Categories
Security

Vulnerability Scanning with Nessus

All software has bugs. Everyone has experienced waiting for your laptop, tablet or phone to install some critical update, or had their computer crash with a spinning wheel of death or blue screen.

Bugs in software are generally faults in the programming code or mistakes in the logic of the code. Programmers make mistakes, programming languages and platforms are developed with assumptions that don’t match quite how the software is used, or even users intentionally trying to manipulate or forcing the program to do something it was never intended to do.

Programming mistakes can be found during the development and testing phase, they can be found when users start interacting with the software and sometimes they aren’t found for years and years, hidden deep in thousands or millions of lines of code.

Modern software is incredibly complex. The Linux kernel which is the heart of all Linux based operating systems and is the part of the operating system that directly interacts with the computer hardware has over 27 million lines of code, and that’s not including all the software a user generally interacts with like Desktop UIs, games and web browsers.

So with millions and millions of lines of code, billions of users and devices all running with different configurations and environments for various purposes, it’s next to impossible to be 100% certain there’s no bugs.

But not all bugs are vulnerabilities.

A vulnerability is a weakness in a program or system that could be exploited by an attacker. A bug could be anything, a misplaced semi-colon in a programming statement that causes a script to fail might just be an annoyance unless an attacker can manipulate that annoyance, chaining it with other bugs or weaknesses, to gain access to a system or cause the software to do something unexpected, like dump out the list of your users and passwords.

Ethical Hackers and security experts dedicate their time and energy to hunting for these bugs, to find them before the attackers do, and to fix them. It’s essentially an arms race between the security professionals and the attackers to find the bugs first. Previously unknown vulnerabilities, known as zero-days (for the 0 days that the vendors or developers have had to implement a fix), can be worth big money.

Once bugs are found, and fixes produced in the form of updates or even firewall rules to prevent a bug being exploited, users need to be notified about them.

Tenable Nessus is an industry standard vulnerability scanner that can be used against single systems, applications or entire fleets of machines to help find vulnerabilities before they’re exploited. Nessus won’t find unknown vulnerabilites, but it uses it’s database of already discovered vulnerabilities to scan systems and provide a report that can be used to patch your systems.

I’ve had the opportunity to deploy Nessus agents across a fleet of hundreds of Linux servers and run extensive scans from Tenable cloud.

In this article I’ll describe setting up Nessus in Linux to scan remote hosts. Having knowledge of the vulnerabilities present in your environment is critical in defending against Cyber attack. Using Nessus you can scan hosts across your network and generate reports on the vulnerabilities discovered so that they can be remediated before an incident occurs.

First thing’s first, head over to the Nessus downloads page and download the package appropriate for the machine you’ll be using. As I’m using Kali Linux, I’ll download the latest Debian amd64 version.

Next open a terminal window and install the package.

Note: There are a number of ways to install a package in Linux. In this example I used apt from the terminal, you can also use dpkg or by opening a file explorer and clicking on the package to open the GUI software manager.

Once the package has installed, you can start the Nessus service by typing

 sudo systemctl start nessusd.service 

and then navigating to https://127.0.0.1:8834.

If you see a security warning it’s ok to click ‘Accept’ and continue.

I’ll select Nessus Essentials as it’s the free version, and click continue.

Next you’ll be asked to register for an activation key. You can either do this by filling in the form presented on the next screen which will send a verification email to your email address, or you can register for a key on the Tenable website. I just filled in the form and pasted the key into the next page.

Once you’ve activated Nessus you’ll have to wait for a few minutes for setup to complete. Nessus needs to download and install plugins and initialise the installation before it can be used, this can take a while depending on the resources available on your machine.

Once setup has completed you’ll be presented with the dashboard and a prompt to create your first scan.

For the purposes of this demo, I’ve got another virtual machine running CentOS Linux that I’ll scan. Type the IP address of the potentially vulnerable host you wish to scan and click ‘Submit’ followed by ‘Run Scan’.

Nessus will then kickstart a basic network scan to identify vulnerabilities on the host. Please note though that this basic scan is not going to be a thorough list of all vulnerabilities on the host. The basic network scan will only scan the host from the outside and can’t determine an extensive amount of details. For that, you’ll need to configure Nessus further, possibly even installing agents on the host that can probe deeper into the system. For now though, this is good enough.

Once the scan completes you can review the results.

As you can see, Nessus identified 14 potential vulnerabilities that can be investigated further. For this scan there’s nothing incredibly interesting as the machine I scanned is a basic CentOS install with no open services, so I didn’t expect to find anything.