Northeastern University

CSG 254 - Network Security

Lab: Vulnerability Scanning

In this lab, you will use Nessus to scan machines for vulnerabilities. This lab builds on the results of the Port Scanning lab (the hosts you discovered there are among your scan targets), so you are required to finish that lab before starting this one.

1. Introduction

Nessus is a vulnerability scanner designed to remotely detect publicly known vulnerabilities. It is split into a server daemon (nessusd), which performs the scanning using a library of plugins, and a separate client that connects to the daemon, configures the scan, and displays the results. There are many resources online dedicated to Nessus. Make sure to read the Wikipedia entry, along with an introductory article, and become familiar with the Nessus architecture.

Although Nessus started life as an open-source tool, the license changed with version 3.0. You can read more about the controversial move online. For this lab, you will be using the last GPL version available.

2. Setup

Before you begin scanning, you have to update and set up Nessus.

  1. Log in to your Linux machine. Review the man page for the nessus-update-plugins command. Now use the command to download all the latest plugins for Nessus (the -v flag prints each plugin as it is fetched, so you can confirm the update actually ran):

    nessus-update-plugins -v
  2. Before you can connect to your Nessus daemon securely, you must create an SSL certificate. Use the nessus-mkcert command, answering all the questions.

  3. Start up the Nessus service, nessusd, on your Linux machine as root:

    /etc/init.d/nessusd start
  4. Create a nessus user with the command nessus-adduser. Configure this user for password authentication and be sure to remember the password for later.

3. Scanning

  1. Log in to your Windows machine. Download and install the NessusWX client. You will likely need to install an unzip program as well; Freezip is one option. Use the installed client to connect to your Nessus server, authenticating as the user you created with nessus-adduser. You'll need to connect to your router's inside interface, which holds IP 10.0.T.1, where T is your team number.

  2. Configure a session to scan 3 hosts: your Windows server and the two systems you discovered in the Port Scanning lab. Execute the scan and then export the results to an NBE format file. NBE is a plain-text, pipe-delimited export with one record per line, which makes it easy to process outside the client. You will submit this file in your report.
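The following is an added example for working with the NBE export described above; it is not part of the original lab handout or of Nessus itself. It assumes the NBE layout written by the Nessus 2.x daemon: `timestamps|...` records bracketing the scan and each host, and `results|subnet|host|port|plugin id|severity|message` records, where an empty plugin id marks an open-port record from the port scan and the severity strings are "Security Hole", "Security Warning" and "Security Note". The sample data, including its plugin ids and messages, is constructed for the example and is not taken from a real scan.

```python
"""Parse a Nessus NBE export and summarize findings per host and severity.

Added example for this lab, not code from the original handout or from Nessus.
Assumed record layout (Nessus 2.x NBE):

    timestamps|||scan_start|<date>|
    timestamps||<host>|host_start|<date>|
    results|<subnet>|<host>|<port>|<plugin id>|<severity>|<message>
    results|<subnet>|<host>|<port>||              (open port, no plugin fired)
    timestamps||<host>|host_end|<date>|
    timestamps|||scan_end|<date>|

Newlines inside a message are assumed to be stored as the two characters
backslash and "n", which parse_nbe() turns back into real newlines.
"""
from collections import defaultdict

# Higher number = more serious. Anything else in the severity field is rejected.
SEVERITY_RANK = {"Security Hole": 3, "Security Warning": 2, "Security Note": 1}

# Constructed sample export covering two hosts. Plugin ids and messages are
# made up for illustration and do not correspond to real Nessus plugins.
SAMPLE_NBE = """\
timestamps|||scan_start|Mon Feb 20 10:00:00 2006|
timestamps||10.0.5.10|host_start|Mon Feb 20 10:00:01 2006|
results|10.0.5|10.0.5.10|ssh (22/tcp)||
results|10.0.5|10.0.5.10|ssh (22/tcp)|10001|Security Note|An SSH server is running on this port.
results|10.0.5|10.0.5.10|ssh (22/tcp)|10002|Security Warning|Protocol versions supported:\\n  SSH1\\n  SSH2
results|10.0.5|10.0.5.10|http (80/tcp)||
results|10.0.5|10.0.5.10|http (80/tcp)|10003|Security Note|A web server is running on this port.
timestamps||10.0.5.10|host_end|Mon Feb 20 10:05:00 2006|
timestamps||10.0.5.20|host_start|Mon Feb 20 10:00:01 2006|
results|10.0.5|10.0.5.20|microsoft-ds (445/tcp)||
results|10.0.5|10.0.5.20|microsoft-ds (445/tcp)|10004|Security Hole|Remote service accepts unauthenticated requests that crash it.
timestamps||10.0.5.20|host_end|Mon Feb 20 10:06:00 2006|
timestamps|||scan_end|Mon Feb 20 10:06:01 2006|
"""


def parse_nbe(text):
    """Return {host: {"subnet": str, "ports": set, "findings": [dict, ...]}}.

    Raises ValueError on a record that is neither a timestamps nor a
    well-formed results line, so a truncated or hand-edited file is noticed
    instead of silently producing an empty report.
    """
    hosts = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("timestamps|"):
            continue
        # maxsplit=6 keeps any '|' inside the message text intact.
        fields = line.split("|", 6)
        if fields[0] != "results" or len(fields) < 6:
            raise ValueError(f"line {lineno}: unexpected NBE record: {line!r}")
        _, subnet, host, port, plugin_id, severity = fields[:6]
        message = fields[6] if len(fields) > 6 else ""
        entry = hosts.setdefault(host, {"subnet": subnet, "ports": set(), "findings": []})
        entry["ports"].add(port)
        if not plugin_id:
            continue  # open-port record only; nothing to report beyond the port
        if severity not in SEVERITY_RANK:
            raise ValueError(f"line {lineno}: unknown severity {severity!r}")
        entry["findings"].append({
            "port": port,
            "plugin_id": int(plugin_id),
            "severity": severity,
            "message": message.replace("\\n", "\n"),
        })
    return hosts


def summarize(hosts):
    """Per-host count of findings by severity, e.g. {'10.0.5.20': {'Security Hole': 1}}."""
    out = {}
    for host, entry in hosts.items():
        counts = defaultdict(int)
        for finding in entry["findings"]:
            counts[finding["severity"]] += 1
        out[host] = dict(counts)
    return out


def triage(hosts):
    """All findings as (host, port, severity, plugin_id) tuples, worst first."""
    rows = [(host, f["port"], f["severity"], f["plugin_id"])
            for host, entry in hosts.items() for f in entry["findings"]]
    return sorted(rows, key=lambda r: (-SEVERITY_RANK[r[2]], r[0], r[1], r[3]))


if __name__ == "__main__":
    parsed = parse_nbe(SAMPLE_NBE)
    for host, counts in sorted(summarize(parsed).items()):
        print(f"{host}: {len(parsed[host]['ports'])} open ports, {counts}")
    for host, port, severity, plugin_id in triage(parsed):
        print(f"  [{severity}] {host} {port} plugin {plugin_id}")
```

To use it on your own export, replace SAMPLE_NBE with the contents of the .nbe file you saved from NessusWX; the per-host severity counts and the worst-first list are a convenient starting point for the findings section of your report. Note that the parser deliberately rejects unknown record types rather than skipping them, since a file that has been truncated or edited is exactly the case you want to notice before submitting it.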

Report

For this lab, your team must submit a report with the following information:

  1. The NBE reports from your scans.

  2. Suppose an attacker wanted a Nessus server to overlook a vulnerability on a server. How could the attacker accomplish this? Hint: see the man page for nessus-update-plugins, and think about where the plugins come from and how they get onto your machine.

  3. How could an attacker trick a Nessus client into connecting to a fake Nessus daemon?

  4. What are dangerous plugins? Why would you use care before enabling them?

Grading

Your grade for this lab will be composed of: