Monday, 29 February 2016

Creating a policy in Nessus

CREATING A NEW POLICY

We will now create a new custom policy for scanning a Windows machine on my local area network. To create a policy, click on “Policies” at the top and then the “+add” button. You will see a screen similar to the one shown here:
Enter the name of the policy. In my case, I entered “WindowsBox”, since I am scanning a Windows machine on my network. Visibility is set to private, which means that the policy will not be shared with other users.

You will also see many options under the Policies tab, which you can tweak according to your requirements. We will discuss a few of them: the ones that are enabled by default, and the ones that are most helpful in our penetration tests. I will leave the rest for you to explore on your own.

SAFE CHECKS

You should always enable “Safe Checks.” This runs only the low-risk checks, so that the availability of the target system is not compromised. If you don’t enable it, you are likely to crash older systems and cause a denial of service, which is not acceptable in a penetration test unless the client has explicitly asked for it.

SILENT DEPENDENCIES

With this option enabled, dependent checks are not listed in your report, which makes the report much more concise and easier to read.

AVOID SEQUENTIAL SCANS

When the “Avoid sequential scans” box is checked, Nessus will scan the given IP addresses in a random order rather than the default sequential order. The advantage of this option is that it can get past some firewalls that block “consecutive port” traffic. For example, Nessus will scan port 21, then jump to port 53, and then jump to another port.

You don’t need to do much with the default options, as these are suitable for most of your penetration tests. You can read more about each of the options in the “Nessus User Guide.” On the left sidebar, you will see other options such as Credentials, Plug-ins, and Preferences.

PORT RANGE

By default, Nessus will scan ports 1–1024. In my opinion, this should not be left at the default, because many administrative consoles and web services run on ports higher than 1024, and leaving them unscanned may mean missing many vulnerabilities. I recommend that you scan all ports by changing the “default” keyword to “all”. The scan will take more time, but it will help in finding additional vulnerabilities.

CREDENTIALS

On the left sidebar, you will see the “Credentials” options, which allow you to specify OS IDs, SMB, FTP, HTTP, and other credentials. These let Nessus perform an in-depth, authenticated analysis of the target. Most of the time you will not have access to these credentials, unless you are in a corporate environment.

PLUG-INS

The third option you will see is “Plug-ins,” which tells Nessus what types of vulnerabilities it should look for. The plug-ins are written in the “Nessus Attack Scripting Language” (NASL). Learning it will help you write your own plug-ins or modify existing ones.

From this screenshot, you can clearly see that Nessus contains a huge list of plug-ins. However, we want to disable the “Denial of Service” plug-in family, since we don’t want to knock targets offline while performing the scan. I would also recommend being specific about the plug-ins and deselecting checks that are not useful for your scan. For example, if you are scanning a Windows machine, you don’t need the Fedora, FreeBSD, and other non-Windows checks enabled.

PREFERENCES

There are a lot of preferences in Nessus that you can customize to handle different types of content. The “Nessus User Guide” lists the important preferences you should be using.

Once you are done, click the “Submit” button to save your policy.

SCANNING THE TARGET

Now that we are done with the hard part, we need to specify the targets to scan. The process is pretty straightforward: go to the Scans section and specify the target and the policy that we created in the previous step.

Once you have launched the scan, you will see the scan progress screen.
Once the scan is complete, go to the “Reports” tab and either download the report or view it in the panel by clicking on it.
Nessus offers several report formats. You can read the pros and cons of each format in the “Nessus User Guide.” To download the report, go to the “Reports” menu, select the report, and click “Download” at the top.

If you are performing a vulnerability assessment, you can download the report in the customer’s preferred format and send it to them. However, if you are performing a penetration test and your goal is to exploit the vulnerabilities found, choose the .nessus format, because it lets you import the findings into Metasploit, where you can perform further checks and choose the relevant exploits based on your findings.
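The .nessus export mentioned above is an XML file (NessusClientData_v2) with one ReportItem per finding. As an added example that is not part of the original post, the following Python script parses a constructed .nessus sample, drops the “Denial of Service” plug-in family the post says to disable, flags findings on ports above 1024 (which the default port range would miss), and ranks the rest by severity. The host, plugin IDs and plugin names in the sample are placeholders, not real scan data.

```python
"""Triage a Nessus v2 (.nessus) export, the format this post recommends for
import into Metasploit.  Added example, not code from the post or from Tenable;
the XML is CONSTRUCTED and its host, plugin IDs and names are placeholders."""
import xml.etree.ElementTree as ET
from collections import Counter

SEVERITY = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2><Report name="WindowsBox">
  <ReportHost name="192.0.2.10">
    <HostProperties><tag name="operating-system">Windows (constructed)</tag></HostProperties>
    <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3" pluginID="900001"
      pluginName="SMB finding (constructed)" pluginFamily="Windows"/>
    <ReportItem port="8080" svc_name="www" protocol="tcp" severity="2" pluginID="900002"
      pluginName="Admin console finding (constructed)" pluginFamily="Web Servers"/>
    <ReportItem port="80" svc_name="www" protocol="tcp" severity="4" pluginID="900003"
      pluginName="DoS finding (constructed)" pluginFamily="Denial of Service"/>
    <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="900004"
      pluginName="OS fingerprint (constructed)" pluginFamily="General"/>
  </ReportHost>
</Report></NessusClientData_v2>"""

def parse_nessus(xml_text, min_severity=1, skip_families=("Denial of Service",)):
    """One dict per ReportItem at or above min_severity, highest severity first;
    plugin families the policy should have disabled (DoS, per the post) are dropped."""
    findings = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        os_tag = host.find("HostProperties/tag[@name='operating-system']")
        for item in host.iter("ReportItem"):
            sev, port = int(item.get("severity", "0")), int(item.get("port", "0"))
            if sev < min_severity or item.get("pluginFamily") in skip_families:
                continue
            findings.append({
                "host": host.get("name"), "os": getattr(os_tag, "text", "unknown"),
                "port": port, "protocol": item.get("protocol"), "service": item.get("svc_name"),
                "severity": SEVERITY.get(sev, str(sev)), "severity_num": sev,
                "plugin_id": item.get("pluginID"), "plugin_name": item.get("pluginName"),
                # ports above 1024 are exactly what the default 1-1024 range would miss
                "above_default_range": port > 1024,
            })
    return sorted(findings, key=lambda f: -f["severity_num"])

def severity_summary(findings):
    """Count of findings per severity label, for the report's summary section."""
    return Counter(f["severity"] for f in findings)

if __name__ == "__main__":
    for f in parse_nessus(SAMPLE_NESSUS):
        print(f["host"], f["port"], f["severity"], f["plugin_name"], f["above_default_range"])
```

Point parse_nessus at the text of a real .nessus download to get the same triage over your own scan; lower min_severity to 0 if you also want the informational items.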
