Nessus scan policies and report Tutorial for beginner

MODULE 5:- Scanning Network and Vulnerability

Getting Start Nessus Scan and finding Vulnerability

When you have finished installation and configuration of Nessus How to Install Nessus on Kali Linux 2.0, then you have ready to scan and finding vulnerability of local, network, window and Linux machine. In this note I will guide you to find vulnerability of network and system step by step.

Getting Start finding Local Vulnerability by Nessus

Local vulnerability depends on what system you are using local if you are using windows operating system then you will find windows vulnerability and if you are using Linux operating system then you will find vulnerability of linux.

How to Nessus scan policies and report

Let’s start the process of find out Kali Linux vulnerabilities with Nessus by opening the Iceweacel web browser:

Open Nessus at http://127.0.0.1:8834. And login with credential.
Click on the Policies on the bar at the bottom.
Click on New Policy button at the left side bar.
Select desired templates. In policy wizard has following Scanner templates:

Advanced Scan: Scan template for users who want total control of their policy configuration.

Audit Cloud Infrastructure: For users who want to audit the configuration of cloud-based services such as Amazon Web Services (AWS) and Salesforce.com.

Bash Shellshock Detection: Remote and credentialed checks for the Bash Shellshock vulnerability.

Basic Network Scan: For users scanning internal or external hosts.

Credentialed Patch Audit: Log in to systems and enumerate missing software updates.

GHOST (glibc) Detection: Credentialed checks for the GHOST vulnerability.

Host Discovery: Identifies live hosts and open ports.

Internal PCI Network Scan: For administrators preparing for a Payment Card Industry Data Security Standards (PCI DSS) compliance audit of their internal networks.

Mobile Device Scan: For users of Apple Profile Manager, ADSI, MobileIron, or Good MDM.

Offline Config Audit: Upload and audit the config file of a network device.

PCI Quarterly External Scan: An approved policy for quarterly external scanning required by PCI. This is offered on Nessus Enterprise Cloud only.

Policy Compliance Auditing Audit system configurations against a known baseline provided by the user.

SCAP Compliance Audit: Audit systems using Security Content Automation Protocol (SCAP) content.

Web Application Tests: For users performing generic web application scans.

Windows Malware Scan: For users searching for malware on Windows systems.

Policy Settings: Every policy has five sections under settings:

Basics
Discovery
Assessment
Report
Advanced

These sections allow user to make changes in the policy setting and refine the settings.

Basics: Basic section has two parts

General : There are two section instide the general section:
- Name: Provide the policy name like “Local vulnerability scan”
- Description: Here user can provide the description about the policy
Permission : In this section there are two option:
- Private : this policy is used only by you.
- Share: This policy is available for other users.

Discovery section: This section under policy settings control the following option used by policy.
1. Host discovery
2. Port scanning.
3. Service Discovery.
Assessment: Under this section User configure “Web Application scanning” setting and SMB enumeration perform if required. If the “scan web application” is not enabled these option will not visible.
Report: as the name of this policy shows, that this section is used to configures the appereance of scan report and where It will be show and deliver after complete scan.
Advance: The Advanced section allows configuration of more advanced features, such as performance settings, additional checks, and logging features.

As you see there are two tab on top side one is setting and another is credential about setting I have described everything. Next, describe about credential tab

Policy Credentials: Nessus is very effective scanner against vulnerability, checked large veriety of vulnerability, which could be exploited remotely. For remote scanning, nessus log into the system and check for vulnerability on targeted host. Following type of credential are required for policy.

Cloud Services, which includes Amazon Web Services (AWS) and Salesforce.com
Database, this section used to give the information about Username, password, Databse type which includes Oracle, MySQL, DB2, PostgreSQL, and SQL Server, Databse port, Authentication type, and SID. This is also include MongoDB Databse.
Host, which includes Windows logins, SSH, and SNMPv3
Mobile Device Management
Patch Management servers
VMware, Red Hat Enterprise Virtualization (RHEV), IBM iSeries, Palo Alto Networks PAN-OS, and directory services (ADSI and X.509)
Plaintext authentication mechanism including FTP, HTTP, POP3, and other services

When you enter all the required field then save the policy. Policy has been saved you can use at the time of Scan.

SCAN After creating the policy next step to create a New scan.

Creating, launching and Scheduling Scan

At the top near policies you will find another option scan click on scan and in the left side bar you find New Scan button click on it, you can create new policy, scanner templates, or you can select user created policies that you have created earlier.

There are three sections under scan setting

General :
1. Name : Provide any name for scan to remember later.
2. Description: Enter the short description about scan
3. Folder: My scanner by default
4. Scanner: Type of scanner local or remote
5. Targets: most important section, targets. You can enter single IP addres (192.168.1.10) or hostname (Kali System) or enter multiple target at time every targets should be separated by comma example ( 192.168.1.10, 192.168.1.14, 192.168.1.28, 192.168.1.36,test.com), or you can provide entire network for scan (192.168.1..0/24)
6. Upload Targets: In this section you can upload file consist targets list.
Schedule: you scan schedule your scan to perform scanning time to time, by default it is disabled so enable it. Once enabled you can find out following options;
1. Launch: you can select you launch option once, daily, weekly, monthly or yearly.
2. Starts on: Select here start scanning data and time
3. Time zone: Select time Zone
4. Summary: summary will be display
Email Notification: Here you should enter the email address single or multiple where you want to send notification. To proper work of this section your SMTP should be configure.

Scan Results and Reports

Nessus allow user to view the scan results and generate reports

View Scan Result : Scan results are displayed with name of scan, and date of last scan. When you click on the completed scan you will find the results. Above the scan results, there are four buttons for working with the scan result:

Configure Navigates you back to the scan settings.

Audit Trail Pulls up the audit trail dialogue. Audit trails are covered later in this section.

Launch Pulls up two choices to launch a scan: Default and Custom. The custom option allows you to define different targets for the scan, where default will run the scan with the predefined targets.

Export Allows you to save the scan result in one of four formats: Nessus (.nessus), HTML, CSV, or Nessus DB. Exporting scan results is covered later in this section.

Here Nessus allow user to export and download the report in five formats nessus, pdf, html, CSV and Nessus DB.

For example if you want to download report in PDF format click on export then PDF, New window will be popup there are two option select Executive summary for default and custom for changes. Click in the export. Download will be ready save the file. And Analyze the report

How to Install Nessus on Kali Linux 2.0 step by step

MODULE 5:- Scanning Network and Vulnerability

How to Install Nessus on Kali Linux 2.0

Hello friends, Welcome again !

We are studying of Penetration Testing Tutorial This article will cover how to downlad, install, activate and access web interface of Nessus on kali Linux. This post is origin How to Install Nessus on Kali Linux 2.0 Move forward and start your tutorial. In previous post you have completed Nessus Vulnerability Scanner Tutorial If you did not read, please read it.

Step 1: Access activation code and Download Nessus for Kali Linux 2.0

Now as you know Nessus is pwerfull vulnerability scanner tool, And we are using kali linux for penetration testing. If you think, Is it not installed Kali Linux? Yes, Nessus is not inbuilt in Kali Linux so if you want to take test of Nessus just go on this link https://www.tenable.com/products/nessus-home

And Fill the form and register yourself for activation. When you finished you will be redirect on Nessus downloading page. Click download button you will be there for downloading, just Click on Linux Menu will be open click on Debian option for Kali Linux. Agreement window will be appear, read terms and condition carefully and accept and save file

Step 2: Installation of Nessus on Kali Linux 2.0:

By default Nessus file is downloaded in the Download directory so first go inside the Download directory and run following command to install Nessus on Kali Linux.

#cd Downloads/

#dpkg -i Nessus_package.deb

And after complete installation run another command to start service.

#/etc/init.d/nessusd start

Step 3: Accessing Web Interface of Nessus:

Nessus provide web interface for work, it can be accessed with Iceweasel browser by making https connection. Iceweasel browser does not have ssl certificate you will get untrusted connection error, you can resolve this error to add this site as exception. https://locatlhost:8834 or https://192.168.0.102:8834

Nessus Vulnerability Scanner Tutorial For beginner

MODULE 5:- Scanning Network and Vulnerability

Hello Friends, Welcome again !

You are here to study of Penetration Testing Tutorial Nessus vulnerability scanner is a part of Scanning This Article will cover what is vulnerability, what is nessus, and key features includes in Nessus. We will cover full nessus vulnerability scanner tutorial in next two posts. How to Install Nessus on Kali Linux 2.0 and

What is Vulnerability?

Vulnerability is loop holes and weakness in computer Security, which allow attacker (hacker) to get into the System and reduce a System’s information assurance. There are three flaws of vulnerability:

System suspicious flaw.
Attacker find out vulnerability.
Attacker exploit System by this vulnerability a very critical flaw.

It is also known as security bugs. Computer users and network personnel can protect computer systems from vulnerabilities by keeping software security patches up to date. These patches can remedy flaws or security holes that were found in the initial release. Computer and network personnel should also stay informed about current vulnerabilities in the software they use and seek out ways to protect against them.

More Detail : http://en.wikipedia.org/wiki/Vulnerability_(computing)

What is Nessus Vulnerability Scanner?

Nessus is one of the most popular an capable vulnerability scanner, available for Linux, Microsoft Windows, Mac Os X, FreeBSD, GPG Keys.

Nessus is the most trusted vulnerability scanning platform for auditors and security analysts. Users can schedule scans across multiple scanners, use wizards to easily and quickly create policies, schedule scans and send results via email. Nessus supports more technologies than any other vendor, including operating systems, network devices, hypervisors, databases, tablets/phones, web servers and critical infrastructure.

Key features include:

High-Speed Asset Discovery
Vulnerability Assessment
Malware/Botnet Detection
Configuration & Compliance Auditing
Scanning & Auditing of Virtualized & Cloud Platforms

The Home edition of Nessus is available free of cost for students and small organization. Nessus® Home allows you to scan your personal home network (up to 16 IP addresses per scanner) with the same high-speed, in-depth assessments and agentless scanning convenience that Nessus subscribers enjoy. Enterprises version available as trail for 7 days.

For More detail visit: http://www.tenable.com/

Video Tutorial: https://www.youtube.com/user/tenablesecurity

Nmap options for Firewall IDS evasion in Kali Linux

MODULE 5:- Scanning Network and Vulnerability

What is a firewall?

Firewall is a software or hardware to protect private network from public network. If hacker make activity to scan network, these methods are discarded by Firewall. so this is most important for hackers and Pentester to scan the network without being caught. If you can bypass firewall then you are safe. In this tutorial you will learn how to bypass and test firewall.

Best nmap options to bypass firewall

During penetration testing, you may encounter a system that is using firewall and IDS to protect the system. If you just use the default settings, your action may get detected or you may not get the correct result from Nmap. The following options may be used to help you evade the firewall/IDS:

• -f (fragment packets):

This purpose of this option is to make it harder to detect the packets. By specifying this option once, Nmap will split the packet into 8 bytes or less after the IP header.

• –mtu:

With this option, you can specify your own packet size fragmentation. The Maximum Transmission Unit (MTU) must be a multiple of eight or Nmap will give an error and exit.

• -D (decoy):

By using this option, Nmap will send some of the probes from the spoofed IP addresses specified by the user. The idea is to mask the true IP address of the user in the logfiles. The user IP address is still in the logs. You can use RND to generate a random IP address or RND:number to generate the <number> IP address. The hosts you use for decoys should be up, or you will flood the target. Also remember that by using many decoys you can cause network congestion, so you may want to avoid that especially if you are scanning your client network.

• –source-port <portnumber> or –g (spoof source port):

This option will be useful if the firewall is set up to allow all incoming traffic that comes from a specific port.

• –data-length:

This option is used to change the default data length sent by Nmap in order to avoid being detected as Nmap scans.

• –max-parallelism:

This option is usually set to one in order to instruct Nmap to send no more than one probe at a time to the target host.

• –scan-delay <time>:

This option can be used to evade IDS/IPS that uses a threshold to detect port scanning activity. You may also experiment with other Nmap options for evasion as explained in the Nmap manual (http://nmap.org/book/man-bypass-firewalls-ids.html).

Port scanning to check open ports by nmap network scanner

Port Scanning to check open ports

TCP IP header flags list

MODULE 5:- Scanning Network and Vulnerability

What is TCP IP header?

TCP IP header refers Transmission control Protocol is responsible to make communication between devices and send data over network. It provides reliable, ordered and error check comunications. Major internet application rely on by this protocol such as World wide web, email, remote adminsitration, file transfer etc. Applications that don’t require reliableity use UDP (User Datagram Protocol).

TCP has main operations at the time of communication:
Establish connections
Terminate connections
Reliable Transmission
Error Detection and check sum
Flow Control
Congestion control
Decide maximum segment size
Acknowledgment of transfer data
Forcing data delivery

And these operations handled by TCP IP header Communication flags. There are six type of Flags used by TCP

URG (Urgent)
Data with this flag should be processed immediately
FIN (finish)
this flag tell there is no more data remain for transmission on remote system
RST (Reset)
It is used to reset the connection
PSH (Push)
It is used to instruct to send all buffered data immendiately to the recieving system
ACK (Acknowledgement)
Used acknowledge the receipt data packets
SYN (Synchronize)
It is used to initiate the a connection between the hosts

To know More : Packetcrafter

Scanning for Live System in Network by Ping and Ping sweep tools

Check Live host by Network Scanner

Live system means system should be Up and connected and reachable inside Network. If system is not connected in the network or down is called dead system. We have two method to check live system one is single system scanning another scan multiple systems at once.

Free IP scanner Network Utility Ping

Ping checks live system with the help of ICMP scanning. Ping scan sends ICMP ECHO request to a host. If the host is live, it will return an ICMP ECHO reply. No reply means host is dead. Sometimes firewall discards ICMP ECHO request so We cant identify host is live or dead.

Ping sweep ip scanner tools in network

Ping sweep is used to check live systems in network within rang of IP addresses. If multiple hosts are connected in the network, to find out live hosts is a big challenge for Pen Tester. Ping Sweep is useful in this condition. In this scanning method Attacker sends ICMP requests to multiple Systems. If host is alive it will return ICMP reply.

Ping Sweep tools:

Ping sweep is performed by multiple tools for windows as well as for Linux.

fping a ping Linux program

Zenmap a GUI for Nmap

Zenmap is a free graphical interface for the very popular port scanner nmap comes with the 10 defferent scan type ping scan is one of them

Other Ping Sweep Tools:

Angry IP Scanner,

Solarwinds Engineer’s Toolset,

Colasoft Ping tool,

PacketTrap MSP Ping Sweep,

Ping Scanner Pro,

Network Ping,

Ultra Ping pro

What is network scanning ?

Network Scanning

As we discuss in previous, information gathering is the first phase of Penetration testing in which the pentester gather the information about the target. This phase is not enough alone to get much information, so we need another method to gather many more details about target. In This phase attacker get the detail about system, network, and vulnerabilities about potential target.

Types of scanning:

Live host scanning
Port scanning
UDP scanning
Vulnerability scanning

Network scanning is one of the most important phases of intelligence gathering. During the this process, you can gather information about specific ip addresses that can be accessed over the intent, their targets operating systems, system architecture, and the services running on each computer. In addition, the attacker also gather details about the networks and their individual host systems.

Purpose of Scanning

Discovering live hosts, ip address, and open ports of live hosts running on the network

Discovering open ports are the best way to break into the system.

Discovering Operating systems and system architecture

Identifying the vulnerabilities and threat

Detecting the associated network service of each port