2025-02-23 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Nessus 8.9
I. Introduction to Nessus
1. What is Nessus?
Nessus is the most widely used system vulnerability scanning and analysis software in the world.
2. Software features
* It provides a complete computer vulnerability scanning service and updates its vulnerability database at any time.
* Unlike traditional vulnerability scanning software, Nessus can be controlled both from the local machine and from a remote end to run vulnerability scans and analysis of a system.
* Its performance can be adjusted according to the resources of the system. If the host is given more resources (such as a faster CPU or more memory), its efficiency improves accordingly.
* You can define your own plug-ins.
* NASL (Nessus Attack Scripting Language) is a language developed by Tenable for writing security tests for Nessus.
* Full support for SSL (Secure Socket Layer).
* It has been 20 years since it was developed in 1998, so it is a familiar piece of software.
II. Installation and activation of Nessus on the Windows platform
1. Official home page
Official download address
https://www.tenable.com/downloads/nessus?loginAttempted=true
2. Platforms Nessus mainly runs on
Windows, Mac OS X, Linux
3. Nessus download
To reduce the cost of learning, we choose the Windows platform.
For other operating systems, choose the matching installation package according to the prompts.
For installation methods, refer to the software installation procedure of the respective platform.
4. Installation and activation
After the installation is complete, open it through the browser:
https://localhost:8834
Get the activation code:
Choose the free version:
Fill in as required:
Check the activation code in the mailbox:
The activation code will be received in the mailbox and it will be valid for one hour.
Log in using the activation code and customize the administrator user name
Download the plug-in:
Prompt timeout:
Update manually using the command
PS D:\Program Files\Tenable\Nessus> .\nessuscli.exe update
After the update, restart the service:
Open the landing page again:
You can go to the page:
III. Introduction to the use of Nessus
1. Introduction to the Nessus system settings interface
Scans: scan menu
Settings: system settings
2. System settings - Settings - About
About:
Overview:
Basic information of this machine, version, update time, etc.
License Utilization
License usage: the free version allows you to scan 16 IPs, a count that includes the ones already used, and the license is valid for 90 days.
Software update
The schedule for software updates; you can also choose the server used for software updates.
Set the password for the current administrator account
3. System settings - Settings - Advanced Settings
User interface
Modify some basic properties of the software, such as the API interface, font, news, login prompt, users, server port, mixed vulnerability groups and vulnerability groups.
Scanning: scan settings
Scan detail management, time management, scan port management, etc.
Logging: log management
Recording and format management of system log information and scan logs.
Performance: performance management
Number of processes, number of hosts scanned at the same time, maximum global TCP connections, etc.
Security: security management
Certificate management, SSL connection management.
4. System settings - Settings - Proxy
System proxy server settings
5. System settings - Settings - SMTP
Mail server settings, used to send notifications such as scan results.
6. System settings - Settings - Custom CA
The CA certificate used when updating script plug-ins, especially for command-line updates.
7. System settings - Settings - Password
Set password complexity, connection timeout, maximum password attempts, minimum password length, and login prompts.
8. System settings - Settings - Health
Overview: view system memory, CPU, hard disk and other resource information.
Network: view information such as bandwidth usage, scan records, number of DNS queries and DNS query delays.
Alerts: alarm messages.
9. System settings - Settings - Notifications
System prompt messages
10. System settings - Settings - My Account
Account information management, password modification, email.
API Keys
Software call interface and authentication management.
IV. Nessus scan settings
1. Introduction to the Nessus scan menu
2. My Scans
Records the scan information of the current user; you can also create folders
3. All Scans
Records the scans of all users on the current server.
4. Trash
Deleted scan records
5. Policy
You can modify the properties of each scanning policy in Policy
6. Plugin Rules
Plug-in rules: allow you to modify the default severity level of a plug-in
7. Scanners
Shows how many scanners there are in the network. The free version defaults to the current host.
V. Using the Nessus arsenal
1. Host Discovery
Host discovery is mainly used to detect surviving hosts on the network, open ports, operating system information, etc.
2. Basic Network Scan
Port scanning aimed mainly at the devices on the network; suitable for any network host.
3. Advanced Scan
Can scan ports, hosts, services and Web applications
4. Advanced Dynamic Scan
Advanced dynamic scanning: as above, and you can also customize the scanning plug-ins to reduce scanning time.
5. Malware Scan
Malware scanning: mainly aimed at hosts.
6. Web Application Test
Web application testing: used to test for published or unknown vulnerabilities.
7. Credentialed Patch Audit
Credentialed patch audit: authenticate to the host and enumerate missing updates
8. Badlock detection
Badlock is a security vulnerability disclosed on April 12, 2016 that affects the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) remote protocols supported by Windows and Samba servers.
9. Bash Shellshock Detection
Shellshock, also known as Bashdoor, is a security vulnerability in Bash shell, which is widely used in Unix, and was first made public on September 24th, 2014. Many Internet daemons, such as web servers, use bash to process certain commands, allowing people to execute arbitrary code on vulnerable versions of Bash. This allows people to access the computer system without authorization.
10. DROWN Detection
OpenSSL is a powerful Secure Sockets Layer cryptographic library, which includes the current mainstream cryptographic algorithms, commonly used key and certificate encapsulation management functions and the SSL protocol, and provides rich applications for developers to use for testing or other purposes. Due to the popularity of OpenSSL, this open source security tool has become the main target of DROWN attacks. DROWN allows people to break the encryption system and read or steal sensitive communications, including passwords, credit card account numbers, trade secrets, financial data, etc. CVE vulnerability numbers: CVE-2016-0800 and CVE-2016-0703.
11. Intel AMT Security Bypass
Intel AMT, whose full name is Intel Active Management Technology, is essentially an embedded system integrated in the chipset, independent of any specific operating system. This technology allows administrators to remotely manage and repair networked computer systems, and the process is completely transparent to the managed system.
The vulnerability exists in Intel AMT and can be exploited even if security measures such as a BIOS password, BitLocker, a TPM PIN or traditional antivirus software are in place. To make full use of the vulnerability, attackers can log in using the default password "admin" of the Intel Management Engine BIOS Extension (MEBx), gain full control of the system, steal data, and deploy malware on the device. Unlike Meltdown and Spectre, successful exploitation of this vulnerability (not yet named) requires physical access to the device.
12. Shadow Brokers Scan
13. Spectre and Meltdown
The Spectre and Meltdown security vulnerabilities affect chip makers such as Intel, ARM, and AMD, most of whose computer and mobile device chips contain the vulnerability. The vulnerability allows attackers to read sensitive information on a computer's CPU and has affected millions of chips made in the past two decades. Although vendors like Apple, Microsoft and Intel are releasing patches to fix the vulnerability, some patches don't work and cause computers to malfunction.
14. WannaCry Ransomware
On May 12, 2017, the "WannaCry" ransomware attack against the Windows operating system appeared on the Internet. The ransomware took advantage of several Windows SMB service vulnerabilities disclosed by Microsoft on March 14 (including CVE-2017-0143, CVE-2017-0144, CVE-2017-0145 and CVE-2017-0148), which correspond to a Microsoft MS17 vulnerability announcement.
VI. Use Nessus for scanning
Usually, to scan a host or website, click My Scans and then New Scan to create a new scan. Next, choose a scan template: to scan a website, choose Web Application Tests; to scan a host, choose Advanced Scan; to find and scan the hosts in the network, choose Host Discovery.
1. Create a new host-discovered scan
Select Host Discovery
The name is preferably in English, the description is optional, and the target must be written clearly. It can be a network segment such as 192.168.23.0/24, a single address such as 192.168.23.6, or a host domain name such as www.baidu.com. Save it when done.
Go back to the My Scans interface, select the scan you want to perform, and click start
When the scan is over, click Task
You will find the hosts that exist in the current network segment and the open ports.
In the Report section in the upper right corner, you can choose to generate the report and the type of report.
When the scan has completed, the scan results are shown. There are five levels of vulnerabilities, the highest being Critical and the lowest Info.
Because we only ran host discovery and did not scan for vulnerabilities, no vulnerabilities were found.
2. Create a custom network discovery scan
Fill in the basic information when creating a scan
In Discovery, select OS Identification in the Scan Type drop-down box to identify the operating system.
Save and run.
When the task is over, click Task.
You can see the type of operating system, open ports, etc., and you can also generate detailed reports.
Similarly, because no vulnerability scanning was performed, there are no vulnerabilities in the report. Click Show Details to view the details.
The plug-ins used in this scan are shown in the details.
3. Create a Basic Network Scan
Create scan, select Basic Network Scan
Fill in the name and target
In the Discovery menu, find Scan Type
Only port scanning options are listed here, but that does not mean that Basic Network Scan does not support operating system detection. Save and start the scan, which takes a long time.
It can be seen that the scan found vulnerabilities on the system. Generate a report to view them.
Click Show Details to view the details.
4. Create a basic advanced scan
Create a scan and select Advanced Scan
Fill in the name and address of the target
In this experiment, the target machine is OWASP Broken Web Apps VM 1.2.
After Save, start the scan. When the scan is complete, click Task.
You can see that vulnerabilities have been found, and we generate a report. In the report, click Show Details to view the details.
The report shows the name of each vulnerability in detail, as well as the plug-in that detected it. Click on the plug-in to see the details of the vulnerability.
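The report described above can also be exported in Nessus's XML (.nessus) format and triaged offline by severity level and plug-in. The following is an added example, not part of the original article: it assumes a .nessus v2 export (ReportHost/ReportItem elements carrying severity 0-4), and the second host, plug-in IDs and plug-in names in the sample are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Severity attribute values in a .nessus (v2) export, lowest to highest.
SEVERITY = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample export, trimmed to the attributes this script reads.
SAMPLE = """<NessusClientData_v2><Report name="lab-advanced-scan">
<ReportHost name="192.168.23.6">
<ReportItem port="0" protocol="tcp" severity="0" pluginID="900001" pluginName="Constructed: host is alive"/>
<ReportItem port="80" protocol="tcp" severity="2" pluginID="900002" pluginName="Constructed: outdated web server"/>
<ReportItem port="443" protocol="tcp" severity="4" pluginID="900003" pluginName="Constructed: remote code execution"/>
</ReportHost>
<ReportHost name="192.168.23.7">
<ReportItem port="22" protocol="tcp" severity="0" pluginID="900004" pluginName="Constructed: SSH banner"/>
<ReportItem port="445" protocol="tcp" severity="3" pluginID="900005" pluginName="Constructed: SMB signing not required"/>
</ReportHost>
</Report></NessusClientData_v2>"""

def parse_findings(xml_text):
    """Return one dict per ReportItem, tagged with the host it was found on."""
    # Fine for exports from your own scanner; use defusedxml for untrusted files.
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            sev = int(item.get("severity", "0"))
            findings.append({
                "host": host.get("name"), "port": f'{item.get("port")}/{item.get("protocol")}',
                "severity": SEVERITY.get(sev, "Unknown"), "rank": sev,
                "plugin_id": item.get("pluginID"), "plugin_name": item.get("pluginName"),
            })
    return findings

def severity_counts(findings):
    """Count findings per level, always listing all five levels."""
    counts = Counter(f["severity"] for f in findings)
    return {name: counts.get(name, 0) for name in SEVERITY.values()}

def triage(findings, min_rank=3):
    """Findings at or above min_rank (default High), worst first."""
    hits = [f for f in findings if f["rank"] >= min_rank]
    return sorted(hits, key=lambda f: (-f["rank"], f["host"], f["port"]))

if __name__ == "__main__":
    found = parse_findings(SAMPLE)
    print(severity_counts(found))
    for f in triage(found):
        print(f'{f["severity"]:8} {f["host"]:15} {f["port"]:8} {f["plugin_id"]} {f["plugin_name"]}')
```

To run it against a real export, read the file and pass its text to parse_findings instead of SAMPLE.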
5. Create an advanced scan (with and without login)
Create a new scan and select Advanced Scan.
After filling in the basic information, we choose Discovery
Host Discovery in Discovery
Check whether the remote host is up by pinging it
If the Nessus host is also in the scanned network, the Nessus host will be scanned as well.
Using fast network discovery is generally not recommended, because the scan results may be affected by proxy servers and load balancing, making the check results inaccurate.
The more accurate ping methods are ARP, TCP and ICMP; UDP is not recommended.
Network device scanning: printers, Novell network devices and proprietary operating devices are generally not scanned.
Remote wake-up: some devices have the network wake-up function turned on. Before scanning, you need to wake up these devices and specify how long to wait for them to wake up.
Port Scanning
Treating unscanned ports as closed is generally not recommended. The port scan range is set to default out of the box; change it to the full range 1-65535.
Local port enumeration. Local ports are the ports on the target host itself, which means Nessus supports scanning with a login. After login, netstat and SNMP are used to try to obtain port information. If neither method is available, or Nessus is not logged in to the device, network port scanning is used.
Network port scanning: use the SYN half-open method. Turn on firewall detection (off by default) with the soft rather than the aggressive detection method. As a port scanning method, UDP is not recommended, because its efficiency and accuracy are relatively poor.
Service Discovery
Try to perform service detection on all ports
Enable SSL/TLS detection, which is mainly used to discover OpenSSL vulnerabilities
Because you cannot know whether the remote host has changed its ports, or for other reasons, select all ports. By default, certificates that expire within 60 days are identified. Enumerate all the SSL/TLS ciphers known to Nessus and try to connect with them.
ASSESSMENT (Security Assessment)
General
Accuracy: no need to modify; Nessus will write all suspected findings into the report.
Antivirus definition grace period (days)
SMTP: notification mail management
Brute Force: brute-force settings
Use user-provided accounts for brute-force testing to reduce the risk of account lockouts.
For Oracle Database, do not use test accounts
Web Applications: scanning of web applications; off by default, turn it on
Configure the crawler and the browser user agent
Application Test Settings: web application tests; check the box to enable them
If the scanned host cannot access the Internet, use the following code to test the site.
Windows