How to Complete a Vulnerability Assessment with Nessus

March 21, 2018 by

In this lab, we will show you how to conduct and analyze a vulnerability risk assessment using the popular vulnerability scanning tool Nessus. We will:

  • Run a Nessus scan on a victim machine
  • Review and analyze Nessus for potential vulnerability and risk assessment
  • Download Nessus report

Background information

  1. Nessus is a vulnerability scanner by Tenable Network Security. Tenable provides enterprise-class solutions for continuous monitoring and visibility of vulnerabilities, configurations, user activity and system events that impact security and compliance.
  2. Before you begin, get information about the scanning machine, e.g., IP address and hostname.

Step 1: Get information about the target machine

  1. Start a full Nmap scan on the target or your network subnet
  2. Output the results into an XML file and note the target IP address

Step 2: Set up Kali machine & Nessus scan

  • Boot the Kali machine and start Nessus service using the following command: /etc/init.d/nessusd start. Place the following URL into your browser:
  • While logging into Nessus for the first-time, use the following credentials for the login: Admin and Password of your own choice

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Step 3: Scan victim machine with Nessus

  • Create a scan. This can be done by clicking on My Scans and then on the New Scan button.
  • Upon clicking on the new scan, you will be presented with the different scan options provided by the Nessus. Note that most of the options are for the paid versions. We will be selecting the Basic Network Scan for the home use edition.
    • The third step is to configure the scan Name: metasploitable2
    • Description: metasploitable2
    • Folder: My Scans
    • Scan Targets:
    • Click the Save button
  • The fourth step is to launch the scan (Part 1)
    • Check metasploitable2
    • Click the More down drop box
    • Select Launch
  • Launch scan (Part 2)
    • Click the Launch button
  • Launching message. This message box will disappear in a moment:
  • In this step, the user will be presented with the running message:
  • It will take between three and five minutes for the running icon to turn into a completed icon.

Step 4: View Nessus Results

The Nessus scan for Metasploitable2 revealed 384 vulnerabilities:

Main vulnerabilities are listed below.

1. Topic: rsh Unauthenticated Access

  • Overview: This issue makes it possible for an attacker to log on this machine without a password.
  • Summary: Using common usernames, as well as the usernames reported by "finger," Nessus could log in through rsh. Either the accounts do not have passwords, or the ~/.rhosts files are not configured correctly.
  • Proposed fix: Remove the .rhosts files or set a password on the impacted accounts.
  • Risk factor/CVSS base score: Critical; 10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
  • Reference: https://www.rapid7.com/db/modules/auxiliary/scanner/rservices/rsh_login

2. Samba Heap-Based Remote Buffer Overflow

  • Overview: An attacker can execute arbitrary code on the target system using a vulnerable installation of Samba.
  • Summary: The version of the Samba server installed on the remote host is affected by multiple heap overflow vulnerabilities, which can be exploited remotely to execute code with the privileges of the Samba daemon.
  • Proposed fix: Upgrade to Samba version 3.0.25 or later.
  • Risk factor/CVSS base score: Critical; 10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
  • Reference: https://www.rapid7.com/db/vulnerabilities/cifs-samba-ms-rpc-bof

3. Apache Tomcat Manager Common Administrative Credentials

  • Overview: An attacker can use this issue to log into the Apache Tomcat management console using a known set of credentials.
  • Summary: An attacker can use this issue to install a malicious application on the affected server and run code with Tomcat's privileges.
  • Proposed fix: Edit the associated "tomcat-users.xml" file and change or remove the affected set of credentials.
  • Risk factor/CVSS base score: Critical; 10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
  • Reference: https://www.rapid7.com/db/modules/exploit/multi/http/tomcat_mgr_deploy

4. vsftpd Smiley Face Backdoor

Become a Certified Ethical Hacker, guaranteed!

Become a Certified Ethical Hacker, guaranteed!

Get training from anywhere to earn your Certified Ethical Hacker (CEH) Certification — backed with an Exam Pass Guarantee.

  • Overview: An attacker can use this issue to execute arbitrary code on the system using the vulnerable installation of VSFTPD server.
  • Summary: The version of vsftpd running on the remote host has been compiled with a backdoor. An unauthenticated, remote attacker could exploit this to execute arbitrary code as root.
  • Proposed fix: Use a legitimate copy of the vsftpd software.
  • Risk factor/CVSS base score: Critical; 10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
  • Reference: https://pastebin.com/AetT9sS5

5. MySQL Unpassworded Account Check

  • Overview: An attacker can access the remote database server without password.
  • Summary: It is possible for a remote attacker to connect to the MySQL database server using an unprotected account. This may allow an attacker to launch further attacks against the database.
  • Proposed fix: Disable or set a password for the affected account
  • Risk factor/CVSS base score: High; 7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
  • Reference: https://dev.mysql.com/doc/refman/5.7/en/default-privileges.html

SecRat works at a start-up. He's interested in Windows Driver Programming.