1
00:00:00,150 --> 00:00:04,720
At last we are ready to start a Nessus vulnerability scan.

2
00:00:04,740 --> 00:00:08,200
This is the main page of the Nessus web interface.

3
00:00:08,220 --> 00:00:13,080
We are in the "My Scans" section of the "Scans" tab. At the upper left corner

4
00:00:13,080 --> 00:00:19,150
click "New Scan". First Nessus asks for the scanner.

5
00:00:19,310 --> 00:00:20,590
We have seen them before.

6
00:00:20,600 --> 00:00:24,620
So here we can choose the most suitable one for our scan.

7
00:00:24,790 --> 00:00:29,520
But in the home version of Nessus, unfortunately, some scans are disabled.

8
00:00:29,780 --> 00:00:35,710
If you click "Internal PCI Network Scan", for example, the application redirects you to the Nessus website

9
00:00:35,810 --> 00:00:37,660
to buy Nessus Professional.

10
00:00:37,970 --> 00:00:45,170
There are also available scanners like "Basic Network Scan", or alternatively go to the "User Defined" tab and

11
00:00:45,170 --> 00:00:47,170
select your own policy.

12
00:00:47,180 --> 00:00:49,960
This is the policy we defined in the previous lectures.

13
00:00:49,970 --> 00:00:51,520
So I chose this.

14
00:00:51,860 --> 00:00:58,070
Now give a name to your scan. As you can see on the right side of the Name field, the required fields

15
00:00:58,070 --> 00:01:06,620
are identified by Nessus. Write a description if you want.

16
00:01:06,650 --> 00:01:11,070
Select the folder for the outputs and define the target.

17
00:01:11,210 --> 00:01:15,400
You can list the hosts in the "Targets" field one by one.

18
00:01:15,500 --> 00:01:25,890
I want to scan my two systems now: 99.139 is OWASP BWA and 99.206 is my Metasploitable system.

19
00:01:26,270 --> 00:01:32,250
So if you want multiple IP addresses, just put a comma between them.

20
00:01:32,250 --> 00:01:38,750
You can also define an IP block or a range, just as you remember from the Nmap lectures.

21
00:01:39,190 --> 00:01:45,220
Or alternatively, if you have a file that contains a list of the hosts, which we also covered earlier, you

22
00:01:45,220 --> 00:01:50,310
can add that file using the "Add File" link under "Upload Targets".

23
00:01:50,410 --> 00:01:54,060
So now we're ready to launch the scan. At the bottom of the page,

24
00:01:54,100 --> 00:02:00,400
select "Save", or click the down arrow button and select "Launch" to start the scan immediately.

25
00:02:00,400 --> 00:02:05,500
I choose "Launch"; it first saved the scan and then launched it immediately.

26
00:02:05,500 --> 00:02:11,540
So while scanning, let's see some of the parts of the Nessus interface. At the left you see the folders; next

27
00:02:11,540 --> 00:02:12,890
to the "My Scans" folder

28
00:02:12,890 --> 00:02:16,720
it says that I have one active scan. And on the "My Scans" page

29
00:02:16,730 --> 00:02:18,740
you see the scan that we just started.

30
00:02:18,740 --> 00:02:22,030
If you click on it, you see the scan details.

31
00:02:22,050 --> 00:02:26,930
There are three tabs here: "Hosts", "Vulnerabilities" and "History".

32
00:02:27,170 --> 00:02:31,930
When you click on the "Vulnerabilities" tab, you see the vulnerabilities found during the scan.

33
00:02:32,270 --> 00:02:34,690
Here we already have some results.

34
00:02:34,720 --> 00:02:38,530
Now click the "Hosts" tab to go back.

35
00:02:38,530 --> 00:02:41,230
These are the systems that we defined as targets:

36
00:02:41,380 --> 00:02:45,580
OWASP BWA and Metasploitable.

37
00:02:45,580 --> 00:02:51,870
At the right, you see the severity levels of the vulnerabilities. Nessus classifies vulnerabilities into 5 levels.

38
00:02:52,420 --> 00:02:59,890
Informational level quickly identifies non-vulnerability information, which is "nice to know", and

39
00:02:59,890 --> 00:03:08,780
separates it from the vulnerability detail, which is "need to know".

40
00:03:08,790 --> 00:03:14,970
Low level identifies flaws that might help an attacker to better refine his attack, but by itself that flaw won't be sufficient for a compromise.

41
00:03:14,970 --> 00:03:18,320
Medium level identifies that

42
00:03:18,330 --> 00:03:21,560
some information is leaking from the remote host.

43
00:03:21,780 --> 00:03:27,450
An attacker might be able to read a file he should not have access to. High level identifies that the

44
00:03:27,450 --> 00:03:34,440
attacker can read arbitrary files on the remote host and/or can execute commands on it, and critical

45
00:03:34,440 --> 00:03:40,800
level vulnerabilities are the most important vulnerabilities for us. These vulnerabilities can be exploited

46
00:03:40,800 --> 00:03:47,270
by a tool, and in most cases the attacker does not need to make an extra effort to exploit them.

47
00:03:47,280 --> 00:03:48,730
So let's fast forward the scan;

48
00:03:52,150 --> 00:03:58,100
now on the right side of each host row you can see the status of the scan of that host.

49
00:03:58,200 --> 00:04:06,810
100% means the scan of that host is complete.

50
00:04:06,900 --> 00:04:10,630
You can ping the hosts sometimes to understand whether they're still alive.

51
00:04:19,950 --> 00:04:26,530
And finally our scan is completed in 4 minutes, which is a very fast scan for a vulnerability scan.

52
00:04:27,550 --> 00:04:33,830
Now let's click on Metasploitable to go to the vulnerabilities of that host. Here are the vulnerabilities

53
00:04:33,830 --> 00:04:36,780
of the Metasploitable machine found by this scan.

54
00:04:37,130 --> 00:04:42,320
Please note that there might be other vulnerabilities that cannot be found by Nessus with the policy

55
00:04:42,320 --> 00:04:43,160
that we used.

56
00:04:43,370 --> 00:04:46,580
The vulnerabilities are ordered by severity level by default.

57
00:04:46,580 --> 00:04:48,530
And I think that's a good idea.

58
00:04:49,460 --> 00:04:54,380
The vulnerabilities in the critical severity level are the most important ones for us again.

59
00:04:54,430 --> 00:04:57,660
So click on a vulnerability to see the details of it.

60
00:04:57,750 --> 00:05:00,190
So here we have the name of the vulnerability,

61
00:05:00,530 --> 00:05:07,680
a brief description, a solution method and the links to learn more about it.

62
00:05:07,870 --> 00:05:15,640
And last, the host and the port where the vulnerability lives. At the right side of the screen you see

63
00:05:15,640 --> 00:05:19,980
some additional and important information about the vulnerability.

64
00:05:19,990 --> 00:05:26,230
So for this particular vulnerability, Nessus says that we can exploit it using Core Impact, which is a commercial

65
00:05:26,230 --> 00:05:35,680
and very powerful exploitation tool. And here are the scores of this vulnerability: 10.0 is perfect for us.

66
00:05:37,040 --> 00:05:39,680
So click "Back to Vulnerabilities"

67
00:05:39,680 --> 00:05:46,260
to go back to the list of the vulnerabilities. Here there is another vulnerability which says a VNC

68
00:05:46,260 --> 00:05:51,030
server is running on the host and its password is "password".

69
00:05:51,150 --> 00:05:58,320
If that's true, and if there's no additional measure to protect the host, we can access that host very

70
00:05:58,320 --> 00:05:59,320
easily.

71
00:05:59,350 --> 00:05:59,910
I'll show you.

72
00:05:59,910 --> 00:06:01,180
Let's test it.

73
00:06:01,260 --> 00:06:08,560
Go to the terminal screen and run the VNC viewer by typing "xvncviewer" and hit enter.

74
00:06:08,730 --> 00:06:17,520
If you don't have VNC viewer installed on your Kali, type "apt-get install xvncviewer" and hit

75
00:06:17,520 --> 00:06:17,790
enter.

76
00:06:21,320 --> 00:06:30,880
Type the IP address of Metasploitable as the VNC server and hit enter, and now type "password" as the password

77
00:06:30,880 --> 00:06:38,180
and hit enter again, and voila, we are in the system.

78
00:06:38,260 --> 00:06:43,690
I use the "whoami" Linux command to learn the user that I've caught.

79
00:06:44,290 --> 00:06:52,180
And "uname -a" to learn the operating system and the kernel details, "ifconfig" to see the information

80
00:06:52,180 --> 00:06:55,590
about the network interfaces, etc.

81
00:06:58,500 --> 00:07:03,300
Now, type "rm -rf /".

82
00:07:03,350 --> 00:07:04,110
No no no no.

83
00:07:04,200 --> 00:07:04,710
Just kidding.

84
00:07:04,710 --> 00:07:05,970
Don't, don't do that.

85
00:07:06,060 --> 00:07:06,300
Don't.