in the address bar) and I have to add a DWORD value, name it LocalAccountTokenFilterPolicy and give it a value of 1.
After doing that I have to restart the VM so the changes can take effect.
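The Remote Registry and LocalAccountTokenFilterPolicy steps above are done through the GUI. As an added example (not from the original lab or from Tenable's documentation), the PowerShell below makes the same two changes from an elevated prompt in the VM, checks that they took, and keeps a revert function so the relaxed settings do not outlive the lab. The key path `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` is the standard location of that DWORD; the function names are my own. The UAC slider change the write-up also makes is left to the GUI.

```powershell
# Added example, not part of the original lab write-up. Run as Administrator in the VM.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'LocalAccountTokenFilterPolicy'

function Enable-NessusCredentialedScan {
    # 1. Remote Registry: Nessus reads installed software and patch state through it.
    Set-Service -Name RemoteRegistry -StartupType Automatic
    Start-Service -Name RemoteRegistry

    # 2. LocalAccountTokenFilterPolicy = 1 lets a local (non-domain) administrator keep
    #    a full admin token over the network. This is the DWORD the write-up adds by hand.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

function Disable-NessusCredentialedScan {
    # Revert for when the lab is finished: drop the DWORD (the default behaviour is
    # then the filtered token again) and stop Remote Registry, leaving it Disabled.
    Remove-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    Stop-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
    Set-Service -Name RemoteRegistry -StartupType Disabled
}

function Test-NessusCredentialedScanPrereqs {
    # Ready = $true only when the service is running AND the DWORD is exactly 1.
    $svc   = Get-Service -Name RemoteRegistry
    $value = (Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    [pscustomobject]@{
        RemoteRegistryRunning         = ($svc.Status -eq 'Running')
        LocalAccountTokenFilterPolicy = $value
        Ready                         = ($svc.Status -eq 'Running' -and $value -eq 1)
    }
}

Enable-NessusCredentialedScan
Test-NessusCredentialedScanPrereqs
# The write-up reboots at this point so the token-policy change is applied: Restart-Computer
```

Running `Test-NessusCredentialedScanPrereqs` after the reboot, and again after `Disable-NessusCredentialedScan` at the end of the lab, gives a quick yes/no on whether the VM is in the "scannable" or the "hardened" state, which is easier to trust than remembering which GUI boxes were clicked.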
With the registry configured, it is now time to go back into Nessus and configure the scan I created. I have to add the Credentials to the scan so it can work properly. The credentials I'm talking about is the username and password of the VM. This will allow Nessus to use those credentials in places where it is required in the VM registry.
After the scan is properly configured with the right credentials, I run it again.
This new scan has given us a lot more vulnerabilities than the first one because it is able to scan deeper into the VM thanks to having credentials. The top picture is the new credentialed scan and the bottom picture is from the first non-credentialed scan. Most of the vulnerabilities found are probably because the version of Windows 10 this VM is running is not up to date.
I want to see how powerful this Nessus Scanner is so I'm going to download a very old version of Firefox which probably has many vulnerabilities and see if Nessus can discover them (I'm sure it will.)
After a deprecated version of Firefox is downloaded, I run another scan. We can see many new alerts and vulnerabilities just from Firefox! 68 Critical!
A comparison between scans to show the progression of alerts and vulnerabilities.
Showing what some of the alerts and vulnerabilities look like. We can see most of the Critical alerts are just from Firefox. A few ways we can remediate some of the vulnerabilities are by either updating Firefox, which will probably remediate a lot of them, or by simply deleting Firefox.
To start the process of remediating vulnerabilities, I elect to just delete Firefox. That will instantly fix a lot of these issues.
To remediate the Windows vulnerabilities, I choose to update Windows. This version is old so it takes a few restarts to get it up to date.
After a few restarts, Windows is finally up to date. I run one more Nessus scan to see whether the steps I took to remediate some of the alerts worked.
Here is a final comparison between the four scans I took while doing this lab. The last picture is the after-remediation scan. There we can see a lot of the vulnerabilities that were being alerted are gone! There is still 1 Critical, but I'll remediate that another time!
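The comparisons in this lab are side-by-side screenshots. As an added example (not from the original lab), the PowerShell below does the same comparison from two Nessus CSV exports: a severity count before and after remediation, the findings that disappeared, and the ones still open. It assumes the export carries the `Plugin ID`, `Risk`, `Host` and `Name` columns that a Nessus CSV export includes; the rows embedded here are constructed sample data (the plugin IDs and names marked "sample" are made up), not the lab's real output, so you would replace the two here-strings with `Get-Content before.csv -Raw` and `Get-Content after.csv -Raw`.

```powershell
# Added example, not part of the original lab write-up.
# Constructed sample exports: a "before" with Firefox + Windows findings, an "after"
# where Firefox was removed and Windows updated, leaving one Critical (as in the lab).
$Before = @'
"Plugin ID","Risk","Host","Name"
"19506","None","192.168.50.185","Nessus Scan Information"
"10150","None","192.168.50.185","Windows NetBIOS / SMB Remote Host Information Disclosure"
"900001","Critical","192.168.50.185","Mozilla Firefox outdated (sample)"
"900002","Critical","192.168.50.185","Mozilla Firefox outdated, second plugin (sample)"
"900003","High","192.168.50.185","Windows 10 security update missing (sample)"
"900004","Critical","192.168.50.185","Windows 10 cumulative update missing (sample)"
'@

$After = @'
"Plugin ID","Risk","Host","Name"
"19506","None","192.168.50.185","Nessus Scan Information"
"10150","None","192.168.50.185","Windows NetBIOS / SMB Remote Host Information Disclosure"
"900004","Critical","192.168.50.185","Windows 10 cumulative update missing (sample)"
'@

function Compare-NessusExport {
    param([string]$BeforeCsv, [string]$AfterCsv)
    $b = $BeforeCsv | ConvertFrom-Csv
    $a = $AfterCsv  | ConvertFrom-Csv
    $order = 'Critical', 'High', 'Medium', 'Low', 'None'   # Nessus severity labels

    # Severity counts side by side, the same picture the screenshot comparison gives
    $summary = foreach ($sev in $order) {
        [pscustomobject]@{
            Risk   = $sev
            Before = @($b | Where-Object Risk -eq $sev).Count
            After  = @($a | Where-Object Risk -eq $sev).Count
        }
    }

    # Plugin IDs present before but absent after: what the remediation actually closed
    $fixed = Compare-Object -ReferenceObject $b -DifferenceObject $a -Property 'Plugin ID' |
        Where-Object SideIndicator -eq '<=' |
        ForEach-Object { $id = $_.'Plugin ID'; $b | Where-Object 'Plugin ID' -eq $id }

    [pscustomobject]@{
        Summary   = $summary
        Fixed     = $fixed
        Remaining = @($a | Where-Object Risk -ne 'None')   # still-open, non-Info findings
    }
}

$result = Compare-NessusExport -BeforeCsv $Before -AfterCsv $After
$result.Summary   | Format-Table -AutoSize
$result.Fixed     | Select-Object 'Plugin ID', Risk, Name | Format-Table -AutoSize
$result.Remaining | Select-Object 'Plugin ID', Risk, Name | Format-Table -AutoSize
```

Diffing on Plugin ID rather than on the finding's name is deliberate: the name can change between plugin revisions, while the ID identifies the same check across scans, so the "Fixed" list only contains checks that genuinely stopped firing. The "Remaining" list is the one Critical the write-up leaves for another day.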